WiNG 5.9.7 Controller Access-Point CLI Reference Guide
9036316-02 REV AB
January 2020
Copyright © 2020 Extreme Networks, Inc. All rights reserved.
Legal Notice
Extreme Networks, Inc. reserves the right to make changes in specifications and other information
contained in this document and its website without prior notice. The reader should in all cases
consult representatives of Extreme Networks to determine whether any such changes have been
made.
The hardware, firmware, software or any specifications described or referred to in this document
are subject to change without notice.
Trademarks
Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of
Extreme Networks, Inc. in the United States and/or other countries.
All other names (including any product names) mentioned in this document are the property of
their respective owners and may be trademarks or registered trademarks of their respective
companies/owners.
For additional information on Extreme Networks trademarks, please see:
www.extremenetworks.com/company/legal/trademarks
Introduction
WiNG CLI Structure
Configuration for connecting to a Controller using a terminal emulator
User Credentials
Examples in this reference guide
CLI Overview
Getting Context Sensitive Help
Using the No Command
Using CLI Editing Features and Shortcuts
Profile Commands
PROFILES
Profile Config Commands
AAA Policy
AAA-POLICY
aaa-policy-commands
Association-ACL Policy
ASSOCIATION-ACL-POLICY
Association-acl-policy-commands
Access-List Policy
ACCESS-LIST
ip-access-list
mac-access-list
ipv6-access-list
ip-snmp-access-list
ex3500-ext-access-list
ex3500-std-access-list
WIPS Policy
WIPS-POLICY
wips-policy-commands
Passpoint Policy
PASSPOINT POLICY
passpoint-policy
Crypto-CMP Policy
CRYPTO-CMP-POLICY
crypto-cmp-policy-instance
other-cmp-related-commands
bgp ext-community-list
bgp route-map
bgp router-config
bgp neighbor-config
Index
Text Conventions
Unless otherwise noted, information in this document applies to all supported environments for the
products in question. Exceptions, like command keywords associated with a specific software version,
are identified in the text.
When a feature, function, or operation pertains to a specific hardware product, the product name is
used. When features, functions, and operations are the same across an entire product family, such as
ExtremeSwitching switches or SLX routers, the product is referred to as the switch or the router.
Table 2: Text
Convention                  Description
screen displays             This typeface indicates command syntax, or represents information as
                            it appears on the screen.
The words enter and type    When you see the word enter in this guide, you must type something,
                            and then press the Return or Enter key. Do not press the Return or
                            Enter key when an instruction simply says type.
Key names                   Key names are written in boldface, for example Ctrl or Esc. If you must
                            press two or more keys simultaneously, the key names are linked with a
                            plus sign (+). Example: Press Ctrl+Alt+Del
Words in italicized type    Italics emphasize a point or denote new terms at the place where they
                            are defined in the text. Italics are also used when referring to
                            publication titles.
This symbol identifies new content. In a PDF, this is searchable text.
Platform-Dependent Conventions
Unless otherwise noted, all information applies to all platforms supported by ExtremeXOS software,
which are the following:
• ExtremeSwitching® switches
• SummitStack™
When a feature or feature implementation applies to specific platforms, the specific platform is noted in
the heading for the section describing that implementation in the ExtremeXOS command
documentation (see the Extreme Documentation page at www.extremenetworks.com/documentation/).
In many cases, although the command is available on all platforms, each platform
uses specific keywords. These keywords specific to each platform are shown in the Syntax Description
and discussed in the Usage Guidelines sections.
Providing Feedback
The Information Development team at Extreme Networks has made every effort to ensure the accuracy
and completeness of this document. We are always striving to improve our documentation and help
you work better, so we want to hear from you. We welcome all feedback, but we especially want to
know about:
• Content errors, or confusing or conflicting information.
• Improvements that would help you find relevant information in the document.
• Broken links or usability issues.
Provide the publication title, part number, and as much detail as possible, including the topic heading
and page number if applicable, as well as your suggestions for improvement.
Getting Help
If you require assistance, contact Extreme Networks using one of the following methods:
Extreme Portal
Search the GTAC (Global Technical Assistance Center) knowledge base; manage support cases and
service contracts; download software; and obtain product licensing, training, and certifications.
The Hub
A forum for Extreme Networks customers to connect with one another, answer questions, and share
ideas and feedback. This community is monitored by Extreme Networks employees, but is not
intended to replace specific guidance from GTAC.
Call GTAC
For immediate support: (800) 998 2408 (toll-free in U.S. and Canada) or 1 (408) 579 2826. For the
support phone number in your country, visit: www.extremenetworks.com/support/contact
Before contacting Extreme Networks for technical support, have the following information ready:
• Your Extreme Networks service contract number, or serial numbers for all involved Extreme
Networks products
• A description of the failure
• A description of any actions already taken to resolve the problem
• A description of your network environment (such as layout, cable type, other relevant environmental
information)
• Network load at the time of trouble (if known)
• The device history (for example, if you have returned the device before, or if this is a recurring
problem)
• Any related RMA (Return Material Authorization) numbers
1. Go to www.extremenetworks.com/support/service-notification-form.
2. Complete the form (all fields are required).
3. Select the products for which you would like to receive notifications.
Note
You can modify your product selections or unsubscribe at any time.
4. Select Submit.
Extreme Networks offers product training courses, both online and in person, as well as specialized
certifications. For details, visit www.extremenetworks.com/education/.
Note
In this document:
• NX9500 and NX9510 are collectively referred to as NX9500.
• AP7502, AP7522, AP7532 and AP7562 are collectively referred to as AP75XX.
• AP7602, AP7612, AP7622, AP7632 and AP7662 are collectively referred to as AP76XX.
Notational Conventions
The following notational conventions are used in this document:
• Italics are used to highlight specific items in the general text, and to identify chapters and sections in
this and related documents.
• Bullets (•) indicate:
◦ lists of alternatives
◦ lists of required steps that are not necessarily sequential
◦ action items
• Sequential lists (those describing step-by-step procedures) appear as numbered lists
<variable>
Variables are described with a short description enclosed within a '<' and a '>' pair.
For example, the command,
nx9500-6C8809>show interface ge 1
is documented as:
show interface ge <1-2>
where:
• show – is the command – displays information
• interface – is the keyword – represents the interface type
• <1-2> – is the variable – represents the ge interface index value
command / keyword
The first word is always a command. Keywords are words that must be
entered as is. Commands and keywords are mandatory.
For example, the command,
nx9500-6C8809>show wireless
is documented as:
show wireless
where:
• show – is the command
• wireless – is the keyword
When a CLI session is established, complete the following (user input is in bold):
login as: <username>
administrator's login password: <password>
User Credentials
Use the following credentials when logging into a device for the first time:
When logging into the CLI for the first time, you are prompted to change the password. Reset the
password and use it for subsequent logins.
The above example indicates the command is only available for a NX5500 model service platform.
CLI Overview
The CLI is used for configuring, monitoring, and maintaining the network. The user interface allows you
to execute commands on supported wireless controllers, service platforms, and APs, using either a
serial console or a remote access method.
This chapter describes basic CLI features. Topics covered include an introduction to command modes,
navigation and editing features, help features and command history.
The CLI is segregated into different command modes. Each mode has its own set of commands for
configuration, maintenance, and monitoring. The commands available at any given time depend on the
mode you are in, and to a lesser extent, the particular model used. Enter a question mark (?) at the
system prompt to view a list of commands available for each command mode/instance.
Use specific commands to navigate from one command mode to another. The standard order is: USER
EXEC mode, PRIV EXEC mode and GLOBAL CONFIG mode.
Command Modes
A session generally begins in the USER EXEC mode (one of the two access levels of the EXEC mode).
For security, only a limited subset of EXEC commands are available in the USER EXEC mode. This level
is reserved for tasks that do not change the device’s (wireless controller, service platform, or AP)
configuration.
rfs4000-6DB5D4>
The system prompt signifies the device name and the last three bytes of the device MAC address.
To access commands, enter the PRIV EXEC mode (the second access level for the EXEC mode). Once in
the PRIV EXEC mode, enter any EXEC command. The PRIV EXEC mode is a superset of the USER EXEC
mode.
rfs4000-6DB5D4>enable
rfs4000-6DB5D4#
Most of the USER EXEC mode commands are one-time commands and are not saved across device
reboots. Save the command by executing the ‘commit’ command. For example, the show command
displays the current configuration and the clear command clears the interface.
Access the GLOBAL CONFIG mode from the PRIV EXEC mode. In the GLOBAL CONFIG mode, enter
commands that set general system characteristics. Configuration modes allow you to change the
running configuration. If you save the configuration later, these commands are stored across device
reboots.
Access a variety of protocol specific (or feature-specific) modes from the global configuration mode.
The CLI hierarchy requires you to access specific configuration modes only through the global
configuration mode.
rfs4000-6DB5D4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
rfs4000-6DB5D4(config)#
You can also access sub-modes from the global configuration mode. Configuration sub-modes define
specific features within the context of a configuration mode.
rfs4000-6DB5D4(config)#aaa-policy test
rfs4000-6DB5D4(config-aaa-policy-test)#
Use the following commands to obtain help specific to a command mode, command name, keyword or
argument:
Command                                     Description
(prompt)# help                              Displays a brief description of the help system
(prompt)# abbreviated-command-entry?        Lists commands in the current mode that begin with a particular
                                            character string
(prompt)# abbreviated-command-entry<Tab>    Completes a partial command name
(prompt)# ?                                 Lists all commands available in the command mode
(prompt)# command ?                         Lists the available syntax options (arguments and keywords) for the
                                            command
(prompt)# command keyword ?                 Lists the next available syntax option for the command
Note
The system prompt varies depending on the configuration mode.
Note
Enter Ctrl + V to use ? as a regular character and not as a character used for displaying
context sensitive help. This is required when the user has to enter a URL that ends with a ?
Note
The escape character used throughout the CLI is "\". To enter a "\" use "\\" instead.
When using context-sensitive help, the space (or lack of a space) before the question mark (?) is
significant. To obtain a list of commands that begin with a particular sequence, enter the characters
followed by a question mark (?). Do not include a space. This form of help is called word help, because it
completes a word.
rfs4000-6DB5D4#service?
service Service Commands
rfs4000-6DB5D4#service
Enter a question mark (?) (in place of a keyword or argument) to list keywords or arguments. Include a
space before the "?". This form of help is called command syntax help. It shows the keywords or
arguments available based on the command/keyword and argument already entered.
rfs4000-6DB5D4#service ?
block-adopter-config-update Block configuration updates from the
bluetooth Bluetooth service commands
clear Clear adoption history
cli-tables-skin Choose a formatting layout/skin for CLI
tabular outputs (EXPERIMENTAL-Applies only
to certain commands)
cluster Cluster Protocol
copy Copy files or directories
delete Delete sessions
delete-offline-aps Delete Access Points that are configured
but offline
force-send-config Resend configuration to the device
force-update-vm-stats Force VM statistics to be pushed up to the
NOC
load-balancing Wireless load-balancing service commands
load-ssh-authorized-keys Load Ssh authorized keys
locator Enable leds flashing on the device
mint MiNT protocol
pktcap Start packet capture
pm Process Monitor
radio Radio parameters
radius Radius test
request-full-config-from-adopter Request full configuration from the
adopter
set Set global options
show Show running system information
signal Send a signal to a process
smart-rf Smart-RF Management Commands
snmp Snmp
ssm Command related to ssm
start-shell Provide shell access
syslog Syslog service
trace Trace a process for system calls and
signals
troubleshoot Troubleshooting
wireless Wireless commands
rfs4000-6DB5D4#
Commands and keywords can be abbreviated, provided the abbreviation is unique. For example,
"configure terminal" can be abbreviated as config t. Since the abbreviated command is unique, the
wireless controller accepts the abbreviation and executes the command.
Enter the help command (available in any command mode) to provide the following description:
rfs4000-6DB5D4>help
When using the CLI, help is provided at the command line when typing '?'. If no help is
available, the help content will be empty. Backup until entering a '?' shows the help
content.
There are two styles of help provided:
1. Full help. Available when entering a command argument (e.g. 'show ?'). This will
describe each possible argument.
2. Partial help. Available when an abbreviated argument is entered. This will display
which arguments match the input (e.g. 'show ve?').
rfs4000-6DB5D4>
The CLI recognizes a command once you have entered enough characters to make the command
unique. If you enter "conf" within the privileged EXEC mode, the CLI associates the entry with the
configure command, since only the configure command begins with conf.
In the following example, the CLI recognizes a unique string in the privileged EXEC mode when the Tab
key is pressed:
rfs4000-6DB5D4#conf[TAB]
rfs4000-6DB5D4#configure
When using the command completion feature, the CLI displays the full command name. The command
is not executed until the Return or Enter key is pressed. Modify the command if the full command was
not what you intended in the abbreviation. If entering a set of characters (indicating more than one
command), the system lists all commands beginning with that set of characters.
Enter a question mark (?) to obtain a list of commands beginning with that set of characters. Do not
leave a space between the last letter and the question mark (?).
In the following example, all commands, available in the current context, starting with the characters ‘co’
are listed:
rfs4000-6DB5D4#co?
commit Commit all changes made in this session
configure Enter configuration mode
connect Open a console connection to a remote device
copy Copy from one file to another
rfs4000-6DB5D4#
Note
The characters entered before the question mark are reprinted to the screen to complete the
command entry.
prompt displays at the bottom of the screen. To resume the output, press the Enter key to scroll down
one line or press the Space bar to display the next full screen of output.
Creating Profiles
A profile is a ‘template’ representation of configuration. The system has:
• a default profile for each of the following wireless controllers:
◦ RFS4000
• a default profile for each of the following service platforms:
◦ NX5500, NX7500, NX9500, NX9600, VX9000
• a default profile for each of the following access points:
◦ AP6522, AP6562, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632,
AP7662, AP8163, AP8432, AP8533
You can modify a default profile. In the following example, an IP address is assigned to the management
port on the default RFS 4000 profile.
rfs4000-6DB5D4(config)#profile rfs4000 default-rfs4000
rfs4000-6DB5D4(config-profile-default-rfs4000)#interface me1
rfs4000-6DB5D4(config-profile-default-rfs4000-if-me1)#ip address 172.16.10.2/24
rfs4000-6DB5D4(config-profile-default-rfs4000-if-me1)#commit
rfs4000-6DB5D4(config-profile-default-rfs4000)#exit
rfs4000-6DB5D4(config)#
Change the default profile by creating VLAN 150 and mapping it to the ge3 physical interface.
Log on to the controller in config mode and follow the procedure below:
rfs4000-6DB5D4(config-profile-default-rfs4000)# interface vlan 150
rfs4000-6DB5D4(config-profile-default-rfs4000-if-vlan150)# ip address 192.168.150.20/24
rfs4000-6DB5D4(config-profile-default-rfs4000-if-vlan150)# exit
rfs4000-6DB5D4(config-profile-default-rfs4000)# interface ge 3
rfs4000-6DB5D4(config-profile-default-rfs4000-if-ge3)# switchport access vlan 150
rfs4000-6DB5D4(config-profile-default-rfs4000-if-ge3)# commit write
[OK]
rfs4000-6DB5D4(config-profile-default-rfs4000-if-ge3)#show interface vlan 150
Interface vlan150 is UP
Hardware-type: vlan, Mode: Layer 3, Address: 00-15-70-81-70-1D
Index: 6, Metric: 1, MTU: 1500
IP-Address: 192.168.150.20/24
input packets 0, bytes 0, dropped 0, multicast packets 0
input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
output packets 2, bytes 140, dropped 0
output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
collisions 0
IPv6 mode is disabled
rfs4000-6DB5D4(config-profile-default-rfs4000-if-ge3)#
To enable Telnet for management access, use the serial console to login to the device and perform the
following:
Procedure
1. The session, by default, opens in the USER EXEC mode (one of the two access levels of the EXEC
mode). Access the PRIV EXEC mode from the USER EXEC mode.
rfs4000-6DB5D4>en
rfs4000-6DB5D4#
2. Access the GLOBAL CONFIG mode from the PRIV EXEC mode.
rfs4000-6DB5D4>en
rfs4000-6DB5D4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
rfs4000-6DB5D4(config)#
3. Go to ‘default-management-policy’ mode.
rfs4000-6DB5D4(config)#management-policy ?
MANAGEMENT Name of the management policy to be configured (will be created
if it does not exist)
rfs4000-6DB5D4(config)#management-policy default
rfs4000-6DB5D4(config-management-policy-default)#
4. Enter Telnet and the port number at the command prompt. Note, the port number is optional. If you
do not specify the port, the system, by default, assigns port 23 for Telnet. Commit your changes.
Telnet is enabled.
rfs4000-6DB5D4(config-management-policy-default)#telnet
rfs4000-6DB5D4(config-management-policy-default)#commit write
rfs4000-6DB5D4(config-management-policy-default)#end
rfs4000-6DB5D4#exit
5. Connect to the controller through Telnet using its configured IP address. If logging in for the first
time, use the following credentials:
User Name admin
Password admin123
Note: When logging in for the first time, you will be prompted to
change the password. Re-set the password and use it for subsequent
logins.
7. Log on to the Telnet console and provide the user details configured in the previous step to access
the controller.
rfs4000 release 5.9.6.0-004D
rfs4000-6DB5D4 login: testuser
Password:
Welcome to CLI
Starting CLI...rfs4000-6DB5D4>
By default, SSH is enabled from the factory settings on the controller. The controller requires an IP
address and login credentials.
To enable SSH access on a device, login through the serial console and perform the following:
Procedure
1. The session, by default, opens in the USER EXEC mode (one of the two access levels of the EXEC
mode). Access the PRIV EXEC mode from the USER EXEC mode.
rfs4000-6DB5D4>en
rfs4000-6DB5D4#
2. Access the GLOBAL CONFIG mode from the PRIV EXEC mode.
rfs4000-6DB5D4>en
rfs4000-6DB5D4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
rfs4000-6DB5D4(config)#
3. Go to ‘default-management-policy’ mode.
rfs4000-6DB5D4(config)#management-policy ?
MANAGEMENT Name of the management policy to be configured (will be created
if it does not exist)
rfs4000-6DB5D4(config)#management-policy default
rfs4000-6DB5D4(config-management-policy-default)#
5. Connect to the controller through SSH using its configured IP address. If logging in for the first time,
use the following credentials:
User Name admin
Password admin123
Note: When logging in for the first time, you will be prompted to
change the password. Re-set the password and use it for subsequent
logins.
6. On subsequent logins, to change the password, access the default management-policy configuration
mode and enter the username, new password, role, and access details.
rfs4000-6DB5D4(config-management-policy-default)#user testuser password test@123 role helpdesk access all
rfs4000-6DB5D4(config-management-policy-default)#commit
rfs4000-6DB5D4(config-management-policy-default)#show context
management-policy default
telnet
http server
https server
no ftp
ssh
user admin password 1
7. Log on to the SSH console and provide the user details configured in the previous step to access the
controller.
rfs4000 release 5.9.6.0-004D
rfs4000-6DB5D4 login: testuser
Password:
Welcome to CLI
Starting CLI...
rfs4000-6DB5D4>
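The management-policy context shown in the procedures above lists telnet and http server next to ssh and https server, and the first-login password is a published value. The following is an added example, not part of the guide or of WiNG: a Python check that reads management-policy blocks and reports cleartext management services and accounts exposed through them. The sample configuration is constructed; the leading-space indentation of child lines, the "superuser" role and the "access ssh" value are assumptions that go beyond what this page shows.

```python
"""Audit management-policy blocks for cleartext management access."""
from dataclasses import dataclass, field

# Service keywords as they appear in the guide's `show context` output.
CLEARTEXT = ("telnet", "http server", "ftp")
FACTORY_PASSWORD = "admin123"  # first-login password stated in the guide

# Constructed sample. Indentation of child lines, the "superuser" role and
# "access ssh" are assumptions beyond what the page shows.
SAMPLE = """\
management-policy default
 telnet
 http server
 https server
 no ftp
 ssh
 user admin password admin123 role superuser access all
 user testuser password test@123 role helpdesk access all
management-policy hardened
 no telnet
 no http server
 https server
 ssh
 user netops password Constructed!Pass1 role superuser access ssh
"""


@dataclass
class Policy:
    name: str
    enabled: set = field(default_factory=set)
    users: list = field(default_factory=list)  # (name, password token, access list)


def _service(tokens):
    """Map a config line to a service keyword, ignoring trailing arguments."""
    if tokens[:2] in (["http", "server"], ["https", "server"]):
        return " ".join(tokens[:2])
    return tokens[0] if tokens[0] in ("telnet", "ssh", "ftp") else None


def parse_policies(text):
    """Return every management-policy block found in a configuration dump."""
    policies, current = [], None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if not raw[0].isspace():  # unindented: a block header or another section
            is_header = tokens[0] == "management-policy" and len(tokens) == 2
            current = Policy(tokens[1]) if is_header else None
            if current:
                policies.append(current)
            continue
        if current is None:
            continue
        negated = tokens[0] == "no"
        body = tokens[1:] if negated else tokens
        if not body:
            continue
        if not negated and len(body) >= 4 and body[0] == "user" and body[2] == "password":
            rest = body[4:]
            access = rest[rest.index("access") + 1:] if "access" in rest else []
            current.users.append((body[1], body[3], access))
            continue
        svc = _service(body)
        if svc:  # a later "no <service>" overrides an earlier enable, and vice versa
            (current.enabled.discard if negated else current.enabled.add)(svc)
    return policies


def audit(policy):
    """List findings for one policy; an empty list means nothing was flagged."""
    findings = [f"{policy.name}: cleartext management service enabled: {svc}"
                for svc in CLEARTEXT if svc in policy.enabled]
    for name, password, access in policy.users:
        if password == FACTORY_PASSWORD:
            findings.append(f"{policy.name}: user {name} still has the factory password")
        if "telnet" in policy.enabled and ("all" in access or "telnet" in access):
            findings.append(f"{policy.name}: user {name} can log in over Telnet")
    return findings


if __name__ == "__main__":
    for pol in parse_policies(SAMPLE):
        for finding in audit(pol):
            print(finding)
```

A service that is absent from a block is treated as not configured rather than disabled, so the check reports only what the configuration states explicitly.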
To list available USER EXEC commands, use ? at the command prompt. The USER EXEC prompt
consists of the device host name followed by an angle bracket (>).
<DEVICE>>?
Command commands:
captive-portal-page-upload Captive portal internal and advanced page upload
change-passwd Change password
clear Clear
clock Configure software system clock
cluster Cluster commands
commit Commit all changes made in this session
connect Open a console connection to a remote device
create-cluster Create a cluster
crypto Encryption related commands
crypto-cmp-cert-update Update the cmp certs
database Database
database-backup Backup database
database-restore Restore database
debug Debugging functions
device-upgrade Device firmware upgrade
disable Turn off privileged mode command
enable Turn on privileged mode command
file-sync File sync between controller and adoptees
gps GPS commands
help Description of the interactive help system
join-cluster Join the cluster
l2tpv3 L2tpv3 protocol
logging Modify message logging facilities
mint MiNT protocol
no Negate a command or set its defaults
on On RF-Domain
opendns OpenDNS configuration
page Toggle paging
ping Send ICMP echo messages
ping6 Send ICMPv6 echo messages
revert Revert changes
service Service Commands
<DEVICE>>
user-exec-commands
The following table summarizes the User Exec Configuration Mode commands:
l2tpv3 (user and privi exec modes) on page 92       Establishes or brings down L2TPv3 (Layer 2 Tunneling Protocol
                                                    Version 3) tunnels
logging (user and privi exec modes) on page 94      Modifies message logging facilities
mint (user and privi exec modes) on page 95         Configures MiNT protocol
no (user-exec-mode) on page 96                      Negates a command or sets its default
opendns (user and privi exec modes) on page 99      Connects to the OpenDNS site using OpenDNS registered
                                                    credentials (username, password) OR OpenDNS API token to fetch
                                                    the OpenDNS device_id. This command is a part of the process
                                                    integrating access points, controllers, and service platforms with
                                                    OpenDNS.
page (user and privi exec modes) on page 103        Toggles a device's (Access Point, wireless controller, or service
                                                    platform) paging function
ping (user and privi exec modes) on page 103        Sends ICMP echo messages to a user-specified location
ping6 (user and privi exec modes) on page 105       Sends ICMPv6 echo messages to a user-specified location
ssh (user and privi exec modes) on page 106         Opens an SSH connection between two network devices
telnet (user and privi exec modes) on page 106      Opens a Telnet session
terminal (user and privi exec modes) on page 107    Sets the length and width of the terminal window
Note
For more information on common commands (clrscr, commit, help, revert, service, show,
write, and exit), see COMMON COMMANDS on page 705.
Note
The input parameter <HOSTNAME>, if used in syntaxes across this chapter, cannot include an
underscore (_) character.
Note
Ensure that the captive portal pages to upload are *.tar files.
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
captive-portal-page-upload [<CAPTIVE-PORTAL-NAME>|cancel-upload|delete-file|load-file]
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all|rf-domain]
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all] {upload-time <TIME>}
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all]
{from-controller} {(upload-time <TIME>)}
captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|all]]
captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>
captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>
Parameters
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all] {upload-time <TIME>}
rf-domain [<DOMAIN-NAME>|all]    Uploads to all APs within a specified RF Domain or all RF Domains
                                 • <DOMAIN-NAME> – Uploads to APs within a specified RF
                                   Domain. Specify the RF Domain name.
                                 • all – Uploads to APs across all RF Domains
IPv6 URLs:
• tftp://<hostname|IPv6>[:port]/path/file
• ftp://<user>:<passwd>@<hostname|IPv6>[:port]/path/file
• sftp://<user>:<passwd>@<hostname|IPv6>[:port]/path/file
• http://<hostname|IPv6>[:port]/path/file
Examples
ap8533-B1A214#captive-portal-page-upload load-file captive_portal_test tftp://89.89.89.17/pages_new_only.tar
ap8533-B1A214#show captive-portal-page-upload load-image-status
Download of captive_portal_test advanced page file is complete
ap6562-B1A214#
ap8533-B1A214#captive-portal-page-upload captive_portal_test all
--------------------------------------------------------------------------------
CONTROLLER STATUS MESSAGE
--------------------------------------------------------------------------------
FC-0A-81-B1-A2-14 Success Added 6 APs to upload queue
--------------------------------------------------------------------------------
ap8533-B1A214#
ap8533-B1A214@#show captive-portal-page-upload status
Number of APs currently being uploaded : 1
Number of APs waiting in queue to be uploaded : 0
---------------------------------------------------------------------------------------
AP STATE UPLOAD TIME PROGRESS RETRIES LAST UPLOAD ERROR UPLOADED BY
---------------------------------------------------------------------------------------
ap8533-B1A738 downloading immediate 100 0 - None
---------------------------------------------------------------------------------------
ap8533-B1A214#
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
change-passwd {<OLD-PASSWORD>} <NEW-PASSWORD>
Parameters
change-passwd {<OLD-PASSWORD>} <NEW-PASSWORD>
Examples
nx9500-6C8809#change-passwd
Enter old password:
Enter new password:
Password for user 'admin' changed successfully
Please write this password change to memory(write memory) to be persistent.
nx9500-6C8809#write memory
OK
nx9500-6C8809#
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
clear [arp-cache|bonjour|cdp|counters|crypto|event-history|firewall|gre|ip|ipv6|
l2tpv3-stats|lacp|license|lldp|mac-address-table|mint|role|rtls|spanning-tree|
traffic-shape|vrrp]
clear arp-cache {on <DEVICE-NAME>}
clear bonjour cache {on <DEVICE-NAME>}
clear [cdp|lldp] neighbors {on <DEVICE-NAME>}
clear counters [all|ap|bridge|interface|radio|router|thread|wireless-client]
clear counters all {(on <DEVICE-OR-DOMAIN-NAME>)}
clear counters [bridge|router|thread]
clear counters interface <INF-TYPE> {(on <DEVICE-OR-DOMAIN-NAME>)}
clear counters [ap {<MAC>}|radio {<MAC/DEVICE-NAME>} {<1-3>}|
wireless-client {<MAC>}] {(on <DEVICE-OR-DOMAIN-NAME>)}
clear crypto [ike|ipsec] sa
clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}
clear crypto ipsec sa {on <DEVICE-NAME>}
clear event-history
clear firewall [dhcp|dos|flows|neighbors]
clear firewall [dhcp|neighbors] snoop-table {on <DEVICE-NAME>}
clear firewall [dos stats|flows [ipv4|ipv6]] {on <DEVICE-NAME>}
clear gre stats {on <DEVICE-NAME>}
clear ip [bgp|dhcp|ospf]
clear ip bgp [<IP>|all|external|process]
clear ip bgp [<IP>|all|external] {in|on|out|soft}
clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}
clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}
clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}
clear ip bgp process {on <DEVICE-NAME>}
clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}
clear ip ospf process {on <DEVICE-NAME>}
clear mac-address-table {address|interface|vlan} {on <DEVICE-NAME>}
clear ipv6 neighbor-cache {on <DEVICE-NAME>}
clear lacp [<1-4> counters|counters]
clear license [borrowed|lent to <BORROWER-CONTROLLER-NAME>] {on <DEVICE-NAME>}
clear l2tpv3-stats tunnel <TUNNEL-NAME> {session <SESSION-NAME>} {on <DEVICE-NAME>}
clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}
clear mac-address-table {address|interface|mac-auth-state|vlan} {on <DEVICE-NAME>}
clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}
clear mac-address-table {interface [<IN-NAME>|ge <1-2>|port-channel <1-2>|vmif <1-8>]}
{on <DEVICE-NAME>}
clear mac-address-table mac-auth-state address <MAC> vlan <1-4094>
{on <DEVICE-NAME>}
clear mint mlcp history {on <DEVICE-NAME>}
clear role ldap-stats {on <DEVICE-NAME>}
clear rtls [aeroscout|ekahau]
clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}
|on <DEVICE-OR-DOMAIN-NAME>}
clear spanning-tree detected-protocols {interface|on}
clear spanning-tree detected-protocols {on <DEVICE-NAME>}
clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-X>|
me1|port-channel <1-X>|pppoe1|up1|vlan <1-4094>|wwan1]} {on <DEVICE-NAME>}
clear traffic-shape statistics class <1-4> {(on <DEVICE-NAME>)}
clear vrrp [error-stats|stats] {on <DEVICE-NAME>}
Parameters
clear arp-cache {on <DEVICE-NAME>}
bonjour cache Clears all Bonjour cached statistics. Once cleared the system has to
re-discover available Bonjour services.
on <DEVICE-NAME> Optional. Clears all Bonjour cached statistics on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
counters Clears all counters on the logged device or on all devices within a
specified RF Domain. These counters are: AP, bridge, interface,
radio, router, thread and wireless clients.
on <DEVICE-OR-DOMAIN-NAME> Optional. Specify the device name or the RF Domain name.
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Clears all counters
on a specified device or RF Domain.
◦ <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP,
wireless controller, service platform, or RF Domain.
counters Clears counters based on the parameters passed. The options are:
AP, bridge, interface, radio, router, thread and wireless clients.
[bridge|router|thread] Select one of the following options:
• bridge – Clears bridge counters. When executed, this command
resets the bridge forwarding cache.
• router – Clears router counters. When executed, this command
resets the router counters.
• thread – Clears thread counters. When executed, this command
resets the pre-thread counters.
counters Clears counters based on the parameters passed. The options are:
AP, bridge, interface, radio, router, thread and wireless clients.
ap <MAC> Clears counters for all APs or a specified AP
• <MAC> – Optional. Specify the AP’s MAC address.
radio <MAC/DEVICE-NAME> <1-X> Clears radio interface counters on a specified device or on all
devices
• <MAC/DEVICE-NAME> – Optional. Specify the device’s
hostname or MAC address. Optionally, append the radio
interface number (to the radio ID) using one of the following
formats: AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX (where RX
is the interface number).
◦ <1-X> – Optional. Identifies the radio interface by its index.
Specify the radio interface index, if not specified as part of
the radio ID. Note, the number of radio interfaces available
varies with the access point type.
wireless-client <MAC> Clears counters for all wireless clients or a specified wireless client
• <MAC> – Optional. Specify the wireless client's MAC address.
counters Clears counters based on the parameters passed. The options are:
AP, bridge, interface, radio, router, thread and wireless clients.
interface <INF-TYPE> <INF-NUMBER> Clears interface counters
• <INF-TYPE> - Specify the interface type as Ethernet, VLAN,
port-channel, usb, all, etc.
◦ <INF-NUMBER> - After specifying the interface type, specify
the interface number.
on <DEVICE-NAME> Optional. Clears IKE SA entries, for a specified peer or all peers, on a
specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
crypto
ipsec sa {on <DEVICE-NAME>} Clears Internet Protocol Security (IPsec) database SAs
• on <DEVICE-NAME> – Optional. Clears IPSec SA entries on a
specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
clear event-history
on <DEVICE-NAME> The following option is common to both the 'dhcp' and 'neighbor'
parameters:
• on <DEVICE-NAME> - Optional. Executes the command on a
specified device.
◦ <DEVICE-NAME> - Specify the AP, wireless controller, or
service platform name.
flows [ipv4|ipv6] Clears all established IPv4 or IPv6 firewall session statistics
• ipv4 - Optional. Clears only IPv4 firewall session statistics
• ipv6 - Optional. Clears only IPv6 firewall session statistics
Note: If you do not specify IPv4 or IPv6, the system clears all
ACL related statistics.
on <DEVICE-NAME> The following option is common to both the 'dos' and 'flows'
parameters:
• on <DEVICE-NAME> - Optional. Executes the command on a
specified device.
◦ <DEVICE-NAME> - Specify the AP, wireless controller, or
service platform name.
ip bgp [<IP>|all|external] Clears on-going BGP sessions based on the option selected
• <IP> – Clears BGP session with the peer identified by the <IP>
keyword. Specify the BGP peer’s IP address.
• all – Clears all BGP peer sessions
• external – Clears external BGP (eBGP) peer sessions
This command is applicable only to the RFS4010, NX9500,
NX9600, and VX9000 platforms.
Modifications made to BGP settings (BGP access lists, weight,
distance, route-maps, versions, routing policy, etc.) take effect only
after on-going BGP sessions are cleared. The clear > ip >
bgp command clears BGP sessions. To reduce loss of route
updates during the process, use the ‘soft’ option. Soft
reconfiguration stores inbound/outbound route updates to be
processed later and updated to the routing table. This requires high
memory usage.
in prefix-filter Optional. Clears inbound route updates
• prefix-filter – Optional. Clears the existing Outbound Route
Filtering (ORF) prefix-list
ip bgp [<IP>|all|external] Clears on-going BGP sessions based on the option selected
• <IP> – Clears BGP session with the peer identified by the <IP>
keyword. Specify the BGP peer’s IP address.
• all – Clears all BGP peer sessions
• external – Clears eBGP peer sessions
ip bgp [<IP>|all|external] Clears on-going BGP sessions based on the option selected
• <IP> – Clears BGP session with the peer identified by the <IP>
keyword. Specify the BGP peer’s IP address.
• all – Clears all BGP peer sessions
• external – Clears eBGP peer sessions
This command is applicable only to the RFS4010, NX9500,
NX9600, and VX9000 platforms.
soft {in|out} Optional. Initiates soft-reconfiguration of route updates for the
specified IP address
• in – Optional. Enables soft reconfiguration of inbound route
updates
• out – Optional. Enables soft reconfiguration of outbound route
updates
Modifications made to BGP settings (BGP access lists, weight,
distance, route-maps, versions, routing policy, etc.) take effect only
after on-going BGP sessions are cleared. The clear > ip >
bgp command clears BGP sessions. To reduce loss of route updates
during the process, use the ‘soft’ option. Soft reconfiguration stores
inbound/outbound route updates to be processed later and
updated to the routing table. This requires high memory usage.
on <DEVICE-NAME> Optional. Initiates soft reconfiguration inbound/outbound route
updates on a specified device
• <DEVICE-NAME> – Specify the name of the AP or service
platform.
ip ospf process Clears already enabled Open Shortest Path First (OSPF) process
and restarts the process
on <DEVICE-NAME> Optional. Clears OSPF process on a specified device
OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP
packets within a single routing domain (autonomous system), like
an enterprise LAN. OSPF gathers link state information from
neighboring routers and constructs a network topology. The
topology determines the routing table presented to the Internet
Layer, which makes routing decisions based solely on the
destination IP address found in IP packets.
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
clear lacp [<1-4> counters|counters] Clears Link Aggregation Control Protocol (LACP) counters/statistics
for a specified channel group or all channel groups configured
• <1-4> counters – Clears LACP stats for a specified channel
group. Specify the port-channel index number from 1 - 4. Note,
Note:
If you do not specify a controller name, the command is executed
on the controller you have logged on to.
Note:
If you do not specify the controller name, the system
executes the command on the logged controller.
session <SESSION-NAME> Optional. Clears a specific session statistics in the specified L2TPv3
tunnel.
• <SESSION-NAME> - Specify the session name.
Note: If you do not specify the session name, the system clears
statistics for all sessions.
Note: If you do not specify the device name, the system clears
L2TPv3 tunnel and session statistics on the logged device.
mac-address-table Clears MAC address forwarding table data based on the parameters
passed
Use this command to clear the following: all or specified MAC
addresses from the system, all MAC addresses on a specified
interface, all MAC addresses on a specified VLAN, or the
authentication state of a MAC address.
address <MAC> Optional. Clears a specified MAC address from the MAC address
table.
• <MAC> – Specify the MAC address in one of the following
formats: AA-BB-CC-DD-EE-FF or AA:BB:CC:DD:EE:FF or
AABB.CCDD.EEFF
vlan <1-4094> Optional. Clears all MAC addresses for a specified VLAN
• <1-4094> – Specify the VLAN ID from 1 - 4094
on <DEVICE-NAME> Optional. Clears a single MAC entry or all MAC entries, for the
specified VLAN on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
mac-address-table Clears MAC address forwarding table data based on the parameters
passed
Use this command to clear the following: all or specified MAC
addresses from the system, all MAC addresses on a specified
interface, all MAC addresses on a specified VLAN, or the
authentication state of a MAC address.
interface Clears all MAC addresses for the selected interface. Use the options
available to specify the interface.
<IF-NAME> Clears MAC address forwarding table for the specified layer 2
interface (Ethernet port)
• <IF-NAME> – Specify the layer 2 interface name.
port-channel <1-X> Clears MAC address forwarding table for the specified port-channel
interface
• <1-X> – Specify the port-channel interface index from 1 - X.
on <DEVICE-NAME> Optional. Clears the MAC address forwarding table, for the selected
interface, on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
mac-address-table mac-auth-state address <MAC> vlan <1-4094> Clears MAC addresses learned from a particular VLAN when WLAN
MAC authentication and captive-portal fall back is enabled
Access points/controllers provide WLAN access to clients whose
MAC address has been learned and stored in their MAC address
tables. Use this command to clear a specified MAC address on the
MAC address table. Once cleared the client has to re-authenticate,
and is provided access only on successful authentication.
• <MAC> – Specify the MAC address to clear.
◦ vlan <1-4094> – Specify the VLAN interface from 1 - 4094. In
the AP/controller’s MAC address table, the specified MAC
address is cleared on the specified VLAN interface.
Note: If a device is not specified, the system clears the MAC address
on all devices.
mint
mlcp history Clears MiNT Link Creation Protocol (MLCP) client history
on <DEVICE-NAME> Optional. Clears MLCP client history on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
Note: If the traffic class is not specified, the system clears all
traffic shaping statistics.
on <DEVICE-NAME> Optional. Clears traffic shaping statistics for the specified traffic
class on a specified device
• <DEVICE-NAME> – Specify the name of the access point,
wireless controller, or service platform.
Examples
nx9500-6C8809>clear event-history
nx9500-6C8809>clear spanning-tree detected-protocols interface port-channel 1
nx9500-6C8809>clear spanning-tree detected-protocols interface ge 1
nx9500-6C8809>show lldp neighbors
-------------------------
Chassis ID: 00-18-71-D0-0B-00
System Name: ProCurve Switch 5406zl
Platform: ProCurve J8697A Switch 5406zl, revision K.12.1X, ROM K.11.03 (/sw/code/build/
btm(sw_esp1))
Capabilities: Bridge Router
Enabled Capabilities: Bridge Router
Local Interface: ge1, Port ID(Port Description) (outgoing port): 26(B2)
TTL: 95 sec
Management Addresses: 10.234.160.1
-------------------------
Chassis ID: 5C-0E-8B-1C-53-2C
System Name: HM-ROUTER
Platform: RFS-4011-11110-WR, Version 5.9.6.0-004D
Capabilities: Bridge WLAN Access Point Router
Enabled Capabilities: Bridge WLAN Access Point Router
Local Interface: ge2, Port ID(Port Description) (outgoing port): ge1(ge1)
TTL: 165 sec
Management Addresses: 192.168.0.1,172.168.16.1,192.168.13.1,20.168.10.1
nx9500-6C8809>
nx9500-6C8809>clear lldp neighbors
nx9500-6C8809>show lldp neighbors
nx9500-6C8809>show cdp neighbors
--------------------------------------------------------------------------------
Device ID Platform Local Interface Port ID Duplex
--------------------------------------------------------------------------------
HM-ROUTER RFS-4011-11110-WR ge2 ge1 full
--------------------------------------------------------------------------------
nx9500-6C8809>
nx9500-6C8809>clear cdp neighbors
nx9500-6C8809>show cdp neighbors
--------------------------------------------------------------------------------
Device ID Platform Local Interface Port ID Duplex
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
nx9500-6C8809>
nx9500-6C8809>clear role ldap-stats
nx9500-6C8809>show role ldap-stats
No ROLE LDAP statistics found.
nx9500-6C8809>
nx9500-6C8809>show mac-address-table
--------------------------------------------------------
BRIDGE VLAN PORT MAC STATE
--------------------------------------------------------
1 1 ge5 00-02-B3-28-D1-55 forward
1 1 ge5 00-0F-8F-19-BA-4C forward
1 1 ge5 B4-C7-99-5C-FA-8E forward
1 1 ge5 00-23-68-0F-43-D8 forward
1 1 ge5 00-15-70-38-06-49 forward
1 1 ge5 00-23-68-13-9B-34 forward
1 1 ge5 B4-C7-99-58-72-58 forward
1 1 ge5 00-15-70-81-74-2D forward
--------------------------------------------------------
Total number of MACs displayed: 8
nx9500-6C8809>
nx9500-6C8809>clear mac-address-table address 00-02-B3-28-D1-55
nx9500-6C8809>show mac-address-table
--------------------------------------------------------
BRIDGE VLAN PORT MAC STATE
--------------------------------------------------------
1 1 ge5 00-0F-8F-19-BA-4C forward
1 1 ge5 B4-C7-99-5C-FA-8E forward
1 1 ge5 00-23-68-0F-43-D8 forward
1 1 ge5 00-15-70-38-06-49 forward
1 1 ge5 00-23-68-13-9B-34 forward
1 1 ge5 B4-C7-99-58-72-58 forward
1 1 ge5 00-15-70-81-74-2D forward
--------------------------------------------------------
Total number of MACs displayed: 7
nx9500-6C8809>
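The before/after comparison in the example above can be automated. The following Python sketch is an added example, not part of the guide or of WiNG: it accepts a MAC address in any of the three formats listed for the address parameter, parses the `show mac-address-table` output copied from the example, and reports whether the cleared entry is gone and whether any other entry changed. The function names are hypothetical.

```python
import re

# The three MAC notations the guide accepts for "address <MAC>".
MAC_FORMATS = [
    re.compile(r"^(?:[0-9A-F]{2}-){5}[0-9A-F]{2}$"),       # AA-BB-CC-DD-EE-FF
    re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$"),       # AA:BB:CC:DD:EE:FF
    re.compile(r"^[0-9A-F]{4}\.[0-9A-F]{4}\.[0-9A-F]{4}$"),  # AABB.CCDD.EEFF
]

# One data row of "show mac-address-table": BRIDGE VLAN PORT MAC STATE.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+(\S+)\s*$"
)

BEFORE = """\
BRIDGE VLAN PORT MAC STATE
1 1 ge5 00-02-B3-28-D1-55 forward
1 1 ge5 00-0F-8F-19-BA-4C forward
1 1 ge5 B4-C7-99-5C-FA-8E forward
1 1 ge5 00-23-68-0F-43-D8 forward
1 1 ge5 00-15-70-38-06-49 forward
1 1 ge5 00-23-68-13-9B-34 forward
1 1 ge5 B4-C7-99-58-72-58 forward
1 1 ge5 00-15-70-81-74-2D forward
Total number of MACs displayed: 8
"""

AFTER = """\
BRIDGE VLAN PORT MAC STATE
1 1 ge5 00-0F-8F-19-BA-4C forward
1 1 ge5 B4-C7-99-5C-FA-8E forward
1 1 ge5 00-23-68-0F-43-D8 forward
1 1 ge5 00-15-70-38-06-49 forward
1 1 ge5 00-23-68-13-9B-34 forward
1 1 ge5 B4-C7-99-58-72-58 forward
1 1 ge5 00-15-70-81-74-2D forward
Total number of MACs displayed: 7
"""


def normalize_mac(text):
    """Return the MAC as AA-BB-CC-DD-EE-FF, rejecting mixed separators."""
    candidate = text.strip().upper()
    if not any(pattern.match(candidate) for pattern in MAC_FORMATS):
        raise ValueError(f"not a supported MAC format: {text!r}")
    digits = re.sub(r"[-:.]", "", candidate)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(output):
    """Return the table as a set of (vlan, port, mac) tuples."""
    entries = set()
    for line in output.splitlines():
        match = ROW.match(line)
        if match:
            _bridge, vlan, port, mac, _state = match.groups()
            entries.add((int(vlan), port, normalize_mac(mac)))
    return entries


def check_clear(before, after, mac, vlan=None):
    """Compare two table dumps around a clear of one MAC address."""
    target = normalize_mac(mac)
    if vlan is not None and not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be in the range 1 - 4094")
    old, new = parse_mac_table(before), parse_mac_table(after)

    def is_target(entry):
        return entry[2] == target and (vlan is None or entry[0] == vlan)

    return {
        "was_present": any(is_target(e) for e in old),
        "still_present": any(is_target(e) for e in new),
        "other_removed": sorted(e for e in old - new if not is_target(e)),
        "newly_learned": sorted(new - old),
    }


if __name__ == "__main__":
    print(check_clear(BEFORE, AFTER, "0002.B328.D155", vlan=1))
```

A `still_present` value of True after the clear means the address was re-learned between the two captures.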
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
Syntax
clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}
Parameters
clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}
Examples
ap8432-5C63F0(config-device-74-67-F7-5C-63-F0)#timezone Etc/UTC
ap8432-5C63F0#clock set 14:16:30 18 Sep 2019
ap8432-5C63F0#show clock
2019-09-18 14:16:44 UTC
ap8432-5C63F0#
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
cluster start-election
Parameters
cluster start-election
Related Commands
create-cluster (user and privi exec modes) on page 56 Creates a new cluster on the specified device
join-cluster (user and privi exec modes) on page 90 Adds a wireless controller or service platform, as a member, to an
existing cluster of controllers
commit
Commits changes made in the active session. Use the commit command to save and invoke settings
entered during the current transaction.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
commit {write}{memory}
Parameters
commit {write}{memory}
Examples
nx9500-6C8809#commit write memory
[OK]
nx9500-6C8809#
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]
Parameters
connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]
Examples
nx9500-6C8809>show mint lsp-db
5 LSPs in LSP-db of 19.6C.88.09:
LSP 19.6C.88.09 at level 1, hostname "nx9500-6C8809", 4 adjacencies, seqnum 334790
LSP 2C.13.40.38 at level 1, hostname "ap505-134038", 4 adjacencies, seqnum 1093428
LSP 4D.84.A2.24 at level 1, hostname "ap7562-84A224", 4 adjacencies, seqnum 946734
LSP 4D.DF.9A.4C at level 1, hostname "ap7532-DF9A4C", 4 adjacencies, seqnum 352858
LSP 75.07.02.35 at level 1, hostname "ap8432-070235", 4 adjacencies, seqnum 319736
nx9500-6C8809>
nx9500-6C8809>connect mint-id 75.07.02.35
A cluster (or redundancy group) is a set of controllers or service platforms (nodes) uniquely defined by
a profile configuration. Within the cluster, members discover and establish connections to other
members and provide wireless network self-healing support in the event of member's failure.
A cluster's load balance is typically distributed evenly amongst its members. An administrator needs to
define how often the profile is load balanced for radio distribution, as radios can come and go and
members join and exit the cluster.
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}
Parameters
create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}
level [1|2] Optional. Configures the routing level for this cluster
• 1 – Configures level 1 (local) routing
• 2 – Configures level 2 (inter-site) routing
Examples
nx9500-6C8809#create-cluster name TechPubs1 ip 192.168.13.8 level 2
... creating cluster
... committing the changes
... saving the changes
Please Wait .
[OK]
nx9500-6C8809#
nx9500-6C8809#show cluster configuration
Related Commands
cluster (user and privi exec modes) on page 54 Initiates cluster context. The cluster context provides centralized
management to configure all cluster members from any one
member.
join-cluster (user and privi exec modes) on page 90 Adds a wireless controller or service platform, as a member, to an
existing cluster of controllers
This command also enables trustpoint configuration. Trustpoints contain the CA's identity and
configuration parameters.
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
crypto [key|pki]
crypto key [export|generate|import|zeroize]
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|on|passphrase}
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL>
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|on|passphrase}
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL>
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}
crypto pki [authenticate|export|generate|import|zeroize]
crypto pki authenticate <TRUSTPOINT-NAME> <LOCATION-URL> {background} {(on <DEVICE-NAME>)}
crypto pki export [request|trustpoint]
crypto pki export request [generate-rsa-key|short|use-rsa-key] <RSA-KEYPAIR-NAME>
[autogen-subject-name|subject-name]
crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name
[<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>]
crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name
(<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key]
<RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION>
<ORGANIZATION-UNIT>
(<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL>
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>
[autogen-subject-name|subject-name]
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>
autogen-subject-name {(email <SEND-TO-EMAIL>, fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>
subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT>
{(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
crypto pki import [certificate|crl|trustpoint]
crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background}
{(on <DEVICE-NAME>)}
crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL>
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}
Parameters
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL>
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
Note: All device certificates associated with this key will also be
deleted.
url Specify CA’s location. Both IPv4 and IPv6 address formats are
supported.
fqdn <FQDN> Exports CSR to a specified FQDN (Fully Qualified Domain Name)
• <FQDN> – Specify the CA’s FQDN.
[generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] <RSA-KEYPAIR-NAME> Generates a new RSA Keypair or uses an existing RSA Keypair
• generate-rsa-key – Generates a new RSA Keypair for digital
authentication
• short [generate-rsa-key|use-rsa-key] – Generates and exports a
shorter version of the CSR
◦ generate-rsa-key – Generates a new RSA Keypair for digital
authentication. If generating a new RSA Keypair, specify a
name for it.
◦ use-rsa-key – Uses an existing RSA Keypair for digital
authentication. If using an existing RSA Keypair, specify its
name.
• use-rsa-key – Uses an existing RSA Keypair for digital
authentication
◦ <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair,
specify a name for it. If using an existing RSA Keypair, specify
its name.
<EXPORT-TO-URL> Specify the destination address. Both IPv4 and IPv6 address
formats are supported. The trustpoint is exported to the address
specified here.
background Optional. Performs export operation in the background. If selecting
this option, you can optionally specify the device (access point or
controller) to perform the export on
passphrase <KEY-PASSPHRASE> background Optional. Encrypts the key with a passphrase before exporting
• <KEY-PASSPHRASE> – Specify the passphrase to encrypt the
trustpoint.
◦ background – Optional. Performs export operation in the
background. After specifying the passphrase, optionally
specify the device (access point or controller) to perform the
export on.
[generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> Generates a new RSA Keypair, or uses an existing RSA Keypair
• generate-rsa-key – Generates a new RSA Keypair for digital
authentication
• use-rsa-key – Uses an existing RSA Keypair for digital
authentication
◦ <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair,
specify a name for it. If using an existing RSA Keypair, specify
its name.
[generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> Generates a new RSA Keypair, or uses an existing RSA Keypair
• generate-rsa-key – Generates a new RSA Keypair for digital
authentication
• use-rsa-key – Uses an existing RSA Keypair for digital
authentication
◦ <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair,
specify a name for it. If using an existing RSA Keypair, specify
its name.
<IMPORT-FROM-URL> Specify the signed server certificate or CRL source address. Both
IPv4 and IPv6 address formats are supported.
The server certificate or the CRL (based on the parameter passed in
the preceding step) is imported from the location specified here.
background Optional. Performs import operation in the background. If selecting
this option, you can optionally specify the device (access point or
controller) to perform the import on.
on <DEVICE-NAME> The following parameter is recursive and optional:
• on <DEVICE-NAME> – Optional. Performs import operation on a
specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
<IMPORT-FROM-URL> Specify the trustpoint source address. Both IPv4 and IPv6 address
formats are supported.
background Optional. Performs import operation in the background. If selecting
this option, you can optionally specify the device (access point or
controller) to perform the import on.
del-key Optional. Deletes the private key associated with the server
certificate. Optionally specify the device to perform deletion on.
on <DEVICE-NAME> The following parameter is recursive and optional:
• on <DEVICE-NAME> – Optional. Deletes the trustpoint on a
specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
Usage Guidelines
The system supports both IPv4 and IPv6 address formats. Provide source and destination locations
using any one of the following options:
• IPv4 URLs:
tftp://<hostname|IPv4>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IPv4>[:port]/path/file
sftp://<user>@<hostname|IPv4>[:port]/path/file
http://<hostname|IPv4>[:port]/path/file
cf:/path/file
usb<n>:/path/file
• IPv6 URLs:
tftp://<hostname|IPv6>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IPv6>[:port]/path/file
sftp://<user>@<hostname|IPv6>[:port]/path/file
http://<hostname|IPv6>[:port]/path/file
Examples
NOC-NX9500#crypto key generate rsa key 2048
RSA key size > 2048. Key generation started in background.
NOC-NX9500#
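The URL forms in the Usage Guidelines include transports that send the file unencrypted (tftp, ftp, http) and an ftp form that carries the password in the command line, while the passphrase option is what encrypts an exported key. The following Python sketch is an added example, not part of the guide or of WiNG: it reviews recorded CLI command lines for key and trustpoint transfers that use those transports, embed a password, or omit the passphrase, and it also covers the `database keyfile [export|import] <URL>` syntax. The session lines, addresses, and credentials are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Schemes from the guide's URL list that carry the file unencrypted.
CLEARTEXT_SCHEMES = {"tftp", "ftp", "http"}

# (label, pattern, whether that command's syntax offers "passphrase").
# Patterns follow the Syntax lines for crypto and database keyfile.
RULES = [
    ("crypto key export",
     re.compile(r"^crypto key export rsa \S+ (?P<url>\S+)(?P<rest>.*)$"), True),
    ("crypto key import",
     re.compile(r"^crypto key import rsa \S+ (?P<url>\S+)(?P<rest>.*)$"), True),
    ("crypto pki export trustpoint",
     re.compile(r"^crypto pki export trustpoint \S+ (?P<url>\S+)(?P<rest>.*)$"), True),
    ("crypto pki import trustpoint",
     re.compile(r"^crypto pki import trustpoint \S+ (?P<url>\S+)(?P<rest>.*)$"), True),
    ("database keyfile",
     re.compile(r"^database keyfile (?:export|import) (?P<url>\S+)(?P<rest>.*)$"), False),
]

PROMPT = re.compile(r"^[^\s#>]*[#>]\s*")      # e.g. "NOC-NX9500#"
PASSPHRASE = re.compile(r"\bpassphrase\s+\S+")

# Constructed session lines (not taken from the guide).
SAMPLE_HISTORY = """\
NOC-NX9500#crypto key generate rsa key 2048
NOC-NX9500#crypto key export rsa key tftp://192.0.2.10/keys/key.pem
NOC-NX9500#crypto key export rsa key ftp://backup:Winter2020@192.0.2.10/keys/key.pem passphrase Xk29dd background
NOC-NX9500#crypto pki export trustpoint tp1 sftp://backup@192.0.2.10/tp/tp1.tar passphrase Xk29dd background on NOC-NX9500
NOC-NX9500#crypto pki import trustpoint tp1 sftp://backup@[2001:db8::10]/tp/tp1.tar
NOC-NX9500#database keyfile export http://192.0.2.10/db/keyfile
NOC-NX9500#show clock
"""


def redact(url):
    """Mask a password embedded in the URL so reports do not repeat it."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return parts._replace(netloc=f"{parts.username}:***@{host}").geturl()


def audit(lines):
    """Return (line number, command, redacted URL, flags) per risky transfer."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        command = PROMPT.sub("", raw.strip())
        for label, pattern, has_passphrase in RULES:
            match = pattern.match(command)
            if not match:
                continue
            url = match.group("url")
            parts = urlsplit(url)
            flags = []
            if parts.scheme in CLEARTEXT_SCHEMES:
                flags.append("cleartext-transport")
            if parts.password is not None:
                flags.append("password-in-url")
            if has_passphrase and not PASSPHRASE.search(match.group("rest")):
                flags.append("no-passphrase")
            if flags:
                findings.append((number, label, redact(url), flags))
            break
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HISTORY.splitlines()):
        print(finding)
```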
Related Commands
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}
Parameters
crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}
Examples
NOC-NX9500#crypto-cmp-cert-update test on NOC-NX9500
CMP Cert update success
NOC-NX9500#
If enforcing authenticated access to the database, use this command to generate the keyfile. Every
keyfile has a set of associated users having a username and password. Access to the database is
allowed only if the user credentials entered during database login are valid. For more information on
enabling database authentication, see Enabling Database Authentication.
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
Syntax
database [drop|keyfile|repair]
database drop [all|captive-portal]
database repair {on <DEVICE-NAME>}
database keyfile [export|generate|import|zerzoise]
database keyfile generate
database keyfile [export|import] <URL>
database keyfile zerzoise
Parameters
database drop [all|captive-portal]
database drop [all|captive-portal] – Drops (deletes) all or a specified database. Execute the command
on the database.
• all – Drops all databases, captive portal and NSight
• captive-portal – Drops the captive-portal database
database repair on <DEVICE-NAME> – Enables automatic repairing of all databases. Repairing (vacuuming)
a database refers to the process of finding and reclaiming space left over from previous DELETE
statements. Execute the command on the database host.
• on <DEVICE-NAME> – Optional. Specifies the name of the
database host. When specified, databases on the specified host
are periodically checked to identify and remove obsolete data
documents.
◦ <DEVICE-NAME> – Specify the name of the access point,
wireless controller, or service platform.
database keyfile generate – Enables database keyfile management. This command is part of a set of
configurations required to enforce database authentication. Use this command to generate database
keyfiles. After generating the keyfile, create the username and password combination required to
access the database. For information on creating database users, see service on page 713. For
information on enabling database authentication, see Enabling Database Authentication.
• generate – Generates the keyfile. In case of a replica-set
deployment, execute the command on the primary database
host. Once generated, export the keyfile to a specified location
from where it is imported on to the replica-set hosts.
database keyfile [export|import] <URL> – Enables database keyfile management. This command is part of
a set of configurations required to enforce database authentication. Use this command to exchange
keyfiles between replica set members.
• export – Exports the keyfile to a specified location on an FTP/
SFTP/TFTP server. Execute the command on the database host
on which the keyfile has been generated.
• import – Imports the keyfile from a specified location. Execute
the command on the replica set members.
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
tftp://<hostname|IP>[:port]/path/file
database keyfile zerzoise – Enables database keyfile management. Use this command to delete keyfiles.
• zerzoise – Deletes an existing keyfile.
Examples
vx9000-1A1809#database keyfile generate
Database keyfile successfully generated
vx9000-1A1809#
vx9000-1A1809#database keyfile export ftp://1.1.1.111/db-key
Database keyfile successfully exported
vx9000-1A1809#
vx9000-D031F2#database keyfile import ftp://1.1.1.111/db-key
Database keyfile successfully imported
vx9000-D031F2#
b. Use the show > database > keyfile command to view the generated keyfile.
c. Export the keyfile to an external location. This is required only in case of database replica-set
deployment.
Primary-DB-HOST>database keyfile export ftp://1.1.1.111/db-key
Database keyfile successfully exported
Primary-DB-HOST>
--------------------------------
Primary-DB-HOST#
2. On the replica set host, import the keyfile from the location specified in Step 1 c.
Secondary-DB-HOST#database keyfile import ftp://1.1.1.111/db-key
a. Enable authentication.
Primary-DB-HOST(config-database-policy-techpubs)#authentication
4. In the database-client policy context (used on the NSight/EGuest server host). Note that this
configuration is required only if the NSight/EGuest server and database are hosted on separate
hosts.
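The audit below is an added example, not part of the WiNG guide or of Extreme Networks code. It scans a saved CLI transcript for the transfer URL formats and password arguments documented above, flags keyfile, backup and key-export transfers that use a cleartext scheme (ftp, tftp, http), and redacts secrets before a line is stored. The function names, finding labels and the third sample command are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Network schemes from the guide's URL formats; of these only sftp encrypts the transfer.
CLEARTEXT_SCHEMES = {"ftp", "tftp", "http"}

# Commands from this guide that move key material or database contents.
SENSITIVE_COMMANDS = (
    "database keyfile export",
    "database keyfile import",
    "database-backup",
    "database-restore",
    "file-sync load-file trustpoint",
    "crypto key export",
)

PROMPT = re.compile(r"^[^\s#>]+[#>]\s*")            # e.g. "vx9000-1A1809#" or "host>"
URL = re.compile(r"\b(?:ftp|sftp|tftp|http)://\S+")
SECRET_ARG = re.compile(r"\b(password|passphrase)\s+(\S+)")


def split_prompt(line):
    """Return the command typed after a 'host#' / 'host>' prompt, or None for output lines."""
    match = PROMPT.match(line)
    return line[match.end():].strip() if match else None


def _parse(url):
    """Parse a transfer URL; malformed URLs (for example a bad IPv6 literal) yield None."""
    try:
        return urlsplit(url)
    except ValueError:
        return None


def redact(command):
    """Mask URL passwords and 'password <WORD>' / 'passphrase <WORD>' arguments."""
    def mask_url(match):
        parts = _parse(match.group(0))
        if parts is None or parts.password is None:
            return match.group(0)
        return match.group(0).replace(":" + parts.password + "@", ":****@", 1)

    command = URL.sub(mask_url, command)
    return SECRET_ARG.sub(lambda m: m.group(1) + " ****", command)


def audit(command):
    """Return finding labels for one command (labels are this example's own)."""
    findings = []
    if SECRET_ARG.search(command):
        findings.append("secret-on-command-line")
    sensitive = command.startswith(SENSITIVE_COMMANDS)
    for raw in URL.findall(command):
        parts = _parse(raw)
        if parts is None:
            continue
        if parts.password:
            findings.append("password-in-url")
        if sensitive and parts.scheme in CLEARTEXT_SCHEMES:
            findings.append("cleartext-transfer:" + parts.scheme)
    return findings


def audit_transcript(text):
    """Return (line number, redacted command, findings) for every flagged command line."""
    report = []
    for number, line in enumerate(text.splitlines(), start=1):
        command = split_prompt(line)
        if not command:
            continue  # command output or blank line
        findings = audit(command)
        if findings:
            report.append((number, redact(command), findings))
    return report


# Constructed transcript: lines 1-3 reuse commands shown in this guide,
# line 4 is an invented backup command with an invented password.
SAMPLE = """\
vx9000-1A1809#database keyfile export ftp://1.1.1.111/db-key
Database keyfile successfully exported
rfs4000-229D58>join-cluster 192.168.13.15 user admin password superuser level 1 mode standby
nx9500-6C8809#database-backup database nsight sftp://backup:Example-Pw1@192.0.2.10/backups/nsight.tar.gz
nx9500-6C8809#show adoption status
"""

if __name__ == "__main__":
    for number, command, findings in audit_transcript(SAMPLE):
        print(f"line {number}: {', '.join(findings)}\n    {command}")
```

A keyfile export over ftp or tftp is reported even though the URL carries no password, because the file itself is the replica-set authentication secret.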
Related Commands
• database-backup (user and privi exec modes) on page 74 – Backs up captive-portal and/or NSight
database to a specified location and file on an FTP or SFTP server
• database-restore (user and privi exec modes) on page 73 – Restores a previously exported database
[captive-portal and/or NSight]
• database-policy global config on page 403 – Documents database-policy configuration commands. Use
this option to enable the database.
• database-client-policy global-config on page 399 – Documents database-client-policy configuration
commands. Use this option to configure the database host details (IP address or hostname). If
enforcing database authentication, use it to configure the users having database access. Once
configured, use the policy in the NSight/EGuest server’s device config context.
• service on page 713 – Documents the database user account configuration details
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
Syntax
database-restore database [captive-portal|nsight] <URL>
Parameters
database-restore database [captive-portal|nsight] <URL>
Examples
nx9500-6C874D#database-restore database nsight ftp://anonymous:[email protected]/
backups/nsight/nsight.tar.gz
Related Commands
• database (user and privi exec modes) on page 69 – Enables automatic repairing (vacuuming) and
dropping of databases (captive-portal and NSight)
• database-backup (user and privi exec modes) on page 74 – Backs up captive-portal and/or NSight
database to a specified location and file on an FTP or SFTP server
Backs up captive-portal and/or NSight database to a specified location and file on an FTP, SFTP, or
TFTP server. Execute this command on the database host.
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
Parameters
database-backup database [captive-portal|nsight] <URL>
database-backup database [captive-portal|nsight] – Backs up captive portal and/or NSight database to a
specified location. Select the database to back up:
• captive-portal – Backs up captive portal database
• nsight – Backs up NSight database
After specifying the database type, configure the destination location.
database-backup database nsight-placement-info <URL> – Backs up the NSight access point placement
related details to a specified location
• <URL> – Specify the URL in one of the following formats:
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
tftp://<hostname|IP>[:port]/path/file.tar.gz
Related Commands
• database (user and privi exec modes) on page 69 – Enables automatic repairing (vacuuming) and
dropping of databases (captive-portal and/or NSight)
• database-restore (user and privi exec modes) on page 73 – Restores a previously exported (backed up)
database (captive-portal and/or NSight)
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
In a hierarchically managed (HM) network, this command enables centralized device upgrades
across the network.
The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a
single Network Operations Center (NOC) controller. The NOC controller constitutes the first tier and
the site controllers constitute the second tier of the hierarchy. The site controllers may or may not
be grouped to form clusters. The site controllers in turn adopt and manage access points that form the
third tier of the hierarchy.
Note
Hierarchical management allows the NOC controller to upgrade controllers and access points
that are directly or indirectly adopted to it. However, ensure that the NOC controller is loaded
with the correct firmware version.
Use the device-upgrade command to schedule firmware upgrades across adopted devices within the
network. Devices are upgraded based on their device names, MAC addresses, or RF Domain.
Note
If the persist-images option is selected, the RF Domain manager retains the old firmware
image, or else deletes it. For more information on enabling device upgrade on profiles and
devices (including the ‘persist-images’ option), see device-upgrade on page 1082.
Note
A NOC controller’s capacity is equal to, or higher than that of a site controller. The following
devices can be deployed at NOC and sites:
• NOC controller – NX9500, NX9600, VX9000
• Site controller – RFS4010, NX5500, or NX7500
Note
Standalone devices have to be manually upgraded.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
device-upgrade [<MAC/HOSTNAME>|all|ap7502|ap7522|ap7532|ap7602|ap7612|ap7622|
ap7632|ap7662|ap8163|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000|
cancel-upgrade|load-image|rf-domain]
device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME>
{no-reboot|reboot-time <TIME>}}
device-upgrade all {no-reboot|reboot-time <TIME>|upgrade-time <TIME>
{no-reboot|reboot-time <TIME>}} {(staggered-reboot)}
device-upgrade [ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|
ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000] all
{force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}}
{(staggered-reboot)}
device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap7502|ap7522|ap7532|ap7562|
ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|
nx9600|vx9000|on rf-domain [<RF-DOMAIN-NAME>|all]]
device-upgrade load-image [ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000]
{<IMAGE-URL>|on <DEVICE-OR-DOMAIN-NAME>}
device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>]
[all|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|
rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|from-controller|
no-reboot|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}
Parameters
device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME>
{no-reboot|reboot-time <TIME>}}
upgrade-time <TIME> {no-reboot|reboot-time <TIME>} – Optional. Schedules an automatic firmware upgrade
on all devices, of the specified type, on a specified day and time
• <TIME> – Specify the upgrade time in the MM/DD/YYYY-HH:MM
or HH:MM format. The following actions can be performed after
a scheduled upgrade:
◦ no-reboot – Optional. Disables automatic reboot after a
successful upgrade (the device must be manually restarted)
◦ reboot-time <TIME> – Optional. Schedules an automatic
reboot after a successful upgrade. Specify the reboot time in
the MM/DD/YYYY-HH:MM or HH:MM format.
device-upgrade [ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|
ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000] all
device-upgrade <DEVICE-TYPE> all – Upgrades firmware on all devices of a specific type. Select the
device type.
After selecting the device type, schedule an automatic upgrade and/or an automatic reboot.
force – Optional. Select this option to force upgrade on the selected device(s). When selected, the
devices are upgraded even if they have the same firmware as the upgrading access point, wireless
controller, or service platform. If forcing a device upgrade, optionally specify any one of the
following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must be
manually restarted)
reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade
• <TIME> – Optional. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
upgrade-time <TIME> {no-reboot|reboot-time <TIME>} – Optional. Schedules an automatic firmware upgrade
on all devices, of the specified type, on a specified day and time
• <TIME> – Specify the upgrade time in the MM/DD/YYYY-HH:MM
or HH:MM format. The following actions can be performed after
a scheduled upgrade:
◦ no-reboot – Optional. Disables automatic reboot after a
successful upgrade (the device must be manually restarted)
◦ reboot-time <TIME> – Optional. Schedules an automatic
reboot after a successful upgrade. Specify the reboot time in
the MM/DD/YYYY-HH:MM or HH:MM format.
ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000|
on rf-domain [<RF-DOMAIN-NAME>|all]]
load-image <DEVICE-TYPE> – Loads device firmware image from a specified location. Use this command to
specify the device type and the location of the corresponding image file.
• <DEVICE-TYPE> – Specify the device type.
After specifying the device type, provide the location of the required device firmware image.
<IMAGE-URL> – Specify the device’s firmware image location in one of the following formats:
IPv4 URLs:
• tftp://<hostname|IP>[:port]/path/file
• ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
• sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
• http://<hostname|IP>[:port]/path/file
• cf:/path/file
• usb<n>:/path/file
IPv6 URLs:
• tftp://<hostname|IPv6>[:port]/path/file
• ftp://<user>:<passwd>@<hostname|IPv6>[:port]/path/file
• sftp://<user>:<passwd>@<hostname|IPv6>[:port]/path/file
• http://<hostname|IPv6>[:port]/path/file
on <DEVICE-OR-DOMAIN-NAME> – Specify the name of the device or RF Domain. The image of the specified
device type is loaded from the device specified here. In case of an RF Domain, the image available on
the RF Domain manager is loaded.
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF
Domain.
force – Optional. Select this option to force upgrade for the selected device(s). When selected, the
devices are upgraded even if they have the same firmware as the upgrading access point, wireless
controller, or service platform. If forcing a device upgrade, optionally specify any one of the
following options: no-reboot, reboot-time, upgrade-time, or reboot-time.
Examples
nx9500-6C8809#show adoption status
--------------------------------------------------------------------------------------------------------------------------------
DEVICE-NAME    VERSION       CFG-STAT          MSGS  ADOPTED-BY     LAST-ADOPTION    UPTIME            IPv4-ADDRESS
--------------------------------------------------------------------------------------------------------------------------------
ap8432-070235  5.9.7.0-001D  version-mismatch  No    nx9500-6C8809  0 days 00:49:26  55 days 02:40:43  10.234.160.13
ap7562-84A224  5.9.7.0-001D  version-mismatch  No    nx9500-6C8809  0 days 00:49:26  55 days 02:40:18  10.234.160.6
ap7532-DF9A4C  5.9.7.0-001D  version-mismatch  No    nx9500-6C8809  0 days 00:49:26  55 days 02:40:41  10.234.160.12
--------------------------------------------------------------------------------------------------------------------------------
Total number of devices displayed: 3
nx9500-6C8809#
nx9500-6C8809#device-upgrade rf-domain WiNG5 all
In progress ....
---------------------------------------------------------------------------------------------------------
CONTROLLER         STATUS   MESSAGE
---------------------------------------------------------------------------------------------------------
B4-C7-99-6C-88-09  Success  WiNG5(device type-count: ap7562-1 ap7532-1 ap8432-1 added for upgrade),
---------------------------------------------------------------------------------------------------------
nx9500-6C8809#
nx9500-6C8809#show device-upgrade status
Number of devices currently being upgraded : 1
Number of devices waiting in queue to be upgraded : 0
Number of devices currently being rebooted : 0
Number of devices waiting in queue to be rebooted : 1
disable
This command can be executed in the Priv Exec Mode only. This command turns off (disables) the
privileged mode command set and returns you to the User Executable Mode. The prompt changes from
nx9500-6C8809# to nx9500-6C8809>.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
disable
Parameters
None
Examples
nx9500-6C8809#disable
nx9500-6C8809>
enable
Turns on (enables) the privileged mode command set. The prompt changes from nx9500-6C8809> to
nx9500-6C8809#. This command does not do anything in the Privilege Executable mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
enable
Parameters
None
Examples
nx9500-6C8809>enable
nx9500-6C8809#
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
file-sync [cancel|load-file|trustpoint|wireless-bridge]
file-sync cancel [trustpoint|wireless-bridge]
file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain
[<DOMAIN-NAME>|all]]
file-sync load-file [trustpoint|wireless-bridge]
file-sync load-file [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] <URL>
file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|rf-domain
[<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}
Parameters
file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|
all]]
file-sync load-file [trustpoint|wireless-bridge] <URL> – Loads the following files on to the staging
controller:
• trustpoint – Loads the trustpoint, including CA certificate, server certificate and private key
• wireless-bridge – Loads the wireless-bridge certificate to the staging controller. Use this command
to load the certificate to the controller before scheduling or initiating a certificate
synchronization.
◦ <URL> – Provide the trustpoint/certificate location using one of the following formats:
tftp://<hostname|IP>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
http://<hostname|IP>[:port]/path/file
cf:/path/file
usb<n>:/path/file
Examples
NOC-NX9500>file-sync wireless-bridge ap7532-11E6C4 upload-time 09/01/2019-12:30
--------------------------------------------------------------------------------
CONTROLLER STATUS MESSAGE
--------------------------------------------------------------------------------
help
Describes the interactive help system. Use this command to access the advanced help feature. Use "?"
anytime at the command prompt to access the help topic.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
help {search|show}
help {search <WORD>} {detailed|only-show|skip-no|skip-show}
Parameters
help {search <WORD>} {detailed|only-show|skip-no|skip-show}
search <WORD> – Optional. Searches for CLI commands related to a specific target term
• <WORD> – Specify a target term (for example, a feature or a configuration parameter). After
specifying the term, select one of the following options: detailed, only-show, skip-no, or
skip-show. The system displays information based on the option selected.
Examples
nx9500-6C8809>help search crypto detailed
found more than 64 references, showing the first 64
Context : Command
Command : clear crypto ike sa (A.B.C.D|all)(|on DEVICE-NAME)
\ Clear
\ Encryption Module
\ IKE SA
\ Flush IKE SAs
\ Flush IKE SAs for a given peer
\ Flush all IKE SA
\ On AP/Controller
\ AP/Controller name
: crypto key export rsa WORD URL (passphrase WORD|) (background|) ...
\ Encryption related commands
--More--
nx9500-6C8809>
nx9500-6C8809>help search crypto only-show
Context : Command
Command : show crypto cmp request status(|on DEVICE-NAME)
: show crypto ike sa (version 1|version 2|)(peer A.B.C.D|) (detail...
: show crypto ipsec sa (peer A.B.C.D|) (detail|) (|on DEVICE-NAME...
: show crypto key rsa (|public-key-detail) (|on DEVICE-NAME)
: show crypto pki trustpoints (WORD|all|)(|on DEVICE-NAME)
nx9500-6C8809>
nx9500-6C8809>help search service skip-show
found more than 64 references, showing the first 64
Context : Command
Command : service block-adopter-config-update
: service clear adoption history(|on DEVICE-NAME)
: service clear captive-portal-page-upload history (|(on DOMAIN-NA...
: service clear command-history(|on DEVICE-NAME)
: service clear device-upgrade history (|on DOMAIN-NAME)
: service clear noc statistics
: service clear reboot-history(|on DEVICE-NAME)
: service clear unsanctioned aps (|on DEVICE-OR-DOMAIN-NAME)
: service clear upgrade-history(|on DEVICE-NAME)
: service clear web-filter cache(|on DEVICE-NAME)
: service clear wireless ap statistics (|(AA-BB-CC-DD-EE-FF)) (|on...
: service clear wireless client statistics (|AA-BB-CC-DD-EE-FF) (|...
: service clear wireless controller-mobility-database
: service clear wireless dns-cache(|on DEVICE-OR-DOMAIN-NAME)
: service clear wireless radio statistics (|(DEVICE-NAME (|<1-3>))...
: service clear wireless wlan statistics (|WLAN) (|on DEVICE-OR-DO...
Context : Command
Command : show debugging mint (|on DEVICE-OR-DOMAIN-NAME)
: show mint config(|on DEVICE-NAME)
: show mint dis (|details)(|on DEVICE-NAME)
: show mint id(|on DEVICE-NAME)
: show mint info(|on DEVICE-NAME)
: show mint known-adopters(|on DEVICE-NAME)
: show mint links (|details)(|on DEVICE-NAME)
: show mint lsp
: show mint lsp-db (|details AA.BB.CC.DD)(|on DEVICE-NAME)
: show mint mlcp history(|on DEVICE-NAME)
: show mint mlcp(|on DEVICE-NAME)
: show mint neighbors (|details)(|on DEVICE-NAME)
: show mint route(|on DEVICE-NAME)
: show mint stats(|on DEVICE-NAME)
: show mint tunnel-controller (|details)(|on DEVICE-NAME)
: show mint tunneled-vlans(|on DEVICE-NAME)
: show wireless mint client (|on DEVICE-OR-DOMAIN-NAME)
: show wireless mint client portal-candidates(|(DEVICE-NAME (|<1-3...
: show wireless mint client statistics (|on DEVICE-OR-DOMAIN-NAME)...
: show wireless mint client statistics rf (|on DEVICE-OR-DOMAIN-NA...
: show wireless mint detail (|(DEVICE-NAME (|<1-3>))) (|(filter {|...
: show wireless mint links (|on DEVICE-OR-DOMAIN-NAME)
: show wireless mint portal (|on DEVICE-OR-DOMAIN-NAME)
: show wireless mint portal statistics (|on DEVICE-OR-DOMAIN-NAME)...
: show wireless mint portal statistics rf (|on DEVICE-OR-DOMAIN-NA...
nx9500-6C8809>
Note
This command only initiates the search process. It does not return the actual GPS coordinates.
To view the coordinates, execute the following command:
show gps coordinates {on <DEVICE-NAME>}
Syntax
gps search [start|stop] {on <DEVICE-NAME>}
Parameters
gps search [start|stop] {on <DEVICE-NAME>}
gps search [start|stop] Triggers the GPS hardware to start or stop the GPS coordinates
search process
• start - The GPS hardware starts the search process.
• stop - The GPS hardware stops the search process.
Note: If you do not specify a device name, the system initiates the search on the logged-in device.
If the logged-in device is not an AP7662 model access point, an error message is returned.
Examples
ap7662-8BDE4D#gps search start
Started GPS Search, please check back after some time.
ap7662-8BDE4D#
ap7662-8BDE4D#show gps coordinates
GPS Search is in progress.
Last location recorded at UTC time : Mon Apr 23 22:10:54 2018 : Latitude : 13.036N
Longitude : 77.3827E
ap7662-8BDE4D#
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
join-cluster <IP> user <USERNAME> password <WORD> {level|mode}
join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode [active|standby]}
Parameters
join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode [active|standby]}
Usage Guidelines
After adding a device to a cluster, execute the "write memory" command to ensure the configuration
persists across reboots.
Examples
rfs4000-229D58>join-cluster 192.168.13.15 user admin password superuser level 1
mode standby
... connecting to 192.168.13.15
... applying cluster configuration
... committing the changes
... saving the changes
[OK]
rfs4000-229D58>
rfs4000-229D58>show context
!
! Configuration of RFS4000 version 5.9.6.0-004D
!
!
version 2.6
!
!
................................................................................
cluster name TechPubs
cluster mode standby
cluster member ip 192.168.13.15 level 1
logging on
logging console warnings
logging buffered warnings
!
!
end
rfs4000-229D58>
Related Commands
• create-cluster (user and privi exec modes) on page 56 – Creates a new cluster on the specified device
• cluster (user and privi exec modes) on page 54 – Initiates cluster context. The cluster context
enables centralized management and configuration of all cluster members from any one member.
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
l2tpv3 tunnel [<TUNNEL-NAME>|all]
l2tpv3 tunnel <TUNNEL-NAME> [down|session|up]
l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}
l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}
l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}
Parameters
l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}
Examples
nx9500-6C8809#l2tpv3 tunnel TestTunnel session TestTunnelSession1 up on rfs4000-6DB5D4
Note
For more information on the L2TPV3 tunnel configuration mode and commands, see L2TPV3-POLICY
on page 1876.
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational|
notifications|warnings}
Parameters
logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational|
notifications|warnings}
monitor Sets the terminal lines logging levels. The logging severity levels can
be set from 0 - 7. The system configures default settings, if no
logging severity level is specified.
• <0-7> – Optional. Specify the logging severity level from 0-7.
The various levels and their implications are as follows:
• alerts – Optional. Immediate action needed (severity=1)
• critical – Optional. Critical conditions (severity=2)
• debugging – Optional. Debugging messages (severity=7)
• emergencies – Optional. System is unusable (severity=0)
• errors – Optional. Error conditions (severity=3)
• informational – Optional. Informational messages (severity=6)
• notifications – Optional. Normal but significant conditions
(severity=5)
• warnings – Optional. Warning conditions (severity=4)
Examples
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#logging on
nx9500-6C8809>logging monitor debugging
nx9500-6C8809>show logging
Related Commands
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mint [ping|traceroute]
mint ping <MINT-ID> {(count <1-10000>|size <1-64000>|timeout <1-10>)}
mint traceroute <MINT-ID> {(destination-port <1-65535>|max-hops <1-255>|
source-port <1-65535>|timeout <1-255>)}
Parameters
mint ping <MINT-ID> {(count <1-10000>|size <1-64000>|timeout <1-10>)}
count <1-10000> – Optional. Sets the number of ping packets sent to the specified MiNT destination
• <1-10000> – Specify a value from 1 - 10000. The default is 3.
destination-port <1-65535> – Optional. Sets the Equal-cost Multi-path (ECMP) routing destination port
• <1-65535> – Specify a value from 1 - 65535. The default port is 45.
max-hops <1-255> – Optional. Sets the maximum number of hops a traceroute packet traverses in the
forward direction
• <1-255> – Specify a value from 1 - 255. The default is 30.
timeout <1-255> – Optional. Sets the minimum response time period in seconds
• <1-255> – Specify a value from 1 sec - 255 sec. The default is 30 seconds.
Examples
nx9500-6C8809#mint ping 75.07.02.35
MiNT ping 75.07.02.35 with 64 bytes of data.
Response from 75.07.02.35: id=16777216 time=0.130 ms
Response from 75.07.02.35: id=33554432 time=0.152 ms
Response from 75.07.02.35: id=50331648 time=0.163 ms
no (user-exec-mode)
Use the no command to remove a setting or to revert a setting to its default value.
Note
The commands have their own set of parameters that can be reset.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
no [adoption|captive-portal|crypto|debug|logging|page|service|terminal|
virtual-machine|wireless]
no adoption {on <DEVICE-OR-DOMAIN-NAME>}
no captive-portal client [captive-portal <CAPTIVE-PORTAL-NAME>|mac <MAC>]
{on <DEVICE-OR-DOMAIN-NAME>}
no crypto pki [server|trustpoint]
no crypto pki [server|trustpoint] <TRUSTPOINT-NAME> {del-key {on <DEVICE-NAME>}|
on <DEVICE-NAME>}
no logging monitor
no page
no service [block-adopter-config-update|locator|snmp|ssm|wireless]
no service snmp sysoid wing5
no service block-adopter-config-update
no service ssm trace pattern {<WORD>} {on <DEVICE-NAME>}
no service wireless [trace pattern {<WORD>} {on <DEVICE-NAME>}|
unsanctioned ap air-terminate <BSSID> {on <DOMAIN-NAME>}]
no service locator {on <DEVICE-NAME>}
no terminal [length|width]
no virtual-machine assign-usb-ports {on <DEVICE-NAME>}
no wireless client [all|<MAC>]
no wireless client all {filter|on}
no wireless client all {filter [wlan <WLAN-NAME>]}
no wireless client all {on <DEVICE-OR-DOMAIN-NAME>} {filter [wlan <WLAN-NAME>]}
no wireless client mac <MAC> {on <DEVICE-OR-DOMAIN-NAME>}
Parameters
no <PARAMETERS>
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same
parameters associated with the command getting negated.
Examples
nx9500-6C8809>no adoption
nx9500-6C8809>no page
nx9500-6C8809>no service cli-tables-expand line
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
on rf-domain [<RF-DOMAIN-NAME>|all]
Parameters
on rf-domain [<RF-DOMAIN-NAME>|all]
on rf-domain [<RF-DOMAIN-NAME>|all] – Enters the RF Domain context based on the parameter specified
• <RF-DOMAIN-NAME> – Specify the RF Domain name. Enters the specified RF Domain context.
• all – Specifies all RF Domains.
Examples
nx9500-6C8809>on rf-domain TechPubs
nx9500-6C8809(TechPubs)>?
on RF-Domain Mode commands:
nx9500-6C8809(TechPubs)>
nx9500-6C8809(rf-domain-all)>?
on RF-Domain Mode commands:
nx9500-6C8809(rf-domain-all)>
nx9500-6C8809#on rf-domain WiNG5
nx9500-6C8809(WiNG5)#
nx9500-6C8809(WiNG5)#show adoption info
----------------------------------------------------------------------------------------------------
HOST-NAME      MAC                TYPE    MODEL              SERIAL-NUMBER
----------------------------------------------------------------------------------------------------
ap8432-070235  74-67-F7-07-02-35  ap8432  AP-8432-680B30-US  16009522200002
ap7562-84A224  84-24-8D-84-A2-24  ap7562  AP-7562-67040-US   15015522201502
ap7532-DF9A4C  84-24-8D-DF-9A-4C  ap7532  AP-7532-67030-WR   15265522204149
----------------------------------------------------------------------------------------------------
Total number of devices displayed: 3
nx9500-6C8809(WiNG5)#
OpenDNS is a free DNS service that enables swift Web navigation without frequent outages. It is a
reliable DNS service that provides the following services: DNS query resolution, Web-filtering,
protection against virus and malware attacks, performance enhancement, etc.
This command is part of a set of configurations that are required to integrate WiNG devices with
OpenDNS. When integrated, DNS queries going out of the WiNG device (access point, controller, or
service platform) are re-directed to OpenDNS (208.67.220.220 or 208.67.222.222) resolvers that act as
proxy DNS servers.
For more information on integrating WiNG devices with the OpenDNS site, see Example: Enabling
OpenDNS Support on page 101.
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
opendns [APIToken|username]
opendns APIToken <OPENDNS-APITOKEN>
opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>
Note
As per the current implementation, both of the above commands can be used to fetch
the device_id from the OpenDNS site.
Parameters
opendns APIToken <OPENDNS-APITOKEN>
opendns Fetches the device_id from the OpenDNS site using the OpenDNS API token
APIToken <OPENDNS-APITOKEN> Configures the OpenDNS APIToken. This is the token provided to you
by CISCO at the time of subscribing for their OpenDNS service.
• <OPENDNS-APITOKEN> – Provide the OpenDNS API token (should be a valid token).
For every valid OpenDNS API token provided, a device_id is
returned. Apply this device_id to WLANs that are to be OpenDNS
enabled. Once applied, DNS queries originating from associating
clients are appended with an additional 31 bytes of data
(representing the device ID) at the end of the DNS packet. For
information on configuring the device_id in the WLAN context, see
opendns on page 644.
opendns Fetches the device_id from the OpenDNS site using the OpenDNS credentials
username <USERNAME> Configures the OpenDNS user name. This is your OpenDNS email ID
provided by CISCO at the time of subscribing for their OpenDNS service.
• <USERNAME> – Provide the OpenDNS user name (should be a valid OpenDNS username).
password <OPENDNS-PSWD> Configures the password associated with the user name specified in
the previous step
• <OPENDNS-PSWD> – Provide the OpenDNS password (should be a valid OpenDNS password).
label <LABEL> Configures the network label. This is the label (the user-friendly name)
of your network, and should be the same as the label (name)
configured on the OpenDNS portal.
• <LABEL> – Specify your network label.
For every set of user name, password, and label passed, only one
unique device_id is returned. Apply this device_id to WLANs that
are to be OpenDNS enabled. Once applied, DNS queries originating
from associating clients are appended with an additional 31 bytes of
data (representing the device ID) at the end of the DNS packet. For
information on configuring the device_id in the WLAN context, see
opendns on page 644.
Usage Guidelines
Use your OpenDNS credentials to log on to the opendns.org site and use the labels, edit settings, and
customize content filtering options to configure Web filtering settings.
Example
ap7532-E6D512>opendns username [email protected] password opendns label company_name
Connecting to OpenDNS server...
device_id = 0014AADF8EDC6C59
ap7532-E6D512>
nx9600-7F3C7F>opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073
device_id = 001480fe36dcb245
nx9600-7F3C7F>
OR
nx9500-6C8809#opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>
Note
The OpenDNS API token and/or user account credentials are provided by the OpenDNS
service provider when subscribing for the OpenDNS service.
b. Apply the device_id fetched in step 1 to the WLAN.
nx9500-6C8809(config-wlan-opendns)#opendns device-id <OPENDNS-DEVICE-ID>
nx9500-6C8809(config-wlan-opendns)#opendns device-id 001480fe36dcb245
nx9500-6C8809(config-wlan-opendns)#show context
wlan opendns
ssid opendns
bridging-mode local
encryption-type none
authentication-type none
opendns device-id 001480fe36dcb245
nx9500-6C8809(config-wlan-opendns)#
Note
Once applied, DNS queries originating from wireless clients associating with the WLAN are
appended with an additional 31 bytes of data (representing the device ID) at the end of
the DNS packet.
2. Configure a DHCP server policy, and set the DHCP pool’s DNS server configuration to point to the
OpenDNS servers.
nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#dns-server 208.67.222.222
Note
You can configure any one of the following OpenDNS servers: 208.67.222.222 OR
208.67.222.220
nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#show context
dhcp-pool opendnsPool
dns-server 208.67.222.222
nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#
3. Apply the DHCP server policy configured in step 2 on the access point, controller, or service
platform.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#use dhcp-server-policy opendns
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include use
use profile default-nx9000
use rf-domain TechPubs
use database-policy default
use nsight-policy noc
use dhcp-server-policy opendns
use auto-provisioning-policy TechPubs
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
Note
When configured, DNS queries are forwarded by the access point, controller, or service
platform to the specified OpenDNS resolver.
4. Configure an IP Access Control List with the following permit and deny rules:
nx9500-6C8809(config-ip-acl-OpenDNS)#permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description "allow dns queries only to OpenDNS"
nx9500-6C8809(config-ip-acl-OpenDNS)#deny udp any any eq dns rule-precedence 10 rule-description "block all DNS queries"
nx9500-6C8809(config-ip-acl-OpenDNS)#permit ip any any rule-precedence 100 rule-description "allow all other ip packets"
nx9500-6C8809(config-ip-acl-OpenDNS)#show context
ip access-list OpenDNS
permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description "allow dns queries only to OpenDNS"
deny udp any any eq dns rule-precedence 10 rule-description "block all dns queries"
permit ip any any rule-precedence 100 rule-description "allow all other ip packets"
nx9500-6C8809(config-ip-acl-OpenDNS)#
Note
When configured and applied in the WLAN context, the IP ACL prevents wireless clients
from adding their own DNS servers to bypass the Web filtering and network policies
enforced by OpenDNS.
5. Apply the IP ACL configured in step 4 in the WLAN context.
nx9500-6C8809(config-wlan-opendns)#use ip-access-list out OpenDNS
nx9500-6C8809(config-wlan-opendns)#show context
wlan opendns
ssid opendns
vlan 1
bridging-mode local
encryption-type none
authentication-type none
use ip-access-list in OpenDNS
use ip-access-list out OpenDNS
opendns device-id 0014AADF8EDC6C59
nx9500-6C8809(config-wlan-opendns)#
Note
When applied to the WLAN, only the DNS queries directed to the OpenDNS server are
forwarded. All other DNS queries are dropped.
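The rule set from steps 4 and 5, modelled as an added example (this is not Extreme Networks code): a small Python evaluator that parses the three rules shown above and checks which port-53 flows they forward or drop. It assumes rules are evaluated in ascending rule-precedence with the first match winning and an implicit deny at the end; the Rule and Flow classes, the function names and the 192.0.2.53 test address are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rules as shown by `show context` for ip access-list OpenDNS on this page.
PAGE_ACL = """
permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description "allow dns queries only to OpenDNS"
deny udp any any eq dns rule-precedence 10 rule-description "block all dns queries"
permit ip any any rule-precedence 100 rule-description "allow all other ip packets"
"""

NAMED_PORTS = {"dns": 53}  # the only port keyword used on this page

# Parses only the rule shapes that appear on this page (source is always "any").
RULE_RE = re.compile(
    r'^(permit|deny)\s+(ip|udp|tcp)\s+any\s+(?:any|host\s+(\S+))'
    r'(?:\s+eq\s+(\S+))?\s+rule-precedence\s+(\d+)'
    r'(?:\s+rule-description\s+"([^"]*)")?$'
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    dst: Optional[ipaddress.IPv4Address]  # None means "any"
    dport: Optional[int]                  # None means any port
    precedence: int


@dataclass(frozen=True)
class Flow:
    proto: str
    dst: str
    dport: int


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        action, proto, host, port, prec, _desc = m.groups()
        dport = None
        if port is not None:
            dport = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
        dst = ipaddress.IPv4Address(host) if host else None
        rules.append(Rule(action, proto, dst, dport, int(prec)))
    # Assumption: the lowest rule-precedence is evaluated first.
    return sorted(rules, key=lambda r: r.precedence)


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.proto in ("ip", flow.proto)
            and (rule.dst is None or rule.dst == ipaddress.IPv4Address(flow.dst))
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, precedence of the deciding rule)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.precedence
    return "deny", None  # assumption: implicit deny when nothing matches


def dns_coverage(rules, sanctioned, other_resolvers):
    """Check port-53 flows over UDP and TCP.

    Returns (unfiltered, blocked): flows the ACL permits to a resolver that is
    not in `sanctioned`, and flows to a sanctioned resolver that it denies.
    """
    unfiltered, blocked = [], []
    for proto in ("udp", "tcp"):
        for dst in list(sanctioned) + list(other_resolvers):
            flow = Flow(proto, dst, 53)
            action, _ = evaluate(rules, flow)
            if dst in sanctioned and action == "deny":
                blocked.append(flow)
            elif dst not in sanctioned and action == "permit":
                unfiltered.append(flow)
    return unfiltered, blocked


if __name__ == "__main__":
    acl = parse_acl(PAGE_ACL)
    # 208.67.222.222 is the dns-server set in the page's DHCP pool;
    # 192.0.2.53 is a constructed address standing in for any other resolver.
    unfiltered, blocked = dns_coverage(
        acl, ["208.67.222.222"], ["208.67.222.220", "192.0.2.53"])
    for f in unfiltered:
        print("permitted outside OpenDNS pin:", f)
    for f in blocked:
        print("sanctioned resolver blocked:", f)
```

Under these assumptions the model shows that the UDP rules pin port-53 queries to 208.67.222.222 while TCP port 53 is matched by the precedence-100 permit, which is worth covering with an additional deny rule if the policy is meant to apply to all DNS transports. It also shows that the host address in the permit rule has to match the dns-server handed out by the DHCP pool, otherwise client queries are dropped by the precedence-10 rule.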
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
page
Parameters
None
Examples
nx9500-6C8809#page
nx9500-6C8809#
Related Commands
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|
source [<IP>|pppoe|vlan <1-4094>|wwan]}
Parameters
ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|
source [<IP>|pppoe|vlan <1-4094>|wwan]}
dont-fragment {count|size} Optional. Sets the don’t fragment bit in the ping packet. Packets
with the dont-fragment bit specified are not fragmented. When a
packet, with the dont-fragment bit specified, exceeds the specified
maximum transmission unit (MTU) value, an error message is sent
from the device trying to fragment it.
• count <1-10000> – Optional. Sets the number of pings sent to the specified
destination, from 1 - 10000. The default is 5.
• size <1-64000> – Optional. Sets the ping payload size from 1 -
64000 bytes. The default is 100 bytes.
source [<IP>|pppoe|vlan <1-4094>|wwan] Optional. Sets the source address or interface name. This is the
source of the ICMP packet to the specified destination.
• <IP> – Specifies the source IP address
• pppoe – Selects the PPP over Ethernet interface
• vlan <1-4094> – Selects the VLAN interface from 1 - 4094
• wwan – Selects the wireless WAN interface
Examples
NOC-NX9500>ping 10.234.160.13
PING 10.234.160.13 (10.234.160.13) 100(128) bytes of data.
108 bytes from 10.234.160.13: icmp_seq=1 ttl=64 time=3.61 ms
108 bytes from 10.234.160.13: icmp_seq=2 ttl=64 time=0.177 ms
108 bytes from 10.234.160.13: icmp_seq=3 ttl=64 time=0.162 ms
108 bytes from 10.234.160.13: icmp_seq=4 ttl=64 time=0.167 ms
108 bytes from 10.234.160.13: icmp_seq=5 ttl=64 time=0.170 ms
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ping6 <IPv6/HOSTNAME> {<INTF-NAME>} {(count <1-10000>|size <1-64000>)}
Parameters
ping6 <IPv6/HOSTNAME> {<INTF-NAME>} {(count <1-10000>|size <1-64000>)}
size <1-64000> Optional. Sets the IPv6 ping payload size in bytes
• <1-64000> – Specify the ping payload size from 1 - 64000. The
default is 100 bytes.
Usage Guidelines
To configure a device’s IPv6 address, in the VLAN interface configuration mode, use the ipv6 >
address <IPv6-ADDRESS> command. After configuring the IPv6 address, use the ipv6 >
enable command to enable IPv6. For more information, see ipv6 on page 1288 (profile config mode).
Examples
rfs4000-1B3596(config-device-00-23-68-1B-35-96-if-ge4)#show ipv6 interface brief
--------------------------------------------------------------------------------
INTERFACE IPV6 MODE IPV6-ADDRESS/MASK TYPE STATUS PROTOCOL
--------------------------------------------------------------------------------
vlan1 True fe80::223:68ff:fe88:da7/64 Link-Local UP up
vlan1 True 2001:10:10:10:10:10:10:1/64 Global-Permanent UP up
vlan2 False UNASSIGNED None UP up
--------------------------------------------------------------------------------
rfs4000-1B3596(config-device-00-23-68-1B-35-96-if-ge4)#
rfs4000-229D58>ping6 2001:10:10:10:10:10:10:1 count 6
PING 2001:10:10:10:10:10:10:1(2001:10:10:10:10:10:10:1) 100 data bytes
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=1 ttl=64 time=0.401 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=2 ttl=64 time=0.311 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=3 ttl=64 time=0.300 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=4 ttl=64 time=0.309 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=5 ttl=64 time=0.299 ms
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ssh <IP/HOSTNAME> <USER-NAME> {<INF-NAME/LINK-LOCAL-ADD>}
Parameters
ssh <IP/HOSTNAME> <USER-NAME> {<INF-NAME/LINK-LOCAL-ADD>}
Examples
NOC-NX9500>ssh 10.234.160.13 admin
admin@10.234.160.13's password:
ap8432-070235>>ssh 192.168.13.24 admin
admin@192.168.13.24's password:
rfs4000-6DB5D4>
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}
Parameters
telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}
Examples
NOC-NX9500>telnet 10.234.160.11
telnet: cannot connect to remote host (10.234.160.11): Connection refused
NOC-NX9500>telnet 10.234.160.13
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
terminal [length|width] <0-512>
Parameters
terminal [length|width] <0-512>
width <0-512> Sets the width (the number of characters displayed) of the terminal
window
• <0-512> – Specify a value from 0 - 512.
Examples
NOC-NX9500#show terminal
Terminal Type: xterm
Length: 24 Width: 80
NOC-NX9500#
NOC-NX9500#terminal length 30
NOC-NX9500#terminal width 100
NOC-NX9500#show terminal
Terminal Type: xterm
Length: 30 Width: 100
NOC-NX9500#
Related Commands
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
time-it <COMMAND>
Parameters
time-it <COMMAND>
time-it <COMMAND> Verifies the time taken by a particular command to execute and
provide a result
• <COMMAND> – Specify the command.
Examples
ap8432-070235>time-it enable
That took 0.00 seconds..
ap8432-070235#
nx9500-6C8809#time-it config terminal
Enter configuration commands, one per line. End with CNTL/Z.
That took 0.00 seconds..
nx9500-6C8809(config)#
traceroute (user-privi-exec-mode)
Traces the route to a defined destination
Use '--help' or '-h' to display a complete list of parameters for the traceroute command
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
traceroute <LINE>
Parameters
traceroute <LINE>
Examples
NOC-NX9500>traceroute 10.234.160.13
traceroute to 10.234.160.13 (10.234.160.13), 30 hops max, 46 byte packets
1 10.234.160.13 (10.234.160.13) 0.315 ms 0.159 ms 0.137 ms
NOC-NX9500>
traceroute6 (user-privi-exec-mode)
Traces the route to a specified IPv6 destination
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
traceroute6 <LINE>
Parameters
traceroute6 <LINE>
Examples
rfs4000-6DB5D4>traceroute6 2001:10:10:10:10:10:10:1
traceroute to 2001:10:10:10:10:10:10:1 (2001:10:10:10:10:10:10:1) from
2001:10:10:10:10:10:10:2, 30 hops max, 16 byte packets
1 2001:10:10:10:10:10:10:1 (2001:10:10:10:10:10:10:1) 6.054 ms 0.448 ms 0.555 ms
rfs4000-6DB5D4>
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
Syntax
virtual-machine [assign-usb-ports|console|export|install|restart|set|start|stop|uninstall]
virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}
virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}
virtual-machine install [<VM-NAME>|team-urc|team-rls|team-vowlan]
virtual-machine restart [<VM-NAME>|hard|team-urc|team-rls|team-vowlan]
virtual-machine set [autostart|memory|vcpus|vif-count|vif-mac|vif-to-vmif|vnc]
virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|vif-count <0-2>|
vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-INDEX>|vnc [disable|enable]]
[<VM-NAME>|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
The following virtual-machine commands are supported only on the VX9000 platform:
virtual-machine volume-group [add-drive|replace-drive|resize-drive|resize-volume-group]
virtual-machine volume-group [add-drive|replace-drive] <BLOCK-DEVICE-LABEL>
virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL>
virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>
Parameters
virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}
virtual-machine export Exports an existing VM image and settings. Use this command to
export the VM to another device in the same domain.
• <VM-NAME> – Specify the VM name.
◦ <FILE> – Specify the location and name of the source file
(VM image). The VM image is retrieved and exported from
the specified location.
◦ <URL> – Specify the destination location. This is the location
to which the VM image is copied. Use one of the following
formats to provide the destination path:
▪ tftp://<hostname|IP>[:port]/path/file
▪ ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
▪ sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
▪ http://<hostname|IP>[:port]/path/file
• on <DEVICE-NAME> – Optional. Executes the command on a
specified device or devices
◦ <DEVICE-NAME> – Specify the service platform name. In
case of multiple devices, list the device names separated by
commas.
virtual-machine install Installs the VM. The install command internally creates a VM
template, consisting of the specified parameters, and starts the
installation process.
• <VM-NAME> – Specify the VM name.
• team-centro – Installs the VM TEAM-Centro image
• team-rls – Installs the VM TEAM-RLS image
• team-vowlan – Installs the VM TEAM-VoWLAN image
enable]]
[<VM-NAME>|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
virtual-machine start Starts the VM, based on the parameters passed. Select one of the
following options:
• <VM-NAME> – Starts the VM identified by the <VM-NAME>
keyword. Specify the VM name.
• team-urc – Starts the VM TEAM-URC
• team-rls – Starts the VM TEAM-RLS
• team-vowlan – Starts the VM TEAM-VoWLAN
The following keywords are common to all of the above parameters:
• on <DEVICE-NAME> – Optional. Executes the command on a
specified device or devices
◦ <DEVICE-NAME> – Specify the service platform name. In
case of multiple devices, list the device names separated by
commas.
virtual-machine stop hard Stops the VM, based on the parameters passed. Select one of the
following options:
• <VM-NAME> – Stops the VM identified by the <VM-NAME>
keyword. Specify the VM name.
• ADSP – Stops the ADSP VM
• team-urc – Stops the VM TEAM-URC
• team-rls – Stops the VM TEAM-RLS
• team-vowlan – Stops the VM TEAM-VoWLAN
Examples
In the preceding example, the command is executed on the device identified by the <DEVICE-NAME>
keyword. In such a scenario, the disk-size is ignored if specified. The VM has the install media as first
boot device.
In the preceding example, the default configuration attached with the VM archive overrides any
parameters specified.
In the preceding example, the command copies the VM archive on to the URL (VM should be in stop
state).
<DEVICE>>virtual-machine install team-urc
Virtual Machine install team-urc command successfully sent.
<DEVICE>>
VX9000-DE6F97>virtual-machine add-drive sdb
VX9000-DE6F97>show virtual-machine volume-group status
-----------------------------------------
Logical Volume: lv1
-----------------------------------------
STATUS : available
SIZE : 81.89 GiB
VOLUME GROUP : vg0
PHYSICAL VOLUMES :
sda10 : 73.90 GiB
sdc1 : 8.00 GiB
AVAILABLE DISKS :
sdb : size: 8590MB
-----------------------------------------
* indicates a drive that must be resized
-----------------------------------------
VX9000-DE6F97>
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
exit
Parameters
None
Examples
nx9500-6C8809>exit
watch
Repeats the specified CLI command at periodic intervals
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
watch <1-3600> <LINE>
Parameters
watch <1-3600> <LINE>
Examples
In the following example, the controller pings the specified IP address once every 40 seconds.
NOC-NX9500>watch 40 ping 10.234.160.13
PING 10.234.160.13 (10.234.160.13) 100(128) bytes of data.
108 bytes from 10.234.160.13: icmp_seq=1 ttl=64 time=0.257 ms
108 bytes from 10.234.160.13: icmp_seq=2 ttl=64 time=0.176 ms
108 bytes from 10.234.160.13: icmp_seq=3 ttl=64 time=0.170 ms
108 bytes from 10.234.160.13: icmp_seq=4 ttl=64 time=0.170 ms
108 bytes from 10.234.160.13: icmp_seq=5 ttl=64 time=0.169 ms
--More--
NOC-NX9500>
Note
To password-protect the Privilege mode, in the Management Policy, configure the
privilege-mode-password. For more information, see privilege-mode-password on page 1696.
The PRIV EXEC mode prompt consists of the hostname of the device followed by a pound sign (#).
To access the PRIV EXEC mode, enter the following at the prompt:
<DEVICE>>enable
<DEVICE>#
The PRIV EXEC mode is often referred to as the enable mode, because the enable command is used to
enter the mode.
There is no provision to configure a password to get direct access to PRIV EXEC (enable) mode.
<DEVICE>#?
Privileged command commands:
archive Manage archive files
boot Boot commands
captive-portal-page-upload Captive portal internal and advanced page upload
cd Change current directory
change-passwd Change password
clear Clear
clock Configure software system clock
cluster Cluster commands
commit Commit all changes made in this session
configure Enter configuration mode
connect Open a console connection to a remote device
copy Copy contents of one dir to another
cpe T5 CPE configuration
create-cluster Create a cluster
crypto Encryption related commands
crypto-cmp-cert-update Update the cmp certs
database Database
<DEVICE>
privileged-exec-commands
The following table summarizes the PRIV EXEC configuration mode commands:
Note:
This feature is supported only on the AP7662 model access point.
halt on page 207 Halts a device (access point, wireless controller, or service platform)
join-cluster (user and privi exec modes) on page 90 Adds a device (access point, wireless controller, or service platform), as cluster member, to an existing cluster of devices
l2tpv3 (user and privi exec modes) on page 92 Establishes or brings down L2TPV3 tunnels
logging (user and privi exec modes) on page 94 Modifies message logging parameters
mint (user and privi exec modes) on page 95 Configures MiNT protocols
mkdir on page 214 Creates a new directory in the file system
more on page 215 Displays the contents of a file
on (user and privi exec modes) on page 97 Reverts a command or sets values to their default
on (user and privi exec modes) on page 97 Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, and show
opendns (user and privi exec modes) on page 99 Connects to the OpenDNS site using OpenDNS registered credentials (username, password) OR OpenDNS API token to fetch the OpenDNS device_id. This command is a part of the process integrating access points, controllers, and service platforms with OpenDNS.
Note
For information on common commands (clrscr, commit, help, revert, service, show, write, and
exit), see COMMON COMMANDS on page 705.
Note
The input parameter <HOSTNAME>, if used in syntaxes across this chapter, cannot include an
underscore (_) character.
archive
Manages file archive operations
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
archive tar /table [<FILE>|<URL>]
archive tar /create [<FILE>|<URL>] <FILE>
archive tar /xtract [<FILE>|<URL>] <DIR>
Parameters
archive tar /table [<FILE>|<URL>]
Examples
nx9500-6C8809#
nx9500-6C8809#archive tar /create flash:/in.tar flash:/log/
log/nsightd.log.1
log/nsight_reportd.log
log/messages.1.log
log/martdb.log
log/reportd.log.2
log/adopts.log.2
log/mongod.log.2
log/dpd2.log
log/nsight_server.log
log/mart_websock_server.log
log/nuxi/
log/nuxi/beanyaml.log
log/nuxi/statsreqresp.1.log
log/nuxi/hadoop.log.2014-08-03
log/nuxi/puts.log
log/nuxi/copy2w.log
log/nuxi/obj2yaml.log
log/nuxi/infl.log
--More--
nx9500-6C8809#
nx9500-6C8809#dir flash:/
Directory of flash:/
nx9500-6C8809#
boot
Changes the next boot partition or image on a specified device or on the logged device. The WiNG
devices have two partitions: primary and secondary, with each partition containing an image of the
operating system. Whenever the device boots up it loads the image from the partition specified here.
The partition currently in control of the boot process is the active partition, the other partition is the
inactive partition with the alternate image. Use this command to manually change the next boot
partition or image.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
boot system [active|inactive|primary|secondary] {on <DEVICE-NAME>}
Parameters
boot system [active|inactive|primary|secondary] {on <DEVICE-NAME>}
Note: You will need to reload the device in order for the change to
take effect.
Examples
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
IMAGE BUILD DATE INSTALL DATE VERSION
--------------------------------------------------------------------------------
Primary 08/07/2019 06:09:06 08/12/2019 20:14:42 5.9.6.0-004D
Secondary 07/31/2019 18:44:43 08/06/2019 12:04:14 5.9.6.0-003D
--------------------------------------------------------------------------------
Current Boot : Secondary
Next Boot : Primary
Software Fallback : Enabled
VM support : Not present
nx9500-6C8809#
nx9500-6C8809#boot system secondary
Updated system boot partition
nx9500-6C8809#
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
IMAGE BUILD DATE INSTALL DATE VERSION
--------------------------------------------------------------------------------
Primary 08/07/2019 06:09:06 08/12/2019 20:14:42 5.9.6.0-004D
Secondary 07/31/2019 18:44:43 08/06/2019 12:04:14 5.9.6.0-003D
--------------------------------------------------------------------------------
Current Boot : Secondary
Next Boot : Secondary
Software Fallback : Enabled
VM support : Not present
nx9500-6C8809#
nx9500-6C8809#show boot on ap7562-84A224
--------------------------------------------------------------------------------
IMAGE BUILD DATE INSTALL DATE VERSION
--------------------------------------------------------------------------------
Primary 07/31/2019 18:14:31 08/06/2019 13:22:20 5.9.6.0-003D
Secondary 05/25/2019 06:43:28 06/03/2019 15:23:42 5.9.5.0-004D
--------------------------------------------------------------------------------
Current Boot : Primary
Next Boot : Primary
Software Fallback : Enabled
VM support : Not present
nx9500-6C8809#
Note
Ensure that the captive portal pages to upload are *.tar files.
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
captive-portal-page-upload [<CAPTIVE-PORTAL-NAME>|cancel-upload|delete-file|load-file]
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all|rf-domain]
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all] {upload-time <TIME>}
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all]
{from-controller} {(upload-time <TIME>)}
captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|
all]]
captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>
captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>
Parameters
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all] {upload-time <TIME>}
rf-domain [<DOMAIN-NAME>|all] Uploads to all APs within a specified RF Domain or all RF Domains
• <DOMAIN-NAME> – Uploads to APs within a specified RF Domain. Specify the RF Domain name.
• all – Uploads to APs across all RF Domains
Examples
ap8533-B1A214#captive-portal-page-upload load-file captive_portal_test tftp://89.89.89.17/pages_new_only.tar
ap8533-B1A214#show captive-portal-page-upload load-image-status
Download of captive_portal_test advanced page file is complete
ap6562-B1A214#
ap8533-B1A214#captive-portal-page-upload captive_portal_test all
--------------------------------------------------------------------------------
CONTROLLER STATUS MESSAGE
--------------------------------------------------------------------------------
FC-0A-81-B1-A2-14 Success Added 6 APs to upload queue
--------------------------------------------------------------------------------
ap8533-B1A214#
ap8533-B1A214@#show captive-portal-page-upload status
Number of APs currently being uploaded : 1
Number of APs waiting in queue to be uploaded : 0
---------------------------------------------------------------------------------------
AP STATE UPLOAD TIME PROGRESS RETRIES LAST UPLOAD ERROR UPLOADED BY
---------------------------------------------------------------------------------------
ap8533-B1A738 downloading immediate 100 0 - None
---------------------------------------------------------------------------------------
ap8533-B1A214#
cd
Changes the current directory
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
cd {<DIR>}
Parameters
cd {<DIR>}
<DIR> Optional. Changes the current directory to the directory identified by the <DIR> keyword. If a
directory name is not provided, the system displays the current directory.
Examples
rfs4000-229D58#cd flash:/log/
rfs4000-229D58#pwd
flash:/log/
rfs4000-229D58#
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
change-passwd {<OLD-PASSWORD>} <NEW-PASSWORD>
Parameters
change-passwd {<OLD-PASSWORD>} <NEW-PASSWORD>
Examples
nx9500-6C8809#change-passwd
Enter old password:
Enter new password:
Password for user 'admin' changed successfully
Please write this password change to memory(write memory) to be persistent.
nx9500-6C8809#write memory
OK
nx9500-6C8809#
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
clear [arp-cache|bonjour|cdp|counters|crypto|event-history|firewall|gre|ip|ipv6|
l2tpv3-stats|lacp|license|lldp|mac-address-table|mint|role|rtls|spanning-tree|
traffic-shape|vrrp]
clear arp-cache {on <DEVICE-NAME>}
clear bonjour cache {on <DEVICE-NAME>}
clear [cdp|lldp] neighbors {on <DEVICE-NAME>}
clear counters [all|ap|bridge|interface|radio|router|thread|wireless-client]
clear counters all {(on <DEVICE-OR-DOMAIN-NAME>)}
clear counters [bridge|router|thread]
clear counters interface <INF-TYPE> {(on <DEVICE-OR-DOMAIN-NAME>)}
clear counters [ap {<MAC>}|radio {<MAC/DEVICE-NAME>} {<1-3>}|
wireless-client {<MAC>}] {(on <DEVICE-OR-DOMAIN-NAME>)}
clear crypto [ike|ipsec] sa
clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}
clear crypto ipsec sa {on <DEVICE-NAME>}
clear event-history
clear firewall [dhcp|dos|flows|neighbors]
clear firewall [dhcp|neighbors] snoop-table {on <DEVICE-NAME>}
clear firewall [dos stats|flows [ipv4|ipv6]] {on <DEVICE-NAME>}
clear gre stats {on <DEVICE-NAME>}
clear ip [bgp|dhcp|ospf]
clear ip bgp [<IP>|all|external|process]
clear ip bgp [<IP>|all|external] {in|on|out|soft}
clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}
clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}
clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}
clear ip bgp process {on <DEVICE-NAME>}
clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}
clear ip ospf process {on <DEVICE-NAME>}
clear mac-address-table {address|interface|vlan} {on <DEVICE-NAME>}
clear ipv6 neighbor-cache {on <DEVICE-NAME>}
clear lacp [<1-4> counters|counters]
clear license [borrowed|lent to <BORROWER-CONTROLLER-NAME>] {on <DEVICE-NAME>}
clear l2tpv3-stats tunnel <TUNNEL-NAME> {session <SESSION-NAME>} {on <DEVICE-NAME>}
clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}
clear mac-address-table {address|interface|mac-auth-state|vlan} {on <DEVICE-NAME>}
clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}
clear mac-address-table {interface [<IN-NAME>|ge <1-2>|port-channel <1-2>|vmif <1-8>]}
{on <DEVICE-NAME>}
clear mac-address-table mac-auth-state address <MAC> vlan <1-4094>
{on <DEVICE-NAME>}
clear mint mlcp history {on <DEVICE-NAME>}
clear role ldap-stats {on <DEVICE-NAME>}
clear rtls [aeroscout|ekahau]
clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}
|on <DEVICE-OR-DOMAIN-NAME>}
clear spanning-tree detected-protocols {interface|on}
clear spanning-tree detected-protocols {on <DEVICE-NAME>}
clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-X>|
me1|port-channel <1-X>|pppoe1|up1|vlan <1-4094>|wwan1]} {on <DEVICE-NAME>}
clear traffic-shape statistics class <1-4> {(on <DEVICE-NAME>)}
clear vrrp [error-stats|stats] {on <DEVICE-NAME>}
Parameters
clear arp-cache {on <DEVICE-NAME>}
bonjour cache Clears all Bonjour cached statistics. Once cleared the system has to
re-discover available Bonjour services.
on <DEVICE-NAME> Optional. Clears all Bonjour cached statistics on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
counters Clears all counters on the logged device or on all devices within a
specified RF Domain. These counters are: AP, bridge, interface,
radio, router, thread and wireless clients.
on <DEVICE-OR-DOMAIN-NAME> Optional. Specify the device name or the RF Domain name.
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Clears all counters
on a specified device or RF Domain.
◦ <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP,
wireless controller, service platform, or RF Domain.
counters Clears counters based on the parameters passed. The options are:
AP, bridge, interface, radio, router, thread and wireless clients.
[bridge|router|thread] Select one of the following options:
• bridge – Clears bridge counters. When executed, this command
resets the bridge forwarding cache.
• router – Clears router counters. When executed, this command
resets the router counters.
• thread – Clears thread counters. When executed, this command
resets the pre-thread counters.
counters Clears counters based on the parameters passed. The options are:
AP, bridge, interface, radio, router, thread and wireless clients.
ap <MAC> Clears counters for all APs or a specified AP
• <MAC> – Optional. Specify the AP’s MAC address.
radio <MAC/DEVICE-NAME> <1-X> Clears radio interface counters on a specified device or on all
devices
• <MAC/DEVICE-NAME> – Optional. Specify the device’s
hostname or MAC address. Optionally, append the radio
interface number (to the radio ID) using one of the following
formats: AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX (where RX
is the interface number).
◦ <1-X> – Optional. Identifies the radio interface by its index.
Specify the radio interface index, if not specified as part of
the radio ID. Note, the number of radio interfaces available
varies with the access point type.
wireless-client <MAC> Clears counters for all wireless clients or a specified wireless client
• <MAC> – Optional. Specify the wireless client's MAC address.
counters Clears counters based on the parameters passed. The options are:
AP, bridge, interface, radio, router, thread and wireless clients.
interface <INF-TYPE> <INF-NUMBER> Clears interface counters
• <INF-TYPE> - Specify the interface type as Ethernet, VLAN,
port-channel, usb, all, etc.
◦ <INF-NUMBER> - After specifying the interface type, specify
the interface number.
on <DEVICE-NAME> Optional. Clears IKE SA entries, for a specified peer or all peers, on a
specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
crypto
ipsec sa {on <DEVICE-NAME>} Clears Internet Protocol Security (IPsec) database SAs
• on <DEVICE-NAME> – Optional. Clears IPSec SA entries on a
specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
clear event-history
on <DEVICE-NAME> The following option is common to both the 'dhcp' and 'neighbor'
parameters:
• on <DEVICE-NAME> - Optional. Executes the command on a
specified device.
◦ <DEVICE-NAME> - Specify the AP, wireless controller, or
service platform name.
flows [ipv4|ipv6] Clears all established IPv4 or IPv6 firewall session statistics
• ipv4 - Optional. Clears only IPv4 firewall session statistics
• ipv6 - Optional. Clears only IPv6 firewall session statistics
Note: If you do not specify IPv4 or IPv6, the system clears all
ACL related statistics.
on <DEVICE-NAME> The following option is common to both the 'dos' and 'flows'
parameters:
• on <DEVICE-NAME> - Optional. Executes the command on a
specified device.
◦ <DEVICE-NAME> - Specify the AP, wireless controller, or
service platform name.
ip bgp [<IP>|all|external] Clears on-going BGP sessions based on the option selected
• <IP> – Clears BGP session with the peer identified by the <IP>
keyword. Specify the BGP peer’s IP address.
• all – Clears all BGP peer sessions
• external – Clears external BGP (eBGP) peer sessions
This command is applicable only to the RFS4010, NX9500,
NX9600, and VX9000 platforms.
Modifications made to BGP settings (BGP access lists, weight,
distance, route-maps, versions, routing policy, etc.) take effect only
after on-going BGP sessions are cleared. The clear > ip >
bgp command clears BGP sessions. To reduce loss of route
updates during the process, use the ‘soft’ option. Soft
reconfiguration stores inbound/outbound route updates to be
processed later and updated to the routing table. This requires high
memory usage.
in prefix-filter Optional. Clears inbound route updates
• prefix-filter – Optional. Clears the existing Outbound Route
Filtering (ORF) prefix-list
ip bgp [<IP>|all|external] Clears on-going BGP sessions based on the option selected
• <IP> – Clears BGP session with the peer identified by the <IP>
keyword. Specify the BGP peer’s IP address.
• all – Clears all BGP peer sessions
• external – Clears eBGP peer sessions
ip bgp [<IP>|all|external] Clears on-going BGP sessions based on the option selected
• <IP> – Clears BGP session with the peer identified by the <IP>
keyword. Specify the BGP peer’s IP address.
• all – Clears all BGP peer sessions
• external – Clears eBGP peer sessions
This command is applicable only to the RFS4010, NX9500,
NX9600, and VX9000 platforms.
soft {in|out} Optional. Initiates soft-reconfiguration of route updates for the
specified IP address
• in – Optional. Enables soft reconfiguration of inbound route
updates
• out – Optional. Enables soft reconfiguration of outbound route
updates
Modifications made to BGP settings (BGP access lists, weight,
distance, route-maps, versions, routing policy, etc.) take effect only
after on-going BGP sessions are cleared. The clear > ip >
bgp command clears BGP sessions. To reduce loss of route updates
during the process, use the ‘soft’ option. Soft reconfiguration stores
inbound/outbound route updates to be processed later and
updated to the routing table. This requires high memory usage.
on <DEVICE-NAME> Optional. Initiates soft reconfiguration inbound/outbound route
updates on a specified device
• <DEVICE-NAME> – Specify the name of the AP or service
platform.
ip ospf process Clears already enabled Open Shortest Path First (OSPF) process
and restarts the process
on <DEVICE-NAME> Optional. Clears OSPF process on a specified device
OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP
packets within a single routing domain (autonomous system), like
an enterprise LAN. OSPF gathers link state information from
neighboring routers and constructs a network topology. The
topology determines the routing table presented to the Internet
Layer, which makes routing decisions based solely on the
destination IP address found in IP packets.
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
clear lacp [<1-4> counters|counters] Clears Link Aggregation Control Protocol (LACP) counters/statistics
for a specified channel group or all channel groups configured
• <1-4> counters – Clears LACP stats for a specified channel
group. Specify the port-channel index number from 1 - 4. Note,
Note:
If you do not specify a controller name, the command is executed
on the controller you have logged on to.
Note:
If you do not specify the controller name, the system
executes the command on the logged controller.
session <SESSION-NAME> Optional. Clears a specific session statistics in the specified L2TPv3
tunnel.
• <SESSION-NAME> - Specify the session name.
Note: If you do not specify the session name, the system clears
statistics for all sessions.
Note: If you do not specify the device name, the system clears
L2TPv3 tunnel and session statistics on the logged device.
mac-address-table Clears MAC address forwarding table data based on the parameters
passed
Use this command to clear the following: all or specified MAC
addresses from the system, all MAC addresses on a specified
interface, all MAC addresses on a specified VLAN, or the
authentication state of a MAC address.
address <MAC> Optional. Clears a specified MAC address from the MAC address
table.
• <MAC> – Specify the MAC address in one of the following
formats: AA-BB-CC-DD-EE-FF or AA:BB:CC:DD:EE:FF or
AABB.CCDD.EEFF
vlan <1-4094> Optional. Clears all MAC addresses for a specified VLAN
• <1-4094> – Specify the VLAN ID from 1 - 4094
on <DEVICE-NAME> Optional. Clears a single MAC entry or all MAC entries, for the
specified VLAN on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
mac-address-table Clears MAC address forwarding table data based on the parameters
passed
Use this command to clear the following: all or specified MAC
addresses from the system, all MAC addresses on a specified
interface, all MAC addresses on a specified VLAN, or the
authentication state of a MAC address.
interface Clears all MAC addresses for the selected interface. Use the options
available to specify the interface.
<IF-NAME> Clears MAC address forwarding table for the specified layer 2
interface (Ethernet port)
• <IF-NAME> – Specify the layer 2 interface name.
port-channel <1-X> Clears MAC address forwarding table for the specified port-channel
interface
• <1-X> – Specify the port-channel interface index from 1 - X.
on <DEVICE-NAME> Optional. Clears the MAC address forwarding table, for the selected
interface, on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
mac-address-table mac-auth-state address <MAC> vlan <1-4094> Clears MAC addresses learned from a particular VLAN when WLAN
MAC authentication and captive-portal fall back is enabled
Access points/controllers provide WLAN access to clients whose
MAC address has been learned and stored in their MAC address
tables. Use this command to clear a specified MAC address on the
MAC address table. Once cleared the client has to re-authenticate,
and is provided access only on successful authentication.
• <MAC> – Specify the MAC address to clear.
◦ vlan <1-4094> – Specify the VLAN interface from 1 - 4094. In
the AP/controller’s MAC address table, the specified MAC
address is cleared on the specified VLAN interface.
Note: If a device is not specified, the system clears the MAC address
on all devices.
mint
mlcp history Clears MiNT Link Creation Protocol (MLCP) client history
on <DEVICE-NAME> Optional. Clears MLCP client history on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
Note: If the traffic class is not specified, the system clears all
traffic shaping statistics.
on <DEVICE-NAME> Optional. Clears traffic shaping statistics for the specified traffic
class on a specified device
• <DEVICE-NAME> – Specify the name of the access point,
wireless controller, or service platform.
Examples
nx9500-6C8809>clear event-history
nx9500-6C8809>clear spanning-tree detected-protocols interface port-channel 1
nx9500-6C8809>clear spanning-tree detected-protocols interface ge 1
nx9500-6C8809>show lldp neighbors
-------------------------
Chassis ID: 00-18-71-D0-0B-00
System Name: ProCurve Switch 5406zl
Platform: ProCurve J8697A Switch 5406zl, revision K.12.1X, ROM K.11.03 (/sw/code/build/
btm(sw_esp1))
Capabilities: Bridge Router
Enabled Capabilities: Bridge Router
Local Interface: ge1, Port ID(Port Description) (outgoing port): 26(B2)
TTL: 95 sec
Management Addresses: 10.234.160.1
-------------------------
Chassis ID: 5C-0E-8B-1C-53-2C
System Name: HM-ROUTER
Platform: RFS-4011-11110-WR, Version 5.9.6.0-004D
Capabilities: Bridge WLAN Access Point Router
Enabled Capabilities: Bridge WLAN Access Point Router
Local Interface: ge2, Port ID(Port Description) (outgoing port): ge1(ge1)
TTL: 165 sec
Management Addresses: 192.168.0.1,172.168.16.1,192.168.13.1,20.168.10.1
nx9500-6C8809>
nx9500-6C8809>clear lldp neighbors
nx9500-6C8809>show lldp neighbors
nx9500-6C8809>show cdp neighbors
--------------------------------------------------------------------------------
Device ID Platform Local Interface Port ID Duplex
--------------------------------------------------------------------------------
HM-ROUTER RFS-4011-11110-WR ge2 ge1 full
--------------------------------------------------------------------------------
nx9500-6C8809>
nx9500-6C8809>clear cdp neighbors
nx9500-6C8809>show cdp neighbors
--------------------------------------------------------------------------------
Device ID Platform Local Interface Port ID Duplex
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
nx9500-6C8809>
nx9500-6C8809>clear role ldap-stats
nx9500-6C8809>show role ldap-stats
No ROLE LDAP statistics found.
nx9500-6C8809>
nx9500-6C8809>show mac-address-table
--------------------------------------------------------
BRIDGE VLAN PORT MAC STATE
--------------------------------------------------------
1 1 ge5 00-02-B3-28-D1-55 forward
1 1 ge5 00-0F-8F-19-BA-4C forward
1 1 ge5 B4-C7-99-5C-FA-8E forward
1 1 ge5 00-23-68-0F-43-D8 forward
1 1 ge5 00-15-70-38-06-49 forward
1 1 ge5 00-23-68-13-9B-34 forward
1 1 ge5 B4-C7-99-58-72-58 forward
1 1 ge5 00-15-70-81-74-2D forward
--------------------------------------------------------
Total number of MACs displayed: 8
nx9500-6C8809>
nx9500-6C8809>clear mac-address-table address 00-02-B3-28-D1-55
nx9500-6C8809>show mac-address-table
--------------------------------------------------------
BRIDGE VLAN PORT MAC STATE
--------------------------------------------------------
1 1 ge5 00-0F-8F-19-BA-4C forward
1 1 ge5 B4-C7-99-5C-FA-8E forward
1 1 ge5 00-23-68-0F-43-D8 forward
1 1 ge5 00-15-70-38-06-49 forward
1 1 ge5 00-23-68-13-9B-34 forward
1 1 ge5 B4-C7-99-58-72-58 forward
1 1 ge5 00-15-70-81-74-2D forward
--------------------------------------------------------
Total number of MACs displayed: 7
nx9500-6C8809>
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
Syntax
clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}
Parameters
clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}
Examples
ap8432-5C63F0(config-device-74-67-F7-5C-63-F0)#timezone Etc/UTC
ap8432-5C63F0#clock set 14:16:30 18 Sep 2019
ap8432-5C63F0#show clock
2019-09-18 14:16:44 UTC
ap8432-5C63F0#
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
cluster start-election
Parameters
cluster start-election
Related Commands
create-cluster (user and privi exec modes) on page 56 Creates a new cluster on the specified device
join-cluster (user and privi exec modes) on page 90 Adds a wireless controller or service platform, as a member, to an existing cluster of controllers
configure
Enters the configuration mode. Use this command to enter the current device's configuration mode, or
enable configuration from the terminal.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
configure {self|terminal}
Parameters
configure {self|terminal}
Examples
nx9500-6C8809#configure self
Enter configuration commands, one per line. End with CNTL/Z.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
NOC-NX9500#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NOC-NX9500(config)#
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]
Parameters
connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]
Examples
nx9500-6C8809>show mint lsp-db
5 LSPs in LSP-db of 19.6C.88.09:
LSP 19.6C.88.09 at level 1, hostname "nx9500-6C8809", 4 adjacencies, seqnum 334790
LSP 2C.13.40.38 at level 1, hostname "ap505-134038", 4 adjacencies, seqnum 1093428
LSP 4D.84.A2.24 at level 1, hostname "ap7562-84A224", 4 adjacencies, seqnum 946734
LSP 4D.DF.9A.4C at level 1, hostname "ap7532-DF9A4C", 4 adjacencies, seqnum 352858
LSP 75.07.02.35 at level 1, hostname "ap8432-070235", 4 adjacencies, seqnum 319736
nx9500-6C8809>
nx9500-6C8809>connect mint-id 75.07.02.35
copy
Copies a file (config, log, txt, etc.) from any location to the access point, wireless controller, or service
platform and vice-versa
Note
Copying a new config file to an existing running-config file merges it with the existing
running-config file on the wireless controller. Both the existing running-config and the new
config file are applied as the current running-config. Copying a new config file to a start-up
config file replaces the existing start-up config file with the parameters of the new file. It is
recommended that you erase the existing start-up config file and then copy the new config
file to the startup config.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
copy [<SOURCE-FILE>|<SOURCE-URL>] [<DESTINATION-FILE>|<DESTINATION-URL>]
Parameters
copy [<SOURCE-FILE>|<SOURCE-URL>] [<DESTINATION-FILE>|<DESTINATION-URL>]
Examples
cpe (privilege-exec-mode)
Enables a WiNG controller to perform certain operations on Customer Premises Equipment (CPEs)
through an adopted T5 controller
A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the
WiNG operating system used by RFS wireless controllers and NX service platforms. A T5 controller,
once enabled as a supported external device, provides data to WiNG to assist in a T5’s management
within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller
managed radio devices using the IPX operating system. These CPEs use a Digital Subscriber Line (DSL)
as their high speed Internet access mechanism using the CPE’s physical wallplate connection and phone
jack.
Syntax
cpe [boot|reload|upgrade]
cpe boot system cpe [<1-24>|all] [primary|secondary] {on <T5-DEVICE-NAME>}
cpe [reload|upgrade <IMAGE-LOCATION>] cpe [<1-24>|all] {on <T5-DEVICE-NAME>}
Note
These commands can also be executed on the T5 profile and device context. For more
information, see T5 Profile Config Commands on page 1421.
Parameters
cpe boot system cpe [<1-24>|all] [primary|secondary] {on <T5-DEVICE-NAME>}
cpe boot system Changes the image used by a CPE to boot. When reloading, the
CPE uses the specified image.
cpe [<1-24>|all] Identifies the CPE(s) on which this change is implemented
• <1-24> – Reloads only those CPEs whose IDs have been
specified. Specify the ID from 1 - 24.
• all – Reloads all CPEs
IPv4 URLs:
◦ tftp://<hostname|IP>[:port]/path/file
◦ ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
◦ sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
◦ http://<hostname|IP>[:port]/path/file
◦ cf:/path/file
◦ usb<n>:/path/file
IPv6 URLs:
◦ tftp://<hostname|[IPv6]>[:port]/path/file
◦ ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
◦ sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
◦ http://<hostname|[IPv6]>[:port]/path/file
Example
nx9500-6C8809#show t5 cpe boot on t5-ED7C6C
----------------------------------------------------------------------------------------------------
DEVICE PRIMARY VERSION SECONDARY VERSION NEXT BOOT UPGRADE STATUS UPGRADE PROGRESS %
----------------------------------------------------------------------------------------------------
cpe1 5.4.2.0-010R 5.4.2.0-006B primary none 0
cpe2 5.4.2.0-010R 5.4.2.0-006B primary none 0
----------------------------------------------------------------------------------------------------
nx9500-6C8809#
nx9500-6C8809#cpe boot system cpe 1 secondary on t5-ED7C6C
Updated T5 CPE system boot partition
nx9500-6C8809#
A cluster (or redundancy group) is a set of controllers or service platforms (nodes) uniquely defined by
a profile configuration. Within the cluster, members discover and establish connections to other
members and provide wireless network self-healing support in the event of member's failure.
A cluster's load balance is typically distributed evenly amongst its members. An administrator needs to
define how often the profile is load balanced for radio distribution, as radios can come and go and
members join and exit the cluster.
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}
Parameters
create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}
level [1|2] Optional. Configures the routing level for this cluster
• 1 – Configures level 1 (local) routing
• 2 – Configures level 2 (inter-site) routing
Examples
nx9500-6C8809#create-cluster name TechPubs1 ip 192.168.13.8 level 2
... creating cluster
Related Commands
cluster (user and privi exec modes) on page 54 Initiates cluster context. The cluster context provides centralized management to configure all cluster members from any one member.
join-cluster (user and privi exec modes) on page 90 Adds a wireless controller or service platform, as a member, to an existing cluster of controllers
This command also enables trustpoint configuration. Trustpoints contain the CA's identity and
configuration parameters.
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
crypto [key|pki]
crypto key [export|generate|import|zeroize]
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|on|passphrase}
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL>
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|on|passphrase}
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL>
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}
crypto pki [authenticate|export|generate|import|zeroize]
crypto pki authenticate <TRUSTPOINT-NAME> <LOCATION-URL> {background} {(on <DEVICE-NAME>)}
crypto pki export [request|trustpoint]
crypto pki export request [generate-rsa-key|short|use-rsa-key] <RSA-KEYPAIR-NAME>
[autogen-subject-name|subject-name]
crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name
[<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>]
crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name
(<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key]
<RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION>
<ORGANIZATION-UNIT>
(<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL>
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>
[autogen-subject-name|subject-name]
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>
autogen-subject-name {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>
subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT>
{(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
crypto pki import [certificate|crl|trustpoint]
crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background}
{(on <DEVICE-NAME>)}
crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL>
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}
Parameters
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL>
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
Note: All device certificates associated with this key will also be
deleted.
url Specify CA’s location. Both IPv4 and IPv6 address formats are
supported.
<EXPORT-TO-URL> Specify the CA’s location. Both IPv4 and IPv6 address formats are
supported.
fqdn <FQDN> Exports CSR to a specified FQDN (Fully Qualified Domain Name)
• <FQDN> – Specify the CA’s FQDN.
<EXPORT-TO-URL> Specify the CA’s location. Both IPv4 and IPv6 address formats are
supported. The CSR is exported to the specified location.
email <SEND-TO-EMAIL> Exports CSR to a specified e-mail address
• <SEND-TO-EMAIL> – Specify the CA’s e-mail address.
<EXPORT-TO-URL> Specify the destination address. Both IPv4 and IPv6 address
formats are supported. The trustpoint is exported to the address
specified here.
background Optional. Performs export operation in the background. If selecting
this option, you can optionally specify the device (access point or
controller) to perform the export on
passphrase <KEY-PASSPHRASE> background Optional. Encrypts the key with a passphrase before exporting
• <KEY-PASSPHRASE> – Specify the passphrase to encrypt the
trustpoint.
◦ background – Optional. Performs export operation in the
background. After specifying the passphrase, optionally
specify the device (access point or controller) to perform the
export on.
[generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> Generates a new RSA Keypair, or uses an existing RSA Keypair
• generate-rsa-key – Generates a new RSA Keypair for digital
authentication
• use-rsa-key – Uses an existing RSA Keypair for digital
authentication
◦ <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair,
specify a name for it. If using an existing RSA Keypair, specify
its name.
[generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> Generates a new RSA Keypair, or uses an existing RSA Keypair
• generate-rsa-key – Generates a new RSA Keypair for digital
authentication
• use-rsa-key – Uses an existing RSA Keypair for digital
authentication
◦ <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair,
specify a name for it. If using an existing RSA Keypair, specify
its name.
<IMPORT-FROM-URL> Specify the signed server certificate or CRL source address. Both
IPv4 and IPv6 address formats are supported.
The server certificate or the CRL (based on the parameter passed in
the preceding step) is imported from the location specified here.
<IMPORT-FROM-URL> Specify the trustpoint source address. Both IPv4 and IPv6 address
formats are supported.
background Optional. Performs import operation in the background. If selecting
this option, you can optionally specify the device (access point or
controller) to perform the import on.
passphrase <KEY-PASSPHRASE> background Optional. Decrypts trustpoint with a passphrase after importing
• <KEY-PASSPHRASE> – Specify the passphrase. After specifying
the passphrase, optionally specify the device to perform import
on.
◦ background – Optional. Performs import operation in the
background. After specifying the passphrase, optionally
specify the device (access point or controller) to perform the
import on.
del-key Optional. Deletes the private key associated with the server
certificate. Optionally specify the device to perform deletion on.
on <DEVICE-NAME> The following parameter is recursive and optional:
• on <DEVICE-NAME> – Optional. Deletes the trustpoint on a
specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
Usage Guidelines
The system supports both IPv4 and IPv6 address formats. Provide source and destination locations
using any one of the following options:
• IPv4 URLs:
tftp://<hostname|IPv4>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IPv4>[:port]/path/file
sftp://<user>@<hostname|IPv4>[:port]/path/file
http://<hostname|IPv4>[:port]/path/file
cf:/path/file
usb<n>:/path/file
• IPv6 URLs:
tftp://<hostname|IPv6>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IPv6>[:port]/path/file
sftp://<user>@<hostname|IPv6>[:port]/path/file
http://<hostname|IPv6>[:port]/path/file
Examples
NOC-NX9500#crypto key generate rsa key 2048
RSA key size > 2048. Key generation started in background.
NOC-NX9500#
Related Commands
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}
Parameters
crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}
Examples
NOC-NX9500#crypto-cmp-cert-update test on NOC-NX9500
CMP Cert update success
NOC-NX9500#
If enforcing authenticated access to the database, use this command to generate the keyfile. Every
keyfile has a set of associated users having a username and password. Access to the database is
allowed only if the user credentials entered during database login are valid. For more information on
enabling database authentication, see Enabling Database Authentication.
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
Syntax
database [drop|keyfile|repair]
database drop [all|captive-portal]
database repair {on <DEVICE-NAME>}
database keyfile [export|generate|import|zerzoise]
database keyfile generate
database keyfile [export|import] <URL>
database keyfile zerzoise
Parameters
database drop [all|captive-portal]
database drop [all|captive-portal] – Drops (deletes) all or a specified database. Execute the
command on the database.
• all – Drops all databases, captive portal and NSight
• captive-portal – Drops the captive-portal database
database repair on <DEVICE-NAME> – Enables automatic repairing of all databases. Repairing
(vacuuming) a database refers to the process of finding and reclaiming space left over from
previous DELETE statements. Execute the command on the database host.
• on <DEVICE-NAME> – Optional. Specifies the name of the
database host. When specified, databases on the specified host
are periodically checked to identify and remove obsolete data
documents.
◦ <DEVICE-NAME> – Specify the name of the access point,
wireless controller, or service platform.
database keyfile generate – Enables database keyfile management. This command is part of a
set of configurations required to enforce database authentication.
Use this command to generate database keyfiles. After generating
the keyfile, create the username and password combination
required to access the database. For information on creating
database users, see service on page 713. For information on
enabling database authentication, see Enabling Database
Authentication.
• generate – Generates the keyfile. In case of a replica-set
deployment, execute the command on the primary database
host. Once generated, export the keyfile to a specified location
from where it is imported on to the replica-set hosts.
database keyfile [export|import] <URL> – Enables database keyfile management. This command is
part of a set of configurations required to enforce database authentication. Use this command
to exchange keyfiles between replica set members.
• export – Exports the keyfile to a specified location on an FTP/
SFTP/TFTP server. Execute the command on the database host
on which the keyfile has been generated.
• import – Imports the keyfile from a specified location. Execute
the command on the replica set members.
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
tftp://<hostname|IP>[:port]/path/file
database keyfile zerzoise – Enables database keyfile management. Use this command to delete
keyfiles.
• zerzoise – Deletes an existing keyfile.
Examples
vx9000-1A1809#database keyfile generate
Database keyfile successfully generated
vx9000-1A1809#
vx9000-1A1809#database keyfile export ftp://1.1.1.111/db-key
Database keyfile successfully exported
vx9000-1A1809#
vx9000-D031F2#database keyfile import ftp://1.1.1.111/db-key
Database keyfile successfully imported
vx9000-D031F2#
b. Use the show > database > keyfile command to view the generated keyfile.
c. Export the keyfile to an external location. This is required only in case of database replica-set
deployment.
Primary-DB-HOST>database keyfile export ftp://1.1.1.111/db-key
Database keyfile successfully exported
Primary-DB-HOST>
--------------------------------
Primary-DB-HOST#
2. On the replica set host, import the keyfile from the location specified in Step 1 c.
Secondary-DB-HOST#database keyfile import ftp://1.1.1.111/db-key
a. Enable authentication.
Primary-DB-HOST(config-database-policy-techpubs)#authentication
4. In the database-client policy context (used on the NSight/EGuest server host). Note: this
configuration is required only if the NSight/EGuest server and database are hosted on separate
hosts.
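The keyfile, database archive and firmware image commands in this guide all take a transfer URL, and the keyfile examples above use plain ftp://. The following Python audit is an added example, not part of the guide or of WiNG: it scans captured CLI lines for those payloads moving over the unencrypted transports (FTP, TFTP, HTTP) and for passwords typed into the URL, and masks the password before a line is logged. The finding names and payload labels are this example's own, and every sample line except the first is constructed.

```python
import re

# Transports named in the guide's URL formats that carry data unencrypted.
CLEARTEXT_SCHEMES = {"ftp", "tftp", "http"}

# Commands from this guide whose payload is secret or integrity-critical.
# The labels on the right are this example's own wording (assumption).
SENSITIVE_COMMANDS = [
    (re.compile(r"^database\s+keyfile\s+(export|import)\b"), "database keyfile"),
    (re.compile(r"^database-(backup|restore)\s+database\b"), "database archive"),
    (re.compile(r"^device-upgrade\s+load-image\b"), "firmware image"),
]

# A prompt such as "vx9000-1A1809#" or "HOST(config-...)#" at the start of a line.
PROMPT = re.compile(r"^[\w.-]+(?:\([^)]*\))?[#>]\s*")
URL = re.compile(r"\b[a-z][a-z0-9+.-]*://\S+", re.IGNORECASE)

# Sample session: line 1 is taken from this page, the rest are constructed.
SAMPLE_SESSION = [
    "vx9000-1A1809#database keyfile export ftp://1.1.1.111/db-key",
    "vx9000-D031F2#database keyfile import sftp://dbsync@192.0.2.10/keys/db-key",
    "nx9500-6C8809#database-backup database nsight "
    "ftp://ops:S3cret@192.0.2.10/backups/nsight.tar.gz",
    "nx9500-6C8809#device-upgrade load-image ap7532 tftp://2001:db8::10/fw/ap7532.img",
    "nx9500-6C8809#dir flash:/",
]


def split_userinfo(url):
    """Split a URL into (scheme, user, password, rest).

    Only the text before the first '/' is treated as the authority, and the
    host/port part is never interpreted, so IPv6 literals pass through intact.
    """
    scheme, _, remainder = url.partition("://")
    authority, slash, path = remainder.partition("/")
    userinfo, at, host = authority.rpartition("@")
    user, colon, password = userinfo.partition(":")
    return (scheme.lower(),
            user if at else None,
            password if colon else None,
            host + slash + path)


def redact(line):
    """Mask any URL password so the line can be written to an audit log."""
    def mask(match):
        scheme, user, password, rest = split_userinfo(match.group(0))
        if password is None:
            return match.group(0)
        return f"{scheme}://{user}:***@{rest}"
    return URL.sub(mask, line)


def audit_line(line):
    """Return a list of (finding, detail) tuples for one CLI line."""
    command = PROMPT.sub("", line.strip())
    payload = next(
        (label for pattern, label in SENSITIVE_COMMANDS if pattern.search(command)),
        None,
    )
    findings = []
    for match in URL.finditer(command):
        scheme, user, password, _ = split_userinfo(match.group(0))
        if password is not None:
            findings.append(
                ("password-in-url", f"credentials for '{user}' appear on the command line")
            )
        if payload and scheme in CLEARTEXT_SCHEMES:
            findings.append(("cleartext-transfer", f"{payload} sent over {scheme}"))
    return findings


def audit(lines):
    """Audit a whole session; each row is (line number, finding, detail, redacted line)."""
    report = []
    for number, line in enumerate(lines, 1):
        for finding, detail in audit_line(line):
            report.append((number, finding, detail, redact(line.strip())))
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_SESSION):
        print("line %d: %s: %s\n    %s" % row)
```
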
Related Commands
database-backup (user and privi exec modes) on page 74 – Backs up captive-portal and/or NSight
database to a specified location and file on an FTP or SFTP server
database-restore (user and privi exec modes) on page 73 – Restores a previously exported
database [captive-portal and/or NSight]
database-policy global config on page 403 – Documents database-policy configuration commands.
Use this option to enable the database.
database-client-policy global-config on page 399 – Documents database-client-policy
configuration commands. Use this option to configure the database host details (IP address or
hostname). If enforcing database authentication, use it to configure the users having database
access. Once configured, use the policy in the NSight/EGuest server’s device config context.
service on page 713 – Documents the database user account configuration details
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
Syntax
database-backup database [captive-portal|nsight|nsight-placement-info] <URL>
database-backup database [captive-portal|nsight] <URL>
database-backup database nsight-placement-info <URL>
Parameters
database-backup database [captive-portal|nsight] <URL>
database-backup database [captive-portal|nsight] – Backs up captive portal and/or NSight
database to a specified location. Select the database to backup:
• captive-portal – Backs up captive portal database
• nsight – Backs up NSight database
After specifying the database type, configure the destination location.
database-backup database nsight-placement-info <URL> – Backs up the NSight access point
placement related details to a specified location
• <URL> – Specify the URL in one of the following formats:
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
tftp://<hostname|IP>[:port]/path/file.tar.gz
Related Commands
database (user and privi exec modes) on page 69 – Enables automatic repairing (vacuuming) and
dropping of databases (captive-portal and/or NSight)
database-restore (user and privi exec modes) on page 73 – Restores a previously exported
(backed up) database (captive-portal and/or NSight)
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
Syntax
database-restore database [captive-portal|nsight] <URL>
Parameters
database-restore database [captive-portal|nsight] <URL>
Examples
nx9500-6C874D#database-restore database nsight ftp://anonymous:[email protected]/
backups/nsight/nsight.tar.gz
Related Commands
database (user and privi exec modes) on page 69 – Enables automatic repairing (vacuuming) and
dropping of databases (captive-portal and NSight)
database-backup (user and privi exec modes) on page 74 – Backs up captive-portal and/or NSight
database to a specified location and file on an FTP or SFTP server
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
In a hierarchically managed (HM) network, this command enables centralized device upgrades
across the network.
The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a
single Network Operations Center (NOC) controller. The NOC controller constitutes the first tier and the
site controllers constitute the second tier of the hierarchy. The site controllers may or may not
be grouped to form clusters. The site controllers in turn adopt and manage access points that form the
third tier of the hierarchy.
Note
Hierarchical management allows the NOC controller to upgrade controllers and access points
that are directly or indirectly adopted to it. However, ensure that the NOC controller is loaded
with the correct firmware version.
Use the device-upgrade command to schedule firmware upgrades across adopted devices within the
network. Devices are upgraded based on their device names, MAC addresses, or RF Domain.
Note
If the persist-images option is selected, the RF Domain manager retains the old firmware
image, or else deletes it. For more information on enabling device upgrade on profiles and
devices (including the ‘persist-images’ option), see device-upgrade on page 1082.
Note
A NOC controller’s capacity is equal to, or higher than that of a site controller. The following
devices can be deployed at NOC and sites:
• NOC controller – NX9500, NX9600, VX9000
• Site controller – RFS4010, NX5500, or NX7500
Note
Standalone devices have to be manually upgraded.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
device-upgrade [<MAC/HOSTNAME>|all|ap7502|ap7522|ap7532|ap7602|ap7612|ap7622|
ap7632|ap7662|ap8163|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000|
cancel-upgrade|load-image|rf-domain]
device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME>
{no-reboot|reboot-time <TIME>}}
device-upgrade all {no-reboot|reboot-time <TIME>|upgrade-time <TIME>
{no-reboot|reboot-time <TIME>}} {(staggered-reboot)}
device-upgrade [ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|
ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000] all
{force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}}
{(staggered-reboot)}
device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap7502|ap7522|ap7532|ap7562|
ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|
nx9600|vx9000|on rf-domain [<RF-DOMAIN-NAME>|all]]
device-upgrade load-image [ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000]
{<IMAGE-URL>|on <DEVICE-OR-DOMAIN-NAME>}
device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>]
[all|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|
rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|from-controller|
no-reboot|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}
Parameters
device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME>
{no-reboot|reboot-time <TIME>}}
upgrade-time <TIME> {no-reboot|reboot-time <TIME>} – Optional. Schedules an automatic firmware
upgrade on all devices, of the specified type, on a specified day and time
• <TIME> – Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following
actions can be performed after a scheduled upgrade:
◦ no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must
be manually restarted)
◦ reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade.
Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
device-upgrade [ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|
ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000] all
device-upgrade <DEVICE-TYPE> all – Upgrades firmware on all devices of a specific type. Select
the device type.
After selecting the device type, schedule an automatic upgrade and/or an automatic reboot.
force Optional. Select this option to force upgrade on the selected
device(s). When selected, the devices are upgraded even if they
have the same firmware as the upgrading access point, wireless
controller, or service platform. If forcing a device upgrade,
optionally specify any one of the following options: no-reboot,
reboot-time, upgrade-time, or staggered-reboot.
no-reboot Optional. Disables automatic reboot after a successful upgrade (the
device must be manually restarted)
reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade
• <TIME> – Optional. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
upgrade-time <TIME> {no-reboot|reboot-time <TIME>} – Optional. Schedules an automatic firmware
upgrade on all devices, of the specified type, on a specified day and time
• <TIME> – Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following
actions can be performed after a scheduled upgrade:
◦ no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must
be manually restarted)
◦ reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade.
Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000|
on rf-domain [<RF-DOMAIN-NAME>|all]]
load-image <DEVICE-TYPE> Loads device firmware image from a specified location. Use this
command to specify the device type and the location of the
corresponding image file.
• <DEVICE-TYPE> - Specify the device type.
After specifying the device type, provide the location of the
required device firmware image.
<IMAGE-URL> Specify the device’s firmware image location in one of the following
formats:
IPv4 URLs:
• tftp://<hostname|IP>[:port]/path/file
• ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
• sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
• http://<hostname|IP>[:port]/path/file
• cf:/path/file
• usb<n>:/path/file
IPv6 URLs:
• tftp://<hostname|IPv6>[:port]/path/file
• ftp://<user>:<passwd>@<hostname|IPv6>[:port]/path/file
• sftp://<user>:<passwd>@<hostname|IPv6>[:port]/path/file
• http://<hostname|IPv6>[:port]/path/file
on <DEVICE-OR-DOMAIN-NAME> – Specify the name of the device or RF Domain. The image, of the
specified device type is loaded from the device specified here. In case of an RF Domain, the
image available on the RF Domain manager is loaded.
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform,
or RF Domain.
force Optional. Select this option to force upgrade for the selected
device(s). When selected, the devices are upgraded even if they
have the same firmware as the upgrading access point, wireless
controller, or service platform. If forcing a device upgrade,
optionally specify any one of the following options: no-reboot,
reboot-time, upgrade-time, or reboot-time.
Examples
nx9500-6C8809#show adoption status
------------------------------------------------------------------------------------------
--------------------------------------
DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-ADOPTION
UPTIME IPv4-ADDRESS
------------------------------------------------------------------------------------------
--------------------------------------
ap8432-070235 5.9.7.0-001D version-mismatch No nx9500-6C8809 0 days 00:49:26 55 days
02:40:43 10.234.160.13
ap7562-84A224 5.9.7.0-001D version-mismatch No nx9500-6C8809 0 days 00:49:26 55 days
02:40:18 10.234.160.6
ap7532-DF9A4C 5.9.7.0-001D version-mismatch No nx9500-6C8809 0 days 00:49:26 55 days
02:40:41 10.234.160.12
------------------------------------------------------------------------------------------
---------------------------------------
Total number of devices displayed: 3
nx9500-6C8809#
nx9500-6C8809#device-upgrade rf-domain WiNG5 all
In progress ....
------------------------------------------------------------------------------------------
---------------
CONTROLLER STATUS MESSAGE
------------------------------------------------------------------------------------------
---------------
B4-C7-99-6C-88-09 Success WiNG5(device type-count: ap7562-1 ap7532-1 ap8432-1 added
for upgrade),
------------------------------------------------------------------------------------------
---------------
nx9500-6C8809#
nx9500-6C8809#show device-upgrade status
Number of devices currently being upgraded : 1
Number of devices waiting in queue to be upgraded : 0
Number of devices currently being rebooted : 0
Number of devices waiting in queue to be rebooted : 1
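The `show adoption status` table above is the quickest record of which adopted devices were still flagged before a `device-upgrade` run, and rerunning it afterwards shows what remains. The following Python parser is an added example, not from the guide: it reads that table even when each row is wrapped across two lines, as in the output above, and lists the devices still flagged. The sample text is constructed from the page's output with the third row's CFG-STAT value changed, and treating `version-mismatch` as "still needs the upgrade" is an assumption.

```python
import re

# Constructed from the `show adoption status` output on this page, keeping the
# two-line wrap of each row. The CFG-STAT value of the third row ("configured")
# is a constructed value so that the filter has something to exclude.
SAMPLE_OUTPUT = """\
nx9500-6C8809#show adoption status
--------------------------------------------------------------------------
DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-ADOPTION
UPTIME IPv4-ADDRESS
--------------------------------------------------------------------------
ap8432-070235 5.9.7.0-001D version-mismatch No nx9500-6C8809 0 days 00:49:26 55 days
02:40:43 10.234.160.13
ap7562-84A224 5.9.7.0-001D version-mismatch No nx9500-6C8809 0 days 00:49:26 55 days
02:40:18 10.234.160.6
ap7532-DF9A4C 5.9.7.0-001D configured No nx9500-6C8809 0 days 00:49:26 55 days
02:40:41 10.234.160.12
--------------------------------------------------------------------------
Total number of devices displayed: 3
nx9500-6C8809#
"""

DURATION = r"\d+\s+days\s+\d\d:\d\d:\d\d"

# One table row, matched on whitespace-normalised text so that a row wrapped
# in the middle of the UPTIME column is read as a single record.
RECORD = re.compile(
    r"(?P<name>\S+)\s+"
    r"(?P<version>\d+(?:\.\d+){3}-\w+)\s+"
    r"(?P<cfg_stat>\S+)\s+(?P<msgs>\S+)\s+(?P<adopted_by>\S+)\s+"
    rf"(?P<last_adoption>{DURATION})\s+(?P<uptime>{DURATION})\s+"
    r"(?P<ipv4>\d{1,3}(?:\.\d{1,3}){3})(?!\S)"
)


def parse_adoption_status(text):
    """Return one dict per device row; prompts, rulers and headers are skipped
    because they never match the VERSION column pattern."""
    flat = " ".join(text.split())
    return [match.groupdict() for match in RECORD.finditer(flat)]


def pending_upgrade(devices, target_version=None):
    """Devices reporting version-mismatch, plus (when a target version is
    given) any device whose VERSION column differs from it."""
    pending = []
    for device in devices:
        mismatch = device["cfg_stat"] == "version-mismatch"
        stale = target_version is not None and device["version"] != target_version
        if mismatch or stale:
            pending.append(device)
    return pending


if __name__ == "__main__":
    for device in pending_upgrade(parse_adoption_status(SAMPLE_OUTPUT)):
        print(device["name"], device["version"], device["ipv4"], device["adopted_by"])
```
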
delete
Deletes a specified file from the device's file system
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
delete [/force <FILE>|/recursive <FILE>|<FILE>]
Parameters
delete [/force <FILE>|/recursive <FILE>|<FILE>]
Examples
rfs4000-229D58#delete flash:/out.tar flash:/out.tar.gz
Delete flash:/out.tar [y/n]? y
Delete flash:/out.tar.gz [y/n]? y
rfs4000-229D58
rfs4000-229D58#delete /force flash:/tmp.txt
rfs4000-229D58#
rfs4000-229D58#delete /recursive flash:/backup/
Delete flash:/backup//fileMgmt_350_180B.core
[y/n]? y
Delete flash:/backup//fileMgmt_350_18212X.core_bk
[y/n]? n
Delete flash:/backup//imish_1087_18381X.core.gz
[y/n]? n
rfs4000-229D58
diff
Displays the differences between two files on a device's file system or a particular URL
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
diff [<FILE>|<URL>] [<FILE>|<URL>]
Parameters
diff [<FILE>|<URL>] [<FILE>|<URL>]
<FILE> The first <FILE> is the source file for the diff command. The second
<FILE> is used for comparison.
<URL> The first <URL> is the source file's URL. The second <URL> is the
second file's URL.
Examples
nx9500-6C8809#diff startup-config running-config
--- startup-config
+++ running-config
@@ -1,12 +1,10 @@
+!### show running-config
!
! Configuration of NX9500 version 5.9.6.0-004D
!
!
version 2.6
!
-password-encryption-version 1.0
-inline-password-encryption
-password-encryption-key secret 2
776f9d6d5bb08fac753394d779cbc5a200000020a4ca26def55d4d77952308cd5e3afc66c06581bb1e5af6d6b0
33fd664c363522
!
client-identity-group default
load default-fingerprints
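Review bot: the three removed lines at the top of this hunk (`password-encryption-version 1.0`, `inline-password-encryption` and `password-encryption-key secret 2 ...`) are present in startup-config only, so confirm why the running-config side lacks them before treating the two files as equivalent. The same lines print the password-encryption-key value in full, so redact that line before pasting this diff output into a ticket or log.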
@@ -35,13 +33,13 @@
!
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
!
-alias encrypted-string $READ 2 LKSXiTieTV5hybKxfbd6JwAAAAZ/lakoqHh/ZfyHLJWzluTH
+alias encrypted-string $READ 2 1og6ZeMyEVJhybKxfbd6JwAAAAahnGq6RaJb70CEIbVpTYre
--More--
nx9500-6C8809#
dir
Lists files on a device's file system
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dir {/all|/recursive|<DIR>|all-filesystems}
Parameters
dir {/all|/recursive|<DIR>|all-filesystems}
Examples
nx9500-6C8809#dir flash:/
Directory of flash:/
nx9500-6C8809#
nx9500-6C8809#dir all-filesystems
Directory of flash:/
Directory of nvram:/
--More--
nx9500-6C8809#
disable
Turns off (disables) the privileged mode command set. This command returns to the User Executable
mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
disable
Parameters
None
Examples
nx9500-6C8809#disable
nx9500-6C8809>
edit
Edits a text file on the device's file system
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
edit <FILE>
Parameters
edit <FILE>
Examples
nx9500-6C8809#edit startup-config
GNU nano 1.2.4 File: startup-config
!
! Configuration of NX9500 version 5.9.6.0-004D
!
!
version 2.6
!
!
client-identity-group default
load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit $
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-descripti$
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP $
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
[ Read 106 lines ]
^G Get Help ^O WriteOut ^R Read File ^Y Prev Page ^K Cut Text ^C Cur Pos
^X Exit ^J Justify ^W Where Is ^V Next Page ^U UnCut Txt ^T To Spell
enable
Turns on (enables) the privileged mode command set. This command does not do anything in the
Privilege Executable mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
enable
Parameters
None
Examples
nx9500-6C8809#enable
nx9500-6C8809#
erase
Erases a device’s (wireless controller, Access Point, and service platform) file system. Erases the content
of the specified storage device. Also erases the startup configuration to restore the device to its default.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
erase [flash:|nvram:|startup-config|usb1:|usb2:|usb3:|usb4:]
erase [flash:|nvram:|usb1:|usb2:|usb3:|usb4:]
erase startup-config {<HOSTNAME/MAC>|on <DOMAIN-NAME> {containing <SUB-STRING>|
exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}}
Parameters
erase [flash:|nvram:|usb1:|usb2:|usb3:|usb4:]
Examples
nx9500-6C8809#erase ?
cf: Erase everything in cf:
flash: Erase everything in flash:
nvram: Erase everything in nvram:
startup-config Reset configuration to factory default
usb1: Erase everything in usb1:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
exit
Parameters
None
Examples
nx9500-6C8809#exit
ex3500
Enables EX3500 switch firmware management. Use this command to perform the following operations:
boot, copy, delete, and IP-related configurations.
The copy keyword provides multiple copy options. It allows you to upload or download code images or
configuration files between the switch’s flash memory and an FTP/TFTP server. When you save the
system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded
to the switch to restore system operation. The success of the file transfer depends on the accessibility of
the FTP/TFTP server and the quality of the network connection.
Syntax
ex3500 [adoptd|boot|copy|delete|ip]
ex3500 adoptd upgrade <URL> on <EX3500-DEVICE-NAME>
ex3500 boot system <1-1> (config|opcode) <FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [file|ftp|running-config|startup-config|tftp|unit]
ex3500 copy [file file <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>]
ex3500 copy [ftp|tftp] [add-to-running-config|file|https-certificate|public-key|
running-config|startup-config]
ex3500 copy [ftp|tftp] add-to-running-config <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>
<SOURCE-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] file <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> [1|2]
<SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] https-certificate <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>
<SOURCE-CERT-FILE-NAME> <SOURCE-PVT-KEY-FILE-NAME> <PVT-PASS-WORD> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] public-key <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> [1|2]
<SOURCE-PUB-KEY-FILE-NAME> <USER-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] [running-config|startup-config] <FTP/TFTP-SERVER-IP> <USER-NAME>
<PASSWORD> <SOURCE-CONFIG-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy running-config [file <DEST-FILE-NAME>|ftp <FTP-SERVER-IP> <USER-NAME>
<PASSWORD> <DEST-FILE-NAME>|startup-config|tftp <TFTP-SERVER-IP> <DEST-FILE-NAME>] on
<EX3500-DEVICE-NAME>
ex3500 copy startup-config [file <DEST-FILE-NAME>|ftp <FTP-SERVER-IP> <USER-NAME>
<PASSWORD> <DEST-FILE-NAME>|running-config|tftp <TFTP-SERVER-IP> <DEST-FILE-NAME>] on
<EX3500-DEVICE-NAME>
ex3500 copy unit file <1-1> [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME> on
<EX3500-DEVICE-NAME>
ex3500 delete [file|public-key]
ex3500 delete file [name <FILE-NAME>|unit <1-1> name <FILE-NAME>] on <EX3500-DEVICE-NAME>
ex3500 delete public-key <USER-NAME> [dsa|rsa] on <EX3500-DEVICE-NAME>
ex3500 ip ssh [crypto|save]
ex3500 ip ssh crypto host-key generates [dsa|rsa] on <EX3500-DEVICE-NAME>
ex3500 ip ssh crypto zeroize [dsa|rsa] on <EX3500-DEVICE-NAME>
ex3500 ip ssh save host-key on <EX3500-DEVICE-NAME>
Parameters
ex3500 adoptd upgrade <URL> on <EX3500-DEVICE-NAME>
ex3500 adoptd upgrade – Upgrades an adopted EX3500 switch. After an upgrade, reboot the
EX3500 switch to initiate the new image.
Note: To view an EX3500’s current image version, use the show > version > on
<EX3500-DEVICE-NAME> command.
<URL> – Specifies the location and image file name in the following format:
tftp://<IP>[/path]/file
on <EX3500-DEVICE-NAME> – Executes the command on a specified EX3500 switch
• <EX3500-DEVICE-NAME> – Specify the EX3500 switch’s hostname.
ex3500 boot system – Boots an EX3500 switch using a specified configuration file
<1-1> – Identifies the EX3500 unit by its ID number. Specify the EX3500 ID from 1 - 1.
Note: As of now only one (1) EX3500 unit can be managed through a NOC controller.
(config|opcode) <FILE-NAME> – The following keywords are recursive: Specifies the image file
to use for booting. The options are:
• config – Uses the configuration file to boot the switch
• opcode – Uses the opcode (Operation Code), which is the runtime code, to boot the switch.
The opcode is like an operating system that enables the WiNG software to communicate with
the EX3500 device.
ex3500 copy [ftp|tftp] – Copies files from an FTP or TFTP server. This command allows you to
copy the following types of files: HTTPS certificate, running configuration, startup
configuration, public key, etc.
This command also allows you to add a remote system’s running configuration to the current
system configuration.
add-to-running-config – Adds a remote system’s running configuration to the current system
<FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> – Configures the FTP or TFTP server details
(depending on the option selected in the previous step), such as IP address and user
credentials. This is the device running the FTP/TFTP server.
• <FTP/TFTP-SERVER-IP> – Specify the FTP or TFTP server’s IP address in the A.B.C.D format.
◦ <USER-NAME> – If using an FTP server, specify the FTP server’s user name (should be an
authorized user)
▪ <PASSWORD> – Specify the password applicable for the above specified FTP server user name.
<SOURCE-FILE-NAME> – After specifying the server details, specify the name of the running
configuration file.
• <SOURCE-FILE-NAME> – Specify the source file’s name.
ex3500 copy [ftp|tftp] – Copies files from an FTP or TFTP server. This command allows you to
copy the following types of files: HTTPS certificate, running configuration, startup
configuration, public key, etc.
file – Copies to a specified file system
<FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> – Configures the FTP or TFTP server details
(depending on the option selected in the previous step), such as IP address and user
credentials. This is the device running the FTP/TFTP server.
• <FTP/TFTP-SERVER-IP> – Specify the FTP or TFTP server’s IP address in the A.B.C.D format.
◦ <USER-NAME> – If using an FTP server, specify the FTP server’s user name (should be an
authorized user)
▪ <PASSWORD> – Specify the password applicable for the above specified FTP server user name.
[1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME> – After specifying the server details, select the
file type and specify the name of the source and destination file names.
• [1|2] – Select the file type from 1 - 2.
◦ 1 – Copies the EX3500 configuration file.
◦ 2 – Copies the opcode, which is the runtime code. The opcode is like an operating system
that enables the WiNG software to communicate with the EX3500 device.
▪ <SOURCE-FILE-NAME> – Specify the source file’s name.
• <DEST-FILE-NAME> – Specify the destination file’s name.
ex3500 copy [ftp|tftp] – Copies files from an FTP or TFTP server. This command allows you to
copy the following types of files: HTTPS certificate, running configuration, startup
configuration, public key, etc.
https-certificate – Copies HTTPS secure site certificate from the FTP or TFTP server to the
switch
<FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> – Configures the FTP or TFTP server details
(depending on the option selected in the previous step), such as IP address and user
credentials. This is the device running the FTP/TFTP server.
• <FTP/TFTP-SERVER-IP> – Specify the FTP or TFTP server’s IP address in the A.B.C.D format.
◦ <USER-NAME> – If using an FTP server, specify the FTP server’s user name (should be an
authorized user)
▪ <PASSWORD> – Specify the password applicable for the above specified FTP server user name.
<SOURCE-CERT-FILE-NAME> <SOURCE-PVT-KEY-FILE-NAME> <PVT-PASS-WORD> – After identifying the FTP
or TFTP server, specify the following:
• <SOURCE-CERT-FILE-NAME> – Specify the source HTTPS secure site certificate file name.
◦ <SOURCE-PVT-KEY-FILE-NAME> – Specify the source private-key file name.
▪ <PVT-PASS-WORD> – Specify the private password.
ex3500 copy [ftp|tftp] – Copies files from an FTP or TFTP server. This command allows you to
copy the following types of files: HTTPS certificate, running configuration, startup
configuration, public key, etc.
public-key – Copies the SSH public key from the FTP or TFTP server to the switch
<FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> – Configures the FTP or TFTP server details
(depending on the option selected in the previous step), such as IP address and user
credentials. This is the device running the FTP/TFTP server.
• <FTP/TFTP-SERVER-IP> – Specify the FTP or TFTP server’s IP address in the A.B.C.D format.
◦ <USER-NAME> – If using an FTP server, specify the FTP server’s user name (should be an
authorized user)
▪ <PASSWORD> – Specify the password applicable for the above specified FTP server user name.
[1|2] <SOURCE-PUB-KEY-FILE-NAME> <USER-NAME> – After identifying the FTP or TFTP server,
specify the following:
• [1|2] – Configures the SSH public key type as RSA or DSA
◦ 1 – Configures the public key type as RSA
◦ 2 – Configures the public key type as DSA
▪ <SOURCE-PUB-KEY-FILE-NAME> – Specifies the source public key file name
• <USER-NAME> – Specifies the public key’s user name
ex3500 copy [ftp|tftp] – Copies files from an FTP or TFTP server. This command allows you to
copy the following types of files: HTTPS certificate, running configuration, startup
configuration, public key, etc.
[running-config|startup-config] – Copies the running or startup configuration file to one of
the following destinations: file system, FTP server, or TFTP server
The running configuration file can be copied to the startup configuration file and vice versa.
<DEST-FILE-NAME> – Configures the destination file name. The running or startup configuration
file is copied to the specified destination file.
• <DEST-FILE-NAME> – Specify the destination file name. You can also copy the running
configuration file to the startup configuration file and vice versa.
unit <1-1> name <FILE- Identifies the unit in the stackable system on which the file is located
NAME> • <1-1> – Select the unit from 1 - 1.
◦ name – After identifying the unit, specify the file to delete. The
specified file is deleted.
▪ <FILE-NAME> – Specify the file name.
ex3500 ip ssh crypto host-key generates [dsa|rsa]
    Generates the host-key pair (public and private). This host key is used by the
    SSH server to negotiate a session key and encryption method with the client
    trying to connect to it.
    • dsa – Generates DSA (version 2) key type
    • rsa – Generates RSA (version 1) key type
    Note: The RSA Version 1 is used only for SSHv1.5 clients, whereas DSA Version 2
    is used only for SSHv2 clients.
    Note: This generated host-key pair is stored in the volatile memory (i.e. RAM).
    To save the host-key pair in the flash memory, use the ex3500 > ip > ssh >
    save > host-key command.
ex3500 ip ssh zeroize [dsa|rsa]
    Removes the host-key (DSA and RSA) from the volatile memory (i.e. RAM)
on <EX3500-DEVICE-NAME>
    Executes the command on a specified EX3500 device
    • <EX3500-DEVICE-NAME> – Specify the EX3500 device’s hostname.
Usage Guidelines
When using the ex3500 command and its parameters, keep in mind the following:
• Destination file names should not:
◦ Contain slashes (\ or /),
◦ Exceed 32 characters for files on the switch, or 127 characters for files on the server.
• The FTP server’s default user name is set as “anonymous”.
• The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. Follow
instructions provided in the release notes for new firmware, or contact your distributor for help.
• The “Factory_Default_Configure” can be used as the source to copy from, but cannot be used as the
destination.
• Although the switch supports only two operation code files, the maximum number of user-defined
configuration files supported is 16.
Example
nx9500-6C8809#ex3500 adopted upgrade tftp://192.168.0.99/ex3500-adopted-5.8.5.0.img on ex3524-ED5EAC
Flash programming started
Flash programming completed
Successful
nx9500-6C8809#
nx9500-6C8809#ex3500 copy tftp file 10.2.0.100 1 m360.bix m360.bix on ex3524-ED5EAC
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
nx9500-6C8809#
nx9500-6C8809#ex3500 copy tftp startup-config 10.2.0.99 startup.01 startup on ex3524-ED5EAC
TFTP server ip address: 10.1.0.99
Flash programming started.
Flash programming completed.
Success.
nx9500-6C8809#
factory-reset
Erases startup configuration on a specified device or all devices within a specified RF Domain
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
factory-reset [<HOSTNAME/MAC>|config-all|config-device-only|on <RF-DOMAIN-NAME>]
factory-reset <HOSTNAME/MAC> {<HOSTNAME/MAC>}
factory-reset on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|
exclude-rf-domain-manager|filter <DEVICE-TYPE>}
factory-reset [config-all|config-device-only] [<HOSTNAME/MAC> {<HOSTNAME/MAC>}|
on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|
exclude-rf-domain-manager|filter <DEVICE-TYPE>}]
Parameters
factory-reset <HOSTNAME/MAC> {<HOSTNAME/MAC>}
factory-reset Erases startup configuration and reloads device(s) based on the parameters
passed
For more information on the actions performed by this command, see
Actions performed by the factory-reset command.
<HOSTNAME/MAC> {<HOSTNAME/MAC>}
    Erases startup configuration and reloads the device identified by the
    <HOSTNAME/MAC> keyword
    • <HOSTNAME/MAC> – Optional. You can optionally specify multiple
      space-separated devices.
factory-reset Erases startup configuration and reloads device(s) based on the parameters
passed
For more information on the actions performed by this command, see
Actions performed by the factory-reset command.
[config-all|config-device-only]
    Erases startup configuration and reloads only controller-adopted devices or the
    controller as well as its adopted devices
    • config-all – Erases startup configuration on the controller and all devices
      adopted by it
    • config-device-only – Erases startup configuration only on the devices adopted
      by the controller
on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
    The following parameters are common to the ‘config-all’ and ‘config-device-only’
    keywords:
    • on <RF-DOMAIN-NAME> – Erases startup configuration and reloads all devices or
      specified device(s) within a specified RF Domain
    ◦ <RF-DOMAIN-NAME> – Specify the RF Domain name.
    After specifying the RF Domain, optionally use the filters provided to identify
    specific device(s) within the RF Domain. If none of the filters are used, the
    command is executed on all devices within the RF Domain. These filters are:
    ▪ containing <SUB-STRING> – Optional. Executes the command on all devices
      containing a specified sub-string in their hostname
      • <SUB-STRING> – Specify the sub-string to match.
    ▪ exclude-controllers – Optional. Executes the command on all devices excluding
      controllers. Since only a NOC controller is capable of adopting other
      controllers, use this option when executing the command on a NOC controller.
    ▪ exclude-rf-domain-manager – Optional. Executes the command on all devices
      excluding RF Domain managers. Use this option when executing the command on
      the NOC, Site controller, or RF Domain manager.
    ▪ filter <DEVICE-TYPE> – Optional. Executes the command on all devices of a
      specified type
      • <DEVICE-TYPE> – Specify the device type. The options are: AP 6522, AP 6562,
        AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602, AP-7612, AP 7622,
        AP7632, AP7662, AP-8163, AP-8432, AP-8533, RFS 4000, NX 5500, NX 75XX,
        NX 95XX, NX 96XX, and VX.
Example
nx7500-7F3609#factory-reset config-all ap6522-5A873C
In progress ....
Erased startup-config - success 1 fail 0
Successful device deletion - total 1
nx7500-7F3609#
rfs4000-6DB5D4# factory-reset B4-C7-99-5A-87-3C
In progress ....
Erased startup-config and initiated reload - success 1 fail 0
Successful device deletion - total 1
rfs4000-6DB5D4#
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
file-sync [cancel|load-file|trustpoint|wireless-bridge]
file-sync cancel [trustpoint|wireless-bridge]
file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all]]
file-sync load-file [trustpoint|wireless-bridge]
file-sync load-file [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] <URL>
file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|rf-domain
[<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}
Parameters
file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all]]
file-sync load-file [trustpoint|wireless-bridge] <URL>
    Loads the following files on to the staging controller:
    • trustpoint – Loads the trustpoint, including CA certificate, server
      certificate and private key
    • wireless-bridge – Loads the wireless-bridge certificate to the staging
      controller. Use this command to load the certificate to the controller before
      scheduling or initiating a certificate synchronization.
    ◦ <URL> – Provide the trustpoint/certificate location using one of the
      following formats:
      tftp://<hostname|IP>[:port]/path/file
      ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
      sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
      http://<hostname|IP>[:port]/path/file
      cf:/path/file
      usb<n>:/path/file
Examples
NOC-NX9500>file-sync wireless-bridge ap7532-11E6C4 upload-time 09/01/2019-12:30
--------------------------------------------------------------------------------
CONTROLLER STATUS MESSAGE
--------------------------------------------------------------------------------
Note
This command only initiates the search process. It does not return the actual GPS coordinates.
To view the coordinates, execute the following command:
show gps coordinates {on <DEVICE-NAME>}
Syntax
gps search [start|stop] {on <DEVICE-NAME>}
Parameters
gps search [start|stop] {on <DEVICE-NAME>}
gps search [start|stop]
    Triggers the GPS hardware to start or stop the GPS coordinates search process
    • start - The GPS hardware starts the search process.
    • stop - The GPS hardware stops the search process.
    Note: If you do not specify a device name, the system initiates the search on
    the logged device. And if the logged device is not an AP7662 model access
    point, an error message returns.
Examples
ap7662-8BDE4D#gps search start
Started GPS Search, please check back after some time.
ap7662-8BDE4D#
ap7662-8BDE4D#show gps coordinates
GPS Search is in progress.
Last location recorded at UTC time : Mon Apr 23 22:10:54 2018 : Latitude : 13.036N
Longitude : 77.3827E
ap7662-8BDE4D#
halt
Stops (halts) a device (Access Point, wireless controller, or service platform). Once halted, the system
must be restarted manually.
This command stops the device immediately. No indications or notifications are provided while the
device shuts down.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
halt force {on <DEVICE-NAME>}
Parameters
halt force {on <DEVICE-NAME>}
Note: If the device name is not specified, the logged device is halted.
Example
nx9500-6C8809#halt on rfs4000-229D58
nx9500-6C8809#
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
join-cluster <IP> user <USERNAME> password <WORD> {level|mode}
join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode [active|standby]}
Parameters
join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode [active|standby]}
Usage Guidelines
After adding a device to a cluster, execute the "write memory" command to ensure the configuration
persists across reboots.
Examples
rfs4000-229D58>join-cluster 192.168.13.15 user admin password superuser level 1 mode standby
... connecting to 192.168.13.15
... applying cluster configuration
... committing the changes
... saving the changes
[OK]
rfs4000-229D58>
rfs4000-229D58>show context
!
! Configuration of RFS4000 version 5.9.6.0-004D
!
!
version 2.6
!
!
................................................................................
cluster name TechPubs
cluster mode standby
cluster member ip 192.168.13.15 level 1
logging on
logging console warnings
logging buffered warnings
!
!
end
rfs4000-229D58>
Related Commands
create-cluster (user and privi exec modes) on page 56
    Creates a new cluster on the specified device
cluster (user and privi exec modes) on page 54
    Initiates cluster context. The cluster context enables centralized management
    and configuration of all cluster members from any one member.
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
l2tpv3 tunnel [<TUNNEL-NAME>|all]
l2tpv3 tunnel <TUNNEL-NAME> [down|session|up]
l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}
l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}
l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}
Parameters
l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}
Examples
nx9500-6C8809#l2tpv3 tunnel TestTunnel session TestTunnelSession1 up on rfs4000-6DB5D4
Note
For more information on the L2TPV3 tunnel configuration mode and commands, see
L2TPV3-POLICY on page 1876.
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational|
notifications|warnings}
Parameters
logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational|
notifications|warnings}
monitor Sets the terminal lines logging levels. The logging severity levels can
be set from 0 - 7. The system configures default settings, if no
logging severity level is specified.
• <0-7> – Optional. Specify the logging severity level from 0-7.
The various levels and their implications are as follows:
• alerts – Optional. Immediate action needed (severity=1)
• critical – Optional. Critical conditions (severity=2)
• debugging – Optional. Debugging messages (severity=7)
• emergencies – Optional. System is unusable (severity=0)
• errors – Optional. Error conditions (severity=3)
• informational – Optional. Informational messages (severity=6)
• notifications – Optional. Normal but significant conditions
(severity=5)
• warnings – Optional. Warning conditions (severity=4)
Examples
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#logging on
nx9500-6C8809>logging monitor debugging
nx9500-6C8809>show logging
Related Commands
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mint [ping|traceroute]
mint ping <MINT-ID> {(count <1-10000>|size <1-64000>|timeout <1-10>)}
mint traceroute <MINT-ID> {(destination-port <1-65535>|max-hops <1-255>|
source-port <1-65535>|timeout <1-255>)}
Parameters
mint ping <MINT-ID> {(count <1-10000>|size <1-64000>|timeout <1-10>)}
count <1-10000>
    Optional. Sets the number of ping packets sent to the specified MiNT destination
    • <1-10000> – Specify a value from 1 - 10000. The default is 3.
destination-port <1-65535>
    Optional. Sets the Equal-cost Multi-path (ECMP) routing destination port
    • <1-65535> – Specify a value from 1 - 65535. The default port is 45.
max-hops <1-255>
    Optional. Sets the maximum number of hops a traceroute packet traverses in the
    forward direction
    • <1-255> – Specify a value from 1 - 255. The default is 30.
timeout <1-255>
    Optional. Sets the minimum response time period in seconds
    • <1-255> – Specify a value from 1 sec - 255 sec. The default is 30 seconds.
Examples
nx9500-6C8809#mint ping 75.07.02.35
MiNT ping 75.07.02.35 with 64 bytes of data.
Response from 75.07.02.35: id=16777216 time=0.130 ms
Response from 75.07.02.35: id=33554432 time=0.152 ms
Response from 75.07.02.35: id=50331648 time=0.163 ms
mkdir
Creates a new directory in the file system
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mkdir <DIR>
Parameters
mkdir <DIR>
Note: A directory, specified by the <DIR> parameter, is created within the file system.
Examples
rfs4000-229D58#dir
Directory of flash:/.
rfs4000-229D58#
rfs4000-229D58#mkdir test
rfs4000-229D58#
rfs4000-229D58#dir
Directory of flash:/.
rfs4000-229D58#
more
Displays files on the device's file system. This command navigates and displays specific files in the
device's file system.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
more <FILE>
Parameters
more <FILE>
<FILE> Specify the file name and location. Provide the complete path to the file.
Examples
NOC-NX9500#more flash:/archived_logs/startup.1.log
Jan 23 09:51:23 2017: %KERN-6-INFO: PACE(22 - DEFRAG) : memory = 2064375.
Jan 23 09:51:23 2017: %KERN-6-INFO: PACE(22) : Enabled midstream protocol detection.
Jan 23 09:51:23 2017: %KERN-6-INFO: PACE(23) : Enabled rtp performance measurement.
Jan 23 09:51:23 2017: %KERN-6-INFO: PACE(23) : Enabled metadata dissectors.
Jan 23 09:51:23 2017: %KERN-6-INFO: PACE(23 - DEFRAG) : memory = 2064375.
Jan 23 09:51:23 2017: %KERN-6-INFO: PACE(23) : Enabled midstream protocol detection.
Jan 23 09:51:23 2017: %KERN-6-INFO: PACE(0 - FLOW) : real_sizeof_flow_data = 533
, real_sizeof_flow_data_aligned = 536, sizeof_flow_data = 584, num_flows = 68812,
conn_toh_size = 47893152.
Jan 23 09:51:23 2017: %KERN-6-INFO: PACE(0 - SUBSCRIBER) : real_sizeof_id_data =
992, real_sizeof_id_data_aligned = 992, sizeof_id_data = 996, num_subscribers = 6826,
id_toh_size = 7399384.
--More--
NOC-NX9500#
no (priv-exec-mode)
Use the no command to turn off an enabled feature or to revert a setting to its default value.
The no commands have their own set of parameters that can be reset. These parameters depend on the
context in which the command is being used.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [adoption|captive-portal|cpe|crypto|debug|logging|page|raid|service|terminal|upgrade|
virtual-machine|wireless]
no adoption {on <DEVICE-OR-DOMAIN-NAME>}
Note
The no > adoption command resets the adoption state of a specified device (and all
devices adopted to it) or devices within a specified RF Domain. When executed without
specifying the device or RF Domain, the command resets the adoption state of the logged
device and all devices, if any, adopted to it.
The following command is available only on the NX 95XX and NX 96XX series service platforms:
no cpe led cpe [<1-24>|all] {on <T5-DEVICE-NAME>}
no virtual-machine assign-usb-ports {on <DEVICE-NAME>}
no raid locate
Parameters
no <PARAMETERS>
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same
parameters associated with the command getting negated.
Examples
NOC-NX9500#no adoption on ?
DEVICE-OR-DOMAIN-NAME AP/Controller/RF-Domain name
NOC-NX9500#
NOC-NX9500#no page
NOC-NX9500#
NOC-NX9500#no upgrade ?
WORD Name of the patch to remove
NOC-NX9500#
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
on rf-domain [<RF-DOMAIN-NAME>|all]
Parameters
on rf-domain [<RF-DOMAIN-NAME>|all]
on rf-domain [<RF-DOMAIN-NAME>|all]
    Enters the RF Domain context based on the parameter specified
    • <RF-DOMAIN-NAME> – Specify the RF Domain name. Enters the specified RF
      Domain context.
    • all – Specifies all RF Domains.
Examples
nx9500-6C8809>on rf-domain TechPubs
nx9500-6C8809(TechPubs)>?
on RF-Domain Mode commands:
nx9500-6C8809(TechPubs)>
nx9500-6C8809(rf-domain-all)>?
on RF-Domain Mode commands:
nx9500-6C8809(rf-domain-all)>
nx9500-6C8809#on rf-domain WiNG5
nx9500-6C8809(WiNG5)#
nx9500-6C8809(WiNG5)#show adoption info
----------------------------------------------------------------------------------------------------
HOST-NAME        MAC                  TYPE      MODEL                SERIAL-NUMBER
----------------------------------------------------------------------------------------------------
ap8432-070235    74-67-F7-07-02-35    ap8432    AP-8432-680B30-US    16009522200002
ap7562-84A224    84-24-8D-84-A2-24    ap7562    AP-7562-67040-US     15015522201502
ap7532-DF9A4C    84-24-8D-DF-9A-4C    ap7532    AP-7532-67030-WR     15265522204149
----------------------------------------------------------------------------------------------------
Total number of devices displayed: 3
nx9500-6C8809(WiNG5)#
OpenDNS is a free DNS service that enables swift Web navigation without frequent outages. It is a
reliable DNS service that provides the following services: DNS query resolution, Web-filtering,
protection against virus and malware attacks, performance enhancement, etc.
This command is part of a set of configurations that are required to integrate WiNG devices with
OpenDNS. When integrated, DNS queries going out of the WiNG device (access point, controller, or
service platform) are re-directed to OpenDNS (208.67.220.220 or 208.67.222.222) resolvers that act as
proxy DNS servers.
For more information on integrating WiNG devices with OpenDNS site, see Example: Enabling
OpenDNS Support on page 220.
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
opendns [APIToken|username]
opendns APIToken <OPENDNS-APITOKEN>
opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>
Note
As per the current implementation, both of the above commands can be used to fetch
the device_id from the OpenDNS site.
Parameters
opendns APIToken <OPENDNS-APITOKEN>
opendns Fetches the device_id from the OpenDNS site using the OpenDNS
API token
APIToken <OPENDNS-APITOKEN>
    Configures the OpenDNS APIToken. This is the token provided to you by CISCO at
    the time of subscribing for their OpenDNS service.
    • <OPENDNS-APITOKEN> – Provide the OpenDNS API token (should be a valid token).
    For every valid OpenDNS API token provided, a device_id is returned. Apply this
    device_id to WLANs that are to be OpenDNS enabled. Once applied, DNS queries
    originating from associating clients are appended with an additional 31 bytes
    of data (representing the device ID) at the end of the DNS packet. For
    information on configuring the device_id in the WLAN context, see opendns on
    page 644.
opendns Fetches the device_id from the OpenDNS site using the OpenDNS
credentials
username <USERNAME>
    Configures the OpenDNS user name. This is your OpenDNS email ID provided by
    CISCO at the time of subscribing for their OpenDNS service.
    • <USERNAME> – Provide the OpenDNS user name (should be a valid OpenDNS
      username).
password <OPENDNS-PSWD>
    Configures the password associated with the user name specified in the
    previous step
    • <OPENDNS-PSWD> – Provide the OpenDNS password (should be a valid OpenDNS
      password).
label <LABEL>
    Configures the network label. This is the label (the user friendly name) of
    your network, and should be the same as the label (name) configured on the
    OpenDNS portal.
    • <LABEL> – Specify your network label.
    For every set of user name, password, and label passed, only one unique
    device_id is returned. Apply this device_id to WLANs that are to be OpenDNS
    enabled. Once applied, DNS queries originating from associating clients are
    appended with an additional 31 bytes of data (representing the device ID) at
    the end of the DNS packet. For information on configuring the device_id in the
    WLAN context, see opendns on page 644.
Usage Guidelines
Use your OpenDNS credentials to log on to the opendns.org site and use the labels, edit settings, and
customize content filtering options to configure Web filtering settings.
Example
ap7532-E6D512>opendns username [email protected] password opendns label company_name
Connecting to OpenDNS server...
device_id = 0014AADF8EDC6C59
ap7532-E6D512>
nx9600-7F3C7F>opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073
device_id = 001480fe36dcb245
nx9600-7F3C7F>
OR
nx9500-6C8809#opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>
Note
The OpenDNS API token and/or user account credentials are provided by the OpenDNS
service provider when subscribing for the OpenDNS service.
b. Apply the device_id fetched in step 1 to the WLAN.
nx9500-6C8809(config-wlan-opendns)#opendns device-id <OPENDNS-DEVICE-ID>
nx9500-6C8809(config-wlan-opendns)#opendns device-id 001480fe36dcb245
nx9500-6C8809(config-wlan-opendns)#show context
wlan opendns
ssid opendns
bridging-mode local
encryption-type none
authentication-type none
opendns device-id 001480fe36dcb245
nx9500-6C8809(config-wlan-opendns)#
Note
Once applied, DNS queries originating from wireless clients associating with the WLAN are
appended with an additional 31 bytes of data (representing the device ID) at the end of
the DNS packet.
2. Configure a DHCP server policy, and set the DHCP pool’s DNS server configuration to point to the
OpenDNS servers.
nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#dns-server 208.67.222.222
Note
You can configure any one of the following OpenDNS servers: 208.67.222.222 OR
208.67.222.220
nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#show context
dhcp-pool opendnsPool
dns-server 208.67.222.222
nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#
3. Apply the DHCP server policy configured in step 2 on the access point, controller, or service
platform.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#use dhcp-server-policy opendns
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include use
use profile default-nx9000
use rf-domain TechPubs
use database-policy default
use nsight-policy noc
use dhcp-server-policy opendns
use auto-provisioning-policy TechPubs
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
Note
When configured, DNS queries are forwarded by the access point, controller, or service
platform to the specified OpenDNS resolver.
4. Configure an IP Access Control List with the following permit and deny rules:
nx9500-6C8809(config-ip-acl-OpenDNS)#permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description "allow dns queries only to OpenDNS"
nx9500-6C8809(config-ip-acl-OpenDNS)#deny udp any any eq dns rule-precedence 10 rule-description "block all DNS queries"
nx9500-6C8809(config-ip-acl-OpenDNS)#permit ip any any rule-precedence 100 rule-description "allow all other ip packets"
nx9500-6C8809(config-ip-acl-OpenDNS)#show context
ip access-list OpenDNS
permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description "allow dns queries only to OpenDNS"
deny udp any any eq dns rule-precedence 10 rule-description "block all dns queries"
permit ip any any rule-precedence 100 rule-description "allow all other ip packets"
nx9500-6C8809(config-ip-acl-OpenDNS)#
Note
When configured and applied in the WLAN context, the IP ACL prevents wireless clients
from adding their own DNS servers to bypass the Web filtering and network policies
enforced by OpenDNS.
5. Apply the IP ACL configured in step 4 in the WLAN context.
nx9500-6C8809(config-wlan-opendns)#use ip-access-list out OpenDNS
nx9500-6C8809(config-wlan-opendns)#show context
wlan opendns
ssid opendns
vlan 1
bridging-mode local
encryption-type none
authentication-type none
use ip-access-list in OpenDNS
use ip-access-list out OpenDNS
opendns device-id 0014AADF8EDC6C59
nx9500-6C8809(config-wlan-opendns)#
Note
When applied to the WLAN, only the DNS queries directed to the OpenDNS server are
forwarded. All other DNS queries are dropped.
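The following Python check is an added example, not part of the WiNG guide: it replays sample DNS packets against the ACL from step 4 and confirms that the resolver handed out by the DHCP pool in step 2 is one the ACL permits. It assumes rules are tested first-match in ascending rule-precedence order, that the dns keyword means port 53, and that an unmatched packet is dropped; the client address and the 192.0.2.53 resolver are constructed.

```python
import ipaddress
import re
import shlex

# Constructed input: the 'show context' output of steps 2 and 4, with the
# wrapped lines rejoined.
ACL_CONTEXT = """
ip access-list OpenDNS
 permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description "allow dns queries only to OpenDNS"
 deny udp any any eq dns rule-precedence 10 rule-description "block all dns queries"
 permit ip any any rule-precedence 100 rule-description "allow all other ip packets"
"""
DHCP_CONTEXT = """
dhcp-pool opendnsPool
 dns-server 208.67.222.222
"""

PORT_NAMES = {"dns": 53}  # assumption: the 'dns' keyword stands for port 53


def _take_addr(tok):
    """Consume 'any', 'host <ip>' or '<ip>/<len>' from the front of tok."""
    head = tok.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(head, strict=False)


def parse_acl(text):
    """Parse the rule lines of one 'ip access-list' block, sorted by precedence."""
    rules = []
    for line in text.strip().splitlines()[1:]:  # [0] is the 'ip access-list' header
        tok = shlex.split(line)  # keeps the quoted rule-description as one token
        rule = {"action": tok.pop(0), "proto": tok.pop(0)}
        rule["src"] = _take_addr(tok)
        rule["dst"] = _take_addr(tok)
        rule["port"] = None
        if tok and tok[0] == "eq":
            name = tok[1]
            rule["port"] = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            tok = tok[2:]
        opts = dict(zip(tok[0::2], tok[1::2]))
        rule["precedence"] = int(opts["rule-precedence"])
        rules.append(rule)
    # Assumption: the rule with the lowest rule-precedence value is tested first.
    return sorted(rules, key=lambda r: r["precedence"])


def decide(rules, proto, src, dst, dport):
    """Return (action, rule-precedence) of the first rule matching the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        return r["action"], r["precedence"]
    return "deny", None  # assumption: nothing matched means the packet is dropped


def audit(acl_text, dhcp_text, client="192.168.10.50"):
    """List mismatches between the DHCP-advertised resolver and the DNS ACL."""
    rules = parse_acl(acl_text)
    findings = []
    for ip in re.findall(r"^\s*dns-server\s+(\S+)", dhcp_text, re.M):
        if decide(rules, "udp", client, ip, 53)[0] != "permit":
            findings.append(f"DHCP advertises {ip} but the ACL drops UDP/53 to it")
    other = "192.0.2.53"  # constructed: a resolver outside OpenDNS (TEST-NET-1)
    for proto in ("udp", "tcp"):
        action, prec = decide(rules, proto, client, other, 53)
        if action == "permit":
            findings.append(
                f"{proto.upper()}/53 to {other} is permitted by rule-precedence {prec}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(ACL_CONTEXT, DHCP_CONTEXT):
        print("FINDING:", finding)
```

On the rules as shown, the one finding is TCP/53, which only the final permit ip any any rule matches. A DHCP pool pointing at the other OpenDNS resolver, 208.67.220.220, is reported as dropped because the ACL names only 208.67.222.222.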
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
page
Parameters
None
Examples
nx9500-6C8809#page
nx9500-6C8809#
Related Commands
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|
source [<IP>|pppoe|vlan <1-4094>|wwan]}
Parameters
ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|
source [<IP>|pppoe|vlan <1-4094>|wwan]}
dont-fragment {count|size}
    Optional. Sets the don’t fragment bit in the ping packet. Packets with the
    dont-fragment bit specified are not fragmented. When a packet, with the
    dont-fragment bit specified, exceeds the specified maximum transmission unit
    (MTU) value, an error message is sent from the device trying to fragment it.
    • count <1-10000> – Optional. Sets the pings to the specified destination from
      1 - 10000. The default is 5.
    • size <1-64000> – Optional. Sets the ping payload size from 1 - 64000 bytes.
      The default is 100 bytes.
source [<IP>|pppoe|vlan <1-4094>|wwan]
    Optional. Sets the source address or interface name. This is the source of the
    ICMP packet to the specified destination.
    • <IP> – Specifies the source IP address
    • pppoe – Selects the PPP over Ethernet interface
    • vlan <1-4094> – Selects the VLAN interface from 1 - 4094
    • wwan – Selects the wireless WAN interface
Examples
NOC-NX9500>ping 10.234.160.13
PING 10.234.160.13 (10.234.160.13) 100(128) bytes of data.
108 bytes from 10.234.160.13: icmp_seq=1 ttl=64 time=3.61 ms
108 bytes from 10.234.160.13: icmp_seq=2 ttl=64 time=0.177 ms
108 bytes from 10.234.160.13: icmp_seq=3 ttl=64 time=0.162 ms
108 bytes from 10.234.160.13: icmp_seq=4 ttl=64 time=0.167 ms
108 bytes from 10.234.160.13: icmp_seq=5 ttl=64 time=0.170 ms
Note
This command and its syntax is common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ping6 <IPv6/HOSTNAME> {<INTF-NAME>} {(count <1-10000>|size <1-64000>)}
Parameters
ping6 <IPv6/HOSTNAME> {<INTF-NAME>} {(count <1-10000>|size <1-64000>)}
size <1-64000> Optional. Sets the IPv6 ping payload size in bytes
• <1-64000> – Specify the ping payload size from 1 - 64000. The
default is 100 bytes.
Usage Guidelines
To configure a device’s IPv6 address, in the VLAN interface configuration mode, use the ipv6 >
address <IPv6-ADDRESS> command. After configuring the IPv6 address, use the ipv6 >
enable command to enable IPv6. For more information, see ipv6 on page 1288 (profile config mode).
Examples
rfs4000-1B3596(config-device-00-23-68-1B-35-96-if-ge4)#show ipv6 interface brief
--------------------------------------------------------------------------------
INTERFACE IPV6 MODE IPV6-ADDRESS/MASK TYPE STATUS PROTOCOL
--------------------------------------------------------------------------------
vlan1 True fe80::223:68ff:fe88:da7/64 Link-Local UP up
vlan1 True 2001:10:10:10:10:10:10:1/64 Global-Permanent UP up
vlan2 False UNASSIGNED None UP up
--------------------------------------------------------------------------------
rfs4000-1B3596(config-device-00-23-68-1B-35-96-if-ge4)#
rfs4000-229D58>ping6 2001:10:10:10:10:10:10:1 count 6
PING 2001:10:10:10:10:10:10:1(2001:10:10:10:10:10:10:1) 100 data bytes
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=1 ttl=64 time=0.401 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=2 ttl=64 time=0.311 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=3 ttl=64 time=0.300 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=4 ttl=64 time=0.309 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=5 ttl=64 time=0.299 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=6 ttl=64 time=0.313 ms
pwd
Displays the full path of the present working directory, similar to the UNIX pwd command
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
pwd
Parameters
None
Examples
rfs4000-229D58#pwd
flash:/
rfs4000-229D58#
rfs4000-229D58#dir
Directory of flash:/.
rfs4000-229D58#
re-elect
Re-elects the tunnel controller (wireless controller or service platform)
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
re-elect tunnel-controller {<WORD> {on <DEVICE-NAME>}|on <DEVICE-NAME>}
Parameters
re-elect tunnel-controller {<WORD> {on <DEVICE-NAME>}|on <DEVICE-NAME>}
Example
rfs4000-229D58#re-elect tunnel-controller
OK
rfs4000-229D58#
reload
Halts a device or devices and performs a warm reboot
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
reload {<DEVICE-MAC-OR-HOSTNAME>|at|cancel|force|in|on|staggered}
reload {(<DEVICE-MAC-OR-HOSTNAME>)}
reload {at <TIME> <1-31> <MONTH> <1993-2035> {on <DEVICE-OR-DOMAIN-NAME>}}
reload {cancel} {on <DEVICE-OR-DOMAIN-NAME>}
reload {force} {(<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>|staggered)}
reload {force} {on <DOMAIN-NAME> {staggered}|staggered {<DEVICE-MAC-OR-HOSTNAME>|
on <DOMAIN-NAME>}} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|
filter <DEVICE-TYPE>}
reload {in <1-999>} {list|on}
reload {in <1-999>} {list {<LINE>|all}|on <DEVICE-OR-DOMAIN-NAME>}
reload {in <1-999>} {on <DEVICE-OR-DOMAIN-NAME>}
reload {on <DOMAIN-NAME>} {containing <WORD>|exclude-controllers|
exclude-rf-domain-manager|filter <DEVICE-TYPE>}
reload {staggered} {(<DEVICE-MAC-OR-HOSTNAME>)|on <DOMAIN-NAME>} {containing <WORD>|
exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
Parameters
reload {on <DEVICE-OR-DOMAIN-NAME>}
reload cancel on <DEVICE-OR-DOMAIN-NAME> Cancels pending/scheduled reloads of device(s)
cancel – Optional. Cancels all pending reloads
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Cancels reloads pending on a specified device or all
devices within a specified RF Domain
◦ <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service
platform, or RF Domain.
<DEVICE-MAC-OR-HOSTNAME> This keyword is recursive and allows you to specify multiple devices.
• <DEVICE-MAC-OR-HOSTNAME> – Optional. Forces a reload on a specified device identified by the
<DEVICE-MAC-OR-HOSTNAME> keyword. Specify the device’s hostname or MAC address. When
executed, the specified device(s) are forced to halt and a warm reboot is performed.
staggered {<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>}
Optional. Enables staggered reload of devices (one at a time) without network impact
• <DEVICE-MAC-OR-HOSTNAME> – Optional. Forces a reload on specified device(s) identified by the
<DEVICE-MAC-OR-HOSTNAME> keyword. Specify the device’s hostname or MAC address. This is a
recursive keyword that allows you to specify multiple devices. When executed, the specified
device(s) are forced to halt and a warm reboot is performed.
• on <DOMAIN-NAME> – Optional. Forces a reload on all devices in a RF Domain. Specify the name
of the RF Domain. When executed, all devices within the specified RF Domain are forced to halt
and a warm reboot is performed.
{containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
When forcefully reloading devices in a RF Domain, you can use the following options to filter
specific devices or device types:
• containing <WORD> – Optional. Filters out devices containing a specified sub-string in their
hostnames
◦ <WORD> – Optional. Provide the sub-string to match. All devices having hostnames containing
the provided sub-string are filtered and forcefully reloaded.
• exclude-controllers – Optional. Excludes all controllers in the specified RF Domain from the
reload process
• exclude-rf-domain-manager – Optional. Excludes the RF Domain manager from the reload process
• filter <DEVICE-TYPE> – Optional. Filters devices by the device type specified. Select the type
of device. All devices, of the specified type, within the specified RF Domain, are forcefully
reloaded.
◦ <DEVICE-TYPE> – Select the type of device to reload. The options are: AP 6522, AP 6562,
AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602, AP-7612, AP 7622, AP7632, AP7662,
AP-8163, AP-8432, AP-8533, RFS 4000, NX 5500, NX 75XX, NX 95XX, NX 96XX, VX, and t5.
{containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
When reloading devices in a RF Domain, you can use the following options to filter specific
devices or device types:
• containing <WORD> – Optional. Filters out devices containing a specified sub-string in their
hostnames.
◦ <WORD> – Optional. Provide the sub-string to match. All devices having hostnames containing
the provided sub-string are filtered and forcefully reloaded.
• exclude-controllers – Optional. Excludes all controllers in the specified RF Domain from the
reload process
• exclude-rf-domain-manager – Optional. Excludes the RF Domain manager from the reload process
• filter <DEVICE-TYPE> – Optional. Filters devices by the device type specified. Select the type
of device to reload. All devices, of the specified type, within the specified RF Domain, are
forcefully reloaded.
◦ <DEVICE-TYPE> – Select the type of device to reload. The options are: AP 6522, AP 6562,
AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602, AP-7612, AP 7622, AP7632, AP7662,
AP-8163, AP-8432, AP-8533, RFS 4000, NX 5500, NX 75XX, NX 95XX, NX 96XX, VX, and t5. All
devices of the type specified are reloaded.
{<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>}
Use one of the following options to specify a single device, multiple devices, or a RF Domain
• <DEVICE-MAC-OR-HOSTNAME> – Optional. Performs staggered reload on specified device(s)
identified by the <DEVICE-MAC-OR-
{containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
When reloading devices in a RF Domain, you can use the following options to filter specific
devices or device types:
• containing <WORD> – Optional. Filters out devices containing a specified sub-string in their
hostnames.
◦ <WORD> – Optional. Provide the sub-string to match. All devices having hostnames containing
the provided sub-string are filtered and reloaded.
◦ exclude-controllers – Optional. Excludes all controllers in the specified RF Domain from the
reload process
◦ exclude-rf-domain-manager – Optional. Excludes the RF Domain manager from the reload process
◦ filter <DEVICE-TYPE> – Optional. Filters devices by the device type specified. Select the type
of device. All devices, of the specified type, within the specified RF Domain, are reloaded.
▪ <DEVICE-TYPE> – Select the type of device to reload. The options are: AP 6522, AP 6562,
AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602, AP-7612, AP 7622, AP7632, AP7662,
AP-8163, AP-8432, AP-8533, RFS 4000, NX 5500, NX 75XX, NX 95XX, NX 96XX, VX, and t5.
Example
nx9500-6C8809#reload at 12:30:00 10 Jan 2018 on rfs4000-6DB5D4
Reload scheduled at 2018-01-10 12:30:00 UTC ...
nx9500-6C8809#
nx9500-6C8809#reload cancel on rfs4000-6DB5D4
Scheduled reload cancelled.
nx9500-6C8809#
rename
Renames a file in the device's file system
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
rename <OLD-FILE-NAME> <NEW-FILE-NAME>
Parameters
rename <OLD-FILE-NAME> <NEW-FILE-NAME>
Examples
rfs4000-229D58#dir
Directory of flash:/.
rfs4000-229D58#
rfs4000-229D58#rename flash:/testdir/ Final
rfs4000-229D58#
rfs4000-229D58#dir
Directory of flash:/.
rfs4000-229D58#
rmdir
Deletes an existing directory from the file system (only empty directories can be removed)
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
rmdir <DIR>
Parameters
rmdir <DIR>
Note: The directory, specified by the <DIR> parameter, is removed from the file system.
Examples
rfs4000-229D58#dir
Directory of flash:/.
rfs4000-229D58#
rfs4000-229D58#rmdir Final
rfs4000-229D58#
rfs4000-229D58#dir
Directory of flash:/.
rfs4000-229D58#
self
Enters the configuration context of the device currently logged into
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
self
Parameters
None
Examples
nx9500-6C8809#self
Enter configuration commands, one per line. End with CNTL/Z.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ssh <IP/HOSTNAME> <USER-NAME> {<INF-NAME/LINK-LOCAL-ADD>}
Parameters
ssh <IP/HOSTNAME> <USER-NAME> {<INF-NAME/LINK-LOCAL-ADD>}
Examples
NOC-NX9500>ssh 10.234.160.13 admin
admin@10.234.160.13's password:
ap8432-070235>>ssh 192.168.13.24 admin
admin@192.168.13.24's password:
rfs4000-6DB5D4>
The entire setup consists of the DSL T5 switch, TW-510 Ethernet wallplates, and TW-511 wireless
wallplate access points. Replacing the phone jack plate in a room with the TW-511 delivers 802.11 a/b/g/n
and extends wireless connectivity in that room and the neighboring rooms. These TW-511 wallplates (also
referred to as the CPEs) are connected to the T5 switch over the DSL interface using a phone block.
Note
For more information on other T5 CPE related commands, see cpe (privilege-exec-mode) on
page 154.
Syntax
t5 [copy <SOURCE-FILE-NAME> <DEST-FILE-NAME>|delete <FILE-NAME>|
rename <SOURCE-FILE-NAME> <DEST-FILE-NAME>|write memory] {on <T5-DEVICE-NAME>}
Parameters
t5 [copy <SOURCE-FILE-NAME> <DEST-FILE-NAME>|delete <FILE-NAME>|
rename <SOURCE-FILE-NAME> <DEST-FILE-NAME>|write memory] {on <T5-DEVICE-NAME>}
Example
nx9500-6C8809#t5 write memory on t5-ED7C6C
Success
nx9500-6C8809#
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}
Parameters
telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}
Examples
NOC-NX9500>telnet 10.234.160.11
telnet: cannot connect to remote host (10.234.160.11): Connection refused
NOC-NX9500>telnet 10.234.160.13
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
terminal [length|width] <0-512>
Parameters
terminal [length|width] <0-512>
width <0-512> Sets the width (the number of characters displayed) of the terminal
window
• <0-512> – Specify a value from 0 - 512.
Examples
NOC-NX9500#show terminal
Terminal Type: xterm
Length: 24 Width: 80
NOC-NX9500#
NOC-NX9500#terminal length 30
NOC-NX9500#terminal width 100
NOC-NX9500#show terminal
Terminal Type: xterm
Length: 30 Width: 100
NOC-NX9500#
Related Commands
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
time-it <COMMAND>
Parameters
time-it <COMMAND>
time-it <COMMAND> Verifies the time taken by a particular command to execute and
provide a result
• <COMMAND> – Specify the command.
Examples
ap8432-070235>time-it enable
That took 0.00 seconds..
ap8432-070235#
nx9500-6C8809#time-it config terminal
Enter configuration commands, one per line. End with CNTL/Z.
That took 0.00 seconds..
nx9500-6C8809(config)#
traceroute (user-privi-exec-mode)
Traces the route to a defined destination
Use '--help' or '-h' to display a complete list of parameters for the traceroute command
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
traceroute <LINE>
Parameters
traceroute <LINE>
Examples
NOC-NX9500>traceroute 10.234.160.13
traceroute to 10.234.160.13 (10.234.160.13), 30 hops max, 46 byte packets
1 10.234.160.13 (10.234.160.13) 0.315 ms 0.159 ms 0.137 ms
NOC-NX9500>
traceroute6 (user-privi-exec-mode)
Traces the route to a specified IPv6 destination
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
traceroute6 <LINE>
Parameters
traceroute6 <LINE>
Examples
rfs4000-6DB5D4>traceroute6 2001:10:10:10:10:10:10:1
traceroute to 2001:10:10:10:10:10:10:1 (2001:10:10:10:10:10:10:1) from
2001:10:10:10:10:10:10:2, 30 hops max, 16 byte packets
1 2001:10:10:10:10:10:10:1 (2001:10:10:10:10:10:10:1) 6.054 ms 0.448 ms 0.555 ms
rfs4000-6DB5D4>
upgrade
Upgrades a device's software image
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
upgrade [<FILE>|<URL>|dhcp-vendor-options]
upgrade [<FILE>|<URL>] {background|on <DEVICE-NAME>|on <RF-DOMAIN-NAME>}
upgrade dhcp-vendor-options {<DEVICE-NAME>|on <RF-DOMAIN-NAME>}
upgrade dhcp-vendor-options {<DEVICE-NAME>} {<DEVICE-NAME>}
upgrade dhcp-vendor-options {on <RF-DOMAIN-NAME>} {containing <SUB-STRING>|exclude-controllers|
exclude-rf-domain-managers|filter <DEVICE-TYPE>}
Parameters
upgrade [<FILE>|<URL>] {background|on <DEVICE-NAME>|on <RF-DOMAIN-NAME>}
<FILE> Specify the target firmware image location in the following format:
cf:/path/file
usb1:/path/file
usb2:/path/file
usb<n>:/path/file
<URL> Specify the target firmware image location. Use one of the
following formats:
• IPv4 URLS:
◦ tftp://<hostname|IP>[:port]/path/file
◦ ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
◦ sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
◦ http://<hostname|IP>[:port]/path/file
◦ cf:/path/file
◦ usb<n>:/path/file
• IPv6 URLS:
◦ tftp://<hostname|IPv6>[:port]/path/file
◦ ftp://<user>:<passwd>@<hostname|IPv6>[:port]/path/file
◦ sftp://<user>:<passwd>@<hostname|IPv6>[:port]/path/file
◦ http://<hostname|IPv6>[:port]/path/file
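The URL formats above place the user name and password inside the command line, and three of the listed schemes (tftp, ftp, http) are cleartext transports. The following added example (not part of this guide or of WiNG) audits captured upgrade command lines for both conditions and produces a redacted form suitable for logs. The function names, the finding texts, the bracketed IPv6 literal and the sample host, user and password are assumptions of the example.

```python
import re

# Schemes taken from the <FILE>/<URL> formats listed above. Which transports are
# cleartext is a general protocol fact, not something this guide states.
CLEARTEXT_SCHEMES = {"tftp", "ftp", "http"}
ENCRYPTED_SCHEMES = {"sftp"}
LOCAL_SOURCE = re.compile(r"^(cf|usb\d+):/")
REMOTE_SOURCE = re.compile(r"^([a-z]+)://([^/]*)(/.*)?$")
# "upgrade" followed by whitespace, so "upgrade-abort" is not matched.
UPGRADE_CMD = re.compile(r"[#>]\s*upgrade\s+(\S+)")

F_PASSWORD = "password embedded in URL (visible in history, logs and screenshots)"
F_CLEARTEXT = "cleartext transport (image and any credentials cross the network unencrypted)"
F_UNKNOWN = "source format not in the documented list"


def audit_upgrade_source(source):
    """Classify one <FILE>/<URL> argument: scheme, redacted form and findings."""
    local = LOCAL_SOURCE.match(source)
    if local:
        return {"scheme": local.group(1), "redacted": source, "findings": []}
    remote = REMOTE_SOURCE.match(source)
    if not remote:
        return {"scheme": None, "redacted": source, "findings": [F_UNKNOWN]}
    scheme, authority, path = remote.group(1), remote.group(2), remote.group(3) or ""
    findings = []
    redacted = source
    # rpartition splits at the last '@', so a password containing '@' stays in userinfo.
    userinfo, at, host = authority.rpartition("@")
    if at:
        user, colon, _password = userinfo.partition(":")
        if colon:
            findings.append(F_PASSWORD)
            redacted = f"{scheme}://{user}:***@{host}{path}"
    if scheme in CLEARTEXT_SCHEMES:
        findings.append(F_CLEARTEXT)
    elif scheme not in ENCRYPTED_SCHEMES:
        findings.append(F_UNKNOWN)
    return {"scheme": scheme, "redacted": redacted, "findings": findings}


def audit_cli_line(line):
    """Audit one captured CLI line; returns None when it is not an image upgrade."""
    cmd = UPGRADE_CMD.search(line)
    if not cmd or cmd.group(1) == "dhcp-vendor-options":
        return None
    return audit_upgrade_source(cmd.group(1))


# Constructed session lines: host, user and password are placeholders, and the
# bracketed IPv6 literal is an assumption about how the address is written.
SAMPLE_LINES = [
    "nx9500-6C8809#upgrade ftp://fwuser:s3cret@192.0.2.10/NX9500-5.9.7.0-001D.img",
    "nx9500-6C8809#upgrade sftp://fwuser:s3cret@[2001:db8::10]:22/NX9500-5.9.7.0-001D.img",
    "nx9500-6C8809#upgrade tftp://192.0.2.10/NX9500-5.9.7.0-001D.img",
    "nx9500-6C8809#upgrade usb1:/NX9500-5.9.7.0-001D.img",
    "nx9500-6C8809#upgrade-abort",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = audit_cli_line(line)
        if result is None:
            continue
        print(result["redacted"])
        for finding in result["findings"]:
            print("  -", finding)
```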
Example
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
IMAGE BUILD DATE INSTALL DATE VERSION
--------------------------------------------------------------------------------
Primary 08/12/2019 02:35:38 08/16/2019 15:20:46 5.9.6.0-006D
Secondary 08/22/2019 00:54:30 08/22/2019 12:37:40 5.9.6.0-011D
--------------------------------------------------------------------------------
Current Boot : Secondary
Next Boot : Secondary
Software Fallback : Enabled
VM support : Not present
nx9500-6C8809#
nx9500-6C8809#upgrade ftp://symbol:[email protected]/NX9500-5.9.7.0-001D.img
Running from partition /dev/sda8
Validating image file header
Removing other partition
Making file system
Extracting files (this may take some
time).....................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..................................................................................
Control C disabled
Version of firmware update file is 5.9.7.0-001D
Removing unneeded files from flash:/crashinfo directory
Removing unneeded files from flash:/var2/log directory
Creating LILO files
Running LILO
Successful
nx9500-6C8809#
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
IMAGE BUILD DATE INSTALL DATE VERSION
--------------------------------------------------------------------------------
Primary 09/12/2019 02:35:38 09/16/2019 15:20:46 5.9.7.0-001D
Secondary 08/22/2019 00:54:30 08/22/2019 12:37:40 5.9.6.0-011D
--------------------------------------------------------------------------------
Current Boot : Secondary
Next Boot : Primary
Software Fallback : Enabled
VM support : Not present
nx9500-6C8809#
ap7532-DF9A4C#
Note
After upgrading, the device has to be reloaded to boot using the new image.
ap7532-DF9A4C#reload
The system will be rebooted, do you want to continue? (y/n): y
ap7532-DF9A4C#
ap7532-DF9A4C#show boot
--------------------------------------------------------------------------------
IMAGE BUILD DATE INSTALL DATE VERSION
--------------------------------------------------------------------------------
Primary 05/25/2019 06:43:28 06/03/2019 15:25:22 5.9.5.0-004D
Secondary 07/31/2019 17:14:41 08/06/2019 13:10:02 5.9.6.0-003D
--------------------------------------------------------------------------------
Current Boot : Secondary
Next Boot : Secondary
Software Fallback : Enabled
ap7532-DF9A4C#
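The show boot output in the session above is what confirms whether an upgrade has been installed, selected for the next boot, and is actually running after the reload. The following added example (not part of this guide or of WiNG) parses that output and reports which of those states a device is in; the function and status names are the example's own, and the sample text is the post-upgrade and post-reload output shown above.

```python
import re

# One image row: partition, build date and time, install date and time, version.
IMAGE_ROW = re.compile(r"^\s*(Primary|Secondary)\s+(\S+\s+\S+)\s+(\S+\s+\S+)\s+(\S+)\s*$")
# The "name : value" lines printed under the table.
FIELD = re.compile(r"^\s*(Current Boot|Next Boot|Software Fallback)\s*:\s*(\S+)\s*$")


def parse_show_boot(text):
    """Return ({partition: {build, install, version}}, {field: value})."""
    images, fields = {}, {}
    for line in text.splitlines():
        row = IMAGE_ROW.match(line)
        if row:
            images[row.group(1)] = {
                "build": row.group(2),
                "install": row.group(3),
                "version": row.group(4),
            }
            continue
        field = FIELD.match(line)
        if field:
            fields[field.group(1)] = field.group(2)
    return images, fields


def check_upgrade(text, expected_version):
    """Report whether expected_version is installed, selected for next boot, and running."""
    images, fields = parse_show_boot(text)
    current, upcoming = fields.get("Current Boot"), fields.get("Next Boot")
    if current not in images or upcoming not in images:
        raise ValueError("incomplete 'show boot' output: boot partitions not found")
    running = images[current]["version"]
    next_version = images[upcoming]["version"]
    staged_on = sorted(p for p, img in images.items() if img["version"] == expected_version)
    if not staged_on:
        status = "not-installed"      # the image is on neither partition
    elif next_version != expected_version:
        status = "next-boot-differs"  # a reload would not boot the expected image
    elif running != expected_version:
        status = "reload-required"    # installed and selected, old image still running
    else:
        status = "active"
    return {
        "status": status,
        "staged_on": staged_on,
        "running_version": running,
        "next_boot_version": next_version,
        "fallback_enabled": fields.get("Software Fallback") == "Enabled",
    }


# Output copied from the nx9500 session above, taken right after the upgrade.
AFTER_UPGRADE = """\
IMAGE BUILD DATE INSTALL DATE VERSION
Primary 09/12/2019 02:35:38 09/16/2019 15:20:46 5.9.7.0-001D
Secondary 08/22/2019 00:54:30 08/22/2019 12:37:40 5.9.6.0-011D
Current Boot : Secondary
Next Boot : Primary
Software Fallback : Enabled
VM support : Not present
"""

# Output copied from the ap7532 session above, taken after the reload.
AFTER_RELOAD = """\
IMAGE BUILD DATE INSTALL DATE VERSION
Primary 05/25/2019 06:43:28 06/03/2019 15:25:22 5.9.5.0-004D
Secondary 07/31/2019 17:14:41 08/06/2019 13:10:02 5.9.6.0-003D
Current Boot : Secondary
Next Boot : Secondary
Software Fallback : Enabled
"""

if __name__ == "__main__":
    print(check_upgrade(AFTER_UPGRADE, "5.9.7.0-001D"))
    print(check_upgrade(AFTER_RELOAD, "5.9.6.0-003D"))
```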
Related Commands
upgrade-abort
Aborts an ongoing software image upgrade
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
upgrade-abort {on <DEVICE-OR-DOMAIN-NAME>}
Parameters
upgrade-abort {on <DEVICE-OR-DOMAIN-NAME>}
Examples
rfs4000-229D58#upgrade ftp://anonymous:[email protected]/LatestBuilds/W59/
RFS4000-5.9.6.0-004D.img
Running from partition /dev/mtdblock6
Validating image file header
Making file system
Extracting files (this may take some time)..................
rfs4000-6DB5D4#upgrade-abort
rfs4000-229D58#upgrade ftp://anonymous:[email protected]/LatestBuilds/W59/
RFS4000-5.9.6.0-004D.img
Running from partition /dev/mtdblock6
Validating image file header
Making file system
Extracting files (this may take some time)..................
Update error: Aborted
rfs4000-229D588#
Note
This command and its syntax are common to both the User Executable and Privilege
Executable configuration modes.
Syntax
virtual-machine [assign-usb-ports|console|export|install|restart|set|start|stop|uninstall]
virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}
virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}
virtual-machine install [<VM-NAME>|team-urc|team-rls|team-vowlan]
virtual-machine restart [<VM-NAME>|hard|team-urc|team-rls|team-vowlan]
virtual-machine set [autostart|memory|vcpus|vif-count|vif-mac|vif-to-vmif|vnc]
virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|vif-count <0-2>|
vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-INDEX>|vnc [disable|enable]]
[<VM-NAME>|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
The following virtual-machine commands are supported only on the VX9000 platform:
virtual-machine volume-group [add-drive|replace-drive|resize-drive|resize-volume-group]
virtual-machine volume-group [add-drive|replace-drive] <BLOCK-DEVICE-LABEL>
virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL>
virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>
Parameters
virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}
virtual-machine export Exports an existing VM image and settings. Use this command to
export the VM to another device in the same domain.
• <VM-NAME> – Specify the VM name.
◦ <FILE> – Specify the location and name of the source file
(VM image). The VM image is retrieved and exported from
the specified location.
◦ <URL> – Specify the destination location. This is the location
to which the VM image is copied. Use one of the following
formats to provide the destination path:
▪ tftp://<hostname|IP>[:port]/path/file
▪ ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
▪ sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
▪ http://<hostname|IP>[:port]/path/file
• on <DEVICE-NAME> – Optional. Executes the command on a
specified device or devices
◦ <DEVICE-NAME> – Specify the service platform name. In
case of multiple devices, list the device names separated by
commas.
virtual-machine install Installs the VM. The install command internally creates a VM
template, consisting of the specified parameters, and starts the
installation process.
• <VM-NAME> – Specify the VM name.
• team-centro – Installs the VM TEAM-Centro image
• team-rls – Installs the VM TEAM-RLS image
• team-vowlan – Installs the VM TEAM-VoWLAN image
enable]]
[<VM-NAME>|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
virtual-machine start Starts the VM, based on the parameters passed. Select one of the
following options:
• <VM-NAME> – Starts the VM identified by the <VM-NAME>
keyword. Specify the VM name.
• team-urc – Starts the VM TEAM-URC
• team-rls – Starts the VM TEAM-RLS
• team-vowlan – Starts the VM TEAM-VoWLAN
The following keywords are common to all of the above parameters:
• on <DEVICE-NAME> – Optional. Executes the command on a
specified device or devices
◦ <DEVICE-NAME> – Specify the service platform name. In
case of multiple devices, list the device names separated by
commas.
virtual-machine stop hard Stops the VM, based on the parameters passed. Select one of the
following options:
• <VM-NAME> – Stops the VM identified by the <VM-NAME>
keyword. Specify the VM name.
• ADSP – Stops the ADSP VM
• team-urc – Stops the VM TEAM-URC
• team-rls – Stops the VM TEAM-RLS
• team-vowlan – Stops the VM TEAM-VoWLAN
Examples
In the preceding example, the command is executed on the device identified by the <DEVICE-NAME>
keyword. In such a scenario, the disk-size is ignored if specified. The VM has the install media as first
boot device.
In the preceding example, the default configuration attached with the VM archive overrides any
parameters specified.
In the preceding example, the command copies the VM archive on to the URL (VM should be in stop
state).
<DEVICE>>virtual-machine install team-urc
Virtual Machine install team-urc command successfully sent.
<DEVICE>>
VX9000-DE6F97>virtual-machine add-drive sdb
VX9000-DE6F97>show virtual-machine volume-group status
-----------------------------------------
Logical Volume: lv1
-----------------------------------------
STATUS : available
SIZE : 81.89 GiB
VOLUME GROUP : vg0
PHYSICAL VOLUMES :
sda10 : 73.90 GiB
sdc1 : 8.00 GiB
AVAILABLE DISKS :
sdb : size: 8590MB
-----------------------------------------
* indicates a drive that must be resized
-----------------------------------------
VX9000-DE6F97>
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
exit
Parameters
None
Examples
nx9500-6C8809#exit
raid
Enables RAID (Redundant Array of Independent Disks) management. RAID is a group of one or more
independent, physical drives, referred to as an array or drive group. These physically independent drives
are linked together and appear as a single storage unit or multiple virtual drives. Replacing a single,
large drive system with an array improves performance (input and output processes are faster) and
increases fault tolerance within the data storage system.
In an array, the drives can be organized in different ways, resulting in different RAID types. Each RAID
type is identified by a number, which determines the RAID level. The common RAID levels are 0, 00, 1, 5,
6, 50 and 60. The WiNG MegaRAID implementation supports RAID-1, which provides data mirroring,
but does not support data parity. RAID-1 consists of a two-drive array, where the data is simultaneously
written on both drives, ensuring total data redundancy. In case of a drive failure the information on the
other drive is used to rebuild the failed drive.
An array is said to be degraded when one of its drives has failed. A degraded array continues to
function and can be rebooted using the one remaining functional drive. When a drive fails, the chassis
sounds an alarm (if enabled), and the CLI prompt changes to “RAID degraded”. The failed drive is
automatically replaced with a hot spare (provided a spare is installed). The spare is used to re-build the
array.
Note
The NX 9500 service platform includes a single Intel MegaRAID controller, configured to
provide a single virtual drive. This virtual drive is of the RAID-1 type, and has a maximum of
two physical drives. In addition to these two drives, there are three hot spares, which are used
in case of a primary drive failure.
Syntax
raid [check|install|locate|remove|silence|spare]
raid [check|silence]
raid [install|locate|remove|spare] drive <0-4>
Parameters
raid [check|silence]
check Starts a consistency check on the RAID array. Use the show > raid
command to view consistency check status.
A consistency check verifies the data stored in the array. When
regularly executed, it helps protect against data corruption, and
ensures data redundancy. Consistency checks also warn of potential
disk failures.
silence Deactivates an alarm
Note: To enable the RAID alarm, in the device configuration mode, use the
raid > alarm > enable command. An NX 9500 profile can also
have the RAID alarm feature activated. For more information on
enabling the RAID alarm, see raid on page 1420.
install <0-4> Includes a new drive, inserted in one of the available slots, in the array.
Specify the drive number.
Note: Drives 0 and 1 are the array drives. Drives 2, 3, and 4 are the hot
spare drives. You can include the new drive in a degraded array, or
enable it as a hot spare.
locate <0-4> Enables LEDs to blink on a specified drive. Specify the drive number.
remove <0-4> Removes (shuts down) a disk from the array, before it is physically
removed from its slot. Specify the drive number containing the disk.
spare <0-4> Converts an unused drive into a hot spare. Specify the drive number.
Example
nx9500-6C874D#raid install drive 0
Error: Input Error: Drive 0 is already member of array, can't be added
nx9500-6C874D#
nx9500-6C8809#raid spare drive 1
Error: RAID operation failed, returned 2, output: Input Error: Drive 1 is member of
array, can't be a hotspare
/
nx9500-6C8809#
watch
Repeats a specified CLI command at periodic intervals
• Access Points — AP 6522, AP 6532, AP 6562, AP 7502, AP-7522, AP 7532, AP 7161, AP 81XX, AP
8232
• Wireless Controllers — RFS 4000, RFS 6000
• Service Platforms — NX 7500, NX 9500, NX 9510
Syntax
watch <1-3600> <LINE>
Parameters
watch <1-3600> <LINE>
Examples
<exsw1>#watch 1 show clock
<exsw1>#
The term global indicates characteristics or features affecting the system as a whole. Use the Global
Configuration Mode to configure the system globally, or enter specific configuration modes to configure
specific elements (such as interfaces or protocols). Use the configure terminal command (under PRIV
EXEC) to enter the global configuration mode.
The following example describes the process of entering the global configuration mode from the
privileged EXEC mode:
<DEVICE>#configure terminal
<DEVICE>(config)#
Note
The system prompt changes to indicate you are now in the global configuration mode. The
prompt consists of the device host name followed by (config) and a pound sign (#).
Commands entered in the global configuration mode update the running configuration file as soon as
they are entered. However, these changes are not saved in the startup configuration file until a commit
> write > memory command is issued.
<DEVICE>(config)#?
Global configuration commands:
aaa-policy Configure a
authentication/accounting/authorization
policy
aaa-tacacs-policy Configure an
authentication/accounting/authorization
TACACS policy
alias Alias
ap621 AP621 access point
ap622 AP622 access point
ap650 AP650 access point
ap6511 AP6511 access point
ap6521 AP6521 access point
ap6522 AP6522 access point
ap6532 AP6532 access point
ap6562 AP6562 access point
ap71xx AP71XX access point
ap7502 AP7502 access point
ap7522 AP7522 access point
ExtremeLocation
management-policy Configure a management policy
meshpoint Create a new MESHPOINT or enter
MESHPOINT configuration context for one
or more MESHPOINTs
meshpoint-qos-policy Configure a meshpoint quality-of-service
policy
mint-policy Configure the global mint policy
nac-list Configure a network access control list
no Negate a command or set its defaults
nsight-policy Configure a Nsight policy
nx45xx NX45XX integrated services platform
nx5500 NX5500 wireless controller
nx65xx NX65XX integrated services platform
nx75xx NX75XX wireless controller
nx9000 NX9000 wireless controller
passpoint-policy Configure a passpoint policy
password-encryption Encrypt passwords in configuration
profile Profile related commands - if no
parameters are given, all profiles are
selected
radio-qos-policy Configure a radio quality-of-service
policy
radius-group Configure radius user group parameters
radius-server-policy Create device onboard radius policy
radius-user-pool-policy Configure Radius User Pool
rename Clone configuration object
replace Replace configuration object
rf-domain Create a RF Domain or enter rf-domain
context for one or more rf-domains
rfs4000 RFS4000 wireless controller
rfs6000 RFS6000 wireless controller
rfs7000 RFS7000 wireless controller
roaming-assist-policy Configure a roaming-assist policy
role-policy Role based firewall policy
route-map Dynamic routing route map Configuration
routing-policy Policy Based Routing Configuration
rtl-server-policy Configure a rtl server policy
schedule-policy Configure a schedule policy
self Config context of the device currently
logged into
sensor-policy Configure a sensor policy
smart-rf-policy Configure a Smart-RF policy
t5 T5 DSL switch
url-filter Configure a url filter
url-list Configure a URL list
vx9000 VX9000 wireless controller
web-filter-policy Configure a web filter policy
wips-policy Configure a wips policy
wlan Create a new WLAN or enter WLAN
configuration context for one or more
WLANs
wlan-qos-policy Configure a wlan quality-of-service
policy
write Write running configuration to memory or
terminal
<DEVICE>(config)#
global-config-commands
The following table summarizes the Global Configuration Mode commands:
Note
For more information on common commands (clrscr, commit, help, revert, service, show,
write, and exit), see COMMON COMMANDS on page 705.
Note
The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot
include an underscore (_) character.
aaa-policy
Configures an AAA (Authentication, Accounting, and Authorization) policy. AAA policies define access
control within the network.
A controller, service platform, or access point can interoperate with external RADIUS and LDAP servers
(AAA Servers) to provide an additional user database and authentication resource. Each WLAN can
maintain its own unique AAA configuration. Up to six servers can be configured for providing AAA
services.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
aaa-policy <AAA-POLICY-NAME>
Parameters
aaa-policy <AAA-POLICY-NAME>
<AAA-POLICY-NAME> Specify the AAA policy name. If the policy does not exist, it is created.
Examples
nx9500-6C8809(config)#aaa-policy test
nx9500-6C8809(config-aaa-policy-test)#?
AAA Policy Mode commands:
accounting Configure accounting parameters
attribute Configure RADIUS attributes in access and accounting
requests
authentication Configure authentication parameters
health-check Configure server health-check parameters
mac-address-format Configure the format in which the MAC address must be
filled in the Radius-Request frames
no Negate a command or set its defaults
proxy-attribute Configure radius attribute behavior when proxying
through controller or rf-domain-manager
server-pooling-mode Configure the method of selecting a server from the
pool of configured AAA servers
use Set setting to use
nx9500-6C8809(config-aaa-policy-test)#
Related Commands
Note
For more information on the AAA policy commands, see AAA-POLICY.
aaa-tacacs-policy
Configures AAA TACACS+ (Terminal Access Controller Access-Control System) policy. TACACS+ is a
protocol created by Cisco Systems which provides access control to network devices such as routers,
network access servers and other networked computing devices through one or more centralized
servers. TACACS provides separate authentication, authorization, and accounting services running on
different servers.
TACACS controls user access to devices and network resources while providing separate accounting,
authentication, and authorization services. Some of the services provided by TACACS are:
• Authorizing each command with the TACACS+ server before execution.
• Accounting each session’s logon and log off events.
• Authenticating each user with the TACACS+ server before enabling access to network resources.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
aaa-tacacs-policy <AAA-TACACS-POLICY-NAME>
Parameters
aaa-tacacs-policy <AAA-TACACS-POLICY-NAME>
<AAA-TACACS-POLICY-NAME> Specify the AAA-TACACS policy name. If the policy does not exist, it is
created.
Examples
nx9500-6C8809(config)#aaa-tacacs-policy testpolicy
nx9500-6C8809(config-aaa-tacacs-policy-testpolicy)#?
AAA TACACS Policy Mode commands:
accounting Configure accounting parameters
authentication Configure authentication parameters
authorization Configure authorization parameters
no Negate a command or set its defaults
nx9500-6C8809(config-aaa-tacacs-policy-testpolicy)#
Related Commands
Note
For more information on the AAA-TACACS policy commands, see AAA-TACACS-POLICY.
alias
Configures the following types of aliases: network, VLAN, host, string, network-service, etc. Aliases are
objects having a unique name and content that is determined by the alias type (for example, network,
VLAN, network-service, etc.).
A typical large enterprise network consists of multiple sites (RF Domains) having similar configuration
parameters with few elements that vary, such as networks or network ranges, hosts having different IP
addresses, and VLAN IDs or URLs. These elements can be defined as aliases (object oriented wireless
firewalls) and used across sites by applying overrides to the object definition. Using aliases results in a
configuration that is easier to understand and maintain.
Multiple instances of an alias (same type and same name) can be defined at any of the following levels:
global, RF Domain, profile, or device. An alias defined globally functions as a TLO (top-level-object).
Global aliases are not mandatory; an alias can instead be defined only at the RF Domain, profile, or device level.
An alias defined on a device is applicable to that device only. An alias defined on a profile applies to
every device using the profile. Similarly, aliases defined at the RF Domain level apply to all devices
within that domain.
Aliases defined at any given level can be overridden at any of the next lower levels. For example, a
global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at
the device level take precedence.
the remote location. This simplifies creating and managing hosts and allows an administrator to
better manage specific local requirements.
• network alias – Maps a user-friendly name to a network. A network alias can be utilized at different
deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a
remote location’s network range is 172.16.10.0/24, the ACL can be overridden at the remote location
to suit their local (but remote) requirement. At the remote location, the ACL functions with the
172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This
simplifies ACL definition and allows an administrator to better manage specific local requirements.
• network-group alias – Maps a user-friendly name to a single or a range of addresses of devices,
hosts, and network configurations. Network configurations are complete networks in the form
192.168.10.0/24 or IP address range in the form 192.168.10.10-192.168.10.20.
A network-group alias can contain a maximum of eight (8) host entries, eight (8) network entries,
and eight (8) IP address-range entries. A maximum of 32 network-group alias entries can be
created.
A network-group alias can be used in IP firewall rules to substitute hosts, subnets, and IP address
ranges.
• network-service alias – Maps a user-friendly name to service protocols and ports. Both source and
destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2
destination port ranges can be configured. A maximum of 4 protocol entries can be configured per
network-service alias. When used with an ACL, the network-service alias defines the service-specific
components of the ACL rule. Overrides can be applied to the service alias, at the device level,
without modifying the ACL. Application of overrides to the service alias allows an ACL to be used
across sites.
Use a network-service alias to associate more than one IP address to a network interface, providing
multiple connections to a network from a single IP node.
• number alias – Maps a user-friendly name to a number
• vlan alias – Maps a user-friendly name to a VLAN ID. A VLAN alias can be used at different
deployments. For example, if a named VLAN is defined as 10 for the central network, and the VLAN
is set at 26 at a remote location, the VLAN can be overridden at the deployment location with an
alias. At the remote deployment location, the network is functional with a VLAN ID of 26, but utilizes
the name defined at the centrally managed network. A new VLAN need not be created specifically
for the remote deployment.
• string alias – Maps a user-friendly name to a specific string (for example, RF Domain name). A string
alias can be utilized at different deployments. For example, if the main domain at a remote location
is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias
can be overridden at the remote location to suit the local (but remote) requirement. At one remote
location, the alias functions with the loc1.domain.com domain and at the other with the
loc2.domain.com domain.
• encrypted-string alias – Maps a user-friendly name to a string value. The string value of this alias is
encrypted when "password-encryption" is enabled. Encrypted-string aliases can be used for string
configuration parameters that are encrypted by the "password-encryption" feature.
• hashed-string alias – Maps a user-friendly name to a hashed-string value. Hashed-string aliases can
be used for string configuration parameters that are hashed, such as passwords.
Note
When used with ACLs, network, network-group, and network-service aliases act as enhanced
firewalls.
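The override behaviour described above, worked through with the network and VLAN values quoted in the alias descriptions. This is an added Python illustration, not WiNG code; the scope and device names are hypothetical, and ranking RF Domain above profile follows the order in which the levels are listed, which is an assumption.

```python
import ipaddress

# Levels from most general to most specific, in the order this section lists
# them. Treating RF Domain as more general than profile is an assumption taken
# from that listing order; the text only states that device overrides win.
LEVELS = ("global", "rf-domain", "profile", "device")


def effective_aliases(definitions, device):
    """Return {alias name: (value, level that supplied it)} for one device.

    definitions: {level: {scope name: {alias name: value}}}; the global level
                 uses the single scope name "global".
    device:      {"device": ..., "profile": ..., "rf-domain": ...}
    """
    scope_of = {"global": "global", **device}
    resolved = {}
    for level in LEVELS:  # more specific levels overwrite more general ones
        scope = definitions.get(level, {}).get(scope_of.get(level), {})
        for name, value in scope.items():
            resolved[name] = (value, level)
    return resolved


def acl_permits(rule_src_alias, packet_src, definitions, device):
    """Evaluate one 'permit <network alias> -> any' style rule for a device."""
    aliases = effective_aliases(definitions, device)
    if rule_src_alias not in aliases:
        raise KeyError(f"alias {rule_src_alias} is not defined for this device")
    network = ipaddress.ip_network(aliases[rule_src_alias][0])
    return ipaddress.ip_address(packet_src) in network


# Constructed sample data built on the values quoted in the alias descriptions:
# the central network is 192.168.10.0/24 on VLAN 10, and the remote site
# overrides them with 172.16.10.0/24 and VLAN 26. The device-level VLAN 99 and
# all scope, profile and device names are made up for this example.
DEFINITIONS = {
    "global": {"global": {"$NET": "192.168.10.0/24", "$VLAN": 10}},
    "rf-domain": {"remote-site": {"$NET": "172.16.10.0/24", "$VLAN": 26}},
    "device": {"ap-lab-01": {"$VLAN": 99}},
}
CENTRAL_AP = {"device": "ap-hq-01", "profile": "default-ap7532", "rf-domain": "central"}
REMOTE_AP = {"device": "ap-br-01", "profile": "default-ap7532", "rf-domain": "remote-site"}
LAB_AP = {"device": "ap-lab-01", "profile": "default-ap7532", "rf-domain": "remote-site"}

if __name__ == "__main__":
    for ap in (CENTRAL_AP, REMOTE_AP, LAB_AP):
        print(ap["device"], effective_aliases(DEFINITIONS, ap))
```

The same rule that references $NET matches 192.168.10.0/24 traffic on the central device and 172.16.10.0/24 traffic on the remote one, so no second ACL is written for the remote site.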
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
alias [address-range|encrypted-string|hashed-string|host|network|network-group|network-service|number|string|vlan]
alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>
alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>
alias host <HOST-ALIAS-NAME> <HOST-IP>
alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP>
{<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|
network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|
igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|
ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport|ssh|telnet|tftp|www)}
alias number <NUMBER-ALIAS-NAME> <0-4294967295>
alias string <STRING-ALIAS-NAME> <LINE>
alias vlan <VLAN-ALIAS-NAME> <1-4094>
Parameters
alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> Creates an alias for an encrypted string. Use this alias for string
configuration values that are encrypted when "password-encryption" is enabled. For example, in the
management-policy, use it to define the SNMP community string. For more information, see
snmp-server on page 1701 (management policy config mode).
• <ENCRYPTED-STRING-ALIAS-NAME> – Specify the encrypted-string alias name.
Note: Alias name should begin with ‘$’.
[0|2] <LINE> Configures the value associated with the alias name specified in the previous step
• [0|2] <LINE> – Configures the alias value
hashed-string <HASHED-STRING-ALIAS-NAME> Creates an alias for a hashed string. Use this alias for
configuration values that are hashed strings, such as passwords. For example, in the
<HOST-IP> Associates the network host’s IP address with this host alias. For
example, ‘alias host $HOST 1.1.1.100’. In this example, the host alias name
is: $HOST and the host IP address it is mapped to is: 1.1.1.100.
• <HOST-IP> – Specify the network host’s IP address.
<NETWORK-ADDRESS/MASK> Associates a single network with this network alias. For example, ‘alias network
$NET 1.1.1.0/24’. In this example, the network alias name is: $NET and the network
it is mapped to is: 1.1.1.0/24.
• <NETWORK-ADDRESS/MASK> – Specify the network’s address and mask.
host <HOST-IP> {<HOST-IP>} Associates a single or multiple hosts with this network-group alias
• <HOST-IP> – Specify the hosts’ IP address.
◦ <HOST-IP> – Optional. Specifies more than one host. A maximum of
eight (8) hosts can be configured.
network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>} Associates a single or multiple networks with this network-group alias
• <NETWORK-ADDRESS/MASK> – Specify the network’s address and mask.
◦ <NETWORK-ADDRESS/MASK> – Optional. Specifies more than one
network. A maximum of eight (8) networks can be configured.
alias network-service <NETWORK-SERVICE-ALIAS-NAME> Configures an alias that specifies available network services and the
corresponding source and destination software ports
• <NETWORK-SERVICE-ALIAS-NAME> – Specify a network-service alias name.
{(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|
sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
After specifying the protocol, you may configure a destination port for this service. These keywords
are recursive and you can configure multiple protocols and associate multiple destination and source
ports.
• <1-65535> – Optional. Configures a destination port number from 1 - 65535
• <WORD> – Optional. Identifies the destination port by the service name provided. For example, the
SSH service uses TCP port 22.
• bgp – Optional. Configures the default BGP (Border Gateway Protocol) services port (179)
• dns – Optional. Configures the default DNS (Domain Name System) services port (53)
• ftp – Optional. Configures the default FTP (File Transfer Protocol) control services port (21)
• ftp-data – Optional. Configures the default FTP data services port (20)
• gopher – Optional. Configures the default gopher services port (70)
• https – Optional. Configures the default HTTPS services port (443)
• ldap – Optional. Configures the default LDAP (Lightweight Directory Access Protocol) services
port (389)
• nntp – Optional. Configures the default NNTP (Newsgroup) services port (119)
• ntp – Optional. Configures the default NTP (Network Time Protocol) services port (123)
• pop3 – Optional. Configures the default POP3 (Post Office Protocol) services port (110)
• proto – Optional. Use this option to select another Internet protocol in addition to the one
selected in the previous step.
• sip – Optional. Configures the default SIP (Session Initiation Protocol) services port (5060)
• smtp – Optional. Configures the default SMTP (Simple Mail Transfer Protocol) services port (25)
• sourceport [<1-65535>|<WORD>] – Optional. After specifying the destination port, you may specify
a single or range of source ports.
◦ <1-65535> – Specify the source port from 1 - 65535.
◦ <WORD> – Specify the source port range, for example 1-10.
• ssh – Optional. Configures the default SSH services port (22)
• telnet – Optional. Configures the default Telnet services port (23)
alias string <STRING-ALIAS-NAME> Creates a string alias identified by the <STRING-ALIAS-NAME> keyword
• <STRING-ALIAS-NAME> – Specify the string alias name.
Examples
rfs4000-229D58(config)#alias address-range $TestAddRanAlias 192.168.13.10 to 192.168.13.13
rfs4000-229D58(config)#alias network $TestNetworkAlias 192.168.13.0/24
rfs4000-229D58(config)#alias host $TestHostAlias 192.168.13.100
rfs4000-229D58(config)#alias vlan $TestVLANAlias 1
rfs4000-229D58(config)#alias address-range $AddRangeAlias 192.168.13.2 to 192.168.13.10
rfs4000-229D58(config)#alias network-service $NetServAlias proto igmp
rfs4000-229D58(config)#show running-config | include alias
alias network-group $NetGrAlias address-range 192.168.13.7 to 192.168.13.9 192.168.13.20 to 192.168.13.25
alias network $NetworkAlias 192.168.13.0/24
alias host $HostAlias 192.168.13.10
alias address-range $AddRangeAlias 192.168.13.2 to 192.168.13.10
alias network-service $NetServAlias proto igmp
alias vlan $VlanAlias 1
rfs4000-229D58(config)#
nx9500-6C8809(config)#alias number $NUMBER 100
nx9500-6C8809(config)#show context include-factory | include alias
alias string $DOMAIN test.examplecompany.com
alias string $DOMAIN2 test.example_company.com
alias number $NUMBER 100
alias string $SN B4C7996C8809
nx9500-6C8809(config)#
The following example shows the encrypted-string aliases, configured in the previous example, used in
the management-policy:
nx9500-6C8809(config-management-policy-default)#snmp-server community 0 $WRITE rw
nx9500-6C8809(config-management-policy-default)#snmp-server community 0 $READ ro
nx9500-6C8809(config-management-policy-default)#show context
management-policy default
no telnet
no http server
https server
rest-server
ssh
user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5
role superuser access all
snmp-server community 0 $WRITE rw
snmp-server community 0 $READ ro
snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/
QAAAAjWNKa4KXF95pruUCSnhOiT
snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/
QAAAAgc0l8ahJYo3AjHo9wXzYGo
t5 snmp-server community public ro 192.168.0.1
t5 snmp-server community private rw 192.168.0.1
nx9500-6C8809(config-management-policy-default)#
The following example shows the hashed-string alias, configured in the previous example, used in the
management-policy:
nx9500-6C8809(config-management-policy-default)#show context
management-policy default
https server
rest-server
ssh
user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5
role superuser access all
snmp-server community 0 $WRITE rw
snmp-server community 0 $READ ro
snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/
QAAAAjWNKa4KXF95pruUCSnhOiT
snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/
QAAAAgc0l8ahJYo3AjHo9wXzYGo
t5 snmp-server community public ro 192.168.0.1
t5 snmp-server community private rw 192.168.0.1
privilege-mode-password $PriMode
nx9500-6C8809(config-management-policy-default)#
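The limits this section states for alias definitions (the VLAN and number ranges, eight entries of each kind per network-group alias, 32 network-group aliases, four protocol entries per network-service alias) can be checked offline against saved `show running-config | include alias` output. The linter below is an added Python example, not part of WiNG or this guide; applying the ‘$’ naming note to every alias type and rejecting reversed address ranges are assumptions.

```python
import ipaddress
from collections import defaultdict

MAX_GROUP_ENTRIES = 8       # hosts, networks or ranges per network-group alias
MAX_GROUP_ALIASES = 32      # network-group aliases
MAX_SERVICE_PROTOCOLS = 4   # protocol entries per network-service alias
RANGES = {"vlan": (1, 4094), "number": (0, 4294967295)}
PARSERS = {"host": (ipaddress.ip_address, "IP address"),
           "network": (ipaddress.ip_network, "network address/mask")}


def _parse(kind, token, findings, where):
    """Parse one host or network token; record a finding on failure."""
    func, what = PARSERS[kind]
    try:
        return func(token)
    except ValueError:
        findings.append(f"{where}: '{token}' is not a valid {what}")
        return None


def _check_members(kind, tokens, findings, where):
    """Validate host, network or address-range values; return how many."""
    if kind != "address-range":
        for token in tokens:
            _parse(kind, token, findings, where)
        return len(tokens)
    if not tokens or len(tokens) % 3 or any(t != "to" for t in tokens[1::3]):
        findings.append(f"{where}: expected <STARTING-IP> to <ENDING-IP>")
        return 0
    for start, end in zip(tokens[0::3], tokens[2::3]):
        lo = _parse("host", start, findings, where)
        hi = _parse("host", end, findings, where)
        if lo is not None and hi is not None and (lo.version != hi.version or lo > hi):
            findings.append(f"{where}: range {start} to {end} is reversed")
    return len(tokens) // 3


def lint_aliases(config_text):
    """Return findings for every 'alias ...' line in a running-config dump."""
    findings = []
    group_counts = defaultdict(lambda: defaultdict(int))
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = raw.split()
        if tok[:1] != ["alias"]:
            continue  # prompts and unrelated configuration lines
        if len(tok) < 4:
            findings.append(f"line {lineno}: incomplete alias definition")
            continue
        kind, name, args = tok[1], tok[2], tok[3:]
        where = f"line {lineno} ({kind} {name})"
        if not name.startswith("$"):
            findings.append(f"{where}: alias name should begin with '$'")
        if kind in ("host", "network", "address-range"):
            _check_members(kind, args, findings, where)
        elif kind in RANGES:
            low, high = RANGES[kind]
            if not args[0].isdigit() or not low <= int(args[0]) <= high:
                findings.append(f"{where}: value must be in <{low}-{high}>")
        elif kind == "network-service":
            if args.count("proto") > MAX_SERVICE_PROTOCOLS:
                findings.append(f"{where}: more than {MAX_SERVICE_PROTOCOLS} protocols")
        elif kind == "network-group" and args[0] in ("host", "network", "address-range"):
            count = _check_members(args[0], args[1:], findings, where)
            group_counts[name][args[0]] += count
    for name, counts in group_counts.items():
        for sub, count in counts.items():
            if count > MAX_GROUP_ENTRIES:
                findings.append(f"network-group {name}: {count} {sub} entries "
                                f"(maximum {MAX_GROUP_ENTRIES})")
    if len(group_counts) > MAX_GROUP_ALIASES:
        findings.append(f"{len(group_counts)} network-group aliases "
                        f"(maximum {MAX_GROUP_ALIASES})")
    return findings


# Alias lines as printed by the 'show' commands in the examples of this section.
PAGE_OUTPUT = """\
alias network-group $NetGrAlias address-range 192.168.13.7 to 192.168.13.9 192.168.13.20 to 192.168.13.25
alias network $NetworkAlias 192.168.13.0/24
alias host $HostAlias 192.168.13.10
alias address-range $AddRangeAlias 192.168.13.2 to 192.168.13.10
alias network-service $NetServAlias proto igmp
alias vlan $VlanAlias 1
alias number $NUMBER 100
"""

# Constructed input that breaks the documented limits.
BAD_OUTPUT = "\n".join([
    "alias vlan $GuestVlan 4095",
    "alias host HostAlias 192.168.13.300",
    "alias address-range $Rev 192.168.13.10 to 192.168.13.2",
    "alias network $Net 192.168.13.0/33",
    "alias network-group $Big host " + " ".join(f"10.0.0.{i}" for i in range(1, 10)),
])

if __name__ == "__main__":
    print("\n".join(lint_aliases(BAD_OUTPUT)))
```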
Related Commands
ap7502
Adds an AP7502 to the network. If a profile for the AP is not available, a new profile is created.
Syntax
ap7502 <MAC>
Parameters
ap7502 <MAC>
Examples
rfs4000-6DB5D4(config)#ap7502 00-23-68-99-BF-A8
rfs4000-6DB5D4(config-device-00-23-68-99-BF-A8)#show context
ap7502 00-23-68-99-BF-A8
use profile default-ap7502
use rf-domain default
hostname ap7502-99BFA8
mint mlcp vlan
mint mlcp ip
use radius-server-policy eap
interface radio1
rf-mode 2.4GHz-wlan
wlan open_test bss 1 primary
interface radio2
rf-mode 5GHz-wlan
wlan open_test bss 1 primary
rfs4000-6DB5D4(config-device-00-23-68-99-BF-A8)#
rfs4000-6DB5D4(config)#show wireless ap configured
------------------------------------------------------------------------------------------
IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY
------------------------------------------------------------------------------------------
1 ap7502-99BFA8 00-23-68-99-BF-A8 default-ap7502 default 00-15-70-6D-B5-D4
------------------------------------------------------------------------------------------
rfs4000-6DB5D4(config)#
Related Commands
ap7522
Adds an AP7522 to the network. If a profile for the AP is not available, a new profile is created.
Syntax
ap7522 <MAC>
Parameters
ap7522 <MAC>
Examples
NOC-NX9500(config)#ap7522 84-24-8D-83-30-A4
NOC-NX9500(config-device-84-24-8D-83-30-A4)#show context
ap7522 84-24-8D-83-30-A4
use profile default-ap7522
use rf-domain default
hostname ap7522-8330A4
mint mlcp vlan
mint mlcp ip
use radius-server-policy eap
interface radio1
rf-mode 2.4GHz-wlan
wlan open_test bss 1 primary
interface radio2
rf-mode 5GHz-wlan
wlan open_test bss 1 primary
NOC-NX9500(config-device-84-24-8D-83-30-A4)#
NOC-NX9500(config)#show wireless ap configured
------------------------------------------------------------------------------------------
IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY
------------------------------------------------------------------------------------------
1 ap7522-8330A4 84-24-8D-83-30-A4 default-ap7522 default B4-C7-99-6C-88-09
2 ap8163-74B45C B4-C7-99-74-B4-5C default-ap81xx default B4-C7-99-6C-88-09
------------------------------------------------------------------------------------------
NOC-NX9500(config)#
Related Commands
ap7532
Adds an AP7532 to the network. If a profile for the AP is not available, a new profile is created.
Syntax
ap7532 <MAC>
Parameters
ap7532 <MAC>
Examples
rfs4000-6DB5D4(config)#ap7532 00-23-68-12-B6-18
rfs4000-6DB5D4(config-device-00-23-68-12-B6-18)#show context
ap7532 00-23-68-12-B6-18
use profile default-ap7532
use rf-domain default
hostname ap7532-12B618
mint mlcp vlan
mint mlcp ip
use radius-server-policy eap
interface radio1
rf-mode 2.4GHz-wlan
wlan open bss 1 primary
interface radio2
rf-mode 5GHz-wlan
Related Commands
ap7562
Adds an AP7562 series to the network. If a profile for the AP is not available, a new profile is created.
Syntax
ap7562 <MAC>
Parameters
ap7562 <MAC>
Examples
rfs4000-6DB5D4(config)#ap7562 01-16-71-A1-CD-20
rfs4000-6DB5D4(config-device-01-16-71-A1-CD-20)#show context
ap7562 01-16-71-A1-CD-20
use profile default-ap7562
use rf-domain default
hostname ap7562-A1CD20
mint mlcp vlan
mint mlcp ip
use radius-server-policy eap
interface radio1
rf-mode 2.4GHz-wlan
wlan open bss 1 primary
interface radio2
rf-mode 5GHz-wlan
wlan open bss 1 primary
rfs4000-6DB5D4(config-device-01-16-71-A1-CD-20)#
rfs4000-6DB5D4(config)#show wireless ap configured
------------------------------------------------------------------------------------------
IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY
------------------------------------------------------------------------------------------
1 ap7502-99BFA8 00-23-68-99-BF-A8 default-ap7502 default 00-15-70-6D-B5-D4
2 ap7532-12B618 00-23-68-12-B6-18 default-ap7532 default 00-15-70-6D-B5-D4
Related Commands
ap7602
Adds an AP7602 to the network. If a profile for the AP is not available, a new profile is created.
Syntax
ap7602 <MAC>
Parameters
ap7602 <MAC>
Examples
nx9500-6C8809(config)#ap7602 11-2C-3b-01-AA-23
nx9500-6C8809(config-device-11-2C-3b-01-AA-23)#show context
ap7602 11-2C-3b-01-AA-23
use profile default-ap7602
use rf-domain default
hostname ap7602-01AA23
nx9500-6C8809(config-device-11-2C-3b-01-AA-23)#
Related Commands
ap7612
Adds an AP7612 to the network. If a profile for the AP is not available, a new profile is created.
Syntax
ap7612 <MAC>
Parameters
ap7612 <MAC>
Examples
nx9500-6C8809(config)#ap7612 10-1c-AB-11-0E-20
nx9500-6C8809(config-device-10-1c-AB-11-0E-20)#show context
ap7612 10-1C-AB-11-0E-20
use profile default-ap7612
use rf-domain default
hostname ap7612-110E20
nx9500-6C8809(config-device-10-1c-AB-11-0E-20)#
Related Commands
ap7622
Adds an AP7622 to the network. If a profile for the AP is not available, a new profile is created.
Syntax
ap7622 <MAC>
Parameters
ap7622 <MAC>
Examples
nx9500-6C8809(config)#ap7622 01-11-CD-21-0B-13
nx9500-6C8809(config-device-01-11-CD-21-0B-13)#show con
ap7622 01-11-CD-21-0B-13
use profile default-ap7622
use rf-domain default
hostname ap7622-210B13
nx9500-6C8809(config-device-01-11-CD-21-0B-13)#
Related Commands
ap7632
Adds an AP7632 to the network. If a profile for the AP is not available, a new profile is created.
Syntax
ap7632 <MAC>
Parameters
ap7632 <MAC>
Examples
nx9500-6C8809(config)#ap7632 23-12-A1-F0-12-02
nx9500-6C8809(config-device-23-12-A1-F0-12-02)#show context
ap7632 23-12-A1-F0-12-02
use profile default-ap7632
use rf-domain default
hostname ap7632-F01202
nx9500-6C8809(config-device-23-12-A1-F0-12-02)#
Related Commands
ap7662
Adds an AP7662 to the network. If a profile for the AP is not available, a new profile is created.
Syntax
ap7662 <MAC>
Parameters
ap7662 <MAC>
Examples
nx9500-6C8809(config)#ap7662 20-12-bd-4C-31-5F
nx9500-6C8809(config-device-20-12-BD-4C-31-5F)#show context
ap7662 20-12-BD-4C-31-5F
use profile default-ap7662
use rf-domain default
hostname ap7662-4C315F
nx9500-6C8809(config-device-20-12-BD-4C-31-5F)#
Related Commands
ap8163
Adds an AP8163 series to the network. If a profile for the AP is not available, a new profile is created.
Syntax
ap81xx <MAC>
Parameters
ap81xx <MAC>
Examples
rfs4000-6DB5D4(config)#ap81xx B4-C7-99-71-17-28
rfs4000-6DB5D4(config-device-B4-C7-99-71-17-28)#show context
ap81xx B4-C7-99-71-17-28
use profile default-ap81xx
use rf-domain default
hostname ap8163-711728
license AAP DEFAULT-LICENSE
rfs4000-6DB5D4(config-device-B4-C7-99-71-17-28)#
rfs4000-6DB5D4(config)#show wireless ap configured
---------------------------------------------------------------------------------------
IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY
---------------------------------------------------------------------------------------
1 ap8163-711728 B4-C7-99-71-17-28 default-ap81xx default 00-15-70-6D-B5-D4
---------------------------------------------------------------------------------------
rfs4000-6DB5D4(config)#
Related Commands
ap8432
Adds an AP8432 to the network. If a profile for the AP is not available, a new profile is created.
Syntax
ap8432 <MAC>
Parameters
ap8432 <MAC>
Examples
nx9500-6C8809(config)#ap8432 84-24-8D-80-C2-AC
nx9500-6C8809(config-device-84-24-8D-80-C2-AC)#show context
ap8432 84-24-8D-80-C2-AC
use profile default-ap8432
use rf-domain default
hostname ap8432-80C2AC
nx9500-6C8809(config-device-84-24-8D-80-C2-AC)#
nx9500-6C8809(config)#show wireless ap configured
---------------------------------------------------------------------------------------
IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY
---------------------------------------------------------------------------------------
1 ap8432-80C2AC 84-24-8D-80-C2-AC default-ap8432 default un-adopted
---------------------------------------------------------------------------------------
nx9500-6C8809(config)#
Related Commands
ap8533
Adds an AP8533 to the network. If a profile for the AP is not available, a new profile is created.
Syntax
ap8533 <MAC>
Parameters
ap8533 <MAC>
Examples
nx9500-6C8809(config)#ap8533 B4-C7-99-74-B4-5C
nx9500-6C8809(config-device-B4-C7-99-74-B4-5C)#show context
ap8533 B4-C7-99-74-B4-5C
use profile default-ap8533
use rf-domain default
hostname ap8533-74B45C
nx9500-6C8809(config-device-B4-C7-99-74-B4-5C)#
nx9500-6C8809(config)#show wireless ap configured
---------------------------------------------------------------------------------------
IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY
---------------------------------------------------------------------------------------
1 ap8533-74B45C B4-C7-99-74-B4-5C default-ap8533 default un-adopted
---------------------------------------------------------------------------------------
nx9500-6C8809(config)#
Related Commands
application
Creates a new application definition and enters its configuration mode. Use this command to create a
customized application detection definition.
Syntax
application <APPLICATION-NAME>
Parameters
application <APPLICATION-NAME>
application <APPLICATION-NAME> Creates a new application definition and enters its configuration mode
• <APPLICATION-NAME> – Specify a name for the new application definition. It is created if it does
not already exist in the system.
Examples
nx9500-6C8809(config)#application Bing
nx9500-6C8809(config-application-Bing)#?
Application Mode commands:
app-category Set application category (default is custom)
description Add application description
https Secure HTTP
nx9500-6C8809(config-application-Bing)#
Related Commands
application-mode-commands
app-category (application-config-mode)
Syntax
app-category <APP-CATEGORY-NAME>
Parameters
app-category <APP-CATEGORY-NAME>
app-category <APP-CATEGORY-NAME> Select the category best suited for this application definition. There are
twenty three categories. These are: business, conference, custom, database, filetransfer, gaming,
generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking,
standard, streaming, tunnel, video, voip, and Web.
The default setting is custom. Use this option to categorize your internal
custom applications, so that they do not appear as unknown traffic.
Examples
nx9500-6C8809(config-application-Bing)#app-category [TAB]
business conference custom
database filetransfer gaming
generic im mail
mobile network\ management other
p2p remote_control sharehosting
social\ networking streaming tunnel
voip web
nx9500-6C8809(config-application-Bing)#
nx9500-6C8809(config-application-Bing)#app-category streaming
nx9500-6C8809(config-application-Bing)#show context
application Bing
app-category streaming
nx9500-6C8809(config-application-Bing)#
Related Commands
description (application-config-mode)
Syntax
description <WORD>
Parameters
description <WORD>
Examples
nx9500-6C8809(config-application-Bing)#description "Bing is Microsoft's Web search engine"
nx9500-6C8809(config-application-Bing)#show context
application Bing
description "Bing is Microsoft's Web search engine"
app-category streaming
nx9500-6C8809(config-application-Bing)#
Related Commands
https (application-config-mode)
Configures the HTTPS parameter type, attribute type, match criteria for the HTTPS server name, and the
64-character maximum server name attribute used in the HTTPS server message exchange.
Supported in the following platforms:
• Access Points — AP-7522, AP 7532
• Service Platforms — NX 5500, NX 7510, NX 95XX, NX 96XX, VX 9000
Syntax
https server-cert common-name [contains|ends-with] <WORD>
Parameters
https server-cert common-name [contains|ends-with] <WORD>
Examples
nx9500-6C8809(config-application-Bing)#https server-cert common-name exact bing.com
nx9500-6C8809(config-application-Bing)#show context
application Bing
description "Bing is Microsoft's web search engine"
app-category streaming
https server-cert common-name exact bing.com
nx9500-6C8809(config-application-Bing)#
Related Commands
no (application-config-mode) on page 289 Removes the HTTPS common-name attribute value configured with this
application category
use (application-config-mode)
For applications using protocols other than HTTPS, use this command to define the protocols, ports,
and/or URL host name to match.
Supported in the following platforms:
• Access Points — AP-7522, AP 7532
• Service Platforms — NX 5500, NX 7510, NX 95XX, NX 96XX, VX 9000
Syntax
use [network-service <NETWORK-SERVICE-ALIAS-NAME>|url-list <URL-LIST-NAME>]
Parameters
use [network-service <NETWORK-SERVICE-ALIAS-NAME>|url-list <URL-LIST-NAME>]
url-list <URL-LIST-NAME> Associates a URL list with this application definition. URL lists are utilized
for whitelisting and blacklisting Web application URLs from being
launched and consuming bandwidth within the WiNG managed network.
• <URL-LIST-NAME> – Specify the URL list name (should be existing
and configured). The URL list should specify the HTTP URL host
names to match.
Examples
nx9500-6C8809(config-application-Bing)#use url-list Bing
nx9500-6C8809(config-application-Bing)#show context
application Bing
description "Bing is Microsoft's web search engine"
app-category streaming
use url-list Bing
https server-cert common-name exact bing.com
nx9500-6C8809(config-application-Bing)#
Related Commands
no (application-config-mode) on page 289 Removes the network-service alias or the URL list associated with this
application definition
no (application-config-mode)
Syntax
no [app-category|description|https|use]
no [app-category|description]
no https server-cert common-name [contains|ends-with] <WORD>
no use [network-service <NETWORK-SERVICE-ALIAS-NAME>|url-list <URL-LIST-NAME>]
Parameters
no <PARAMETERS>
Examples
The following example displays the application definition ‘Bing’ parameters before the ‘no’ commands
are executed:
nx9500-6C8809(config-application-Bing)#show context
application Bing
description "Bing is Microsoft's web search engine"
app-category streaming
use url-list Bing
https server-cert common-name exact bing.com
nx9500-6C8809(config-application-Bing)#
nx9500-6C8809(config-application-Bing)#no description
nx9500-6C8809(config-application-Bing)#no https server-cert common-name exact bing.com
The following example displays the application definition ‘Bing’ parameters after the ‘no’ commands are
executed:
nx9500-6C8809(config-application-Bing)#show context
application Bing
app-category streaming
use url-list Bing
nx9500-6C8809(config-application-Bing)#
application-group
Syntax
application-group <APPLICATION-GROUP-NAME>
Parameters
application-group <APPLICATION-GROUP-NAME>
Examples
nx9500-6C8809(config)#application-group amazon
nx9500-6C8809(config-app-group-amazon)#?
Application Group Mode commands:
application Add application to group
description Add application-group description
no Negate a command or set its defaults
nx9500-6C8809(config-app-group-amazon)#
Related Commands
application-group-mode-commands
The following table summarizes the application group configuration mode commands:
application (application-group-config-mode)
Adds an application to this application group. You can add a system-provided or user-defined
application.
Syntax
application <APPLICATION-NAME>
Parameters
application <APPLICATION-NAME>
Examples
To view all applications available in the system, use [TAB], as shown in the following example:
nx9500-6C8809(config-app-group-test)#application [TAB]
Display all 300 possibilities? (y or n)
1-clickshare-com 1-upload-com
1-upload-to 10upload-com
--More--
nx9500-6C8809(config-app-group-test)#
Select the desired application from the list displayed, as shown in the following examples:
nx9500-6C8809(config-app-group-amazon)#application amazon [TAB]
amazon-prime-music amazon-prime-video amazon_cloud amazon_shop
nx9500-6C8809(config-app-group-amazon)#
nx9500-6C8809(config-app-group-amazon)#application amazon-prime-music
nx9500-6C8809(config-app-group-amazon)#application amazon-prime-video
nx9500-6C8809(config-app-group-amazon)#application amazon_cloud
nx9500-6C8809(config-app-group-amazon)#application amazon_shop
nx9500-6C8809(config-app-group-amazon)#show context
application-group amazon
application amazon-prime-music
application amazon-prime-video
application amazon_cloud
application amazon_shop
nx9500-6C8809(config-app-group-amazon)#
Note, the system returns an error message if the application entered is not listed, as shown in the
following example:
nx9500-6C8809(config-app-group-test)#application bing
% Error: application 'bing' is not defined
nx9500-6C8809(config-app-group-test)#
Related Commands
description (application-group-config-mode)
Syntax
description <WORD>
Parameters
description <WORD>
description <WORD> Configures a description for this application group that uniquely
differentiates it from other existing application groups
• <WORD> – Provide a description not exceeding 80 characters in length.
Examples
nx9500-6C8809(config-app-group-amazon)#description "This application-group lists all Amazon applications."
nx9500-6C8809(config-app-group-amazon)#show context
application-group amazon
description "This application-group lists all Amazon applications."
application amazon-prime-music
application amazon-prime-video
application amazon_cloud
application amazon_shop
nx9500-6C8809(config-app-group-amazon)#
Related Commands
no (application-group-config-mode)
Syntax
no [application <APPLICATION-NAME>|description]
Parameters
no [application <APPLICATION-NAME>|description]
no <PARAMETERS> Removes an application associated with this group, and removes this
group’s description
Examples
The following example displays the application-group ‘amazon’ configuration before the execution of
‘no’ commands:
nx9500-6C8809(config-app-group-amazon)#show context
application-group amazon
description "This application-group lists all Amazon applications."
application amazon-prime-music
application amazon-prime-video
application amazon_cloud
application amazon_shop
nx9500-6C8809(config-app-group-amazon)#
nx9500-6C8809(config-app-group-amazon)#no application amazon_cloud
nx9500-6C8809(config-app-group-amazon)#no description
The following example displays the application-group ‘amazon’ configuration after the execution of ‘no’
commands:
nx9500-6C8809(config-app-group-amazon)#show context
application-group amazon
application amazon-prime-music
application amazon-prime-video
application amazon_shop
nx9500-6C8809(config-app-group-amazon)#
application-policy
When an application is recognized and classified by the WiNG application recognition engine,
administrator defined actions can be applied to that specific application. An application policy defines
the rules or actions executed on recognized applications (for example, Facebook) or application-
categories (for example, social-networking). The following are the rules/actions that can be applied in
an application policy:
• Allow - Allows packets for a specific application or application category
• Deny - Denies packets for a specific application or application category
• Mark - Marks packets with DSCP/8021p value for a specific application or application category
• Rate-limit - Rate limits packets from specific application types.
For each rule defined, a precedence is assigned to resolve conflicting rules for applications and
categories. A deny rule is exclusive, as no other action can be combined with a deny. An allow rule is
redundant with other actions, since the default action is allow. An allow rule is useful when you want to
deny packets for a category but allow a few applications in the same category to proceed. In
such cases, add an allow rule for those applications with a higher precedence than the deny rule for that
category.
Mark actions mark packets for a recognized application and category with DSCP/8021p values used for
QoS. Rate-limits create a rate-limiter applied to packets recognized for an application and category.
An ingress rate, an egress rate, or both need to be specified for the rate-limiter; specifying both is
not required. Mark and rate-limit are the only two actions that can be combined for an application and
category. All other combinations are invalid.
Once created and configured, apply the application policy at the following levels within the network to
enforce application assurance:
• RADIUS CoA usage – In the device/profile configuration mode, use the application-policy >
radius > <APPLICATION-POLICY-NAME> command to apply the policy to every user
successfully authenticated by the RADIUS server.
• User role – In the role-policy-user-role configuration mode, use the use > application-
policy <APPLICATION-POLICY-NAME> command to apply the policy to all users assigned to
the role.
• WLAN – In the WLAN configuration mode, use the use > application-policy
<APPLICATION-POLICY-NAME> command to apply the policy to all users accessing the WLAN.
• Bridge VLAN – In the bridge VLAN configuration mode, use the use > application-policy
<APPLICATION-POLICY-NAME> command to apply the policy for the traffic corresponding to
the bridged VLAN.
Syntax
application-policy <APPLICATION-POLICY-NAME>
Parameters
application-policy <APPLICATION-POLICY-NAME>
application-policy <APPLICATION-POLICY-NAME> Specify the application policy name. If an application
policy with the specified name does not exist, it is created. The name should not
exceed 32 characters in length.
Examples
nx9500-6C8809(config)#application-policy TestAppliPolicy
nx9500-6C8809(config-app-policy-TestAppliPolicy)#?
Application Policy Mode commands:
allow Allow packets
deny Deny packets
description Application policy description
enforcement-time Configure policy enforcement based on time
logging Application recognition logging
mark Mark packets
no Negate a command or set its defaults
rate-limit Rate-limit packets
nx9500-6C8809(config-app-policy-TestAppliPolicy)#
Related Commands
application-policy-mode-commands
allow (application-policy-config-mode)
Creates an allow rule and configures the match criteria based on which packets are filtered and the
allow access action applied
Supported in the following platforms:
• Access Points — AP-7522, AP 7532
• Service Platforms — NX 5500, NX 7510, NX 95XX, NX 96XX, VX 9000
Syntax
allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] schedule
<SCHEDULE-POLICY-NAME> (precedence <1-256>)
Parameters
allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] schedule
<SCHEDULE-POLICY-NAME> (precedence <1-256>)
allow Creates an allow rule and configures the match criteria. The options are
app-category and application.
app-category [<APP-CATEGORY-NAME>|all] Uses application category as the match criteria
• <APP-CATEGORY-NAME> – Specify the application category. The
options are: antivirus\ update, audio, business, conference, custom,
database, file transfer, gaming, generic, im, mail, mobile, network\
management, other, p2p, remote_control, social\ networking,
standard, streaming, tunnel, video, voip, and web. Each packet’s
app-category is matched with the value specified here. In case of a
match, the system forwards the packet or else drops it.
• all – The system forwards all packets irrespective of the application
category.
schedule <SCHEDULE-POLICY-NAME> Schedules an enforcement time for this allow rule by associating a
schedule policy with it. Use this parameter to apply rule-specific
enforcement time.
• schedule <SCHEDULE-POLICY-NAME> – Associates a schedule
policy with the rule. When associated, the rule is enforced only on
the days and time configured in the schedule policy. Without the
association of a schedule policy, all rules within an application policy
are enforced concurrently (defined by the application-policy >
enforcement-time command). If scheduling a rule, ensure that the
time configured in the schedule policy is a subset of the application
policy’s enforcement time. In other words, the application policy
should be active when the rule is being enforced. For example, if the
application policy is enforced on Mondays from 10:00 to 22:00 hours
and the schedule policy time-rule is set for Fridays, then this rule will
never be hit. When enforcing rules at different times, the best
practice is to keep the application policy active at all times
(i.e., retain the default enforcement-time setting of ‘all’).
• <SCHEDULE-POLICY-NAME> – Specify the policy name (should be
existing and configured). After applying a schedule policy, specify a
precedence for the rule.
precedence <1-256> Assigns a precedence value for this allow rule. The precedence value
differentiates between rules applicable to applications and the
application categories to which they belong. The allow, deny, mark,
rate-limit options are mutually exclusive. In other words, in an
application policy, for a specific application or application category, you
can create either an allow rule, or a deny rule, or a mark and rate-limit
rule.
Let us consider application youtube belonging to app-category
streaming.
The action required is: Allow youtube packets, and deny all other
applications belonging to app-category streaming.
The rules can be defined as:
#allow application youtube precedence 1
#deny app-category streaming precedence 2
The following configuration is incorrect:
#deny app-category streaming precedence 1
#allow application youtube precedence 2
Once the deny app-category streaming precedence 1 rule is hit, all
streaming packets, including youtube, are dropped. Consequently, there
are no packets left to apply the subsequent allow rule.
The mark and rate-limit rules are the only two actions that can be
combined for a specific application or application category type.
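The ordering and action-combination rules described above can be checked before a policy is applied. The following Python linter is an added example, not part of the WiNG CLI or of this guide's own material; the lint function, its finding strings, the application-to-category map and the extra 'deny app-category video precedence 6' rule are assumptions made for illustration, and schedule policies are not considered.

```python
import re
from collections import defaultdict

# Rule lines as they appear in this guide; the leading '#' used in the
# precedence discussion is tolerated.
RULE_RE = re.compile(r'^(allow|deny|mark|rate-limit) (app-category|application) '
                     r'("[^"]+"|\S+).*? precedence (\d+)$')

# Constructed inputs. INCORRECT and CORRECT are the two youtube/streaming
# orderings from the precedence description; BING is the 'Bing' policy from
# this guide's examples. The final deny rule in BAD_COMBO is hypothetical.
INCORRECT = """
#deny app-category streaming precedence 1
#allow application youtube precedence 2
"""
CORRECT = """
#allow application youtube precedence 1
#deny app-category streaming precedence 2
"""
BING = """
allow application Bing precedence 1
allow app-category business precedence 2
deny app-category "social networking" precedence 3
mark app-category video dscp 9 precedence 4
mark application facetime dscp 10 precedence 5
"""
BAD_COMBO = BING + "deny app-category video precedence 6\n"

# Application-to-category map (assumption: only the pairing stated in the text).
APP_CATEGORY = {"youtube": "streaming"}


def parse_rules(text):
    """Return (precedence, action, kind, target) tuples sorted by precedence."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip().lstrip("#"))
        if m:
            action, kind, target, prec = m.groups()
            rules.append((int(prec), action, kind, target.strip('"')))
    return sorted(rules)


def lint(text, app_category):
    """Report invalid action combinations and allow rules hidden behind a deny."""
    rules = parse_rules(text)
    findings = []

    # Only mark + rate-limit may be combined on the same application/category.
    actions = defaultdict(set)
    for _, action, kind, target in rules:
        actions[(kind, target)].add(action)
    for (kind, target), acts in sorted(actions.items()):
        if len(acts) > 1 and acts != {"mark", "rate-limit"}:
            findings.append(f"invalid combination on {kind} {target}: "
                            + "+".join(sorted(acts)))

    # An allow for an application is dead if a deny for its category (or for
    # 'all') has a lower precedence number, because the deny is hit first.
    for prec, action, kind, target in rules:
        if (action, kind) != ("allow", "application"):
            continue
        category = app_category.get(target)
        for dprec, daction, dkind, dtarget in rules:
            if (daction, dkind) == ("deny", "app-category") and dprec < prec \
                    and dtarget in (category, "all"):
                findings.append(f"allow application {target} precedence {prec} "
                                f"is shadowed by deny app-category {dtarget} "
                                f"precedence {dprec}")
    return findings
```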
Examples
The following example shows how to view all built-in, system provided applications:
nx9500-6C8809(config-app-policy-test)#allow application [TAB]
Display all 300 possibilities? (y or n)
1-clickshare-com 1-upload-com
1-upload-to 10upload-com
123upload-pl 139pan-com
163pan-com 1clickshare-net
1fichier-com 1kxun
2channel 2gis
2shared-com 360mobile
4fastfile-com 4share-ws
Dota\ 2 EA\ Origin
--More--
nx9500-6C8809(config-app-policy-test)#
The following examples show two allow rules, allowing access to all packets belonging to the
application category ‘business’ and the application ‘Bing’:
nx9500-6C8809(config-app-policy-Bing)#allow application Bi [TAB]
Bing BitTorrent BitTorrent_encrypted
BitTorrent_plain BitTorrent_uTP BitTorrent_uTP_encrypted
nx9500-6C8809(config-app-policy-Bing)#
Note: Bing is not one of the WiNG built-in database applications. It is a customized application created
using the application command.
nx9500-6C8809(config-app-policy-Bing)#allow application Bing precedence 1
nx9500-6C8809(config-app-policy-Bing)#allow app-category [TAB]
all antivirus\ update audio
business conference custom
database filetransfer gaming
generic im mail
mobile network\ management other
p2p remote_control social\ networking
standard streaming tunnel
video voip web
nx9500-6C8809(config-app-policy-Bing)#
nx9500-6C8809(config-app-policy-Bing)#allow app-category business precedence 2
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
allow application Bing precedence 1
allow app-category business precedence 2
nx9500-6C8809(config-app-policy-Bing)#
The following example shows an application policy 'SocialNet' having an allow rule with an associated
schedule policy named 'FaceBook':
nx9500-6C8809(config-app-policy-SocialNet)#allow application facebook schedule FaceBook precedence 1
nx9500-6C8809(config-app-policy-SocialNet)#show context
application-policy SocialNet
description "This application policy relates to Social Networking sites."
allow application facebook schedule FaceBook precedence 1
nx9500-6C8809(config-app-policy-SocialNet)#
The schedule policy ‘FaceBook’ configuration is as follows. As per this policy, the above allow rule will
apply to all FaceBook packets every Friday between 13:00 and 18:00 hours.
nx9500-6C8809(config-schedule-policy-FaceBook)#show context
schedule-policy FaceBook
description "Allows FaceBook traffic on Fridays."
time-rule days friday start-time 13:00 end-time 18:00
nx9500-6C8809(config-schedule-policy-FaceBook)#
Related Commands
deny (application-policy-config-mode)
Creates a deny rule and configures the match criteria based on which packets are filtered and the deny
access action applied
Supported in the following platforms:
• Access Points — AP-7522, AP 7532
• Service Platforms — NX 5500, NX 7510, NX 95XX, NX 96XX, VX 9000
Syntax
deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] schedule
<SCHEDULE-POLICY-NAME> (precedence <1-256>)
Parameters
deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] schedule
<SCHEDULE-POLICY-NAME> (precedence <1-256>)
deny Creates a deny rule and configures the match criteria. The options are
app-category and application.
app-category [<APP-CATEGORY-NAME>|all] Uses application category as the match criteria
• <APP-CATEGORY-NAME> – Specify the application category name. The
options are: antivirus\ update, audio, business, conference, custom,
database, file transfer, gaming, generic, im, mail, mobile, network\
management, other, p2p, remote_control, social\ networking, standard,
streaming, tunnel, video, voip, and web. Each packet’s app-category is
matched with the value specified here. In case of a match, the system
drops the packet.
• all – The system drops all packets irrespective of the application category.
schedule <SCHEDULE-POLICY-NAME> Schedules an enforcement time for this deny rule by associating a schedule
policy with it. Use this parameter to apply rule-specific enforcement time.
• schedule <SCHEDULE-POLICY-NAME> – Associates a schedule policy
with the rule. When associated, the rule is enforced only on the days and
time configured in the schedule policy. Without the association of a
schedule policy, all rules within an application policy are enforced
concurrently (defined by the application-policy > enforcement-time
command). If scheduling a rule, ensure that the time configured in the
schedule policy is a subset of the application policy’s enforcement time. In
other words, the application policy should be active when the rule is being
enforced. For example, if the application policy is enforced on Mondays
from 10:00 to 22:00 hours and the schedule policy time-rule is set for
Fridays, then this rule will never be hit. When enforcing rules at different
times, the best practice is to keep the application policy active at
all times (i.e., retain the default enforcement-time setting of ‘all’).
• <SCHEDULE-POLICY-NAME> – Specify the policy name (should be
existing and configured). After applying a schedule policy, specify a
precedence for the rule.
In case of no schedule policy being applied, the rule is enforced as per the
enforcement-time configured in the application policy. For more information,
see enforcement-time.
precedence <1-256> Assigns a precedence value for this deny rule. The precedence value
differentiates between rules applicable to applications and the application
categories to which they belong. The allow, deny, mark, rate-limit options are
mutually exclusive. In other words, in an application policy, for a specific
application or application category, you can create either an allow rule, or a
deny rule, or a mark and rate-limit rule.
Let us consider application youtube belonging to app-category streaming.
The rules can be defined as:
#allow application youtube precedence 1
#deny app-category streaming precedence 2
The following configuration is incorrect:
#deny app-category streaming precedence 1
#allow application youtube precedence 2
Once the deny app-category streaming precedence 1 rule is hit, all streaming
packets, including youtube, are dropped. Consequently, there are no packets
left to apply the subsequent allow rule.
The mark and rate-limit rules are the only two actions that can be combined
for a specific application or application category type.
Examples
The following example shows one deny rule, denying access to all packets belonging to the application
category ‘social\ networking’:
nx9500-6C8809(config-app-policy-Bing)#deny app-category social\ networking precedence 3
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
allow application Bing precedence 1
allow app-category business precedence 2
deny app-category "social networking" precedence 3
nx9500-6C8809(config-app-policy-Bing)#
The following example displays the schedule policy ‘DenyS-N’ settings. The time-rule defined in the
policy is all weekdays from 9:30 AM to 11:30 PM.
nx9500-6C8809(config-schedule-policy-DenyS-N)#show context
schedule-policy DenyS-N
description "Denies all social Networking sites on weekdays."
time-rule days weekdays start-time 09:30 end-time 23:30
nx9500-6C8809(config-schedule-policy-DenyS-N)#
The following example displays the schedule policy ‘FaceBook’ settings. The time-rule defined in the
policy is Friday from 1:00 PM to 6:00 PM.
nx9500-6C8809(config-schedule-policy-FaceBook)#show context
schedule-policy FaceBook
description "Allows FaceBook traffic on Fridays."
time-rule days friday start-time 13:00 end-time 18:00
nx9500-6C8809(config-schedule-policy-FaceBook)#
The following example shows an application policy ‘SocialNet’ defining an allow and deny rule. Both
rules have different enforcement time, defined by their respective schedule policies (DenyS-N and
FaceBook). As per these two schedule policy settings, this application policy:
• Denies all social\ networking sites on weekdays (barring Fridays between 1:00 PM and 6:00 PM) from
9:30 AM to 11:30 PM.
• On Fridays, between 1:00 PM and 6:00 PM, it:
◦ Denies all social\ networking sites except Facebook.
nx9500-6C8809(config-app-policy-SocialNet)#show context
application-policy SocialNet
description "This application policy relates to Social Networking sites."
allow application facebook schedule FaceBook precedence 1
deny app-category "social networking" schedule DenyS-N precedence 2
nx9500-6C8809(config-app-policy-SocialNet)#
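The SocialNet behaviour described above, and the "rule will never be hit" case from the schedule parameter description, can be reproduced offline. The following Python model is an added example, not WiNG code or output; the first-match evaluation, the exclusive end-time, the 'twitter' application name, the 'MondayOnly' policy and the placement of facebook in app-category 'social networking' are assumptions made for illustration.

```python
import re

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_SETS = {"all": set(DAYS), "weekdays": set(DAYS[:5]), "weekends": set(DAYS[5:])}
ALWAYS = (set(DAYS), 0, 24 * 60)  # default enforcement-time: all days, all hours

# Constructed input: 'show context' lines copied from the SocialNet, DenyS-N and
# FaceBook examples in this guide. 'MondayOnly' is a hypothetical policy built
# from the "Mondays from 10:00 to 22:00" case in the schedule parameter text.
CONFIG = '''
schedule-policy DenyS-N
 time-rule days weekdays start-time 09:30 end-time 23:30
schedule-policy FaceBook
 time-rule days friday start-time 13:00 end-time 18:00
application-policy SocialNet
 allow application facebook schedule FaceBook precedence 1
 deny app-category "social networking" schedule DenyS-N precedence 2
application-policy MondayOnly
 enforcement-time days monday start-time 10:00 end-time 22:00
 allow application facebook schedule FaceBook precedence 1
 deny app-category "social networking" precedence 2
'''

RULE_RE = re.compile(r'(allow|deny) (app-category|application) ("[^"]+"|\S+)'
                     r'(?: schedule (\S+))? precedence (\d+)$')
WINDOW_RE = re.compile(r'days (\w+)(?: start-time (\d\d:\d\d) end-time (\d\d:\d\d))?')


def minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def parse_window(line):
    """'days D [start-time HH:MM end-time HH:MM]' -> (day set, start, end) in minutes."""
    day, start, end = WINDOW_RE.search(line).groups()
    days = DAY_SETS.get(day, {day})
    if start is None:
        return (days, 0, 24 * 60)
    return (days, minutes(start), minutes(end))


def parse(config):
    """Return (schedules, policies) parsed from show-context style text."""
    schedules, policies, section = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        word = line.split(" ", 1)[0]
        if word == "schedule-policy":
            section = schedules.setdefault(line.split()[1], [])
        elif word == "application-policy":
            section = policies.setdefault(line.split()[1], {"window": ALWAYS, "rules": []})
        elif word == "time-rule":
            section.append(parse_window(line))
        elif word == "enforcement-time":
            section["window"] = parse_window(line)
        elif RULE_RE.match(line):
            action, kind, target, schedule, prec = RULE_RE.match(line).groups()
            section["rules"].append({"action": action, "kind": kind,
                                     "target": target.strip('"'),
                                     "schedule": schedule, "precedence": int(prec)})
    return schedules, policies


def active(window, day, t):
    days, start, end = window
    return day in days and start <= t < end  # end-time treated as exclusive (assumption)


def decide(policy, schedules, app, category, day, hhmm):
    """First matching allow/deny rule in precedence order; the default action is allow."""
    t = minutes(hhmm)
    if not active(policy["window"], day, t):
        return "allow"  # policy is outside its enforcement-time, so no rule applies
    for rule in sorted(policy["rules"], key=lambda r: r["precedence"]):
        if rule["schedule"] and not any(active(w, day, t) for w in schedules[rule["schedule"]]):
            continue  # the rule's schedule policy is not active at this moment
        wanted = app if rule["kind"] == "application" else category
        if rule["target"] == wanted or (rule["kind"] == "app-category" and rule["target"] == "all"):
            return rule["action"]
    return "allow"


def never_hit(policy, schedules):
    """Precedence values of scheduled rules whose schedule never overlaps enforcement-time."""
    pdays, pstart, pend = policy["window"]
    return [r["precedence"] for r in policy["rules"] if r["schedule"] and not any(
        days & pdays and max(start, pstart) < min(end, pend)
        for days, start, end in schedules[r["schedule"]])]


SCHEDULES, POLICIES = parse(CONFIG)
```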
Related Commands
description (application-policy-config-mode)
Configures a brief description for this application policy that enables you to differentiate it from other
application policies
Supported in the following platforms:
• Access Points — AP-7522, AP 7532
• Service Platforms — NX 5500, NX 7510, NX 95XX, NX 96XX, VX 9000
Syntax
description <LINE>
Parameters
description <LINE>
Examples
nx9500-6C8809(config-app-policy-Bing)#description "This application policy allows Bing search engine packets"
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
description "This application policy allows Bing search engine packets"
allow application Bing precedence 1
allow app-category business precedence 2
deny app-category "social networking" precedence 3
nx9500-6C8809(config-app-policy-Bing)#
Related Commands
enforcement-time (application-policy-config-mode)
Configures an enforcement time period in days and hours for this application policy. The enforcement
time is applicable only to those rules, within the application policy, that do not have a schedule policy
associated. By default an application policy is enforced on all days.
Note
Schedule policies are a means of enforcing allow/deny/mark/rate-limit rules at different time
periods. If no schedule policy is applied, all rules within an application policy are enforced at
the time specified using this enforcement-time command. For more information on
configuring a schedule policy, see schedule-policy.
Syntax
enforcement-time days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|
weekends|weekdays] {start-time <HH:MM> end-time <HH:MM>}
Parameters
enforcement-time days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|
weekends|weekdays] {start-time <HH:MM> end-time <HH:MM>}
enforcement-time days Enforces this application policy only on the days specified here
• sunday – Enforces the policy only on Sundays
• monday – Enforces the policy only on Mondays
• tuesday – Enforces the policy only on Tuesdays
• wednesday – Enforces the policy only on Wednesdays
• thursday – Enforces the policy only on Thursdays
• friday – Enforces the policy only on Fridays
• saturday – Enforces the policy only on Saturdays
• all – Enforces the policy on all days. This is the default setting.
• weekends – Enforces the policy only on weekends
• weekdays – Enforces the policy only on weekdays
In case no enforcement time is specified, the application policy is
enforced on all days (i.e., always active).
If using schedule policies with the allow/deny/mark/rate-limit
rules, the best practice is to keep the application policy
active at all times (i.e., retain the default enforcement-time setting
of ‘all’).
start-time <HH:MM> end-time <HH:MM> Optional. Configures this application policy’s enforcement period
• start-time – Configures the start time. This is the time at which
the application policy enforcement begins.
• end-time – Configures the end time. This is the time at which
the application policy enforcement ends.
◦ <HH:MM> – Specify the start and end time in the HH:MM
format.
Examples
nx9500-6C8809(config-app-policy-Bing)#enforcement-time days weekdays start-time 10:30 end-time 20:00
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
description "This application policy allows Bing search engine packets"
enforcement-time days weekdays start-time 10:30 end-time 20:00
allow application Bing precedence 1
allow app-category business precedence 2
deny app-category "social networking" precedence 3
nx9500-6C8809(config-app-policy-Bing)#
Related Commands
logging (application-policy-config-mode)
Enables DPI application recognition logging. It also sets the logging level.
DPI is an advanced packet analysis technique, which analyzes packet and packet content headers to
determine the nature of network traffic. When enabled, DPI inspects packets of all flows to identify
applications (such as Netflix, Twitter, and Facebook) and extract metadata (such as host name, server
name, and TCP-RTT) for further use by the WiNG firewall.
Supported in the following platforms:
• Access Points — AP-7522, AP 7532
• Service Platforms — NX 5500, NX 7510, NX 95XX, NX 96XX, VX 9000
Syntax
logging [level|on]
logging on
logging level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|
notifications|warnings]
Parameters
logging on
logging on Enables logging of application recognition hits made by the DPI engine. This
option is disabled by default.
logging level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]
Sets the logging level for application recognition hits made by the DPI engine. This option is
disabled by default.
• <0-7> – Sets the message logging severity level on a scale of 0-7
• emergencies – Severity level 0: System is unusable
• alerts – Severity level 1: Requires immediate action
• critical – Severity level 2: Critical conditions
• errors – Severity level 3: Error conditions
• warnings – Severity level 4: Warning conditions
• notifications – Severity level 5: Normal but significant
conditions (this is the default setting)
• informational – Severity level 6: Informational messages
• debugging – Severity level 7: Debugging messages
Examples
nx9500-6C8809(config-app-policy-Bing)#logging level critical
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
description "This application policy allows Bing search engine packets"
enforcement-time days weekdays start-time 12:30 end-time 20:00
allow application Bing precedence 1
allow app-category business precedence 2
deny app-category "social networking" precedence 3
logging level critical
nx9500-6C8809(config-app-policy-Bing)#
Related Commands
no (application-policy-config-mode) on page 311 Resets the logging level to default (notifications). The
no > logging > on command disables DPI logging.
mark (application-policy-config-mode)
Creates a mark rule and configures the match criteria based on which packets are marked
Marks packets, matching a specified set of application categories or applications/protocols, with 802.1p
priority level or DSCP ToS (type of service) code. Marking packets is a means of identifying them for
specific actions, and is used to provide different levels of service to different traffic types.
Supported in the following platforms:
• Access Points — AP-7522, AP 7532
• Service Platforms — NX 5500, NX 7510, NX 95XX, NX 96XX, VX 9000
Syntax
mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] [8021p <0-7>|
dscp <0-63>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)
Parameters
mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] [8021p <0-7>|
dscp <0-63>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)
mark Creates a mark rule and configures the match criteria. When applied, the
rule marks packets, matching the criteria configured here, with 802.1p
priority value or DSCP code. The match criteria options are: app-category
and application.
app-category [<APP-CATEGORY-NAME>|all] Uses application category as the match criteria
• <APP-CATEGORY-NAME> – Specify the application category. The
options are: antivirus\ update, audio, business, conference, custom,
database, file transfer, gaming, generic, im, mail, mobile, network\
management, other, p2p, remote_control, social\ networking,
standard, streaming, tunnel, video, voip, and web. Each packet’s app-
category is matched with the value specified here. In case of a match,
the system marks the packet.
• all – The system marks all packets irrespective of the application
category.
dscp <0-63> Marks packets matching the specified criteria with DSCP ToS code
• <0-63> – Specify a value from 0 - 63.
DSCP marks layer 3 network traffic. Layer 3 network devices
(such as routers) that use DSCP mark each layer 3 packet with a six-bit
DSCP code, which is carried in the packet’s IP header. Each DSCP code
is assigned a corresponding level of service, enabling packet prioritization.
schedule <SCHEDULE-POLICY-NAME> Schedules an enforcement time for this mark rule by associating a
schedule policy with it. Use this parameter to apply rule-specific
enforcement time.
• schedule <SCHEDULE-POLICY-NAME> – Associates a schedule policy
with the rule. When associated, the rule is enforced only on the days
and time configured in the schedule policy. Without the association of
a schedule policy, all rules within an application policy are enforced
concurrently (defined by the application-policy > enforcement-time
command). If scheduling a rule, ensure that the time configured in the
schedule policy is a subset of the application policy’s enforcement
time. In other words, the application policy should be active when the
rule is being enforced. For example, if the application policy is
enforced on Mondays from 10:00 to 22:00 hours and the schedule
policy time-rule is set for Fridays, then this rule will never be hit. When
enforcing rules at different times, the best practice is to keep
the application policy active at all times (i.e., retain the default
enforcement-time setting of ‘all’).
◦ <SCHEDULE-POLICY-NAME> – Specify the policy name (should be
existing and configured). After applying a schedule policy, specify a
precedence for the rule.
In case of no schedule policy being applied, the rule is enforced as per the
enforcement-time configured in the application policy. For more
information, see enforcement-time.
precedence <1-256> Assigns a precedence value for this mark rule. The precedence value
differentiates between rules applicable to applications and the application
categories to which they belong. The allow, deny, mark, rate-limit options are
mutually exclusive. In other words, in an application policy, for a specific
application or application category, you can create either an allow rule, or
a deny rule, or a mark and rate-limit rule.
Let us consider application youtube belonging to app-category
streaming.
The action required is: Allow youtube packets and deny all other
applications belonging to app-category streaming.
The rules can be defined as:
#allow application youtube precedence 1
#deny app-category streaming precedence 2
The following configuration is incorrect:
#deny app-category streaming precedence 1
#allow application youtube precedence 2
Once the deny app-category streaming precedence 1 rule is hit, all
streaming packets, including youtube, are dropped. Consequently, there
are no packets left to apply the subsequent allow rule.
The mark and rate-limit rules are the only two actions that can be
combined for a specific application or application category type.
Examples
nx9500-6C8809(config-app-policy-Bing)#mark app-category video dscp 9 precedence 4
nx9500-6C8809(config-app-policy-Bing)#mark application facetime dscp 10 precedence 5
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
description "This application policy allows Bing search engine packets"
enforcement-time days weekdays start-time 12:30 end-time 20:00
allow application Bing precedence 1
allow app-category business precedence 2
deny app-category "social networking" precedence 3
mark app-category video dscp 9 precedence 4
mark application facetime dscp 10 precedence 5
logging level critical
nx9500-6C8809(config-app-policy-Bing)#
Related Commands
rate-limit (application-policy-config-mode)
Syntax
rate-limit [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]
([egress|ingress]) rate <50-1000000> max-burst-size <2-1024> schedule <SCHEDULE-POLICY-NAME>
(precedence <1-256>)
Parameters
rate-limit [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]
([egress|ingress]) rate <50-1000000> max-burst-size <2-1024> schedule <SCHEDULE-POLICY-NAME>
(precedence <1-256>)
rate-limit Creates a rate-limit rule and configures the match criteria. When
applied, the rule applies a rate-limit to packets that match the criteria
configured here. These packets could be incoming, outgoing, or both.
The match criteria options are: app-category and application.
app-category [<APP-CATEGORY-NAME>|all] Uses application category as the match criteria
• <APP-CATEGORY-NAME> – Specify the application category. The
options are: antivirus\ update, audio, business, conference, custom,
database, file transfer, gaming, generic, im, mail, mobile, network\
management, other, p2p, remote_control, social\ networking,
standard, streaming, tunnel, video, voip, and web. Each packet’s app-
category is matched with the value specified here. In case of a
match, the system rate-limits the packet.
• all – The system rate-limits all packets irrespective of the application
category.
[egress|ingress] The egress and ingress parameters are recursive and can be used to rate
limit either incoming, outgoing, or both incoming and outgoing traffic.
• egress – Selects the traffic type as outgoing
• ingress – Selects the traffic type as incoming
After selecting the traffic type (incoming/outgoing) configure the rate
and maximum burst size.
rate <50-1000000> The following parameters are common to the ‘egress’ and ‘ingress’
keywords:
• rate – Configures the rate limit, in Kbps, for both incoming and
outgoing packets
◦ <50-1000000> – Specify the rate limit from 50 - 1000000 Kbps.
max-burst-size The following parameters are common to the ‘egress’ and ‘ingress’
keywords:
• max-burst-size – Configures the maximum burst size, in Kbytes, for
both incoming and outgoing packets
◦ <2-1024> – Specify the maximum burst size from 2 - 1024 Kbytes.
schedule <SCHEDULE-POLICY-NAME> Schedules an enforcement time for this rate-limit rule by associating a
schedule policy with it. Use this parameter to apply rule-specific
enforcement time.
• schedule <SCHEDULE-POLICY-NAME> – Associates a schedule
policy with the rule. When associated, the rule is enforced only on
the days and time configured in the schedule policy. Without the
association of a schedule policy, all rules within an application policy
are enforced concurrently (defined by the application-policy
> enforcement-time command). If scheduling a rule, ensure
that the time configured in the schedule policy is a subset of the
application policy’s enforcement time. In other words the application
policy should be active when the rule is being enforced. For example,
if the application policy is enforced on Mondays from 10:00 to 22:00
hours and the schedule policy time-rule is set for Fridays, then this
rule will never be hit. When enforcing rules at different times, the best
practice is to keep the application policy active at all times
(i.e., retain the default enforcement-time setting as ‘all’).
◦ <SCHEDULE-POLICY-NAME> – Specify the policy name (should
be existing and configured). After applying a schedule policy,
specify a precedence for the rule.
In case of no schedule policy being applied, the rule is enforced as per
the enforcement-time configured in the application policy. For more
information, see enforcement-time.
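The subset requirement above can be checked offline before a rule is scheduled. The following Python sketch is an added example, not part of the WiNG guide or firmware: it reads the enforcement-time line from an application policy's show context output and reports whether a schedule window is fully, partially, or never inside it. The schedule windows are passed as (day, start, end) tuples and all sample values are constructed, because the schedule-policy syntax is not shown in this section.

```python
DAYS = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"]
GROUPS = {"all": DAYS, "weekends": ["saturday", "sunday"], "weekdays": DAYS[1:6]}


def minutes(hhmm):
    """Convert 'HH:MM' to minutes since midnight."""
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def enforcement_windows(show_context):
    """Map each enforced day to its (start, end) windows, in minutes.

    Assumes windows do not cross midnight and do not overlap each other.
    """
    windows = {}
    for line in show_context.splitlines():
        tok = line.split()
        if tok[:2] != ["enforcement-time", "days"]:
            continue
        stop = tok.index("start-time") if "start-time" in tok else len(tok)
        start, end = 0, 24 * 60
        if "start-time" in tok and "end-time" in tok:
            start = minutes(tok[tok.index("start-time") + 1])
            end = minutes(tok[tok.index("end-time") + 1])
        for word in tok[2:stop]:
            for day in GROUPS.get(word, [word]):
                windows.setdefault(day, []).append((start, end))
    if not windows:
        # No enforcement-time line: the policy keeps the default setting 'all'.
        windows = {day: [(0, 24 * 60)] for day in DAYS}
    return windows


def schedule_coverage(show_context, schedule):
    """Return 'full', 'partial' or 'never' for a list of (day, 'HH:MM', 'HH:MM')."""
    windows = enforcement_windows(show_context)
    wanted = covered = 0
    for day, start, end in schedule:
        start, end = minutes(start), minutes(end)
        wanted += end - start
        for w_start, w_end in windows.get(day, []):
            covered += max(0, min(end, w_end) - max(start, w_start))
    if covered == 0:
        return "never"
    return "full" if covered == wanted else "partial"


# Constructed inputs: the Monday policy mirrors the case described in the text,
# the weekday policy mirrors the 'Bing' example used in this guide.
MONDAY_POLICY = """application-policy demo
 enforcement-time days monday start-time 10:00 end-time 22:00
"""
WEEKDAY_POLICY = """application-policy Bing
 enforcement-time days weekdays start-time 12:30 end-time 20:00
"""

if __name__ == "__main__":
    print(schedule_coverage(MONDAY_POLICY, [("friday", "09:00", "17:00")]))
    print(schedule_coverage(WEEKDAY_POLICY, [("monday", "18:00", "22:00")]))
    print(schedule_coverage(WEEKDAY_POLICY, [("tuesday", "13:00", "14:00")]))
```

A result of never or partial means the scheduled rule is silently inactive for some or all of its intended window.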
precedence <1-256> Assigns a precedence value for this rate-limit rule. The precedence value
differentiates between rules applicable to applications and the
application categories they belong to. The allow, deny, mark, rate-limit
options are mutually exclusive. In other words, in an application policy,
for a specific application or application category, you can create either
an allow rule, or a deny rule, or a mark and rate-limit rule.
Let us consider application youtube belonging to app-category
streaming.
The action required is: Allow youtube packets and deny all other
applications belonging to app-category streaming.
The rules can be defined as:
#allow application youtube precedence 1
#deny app-category streaming precedence 2
The following configuration is incorrect:
#deny app-category streaming precedence 1
#allow application youtube precedence 2
Once the deny app-category streaming precedence 1 rule is hit, all
streaming packets, including youtube, are dropped. Consequently, there
are no packets left to apply the subsequent allow rule.
The mark and rate-limit rules are the only two actions that can be
combined for a specific application or application category type.
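The ordering rule above can be audited mechanically. The following Python sketch is an added example, not part of the WiNG guide or firmware: it parses the allow and deny rules from show context output and flags any rule that an earlier (lower precedence number) rule already covers. The application-to-category map is an assumption supplied by the auditor; the guide only states that youtube belongs to streaming.

```python
import shlex

TERMINAL_ACTIONS = {"allow", "deny"}


def parse_rules(show_context):
    """Return allow/deny rules from 'show context' text, sorted by precedence."""
    rules = []
    for line in show_context.splitlines():
        try:
            # shlex accepts both "social networking" and social\ networking
            tok = shlex.split(line.strip().lstrip("#"))
        except ValueError:
            continue  # unbalanced quote, e.g. inside a description string
        if len(tok) < 5 or tok[0] not in TERMINAL_ACTIONS:
            continue
        if tok[1] not in ("application", "app-category"):
            continue
        if tok[-2] != "precedence" or not tok[-1].isdigit():
            continue
        rules.append({
            "action": tok[0],
            "kind": tok[1],
            "name": " ".join(tok[2:-2]).lower(),
            "precedence": int(tok[-1]),
        })
    return sorted(rules, key=lambda r: r["precedence"])


def covers(earlier, later, app_category):
    """True when every packet matching `later` already matches `earlier`."""
    if earlier["kind"] == "app-category":
        if earlier["name"] == "all":
            return True
        if later["kind"] == "app-category":
            return later["name"] == earlier["name"]
        return app_category.get(later["name"]) == earlier["name"]
    return later["kind"] == "application" and later["name"] == earlier["name"]


def find_shadowed(show_context, app_category):
    """Return (shadowed_precedence, shadowing_precedence, actions_conflict)."""
    rules = parse_rules(show_context)
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later, app_category):
                findings.append((later["precedence"], earlier["precedence"],
                                 later["action"] != earlier["action"]))
                break
    return findings


# Assumed membership map (hypothetical beyond youtube -> streaming).
APP_CATEGORY = {"youtube": "streaming"}

# The two orderings discussed in the text.
CORRECT = """
#allow application youtube precedence 1
#deny app-category streaming precedence 2
"""
INCORRECT = """
#deny app-category streaming precedence 1
#allow application youtube precedence 2
"""

if __name__ == "__main__":
    for label, cfg in (("correct", CORRECT), ("incorrect", INCORRECT)):
        for shadowed, by, conflict in find_shadowed(cfg, APP_CATEGORY):
            kind = "conflicting" if conflict else "redundant"
            print(f"{label}: precedence {shadowed} is never reached "
                  f"({kind} with precedence {by})")
```

Only allow and deny rules are compared, since this section does not state how mark and rate-limit rules interact with later rules.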
Examples
nx9500-6C8809(config-app-policy-Bing)#rate-limit application BGP ingress rate 100
max-burst-size 25 egress rate 50 max-burst-size 25 precedence 6
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
description "This application policy allows Bing search engine packets"
enforcement-time days weekdays start-time 12:30 end-time 20:00
allow application Bing precedence 1
allow app-category business precedence 2
deny app-category "social networking" precedence 3
Related Commands
no (application-policy-config-mode)
Syntax
no [allow|deny|description|enforcement-time|logging|mark|rate-limit]
no allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]
precedence <1-256>
no deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]
precedence <1-256>
no description
no enforcement-time days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|
weekends|weekdays]
no logging [level|on]
no mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]
precedence <1-256>
no rate-limit [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]
precedence <0-256>
Parameters
no <PARAMETERS>
Examples
The following example shows the application policy ‘Bing’ settings before the ‘no’ commands are
executed:
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
description "This application policy allows Bing search engine packets"
enforcement-time days weekdays start-time 12:30 end-time 20:00
allow application Bing precedence 1
allow app-category business precedence 2
deny app-category "social networking" precedence 3
mark app-category video dscp 9 precedence 4
mark application facetime dscp 10 precedence 5
rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-burst-
size 25 precedence 6
logging level critical
nx9500-6C8809(config-app-policy-Bing)#
nx9500-6C8809(config-app-policy-Bing)#no allow app-category business precedence 2
nx9500-6C8809(config-app-policy-Bing)#no deny app-category social\ networking precedence 3
The following example shows the application policy ‘Bing’ settings after the ‘no’ commands are
executed:
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
description "This application policy allows Bing search engine packets"
enforcement-time days weekdays start-time 12:30 end-time 20:00
allow application Bing precedence 1
mark app-category video dscp 9 precedence 4
mark application facetime dscp 10 precedence 5
rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-burst-
size 25 precedence 6
logging level critical
nx9500-6C8809(config-app-policy-Bing)#
association-acl-policy
Configures an association ACL policy. This policy defines a list of devices allowed or denied access to
the network.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
association-acl-policy <ASSOCIATION-ACL-POLICY-NAME>
Parameters
association-acl-policy <ASSOCIATION-ACL-POLICY-NAME>
<ASSOCIATION-ACL-POLICY-NAME> Specify the association ACL policy name. If the policy does not
exist, it is created.
Examples
NOC-NX9500(config)#association-acl-policy test
NOC-NX9500(config-assoc-acl-test)#?
Association ACL Mode commands:
deny Specify MAC addresses to be denied
no Negate a command or set its defaults
permit Specify MAC addresses to be permitted
NOC-NX9500(config-assoc-acl-test)#
Related Commands
Note
For more information on the association-acl-policy, see ASSOCIATION-ACL-POLICY.
auto-provisioning-policy
Configures an auto provisioning policy. This policy configures the automatic provisioning of device
adoption. The policy configures how an AP is adopted based on its type.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
auto-provisioning-policy <AUTO-PROVISIONING-POLICY-NAME>
Parameters
auto-provisioning-policy <AUTO-PROVISIONING-POLICY-NAME>
<AUTO-PROVISIONING-POLICY-NAME> Specify the auto provisioning policy name. If the policy does not
exist, it is created.
Examples
NOC-NX9500(config)#auto-provisioning-policy test
NOC-NX9500(config-auto-provisioning-policy-test)#?
Auto-Provisioning Policy Mode commands:
adopt Add rule for device adoption
auto-create-rfd-template When RF Domain specified by the matching rule
template does not exist create new RF Domain
automatically
default-adoption Adopt devices even when no matching rules are
found. Assign default profile and default
rf-domain
deny Add rule to deny device adoption
evaluate-always Set the flag to evaluate the policy everytime,
regardless of previous adoption status
no Negate a command or set its defaults
redirect Add rule to redirect device adoption
upgrade Add rule for device upgrade
NOC-NX9500(config-auto-provisioning-policy-test)#
Related Commands
Note
For more information on the auto-provisioning-policy, see AUTO-PROVISIONING-POLICY.
bgp
BGP is an inter-ISP routing protocol which establishes routing between ISPs (Internet Service
Providers). ISPs use BGP to exchange routing and reachability information between AS (Autonomous
Systems) on the Internet. BGP makes routing decisions based on paths, network policies and/or rules
configured by network administrators. The primary role of a BGP system is to exchange network
reachability information with other BGP peers. This information includes information on AS that the
reachability information traverses. This information is sufficient to create a graph of AS connectivity
from which routing decisions can be created and rules enforced.
An AS is a set of routers under the same administration that use IGP (Interior Gateway Protocol) and
common metrics to define how to route packets within the AS. AS uses inter-AS routing to route
packets to other ASs. For an external AS, an AS appears to have a single coherent interior routing plan
and presents a consistent picture of the destinations reachable through it.
Routing information exchanged through BGP supports only destination based forwarding (it assumes a
router forwards packets based on the destination address carried in the IP header of the packet).
BGP uses TCP as its transport protocol. This eliminates the need to implement explicit update
fragmentation, retransmission, acknowledgment, and sequencing. BGP listens on TCP port 179. The
error notification mechanism used in BGP assumes that TCP supports a graceful close (all outstanding
data is delivered before the connection is closed).
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
bgp [as-path-list|community-list|extcommunity-list|ip-access-list|ip-prefix-list] <LIST-
NAME>
Parameters
bgp [as-path-list|community-list|extcommunity-list|ip-access-list|ip-prefix-list] <LIST-
NAME>
as-path-list <LIST-NAME> Creates an AS path list and enters its configuration mode
• <LIST-NAME> – Provide the AS-PATH-LIST name.
community-list <LIST-NAME> Creates a community list and enters its configuration mode
• <LIST-NAME> – Provide the COMMUNITY-LIST name.
extcommunity-list <LIST-NAME> Creates an extended community list and enters its configuration
mode
• <LIST-NAME> – Provide the EXTCOMMUNITY-LIST name.
ip-access-list <LIST-NAME> Creates a BGP IP access list and enters its configuration mode
• <LIST-NAME> – Provide the BGP IP-ACCESS-LIST name.
ip-prefix-list <LIST-NAME> Creates a BGP IP prefix list and enters its configuration mode
• <LIST-NAME> – Provide the BGP IP-PREFIX-LIST name.
Examples
nx9500-6C8809(config)#bgp ?
as-path-list BGP AS path list Configuration
community-list Add a community list entry
extcommunity-list Add a extended community list entry (EXPERIMENTAL)
ip-access-list Add an access list entry
ip-prefix-list Build a prefix list
nx9500-6C8809(config)#
nx9500-6C8809(config)#bgp as-path-list AS-TEST-PATH
nx9500-6C8809(config-bgp-as-path-list-AS-TEST-PATH)#?
BGP AS Path List Mode commands:
deny Specify packets to reject
no Negate a command or set its defaults
permit Specify packets to forward
nx9500-6C8809(config-bgp-as-path-list-AS-TEST-PATH)#
Related Commands
Note
For more information on BGP, see BORDER GATEWAY PROTOCOL on
page 2050.
ble-data-export-policy
Creates a BLE data export policy and enters its configuration mode. This policy enables forwarding of
BLE (Bluetooth Low Energy) data to an external, third-party server.
The BLE data export policy provides the external, third-party server’s REST URL. After configuring the
policy apply it on an RF Domain. Once applied, BLE-enabled, WiNG APs, within the domain, sense BLE
iBeacon and Eddystone beacons from other BLE-enabled devices and forward device data to the
specified third-party server. This data is forwarded in the JSON format.
Note
The following WiNG access points support BLE data forwarding: AP-7612, AP7632, AP7662,
AP-8432, AP-8533
Before enabling BLE data export, ensure that the APs’ Bluetooth radio is active and the mode is set to
‘le-sensor’. For more information on configuring the Bluetooth settings on the AP’s profile/device
context, see interface-config-bluetooth-instance on page 1265.
Syntax
ble-data-export-policy <POLICY-NAME>
Parameters
ble-data-export-policy <POLICY-NAME>
<POLICY-NAME> Specify the policy name. If a BLE data export policy with the specified
name does not exist, it is created.
Note:
The name should not exceed 32 characters in length.
Examples
NOC-NX9500(config)#ble-data-export-policy test
NOC-NX9500(config-ble-data-export-policy-test)#?
Ble Data Export Policy Mode commands:
no Negate a command or set its defaults
rest Configure the url to send the real time RSSI feed to
NOC-NX9500(config-ble-data-export-policy-test)#
Related Commands
ble-data-export-policy-commands
The following table summarizes the BLE data export policy configuration mode commands:
rest (ble-data-export-commands)
Configures the third-party, BLE-locationing server’s URL. This is the external resource to which WiNG
APs forward BLE data (UUID, RSSI, etc.) using the REST API. The data is forwarded in the JSON
format.
Syntax
rest <URL>
Parameters
rest <URL>
Examples
ap8432-070235(config-ble-data-export-policy-test)#rest https://test.com/12/
ap8432-070235(config-ble-data-export-policy-test)#show context
ble-data-export-policy test
rest https://test.com/12/
ap8432-070235(config-ble-data-export-policy-test)#
The following example shows the configuration required to
enable BLE data forwarding:
1. On the WiNG AP’s profile/device context, configure the following Bluetooth parameters:
ap8432-070235(config-profile-test-if-bluetooth1)#mode le-sensor
ap8432-070235(config-profile-test-if-bluetooth1)#no shutdown
ap8432-070235(config-profile-test-if-bluetooth1)#show context
interface bluetooth1
no shutdown
mode le-sensor
ap8432-070235(config-profile-test-if-bluetooth1)#
a. Configure a BLE data export policy, pointing to the external, third-party, REST end-point.
NOC-NX9500(config-ble-data-export-policy-test)#rest https://test.com/12/
This enables BLE data forwarding to the external, third-party server specified in the policy.
• Use the sensor policy, configured in step 2b.
NOC-NX9500(config-rf-domain-ble)#use sensor-policy test
When applied, BLE data is forwarded at the interval specified in the sensor policy.
Related Commands
no (ble-data-export-commands)
Syntax
no rest
Parameters
no rest
no rest Removes the REST API endpoint’s URL (in this case it is the third-party
locationing server)
Examples
The following example shows the BLE Data Export policy ‘test’ settings before the ‘no’ command is
executed:
ap8432-070235(config-ble-data-export-policy-test)#show context
ble-data-export-policy test
rest https://test.com/12/
ap8432-070235(config-ble-data-export-policy-test)#
ap8432-070235(config-ble-data-export-policy-test)#no rest
The following example shows the BLE Data Export policy ‘test’ settings after the ‘no’ command was
executed:
ap8432-070235(config-ble-data-export-policy-test)#show context
ble-data-export-policy test
ap8432-070235(config-ble-data-export-policy-test)#
bonjour-gw-discovery-policy
Bonjour is Apple’s zero-configuration networking (Zeroconf) implementation. Bonjour enables
automatic IP address assignment, name to address resolution, and service discovery without having to
configure a DHCP server, DNS server, and Directory server. When configured and applied on a WLAN,
the Bonjour Gateway Discovery policy queries for and locates Bonjour devices (printers, computers, file-
sharing servers, etc.) and services these computers provide over a local network. Bonjour works only
within a single broadcast domain. However, with a special DNS configuration, it can be extended to find
services across broadcast domains.
Use this command to configure a Bonjour GW Discovery policy. The policy defines a list of services
clients can discover across subnets. A maximum of 8 (eight) policies can be created on access points,
wireless controllers, or service platforms.
When configured and applied, this feature enables Bonjour services on local and tunneled VLANs.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
bonjour-gw-discovery-policy <POLICY-NAME>
Parameters
bonjour-gw-discovery-policy <POLICY-NAME>
<POLICY-NAME> Specify the Bonjour GW Discovery policy name. If the policy does not
exist, it is created. In the Bonjour GW Discovery policy configuration
mode, use the allow-service keyword to configure the services that the
Bonjour gateway is allowed to discover. A maximum of 16 (sixteen)
service rules can be created. Optionally, you can restrict this facility for
users on specific VLANs. To do so, specify the VLAN IDs.
Execute the bonjour-gw-forwarding-policy command to enable
forwarding of Bonjour service responses across VLANs.
To associate a Bonjour GW Discovery policy with a WLAN, in the WLAN
configuration mode, execute the following command: use > bonjour-
gw-discovery-policy > <POLICY-NAME>. For more information,
see use (wlan-config-mode) on page 666.
To associate a Bonjour GW Discovery policy with a VLAN, in the interface
VLAN configuration mode, execute the following command: use >
bonjour-gw-discovery-policy > <POLICY-NAME>. For more
information, see use on page 1162.
To associate a Bonjour GW Discovery policy with a user role, in the role-
policy - user-role - configuration mode, execute the following command:
use > bonjour-gw-discovery-policy > <POLICY-NAME>.
For more information, see use on page 1801.
Examples
nx9500-6C8809(config)#bonjour-gw-discovery-policy TestPolicy
nx9500-6C8809(config-bonjour-gw-discovery-policy-TestPolicy)#?
commands:
allow-service Allow Bonjour Service on local or tunneled vlan,Optionally
VLAN IDs can be given so service will be discovered for those
vlan only
no Negate a command or set its defaults
nx9500-6C8809(config-bonjour-gw-discovery-policy-TestPolicy)#
Related Commands
bonjour-gw-discovery-policy-config-commands
The following table summarizes the Bonjour Gateway Discovery Policy configuration mode commands:
allow-service (bonjour-gw-discovery-policy-config-mode)
Enables discovery of Bonjour devices and the services they provide on Local or Tunneled VLANs
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
allow-service <BONJOUR-SERVICE-NAME> [local|tunneled]
allow-service <BONJOUR-SERVICE-NAME> local {instance-name contains <WORD>} ({service-
vlans <WORD>})
allow-service <BONJOUR-SERVICE-NAME> tunneled {instance-name contains <WORD>}
Parameters
allow-service <BONJOUR-SERVICE-NAME> local {instance-name contains <WORD>} ({service-
vlans <WORD>})
allow-service <BONJOUR-SERVICE-NAME> Configures the services that can be discovered by the Bonjour gateway. And
also configures the VLANs on which the selected services can be discovered.
• <BONJOUR-SERVICE-NAME> – You can either select the Bonjour services
from a set of system-provided, pre-defined Apple services, or use an
existing alias to define a service not available in the predefined list.
The predefined Apple services available are: Afp, AirPlay, AirPort, AirPrint,
AirTunes, AppleTimeMachine, Chromecast, Daap, HomeSharing, Printer,
and Scanner.
Use the <WORD> keyword to define a service not included in the system-
provided, pre-defined list. Ensure this device is registered with the
Multicast DNS Responder (mDNSResponder).
local Select to enable the discovery of the selected Bonjour Services on the local
VLAN
instance-name contains <WORD> Optional. Specifies the selected Bonjour service’s instance name. When
specified, the Bonjour service discovery queries contain the instance name of
the service to be discovered.
This option is useful especially in large distributed, enterprise networks. Use it
to create different instances of a Bonjour service for the different
organizations or departments (VLANs) within your network. Creating
instances allows you to advertise specific service instances for a specific set
of VLANs, instead of advertising top-level Bonjour Services to various
allocated VLAN(s).
• contains <WORD> – Specify the instance name. You can either directly
specify the string value to be used as a match criteria, or use a string alias
(for example, $BONJOUR-STRING) to identify the string to match. If using
a string alias, ensure that it is existing and configured. For information on
configuring a string alias, see alias on page 267.
service-vlans <WORD> Optional. Configures a VLAN or a list of VLANs on which the selected service
is discoverable. When specified, Bonjour discovery queries are delivered to all
clients on the specified VLANs. Applicable only if enabling Bonjour Services
discovery on local VLANs.
allow-service <BONJOUR-SERVICE-NAME> Configures the services that can be discovered by the Bonjour gateway. And
also configures the VLANs on which the selected services can be
discovered.
• <BONJOUR-SERVICE-NAME> – You can either select the Bonjour
Services from a set of system-provided, pre-defined Apple services, or
use an existing alias to define a service not available in the predefined
list.
tunneled Select to enable the discovery of the selected Bonjour Services on tunneled
VLANs
instance-name contains <WORD> Optional. Adds a Bonjour Service instance name. If you have a large
enterprise network, use this option to create different Bonjour Service
instances for the different organizations or departments (VLANS) within
your network. Creating instances allows you to advertise specific service
instances for a specific set of VLANs, instead of advertising top-level
Bonjour Services to various allocated VLAN(s).
• contains <WORD> – Specify the sub-string to match. You can either
directly specify the string value to be used as a match criteria, or use a
string alias (for example, $BONJOUR-STRING) to identify the string to
match. If using a string alias, ensure that it is existing and configured. For
information on configuring aliases, see alias.
Examples
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#allow-service Afp local
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#allow-service Printer local
instance-name contains $Bonjour_Service service-vlans 1,2
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#show context
bonjour-gw-discovery-policy test
allow-service Printer local service-vlans 1-2 instance-name contains $Bonjour_Service
allow-service Afp local
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#
Related Commands
no (bonjour-gw-discovery-policy-config-mode)
Syntax
no allow-service <BONJOUR-SERVICE-NAME> [local|tunneled] {service-vlans <WORD>}
Parameters
no allow-service <BONJOUR-SERVICE-NAME> [local|tunneled] {service-vlans <WORD>}
Examples
The following example shows the Bonjour GW Discovery policy ‘test’ settings before the ‘no’ command
is executed:
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#show context
bonjour-gw-discovery-policy test
allow-service Printer local service-vlans 1-2 instance-name contains $Bonjour_Service
allow-service Afp local
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#
nx9500-6C8809(config-bonjour-gw-discovery-policy-test1)#no allow-service Afp local
The following example shows the Bonjour GW Discovery policy ‘test’ settings after the ‘no’ command
was executed:
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#show context
bonjour-gw-discovery-policy test
allow-service Printer local service-vlans 1-2 instance-name contains $Bonjour_Service
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#
bonjour-gw-forwarding-policy
Configures a Bonjour GW Forwarding policy. When configured and applied on the controller, the policy
defines the service VLANs (the VLANs on which Bonjour services are running) and client VLANs where
clients are present. All Bonjour responses from service VLANs are forwarded to client VLANs. A
maximum of 2 (two) policies can be created on a wireless controller or service platform. And only 1
(one) policy can be created on an access point.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
bonjour-gw-forwarding-policy <POLICY-NAME>
Parameters
bonjour-gw-forwarding-policy <POLICY-NAME>
<POLICY-NAME> Specify the Bonjour GW Forwarding policy name. If the policy does not exist, it is created.
To receive Bonjour service responses from specific VLANs, specify the VLAN IDs. In the
Bonjour GW Forwarding policy configuration mode, provide a list of VLAN IDs from which
Bonjour responses can be received (format: 10-20, 25, 30-35). And then specify the list of
client VLANs that can access Bonjour services.
Execute the bonjour-gw-discovery-policy command to define the Bonjour services
allowed on local and tunneled VLANs.
To associate a Bonjour GW Forwarding policy with a device or profile, in the profile/device
configuration mode, execute the use > bonjour-gw-forwarding-policy >
<POLICY-NAME> command. For more information, see use (profile/device-config-
mode-commands) on page 1363.
Examples
nx9500-6C8809(config)#bonjour-gw-forwarding-policy test
nx9500-6C8809(config-bonjour-gw-forwarding-policy-test)#?
(config-bonjour-gw-forwarding-policy) commands:
forward-bonjour-response Forwards bonjour service response across vlans
no Negate a command or set its defaults
nx9500-6C8809(config-bonjour-gw-forwarding-policy-test)#
Related Commands
bonjour-gw-query-forwarding-policy
Configures a Bonjour GW Query Forwarding policy and enters its configuration mode. When created
and applied, this policy enables forwarding of Bonjour queries across VLANs.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
bonjour-gw-query-forwarding-policy <POLICY-NAME>
Parameters
bonjour-gw-query-forwarding-policy <POLICY-NAME>
<POLICY-NAME> Specify the Bonjour GW Query Forwarding policy name. If the policy does
not exist, it is created.
In the Bonjour GW Query Forwarding policy configuration mode, specify
the ‘from’ and ‘to’ VLAN(s). The from-vlans option configures the
VLAN(s) that are the source of the Bonjour queries. The to-vlans option
configures the destination VLAN(s) that can access the Bonjour queries.
To associate a Bonjour GW Query Forwarding policy with a device or
profile, in the profile/device configuration mode, execute the
use > bonjour-gw-query-forwarding-policy > <POLICY-
NAME>
command. For more information, see use (profile/device-config-mode-
commands) on page 1363.
Examples
nx9500-6C8809(config)#bonjour-gw-query-forwarding-policy test
nx9500-6C8809(config-bonjour-gw-query-forwarding-policy-test)#?
(config-bonjour-gw-query-forwarding-policy) commands:
forward-bonjour-query Forwards bonjour query across vlans
no Negate a command or set its defaults
nx9500-6C8809(config-bonjour-gw-query-forwarding-policy-test)#
Related Commands
captive-portal
Configures a captive portal policy and enters its configuration mode. Once created and configured, use
the captive portal policy in the WLAN context, and in the device/profile contexts of the access point or
controller hosting the captive portal server.
A captive portal provides secure access using a standard Web browser. Captive portals provide
authenticated access by capturing and re-directing a wireless user's Web browser session to a captive
portal login page where the user must enter valid credentials to access the wireless network. Once
logged into the captive portal, additional Acknowledgment, Agreement, Welcome, No Service, and Fail
pages provide options to customize the screen flow and user appearance.
Captive portals are recommended for providing guests or visitors authenticated access to network
resources when 802.1X EAP is not a viable option. Captive portal authentication does not provide end-
user data encryption, but it can be used with static WEP, WPA-PSK or WPA2-PSK encryption.
Authentication for captive portal access requests is performed using a username and password pair,
authenticated by an integrated RADIUS server. Authentication for private network access is conducted
either locally on the requesting wireless client, or centrally at a data center.
Captive portals use a Web provisioning tool to create guest user accounts directly on the controller,
service platform, or access point. The connection medium defined for the Web connection is either
HTTP or HTTPS. Both HTTP and HTTPS use a request and response procedure to disseminate
information to and from requesting wireless clients.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
captive-portal <CAPTIVE-PORTAL-NAME>
Parameters
captive-portal <CAPTIVE-PORTAL-NAME>
<CAPTIVE-PORTAL-NAME> Specify the captive portal name. If a captive portal with the specified name
does not exist, it is created.
Examples
nx9500-6C8809(config)#captive-portal test
nx9500-6C8809(config-captive-portal-test)#?
Captive Portal Mode commands:
access-time Allowed access time for the client. Used when
there is no session time in radius response
access-type Access type of this captive portal
accounting Configure how accounting records are created for
this captive portal policy
bypass Bypass captive portal
connection-mode Connection mode for this captive portal
custom-auth Custom user information
data-limit Enforce data limit for clients
frictionless-onboarding Register the client MAC address at ExtremeGuest
on redirection
inactivity-timeout Inactivity timeout in seconds. If a frame is not
received from client for this amount of time,
then current session will be removed
ipv6 Internet Protocol version 6 (IPv6)
localization Configure the FQDN address to get the
localization parameters for the client
logout-fqdn Configure the FQDN address to logout the session
from client
no Negate a command or set its defaults
oauth OAuth 2.0 authentication configuration
php-helper Configure the captive portal to use a server for
help with php
post-authentication-vlan Configure post authentication vlan for captive
portal users
radius-vlan-assignment Enable radius vlan assignment for captive portal
users
Related Commands
captive-portal-mode-commands
access-time
Defines the permitted access time for a client. It is used when no session time is defined in the RADIUS
response.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
access-time <10-10080>
Parameters
access-time <10-10080>
<30-10080> Defines the access time allowed for a wireless client from 10 - 10080 minutes. The default
is 1440 minutes.
Examples
nx9500-6C8809(config-captive-portal-test)#access-time 35
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
access-time 35
nx9500-6C8809(config-captive-portal-test)#
Related Commands
access-type
Defines the captive portal’s access type. The authentication scheme configured here is applied to
wireless clients requesting captive portal guest access to the network.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
access-type [custom-auth-radius|logging|no-auth|radius|registration]
Parameters
access-type [custom-auth-radius|logging|no-auth|radius|registration]
custom-auth-radius  Specifies the custom user information used for authentication (RADIUS lookup of
    given information, such as name, e-mail address, telephone, etc.). When configured,
    accessing clients are required to provide a 1-32 character lookup data string used to
    authenticate their credentials.
    When selecting this option, use the custom-auth command to configure the required
    user information.
logging  Enables logging of user access details.
no-auth  Defines no authentication required for a guest. Requesting clients are redirected to
    the captive portal Welcome page without authentication.
radius  Enables RADIUS authentication for wireless clients. A requesting client’s user
    credentials require authentication before access to the captive portal is permitted.
    This is the default setting.
registration  Enables captive portal’s clients to self register. When enabled, a requesting client’s
    user credentials require authentication locally or through social media credential
    exchange and validation.
    If enabled, use the webpage > internal > registration > field command to customize
    the registration page. If not customized, the default, built-in registration Web page is
    displayed.
Examples
nx9500-6C8809(config-captive-portal-test)#access-type logging
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
access-type logging
access-time 35
nx9500-6C8809(config-captive-portal-test)#
Related Commands
accounting
When enabled, accounting for clients entering and exiting the captive portal is initiated. Accounting is
the method of collecting and sending security server information for billing, auditing, and reporting user
data. This data includes information such as start and stop times, executed commands (such as PPP),
and the number of packets and bytes transmitted. Accounting enables tracking of captive portal
services consumed by clients.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
accounting [radius|syslog]
accounting radius
accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-
controller|through-rf-domain-manager]}
Parameters
accounting radius
radius  Enables support for RADIUS accounting messages. When enabled, this option uses an external
    RADIUS resource for AAA accounting. This option is disabled by default.
syslog host <IP/HOSTNAME>  Enables support for syslog accounting messages. When enabled, data relating to
    wireless client usage of remote access services is logged on the specified
    external syslog resource. This information assists in differentiating between local
    and remote users. Remote user information can be archived to an external
    location for periodic network and user administration. This option is disabled by
    default.
    • host <IP/HOSTNAME> – Specifies the destination where accounting
    messages are sent. Specify the destination’s IP address or hostname.
proxy-mode [none|through-controller|through-rf-domain-manager]  Optional. Specifies the mode of proxying the syslog server
    • none – Accounting messages are sent directly to the syslog server
    • through-controller – Accounting messages are sent through the controller
    configuring the device
    • through-rf-domain-manager – Accounting messages are sent through the
    local RF Domain manager
Examples
nx9500-6C8809(config-captive-portal-test)#accounting syslog host 172.16.10.13 port 1
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
access-type logging
access-time 35
accounting syslog host 172.16.10.13 port 1
nx9500-6C8809(config-captive-portal-test)#
Related Commands
bypass
Certain devices, such as Apple iOS devices, send CNA (Captive Network Assistant) requests to detect
the existence of captive portals. When enabled, the bypass option does not allow CNA requests to be
redirected to the captive portal pages.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
Syntax
bypass captive-portal-detection
Parameters
bypass captive-portal-detection
Examples
rfs4000-229D58(config-captive-portal-test)#bypass captive-portal-detection
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
bypass captive-portal-detection
rfs4000-229D58(config-captive-portal-test)#
Related Commands
connection-mode
Configures a captive portal’s mode of connection to the Web server. HTTP uses a plain, unsecured
connection for user requests. HTTPS uses an encrypted connection to support user requests.
Both HTTP and HTTPS use the same URI (Uniform Resource Identifier), so controller and client
resources can be identified. However, the use of HTTPS is recommended, as it affords controller and
client transmissions some measure of data protection that HTTP cannot provide.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
connection-mode [http|https]
Parameters
connection-mode [http|https]
http Sets HTTP as the default connection mode. This is the default setting.
https Sets HTTPS as the default connection mode
Note: HTTPS is a more secure version of HTTP, and uses encryption while sending and receiving
requests.
Examples
nx9500-6C8809(config-captive-portal-test)#connection-mode https
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
access-type logging
access-time 35
connection-mode https
accounting syslog host 172.16.10.13 port 1
nx9500-6C8809(config-captive-portal-test)#
Related Commands
custom-auth
Syntax
custom-auth info <LINE>
Parameters
custom-auth info <LINE>
info <LINE> Configures information used for RADIUS lookup when custom-auth RADIUS access type
is configured
• <LINE> – Guest data needs to be provided. Specify the name, e-mail address, and
telephone number of the user.
Examples
nx9500-6C8809(config-captive-portal-test)#custom-auth info bob [email protected]
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
access-type logging
access-time 35
custom-auth info bob [email protected]
connection-mode https
accounting syslog host 172.16.10.13 port 1
nx9500-6C8809(config-captive-portal-test)#
Related Commands
data-limit
Enforces data transfer limits on captive portal clients. This feature enables the tracking and logging of
user usage. Users exceeding the allowed bandwidth are restricted from the captive portal.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
Syntax
data-limit <1-102400> {action [log-and-disconnect|log-only]}
Parameters
data-limit <1-102400> {action [log-and-disconnect|log-only]}
data-limit <1-102400>  Sets a captive portal client's data transfer limit in megabytes. This limit is applicable
    for both upstream and downstream data transfer.
    • <1-102400> – Specify a value from 1 - 102400 MB.
action [log-and-disconnect|log-only]  Optional. Specifies the action taken when a client exceeds the configured data limit.
    The options are:
    • log-and-disconnect – When selected, an entry is added to the log file any time a
    captive portal client exceeds the data limit, and the client is disconnected.
    • log-only – When selected, an entry is added to the log file any time a captive
    portal client exceeds the data limit. The client, however, remains connected to
    the captive portal. This is the default setting.
Examples
rfs4000-229D58(config-captive-portal-test)#data-limit 200 action log-and-disconnect
rfs4000-229D58(config-captive-portal-test)#
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
data-limit 200 action log-and-disconnect
rfs4000-229D58(config-captive-portal-test)#
Related Commands
frictionless-onboarding
Enables wireless clients, associated with guest WLANs, to self-register with the ExtremeGuest server. In
other words, this feature enables frictionless on-boarding of guest users to the ExtremeGuest server.
It also provides an integration API, as a means of on-boarding guest users through a loyalty application.
Note
To enable this feature, in the Guest WLAN (using this captive-portal), enable MAC
authentication and set the registration mode to ‘device’. For information on enabling
frictionless-onboarding, see Examples on page 337.
Syntax
frictionless-onboarding
Parameters
None
Examples
The following configurations are required to enable frictionless on-boarding of guest users to the
ExtremeGuest server:
1. Create a captive-portal:
NX9500-EGuest(config)#captive-portal EGuest
NX9500-EGuest(config-captive-portal-EGuest)#
This sets the guest user access and authentication mode to self-registration.
b. Enable frictionless-onboarding.
NX9500-WC-EGuest(config-captive-portal-EGuest)#frictionless-onboarding
This enables auto-redirection of guest users to the ExtremeGuest server, where the user’s MAC
address is registered. Registered devices, on subsequent logins, are provided immediate access
without interaction with Splash pages.
c. Configure Localization URL.
NX9500-WC-EGuest(config-captive-portal-test)#localization fqdn local.guestaccess.com
When configured, the defined URL is triggered from a mobile application to derive location
information from the wireless network so that an application can be localized to a particular store
or region.
NX9500-WC-EGuest(config-captive-portal-Guest)#show context
captive-portal EGuest
access-type registration
webpage internal registration field city type text enable label "City" placeholder
"Enter City"
webpage internal registration field street type text enable label "Address"
placeholder "123 Any Street"
webpage internal registration field name type text enable label "Full Name"
placeholder "Enter First Name, Last Name"
webpage internal registration field zip type number enable label "Zip" placeholder
"Zip"
webpage internal registration field via-sms type checkbox enable title "SMS
Preferred"
webpage internal registration field mobile type number enable label "Mobile"
placeholder "Mobile Number with Country code"
webpage internal registration field age-range type dropdown-menu enable label "Age
Range" title "Age Range"
webpage internal registration field email type e-address enable mandatory label
"Email" placeholder "[email protected]"
webpage internal registration field via-email type checkbox enable title "Email
Preferred"
frictionless-onboarding
localization fqdn local.guestaccess.com
NX9500-WC-EGuest(config-captive-portal-Guest)#
Note
This is an example FQDN URL.
When enabled, guest users' device MAC addresses are registered in the database. Registered
devices are provided immediate access on subsequent logins.
c. Set guest-registration as external.
NX9500-WC-EGuest(config-wlan-EGuest)#registration external follow-aaa
Execute the command in the following step to specify the AAA Policy.
d. Apply an AAA Policy to the WLAN.
NX9500-WC-EGuest(config-wlan-EGuest)#use aaa-policy guest
When applied, registration and authentication requests are forwarded to the authentication
server configured in the specified AAA Policy.
Note
In the AAA policy, ensure that the authentication server configuration points to the
ExtremeGuest server.
e. Enable captive-portal enforcement.
NX9500-WC-EGuest(config-wlan-EGuest)#captive-portal-enforcement fall-back
This is the captive-portal used with this WLAN for captive-portal validation of guest users.
Related Commands
inactivity-timeout
Defines an inactivity timeout in seconds. If a frame is not received from a client for the specified interval,
the current session is terminated.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
inactivity-timeout <60-86400>
Parameters
inactivity-timeout <60-86400>
<60-86400> Defines the interval for which a captive portal session is kept alive without receiving a
frame from the client. The session is automatically terminated once this interval is over.
• <60-86400> – Specify a value from 60 - 86400 seconds. The default is 10 minutes or
600 seconds.
Examples
nx9500-6C8809(config-captive-portal-test)#inactivity-timeout 750
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
access-type logging
access-time 35
custom-auth info bob [email protected]
connection-mode https
inactivity-timeout 750
accounting syslog host 172.16.10.13 port 1
nx9500-6C8809(config-captive-portal-test)#
Related Commands
no Removes the client inactivity interval configured with this captive portal
ipv6
Configures the IPv6 address of the internal captive portal server (running in centralized mode). If using
centralized server mode, use this option to define the IPv6 address of the controller, service platform,
or access point resource hosting the captive portal. For information on configuring the server mode,
see server.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
ipv6 server host <IPv6>
Parameters
ipv6 server host <IPv6>
ipv6 server host <IPv6> Configures the IPv6 address of the internal captive portal server
• <IPv6> – Specify the captive portal server’s global IPv6 address.
Examples
rfs4000-229D58(config-captive-portal-test2)#ipv6 server host 2001:10:10:10:6d:33:fa:8b
rfs4000-229D58(config-captive-portal-test2)#show context
captive-portal test2
access-type OAuth
ipv6 server host 2001:10:10:10:6d:33:fa:8b
OAuth client-id Google TechPubs.printer.google.com
rfs4000-229D58(config-captive-portal-test2)#
Related Commands
localization
Configures an FQDN address string to get localization parameters for the client. Use this option to add a
URL to trigger a one-time redirect on demand. The defined URL is triggered from a mobile application
to derive location information from the wireless network so an application can be localized to a
particular store or region.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
localization [fqdn <WORD>|response <WORD>]
Parameters
localization [fqdn <WORD>|response <WORD>]
response <WORD>  Configures the response message directed back to the client for localization
    HTTP requests.
    • <WORD> – Specify the response message (should not exceed 512
    characters in length).
The following built-in query tags can be included in the response message:
Examples
nx9500-6C8809(config-captive-portal-test)#localization fqdn local.guestaccess.com
nx9500-6C8809(config-captive-portal-test)#localization response <local><site>SJExtreme</
site><ap>ap8163-74B45C</ap><user>Bob</user><local>
nx9500-6C8809(config-captive-portal-TechPubsNew)#show context
captive-portal TechPubsNew
webpage internal registration field city type text enable label "City" placeholder
"Enter City"
webpage internal registration field street type text enable label "Address" placeholder
"123 Any Street"
webpage internal registration field name type text enable label "Full Name" placeholder
"Enter First Name, Last Name"
webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
webpage internal registration field mobile type number enable label "Mobile" placeholder
"Mobile Number with Country code"
webpage internal registration field age-range type dropdown-menu enable label "Age
Range" title "Age Range"
webpage internal registration field email type e-address enable mandatory label "Email"
placeholder "[email protected]"
webpage internal registration field via-email type checkbox enable title "Email
Preferred"
localization fqdn local.guestaccess.com
Related Commands
logout-fqdn
Configures the Logout FQDN as the FQDN address to log out of the captive portal session from the client (for
example, logout.guest.com).
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
logout-fqdn <WORD>
Parameters
logout-fqdn <WORD>
Examples
rfs4000-229D58(config-captive-portal-test)#logout-fqdn logout.testuser.com
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
logout-fqdn logout.testuser.com
rfs4000-229D58(config-captive-portal-test)#
Related Commands
oauth
Enables OAuth-driven Google and/or Facebook authentication on captive portals that use internal Web
pages.
on the access point/controller. The WiNG application uses these client-ids to access the Google and
Facebook Auth APIs, and authenticate the guest client on behalf of the user.
If enabling OAuth-driven Google and/or Facebook authentication on the captive portal, use this
command to configure the Google/Facebook client-ids. Once enabled, the captive portal landing page,
displayed on the client’s browser, provides the Facebook and Google login buttons.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
oauth
oauth client-id [facebook|google] <WORD>
Parameters
oauth
oauth client-id [facebook|google] <WORD>  Configures the client-ids retrieved from the Google and Facebook
    API manager portals during registration
    • facebook – Configures the Facebook API client-id (is a 15 digit
    entity)
    • google – Configures the Google API client-id (is a 12 digit
    number)
    ◦ <WORD> – Provide the Facebook/Google client-id.
    If the captive-portal Web page location is advanced or external, and
    you are enabling OAuth support, you need not configure the client-id.
    In such a scenario, the client-id is configured through the EGuest
    server UI and not the WiNG CLI.
nx7500-6DCD39(config-captive-portal-test)#
Related Commands
php-helper
Configures a PHP helper to serve the PHP splash pages to guest users logging in to the captive portal
using social-media credentials. Configure a PHP helper only if the following criteria are fulfilled:
• OAuth-based authentication is enabled on the captive portal.
• The captive-portal server mode is “self”.
• The access point, hosting the captive-portal server, has low memory space.
• A hotspot server, hosting the captive-portal PHP splash pages, is up and running.
The WiNG software introduces HybridAuth support on captive portals. HybridAuth is an open-source,
social sign-on PHP library. In addition to Google and Facebook, it allows a variety of third-party social
authentications, such as LinkedIn, Twitter, Live, Yahoo, OpenID, etc. However, HybridAuth uses space-
consuming PHP splash pages that cannot be loaded on access points with low memory space. These
access points can only serve the initial landing page, where guests clicking on a social login button are
redirected by the php-helper to a PHP page hosted on the PHP-helper.
To create PHP splash pages, use the splash template configuration tool available on the EGuest
(ExtremeGuest) dashboard. Upload the generated tar to both the hotspot server and the php helper.
For more information on enabling the EGuest server, see eguest-server (VX9000 only) on page 1092.
For more information on configuring an EGuest captive portal, see configuring ExtremeGuest captive
portal on page 370.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
php-helper [controller|domain-manager]
php-helper controller <IP/HOSTNAME> hosting-vlan-interface <0-4096>
php-helper domain-manager <IP/HOSTNAME>
Parameters
php-helper controller <IP/HOSTNAME> hosting-vlan-interface <0-4096>
Examples
Note, when configuring the server, specify the server’s hostname and not the IP address, because some
social media do not allow IP address as a redirect URI.
ap505-13403B(config-captive-portal-php-helper)#show running-config captive-portal php-
helper
captive-portal php-helper
server host cpsocial.extreme.com
php-helper controller nx9500-6C8809
oauth
webpage internal registration field city type text enable label "City" placeholder
"Enter City"
webpage internal registration field street type text enable label "Address" placeholder
"123 Any Street"
webpage internal registration field name type text enable label "Full Name" placeholder
--More--
ap505-13403B(config-captive-portal-php-helper)#
Related Commands
post-authentication-vlan
Configures the VLAN that is assigned to this captive portal’s users upon successful authentication.
Syntax
post-authentication-vlan [<1-4096>|<VLAN-ALIAS>]
Parameters
post-authentication-vlan [<1-4096>|<VLAN-ALIAS>]
post-authentication-vlan [<1-4096>|<VLAN-ALIAS>]  Configures the post authentication VLAN. The VLAN specified here is assigned
    to this captive portal’s users after they have authenticated and logged on to the
    network. Provide the VLAN ID, or use an existing VLAN alias to identify the post
    authentication VLAN.
    • <1-4096> – Specify the VLAN's number from 1 - 4096.
    • <VLAN-ALIAS> – Specify the VLAN alias (should be existing and
    configured). VLAN alias names begin with a ‘$’.
Example
rfs4000-229D58(config-captive-portal-test)#post-authentication-vlan 1
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
post-authentication-vlan 1
rfs4000-229D58(config-captive-portal-test)#
Related Commands
no Removes the post authentication RADIUS VLAN assigned to this captive portal's users
radius-vlan-assignment
When enabled, if the RADIUS server as part of the authentication process returns a client’s VLAN-ID in a
RADIUS access-accept packet, then all client traffic is forwarded on the post authentication VLAN. If
disabled, the RADIUS server’s VLAN assignment is ignored and the VLAN configuration defined within
the WLAN configuration is used instead. This feature is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
radius-vlan-assignment
Parameters
None
Example
rfs4000-229D58(config-captive-portal-test)#radius-vlan-assignment
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
post-authentication-vlan 1
radius-vlan-assignment
rfs4000-229D58(config-captive-portal-test)#
Related Commands
redirection
Configures a list of destination ports (separated by commas, or using a dash for a range) that are taken
into consideration when redirecting client connections.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
redirection ports <LIST-OF-PORTS>
Parameters
redirection ports <LIST-OF-PORTS>
ports <LIST-OF-PORTS>  Configures destination ports considered for redirecting client connection
    A maximum of 16 ports can be specified in a comma-separated list. Standard ports
    80 and 443 are always considered for client connections regardless of what’s
    entered by the administrator.
Example
rfs4000-229D58(config-captive-portal-test)#redirection ports 1,2,3
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
redirection ports 1-3
rfs4000-229D58(config-captive-portal-test)#
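The port-list handling described above (commas, dash ranges, the 16-port maximum, and ports 80 and 443 always being considered), as an added Python example that is not part of the original guide. It assumes the 16-port limit counts individual ports after ranges are expanded, that every consecutive run is displayed as a range the way `1,2,3` is shown as `1-3`, and that valid ports are 1 - 65535; the function names are hypothetical.

```python
ALWAYS_REDIRECTED = {80, 443}  # stated in the guide: always considered
MAX_PORTS = 16                 # stated in the guide: maximum list size


def parse_port_list(spec):
    """Expand '1,2,3' or '8080-8082,8443' into a sorted list of unique ports."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        low, dash, high = item.partition("-")
        start = int(low)                      # ValueError on empty/non-numeric
        end = int(high) if dash else start
        if not 1 <= start <= end <= 65535:    # assumption: TCP port range
            raise ValueError(f"invalid port or range: {item!r}")
        ports.update(range(start, end + 1))
    return sorted(ports)


def collapse(ports):
    """Render ports the way `show context` does in the example (1,2,3 -> 1-3)."""
    runs = []
    for port in sorted(set(ports)):
        if runs and port == runs[-1][1] + 1:
            runs[-1][1] = port                # extend the current run
        else:
            runs.append([port, port])         # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def effective_ports(spec):
    """Ports actually considered for redirection: configured list plus 80/443."""
    configured = parse_port_list(spec)
    if len(configured) > MAX_PORTS:           # assumption: counted after expansion
        raise ValueError(f"{len(configured)} ports exceeds the limit of {MAX_PORTS}")
    return sorted(set(configured) | ALWAYS_REDIRECTED)


if __name__ == "__main__":
    typed = "1,2,3"                           # value typed in the guide's example
    print("stored as :", collapse(parse_port_list(typed)))
    print("redirected:", effective_ports(typed))
```

Comparing the collapsed form rather than the typed form avoids false drift alerts when a saved configuration is diffed against what an administrator entered.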
Related Commands
report-loyalty-application
Enables detection of captive portal client’s usage of a selected (preferred) loyalty application.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
Syntax
report-loyalty-application {custom-app <APPLICATION-NAME>}
Parameters
report-loyalty-application {custom-app <APPLICATION-NAME>}
Examples
nx9500-6C8809(config-captive-portal-test)#report-loyalty-application custom-app
AntiVirus
nx9500-6C8809(config-captive-portal-test)#show context include-factory | include
report-loyalty-application
report-loyalty-application custom-app AntiVirus
nx9500-6C8809(config-captive-portal-test)#
Related Commands
server
Configures captive portal server parameters, such as the hostname, IP address, and mode of operation.
This is the captive-portal server hosting the captive portal Web pages.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
server [host|mode]
server host <IP/HOSTNAME>
server mode [centralized|centralized-controller {hosting-vlan-interface <0-4096>}|self]
Parameters
server host <IP/HOSTNAME>
host <IP/HOSTNAME>  Configures the internal captive portal server (wireless controller, access point, service
    platform)
    • <IP/HOSTNAME> – Specify the IPv4/IPv6 address or hostname of the captive
    portal server.
    For centralized-controller mode, the server host should be a virtual hostname and
    not an IP address.
    If enabling OAuth (social-media login) on the captive portal, configure the server’s
    hostname and not the IP address. This is because some social media do not allow IP
    address as redirect-uri. For more information, see oauth and php-helper.
mode  Configures the captive portal server mode. This parameter identifies the device that will
    capture and redirect a wireless user’s Web browser session to a landing page where the
    user has to provide login credentials in order to access the managed network. The
    captive portal implementation is very flexible and allows captive portal services to
    reside anywhere within the managed network. For example, the capture and redirection
    can be performed directly by the access points at the edge of the network, centrally on
    the controllers or service platforms managing the access points, or on a dedicated
    wireless controller deployed within an isolated network.
centralized  Select this option if capture and redirection is provided by a designated wireless
    controller/service platform on the network defined using an IPv4/IPv6 address or
    hostname. This dedicated device can either be managing the dependent/independent
    access points or be a dedicated device deployed over the intermediate network.
    Ensure the IPv4 address or hostname of the wireless controller performing the capture
    and redirection is defined in the captive portal policy, and that the wireless
    controller is reachable via MINT.
centralized-controller {hosting-vlan-interface <0-4096>}  Select this option if capture and redirection is on a cluster of wireless controller/service
    platforms managing dependent/independent access points when redundancy is
    required. The capture and redirection is provided by one of the controllers in the cluster
    that is operating as the designated forwarder for the tunneled VLAN. The cluster can be
    configured as active/active or active/standby as required.
    If using this option, ensure a non-resolvable virtual hostname is defined in the captive
    portal policy which is shared between the controllers in the cluster.
    • hosting-vlan-interface – Optional. Configures the VLAN where the client can reach
    the captive-portal server. This option is available only for the centralized-controller
    mode.
    ◦ <0-4096> – Specify the VLAN number (0 implies the controller is available on
    the client’s VLAN).
self  Select this option if capture and redirection is provided by the access point that is
    servicing the captive portal enabled Wireless LAN. This is the default setting.
    When enabled, each remote access point servicing the captive portal enabled WLAN
    performs the captive portal capture and redirection internally. The WLAN users are
    mapped to a locally bridged VLAN for which each access point has an SVI defined. The
    SVI can either have a static or dynamic (DHCP) IPv4 address assigned. The capture,
    redirection, and presentation of the captive portal pages are performed using the SVI
    on each access point the wireless device is associated to.
Examples
nx9500-6C8809(config-captive-portal-test)#server host 172.16.10.9
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
access-time 35
custom-auth info bob [email protected]
connection-mode https
inactivity-timeout 750
server host 172.16.10.9
nx9500-6C8809(config-captive-portal-test)#
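A configuration check built from the defaults and recommendations stated in this section: HTTP is the default connection mode, `no-auth` skips authentication, accounting is disabled by default, and OAuth needs a server hostname rather than an IP address. This is an added Python example, not Extreme Networks code; the sample configuration is constructed, the function names are hypothetical, and it assumes that a setting absent from `show context` is still at its default.

```python
import ipaddress

# Constructed sample in the style of the `show context` output in this guide.
SAMPLE_CONTEXT = """\
nx9500-6C8809(config-captive-portal-guest-lobby)#show context
captive-portal guest-lobby
 access-type no-auth
 inactivity-timeout 750
 server host 172.16.10.9
 oauth
nx9500-6C8809(config-captive-portal-guest-lobby)#
"""

# Defaults stated in this section. Assumption: a setting that does not appear
# in `show context` is still at its default.
DEFAULTS = {"access-type": "radius", "connection-mode": "http"}


def parse_context(text):
    """Return (portal_name, settings); settings maps the first keyword of each
    configuration line to the list of argument strings seen for it."""
    name, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line.split()[0]:
            continue                      # blank line or CLI prompt line
        keyword, _, rest = line.partition(" ")
        keyword, rest = keyword.lower(), rest.strip()
        if keyword == "captive-portal" and name is None:
            name = rest
        else:
            settings.setdefault(keyword, []).append(rest)
    return name, settings


def is_ip_literal(host):
    """True when host is an IPv4 or IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(text):
    """Return (portal_name, findings); findings is a list of (keyword, message)."""
    name, settings = parse_context(text)

    def effective(key):
        return settings.get(key, [DEFAULTS[key]])[0].lower()

    findings = []
    if effective("connection-mode") != "https":
        findings.append(("connection-mode",
                         "portal pages are served over HTTP; the guide recommends https"))
    if effective("access-type") == "no-auth":
        findings.append(("access-type",
                         "guests reach the Welcome page without authentication"))
    if "accounting" not in settings:
        findings.append(("accounting",
                         "no radius or syslog accounting; both are disabled by default"))
    hosts = [arg.split()[1] for arg in settings.get("server", [])
             if arg.lower().startswith("host ")]
    if "oauth" in settings and any(is_ip_literal(h) for h in hosts):
        findings.append(("server",
                         "OAuth is enabled but server host is an IP address; "
                         "the guide says to configure the hostname"))
    return name, findings


if __name__ == "__main__":
    portal, results = audit(SAMPLE_CONTEXT)
    for keyword, message in results:
        print(f"{portal}: {keyword}: {message}")
```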
Related Commands
simultaneous-users
Specifies the number of users (client MAC addresses) that can simultaneously log on to the captive
portal. This option is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
simultaneous-users <1-8192>
Parameters
simultaneous-users <1-8192>
simultaneous-users <1-8192> Specifies the number of MAC addresses that can simultaneously access the
captive portal
• <1-8192> – Select a number from 1 - 8192.
Examples
nx9500-6C8809(config-captive-portal-test)#simultaneous-users 5
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
access-time 35
custom-auth info bob [email protected]
connection-mode https
inactivity-timeout 750
server host 172.16.10.9
simultaneous-users 5
nx9500-6C8809(config-captive-portal-test)#
Related Commands
terms-agreement
Requires the user to agree to terms and conditions (included in the login page) for captive portal
access. This feature is disabled by default.
When enabled, the system requires a previously registered user to re-confirm the terms of agreement,
on successive logins, only if the interval between the last logout and the current login exceeds the
agreement-refresh timeout configured in the WLAN context. For more information on configuring the
agreement-refresh timeout value, see registration.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
terms-agreement
Parameters
None
Examples
nx9500-6C8809(config-captive-portal-test)#terms-agreement
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
access-time 35
custom-auth info bob [email protected]
connection-mode https
inactivity-timeout 750
server host 172.16.10.9
simultaneous-users 5
terms-agreement
nx9500-6C8809(config-captive-portal-test)#
Related Commands
use (captive-portal-config-mode)
Configures a AAA policy and DNS whitelist with this captive portal policy. AAA policies are used to
configure authentication and accounting servers for this captive portal. DNS whitelists restrict users to a
set of configurable domains on the Internet.
Syntax
use [aaa-policy <AAA-POLICY-NAME>|dns-whitelist <DNS-WHITELIST-NAME>]
Parameters
use [aaa-policy <AAA-POLICY-NAME>|dns-whitelist <DNS-WHITELIST-NAME>]
aaa-policy <AAA-POLICY-NAME> Associates a AAA policy with this captive portal. AAA policies validate user
credentials and provide captive portal access to the network.
• <AAA-POLICY-NAME> – Specify the AAA policy name.
dns-whitelist <DNS-WHITELIST-NAME> Associates a DNS whitelist to use with this captive portal. A DNS
whitelist defines a set of allowed destination IP addresses. DNS whitelists restrict captive portal
access.
• <DNS-WHITELIST-NAME> – Specify the DNS whitelist name.
To effectively host captive portal pages on an external Web server, the IP address
of the destination Web server(s) should be added to the DNS whitelist.
Examples
nx9500-6C8809(config-captive-portal-test)#use aaa-policy test
nx9500-6C8809(config-captive-portal-test)#use dns-whitelist test
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
access-time 35
custom-auth info bob [email protected]
connection-mode https
inactivity-timeout 750
server host 172.16.10.9
simultaneous-users 5
terms-agreement
use aaa-policy test
use dns-whitelist test
nx9500-6C8809(config-captive-portal-test)#
Related Commands
webpage
Use this command to define the appearance and flow of the Web pages that requesting clients encounter
when accessing a controller, service platform, or access point managed captive portal. Define whether
the Web pages are maintained locally or externally to the managing device, as well as the messages
displayed to requesting clients.
Configures Web pages displayed when interacting with a captive portal. There are six (6) different
pages.
• acknowledgment – This page displays details for the user to acknowledge.
• agreement – This page displays “Terms and Conditions” that a user accepts before being allowed
access to the captive portal.
• fail – This page is displayed when the user is not authenticated.
• login – This page is displayed when the user connects to the captive portal. It fetches login
credentials from the user.
• no-service – This page is displayed when a captive portal user is unable to access the captive portal
due to the unavailability of critical services.
• registration – This page is displayed when users are redirected to a Web page where they have to
register in the captive portal’s database.
• welcome – This page is displayed to welcome an authenticated user to the captive portal.
These Web pages, which interact with captive portal users, can be located either on the controller or an
external location.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
webpage [external|internal]
webpage external [acknowledgment|agreement|fail|login {post}|no-service|
registration|welcome] <URL>
webpage internal [acknowledgment|agreement|fail|login|no-service|org-name|org-signature|
registration|welcome]
webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome]
[description|footer|header|title] <CONTENT>
webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome]
[body-background-color|body-font-color|org-background-color|org-font-color] <WORD>
webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome]
[main-logo use-as-banner|small-logo] <URL>
webpage internal registration field [age-range|city|country|custom|disclaimer|dob|
email|gender|member|mobile|name|optout|street|via-email|via-sms|zip] type [checkbox|
date|
dropdown-menu|e-address|number|radio-button|text] enable
{label <LINE>|mandatory|title <LINE>|placeholder <LINE>}
webpage internal welcome use-external-success-url
webpage internal [org-name|org-signature] <LINE>
Parameters
webpage external [acknowledgment|agreement|fail|login {post}|no-service|
registration|welcome] <URL>
external Indicates Web pages being served are hosted on an external (to the captive portal)
server resource
acknowledgment Indicates the page is displayed for user acknowledgment of details. Users are
redirected to this page to acknowledge information provided.
agreement Indicates the page is displayed for “Terms & Conditions”
The agreement page provides conditions that must be agreed to before captive
portal access is permitted.
welcome Indicates the page is displayed after a user has been successfully authenticated
The welcome page asserts a user has logged in successfully and can access the
captive portal.
<URL> Indicates the URL to the Web page displayed. Query String: URL can include query
tags.
Supported Query Tags are:
'WING_TAG_CLIENT_IP' - Captive portal client IPv4 address
'WING_TAG_CLIENT_MAC' - Captive portal client MAC address
'WING_TAG_WLAN_SSID' - Captive portal client WLAN ssid
'WING_TAG_AP_MAC' - Captive portal client AP MAC address
'WING_TAG_AP_NAME' - Captive portal client AP Name
'WING_TAG_RF_DOMAIN' - Captive portal client RF Domain
'WING_TAG_CP_SERVER' - Captive portal server address
'WING_TAG_USERNAME' - Captive portal authentication username
Example:
http://cportal.com/policy/login.html?client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC
Use '&' or '?' character to separate field-value pair.
Enter 'ctrl-v' followed by '?' to configure query string
internal Indicates the Web pages are hosted on an internal server resource. This is the
default setting.
acknowledgment Indicates the Web page is displayed for users to acknowledge the information
provided
agreement Indicates the page is displayed for “Terms & Conditions”
fail Indicates the page is displayed for login failure
login Indicates the page is displayed for entering user credentials
no-service Indicates the page is displayed when certain critical services are unavailable and the
user fails to access the captive portal. The possible scenarios are:
• The RADIUS server (on-board or external) is not reachable and the user cannot
be authenticated
• The external captive portal server is not reachable
• The connectivity between the adopted AP and controller is lost
• The external DHCP server is not reachable
To provide this service, enable the following:
• External captive portal server monitoring.
• AAA server monitoring. This enables detection of RADIUS server failure.
• External DHCP server monitoring.
• AP to controller connectivity monitoring.
For more information on enabling critical resource monitoring, see service.
registration Indicates the page is displayed when users are redirected to a Web page where
they have to register in the captive portal’s database
Guest users are redirected to an internally or externally hosted registration page
(registration.html) upon association to a captive portal SSID, where previously
unregistered guest users can register.
welcome Indicates the page is displayed after a user has been successfully authenticated
description Indicates the content is the description portion of each of the following internal
Web pages: acknowledgment, agreement, fail, login, no-service, and welcome
footer Indicates the content is the footer portion of each of the following internal Web
pages: acknowledgment, agreement, fail, no-service, registration, and welcome
page. The footer portion contains the signature of the organization that hosts the
captive portal.
header Indicates the content is the header portion of each of the following internal Web
pages: acknowledgment, agreement, fail, no-service, and welcome page. The
header portion contains the heading information for each of these pages.
title Indicates the content is the title of each of the following internal Web pages:
acknowledgment, agreement, fail, no-service, and welcome page. The title for each
of these pages is configured here.
<CONTENT> The following keyword is common to all of the above internal Web page options:
• <CONTENT> – Specify the content displayed for each of the different
components of the internal Web page. Enter up to 900 characters for the
description and 256 characters each for header, footer, and title.
internal Indicates the Web pages are hosted on an internal server resource
acknowledgment Indicates the Web page is displayed for users to acknowledge the information
provided
agreement Indicates the page is displayed for “Terms & Conditions”
fail Indicates the page is displayed for login failure
login Indicates the page is displayed for user credentials
no-service Indicates the page is displayed when certain critical services are unavailable and
the user fails to access the captive portal. The possible scenarios are:
• The RADIUS server (on-board or external) is not reachable and the user
cannot be authenticated
• The external captive portal server is not reachable
• The connectivity between the adopted AP and controller is lost
• The external DHCP server is not reachable
To provide this service, enable the following:
• External captive portal server monitoring.
• AAA server monitoring. This enables detection of RADIUS server failure.
• External DHCP server monitoring.
• AP to controller connectivity monitoring.
For more information on enabling critical resource monitoring, see
service.
registration Indicates the page displayed is the registration page to which users are
redirected in order to register in the captive portal’s database
Guest users are redirected to an internally or externally hosted registration
page (registration.html) upon association to a captive portal SSID, where
previously unregistered guest users can register.
welcome Indicates the page is displayed after a user has been successfully authenticated
main-logo use-as-banner The following keyword is common to all of the above internal Web page
options:
• main-logo – Indicates the main logo displayed in the header of each Web
page
◦ use-as-banner – Uses the image, specified here, as the Web page banner,
in place of the logo and organization name
small-logo The following keyword is common to all of the above internal Web page
options:
• small-logo – Indicates the logo image displayed in the footer portion of each
Web page, and constitutes the organization's signature
<URL> This parameter is common to the ‘main-logo’ and ‘small-logo’ keywords and
provides the complete URL from where the main-logo and small-logo files are
loaded and subsequently cached on the system.
• <URL> – Specify the location and name of the main-logo and the small-logo
image files.
internal Indicates the Web pages are hosted on an internal server resource
registration Allows you to customize the user registration page. Select this option
if the captive-portal’s access-type is set to registration. Use the field
and type options to define the input fields (for example, age-range,
city, email, etc.) and the field type (for example, text, checkbox,
dropdown-menu, radio-button, etc.)
Guest users are redirected to an internally or externally hosted
registration page (registration.html) upon association to a captive
portal SSID, where previously unregistered guest users can register.
If the registration Web page is not customized, the built-in, default
registration page is displayed to the client.
field [age-range|city|country|custom|disclaimer|dob|email|gender|member|mobile|name|optout|street|
via-email|via-sms|zip] Configures the captive portal’s registration page fields
Following are the available fields and the field type for each:
• age-range – Creates the age-range input field (enabled by default
and included in the built-in registration page)
◦ dropdown-menu – Configures the age-range field as a drop-down menu
◦ radio-button – Configures the age-range field as a radio
button menu
• city – Creates the postal address: city name input field (enabled
by default and included in the built-in registration page)
◦ text – Configures the city field as only alpha-numeric and
special characters input field
• country – Creates the postal address: country name input field
(disabled by default)
◦ text – Configures the country field as only alpha-numeric and
special characters input field
• custom <WORD> – Creates a customized field (as per your
requirement). Use the ‘custom’ option to create a field not
included in the built-in list.
◦ <WORD> – Provide a name for the field. On the registration
page, the field is displayed under the name specified here.
• disclaimer – Creates client’s disclaimer-confirmation input field
(disabled by default)
◦ checkbox – Configures the disclaimer field as a check box
• dob – Creates the client’s date of birth (DoB) input field (disabled
by default)
◦ date – Configures the DoB field as only date-format input field
◦ dropdown-menu – Configures the DoB field as a drop-down
menu
◦ text – Configures the DoB field as only alpha-numeric and
special characters input field
• email – Creates the e-mail address input field (enabled by default
and included in the built-in registration page)
◦ e-address – Configures the e-mail field as only e-mail address
format input field
• gender – Creates client’s gender input field (disabled by default)
◦ dropdown-menu – Configures the gender field as a drop-
down menu
◦ radio-button – Configures the gender field as a radio button
menu
• member – Creates client’s loyalty or captive-portal membership
card number input field (disabled by default)
◦ number – Configures the member field as only-numeric
characters input field
◦ text – Configures the member field as only alpha-numeric and
special characters input field
• mobile – Creates the mobile number input field (enabled by
default and included in the built-in registration page)
◦ number – Configures the mobile field as only-numeric
characters input field
◦ text – Configures the mobile field as only alpha-numeric and
special characters input field
type [checkbox|date|dropdown-menu|e-address|number|radio-button|text] After specifying the field,
configure the field type. The options displayed depend on the field selected in the previous step.
These options are: checkbox, date, dropdown-menu, e-address, number, radio-button, and text.
• checkbox – Configures the field as a check box
• date – Configures the field as only date-format input field
• dropdown-menu – Configures the field as a drop-down menu
• e-address – Configures the field as an e-mail address input field
• number – Configures the field as only-numeric characters input
field
• radio-button – Configures the field as a radio button
• text – Configures the field as only alpha-numeric and special
characters input field
Some of the fields can have more than one field type options. For
example, the field ‘zip’ can either be a numerical field or a text. Select
the one best suited for your captive-portal.
enable {label <LINE>|mandatory|title <LINE>|placeholder <LINE>} Enables the field. When enabled,
the field is displayed on the registration page. After enabling the field, optionally configure the
following parameters:
• label <LINE> – Optional. Configures the field’s label
• mandatory – Optional. Makes the field mandatory
• title – Optional. Configures the comma-separated list of items to
include in the drop-down menu.
• placeholder <LINE> – Optional. Configures a string, not exceeding
300 characters, that is displayed within the field. If not configured,
the field remains blank.
internal Indicates the Web pages are hosted on an internal server resource
welcome Indicates the page is displayed after a user has been successfully authenticated
use-external-success-url When configured, redirects the user, on successful authentication, to an
externally hosted success URL from the locally-hosted landing page.
Use the webpage > external > welcome > <URL> command to specify the location
of the Welcome page.
internal Indicates the Web pages are hosted on an internal server resource
org-name Specifies the company’s name, included on Web pages along with the main image
org-signature Specifies the company’s signature information, included in the bottom of Web pages
along with a small image
<LINE> Specify the company’s name or signature depending on the option selected.
Examples
nx9500-6C8809(config-captive-portal-guest)#webpage external welcome http://192.168.9.46/welcome.html
nx9500-6C8809(config-captive-portal-guest)#show context
captive-portal guest
In the following examples, the background and font colors have been customized for the captive
portal’s login page. Similar customizations can be applied to the acknowledgement, agreement, fail,
welcome, no-service, and registration captive portal pages.
nx9500-6C8809(config-captive-portal-cap-enhanced-policy)#webpage internal login body-background-color #E7F0EB
nx9500-6C8809(config-captive-portal-cap-enhanced-policy)#webpage internal login body-font-color #EF68A7
nx9500-6C8809(config-captive-portal-cap-enhanced-policy)#webpage internal login org-background-color #EFE4E9
nx9500-6C8809(config-captive-portal-cap-enhanced-policy)#webpage internal login org-font-color #BA4A21
nx9500-6C8809(config-captive-portal-cap-enhanced-policy)#show context
captive-portal cap-enhanced-policy
webpage internal login org-background-color #EFE4E9
webpage internal login org-font-color #BA4A21
webpage internal login body-background-color #E7F0EB
webpage internal login body-font-color #EF68A7
nx9500-6C8809(config-captive-portal-cap-enhanced-policy)#
The following examples configure a scenario where a successfully authenticated user is redirected to an
externally hosted Welcome page from the internal landing page.
nx9500-6C8809(config-captive-portal-cap-enhanced-policy)#webpage external welcome http://192.168.13.10/WelcomePage.html
nx9500-6C8809(config-captive-portal-cap-enhanced-policy)#webpage internal welcome use-external-success-url
nx9500-6C8809(config-captive-portal-cap-enhanced-policy)#show context
captive-portal cap-enhanced-policy
webpage external welcome http://192.168.13.10/WelcomePage.html
webpage internal acknowledgement org-background-color #33ff88
webpage internal acknowledgement org-font-color #bb6622
webpage internal acknowledgement body-background-color #22aa11
webpage internal acknowledgement body-font-color #bb6622
webpage internal welcome use-external-success-url
nx9500-6C8809(config-captive-portal-cap-enhanced-policy)#
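The query tags listed for webpage external reach the external server as ordinary request parameters relayed by the client's browser, so the page that receives them should validate each value before using it. The following is an added example, not code from this guide or from the WiNG software: it checks a URL template for unsupported tags and validates a received request against that template. The accepted MAC separators and the 64-byte cap on names are assumptions of the example.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Template taken from the <URL> parameter description in this guide.
TEMPLATE = ("http://cportal.com/policy/login.html"
            "?client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC")

# Assumption: MAC addresses arrive as six hex pairs joined by '-' or ':'.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def _is_mac(value):
    return MAC_RE.fullmatch(value) is not None


def _is_host(value):
    return HOST_RE.fullmatch(value) is not None


def _is_label(limit):
    # Printable text of at most `limit` bytes (32 is the 802.11 SSID maximum;
    # 64 for the other names is a cap chosen for this example).
    return lambda value: 0 < len(value.encode()) <= limit and value.isprintable()


# One validator per query tag supported by 'webpage external ... <URL>'.
VALIDATORS = {
    "WING_TAG_CLIENT_IP": _is_ipv4,
    "WING_TAG_CLIENT_MAC": _is_mac,
    "WING_TAG_WLAN_SSID": _is_label(32),
    "WING_TAG_AP_MAC": _is_mac,
    "WING_TAG_AP_NAME": _is_label(64),
    "WING_TAG_RF_DOMAIN": _is_label(64),
    "WING_TAG_CP_SERVER": _is_host,
    "WING_TAG_USERNAME": _is_label(64),
}


def template_fields(template_url):
    """Return ({field: tag}, problems) for a URL intended for 'webpage external'."""
    fields, problems = {}, []
    query = urlsplit(template_url).query
    for field, value in parse_qsl(query, keep_blank_values=True):
        if not value.startswith("WING_TAG_"):
            continue  # fixed value, nothing to substitute
        if value in VALIDATORS:
            fields[field] = value
        else:
            problems.append(f"{field}: unsupported tag {value}")
    return fields, problems


def check_request(template_url, request_url):
    """Validate the substituted values in request_url against the template.

    Returns ({tag: value}, problems); only values that pass are returned.
    """
    fields, problems = template_fields(template_url)
    seen = {}
    query = urlsplit(request_url).query
    for field, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(field, []).append(value)
    values = {}
    for field, tag in fields.items():
        got = seen.get(field, [])
        if len(got) != 1:  # missing, or repeated to confuse the parser
            problems.append(f"{field}: expected one value, got {len(got)}")
        elif not VALIDATORS[tag](got[0]):
            problems.append(f"{field}: not a valid value for {tag}")
        else:
            values[tag] = got[0]
    return values, problems
```

Values that pass validation still need output encoding if the page echoes them back to the user.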
Related Commands
webpage-location
Specifies the location of the Web pages used for authentication. These pages can either be hosted on
the system or on an external Web server.
Syntax
webpage-location [advanced|external|internal]
Parameters
webpage-location [advanced|external|internal]
advanced Uses Web pages for login, welcome, failure, and terms created and stored on the controller.
Select advanced to use a custom-developed directory full of Web page content that can be
copied in and out of the controller, service platform, or access point.
If selecting advanced, enable the webpage-auto-upload option to automatically launch the
advanced pages to requesting clients upon association. For more information, see
webpage-auto-upload.
external Uses Web pages for login, welcome, failure, and terms located on an external server.
Provide the URL for each of these pages.
internal Uses Web pages for login, welcome, and failure that are automatically generated
Examples
nx9500-6C8809(config-captive-portal-test)#webpage-location external
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
access-time 35
custom-auth info bob [email protected]
connection-mode https
inactivity-timeout 750
server host 172.16.10.9
simultaneous-users 5
terms-agreement
webpage-location external
use aaa-policy test
nx9500-6C8809(config-captive-portal-test)#
Related Commands
webpage-auto-upload
Enables automatic upload of advanced Web pages to requesting clients on association. Enable this
option if the webpage-location is selected as advanced. For more information, see webpage-location.
If this feature is enabled, Access Points request Web pages from the controller during adoption.
If the controller has a different set of Web pages than the ones existing on the Access Points, the
controller distributes the Web pages uploaded on it to the Access Points.
Syntax
webpage-auto-upload
Parameters
None
Examples
nx9500-6C8809(config-captive-portal-test)#webpage-auto-upload
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
webpage-auto-upload
logout-fqdn logout.testuser.com
nx9500-6C8809(config-captive-portal-test)#
Related Commands
welcome-back
Enables the provision of direct Internet access to once-registered, captive-portal guest users on
subsequent log-ins. When enabled, a registered captive-portal guest user, on subsequent logins, is
served the Acknowledgement page only if:
• The agreement-refresh option is enabled for device-based (device and device-OTP) registration, and
• The interval between logout and login is less than the agreement-refresh timeout configured in the
WLAN context. If this interval exceeds the agreement-refresh timeout, the user is served the
Agreement page. For more information on configuring the agreement-refresh timeout value, see
registration.
Syntax
welcome-back pass-through
Parameters
welcome-back pass-through
Examples
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
welcome-back pass-through
webpage internal registration field city type text enable label "City" placeholder "Enter City"
webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
webpage internal registration field email type e-address enable mandatory label "Email" placeholder "[email protected]"
webpage internal registration field via-email type checkbox enable title "Email Preferred"
nx9500-6C8809(config-captive-portal-test)#
Related Commands
no (captive-portal-config-mode)
The no command reverts the selected captive portal’s settings or resets settings to default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [access-time|access-type|accounting|bypass|connection-mode|custom-auth|data-limit|
frictionless-onboarding|inactivity-timeout|ipv6|localization|logout-fqdn|oauth|php-helper|
post-authentication-vlan|radius-vlan-assignment|redirection|report-loyalty-application|
server|
simultaneous-users|terms-agreement|use|webpage|webpage-auto-upload|webpage-location|
welcome-back]
no [access-time|access-type|connection-mode|data-limit|frictionless-onboarding|
inactivity-timeout|logout-fqdn|post-authentication-vlan|radius-vlan-assignment|
report-loyalty-application|simultaneous-users|terms-agreement|webpage-auto-upload
|webpage-location]
no accounting [radius|syslog]
no bypass captive-portal-detection
no custom-auth info
no ipv6 server host
no localization [fqdn|response]
no oauth {client-id}
no php-helper
no redirection ports
no server host
no server mode {centralized-controller [hosting-vlan-interface]}
no use [aaa-policy|dns-whitelist]
no webpage external [acknowledgement|agreement|fail|login {post}|no-service|
registration|welcome]
no webpage internal [acknowledgement|agreement|fail|login|no-service|org-name|
org-signature|registration|welcome]
no webpage internal [org-name|org-signature]
no webpage internal [acknowledgment|agreement|fail|login|no-service]
[body-background-color|body-font-color|description|footer|header|main-logo|
org-background-color|org-font-color|small-logo|title]
no webpage internal registration [body-background-color|body-font-color|description|field|
footer|header|main-logo|org-background-color|org-font-color|small-logo|title]
no webpage internal registration field [age-range|city|country|custom <FIELD-NAME>|
disclaimer|dob|email|gender|member|mobile|name|optout|street|via-email|via-sms|zip]
{enable}
no webpage internal welcome [body-background-color|body-font-color|description|footer|
header|main-logo|org-background-color|org-font-color|small-logo|title|
use-external-success-url]
no welcome-back pass-through
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes or resets this captive portal’s settings, based on the parameters passed.
Example
The following example shows the captive portal ‘test' settings before the ‘no' commands
are executed:
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
access-type logging
access-time 35
custom-auth info bob [email protected]
connection-mode https
inactivity-timeout 750
This section provides the configurations required to enable device registration with dynamic VLAN
assignment in a multi-vendor environment.
Procedure
1. Create vendor-specific RADIUS user groups and assign an allowed VLAN to each group, as shown in
the following examples:
nx9500-6C8809(config)#radius-group Apple
nx9500-6C8809(config-radius-group-Apple)#policy vlan 200
nx9500-6C8809(config)#radius-group Samsung
nx9500-6C8809(config-radius-group-Samsung)#policy vlan 100
nx9500-6C8809(config)#radius-group Devices
nx9500-6C8809(config-radius-group-Devices)#policy vlan 1
Note
If necessary, configure the session-time for each of the RADIUS groups configured above.
This is the duration for which a RADIUS group client’s session remains active after
successful authentication. Upon expiration, the RADIUS session is terminated. Use the
policy > session-time > <5-144000> command to specify the session-time.
2. Create a RADIUS user pool, add users to the pool, and assign the users to the vendor-specific user
groups, as shown in the following examples:
nx9500-6C8809(config)#radius-user-pool-policy Vendor-Devices
nx9500-6C8809(config-radius-user-pool-Vendor-Devices)#user Samsung password 0 samsung group Samsung
nx9500-6C8809(config-radius-user-pool-Vendor-Devices)#user test password 0 test123 group Apple
3. Create a RADIUS server policy, and associate the RADIUS groups and user pool created in steps 1
and 2 respectively, as shown in the following examples:
nx9500-6C8809(config)#radius-server-policy Guest-Radius
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-user-pool-policy Vendor-Devices
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Samsung
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Sony
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Apple
4. Create an AAA Policy, on the controller, and configure the authentication server as self, as shown in
the following example:
nx9500-6C8809(config)#aaa-policy OnBoard-NX
nx9500-6C8809(config-aaa-policy-OnBoard-NX)#authentication server 1 onboard self
nx9500-6C8809(config-aaa-policy-OnBoard-NX)#show context
aaa-policy OnBoard-NX
authentication server 1 onboard self
nx9500-6C8809(config-aaa-policy-OnBoard-NX)#
5. Create a captive-portal, and point to the captive-portal’s server, enable RADIUS VLAN assignment,
and associate the AAA policy, as shown in the following examples:
nx9500-6C8809(config)#captive-portal DeviceRegistration
nx9500-6C8809(config-captive-portal-DeviceRegistration)#server host captive.extremenoc.com
nx9500-6C8809(config-captive-portal-DeviceRegistration)#radius-vlan-assignment
nx9500-6C8809(config-captive-portal-DeviceRegistration)#use aaa-policy OnBoard-NX
nx9500-6C8809(config-captive-portal-DeviceRegistration)#access-type radius
6. Configure a WLAN and enable RADIUS VLAN assignment, as shown in the following examples:
nx9500-6C8809(config)#wlan CP-OnBoarding
nx9500-6C8809(config-wlan-CP-OnBoarding)#ssid CP-OnBoarding
nx9500-6C8809(config-wlan-CP-OnBoarding)#radius vlan-assignment
nx9500-6C8809(config-wlan-CP-OnBoarding)#use aaa-policy OnBoard-NX
nx9500-6C8809(config-wlan-CP-OnBoarding)#use captive-portal DeviceRegistration
nx9500-6C8809(config-wlan-CP-OnBoarding)#captive-portal-enforcement fall-back
nx9500-6C8809(config-wlan-CP-OnBoarding)#registration device group-name Devices expiry-time 4320
nx9500-6C8809(config-wlan-CP-OnBoarding)#authentication-type mac
7. Create an access point profile, associate the RADIUS server policy and captive-portal policy with it,
and assign the WLAN to the AP radio, as shown in the following examples:
nx9500-6C8809(config-profile-SITE-10)#use radius-server-policy Guest-Radius
nx9500-6C8809(config-profile-SITE-10)#use captive-portal server DeviceRegistration
nx9500-6C8809(config-profile-SITE-10-if-radio2)#wlan CP-OnBoarding bss 1 primary
nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport mode trunk
nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport trunk native vlan 90
nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport trunk allowed vlan 1,90,1000-1002
nx9500-6C8809(config-profile-SITE-10-if-ge1)#no switchport trunk native tagged
8. Use the access point profile in the access point’s device context.
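The objects created in steps 1 to 6 refer to one another by name, and a name that does not resolve is easy to miss at the CLI. The following added example (not part of this guide or of the WiNG software) audits a configuration listing for such references and for RADIUS VLAN assignment being enabled on both the WLAN and its captive portal. The sample listing is constructed from the commands shown in the steps above, and its one-space indented block layout is an assumption.

```python
# Constructed sample: the objects from steps 1-6 as an indented listing.
SAMPLE_CONFIG = """\
radius-group Apple
 policy vlan 200
radius-group Samsung
 policy vlan 100
radius-group Devices
 policy vlan 1
radius-user-pool-policy Vendor-Devices
 user Samsung password 0 samsung group Samsung
 user test password 0 test123 group Apple
radius-server-policy Guest-Radius
 use radius-user-pool-policy Vendor-Devices
 use radius-group Samsung
 use radius-group Sony
 use radius-group Apple
aaa-policy OnBoard-NX
 authentication server 1 onboard self
captive-portal DeviceRegistration
 server host captive.extremenoc.com
 radius-vlan-assignment
 use aaa-policy OnBoard-NX
 access-type radius
wlan CP-OnBoarding
 ssid CP-OnBoarding
 radius vlan-assignment
 use aaa-policy OnBoard-NX
 use captive-portal DeviceRegistration
 registration device group-name Devices expiry-time 4320
 authentication-type mac
"""


def parse_blocks(text):
    """Return {(kind, name): [tokenised child commands]} for an indented listing."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            continue
        if not raw[0].isspace():  # unindented line opens a new object
            kind, _, name = line.partition(" ")
            current = blocks.setdefault((kind, name.strip()), [])
        elif current is not None:
            current.append(line.split())
    return blocks


def audit(text):
    """Return a list of findings about unresolved or inconsistent references."""
    blocks = parse_blocks(text)

    def defined(kind):
        return {name for (k, name) in blocks if k == kind}

    findings, attached = [], set()
    for (kind, name), cmds in blocks.items():
        for tok in cmds:
            # 'use <object-type> <name>' must point at an object that exists.
            if tok[0] == "use" and len(tok) == 3:
                if tok[2] not in defined(tok[1]):
                    findings.append(f"{kind} {name}: {tok[1]} {tok[2]} is not defined")
                if (kind, tok[1]) == ("radius-server-policy", "radius-group"):
                    attached.add(tok[2])
            # Group names referenced by pool users and by WLAN registration.
            group = None
            if kind == "radius-user-pool-policy" and tok[0] == "user" and tok[-2:-1] == ["group"]:
                group = tok[-1]
            if kind == "wlan" and "group-name" in tok[:-1]:
                group = tok[tok.index("group-name") + 1]
            if group is not None and group not in defined("radius-group"):
                findings.append(f"{kind} {name}: radius-group {group} is not defined")
        if kind == "wlan":
            # Steps 5 and 6 enable VLAN assignment on the portal and on the WLAN.
            for tok in cmds:
                if tok[:2] == ["use", "captive-portal"] and len(tok) == 3:
                    portal = blocks.get(("captive-portal", tok[2]), [])
                    on_wlan = ["radius", "vlan-assignment"] in cmds
                    on_portal = ["radius-vlan-assignment"] in portal
                    if on_wlan != on_portal:
                        findings.append(
                            f"wlan {name}: RADIUS VLAN assignment is not enabled on "
                            f"both the WLAN and captive-portal {tok[2]}")
    # Step 3 associates the groups from step 1 with the server policy.
    for group in sorted(defined("radius-group") - attached):
        findings.append(
            f"radius-group {group} is defined but not attached to any radius-server-policy")
    return findings
```

Run on the constructed listing, audit(SAMPLE_CONFIG) reports that radius-group Sony is used without being defined and that radius-group Devices is defined but not attached to the server policy.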
Related Commands
WeChat is a popular messaging app used in China with more than 500 million installations. WeChat’s
WiFi hotspot solution allows businesses to provide Internet access to their customers. The WiNG
captive portal can be configured to incorporate the WeChat WiFi hotspot, so that WeChat users, on
their first connection to a WiNG access point, can automatically authenticate with the WeChat server
through an intermediate server.
This section provides an example that shows the configurations required to be made on the WiNG
portal to enable WeChat Wi-Fi hotspot.
Procedure
1. Create an AAA policy re-directing the captive portal user to WeChat’s AAA server for
authentication, as shown in the following example:
nx9500-6C8809(config)#aaa-policy cloud2
nx9500-6C8809(config-aaa-policy-cloud2)#authentication server 1 host cloud2.synchroweb.com secret 0 firmware
nx9500-6C8809(config-aaa-policy-cloud2)#show context
aaa-policy cloud2
authentication server 1 host cloud2.synchroweb.com secret 0 firmware
nx9500-6C8809(config-aaa-policy-cloud2)#
Note
Synchroweb is an independent software vendor (ISV), whose third-party software is being
used as the intermediate server. The AAA server and RADIUS accounting server
configured in AAA policy must be as per the specification provided by the ISV.
2. Create a DNS whitelist that permits WeChat’s server name, so that RADIUS authentication can be
initiated. The “qq.com” domain name is where the WeChat server can be reached.
nx9500-6C8809(config)#dns-whitelist wxWL
nx9500-6C8809(config-dns-whitelist-wxWL)#permit cloud2.synchroweb.com
nx9500-6C8809(config-dns-whitelist-wxWL)#permit qq.com suffix
nx9500-6C8809(config-dns-whitelist-wxWL)#show context
dns-whitelist wxWL
permit qq.com suffix
permit cloud2.synchroweb.com
nx9500-6C8809(config-dns-whitelist-wxWL)#
3. Create a captive portal and associate the AAA policy and DNS whitelist created in steps 1 & 2, as
shown in the following example:
nx9500-6C8809(config)#captive-portal wxCP
nx9500-6C8809(config-captive-portal-wxCP)#use aaa-policy cloud2
nx9500-6C8809(config-captive-portal-wxCP)#use dns-whitelist wxWL
Note
The login URL configured here must be as per the specifications provided by the ISV.
Note
The access-type remains unchanged (i.e. radius, which is the default setting). The access-
time is set to a minimum value (10 minutes in this example) in order to avoid the default
value of 24 hours being applied, in case the RADIUS response does not contain the
session-timeout attribute.
Note
The modes of authentication and encryption remain unchanged (i.e. none, which is the
default setting for both parameters). Ensure captive-portal-enforcement is enabled on the
WLAN.
This section documents the basic configurations required to deploy an ExtremeGuest (EGuest) setup. A
typical EGuest deployment consists of the EGuest server, EGuest captive-portal database, and NOC
adopting the access points. The EGuest server and database can be hosted only on the VX platform.
In the following example, the EGuest server and database are hosted on the same device.
Procedure
c. Configure the NTP server. This is to ensure time synchronization across replica-set members (this
is mandatory in replica-set deployments and should be configured either on the replica-set
members’ device or profile context).
EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#ntp server time.nist.gov
2. On the NOC,
a. create an AAA policy with the following configurations:
• Configure the EGuest server (configured in Step 1) as the authentication and accounting
RADIUS server.
NOC(config-aaa-policy-EguestAAA)#authentication server 1 host EG-Server secret 0 extreme123
NOC(config-aaa-policy-EguestAAA)#accounting server 1 host EG-Server secret 0 extreme123
• Configure the proxy-mode as ‘through-controller’. When configured, all requests to the server
are proxied through the NOC.
NOC(config-aaa-policy-EguestAAA)#authentication server 1 proxy-mode through-controller
NOC(config-aaa-policy-EguestAAA)#accounting server 1 proxy-mode through-controller
NOC(config-aaa-policy-EguestAAA)#show context
aaa-policy EguestAAA
accounting server 1 host EG-OnBServer secret 0 extreme123
accounting server 1 proxy-mode through-controller
authentication server 1 host EG-Server secret 0 extreme123
b. Create a DNS whitelist. Note, DNS whitelist configuration is required only if enabling OAuth on
the EGuest captive-portal. When created and used on the EGuest captive-portal, the DNS
whitelist renders social plugin buttons on the client prior to successful captive portal
authentication.
• Configure the following permit rules:
NOC(config-dns-whitelist-EguestDNS)#permit fbstatic-a.akamaihd.net
NOC(config-dns-whitelist-EguestDNS)#permit connect.facebook.net
NOC(config-dns-whitelist-EguestDNS)#permit facebook.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit fbcdn.net suffix
NOC(config-dns-whitelist-EguestDNS)#permit googleapis.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit google.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit googleusercontent.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit linkedin.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit static.licdn.com
NOC(config-dns-whitelist-EguestDNS)#permit twitter.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit twimg.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit instagramstatic-a.akamaihd.net
NOC(config-dns-whitelist-EguestDNS)#permit instagram.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit ssl.gstatic.com
NOC(config-dns-whitelist-EguestDNS)#permit extremenetworks.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit local.extreme.com
• Use the DNS whitelist created in Step 2 b. Note, the DNS whitelist is required only if enabling
OAuth on the captive-portal.
NOC(config-captive-portal-EguestCP)#use dns-whitelist EguestDNS
Note
Webpage-location should be ‘advanced’ if using pages created with EGuest splash
templates.
NOC(config-captive-portal-EguestCP)#webpage-location advanced
Note
When used, access points/controllers forward registration requests to the EGuest
server specified in the AAA policy. However, ensure that the registration >
external > follow-aaa option is configured on the WLAN. See below.
Note
This enables the use of the Authentication and Accounting servers specified in the
AAA policy applied on the WLAN.
Note
This is the RADIUS group assigned to registered users post authentication.
NOC(config-wlan-EguestWLAN)#show context
wlan EguestWLAN
ssid _EXTREME-GUEST-NRF2017
vlan 1
bridging-mode local
encryption-type none
authentication-type mac
no answer-broadcast-probes
no client-client-communication
wireless-client hold-time 300
use aaa-policy EguestAAA
use captive-portal EguestCP
captive-portal-enforcement fall-back
registration device group-name Eguest expiry-time 4320 agreement-refresh 1440
registration external follow-aaa
mac-authentication cached-credentials
NOC(config-wlan-EguestWLAN)#
3. In the Access Point’s device or profile context, use the captive-portal configured in Step 2 c.
Eguest-AP(config-device-74-67-F7-5C-64-4A)#use captive-portal EguestCP
4. To view EGuest registration status and statistics, on the EGuest server, use the following commands:
EG-Server-DB#show eguest registration statistics
EG-Server-DB#show eguest registration status
5. To clear EGuest registration statistics, on the EGuest server, use the following command:
EG-Server-DB#clear eguest registration statistics
clear
Clears parameters, cache entries, table entries, and other similar entries. The clear command is available
for specific commands only. The information cleared using this command varies depending on the
mode where executed.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
clear event-history
Parameters
clear event-history
Examples
rfs4000-880DA7(config)#show event-history
EVENT HISTORY REPORT
Generated on '2017-06-09 14:23:31 IST' by 'admin'
--More--
rfs4000-880DA7(config)#
rfs4000-880DA7(config)#clear event-history
rfs4000-880DA7(config)#show event-history
EVENT HISTORY REPORT
Generated on '2017-06-09 14:27:05 IST' by 'admin'
rfs4000-880DA7(config)#
client-identity
With an increase in Bring Your Own Device (BYOD) corporate networks, there is a parallel increase in the
number of possible attack scenarios within the network. BYOD devices are inherently unsafe, as the
organization’s security mechanisms do not extend to these personal devices deployed in the corporate
wireless network. Organizations can protect their network by limiting how and what these BYODs can
access on and through the corporate network.
Device fingerprinting assists administrators by controlling how BYOD devices access a corporate
wireless domain.
Device fingerprinting uses DHCP options sent by the client in request or discover packets to derive a
unique signature specific to device class. For example, Apple devices have a different signature from
Android devices. The signature is used to classify the devices and assign permissions and restrictions on
each device class.
Device fingerprinting is a technique of collecting, analyzing, and identifying traffic patterns originating
from remote computing devices. When enabled, device fingerprinting helps to identify a wireless
client’s device type. There are two methods of fingerprinting devices: Active and Passive.
Active fingerprinting is based on the fact that traffic patterns vary with varying device types. It involves
the sending of requests (HTTP, etc.) to devices (clients) and analyzing their response to determine the
device type. For example, an invalid request is sent to a device, and its error response is analyzed to
identify the device type. Since active device fingerprinting involves sending of packets, the probability
of the network getting flooded is very high, especially when many devices are being fingerprinted
simultaneously.
Passive fingerprinting involves monitoring of devices to check for known traffic patterns specific to
devices based on the protocol, driver implementation etc. This method accurately classifies a client’s
TCP/IP configuration, OS fingerprints, wireless settings etc. No packets are sent to the device. Some of
the commonly used protocols for passive device fingerprinting are TCP, DHCP, and HTTP. This feature
implements DHCP device fingerprinting, which relies on specific information sent by a wireless client
when acquiring an IP address and other configuration information from a DHCP server. The feature uses
the DHCP options sent by the wireless client in the DHCP request or discover packets to derive a unique
signature specific to the class of devices. For example, Apple devices have a different signature than
Android devices. This unique signature can then be used to classify the devices and assign permissions
and restrictions on each device class.
The client-identity command enables device fingerprinting. It creates a new client identity and enters its
configuration mode. Client identity is a set of unique fingerprints used to identify a class of devices. This
information is used to configure permissions and access rules for the identified class of devices in the
network.
Note
The WiNG software provides a set of built-in device fingerprints that load by default and
identify client device types. Use the service > show > client-identity-defaults
command to view default client identity fingerprints.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
client-identity <CLIENT-IDENTITY-NAME>
Parameters
client-identity <CLIENT-IDENTITY-NAME>
client-identity <CLIENT-IDENTITY-NAME>: Creates a new client identity policy and enters its
configuration mode
• <CLIENT-IDENTITY-NAME> – Specify a client identity policy name. If the client identity policy
does not exist, it is created.
Usage Guidelines
The following points should be considered when configuring the client identity (device fingerprinting)
feature:
• Ensure that DHCP is enforced on the WLANs. For more information on enforcing DHCP on WLANs,
see enforce-dhcp.
• Successful identification of different device types depends on the uniqueness of the configured
fingerprints. DHCP fingerprinting identifies clients based on the patterns (fingerprints) in the DHCP
discover and request messages sent by clients. If different operating systems have the same
fingerprints, it will be difficult to identify the device type.
• When associating client identities with a role policy, ensure that the profile/device, under which the
role policy is being used, also has an associated client identity group (containing all the client
identities used by the role policy).
Examples
rfs4000-229D58(config)#client-identity test
rfs4000-229D58(config-client-identity-test)#?
Client Identity Mode commands:
dhcp Add a DHCP option based match criteria
dhcp-match-message-type Specify DHCP message type to match
rfs4000-229D58(config-client-identity-test)#
Note
Use the service > show > client-identity-defaults command to view default,
built-in, system-provided client identity fingerprints:
Related Commands
client-identity-mode-commands
dhcp
Configures the DHCP option match criteria (signature) for the discover and request message types
received from wireless clients
When accessing a network, DHCP discover and request messages are passed between wireless clients
and the DHCP server. These messages contain DHCP options and option values that differ from device
to device and are based on the DHCP implementation in the device’s Operating System (OS). Options
and option values contained in a client’s messages are parsed and compared against the configured
DHCP option values to identify the device. Once a device type is identified, the wireless client database
is updated with the discovered device type.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dhcp <1-16> message-type [discover|request] [option|option-codes]
dhcp <1-16> message-type [discover|request] [option <1-254>|option-codes]
[contains|exact|starts-with] [ascii|hexstring] <WORD>
Parameters
dhcp <1-16> message-type [discover|request] [option <1-254>|option-codes]
[contains|exact|starts-with] [ascii|hexstring] <WORD>
message-type [discover|request]: Specifies the message type to which this DHCP match criteria is
applicable
• discover – Applies this match criteria to DHCP discover messages only. Indicates that the
fingerprint is only checked with any DHCP discover messages received from any device.
• request – Applies this match criteria to DHCP request messages only. Indicates that the
fingerprint is only checked with any DHCP request messages received from any device.
Note: If the message type is not specified, the fingerprint is checked with all message types
(DHCP request and DHCP discover).
option <1-254>: The following keywords are common to the ‘discover’ and ‘request’ message types:
• option – Configures a DHCP option value, which is used as the match criteria
◦ <1-254> – Configures a code for this DHCP option from 1 - 254 (except option 53)
option-codes: The following keyword is common to the ‘discover’ and ‘request’ message types:
• option-codes – Matches criteria based on the DHCP option codes contained in the client’s
discover/request messages
Devices pass options in their DHCP discover/request messages as option codes, option types, and
option value sets. These option codes are extracted and matched against the configured DHCP option
codes and a fingerprint is derived. This derived fingerprint is used to identify the device.
contains: The following keyword is common to the ‘discover’ and ‘request’ message types:
• contains – Specifies that the DHCP options received in the client’s discover/request messages
contain the configured option code string
exact: The following keyword is common to the ‘discover’ and ‘request’ message types:
• exact – Specifies that the DHCP options received in the client’s discover/request messages
are an exact match with the configured option code string
starts-with: The following keyword is common to the ‘discover’ and ‘request’ message types:
• starts-with – Specifies that the DHCP options received in the client’s discover/request
messages start with the configured option code string
ascii <WORD>: The following keywords are common to the ‘contains’, ‘exact’, and ‘starts-with’
parameters:
• ascii – Configures the DHCP option in the ASCII format
◦ <WORD> – Specify the DHCP option ASCII value to match.
hexstring <WORD>: The following keywords are common to the ‘contains’, ‘exact’, and ‘starts-with’
parameters:
• hexstring – Configures the DHCP option in the hexadecimal format
◦ <WORD> – Specify the DHCP option hexstring value to match.
Usage Guidelines
The following DHCP options are useful for identifying different device types:
• Option 55: Used by a DHCP client to request values for specific configuration parameters. It is a list
of DHCP option codes and can be in the client’s order of preference.
• Client configured list of DHCP options (all options parsed into a hex string).
• Option 60: Vendor class identifier. Used to identify the vendor and functionality of a DHCP client
(some devices do not set the value of this field).
Though it is possible to use any option to configure a device fingerprint, the use of a combination of one
or more of the preceding options to define a device is recommended.
Examples
rfs4000-229D58(config-client-identity-test)#dhcp 1 message-type request option 60 exact ascii MSFT\5.0
rfs4000-229D58(config-client-identity-test)#dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
rfs4000-229D58(config-client-identity-test)#show context
client-identity test
dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
dhcp 1 message-type request option 60 exact ascii MSFT5.0
rfs4000-229D58(config-client-identity-test)#
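The matching that the dhcp command describes, as an added Python example (not WiNG code and not from this guide): it parses `dhcp` rule lines in the syntax shown above, walks the options field of a DHCP message, and returns the indexes of the rules that match. Rules 3 and 4, the sample options, and the reading of option-codes as "one byte per option code, in order of appearance" are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values of DHCP option 53 (message type) that the guide says are fingerprinted.
MSG_TYPES = {1: "discover", 3: "request"}

RULE_RE = re.compile(
    r"^dhcp (?P<idx>\d+)(?: message-type (?P<msg>discover|request))?"
    r" (?:option (?P<opt>\d+)|option-codes)"
    r" (?P<mode>contains|exact|starts-with) (?P<fmt>ascii|hexstring) (?P<word>\S+)$"
)

@dataclass
class Rule:
    idx: int
    msg: Optional[str]   # None: rule is checked against both message types
    opt: Optional[int]   # None: rule matches on the list of option codes
    mode: str
    pattern: bytes

def parse_rule(line: str) -> Rule:
    """Parse one 'dhcp <1-16> ...' line and enforce the ranges the guide gives."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a dhcp match rule: {line!r}")
    idx = int(m["idx"])
    opt = int(m["opt"]) if m["opt"] else None
    if not 1 <= idx <= 16:
        raise ValueError("rule index must be 1-16")
    if opt is not None and (not 1 <= opt <= 254 or opt == 53):
        raise ValueError("option code must be 1-254, excluding 53")
    word = m["word"]
    pattern = bytes.fromhex(word) if m["fmt"] == "hexstring" else word.encode("ascii")
    return Rule(idx, m["msg"], opt, m["mode"], pattern)

def parse_dhcp_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    options, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == 0:            # pad option: a single byte, no length
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:  # declared length runs past the buffer
            raise ValueError(f"option {code} is truncated")
        options.append((code, value))
        i += 2 + length
    return options

def match_rule(rule: Rule, msg_type: str, options: List[Tuple[int, bytes]]) -> bool:
    if rule.msg is not None and rule.msg != msg_type:
        return False
    if rule.opt is None:
        # Assumption: option-codes compares against the codes in order of appearance.
        subject = bytes(code for code, _ in options)
    else:
        values = [value for code, value in options if code == rule.opt]
        if not values:
            return False
        subject = values[0]
    if rule.mode == "exact":
        return subject == rule.pattern
    if rule.mode == "starts-with":
        return subject.startswith(rule.pattern)
    return rule.pattern in subject   # contains

def evaluate(config: str, raw_options: bytes) -> List[int]:
    """Return the sorted indexes of the dhcp rules in config that match the message."""
    options = parse_dhcp_options(raw_options)
    opt53 = dict(options).get(53, b"")
    msg_type = MSG_TYPES.get(opt53[0]) if len(opt53) == 1 else None
    if msg_type is None:          # neither discover nor request: nothing to match
        return []
    rules = [parse_rule(l) for l in config.splitlines() if l.strip().startswith("dhcp ")]
    return sorted(r.idx for r in rules if match_rule(r, msg_type, options))

# Rules 1 and 2 are the guide's own; rules 3 and 4 are constructed for this example.
CONFIG = """\
client-identity test
 dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
 dhcp 1 message-type request option 60 exact ascii MSFT5.0
 dhcp 3 message-type request option 55 starts-with hexstring 0103060f
 dhcp 4 message-type request option-codes exact hexstring 350c3c37
 dhcp-match-message-type all
"""

def build_options(msg_type: int) -> bytes:
    """Constructed options field: 53 (type), 12 (hostname), 60, 55, pad, end."""
    return (bytes([53, 1, msg_type]) + bytes([12, 6]) + b"LAB-PC"
            + bytes([60, 7]) + b"MSFT5.0"
            + bytes([55, 6, 1, 3, 6, 15, 31, 33]) + bytes([0, 255]))

if __name__ == "__main__":
    print("request  ->", evaluate(CONFIG, build_options(3)))
    print("discover ->", evaluate(CONFIG, build_options(1)))
```

Every value matched here is supplied by the client in its own DHCP messages, so the resulting device class is a classification input for role assignment, not proof of what the device is.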
Related Commands
dhcp-match-message-type
Syntax
dhcp-match-message-type [all|any|discover|request]
Parameters
dhcp-match-message-type [all|any|discover|request]
Examples
rfs4000-229D58(config-client-identity-test)#dhcp-match-message-type all
rfs4000-229D58(config-client-identity-test)#show context
client-identity test
dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
dhcp 1 message-type request option 60 exact ascii MSFT5.0
dhcp-match-message-type all
rfs4000-229D58(config-client-identity-test)#
Related Commands
no (client-identity-config-mode)
Syntax
no [dhcp <1-16>|dhcp-match-message-type]
Parameters
no [dhcp <1-16>|dhcp-match-message-type]
dhcp <1-16>: Removes the DHCP option match criteria rule identified by the <1-16> keyword
• <1-16> – Specify the DHCP option match criteria rule index
Examples
The following example shows the client identity ‘test’ settings before the ‘no’ commands are executed:
rfs4000-229D58(config-client-identity-test)#show context
client-identity test
dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
dhcp 1 message-type request option 60 exact ascii MSFT5.0
dhcp-match-message-type all
rfs4000-229D58(config-client-identity-test)#
The following example shows the client identity ‘test’ settings after the ‘no’ commands are executed:
rfs4000-229D58(config-client-identity-test)#no dhcp 2
rfs4000-229D58(config-client-identity-test)#no dhcp-match-message-type
rfs4000-229D58(config-client-identity-test)#show context
client-identity test
dhcp 1 message-type request option 60 exact ascii MSFT5.0
rfs4000-229D58(config-client-identity-test)#
Related Commands
dhcp Configures the DHCP option match criteria for device fingerprinting
dhcp-match-message-type Configures the DHCP message type for device fingerprinting
client-identity-group
Configures a new client identity group
A client identity group is a collection of client identities. Each client identity included in a client identity
group is assigned a priority value that indicates the priority for that identity during device fingerprinting.
Device fingerprinting relies on specific information sent by a wireless client when acquiring an IP address
and other configuration information from a DHCP server. The feature uses the DHCP options sent by the
wireless client in the DHCP request or discover packets to derive a unique signature specific to the class
of devices. For example, Apple devices have a different signature than Android devices. This unique
signature can then be used to classify the devices and assign permissions and restrictions on each
device class.
A client identity group can be attached to a profile or device, enabling device fingerprinting on them.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
client-identity-group <CLIENT-IDENTITY-GROUP-NAME>
Parameters
client-identity-group <CLIENT-IDENTITY-GROUP-NAME>
client-identity-group <CLIENT-IDENTITY-GROUP-NAME>: Creates a new client identity group and enters
its configuration mode
• <CLIENT-IDENTITY-GROUP-NAME> – Specify a client identity group name. If the group does not
exist, it is created.
Examples
rfs4000-229D58(config)#client-identity-group test
rfs4000-229D58(config-client-identity-group-test)#?
Client Identity group Mode commands:
client-identity Client identity (DHCP Device Fingerprinting)
load Load Client identity Fingerprints
no Negate a command or set its defaults
rfs4000-229D58(config-client-identity-group-test)#
Related Commands
client-identity-group-mode-commands
The following table summarizes the client identity group configuration mode commands:
client-identity
Associates an existing and configured client identity (device fingerprinting definition) with this client
identity group
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>
Parameters
client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>
Examples
The following example shows two client identities created and configured:
rfs4000-229D58(config)#show context
!
! Configuration of RFS4000 version 5.9.2.0-006D
!
!
version 2.5
!
!
client-identity TestClientIdentity
dhcp 1 message-type request option-codes exact hexstring 5e4d36780b3a7f
!
client-identity test
dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
dhcp 1 message-type request option 60 exact ascii MSFT5.0
dhcp-match-message-type all
!
client-identity-group ClientIdentityGroup
client-identity TestClientIdentity precedence 1
!
client-identity-group test
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
--More--
rfs4000-229D58(config)#
The following example associates client identity ‘test’ with the client identity group ‘test’:
rfs4000-229D58(config-client-identity-group-test)#client-identity test precedence 1
The following example shows the client identity group ‘test’ with two associated client identities having
precedence 1 and 2:
rfs4000-229D58(config-client-identity-group-test)#client-identity TestClientIdentity precedence 2
rfs4000-229D58(config-client-identity-group-test)#show context
client-identity-group test
client-identity test precedence 1
client-identity TestClientIdentity precedence 2
rfs4000-229D58(config-client-identity-group-test)#
Related Commands
no Removes the client identity associated with the client identity group
load
Loads default (built-in, system-provided) client identity fingerprints. This option is enabled by default.
The WiNG software provides some built-in client identity fingerprints that are automatically loaded
when the client identity group is applied to a device (either directly or through the profile).
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
load default-fingerprints
Parameters
load default-fingerprints
load default-fingerprints: Loads client identity default fingerprints. This option is enabled by
default.
Examples
The auto-load default fingerprints option is enabled by default, as shown in the following example:
nx9500-6C874D(config-client-identity-group-test)#show context
client-identity-group test
load default-fingerprints
nx9500-6C874D(config-client-identity-group-test)#
In scenarios where only customized client identities are to be applied, use the
no > load > default-fingerprints command to disable auto-loading of default device fingerprints.
nx9500-6C874D(config-client-identity-group-test)#no load default-fingerprints
nx9500-6C874D(config-client-identity-group-test)#show context
client-identity-group test
no load default-fingerprints
nx9500-6C874D(config-client-identity-group-test)#
Note
Use the service > show > client-identity-defaults command to view default
client identity fingerprints.
Related Commands
no (client-identity-group-config-mode)
Removes the client identity associated with the client identity group
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
Syntax
no [client-identity|load]
no client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>
no load default-fingerprints
Parameters
no client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>
no client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>: Disassociates a specified client
identity from this client identity group
• <CLIENT-IDENTITY-NAME> – Specify the client identity name.
◦ precedence <1-10000> – Specify the above specified client identity’s precedence value from
<1-10000>.
The client identity rule is applied based on its precedence value. The lower the value, the higher
the precedence. Therefore, a client identity with precedence 5 gets precedence over a client
identity having precedence 20.
no load default-fingerprints
Examples
<exsw5>(config-client-identity-group-test)#show context
client-identity-group test
client-identity test precedence 1
<exsw5>(config-client-identity-group-test)#
<exsw5>(config-client-identity-group-test)#no client-identity test
<exsw5>(config)#
Related Commands
client-identity Associates an existing and configured client identity (device fingerprinting) with this
client identity group
clone
Creates a replica of an existing object or device. The configuration of the new object or device is an
exact copy of the existing object or device configuration. Use this command to copy existing
configurations and then modify only the required parameters.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
clone [TLO|device]
clone TLO <EXISTING-OBJECT-NAME> <NEW-OBJECT-NAME>
clone device <EXISTING-DEVICE-MAC/NAME> <NEW-DEVICE-MAC>
Parameters
clone TLO <EXISTING-OBJECT-NAME> <NEW-OBJECT-NAME>
TLO <EXISTING-OBJECT-NAME> <NEW-OBJECT-NAME>: Creates a new TLO by cloning an existing top-level
object. The new object has the same configuration as the cloned object.
• <EXISTING-OBJECT-NAME> – Specify the existing object’s (to be cloned) name
• <NEW-OBJECT-NAME> – Provide the new object’s name.
Note: Enter clone and press Tab to list objects available for cloning.
Note: Enter clone > device and press Tab to list devices available for cloning.
Examples
nx9500-6C874D(config)#clone rf_domain TechPubs Cloned_TechPubs2
nx9500-6C874D(config)#show context
!
! Configuration of NX9500 version 5.9.2.0-008B
!
!
version 2.5
!
................................................................................
rf-domain TechPubs
location SanJose
timezone America/Los_Angeles
country-code us
!
rf-domain Cloned_TechPubs2
location SanJose
--More--
nx9500-6C874D(config)#
crypto-cmp-policy
Creates a crypto Certificate Management Protocol (CMP) policy and enters its configuration mode
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>
Parameters
crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>
crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>: Specify the crypto CMP policy name. If the policy does
not exist, it is created.
Examples
nx9500-6C8809(config)#crypto-cmp-policy CMP
nx9500-6C8809(config-cmp-policy-CMP)#?
CMP Policy Mode commands:
ca-server CMP CA Server configuration commands
cert-key-size Set key size for certificate request
cert-renewal-timeout Trigger a cert renewal request on timeout
cross-cert-validate Validate cross-cert using factory-cert
no Negate a command or set its defaults
subjectAltName Configure subjectAltName value
trustpoint Trustpoint for CMP
use Set setting to use
nx9500-6C8809(config-cmp-policy-CMP)#
Related Commands
Note
For more information on the crypto CMP policy, see CRYPTO-CMP-POLICY on page 2027.
customize
Customizes the output of the summary CLI commands. Use this command to define the data displayed
as a result of various show commands.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
customize [cdp-lldp-info-column-width|hostname-column-width|show-adoption-status|
show-wireless-client|show-wireless-client-stats|show-wireless-client-stats-rf|
show-wireless-meshpoint|show-wireless-meshpoint-accelerated-multicast|
show-wireless-meshpoint-neighbor-stats|show-wireless-meshpoint-neighbor-stats-rf|
show-wireless-mint-client|show-wireless-mint-client-stats|
show-wireless-mint-client-stats-rf|show-wireless-mint-portal|
show-wireless-mint-portal-stats|show-wireless-mint-portal-stats-rf|
show-wireless-radio|show-wireless-radio-stats|show-wireless-radio-stats-rf]
customize [cdp-lldp-info-column-width|hostname-column-width] <1-64>
customize show-adoption-status (adopted-by,ap-name <1-64>,cdp-lldp-info,
config-status,last-adoption,msgs,uptime,version)
customize show-wireless-client (ap-name <1-64>,auth,client-identity <1-32>,bss,
enc,hostname <1-64>,ip,last-active,location <1-64>,mac,radio-alias <3-67>,radio-id,
radio-type,role <1-32>,state,username <1-64>,vendor,vlan,wlan)
customize show-wireless-client-stats (hostname <1-64>,mac,rx-bytes,rx-errors,
rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)
customize show-wireless-client-stats-rf (average-retry-number,error-rate,
hostname <1-64>,mac,noise,q-index,rx-rate,signal,snr,tx-rate)
customize show-wireless-meshpoint-accelerated-multicast
(ap-hostname,group-addr,mesh-name,neighbor-hostname,neighbor-ifid,radio-alias,
radio-id,radio-mac,subscriptions)
customize show-wireless-meshpoint (ap-mac,cfg-as-root,hops,hostname <1-64>,
interface-ids,is-root,mesh-name <1-64>,mpid,next-hop-hostname <1-64>,next-hop-ifid,
next-hop-use-time,path-metric,root-bound-time,root-hostname <1-64>,root-mpid)
customize show-wireless-meshpoint-neighbor-stats (ap-hostname <1-64>,
neighbor-hostname <1-64>,neighbor-ifid,rx-bytes,rx-errors,rx-packets,rx-throughput,
t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)
customize show-wireless-meshpoint-neighbor-stats-rf (ap-hostname <1-64>,
average-retry-number,error-rate,neighbor-hostname <1-64>,neighbor-ifid,noise,q-index,
rx-rate,signal,snr,t-index,tx-rate)
customize show-wireless-mint-client (client-alias <1-64>,client-bss,
portal-alias <1-64>,portal-bss,up-time)
customize show-wireless-mint-client-stats (client-alias <1-64>,
portal-alias <1-64>,portal-bss,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,
tx-bytes,tx-dropped,tx-packets,tx-throughput)
customize show-wireless-mint-client-stats-rf (average-retry-number,
client-alias <1-64>,error-rate,noise,portal-alias <1-64>,portal-bss,q-index,rx-rate,
signal,snr,tx-rate)
customize show-wireless-mint-portal (client-alias <1-64>,client-bss,
portal-alias <1-64>,portal-bss,up-time)
customize show-wireless-mint-portal-stats (client-alias <1-64>,client-bss,
portal-alias <1-64>,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,
tx-dropped,tx-packets,tx-throughput)
customize show-wireless-mint-portal-stats-rf (average-retry-number,
client-alias <1-64>,client-bss,error-rate,noise,portal-alias <1-64>,q-index,rx-rate,
signal,snr,tx-rate)
customize show-wireless-radio (adopt-to,ap-name <1-64>,channel,location <1-64>,
num-clients,power,radio-alias <3-67>,radio-id,radio-mac,rf-mode,state)
customize show-wireless-radio-stats (radio-alias <3-67>,radio-id,radio-mac,
rx-bytes,rx-errors,rx-packets,rx-throughput,tx-bytes,tx-dropped,tx-packets,
tx-throughput)
customize show-wireless-radio-stats-rf (average-retry-number,error-rate,
noise,q-index,radio-alias <3-67>,radio-id,radio-mac,rx-rate,signal,snr,t-index,
tx-rate)
Parameters
customize [cdp-lldp-info-column-width|hostname-column-width] <1-64>
hostname-column- Configures default width of the hostname column in all show commands
width <1-64> • <1-64> – Sets the hostname column width from 1 - 64 characters
cdp-lldp-info-column- Configures the column width in the show > cdp/lldp > [neighbor|report]
width <1-64> command output
• <1-64> – Sets the column width from 1 - 64 characters
show-adoption-status Configures the information displayed in the show > adoption > status
command output. Select the columns (information) displayed from the
following options: adopted-by, ap-name, cdp-lldp-info, config-status, last-
adoption, msgs, uptime, and version. These are recursive parameters and you
can select multiple options at a time.
The columns displayed by default are: Device-Name, Version, Config-Status,
MSGS, Adopted-By, Last-Adoption, and Uptime.
Wherever available, you can optionally use the <1-64> parameter to set the
column width.
show-wireless- Customizes the show > wireless > client command output
client The columns displayed by default are: MAC, IPv4, Vendor, Radio-ID, WLAN, VLAN,
and State.
ap-name <1-64> Includes the ap-name column, which displays the name of the AP with which this
client associates
• <1-64> – Sets the ap-name column width from 1 - 64 characters
auth Includes the auth column, which displays the authorization protocol used by the
wireless client
client-identity Includes the client-identity (device type) column, which displays details gathered
<1-32> from DHCP device fingerprinting feature (when enabled). For more information, see
client-identity.
• <1-32> – Sets the client-identity column width from 1 - 32 characters
bss Includes the BSS column, which displays the BSS ID the wireless client is associated
with
enc Includes the enc column, which displays the encryption suite used by the wireless
client
hostname <1-64> Includes the hostname column, which displays the wireless client's hostname
• <1-64> – Sets the hostname column width from 1 - 64 characters
ip Includes the IP column, which displays the wireless client's current IP address
last-active Includes the last-active column, which displays the time of last activity seen from
the wireless client
location <1-64> Includes the location column, which displays the location of the client's associated
Access Points
• <1-64> – Sets the location column width from 1 - 64 characters
mac Includes the MAC column, which displays the wireless client's MAC address
radio-alias Includes the radio-alias column, which displays the radio alias with the AP's
<3-67> hostname and radio interface number in the "HOSTNAME:RX" format
• <3-67> – Sets the radio-alias column width from 3 - 67 characters
radio-id Includes the radio-id column, which displays the radio ID with the AP's MAC
address and radio interface number in the "AA-BB-CC-DD-EE-FF:RX" format
radio-type Includes the radio-type column, which displays the wireless client's radio type
role <1-32> Includes the role column, which displays the client's role
• <1-32> – Sets the role column width from 1 - 32 characters
state Includes the state column, which displays the wireless client's current availability
state
username <1-64> Includes the username column, which displays the wireless client's username
• <1-64> – Specify the username column width from 1 - 64 characters.
vendor Includes the vendor column, which displays the wireless client's vendor ID
vlan Includes the VLAN column, which displays the wireless client's assigned VLAN
wlan Includes the WLAN column, which displays the wireless client's assigned WLAN
show-wireless- Customizes the show > wireless > client stats command output
client-stats The columns displayed by default are: MAC, Tx bytes, RX bytes, Tx pkts, Rx pkts,
Tx bps, RX bps, T-Index, and Dropped pkts.
hostname <1-64> Includes the hostname column, which displays the wireless client's hostname
• <1-64> – Sets the hostname column width from 1 - 64 characters
mac Includes the MAC column, which displays the wireless client's MAC address
rx-bytes Includes the rx-bytes column, which displays the total number of bytes received
by the wireless client
rx-errors Includes the rx-errors column, which displays the total number of errors received
by the wireless client
rx-packets Includes the rx-packets column, which displays the total number of packets
received by the wireless client
rx-throughput Includes the rx-throughput column, which displays the receive throughput at the
wireless client
t-index Includes the t-index column, which displays the traffic utilization index at the
particular wireless client
tx-bytes Includes the tx-bytes column, which displays the total number of bytes
transmitted by the wireless client
tx-dropped Includes the tx-dropped column, which displays the total number of dropped
packets by the wireless client
tx-packets Includes the tx-packets column, which displays the total number of packets
transmitted by the wireless client
tx-throughput Includes the tx-throughput column, which displays the transmission throughput
at the wireless client
show-wireless- Customizes the show > wireless > client stats RF command output
client-stats-rf The columns displayed by default are: MAC, Signal (dBm), Noise (dBm), SNR (dB),
TX Rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%).
average-retry- Includes the average-retry-number column, which displays the average number of
number retransmissions made per packet
error-rate Includes the error-rate column, which displays the rate of error for the wireless
client
hostname <1-64> Includes the hostname column, which displays the wireless client's hostname
• <1-64> – Sets the hostname column width from 1 - 64 characters
mac Includes the MAC column, which displays the wireless client's MAC address
noise Includes the noise column, which displays the noise (in dBm) as detected by the
wireless client
q-index Includes the q-index column, which displays the RF quality index
Note: Higher values indicate better RF quality.
rx-rate Includes the rx-rate column, which displays the receive rate at the particular
wireless client
signal Includes the signal column, which displays the signal strength (in dBm) at the
particular wireless client
snr Includes the snr column, which displays the signal-to-noise (SNR) ratio (in dB) at
the particular wireless client
t-index Includes the t-index column, which displays the traffic utilization index at the
particular wireless client
tx-rate Includes the tx-rate column, which displays the packet transmission rate at the
particular wireless client
show-wireless-meshpoint- Configures the information displayed in the show > wireless >
accelerated-multicast meshpoint > accelerated multicast command output. Select the
columns (information) displayed from the following options: ap-
hostname, group-addr, mesh-name, neighbor-hostname, neighbor-ifid,
radio-alias, radio-id, radio-mac, subscriptions. These are recursive
parameters and you can select multiple options at a time.
show-wireless- Customizes the show > wireless > meshpoint command output
meshpoint The columns displayed by default are: Mesh, Hostname, Hops, Is-Root, Config-As-
Root, Root-Hostname, Root-Bound-Time, Path-Metric, Next-Hop-Hostname, and
Next-Hop-Use-Time.
ap-mac Includes the ap-mac column, which displays the AP's MAC address in the AA-BB-
CC-DD-EE-FF format. Applicable only in case of non-wireless controller
meshpoints
cfg-as-root Includes the cfg-as-root column, which displays the configured root state of the
meshpoint
hops Includes the hops column, which displays the number of hops to the root for this
meshpoint
hostname <1-64> Includes the hostname column, which displays the AP's hostname. Applicable
only in case of non-wireless controller meshpoints
• <1-64> – Sets the hostname column width from 1 - 64 characters
interface-ids Includes the interface-ids column, which displays the interface identifiers
(interfaces used by this meshpoint)
is-root Includes the is-root column, which displays the current root state of the
meshpoint
mesh-name <1-64> Includes the mesh-name column, which displays the meshpoint's name
• <1-64> – Sets the mesh-name column width from 1 - 64 characters
mpid Includes the mpid column, which displays the meshpoint identifier in the AA-BB-
CC-DD-EE-FF format
next-hop- Includes the next-hop-hostname column, which displays the next-hop AP's name
hostname <1-64> (the AP next in the path to the bound root)
• <1-64> – Sets the next-hop-hostname column width from 1 - 64 characters
next-hop-ifid Includes the next-hop-ifid column, which displays the next-hop interface identifier
in the AA-BB-CC-DD-EE-FF format
next-hop-use-time Includes the next-hop-use-time column, which displays the time since this
meshpoint started using this next hop
root-bound-time Includes the root-bound-time column, which displays the time since this
meshpoint has been bound to the current root
root-hostname Includes the root-hostname column, which displays the root AP's hostname to
<1-64> which this meshpoint is bound
• <1-64> – Sets the root-hostname column width from 1 - 64 characters
root-mpid Includes the root-mpid column, which displays the bound root meshpoint
identifier in the AA-BB-CC-DD-EE-FF format
show-wireless- Customizes the show > wireless > meshpoint > neighbor > stats command
meshpoint-neighbor- output
stats The columns displayed by default are: AP Hostname, Neighbor-IFID, TX bytes,
RX bytes, Tx pkts, Rx pkts, Tx (bps), Rx (bps), T-Index (%), and Dropped pkts.
ap-name <1-64> Includes the ap-name column, which displays the name of the AP reporting a
neighbor
• <1-64> – Sets the ap-name column width from 1 - 64 characters
neighbor-ifid Includes the neighbor-ifid column, which displays the neighbor's interface ID
rx-bytes Includes the rx-bytes column, which displays the total bytes received
rx-errors Includes the rx-errors column, which displays the total bytes of error received
rx-packets Includes the rx-packets column, which displays the number of packets
received
rx-throughput Includes the rx-throughput column, which displays the neighbor's received
throughput
t-index Includes the t-index column, which displays the traffic utilization index at the
neighbor end
tx-bytes Includes the tx-bytes column, which displays the total bytes transmitted
tx-dropped Includes the tx-dropped column, which displays the total bytes dropped
tx-packets Includes the tx-packets column, which displays the number of packets
transmitted
tx-throughput Includes the tx-throughput column, which displays the neighbor's transmitted
throughput
show-wireless- Customizes the show > wireless > meshpoint > neighbor > statistics RF
meshpoint-neighbor- command output
stats-rf The columns displayed by default are: AP Hostname, Neighbor-IFID, Signal
(dBm), Noise (dBm), SNR (dB), Tx-Rate (Mbps), Rx-Rate (Mbps), Retry Avg,
Errors (pps), and Q-Index (%).
ap-name <1-64> Includes the ap-name column, which displays the name of the AP reporting a
neighbor
• <1-64> – Sets the ap-name column width from 1 - 64 characters
noise Includes the noise column, which displays the noise level in dBm
q-index Includes the q-index column, which displays the q-index
rx-rate Includes the rx-rate column, which displays the receive rate
signal Includes the signal column, which displays the signal strength in dBm
snr Includes the snr column, which displays the signal-to-noise ratio
t-index Includes the t-index column, which displays t-index
tx-rate Includes the tx-rate column, which displays the transmission rate
show-wireless-mint-client Configures the information displayed in the show > wireless > mint >
client command output. Select the columns (information) displayed
from the following options: client-alias, client-bss, portal-alias, portal-
bss, and up-time. These are recursive parameters and you can select
multiple options at a time.
The columns displayed by default are: Portal, Portal-Radio-MAC, Client,
Client-Radio-MAC, and Up-Time.
show-wireless-mint-client- Configures the information displayed in the show > wireless > mint >
stats client > statistics command output. Select the columns (information)
displayed from the following options: client-alias, portal-alias, portal-bss,
rx-bytes, rx-errors, rx-packets, rx-throughput, t-index, tx-bytes, tx-
dropped, tx-packets, tx-throughput. These are recursive parameters and
you can select multiple options at a time.
The columns displayed by default are: Portal, Portal-Radio-MAC, Client, Tx
bytes, Rx bytes, TX pkts, Rx pkts, TX (bps), Rx (bps), T-Index (%), and
Dropped pkts.
Wherever available, you can optionally use the <1-64> parameter to set
the column width.
show-wireless-mint-client- Configures the information displayed in the show > wireless > mint >
stats-rf client > statistics > rf command output. Select the columns
(information) displayed from the following options: average-retry-
number, client-alias, error-rate, noise, portal-alias, portal-bss, q-index, rx-
rate, signal, snr, and tx-rate. These are recursive parameters and you can
select multiple options at a time.
The columns displayed by default are: MAC, Signal (dBm), Noise (dBm),
SNR (dB), Tx-Rate (Mbps), Rx-rate (Mbps), Retry Avg, Errors (pps), and
Q-Index (%).
Wherever available, you can optionally use the <1-64> parameter to
set the column width.
show-wireless-mint-portal Configures the information displayed in the show > wireless > mint >
portal command output. Select the columns (information) displayed
from the following options: client-alias, client-bss, portal-alias, portal-
bss, and up-time. These are recursive parameters and you can select
multiple options at a time.
The columns displayed by default are: Client, Client-Radio-MAC, Portal,
Portal-Radio-MAC, and Up-Time.
Wherever available, optionally use the <1-64> parameter to set the
column width.
show-wireless-mint-portal- Configures the information displayed in the show > wireless > mint >
stats-rf portal > statistics > rf command output. Select the columns
(information) displayed from the following options: average-retry-
number, client-alias, client-bss, error-rate, noise, portal-alias, q-index,
rx-rate, signal, snr, tx-rate. These are recursive parameters and you can
select multiple options at a time.
The columns displayed by default are: Client, Client-Radio-MAC, Portal,
Signal (dBm), Noise (dBm), SNR (dB), Tx-Rate (Mbps), Rx-rate (Mbps),
Retry Avg, Errors (pps), and Q-Index (%).
Wherever available, optionally use the <1-64> parameter to set the
column width.
channel Includes the channel column, which displays information about the configured and
current channel for this radio
location <1-64> Includes the location column, which displays the location of the AP to which this
radio belongs
• <1-64> – Sets the location column width from 1 - 64 characters
num-clients Includes the num-clients column, which displays the number of clients associated
with this radio
power Includes the power column, which displays the radio's configured and current
transmit power
radio-alias Includes the radio-alias column, which displays the radio's alias (combination of
<3-67> AP's hostname and radio interface number in the "HOSTNAME:RX" format)
• <3-67> – Sets the radio-alias column width from 3 - 67 characters
radio-id Includes the radio-id column, which displays the radio's ID (combination of AP's
MAC address and radio interface number in the "AA-BB-CC-DD-EE-FF:RX" format)
radio-mac Includes the radio-mac column, which displays the radio's base MAC address
rf-mode Includes the rf-mode column, which displays the radio's operating mode. The radio
mode can be 2.4 GHz, 5.0 GHz, or sensor.
state Includes the state column, which displays the radio's current operational state
radio-id Includes the radio-id column, which displays the radio's ID (combination of AP's
MAC address and radio interface number in the "AA-BB-CC-DD-EE-FF:RX"
format)
radio-mac Includes the radio-mac column, which displays the radio's base MAC address
rx-bytes Includes the rx-bytes column, which displays the total number of bytes received
by the radio
rx-errors Includes the rx-errors column, which displays the total number of errors received
by the radio
rx-packets Includes the rx-packets column, which displays the total number of packets
received by the radio
rx-throughput Includes the rx-throughput column, which displays the receive throughput at
the radio
tx-bytes Includes the tx-bytes column, which displays the total number of bytes
transmitted by the radio
tx-dropped Includes the tx-dropped column, which displays the total number of packets
dropped by the radio
tx-packets Includes the tx-packets column, which displays the total number of packets
transmitted by the radio
tx-throughput Includes the tx-throughput column, which displays the transmission throughput
at the radio
show-wireless-
radio-stats-rf
average-retry- Includes the average-retry-number column, which displays the average number of
number retransmissions per packet
error-rate Includes the error-rate column, which displays the rate of error for the radio
noise Includes the noise column, which displays the noise detected by the radio
q-index Includes the q-index column, which displays the RF quality index
Higher values indicate better RF quality.
radio-alias <3-67> Includes the radio-alias column, which displays the radio's alias (combination of
AP's hostname and radio interface number in the "HOSTNAME:RX" format)
• <3-67> – Sets the radio-alias column width from 3 - 67 characters
radio-id Includes the radio-id column, which displays the radio's ID (combination of AP's
MAC address and radio interface number in the "AA-BB-CC-DD-EE-FF:RX"
format)
radio-mac Includes the radio-mac column, which displays the radio's base MAC address
rx-rate Includes the rx-rate column, which displays the receive rate at the particular radio
signal Includes the signal column, which displays the signal strength at the particular
radio
snr Includes the snr column, which displays the signal-to-noise ratio at the particular
radio
t-index Includes the t-index column, which displays the traffic utilization index at the
particular radio
tx-rate Includes the tx-rate column, which displays the packet transmission rate at the
particular radio
Examples
The following example shows the show > adoption > status command output before
customizing the output:
rfs4000-229D58#show adoption status
Adopted by:
Type : nx9000
System Name : nx9500-6C8809
MAC address : B4-C7-99-6C-88-09
MiNT address : 19.6C.88.09
Time : 4 days 22:38:32 ago
Adopted Devices:
------------------------------------------------------------------------------------------
---------------------
DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-
ADOPTION UPTIME
------------------------------------------------------------------------------------------
---------------------
ap7532-A2A56C 5.9.2.0-010D configured No rfs4000-229D58 4 days 22:25:56 4
days 22:31:23
------------------------------------------------------------------------------------------
----------------------
The following example shows the show > adoption > status command output after
customizing the output:
rfs4000-229D58#show adoption status
Adopted by:
Type : nx9000
System Name : nx9500-6C8809
MAC address : B4-C7-99-6C-88-09
MiNT address : 19.6C.88.09
Time
Adopted Devices:
------------------------------------------------------------------------
ADOPTED-BY DEVICE-NAME CFG-STAT LAST-ADOPTION
------------------------------------------------------------------------
rfs4000-229D58 ap7532-A2A56C configured 4 days 22:25:56
------------------------------------------------------------------------
Use the no > customize > show-adoption-status command to revert to the default format.
rfs4000-229D58(config)#no customize show-adoption-status
rfs4000-229D58(config)#commit
rfs4000-229D58#show adoption status
Adopted by:
Type : nx9000
System Name : nx9500-6C8809
MAC address : B4-C7-99-6C-88-09
MiNT address : 19.6C.88.09
Time : 4 days 22:38:32 ago
Adopted Devices:
------------------------------------------------------------------------------------------
---------------------
DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-
ADOPTION UPTIME
------------------------------------------------------------------------------------------
---------------------
ap7532-A2A56C 5.9.2.0-010D configured No rfs4000-229D58 4 days 22:25:56 4 days
22:31:23
------------------------------------------------------------------------------------------
----------------------
Total number of devices displayed: 1
rfs4000-229D58#
Related Commands
database-client-policy global-config
Creates a database-client-policy and enters its configuration mode. The database-client-policy
configures the IP address or hostname of the database host, and is used on the NSight/EGuest server’s
device context. However, the database-client-policy is required only in a split deployment, where the
server and database are hosted on separate boxes. In such a scenario, the database-client-policy
enables the server to identify the database host.
If enforcing database authentication, configure the user-name and password required to access the
database on the database-client-policy. For more information on enabling database authentication, see
database (user and privi exec modes) on page 69.
Syntax
database-client-policy <DATABASE-CLIENT-POLICY-NAME>
Parameters
database-client-policy <DATABASE-CLIENT-POLICY-NAME>
database-client-policy Specify the database-client-policy name. If the policy does not exist, it is
<DATABASE-CLIENT- created.
POLICY-NAME> Once created and configured, use this policy in the NSight/EGuest
server’s device context.
Examples
vx9000-34B78B(config)#database-client-policy DBClientPolicy
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#?
Database Client Policy Mode commands:
authentication Database authentication
database-server Add database server
no Negate a command or set its defaults
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#
To set up a database/server environment, with the database and the server hosted on separate hosts:
1. On the database host, use the database policy. This brings up the database server.
2. On the NSight/EGuest server, create the database-client-policy, and configure the database host’s IP
address or hostname.
vx9000-34B78B(config)#database-client-policy DBClientPolicy
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#database-server
192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context
database-client-policy DBClientPolicy
database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#
3. Use this database-client-policy in the NSight/EGuest server’s device configuration context. Once
applied, the server posts details to the database specified in the policy.
vx9000-34B78B(config-device-00-0C-29-34-B7-8B)#use database-client-policy
DBClientPolicy
vx9000-34B78B(config-device-00-0C-29-34-B7-8B)#show context include-factory | include
database-client-policy
use database-client-policy DBClientPolicy
vx9000-34B78B(config-device-00-0C-29-34-B7-8B)#
Related Commands
database-client-policy-commands
authentication
Configures the database’s user account details (username and password)
Supported in the following platforms:
• Service Platforms — NX 95XX, NX 96XX, VX 9000
Syntax
authentication username <USER-NAME> password <PASSWORD>
Parameters
authentication username <USER-NAME> password <PASSWORD>
authentication Configures the username and password required to access the database. Note,
username <USER- username and password specified here should be the same as those already
NAME> password created on the database host. For more information on creating database
<PASSWORD> users, see service on page 713 (common commands).
• username <USER-NAME> – Configures the user name
◦ password <PASSWORD> – Configures the password for the username
specified above.
However, ensure database authentication is enabled in the database-policy.
Examples
vx9000-65672(config-database-client-policy-DBClientPolicy)# authentication username
extreme password 2 test@12345
vx9000-656725#show running-config database-client-policy replica-set
database-client-policy replica-set
database-server 13.13.13.3
database-server 14.14.14.2
authentication username extreme password 2 q4cUyedmA4BFsn1kg/
xjCQAAAAliMbdrXKblQbsyrwMGdVzv
vx9000-656725#
Related Commands
database-server
Configures the IPv4/IPv6 address or hostname of the VM hosting the database
Supported in the following platforms:
• Service Platforms — NX 95XX, NX 96XX, VX 9000
Syntax
database-server [<IP>|<HOSTNAME>|<IPv6>]
Parameters
database-server [<IP>|<HOSTNAME>|<IPv6>]
database-server [<IP>| Identifies the database host using one of the following options:
<HOSTNAME>|<IPv6>] • <IP> – Specifies the host’s IPv4 address
• <HOSTNAME> – Specifies the host’s hostname
• <IPv6> – Specifies the host’s IPv6 address.
Examples
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context
database-client-policy DBClientPolicy
database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#
Related Commands
no (database-client-policy-config-mode)
Removes the database host’s IP/hostname configuration. Also removes database user details.
Supported in the following platforms:
• Service Platforms — NX 95XX, NX 96XX, VX 9000
Syntax
no [authentication|database-server]
no authentication username <USER-NAME>
no database-server [<IP>|<HOST-NAME>|<IPv6>]
Parameters
no [authentication|database-server]
Examples
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context
database-client-policy DBClientPolicy
database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#no database-server
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context
database-client-policy DBClientPolicy
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#
To enforce database authentication, enable authentication on the database-policy, and configure the
username and password required to access the database. Note, this command is part of a set of
configurations that are required to enable authentication. For more information on the entire set of
configurations, see database (user and privi exec modes) on page 69.
Syntax
database-policy <DATABASE-POLICY-NAME>
Parameters
database-policy <DATABASE-POLICY-NAME>
database-policy Specify the database policy name. If the policy with the specified name
<DATABASE-POLICY- does not exist, it is created.
NAME>
Examples
nx9500-6C8809(config)#database-policy test
nx9500-6C8809(config-database-policy-test)#?
Database Policy Mode commands:
authentication Database authentication
no Negate a command or set its defaults
replica-set Replica Set
shutdown Disable database server
database-policy-config-commands
authentication
Enables database authentication. When enabled and applied on the database host, this policy enforces
authenticated access to the database. This command also configures the username and password
required to access the database.
Syntax
authentication
authentication username <USER-NAME> password <PASSWORD>
Parameters
authentication
authentication username Configures the username and password required to access the database.
<USER-NAME> password Note, username and password specified here should be the same as
<PASSWORD> those already created on the database host. For more information, see
service (common commands).
• username <USER-NAME> – Configures the database username
◦ password <PASSWORD> – Configures the password for the
username specified above
Users using these credentials are allowed database access. In case of a
split NSight/EGuest deployment, ensure that the database-client-policy
running on the NSight/EGuest server has the same user details
configured.
For information on creating database-client-policy, see database-client-
policy global-config on page 399.
For more information on enabling database authentication, see
database (user and privi exec modes) on page 69.
Examples
nx9500-6C874D(config-database-policy-test)#authentication
nx9500-6C874D(config-database-policy-test)#no shutdown
nx9500-6C874D(config-database-policy-test)#authentication username user1 password uesr@123
nx9500-6C874D(config-database-policy-test)#show context
database-policy test
authentication
authentication username user1 password 2 f20/dTjYiMnR/tqbGFaO5gAAAAjL/xo8clisk1TZjimo128t
nx9500-6C874D(config-database-policy-test)#
Related Commands
replica-set
Adds a member to a database replica set. A replica-set is a group of devices (replica-set members)
running the database instances that maintain the same data set. Replica sets provide redundancy and
high availability and are the basis for all production deployments. The replica set usually consists of: an
arbiter, a primary member, and one or more secondary members. The primary member and the
secondary member(s) maintain replicas of the data set.
Before deploying a replica set, ensure that each replica-set member:
• has the DB instances installed, and
• is able to communicate with every other member in the set.
These member devices elect a primary member, which begins accepting client-write operations.
Remaining devices in the replica-set, with the exception of the arbiter, are designated as secondary
members.
Supported in the following platforms:
• Service Platforms — NX 95XX, NX 96XX, VX 9000
Syntax
replica-set member [<IP>|<FQDN>] {arbiter|priority <0-255>}
Parameters
replica-set member [<IP>|<FQDN>] {arbiter|priority <0-255>}
replica-set member [<IP>| Adds a member to the database replica set. To identify the member, use
<FQDN>] {arbiter|priority one of the following options:
<0-255>} • <IP> – Specify the member’s IP address.
• <FQDN> – Specify the member’s FQDN.
After specifying the IP address or FQDN, specify the following:
• arbiter – Optional. Select to configure the member as the arbiter.
• priority <0-255> – Optional. Configures the priority of a non-arbiter
member of the replica set
◦ <0-255> – Specify the priority from 0 - 255. This value determines
the member’s position within the replica set as primary or
secondary. It also helps in electing the fall-back primary member in
the eventuality of the current primary member being unreachable.
A replica set should have at least three members. The maximum number of
members can go up to fifty (50). However, configuring a three-member
replica set is recommended. Replica sets should have an odd number of
members. In case of an even-numbered replica set, add an arbiter to make
the member count odd. This ensures that at least one member gets a
majority vote in the primary-member election.
Examples
nx9500-6C874D(config-database-policy-test)#replica-set member 192.168.13.14 arbiter
nx9500-6C874D(config-database-policy-test)#replica-set member 192.168.13.16 priority 1
nx9500-6C874D(config-database-policy-test)#replica-set member 192.168.13.12 priority 2
nx9500-6C874D(config-database-policy-test)#show context
database-policy test
replica-set member 192.168.13.12 priority 2
replica-set member 192.168.13.14 arbiter
Related Commands
shutdown
Shuts down the database server. The factory default is set as no > shutdown.
Supported in the following platforms:
• Service Platforms — NX 95XX, NX 96XX, VX 9000
Syntax
shutdown
Parameters
None
Examples
nx9500-6C874D(config-database-policy-test)#shutdown
nx9500-6C874D(config-database-policy-test)#show context
database-policy test
shutdown
nx9500-6C874D(config-database-policy-test)#
Related Commands
no (database-policy-config-mode)
Removes or reverts the database policy settings to default values
Supported in the following platforms:
• Service Platforms — NX 95XX, NX 96XX, VX 9000
Syntax
no [authentication|replica-set|shutdown]
no authentication {username <USER-NAME>}
no replica-set member [<IP>|<FQDN>]
no shutdown
Parameters
no <PARAMETERS>
Examples
In the following example the arbiter is being removed, leaving the replica set with only two members:
nx9500-6C8809(config-database-policy-test)#no replica-set member 192.168.13.14
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
replica-set member 192.168.13.12 priority 2
replica-set member 192.168.13.16 priority 1
nx9500-6C8809(config-database-policy-test)#
Since a replica set must have at least three members, another member must be added to this replica
set. This member may or may not be an arbiter.
nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.8 priority 3
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
replica-set member 192.168.13.12 priority 2
replica-set member 192.168.13.16 priority 1
replica-set member 192.168.13.8 priority 3
nx9500-6C8809(config-database-policy-test)#
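The membership rules stated above (at least three members, at most fifty, an odd member count, priority from 0 - 255) can be checked against captured show context output before a policy is applied. The following is an added example, not code from the guide or from the WiNG software; the function names are hypothetical and the two-member sample is the output shown in the example above.

```python
import re

# Line form shown in the guide's "show context" output:
#   replica-set member <IP|FQDN> [arbiter | priority <0-255>]
MEMBER_RE = re.compile(
    r"^\s*replica-set\s+member\s+(?P<host>\S+)"
    r"(?:\s+(?P<arbiter>arbiter)|\s+priority\s+(?P<priority>\d+))?\s*$"
)

MIN_MEMBERS = 3   # guide: "should have at least three members"
MAX_MEMBERS = 50  # guide: "can go up to fifty (50)"


def parse_members(show_context):
    """Return one dict per 'replica-set member' line; CLI prompt lines are ignored."""
    members = []
    for line in show_context.splitlines():
        m = MEMBER_RE.match(line)
        if m is None:
            continue
        priority = m.group("priority")
        members.append({
            "host": m.group("host"),
            "arbiter": m.group("arbiter") is not None,
            "priority": None if priority is None else int(priority),
        })
    return members


def check_replica_set(show_context):
    """Return a list of findings; empty when the member list meets the guide's rules."""
    members = parse_members(show_context)
    count = len(members)
    findings = []
    if count < MIN_MEMBERS:
        findings.append(f"{count} member(s) configured; at least {MIN_MEMBERS} are required")
    if count > MAX_MEMBERS:
        findings.append(f"{count} members configured; the maximum is {MAX_MEMBERS}")
    if count and count % 2 == 0:
        findings.append(f"even member count ({count}); add an arbiter to make it odd")
    for member in members:
        p = member["priority"]
        if p is not None and not 0 <= p <= 255:
            findings.append(f"{member['host']}: priority {p} is outside 0-255")
    return findings


# Output from the guide's example after the arbiter was removed.
TWO_MEMBERS = """\
nx9500-6C8809(config-database-policy-test)#no replica-set member 192.168.13.14
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 replica-set member 192.168.13.12 priority 2
 replica-set member 192.168.13.16 priority 1
"""

# The same list once the guide's third member has been added.
THREE_MEMBERS = TWO_MEMBERS + " replica-set member 192.168.13.8 priority 3\n"

# Constructed sample: a fourth member with an out-of-range priority.
FOUR_MEMBERS_BAD_PRIORITY = THREE_MEMBERS + " replica-set member db4.example.net priority 300\n"

if __name__ == "__main__":
    samples = [
        ("two members", TWO_MEMBERS),
        ("three members", THREE_MEMBERS),
        ("four members", FOUR_MEMBERS_BAD_PRIORITY),
    ]
    for name, text in samples:
        print(name, "->", check_replica_set(text) or "OK")
```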
device
Enables simultaneous configuration of multiple devices
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
device {containing|filter}
device {containing <STRING>} {filter type [ap6522|ap6562|ap71xx|ap7502|ap7522|
ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|ex3524|ex3548|
rfs4000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000]}
device {filter type [ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|
ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|ex3524|ex3548|rfs4000|nx5500|nx75xx|nx9000|
nx9600|t5|vx9000]}
Parameters
device {containing <STRING>} {filter type [ap6522|ap6562|ap71xx|ap7502|ap7522|
ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|ex3524|ex3548|
rfs4000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000]}
device – Enters a device’s configuration mode. Use this command to simultaneously configure
devices having similar configuration.
containing <STRING> – Optional. Configures the string to search for in the device’s hostname. All
devices having hostnames containing the string specified here are filtered, and can be
configured simultaneously.
• <STRING> – Specify the string to search for in the device’s hostname.
filter type <DEVICE-TYPE> – Optional. Filters out a specific device type. After specifying the
hostname string, select the device type. The options are: AP 6522, AP 6562, AP 7161, AP 7502,
AP-7522, AP 7532, AP 7562, AP 7602, AP-7612, AP 7622, AP7632, AP7662, AP-8163,
AP-8432, AP-8533, EX3548, RFS 4000, NX 5500, NX 7510, NX 95XX, NX 96XX, t5
and VX(V-WLC).
Examples
nx9500-6C874D(config)#device filter type ap7532
nx9500-6C874D(config-device-{'type': 'ap7532'})#
Related Commands
device-categorization
Configures a device categorization list, which categorizes devices as sanctioned or neighboring.
Categorization of devices enables quick identification and blocking of unsanctioned devices in the
network.
Proper classification and categorization of devices (access points, clients etc.) helps suppress
unnecessary unauthorized access point alarms, allowing network administrators to focus on alarms on
devices actually behaving in a suspicious manner. An intruder with a device erroneously authorized
could potentially perform activities that harm your organization.
Authorized access points and clients are generally known to you and conform with your organization’s
security policies. Unauthorized devices are those detected as interoperating within the network, but are
not approved. These devices should be filtered to avoid jeopardizing the data within a managed
network. Use this command to apply the neighboring and sanctioned (approved) filters on peer devices
operating within a wireless controller or access point’s radio coverage area. Detected client MAC
addresses can also be filtered based on their classification.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
device-categorization <DEVICE-CATEGORIZATION-LIST-NAME>
Parameters
device-categorization <DEVICE-CATEGORIZATION-LIST-NAME>
<DEVICE-CATEGORIZATION-LIST-NAME> – Specify the device categorization list name. If a list with the
same name does not exist, it is created.
Examples
nx9500-6C8809(config)#device-categorization rfs4000
nx9500-6C8809(config-device-categorization-rfs4000)#?
Device Category Mode commands:
mark-device Add a device
no Negate a command or set its defaults
nx9500-6C8809(config-device-categorization-rfs4000)#
Related Commands
device-categorization-mode-commands
mark-device
Adds a device to the device categorization list as sanctioned or neighboring. Devices are further
classified as AP or client.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mark-device <1-1000> [sanctioned|neighboring] [ap|client]
mark-device <1-1000> [sanctioned|neighboring] ap {mac <MAC>|ssid <SSID> {mac <MAC>}}
mark-device <1-1000> [sanctioned|neighboring] client {mac <MAC>}
Parameters
mark-device <1-1000> [sanctioned|neighboring] ap {mac <MAC>|ssid <SSID> {mac <MAC>}}
Examples
nx9500-6C8809(config-device-categorization-rfs4000)#mark-device 1 sanctioned ap
mac 11-22-33-44-55-66
nx9500-6C8809(config-device-categorization-rfs4000)#show context
device-categorization rfs4000
mark-device 1 sanctioned ap mac 11-22-33-44-55-66
nx9500-6C8809(config-device-categorization-rfs4000)#
Related Commands
no (device-categorization-config-mode)
Parameters
no <PARAMETERS>
no <PARAMETERS> – Removes a mark device (AP or wireless client) entry from this device
categorization list
Examples
The following example shows the device categorization list ‘rfs7000’ settings before the ‘no’ command
is executed:
nx9500-6C8809(config-device-categorization-rfs4000)#show context
device-categorization rfs4000
mark-device 1 sanctioned ap mac 11-22-33-44-55-66
nx9500-6C8809(config-device-categorization-rfs4000)#
nx9500-6C8809(config-device-categorization-rfs4000)#no mark-device 1 sanctioned ap mac
11-22-33-44-55-66
The following example shows the device categorization list ‘rfs7000’ settings after the ‘no’ command is
executed:
nx9500-6C8809(config-device-categorization-rfs4000)#show context
device-categorization rfs4000
nx9500-6C8809(config-device-categorization-rfs4000)#
dhcp-server-policy
Configures DHCPv4 server policy parameters, such as class, address range, and options. A new policy is
created if it does not exist.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dhcp-server-policy <DHCP-SERVER-POLICY-NAME>
Parameters
dhcp-server-policy <DHCP-SERVER-POLICY-NAME>
<DHCP-POLICY-NAME> Specify the DHCP server policy name. If the policy does not exist, it is
created.
Examples
nx9500-6C8809(config)#dhcp-server-policy test
nx9500-6C8809(config-dhcp-policy-test)#?
DHCP policy Mode commands:
bootp BOOTP specific configuration
dhcp-class Configure DHCP class (for address allocation using DHCP
user-class options)
dhcp-pool Configure DHCP server address pool
dhcp-server Activating dhcp server based on criteria
no Negate a command or set its defaults
option Define DHCP server option
ping Specify ping parameters used by DHCP Server
nx9500-6C8809(config-dhcp-policy-test)#
Related Commands
Note
For more information on DHCPv4 policy, see DHCP-SERVER-POLICY.
dhcpv6-server-policy
DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes, or other
configuration attributes required on an IPv6 network.
DHCPv6 servers pass IPv6 network addresses to IPv6 clients. The DHCPv6 address assignment feature
manages non-duplicate addresses in the correct prefix based on the network where the host is
connected. Assigned addresses can be from one or multiple pools. Additional options, such as the
default domain and DNS name-server address, can be passed back to the client. Address pools can be
assigned for use on a specific interface or on multiple interfaces, or the server can automatically find the
appropriate pool.
When configured and applied to a device, the DHCPv6 server policy enables the device to function as a
stateless DHCPv6 server.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dhcpv6-server-policy <DHCPv6-SERVER-POLICY-NAME>
Parameters
dhcpv6-server-policy <DHCPv6-SERVER-POLICY-NAME>
<DHCPv6-SERVER-POLICY-NAME> – Specify the DHCPv6 server policy name. If the policy does not exist,
it is created.
Examples
nx9500-6C8809(config)#dhcpv6-server-policy test
nx9500-6C8809(config-dhcpv6-server-policy-test)#?
DHCPv6 server policy Mode commands:
dhcpv6-pool Configure DHCPV6 server address pool
no Negate a command or set its defaults
option Define DHCPv6 server option
restrict-vendor-options Restrict vendor specific options to be sent in
server reply
server-preference Server preference value sent in the reply, by the
server to client
nx9500-6C8809(config-dhcpv6-server-policy-test)#
Related Commands
Note
For more information on DHCPv6 policy, see DHCP-SERVER-POLICY.
dns-whitelist
Configures a DNS whitelist. A DNS whitelist is a list of allowed DNS destination IP addresses
pre-approved to access a controller, service platform, or access point managed captive portal.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dns-whitelist <DNS-WHITELIST-NAME>
Parameters
dns-whitelist <DNS-WHITELIST-NAME>
<DNS-WHITELIST-NAME> Specify the DNS whitelist name. If the whitelist does not exist, it is created.
Examples
nx9500-6C8809(config)#dns-whitelist test
nx9500-6C8809(config-dns-whitelist-test)#?
DNS Whitelist Mode commands:
no Negate a command or set its defaults
permit Match a host
nx9500-6C8809(config-dns-whitelist-test)#
Related Commands
dns-whitelist-mode-commands
permit
A whitelist is a list of host names and IP addresses permitted access to the network or captive portal.
This command adds a host or destination IP address to the DNS whitelist.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
permit <IPv4/IPv6/HOSTNAME> {suffix}
Parameters
permit <IPv4/IPv6/HOSTNAME> {suffix}
suffix Optional. Matches any hostname including the specified name as suffix
Examples
nx9500-6C8809(config-dns-whitelist-test)#permit example_company.com suffix
nx9500-6C8809(config-dns-whitelist-test)#show context
dns-whitelist test
permit example_company.com suffix
nx9500-6C8809(config-dns-whitelist-test)#
Related Commands
no (dns-whitelist-config-mode)
Removes a specified host or IP address from the DNS whitelist, and prevents it from accessing network
resources
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no permit <IPv4/IPv6/HOSTNAME>
Parameters
no permit <IPv4/IPv6/HOSTNAME>
<IPv4/IPv6/HOSTNAME> – Removes a device from the DNS whitelist (identifies the device by its IP
address or hostname)
• <IPv4/IPv6/HOSTNAME> – Specify the device’s IPv4/IPv6 address or hostname.
Examples
nx9500-6C8809(config-dns-whitelist-test)#show context
dns-whitelist test
permit example_company.com suffix
nx9500-6C8809(config-dns-whitelist-test)#
nx9500-6C8809(config-dns-whitelist-test)#no permit example_company.com
nx9500-6C8809(config-dns-whitelist-test)#show context
dns-whitelist test
nx9500-6C8809(config-dns-whitelist-test)#
end
Ends and exits the current mode and moves to the PRIV EXEC mode
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
end
Parameters
None
Examples
rfs4000-229D58(config)#end
rfs4000-229D58#
ex3500
Creates an EX3500 time range list and enters its configuration mode
An EX3500 time range list consists of a set of periodic and absolute time range rules. Periodic time
ranges recur periodically at specified time periods, such as daily, weekly, weekends, weekdays, and on
specific week days, for example on every successive Monday. Absolute time ranges are not periodic
and do not recur. They consist of a range of days during a particular time period (the starting and
ending days and time are fixed).
The EX3500 series switch is a Gigabit Ethernet layer 2 switch with either 24 or 48 10/100/1000-BASE-T
ports, and four Small Form-factor Pluggable (SFP) transceiver slots for fiber connectivity. The EX3500
series switch can adopt to a NOC controller and be managed by it. The EX3500 time range values
configured here are used in EX3500 MAC ACL firewall rules that filter an EX3500’s incoming and
outgoing traffic.
For more information on creating EX3500 rules, see ex3500 (mac-acl-config-commands) on page 1541
and access-group on page 1435.
Syntax
ex3500 time-range <TIME-RANGE-NAME>
Parameters
ex3500 time-range <TIME-RANGE-NAME>
ex3500 time-range <TIME-RANGE-NAME> – Configures EX3500 time range list and enters its
configuration mode
• <TIME-RANGE-NAME> – Enter a name for this time range. If the time range does not exist, it is
created.
Examples
nx9500-6C8809(config)#ex3500 time-range EX3500_TimeRange_02
nx9500-6C8809(config-ex3500-time-range-EX3500_TimeRange_02)#?
nx9500-6C8809 Time Range Configuration commands:
absolute Absolute time and date
no Negate a command or set its defaults
periodic Periodic time and date
nx9500-6C8809(config-ex3500-time-range-EX3500_TimeRange_02)#
Related Commands
ex3500-time-range-config-commands
absolute
Configures an absolute time range rule for this EX3500 time range list. Absolute time ranges are not
periodic and do not recur. They consist of a range of days during a particular time period.
Supported in the following platforms:
• Service Platforms — NX 7510, NX 95XX, NX 96XX
Syntax
absolute start <0-23> <0-59> <1-31> <MONTH> <2013-2037> {end <0-23> <0-59> <1-31>
<MONTH> <2013-2037>}
Parameters
absolute start <0-23> <0-59> <1-31> <MONTH> <2013-2037> {end <0-23> <0-59> <1-31>
<MONTH> <2013-2037>}
end <0-23> <0-59> <1-31> <MONTH> <2013-2037> – Optional. Configures the end day and time settings
• <0-23> – Specify the end time from 0 - 23 hours.
◦ <0-59> – Specify the end time from 0 - 59 minutes.
• <1-31> – Specify the day of month from 1 - 31 when the time range ends.
◦ <MONTH> – Specify the month. The options are: April, August, December, February, January,
July, June, March, May, November, October, September.
▪ <2013-2037> – Specify the year from 2013 - 2037.
Examples
EX3500(config-ex3500-time-range-EX3500-TimeRange-01)#absolute start 1 0 1
june 2017 end 1 0 30 june 2018
EX3500(config-ex3500-time-range-EX3500-TimeRange-01)#show context
ex3500 time-range EX3500-TimeRange-01
absolute start 1 0 1 june 2018 end 1 0 30 june 2018
EX3500(config-ex3500-time-range-EX3500-TimeRange-01)#
Related Commands
no (ex3500-time-range-config-mode) on page 421 – Removes this absolute time range rule from the
EX3500 time range list
periodic
Configures a periodic time range rule for this EX3500 time range list
Periodic time ranges are configured to recur based on periodicity such as daily, weekly, weekends,
weekdays, and on specific week days, such as on every successive Sunday.
Supported in the following platforms:
• Service Platforms — NX 7500, NX 95XX, NX 96XX
Syntax
periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|
weekend] <0-23> <0-59> to [<0-23> <0-59>|daily|friday|monday|saturday|sunday|thursday|
tuesday|wednesday|weekdays|weekend] <0-23> <0-59> rule-precedence <1-7>
Parameters
periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|
weekend] <0-23> <0-59> to [<0-23> <0-59>|daily|friday|monday|saturday|sunday|thursday|
tuesday|wednesday|weekdays|weekend] <0-23> <0-59> rule-precedence <1-7>
periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] –
Configures this periodic time range’s start day. The options are:
• daily
• Friday
• Monday
• Saturday
• Sunday
• Thursday
• Tuesday
• Wednesday
• weekdays
• weekend
<0-23> <0-59> – After specifying the start day, specify the start time in hours (24 hours
format) and minutes
• <0-23> – Specify the start time from 0 - 23 hours.
◦ <0-59> – Specify the start time from 0 - 59 minutes.
For example, if the values provided are 12 hours and 30 minutes, the start
time is 12:30 A.M on the specified day.
to [<0-23> <0-59>|daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] –
Configures this periodic time range’s end day. This is the day when the time range ends. The
options available change depending on the start day configured. The options are:
• <0-23> <0-59> – Select this option to end the time range on the same day as it starts. Specify
the end hour from 0 - 23 hours and the minutes from 0 - 59 minutes.
• daily – Select this option if the time range starts and ends every day at a specified time
• friday – Select this option if the time range ends on Fridays
• monday – Select this option if the time range ends on Mondays
• saturday – Select this option if the time range ends on Saturdays
• sunday – Select this option if the time range ends on Sundays
• thursday – Select this option if the time range ends on Thursdays
• tuesday – Select this option if the time range ends on Tuesdays
• wednesday – Select this option if the time range ends on Wednesdays
• weekdays – Select this option if the time range ends on Weekdays
• weekend – Select this option if the time range ends on Weekends
If the time range does not end on the same day, select the end day, and
then specify the end time, or else just specify the end time.
<0-23> <0-59> – After specifying the end day, specify the end time in hours (in 24 hours
format) and minutes
• <0-23> – Specify the end time from 0 - 23 hours.
◦ <0-59> – Specify the end minute from 0 - 59 minutes.
In case of time ranges starting and ending on the same day, ensure that
the end time (hours and minutes) is not lower than the specified start
time.
rule-precedence <1-7> – Configures a precedence value for this periodic time range rule. Rules
with lower precedence have higher priority and are applied first.
• <1-7> – Specify a precedence value from 1 - 7.
Examples
EX3500(config-ex3500-time-range-EX3500-TimeRange-01)#periodic daily 1 10
to daily 23 10 rule-precedence 1
EX3500(config-ex3500-time-range-EX3500-TimeRange-01)#show context
ex3500 time-range EX3500-TimeRange-01
periodic daily 1 10 to daily 23 10 rule-precedence 1
absolute start 1 0 1 june 2017 end 1 0 30 june 2018
EX3500(config-ex3500-time-range-EX3500-TimeRange-01)#
Related Commands
no (ex3500-time-range-config-mode) on page 421 – Removes this periodic time range rule from the
EX3500 time range list
no (ex3500-time-range-config-mode)
Removes this EX3500 time range list’s settings
Supported in the following platforms:
• Service Platforms — NX 7500, NX 95XX, NX 96XX
Syntax
no [absolute|periodic]
no absolute
no periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|
weekend] <0-23> <0-59> to [<0-23> <0-59>|daily|friday|monday|saturday|sunday|thursday|
tuesday|wednesday|weekdays|weekend]
Parameters
no <PARAMETERS>
no <PARAMETERS> – Removes this EX3500 time range list’s settings based on the parameters
passed
Examples
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context
ex3500 time-range EX3500-TimeRange-01
periodic daily 1 10 to daily 23 10 rule-precedence 1
absolute start 1 0 1 june 2017 end 1 0 30 june 2018
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#no periodic daily 1
10 to daily 23 10 rule-precedence 1
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context
ex3500 time-range EX3500-TimeRange-01
absolute start 1 0 1 june 2017 end 1 0 30 june 2018
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#
ex3500-management-policy
Creates an EX3500 management policy and enters its configuration mode. Once configured and
applied on an EX3500 switch, the management policy controls access to the switch from management
stations using SNMP.
EX3500 devices (EX3524 and EX3548) are layer 2 Gigabit Ethernet switches with either 24 or 48
10/100/1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity. Each 10/100/1000
Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3500 switch
has an SNMP-based management agent that provides both in-band and out-of-band management
access. The EX3500 switch utilizes an embedded HTTP Web agent and CLI, which in spite of being
different from that of the WiNG operating system provides WiNG controllers PoE and port management
resources.
Going forward, NX 7510, NX 9500, and NX 9600 WiNG managed series service platforms and WiNG VMs
can discover, adopt, and partially manage EX3500 series Ethernet switches without modifying the
proprietary operating system running the EX3500 switches. The WiNG service platforms utilize
standardized WiNG interfaces to push configuration files to the EX3500 switches, and maintain a
translation layer, understood by the EX3500 switch, for statistics retrieval.
WiNG can partially manage an EX3500 without using DHCP option 193, provided the EX3500 is directly
configured to specify the IPv4 addresses of potential WiNG adopters. To identify the potential WiNG
adopter, in the EX3500’s device configuration mode specify the adopter’s IPv4 address using the
controller > host > <IP-ADDRESS> command. WiNG service platforms leave the proprietary
operating system running the EX3500 switches unmodified, and partially manage them utilizing
standardized WiNG interfaces. WiNG service platforms use a translation layer to communicate with the
EX3500.
Syntax
ex3500-management-policy <POLICY-NAME>
Parameters
ex3500-management-policy <POLICY-NAME>
<POLICY-NAME> Specify the EX3500 management policy name. If the policy does not exist,
it is created.
Examples
nx9500-6C8809(config)#ex3500-management-policy test
nx9500-6C8809(config-ex3500-management-policy-test)#?
nx9500-6C8809_Management Mode commands:
enable Modifies enable password parameters
http Hyper Text Terminal Protocol (HTTP)
memory Memory utilization
no Negate a command or set its defaults
process-cpu Process-cpu utilization
snmp-server Enable SNMP server configuration
ssh Secure Shell server connections
username Login TACACS server port
nx9500-6C8809(config-ex3500-management-policy-test)#
Related Commands
ex3500-management-policy-config-commands
enable
Configures an executive password for this EX3500 management policy
Each EX3500 management policy can have a unique executive password with its own privilege level
assigned. Utilize these passwords as specific EX3500 management sessions require priority over others.
Supported in the following platforms:
• Service Platforms — NX 95XX, NX 96XX, NX 7510
Syntax
enable password [0|7|level]
enable password [0|7] <PASSWORD>
enable password level <0-15> [0 <PASSWORD>|7 <PASSWORD>]
Parameters
enable password [0|7] <PASSWORD>
enable password [0|7] <PASSWORD> – Creates a new executive password for this EX3500 management
policy. The password could be in clear text or encrypted
• 0 – Configures a clear text password using ASCII characters (should be 1 - 32 characters long)
• 7 – Configures an encrypted password using HEX characters (should be 32 characters long)
◦ <PASSWORD> – Specify the password.
enable password level <0-15> – Creates a new executive password for this EX3500 management policy
and sets its privilege level
• <0-15> – Specify the privilege level for this executive password from 0 - 15. Lower values have
higher priority, to slot and prioritize executive passwords and EX3500 management sessions.
[0|7] <PASSWORD> – After setting the privilege level, configure the password, which could be
in clear text or encrypted
• 0 – Configures a clear text password using ASCII characters (should be 1 - 32 characters long)
• 7 – Configures an encrypted password using HEX characters (should be 32 characters long)
◦ <PASSWORD> – Specify the password.
Examples
nx9500-6C8809(config-ex3500-management-policy-test)#enable password level 3 7
12345678901020304050607080929291
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
enable password level 3 7 12345678901020304050607080929291
snmp-server notify-filter 1 remote 127.0.0.1
nx9500-6C8809(config-ex3500-management-policy-test)#
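When exported policies or configuration scripts are reviewed, the two password forms described above can be checked mechanically: a type 0 line carries the password in clear text, and a type 7 value should be exactly 32 HEX characters. The following is an added example, not code from the guide or from the WiNG software; the function names are hypothetical, the second sample is constructed, and passwords are assumed to contain no whitespace.

```python
import re
import string

# Forms listed under Syntax for this command:
#   enable password [0|7] <PASSWORD>
#   enable password level <0-15> [0 <PASSWORD>|7 <PASSWORD>]
ENABLE_RE = re.compile(
    r"^\s*enable\s+password\s+(?:level\s+(?P<level>\d+)\s+)?"
    r"(?P<kind>[07])\s+(?P<secret>\S+)\s*$"
)
HEX_CHARS = set(string.hexdigits)


def redact(line):
    """Return the line with the password value replaced, for use in reports."""
    m = ENABLE_RE.match(line)
    if m is None:
        return line
    return line[:m.start("secret")] + "<redacted>"


def audit_enable_passwords(config_text):
    """Return (line_number, message) findings for 'enable password' lines."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        m = ENABLE_RE.match(line)
        if m is None:
            continue
        level, kind, secret = m.group("level", "kind", "secret")
        if level is not None and not 0 <= int(level) <= 15:
            findings.append((number, f"privilege level {level} is outside 0-15"))
        if kind == "0":
            # The password itself is readable by anyone who can read this text.
            findings.append((number, "type 0: password is in clear text"))
            if not (secret.isascii() and 1 <= len(secret) <= 32):
                findings.append((number, "type 0 value is not 1-32 ASCII characters"))
        elif len(secret) != 32 or not set(secret) <= HEX_CHARS:
            findings.append((number, "type 7 value is not 32 HEX characters"))
    return findings


# Output shown in the guide's example above.
GUIDE_EXAMPLE = """\
ex3500-management-policy test
 enable password level 3 7 12345678901020304050607080929291
 snmp-server notify-filter 1 remote 127.0.0.1
"""

# Constructed sample with one clear-text entry and one malformed entry.
CONSTRUCTED_SAMPLE = """\
ex3500-management-policy audit-sample
 enable password 0 Summer2020
 enable password level 3 7 12345678901020304050607080929291
 enable password level 16 7 ABCDEF
"""

if __name__ == "__main__":
    lines = CONSTRUCTED_SAMPLE.splitlines()
    for number, message in audit_enable_passwords(CONSTRUCTED_SAMPLE):
        # Report the offending line without repeating the secret.
        print(f"line {number}: {message}: {redact(lines[number - 1]).strip()}")
```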
Related Commands
http
Configures the HTTP server settings used to authenticate HTTP connection to an EX3500 switch
Syntax
http [port <1-65535>|secure-port <1-65535>|secure-server|server]
Parameters
http [port <1-65535>|secure-port <1-65535>|secure-server|server]
secure-port <1-65535> – Enables secure HTTP connection over a designated secure port. Ensure
that the HTTP secure server is enabled before specifying the secure-server port.
• <1-65535> – Specify the secure HTTP server port from 1 - 65535. The default port is 443.
Examples
nx9500-6C8809(config-ex3500-management-policy-test)#http secure-server
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
http secure-server
enable password level 3 7 12345678901020304050607080929291
snmp-server notify-filter 1 remote 127.0.0.1
nx9500-6C8809(config-ex3500-management-policy-test)#
Related Commands
no (ex3500-management-policy-config-mode) on page 438 – Reverts to default HTTP server settings
(HTTP server enabled, HTTP port 80)
memory
Configures the EX3500’s memory utilization rising (upper) and falling (lower) threshold values. Once
configured, the system sends a notification when the memory utilization exceeds the specified rising
limit or falls below the specified falling limit.
By customizing an EX3500's memory and CPU utilization’s upper and lower thresholds, you can avoid
over utilization of the EX3500’s processor capacity when sharing network resources with an NX series
service platform or a WiNG VM.
Supported in the following platforms:
• Service Platforms — NX 95XX, NX 96XX, NX 7510
Syntax
memory [falling-threshold|rising-threshold] <1-100>
Parameters
memory [falling-threshold|rising-threshold] <1-100>
memory – Configures the EX3500’s memory utilization rising and falling threshold values. The
system generates a notification when either of these limits is exceeded.
falling-threshold <1-100> – Configures the falling threshold for the EX3500 memory utilization
• <1-100> – Specify the falling threshold as a percentage from 1 - 100. The default is 70%.
rising-threshold <1-100> – Configures the rising threshold for the EX3500’s memory utilization
• <1-100> – Specify the rising threshold as a percentage from 1 - 100. The default is 90%.
Examples
nx9500-6C8809(config-ex3500-management-policy-test)#memory falling-threshold 50
nx9500-6C8809(config-ex3500-management-policy-test)#memory rising-threshold 95
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
http secure-server
enable password level 3 7 12345678901020304050607080929291
snmp-server notify-filter 1 remote 127.0.0.1
memory falling-threshold 50
memory rising-threshold 95
nx9500-6C8809(config-ex3500-management-policy-test)#
Related Commands
process-cpu
Configures the EX3500’s CPU (processor) utilization rising (upper) and falling (lower) threshold values.
Once configured, the system sends a notification when the CPU utilization exceeds the specified rising
limit or falls below the specified falling limit.
By customizing an EX3500’s memory and CPU utilization’s upper and lower thresholds, you can avoid
over utilization of the EX3500's processor capacity when sharing network resources with an NX series
service platform or a WiNG VM.
Supported in the following platforms:
• Service Platforms — NX 95XX, NX 96XX, NX 7510
Syntax
process-cpu [falling-threshold|rising-threshold] <1-100>
Parameters
process-cpu [falling-threshold|rising-threshold] <1-100>
process-cpu – Configures the EX3500’s CPU utilization rising and falling threshold values.
The system generates a notification when either of these limits is exceeded.
falling-threshold <1-100> – Configures the falling threshold for the EX3500’s CPU utilization
• <1-100> – Specify the falling threshold as a percentage from 1 - 100. The default is 70%.
rising-threshold <1-100> – Configures the rising threshold for the EX3500’s CPU utilization
• <1-100> – Specify the rising threshold as a percentage from 1 - 100. The default is 90%.
Example
nx9500-6C8809(config-ex3500-management-policy-test)#process-cpu falling-threshold 60
nx9500-6C8809(config-ex3500-management-policy-test)#process-cpu rising-threshold 80
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
http secure-server
enable password level 3 7 12345678901020304050607080929291
snmp-server notify-filter 1 remote 127.0.0.1
memory falling-threshold 50
memory rising-threshold 95
process-cpu falling-threshold 60
process-cpu rising-threshold 80
nx9500-6C8809(config-ex3500-management-policy-test)#
Related Commands
snmp-server
Configures Simple Network Management Protocol (SNMP) server settings. Once configured and applied
on an EX3500 switch, the management policy controls access to the switch from management stations
using SNMP.
SNMP is an application layer protocol that facilitates the exchange of management information between
the management stations and a managed EX3500 switch. SNMP-enabled devices listen on port 162 (by
default) for SNMP packets from the management server. SNMP uses read-only and read-write
community strings as an authentication mechanism to monitor and configure supported devices. The
read-only community string is used to gather statistics and configuration parameters from a supported
wireless device. The read-write community string is used by a management server to set device
parameters. SNMP is generally used to monitor a system's performance and other parameters.
Supported in the following platforms:
• Service Platforms — NX 95XX, NX 96XX, NX 7510
Syntax
snmp-server {community|contact|enable|engine-id|group|host|location|notify-filter|
user|view}
snmp-server {community <STRING> {ro|rw}}
snmp-server {contact <NAME>}
snmp-server {enable traps {authentication|link-up-down}}
snmp-server {engine-id [local <WORD>|remote <IP> <WORD>]}
snmp-server {group <GROUP-NAME> [v1|v2c|v3 [auth|noauth|priv]] {notify <WORD>|read <WORD>|
write <WORD>}}
snmp-server {host <IP> [<STRING>|inform]}
snmp-server {host <IP> <STRING> version [v1|v2c|v3 [auth|noauth|priv]]
{udp-port <1-65535>}}
snmp-server {host <IP> inform [retry <0-255>|timeout <0-2147483647>]
<STRING> version [v2c|v3 [auth|noauth|priv]] {udp-port <1-65535>}}
snmp-server {location <WORD>}
snmp-server {notify-filter <WORD> remote <IP>}
snmp-server {user <USER-NAME> <GROUP-NAME> [remote-host|v1|v2c|v3]}
snmp-server {user <USER-NAME> <GROUP-NAME> remote-host <IP> v3 [auth|encrypted auth]
[md5|sha] <WORD> {priv [3des|aes128|aes192|aes256|des56] <WORD>}}
snmp-server {user <USER-NAME> <GROUP-NAME> [v1|v2c|v3]}
snmp-server {view <VIEW-NAME> <OID-TREE-STRING> [excluded|included]}
Parameters
snmp-server {community <STRING> {ro|rw}}
passwords generates the security keys that are used for SNMPv3 packet
authentication and encryption.
◦ local – Configures the SNMP engine on the logged switch
▪ <WORD> – Specify the hexadecimal engine ID string identifying the
SNMP engine (should be 9 - 64 characters in length).
◦ remote <IP> <WORD> – Configures a remote device as the SNMP
engine
▪ <IP> – Specify the remote device’s IP address.
• <WORD> – Specify the hexadecimal engine ID string identifying
the SNMP engine (should be 9 - 64 characters in length).
Configure the remote engine ID when using SNMPv3 informs. The remote ID
configured here is used to generate the security digest for authentication and
encryption of packets exchanged between the switch and the remote
host user. SNMP passwords are localized using the engine ID of the
authoritative agent. For informs, the authoritative SNMP agent is the remote
agent. You therefore need to configure the remote agent’s SNMP engine ID
before you can send proxy requests or informs to it.
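The localization step described above, as an added Python example that is not part of the guide. It follows the password-to-key algorithm of RFC 3414 (assumed here to be what the switch applies) and shows why an inform fails authentication when the configured remote engine ID is not the one the remote agent really uses. The password and the remote engine ID are constructed sample values; 1234567890 is the local engine ID from this guide's example.

```python
import hashlib

ONE_MEGABYTE = 1048576  # RFC 3414 A.2 hashes exactly this many bytes


def password_to_key(password, algo):
    """Derive the user key Ku: hash the password repeated out to 1 MiB."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(pw))
    digest = hashlib.new(algo)
    digest.update(pw * reps + pw[:rem])
    return digest.digest()


def localize(ku, engine_id, algo):
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    digest = hashlib.new(algo)
    digest.update(ku + engine_id + ku)
    return digest.digest()


def localized_key_hex(password, engine_id_hex, algo="sha1"):
    """Localized key for a password and a hexadecimal engine ID string."""
    if len(engine_id_hex) % 2:
        # Limit of this example: how the switch pads odd-length IDs is not stated.
        raise ValueError("engine ID must have an even number of hex digits")
    engine_id = bytes.fromhex(engine_id_hex)
    return localize(password_to_key(password, algo), engine_id, algo).hex()


def inform_keys_match(password, configured_engine_hex, actual_engine_hex, algo="sha1"):
    """True when sender and authoritative (remote) agent derive the same key."""
    sender = localized_key_hex(password, configured_engine_hex, algo)
    receiver = localized_key_hex(password, actual_engine_hex, algo)
    return sender == receiver


if __name__ == "__main__":
    password = "maplesyrup"                   # test password used in RFC 3414 A.3
    local_engine = "1234567890"               # engine-id local value from this guide
    remote_engine = "000000000000000000000002"  # constructed remote engine ID

    print("key for local engine :", localized_key_hex(password, local_engine))
    print("key for remote engine:", localized_key_hex(password, remote_engine))
    # Informs are authenticated with the REMOTE agent's engine ID, so using the
    # local engine ID by mistake yields a key the remote agent will not accept.
    print("informs authenticate with wrong engine ID:",
          inform_keys_match(password, local_engine, remote_engine))
    print("informs authenticate with right engine ID:",
          inform_keys_match(password, remote_engine, remote_engine))
```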
[v1|v2c|v3 [auth|noauth|priv]]    Configures the SNMP version used for authentication by this user group
    • v1 – Configures the SNMP version as v1.
    • v2c – Configures SNMP version as v2c
    • v3 – Configures the SNMP version as v3. If using SNMP v3, specify the authentication and encryption levels.
        ◦ auth – Uses SNMP v3 with authentication and no privacy
        ◦ noauth – Uses SNMP v3 with no authentication and no privacy
        ◦ priv – Uses SNMP v3 with authentication and privacy
You can configure a maximum of five (5) SNMP trap recipients per
EX3500 management policy.
Ensure that SNMP trap notification is enabled.
<STRING>    Configures the SNMP community string. You can configure the SNMP
community string here, or else use the string configured using the
snmp-server > community <STRING> > {ro|rw} command. It is
recommended that you configure the SNMP community string prior to
configuring the SNMP host.
    • <STRING> – Specify the community string. The string configured here
    is sent in the SNMP traps to the SNMPv1 or SNMPv2c hosts.
udp-port <1-65535> Optional. After specifying the SNMP version, optionally specify the host
UDP port
• <1-65535> – Specify the UDP port. The default is 162.
<STRING> Configures the SNMP community string. You can configure the SNMP
community string here, or else use the string configured using the
snmp-server > community <STRING> > {ro|rw} command.
It is recommended that you configure the SNMP community string prior
to configuring the SNMP host.
• <STRING> – Specify the community string. The string configured
here is sent in the SNMP inform messages to the SNMPv2c or
SNMPv3 hosts.
remote <IP> v3 Configures the remote host on which the SNMPv3 engine is running
• <IP> – Specify the remote host’s IP address.
This option is available only for SNMPv3 engine.
After configuring the remote host, optionally configure the
authentication type and the corresponding authentication password
used.
{auth|encrypted auth} [md5|sha] <WORD> {priv [3des|aes128|aes192|aes256|des56] <WORD>}
    Optional. Configures authentication and encryption settings
    • auth – Specifies the authentication type used and configures the authentication password
    • encrypted – Enables encryption. When enabled all communications between the user and the SNMP engine are encrypted. After enabling encryption, specify the authentication type and configure the authentication password.
    The following parameters are common to the ‘auth’ and ‘encrypted’ keywords:
    • md5 – Uses MD5 to authenticate the user
    • sha – Uses SHA to authenticate the user
    The following parameter is common to the ‘md5’ and ‘sha’ keywords:
    • <WORD> – Specify the authentication password.
specifies the SNMP version type used. In case of SNMPv3, this command
also configures the authentication type used and enables encryption.
◦ <USER-NAME> – Specify the user’s name (should not exceed 32
characters).
▪ <GROUP-NAME> – Specify the SNMP group name to which this
user is assigned.
• [v1|v2c|v3] – After specifying the group name, specify the
SNMP version used. The options are SNMP version v1, SNMP
version 2c, and SNMP version 3.
If using SNMP version 3, optionally specify the authentication type and the
corresponding authentication password used. Please see previous table for
SNMPv3 authentication and encryption configuration details.
<OID-TREE-STRING> [excluded|included]    Configures the object identifier (OID) of a branch within the MIB tree
    • excluded – Specifies an excluded view
    • included – Specifies an included view
Examples
nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server enable traps
nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170
nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server host 1.2.3.4 inform retry 2 test version 3 auth udp-port 180
nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server engine-id local 1234567890
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
http secure-server
enable password level 3 7 12345678901020304050607080929291
snmp-server enable traps authentication
snmp-server notify-filter 3 remote 1.2.3.4
snmp-server notify-filter 1 remote 127.0.0.1
snmp-server notify-filter 2 remote 192.168.13.10
snmp-server host 1.2.3.4 inform timeout 1500 retry 2 test version 3 auth udp-port 180
snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170
snmp-server engine-id local 1234567890
memory falling-threshold 50
memory rising-threshold 95
process-cpu falling-threshold 60
process-cpu rising-threshold 80
nx9500-6C8809(config-ex3500-management-policy-test)#
Related Commands
ssh
Configures the SSH server settings used to authenticate SSH connections to an EX3500 switch
Syntax
ssh [authentication-retries <1-5>|server|server-key size <512-1024>|timeout <1-120>]
Parameters
ssh [authentication-retries <1-5>|server|server-key size <512-1024>|timeout <1-120>]
ssh    Enables SSH management access to an EX3500 switch. This option is disabled
by default. Use this command to configure SSH access settings.
authentication-retries <1-5>    Configures the maximum number of retries made to connect to the SSH server resource
    • <1-5> – Specify a value from 1 - 5. The default setting is 3.
timeout <1-120>    Configures the SSH server resource inactivity timeout value in seconds. When
the specified time is exceeded, the SSH server resource becomes unreachable
and must be re-authenticated.
    • <1-120> – Specify a value from 1 - 120 seconds. The default is 120 seconds.
Examples
nx9500-6C8809(config-ex3500-management-policy-test)#ssh authentication-retries 4
nx9500-6C8809(config-ex3500-management-policy-test)#ssh timeout 90
nx9500-6C8809(config-ex3500-management-policy-test)#ssh server-key size 600
nx9500-6C8809(config-ex3500-management-policy-test)#ssh server
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
ssh server
ssh authentication-retries 4
ssh timeout 90
ssh server-key size 600
http secure-server
enable password level 3 7 12345678901020304050607080929291
Related Commands
username
Configures an EX3500 switch’s user settings
The EX3500 switch user details are stored in a local database on the NX 95XX, NX 96XX, NX 7510, or
WiNG VM. You can configure multiple users, each having a unique name, access level, and password.
Supported in the following platforms:
• Service Platforms — NX 95XX, NX 96XX, NX 7510
Syntax
username <USER-NAME> [access-level <0-15>|nopassword|password [0|7] <PASSWORD>]
Parameters
username <USER-NAME> [access-level <0-15>|nopassword|password [0|7] <PASSWORD>]
access-level <0-15> Configures the access level for this user. This value determines the access
priority of each user requesting access and interoperability with EX3500
switch.
• <0-15> – Specify the access level from 0 - 15. The default is 0.
Examples
nx9500-6C8809(config-ex3500-management-policy-test)#username user1 access-level 5
nx9500-6C8809(config-ex3500-management-policy-test)#username user1 password 0 user1@1234
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
ssh server
ssh authentication-retries 4
ssh timeout 90
ssh server-key size 600
http secure-server
enable password level 3 7 12345678901020304050607080929291
username user1 access-level 5
username user1 password 7 5c4786c1e52f913d38168ce89154a079
snmp-server enable traps authentication
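An added example, not from the guide: a Python audit of an ex3500-management-policy `show context` listing that flags the weaker choices the snmp-server, ssh, http and username syntax in this section permits. The severity levels and rule names are this example's own policy assumptions, and the sample listing is constructed from this section's listings plus two lines built from the command syntax.

```python
"""Audit an ex3500-management-policy `show context` listing (added example)."""

# Upper bound of `ssh server-key size <512-1024>` in the syntax on this page.
SSH_KEY_MAX = 1024

# Constructed sample. Most lines repeat this section's listings; the
# `username guest` and `snmp-server user` lines are built from the syntax
# (with placeholder passwords) to exercise the remaining rules.
SAMPLE_CONTEXT = """\
ex3500-management-policy test
 ssh server
 ssh authentication-retries 4
 ssh timeout 90
 ssh server-key size 600
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 username user1 access-level 5
 username user1 password 7 5c4786c1e52f913d38168ce89154a079
 username guest nopassword
 snmp-server enable traps authentication
 snmp-server host 1.2.3.4 inform timeout 1500 retry 2 test version 3 auth udp-port 180
 snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170
 snmp-server user ops netops remote-host 10.0.0.5 v3 auth md5 ExamplePass1 priv des56 ExamplePass2
"""


def _audit_host(tok, line, add):
    """snmp-server host <IP> [inform ...] <STRING> version <v> [level] ..."""
    if "version" not in tok[3:]:
        return
    # Use the LAST "version" token so a community string named "version" is harmless.
    i = len(tok) - 1 - tok[::-1].index("version")
    ver = tok[i + 1].lstrip("v") if i + 1 < len(tok) else ""
    level = tok[i + 2] if i + 2 < len(tok) else ""
    if ver in ("1", "2c"):
        # v1/v2c carry the community string unencrypted in every trap/inform.
        add("HIGH", "snmp-host-v%s-community-in-clear" % ver, line)
    elif ver == "3" and level == "noauth":
        add("HIGH", "snmp-host-v3-noauth", line)
    elif ver == "3" and level == "auth":
        add("MEDIUM", "snmp-host-v3-no-privacy", line)


def _audit_user(tok, line, add):
    """snmp-server user <USER> <GROUP> [remote-host <IP>] <ver> [auth ...]"""
    rest = tok[4:]
    if rest[:1] == ["remote-host"]:
        rest = rest[2:]                      # skip remote-host <IP>
    if not rest:
        return
    ver, opts = rest[0], rest[1:]
    if ver in ("v1", "v2c"):
        add("HIGH", "snmp-user-%s" % ver, line)
        return
    if ver != "v3":
        return
    if opts[:1] == ["encrypted"]:
        opts = opts[1:]
    if opts[:1] != ["auth"]:
        add("HIGH", "snmp-user-v3-noauth", line)
        return
    if opts[1:2] == ["md5"]:
        add("MEDIUM", "snmp-user-md5-auth", line)
    priv = opts[3:]                          # after: auth <md5|sha> <WORD>
    if priv[:1] != ["priv"]:
        add("MEDIUM", "snmp-user-no-privacy", line)
    elif priv[1:2] and priv[1] in ("des56", "3des"):
        add("MEDIUM", "snmp-user-legacy-cipher-%s" % priv[1], line)


def audit(context):
    """Return a list of (severity, rule, config_line) findings."""
    findings = []

    def add(severity, rule, line):
        findings.append((severity, rule, line))

    for raw in context.splitlines():
        line = raw.strip()
        tok = line.split()
        if len(tok) < 2:
            continue
        if tok[:3] == ["ssh", "server-key", "size"] and len(tok) == 4 and tok[3].isdigit():
            if int(tok[3]) < SSH_KEY_MAX:
                add("HIGH", "ssh-key-below-max", line)
        elif tok[:2] == ["http", "server"]:
            # Assumption: `http server` is the non-TLS counterpart of `http secure-server`.
            add("HIGH", "http-cleartext-management", line)
        elif tok[0] == "username" and tok[2:] == ["nopassword"]:
            add("HIGH", "user-without-password", line)
        elif tok[:2] == ["snmp-server", "community"] and len(tok) == 4 and tok[3] == "rw":
            add("HIGH", "snmp-rw-community", line)
        elif tok[:2] == ["snmp-server", "host"]:
            _audit_host(tok, line, add)
        elif tok[:2] == ["snmp-server", "user"]:
            _audit_user(tok, line, add)
    return findings


if __name__ == "__main__":
    for severity, rule, line in audit(SAMPLE_CONTEXT):
        print("%-6s %-36s %s" % (severity, rule, line))
```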
Related Commands
no (ex3500-management-policy-config-mode)
Removes or reverts this EX3500 management policy’s settings
Supported in the following platforms:
• Service Platforms — NX 95XX, NX 96XX, NX 7510
Syntax
no [enable|http|memory|process-cpu|snmp-server|ssh|username]
no enable password {level <0-15>}
no http [port|secure-port|secure-server|server]
no memory [falling-threshold|rising-threshold]
no process-cpu [falling-threshold|rising-threshold]
no snmp-server {community|contact|enable|engine-id|group|host|location|
notify-filter|user|view}
no snmp-server {community <STRING>}
no snmp-server {contact}
no snmp-server {enable traps {authentication|link-up-down}}
no snmp-server {engine-id [local|remote <IP>]}
no snmp-server {group <GROUP-NAME> [v1|v2c|v3 [auth|noauth|priv]]}
no snmp-server {location}
no snmp-server {notify-filter <WORD> remote <IP>}
no snmp-server {user <USER-NAME> [v1|v2c|v3]}
no snmp-server {user <USER-NAME> <GROUP-NAME> remote-host <IP> v3}
no snmp-server {view <VIEW-NAME> {<OID-TREE-STRING>}}
no ssh [authentication-retries|server|server-key size <512-1024>|timeout]
no username
no snmp-server {host <IP>}
Parameters
no <PARAMETERS>
no <PARAMETERS>    Removes this EX3500 management policy’s settings based on the parameters
passed
Examples
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
ssh server
ssh authentication-retries 4
ssh timeout 90
ex3500-qos-class-map-policy
Creates an EX3500 Quality of Service (QoS) class map policy and enters its configuration mode
A QoS class map policy contains a set of Differentiated Services (DiffServ) classification criteria that are
used to classify incoming traffic into different categories and provide differentiated service based on this
classification. Each policy defines a set of match criteria rules that use objects, such as access lists, IP
precedence or DSCP values, and VLANs. When configured and applied, the policy classifies traffic
based on layer 2, layer 3, or layer 4 information contained in each incoming packet.
Syntax
ex3500-qos-class-map-policy <POLICY-NAME>
Parameters
ex3500-qos-class-map-policy <POLICY-NAME>
<POLICY-NAME> Specify the EX3500 QoS class map policy name. If the policy does not
exist, it is created.
Examples
nx9500-6C8809(config)#ex3500-qos-class-map-policy dscp
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#?
EX3500_Qos_class_map Mode commands:
description Class-map description
match Defines the match criteria to classify traffic
no Negate a command or set its defaults
rename Redefines the name of class-map
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
Related Commands
The following table summarizes EX3500 QoS class map policy configuration mode commands:
description
Configures this EX3500 QoS class map policy’s description
Supported in the following platforms:
• Service Platforms — NX 7510, NX 95XX, NX 96XX
Syntax
description <LINE>
Parameters
description <LINE>
description <LINE>    Configures this EX3500 QoS class map policy’s description
    • <LINE> – Enter a description that allows you to differentiate it from
    other policies with similar configuration (should not exceed 64
    characters)
Examples
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#description "Matches packets
marked for DSCP service 3"
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context
ex3500-qos-class-map-policy dscp
description "Matches packets marked for DSCP service 3"
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
Related Commands
match
Configures match criteria rules used to classify traffic
Access lists, IP precedence, DSCP values, or VLANs are commonly used to classify traffic. Access lists
select traffic based on layer 2, layer 3, or layer 4 information contained in each packet.
Supported in the following platforms:
• Service Platforms — NX 7510, NX 95XX, NX 96XX
Syntax
match [access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl]
<ACL-NAME>|cos <0-7>|ip [dscp <0-63>|precedence <0-7>]|ipv6 dscp <0-63>|vlan <1-4094>]
Parameters
match [access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl]
<ACL-NAME>|cos <0-7>|ip [dscp <0-63>|precedence <0-7>]|ipv6 dscp <0-63>|vlan <1-4094>]
cos <0-7> Configures the class of service (CoS) value used to apply user priority. CoS
is a form of QoS applicable only to layer 2 Ethernet frames. It uses 3-bits (8
values) of the 802.1Q tag to differentiate and shape network traffic.
• <0-7> – Specify the CoS value from 0 - 7.
ip [dscp <0-63>|precedence <0-7>]    Configures the IPv4 DSCP value to match and/or the IP precedence value
to match.
• <0-63> – Specify the DSCP value from 0 - 63. Use this option to specify
the type of service (ToS) field values included in the IP header. The ToS
field exists between the header length and the total length fields. The
DSCP constitutes the first 6 bits of the ToS field.
• precedence <0-7> – Configures the IP precedence to match. Following
are the 8 traffic classes based on the IP precedence values:
◦ 000 (0) - Routine
◦ 001 (1) - Priority
◦ 010 (2) - Immediate
◦ 011 (3) - Flash
◦ 100 (4) - Flash Override
◦ 101 (5) - Critical
◦ 110 (6) - Internetwork Control
◦ 111 (7) - Network Control
Usage Guidelines
When configuring match entries, take into consideration the following points:
• Deny rules included in an ACL (associated with an EX3500 QoS class map policy) are ignored
whenever an incoming packet matches the ACL.
• A class map policy cannot include both an IP ACL or IP precedence rule and a VLAN rule.
• A class map policy containing a MAC ACL or VLAN rule cannot include either an IP ACL or an IP
precedence rule.
• A class map policy can include a maximum of 16 match entries.
Examples
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#match ip dscp 3
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context
ex3500-qos-class-map-policy dscp
description "Matches packets marked for DSCP service 3"
match ip dscp 3
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
nx9500-6C8809(config-ex3500-qos-class-map-policy-test2)#match ip precedence 1
Related Commands
no (ex3500-qos-class-map-policy-config-commands) on page 443    Removes match criteria rules configured for this EX3500 QoS class map policy
rename
Renames an existing EX3500 QoS class map policy
Supported in the following platforms:
• Service Platforms — NX 7510, NX 95XX, NX 96XX
Syntax
rename <EX3500-QOS-CLASS-MAP-POLICY-NAME> <NEW-EX3500-QOS-CLASS-MAP-POLICY-NAME>
Parameters
rename <EX3500-QOS-CLASS-MAP-POLICY-NAME> <NEW-EX3500-QOS-CLASS-MAP-POLICY-NAME>
Examples
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#rename [TAB]
dscp test test2
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#rename test2 IP_Precedence
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#rename [TAB]
dscp IP_Precedence test
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
no (ex3500-qos-class-map-policy-config-commands)
description
Removes this EX3500 QoS class map policy’s description and match criteria
Supported in the following platforms:
• Service Platforms — NX 7510, NX 95XX, NX 96XX
Syntax
no [description|match]
no description
no match [access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl]
<ACL-NAME>|cos <0-7>|ip [dscp <0-63>|precedence <0-7>]|ipv6 dscp <0-63>|vlan <1-4094>]
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes the EX3500 QoS class map policy’s settings based on the
parameters passed
Examples
The following example shows the EX3500 QoS class map policy ‘test’ settings before the ‘no’ commands
are executed:
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context
ex3500-qos-class-map-policy dscp
description "Matches packets marked for DSCP service 3"
match ip dscp 3
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#no description
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#no match ip dscp
The following example shows the EX3500 QoS class map policy ‘test’ settings after the ‘no’ commands
are executed:
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context
ex3500-qos-class-map-policy test
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
ex3500-qos-policy-map
An EX3500 policy map contains one or more EX3500 QoS class map traffic classifications (existing
and configured) and can be attached to multiple interfaces. Create an EX3500 policy map, and then use
the class parameter to configure policies for traffic that matches the criteria defined in the EX3500 QoS
class map policy. For more information, see match on page 441.
Syntax
ex3500-qos-policy-map <EX3500-QOS-POLICY-MAP-NAME>
Parameters
ex3500-qos-policy-map <EX3500-QOS-POLICY-MAP-NAME>
Examples
nx9500-6C8809(config)#ex3500-qos-policy-map testPolicyMap
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap)#?
nx9500-6C8809_Qos_policy_map Mode commands:
class Defines a traffic classification for the policy
description Policy-map description
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap)#
Related Commands
The following table summarizes EX3500 QoS policy map configuration mode commands:
class
Creates a policy map class and enters its configuration mode. The policy map class is a traffic
classification upon which a policy can act.
Supported in the following platforms:
• Service Platforms — NX 7510, NX 95XX, NX 96XX
Syntax
class <EX3500-QoS-CLASS-MAP-POLICY-NAME>
Parameters
class <EX3500-QoS-CLASS-MAP-POLICY-NAME>
class <EX3500-QoS-CLASS-MAP-POLICY-NAME>    Specify the EX3500 QoS class map policy’s name (should be existing and
configured)
Examples
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap)#class dscp
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#?
commands:
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
Related Commands
set on page 451    Sets CoS value, per-hop behavior (PHB) value, and IP DSCP value in matching packets
police on page 446    Configures an enforcer for classified traffic
no (ex3500-qos-policy-map) on page 453    Removes this traffic classification’s settings
police
Configures an enforcer for classified traffic
Supported in the following platforms:
• Service Platforms — NX 7510, NX 95XX, NX 96XX
Syntax
police [flow|srtcm-color-aware|srtcm-color-blind|trtcm-color-aware|trtcm-color-blind]
police flow <0-1000000> <0-16000000> conform-action transmit violate-action [<0-63>|drop]
police [srtcm-color-aware|srtcm-color-blind] <0-1000000> <0-16000000>
<0-16000000> conform-action transmit exceed-action [<0-63>|drop] violate-action [<0-63>|
drop]
police [trtcm-color-aware|trtcm-color-blind] <0-1000000> <0-16000000> <0-1000000>
<0-16000000>
conform-action transmit exceed-action [<0-63>|drop] violate-action [<0-63>|drop]
Parameters
police flow <0-1000000> <0-16000000> conform-action transmit violate-action [<0-63>|drop]
violate-action [<0-63>|drop]    Configures the action applied when packets violate the specified CIR and BC limits
    • <0-63> – Applies a new DSCP value. Select the DSCP value from 0 - 63.
    • drop – Drops packets violating the specified CIR and BC limits
exceed-action [<0-63>|drop]    Configures the action applied when packet rates exceed the specified CIR and BC limits
    • <0-63> – Applies a new DSCP value. Select the DSCP value from 0 - 63
    • drop – Drops packets exceeding the specified CIR and BC limits
violate-action [<0-63>|drop]    Configures the action applied when packet rates exceed the specified BE limit
    • <0-63> – Applies a new DSCP value. Select the DSCP value from 0 - 63
    • drop – Drops packets exceeding the specified BE limit
exceed-action [<0-63>|drop]    Configures the action applied when packet rates exceed the specified CIR limit, but are within the specified PIR limit
    • <0-63> – Applies a new DSCP value. Select the DSCP value from 0 - 63.
    • drop – Drops packets exceeding the specified CIR and BC limit
violate-action [<0-63>|drop]    Configures the action applied when packet rates exceed the specified PIR limit
    • <0-63> – Applies a new DSCP value. Select the DSCP value from 0 - 63.
    • drop – Drops packets exceeding the specified BE limit
Usage Guidelines
When configuring the traffic class enforcer parameters, consider the following factors:
• You can configure up to 200 enforcers/policers (i.e., class maps) for ingress ports.
• The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot
exceed 16 Mbytes.
Examples
The following example uses the police > trtcm-color-blind command to limit the average
bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to
1,000,000 Kbps, the peak burst size to 6000, to remark any packets exceeding the committed burst
size, and to drop any packets exceeding the peak information rate.
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#police
trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action 0
violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context
class dscp
police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action
0 violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
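An added illustration, not from the guide: a color-blind two-rate three-color meter in Python, following RFC 2698, which is assumed here to be the behaviour behind trtcm-color-blind. It runs a constructed packet burst through the values the example text describes (CIR 100,000 Kbps, BC 4000 bytes, PIR 1,000,000 Kbps, BE 6000 bytes) and returns the configured action for each packet; the class and function names are this example's own.

```python
# Tokens are kept in millibits so that Kbps x microseconds stays an exact integer.
MILLIBITS_PER_BYTE = 8000

# Actions from the command: conform-action transmit exceed-action 0 violate-action drop
ACTIONS = {"green": "transmit", "yellow": "remark-dscp-0", "red": "drop"}

# Constructed arrival pattern: (arrival time in microseconds, packet size in bytes).
SAMPLE_BURST = [(0, 1500)] * 5 + [(40, 1500), (40, 1500), (1000, 1500)]


class TrTcmColorBlind:
    """Two token buckets: C (rate CIR, depth BC) and P (rate PIR, depth BE)."""

    def __init__(self, cir_kbps, bc_bytes, pir_kbps, be_bytes):
        self.cir = cir_kbps
        self.pir = pir_kbps
        self.cbs = bc_bytes * MILLIBITS_PER_BYTE
        self.pbs = be_bytes * MILLIBITS_PER_BYTE
        self.tc = self.cbs          # both buckets start full
        self.tp = self.pbs
        self.last_us = 0

    def meter(self, t_us, size_bytes):
        """Return 'green', 'yellow' or 'red' for a packet arriving at t_us."""
        dt = t_us - self.last_us
        if dt < 0:
            raise ValueError("packets must be metered in arrival order")
        self.last_us = t_us
        # Refill each bucket at its own rate, never beyond its depth.
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        need = size_bytes * MILLIBITS_PER_BYTE
        if self.tp < need:          # exceeds the peak rate: violate
            return "red"
        if self.tc < need:          # within PIR but above CIR: exceed
            self.tp -= need
            return "yellow"
        self.tp -= need             # within CIR: conform
        self.tc -= need
        return "green"


def police(cir_kbps, bc_bytes, pir_kbps, be_bytes, packets=SAMPLE_BURST):
    """Return the action applied to each packet, in arrival order."""
    meter = TrTcmColorBlind(cir_kbps, bc_bytes, pir_kbps, be_bytes)
    return [ACTIONS[meter.meter(t_us, size)] for t_us, size in packets]


if __name__ == "__main__":
    results = police(100000, 4000, 1000000, 6000)
    for (t_us, size), action in zip(SAMPLE_BURST, results):
        print("t=%5d us  %4d bytes  -> %s" % (t_us, size, action))
```

With a PIR equal to the CIR (100000 for both), the two packets arriving at 40 microseconds are dropped instead of transmitted and remarked, because the peak bucket then refills no faster than the committed one.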
Related Commands
set
Sets CoS value, PHB value, and IP DSCP value in matching packets
Supported in the following platforms:
• Service Platforms — NX 7510, NX 95XX, NX 96XX
Syntax
set [cos <0-7>|ip dscp <0-63>|phb <0-7>]
Parameters
set [cos <0-7>|ip dscp <0-63>|phb <0-7>]
set Sets the match criteria used to identify and classify traffic into different
classes. The match criteria options are: CoS, IP DSCP, and PHB values.
cos <0-7> Configures the CoS value for a matching packet (as specified by the match
command) in the packet’s VLAN tag
• <0-7> – Specify a value from 0 - 7. The CoS is modified to the value
specified here.
ip dscp <0-63> Modifies the IP DSCP value in a matching packet (as specified by the match
command)
• <0-63> – Specify a value from 0 - 63. The DSCP value is modified to the
value specified here.
Examples
The following example uses the set > phb command to classify the service that incoming packets
will receive, and then uses the police > trtcm-color-blind command to limit the average
bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to
1,000,000 Kbps, the peak burst size to 6000 bytes, to remark any packets exceeding the committed
burst size, and to drop any packets exceeding the peak information rate.
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#set phb 3
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)# police
trtcm-color-blind 100000 4000 1000000 6000 conform-action transmit exceed-action 0
violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#show context
class test2
set phb 3
police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action
0 violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#
The following example uses the set > ip dscp command to classify the service that incoming packets
will receive, and then uses the police > flow command to limit the average bandwidth to 100,000 Kbps,
the burst rate to 4000 bytes, and configure the response to drop any violating packets:
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#set ip dscp 3
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)# police flow
100000 4000
conform-action transmit violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context
class dscp
set ip dscp 3
police flow 100000 4000 conform-action transmit violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
Related Commands
no (ex3500-traffic-class-config-commands) on page 452    Removes CoS value, PHB value, or IP DSCP value from this traffic class
no (ex3500-traffic-class-config-commands)
Removes this traffic classification’s settings
Supported in the following platforms:
• Service Platforms — NX 7510, NX 95XX, NX 96XX
Syntax
no [police|set]
no police [flow|srtcm-color-aware|srtcm-color-blind|trtcm-color-aware|trtcm-color-blind]
no set [cos|ip dscp|phb]
Parameters
no <PARAMETERS>
no <PARAMETERS>    Removes this traffic class’s settings based on the parameters passed
Examples
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context
class dscp
set ip dscp 3
police flow 100000 4000 conform-action transmit violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#no set ip dscp
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#no police flow
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context
class dscp
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
description
Syntax
description <LINE>
Parameters
description <LINE>
Examples
nx9500-6C8809(config-ex3500-qos-policy-map-test)#description "This is a test EX3500 QoS
Policy Map"
nx9500-6C8809(config-ex3500-qos-policy-map-test)#show context
ex3500-qos-policy-map test
description "This is a test EX3500 QoS Policy Map"
class test
nx9500-6C8809(config-ex3500-qos-policy-map-test)#
Related Commands
no (ex3500-qos-policy-map)
Removes this EX3500 QoS policy map's settings. Use this keyword to remove the description and to
remove the QoS traffic classification created.
Supported in the following platforms:
• Service Platforms — NX 7510, NX 95XX, NX 96XX
Syntax
no [class <EX3500-QoS-POLICY-MAP-NAME>|description]
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes this EX3500 QoS policy map's settings based on the
parameters passed
Examples
The following example shows the EX3500 QoS policy map ‘test’ settings before the ‘no’ commands are
executed:
nx9500-6C8809(config-ex3500-qos-policy-map-test)#show context
ex3500-qos-policy-map test
description "This is a test EX3500 QoS Policy Map"
class test
nx9500-6C8809(config-ex3500-qos-policy-map-test)#
EX3500(config-ex3500-qos-policy-map-test)#no description
EX3500(config-ex3500-qos-policy-map-test)#no class test
The following example shows the EX3500 QoS policy map ‘test’ settings after the ‘no’ commands are
executed:
EX3500(config-ex3500-qos-policy-map-test)#show context
ex3500-qos-policy-map test
EX3500(config-ex3500-qos-policy-map-test)#
ex3524
The EX3524 series switch is a Gigabit Ethernet layer 2 switch with either 24 or 48 10/100/1000-BASE-T
ports, and four SFP transceiver slots for fiber connectivity.
To enable layer 3 adoption of the logged EX3524 switch to a NOC controller, navigate to the switch’s
device configuration mode and execute the following command: controller > host > <IP/HOSTNAME>.
EX3524 devices are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/1000-BASE-T ports,
and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the
IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3524 switch has an SNMP-based
management agent that provides both in-band and out-of-band management access. The EX3524
switch utilizes an embedded HTTP Web agent and CLI, which in spite of being different from that of the
EX3524 operating system provides WiNG controllers PoE and port management resources.
Going forward, NX 7510, NX 9500, and NX 9600 WiNG managed series service platforms and WiNG VMs
can discover, adopt, and partially manage EX3524 series Ethernet switches without modifying the
proprietary operating system running the EX3524 switches. The WiNG service platforms utilize
standardized WiNG interfaces to push configuration files to the EX3524 switches, and maintain a
translation layer, understood by the EX3524 switch, for statistics retrieval.
Syntax
ex3524 <DEVICE-EX3524-MAC>
Parameters
ex3524 <DEVICE-EX3524-MAC>
Examples
nx9500-6C8809(config)#ex3524 A1-C4-33-6D-66-07
nx9500-6C8809(config-device-A1-C4-33-6D-66-07)#?
EX35xx Device Mode commands:
nx9500-6C8809(config-device-A1-C4-33-6D-66-07)#
Related Commands
ex3548
The EX3548 series switch is a Gigabit Ethernet layer 2 switch with either 24 or 48 10/100/1000-BASE-T
ports, and four SFP transceiver slots for fiber connectivity.
Syntax
ex3548 <DEVICE-EX3548-MAC>
Parameters
ex3548 <DEVICE-EX3548-MAC>
Examples
nx9500-6C8809(config)#ex3548 22-65-78-09-12-35
nx9500-6C8809(config-device-22-65-78-09-12-35)#?
EX35xx Device Mode commands:
hostname Set system's network name
interface Select an interface to configure
ip Internet Protocol (IP)
no Negate a command or set its defaults
power EX3500 Power over Ethernet Command
remove-override Remove configuration item override from the device (so
nx9500-6C8809(config-device-22-65-78-09-12-35)#
Related Commands
event-system-policy
Configures a system wide events handling policy
Event system policies enable administrators to create notification mechanisms using one, some, or all of
the SNMP, syslog, controller forwarding, or email notification options available to the controller or
service platform. Each listed event can have customized notification settings defined and saved as part
of an event policy. Thus, policies can be configured and administrated in respect to specific sets of client
association, authentication or encryption, and performance events. Once policies are defined, they can
be mapped to device profiles strategically as the likelihood of an event applies to particular devices.
To view an existing event system policy’s configuration details, use the show > event-system-policy
command.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
event-system-policy <EVENT-SYSTEM-POLICY-NAME>
Parameters
event-system-policy <EVENT-SYSTEM-POLICY-NAME>
<EVENT-SYSTEM-POLICY-NAME>    Specify the event system policy name. If the policy does not exist, it is
created.
Examples
nx9500-6C8809(config)#event-system-policy event-testpolicy
nx9500-6C8809(config-event-system-policy-event-testpolicy)#?
Event System Policy Mode commands:
event Configure an event
no Negate a command or set its defaults
nx9500-6C8809(config-event-system-policy-event-testpolicy)#
Related Commands
event-system-policy-mode-commands
The following table summarizes event system policy configuration mode commands:
event
Configures an event and sets the action performed when the event happens
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
event <EVENT-TYPE> <EVENT-NAME> (email,forward-to-switch,snmp,syslog) [default|on|off]
nx9500-6C8809(config-event-system-policy-testpolicy)#
Note
The parameter values for <EVENT-TYPE> and <EVENT-NAME> are summarized in the table
under the Parameters section.
Parameters
event <EVENT-TYPE> <EVENT-NAME> (email,forward-to-switch,snmp,syslog) [default|on|off]
<event-type> <event-name>
aaa Enables and configures logging of the following authentication,
authorization, and accounting related events:
• radius-discon-msg – RADIUS disconnection message
• radius-session-expired – RADIUS session expired message
• radius-session-not-started – RADIUS session not started message
• radius-vlan-update – RADIUS VLAN update message
adapt Enables and configures logging of the following adaptivity module related
events:
• adaptivity-change – Event adaptivity change
• adaptivity-rehome – Event adaptivity rehome
adopt-services Enables and configures the logging of adopted services related events
adv-wips Enables and configures the logging of advanced WIPS related events
ap Enables and configures logging of the following AP related events:
• adopted – Event AP adopted
• adopted-to-controller – Event AP adopted to wireless controller
• ap-adopted – Event access port adopted
• ap-autoup-done – Event AP autoup done
• ap-autoup-fail – Event AP autoup fail
• ap-autoup-needed – Event AP autoup needed
• ap-autoup-no-need – Event AP autoup not needed
• ap-autoup-reboot – Event AP autoup reboot
• ap-autoup-timeout – Event AP autoup timeout
• ap-autoup-ver – Event AP autoup version
• ap-reset-detected – Event access port reset detected
• ap-reset-request – Event access port user requested reset
• ap-timeout – Event access port timed out
• ap-unadopted – Event access port unadopted
• image-parse-failure – Event image parse failure
• legacy-auto-update – Event legacy auto update
• no-image-file – Event no image file
• offline – Event AP detected as offline
• online – Event offline AP detected as online
• reset – Event reset
• sw-conn-lost – Event software connection lost
• unadopted – Event unadopted
captive-portal Enables and configures logging of the following captive portal (hotspot)
related events:
• allow-access – Event client allowed access
• auth-failed – Event client authentication failed
• auth-success – Event client authentication success
• client-disconnect – Event client disconnected
• client-removed – Event client removed
• data-limit-exceed – Event client data limit exceeded
• flex-log-access – Event flexible log access granted to client
• inactivity-timeout – Event client time-out due to inactivity
• page-cre-failed – Event page creation failure
• purge-client – Event client purged
• session-timeout – Event session timeout
• vlan-switch – Event client switched VLAN
cdp Enables and configures logging of the following Cisco Discovery Protocol
(CDP) related event:
• duplex-mismatch – Event duplex mismatch detected between CDP
neighbors
cluster Enables and configures logging of the following cluster module related
events:
• cmaster-cfg-update-fail – Event cluster master config update failed
• max-exceeded – Event maximum cluster count exceeded
• state-change – Event cluster state change (active/inactive)
• state-change-active – Event cluster state change to active
• state-change-inactive – Event cluster state change to inactive
• state-retain-active – Event cluster state retained as active
device Enables and configures the logging of device module related events
database Enables and configures logging of the following error conditions in the
captive-portal/NSight database:
• database-election-fail – Event primary database node selection failure.
Requires manual intervention to select primary database node.
• database-exception – Event database may need to be dropped and
device restarted
• database-low-disk-space – Event database low disk space
• database-new-state – Event database state change
• database-op-failure – Event database failure
• database-set-name-mismatch – Event replica-set not enabled on host
• database-storage-mismatch – Event database mismatch. All database
files must be removed.
• operation-complete – Event database operation completed
successfully
• operation-failed – Event database operation failure
dhcpsvr Enables and configures logging of the following DHCP server related
events:
• dhcp-start – Event DHCP server started
• dhcpsvr-stop – Event DHCP server stopped
• relay-iface-no-ip – Event no IP address on DHCP relay interface
• relay-no-iface – Event no interface for DHCP relay
• relay-start – Event relay agent started
• relay-stop – Event DHCP relay agent stopped
diag Enables and configures logging of the following diagnostics module
related events:
• autogen-tech-sprt – Event autogen technical support
• buf-usage – Event buffer usage
• cpu-load – Event CPU load
• cpu-usage-too-high – Event CPU usage high
• cpu-usage-too-high-recovery – Event recovery from high CPU usage
• disk-usage – Event disk usage
• elapsed-time – Event elapsed time
• fan-underspeed – Event fan underspeed
• fd-count – Event forward count
• free-flash-disk – Event free flash disk
• free-flash-inodes – Event free flash inodes
• free-nvram-disk – Event free nvram disk
• free-nvram-inodes – Event free nvram inodes
• free-ram – Event free ram
• free-ram-disk – Event free ram disk
• free-ram-inodes – Event free ram inodes
• head-cache-usage – Event head cache usage
• high-temp – Event high temp
• ip-dest-usage – Event ip destination usage
• led-identify – Event led identify
• low-temp – Event low temp
• mem-usage-too-high – Event memory usage high
• mem-usage-too-high-recovery – Event recovery from high memory
usage
• new-led-state – Event new led state
• over-temp – Event over temp
• over-voltage – Event over voltage
• poe-init-fail – Event PoE init fail
• poe-power-level – Event PoE power level
• poe-read-fail – Event PoE read fail
• poe-state-change – Event PoE state change
• pwrsply-fail – Event failure of power supply
• raid-degraded – Event Redundant Array of Independent Disks (RAID)
degraded
• raid-error – Event RAID error
• ram-usage – Event ram usage
• under-voltage – Event under voltage
• wd-reset-sys – Event wd reset system
• wd-state-change – Event wd state change
dot11 Enables and configures logging of the following 802.11 management
module related events:
• client-assoc-ignored – Wireless client association ignored event
• client-associated – Wireless client associated event
• client-denied-assoc – Event client denied association
• client-disassociated – Wireless client disassociated
• country-code – Event country code applied
• country-code-error – Event country code error
• eap-cached-keys – Event Extensible Authentication Protocol (EAP)
cached keys
• eap-client-timeout – Event EAP client timeout
• eap-failed – Event EAP failed
• eap-opp-cached-keys – Event EAP opp cached keys
• eap-preauth-client-timeout – Event EAP pre authentication client
timeout
• eap-preauth-failed – Event EAP pre authentication failed
• eap-preauth-server-timeout – Event EAP pre authentication server
timeout
• eap-preauth-success – Event EAP pre authentication success
• eap-server-timeout – Event EAP server timeout
• eap-success – Event EAP success
• ft-roam-success – Event client fast BSS transition
• gal-rx-request – Event GAL request received event
• gal-tx-response – Event response sent to GAL request
• gal-validate-failed – Event GAL validation failed
• gal-validate-req – Event GAL validation request
• gal-validate-success – Event GAL validation success
• kerberos-client-success – Event client Kerberos authentication success
• kerberos-wlan-failed – Event WLAN Kerberos authentication failed
• kerberos-wlan-success – Event WLAN Kerberos authentication
success
• kerberos-wlan-timeout – Event Kerberos authentication timed out
• move-operation-success – Event move operation success
• tkip-cntrmeas-end – Event TKIP countermeasures ended
• tkip-cntrmeas-start – Event TKIP countermeasures initiated
• tkip-mic-fail-report – Event TKIP MIC failure report
• tkip-mic-failure – Event TKIP MIC check failed
• neighbor-denied-assoc – Event neighbor denied association
• unsanctioned-ap-active – Event unsanctioned AP active
• unsanctioned-ap-inactive – Event unsanctioned AP inactive
• unsanctioned-ap-status-change – Event unsanctioned AP status
change
• voice-call-completed – Event voice call completed
• voice-call-established – Event voice call established
• voice-call-failed – Event voice call failed
• wlan-time-access-disable – Event WLAN disabled by time-based-access
• wlan-time-access-enable – Event WLAN re-enabled by time-based-access
• wpa-wpa2-failed – Event WPA-WPA2 failed
• wpa-wpa2-key-rotn – Event WPA-WPA2 key rotn
• wpa-wpa2-success – Event WPA-WPA2 success
fwu Enables and configures logging of the following firmware update (FWU)
related events:
• fwuaborted – Event fwu aborted
• fwubadconfig – Event fwu aborted due to bad config
• fwucorruptedfile – Event fwu aborted due to corrupted file
• fwucouldntgetfile – Event fwu aborted because the system could not
get file
• fwudone – Event fwu done
• fwufileundef – Event fwu aborted due to file undefined
• fwunoneed – Event fwu no need
• fwuprodmismatch – Event fwu aborted due to product mismatch
• fwuserverundef – Event fwu aborted due to server undefined
• fwuserverunreachable – Event fwu aborted due to server unreachable
• fwusignmismatch – Event fwu aborted due to signature mismatch
• fwusyserr – Event fwu aborted due to system error
• fwuunsupportedhw – Event fwu aborted due to unsupported
hardware
• fwuunsupportedmodelnum – Event fwu aborted due to unsupported
FIPS model number
• fwuvermismatch – Event fwu aborted due to version mismatch
isdn Configures Integrated Services Digital Network (ISDN) module related
events:
• isdn-alert – Event ISDN alert
• isdn-crit – Event ISDN critical
• isdn-debug – Event ISDN debug
• isdn-emerg – Event ISDN emergency
• isdn-err – Event ISDN error
• isdn-info – Event ISDN info
• isdn-notice – Event ISDN notice
• isdn-warning – Event ISDN warning
l2gre Enables and configures logging of the following Layer 2 GRE (L2GRE)
tunnel related events:
• l2gre-tunnel-down – Event L2GRE tunnel down
• l2gre-tunnel-failover – Event L2GRE tunnel failover
• l2gre-tunnel-up – Event L2GRE tunnel up
l2tpv3 Enables and configures logging of the following Layer 2 Tunneling Protocol version 3 (L2TPv3)
tunnel related events:
• l2tpv3-tunnel-down – Event L2TPv3 tunnel down
• l2tpv3-tunnel-up – Event L2TPv3 tunnel up
licmgr Enables and configures logging of the following license manager module
related events:
• lic-installed-count – Event total number of license installed count
• lic-installed-default – Event default license installation
• lic-installed – Event license installed
• lic-invalid – Event license installation failed
• lic-removed – Event license removed
lldp Enables and configures logging of the following Link Layer Discovery
Protocol (LLDP) related events:
• lldp-loop-detected – Event layer 2 switching loop
• lldp-loop-recovery – Event recovery from layer 2 switching loop
mesh Enables and configures logging of the following mesh module related
events:
• mesh-link-down – Event mesh link down
• mesh-link-up – Event mesh link up
• meshpoint-down – Event meshpoint down
• meshpoint-loop-prevent-off – Event meshpoint loop prevent off
• meshpoint-loop-prevent-on – Event meshpoint loop prevent on
• meshpoint-path-change – Event meshpoint-path-change
• meshpoint-root-change – Event meshpoint-root-change
• meshpoint-up – Event meshpoint up
nsm Configures Network Service Module (NSM) related events:
• dhcpc-err – Event DHCP certification error
• dhcpdefrt – Event DHCP defrt
• dhcpip – Event DHCP IP
• dhcpipchg – Event DHCP IP change
• dhcpipnoadd – Event DHCP IP overlaps static IP address
• dhcplsexp – Event DHCP lease expiry
• dhcpnak – Event DHCP server returned DHCP NAK response
• dhcpnodefrt – Event interface no default route
• if-failback – Event interface failback
• if-failover – Event interface failover
• ifdown – Event interface down
• ifipcfg – Event interface IP config
• ifup – Event interface up
• nsm-ntp – Event translate host name
radio Enables and configures logging of the following radio module related
events:
• acs-scan-complete – Event ACS scan completed
• acs-scan-started – Event ACS scan started
• cb-associated – Event client-bridge access point associates with an
infrastructure access point
• cb-roam – Event client-bridge access point roams from one
infrastructure access point to another infrastructure access point
• cb-wired-client-added – Event wired client is added to the client-bridge
• cb-wired-client-removed – Event wired client is removed from the client-bridge
• channel-country-mismatch – Event channel and country of operation
mismatch
• radar-det-info – Detected radar info
• radar-detected – Event radar detected
• radar-scan-completed – Event radar scan completed
• radar-scan-started – Event radar scan started
• radio-antenna-error – Event invalid antenna type on this radio
• radio-antenna-setting – Event antenna type setting on this radio
• radio-state-change – Event radio state change
• resume-home-channel – Event resume home channel
rasst Enables and configures the logging of roaming assist module related
events
smrt Enables and configures logging of the following SMART RF module
related events:
• calibration-done – Event calibration done
• calibration-started – Event calibration started
• channel-change – Event channel change
• config-cleared – Configuration cleared event
• cov-hole-recovery – Event coverage hole recovery
• cov-hole-recovery-done – Event coverage hole recovery done
• interference-recovery – Event interference recovery
• neighbor-recovery – Event neighbor recovery
• power-adjustment – Event power adjustment
• root-recovery – Event meshpoint root recovery
smtpnot Enables and configures logging of the following SMTP module related
events:
• cfg – Event cfg
• cfginc – Event cfg inc
• net – Event net
• proto – Event proto
• smtpauth – Event SMTP authentication
• smtperr – Event SMTP error
• smtpinfo – Event SMTP information
system Enables and configures logging of the following system module related
events:
• clock-reset – Event clock reset
• cold-start – Event cold start
• config-commit – Event configuration commit
• config-revision – Event config-revision done
• devup-rfd-fail – Event device-upgrade failed on rf-domain manager
managed devices
• guest-user-exp – Event guest user purging
• http-err – Event Web server did not start
• login – Event successful login
• login-fail – Event login fail. Occurs when user authentication fails.
• login-fail-access – Event login fail access. Occurs in case of access
violation.
• login-fail-bad-role – Event login fail bad role. Occurs when user uses
an invalid role to logon.
• login-lockout – Event user account locked out message. Occurs when
a user account is locked because the maximum number of failed
login attempts has been exceeded. Configure this event notification only if the
max-fail and lockout-time parameters have been configured in the
management-policy context. For more information, see password-entry
on page 1694.
• login-unlocked – Event user account un-locked. Occurs when a locked
user account is re-activated. Enable this event notification only if the
max-fail and lockout-time parameters have been configured in the
management-policy context. For more information, see password-entry
on page 1694.
• logout – Event logout
• maat-light – Event action on RIM (Research in Motion) radio(s) from
the Maat light module
• panic – Event panic
• periodic-heart-beat – Event periodic heart beat
• procstop – Event proc stop
• server-unreachable – Event server-unreachable
• system-autoup-disable – Event system autoup disable
• system-autoup-enable – Event system autoup enable
• t5-config-error – Event t5-config-error
• ui-user-auth-fail – Event user authentication fail
• ui-user-auth-success – Event user authentication success
• warm-start – Event warm start
• warm-start-recover – Event recovery from warm start
test Enables and configures logging of the following test module related
events:
• testalert – Event test alert
• testargs – Event test arguments
• testcrit – Event test critical
• testdebug – Event test debug
• testemerg – Event test emergency
• testerr – Event test error
• testinfo – Event test information
• testnotice – Event test notice
• testwarn – Event test warning
tron Enables and configures logging of the following TRON device (i.e., the ID
Nodes) related events:
• first-sighting - Logs an event when 'a first-sighting TRON message is
generated for the ID node'.
• offline - Logs an event when 'an off-line TRON message is generated
for the node'.
• online - Logs an event when 'an on-line TRON message is generated
for the node'.
• sporadic - Logs an event when 'a sporadic TRON message is
generated for the ID node'.
webf Enables and configures logging of the following Web Filtering (webf)
module related events:
• malform-url-request – Event malformed URL request
• no-parent-engine – Event ‘no session to URL classification server’
• srvr-connect-fail – Event URL classification server unreachable
• url-blocked – Event URL blocked
• webf-lic-acquired – Event webf license acquired
• webf-lic-missing – Event webf license missing
• webf-lic-revoked – Event webf license revoked
wips Enables and configures logging of the following Wireless IPS module
related events:
• air-termination-active – Event air termination active
Examples
rfs4000-229D58(config-event-system-policy-event-testpolicy)#event aaa radius-discon-msg email on forward-to-switch default snmp default syslog default
rfs4000-229D58(config-event-system-policy-testpolicy)#show context
event-system-policy test
event aaa radius-discon-msg email on
rfs4000-229D58(config-event-system-policy-testpolicy)#
nx9500-6C8809(config-event-system-policy-test)#event database database-exception syslog default snmp default forward-to-switch default email default
nx9500-6C8809(config-event-system-policy-test)#event database operation-failed syslog default snmp default forward-to-switch default email default
nx9500-6C8809(config-event-system-policy-test)#show context include-factory | grep operation-failed
event database operation-failed syslog default snmp default forward-to-switch default email default
nx9500-6C8809(config-event-system-policy-test)#
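The following Python script is an added example, not part of the Extreme Networks guide. It parses show context output for an event system policy and lists the event commands needed to turn syslog on for a watchlist of login-failure, unsanctioned-AP, TKIP MIC and firmware-signature events. The watchlist, the function names and the sample listing are assumptions made for the example; the event names and the command syntax are the ones documented above.

```python
# Notification channels and states from the syntax line of the event command.
CHANNELS = ("email", "forward-to-switch", "snmp", "syslog")
STATES = ("default", "on", "off")

# Assumption: this watchlist is a selection made for the example. Every
# <EVENT-TYPE> <EVENT-NAME> pair in it comes from the parameter table above.
WATCHLIST = [
    ("system", "login-fail"),
    ("system", "login-fail-access"),
    ("system", "login-fail-bad-role"),
    ("system", "login-lockout"),  # needs max-fail and lockout-time configured
    ("dot11", "unsanctioned-ap-active"),
    ("dot11", "tkip-mic-failure"),
    ("fwu", "fwusignmismatch"),
]

# Constructed sample input, written in the layout `show context` uses above.
SAMPLE_CONTEXT = """\
event-system-policy test
 event aaa radius-discon-msg email on
 event system login-fail syslog on snmp on
 event system login-lockout syslog off
 event dot11 unsanctioned-ap-active email on
 event fwu fwusignmismatch syslog default snmp default forward-to-switch default email default
"""


def parse_policy(text):
    """Map (event_type, event_name) to {channel: state} for every event line."""
    policy = {}
    for raw in text.splitlines():
        tokens = raw.split()
        # Prompt lines and the policy header do not start with "event".
        if len(tokens) < 3 or tokens[0] != "event":
            continue
        settings = tokens[3:]
        if len(settings) % 2:
            raise ValueError(f"channel without a state: {raw.strip()!r}")
        # A channel that is not printed is left at "default".
        states = policy.setdefault(
            (tokens[1], tokens[2]), {c: "default" for c in CHANNELS}
        )
        for channel, state in zip(settings[0::2], settings[1::2]):
            if channel not in CHANNELS or state not in STATES:
                raise ValueError(f"unexpected setting: {raw.strip()!r}")
            states[channel] = state
    return policy


def missing_notifications(text, channel="syslog", watchlist=WATCHLIST):
    """Return the CLI lines that set `channel` to on for watched events.

    "default" is treated as not explicitly on, because the factory default
    of each event is not stated in this section.
    """
    policy = parse_policy(text)
    commands = []
    for event_type, event_name in watchlist:
        state = policy.get((event_type, event_name), {}).get(channel, "default")
        if state != "on":
            commands.append(f"event {event_type} {event_name} {channel} on")
    return commands


if __name__ == "__main__":
    for line in missing_notifications(SAMPLE_CONTEXT):
        print(line)
```

Because show context omits channels left at their default, as the first example above shows, run the check against show context include-factory output when the factory state of an event matters.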
Related Commands
no (event-system-policy-config-mode)
Negates an event monitoring configuration
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no event <EVENT-TYPE> <EVENT-NAME> [email|forward-to-switch|snmp|syslog] [default|on|off]
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes event monitoring and message forwarding activity based on the
parameters passed
The system stops network monitoring for the occurrence of the specified event
and no notification is sent if the event occurs.
Examples
rfs4000-229D58(config-event-system-policy-TestPolicy)#event ap adopted syslog default
rfs4000-229D58(config-event-system-policy-TestPolicy)#no event ap adopted syslog
Related Commands
event on page 457 Configures the action taken for each event
firewall-policy
Configures a firewall policy. This policy defines a set of rules for managing network traffic and prevents
unauthorized access to the network behind the firewall.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
firewall-policy <FIREWALL-POLICY-NAME>
Parameters
firewall-policy <FIREWALL-POLICY-NAME>
<FIREWALL-POLICY-NAME> Specify the firewall policy name. If a firewall policy, with the specified name,
does not exist, it is created.
Examples
nx9500-6C8809(config)#firewall-policy test
nx9500-6C8809(config-fw-policy-test)#?
Firewall policy Mode commands:
acl-logging Log on flow creating traffic
alg Enable ALG
clamp Clamp value
dhcp-offer-convert Enable conversion of broadcast dhcp offers to
unicast
dns-snoop DNS Snooping
firewall Wireless firewall
flow Firewall flow
ip Internet Protocol (IP)
ip-mac Action based on ip-mac table
ipv6 Internet Protocol version 6 (IPv6)
ipv6-mac Action based on ipv6-mac table
logging Firewall enhanced logging
no Negate a command or set its defaults
proxy-arp Enable generation of ARP responses on behalf
of another device
proxy-nd Enable generation of ND responses (for IPv6)
on behalf of another device
stateful-packet-inspection-l2 Enable stateful packet inspection in layer2
firewall
storm-control Storm-control
virtual-defragmentation Enable virtual defragmentation for IPv4
packets (recommended for proper functioning
of firewall)
nx9500-6C8809(config-fw-policy-test)#
Related Commands
Note
For more information on Firewall policy, see FIREWALL-POLICY on page 1639
global-association-list
Configures a global list of client MAC addresses. Based on the deny or permit rules specified, clients are
either allowed or denied access to the managed network.
The global association list serves the same purpose as an Association ACL (Access Control List).
However, the Association ACL allows only a limited number of entries (a few thousand), which does not
meet the requirements of a large deployment. This gap is filled by the global association list, which is
much larger (with tens of thousands of entries). Both lists co-exist in the system. When an access
request comes in, the association ACL is looked up first, and if the requesting MAC address is listed in
one of the deny ACLs, the association is denied. If the requesting client is permitted access, or if
none of the ACLs lists the client’s MAC address, the global association list is checked. Once
authenticated, the client’s credentials are cached on the Access Point, and subsequent requests are not
referred to the controller. An entry in an AP’s credential cache means a pass in the global association
list.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
global-association-list <GLOBAL-ASSOC-LIST-NAME>
Parameters
global-association-list <GLOBAL-ASSOC-LIST-NAME>
<GLOBAL-ASSOC-LIST-NAME> Specify the global association list name. If a list with the same name does not exist, it is
created.
Map this global association list to a device (controller) or a controller profile. Once
associated, the controller applies this association list to requests received from all
adopted APs. For more information, see use (profile/device-config-mode-commands)
on page 1363.
The global association list can also be mapped to a WLAN. The usage of global access
lists is controlled on a per-WLAN basis. For more information, see association-list.
Examples
rfs4000-229D58(config)#global-association-list my-clients
rfs4000-229D58(config-global-assoc-list-my-clients)#?
Global Association List Mode commands:
default-action Configure the default action when the client MAC does not
match any rule
deny Specify MAC addresses to be denied
no Negate a command or set its defaults
permit Specify MAC addresses to be permitted
rfs4000-229D58(config-global-assoc-list-my-clients)#
1. Create a global association list, and configure it as shown in the following examples:
rfs4000-880DA7(config)#global-association-list vtt-list
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 01-22-33-44-55-66 description sample
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 40-B8-9A-39-F1-27 description acer
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 42-B8-9A-39-F1-27 description ami
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 6C-40-08-B2-80-6C description mac
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit E0-98-61-34-11-47 description my_mobile
rfs4000-880DA7(config-global-assoc-list-vtt-list)#show context
global-association-list vtt-list
default-action deny
permit 01-22-33-44-55-66 description sample
permit 40-B8-9A-39-F1-27 description acer
permit 42-B8-9A-39-F1-27 description ami
permit 6C-40-08-B2-80-6C description mac
permit E0-98-61-34-11-47 description my_mobile
rfs4000-880DA7(config-global-assoc-list-vtt-list)#
2. Attach this global association list to the profile or device context of the access point or controller, as
shown in the following examples:
Note
Ensure that the global association list is associated with the profile being applied on the
access point.
3. Attach this global association list with the WLAN, as shown in the following example:
rfs4000-880DA7(config-wlan-GLAssList)#association-list global vtt-list
rfs4000-880DA7(config-wlan-GLAssList)#show context include-factory | include association-list
association-list global vtt-list
rfs4000-880DA7(config-wlan-GLAssList)#
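The following Python script is an added example, not part of the guide. It audits the show context output of a global association list and flags entries whose first octet marks a group (multicast) or locally administered address, repeated or conflicting rules, and a context that does not show default-action deny. It is run on the listing from step 1; the function name and the finding texts are assumptions, and only the single-MAC rule form shown on this page is parsed.

```python
import re

# One rule line as printed by `show context`: action, MAC, optional description.
RULE = re.compile(r"^(permit|deny)\s+((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})(?:\s|$)")

# `show context` listing from step 1 above (indentation added).
PAGE_CONTEXT = """\
global-association-list vtt-list
 default-action deny
 permit 01-22-33-44-55-66 description sample
 permit 40-B8-9A-39-F1-27 description acer
 permit 42-B8-9A-39-F1-27 description ami
 permit 6C-40-08-B2-80-6C description mac
 permit E0-98-61-34-11-47 description my_mobile
"""


def audit_assoc_list(text):
    """Return (mac_or_None, finding) tuples for one list's show context output."""
    findings = []
    default_action = None
    first_action = {}  # MAC -> action of the first rule that names it
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("default-action"):
            parts = line.split()
            default_action = parts[1] if len(parts) > 1 else None
            continue
        match = RULE.match(line)
        if not match:
            continue  # list header, CLI prompt, or anything that is not a rule
        action, mac = match.group(1), match.group(2).upper()
        first_octet = int(mac[:2], 16)
        # IEEE 802 address bits: bit 0 = group address, bit 1 = locally administered.
        if first_octet & 0x01:
            findings.append((mac, "group (multicast) bit set: not a station's own address"))
        elif first_octet & 0x02:
            findings.append((mac, "locally administered bit set: software-assigned address"))
        if mac not in first_action:
            first_action[mac] = action
        elif first_action[mac] == action:
            findings.append((mac, "duplicate rule"))
        else:
            findings.append((mac, "conflicting permit and deny rules"))
    if default_action != "deny":
        findings.append((None, "default-action deny is not shown in this context"))
    return findings


if __name__ == "__main__":
    for mac, finding in audit_assoc_list(PAGE_CONTEXT):
        print(mac or "(list)", "-", finding)
```

On the step 1 listing it reports 01-22-33-44-55-66 (group bit) and 42-B8-9A-39-F1-27 (locally administered bit), the two entries worth confirming against the real hardware addresses of the intended clients.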
guest-management-policy
Configures a guest management policy that redirects guest users to a registration portal upon
association to a captive portal. Guest users are redirected to an internally or externally hosted
registration page (registration.html) where guest users who have not previously registered can register. The
internally hosted captive portal registration page can be customized based on business requirements.
Use the guest management policy commands to configure parameters, such as the E-mail host and SMS
gateway, along with the credentials required for sending the pass code to guests via e-mail and SMS. You can
configure up to 32 different guest management policies. Each guest management policy allows you to
configure the SMS gateway, SMS message body, E-mail SMTP server, E-mail subject contents, and E-mail
message body. Although multiple guest management policies may exist at any point in time, only
one guest management policy can be active per device.
Guest registration is supported only on the NX 95XX and NX 75XX series service platforms. However,
the number of user identity entries supported on each varies. It is 2 million and 1 million user-identity
entries for the NX 95XX and NX 75XX model service platforms respectively.
Syntax
guest-management <POLICY-NAME>
Parameters
guest-management <POLICY-NAME>
<POLICY-NAME> Specify the guest management policy name. If the policy does not exist, it
is created.
Examples
nx9500-6C8809(config)#guest-management guest
nx9500-6C8809(config-guest-management-guest)#?
Guest Management Mode commands:
email Email guest-notification configuration
guest-database-backup Configure guest-database-backup parameters
guest-database-export Configure guest-database-export parameters
no Negate a command or set its defaults
nx9500-6C8809(config-guest-management-guest)#
Related Commands
The following table summarizes guest management policy configuration mode commands:
email
Configures guest user e-mail notification settings. When configured, guest users can register
themselves with their e-mail credentials as a primary key for authentication. The captive portal system
provides the pass code for their registration. Guest users need to use their registered e-mail, mobile, or
member ID and the received pass code for subsequent logins to the captive portal.
Supported in the following platforms:
• Service Platforms — NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
email [host|message|subject]
email host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS>
security [none|ssl|starttls] username <USER-NAME> password <PASSWORD>
email message <LINE>
email subject <LINE>
Parameters
email host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS> security
[none|ssl|starttls] username <USER-NAME> password <PASSWORD>
sender <EMAIL-ADDRESS> Configures the sender’s name for the guest user receiving the passcode required
for registering their guest E-mail credentials using SMTP.
• <EMAIL-SENDER> – Specify the sender’s name (should not exceed 100
characters).
security [none|ssl|starttls] Configures the encryption protocol used by the SMTP server when
communicating the pass code
• none – No encryption used. Use if no additional user authentication is needed
beyond the required username and password combination.
• SSL – Uses SSL encryption. This is the default setting.
• STARTTLS – Uses STARTTLS encryption
username <USER-NAME> Configures a username unique to this SMS guest management configuration.
After configuring the username, specify the associated password. Ensure that
the password is correctly provided to receive the pass code required for
registering guest user credentials with SMS.
• <USER-NAME> – Specify the username (should not exceed 100 characters).
password <PASSWORD> Configures the password associated with the specified SMTP user name
• <PASSWORD> – Specify the password (should not exceed 63 characters).
For example: Dear GM_NAME, CR-NL your internet access pass code is
GM_PASSCODE. CR-NL Use this for internet access.
Examples
nx9500-6C8809(config-guest-management-test)#email host 192.168.13.10 sender
[email protected] security ssl username guest1 password guest1@123
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
email host 192.168.13.10 sender [email protected] security ssl username guest1
password guest1@123
nx9500-6C8809(config-guest-management-test)#
nx9500-6C8809(config-guest-management-test2)#email message Dear GM_Guest2, CR-NL
Your internet access passcode is GM_Guest2. CR-NL Use this for internet access.
nx9500-6C8809(config-guest-management-test2)#email subject GM_Guest2 Your internet access
code
nx9500-6C8809(config-guest-management-test2)#show context
guest-management test2
email subject GM_Guest2 Your internet access code
email message Dear GM_Guest2, CR-NL Your internet access passcode is GM_Guest2. CR-
Related Commands
no (guest-management-policy-config-commands) on page 485 Removes the e-mail settings used to send notification mails to the guest user
guest-database-backup
Enables periodic backup of a captive portal’s guest registration user database. This option is enabled by
default.
Supported in the following platforms:
• Service Platforms — NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
guest-database-backup enable {<TIME>}
Parameters
guest-database-backup enable {<TIME>}
Examples
nx9500-6C8809(config-guest-management-test)#guest-database-backup enable 12:30
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
guest-database-backup enable 12:30
nx9500-6C8809(config-guest-management-test)#
Related Commands
no (guest-management-policy-config-commands) on page 485 Disables periodic backup of a captive portal’s guest registration user database
guest-database-export
Schedules an export of the Guest Management user database to a specified external server. This option
is enabled by default.
Supported in the following platforms:
• Service Platforms — NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
guest-database-export <TIME> frequency <1-168> url-directory <URL>
{(format [csv|json]|last-visit-within <1-168>)}
Parameters
guest-database-export <TIME> frequency <1-168> url-directory <URL>
{(format [csv|json]|last-visit-within <1-168>)}
url-directory <URL> Configures the external server’s URL and the directory to which the collection is
exported
• <URL> – Specify the external server’s URL
last-visit-within <1-168> Configures a filter that selects guest users who last visited within a specified
period of time
• <1-168> – Specify a time period from 1 - 168 hours. For example, if the last-visit-within
value is set to 2 hours, only guest user collections from the last two hours
are exported. The default is 4 hours.
Examples
nx9500-6C8809(config-guest-management-gm1)#guest-database-export 10:30 frequency 6 url-directory ftp://admin:[email protected]/dbe_dir format json last-visit-within 168
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
guest-database-export 12:30 frequency 20 url-directory ftp://admin:[email protected]/dbe_dir format json last-visit-within 168
nx9500-6C8809(config-guest-management-test)#
Related Commands
sms
Configures guest user SMS notification settings. When configured, guest users can register themselves
with their e-mail or mobile device ID as the primary key for authentication. The captive portal provides
the pass code for registration. Guest users use their registered e-mail or mobile device ID and the
received pass code for subsequent logins to the captive portal.
Note
When using SMS, ensure that the WLAN’s mode of authentication is set to none and the
mode of registration is set to user. In other words, captive portal authentication must always
enforce guest registration.
SMS is similar to MAC address-based self registration, but in addition the captive portal sends an SMS
message, containing an access code, to the user’s mobile phone number provided at the time of
registration. The captive portal verifies the code, returns the Welcome page and provides access. This
allows the administrator to verify the phone number provided, which can be traced back to a specific
individual should the need arise.
The default gateway used with SMS is Clickatell. A pass code can be sent with SMS to the guest user
directly using Clickatell, or the pass code can be sent via e-mail to the SMS Clickatell gateway server,
and Clickatell sends the pass code SMS to the guest user.
Supported in the following platforms:
• Service Platforms — NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
sms [host|message]
sms host clickatell username <USER-NAME> password <PASSWORD>
api-id <ID> user-agent <PYCLICKATELL> {source-number <WORD>}
sms message <LINE>
Parameters
sms host clickatell username <USER-NAME> password <PASSWORD>
api-id <ID> user-agent <PYCLICKATELL> {source-number <WORD>}
password <PASSWORD> Configures the password associated with the specified username
• <PASSWORD> – Specify the password (should not exceed 63 characters).
user-agent <PYCLICKATELL> Since the SMS service provider by default is Clickatell, set the user agent name to pyclickatell. The user-agent value ensures the Clickatell SMS gateway server and its related credentials, needed for sending the pass code to guest users, are configured.
source-number <WORD> Optional. Configures the long-address or the from-number associated with this Clickatell user account
• <WORD> – Specify the source number (should not exceed 32 characters).
Examples
nx9500-6C8809(config-guest-management-test)#sms host clickatell username guest1
password guest1@123 api-id test user-agent pyclickatell
nx9500-6C8809(config-guest-management-test)#sms message Dear guest1, Your passcode for
internet access is GM-guest1
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
email host 192.168.13.10 sender [email protected] security ssl username guest1
password guest1@123
sms host clickatell username guest1 password guest1@123 api-id test user-agent
pyclickatell
sms message Dear guest1, Your passcode for internet access is GM-guest1
nx9500-6C8809(config-guest-management-test)#
Related Commands
no (guest-management-policy-config-commands) on page 485 – Removes the SMS settings used to send SMS to the guest user
sms-over-smtp
Configures an e-mail host server (for example: smtp.gmail.com) along with sender related credentials
and the recipient gateway e-mail address to which the message is e-mailed. The gateway server
converts the e-mail into SMS and sends the message to the guest user’s mobile device.
When sending an e-mail, the e-mail client interacts with an SMTP server to handle the content
transmission. The SMTP server on the host may have conversations with other SMTP servers to deliver
the e-mail.
Syntax
sms-over-smtp [host|message|subject]
sms-over-smtp host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS>
security [none|ssl|starttls] username <USER-NAME> password <PASSWORD> recipient <EMAIL-ADDRESS>
sms-over-smtp message <LINE>
sms-over-smtp subject <LINE>
Parameters
sms-over-smtp host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS> security
[none|ssl|starttls] username <USER-NAME> password <PASSWORD> recipient <EMAIL-ADDRESS>
sender <EMAIL-ADDRESS> Configures the sender’s e-mail address. The sender here is the guest user receiving the pass code. Guest users require this pass code for registering their guest e-mail credentials using SMTP.
• <EMAIL-ADDRESS> – Specify the e-mail address (should not exceed 64 characters).
security [none|ssl|starttls] Configures the encryption protocol used by the SMTP server when communicating the pass code
• none – No encryption used. Use if no additional user authentication is needed beyond the required username and password combination.
• SSL – Uses SSL encryption. This is the default setting.
• STARTTLS – Uses STARTTLS encryption
password <PASSWORD> Configures the password associated with the specified SMTP user name
• <PASSWORD> – Specify the password (should not exceed 64 characters).
sms-over-smtp Configures guest user SMS over SMTP notification message content
message <LINE> Configures the content of the SMS over SMTP sent to the guest user notifying the pass code (should not exceed 1024 characters)
• <LINE> – Specify the message content. When entering the message, use the following tags:
Examples
nx9500-6C8809(config-guest-management-test3)#sms-over-smtp host test sender
[email protected] security ssl username bob password bob@123 recipient
[email protected]
nx9500-6C8809(config-guest-management-test3)#show context
guest-management test3
sms-over-smtp host test sender [email protected] security ssl username bob
password bob@123 recipient [email protected]
nx9500-6C8809(config-guest-management-test3)#
Related Commands
no (guest-management-policy-config-commands) on page 485 – Removes the SMS over SMTP settings used to send SMS to the guest user
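The guest-database-export, email host, sms host and sms-over-smtp host commands above all place credentials and a transport choice in the policy. The following audit script is an added example, not part of the WiNG software or this guide's own examples: it reads guest-management `show context` output and reports SMTP hosts set to `security none`, export URLs that use a cleartext scheme or embed credentials, and one password shared by several host commands. It assumes each command sits on one line; the sample hosts, addresses and credentials are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample in the style of this guide's `show context` output, with
# each command on one line. Hosts, addresses and credentials are placeholders.
SAMPLE_CONTEXT = """\
guest-management test
 email host 192.168.13.10 sender noreply@example.com security ssl username guest1 password guest1@123
 sms host clickatell username guest1 password guest1@123 api-id test user-agent pyclickatell
 guest-database-export 12:30 frequency 20 url-directory ftp://admin:secret@192.0.2.10/dbe_dir format json last-visit-within 168
guest-management test3
 sms-over-smtp host test sender noreply@example.com security none username bob password bob@123 recipient gateway@example.com
"""

# URL schemes that carry data and credentials unencrypted. Which schemes
# url-directory accepts is not stated in this section; ftp is the one shown.
CLEARTEXT_SCHEMES = {"ftp", "http", "tftp"}
SMTP_COMMANDS = {"email", "sms-over-smtp"}


def value_after(tokens, keyword):
    """Return the token that follows `keyword`, or None if it is absent."""
    if keyword in tokens:
        i = tokens.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit_guest_management(text):
    """Return sorted (policy, command, finding) tuples for risky settings."""
    findings = []
    passwords = {}  # (policy, password) -> set of host commands that use it
    policy = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "guest-management" and len(tokens) == 2:
            policy = tokens[1]
            continue
        if policy is None:
            continue
        command = tokens[0]
        is_host_line = tokens[1:2] == ["host"]

        # SMTP-based notifications: `security none` sends the SMTP login and
        # the guest pass code without TLS.
        if command in SMTP_COMMANDS and is_host_line:
            if value_after(tokens, "security") == "none":
                findings.append((policy, command, "smtp-without-tls"))

        # Database export: inspect the destination URL.
        if command == "guest-database-export":
            url = value_after(tokens, "url-directory")
            if url:
                parts = urlsplit(url)
                if parts.scheme.lower() in CLEARTEXT_SCHEMES:
                    findings.append((policy, command, "cleartext-export-transport"))
                if parts.username or parts.password:
                    findings.append((policy, command, "credentials-in-url"))

        # Track passwords on host lines only, so that message text containing
        # the word "password" is never mistaken for a credential.
        if is_host_line:
            secret = value_after(tokens, "password")
            if secret:
                passwords.setdefault((policy, secret), set()).add(command)

    for (pol, _secret), commands in passwords.items():
        if len(commands) > 1:
            findings.append((pol, "+".join(sorted(commands)), "password-reused"))
    return sorted(findings)


if __name__ == "__main__":
    for policy, command, finding in audit_guest_management(SAMPLE_CONTEXT):
        print(f"{policy:8} {command:24} {finding}")
```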
no (guest-management-policy-config-commands)
Removes this guest management policy’s settings
Supported in the following platforms:
• Service Platforms — NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
no [email|guest-database-backup|guest-database-export|sms|sms-over-smtp]
no email [host|message|subject]
no guest-database-backup enable
no guest-database-export
no gmd report-generation enable
no sms [host|message]
no sms-over-smtp [host|message|subject]
Parameters
no <PARAMETERS>
Examples
nx9500-6C8809(config-guest-management-test3)#show context
guest-management test3
sms-over-smtp host test sender [email protected] security ssl username bob
password bob@123 recipient [email protected]
nx9500-6C8809(config-guest-management-test3)#
nx9500-6C8809(config-guest-management-test)#no sms-over-smtp host
nx9500-6C8809(config-guest-management-test3)#show context
guest-management test3
nx9500-6C8809(config-guest-management-test3)#
host
Enters the configuration context of a remote device using its hostname
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
host <DEVICE-NAME>
Parameters
host <DEVICE-NAME>
<DEVICE-NAME> Specify the device’s hostname. All discovered devices are displayed when ‘Tab’ is
pressed to auto complete this command.
Examples
NOC-NX9500(config)#host [TAB]
ap7522-8330A4 ap8163-74B45C
default/ap7522-8330A4 default/ap8163-74B45C
default/NOC-NX9500 default/RFS6K-SITE1-VLAN20
NOC-NX9500 RFS6K-SITE1-VLAN20
RFS6K-SITE2-VLAN192 default/RFS6K-SITE2-VLAN192
NOC-NX9500(config)#host ap7522-8330A4
NOC-NX9500(config-device-84-24-8D-83-30-A4)#
inline-password-encryption
Stores the encryption key in the startup configuration file. By default, the encryption key is not stored in
the startup-config file. Use the inline-password-encryption command to move the encrypted key to the
startup-config file. This command uses the master key to encrypt the password, then moves it to the
startup-config file.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
inline-password-encryption
Parameters
None
Usage Guidelines
When the configuration file is imported to a different device, it first decrypts the encryption key using
the default key and then decrypts the rest of the configuration using the administrator configured
encryption key.
Examples
The following command uses the specified password as the encryption key and stores it outside of the
startup-config:
nx9500-6C8809(config)#password-encryption secret 2 12345678
nx9500-6C8809(config)#commit write memory
The following command moves the same password to the startup-config and encrypts it with the
master key:
nx9500-6C8809(config)#inline-password-encryption
Related Commands
no (global-config-mode) on page 525 – Disables storing of the encryption key in the startup configuration file
password-encryption on page 535 – Enables password encryption
iot-device-type-imagotag-policy
Creates an IoT Device-Type Imagotag policy and enters its configuration mode. Use this option to
enable support for SES-imagotag’s ESL (Electronic Shelf Label) tags on WiNG APs with USB interfaces.
ESL tags are small, battery-powered devices used by retail businesses to display information, such as
product code, pricing, etc. These tags are activated, configured, and managed through an SES-
Imagotag provided server. The tags and server communicate through an ESL communicator (a USB
dongle), connected to the USB port on the WiNG AP. This communication is over the 2.4 GHz band
using a proprietary RF protocol. The ESL communicator acts as a bridge between the tags and the
server, using WiNG AP as an infrastructure device.
This policy, when applied on an AP, enables the AP to recognize the ESL communicator and facilitates
communication between the communicator and tags.
The policy can be applied on the AP itself (in the case of a standalone AP), or pushed to the AP through the
adopting controller. In the latter case, apply the policy on the AP’s profile.
Note
The policy is applicable only on the AP-8432 model access point, which supports the USB
interface.
Syntax
iot-device-type-imagotag-policy <POLICY-NAME>
Parameters
iot-device-type-imagotag-policy <POLICY-NAME>
iot-device-type-imagotag-policy <POLICY-NAME> Specify an IoT Device Type Imagotag policy name. If another policy by the specified name does not exist, the policy is created.
Example
nx9500-6C8809(config)#iot-device-type-imagotag-policy ImagoTagPolicy
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#?
Iot Imagotag Policy Mode commands:
channel Auto channel selection
enable Enable ESL communicator
fcc-mode Enable fcc compatibility mode on ESL communicator
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#
Related Commands
The following table summarizes IoT Device-Type Imagotag policy configuration mode commands:
channel (iot-device-type-imagotag-policy)
Manually configures the channel assigned for ESL communicator-to-tag communication in the 2.4
GHz band, or enables ACS (Auto-Channel Selection) mode.
Supported in the following platforms:
• Access Points — AP-8432
• Wireless Controllers — RFS 4000
• Service Platforms — NX 5500, NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
channel [<0-10>|acs]
Parameters
channel [<0-10>|acs]
channel [<0-10>|acs] Configures the 2.4 GHz frequency channel, using one of the following
options:
• <0-10> – Manually configures the channel from 0 - 10.
• acs – Enables ACS channel selection mode. This is the default
setting.
Examples
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#channel 9
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#show context
iot-device-type-imagotag-policy ImagoTagPolicy
channel 9
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#
Related Commands
enable (iot-device-type-imagotag-policy)
Enables the ESL communicator
Supported in the following platforms:
• Access Points — AP-8432
• Wireless Controllers — RFS 4000
• Service Platforms — NX 5500, NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
enable
Parameters
None
Examples
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#enable
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#show context
iot-device-type-imagotag-policy ImagoTagPolicy
enable
channel 9
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#
Related Commands
fcc-mode (iot-device-type-imagotag-policy)
Enables the FCC (Federal Communications Commission) compatibility mode on the ESL communicator.
This option is disabled by default.
Supported in the following platforms:
• Access Points — AP-8432
• Wireless Controllers — RFS 4000
• Service Platforms — NX 5500, NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
fcc-mode
Parameters
None
Examples
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#fcc-mode
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#show context
iot-device-type-imagotag-policy ImagoTagPolicy
enable
fcc-mode
channel 9
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#
Related Commands
output-power (iot-device-type-imagotag-policy)
Configures the maximum output power for the ESL communicator.
Supported in the following platforms:
• Access Points — AP-8432
• Wireless Controllers — RFS 4000
• Service Platforms — NX 5500, NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
output-power [Level-A|Level-B|Level-C|Level-D|Level-E|Level-F|Level-G|Level-H]
Parameters
output-power [Level-A|Level-B|Level-C|Level-D|Level-E|Level-F|Level-G|Level-H]
output-power [Level-A|Level-B|Level-C|Level-D|Level-E|Level-F|Level-G|Level-H] Configure the ESL communicator’s output power in dBm. The options are:
• Level-A – 1 dBm. This is the default setting.
• Level-B – -4 dBm
• Level-C – -6 dBm
• Level-D – -12 dBm
• Level-E – 0 dBm
• Level-F – -2 dBm
• Level-G – -8 dBm
• Level-H – -10 dBm
Examples
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#output-power Level-B
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#show context
iot-device-type-imagotag-policy ImagoTagPolicy
enable
output-power Level-B
fcc-enable
channel 9
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#
Related Commands
payload-size (iot-device-type-imagotag-policy)
Configures the maximum size of the payload in packets exchanged between ESL communicator and
tags
Supported in the following platforms:
• Access Points — AP-8432
• Wireless Controllers — RFS 4000
• Service Platforms — NX 5500, NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
payload-size <1-32>
Parameters
payload-size <1-32>
Examples
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#payload-size 25
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#show context
iot-device-type-imagotag-policy ImagoTagPolicy
enable
output-power Level-B
payload-size 25
fcc-enable
channel 9
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#
Related Commands
window-size (iot-device-type-imagotag-policy)
Configures the transmission window size for messages exchanged between ESL communicator and
tags
Supported in the following platforms:
• Access Points — AP-8432
• Wireless Controllers — RFS 4000
• Service Platforms — NX 5500, NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
window-size <1-14>
Parameters
window-size <1-14>
Examples
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#window-size 12
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#show context
iot-device-type-imagotag-policy ImagoTagPolicy
enable
output-power Level-B
window-size 12
payload-size 25
port 200
ssl-enable
fcc-enable
channel 9
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#
Related Commands
server (iot-device-type-imagotag-policy)
Configures the ESL SES-Imagotag server’s IP address or hostname. As per the current implementation,
at the ESL server end, the WiNG AP’s IP address was configured to enable the server to contact the AP
and establish a connection with the ESL communicator (USB dongle). Starting with WiNG 5.9.3, the
WiNG AP will send a connection request to the ESL server. For this purpose, the ESL Imagotag server’s
IP address or hostname has to be configured in the IoT Imagotag policy. Use this command to provide
the SES-Imagotag server’s IP address or hostname.
Supported in the following platforms:
• Access Points — AP-8432
• Wireless Controllers — RFS 4000
• Service Platforms — NX 5500, NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
server [hostname|ip-address]
server [hostname <HOST-NAME>|ip-address [<IP>|<HOST-ALIAS-NAME>]] {port <1-65535>}
Parameters
server [hostname <HOST-NAME>|ip-address [<IP>|<HOST-ALIAS-NAME>]] {port <1-65535>}
ip-address [<IP>|<HOST-ALIAS-NAME>] Use this option to configure the ESL server’s IP address
• <IP> – Provide the IP address
• <HOST-ALIAS-NAME> – Provide a host alias name. If using this option, ensure that the host alias exists and points to the ESL server host.
port <1-65535> Optional. Configures the port on which the ESL server can be reached.
• <1-65535> – Specify the port from 1 - 65535.
Examples
NOC-NX9500(config-iot-device-type-imagotag-policy-test)#server ip-address
10.234.160.225
NOC-NX9500(config-iot-device-type-imagotag-policy-test)#show context
iot-device-type-imagotag-policy test
enable
output-power Level-B
window-size 12
payload-size 25
ssl
fcc-mode
channel 9
server ip-address 10.234.160.225
NOC-NX9500(config-iot-device-type-imagotag-policy-test)#
Related Commands
ssl (iot-device-type-imagotag-policy)
Enables secure, encrypted communication over SSL (Secure Sockets Layer) between the AP and the
SES-imagotag server. This option is disabled by default.
Supported in the following platforms:
• Access Points — AP-8432
• Wireless Controllers — RFS 4000
• Service Platforms — NX 5500, NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
ssl
Parameters
None
Examples
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#ssl
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#show context
iot-device-type-imagotag-policy ImagoTagPolicy
enable
output-power Level-B
payload-size 25
port 200
ssl
fcc-enable
channel 9
nx9500-6C8809(config-iot-device-type-imagotag-policy-ImagoTagPolicy)#
Related Commands
no (iot-device-type-imagotag-policy)
Reverts this IoT Device-Type Imagotag policy’s settings to their default values
Syntax
no [channel|enable|fcc-mode|output-power|payload-size|port|server|ssl|window-size]
Parameters
no <PARAMETERS>
Examples
The following example shows the Imagotag policy settings before the no commands are executed:
NOC-NX9500(config-iot-device-type-imagotag-policy-test)#no ?
iot-device-type-imagotag-policy test
enable
output-power Level-B
window-size 12
payload-size 25
ssl
fcc-mode
channel 9
server ip-address 10.234.160.225
NOC-NX9500(config-iot-device-type-imagotag-policy-test)#
NOC-NX9500(config-iot-device-type-imagotag-policy-test)#no payload-size
NOC-NX9500(config-iot-device-type-imagotag-policy-test)#no window-size
NOC-NX9500(config-iot-device-type-imagotag-policy-test)#no server
The following example shows the Imagotag policy settings after the ‘no’ commands are executed:
nx9500-6C8809(config-iot-device-type-imagotag-policy-test)#show context
iot-device-type-imagotag-policy test
enable
output-power Level-B
ssl-enable
fcc-enable
channel 9
nx9500-6C8809(config-iot-device-type-imagotag-policy-test)#
ip
Creates an access control list (ACL) and enters its configuration mode. Access lists define access
permissions to the network using a set of rules. Each rule specifies an action taken when a packet
matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is
allowed.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
Syntax
ip [access-list|ex3500-ext-access-list|ex3500-std-access-list|snmp-access-list]
ip ex3500-ext-access-list <EX3500-EXT-ACL-NAME>
ip ex3500-std-access-list <EX3500-STD-ACL-NAME>
ip access-list <IP-ACL-NAME>
ip snmp-access-list <IP-SNMP-ACL-NAME>
Parameters
ip access-list <IP-ACL-NAME>
ip ex3500-ext-access-list <EX3500-EXT-ACL-NAME>
ex3500-ext-access-list <EX3500-EXT-ACL-NAME> Creates an EX3500 Extended ACL and enters its configuration mode
• <EX3500-EXT-ACL-NAME> – Specify the ACL name. If an ACL with the specified name does not exist, it is created.
ip ex3500-std-access-list <EX3500-STD-ACL-NAME>
ex3500-std-access-list <EX3500-STD-ACL-NAME> Creates an EX3500 Standard ACL and enters its configuration mode
• <EX3500-STD-ACL-NAME> – Specify the ACL name. If an ACL with the specified name does not exist, it is created.
ip snmp-access-list <IP-SNMP-ACL-NAME>
snmp-access-list <IP-SNMP-ACL-NAME> Creates an SNMP IP ACL and enters its configuration mode. An SNMP IP ACL is an access control mechanism that uses a combination of IP ACL and SNMP community string.
SNMP performs network management functions using a data structure called a MIB. SNMP is widely implemented but not very secure, since it uses only text community strings for accessing controller or service platform configuration files.
Use SNMP ACLs (firewalls) to help reduce SNMP’s vulnerabilities, as SNMP traffic can be easily exploited to produce a DoS.
• <IP-SNMP-ACL-NAME> – Specify the SNMP IP ACL name. If the access list does not exist, it is created. After creating the SNMP ACL, define the deny/permit rules based on the network and/or host IP addresses. Once created and configured, link this SNMP IP ACL with an SNMP community string.
To link the SNMP community string with the SNMP IP ACL, in the management-policy-config-mode, use the following command:
snmp-server > community <COMMUNITY-STRING> > [ro|rw] > ip-snmp-access-list <IP-SNMP-ACL-NAME>.
Examples
nx9500-6C8809(config)#ip access-list test
nx9500-6C8809(config-ip-acl-test)#?
ACL Configuration commands:
deny Specify packets to reject
disable Disable rule if not needed
no Negate a command or set its defaults
permit Specify packets to forward
nx9500-6C8809(config-ip-acl-test)#
nx9500-6C8809(config)#ip snmp-access-list SNMPAcl
nx9500-6C8809(config-ip-snmp-acl-SNMPAcl)#?
SNMP ACL Configuration commands:
deny Specify packets to reject
no Negate a command or set its defaults
permit Specify packets to forward
nx9500-6C8809(config-ip-snmp-acl-SNMPAcl)#
Related Commands
Note
For more information on Access Control Lists, see ACCESS-LIST on page 1504.
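An SNMP IP ACL restricts a community string only once the two are linked with the snmp-server command quoted above. The following check is an added example, not part of the WiNG software: it scans a configuration listing for community strings with no ACL bound and for bindings to an ACL name that is never defined. The snmp-server lines follow the linking command form given above; the surrounding configuration layout and all names in the sample are constructed.

```python
# Constructed sample. The snmp-server lines follow the linking command form
# quoted in this section; the surrounding layout is an assumption.
SAMPLE_CONFIG = """\
ip snmp-access-list SNMPAcl
management-policy default
 snmp-server community public ro
 snmp-server community netops rw ip-snmp-access-list SNMPAcl
 snmp-server community legacy ro ip-snmp-access-list OldAcl
management-policy branch
 snmp-server community private rw
"""


def parse_config(text):
    """Collect defined SNMP ACL names and every community definition."""
    defined_acls = set()
    communities = []  # (policy, community, access, acl name or None)
    policy = None
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:2] == ["ip", "snmp-access-list"] and len(tokens) == 3:
            defined_acls.add(tokens[2])
            policy = None  # a top-level ACL block ends any policy context
        elif tokens[:1] == ["management-policy"] and len(tokens) == 2:
            policy = tokens[1]
        elif tokens[:2] == ["snmp-server", "community"] and len(tokens) >= 4:
            name, access = tokens[2], tokens[3]
            rest = tokens[4:]
            acl = None
            if "ip-snmp-access-list" in rest:
                i = rest.index("ip-snmp-access-list")
                acl = rest[i + 1] if i + 1 < len(rest) else None
            communities.append((policy, name, access, acl))
    return defined_acls, communities


def audit_snmp_communities(text):
    """Return (policy, community, access, issue) for weakly bound communities.

    The ACL definitions are collected first, so a community may reference an
    ACL that appears later in the listing without being reported.
    """
    defined_acls, communities = parse_config(text)
    findings = []
    for policy, name, access, acl in communities:
        if acl is None:
            # Any source address that knows the string can use it.
            findings.append((policy, name, access, "no-acl"))
        elif acl not in defined_acls:
            # The binding points at a name with no rules behind it.
            findings.append((policy, name, access, "acl-not-defined"))
    return findings


if __name__ == "__main__":
    for policy, name, access, issue in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"{policy:8} {name:8} {access}  {issue}")
```

A read-write community reported as no-acl is the first one to fix, since it allows configuration changes from any source address.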
ipv6
Creates an IPv6 ACL and enters its configuration mode. An IPv6 ACL defines a set of rules that filter
IPv6 packets flowing through a port or interface. Each rule specifies the action taken when a packet
matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is
allowed.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ipv6 access-list <IPv6-ACL-NAME>
Parameters
ipv6 access-list <IPv6-ACL-NAME>
access-list <IPv6-ACL-NAME> Configures an IPv6 access list and enters its configuration mode
• <IPv6-ACL-NAME> – Specify the IPv6 ACL name. If the access list does not exist, it is created.
Examples
rfs4000-229D58(config)#ipv6 access-list IPv6ACLTest
rfs4000-229D58(config-ipv6-acl-IPv6ACLTest)#?
IPv6 Access Control Mode commands:
deny Specify packets to reject
no Negate a command or set its defaults
permit Specify packets to forward
rfs4000-229D58(config-ipv6-acl-IPv6ACLTest)#
Related Commands
Note
For more information on access control lists, see ACCESS-LIST on page 1504.
ipv6-router-advertisement-policy
Creates an IPv6 RA policy and enters its configuration mode. An IPv6 router policy allows routers to
advertise their presence in response to solicitation messages. After receiving a neighbor solicitation
message, the destination node sends an advertisement message, which includes the link layer address
of the source node. After receiving the advertisement, the destination device replies with a neighbor
advertisement message on the local link. After the source receives the advertisement it can
communicate with other devices.
Advertisement messages are also sent to indicate a change in link layer address for a node on the local
link. With such a change, the multicast address becomes the destination address for advertisement
messages.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ipv6-router-advertisement-policy <POLICY-NAME>
Parameters
ipv6-router-advertisement-policy <POLICY-NAME>
<POLICY-NAME> Specify an IPv6 RA policy name. If a policy with the specified name does
not exist, it is created.
Examples
rfs4000-229D58NOC-NX9500(config)#ipv6-router-advertisement-policy test
rfs4000-229D58NOC-NX9500(config-ipv6-radv-policy-test)#?
IPv6 Router Advertisement Policy Mode commands:
advertise Option to advertise in router advertisement
assist-neighbor-discovery Send the Source Link Layer address option
in Router Advertisement to assist in
neighbor discovery
check-ra-consistency Check if the parameters advertised by other
routers on the link are in conflict with
those configured on this router. Conflicts
are logged.
dns-server DNS Server
domain-name Configure domain-name
managed-config-flag Set the managed-address-configuration flag
in Router Advertisements. When set, it
indicates that the addresses are available
via DHCPv6
nd-reachable-time Time that a node assumes a neighbor is
reachable after having received a
reachability confirmation
no Negate a command or set its defaults
ns-interval Time between retransmitted Neighbor
Solicitation messages
other-config-flag Set the other-configuration flag in Router
Advertisememts. When set, it indicates that
other configuration information is
available via DHCPv6.
ra Router Advertisements
router-lifetime Lifetime associated with the default router
router-preference Preference of this router over other
routers
unicast-solicited-advertisement Unicast the solicited Router Advertisements
Related Commands
The following table summarizes the IPv6 router advertisement (RA) policy configuration mode
commands:
advertise
Syntax
advertise [hop-limit|mtu]
Parameters
advertise [hop-limit|mtu]
advertise [hop-limit|mtu] Enables advertisement of IPv6 MTU and hop-count value in RAs. Both these features are disabled by default.
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#advertise hop-limit
nx9500-6C8809(config-ipv6-radv-policy-test)#advertise mtu
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
advertise mtu
advertise hop-limit
nx9500-6C8809(config-ipv6-radv-policy-test)#
Related Commands
assist-neighbor-discovery
Enables advertisement of the source link layer address in RAs to facilitate neighbor discovery. This
feature is enabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
assist-neighbor-discovery
Parameters
None
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#assist-neighbor-discovery
Related Commands
no (ipv6-ra-policy-config-commands) on page 510 – Disables the advertisement of the source link layer address in RAs
check-ra-consistency
Enables checking of consistency in RA values advertised by this router with those advertised by other
routers, if any, on the same link. If the values advertised are inconsistent, a conflict is logged.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
check-ra-consistency
Parameters
None
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#check-ra-consistency
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
advertise mtu
advertise hop-limit
check-ra-consistency
nx9500-6C8809(config-ipv6-radv-policy-test)#
Related Commands
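RFC 4861 section 6.2.7 describes a consistency check of this kind: a router compares the values in RAs received from other routers on the link with its own and logs any mismatch. The following is an added example of that comparison, not WiNG's implementation: it parses two Router Advertisement messages and lists the conflicting fields, treating zero as "unspecified" for hop limit, reachable time and retransmit timer as the RFC does. Both RAs are constructed in the code, and prefix lifetimes, which the RFC also compares, are left out.

```python
import struct

ICMPV6_RA = 134   # ICMPv6 type for Router Advertisement
OPT_MTU = 5       # Neighbor Discovery MTU option
FLAG_M = 0x80     # managed address configuration flag
FLAG_O = 0x40     # other configuration flag


def build_ra(hop_limit, managed, other, router_lifetime,
             reachable_ms, retrans_ms, mtu=None):
    """Build a constructed RA message body; the checksum is left at zero."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    pkt = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags,
                      router_lifetime, reachable_ms, retrans_ms)
    if mtu is not None:
        # Option layout: type, length in 8-octet units, reserved, MTU.
        pkt += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return pkt


def parse_ra(data):
    """Parse the fixed RA header and the MTU option into a dict."""
    if len(data) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    (icmp_type, code, _checksum, hop_limit, flags, router_lifetime,
     reachable_ms, retrans_ms) = struct.unpack("!BBHBBHII", data[:16])
    if icmp_type != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & FLAG_M),
        "other": bool(flags & FLAG_O),
        "router_lifetime": router_lifetime,
        "reachable_ms": reachable_ms,
        "retrans_ms": retrans_ms,
        "mtu": None,
    }
    offset = 16
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, opt_len = data[offset], data[offset + 1]
        size = opt_len * 8
        # A zero-length option would loop forever; an oversized one would
        # read past the packet. Reject both.
        if opt_len == 0 or offset + size > len(data):
            raise ValueError("bad option length")
        if opt_type == OPT_MTU and opt_len == 1:
            ra["mtu"] = struct.unpack("!I", data[offset + 4:offset + 8])[0]
        offset += size
    return ra


def ra_conflicts(ours, theirs):
    """Return the names of fields on which two parsed RAs disagree."""
    conflicts = []
    for field in ("hop_limit", "reachable_ms", "retrans_ms"):
        a, b = ours[field], theirs[field]
        if a != 0 and b != 0 and a != b:  # zero means "unspecified"
            conflicts.append(field)
    for field in ("managed", "other"):
        if ours[field] != theirs[field]:
            conflicts.append(field)
    if None not in (ours["mtu"], theirs["mtu"]) and ours["mtu"] != theirs["mtu"]:
        conflicts.append("mtu")
    return conflicts


if __name__ == "__main__":
    # Constructed values: this router's RA and one seen from a neighbour.
    ours = parse_ra(build_ra(64, True, False, 1800, 6000, 0, mtu=1500))
    seen = parse_ra(build_ra(255, False, False, 9000, 6000, 1000, mtu=1280))
    print("conflicting fields:", ra_conflicts(ours, seen))
```

An unexpected conflict on the managed flag or the MTU is worth investigating as a possible rogue or misconfigured router on the link.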
dns-server
Configures the DNS server’s IPv6 address and lifetime. The configured values are advertised in RAs.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dns-server <IPv6> {lifetime [<4-3600>|expired|infinite]}
Parameters
dns-server <IPv6> {lifetime [<4-3600>|expired|infinite]}
lifetime [<4-3600>|expired|infinite] Optional. Configures the DNS server’s (identified by the <IPv6> parameter) lifetime
• <4-3600> – Configures a lifetime in seconds. Specify a value from 4 - 3600 seconds. The default is 600 seconds.
• expired – Advertises that this DNS server’s lifetime has expired and should not be used
• infinite – Advertises that this DNS server’s lifetime is infinite
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#dns-server 2002::2 lifetime 3000
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
advertise mtu
advertise hop-limit
check-ra-consistency
dns-server 2002::2 lifetime 3000
nx9500-6C8809(config-ipv6-radv-policy-test)#
Related Commands
no (ipv6-ra-policy-config-commands) on page 510 – Removes the DNS server settings advertised in RAs. Once removed these values are not advertised in RAs.
domain-name
Configures the Domain name search label advertised in RAs
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
domain-name <WORD> {lifetime [<4-3600>|expired|infinite]}
Parameters
domain-name <WORD> {lifetime [<4-3600>|expired|infinite]}
domain-name <WORD> Configures the Domain name search label advertised in RAs
Enter a FQDN (fully qualified domain name), which is an unambiguous domain name available in a router advertisement resource. To distinguish an FQDN from a regular domain name, a trailing period is added. For example, somehost.example.com.
• <WORD> – Specify the Domain name search label. A maximum of four (4) entries can be made per policy.
lifetime [<4-3600>|expired|infinite] Optional. Configures the Domain name search label's lifetime
• <4-3600> – Configures a lifetime in seconds. Specify a value from 4 - 3600 seconds. The default is 600 seconds.
• expired – Advertises that this Domain name search label's lifetime has expired and should not be used
• infinite – Advertises that this Domain name search label's lifetime is infinite
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#domain-name TechPubs lifetime infinite
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
advertise mtu
advertise hop-limit
check-ra-consistency
dns-server 2002::2 lifetime 3000
domain-name TechPubs lifetime infinite
nx9500-6C8809(config-ipv6-radv-policy-test)#
Related Commands
no (ipv6-ra-policy-config-commands) on page 510
Removes the Domain name settings advertised in RAs. Once removed, these values are not
advertised in RAs.
managed-config-flag
Sets the managed address configuration flag in RAs. When set, it indicates that IPv6 addresses are
available through DHCPv6. This feature is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
managed-config-flag
Parameters
None
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#managed-config-flag
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
managed-config-flag
advertise mtu
advertise hop-limit
check-ra-consistency
dns-server 2002::2 lifetime 3000
domain-name TechPubs lifetime infinite
nx9500-6C8809(config-ipv6-radv-policy-test)#
Related Commands
nd-reachable-time
Enables advertisement of neighbor discovery (ND) reachable time in RAs. This feature is disabled by
default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
nd-reachable-time [<5000-3600000>|global]
Parameters
nd-reachable-time [<5000-3600000>|global]
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#nd-reachable-time 6000
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
managed-config-flag
nd-reachable-time 6000
advertise mtu
advertise hop-limit
check-ra-consistency
dns-server 2002::2 lifetime 3000
domain-name TechPubs lifetime infinite
nx9500-6C8809(config-ipv6-radv-policy-test)#
Related Commands
ns-interval
Configures the neighbor solicitation (NS) retransmit timer value advertised in RAs. This is the interval
between two successive NS messages. When specified, it enables the sending of the specified value in
RAs. This feature is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ns-interval [<1000-3600000>|global]
Parameters
ns-interval [<1000-3600000>|global]
ns-interval [<1000-3600000>|global]
Configures the NS interval advertised in RAs. Use one of the following options:
• <1000-3600000> – Specify a value from 1000 - 3600000 milliseconds. The default is
1000 milliseconds.
• global – Advertises the NS interval configured for the system. This is configured on
the device in the device configuration mode. For more information, see ipv6 on page
1288 (profile config mode).
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#ns-interval 3000
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
managed-config-flag
nd-reachable-time global
ns-interval 3000
advertise mtu
advertise hop-limit
check-ra-consistency
dns-server 2002::2 lifetime 3000
domain-name TechPubs lifetime infinite
nx9500-6C8809(config-ipv6-radv-policy-test)#
Related Commands
other-config-flag
Sets the other-configuration flag in RAs. When set, it indicates that other configuration details, such as
DNS-related information, are available through DHCPv6. This feature is enabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
other-config-flag
Parameters
None
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#other-config-flag
Related Commands
ra
Configures RA related parameters, such as the interval between two unsolicited successive RAs. It also
allows suppression of RAs.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ra [interval <3-1800>|suppress]
Parameters
ra [interval <3-1800>|suppress]
interval <3-1800> Configures the interval, in seconds, between two unsolicited successive RAs
• <3-1800> – Specify a value from 3 - 1800 seconds. The default is 300
seconds.
Note: The router-lifetime should be at least three times the specified router
interval.
suppress Enables the suppression of RAs. When enabled, the transmission of RAs in
IPv6 packets is suppressed. This option is disabled by default. The no >
ra > suppress command enables the sending of RAs.
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#ra interval 200
nx9500-6C8809(config-ipv6-radv-policy-test)#ra suppress
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
ra suppress
ra interval 200
managed-config-flag
nd-reachable-time global
advertise mtu
advertise hop-limit
check-ra-consistency
dns-server 2002::2 lifetime 3000
domain-name TechPubs lifetime infinite
nx9500-6C8809(config-ipv6-radv-policy-test)#
Related Commands
router-lifetime
Configures the default router’s lifetime, in seconds, advertised in RAs
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
router-lifetime <0-9000>
Parameters
router-lifetime <0-9000>
Note: A value of “0” indicates that this router is not the default router.
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#router-lifetime 2000
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
ra suppress
ra interval 200
managed-config-flag
nd-reachable-time global
router-lifetime 2000
advertise mtu
advertise hop-limit
check-ra-consistency
Related Commands
router-preference
Configures the router preference field value advertised in RAs. The options are high, medium, and low.
This value is used to prioritize and select the default router when multiple routers are discovered.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
router-preference [high|medium|low]
Parameters
router-preference [high|medium|low]
router-preference [high|medium|low]
Sets this router’s preference over other routers, in the link, to be the default router.
The options are high, low, and medium. The default value is medium.
The following points should be taken into consideration when configuring router
preference:
• For a router to be selected as a default router, the router’s lifetime should not be
equal to “0”.
• To enable default router selection, using router information contained in RAs,
configure default router selection on that interface.
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#router-preference high
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
ra suppress
ra interval 200
managed-config-flag
nd-reachable-time global
router-lifetime 2000
advertise mtu
advertise hop-limit
router-preference high
check-ra-consistency
dns-server 2002::2 lifetime 3000
domain-name TechPubs lifetime infinite
nx9500-6C8809(config-ipv6-radv-policy-test)#
Related Commands
unicast-solicited-advertisement
Enables unicasting of solicited RAs. This feature is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
unicast-solicited-advertisement
Parameters
None
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#unicast-solicited-advertisement
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
ra suppress
ra interval 200
unicast-solicited-advertisement
managed-config-flag
nd-reachable-time global
router-lifetime 2000
advertise mtu
advertise hop-limit
router-preference high
check-ra-consistency
dns-server 2002::2 lifetime 3000
domain-name TechPubs lifetime infinite
nx9500-6C8809(config-ipv6-radv-policy-test)#
Related Commands
no (ipv6-ra-policy-config-commands)
Removes or reverts router advertisement policy settings. Use the no command to remove or revert the
interface-specific parameters that are advertised by the link router.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [advertise [hop-limit|mtu]|assist-neighbor-discovery|check-ra-consistency|
dns-server <IPv6>|domain-name <WORD>|managed-config-flag|nd-reachable-time|ns-interval|
other-config-flag|ra [interval|suppress]|router-lifetime|unicast-solicited-advertisement]
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes or reverts this IPv6 router advertisement policy’s settings based
on the parameters passed
Examples
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
managed-config-flag
nd-reachable-time global
advertise mtu
advertise hop-limit
check-ra-consistency
dns-server 2002::2 lifetime 3000
domain-name TechPubs lifetime infinite
nx9500-6C8809(config-ipv6-radv-policy-test)#
nx9500-6C8809(config-ipv6-radv-policy-test)#no managed-config-flag
nx9500-6C8809(config-ipv6-radv-policy-test)#no nd-reachable-time
nx9500-6C8809(config-ipv6-radv-policy-test)#no check-ra-consistency
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
advertise mtu
advertise hop-limit
dns-server 2002::2 lifetime 3000
domain-name TechPubs lifetime infinite
nx9500-6C8809(config-ipv6-radv-policy-test)#
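The value ranges given in this section, the note that router-lifetime should be at least three times the RA interval, and the four-entry limit on domain-name can be checked against a saved show context dump. The script below is an added example, not part of the WiNG guide or Extreme Networks code; the sample policy and the finding names are constructed, and dns-server lifetimes are not checked.

```python
# Added example: lint an ipv6-router-advertisement-policy 'show context' dump.
# Ranges and defaults are the ones stated in this guide's parameter tables.
RANGES = {
    "ra interval": (3, 1800),        # seconds
    "router-lifetime": (0, 9000),    # seconds
    "nd-reachable-time": (5000, 3600000),
    "ns-interval": (1000, 3600000),  # milliseconds
}
KEYWORDS = {"nd-reachable-time": {"global"}, "ns-interval": {"global"}}
RA_INTERVAL_DEFAULT = 300            # seconds, default of 'ra interval'
DOMAIN_LIFETIME = (4, 3600)          # seconds
MAX_DOMAIN_NAMES = 4                 # entries per policy

# Constructed sample input (not taken from a real device).
SAMPLE = """\
nx9500-6C8809(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 ra interval 200
 router-lifetime 500
 ns-interval 500
 router-preference high
 domain-name example.com. lifetime 7200
nx9500-6C8809(config-ipv6-radv-policy-test)#
"""


def parse_policy(text):
    """Parse the 'show context' output of one RA policy into a dict."""
    policy = {"name": None, "suppress": False, "values": {}, "domains": []}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or "#" in raw:          # blank lines and CLI prompt lines
            continue
        if tok[0] == "ipv6-router-advertisement-policy" and len(tok) == 2:
            policy["name"] = tok[1]
        elif tok == ["ra", "suppress"]:
            policy["suppress"] = True
        elif tok[:2] == ["ra", "interval"] and len(tok) == 3:
            policy["values"]["ra interval"] = tok[2]
        elif tok[0] in ("router-lifetime", "router-preference",
                        "nd-reachable-time", "ns-interval") and len(tok) == 2:
            policy["values"][tok[0]] = tok[1]
        elif tok[0] == "domain-name" and len(tok) in (2, 4):
            policy["domains"].append((tok[1], tok[3] if len(tok) == 4 else None))
    return policy


def _in_range(value, bounds):
    return value.isdigit() and bounds[0] <= int(value) <= bounds[1]


def audit(policy):
    """Return (code, message) findings; the codes are names chosen for this example."""
    findings = []
    v = policy["values"]
    for key, (lo, hi) in RANGES.items():
        val = v.get(key)
        if val is None or val in KEYWORDS.get(key, ()):
            continue
        if not _in_range(val, (lo, hi)):
            findings.append(("out-of-range", f"{key} {val} is outside {lo}-{hi}"))
    interval = v.get("ra interval", str(RA_INTERVAL_DEFAULT))
    lifetime = v.get("router-lifetime")
    if lifetime is not None and lifetime.isdigit() and interval.isdigit():
        if int(lifetime) == 0:
            # Lifetime 0 means "not the default router", so a preference is moot.
            if "router-preference" in v:
                findings.append(("preference-unused",
                                 "router-preference set but router-lifetime is 0"))
        elif int(lifetime) < 3 * int(interval):
            findings.append(("lifetime-too-short",
                             f"router-lifetime {lifetime} < 3 x ra interval {interval}"))
    if len(policy["domains"]) > MAX_DOMAIN_NAMES:
        findings.append(("too-many-domain-names",
                         f"{len(policy['domains'])} entries, maximum is {MAX_DOMAIN_NAMES}"))
    for name, life in policy["domains"]:
        if life not in (None, "expired", "infinite") and not _in_range(life, DOMAIN_LIFETIME):
            findings.append(("out-of-range", f"domain-name {name} lifetime {life}"))
    if policy["suppress"]:
        findings.append(("ra-suppressed",
                         "ra suppress is set: no RAs are sent from this policy"))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse_policy(SAMPLE)):
        print(f"{code}: {message}")
```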
l2tpv3
Configures an L2TPv3 tunnel policy, used to create one or more L2TPv3 tunnels.
The L2TPv3 policy defines the control and encapsulation protocols needed for tunneling layer 2 frames
between two IP nodes. This policy enables creation of L2TPv3 tunnels for transporting Ethernet frames
between bridge VLANs and physical GE ports. L2TPv3 tunnels can be created between any vendor
devices supporting the L2TPv3 protocol.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
l2tpv3 policy <L2TPV3-POLICY-NAME>
Parameters
l2tpv3 policy <L2TPV3-POLICY-NAME>
Examples
nx9500-6C8809(config)#l2tpv3 policy L2TPV3Policy1
nx9500-6C8809(config-l2tpv3-policy-L2TPV3Policy1)#?
L2tpv3 Policy Mode commands:
cookie-size Size of the cookie field present in each l2tpv3 data
message
failover-delay Time interval for re-establishing the tunnel after
the failover (RF-Domain
manager/VRRP-master/Cluster-master failover)
force-l2-path-recovery Enables force learning of servers, gateways etc.,
behind the l2tpv3 tunnel when the tunnel is
established
hello-interval Configure the time interval (in seconds) between
l2tpv3 Hello keep-alive messages exchanged in l2tpv3
control connection
no Negate a command or set its defaults
reconnect-attempts Maximum number of attempts to reestablish the
tunnel.
reconnect-interval Time interval between the successive attempts to
reestablish the l2tpv3 tunnel
retry-attempts Configure the maximum number of retransmissions for
signaling message
retry-interval Time interval (in seconds) before the initiating a
retransmission of any l2tpv3 signaling message
rx-window-size Number of signaling messages that can be received
without sending the acknowledgement
tx-window-size Number of signaling messages that can be sent
without receiving the acknowledgement
nx9500-6C8809(config-l2tpv3-policy-L2TPV3Policy1)#
Related Commands
Note
For more information on the L2TPV3 tunnel configuration mode and commands, see
L2TPV3-POLICY on page 1876.
location-policy
Creates a Location policy and enters its configuration mode. Use this command to configure a policy
that provides the ExtremeLocation server hostname, and the ExtremeLocation Tenant’s API key needed
to authenticate and authorize with the ExtremeLocation server. Apply this Location policy on the WiNG
devices (site controller, virtual controllers, and standalone APs). When applied, these devices push/
export site hierarchy to the ExtremeLocation server. The site hierarchy includes site details along with
details of APs deployed within the site.
Note
Once created and configured, apply this Location policy on the WiNG controller’s self, to
enable Tenant site hierarchy reporting by the controller to the ExtremeLocation server.
Note
The ExtremeLocation sensor capabilities are supported only on AP7522, AP7532, AP7562,
AP7612, AP7602, AP7622, AP8432 and AP8533 model access points.
• Access Points — AP410i/e, AP460i/e, AP505i, AP510i/e, AP560i/h, AP7522, AP7532, AP7562,
AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
location-policy <LOCATION-POLICY-NAME>
Parameters
location-policy <LOCATION-POLICY-NAME>
location-policy <LOCATION-POLICY-NAME>
Specify the Location Policy name. If a policy with the specified name does not exist, it
is created.
Examples
nx9500-6C8809(config)#eloc-policy testLocPolicy
nx9500-6C8809(config-eloc-policy-testLocPolicy)#?
Eloc Policy Mode commands:
enable Enable this eloc policy
location-key API key used for location service
no Negate a command or set its defaults
server-host ExtremeLocation server configuration
nx9500-6C8809(config-eloc-policy-testLocPolicy)#
Related Commands
location-policy-config-mode commands
enable
Enables this Location policy
Supported in the following platforms:
• Access Points — AP410i/e, AP460i/e, AP505i, AP510i/e, AP560i/h, AP7522, AP7532, AP7562,
AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
enable
Parameters
None
Examples
nx9500-6C8809(config-location-policy-ELocPolicy)#enable
nx9500-6C8809(config-location-policy-ELocPolicy)#show context
location-policy ELocPolicy
enable
nx9500-6C8809(config-location-policy-ELocPolicy)#
Related Commands
location-key
Configures the ExtremeLocation Tenant’s API key. The WiNG controller uses this key to authenticate
with the ExtremeLocation server, and stage the Tenant’s site hierarchy (includes site details and details
of APs deployed within the site).
Supported in the following platforms:
• Access Points — AP410i/e, AP460i/e, AP505i, AP510i/e, AP560i/h, AP7522, AP7532, AP7562,
AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
location-key <API-KEY>
Parameters
location-key <API-KEY>
location-key <API-KEY> Enter the 64-bit key that the WiNG controller uses to authenticate
with the ExtremeLocation server.
• <API-KEY> – Enter the key.
Examples
nx9500-6C8809(config-location-policy-ELocPolicy)#location-key dGVzdEAxMjM0NQo
nx9500-6C8809(config-location-policy-ELocPolicy)#show context
location-policy ELocPolicy
enable
location-key dGVzdEAxMjM0NQo
nx9500-6C8809(config-location-policy-ELocPolicy)#
Related Commands
server-host
Configures the ExtremeLocation server’s hostname. When configured, the WiNG controller stages the
Tenant’s site hierarchy information to the specified server.
Supported in the following platforms:
• Access Points — AP410i/e, AP460i/e, AP505i, AP510i/e, AP560i/h, AP7522, AP7532, AP7562,
AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
server-host 1 ip <HOSTNAME> {port <1-65535>}
Parameters
server-host 1 ip <HOSTNAME> {port <1-65535>}
Note: Enter the server’s hostname and not the IP address, as the
IP address is likely to change periodically in order to balance
load across multiple Location server instances.
{port <1-65535>} Optional. Configures the port on which the ExtremeLocation server
is reachable
• <1-65535> – Selects a port from 1 - 65535 for the
ExtremeLocation server.
Examples
nx9500-6C8809(config-location-policy-ELocPolicy)#server-host 1 ip xyz.com
nx9500-6C8809(config-location-policy-ELocPolicy)#show context
location-policy ELocPolicy
enable
server-host 1 ip xyz.com port 443
location-key dGVzdEAxMjM0NQo
nx9500-6C8809(config-location-policy-ELocPolicy)#
Related Commands
no (location-policy-config-commands)
Removes this Location policy's settings or reverts them to default values
Supported in the following platforms:
• Access Points — AP410i/e, AP460i/e, AP505i, AP510i/e, AP560i/h, AP7522, AP7532, AP7562,
AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [enable|location-key|server-host]
Parameters
no <PARAMETERS>
Examples
The following example shows the 'ELocPolicy' policy settings before the ‘no’ commands were executed:
nx9500-6C8809(config-location-policy-ELocPolicy)#show context
location-policy ELocPolicy
enable
server-host 1 ip xyz.com port 443
location-key dGVzdEAxMjM0NQo
nx9500-6C8809(config-location-policy-ELocPolicy)#
nx9500-6C8809(config-location-policy-ELocPolicy)#no server-host 1
nx9500-6C8809(config-location-policy-ELocPolicy)#no enable
nx9500-6C8809(config-location-policy-ELocPolicy)#no location-key
The following example shows the 'ELocPolicy' policy settings after the ‘no’ commands were executed:
nx9500-6C8809(config-location-policy-ELocPolicy)#show context
location-policy ELocPolicy
nx9500-6C8809(config-location-policy-ELocPolicy)#
mac
Configures a MAC ACL. Access lists define access permissions to the network using a set of rules. Each
rule specifies an action taken when a packet matches the rule. If the action is deny, the packet is
dropped. If the action is permit, the packet is allowed.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mac access-list <MAC-ACL-NAME>
Parameters
mac access-list <MAC-ACL-NAME>
Examples
nx9500-6C8809(config)#mac access-list test
nx9500-6C8809(config-mac-acl-test)#?
MAC Extended ACL Configuration commands:
deny Specify packets to reject
disable Disable rule if not needed
ex3500 Ex3500 device
insert Insert this rule (instead of overwriting a existing rule)
no Negate a command or set its defaults
permit Specify packets to forward
nx9500-6C8809(config-mac-acl-test)#
Related Commands
Note
For more information on Access Control Lists, see ACCESS-LIST on page 1504.
management-policy
Configures a management policy. Management policies include services that run on a device, welcome
messages, banners, etc.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
management-policy <MANAGEMENT-POLICY-NAME>
Parameters
management-policy <MANAGEMENT-POLICY-NAME>
Examples
nx9500-6C8809(config)#management-policy test
nx9500-6C8809(config-management-policy-test)#?
Management Mode commands:
aaa-login Set authentication for logins
allowed-locations Add allowed locations
banner Define a login banner
ftp Enable FTP server
http Hyper Text Terminal Protocol (HTTP)
https Secure HTTP
idle-session-timeout Configure idle timeout for a configuration session
(GUI or CLI)
ipv6 IPv6 management access restriction
no Negate a command or set its defaults
passwd-retry Lockout user if too many consecutive login failures
privilege-mode-password Set the password for entering CLI privilege mode
rest-server Enable rest server for device on-boarding
functionality
restrict-access Restrict management access to the device
snmp-server SNMP
ssh Enable ssh
t5 T5 configuration
telnet Enable telnet
user Add a user account
nx9500-6C8809(config-management-policy-test)#
Related Commands
Note
For more information on Management policy configuration, see MANAGEMENT-POLICY.
meshpoint
Creates a new meshpoint and enters its configuration mode. Use this command to select and configure
existing meshpoints.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
meshpoint [<MESHPOINT-NAME>|containing <WORD>]
Parameters
meshpoint [<MESHPOINT-NAME>|containing <WORD>]
<MESHPOINT-NAME> Specify the meshpoint name. If the meshpoint does not exist, it is created.
containing <WORD> Selects existing meshpoints containing the sub-string <WORD> in their names
Examples
nx9500-6C8809(config)#meshpoint testMeshpoint
nx9500-6C8809(config-meshpoint-testMeshpoint)#?
Mesh Point Mode commands:
nx9500-6C8809(config-meshpoint-testMeshpoint)#
Related Commands
Note
For more information on Meshpoint configuration, see MESHPOINT.
meshpoint-qos-policy
Configures a set of parameters that defines the meshpoint QoS policy
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>
Parameters
meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>
<MESHPOINT-QOS-POLICY-NAME>
Specify the meshpoint QoS policy name. If a policy with the specified name does not
exist, it is created.
Examples
nx9500-6C8809(config)#meshpoint-qos-policy test
nx9500-6C8809(config-meshpoint-qos-test)#?
Mesh Point QoS Mode commands:
accelerated-multicast Configure accelerated multicast streams address and
forwarding QoS classification
no Negate a command or set its defaults
rate-limit Configure traffic rate-limiting parameters on a
per-meshpoint/per-neighbor basis
nx9500-6C8809(config-meshpoint-qos-test)#
Related Commands
Note
For more information on Meshpoint QoS policy configuration, see MESHPOINT.
mint-policy
Configures the global MiNT policy and enters its configuration mode
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mint-policy global-default
Parameters
mint-policy global-default
Examples
nx9500-6C8809(config)#mint-policy global-default
nx9500-6C8809(config-mint-policy-global-default)#?
Mint Policy Mode commands:
level Mint routing level
lsp LSP
mtu Configure the global Mint MTU
no Negate a command or set its defaults
router Mint router
udp Configure mint UDP/IP encapsulation
nx9500-6C8809(config-mint-policy-global-default)#
Note
For more information on MiNT policy configuration, see MINT-POLICY on page 1672.
nac-list
Configures a Network Access Control (NAC) list that manages access to the network. A NAC list
configures a list of devices that can access a network based on their MAC addresses.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
nac-list <NAC-LIST-NAME>
Parameters
nac-list <NAC-LIST-NAME>
<NAC-LIST-NAME> Specify the NAC list name. If a NAC list with the specified name does not exist, it
is created.
Examples
nx9500-6C8809(config)#nac-list test
nx9500-6C8809(config-nac-list-test)#?
NAC List Mode commands:
exclude Specify MAC addresses to be excluded from the NAC enforcement list
include Specify MAC addresses to be included in the NAC enforcement list
no Negate a command or set its defaults
nx9500-6C8809(config-nac-list-test)#
Related Commands
nac-list-mode-commands
include
Specifies the MAC addresses included in the NAC enforcement list
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
include <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]
Parameters
include <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]
<START-MAC> Specifies a range of MAC addresses or a single MAC address to include in the NAC
enforcement list
• <START-MAC> – Specify the first MAC address in the range.
<END-MAC> Specifies the last MAC address in the range (optional if a single MAC is added to the
list)
• <END-MAC> – Specify the last MAC address in the range.
precedence <1-1000>
Sets the rule precedence. Include entries are checked in the order of their rule
precedence.
• <1-1000> – Specify a value from 1 - 1000.
Examples
nx9500-6C8809(config-nac-list-test)#include 00-15-70-38-06-49 precedence 2
nx9500-6C8809(config-nac-list-test)#show context
nac-list test
exclude 00-04-96-B0-BA-2A 00-04-96-B0-BA-2A precedence 1
include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2
nx9500-6C8809(config-nac-list-test)#
Related Commands
exclude
Specifies the MAC addresses excluded from the NAC enforcement list
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
exclude <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]
Parameters
exclude <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]
<START-MAC> Specifies a range of MAC addresses or a single MAC address to exclude from the
NAC enforcement list
• <START-MAC> – Specify the first MAC address in the range.
<END-MAC> Specifies the last MAC address in the range (optional if a single MAC is added to the
list)
• <END-MAC> – Specify the last MAC address in the range.
precedence <1-1000>
Sets the rule precedence. Exclude entries are checked in the order of their rule
precedence.
• <1-1000> – Specify a value from 1 - 1000.
Examples
nx9500-6C8809(config-nac-list-test)#exclude 00-40-96-B0-BA-2A precedence 1
nx9500-6C8809(config-nac-list-test)#show context
nac-list test
exclude 00-40-96-B0-BA-2A 00-40-96-B0-BA-2A precedence 1
nx9500-6C8809(config-nac-list-test)#
Related Commands
no (nac-list-config-commands)
Cancels an exclude or include NAC list rule
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [exclude|include]
no [exclude|include] <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes or reverts this NAC list’s settings based on the parameters passed
Examples
The following example shows the NAC list ‘test’ settings before the ‘no’ command is executed:
nx9500-6C8809(config-nac-list-test)#show context
nac-list test
exclude 00-04-96-B0-BA-2A 00-04-96-B0-BA-2A precedence 1
include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2
nx9500-6C8809(config-nac-list-test)#
nx9500-6C8809(config-nac-list-test)#no exclude 00-40-96-B0-BA-2A precedence 1
The following example shows the NAC list ‘test’ settings after the ‘no’ command is executed:
nx9500-6C8809(config-nac-list-test)#show context
nac-list test
include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2
nx9500-6C8809(config-nac-list-test)#
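Include and exclude entries are checked in the order of their rule precedence, so a wide MAC range at a low precedence number can hide a narrower rule placed after it. The script below is an added example, not part of the WiNG guide: it parses nac-list show context output, reports shadowed rules, and resolves a MAC address. It assumes one shared ordering in which the lowest precedence number is checked first and the first matching range decides; the sample list and finding names are constructed.

```python
import re
from typing import NamedTuple, Optional

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")
# Matches both forms: '<action> <START> <END> precedence N' and
# '<action> <MAC> precedence N' (single address).
RULE_RE = re.compile(
    r"^(include|exclude)\s+(\S+)(?:\s+(\S+))?\s+precedence\s+(\d+)$")

# Constructed sample input (not taken from a real device).
SAMPLE = """\
nx9500-6C8809(config-nac-list-test)#show context
nac-list test
 exclude 00-04-96-B0-BA-2A 00-04-96-B0-BA-2A precedence 1
 include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2
 exclude 00-15-70-00-00-00 00-15-70-FF-FF-FF precedence 3
 include 00-15-70-38-00-00 00-15-70-38-FF-FF precedence 4
nx9500-6C8809(config-nac-list-test)#
"""


class Rule(NamedTuple):
    action: str       # 'include' or 'exclude'
    start: int        # first MAC of the range, as an integer
    end: int          # last MAC of the range, as an integer
    precedence: int   # 1-1000


def mac_to_int(mac: str) -> int:
    """Convert a dash-separated MAC (the notation used in this guide) to an int."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a dash-separated MAC address: {mac!r}")
    return int(mac.replace("-", ""), 16)


def parse_nac_list(text: str) -> list:
    """Return the rules found in 'show context' output, sorted by precedence."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # prompts, the 'nac-list <name>' header, blank lines
        action, start, end, prec = m.groups()
        lo = mac_to_int(start)
        hi = mac_to_int(end) if end else lo
        if lo > hi:
            raise ValueError(f"range start after end: {raw.strip()!r}")
        if not 1 <= int(prec) <= 1000:
            raise ValueError(f"precedence outside 1-1000: {raw.strip()!r}")
        rules.append(Rule(action, lo, hi, int(prec)))
    return sorted(rules, key=lambda r: r.precedence)


def audit(rules: list) -> list:
    """Flag rules that can never match because an earlier rule covers them."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.precedence == later.precedence:
                findings.append(("duplicate-precedence", later.precedence))
            elif earlier.start <= later.start and later.end <= earlier.end:
                findings.append(("shadowed", later.precedence, earlier.precedence))
    return findings


def evaluate(rules: list, mac: str) -> Optional[str]:
    """Return the action of the first matching rule, or None if nothing matches."""
    addr = mac_to_int(mac)
    for rule in rules:
        if rule.start <= addr <= rule.end:
            return rule.action
    return None


if __name__ == "__main__":
    parsed = parse_nac_list(SAMPLE)
    print(audit(parsed))
    print(evaluate(parsed, "00-15-70-38-12-34"))
```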
no (global-config-mode)
Negates a command, or reverts configured settings to their default
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [aaa-policy|aaa-tacacs-policy|alias|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|
ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|nx5500|nx75xx|nx9000|nx9600|
application|application-group|application-policy|association-acl-policy|
auto-provisioning-policy|bgp|ble-data-export-policy|bonjour-gw-discovery-policy|
bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|
client-identity|client-identity-group|crypto-cmp-policy|customize|database-policy|device|
device-categorization|dhcp-server-policy|dhcpv6-server-policy|dns-whitelist|
event-system-policy|ex3500|ex3500-management-policy|ex3500-qos-class-map-policy|
ex3500-qos-policy-map|ex3524|ex3548|firewall-policy|global-association-list|
guest-management|igmp-snoop-policy|inline-password-encryption|
iot-device-type-imagotag-policy|ip|ipv6|ipv6-router-advertisement-policy|l2tpv3|
location-policy|mac|management-policy|meshpoint|meshpoint-qos-policy|nac-list|
nsight-policy|passpoint-policy|password-encryption|profile|radio-qos-policy|radius-group|
radius-server-policy|radius-user-pool-policy|rf-domain|rfs4000|roaming-assist-policy|
role-policy|route-map|routing-policy|rtl-server-policy|schedule-policy|t5|sensor-policy|
smart-rf-policy|url-filter|url-list|vx9000|web-filter-policy|wips-policy|wlan|
wlan-qos-policy|service]
no alias [address-range <ADDRESS-RANGE-ALIAS-NAME>|host <HOST-ALIAS-NAME>|
network <NETWORK-ALIAS-NAME>|network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|
network]|network-service <NETWORK-SERVICE-ALIAS-NAME>|number <NUMBER-ALIAS-NAME>|
string <STRING-ALIAS-NAME>|vlan <VLAN-ALIAS-NAME>]
no [aaa-policy|aaa-tacacs-policy|application-policy|auto-provisioning-policy|
auto-provisioning-policy|ble-data-export-policy|bonjour-gw-discovery-policy|
bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|database-policy|
captive-portal|crypto-cmp-policy|device-categorization|dhcp-server-policy|
dhcpv6-server-policy|dns-whitelist|event-system-policy|ex3500|ex3500-management-policy|
ex3500-qos-class-map-policy|ex3500-qos-policy|firewall-policy|global-association-list|
guest-management|igmp-snoop-policy|inline-password-encryption|ip|ipv6|
iot-device-type-imagotag-policy|ipv6-router-advertisement-policy|l2tpv3|location-policy|
mac|management-policy|meshpoint|meshpoint-qos-policy|nac-list|nsight-policy|
passpoint-policy|radio-qos-policy|radius-group|radius-server-policy|
radius-user-pool-policy|roaming-assist-policy|role-policy|routing-policy|
rtl-server-policy|schedule-policy|sensor-policy|smart-rf-policy|web-filter-policy|
wips-policy|wlan-qos-policy] <POLICY-NAME>
no application <APPLICATION-NAME>
no application-group <APPLICATION-GROUP-NAME>
no [ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|
ap81xx|ap8432|ap8533|ex3524|ex3548|rfs4000|t5|nx5500|nx75xx|nx9000|nx9600|vx9000] <MAC>
no client-identity <CLIENT-IDENTITY-NAME>
no client-identity-group <CLIENT-IDENTITY-GROUP-NAME>
no device {containing <WORD>} {(filter type [ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|
ap7562|ap8163|ap8432|ap8533|ex3524|ex3548|rfs4000|t5|nx5500|nx75xx|nx9000|nx9600|vx9000])}
no customize [hostname-column-width|show-wireless-client|show-wireless-client-stats|
show-wireless-client-stats-rf|show-wireless-meshpoint|
show-wireless-meshpoint-neighbor-stats|show-wireless-meshpoint-neighbor-stats-rf|
show-wireless-radio|show-wireless-radio-stats|show-wireless-radio-stats-rf]
no password-encryption secret 2 <OLD-PASSPHRASE>
no profile {ap6522|ap71xx|ap7502|ap7522|ap7532|ap7562|ap8163|ap8432|ap8533|ex3524|
ex3548|containing|filter|rfs4000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000} <PROFILE-NAME>
no wlan [<WLAN-NAME>|all|containing <WLAN-NAME-SUBSTRING>]
no service set [command-history|reboot-history|upgrade-history] {on <DEVICE-NAME>}
The following ‘no’ commands are specific to the vNX 95XX and vNX 96XX platforms:
no t5 <T5-DEVICE-MAC>
no bgp [as-path-list|community-list|extcommunity-list|ip-access-list|ip-prefix-list]
<LIST-NAME>
no route-map <ROUTE-MAP-NAME>
The following ‘no’ commands are specific to the AP 6522, AP 7161, AP 7502, AP-7522, AP 7532
platforms:
no url-filter <URL-FILTER-NAME>
no url-list <URL-LIST-NAME>
The following ‘no’ command is specific to the VX 9000 virtual machine platform:
no database-client-policy <POLICY-NAME>
Parameters
no <PARAMETERS>
Examples
<DEVICE>(config)#no ?
aaa-policy Delete a aaa policy
aaa-tacacs-policy Delete a aaa tacacs policy
alias Alias
ap621 Delete an AP621 access point
ap622 Delete an AP622 access point
ap650 Delete an AP650 access point
ap6511 Delete an AP6511 access point
ap6521 Delete an AP6521 access point
ap6522 Delete an AP6522 access point
ap6532 Delete an AP6532 access point
ap6562 Delete an AP6562 access point
ap71xx Delete an AP71XX access point
ap7502 Delete an AP7502 access point
ap7522 Delete an AP7522 access point
ap7532 Delete an AP7532 access point
ap7562 Delete an AP7562 access point
ap7602 Delete an AP7602 access point
ap7612 Delete an AP7612 access point
ap7622 Delete an AP7622 access point
ap7632 Delete an AP7632 access point
ap7662 Delete an AP7662 access point
ap81xx Delete an AP81XX access point
ap82xx Delete an AP82XX access point
ap8432 Delete an AP8432 access point
ap8533 Delete an AP8533 access point
<DEVICE>(config)#
nsight-policy (global-config-mode)
Creates an NSight policy and enters its configuration mode. Starting with WiNG 5.9.3, Extreme NSight is
a separate target, with the Extreme NSight server enabled on an external VM appliance. On the WiNG
controller, the NSight policy configures this external NSight server's IP address or hostname.
Configure the NSight policy and apply it to the RF Domain context. When applied, the RF Domain
manager posts statistics (polled from devices within the RF Domain) to the external Extreme NSight
server specified in the policy.
Note
Extreme NSight is a licensed feature. For more information on Extreme NSight™, please refer
to the Extreme NSight™ User Guide, available at https://extremenetworks.com/documentation.
Syntax
nsight-policy <NSIGHT-POLICY-NAME>
Parameters
nsight-policy <NSIGHT-POLICY-NAME>
<NSIGHT-POLICY-NAME> Specify the NSight policy name. If a policy with the specified name does
not exist, it is created.
Examples
nx9500-6C8809(config)#nsight-policy test
nx9500-6C8809(config-nsight-policy-test)#?
Nsight Policy Mode commands:
enable Enable this Nsight policy
mandatory Configure mandatory app stats reporting
no Negate a command or set its defaults
server Configure Nsight server
nx9500-6C8809(config-nsight-policy-test)#
Related Commands
enable
Enables this NSight policy. The default setting is enabled.
Supported in the following platforms:
• Service Platforms — NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
enable
Parameters
None
Examples
nx9510-6C8A5C(config-nsight-policy-test2)#enable
Related Commands
mandatory
Configures mandatory AVC statistics reporting for a specified application group. When configured, the
RF Domain manager reports usage stats for applications, in the specified group, to the NSight server. By
default, only the top-ten applications by usage are reported to the NSight server. This option allows you
to configure mandatory stats reporting for applications that are not in the top-ten list.
To enable mandatory statistics reporting for an application or set of applications, create an application
group, add the desired application(s), and enable mandatory stats reporting for the group. Once
enabled, usage stats for the specified application(s) are always reported.
At any given time, only ten (10) applications can be reported to the NSight server. These are the top-ten
applications, by usage, identified by the system. However, if mandatory application stats reporting is
enabled, the applications within the specified application group have to be included in the report. This is
done by dropping some of the top-ten applications. For example, if mandatory application reporting is
enabled for five (5) applications, the report will contain these 5 applications plus the first 5 of the top-ten
applications identified by the system, bringing the total to ten.
Supported in the following platforms:
• Service Platforms — NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
mandatory app stats app-group <APPLICATION-GROUP-NAME>
Parameters
mandatory app stats app-group <APPLICATION-GROUP-NAME>
mandatory app stats Enables mandatory AVC statistics reporting for a specified application group
app-group <APPLICATION-GROUP-NAME> Specifies the application group for which statistics reporting
is to be made mandatory. When configured, usage statistics for the specified application group
are always reported to the NSight server.
• <APPLICATION-GROUP-NAME> – Specify the application group name.
Examples
nx9500-6C8809(config-nsight-policy-test)#mandatory app stats app-group socialnetworking
nx9500-6C8809(config-nsight-policy-test)#show context
nsight-policy test
server host 1.2.3.4 https
nx9500-6C8809(config-nsight-policy-test)#
Related Commands
server
Configures the external NSight server's IP address or hostname
Note
Starting with WiNG 5.9.4 you will not be able to configure the NSight server on a VX 9000, NX
95XX, or NX 96XX platform. Extreme NSight is a separate target that can only be deployed on
an external VM appliance.
Note
For more information on Extreme NSight™, please refer to the Extreme NSight™ User Guide,
available at https://extremenetworks.com/documentation.
Syntax
server host [<IP>|<HOSTNAME>|<X:X::X:X>] {http|https}
Parameters
server host [<IP>|<HOSTNAME>|<X:X::X:X>] {http|https}
server host [<IP>|<HOSTNAME>|<X:X::X:X>] Configures the NSight server's IP address or hostname.
Use one of the following options to identify the NSight server:
• <IP> – Configures the NSight server’s IPv4 address
• <HOSTNAME> – Configures the NSight server’s hostname
• <X:X::X:X> – Configures the NSight server’s IPv6 address
{http|https} Optional. Configures the protocol used to communicate with the NSight server
• http – Optional. Uses HTTP to communicate
• https – Optional. Uses HTTPS to communicate (this is the default setting)
Examples
nx9510-6C8A5C(config-nsight-policy-test2)#server host 172.22.0.153 http
nx9510-6C8A5C(config-nsight-policy-test2)#show context
nsight-policy test2
server host 172.22.0.153 http
nx9510-6C8A5C(config-nsight-policy-test2)#
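The check below is an added example, not part of the guide or of WiNG: it reads saved show context or running-config text and lists every NSight policy whose server host line selects http, because the statistics the RF Domain manager posts then cross the network unencrypted. The function names and the constructed sample are assumptions; parsing relies only on the nsight-policy <NAME> and server host ... {http|https} forms and the mode commands shown above, with https taken as the protocol when the keyword is omitted, as the parameter table states.

```python
import re
from dataclasses import dataclass

# Constructed sample input (not captured from a device), written in the style
# of the "show context" output in this section.
SAMPLE_CONFIG = """\
nsight-policy test
 server host 1.2.3.4 https
!
nsight-policy test2
 server host 172.22.0.153 http
!
nsight-policy branch
 mandatory app stats app-group socialnetworking
 server host nsight.example.net
!
nsight-policy empty
!
rf-domain default
 use nsight-policy test2
"""

# Commands the guide lists for NSight policy mode. Any other first word on a
# line means the policy block has ended.
MODE_COMMANDS = {"enable", "mandatory", "no", "server"}
SERVER_RE = re.compile(r"^\s*server\s+host\s+(\S+)(?:\s+(https?))?\s*$")


@dataclass(frozen=True)
class NsightServer:
    policy: str
    host: str
    protocol: str   # "http" or "https"
    explicit: bool  # False when the keyword was omitted and the default applies


def parse_nsight_servers(config_text):
    """Return one NsightServer per 'server host' line inside an nsight-policy block."""
    servers = []
    current = None  # name of the policy block being read, if any
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "nsight-policy" and len(words) == 2:
            current = words[1]
            continue
        if current is None:
            continue
        if words[0] not in MODE_COMMANDS:
            current = None  # "!", a prompt, or another object: block is over
            continue
        match = SERVER_RE.match(raw)
        if match:
            host, proto = match.groups()
            servers.append(
                NsightServer(current, host, proto or "https", proto is not None)
            )
    return servers


def audit_nsight_transport(config_text):
    """Return one finding per policy that posts statistics over plain HTTP."""
    findings = []
    for server in parse_nsight_servers(config_text):
        if server.protocol == "http":
            findings.append(
                f"nsight-policy {server.policy}: server host {server.host} "
                "uses http; statistics are posted unencrypted, reconfigure with https"
            )
    return findings


if __name__ == "__main__":
    for server in parse_nsight_servers(SAMPLE_CONFIG):
        origin = "configured" if server.explicit else "default"
        print(f"{server.policy:8} {server.host:20} {server.protocol} ({origin})")
    problems = audit_nsight_transport(SAMPLE_CONFIG)
    for problem in problems:
        print("FINDING:", problem)
    raise SystemExit(1 if problems else 0)
```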
Related Commands
no (nsight-policy-config-commands)
Removes NSight policy settings or reverts them to default values
Supported in the following platforms:
• Service Platforms — NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
no [enable|mandatory app stats app-group <APPLICATION-GROUP-NAME>|server host [<IPv4>|
<HOST-NAME>|<IPv6>]]
Parameters
no <PARAMETERS>
Examples
The following example shows the NSight policy ‘test2’ settings before the ‘no’ command is executed:
nx9510-6C8A5C(config-nsight-policy-test2)#show context
nsight-policy test2
The following example shows the NSight policy ‘test2’ settings after the ‘no’ command is executed:
nx9510-6C8A5C(config-nsight-policy-test2)#show context
nsight-policy test2
nx9510-6C8A5C(config-nsight-policy-test2)#
passpoint-policy
Creates a new passpoint policy and enters its configuration mode. The passpoint policy implements the
Hotspot 2.0 Wi-Fi Alliance standard, enabling interoperability between clients, infrastructure, and
operators. It makes a portion of the IEEE 802.11u standard mandatory and adds Hotspot 2.0 extensions
that allow clients to query a network before actually attempting to join it.
The passpoint policy allows a single Hotspot 2.0 configuration, or a set of them, to be defined globally
and referenced by the devices that use it. It is mapped to a WLAN. However, only primary WLANs on a
BSSID will have their passpoint policy configuration used.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
passpoint-policy <POLICY-NAME>
Parameters
passpoint-policy <POLICY-NAME>
passpoint-policy <POLICY-NAME> Specify the passpoint policy name. If a passpoint policy with the
specified name does not exist, it is created.
Examples
rfs4000-229D58(config)#passpoint-policy test
rfs4000-229D58(config-passpoint-policy-test)#?
Passpoint Policy Mode commands:
3gpp Configure a 3gpp plmn (public land mobile network) id
access-network-type Set the access network type for the passpoint
connection-capability Configure the connection capability for the passpoint
domain-name Add a domain-name for the passpoint
hessid Set a homogeneous ESSID value for the passpoint
internet Advertise the passopint having internet access
ip-address-type Configure the advertised ip-address-type
nai-realm Configure a NAI realm for the passpoint
net-auth-type Add a network authentication type to the passpoint
no Negate a command or set its defaults
operator Add configuration related to the operator of the
passpoint
osu Online signup
roam-consortium Add a roam consortium for the passpoint
rfs4000-229D58(config-passpoint-policy-test)#
Related Commands
Note
For more information on Passpoint policy, see PASSPOINT-POLICY
password-encryption
Enables password encryption and configures the passphrase used to encrypt passwords. When
enabled, passwords configured within the system are not displayed as clear text.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
password-encryption secret 2 <LINE>
Parameters
password-encryption secret 2 <LINE>
Examples
nx9500-6C8809(config)#password-encryption secret 2 test@123
The following example shows the privilege-mode-password as encrypted text. Note, the digit ‘1’
preceding the password implies that displayed text is the encrypted password and not clear text.
nx9500-6C8809(config-management-policy-test)#show context include-factory |
include privilege-mode-password
privilege-mode-password 1
bc28e4d82bb11fa75a3c56346441d48f50f19c47184e2575a59a6a5d18e63925
nx9500-6C8809(config-management-policy-test)#
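The scan below is an added example, not part of the guide or of WiNG: it classifies each stored secret in saved configuration text by the type digit in front of it and flags type 0 entries, which the guide shows are displayed as clear text when password encryption is disabled. The function names and the constructed sample are assumptions; only the privilege-mode-password, alias encrypted-string and alias hashed-string forms documented in this guide are matched, and the report never echoes the secret value itself.

```python
import re
from dataclasses import dataclass

# Constructed sample input (not taken from a real device). The value after
# "privilege-mode-password 1" sits on its own line, as happens when a long
# line wraps in a pasted terminal capture.
SAMPLE_CONFIG = """\
management-policy test
 privilege-mode-password 1
 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
alias encrypted-string $snmpRo 0 ExampleCommunity
alias encrypted-string $snmpRw 2 Q29uc3RydWN0ZWRWYWx1ZQ==
alias hashed-string $enablePw 1 0f1e2d3c4b5a6978
interface ge1
 switchport access vlan 1
"""

# Secret-bearing commands documented in this guide, followed by the type
# digit. The value may be missing from the line when the capture wrapped it.
SECRET_RE = re.compile(
    r"^\s*(?P<item>privilege-mode-password"
    r"|alias\s+(?:encrypted|hashed)-string\s+\S+)"
    r"\s+(?P<type>[012])(?:\s+\S.*)?$"
)


@dataclass(frozen=True)
class SecretFinding:
    line_no: int      # 1-based line number in the scanned text
    item: str         # command and alias name, never the secret value
    secret_type: str  # "0", "1" or "2"

    @property
    def cleartext(self):
        # Per the guide: 0 is displayed as clear text, 1 and 2 are not.
        return self.secret_type == "0"


def scan_secrets(config_text):
    """Return a SecretFinding for every documented secret line in the text."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = SECRET_RE.match(line.rstrip())
        if match:
            item = " ".join(match["item"].split())  # normalise spacing
            findings.append(SecretFinding(line_no, item, match["type"]))
    return findings


def cleartext_findings(config_text):
    """Return only the findings stored as type 0 (clear text)."""
    return [f for f in scan_secrets(config_text) if f.cleartext]


def report(config_text):
    """Return printable report lines that omit the secret values."""
    lines = []
    for f in scan_secrets(config_text):
        state = "CLEAR TEXT" if f.cleartext else "not clear text"
        lines.append(f"line {f.line_no}: {f.item} (type {f.secret_type}): {state}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
    # Non-zero exit lets a scheduled job or pipeline fail on clear-text secrets.
    raise SystemExit(1 if cleartext_findings(SAMPLE_CONFIG) else 0)
```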
Related Commands
profile
Configures profile related commands. If no parameters are given, all profiles are selected.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
profile {anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|
ap7632|ap7662|ap81xx|ap8432|ap8533|containing|filter|rfs4000|nx5500|nx75xx|nx9000|nx9600|
vx9000}
profile {anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|
ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|nx9600|vx9000}
<DEVICE-PROFILE-NAME>
profile {containing <DEVICE-PROFILE-NAME>} {filter type [ap6522|ap6562|ap71xx|ap7502|
ap7522|ap7532|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx75xx|
nx9000|nx9600|vx9000]}
profile {filter type [ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|
ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|
vx9000]}
Parameters
profile {anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|
ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000}
<DEVICE-PROFILE-NAME>
profile <DEVICE-TYPE> <DEVICE-PROFILE-NAME> Configures device profile commands. If no device
profile is specified, the system configures all device profiles.
• <DEVICE-TYPE> – Optional. Select the device type. The options are: AP 6522, AP 6562,
AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602, AP-7612, AP 7622, AP7632, AP7662,
AP-8163, AP-8432, AP-8533, RFS 4000, NX 5500, NX 75XX, NX 95XX, NX 96XX, and VX 9000.
Examples
<DEVICE>(config)#profile nx9000 test-NX9500
<DEVICE>(config-profile-test-NX9500)#?
Profile Mode commands:
adopter-auto-provisioning-policy-lookup Use centralized auto-provisioning
policy when adopted by another
controller
adoption Adoption configuration
device
meshpoint-device Configure meshpoint device
parameters
meshpoint-monitor-interval Configure meshpoint monitoring
interval
min-misconfiguration-recovery-time Time interval to check controller
connectivity after configuration is
received
mint MiNT protocol
misconfiguration-recovery-time Check controller connectivity after
configuration is received
neighbor-inactivity-timeout Configure neighbor inactivity
timeout
neighbor-info-interval Configure neighbor information
exchange interval
no Negate a command or set its
defaults
noc Configure the noc related setting
nsight NSight
ntp Ntp server WORD
offline-duration Set duration for which a device
remains unadopted before it
generates offline event
otls Omnitrail Location Server
power-config Configure power mode
preferred-controller-group Controller group this system will
prefer for adoption
preferred-tunnel-controller Tunnel Controller Name this system
will prefer for tunneling extended
vlan traffic
radius Configure device-level radius
authentication parameters
raid RAID
remote-debug Configure remote debug parameters
remove-override Remove configuration item override
from the device (so profile value
takes effect)
rf-domain-manager RF Domain Manager
router Dynamic routing
slot PCI expansion Slot
spanning-tree Spanning tree
traffic-class-mapping Configure IPv6 traffic class to
802.1p priority mapping for
untagged frames
traffic-shape Traffic shaping
trustpoint Assign a trustpoint to a service
tunnel-controller Tunnel Controller group this
controller belongs to
use Set setting to use
vrrp VRRP configuration
vrrp-state-check Publish interface via OSPF/BGP only
if the interface VRRP state is not
BACKUP
wep-shared-key-auth Enable support for 802.11 WEP
shared key authentication
zone Configure Zone name
previous mode
help Description of the interactive help
system
revert Revert changes
service Service Commands
show Show running system information
write Write running configuration to
memory or terminal
<DEVICE>(config-profile-test-NX9500)#
Related Commands
Note
For more information on profiles and how to configure profiles, see PROFILES on page 949.
radio-qos-policy
Configures a radio QoS policy
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
radio-qos-policy <RADIO-QOS-POLICY-NAME>
Parameters
radio-qos-policy <RADIO-QOS-POLICY-NAME>
<RADIO-QOS-POLICY-NAME> Specify the radio QoS policy name. If a policy with the specified name
does not exist, it is created.
Examples
nx9500-6C8809(config)#radio-qos-policy test
nx9500-6C8809(config-radio-qos-test)#?
Radio QoS Mode commands:
accelerated-multicast Configure multicast streams for acceleration
admission-control Configure admission-control on this radio for one or
more access categories
no Negate a command or set its defaults
smart-aggregation Configure smart aggregation parameters
wmm Configure 802.11e/Wireless MultiMedia parameters
nx9500-6C8809(config-radio-qos-test)#
Related Commands
Note
For more information on radio qos policy, see RADIO-QOS-POLICY on page 1756.
radius-group
Configures a RADIUS user group and enters its configuration mode
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
radius-group <RADIUS-GROUP-NAME>
Parameters
radius-group <RADIUS-GROUP-NAME>
<RADIUS-GROUP-NAME> Specify a RADIUS user group name. The name should not exceed 64 characters.
If a RADIUS user group with the specified name does not exist, it is created.
Examples
nx9500-6C8809(config)#radius-group testRadiusGr
nx9500-6C8809(config-radius-group-testRadiusGr)#?
Radius user group configuration commands:
guest Make this group a Guest group
no Negate a command or set its defaults
policy Radius group access policy configuration
rate-limit Set rate limit for group
nx9500-6C8809(config-radius-group-testRadiusGr)#
Related Commands
Note
For more information on RADIUS user group commands, see RADIUS-POLICY on page 1722.
radius-server-policy
Creates a RADIUS server policy and enters its configuration mode
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
radius-server-policy <RADIUS-SERVER-POLICY-NAME>
Parameters
radius-server-policy <RADIUS-SERVER-POLICY-NAME>
<RADIUS-SERVER-POLICY-NAME> Specify the RADIUS server policy name. If a policy with the specified
name does not exist, it is created.
Examples
nx9500-6C8809(config)#radius-server-policy testRadiusServerPolicy
nx9500-6C8809(config-radius-server-policy-testRadiusServerPolicy)#?
Radius Configuration commands:
authentication Radius authentication
bypass Bypass Certificate Revocation List( CRL ) check
chase-referral Enable chasing referrals from LDAP server
crl-check Enable Certificate Revocation List( CRL ) check
ldap-agent LDAP Agent configuration parameters
ldap-group-verification Enable LDAP Group Verification setting
ldap-server LDAP server parameters
local RADIUS local realm
nas RADIUS client
no Negate a command or set its defaults
proxy RADIUS proxy server
session-resumption Enable session resumption/fast reauthentication by
using cached attributes
termination Enable Eap termination for proxy requests
use Set setting to use
nx9500-6C8809(config-radius-server-policy-testRadiusServerPolicy)#
Related Commands
Note
For more information on RADIUS server policy commands, see RADIUS-POLICY on page
1722.
radius-user-pool-policy
Configures a RADIUS user pool and enters its configuration mode
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
radius-user-pool-policy <RADIUS-USER-POOL-NAME>
Parameters
radius-user-pool-policy <RADIUS-USER-POOL-NAME>
<RADIUS-USER-POOL-POLICY-NAME> Specify the RADIUS user pool policy name. If a policy with the
specified name does not exist, it is created.
Examples
nx9500-6C8809(config)#radius-user-pool-policy testRadiusUserPool
nx9500-6C8809(config-radius-user-pool-testRadiusUserPool)#?
Radius User Pool Mode commands:
duration Set a guest user's access duration
no Negate a command or set its defaults
user Radius user configuration
nx9500-6C8809(config-radius-user-pool-testRadiusUserPool)#
Related Commands
Note
For more information on RADIUS user group commands, see RADIUS-POLICY on page 1722.
rename
Renames an existing TLO
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
rename tlo <TLO-NAME> <NEW-TLO-NAME>
Parameters
rename tlo <TLO-NAME> <NEW-TLO-NAME>
Examples
The following example shows the top level objects available for renaming:
Note
Enter rename and press Tab to list top level objects available for renaming.
nx9500-6C8809(config)#rename [TAB]
aaa_policy aaa_tacacs_policy
address_range_alias aif_policy
app_policy application
assoc_acl auto_provisioning_policy
bgp_as_path_list bgp_community_list
bgp_extcommunity_list bgp_ip_access_list
bgp_ip_prefix_list bonjour_gw_discovery_policy
bonjour_gw_forwarding_policy bonjour_gw_query_forwarding_policy
bridging_policy captive_portal
centro_policy client_identity
client_identity_group content_cache_policy
content_filter_policy crypto_cmp_policy
database_client_policy database_policy
device_categorization dhcp_server_policy
dhcpv6_server_policy dns_whitelist
dr_route_map encrypted_string_alias
event_system_policy ex3500_ext_ip_acl
ex3500_management_policy ex3500_qos_class_map_policy
ex3500_qos_policy_map ex3500_std_ip_acl
ex3500_time_range firewall_policy
global_assoc_list guest_management
hashed_string_alias host_alias
ip_acl ip_snmp_acl
--More--
nx9500-6C8809(config)#
The following example first clones the existing IP access list BROADCAST-MULTICAST-CONTROL, and
then renames the cloned IP access list:
nx9500-6C8809(config)#show context include-factory | include ip access-list
ip access-list BROADCAST-MULTICAST-CONTROL
nx9500-6C8809(config)#
nx9500-6C8809(config)#clone ip_acl BROADCAST-MULTICAST-CONTROL Test_IP_CLONED
nx9500-6C8809(config)#commit
nx9500-6C8809(config)#show context include-factory | include ip access-list
ip access-list BROADCAST-MULTICAST-CONTROL
ip access-list Test_IP_CLONED
nx9500-6C8809(config)#
nx9500-6C8809(config)#rename Test_IP_CLONED NEW_IP_CLONED
nx9500-6C8809(config)#commit
nx9500-6C8809(config)#show context include-factory | include ip access-list
ip access-list BROADCAST-MULTICAST-CONTROL
ip access-list NEW_IP_CLONED
nx9500-6C8809(config)#
Related Commands
replace
Selects an existing device by its MAC address or hostname and replaces it with a new device having a
different MAC address. Internally, a new device is created with the new MAC address. The old device’s
configuration is copied to the new device, and then removed from the controller’s configuration (i.e., the
old device’s configuration is no longer staged on the controller).
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
replace device [<MAC-ADDRESS>|<HOSTNAME>] <NEW-MAC-ADDRESS>
Parameters
replace device [<MAC-ADDRESS>|<HOSTNAME>] <NEW-MAC-ADDRESS>
replace device Replaces an existing device with a new device, such that the old device’s
configuration is copied on to the new device
[<MAC-ADDRESS>|<HOSTNAME>] Identifies the device to replace by its MAC address or hostname
• <MAC-ADDRESS> – Identifies the device to replace by its MAC address. Specify the device’s
existing MAC address.
• <HOSTNAME> – Identifies the device to replace by its hostname. Specify the device’s hostname.
<NEW-MAC-ADDRESS> Specifies the new device’s MAC address. Both the new and old devices should
be of the same model type.
Examples
rfs4000-882A17(config)#replace device ap7532-4BF364 ?
AA-BB-CC-DD-EE-FF New device MAC address
rfs4000-882A17(config)#replace device ap7532-4BF364 00-15-0F-BB-98-30
The following example shows an existing AP 7502 (MAC: DD-AA-BB-88-12-43) configuration staged on
a VX 9000 controller:
VX9000-NOC-DE9D(config-device-DD-AA-BB-88-12-43)#show context
ap7502 DD-AA-BB-88-12-43
use profile default-ap7502
use rf-domain default
hostname ap7502-881243
interface radio1
wlan theMOZART bss 1 primary
interface radio2
wlan theMOZART bss 1 primary
interface ge1
switchport mode access
switchport access vlan 1
controller host 12.12.12.2
VX9000-NOC-DE9D(config-device-DD-AA-BB-88-12-43)#
The following example shows AP 7502 (MAC: DD-AA-BB-88-12-43) replaced by another AP 7502
having MAC address 11-22-33-44-55-66:
Note that the new AP 7502 device has the same configuration as the old AP 7502 device. The
HOSTNAME remains the same. Consequently, objects that refer to this particular hostname need not be
updated. For example, a hostname alias identifying this particular device, and TLOs using this alias,
such as IP/MAC ACLs, remain unchanged.
VX9000-NOC-DE9D(config)#replace device DD-AA-BB-88-12-43 11-22-33-44-55-66
VX9000-NOC-DE9D(config)#ap7502 11-22-33-44-55-66
VX9000-NOC-DE9D(config-device-11-22-33-44-55-66)#show context
ap7502 11-22-33-44-55-66
use profile default-ap7502
use rf-domain default
hostname ap7502-881243
interface radio1
wlan theMOZART bss 1 primary
interface radio2
wlan theMOZART bss 1 primary
interface ge1
switchport mode access
rf-domain
Creates an RF Domain or enters the RF Domain configuration context for one or more RF Domains.
The configuration of controllers (wireless controllers, service platforms, and access points) comprises
RF Domains that define regulatory, location, and other relevant policies. At least one default RF Domain
is assigned to each controller. RF Domains allow administrators to assign configuration data to multiple
devices deployed in a common coverage area, such as a floor, building, or site. Each RF Domain
contains policies that set the Smart RF or WIPS configuration.
RF Domains also enable administrators to override WLAN SSID name and VLAN assignments. This
enables the deployment of a global WLAN across multiple sites and unique SSID name or VLAN
assignments to groups of access points servicing the global WLAN. This WLAN override eliminates the
need to define and manage a large number of individual WLANs and profiles.
Configure and deploy user-defined RF Domains for single or multiple sites where devices require unique
regulatory and regional configurations, or unique Smart RF and WIPS policies. User-defined RF
Domains can be used to:
• Assign unique Smart RF or WIPS policies to access points deployed on different floors or buildings
within a site.
• Assign unique regional or regulatory configurations to devices deployed in different states or
countries.
• Assign unique WLAN SSIDs and/or VLAN IDs to sites assigned a common WLAN without having to
define individual WLANs for each site.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
rf-domain {<RF-DOMAIN-NAME>|containing <RF-DOMAIN-NAME>}
Parameters
rf-domain {<RF-DOMAIN-NAME>|containing <RF-DOMAIN-NAME>}
Examples
nx9500-6C8809(config)#rf-domain ecospace
nx9500-6C8809(config-rf-domain-ecospace)#?
RF Domain Mode commands:
alias Alias
channel-list Configure channel list to be advertised to wireless
clients
contact Configure the contact
control-vlan VLAN for control traffic on this RF Domain
controller-managed RF Domain manager for this domain will be an adopting
controller
country-code Configure the country of operation
geo-coordinates Configure geo coordinates for this device
layout Configure layout
location Configure the location
location-server Configuration ExtremeLocation server
location-tenantid Set ExtremeLocation tenant id
mac-name Configure MAC address to name mappings
no Negate a command or set its defaults
nsight-sensor Enable sensor for Nsight
override-smartrf Configured RF Domain level overrides for smart-rf
override-wlan Configure RF Domain level overrides for wlan
sensor-server AirDefense sensor server configuration
stats Configure the stats related setting
timezone Configure the timezone
tree-node Configure tree node under which this rf-domain appears
use Set setting to use
nx9500-6C8809(config-rf-domain-ecospace)#
Related Commands
rf-domain-mode-commands
alias
Configures network, VLAN, host, string, network-service, etc. aliases at the RF Domain level
Syntax
alias [address-range|encrypted-string|hashed-string|host|network|network-group|
network-service|number|string|vlan]
alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>
alias hashed-string <HASHED-STRING-ALIAS-NAME> 1 <LINE>
alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
alias host <HOST-ALIAS-NAME> <HOST-IP>
alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to
<ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|
network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|
gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|
ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport|ssh|telnet|tftp|www)}
alias number <NUMBER-ALIAS-NAME> <0-4294967295>
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|
igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|
ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
alias string <STRING-ALIAS-NAME> <LINE>
alias vlan <VLAN-ALIAS-NAME> <1-4094>
Parameters
alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
address-range <ADDRESS-RANGE-ALIAS-NAME> Creates a new address-range alias for this RF Domain, or
associates an existing address-range alias with this RF Domain. An address-range alias maps a name
to a range of IP addresses.
• <ADDRESS-RANGE-ALIAS-NAME> – Specify the address range alias name.
Note: Aliases defined at any given level can be overridden at the next lower
level. For example, a global alias can be redefined on a selected set of RF
Domains, profiles, or devices. Overrides applied at the device level take
precedence.
encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> Creates an alias for an encrypted string. Use this
alias for string configuration values that are encrypted when "password-encryption" is enabled. For
example, in the management-policy, use it to define the SNMP community string. For more
information, see snmp-server on page 1701.
• <ENCRYPTED-STRING-ALIAS-NAME> – Specify the encrypted-string alias name.
[0|2] <LINE> Configures the value associated with the alias name specified in the previous
step
• [0|2] <LINE> – Configures the alias value
Note, if password-encryption is enabled, in the show > running-config
output, this clear text is displayed as an encrypted string, as shown below:
nx9500-6C8809(config)#show running-config
!...............................
alias encrypted-string $enString 2
fABMK2is7UToNiZE3MQXbgAAA
AxB0ZIysdqsEJwr6AH/Da//
!
--More--
nx9500-6C8809
In the above output, the ‘2’ displayed before the encrypted-string alias value
indicates that the displayed text is encrypted and not clear text.
However, if password-encryption is disabled the clear text is displayed as is:
nx9500-6C8809(config)#show running-config
!...............................
!
alias encrypted-string $enString 0 test11223344
!
--More--
nx9500-6C8809
hashed-string <HASHED-STRING-ALIAS-NAME> Creates an alias for a hashed string. Use this alias for
configuration values that are hashed strings, such as passwords. For example, in the
management-policy, use it to define the privilege mode password. For more information, see
privilege-mode-password on page 1696.
• <HASHED-STRING-ALIAS-NAME> – Specify the hashed-string alias name.
host <HOST-ALIAS-NAME> Creates a host alias for this RF Domain, or associates an existing host alias
with this RF Domain. A host alias maps a name to a single network host.
• <HOST-ALIAS-NAME> – Specify the host alias name.
<HOST-IP> Associates the network host’s IP address with this host alias
• <HOST-IP> – Specify the network host’s IP address.
Note: Aliases defined at any given level can be overridden at the next lower
levels. For example, a global alias can be redefined on a selected set of RF
Domains, profiles, or devices. Overrides applied at the device level take
precedence.
network <NETWORK-ALIAS-NAME> Creates a network alias for this RF Domain, or associates an existing
network alias with this RF Domain. A network alias maps a name to a single network address.
• <NETWORK-ALIAS-NAME> – Specify the network alias name.
Note: Aliases defined at any given level can be overridden at the next lower
levels. For example, a global alias can be redefined on a selected set of RF
Domains, profiles, or devices. Overrides applied at the device level take
precedence.
network-group <NETWORK-GROUP-ALIAS-NAME> Creates a network-group alias for this RF Domain, or
associates an existing network-group alias with this RF Domain.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name.
Note: Aliases defined at any given level can be overridden at the next lower
levels. For example, a global alias can be redefined on a selected set of RF
Domains, profiles, or devices. Overrides applied at the device level take
precedence.
host <HOST-IP> {<HOST-IP>}
Associates a single or multiple hosts with this network-group alias
• <HOST-IP> – Specify the hosts’ IP address.
◦ <HOST-IP> – Optional. Specifies more than one host. A maximum of
eight (8) hosts can be configured.
network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}
Associates a single or multiple networks with this network-group alias
• <NETWORK-ADDRESS/MASK> – Specify the network’s address and mask.
◦ <NETWORK-ADDRESS/MASK> – Optional. Specifies more than one
network. A maximum of eight (8) networks can be configured.
alias network-service <NETWORK-SERVICE-ALIAS-NAME>
Creates a network-service alias for this RF Domain. Or associates an existing
network-service alias with this RF Domain. A network-service alias maps a
name to network services and the corresponding source and destination
software ports.
• <NETWORK-SERVICE-ALIAS-NAME> – Specify a network-service alias name.
Note: Aliases defined at any given level can be overridden at the next lower
levels. For example, a global alias can be redefined on a selected set of RF
Domains, profiles, or devices. Overrides applied at the device level take
precedence.
proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp]
Use one of the following options to associate an Internet protocol with this
network-service alias:
• <0-254> – Identifies the protocol by its number. Specify the protocol
number from 0 - 254. This is the number by which the protocol is
identified in the Protocol field of the IPv4 header and the Next Header
field of IPv6 header. For example, the User Datagram Protocol’s (UDP's)
designated number is 17.
• <WORD> – Identifies the protocol by its name. Specify the protocol name.
• eigrp – Selects Enhanced Interior Gateway Routing Protocol (EIGRP). The
protocol number is 88.
• gre – Selects Generic Routing Encapsulation (GRE). The protocol number
is 47.
• igmp – Selects Internet Group Management Protocol (IGMP). The protocol
number is 2.
• igp – Selects Interior Gateway Protocol (IGP). The protocol number is 9.
• ospf – Selects Open Shortest Path First (OSPF). The protocol number is
89.
• vrrp – Selects Virtual Router Redundancy Protocol (VRRP). The protocol
number is 112.
<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
After specifying the protocol, you may configure a destination port for this
service. These keywords are recursive and you can configure multiple
protocols and associate multiple destination and source ports.
• <1-65535> – Optional. Configures a destination port number from 1 - 65535
• <WORD> – Optional. Identifies the destination port by the service name
provided. For example, the SSH service uses TCP port 22.
• bgp – Optional. Configures the default Border Gateway Protocol (BGP)
services port (179)
• dns – Optional. Configures the default Domain Name System (DNS)
services port (53)
• ftp – Optional. Configures the default File Transfer Protocol (FTP) control
services port (21)
• ftp-data – Optional. Configures the default FTP data services port (20)
• gopher – Optional. Configures the default gopher services port (70)
• https – Optional. Configures the default HTTPS services port (443)
• ldap – Optional. Configures the default Lightweight Directory Access
Protocol (LDAP) services port (389)
• nntp – Optional. Configures the default Newsgroup (NNTP) services port
(119)
• ntp – Optional. Configures the default Network Time Protocol (NTP)
services port (123)
• pop3 – Optional. Configures the default Post Office Protocol (POP3)
services port (110)
• proto – Optional. Use this option to select another Internet protocol in
addition to the one selected in the previous step.
• sip – Optional. Configures the default Session Initiation Protocol (SIP)
services port (5060)
• smtp – Optional. Configures the default Simple Mail Transfer Protocol
(SMTP) services port (25)
• sourceport [<1-65535>|<WORD>] – Optional. After specifying the
destination port, you may specify a single or range of source ports.
◦ <1-65535> – Specify the source port from 1 - 65535.
◦ <WORD> – Specify the source port range, for example 1-10.
• ssh – Optional. Configures the default SSH services port (22)
• telnet – Optional. Configures the default Telnet services port (23)
• tftp – Optional. Configures the default Trivial File Transfer Protocol (TFTP)
services port (69)
• www – Optional. Configures the default HTTP services port (80)
alias number <NUMBER-ALIAS-NAME> <0-4294967295>
Creates a new number alias or applies an existing number, identified by the
<NUMBER-ALIAS-NAME> keyword
• <NUMBER-ALIAS-NAME> – Specify the number alias name.
◦ <0-4294967295> – Specify the number, from 0 - 4294967295,
assigned to the number alias created.
Number aliases map a name to a numeric value. For example, ‘alias number
$NUMBER 100’.
• The number alias name is: $NUMBER
• The value assigned is: 100
alias string <STRING-ALIAS-NAME>
Creates a string alias for this RF Domain. Or associates an existing string alias
with this RF Domain. String aliases map a name to an arbitrary string value.
For example, ‘alias string $DOMAIN test.example_company.com’. In this
example, the string alias name is: $DOMAIN and the string value it is mapped
to is: test.example_company.com. In this example, the string alias refers to a
domain name.
• <STRING-ALIAS-NAME> – Specify the string alias name.
◦ <LINE> – Specify the string value.
Note: Aliases defined at any given level can be overridden at the next lower
levels. For example, a global alias can be redefined on a selected set of RF
Domains, profiles, or devices. Overrides applied at the device level take
precedence.
alias vlan <VLAN-ALIAS-NAME>
Creates a VLAN alias for this RF Domain. Or associates an existing VLAN alias
with this RF Domain. A VLAN alias maps a name to a VLAN ID.
• <VLAN-ALIAS-NAME> – Specify the VLAN alias name.
Note: Aliases defined at any given level can be overridden at the next lower
levels. For example, a global alias can be redefined on a selected set of RF
Domains, profiles, or devices. Overrides applied at the device level take
precedence.
Examples
rfs4000-229D58(config)#show context
!
! Configuration of RFS4000 version 5.9.2.0-008B
!
!
version 2.5
!
!
alias network-group $TestNetGrpAlias network 192.168.13.0/24 192.168.16.0/24
alias network-group $TestNetGrpAlias address-range 192.168.13.7 to 192.168.13.16
192.168.13.20 to 192.168.13.25
!
alias network $TestNetworkAlias 192.168.13.0/24
!
alias host $TestHostAlias 192.168.13.10
!
alias address-range $TestAddRanAlias 192.168.13.10 to 192.168.13.13
!
alias network-service $NetworkServAlias proto udp
!
alias network-service $kerberos proto tcp 749 750 80 proto udp 68 sourceport 67
!
alias vlan $TestVLANAlias 1
--More--
rfs4000-229D58(config)#
In the following examples the global aliases ‘$kerberos’ and ‘$TestVLANAlias’ are associated with the RF
Domain ‘test’ and overrides applied:
rfs4000-229D58(config-rf-domain-test)#alias network-service $kerberos proto tcp
749 750 80
rfs4000-229D58(config-rf-domain-test)#alias vlan $TestVLANAlias 10
rfs4000-229D58(config-rf-domain-test)#show context
rf-domain test
no country-code
alias network-service $kerberos proto tcp 749 750 80
alias vlan $TestVLANAlias 10
rfs4000-229D58(config-rf-domain-test)#
nx9500-6C8809(config-rf-domain-test)#alias string $test example_company.com
nx9500-6C8809(config-rf-domain-test)#show context
rf-domain test
no country-code
alias string $test example_company.com
nx9500-6C8809(config-rf-domain-test)#
Example 1:
In the following examples, the network-group alias ‘$test’ is configured to include hosts 192.168.1.10 and
192.168.1.11, networks 192.168.2.0/24 and 192.168.3.0/24 and address-range 192.168.4.10 to 192.168.4.20.
rfs4000-229D58(config)#alias network-group $test host 192.168.1.10 192.168.1.11
rfs4000-229D58(config)#alias network-group $test network 192.168.2.0/24 192.168.3.0/24
rfs4000-229D58(config)#alias network-group $test address-range 192.168.4.10 to
192.168.4.20
Associate this network-group alias ‘$test’ to the RF Domain ‘test’ and override the ‘host’ element of the
alias.
rfs4000-229D58(config-rf-domain-test)#alias network-group $test host 192.168.10.10
rfs4000-229D58#show context
rf-domain test
no country-code
alias network-service $kerberos proto tcp 749 750 80
alias network-group $test host 192.168.10.10
alias network-group $test network 192.168.2.0/24 192.168.3.0/24
alias network-group $test address-range 192.168.4.10 to 192.168.4.20
alias vlan $TestVLANAlias 10
rfs4000-229D58(config-rf-domain-test)#
In the preceding example, the ‘host’ element of the network-group alias ‘$test’ has been overridden. But
the ‘network’ and ‘address-range’ elements have been retained as is.
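The override behaviour shown in Example 1, as an added example that is not part of the WiNG guide: a small Python resolver that layers alias definitions from the global level down to the device level and reports which level supplies each effective value, which is what you need to know before relying on a policy that references an alias. The alias lines come from the examples above; the device-level override and all function names are constructed for illustration.

```python
"""Resolve effective WiNG alias values across configuration levels."""

# Elements of a network-group alias that are overridden independently,
# as the '$test' example on this page shows.
NETWORK_GROUP_ELEMENTS = ("host", "network", "address-range")


def parse_aliases(config_text):
    """Return {(kind, name, element): value} for each 'alias' line.

    element is None for every alias kind except network-group.
    """
    aliases = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "alias":
            continue
        kind, name = tokens[1], tokens[2]
        if kind == "network-group":
            if len(tokens) < 5 or tokens[3] not in NETWORK_GROUP_ELEMENTS:
                continue
            element, value = tokens[3], " ".join(tokens[4:])
        else:
            element, value = None, " ".join(tokens[3:])
        aliases[(kind, name, element)] = value
    return aliases


def resolve(levels):
    """Layer alias definitions; a lower level overrides the levels above it.

    levels: list of (level_name, config_text), ordered from global to device.
    Returns {(kind, name, element): (value, level_that_supplied_it)}.
    """
    effective = {}
    for level_name, text in levels:
        for key, value in parse_aliases(text).items():
            effective[key] = (value, level_name)
    return effective


def overrides(levels):
    """List (key, global_value, effective_value, source) where they differ."""
    base = parse_aliases(levels[0][1])
    changed = []
    items = sorted(resolve(levels).items(),
                   key=lambda kv: [str(part) for part in kv[0]])
    for key, (value, source) in items:
        if key in base and base[key] != value:
            changed.append((key, base[key], value, source))
    return changed


# Global and RF Domain lines are taken from Example 1 on this page.
GLOBAL = """\
alias network-group $test host 192.168.1.10 192.168.1.11
alias network-group $test network 192.168.2.0/24 192.168.3.0/24
alias network-group $test address-range 192.168.4.10 to 192.168.4.20
alias vlan $TestVLANAlias 1
"""
RF_DOMAIN_TEST = """\
rf-domain test
 alias network-group $test host 192.168.10.10
 alias vlan $TestVLANAlias 10
"""
# Constructed device-level override, not from the guide.
DEVICE = """\
 alias vlan $TestVLANAlias 20
"""
LEVELS = [
    ("global", GLOBAL),
    ("rf-domain test", RF_DOMAIN_TEST),
    ("device (constructed)", DEVICE),
]

if __name__ == "__main__":
    for (kind, name, element), (value, source) in resolve(LEVELS).items():
        label = f"{kind} {name}" + (f" {element}" if element else "")
        print(f"{label:45} = {value:35} [{source}]")
    for key, old, new, source in overrides(LEVELS):
        print(f"OVERRIDE {key}: {old!r} -> {new!r} at {source}")
```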
Related Commands
channel-list
Configures the channel list advertised by the AP radios. This command also enables dynamic update of
a channel list.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
channel-list [2.4GHz|5GHz|dynamic]
channel-list dynamic
channel-list [2.4GHz|5GHz] <CHANNEL-LIST>
Parameters
channel-list dynamic
dynamic Configure this setting to enable the dynamic channel listing mode for
smart scans in the 2.4 and 5 GHz bands. This setting is disabled by default.
2.4GHz <CHANNEL-LIST>
Configures the channel list advertised by radios operating in the 2.4 GHz
band
• <CHANNEL-LIST> – Specify the list of channels separated by commas
or hyphens.
5GHz <CHANNEL-LIST>
Configures the channel list advertised by radios operating in the 5.0 GHz
mode
• <CHANNEL-LIST> – Specify the list of channels separated by commas
or hyphens.
Examples
nx9500-6C8809(config-rf-domain-default)#channel-list 2.4GHz 1-10
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
no country-code
channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
nx9500-6C8809(config-rf-domain-default)#
Related Commands
no (rf-domain-config-mode) on page 576
Removes the list of channels configured on the selected RF Domain for 2.4
GHz and 5.0 GHz bands. Also disables dynamic update of a channel list.
contact
Configures the network administrator's contact details. The network administrator is responsible for
addressing problems impacting the network.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
contact <WORD>
Parameters
contact <WORD>
Examples
nx9500-6C8809(config-rf-domain-default)#contact Bob+14082778691
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
contact Bob+14082778691
no country-code
channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
nx9500-6C8809(config-rf-domain-default)#
Related Commands
control-vlan
Configures the VLAN designated for traffic control in this RF Domain
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]
Parameters
control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]
control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]
Specify the VLAN ID from 1 - 4094. Alternately, use a vlan-alias to identify
the control VLAN. If using a vlan-alias, ensure that the alias exists and is
configured.
Examples
nx9500-6C8809(config-rf-domain-default)#control-vlan 1
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
contact Bob+14082778691
no country-code
channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
control-vlan 1
nx9500-6C8809(config-rf-domain-default)#
Related Commands
controller-managed
Configures the adopting controller (wireless controller, access point, or service platform) as this RF
Domain’s manager. In other words, the RF Domain is controller managed, and the managing controller
is the device managing the RF Domain.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
controller-managed
Parameters
None
Examples
rfs4000-229D58(config-rf-domain-test)#controller-managed
rfs4000-229D58(config-rf-domain-test)#show context
rf-domain test
country-code in
controller-managed
network-alias techPubs host 192.168.13.8
network-alias techPubs address-range 192.168.13.10 to 192.168.13.15
service-alias testing index 10 proto 9 destination-port range 21 21
rfs4000-229D58(config-rf-domain-test)#
Related Commands
country-code
Configures an RF Domain's country of operation. Since devices transmit on channels
specific to the country of operation, it is essential to configure the country code
correctly or risk illegal operation.
Syntax
country-code <WORD>
Parameters
country-code <WORD>
Examples
nx9500-6C8809(config-rf-domain-default)#country-code ?
WORD The 2 letter ISO-3166 country code
ae United Arab Emirates
ag Antigua and Barbuda
ai Anguilla
al Albania
an Dutch Antilles
ar Argentina
at Austria
au Australia
ba Bosnia-Herzegovina
bb Barbados
bd Bangladesh
be Belgium
bf Burkina Faso
--More--
nx9500-6C8809(config-rf-domain-default)#
nx9500-6C8809(config-rf-domain-default)#country-code us
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
contact Bob+14082778691
country-code us
channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
control-vlan 1
nx9500-6C8809(config-rf-domain-default)#
Related Commands
geo-coordinates
Configures the longitude and latitude of the RF Domain in order to fix its exact geographical location on
a map. Use this command to define the geographical area where a common set of device configurations
are deployed and managed by this RF Domain policy.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
geo-coordinates <-90.0000-90.0000> <-180.0000-180.0000>
Parameters
geo-coordinates <-90.0000-90.0000> <-180.0000-180.0000>
Examples
nx9500-6C8809(config-rf-domain-TechPubs)#geo-coordinates 12.971599 77.594563
nx9500-6C8809(config-rf-domain-TechPubs)#show context
rf-domain TechPubs
location Bangalore
geo-coordinates 12.9716 77.5946
timezone Asia/Calcutta
country-code in
use database-policy default
use nsight-policy AP-rfd
control-vlan 1
controller-managed
use license WEBF
nx9500-6C8809(config-rf-domain-TechPubs)#
Related Commands
layout
Configures the RF Domain's layout in terms of area, floor, and location on a map. It allows users to place
APs across the deployment map. A maximum of 256 layouts is permitted.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
layout [area|description|floor|map-location] {(area|description|floor|map-location)}
layout [area <AREA-NAME>|description <LINE>|floor <FLOOR-NAME> {<1-4094>}|
map-location <URL> units [feet|meters]] {(area <AREA-NAME>|description <LINE>|
floor <FLOOR-NAME> {<1-4094>}|map-location <URL> units [feet|meters])}
Parameters
layout [area <AREA-NAME>|description <LINE>|floor <FLOOR-NAME> {<1-4094>}|
map-location <URL> units [feet|meters]] {(area <AREA-NAME>|description <LINE>|
floor <FLOOR-NAME> {<1-4094>}|map-location <URL> units [feet|meters])}
layout
Configures the RF Domain's layout in terms of area, floor, and location on a map.
These are recursive parameters and you can configure one or all of these parameters.
area <AREA-NAME>
Configures the RF Domain’s layout in terms of the area of location
• <AREA-NAME> – Specify the area name.
After configuring the RF Domain’s area of functioning, optionally specify the floor
name (and number), description, and/or the location on map.
description <LINE>
Configures a description for this RF Domain
• <LINE> – Specify a description that enables you to identify the RF Domain. For a
multi-worded string, use double quotes.
floor <FLOOR-NAME> <1-4094>
Configures the RF Domain’s layout in terms of the floor name and number
• <FLOOR-NAME> – Specify the floor name.
◦ <1-4094> – Optional. Specifies the floor number from 1 - 4094. The default
floor number is 1.
After configuring the RF Domain’s floor name (and number), optionally specify the
area name, description, and/or the location on map.
map-location <URL> units [feet|meters]
Configures the location of the RF Domain on the map
• <URL> – Specify the URL to configure the map location.
◦ units [feet|meters] – Configures the map units. The options are: feet or meters
▪ feet – Configures the map units in terms of feet
▪ meters – Configures the map units in terms of meters
After configuring the location of the RF Domain on the map, optionally specify
the area name, floor name (and number), and/or description.
Examples
nx9500-6C8809(config-rf-domain-default)#layout map-location www.firstfloor.com units
meters area HamiltonAve floor Floor1
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
contact Bob+14082778691
country-code us
channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
layout area HamiltonAve floor Floor1 map-location www.firstfloor.com units meters
control-vlan 1
nx9500-6C8809(config-rf-domain-default)#
Related Commands
location
Configures the RF Domain's physical location. The location could be as specific as the building name or
floor number. Or it could be generic and include an entire site. The location defines the physical area
where a common set of device configurations are deployed and managed by an RF Domain policy.
Parameters
location <WORD>
location <WORD> Configures the RF Domain location by specifying the area or building name
• <WORD> – Specify the location.
Examples
nx9500-6C8809(config-rf-domain-default)#location SanJose
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
location SanJose
contact Bob+14082778691
country-code us
channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
control-vlan 1
nx9500-6C8809(config-rf-domain-default)#
Related Commands
location-server
Configures the ExtremeLocation server’s IP address or hostname on the selected RF Domain. When
configured, BLE-enabled WiNG access points, within the RF Domain, sense other BLE-enabled devices
and report device data, using a Websocket, to the specified ExtremeLocation server.
ExtremeLocation is a highly scalable indoor locationing platform that gathers location-related analytics,
such as visitor trends, peak and off-peak times, dwell time, heat-maps, etc., to give entrepreneurs
deeper visibility at a venue. To enable the location tracking system, the ExtremeLocation server should
be up and running and the RF Domain configuration should point to the ExtremeLocation server.
The following WiNG access points support BLE data forwarding: AP-7612, AP7632, AP7662, AP-8432,
AP-8533
Note
Before enabling BLE data export, ensure that the APs’ Bluetooth radio is active and the mode
is set to ‘le-sensor’. For more information on configuring the Bluetooth settings on the AP’s
profile/device context, see interface-config-bluetooth-instance on page 1265.
Syntax
location-server 1 ip <EL-SERVER-IP/HOSTNAME> {port <1-65535>}
Parameters
location-server 1 ip <IP/HOSTNAME> {port <1-65535>}
port <1-65535> Optional. Configures the port where the ExtremeLocation server is
reachable.
• <1-65535> – Specify a port from 1 - 65535.
Examples
nx9500-6C8809(config-rf-domain-test)#location-server 1 ip 1.2.3.4 port 200
nx9500-6C8809(config-rf-domain-test)#show context
rf-domain test
no country-code
location-server 1 ip 1.2.3.4 port 200
nx9500-6C8809(config-rf-domain-test)#
Related Commands
location-tenantid
Configures the ExtremeLocation Tenant’s account number. ExtremeLocation Tenants, at the time of
registration, are sent (via email) an account number uniquely identifying the Tenant.
Configure this account number in the RF Domain context. When configured, RF Domain AP reports,
pushed to the ExtremeLocation server, include the Tenant's account number along with the reporting
AP's MAC address. Including the Tenant account number reinforces the Tenant's identity.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
location-tenantid <WORD>
Parameters
location-tenantid <WORD>
Examples
nx9500-6C8809(config-rf-domain-ExLocTenant1)#location-tenantid 123456
nx9500-6C8809(config-rf-domain-ExLocTenant1)#location-tenantid testTenant123
nx9500-6C8809(config-rf-domain-ExLocTenant1)#show context
rf-domain ExLocTenant1
country-code us
location-tenantid 123456
nx9500-6C8809(config-rf-domain-ExLocTenant1)#
Related Commands
mac-name
Configures a relevant name for each MAC address. Use this command to associate client names to
specific connected client MAC addresses for improved client management.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mac-name <MAC> <NAME>
Parameters
mac-name <MAC> <NAME>
mac-name <MAC> <NAME>
Assigns a user-friendly name to this RF Domain’s member access point’s connected
client to assist in its easy recognition
• <MAC> – Specify the MAC address
◦ <NAME> – Specify the client name for the specified MAC address. The name
specified here will be used in events and statistics.
Examples
nx9500-6C8809(config-rf-domain-default)#mac-name 11-22-33-44-55-66 TestDevice
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
location SanJose
contact Bob+14082778691
country-code us
channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
Related Commands
nsight-server
Note
This option is disabled by default.
Parameters
none
Examples
nx9500-6C8809(config-rf-domain-Test)#nsight-sensor
nx9500-6C8809(config-rf-domain-Test)#show context
nsight-sensor
nx9500-6C8809(config-rf-domain-Test)#
override-smart-rf
Enables dynamic channel switching for Smart RF radios. This command allows you to configure an
override list of channels that Smart RF can use for channel compensations on 2.4 GHz and 5.0 GHz
radios.
When a radio fails or is faulty, a Smart RF policy provides automatic recovery by instructing neighboring
access points to increase their transmit power to compensate for the coverage loss. Once correct access
point placement has been established, Smart-RF can optionally be leveraged for automatic detector
radio selection. Smart-RF uses detector radios to monitor RF events and can ensure availability of
adequate detector coverage.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
override-smartrf channel-list [2.4GHz|5GHZ] <CHANNEL-LIST>
Parameters
override-smartrf channel-list [2.4GHz|5GHZ] <CHANNEL-LIST>
Examples
nx9500-6C8809(config-rf-domain-default)#override-smartrf channel-list 2.4GHz 1,2,3
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
contact Bob+14082778691
country-code us
override-smartrf channel-list 2.4GHz 1,2,3
layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
nx9500-6C8809(config-rf-domain-default)#
Related Commands
no (rf-domain-config-mode) on page 576
Removes the override-smartrf list of channels configured for 2.4 GHz and
5.0 GHz radios
override-wlan
Configures RF Domain level overrides for a WLAN
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
override-wlan <WLAN-NAME> [shutdown|ssid|template|vlan-pool|wep128|wpa-wpa2-psk]
override-wlan <WLAN-NAME> [shutdown|ssid <SSID>|template <TEMPLATE-NAME>|vlan-pool
<1-4094> {limit <0-8192>}]
override-wlan <WLAN-NAME> wpa-wpa2-psk [0 <WORD>|2 <WORD>]
override-wlan <WLAN-NAME> wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key <1-4>]
Parameters
override-wlan <WLAN-NAME> [shutdown|ssid <SSID>|template <TEMPLATE-NAME>|vlan-pool
<1-4094> {limit <0-8192>}]
vlan-pool <1-4094> {limit <0-8192>}
Configures the override VLANs available to this WLAN
• <1-4094> – Specify the VLAN ID from 1 - 4094.
◦ limit <0-8192> – Optional. Sets a limit to the number of users on this
VLAN from 0 - 8192. The default is 0.
Controllers and service platforms allow the mapping of a WLAN to more
than one VLAN. Wireless clients associating with a WLAN are assigned
VLANs, from the pool representative of the WLAN, in a way that ensures
proper load balancing across VLANs. Clients are tracked per VLAN, and
assigned to the least used/loaded VLAN. Client VLAN usage is tracked on a
per-WLAN basis. The maximum allowed client limit is 8192 per VLAN.
Examples
nx9500-6C8809(config-rf-domain-default)#override-wlan test vlan-pool 2 limit 20
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
contact Bob+14082778691
country-code us
override-smartrf channel-list 2.4GHz 1,2,3
override-wlan test vlan-pool 2 limit 20
layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
nx9500-6C8809(config-rf-domain-default)#
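An added audit check, not from the WiNG guide: it scans a saved running-config for secrets stored with the clear-text marker 0, covering the encrypted-string alias form and the override-wlan wpa-wpa2-psk and wep128 key forms shown in the syntax above. It assumes the 0/2 marker in the override-wlan syntax has the same meaning the guide gives for encrypted-string aliases (0 clear text, 2 encrypted); the sample configuration, its secrets and the function names are constructed.

```python
"""Flag clear-text (type 0) secrets in a WiNG running-config capture."""
import re

# Statement forms taken from this page. 'type' is the marker that precedes
# the secret: 0 = clear text, 2 = encrypted.
SECRET_PATTERNS = [
    ("encrypted-string alias", re.compile(
        r"alias\s+encrypted-string\s+(?P<name>\S+)\s+(?P<type>[02])\s+(?P<value>.+)")),
    ("override-wlan wpa-wpa2-psk", re.compile(
        r"override-wlan\s+(?P<name>\S+)\s+wpa-wpa2-psk\s+(?P<type>[02])\s+(?P<value>.+)")),
    ("override-wlan wep128 key", re.compile(
        r"override-wlan\s+(?P<name>\S+)\s+wep128\s+key\s+[1-4]\s+hex\s+"
        r"(?P<type>[02])\s+(?P<value>.+)")),
]


def find_cleartext_secrets(config_text):
    """Return one finding per secret stored with the clear-text marker 0.

    Findings carry the line number, the enclosing context (assumed to be the
    last unindented block header, or 'global'), the statement kind, the alias
    or WLAN name and the secret's length. The secret itself is never copied.
    """
    findings = []
    context = "global"
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped == "--More--":   # pager residue
            continue
        indented = raw[:1].isspace()
        if stripped == "!":
            if not indented:
                context = "global"                   # block separator
            continue
        match, kind = None, None
        for kind, pattern in SECRET_PATTERNS:
            match = pattern.match(stripped)
            if match:
                break
        if match is None:
            # An unindented, non-alias line opens a block such as
            # 'rf-domain default'; remember it for the lines that follow.
            if not indented and not stripped.startswith("alias "):
                context = stripped
            continue
        if match.group("type") != "0":
            continue                                 # stored encrypted
        top_level_alias = not indented and stripped.startswith("alias ")
        findings.append({
            "line": lineno,
            "context": "global" if top_level_alias else context,
            "kind": kind,
            "name": match.group("name"),
            "secret_length": len(match.group("value").strip()),
        })
    return findings


# Constructed sample; the first alias line is the clear-text example
# shown earlier in this guide, the other values are invented.
SAMPLE_CONFIG = """\
!
version 2.5
!
alias encrypted-string $enString 0 test11223344
alias encrypted-string $enBackup 2 CONSTRUCTEDciphertextAAA
!
--More--
rf-domain default
 country-code us
 override-wlan test wpa-wpa2-psk 0 ConstructedPsk123
 override-wlan guest wpa-wpa2-psk 2 CONSTRUCTEDciphertextBBB
 override-wlan legacy wep128 key 1 hex 0 0123456789abcdef0123456789
 override-wlan legacy wep128 transmit-key 1
!
"""

if __name__ == "__main__":
    for f in find_cleartext_secrets(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']} {f['name']} in {f['context']} "
              f"is clear text ({f['secret_length']} characters)")
```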
Related Commands
sensor-server
Configures an AirDefense sensor server on this RF Domain. Sensor servers allow network administrators
to monitor and download data from multiple sensors at remote locations using Ethernet TCP/IP or serial
communications. This enables administrators to respond quickly to interference and coverage
problems.
The Wireless Intrusion Protection System (WIPS) protects the controller managed network, wireless
clients and Access Point radio traffic from attacks and unauthorized access. WIPS provides tools for
standards compliance and around-the-clock wireless network security in a distributed environment.
WIPS allows administrators to identify and accurately locate attacks, rogue devices and network
vulnerabilities in real time and permits both a wired and wireless lockdown of wireless device
connections upon acknowledgement of a threat.
In addition to dedicated AirDefense sensors, an access point radio can function as a sensor and upload
information to a dedicated WIPS server (external to the controller). Unique WIPS server configurations
can be used by RF Domains to ensure a WIPS server configuration is available to support the unique
data protection needs of individual RF Domains.
WIPS is not supported on a WLAN basis, rather sensor functionality is supported on the access point
radio(s) available to each controller managed WLAN. When an access point radio is functioning as a
WIPS sensor, it is able to scan in sensor mode across all legal channels within the 2.4 and 5.0 GHz
bands. Sensor support requires an AirDefense WIPS Server on the network. Sensor functionality is not
provided by the access point alone. The access point works in conjunction with a dedicated WIPS
server.
Syntax
sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}
Parameters
sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}
ip <IP/HOSTNAME> Configures the (non DNS) IPv4 address of the sensor server
• <IP/HOSTNAME> – Specify the sensor server’s IPv4 address or hostname.
port [443|<1-65535>] Optional. Configures the sensor server port. The options are:
• 443 – Configures port 443, the default port used by the AirDefense server
• <1-65535> – Allows you to select a WIPS/AirDefense sensor server port
from 1 - 65535
Examples
nx9500-6C8809(config-rf-domain-default)#sensor-server 2 ip 172.16.10.3 port 443
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
contact Bob+14082778691
country-code us
sensor-server 2 ip 172.16.10.3
override-smartrf channel-list 2.4GHz 1,2,3
override-wlan test vlan-pool 2 limit 20
layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
nx9500-6C8809(config-rf-domain-default)#
Related Commands
stats
Configures settings that define how RF Domain statistics are updated
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
stats update-interval
stats update-interval [<5-300>|auto]
Parameters
stats update-interval [<5-300>|auto]
Examples
nx9500-6C8809(config-rf-domain-default)#stats update-interval 200
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
contact Bob+14082778691
stats update-interval 200
country-code us
sensor-server 2 ip 172.16.10.3
override-smartrf channel-list 2.4GHz 1,2,3
override-wlan test vlan-pool 2 limit 20
layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
nx9500-6C8809(config-rf-domain-default)#
Related Commands
timezone
Configures the RF Domain’s geographic time zone. By default all WiNG devices are shipped with the
time zone and time format set to UTC (Universal Time Coordinated) and 24-hour clock respectively. If
the time zone is not reset, all devices within the RF Domain will display time relative to the UTC -
Greenwich Time. Resetting the time zone is recommended, especially for RF Domains deployed across
different geographical locations. The time zone can either be set on a specific device or on an RF
Domain. When configured as RF Domain setting, it applies to all devices within the domain. For more
information on configuring the time zone on a device, see timezone on page 1417 (device config
mode).
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
timezone <TIMEZONE>
Parameters
timezone <TIMEZONE>
time <TIMEZONE> Specify the RF Domain’s time zone. The configured time zone will apply to
all devices within the selected RF Domain.
Examples
nx9500-6C8809(config-rf-domain-default)#timezone America/Los_Angeles
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
contact Bob+14082778691
timezone America/Los_Angeles
stats update-interval 200
country-code us
sensor-server 2 ip 172.16.10.3
override-smartrf channel-list 2.4GHz 1,2,3
override-wlan test vlan-pool 2 limit 20
layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
nx9500-6C8809(config-rf-domain-default)#
Each of these time zones is further differentiated into sub time zones, as shown in the
following example:
nx9500-6C8809(config-rf-domain-test)#timezone Africa/
Africa/Cairo Africa/Casablanca Africa/Harare
Africa/Johannesburg Africa/Lagos Africa/Nairobi
nx9500-6C8809(config-rf-domain-test)#
Related Commands
tree-node
Configures the hierarchical (tree-node) structure under which this RF Domain is located
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
tree-node [campus|city|country|region] {(campus|city|country|region)}
Parameters
tree-node [campus|city|country|region] {(campus|city|country|region)}
tree-node Configures the hierarchical tree structure defining the RF Domain’s location.
The tree node hierarchy can be configured in any order, but will always
appear as: country > region > city > campus. Further, a higher node, such as
country, cannot be defined under a lower node, such as region. An RF
Domain can be placed under any one of the tree nodes. However, an RF Domain at
the country level may have all four nodes defined, whereas an RF Domain
restricted to a campus cannot have the country, city, and region nodes.
At least one of these four nodes must be defined. This feature is disabled by
default.
campus Configures the campus name for this RF Domain
city Configures the city for this RF Domain
country Configures the country for this RF Domain
region Configures the region for this RF Domain
Usage Guidelines
The following points need to be taken into consideration when creating the tree-node structure:
• Adding a country first is a good idea since region, city, and campus can all be added as sub-nodes in
the tree structure. However, the selected country is an invalid tree node until an RF Domain is
mapped.
• A city and campus can be added in the tree structure as sub-nodes under a region. An RF Domain
can be mapped anywhere down the hierarchy for a region and not just directly under a country. For
example, a region can have city, campus, and one RF Domain mapped.
• Only a campus can be added as a sub-node under a city. The city is an invalid tree node until an RF
Domain is mapped somewhere within the directory tree.
• A campus is the last node in the hierarchy before an RF Domain, and it is not valid unless it has an RF
Domain mapped.
• After creating the tree structure, do a commit and save for the tree configuration to take effect and
persist across reboots.
Examples
rfs4000-229D58(config-rf-domain-test)#tree-node campus EcoSpace City Bangalore country India region South
rfs4000-229D58(config-rf-domain-test)#
rfs4000-229D58(config-rf-domain-test)#show context
rf-domain test
country-code in
tree-node country India region South city Bangalore campus EcoSpace
rfs4000-229D58(config-rf-domain-test)#
Related Commands
use (rf-domain-config-mode)
Associates the following with an RF Domain: database policy, NSight policy, sensor policy, Smart RF
policy, WIPS policy, RTL server policy, and Web filtering license.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
use [ble-data-export-policy|database-policy|license|nsight-policy|rtl-server-policy|
sensor-policy|smart-rf-policy|wips-policy]
use [ble-data-export-policy <POLICY-NAME>|database-policy <DATABASE-POLICY-NAME>|license
<WEB-FILTERING-LICENSE>|nsight-policy <NSIGHT-POLICY-NAME>|rtl-server-policy <RTL-SERVER-
POLICY-NAME>|sensor-policy <SENSOR-POLICY-NAME>|smart-rf-policy <SMART-RF-POLICY-NAME>|
wips-policy <WIPS-POLICY-NAME>]
Parameters
use [ble-data-export-policy <POLICY-NAME>|database-policy <DATABASE-POLICY-NAME>|license
<WEB-FILTERING-LICENSE>|nsight-policy <NSIGHT-POLICY-NAME>|rtl-server-policy <RTL-SERVER-
POLICY-NAME>|sensor-policy <SENSOR-POLICY-NAME>|smart-rf-policy <SMART-RF-POLICY-NAME>|
wips-policy <WIPS-POLICY-NAME>]
use Associates the following policies with the RF Domain: BLE data export
policy, database policy, NSight policy, sensor policy, Smart RF policy,
WIPS policy. It also applies a Web filtering license to the selected RF
Domain.
ble-data-export-policy <POLICY-NAME> Associates a BLE data export policy with this RF Domain
• <POLICY-NAME> – Specify the BLE data export policy name (should
be existing and configured). When associated, access points within
the RF Domain send BLE data to an external, third-party locationing-server
using a Websocket and REST API. The BLE data export policy
provides the external, locationing-server's URL. For more
information on configuring the BLE data export policy, see
ble-data-export-policy on page 316.
Note:
This feature is supported only on the AP-7612, AP7632, AP7662,
AP-8432, and AP-8533 access point models.
license <WEB-FILTERING-LICENSE> Obtains the specified Web filtering license from the adopting controller
• <WEB-FILTERING-LICENSE> – Specify the WEBF license name.
rtl-server-policy <RTL-SERVER-POLICY-NAME> Associates an RTL (Real Time Locationing) server policy with the
selected RF Domain
• <RTL-SERVER-POLICY-NAME> – Specify the RTL server policy name
(should be existing and configured).
smart-rf-policy <SMART-RF-POLICY-NAME> Associates a Smart RF policy with the selected RF Domain. When
associated, the Smart RF policy provides automatic recovery from
coverage loss (due to failed or faulty radio) by instructing neighboring
access points to increase their transmit power.
Once correct access point placement has been established, Smart-RF
can optionally be leveraged for automatic detector radio selection.
Smart-RF uses detector radios to monitor RF events to ensure
availability of adequate detector coverage.
• <SMART-RF-POLICY-NAME> – Specify the Smart RF policy name
(should be existing and configured).
wips-policy <WIPS-POLICY-NAME> Associates a WIPS policy with the selected RF Domain. A WIPS policy
provides protection against wireless threats and acts as a key layer of
security complementing wireless VPNs, encryption and authentication.
A WIPS policy uses a dedicated sensor for actively detecting and
locating rogue AP devices. After detection, WIPS uses mitigation
techniques to block the devices by manual termination, air lockdown, or
port suppression.
• <WIPS-POLICY-NAME> – Specify the WIPS policy name (should be
existing and configured).
Examples
nx9500-6C8809(config-rf-domain-default)#use smart-rf-policy Smart-RF1
nx9500-6C8809(config-rf-domain-default)#use wips-policy WIPS1
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
contact Bob+14082778691
timezone America/Los_Angeles
stats update-interval 200
country-code us
use smart-rf-policy Smart-RF1
use wips-policy WIPS1
sensor-server 2 ip 172.16.10.3
override-smartrf channel-list 2.4GHz 1,2,3
override-wlan test vlan-pool 2 limit 20
layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
nx9500-6C8809(config-rf-domain-default)#
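The following is an added example, not part of this guide: a Python check of an exported configuration for the conditions described above, namely that every policy named by 'use' exists and is configured, that a WIPS policy is associated, and that the RF Domain time zone has been reset from UTC. The sample configuration is constructed; the one-space indentation of child lines and the "<kind> <name>" form of policy block headers are assumptions.

```python
# Added example: audit RF Domain blocks in a WiNG-style configuration dump.

# Policy kinds accepted by 'use' in RF Domain mode (from the Syntax above).
USE_KINDS = {
    "ble-data-export-policy", "database-policy", "nsight-policy",
    "rtl-server-policy", "sensor-policy", "smart-rf-policy", "wips-policy",
}

# Constructed sample, not captured from a device. Assumptions: child lines
# are indented under their block header, and every policy block starts with
# "<kind> <name>" as the sensor-policy and rtl-server-policy contexts do.
SAMPLE_CONFIG = """\
smart-rf-policy Smart-RF1
 enable
sensor-policy Sensor1
 scan-mode Default-Scan
rf-domain default
 contact Bob+14082778691
 timezone America/Los_Angeles
 country-code us
 use smart-rf-policy Smart-RF1
 use wips-policy WIPS1
rf-domain branch
 country-code us
 use sensor-policy Sensor1
"""


def parse_blocks(text):
    """Split a dump into (header_tokens, [child_token_lists]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tokens = raw.split()
        if raw[0].isspace():
            if blocks:                      # child line of the current block
                blocks[-1][1].append(tokens)
        else:
            blocks.append((tokens, []))     # new top-level block
    return blocks


def audit_rf_domains(text):
    """Return (domain, finding, detail) tuples for every RF Domain block."""
    blocks = parse_blocks(text)
    # Policies that exist in the dump, keyed by (kind, name).
    defined = {(h[0], h[1]) for h, _ in blocks
               if len(h) >= 2 and h[0] in USE_KINDS}
    findings = []
    for header, children in blocks:
        if header[0] != "rf-domain" or len(header) < 2:
            continue
        domain = header[1]
        uses = [c[1:] for c in children if c[0] == "use" and len(c) >= 3]
        # No timezone line means the domain is still on the UTC default.
        if not any(c[0] == "timezone" for c in children):
            findings.append((domain, "no-timezone", "devices report UTC"))
        if not any(u[0] == "wips-policy" for u in uses):
            findings.append((domain, "no-wips-policy", ""))
        for kind, name in (u[:2] for u in uses):
            if kind == "license":           # a licence, not a policy block
                continue
            if kind not in USE_KINDS:
                findings.append((domain, "unknown-use-kind", kind))
            elif (kind, name) not in defined:
                findings.append((domain, "undefined-policy", f"{kind} {name}"))
    return findings


if __name__ == "__main__":
    for domain, finding, detail in audit_rf_domains(SAMPLE_CONFIG):
        print(f"rf-domain {domain}: {finding} {detail}".rstrip())
```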
Related Commands
no (rf-domain-config-mode)
Negates a command or reverts configured settings to their default. When used in the RF Domain
context, the no command removes the RF Domain settings, or reverts them to default values.
Syntax
no [alias|channel-list|contact|control-vlan|controller-managed|country-code|geo-
coordinates|layout|location|location-server|location-tenantid|mac-name|nsight-sensor|
override-smartrf|override-wlan|sensor-server|stats|timezone|tree-node|use]
no [channel-list [2.4GHz|5GHz|dynamic]|contact|control-vlan|controller-managed|country-
code|location|location-server 1|location-tenantid|mac-name <MAC>|nsight-sensor|sensor-
server <1-3>|stats update-interval|timezone|tree-node]
no alias [address-range|host|network|network-group [address-range|host|network]|network-
service|number|string|vlan] <ALIAS-NAME>
no layout {(area <AREA-NAME>|floor <FLOOR-NAME>)}
no override-smartrf channel-list [2.4GHz|5GHz]
no override-wlan <WLAN-NAME> [shutdown|ssid|template|vlan-pool [<1-4094>|all]|wep128 [key
<1-3>|transmit-key]|wpa-wpa2-psk]
no use [ble-data-export-policy|database-policy|license|nsight-policy|rtl-server-policy|
sensor-policy|smart-rf-policy|wips-policy]
Parameters
no <PARAMETERS>
Examples
The following example shows the default RF Domain settings before the ‘no’ commands are executed:
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
location SanJose
contact Bob+14082778691
country-code us
channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
mac-name 11-22-33-44-55-66 TestDevice
layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
control-vlan 1
nx9500-6C8809(config-rf-domain-default)#
nx9500-6C8809(config-rf-domain-default)#no channel-list 2.4GHz 1-10
nx9500-6C8809(config-rf-domain-default)#no mac-name 11-22-33-44-55-66
nx9500-6C8809(config-rf-domain-default)#no location
nx9500-6C8809(config-rf-domain-default)#no control-vlan
The following example shows the default RF Domain settings after the ‘no’ commands are executed:
nx9500-6C8809(config-rf-domain-default)#show context
rf-domain default
contact Bob+14082778691
country-code us
layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
nx9500-6C8809(config-rf-domain-default)#
rfs4000
Adds an RFS4010 wireless controller to the network
Syntax
rfs4000 <DEVICE-RFS4000-MAC>
Parameters
rfs4000 <DEVICE-RFS4000-MAC>
Examples
nx9500-6C8809(config)#rfs4000 10-20-30-40-50-60
nx9500-6C8809(config-device-10-20-30-40-50-60)#
Related Commands
nx5500
Adds an integrated NX5500 series service platform to the network. If a profile for this service platform
is not available, a new profile is created.
Syntax
nx5500 <DEVICE-NX5500-MAC>
Parameters
nx5500 <DEVICE-NX5500-MAC>
Examples
nx9500-6C8809(config)#nx5500 B4-C7-02-3C-FA-6E
nx9500-6C8809(config-device-B4-C7-02-3C-FA-6E)#
Related Commands
nx7500
Adds an integrated NX7500 series service platform to the network. If a profile for this service platform is not
available, a new profile is created.
Syntax
nx75xx <DEVICE-NX75XX-MAC>
Parameters
nx75xx <DEVICE-NX75XX-MAC>
<DEVICE-NX75XX-MAC> Specifies the MAC address of the NX7500 series service platform
Examples
nx9500-6C8809(config)#nx75xx B4-C9-81-6C-FA-7C
nx9500-6C8809(config-device-B4-C9-81-6C-FA-7C)#show context
nx75xx B4-C9-81-6C-FA-7C
use profile default-nx75xx
use rf-domain default
hostname nx75xx-6CFA7C
nx9500-6C8809(config-device-B4-C9-81-6C-FA-7C)#
nx75xx-6CFA7C>show adoption status
Adopted by:
Type : nx9000
System Name : nx9500-6C8809
MAC address : B4-C7-99-6C-88-09
MiNT address : 19.6C.88.09
Time : 1 days 01:57:50 ago
Adopted Devices:
---------------------------------------------------------------------------------------
DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-ADOPTION UPTIME
---------------------------------------------------------------------------------------
ap7532-11E6C4 5.9.5.0-004D configured No nx75xx-6CFA7C 1 days 01:49:44 1 days 01:59:34
---------------------------------------------------------------------------------------
Total number of devices displayed: 1
nx75xx-6CFA7C>
Related Commands
nx9000
Adds an NX9500 series service platform to the network
Syntax
nx9000 <DEVICE-NX9XXX-MAC>
Parameters
nx9000 <DEVICE-NX9XXX-MAC>
Examples
nx9500-6C8809(config)#nx9000 B4-C7-89-7C-81-08
nx9500-6C8809(config-device-B4-C7-89-7C-81-08)#
Related Commands
roaming-assist-policy
Configures a roaming assist policy that enables access points to assist wireless clients in making
roaming decisions, such as which access point to connect to.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
roaming-assist-policy <ROAMING-ASSIST-POLICY-NAME>
Parameters
roaming-assist-policy <ROAMING-ASSIST-POLICY-NAME>
Examples
nx9500-6C8809(config)#roaming-assist-policy test
nx9500-6C8809(config-roaming-assist-policy-test)#?
Roaming Assist Mode commands:
action Configure action - action is deauth / log /
assisted-roam
aggressiveness Configure the roaming aggressiveness for a wireless
client
detection-threshold Configure the detection threshold - when exceeded,
client monitoring starts
nx9500-6C8809(config-roaming-assist-policy-test)#
Related Commands
Note
For more information on the Roaming Assist Policy commands, see ROAMING ASSIST POLICY on
page 2040.
role-policy
Creates a role-based firewall policy and enters its configuration mode
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
role-policy <ROLE-POLICY-NAME>
Parameters
role-policy <ROLE-POLICY-NAME>
<ROLE-POLICY-NAME> Specify the role policy name. If a policy with the specified name does not exist,
it is created.
Examples
nx9500-6C8809(config)#role-policy role1
nx9500-6C8809(config-role-policy-role1)#?
Role Policy Mode commands:
default-role Configuration for Wireless Clients not matching any role
ldap-deadperiod Ldap dead period interval
ldap-query Set the ldap query mode
ldap-server Add a ldap server
ldap-timeout Ldap query timeout interval
no Negate a command or set its defaults
user-role Create a role
nx9500-6C8809(config-role-policy-role1)#
Related Commands
Note
For more information on Role Policy commands, see ROLE-POLICY.
route-map
Creates a dynamic Border Gateway Protocol (BGP) route map and enters its configuration mode
BGP route maps are used by network administrators to define rules controlling redistribution of routes
between routers and routing processes. These route maps are also used to control and modify routing
information.
Parameters
route-map <ROUTE-MAP-NAME>
route-map <ROUTE-MAP-NAME> Creates a new BGP route map and enters its configuration mode
Examples
nx9500-6C8809(config)#route-map test
nx9500-6C8809(config-dr-route-map-test)#?
Route Map Mode commands:
deny Add a deny route map rule to deny set operations
no Negate a command or set its defaults
permit Add a permit route map rule to permit set operations
nx9500-6C8809(config-dr-route-map-test)#
Related Commands
Note
For more information on BGP route maps, see BORDER GATEWAY PROTOCOL on page 2050.
routing-policy
Creates a routing policy and enters its configuration mode
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
routing-policy <ROUTING-POLICY-NAME>
Parameters
routing-policy <ROUTING-POLICY-NAME>
<ROUTING-POLICY-NAME> Specify the routing policy name. If the policy does not exist, it is created.
Examples
nx9500-6C8809(config)#routing-policy test
nx9500-6C8809(config-routing-policy-test)#?
Routing Policy Mode commands:
apply-to-local-packets Use Policy Based Routing for packets generated by
the device
nx9500-6C8809(config-routing-policy-test)#
Related Commands
Note
For more information on Routing Policy commands, see ROUTING-POLICY on page 1925.
rtl-server-policy
Creates an RTL server policy and enters its configuration mode. When configured and applied on an
access point, this policy enables the sending of RSSI feeds from the access point to a server. The RTL
server policy provides the exact location (URL) of the server. The RSSI feeds sent are as per the sensor-
policy configured and applied on the access point. Therefore, ensure that a sensor-policy, with the rssi-
interval-duration specified, is existing, configured, and applied on the access points.
To initiate RSSI feed posts to the Euclid locationing server, use the RTL server policy on the:
• AP’s device/profile context, or
• AP’s RF Domain context.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
rtl-server-policy <RTL-POLICY-NAME>
Parameters
rtl-server-policy <RTL-POLICY-NAME>
<RTL-POLICY-NAME> Specify the RTL server policy name. If an RTL server policy with the
specified name does not exist, it is created.
nx9500-6C8809(config)#rtl-server-policy test
nx9500-6C8809(config-rtl-server-policy-test)#?
RTL Server Policy Mode commands:
no Negate a command or set its defaults
url Configure the url to send the real time RSSI feed to
nx9500-6C8809(config-rtl-server-policy-test)#
rtl-server-policy-config-commands
The following table summarizes the RTL server policy configuration mode commands:
url
Configures the RTL server’s exact location. This is the URL at which the server can be reached.
Syntax
url <URL>
Parameters
url <URL>
Examples
nx9500-6C8809(config-rtl-server-policy-test)#url https://testrtlsever.com
nx9500-6C8809(config-rtl-server-policy-test)#show context
rtl-server-policy test
url https://testrtlsever.com
nx9500-6C8809(config-rtl-server-policy-test)#
Related Commands
no (rtl-server-policy-config-mode-commands)
Removes the locationing server’s URL configuration
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no <URL>
Parameters
no <URL>
Examples
The following example displays the RTL server policy ‘test’ settings before the ‘no’ command is
executed:
nx9500-6C8809(config-rtl-server-policy-test)#show context
rtl-server-policy test
url https://testrtlsever.com
nx9500-6C8809(config-rtl-server-policy-test)#
nx9500-6C8809(config-rtl-server-policy-test)#no url
The following example displays the RTL server policy ‘test’ settings after the ‘no’ command is executed:
nx9500-6C8809(config-rtl-server-policy-test)#show context
rtl-server-policy test
nx9500-6C8809(config-rtl-server-policy-test)#
schedule-policy
Creates a schedule policy and enters its configuration mode. A schedule policy strategically enforces
application filter policy rules during administrator assigned intervals.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
schedule-policy <SCHEDULE-POLICY-NAME>
Parameters
schedule-policy <SCHEDULE-POLICY-NAME>
schedule-policy <SCHEDULE-POLICY-NAME> Specify the Schedule policy name. If a policy with the specified
name does not exist, it is created. The name should not exceed 32
characters in length.
Examples
nx9500-6C8809(config)#schedule-policy test
nx9500-6C8809(config-schedule-policy-test)#?
Schedule Policy Mode commands:
description Schedule policy description
no Negate a command or set its defaults
time-rule Configure a time rule
nx9500-6C8809(config-schedule-policy-test)#
Related Commands
schedule-policy-config-commands
description
Configures a description for this schedule policy that differentiates it from other policies with similar
time rule configurations
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
description <WORD>
Parameters
description <WORD>
Examples
nx9500-6C8809(config-schedule-policy-test)#description "Denies social networking sites on weekdays."
nx9500-6C8809(config-schedule-policy-test)#show context
schedule-policy test
description "Denies social networking sites on weekdays."
nx9500-6C8809(config-schedule-policy-test)#
Related Commands
time-rule
Configures a time rule specifying the days and optionally the start and end times. When applied to an
application-policy rule, the schedule policy defines the enforcement time of the rule. For more
information, see application-policy on page 294.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
time-rule days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|
weekends|weekdays] {start-time <HH:MM> [end-time <HH:MM>]}
Parameters
time-rule days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|
weekends|weekdays] {start-time <HH:MM> [end-time <HH:MM>]}
start-time <HH:MM> [end-time <HH:MM>] After specifying the days of enforcement, specify the following:
• start-time – Optional. Specifies the enforcement start time
◦ <HH:MM> – Specify the start time in hours and minutes in the
HH:MM format.
If no start time is specified, the time rule is enforced, on the
specified days, at all times.
• end-time – Specifies the enforcement end time
◦ <HH:MM> – Specify the time in hours and minutes in the
HH:MM format.
Examples
nx9500-6C8809(config-schedule-policy-test)#time-rule days weekdays start-time 10:00 end-time 23:30
nx9500-6C8809(config-schedule-policy-test)#show context
schedule-policy test
description "Denies social networking sites on weekdays."
time-rule days weekdays start-time 10:00 end-time 23:30
nx9500-6C8809(config-schedule-policy-test)#
Related Commands
no (schedule-policy-config-mode-commands)
Removes the selected schedule policy’s settings
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [description|time-rule]
no description
no time-rule days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|
all|weekends|weekdays]
Parameters
no <PARAMETERS>
Examples
The following example displays the schedule policy ‘test’ settings before the ‘no’ commands have been
executed:
nx9500-6C8809(config-schedule-policy-test)#show context
schedule-policy test
description "Denies social networking sites on weekdays."
time-rule days weekdays start-time 10:00 end-time 23:30
nx9500-6C8809(config-schedule-policy-test)#
The following example displays the schedule policy ‘test’ settings after the ‘no’ commands have been
executed:
nx9500-6C8809(config-schedule-policy-test)#no description
nx9500-6C8809(config-schedule-policy-test)#no time-rule days weekdays
nx9500-6C8809(config-schedule-policy-test)#show context
schedule-policy test
nx9500-6C8809(config-schedule-policy-test)#
self
Invokes the logged-in device's configuration context
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
self
Parameters
None
Examples
nx9500-6C8809(config)#self
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
sensor-policy
Access point radios, functioning as sensors, along with AirDefense WIPS servers protect networks from
attacks and unauthorized access. These access point sensors scan legal channels and (based on a WIPS
policy's settings) identify events that are potential threats to the managed network. These events are
reported to the AirDefense WIPS server, which determines the action taken.
In addition to WIPS support, sensor functionality has now been added for Extreme Networks'
locationing system. The ExtremeLocation system for Wi-Fi locationing includes WiNG controllers and
access points functioning as sensors. Within the Locationing architecture, sensors scan for RSSI data on
an administrator-defined interval and send it to a dedicated ExtremeLocation Server resource, as
opposed to an ADSP server. The ExtremeLocation Server collects the RSSI data from WiNG sensor
devices, and calculates the location of Wi-Fi devices for ExtremeLocation administrators.
Use this command to configure a policy defining the mode of scanning, the channels to scan (in case
scan-mode is set to custom-scan), and the RSSI interval. For the sensor policy to take effect, use the
policy either in the access point’s RF Domain context or in the access point’s device context.
Note
If a dedicated sensor is utilized with WIPS for rogue detection, any sensor policy used is
discarded and not utilized by the sensor. To avoid this situation, use ADSP channel settings
exclusively to configure the sensor and not the WiNG interface.
Syntax
sensor-policy <SENSOR-POLICY-NAME>
Parameters
sensor-policy <SENSOR-POLICY-NAME>
<SENSOR-POLICY-NAME> Specify the Sensor policy name. If a sensor policy with the specified
name does not exist, it is created. The name should not exceed 32
characters in length. No character spaces are permitted within the
name. Define a name unique to the policy’s channel and scan mode
configuration to help differentiate it from other policies.
Examples
nx9500-6C8809(config)#sensor-policy test
nx9500-6C8809(config-sensor-policy-test)#?
Sensor Policy Mode commands:
custom-scan Channel configuration in Custom Scan channels
no Negate a command or set its defaults
rssi-interval-duration Configure the periodicity of sending RSSI info from
sensor to server
scan-mode Configure the Scan mode
nx9500-6C8809(config-sensor-policy-test)#
Related Commands
sensor-policy-config-commands
custom-scan
Configures the channel scanning settings when the scan-mode is set to custom-scan
Note
If the mode of scanning is set to Custom-Scan, use this command to configure the channels to
be scanned. To set the mode of scanning to custom-scan, use the scan-mode > Custom-Scan
command. For more information, see scan-mode on page 595.
Syntax
custom-scan channel-frequency <CHANNEL-FREQUENCY> width
[20MHz|40MHz-Both|40MHz-Lower|40MHz-Upper|80MHz] scan-weight <SCAN-WEIGHT>
Parameters
custom-scan channel-frequency <CHANNEL-FREQUENCY> width
[20MHz|40MHz-Both|40MHz-Lower|40MHz-Upper|80MHz] scan-weight <SCAN-WEIGHT>
custom-scan Configures the custom-scan channel frequency, channel width, and scan
weight
channel-frequency <CHANNEL-FREQUENCY> Configures the channel frequency. A list of unique channels in the 2.4, 4.9, 5
and 6 GHz band can be collectively or individually enabled for customized
channel scans and RSSI reporting.
• <CHANNEL-FREQUENCY> – Specify a single or multiple, ‘comma-separated’
channel frequencies.
width [20MHz|40MHz-Both|40MHz-Lower|40MHz-Upper|80MHz] Configures the channel width. When custom channels are selected for RSSI
scans, each selected channel can have its own width defined. Numerous
channels have their width fixed at 20MHz; 802.11a radios support 20 and 40
MHz channel widths.
• 20MHz – Sets the channel width as 20MHz
• 40MHz-Both – Sets the channel width as 40MHz-Both
• 40MHz-Lower – Sets the channel width as 40MHz-Lower
• 40MHz-Upper – Sets the channel width as 40MHz-Upper
• 80MHz – Sets the channel width as 80MHz
scan-weight <SCAN-WEIGHT> Configures the scan-weight (scanning duration) for each of the selected
channels. Each selected channel can have its weight prioritized in respect
to the amount of time a scan is permitted within the defined RSSI scan
interval.
• <SCAN-WEIGHT> – Specify the scan weightage given to each selected
channel.
Examples
nx9500-6C8809(config-sensor-policy-test)#custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
scan-mode Custom-Scan
custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#
Related Commands
rssi-interval-duration
Configures the interval, in seconds, at which dedicated sensors scan channels for RSSI assessments and
send the RSSI data obtained to a specified server resource
Supported in the following platforms:
• Service Platforms — NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
rssi-interval-duration <1-60>
Parameters
rssi-interval-duration <1-60>
rssi-interval-duration <1-60> Configures the RSSI interval duration in seconds. This is the interval at
which the sensor scans channels for RSSI data and forwards the data to a
dedicated server resource. The server calculates real-time locations of
Wi-Fi devices based on this data.
• <1-60> – Specify the RSSI interval duration from 1 - 60 seconds. The
default is 1 second.
The channels scanned for RSSI assessment depend on the scan-mode
selected. For more information, see scan-mode on page 595 and
custom-scan on page 593.
Ensure that the server’s IP address or hostname has been configured in
the access point sensor’s RF Domain context.
Examples
nx9500-6C8809(config-sensor-policy-test)#rssi-interval-duration 30
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
rssi-interval-duration 30
scan-mode Custom-Scan
custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#
Related Commands
no (sensor-policy-config-mode-commands) on page 596 Resets the interval at which RSSI data is collected
and sent by the sensor to the MPact server host to default (1 second)
scan-mode
Configures the mode of scanning used by dedicated sensors (access point radios)
Supported in the following platforms:
• Service Platforms — NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
scan-mode [Channel-Lock|Custom-Scan|Default-Scan]
scan-mode Channel-Lock lock-frequency <LOCK-FREQUENCY>
scan-mode [Custom-Scan|Default-Scan]
Parameters
scan-mode Channel-Lock lock-frequency <LOCK-FREQUENCY>
scan-mode Configures the mode of scanning used by the sensors to scan system-
defined or user-defined channels for RSSI assessments. The options are:
Channel-Lock, Custom-Scan, and Default-Scan.
Channel-Lock lock-frequency <LOCK-FREQUENCY> Configures the mode of scanning as channel-lock
• lock-frequency <LOCK-FREQUENCY> – Locks scanning for RSSI data to
one specific channel identified by the <LOCK-FREQUENCY> parameter.
◦ <LOCK-FREQUENCY> – Specify the channel frequency in MHz. When
specified, the sensor scans only this specified channel.
scan-mode [Custom-Scan|Default-Scan]
scan-mode Configures the mode of scanning used by the sensor. The options are:
channel-lock, custom-scan, and default-scan.
Custom-Scan Configures the mode of scanning as custom-scan
Select this option to restrict scanning to user-defined channels. If selecting
this option, use the custom-scan > channel-frequency command to
configure the channels scanned by the dedicated sensor. For more
information, see custom-scan on page 593.
Default-Scan Configures the mode of scanning as Default-Scan. This is the default
setting.
By default the system has a fixed, built-in list of channels that are scanned.
These channels are hard coded in a spread pattern of 1, 6, 11, 36, 40, 44, and
48. When selected, the dedicated sensor scans only these default channels.
Examples
nx9500-6C8809(config-sensor-policy-test)#scan-mode Custom-Scan
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
rssi-interval-duration 30
scan-mode Custom-Scan
custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
Related Commands
no (sensor-policy-config-mode-commands)
Removes or reverts to default a sensor policy’s settings
Supported in the following platforms:
• Service Platforms — NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
no [custom-scan|rssi-interval-duration|scan-mode]
no custom-scan channel-frequency <CHANNEL-FREQUENCY-LIST>
no rssi-interval-duration
no scan-mode
Parameters
no <PARAMETERS>
Examples
The following example shows the sensor-policy ‘test’ settings before the ‘no’ commands are executed:
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
rssi-interval-duration 30
scan-mode Custom-Scan
custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#
The scan-mode is reverted back to the default setting of 'Default-Scan', as shown in the following output:
nx9500-6C8809(config-sensor-policy-test)#no scan-mode
nx9500-6C8809(config-sensor-policy-test)#no custom-scan channel-frequency 2412
nx9500-6C8809(config-sensor-policy-test)#no custom-scan channel-frequency 2417
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
rssi-interval-duration 30
scan-mode Default-Scan
nx9500-6C8809(config-sensor-policy-test)#
smart-rf-policy
Configures a Smart RF policy and enters its configuration mode
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
smart-rf-policy <SMART-RF-POLICY-NAME>
Parameters
smart-rf-policy <SMART-RF-POLICY-NAME>
<SMART-RF-POLICY-NAME> Specify the Smart RF policy name. If a policy with the specified name
does not exist, it is created.
Examples
nx9500-6C8809(config)#smart-rf-policy test
nx9500-6C8809(config-smart-rf-policy-test)#?
Smart RF Mode commands:
area Specify channel list/ power for an area
assignable-power Specify the assignable power during power-assignment
avoidance-time Time to avoid a channel once dfs/adaptivity
avoidance is necessary
channel-list Select channel list for smart-rf
channel-width Select channel width for smart-rf
coverage-hole-recovery Recover from coverage hole
enable Enable this smart-rf policy
group-by Configure grouping parameters
interference-recovery Recover issues due to excessive noise and
interference
neighbor-recovery Recover issues due to faulty neighbor radios
no Negate a command or set its defaults
select-shutdown Select redundant 2.4GHz Radios to shutdown
sensitivity Configure smart-rf sensitivity (Modifies various
other smart-rf configuration items)
smart-ocs-monitoring Smart off channel scanning
nx9500-6C8809(config-smart-rf-policy-test)#
Related Commands
Note
For more information on Smart RF policy commands, see SMART-RF-POLICY on page 1808.
t5
Syntax
t5 <T5-DEVICE-MAC>
Parameters
t5 <T5-DEVICE-MAC>
t5 <T5-DEVICE-MAC> Specify the T5 device’s MAC address. The system enters the identified
device’s configuration mode.
A T5 controller uses the IPX operating system to manage its connected
radio devices, as opposed to the WiNG operating system used by RFS
wireless controllers and NX service platforms. However, a T5 controller,
once enabled as a supported external device, can provide data to WiNG to
assist in a T5’s management within a WiNG supported subnet populated
by both types of devices. The Customer Premises Equipments (CPEs) are
the T5 controller managed radio devices using the IPX operating system.
These CPEs use a Digital Subscriber Line (DSL) as their high speed Internet
access mechanism using the CPE’s physical wallplate connection and
phone jack.
After logging on to the T5 device, use the ‘cpe’ keyword and configure the
following mandatory settings:
• vlan – Set a VLAN from 1 - 4,094 used as a virtual interface for
connections between the T5 controller and its managed CPE devices.
• start ip – Set a starting IP address used in a range of addresses available
to T5 controller connecting CPE devices.
• end ip – Set an end IP address used in a range of addresses available to
T5 controller connecting CPE devices.
Examples
nx9500-6C8809(config)#t5 B4:C7:99:ED:5C:2C
nx9500-6C8809(config-device-B4:C7:99:ED:5C:2C)#?
T5 Device Mode commands:
adsp-sensor-server Configure WIPS server
bridge Sets MAC address expiration time in the bridge address
table
clock Configure clock options
cpe T5 CPE configuration
nx9500-6C8809(config-device-B4:C7:99:ED:5C:2C)#
Related Commands
no (global-config-mode) on page 525 Removes the T5 wireless controller identified by the device’s MAC address
web-filter-policy
Creates a Web Filtering policy and enters its configuration mode. This policy defines rules managing the
local classification database and the cached data. When configured and applied, this policy also enables
caching of URL classification records in a local database in a controller-based, hierarchically managed
(HM) deployment. Use this option to specify the following: classification server details, size of the local
database, time for which records are cached in the database, the action taken in case the classification
server is unavailable, etc.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
web-filter-policy <WEB-FILTER-POLICY-NAME>
Parameters
web-filter-policy <WEB-FILTER-POLICY-NAME>
<WEB-FILTER-POLICY-NAME> Specify the Web filter policy name. If the policy with the specified name
does not exist, it is created.
Examples
nx9500-6C8809(config)#web-filter-policy test
nx9500-6C8809(config-web-filter-policy-test)#?
Content Filter Mode commands:
cache-max-recs Configure the maximum number of records in local cache
cache-save-interval Configure the time a record is saved in local cache
logging Select logging method
no Negate a command or set its defaults
server-host Configure URL classification server if it is not the
adopted controller
server-unreachable Permission to access website when classification server
is unreachable (default is pass)
uncategorized-url Permission to website when server fails to classify the
URL request (default is pass)
nx9500-6C8809(config-web-filter-policy-test)#
Related Commands
web-filter-config-commands
The following table summarizes Web Filter policy configuration mode commands:
cache-max-recs
Configures the maximum number of records (URL and Web page classification entries) cached in the
local database
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
cache-max-recs <1-1000000>
Parameters
cache-max-recs <1-1000000>
cache-max-recs <1-1000000> Specify the maximum number of records cached in the local
database from 1 - 1000000.
When configuring this value, take into consideration the type of
device using the Web Filter policy. The value should approximately
follow these per-device ranges:
• NX95XX – <1-1000000> (default is 100000)
• NX75XX – <1-100000> (default is 10000)
• RFS Switches – <1-10000> (default is 1000)
• Access Points – <1-1500> (default is 500)
Examples
nx9500-6C8809(config-web-filter-policy-test)#cache-max-recs 9000
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
cache-max-recs 9000
nx9500-6C8809(config-web-filter-policy-test)#
Related Commands
no (web-filter-policy-config-mode-commands) on page 605 Reverts the maximum number of stored records to default. Please see the
parameter table for default values for the different device types.
cache-save-interval
Configures the maximum time period, in seconds, for which a record (URL and Web page classification
entry) is cached in the local database. Once the specified time has expired the record is removed from
the cache.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
cache-save-interval <1-86400>
Parameters
cache-save-interval <1-86400>
cache-save-interval <1-86400> Specify the maximum time period, in seconds, for which a record is
cached in the local database from 1 - 86400 seconds. The default is 60
seconds.
Examples
nx9500-6C8809(config-web-filter-policy-test)#cache-save-interval 1000
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
cache-max-recs 9000
cache-save-interval 1000
nx9500-6C8809(config-web-filter-policy-test)#
Related Commands
no (web-filter-policy-config-mode-commands) on page 605 Reverts the maximum time period for which a record (URL and Web page
classification entry) is cached in the local database to default (60)
logging
Configures the method used to log Web filtering events
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
logging [logfile|syslog]
Parameters
logging [logfile|syslog]
logging [logfile|syslog] Selects the method used to log Web filtering events. The options are:
• logfile – Logs to a file.
• syslog – Logs to the syslog server. This is the default setting.
Examples
nx9500-6C8809(config-web-filter-policy-test)#logging logfile
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
logging logfile
nx9500-6C8809(config-web-filter-policy-test)#
server-host
Configures the URL classification server in case it is not the adopted controller
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
server-host [host-name <SERVER-HOST-NAME>|ip-address <SERVER-IPv4>|mint-id <SERVER-MiNT-
ID>]
Parameters
server-host [host-name <SERVER-HOST-NAME>|ip-address <SERVER-IPv4>|mint-id <SERVER-MiNT-
ID>]
server-host [host-name <SERVER-HOST-NAME>|ip-address <SERVER-IPv4>|mint-id <SERVER-MiNT-ID>] Use one of the following options to identify the URL classification server:
• host-name <SERVER-HOST-NAME> – Identifies the classification server by its hostname.
• ip-address <SERVER-IPv4> – Identifies the classification server by its IP address.
• mint-id <SERVER-MiNT-ID> – Identifies the classification server by its MiNT ID.
Examples
nx9500-6C8809(config-web-filter-policy-test)#server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
cache-max-recs 9000
cache-save-interval 1000
server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#
Related Commands
no (web-filter-policy-config-mode-commands) on page 605 Removes the URL classification server’s configured details, such as hostname,
ip-address, or MiNT ID.
server-unreachable
Configures the action taken in case the classification server is unreachable. Based on the value
configured, an end user’s request for a URL/Website is either blocked or passed.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
server-unreachable [block|pass]
Parameters
server-unreachable [block|pass]
server-unreachable [block|pass] Configures the action taken in case the classification server is unreachable.
The options are:
• block – Denies access to the requested URL/Website
• pass – Allows access to the requested URL/Website. This is the default value.
Examples
nx9500-6C8809(config-web-filter-policy-test)#server-unreachable block
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
cache-max-recs 9000
cache-save-interval 1000
server-unreachable block
server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#
Related Commands
no (web-filter-policy-config-mode-commands) on page 605 Reverts the action taken, in case the classification server is unreachable, to
default (pass)
uncategorized-url
Configures the action taken in case the classification server fails to classify a URL/Website. Based on the
value configured, an end user’s request for a non-classified URL/Website is either blocked or passed.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
uncategorized-url [block|pass]
Parameters
uncategorized-url [block|pass]
uncategorized-url [block|pass] Configures the action taken in case the classification server fails to classify a
URL/Website. The options are:
• block – Denies access to the requested non-classified URL/Website
• pass – Allows access to the requested non-classified URL/Website. This is the default value.
Examples
nx9500-6C8809(config-web-filter-policy-test)#uncategorized-url block
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
cache-max-recs 9000
cache-save-interval 1000
uncategorized-url block
server-unreachable block
server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#
Related Commands
no (web-filter-policy-config-mode-commands) on page 605 Reverts the action taken, in case the classification server fails to classify a
URL/Website, to default (pass)
no (web-filter-policy-config-mode-commands)
Reverts the selected Web Filter policy settings to default, based on the parameters passed
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [cache-max-recs|cache-save-interval|server-host|server-unreachable|uncategorized-url]
Parameters
no <PARAMETERS>
no <PARAMETERS> Reverts the selected Web Filter policy settings to default, based on the
parameters passed. Specify the parameters to revert back to default
value.
Examples
The following example shows the Web Filter policy ‘test’ settings before the ‘no’ command is executed:
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
cache-max-recs 9000
cache-save-interval 1000
uncategorized-url block
server-unreachable block
server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#
nx9500-6C8809(config-web-filter-policy-test)#no cache-max-recs
nx9500-6C8809(config-web-filter-policy-test)#no server-unreachable
nx9500-6C8809(config-web-filter-policy-test)#no uncategorized-url
The following example shows the Web Filter policy ‘test’ settings after the ‘no’ command has been
executed:
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
cache-save-interval 1000
server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#
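The following is an added example, not part of this guide or of WiNG itself: a Python check that reads show context output and reports Web Filter policies that fail open. It relies on two things shown above: server-unreachable and uncategorized-url both default to pass, and show context omits settings left at their default, so a missing line means pass. The policy name 'hardened', the sample text, and treating a '!' line as a block separator are assumptions made for the example.

```python
import re

# Settings whose "pass" value lets a request through when classification fails.
FAIL_OPEN_KEYS = ("server-unreachable", "uncategorized-url")
DEFAULT_ACTION = "pass"  # default for both keys, per the parameter tables

# A CLI prompt such as "nx9500-6C8809(config-web-filter-policy-test)#show context"
PROMPT = re.compile(r"^\S+\(config[^)]*\)#")
HEADER = re.compile(r"^web-filter-policy\s+(\S+)$")

# Constructed sample: the 'test' policy as displayed after the 'no' commands,
# followed by a hypothetical 'hardened' policy with both actions set to block.
SAMPLE = """\
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
 cache-save-interval 1000
 server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#
web-filter-policy hardened
 cache-max-recs 9000
 uncategorized-url block
 server-unreachable block
 server-host ip-address 192.168.13.13
"""


def parse_policies(text):
    """Return {policy name: {setting: value}} for every web-filter-policy block."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Prompts (with or without a typed command) and '!' separators
        # (assumed) end the block being read.
        if PROMPT.match(line) or line == "!":
            current = None
            continue
        header = HEADER.match(line)
        if header:
            current = policies.setdefault(header.group(1), {})
            continue
        if current is None:
            continue  # line belongs to some other part of the configuration
        key, _, value = line.partition(" ")
        current[key] = value.strip()
    return policies


def audit(text):
    """Return {policy name: [(setting, source), ...]} for settings that pass.

    source is "explicit" when the line is present in the output and
    "implicit default" when it is absent and the default therefore applies.
    """
    findings = {}
    for name, settings in parse_policies(text).items():
        issues = []
        for key in FAIL_OPEN_KEYS:
            action = settings.get(key, DEFAULT_ACTION)
            if action == "pass":
                source = "explicit" if key in settings else "implicit default"
                issues.append((key, source))
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for policy, issues in audit(SAMPLE).items():
        if not issues:
            print(f"{policy}: blocks on classification failure")
        for key, source in issues:
            print(f"{policy}: {key} is pass ({source})")
```
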
wips-policy
Configures a WIPS policy and enters its configuration mode
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
wips-policy <WIPS-POLICY-NAME>
Parameters
wips-policy <WIPS-POLICY-NAME>
<WIPS-POLICY-NAME> Specify the WIPS policy name. If a policy with the specified name does
not exist, it is created.
Examples
nx9500-6C8809(config)#wips-policy test
nx9500-6C8809(config-wips-policy-test)#?
Wips Policy Mode commands:
ap-detection Rogue AP detection
enable Enable this wips policy
event Configure an event
history-throttle-duration Configure the duration for which event duplicates
are not stored in history
interference-event Specify events which will contribute to smart-rf
wifi interference calculations
no Negate a command or set its defaults
signature Signature to configure
nx9500-6C8809(config-wips-policy-test)#
Related Commands
Note
For more information on WIPS Policy commands, see WIPS-POLICY on page 1837.
wlan
Configures a WLAN and enters its configuration mode. Use this command to modify an existing
WLAN’s settings.
A WLAN is a data-communications system that flexibly extends the functionality of a wired LAN. A
WLAN links two or more computers or devices using spread-spectrum or Orthogonal Frequency
Division Multiplexing (OFDM) modulation based technology. WLANs do not require lining up devices for
line-of-sight transmission, and are thus desirable for wireless networking. Roaming users can be
handed off from one access point to another, like a cellular phone system. WLANs can therefore be
configured around the needs of specific user groups, even when they are not in physical proximity.
WLANs can provide an abundance of services, including data communications (allowing mobile devices
to access applications), e-mail, file, and print services or even specialty applications (such as guest
access control and asset tracking).
Each WLAN configuration contains encryption, authentication and QoS policies and conditions for user
connections. Connected access point radios transmit periodic beacons for each BSS. A beacon
advertises the SSID, security requirements, supported data rates of the wireless network to enable
clients to locate and connect to the WLAN.
WLANs are mapped to radios on each access point. A WLAN can be advertised from a single access
point radio or can span multiple access points and radios. WLAN configurations can be defined to
provide service to specific areas of a site. For example, a guest access WLAN may only be mapped to a
2.4 GHz radio in a lobby or conference room providing limited coverage, while a data WLAN is mapped
to all 2.4 GHz and 5.0 GHz radios at the branch site to provide complete coverage.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
wlan {<WLAN-NAME>|containing <WLAN-NAME>}
Parameters
wlan {<WLAN-NAME>|containing <WLAN-NAME>}
Examples
nx9500-6C8809(config)#wlan wlan1
nx9500-6C8809(config-wlan-wlan1)#?
Wireless LAN Mode commands:
802.11v Configure 802.11v parameters
accounting Configure how accounting records are
created for this wlan
acl Actions taken based on ACL
configuration [ packet drop being one
of them]
answer-broadcast-probes Include this wlan when responding to
probe requests that do not specify an
SSID
assoc-response Association response threshold
association-list Configure the association list for
the wlan
authentication-type The authentication type of this WLAN
bridging-mode Configure how packets to/from this
wlan are bridged
broadcast-dhcp Configure broadcast DHCP packet
handling
broadcast-ssid Advertise the SSID of the WLAN in
beacons
captive-portal-enforcement Enable captive-portal enforcement on
the wlan
client-access Enable client-access (normal data
operations) on this wlan
client-client-communication Allow switching of frames from one
wireless client to another on this
wlan
client-load-balancing Configure load balancing of clients
on this wlan
controller-assisted-mobility Enable controller assisted mobility
to determine wireless clients' VLAN
assignment
data-rates Specify the 802.11 rates to be
supported on this wlan
description Configure a description of the usage
of this wlan
downstream-group-addressed-forwarding Enable downstream group addressed
forwarding of packets
dpi Deep-Packet-Inspection (Application
Assurance)
dynamic-vlan-assignment Dynamic VLAN assignment configuration
eap-types Configure client access based on
eap-type used for authentication
encryption-type Configure the encryption to use on
this wlan
enforce-dhcp Drop packets from Wireless Clients
with static IP address
fast-bss-transition Configure support for 802.11r Fast
BSS Transition
http-analyze Enable HTTP URL analysis on the wlan
ip Internet Protocol (IP)
ipv6 Internet Protocol version 6 (IPv6)
kerberos Configure kerberos authentication
parameters
mac-authentication Configure mac-authentication related
parameters
no Negate a command or set its defaults
nsight Nsight Server
opendns OpenDNS related config for this wlan
protected-mgmt-frames Protected Management Frames (IEEE
802.11w) related configuration
proxy-arp-mode Configure handling of ARP requests
with proxy-arp is enabled
proxy-nd-mode Configure handling of IPv6 ND
requests with proxy-nd is enabled
qos-map Support the 802.11u QoS map element
and frame
radio-resource-measurement Configure support for 802.11k Radio
Resource Measurement
radius Configure RADIUS related parameters
registration Enable dynamic registration of device
(or) user
relay-agent Configure dhcp relay agent info
shutdown Shutdown this wlan
ssid Configure the Service Set Identifier
for this WLAN
t5-client-isolation Isolate traffic among clients
t5-security Configure encryption and
authentication
time-based-access Configure client access based on time
use Set setting to use
vlan Configure the vlan where traffic from
this wlan is mapped
vlan-pool-member Add a member vlan to the pool of
vlans for the wlan (Note:
configuration of a vlan-pool
overrides the 'vlan' configuration)
wep128 Configure WEP128 parameters
wep64 Configure WEP64 parameters
wing-extensions Enable support for WiNG-Specific
extensions to 802.11
wireless-client Configure wireless-client specific
parameters
wpa-wpa2 Modify tkip-ccmp (wpa/wpa2) related
parameters
nx9500-6C8809(config-wlan-wlan1)#
The following example shows how to use the ‘containing’ keyword to enter the configuration mode of
an existing WLAN:
nx9500-6C8809(config)#wlan containing wlan1
nx9500-6C8809(config-wlan-{'containing': 'wlan1'})#
Related Commands
wlan-config-mode-commands
Use the (config) instance to configure WLAN related parameters. To navigate to this instance, use the
following command:
<DEVICE>(config)#wlan <WLAN-NAME>
802.11v
Use this command to configure 802.11v parameters on this WLAN. The IEEE 802.11 family of standards
includes the 802.11v standard. 802.11v allows client devices to exchange information about the
network topology, including information about the RF environment, making each client network aware
and facilitating overall improvement of the wireless network.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
802.11v [bss-transition|session-information-url <URL>]
Parameters
802.11v [bss-transition|session-information-url <URL>]
Note:
This feature is disabled by default.
Examples
NOC-NX9500(config-wlan-test)#802.11v bss-transition
NOC-NX9500(config-wlan-test)#show context
wlan test
ssid test123
bridging-mode local
encryption-type none
authentication-type none
802.11v bss-transition
NOC-NX9500(config-wlan-test)#
Related Commands
accounting (wlan-config-mode)
Accounting is the method of collecting user data, such as start and stop times, executed commands (for
example, PPP), number of packets and number of bytes received and transmitted. This data is sent to
the security server for billing, auditing, and reporting purposes. Accounting enables wireless network
administrators to track the services and network resources accessed and consumed by users. When
enabled, this feature allows the network access server to report and log user activity to a RADIUS
security server in the form of accounting records. Each accounting record is comprised of AV pairs and
is stored on the access control server. The data can be analyzed for network management, client billing,
and/or auditing. Accounting methods must be defined through AAA policies.
Accounting can be enabled and applied to access point, wireless controller, or service platform
managed WLANs. Once enabled, it uniquely logs accounting events specific to the managed WLAN.
Accounting logs contain information about the use of remote access services by users. This information
is of great assistance in partitioning local versus remote users and how to best accommodate each.
Remote user information can be archived to a location outside of the access point for periodic network
and user permission administration.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
accounting [radius|syslog|wait-client-ip]
accounting [radius|wait-client-ip]
accounting syslog [host|mac-address-format]
accounting syslog host <IP/HOSTNAME> {port <1-65535>}
{proxy-mode [none|through-controller|through-rf-domain-manager]}
accounting syslog mac-address-format [middle-hyphen|no-delim|pair-colon|
pair-hyphen|quad-dot] case [lower|upper]
Parameters
accounting [radius|wait-client-ip]
accounting radius Enables support for WLAN RADIUS accounting messages. When enabled,
the WLAN uses an external RADIUS resource for accounting. This option is
disabled by default.
Use the use > aaa-policy > <AAA-POLICY-NAME> command to
associate an appropriate AAA policy with this WLAN. This AAA policy should
already exist and should define the accounting, authentication, and
authorization parameters.
accounting wait-client-ip Enables waiting for client’s IP before commencing the accounting procedure
accounting syslog Enables support for WLAN syslog accounting messages in standard syslog
format (RFC 3164). This option is disabled by default.
host <IP/HOSTNAME> Configures a syslog destination hostname or IP address for accounting
records
• <IP/HOSTNAME> – Specify the IP address or name of the destination
host.
port <1-65535> Optional. Configures the syslog server’s UDP port (this port is used to
connect to the server)
• <1-65535> – Specify the port from 1 - 65535. Default port is 514.
quad-dot Configures the MAC address format with quad-dot delimiters
(AABB.CCDD.EEFF)
case [lower|upper] The following keywords are common to all:
• case – Specifies MAC address case (upper or lower)
◦ lower – Specifies MAC address is filled in lower case (for example, aa-bb-cc-dd-ee-ff)
◦ upper – Specifies MAC address is filled in upper case (for example, AA-BB-CC-DD-EE-FF)
Examples
nx9500-6C8809(config-wlan-test)#accounting syslog host 172.16.10.4 port 2 proxy-mode none
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
accounting syslog host 172.16.10.4 port 2
nx9500-6C8809(config-wlan-test)#
Related Commands
acl
Defines the actions taken based on an ACL rule configuration. Use the use > ip-access-list
<IP-ACCESS-LIST-NAME> command to associate an ACL with the WLAN. The ACL rule is
determined by the associated ACL’s configuration.
A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting
proprietary information within the network. The means by which this is accomplished varies, but in
principle, a firewall can be thought of as a mechanism that allows or denies data traffic according to
administrator-defined rules.
WLANs use firewalls like Access Control Lists (ACLs) to filter/mark packets based on the WLAN from
which they arrive, as opposed to filtering packets on layer 2 ports. An ACL contains an ordered list of
Access Control Entries (ACEs). Each ACE specifies an action and a set of conditions (rules) a packet
must satisfy to match the ACE. The order of conditions in the list is critical since filtering is stopped after
the first match.
IP based Firewall rules are specific to source and destination IP addresses and the unique rules and
precedence orders assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by
applying both an IP ACL and a MAC ACL.
Additionally, you can filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC
Firewall rule uses source and destination MAC addresses for matching operations, where the result is a
typical allow, deny or mark designation to WLAN packet traffic.
Keep in mind IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP
ACL and a MAC ACL to the interface.
Syntax
acl exceed-rate wireless-client-denied-traffic <0-1000000> {blacklist <0-86400>|
disassociate}
Parameters
acl exceed-rate wireless-client-denied-traffic <0-1000000> {blacklist <0-86400>|
disassociate}
acl exceed-rate Sets the action taken based on an ACL rule configuration (for example,
drop a packet)
• exceed-rate – Action is taken when the rate exceeds a specified value
wireless-client-denied-traffic <0-1000000> Sets the action to deny traffic to the wireless client when the rate exceeds
the specified value
• <0-1000000> – Specify an allowed rate threshold of disallowed traffic
in packets/sec.
If enabled, this option allows an associated client, exceeding the
thresholds configured for storm traffic, to be either de-authenticated or
blacklisted depending on the action selected. This option is disabled by
default.
blacklist <0-86400> Optional. Sets the time period for which an offending wireless client is
blacklisted.
• <0-86400> – Configures the blacklist duration from 0 - 86400
seconds. Offending clients are re-authenticated once the blacklist
duration, configured here, is over.
Examples
nx9500-6C8809(config-wlan-test)#acl exceed-rate wireless-client-denied-traffic
20 disassociate
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
accounting syslog host 172.16.10.4 port 2
acl exceed-rate wireless-client-denied-traffic 20 disassociate
nx9500-6C8809(config-wlan-test)#
Related Commands
answer-broadcast-probes
Allows the WLAN to respond to probe requests that do not specify an SSID. These probes are for
broadcast ESS. This feature is enabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
answer-broadcast-probes
Parameters
None
Examples
nx9500-6C8809(config-wlan-1)#answer-broadcast-probes
nx9500-6C8809(config-wlan-1)#
Related Commands
no (wlan-config-mode) on page 681 Does not allow this WLAN to respond to probe requests that do not specify
an SSID
assoc-response
Configures the deny-threshold and rssi-threshold values. These threshold values are considered when
responding to a client’s association/authentication request.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
assoc-response [deny-threshold <1-12>|rssi-threshold <-100--40>]
Parameters
assoc-response [deny-threshold <1-12>|rssi-threshold <-100--40>]
rssi-threshold <-100--40> Configures an association response RSSI threshold value. If the RSSI is
below the configured threshold value, the client’s association/authentication
request is ignored. This option is disabled by default.
• <-100--40> – Specify a value from -100 - -40 dBm.
Examples
nx9500-6C8809(config-wlan-test)#assoc-response rssi-threshold -60
nx9500-6C8809(config-wlan-test)#assoc-response deny-threshold 4
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type none
assoc-response rssi-threshold -60
assoc-response deny-threshold 4
registration user group-name guest expiry-time 2000 agreement-refresh 14400
nx9500-6C8809(config-wlan-test)#
Related Commands
association-list
Attaches an existing global association list with this WLAN. For more information on global association
lists, see global-association-list on page 473.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
association-list global <GLOBAL-ASSO-LIST-NAME>
Parameters
association-list global <GLOBAL-ASSO-LIST-NAME>
association-list global <GLOBAL-ASSO-LIST-NAME> Attaches an existing global association list with this WLAN
• <GLOBAL-ASSO-LIST-NAME> – Specify the global association list
name (the list should already exist and be configured).
Examples
rfs4000-229D58(config-wlan-test)#association-list global my-clients
rfs4000-229D58(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
association-list global my-clients
rfs4000-229D58(config-wlan-test)#
Related Commands
no (wlan-config-mode) on page 681 Removes the global association list associated with this WLAN
authentication-type
Sets the WLAN's authentication type
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none]
Parameters
authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none]
Examples
nx9500-6C8809(config-wlan-test)#authentication-type eap
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type eap
accounting syslog host 172.16.10.4 port 2
acl exceed-rate wireless-client-denied-traffic 20 disassociate
nx9500-6C8809(config-wlan-test)#
Related Commands
no (wlan-config-mode) on page 681 Resets the authentication mode used with this WLAN to default
(none/pre-shared keys)
bridging-mode
Configures the mode used to bridge packets to and from a WLAN. Use this command to define which
VLANs are bridged, and how local VLANs are bridged between the wired and wireless sides of the
network.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
bridging-mode [local|tunnel]
Parameters
bridging-mode [local|tunnel]
bridging-mode Configures bridging mode on this WLAN. The options are local and tunnel.
local Bridges packets between WLAN and local ethernet ports. This is the default mode.
tunnel Tunnels packets to other devices (typically a wireless controller or service platform)
Examples
nx9500-6C8809(config-wlan-test)#bridging-mode local
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type eap
accounting syslog host 172.16.10.4 port 2
acl exceed-rate wireless-client-denied-traffic 20 disassociate
nx9500-6C8809(config-wlan-test)#
broadcast-dhcp
Configures broadcast DHCP packet handling parameters
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
broadcast-dhcp validate-offer
Parameters
broadcast-dhcp validate-offer
Examples
nx9500-6C8809(config-wlan-test)#broadcast-dhcp validate-offer
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type eap
accounting syslog host 172.16.10.4 port 2
acl exceed-rate wireless-client-denied-traffic 20 disassociate
broadcast-dhcp validate-offer
nx9500-6C8809(config-wlan-test)#
Related Commands
broadcast-ssid
Advertises the WLAN SSID in beacons. If an attacker tries to isolate and recover an SSID from a client,
the SSID is visible anyway because the ESSID is carried in the beacon. This feature is enabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
broadcast-ssid
Parameters
None
Examples
nx9500-6C8809(config-wlan-1)#broadcast-ssid
nx9500-6C8809(config-wlan-1)#
Related Commands
captive-portal-enforcement
Configures the captive portal enforcement on this WLAN. When enabled, provides successfully
authenticated guests temporary and restricted access to the network. If enforcing captive-portal
authentication, associate captive-portal policy with the WLAN. For more information, see use (wlan-
config-mode) on page 666.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
captive-portal-enforcement {fall-back}
Parameters
captive-portal-enforcement {fall-back}
Examples
nx9500-6C8809(config-wlan-test)#captive-portal-enforcement fall-back
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type eap
accounting syslog host 172.16.10.4 port 2
captive-portal-enforcement fall-back
acl exceed-rate wireless-client-denied-traffic 20 disassociate
broadcast-dhcp validate-offer
nx9500-6C8809(config-wlan-test)#
Related Commands
client-access
Enables WLAN client access (for normal data operations)
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
client-access
Parameters
None
Examples
nx9500-6C8809(config-wlan-1)#client-access
nx9500-6C8809(config-wlan-1)#
Related Commands
client-client-communication
Allows frame switching from one client to another on a WLAN. This option is enabled by default. It
allows clients to exchange packets with other clients. Disabling this option does not necessarily prevent
clients on other WLANs from sending packets to this WLAN, but as long as this setting is also disabled
on that WLAN, clients are not permitted to interoperate.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
client-client-communication
Parameters
None
Examples
nx9500-6C8809(config-wlan-1)#client-client-communication
nx9500-6C8809(config-wlan-1)#
Related Commands
client-load-balancing
Enforces client load balancing on a WLAN’s access point radios. When enforced, probe and association
requests are not responded to, forcing a client to associate with another access point radio. This feature
is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
client-load-balancing {allow-single-band-clients|band-discovery-intvl|capability-ageout-time|max-probe-req|probe-req-intvl}
client-load-balancing {allow-single-band-clients [2.4ghz|5ghz]|band-discovery-intvl <0-10000>|capability-ageout-time <0-10000>}
client-load-balancing {max-probe-req|probe-req-intvl} [2.4ghz|5ghz] <0-10000>
Parameters
client-load-balancing {allow-single-band-clients [2.4ghz|5ghz]|band-discovery-intvl <0-10000>|capability-ageout-time <0-10000>}
capability-ageout-time <0-10000> Optional. Configures a client's capability ageout interval. This is
the time for which a client’s capabilities are retained in the device’s internal table. Once this
time is exceeded the client’s capabilities are aged out.
• <0-10000> – Specify a value from 0 - 10000 seconds. The default is 3600 seconds.
probe-req-intvl [2.4GHz|5GHz] <0-10000> Optional. Configures client probe request interval limits
for device association
• 2.4GHz – Configures the client probe request interval on 2.4 GHz radios
• 5GHz – Configures the client probe request interval on 5.0 GHz radios
◦ <0-10000> – Specify a value from 0 - 10000. The default for both 2.4 and 5.0 GHz radios is
10 seconds.
Examples
nx9500-6C8809(config-wlan-test)#client-load-balancing band-discovery-intvl 2
nx9500-6C8809(config-wlan-test)#client-load-balancing probe-req-intvl 5ghz 5
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type eap
accounting syslog host 172.16.10.4 port 2
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
captive-portal-enforcement fall-back
acl exceed-rate wireless-client-denied-traffic 20 disassociate
broadcast-dhcp validate-offer
nx9500-6C8809(config-wlan-test)#
Related Commands
controller-assisted-mobility
Enables controller or service platform assisted mobility to determine a wireless client’s VLAN
assignment. When enabled, a controller or service platform’s mobility database is used to assist in
roaming between RF Domains. This option is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
controller-assisted-mobility
Parameters
None
Examples
rfs4000-229D58(config-wlan-test)#controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#
Related Commands
data-rates
Specifies the 802.11 rates supported on a WLAN
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
data-rates [2.4GHz|5GHz]
data-rates 2.4GHz [b-only|bg|bgn|custom|default|g-only|gn]
data-rates 2.4GHz custom [1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|
basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|
basic-mcs-1s|mcs-1s|mcs-2s|mcs-3s]
data-rates 5GHz [a-only|an|custom|default]
data-rates 5GHz custom [12|18|24|36|48|54|6|9|basic-1|basic-11|basic-12|
basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|
basic-mcs-1s|mcs-1s|mcs-2s|mcs-3s]
Parameters
data-rates 2.4GHz [b-only|bg|bgn|default|g-only|gn]
data-rates Specifies the 802.11 rates supported when mapped to a 2.4 GHz radio
b-only Uses rates that support only 11b clients
bg Uses rates that support both 11b and 11g clients
bgn Uses rates that support 11b, 11g and 11n clients
default Uses the default rates configured for a 2.4 GHz radio
g-only Uses rates that support operation in 11g only
gn Uses rates that support 11g and 11n clients
data-rates Specifies the 802.11 rates supported when mapped to a 5.0 GHz radio
a-only Uses rates that support operation in 11a only
an Uses rates that support 11a and 11n clients
default Uses default rates configured for a 5.0 GHz
data-rates [2.4GHz|5GHz] Specifies the 802.11 rates supported when mapped to a 2.4 GHz or 5.0
GHz radio
custom Configures a data rates list by specifying each rate individually. Use
'basic-' prefix before a rate to indicate it is used as a basic rate (For
example, 'data-rates custom basic-1 basic-2 5.5 11').
The data-rates for 2.4 GHz and 5.0 GHz channels are the same with a
few exceptions. The 2.4 GHz channel has a few extra data rates: 1, 11, 2,
and 5.5.
1,11,2,5.5 The following data rates are specific to the 2.4 GHz channel:
• 1 – 1-Mbps
• 11 – 11-Mbps
• 2 – 2-Mbps
• 5.5 – 5.5-Mbps
12,18,24,36,48,54,6,9, basic-1,basic-11, basic-12,basic-18, basic-2, basic-36,basic-48, basic-5.5,
basic-54,basic-6, basic-9, basic-mcs0-7,mcs0-15, mcs0-7,mcs8-15
The following data rates are common to both the 2.4 GHz and 5.0 GHz channels:
• 12 – 12-Mbps
• 18 – 18-Mbps
• 24 – 24-Mbps
• 36 – 36-Mbps
• 48 – 48-Mbps
• 54 – 54-Mbps
• 6 – 6-Mbps
• 9 – 9-Mbps
• basic-1 – basic 1-Mbps
• basic-11 – basic 11-Mbps
• basic-12 – basic 12-Mbps
• basic-18 – basic 18-Mbps
• basic-2 – basic 2-Mbps
• basic-36 – basic 36-Mbps
• basic-48 – basic 48-Mbps
• basic-5.5 – basic 5.5-Mbps
• basic-54 – basic 54-Mbps
• basic-6 – basic 6-Mbps
• basic-9 – basic 9-Mbps
• basic-mcs-1s – Modulation and coding scheme data rates for 1
Spatial Stream
• mcs-1s – Applicable to 1-spatial stream data rates
• mcs-2s – Applicable to 2-spatial stream data rates
• mcs-3s – Applicable to 3-spatial stream data rates
Examples
nx9500-6C8809(config-wlan-test)#data-rates 2.4GHz gn
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type eap
accounting syslog host 172.16.10.4 port 2
data-rates 2.4GHz gn
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
captive-portal-enforcement fall-back
acl exceed-rate wireless-client-denied-traffic 20 disassociate
broadcast-dhcp validate-offer
nx9500-6C8809(config-wlan-test)#
Related Commands
no (wlan-config-mode) on page 681 Resets the 802.11 data rates supported on a WLAN for the 2.4 GHz or
5.0 GHz radios
description
Configures a description for this WLAN
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
description <LINE>
Parameters
description <LINE>
Examples
nx9500-6C8809(config-wlan-test)#description TestWLAN
nx9500-6C8809(config-wlan-test)#show context
wlan test
description TestWLAN
ssid test
bridging-mode local
encryption-type none
authentication-type eap
accounting syslog host 172.16.10.4 port 2
data-rates 2.4GHz gn
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
captive-portal-enforcement fall-back
acl exceed-rate wireless-client-denied-traffic 20 disassociate
broadcast-dhcp validate-offer
nx9500-6C8809(config-wlan-test)#
Related Commands
downstream-group-addressed-forwarding
Enables forwarding of downstream broadcast/multicast (BC/MC) packets to a group on this WLAN.
This feature is enabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
downstream-group-addressed-forwarding
Parameters
None
Examples
rfs4000-229D58(config-wlan-test)#downstream-group-addressed-forwarding
Related Commands
dpi
Enables DPI on this WLAN. When enabled, all traffic is subjected to DPI for detection of applications,
application categories, custom applications, and metadata extraction.
DPI is an advanced packet analysis technique, which analyzes packet and packet content headers to
determine the nature of network traffic. When enabled, DPI inspects packets of all flows to identify
applications (such as, Netflix, Twitter, Facebook, etc.) and extract metadata (such as, host name, server
name, TCP-RTT, etc.) for further use by the WiNG firewall.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dpi metadata [http|ssl|tcp-rtt|voice-video]
Parameters
dpi metadata [http|ssl|tcp-rtt|voice-video]
Examples
nx9500-6C8809(config-wlan-test)#dpi metadata http
nx9500-6C8809(config-wlan-test)#dpi metadata ssl
nx9500-6C8809(config-wlan-test)#dpi metadata voice-video
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
dpi metadata voice-video
dpi metadata http
dpi metadata ssl
nx9500-6C8809(config-wlan-test)#
Related Commands
dynamic-vlan-assignment
Enables dynamic VLAN assignment on this WLAN, and adds or removes VLANs for the selected WLAN.
Configure this feature to allow an override to the WLAN configuration. If, as part of the authentication
process, the RADIUS server returns a client's VLAN-ID in a RADIUS Access-Accept packet, and this
feature is enabled, all client traffic is forwarded on that VLAN. If disabled, the VLAN-ID returned by
the RADIUS server is ignored and the WLAN’s VLAN configuration is used. For more information, see
vlan on page 669. This option is disabled by default.
Syntax
dynamic-vlan-assignment allowed-vlan <VLAN-ID>
Parameters
dynamic-vlan-assignment allowed-vlan <VLAN-ID>
dynamic-vlan-assignment allowed-vlan Enables dynamic VLAN assignment and configures a list of VLAN
IDs or VLAN alias allowed access to the WLAN
<VLAN-ID> Specify the list of VLAN IDs or the VLAN alias names. For example, 10-20, 25, 30-35, $guest.
For information on VLAN aliases, see alias on page 267.
Examples
rfs4000-229D58(config-wlan-test)#dynamic-vlan-assignment allowed-vlans 10-20
rfs4000-229D58(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
dynamic-vlan-assignment allowed-vlans 10-20
rfs4000-229D58(config-wlan-test)#
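Because the RADIUS server selects the client's VLAN when this feature is on, the allowed list is worth auditing before it is applied. The following is an added example, not part of the guide: it expands a list in the format shown above (IDs, ranges and $aliases) and reports any overlap with VLANs that wireless clients should never be placed on. The alias map, the restricted set and the function names are assumptions of the example.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094            # usable 802.1Q VLAN IDs
ENTRY = re.compile(r"([0-9]+)(?:-([0-9]+))?")


def parse_allowed_vlans(spec):
    """Split a list such as '10-20, 25, 30-35, $guest' into (VLAN ID set, alias set)."""
    ids, aliases = set(), set()
    for item in (part.strip() for part in spec.split(",")):
        if item.startswith("$") and len(item) > 1:
            aliases.add(item)            # resolved later; the alias value is not in the list
            continue
        match = ENTRY.fullmatch(item)
        if not match:
            raise ValueError(f"malformed entry {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if not VLAN_MIN <= low <= high <= VLAN_MAX:
            raise ValueError(f"{item!r} is reversed or outside {VLAN_MIN}-{VLAN_MAX}")
        ids.update(range(low, high + 1))
    return ids, aliases


def effective_vlans(spec, alias_map):
    """Expand the list to VLAN IDs; alias_map (alias -> VLAN ID) is supplied by the caller."""
    ids, aliases = parse_allowed_vlans(spec)
    for alias in sorted(aliases):
        if alias not in alias_map:
            raise KeyError(f"alias {alias} is not defined")
        vlan_id = alias_map[alias]
        if not VLAN_MIN <= vlan_id <= VLAN_MAX:
            raise ValueError(f"alias {alias} maps to invalid VLAN {vlan_id}")
        ids.add(vlan_id)
    return ids


def radius_vlan_permitted(spec, vlan_id, alias_map):
    """True if a VLAN ID returned in an Access-Accept is on the allowed list."""
    return vlan_id in effective_vlans(spec, alias_map)


def restricted_overlap(spec, restricted, alias_map):
    """VLAN IDs on the allowed list that are also on the caller's restricted list."""
    return sorted(effective_vlans(spec, alias_map) & set(restricted))


if __name__ == "__main__":
    # Constructed inputs: the list format from the parameter table, a made-up alias
    # value and a made-up set of VLANs reserved for management and servers.
    allowed = "10-20, 25, 30-35, $guest"
    alias_values = {"$guest": 40}
    reserved = {1, 15, 35, 99}
    print("overlap with reserved VLANs:", restricted_overlap(allowed, reserved, alias_values))
    print("VLAN 26 permitted:", radius_vlan_permitted(allowed, 26, alias_values))
```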
Related Commands
eap-types
Configures client access based on the EAP type used
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
eap-types [allow|deny] [aka|all|fast|peap|sim|tls|ttls] {(aka|all|fast|peap|sim|tls|ttls)}
Parameters
eap-types [allow|deny] [aka|all|fast|peap|sim|tls|ttls] {(aka|all|fast|peap|sim|tls|ttls)}
[aka|all|fast|peap|sim|tls|ttls] The following EAP types are common to the ‘allow’ and ‘deny’ keywords:
• aka – Configures EAP Authentication and Key Agreement (AKA) and EAP-AKA’ (AKA Prime). EAP-AKA is
one of the methods in the EAP authentication framework. It uses Universal Mobile Telecommunications
System (UMTS) and Universal Subscriber Identity Module (USIM) for client authentication and key
distribution.
• all – Allows or denies usage of all EAP types on the WLAN
• fast – Configures EAP Flexible Authentication via Secure Tunneling (FAST). EAP-FAST establishes a
Transport Layer Security (TLS) tunnel, to verify client credentials, using Protected Access
Credentials (PAC).
• peap – Configures Protected Extensible Authentication Protocol (PEAP). PEAP or Protected EAP uses
encrypted and authenticated TLS tunnel to encapsulate EAP.
• sim – Configures EAP Subscriber Identity Module (SIM). EAP-SIM uses Global System for Mobile
Communications (GSMC) SIM for client authentication and key distribution.
• tls – Configures EAP TLS. EAP-TLS is an EAP authentication method that uses PKI to communicate
with a RADIUS server or any other authentication server.
• ttls – Configures Tunneled Transport Layer Security (TTLS). EAP-TTLS is an extension of TLS. Unlike
TLS, TTLS does not require every client to generate and install a CA-signed certificate.
• These options are recursive, and more than one EAP type can be selected. The selected options are
added to the allowed or denied EAP types list.
Examples
nx9500-6C8809(config-wlan-test)#eap-types allow fast sim tls
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
eap-types allow fast sim tls
nx9500-6C8809(config-wlan-test)#
Related Commands
encryption-type
Sets the WLAN's encryption type
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
encryption-type [ccmp|keyguard|none|tkip-ccmp|wep128|wep128-keyguard|wep64]
Parameters
encryption-type [ccmp|keyguard|none|tkip-ccmp|wep128|wep128-keyguard|wep64]
Examples
nx9500-6C8809(config-wlan-test)#encryption-type tkip-ccmp
nx9500-6C8809(config-wlan-test)#show context
wlan test
description TestWLAN
ssid test
bridging-mode local
encryption-type tkip-ccmp
authentication-type eap
accounting syslog host 172.16.10.4 port 2
data-rates 2.4GHz gn
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
captive-portal-enforcement fall-back
acl exceed-rate wireless-client-denied-traffic 20 disassociate
broadcast-dhcp validate-offer
nx9500-6C8809(config-wlan-test)#
Related Commands
enforce-dhcp
Enables dropping of packets from clients with a static IP address. This option is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
enforce-dhcp
Parameters
None
Examples
nx9500-6C8809(config-wlan-test)#enforce-dhcp
nx9500-6C8809(config-wlan-test)#show context
wlan test
description TestWLAN
ssid test
bridging-mode local
encryption-type tkip-ccmp
authentication-type eap
accounting syslog host 172.16.10.4 port 2
data-rates 2.4GHz gn
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
captive-portal-enforcement fall-back
acl exceed-rate wireless-client-denied-traffic 20 disassociate
enforce-dhcp
broadcast-dhcp validate-offer
nx9500-6C8809(config-wlan-test)#
Related Commands
fast-bss-transition
Enables or disables support for 802.11r Fast-BSS Transition (FT) on the selected WLAN. This feature is
disabled by default.
802.11r is an attempt to undo the burden that security and QoS added to the handoff process, and
restore it back to an original four message exchange process. The central application for the 802.11r
standard is VOIP using mobile phones within wireless Internet networks. 802.11r FT redefines the
security key negotiation protocol, allowing parallel processing of negotiation and requests for wireless
resources.
Enabling FT standards provides wireless clients fast, secure and seamless transfer from one base station
to another, ensuring continuous connectivity.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
fast-bss-transition {over-ds}
Parameters
fast-bss-transition {over-ds}
Examples
nx9500-6C8809(config-wlan-test)#fast-bss-transition
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
vlan 1
bridging-mode tunnel
encryption-type none
authentication-type none
fast-bss-transition
nx9500-6C8809(config-wlan-test)#
Related Commands
http-analyze
Enables HTTP URL analysis on the WLAN
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
http-analyze [filter|syslog]
http-analyze filter [images|post|query-string]
http-analyze syslog host <IP/HOSTNAME> {port <1-65535>}
{proxy-mode [none|through-controller|through-rf-domain-manager]}
Parameters
http-analyze filter [images|post|query-string]
filter Filters URLs, based on the parameters set, before forwarding them
images Filters out URLs referring to images (does not forward URL requesting
images)
post Filters out URLs requesting POST (does not forward POST requests). This
option is disabled by default.
query-string Removes query strings from URLs before forwarding them (forwards
requests and no data). This option is disabled by default.
syslog host <IP/HOSTNAME> Forwards client and URL information to a syslog server
• host <IP/HOSTNAME> – Specify the syslog server's IP address or hostname
port <1-65535> Optional. Specifies the UDP port to connect to the syslog server from 1 - 65535
proxy-mode [none|through-controller|through-rf-domain-manager] Optional. Specifies if the request is
to be proxied through another device
• none – Requests are sent directly to syslog server from device
• through-controller – Proxies requests through the wireless controller configuring the device
• through-rf-domain-manager – Proxies the requests through the local RF Domain manager
Examples
rfs4000-229D58(config-wlan-test)#http-analyze syslog host 192.168.13.10 port 21 proxy-mode through-controller
rfs4000-229D58(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
http-analyze syslog host 192.168.13.10 port 21 proxy-mode through-controller
rfs4000-229D58(config-wlan-test)#
Related Commands
ip (wlan-config-mode)
Configures IPv4 settings
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ip [arp|dhcp]
ip arp [header-mismatch-validation|trust]
ip dhcp trust
Parameters
ip arp [header-mismatch-validation|trust]
ip dhcp trust
Examples
nx9500-6C8809(config-wlan-test)#ip dhcp trust
nx9500-6C8809(config-wlan-test)#show context
wlan test
description TestWLAN
ssid test
bridging-mode local
encryption-type tkip-ccmp
authentication-type eap
accounting syslog host 172.16.10.4 port 2
data-rates 2.4GHz gn
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
captive-portal-enforcement fall-back
ip dhcp trust
acl exceed-rate wireless-client-denied-traffic 20 disassociate
enforce-dhcp
broadcast-dhcp validate-offer
http-analyze controller
nx9500-6C8809(config-wlan-test)#
Related Commands
ipv6 (wlan-config-mode)
Sets the DHCPv6 and ICMPv6 neighbor discovery (ND) components for this WLAN
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ipv6 [dhcpv6|nd]
ipv6 dhcpv6 trust
ipv6 nd [header-mismatch-validation|raguard|trust]
Parameters
ipv6 dhcpv6 trust
ipv6 dhcpv6 trust Enables DHCPv6 trust state for DHCPv6 responses on this WLAN.
When enabled, all DHCPv6 responses received on this WLAN are
trusted and forwarded. This option is disabled by default.
ipv6 nd [header-mismatch-validation|raguard|trust]
Examples
nx9500-6C8809(config-wlan-test)#ipv6 dhcpv6 trust
nx9500-6C8809(config-wlan-test)#ipv6 nd trust
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
vlan 1
bridging-mode tunnel
encryption-type none
authentication-type none
ipv6 dhcpv6 trust
ipv6 nd trust
nx9500-6C8809(config-wlan-test)#
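The show context listings in this chapter can be checked mechanically. The following is an added example, not part of the guide: a Python check that reads a WLAN's show context output and flags the settings covered above (encryption-type, authentication-type, the ip and ipv6 trust options, and http-analyze without the query-string filter). The sample listing, the severity labels and the CCMP-only baseline are assumptions of the example, not WiNG behaviour.

```python
import re

# Prompt lines such as "nx9500-6C8809(config-wlan-test)#show context".
PROMPT = re.compile(r"^\S+\(config-wlan-[^)]*\)#")

# Constructed sample in the layout of the guide's examples (not captured from a device).
SAMPLE_CONTEXT = """\
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 ip dhcp trust
 ipv6 nd trust
 http-analyze syslog host 192.168.13.10 port 21 proxy-mode through-controller
nx9500-6C8809(config-wlan-test)#
"""

TRUST_LINES = ("ip arp trust", "ip dhcp trust", "ipv6 dhcpv6 trust", "ipv6 nd trust")


def parse_wlan_context(text):
    """Return (wlan_name, [setting lines]) with prompts and blank lines dropped."""
    name, settings = None, []
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise indentation and spacing
        if not line or PROMPT.match(line):
            continue
        if name is None and line.startswith("wlan "):
            name = line[len("wlan "):]
        else:
            settings.append(line)
    if name is None:
        raise ValueError("no 'wlan <name>' line in input")
    return name, settings


def setting(settings, keyword, default):
    """Value of the first '<keyword> <value>' line, or the default if absent."""
    for line in settings:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:]
    return default


def audit_wlan(text):
    """Return (wlan_name, findings); each finding is (severity, setting, reason)."""
    name, settings = parse_wlan_context(text)
    enc = setting(settings, "encryption-type", "none")
    auth = setting(settings, "authentication-type", "none")
    findings = []

    if enc == "none":
        findings.append(("high", "encryption-type none",
                         "client traffic is sent unencrypted"))
    elif enc.startswith("wep"):
        findings.append(("high", "encryption-type " + enc,
                         "WEP keys can be recovered from captured traffic"))
    elif enc != "ccmp":                       # example policy: CCMP only
        findings.append(("medium", "encryption-type " + enc,
                         "not CCMP-only; confirm legacy ciphers are still required"))

    if enc == "none" and auth == "none":
        findings.append(("high", "authentication-type none",
                         "open WLAN: no authentication and no encryption"))

    # Exact match, so a "no ip dhcp trust" line is not reported.
    for line in TRUST_LINES:
        if line in settings:
            findings.append(("medium", line,
                             "traffic of this type arriving on the WLAN is treated as trusted"))

    # Assumes an enabled filter is listed as "http-analyze filter query-string".
    sends_urls = any(s.startswith("http-analyze syslog ") for s in settings)
    if sends_urls and "http-analyze filter query-string" not in settings:
        findings.append(("low", "http-analyze syslog",
                         "URLs reach the syslog server with query strings intact"))
    return name, findings


if __name__ == "__main__":
    wlan, results = audit_wlan(SAMPLE_CONTEXT)
    for severity, item, reason in results:
        print(f"{wlan}: [{severity}] {item}: {reason}")
```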
Related Commands
kerberos
Configures Kerberos authentication parameters on a WLAN. Kerberos (designed and developed by MIT)
provides strong authentication for client/server applications using secret-key cryptography. Using
Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network
connection.
Once a client and server use Kerberos to validate their identity, they encrypt all communications to
assure privacy and data integrity. Kerberos can only be used on the access point with 802.11b clients.
Kerberos uses NTP for synchronizing the clocks of its KDC server(s).
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
kerberos [password|realm|server]
kerberos password [0 <LINE>|2 <LINE>|<LINE>]
kerberos realm <REALM>
kerberos server [primary|secondary|timeout]
kerberos server [primary|secondary] host <IP/HOSTNAME> {port <1-65535>}
kerberos server timeout <1-60>
Parameters
kerberos password [0 <LINE>|2 <LINE>|<LINE>]
port <1-65535> Optional. Configures the UDP port used to connect to the KDC server
• <1-65535> – Specify the port from 1 - 65535. The default is 88.
Examples
nx9500-6C8809(config-wlan-test)#kerberos server timeout 12
nx9500-6C8809(config-wlan-test)#kerberos server primary host 172.16.10.2 port 88
nx9500-6C8809(config-wlan-test)#show context
wlan test
description TestWLAN
ssid test
bridging-mode local
encryption-type tkip-ccmp
authentication-type eap
kerberos server timeout 12
kerberos server primary host 172.16.10.2
accounting syslog host 172.16.10.4 port 2
data-rates 2.4GHz gn
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
captive-portal-enforcement fall-back
ip dhcp trust
acl exceed-rate wireless-client-denied-traffic 20 disassociate
enforce-dhcp
broadcast-dhcp validate-offer
http-analyze controller
nx9500-6C8809(config-wlan-test)#
Related Commands
mac-authentication
Enables MAC authentication. When enabled, the system uses cached credentials (RADIUS server
lookups are skipped) to authenticate clients.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mac-authentication [cached-credentials|enforce-always]
Parameters
mac-authentication [cached-credentials|enforce-always]
Examples
rfs4000-229D58(config-wlan-test)#mac-authentication cached-credentials
rfs4000-229D58(config-wlan-test)#
Related Commands
nsight
Enables retention of client-history. A typical NSight-server enabled, guest access environment may be
visited by thousands of unique clients on a daily basis. Some of these guest clients are not regular
visitors, accessing the network infrequently. However, by default, historical data of all guest clients,
irrespective of their network access frequency, is retained by the NSight server for up to 180 days. This
results in the database containing thousands if not millions of unique MAC addresses of infrequent
guest clients. To address this potential problem it is recommended to disable client-history retention on
a guest WLAN, and use the nsight-policy context to configure a separate timer (8 hours by default)
specifying the guest client data lifespan in the database.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
nsight client-history
Parameters
nsight client-history
nsight client-history Enables retention of client-history in the database. This option is enabled
by default.
Examples
On a WLAN, the client-history option is enabled by default. When enabled, all client history (including
guest-clients) is retained in the NSight server database for 180 days.
To disable this option, execute the no > nsight > client-history command. When disabled,
guest client history is retained only for 8 hours, which is the default setting defined by the NSight policy
applied on the access point (through which the guest client accesses the WLAN) or the access point’s
RF Domain. However, the default historical data retention duration for regular clients and devices
(access point and controllers) remains unchanged (180 days) as per the NSight policy settings.
nx9500-6C8809(config-wlan-test3)#no nsight client-history
nx9500-6C8809(config-wlan-test3)#show context
wlan test3
ssid test3
bridging-mode local
encryption-type none
authentication-type none
no nsight client-history
nx9500-6C8809(config-wlan-test3)#
Use the NSight policy context to define separate client-history retention time for regular clients, devices,
and guest clients. For more information, see nsight-policy (global-config-mode) on page 529.
Related Commands
opendns
Configures the pre-fetched OpenDNS device_id. Once configured, all DNS queries originating from
wireless clients associating with the WLAN are appended with an additional 31 bytes of data
(representing the device ID) at the end of the DNS packet. The device ID is a sixteen (16) character hex
string representing a 64 bit unsigned integer and is fetched from the OpenDNS site.
This command is part of a series of configurations that are required to integrate WiNG access points,
wireless controllers, and service platforms with OpenDNS. When all the parameters have been
configured, DNS queries from wireless clients, associating with the WLAN, are redirected to OpenDNS
(208.67.220.220 OR 208.67.222.222). These OpenDNS resolvers act as proxy DNS servers that provide
additional functionalities, such as Web filtering, reporting, and performance enhancement. For more
information on the entire configuration, see opendns (user and privi exec modes) on page 99.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
opendns device-id <DEVICE-ID>
Parameters
opendns device-id <DEVICE-ID>
opendns device-id <DEVICE-ID> Configures the device ID to embed in DNS queries sent to
OpenDNS
• <DEVICE-ID> – Specify the device ID.
Examples
The following command fetches the device_id from the OpenDNS site.
ap7532-E6D512#opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073
device_id = 0014AADF8EDC6C59
ap7532-E6D512#
Related Commands
protected-mgmt-frames
Configures the WLAN's frame protection mode and security association (SA) query parameters.
802.11w provides protection for both unicast management frames and broadcast/multicast
management frames. The ‘robust management frames’ are action, disassociation, and de-authentication
frames. The standard provides one security protocol CCMP for protection of unicast robust
management frames. The Protected management frames (PMF) protocol only applies to robust
management frames after establishment of RSNA PTK. Robust management frame protection is
achieved by using CCMP for unicast management frames, broadcast/multicast integrity protocol for
broadcast/multicast management frames and SA query protocol for protection against (re)association
attacks.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]]
Parameters
protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]]
protected-mgmt-frames Enables and configures WLAN's frame protection mode and SA query
parameters. Use this command to specify whether management frames are
continually or optionally protected. Frame protection mode is disabled by
default.
mandatory Enforces PMF on this WLAN (management frames are continually
protected)
optional Provides PMF only for those clients that support PMF (management frames
are optionally protected)
sa-query [attempts <1-10>|timeout <100-1000>] Configures the following SA parameters:
• attempts <1-10> – Configures the number of SA query attempts from 1 - 10. The default is 5.
• timeout <100-1000> – Configures the interval, in milliseconds, used to
time out association requests that exceed the defined interval. Specify a
value from 100 - 1000 milliseconds. The default value is 201
milliseconds.
Examples
nx9500-6C8809(config-wlan-test)#protected-mgmt-frames mandatory
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
protected-mgmt-frames mandatory
nx9500-6C8809(config-wlan-test)#
Related Commands
proxy-arp-mode
Enables proxy ARP mode for handling ARP requests. Proxy ARP is the technique used to answer ARP
requests intended for another system. By faking its identity, the access point accepts responsibility for
routing packets to the actual destination.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
proxy-arp-mode [dynamic|strict]
Parameters
proxy-arp-mode [dynamic|strict]
proxy-arp-mode Enables proxy ARP mode for handling ARP requests. The options available are
dynamic and strict.
dynamic Forwards ARP requests to the wireless side (for which a response could not be
proxied)
strict Does not forward ARP requests to the wireless side
Examples
nx9500-6C8809(config-wlan-test)#proxy-arp-mode strict
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type none
protected-mgmt-frames mandatory
wing-extensions wmm-load-information
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
acl exceed-rate wireless-client-denied-traffic 20 disassociate
proxy-arp-mode strict
broadcast-dhcp validate-offer
http-analyze controller
nx9500-6C8809(config-wlan-test)#
Related Commands
proxy-nd-mode
Configures the proxy ND mode for this WLAN member clients as either strict or dynamic. ND proxy is
used in IPv6 to provide reachability by allowing a client to act as proxy. Proxy certificate signing can be
done either dynamically (requiring exchanges of identity and authorization information) or statically
when the network topology is defined.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
proxy-nd-mode [dynamic|strict]
Parameters
proxy-nd-mode [dynamic|strict]
proxy-nd-mode [dynamic|strict] Configures the proxy ND mode for this WLAN's member clients. The
options are: dynamic and strict
• dynamic – Forwards ND requests, for which a response could not be
proxied, to the wireless side. This is the default value.
• strict – Does not forward ND requests to the wireless side
Examples
nx9500-6C8809(config-wlan-test)#proxy-nd-mode strict
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
wpa-wpa2 server-only-authentication
proxy-nd-mode strict
opendns device-id 44-55-66
nx9500-6C8809(config-wlan-test)#
Related Commands
qos-map
Enables support for 802.11u QoS map element and frames
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
qos-map
Parameters
None
Examples
nx9500-6C8809(config-wlan-test)#qos-map
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
qos-map
wpa-wpa2 server-only-authentication
proxy-nd-mode strict
opendns device-id 44-55-66
nx9500-6C8809(config-wlan-test)#
Related Commands
no (wlan-config-mode) on page 681 Disables support for 802.11u QoS map element and frames
radio-resource-measurement
Enables support for 802.11k radio resource measurement capabilities (IEEE 802.11k) on this WLAN.
802.11k improves how traffic is distributed. In a WLAN, devices normally connect to the access point
with the strongest signal. Depending on the number and location of clients, this arrangement can lead
to excessive demand on one access point and under utilization of others, resulting in degradation of
overall network performance. With 802.11k, if the access point with the strongest signal is loaded to its
capacity, a client connects to an under-utilized access point. Even if the signal is weaker, the overall
throughput is greater since it's an efficient use of the network's resources. This feature is disabled by
default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
radio-resource-measurement {channel-report|neighbor-report {hybrid}}
Parameters
radio-resource-measurement {channel-report|neighbor-report {hybrid}}
Examples
rfs4000-229D58(config-wlan-test)#radio-resource-measurement
rfs4000-229D58(config-wlan-test)#show context
wlan test
ssid test
vlan 1
bridging-mode tunnel
encryption-type none
authentication-type none
radio-resource-measurement
controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#
Related Commands
radius
Configures RADIUS related parameters
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
radius [dynamic-authorization|nas-identifier|nas-port-id|vlan-assignment]
radius [dynamic-authorization|nas-identifier <NAS-ID>|nas-port-id <NAS-PORT-ID>|
vlan-assignment]
Parameters
radius [dynamic-authorization|nas-identifier <NAS-ID>|nas-port-id <NAS-PORT-ID>|
vlan-assignment]
nas-port-id <NAS-PORT-ID> Configures the WLAN NAS port ID sent to the RADIUS server. The NAS port
identifier should not exceed 256 characters.
• <NAS-PORT-ID> – Specify the NAS port ID attribute (should not exceed
256 characters in length).
The profile database on the RADIUS server consists of user profiles for each
connected NAS port. Each profile is matched to a username representing a
physical port. When authorizing users, it queries the user profile database
using a username representative of the physical NAS port making the
connection. Set the numeric port value from 0 - 4294967295.
vlan-assignment Configures the VLAN assignment of a WLAN. RADIUS VLAN assignment is
disabled by default.
When enabled, this option assigns clients to the RADIUS server specified
VLANs, overriding the WLAN configuration. This option is disabled by
default. If, as part of the authentication process, the RADIUS server returns
a client's VLAN-ID in a RADIUS access-accept packet, and this feature is
enabled, all client traffic is forwarded on that VLAN. If disabled, the RADIUS
server returned VLAN-ID is ignored and the VLAN specified using the vlan/
vlan-pool-member options (in the WLAN config mode) is used.
If both the RADIUS VLAN assignment and the post authentication VLAN
options are enabled, then RADIUS VLAN assignment takes priority over
post authentication VLAN configuration.
Examples
nx9500-6C8809(config-wlan-test)#radius vlan-assignment
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type none
protected-mgmt-frames mandatory
radius vlan-assignment
wing-extensions wmm-load-information
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
--More--
nx9500-6C8809(config-wlan-test)#
Related Commands
registration
Configures settings enabling dynamic registration and validation of devices by their MAC addresses.
When configured, this option registers a device’s MAC address, and allows direct access to a previously
registered device.
This command also configures the external guest registration and validation server details. If using an
external server to perform guest registration, authentication and accounting, use this command to
configure the external server’s IP address/hostname. When configured, access points and controllers
forward guest registration requests to the specified registration server. In case of EGuest deployment,
this external resource should point to the EGuest registration server.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
registration [device|device-OTP|external|user]
registration [device|device-OTP|user] group-name <RAD-GROUP-NAME> {agreement-refresh <0-144000>|
expiry-time <1-43800>}
registration external [follow-aaa|host]
registration external follow-aaa {send-mode [http|https|udp]}
registration external host <IP/HOSTNAME> {proxy-mode|send-mode}
registration external host <IP/HOSTNAME> {proxy-mode [none|through-controller|
through-rf-domain-manager|through-centralized-controller]|send-mode [http|https|udp]}
Parameters
registration external follow-aaa {send-mode [http|https|udp]}
proxy-mode {none|through-controller|through-rf-domain-manager|through-centralized-controller}
Optional. Specifies the proxy mode. If a proxy is needed for connection,
specify the proxy mode as through-controller, through-rf-domain. If no
proxy is needed, select none.
• none – Optional. Requests are sent directly to the controller from the
requesting device
• through-controller – Optional. Requests are proxied through the
controller configuring the device
• through-rf-domain-manager – Optional. Requests are proxied
through the local RF Domain manager
• through-centralized-controller – Optional. Requests are proxied
through one of the controllers in a cluster, operating as the
designated forwarder. Select this option if capture and redirection is
on a cluster of wireless controller/service platforms managing
dependent/independent access points when redundancy is required.
After specifying the proxy-mode, optionally specify the protocol used to
send the requests to the external registration server host.
send-mode [http|https|udp] Optional. Specifies the communication protocol used. The options are:
• HTTPS – Sends registration requests as HTTPS packets
• HTTP – Sends registration requests as HTTP packets
• UDP – Sends registration requests as UDP packets, using the UDP port
12322. This is the default setting.
expiry-time <1-43800> Optional. Configures the amount of time, in hours, before registered
addresses expire and must be re-entered
• <1-43800> – Specify a value from 1 - 43800 hrs. The default is 1500
hrs.
agreement-refresh <0-144000> Optional. Sets the time, in minutes, after which an inactive user has to
refresh the WLAN’s terms of agreement. For example, if the agreement
refresh period is set to 1440 minutes, a user who has been inactive for
more than 1440 minutes (1 day) is served the agreement page, and is
allowed access only after refreshing the terms of agreement.
• <0-144000> – Specify a value from 0 - 144000. The default is 0 minutes.
Examples
nx9500-6C8809(config-wlan-test)#registration user group-name guest agreement-refresh 14400 expiry-time 2000
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type none
registration user group-name guest expiry-time 2000 agreement-refresh 14400
nx9500-6C8809(config-wlan-test)#
Related Commands
relay-agent
Enables support for DHCP/DHCPv6 relay agent information (option 82 and DHCPv6-LDRA) feature on
this WLAN. This option is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
relay-agent [dhcp-option82|dhcpv6-ldra]
Parameters
relay-agent [dhcp-option82|dhcpv6-ldra]
relay-agent Enables support for the following DHCP and DHCPv6 options: option 82
and Lightweight DHCPv6 Relay Agent (LDRA) respectively. When enabled,
this feature allows the DHCP/DHCPv6 relay agent to insert the relay agent
information option (option 82, LDRA) in client requests forwarded to the
DHCP/DHCPv6 server.
This information provides the following:
• circuit ID suboption – Provides the SNMP port interface index
• remote ID – Provides the controller’s MAC address
dhcp-option82 Enables DHCP option 82. DHCP option 82 provides client physical
attachment information. This option is disabled by default.
dhcpv6-ldra Enables the DHCPv6 relay agent. The LDRA feature allows DHCPv6
messages to be transmitted on existing networks that do not currently
support IPv6 or DHCPv6. This option is disabled by default.
Examples
rfs4000-229D58(config-wlan-test)#relay-agent dhcp-option82
rfs4000-229D58(config-wlan-test)#show context
wlan test
ssid test
vlan 1
bridging-mode tunnel
encryption-type none
authentication-type none
radio-resource-measurement
relay-agent dhcp-option82
controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#
nx9500-6C8809(config-wlan-test)#relay-agent dhcpv6-ldra
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
relay-agent dhcpv6-ldra
nx9500-6C8809(config-wlan-test)#
Related Commands
service (wlan-config-context)
Invokes service commands applicable in the WLAN configuration mode
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
service [accounting-migration-on-roaming|allow-ht-only|allow-open-passpoint|client-load-balancing|
cred-cache|eap-mac-mode|eap-mac-multicopy|eap-mac-multikeys|eap-throttle|enforce-pmkid-validation|
key-index|monitor|radio-crypto|reauthentication|session-timeout|tx-deauth-on-roam-detection|
unresponsive-client|wpa-wpa2|show]
service accounting-migration-on-roaming
service [allow-ht-only|allow-open-passpoint|cred-cache [clear-on-4way-timeout|clear-on-disconnect]|
eap-mac-multicopy|eap-mac-multikeys|enforce-pmkid-validation|radio-crypto|
reauthentication seamless|
session-timeout mac|tx-deauth-on-roam-detection|show cli]
service eap-mac-mode [mac-always|normal]
service eap-throttle <0-254>
service key-index eap-wep-unicast <1-4>
service monitor [aaa-server|adoption|captive-portal|dhcp|dns]
service monitor [aaa-server|adoption vlan <1-4094>|captive-portal external-server]
service monitor [dhcp|dns] crm <RESOURCE-NAME> vlan <1-4094>
service unresponsive-client [attempts <1-1000>|ps-detect {threshold <1-1000>}|
timeout <1-60>]
service wpa-wpa2 exclude-ccmp
Parameters
service accounting-migration-on-roaming
allow-ht-only Only allows clients capable of High Throughput (802.11n) data rates
to associate. This option is disabled by default.
allow-open-passpoint Enables non-WPA2 security for passpoint WLANs. This option is
disabled by default.
For more information on passpoint policy and configuration, see
PASSPOINT POLICY on page 1996.
eap-mac-mode Configures the EAP and/or MAC authentication mode used with
this WLAN. This option is enabled by default.
mac-always Enables both EAP and MAC authentication. MAC authentication is
performed first, followed by EAP authentication. Clients are granted
eap-throttle <0-254> Enables EAP request throttling. Use this command to specify the
maximum number of parallel EAP sessions allowed on this WLAN.
Once this specified value is exceeded, all incoming EAP session
requests are throttled. This option is enabled by default.
• <0-254> – Specify a value from 0 - 254. The default value is 0.
key-index eap-wep-unicast <1-4> Configures an index with each key during EAP authentication with
WEP. This option is enabled by default.
• <1-4> – Select an index from 1 - 4. The default value is 1.
adoption vlan <1-4094> Enables adoption failure monitoring on an adopted AP. Also
configures an adoption failover VLAN. This feature is disabled by
default.
• VLAN <1-4094> – Specify the VLAN on which clients are placed
when the connectivity between the AAP and the controller is
lost.
Configure a DHCP pool and gateway for the failover VLAN. Ensure
the DHCP server is running on the AP. Also ensure that the DHCP
pool is configured with a short lease time.
When this feature is enabled on a WLAN, it allows adopted APs to
monitor their connectivity with the controller. If and when this
connectivity is lost, all new clients are placed in the configured
adoption failover VLAN. They are served an IP by the DHCP server
running on the AP. In this situation if a client tries to access a Web
URL, the AP redirects the client to a page stating that the service is
down.
When the AAP’s link to the switch is restored, clients are placed
back in the WLAN’s configured VLAN, and are served an IP from
the corresponding configured DHCP server (external or on the AP/
controller).
captive-portal external-server Enables external captive portal server failure monitoring. When
enabled, monitors externally hosted captive portal activity, and user
access to the controller or service platform managed network. This
feature is disabled by default.
When enabled, this feature enables APs to display, to an externally
located captive portal’s user, the no-service page when the captive
portal’s server is not reachable.
crm <RESOURCE-NAME> This keyword is common to the ‘dhcp’ and ‘dns’ parameters.
• crm – Identifies the DHCP and/or DNS server to monitor
◦ <RESOURCE-NAME> – Specify the name of the DHCP or
DNS server.
Once enabled, the CRM server monitors the DHCP/DNS server and
updates their status as ‘up’ or ‘down’ depending on the availability
of the resource. When either of these resources is down the wireless
client is mapped to the failover VLAN and served with the ‘no-
service’ page through the access point.
vlan <1-4094> This keyword is common to the ‘dhcp’ and ‘dns’ parameters.
After specifying the DHCP/DNS server resource, specify the failover
VLAN.
• VLAN <1-4094> – Configures the failover VLAN from 1 - 4094.
ps-detect {threshold <1-1000>} Enables the detection of power-save mode clients whose PS stats
have not been updated on the AP. This option is enabled by default.
• threshold – Optional. Configures the threshold at which power-
save client detection is triggered
◦ <1-1000> – Configures the number of successive
unacknowledged packets received before power-save
detection is triggered. Specify a value from 1 - 1000. The
default is 3.
timeout <1-60> Configures the interval, in seconds, for successive packets not
acknowledged by the client
• <1-60> – Specify a value from 1 - 60 seconds. The default is 3
seconds.
Examples
rfs4000-229D58(config-wlan-test)#service allow-ht-only
rfs4000-229D58(config-wlan-test)#service monitor aaa-server
rfs4000-229D58(config-wlan-test)#show context
wlan test
ssid test
vlan 1
bridging-mode tunnel
encryption-type none
authentication-type none
service monitor aaa-server
service allow-ht-only
controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#
rfs4000-1BE644(config-wlan-testEAP)#show context
wlan testEAP
ssid testEAP
vlan 1
bridging-mode tunnel
encryption-type ccmp
authentication-type eap
accounting radius
service accounting-migration-on-roam-detection
use aaa-policy test
rfs4000-1BE644(config-wlan-testEAP)*#
Related Commands
shutdown
Shuts down a WLAN. The shutdown mechanism helps regulate the availability of a WLAN based on an
administrator defined access period. Use this feature to shut down a WLAN on specific days and hours
and restrict periods when the WLAN traffic is either not desired or cannot be properly administrated.
The normal practice is to shut down WLANs when there are no users on the network, such as after
hours, weekends or holidays. This allows administrators more time to manage mission critical tasks
since the WLAN's availability is automated.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
shutdown {on-critical-resource <CR-NAME>|on-meshpoint-loss|on-primary-port-link-loss|
on-unadoption}
Parameters
shutdown {on-critical-resource <CR-NAME>|on-meshpoint-loss|on-primary-port-link-loss|
on-unadoption}
shutdown Shuts down the WLAN when specified events occur. Disabled by default.
on-critical-resource <CR-NAME> Optional. Shuts down the WLAN when critical resource failure occurs.
Disabled by default.
• <CR-NAME> – Specifies the name of the critical resource being
monitored for this WLAN.
on-meshpoint-loss Optional. Shuts down the WLAN when the root meshpoint link fails (is
unreachable). Disabled by default.
on-primary-port-link-loss Optional. Shuts down the WLAN when a device loses its primary Ethernet
port (ge1/up1) link. Disabled by default.
on-unadoption Optional. Shuts down the WLAN when an adopted device becomes
unadopted. Disabled by default.
Usage Guidelines
If the shutdown on-meshpoint-loss feature is enabled, the WLAN status changes only if the meshpoint
and the WLAN are mapped to the same VLAN. If the meshpoint is mapped to VLAN 1 and the WLAN is
mapped to VLAN 2, then the WLAN status does not change on loss of the meshpoint.
Examples
nx9500-6C8809(config-wlan-test)#shutdown on-unadoption
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type none
protected-mgmt-frames mandatory
radius vlan-assignment
wing-extensions wmm-load-information
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
acl exceed-rate wireless-client-denied-traffic 20 disassociate
proxy-arp-mode strict
broadcast-dhcp validate-offer
shutdown on-unadoption
http-analyze controller
nx9500-6C8809(config-wlan-test)#
Related Commands
no (wlan-config-mode) on page 681 Disables auto shut down WLAN. Use the optional keywords provided
to disable auto shut down of the WLAN upon critical resource failure,
when meshpoint links fail, when the primary Ethernet port (e1/up1)
loses link, or when the WLAN gets unadopted.
ssid
Configures the WLAN's SSID
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ssid <SSID>
Parameters
ssid <SSID>
<SSID> Specify the WLAN's SSID. The WLAN SSID is case sensitive and
alphanumeric. Its length should not exceed 32 characters.
Examples
nx9500-6C8809(config-wlan-test)#ssid testWLAN1
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid testWLAN1
bridging-mode local
encryption-type none
authentication-type none
protected-mgmt-frames mandatory
radius vlan-assignment
wing-extensions wmm-load-information
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
acl exceed-rate wireless-client-denied-traffic 20 disassociate
proxy-arp-mode strict
broadcast-dhcp validate-offer
shutdown on-unadoption
http-analyze controller
nx9500-6C8809(config-wlan-test)#
Related Commands
t5-client-isolation
Disallows clients connecting to the WLAN to communicate with one another. This setting applies
exclusively to CPE devices managed by a T5 controller and is disabled by default.
A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the
WiNG operating system used by RFS wireless controllers and NX service platforms. However, a T5
controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5’s
management within the WiNG supported subnet populated by both types of devices. The CPEs are the
T5 controller managed radio devices using the IPX operating system. These CPEs use a DSL as their
high speed Internet access mechanism using the CPE’s physical wallplate connection and phone jack.
Note
This setting is applicable only when this WLAN supports T5 controllers and their connected
CPEs.
Syntax
t5-client-isolation
Parameters
None
Examples
nx9500-6C8809(config-wlan-test)#t5-client-isolation
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type none
t5-client-isolation
nx9500-6C8809(config-wlan-test)#
Related Commands
t5-security
Configures T5 PowerBroadband security settings. A T5 controller uses the IPX operating system to
manage its connected radio devices, as opposed to the WiNG operating system used by RFS wireless
controllers and NX service platforms. However, a T5 controller, once enabled as a supported external
device, can provide data to WiNG to assist in a T5’s management within the WiNG supported subnet
populated by both types of devices. The CPEs are the T5 controller managed radio devices using the
IPX operating system. These CPEs use a DSL as their high speed Internet access mechanism using the
CPE’s physical wallplate connection and phone jack.
Note
This setting is applicable only when this WLAN supports T5 controllers and their connected
CPEs.
Syntax
t5-security [static-wep|wpa-enterprise|wpa-personal]
t5-security static-wep encryption-type [wep128|wep64] [hex <STRING>|passphrase <STRING>]
t5-security [wpa-enterprise|wpa-personal] encryption-type [ccmp|tkip|tkip-ccmp]
version [mixed|wpa|wpa2]
Parameters
t5-security static-wep encryption-type [wep128|wep64] [hex <STRING>|passphrase <STRING>]
hex <STRING> Configures the hex password (used to derive the security key)
• <STRING> – Specify the hex password (should not exceed the 10 - 26
characters).
passphrase <STRING> Configures the passphrase shared by both transmitting and receiving
authenticators
• <STRING> – Specify the passphrase. It could either be an alphanumeric
string of 8 to 63 ASCII characters or 64 HEX characters. The alphanumeric
string allows character spaces. This string is converted to a numeric value.
Configuring a passphrase saves you the need to create a 256-bit key each
time keys are generated.
t5-security [wpa-enterprise|wpa-personal] Configures the T5 WLAN security type as: wpa-enterprise OR
wpa-personal
encryption-type [ccmp|tkip|tkip-ccmp] The following parameters are common to the wpa-enterprise and
wpa-personal keywords:
• [ccmp|tkip|tkip-ccmp] – Applies one of the following encryption
algorithms to the T5 support WLAN configuration: CCMP, TKIP,
or TKIP-CCMP.
version [mixed|wpa|wpa2] The following parameters are common to the wpa-enterprise and
wpa-personal keywords:
• version – Applies one of the following encryption schemes to the
T5 support WLAN configuration: WPA, WPA2, or mixed.
Examples
nx9500-6C8809(config-wlan-test)#t5-security wpa-enterprise encryption-type ccmp version wpa
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type none
t5-security wpa-enterprise encryption-type ccmp version wpa
t5-client-isolation
nx9500-6C8809(config-wlan-test)#
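Several WLAN settings described in this section (protected-mgmt-frames, registration external send-mode, service allow-open-passpoint and t5-security) can be reviewed offline from saved show context output. The following is an added example, not part of the WiNG guide or any Extreme Networks code; the finding codes, function names and the sample WLANs are assumptions made for illustration.

```python
import re

# Constructed sample in the `show context` layout used in this guide.
# WLAN names, the host name and all values are made up for the example.
SAMPLE = """\
nx9500-6C8809(config)#show context
wlan corp
 ssid corp
 encryption-type ccmp
 authentication-type eap
 protected-mgmt-frames optional
 registration external host reg.example.test send-mode http
wlan guest
 ssid guest
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 service allow-open-passpoint
wlan t5
 ssid t5
 encryption-type none
 authentication-type none
 t5-security wpa-personal encryption-type tkip-ccmp version mixed
wlan secure
 ssid secure
 encryption-type ccmp
 authentication-type eap
 protected-mgmt-frames mandatory
 registration external follow-aaa send-mode https
--More--
"""

# CLI prompt such as nx9500-6C8809(config-wlan-test)# or ...(config-wlan-x)*#
PROMPT = re.compile(r"^[\w-]+(\([\w-]+\))?\*?#")


def parse_wlans(text):
    """Split `show context` output into {wlan name: [setting lines]}."""
    wlans, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--More--" or PROMPT.match(line):
            continue  # blank line, pager marker or CLI prompt
        m = re.fullmatch(r"wlan\s+(\S+)", line)
        if m:
            current = wlans.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return wlans


def value(settings, key):
    """Remainder of the first line that starts with `key`, else None."""
    for line in settings:
        if line == key or line.startswith(key + " "):
            return line[len(key):].strip()
    return None


def audit(settings):
    """Return [(code, reason)] for one WLAN's setting lines."""
    out = []
    enc = value(settings, "encryption-type") or "none"
    pmf = next((m for m in ("mandatory", "optional")
                if f"protected-mgmt-frames {m}" in settings), None)
    if pmf is None:
        out.append(("PMF-DISABLED", "frame protection is disabled by default"))
    elif "ccmp" not in enc:
        # The guide: PMF applies after the RSNA PTK exists and uses CCMP.
        out.append(("PMF-NO-CCMP", f"PMF relies on CCMP; encryption-type is {enc}"))
    elif pmf == "optional":
        out.append(("PMF-OPTIONAL", "clients without PMF support stay unprotected"))

    reg = value(settings, "registration external")
    if reg is not None:
        m = re.search(r"send-mode\s+(\S+)", reg)
        mode = m.group(1) if m else "udp"  # udp is the documented default
        if mode != "https":
            out.append(("REG-NOT-HTTPS", f"registration requests sent over {mode}"))

    t5 = value(settings, "t5-security")
    if t5:
        if t5.startswith("static-wep"):
            out.append(("T5-WEP", "static WEP key"))
        t5_enc = re.search(r"encryption-type\s+(\S+)", t5)
        t5_ver = re.search(r"version\s+(\S+)", t5)
        if t5_enc and "tkip" in t5_enc.group(1):
            out.append(("T5-TKIP", f"TKIP allowed ({t5_enc.group(1)})"))
        if t5_ver and t5_ver.group(1) in ("wpa", "mixed"):
            out.append(("T5-LEGACY-WPA", f"version {t5_ver.group(1)} admits WPA"))

    if "service allow-open-passpoint" in settings:
        out.append(("PASSPOINT-OPEN", "non-WPA2 security allowed on passpoint WLAN"))
    return out


def audit_all(text):
    """Audit every WLAN block found in the text."""
    return {name: audit(s) for name, s in parse_wlans(text).items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        for code, reason in findings:
            print(f"{name}: {code}: {reason}")
```

The parser accepts both indented controller output and the flattened form printed in this guide, and skips prompt and --More-- lines.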
Related Commands
time-based-access
Configures time-based client access to the network resources. Use this feature to assign fixed days and
time of WLAN access for wireless clients.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
time-based-access days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|
all|weekends|weekdays] {start <START-TIME>} [end <END-TIME>]
Parameters
time-based-access days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|
all|weekends|weekdays] {start <START-TIME>} [end <END-TIME>]
days <option> Specifies the day or days on which the client can access the WLAN
• sunday – Allows access on Sundays only
• monday – Allows access on Mondays only
• tuesday – Allows access on Tuesdays only
• wednesday – Allows access on Wednesdays only
• thursday – Allows access on Thursdays only
• friday – Allows access on Fridays only
• saturday – Allows access on Saturdays only
• weekends – Allows access on weekends only
• weekdays – Allows access on weekdays only
• all – Allows access on all days
start <START-TIME> Optional. Specifies the access start time in hours and minutes (HH:MM)
end <END-TIME> Specifies the access end time in hours and minutes (HH:MM)
Examples
nx9500-6C8809(config-wlan-test)#time-based-access days weekdays start 10:00 end 16:30
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid testWLAN1
bridging-mode local
encryption-type none
authentication-type none
protected-mgmt-frames mandatory
radius vlan-assignment
time-based-access days weekdays start 10:00 end 16:30
--More--
nx9500-6C8809(config-wlan-test)#
Related Commands
use (wlan-config-mode)
This command associates an existing captive portal and other policies with a WLAN.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
use [aaa-policy|application-policy|association-acl-policy|bonjour-gw-discovery-policy|
captive-portal|ip-access-list|ipv6-access-list|mac-access-list|passpoint-policy|
roaming-assist-policy|url-filter|wlan-qos-policy]
use [aaa-policy <AAA-POLICY-NAME>|application-policy <POLICY-NAME>|association-acl-policy
<ASSOCIATION-POLICY-NAME>|bonjour-gw-discovery-policy <POLICY-NAME>|captive-portal
<CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-POLICY-NAME>|roaming-assist-policy
<POLICY-NAME>|url-filter <URL-FILTER-NAME>|wlan-qos-policy <WLAN-QOS-POLICY-NAME>]
use ip-access-list [in|out] <IP-ACCESS-LIST-NAME>
use ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>
use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>
Parameters
use [aaa-policy <AAA-POLICY-NAME>|application-policy <POLICY-NAME>|association-acl-policy
<ASSOCIATION-POLICY-NAME>|bonjour-gw-discovery-policy <POLICY-NAME>|captive-portal
<CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-POLICY-NAME>|roaming-assist-policy
<POLICY-NAME>|url-filter <URL-FILTER-NAME>|wlan-qos-policy <WLAN-QoS-POLICY-NAME>]
application-policy <POLICY-NAME> – Uses an existing application policy with a WLAN. An application
policy defines actions to perform on a packet when it matches a specified set of pre-defined
applications or application categories.
• <POLICY-NAME> – Specify the policy name.
ip-access-list [in|out] <IP-ACCESS-LIST-NAME> – Applies an IP access list to incoming and outgoing
packets
• in – Applies the IP ACL to incoming packets
• out – Applies the IP ACL to outgoing packets
◦ <IP-ACCESS-LIST-NAME> – Specify the IP access list name.
ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME> – Applies an IPv6 access list to incoming and
outgoing packets
• in – Applies the IPv6 ACL to incoming packets
• out – Applies the IPv6 ACL to outgoing packets
◦ <IPv6-ACCESS-LIST-NAME> – Specify the IPv6 access list name.
mac-access-list [in|out] <MAC-ACCESS-LIST-NAME> – Applies a MAC access list to incoming and outgoing
packets.
• in – Applies the MAC ACL to incoming packets
• out – Applies the MAC ACL to outgoing packets
◦ <MAC-ACCESS-LIST-NAME> – Specify the MAC access list name.
Usage Guidelines
IP and MAC ACLs act as firewalls within a WLAN. WLANs use ACLs as firewalls to filter or mark packets
based on the WLAN from which they arrive, as opposed to filtering packets on layer 2 ports. An ACL
contains an ordered list of Access Control Entries (ACEs). Each ACE specifies a set of conditions (rules)
and the action taken in case of a match. The action can be permit, deny, or mark. Therefore, when a
packet matches an ACE’s conditions, it is either forwarded, dropped, or marked depending on the
action specified in the ACE. The order of conditions in the list is critical since filtering is stopped after
the first match.
IP ACLs contain deny and permit rules specifying source and destination IP addresses. Each rule has a
precedence order assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by
applying both an IP ACL and a MAC ACL.
Additionally, you can filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC
firewall rule uses source and destination MAC addresses for matching operations, where the result is a
typical allow, deny, or mark designation to WLAN packet traffic.
Keep in mind IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP
ACL and a MAC ACL to the interface.
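The first-match behaviour described above means a broad ACE placed ahead of a narrower one silently disables the narrower rule. The following added example (not WiNG code and not the WiNG ACL syntax) models ACEs as precedence, action, source network and destination network, evaluates packets first-match, and reports shadowed entries; the implicit deny when nothing matches and all sample addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """Simplified access control entry (hypothetical model, IPv4 samples)."""
    precedence: int
    action: str   # "permit", "deny" or "mark"
    src: str      # source network in CIDR form
    dst: str      # destination network in CIDR form

    def matches(self, src_ip, dst_ip):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

    def covers(self, other):
        """True when every packet matching `other` also matches this ACE."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst)))


def evaluate(acl, src_ip, dst_ip, default="deny"):
    """Walk the ACEs in precedence order and stop at the first match.

    `default` is what happens when no ACE matches; "deny" is an assumption.
    Returns (action, precedence of the deciding ACE or None).
    """
    for ace in sorted(acl, key=lambda a: a.precedence):
        if ace.matches(src_ip, dst_ip):
            return ace.action, ace.precedence
    return default, None


def shadowed(acl):
    """Find ACEs that can never decide a packet.

    Returns (shadowed precedence, shadowing precedence, kind) tuples, where
    kind is "conflict" if the two actions differ and "redundant" otherwise.
    """
    ordered = sorted(acl, key=lambda a: a.precedence)
    findings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.covers(later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((later.precedence, earlier.precedence, kind))
                break
    return findings


# Constructed ACL: the deny at precedence 20 is meant to keep 10.20.0.0/16
# away from 192.168.50.0/24, but the permit at precedence 10 matches first.
BROKEN_ACL = [
    Ace(10, "permit", "10.0.0.0/8", "0.0.0.0/0"),
    Ace(20, "deny", "10.20.0.0/16", "192.168.50.0/24"),
    Ace(30, "deny", "172.16.0.0/12", "0.0.0.0/0"),
    Ace(40, "deny", "172.16.5.0/24", "0.0.0.0/0"),
]

# Same intent with the narrow deny ordered ahead of the broad permit.
FIXED_ACL = [
    Ace(5, "deny", "10.20.0.0/16", "192.168.50.0/24"),
    Ace(10, "permit", "10.0.0.0/8", "0.0.0.0/0"),
    Ace(30, "deny", "172.16.0.0/12", "0.0.0.0/0"),
]

if __name__ == "__main__":
    packet = ("10.20.1.5", "192.168.50.10")
    print("broken:", evaluate(BROKEN_ACL, *packet), shadowed(BROKEN_ACL))
    print("fixed: ", evaluate(FIXED_ACL, *packet), shadowed(FIXED_ACL))
```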
Examples
nx9500-6C8809(config-wlan-test)#use aaa-policy test
nx9500-6C8809(config-wlan-test)#use association-acl-policy test
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid testWLAN1
bridging-mode local
encryption-type none
authentication-type none
protected-mgmt-frames mandatory
radius vlan-assignment
time-based-access days weekdays start 10:00 end 16:30
wing-extensions wmm-load-information
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
use aaa-policy test
use association-acl-policy test
acl exceed-rate wireless-client-denied-traffic 20 disassociate
proxy-arp-mode strict
broadcast-dhcp validate-offer
shutdown on-unadoption
http-analyze controller
nx9500-6C8809(config-wlan-test)#
nx9500-6C8809(config-wlan-ipad_clients)#use bonjour-gw-discovery-policy generic
nx9500-6C8809(config-wlan-ipad_clients)#show context
wlan ipad_clients
ssid ipad_clients
vlan 41
bridging-mode local
encryption-type none
authentication-type none
use bonjour-gw-discovery-policy generic
nx9500-6C8809(config-wlan-ipad_clients)#
Related Commands
vlan
Sets the VLAN where traffic from this WLAN is mapped
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
vlan [<1-4094>|<VLAN-ALIAS-NAME>]
Parameters
vlan [<1-4094>|<VLAN-ALIAS-NAME>]
<1-4094> – Sets a WLAN’s VLAN ID. This command starts a new VLAN assignment for a WLAN index. All
prior VLAN settings are erased.
Use this command to assign just one VLAN to the WLAN. Utilizing a single VLAN per WLAN is a more
typical deployment scenario than using a VLAN pool.
<VLAN-ALIAS-NAME> – Assigns a VLAN alias to the WLAN. The VLAN alias should be pre-existing and
configured.
A VLAN alias maps a name to a VLAN ID. When applied to ports (for example GE ports) using the trunk
mode, a VLAN alias denies or permits traffic, on the port, to and from the VLANs specified in the
alias. For more information on aliases, see alias on page 267.
Examples
nx9500-6C8809(config-wlan-test)#vlan 4
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid testWLAN1
vlan 4
bridging-mode local
encryption-type none
authentication-type none
protected-mgmt-frames mandatory
radius vlan-assignment
time-based-access days weekdays start 10:00 end 16:30
wing-extensions wmm-load-information
client-load-balancing probe-req-intvl 5ghz 5
client-load-balancing band-discovery-intvl 2
use aaa-policy test
use association-acl-policy test
acl exceed-rate wireless-client-denied-traffic 20 disassociate
proxy-arp-mode strict
broadcast-dhcp validate-offer
shutdown on-unadoption
http-analyze controller
nx9500-6C8809(config-wlan-test)#
Related Commands
vlan-pool-member
Adds a member VLAN to a WLAN’s VLAN pool. Use this option to define the VLANs available to this
WLAN. Additionally, define the number of wireless clients supported by each VLAN.
Note
Configuration of a VLAN pool overrides the 'vlan' configuration.
Syntax
vlan-pool-member <WORD> {limit <0-8192>}
Parameters
vlan-pool-member <WORD> {limit <0-8192>}
Examples
nx9500-6C8809(config-wlan-test)#vlan-pool-member 1-10 limit 1
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid testWLAN1
vlan-pool-member 1 limit 1
vlan-pool-member 2 limit 1
vlan-pool-member 3 limit 1
vlan-pool-member 4 limit 1
vlan-pool-member 5 limit 1
vlan-pool-member 6 limit 1
vlan-pool-member 7 limit 1
vlan-pool-member 8 limit 1
vlan-pool-member 9 limit 1
vlan-pool-member 10 limit 1
bridging-mode local
encryption-type none
authentication-type none
protected-mgmt-frames mandatory
radius vlan-assignment
time-based-access days weekdays start 10:00 end 16:30
--More--
nx9500-6C8809(config-wlan-test)#
Related Commands
wep128
Configures WEP128 parameters
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
Syntax
wep128 [key|keys-from-passkey|transmit-key]
wep128 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]
wep128 keys-from-passkey <WORD>
wep128 transmit-key <1-4>
Parameters
wep128 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]
ascii [0 <WORD>|2 <WORD>|<WORD>] – Sets keys as ASCII characters (5 characters for WEP64, 13 for
WEP128)
• 0 <WORD> – Configures a clear text key
• 2 <WORD> – Configures an encrypted key
• <WORD> – Configures keys as 13 ASCII characters converted to hex, or 26 hexadecimal characters
hex [0 <WORD>|2 <WORD>|<WORD>] – Sets keys as hexadecimal characters (10 characters for WEP64, 26
for WEP128)
• 0 <WORD> – Configures a clear text key
• 2 <WORD> – Configures an encrypted key
• <WORD> – Configures keys as 13 ASCII characters converted to hex, or 26 hexadecimal characters
keys-from-passkey <WORD> – Specifies a pass key. The pass key can be any alphanumeric string.
Controllers, service platforms, Access Points and their connected clients use the algorithm to
convert an ASCII string to the same hexadecimal number. Clients without adapters need to use WEP
keys manually configured as hexadecimal numbers.
• <WORD> – Specify a pass key from 4 - 32 characters.
transmit-key <1-4> – Configures the key index used for transmission from an AP to a wireless client
or service platform
• <1-4> – Specify a key index from 1 - 4.
Examples
NOC-NX9500(config-wlan-test)#wep128 key 1 ascii 123456789abcd
NOC-NX9500(config-wlan-test)#show context
wlan test
ssid test
bridging-mode local
encryption-type none
authentication-type none
Related Commands
wep64
Configures WEP64 parameters
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
wep64 [key|keys-from-passkey|transmit-key]
wep64 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]
wep64 keys-from-passkey <WORD>
wep64 transmit-key <1-4>
Parameters
wep64 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]
ascii [0 <WORD>|2 <WORD>|<WORD>] – Sets keys as ASCII characters (5 characters for WEP64, 13 for
WEP128)
• 0 <WORD> – Configures a clear text key
• 2 <WORD> – Configures an encrypted key
• <WORD> – Configures key (10 hex or 5 ASCII characters for WEP64, 26 hex or 13 ASCII characters
for WEP128).
hex [0 <WORD>|2 <WORD>|<WORD>] – Sets keys as hexadecimal characters (10 characters for WEP64, 26
for WEP128)
• 0 <WORD> – Configures a clear text key
• 2 <WORD> – Configures an encrypted key
• <WORD> – Configures the key (10 hex or 5 ASCII characters for WEP64, 26 hex or 13 ASCII
characters for WEP128)
keys-from-passkey <WORD> – Specifies a pass key from which keys are derived
• <WORD> – Specify a pass key from 4 - 32 characters.
transmit-key <1-4> – Configures the key index used for transmission from an AP to a wireless client
or service platform
• <1-4> – Specify a key index from 1 - 4.
Examples
NOC-NX9500(config-wlan-test2)#wep64 key 1 hex 1CBF427D50
NOC-NX9500(config-wlan-test2)#wep64 transmit-key 1
NOC-NX9500(config-wlan-test2)#show context
wlan test2
ssid test2
bridging-mode local
encryption-type none
authentication-type none
wep64 key 1 hex 0 1CBF427D50
NOC-NX9500(config-wlan-test2)#
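The show context output above echoes the key with storage marker 0, so the key is readable by anyone who can view the configuration. The following added example (an audit sketch, not part of the guide or the WiNG software) parses wep64 and wep128 key lines from show context text, checks the key lengths given in the parameter tables, and flags clear-text and guessable keys. The finding names are hypothetical, and the last two key lines of the sample are constructed.

```python
import re

# Key lengths taken from the wep64/wep128 parameter tables in this guide.
HEX_LEN = {"wep64": 10, "wep128": 26}
ASCII_LEN = {"wep64": 5, "wep128": 13}

# wepNN key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]
KEY_RE = re.compile(
    r"^\s*(wep64|wep128)\s+key\s+([1-4])\s+(ascii|hex)\s+(?:([02])\s+)?(\S+)\s*$"
)

# Constructed sample: the first two key lines reuse values shown in this
# guide's show context output; keys 2 and 3 are made up for the example.
SAMPLE_CONTEXT = """\
wlan test
 ssid testWLAN1
 bridging-mode local
 encryption-type none
 authentication-type none
 wep64 key 1 hex 0 7465737431
 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
 wep128 key 2 hex 2 EXAMPLE-ENCRYPTED-VALUE
 wep128 key 3 hex 0 1ebf3394
"""


def parse_wep_keys(context):
    """Return one dict per 'wepNN key' line found in show context text."""
    keys = []
    for line in context.splitlines():
        m = KEY_RE.match(line)
        if m:
            cipher, index, fmt, storage, word = m.groups()
            keys.append({
                "cipher": cipher, "index": int(index), "format": fmt,
                # A key typed without a marker is echoed back with 0.
                "storage": storage or "0", "word": word,
            })
    return keys


def audit_key(key):
    """Return finding names (hypothetical labels) for one parsed key."""
    if key["storage"] == "2":
        return []  # encrypted form: length and content cannot be checked
    findings = ["CLEARTEXT_KEY"]
    word, fmt = key["word"], key["format"]
    expected = (HEX_LEN if fmt == "hex" else ASCII_LEN)[key["cipher"]]
    if len(word) != expected:
        findings.append("BAD_LENGTH")
    elif fmt == "ascii":
        # Printable characters only: far fewer candidates than random hex.
        findings.append("GUESSABLE_KEY")
    elif not re.fullmatch(r"[0-9A-Fa-f]+", word):
        findings.append("NOT_HEX")
    elif all(0x20 <= b < 0x7F for b in bytes.fromhex(word)):
        # The hex digits spell printable ASCII, i.e. a typed word.
        findings.append("GUESSABLE_KEY")
    return findings


def audit_context(context):
    """Map 'wlan' and each key line to its list of findings."""
    keys = parse_wep_keys(context)
    wlan = []
    if re.search(r"^\s*encryption-type\s+none\s*$", context, re.MULTILINE):
        wlan.append("ENCRYPTION_NONE")
    if keys:
        # WEP is deprecated in IEEE 802.11; listed so the WLAN can be migrated.
        wlan.append("WEP_KEYS_PRESENT")
    report = {"wlan": wlan}
    for key in keys:
        report[f"{key['cipher']} key {key['index']}"] = audit_key(key)
    return report


if __name__ == "__main__":
    for item, findings in audit_context(SAMPLE_CONTEXT).items():
        print(f"{item}: {', '.join(findings) or 'no findings'}")
```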
Related Commands
wing-extensions
Enables support for WiNG-specific client extensions to the IEEE 802.11x WLAN standards that
potentially increase client roaming reliability and handshake speed
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
wing-extensions [ap-attributes-information {include-hostname}|
coverage-hole-detection {11k-clients|offset <5-20>|threshold <-80--60>}|
ft-over-ds-aggregate|move-command|scan-assist {channel-info-interval <6-9>}|
smart-scan|wing-load-information|wmm-load-information]
Parameters
wing-extensions [ap-attributes-information {include-hostname}|
coverage-hole-detection {11k-clients|offset <5-20>|threshold <-80--60>}|
ft-over-ds-aggregate|move-command|scan-assist {channel-info-interval <6-9>}|
smart-scan|wing-load-information|wmm-load-information]
smart-scan Enables a smart scan to refine a client’s channel scans to just a few
channels as opposed to all available channels. This option is disabled by
default.
wing-load-information Enables support for the WiNG load information element (Element ID 173)
with legacy Symbol Technology clients, thus making them optimally
interoperable with the latest Extreme Networks access points. This option
is enabled by default.
wmm-load-information Enables support for WiNG Wi-Fi MultiMedia (WMM) Load Information
Element in radio transmissions with legacy clients. This option is disabled
by default.
Examples
nx9500-6C8809(config-wlan-test)#wing-extensions wmm-load-information
nx9500-6C8809(config-wlan-test)#show context
wlan test
description TestWLAN
ssid test
bridging-mode local
encryption-type tkip-ccmp
authentication-type eap
kerberos server timeout 12
kerberos server primary host 172.16.10.2
accounting syslog host 172.16.10.4 port 2
data-rates 2.4GHz gn
wing-extensions wmm-load-information
client-load-balancing probe-req-intvl 5ghz 5
--More--
nx9500-6C8809(config-wlan-test)#
Related Commands
no (wlan-config-mode) on page 681 – Disables support for WiNG-specific client extensions to the
IEEE 802.11x WLAN standards. Use the keywords provided to disable a specific wing-extension.
wireless-client
Configures the transmit power indicated to clients
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
wireless-client [count-per-radio|cred-cache-ageout|hold-time|inactivity-timeout|
max-firewall-sessions|reauthentication|roam-notification|tx-power|t5-inactivity-timeout|
vlan-cache-ageout]
wireless-client [count-per-radio <0-256>|cred-cache-ageout <60-86400>|
hold-time <1-86400>|inactivity-timeout <60-86400>|max-firewall-sessions <10-10000>|
reauthentication <30-86400>|t5-inactivity-timeout <60-86400>|tx-power <0-20>|
vlan-cache-ageout <60-86400>]
wireless-client roam-notification [after-association|after-data-ready|auto]
Parameters
wireless-client [count-per-radio <0-256>|cred-cache-ageout <60-86400>|
hold-time <1-86400>|inactivity-timeout <60-86400>|max-firewall-sessions <10-10000>|
reauthentication <30-86400>|t5-inactivity-timeout <60-86400>|tx-power <0-20>|
vlan-cache-ageout <60-86400>]
wireless-client Configures the transmit power indicated to wireless clients for transmission
count-per-radio <0-256> – Configures the maximum number of clients allowed on this WLAN per radio
• <0-256> – Specify a value from 0 - 256.
cred-cache-ageout <60-86400> – Configures the timeout period for which client credentials are
cached across associations
• <60-86400> – Specify a value from 60 - 86400 seconds.
hold-time <1-86400> – Configures the time period for which wireless client state information is
cached post roaming
• <1-86400> – Specify a value from 1 - 86400 seconds.
max-firewall-sessions <10-10000> – Configures the maximum firewall sessions allowed per client on
a WLAN
• <10-10000> – Specify the maximum number of firewall sessions allowed from 10 - 10000.
vlan-cache-ageout <60-86400> – Configures the timeout period for which client VLAN information is
cached across associations.
• <60-86400> – Specify a value from 60 - 86400 seconds.
wireless-client Configures the transmit power indicated to wireless clients for transmission
roam-notification Configures when a roam notification is transmitted
after-association Transmits a roam notification after a client has associated
after-data-ready Transmits a roam notification after a client is data-ready (after completion of
authentication, handshakes etc.)
auto Transmits a roam notification upon client association (if the client is known to have
authenticated to the network)
Examples
nx9500-6C8809(config-wlan-test)#wireless-client cred-cache-ageout 65
nx9500-6C8809(config-wlan-test)#wireless-client hold-time 200
nx9500-6C8809(config-wlan-test)#wireless-client max-firewall-sessions 100
nx9500-6C8809(config-wlan-test)#wireless-client reauthentication 35
nx9500-6C8809(config-wlan-test)#wireless-client tx-power 12
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid testWLAN1
vlan-pool-member 1 limit 1
vlan-pool-member 2 limit 1
vlan-pool-member 3 limit 1
vlan-pool-member 4 limit 1
vlan-pool-member 5 limit 1
vlan-pool-member 6 limit 1
vlan-pool-member 7 limit 1
vlan-pool-member 8 limit 1
vlan-pool-member 9 limit 1
vlan-pool-member 10 limit 1
bridging-mode local
encryption-type none
authentication-type none
wireless-client hold-time 200
wireless-client cred-cache-ageout 65
wireless-client max-firewall-sessions 100
protected-mgmt-frames mandatory
wireless-client reauthentication 35
wep64 key 1 hex 0 7465737431
wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
wep128 key 2 hex 0 2b3fb36924b22dffe98c86c315
wep128 key 3 hex 0 1ebf3394431700194762ebd5b2
wep128 key 4 hex 0 e3de75be311bd787aeac5e4e8b
radius vlan-assignment
time-based-access days weekdays start 10:00 end 16:30
wing-extensions wmm-load-information
wireless-client tx-power 12
client-load-balancing probe-req-intvl 5ghz 5
--More--
nx9500-6C8809(config-wlan-test)#
Related Commands
wpa-wpa2
Modifies TKIP-CCMP (WPA/WPA2) related parameters
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
wpa-wpa2 [exclude-wpa2-tkip|handshake|key-rotation|opp-pmk-caching|pmk-caching|
preauthentication|server-only-authentication|psk|tkip-countermeasures|use-sha256-akm]
wpa-wpa2 [exclude-wpa2-tkip|opp-pmk-caching|pmk-caching|preauthentication|
server-only-authentication|use-sha256-akm]
wpa-wpa2 handshake [attempts|init-wait|priority|timeout]
wpa-wpa2 handshake [attempts <1-5>|init-wait <5-1000000>|priority [high|normal]|
timeout <10-5000> {10-5000}]
wpa-wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa-wpa2 psk [0 <LINE>|2 <LINE>|<LINE>]
wpa-wpa2 tkip-countermeasures holdtime <0-65535>
Parameters
wpa-wpa2 [exclude-wpa2-tkip|opp-pmk-caching|pmk-caching|preauthentication|
server-only-authentication|use-sha256-akm]
attempts <1-5> – Configures the total number of times a message is transmitted towards a
non-responsive client
• <1-5> – Specify a value from 1 - 5. The default is 2.
priority [high|normal] – Configures the relative priority of handshake messages compared to other
data traffic
• high – Treats handshake messages as high priority packets on a radio. This is the default
setting.
• normal – Treats handshake messages as normal priority packets on a radio
timeout <10-5000> <10-5000> – Configures the timeout period, in milliseconds, for a handshake
message to retire. Once this period is exceeded, the handshake message is retired.
• <10-5000> – Specify a value from 10 - 5000 milliseconds. The default is 500 milliseconds.
• <10-5000> – Optional. Configures a different timeout between the second and third attempts
unicast <30-86400> – Configures a periodic interval for the rotation of keys, used for unicast
traffic. This option is disabled by default.
• <30-86400> – Specify a value from 30 - 86400 seconds.
wpa-wpa2 tkip-countermeasures – Configures a hold time period for implementation of TKIP counter
measures
holdtime <0-65535> – Configures the amount of time a WLAN is disabled when TKIP counter measures
are invoked
• <0-65535> – Specify a value from 0 - 65535 seconds. The default is 60 seconds.
Examples
nx9500-6C8809(config-wlan-test)#wpa-wpa2 tkip-countermeasures hold-time 2
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid testWLAN1
vlan-pool-member 1 limit 1
vlan-pool-member 2 limit 1
vlan-pool-member 3 limit 1
vlan-pool-member 4 limit 1
vlan-pool-member 5 limit 1
vlan-pool-member 6 limit 1
vlan-pool-member 7 limit 1
vlan-pool-member 8 limit 1
vlan-pool-member 9 limit 1
vlan-pool-member 10 limit 1
bridging-mode local
encryption-type none
authentication-type none
wireless-client hold-time 200
wireless-client cred-cache-ageout 65
wireless-client max-firewall-sessions 100
protected-mgmt-frames mandatory
wireless-client reauthentication 35
wpa-wpa2 tkip-countermeasures hold-time 2
wep64 key 1 hex 0 7465737431
wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
--More--
nx9500-6C8809(config-wlan-test)#
Related Commands
no (wlan-config-mode)
Negates WLAN mode commands and reverts values to their default
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no <PARAMETERS>
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes this WLAN's settings or reverts them to default values, based
on the parameters passed.
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same
parameters associated with the command getting negated.
Examples
nx9500-6C8809(config-wlan-test)#no ?
802.11v Configure 802.11v parameters
accounting Configure how accounting records are
created for this wlan
acl Actions taken based on ACL
configuration [ packet drop being one
of them]
answer-broadcast-probes Do not Include this wlan when
responding to probe requests that do
not specify an SSID
assoc-response Association response threshold
association-list Configure the association list for
the wlan
authentication-type Reset the authentication to use on
this wlan to default (none/Pre-shared
keys)
broadcast-dhcp Configure broadcast DHCP packet
handling
broadcast-ssid Do not advertise the SSID of the WLAN
in beacons
captive-portal-enforcement Configure how captive-portal is
enforced on the wlan
client-access Disallow client access on this wlan
(no data operations)
client-client-communication Disallow switching of frames from one
wireless client to another on this
wlan
client-load-balancing Disable load-balancing of clients on
this wlan
controller-assisted-mobility Disable configure assisted mobility
data-rates Reset data rate configuration to
default
description Reset the description of the wlan
downstream-group-addressed-forwarding Disable downstream group addressed
forwarding of packets
dpi Deep-Packet-Inspection (Application
Assurance)
dynamic-vlan-assignment Dynamic VLAN assignment configuration
eap-types Allow all EAP types on this wlan
encryption-type Reset the encryption to use on this
wlan to default (none)
enforce-dhcp Drop packets from Wireless Clients
with static IP address
fast-bss-transition Disable support for 802.11r Fast BSS
Transition
http-analyze Enable HTTP URL analysis on the wlan
ip Internet Protocol (IP)
ipv6 Internet Protocol version 6 (IPv6)
kerberos Configure kerberos authentication
parameters
nx9500-6C8809(config-wlan-test)#
http-analyze controller
nx9500-6C8809(config-wlan-test)#
nx9500-6C8809(config-wlan-test)#no accounting syslog
nx9500-6C8809(config-wlan-test)#no description
nx9500-6C8809(config-wlan-test)#no authentication-type
nx9500-6C8809(config-wlan-test)#no encryption-type
nx9500-6C8809(config-wlan-test)#no enforce-dhcp
nx9500-6C8809(config-wlan-test)#no kerberos server primary host
nx9500-6C8809(config-wlan-test)#no kerberos server timeout
nx9500-6C8809(config-wlan-test)#no data-rates 2.4GHz
nx9500-6C8809(config-wlan-test)#no ip dhcp trust
nx9500-6C8809(config-wlan-test)#no captive-portal-enforcement
wlan-qos-policy
Configures a WLAN QoS policy and enters its configuration mode
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
wlan-qos-policy <WLAN-QOS-POLICY-NAME>
Parameters
wlan-qos-policy <WLAN-QOS-POLICY-NAME>
<WLAN-QOS-POLICY-NAME> – Specify the WLAN QoS policy name. If a policy with the specified name
does not exist, it is created.
Examples
nx9500-6C8809(config)#wlan-qos-policy test
nx9500-6C8809(config-wlan-qos-test)#?
WLAN QoS Mode commands:
nx9500-6C8809(config-wlan-qos-test)#
Related Commands
Note
For more information on WLAN QoS policy commands, see WLAN-QOS-POLICY on page
1860.
url-filter
Creates a new URL filter (Web filter) and enters its configuration mode. URL filtering is a licensed
feature. When applied to a WiNG device the license allows you to enable URL filtering on the device,
create and apply a URL filter defining the banned and/or allowed URLs. When enabled, the URL filter is
applied to all user-initiated URL requests to determine if the requested URL is banned or allowed. Only
if allowed is the user’s request (in the form of a HTTP request packet) forwarded to the Web server.
URL filters can be applied at any of the following points: the user’s application (browser/email reader),
the network’s gateway, at the Internet service provider (ISP) end, and also on a Web portal. For wireless
clients, the WLAN infrastructure is the best place to implement these filters.
A URL filter is a set of whitelist and/or blacklist rules. The whitelist allows access only to those Websites
and URLs specified in it. All other Websites and URLs, apart from those specified in the whitelist, are
banned. On the other hand, the blacklist bans all Websites and URLs specified in it. All other Websites
and URLs, apart from those specified in the blacklist, are allowed.
To simplify URL filter configuration, Websites have been classified into pre-defined category-types and
categories. The system provides 12 category-types and 64 categories. To further simplify configuration,
these 12 category-types have been grouped into five (5) pre-defined levels. (See Usage Guidelines
section for the list of category-types, categories, and levels). The actual classification of URLs (on the
basis of the pre-defined factors mentioned above) is done by the classification server. A local database
also helps by caching URL records for a user-defined time period. The classification server host is
specified in the Web filter policy. The Web filter policy also defines the URL database parameters. For
more information, see web-filter-policy on page 599.
The WiNG software also allows you to create URL lists. Each URL list contains a list of user-defined
URLs. Use the URL list in a URL filter (whitelist or blacklist rule) to identify the URLs to ban or allow. For
example, a URL list named SocialNetworking is created listing the following three sites: Facebook,
Twitter, and LinkedIn. When applied to a URL filter’s blacklist, these three sites are banned, whereas
when applied to a whitelist, only these three sites are allowed. For more information on configuring a
URL list, see url-list on page 697.
Note
URL filtering is a licensed feature. Procure and install the license in the device configuration
mode. For more information, see license on page 1400 (device config mode).
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
url-filter <URL-FILTER-NAME>
Parameters
url-filter <URL-FILTER-NAME>
<URL-FILTER-NAME> Creates a new URL filter and enters its configuration mode. Specify
the URL filter name. If a filter with the specified name does not exist,
it is created.
Usage Guidelines
Examples
nx9500-6C8809(config-url-filter-test)#?
URL Filter Mode commands:
blacklist Block access to URL
blockpage Configure blocking page parameters
description Url filter description
no Negate a command or set its defaults
whitelist Allow access to URL
nx9500-6C8809(config-url-filter-test)#
Related Commands
url-filter-config-commands
blacklist
Creates a blacklist rule. A blacklist is a list of Websites and URLs denied access by clients. Clients
requesting blacklisted URLs are presented with a page displaying the ‘Web page blocked’ message.
Parameters relating to this page are configured using the ‘blockpage’ option.
URL filtering is based on the classification of Websites into pre-defined category-types. Some of the
category-types are further divided into multiple categories. Currently available are 12 built-in category
types, and 64 categories. These built-in category-types and categories cannot be modified.
Use the available options to identify the URL category-types and categories to include in the blacklist.
In addition to identifying URLs by the categories and category-types they are classified into, the system
also provides five (5) levels of Web filtering (basic, high, low, medium, and medium-high). Each level
identifies a specific set of URL categories to blacklist. For more information on category-types,
categories, and URL filtering levels, see url-filter on page 685.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
blacklist [category-type|level|url-list]
blacklist category-type [adult-content|all|business|communication|entertainment|
file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|
social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}
blacklist level [basic|high|low|medium|medium-high] precedence <1-500>
{description <LINE>}
blacklist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}
Parameters
blacklist category-type [adult-content|all|business|communication|entertainment|
file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|
social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}
blacklist category-type <SELECT-CATEGORY-TYPE> – Selects the category-type to blacklist. A category
is a pre-defined URL list available in the WiNG software. Categories are based on an external
database, and cannot be modified or removed. Custom categories can be created with the URL List and
added to the database.
Websites have been classified into the following 12 category types: adult-content, business,
communication, entertainment, file-sharing-backup, gaming, news-sports-general, p2p, questionable,
security-risk, social-photo-sharing, and software-updates
Select ‘all’ to blacklist all category-types.
Some of the category-types are further classified into categories. For example, the ‘adult-content’
category-type is differentiated into the following categories:
• alcohol-tobacco, dating-personals, gambling, nudity, pornography-sexually-explicit,
sex-education, and weapons.
The system blocks all categories (URLs falling within their limits) within the selected
category-type.
precedence <1-500> – Configures the precedence value for this blacklist rule. Rules are applied in
the increasing order of their precedence. Therefore, rules with lower precedence are applied first.
description <LINE> – Optional. Configures a description (not exceeding 80 characters) for this
blacklist rule. Enter a description that allows you to identify the purpose of the rule.
blacklist level [basic|high|low|medium|medium-high] – Configures the Web filtering level as basic,
high, low, medium, or medium-high. Each of these filter-levels is pre-configured to use a set of
category types and this mapping cannot be modified.
precedence <1-500> – Configures the precedence value for this blacklist rule. Rules are applied in
the increasing order of their precedence. Therefore, rules with lower precedence are applied first.
description <LINE> – Optional. Configures a description (not exceeding 80 characters) for this
blacklist rule. Enter a description that allows you to identify the purpose of the rule.
blacklist url-list <URL-LIST-NAME> – Associates a URL list with this URL filter. When associated
with a blacklist rule, all URLs listed in the specified URL list are blacklisted.
URL lists are customized categories included in the custom filter-level setting. URL lists enable
an administrator to blacklist or whitelist URLs.
precedence <1-500> – Configures the precedence value for this blacklist rule. Rules are applied in
the increasing order of their precedence. Therefore, rules with lower precedence are applied first.
description <LINE> – Optional. Configures a description (not exceeding 80 characters) for this
blacklist rule. Enter a description that allows you to identify the purpose of the rule.
Examples
nx9500-6C8809(config-url-filter-test)#blacklist level medium-high precedence 10
nx9500-6C8809(config-url-filter-test)#blacklist category-type adult-content category
alcohol-tobacco precedence 1
nx9500-6C8809(config-url-filter-test)#blacklist category-type security-risk category
botnets precedence 3
nx9500-6C8809(config-url-filter-test)#show context
url-filter test
blacklist level medium-high precedence 10
blacklist category-type security-risk category botnets precedence 3
blacklist category-type adult-content category alcohol-tobacco precedence 1
nx9500-6C8809(config-url-filter-test)#
Related Commands
no (url-filter-config-mode-commands) on page 696 – Removes a blacklist rule from this URL filter.
Specify the category-type, category, and precedence to identify the blacklist rule. The identified
rule is removed from the URL filter.
blockpage
Configures the parameters that retrieve the page or content displayed by the client’s browser when a
requested URL is blocked and cannot be viewed
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
blockpage [external|internal|path]
blockpage path [external|internal]
blockpage external url <URL>
blockpage internal [content|footer|header|main-logo|org-name|org-signature|
small-logo|title] <LINE/IMAGE-URL>
Parameters
blockpage path [external|internal]
blockpage path [external|internal] – Specifies whether the page displayed to the client when a
requested URL is blocked is hosted externally or internally
• external – Indicates the page displayed is hosted on an external
Web server resource. If selecting this option, use the blockpage
> external > url <URL> command to provide the path to
the external Web server hosting the page.
• internal – Indicates the page displayed is hosted internally. This is
the default setting. If selecting this option, use the blockpage
> internal > <SELECT-PAGE-TYPE> > <LINE/IMAGE-URL>
command to define the page configuration.
blockpage external url <URL> Configures the URL of the external Web server hosting the page
(displayed to the client when a requested URL is blocked).
• url <URL> – Specify the URL of the Web server and the blocking
page name
Valid URLs should begin with http:// or https://
The URL can contain query strings.
Use '&' or '?' character to separate field-value pair.
Enter 'ctrl-v' followed by '?' to configure query strings
blockpage internal [content|footer|header|main-logo|org-name|org-signature|small-logo|title]
<LINE/IMAGE-URL> – Configures the internally hosted blocking page parameters, such as
the content displayed, page footer and header, organization (the
organization enforcing the Web page blocking) details (name,
signature, and logo), and page title
• content – Configures the text (message) displayed on the blocking
page
• footer – Configures the text displayed as the blocking page footer
• header – Configures the text displayed as the blocking page
header
• org-name – Configures the organization’s name displayed on the
blocking page
• org-signature – Configures the organization’s signature displayed
on the blocking page
• title – Configures the title of the blocking page.
• main-logo – Configures the location of the main logo
(organization’s large logo)
• small-logo – Configures the location of the small logo
(organization’s small logo)
The following keyword is common to all of the above parameters:
• <LINE/IMAGE-URL> – Specify the location of the logo (main and
small) image file. The image is retrieved and displayed from the
location configured here. If you are using this option to provide
content, such as organization name, footer, header, etc. enter a text
string not exceeding 255 characters in length.
Examples
nx9500-6C8809(config-url-filter-test)#blockpage internal content "The requested Web page
is blocked and cannot be displayed for viewing"
nx9500-6C8809(config-url-filter-test)#show context
url-filter test
blacklist level medium-high precedence 10
blacklist category-type security-risk category botnets precedence 3
blacklist category-type adult-content category alcohol-tobacco precedence 1
blockpage internal content "The requested Web page is blocked and cannot be displayed
for viewing"
nx9500-6C8809(config-url-filter-test)#
Related Commands
description
Configures a description for this URL filter. Provide a description that enables you to identify the
purpose of this URL filter.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
description <LINE>
Parameters
description <LINE>
description <LINE> Enter an appropriate description for this URL filter. The description
should identify the URL filter’s purpose and should not exceed 80
characters in length.
Examples
nx9500-6C8809(config-url-filter-test)#description "Blacklists sites inappropriate for
children and are security risks."
nx9500-6C8809(config-url-filter-test)#show context
url-filter test
description "Blacklists sites inappropriate for children and are security risks."
blacklist level medium-high precedence 10
blacklist category-type security-risk category botnets precedence 3
blacklist category-type adult-content category alcohol-tobacco precedence 1
blockpage internal content "The requested Web page is blocked and cannot be displayed
for viewing"
nx9500-6C8809(config-url-filter-test)#
Related Commands
whitelist
Creates a whitelist rule. A whitelist is a list of Websites and URLs allowed access by clients. URL filtering
is based on the classification of Websites into pre-defined category-types. Some of the category-types
are further divided into multiple categories. Currently available are 12 built-in category types, and 64
categories. These built-in category-types and categories cannot be modified.
Use the available options to identify the category-types and categories to include in the whitelist.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
whitelist [category-type|url-list]
whitelist category-type [adult-content|all|business|communication|entertainment|
file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|
social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}
Parameters
whitelist category-type [adult-content|all|business|communication|entertainment|
file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|
social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}
whitelist category-type <SELECT-CATEGORY-TYPE> – Selects the category-type to add to this
whitelist. A category is a pre-defined URL list available in the WiNG software. Categories are
based on an external database, and cannot be modified or removed.
Custom categories can be created with the URL List and added to the
database.
Websites have been classified into the following 12 category types:
adult-content, business, communication, entertainment, file-sharing-
backup, gaming, news-sports-general, p2p, questionable, security-
risk, social-photo-sharing, and software-updates.
Select ‘all’ to whitelist all category-types.
Some of the category-types are further classified into categories. For
example, the ‘adult-content’ category-type is differentiated into the
following categories:
• alcohol-tobacco, dating-personals, gambling, nudity,
pornography-sexually-explicit, sex-education, and weapons.
The system allows all categories (URLs falling within their limits)
within the selected category-type.
precedence <1-500> Configures the precedence value for this whitelist rule. Rules are
applied in the increasing order of their precedence. Therefore, rules
with lower precedence are applied first.
description <LINE> Optional. Configures a description (not exceeding 80 characters) for
this whitelist rule. Enter a description that allows you to identify the
purpose of the rule.
whitelist url-list <URL-LIST-NAME> – Associates a URL list with this URL filter. When associated
with a whitelist rule, all URLs listed in the specified URL list are allowed
access.
URL lists are customized categories included in the custom filter-level
setting. URL lists enable an administrator to blacklist or whitelist
URLs in addition to the built-in categories. For more information on
configuring a URL list, see url-list on page 697.
• <URL-LIST-NAME> – Enter URL list name (should be existing and
configured)
precedence <1-500> Configures the precedence value for this whitelist rule. Rules are
applied in the increasing order of their precedence. Therefore, rules
with lower precedence are applied first.
description <LINE> Optional. Configures a description (not exceeding 80 characters) for
this whitelist rule. Enter a description that allows you to identify the
purpose of the rule.
Examples
nx9500-6C8809(config-url-filter-test)#whitelist category-type communication category chat
precedence 7
nx9500-6C8809(config-url-filter-test)#show context
url-filter test
description "Blacklists sites inappropriate for children and are security risks."
Related Commands
no (url-filter-config-mode-commands) on page 696 – Removes a whitelist rule from this URL filter.
Specify the category-type, category, and precedence to identify the blacklist rule. The identified
rule is removed from the URL filter.
no (url-filter-config-mode-commands)
Use the no command to remove this URL filter’s configured parameters
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [blacklist|blockpage|description|whitelist]
no blacklist [category-type|level|url-list]
no blacklist [category-type <SELECT-CATEGORY-TYPE>|level <SELECT-LEVEL>|
url-list <URL-LIST-NAME>] precedence <1-500>
no blockpage [external|internal [content|footer|header|main-logo|org-name|
org-signature|small-logo|title]|path]
no description
no whitelist [category-type|url-list]
no whitelist [category-type <SELECT-CATEGORY-TYPE>|url-list <URL-LIST-NAME>]
precedence <1-500>
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes this URL filter’s configured parameters based on the values
passed here
Examples
The following example displays the URL filter ‘test’ settings before the ‘no’ is executed:
nx9500-6C8809(config-url-filter-test)#show context
url-filter test
description "Blacklists sites inappropriate for children and are security risks."
blacklist level medium-high precedence 10
whitelist category-type communication category chat precedence 7
blacklist category-type security-risk category botnets precedence 3
blacklist category-type adult-content category alcohol-tobacco precedence 1
blockpage internal content "The requested Web page is blocked and cannot be displayed
for viewing"
nx9500-6C8809(config-url-filter-test)#
nx9500-6C8809(config-url-filter-test)#no description
nx9500-6C8809(config-url-filter-test)#no blacklist category-type adult-content
category alcohol-tobacco precedence 1
nx9500-6C8809(config-url-filter-test)#no whitelist category-type communication
category chat precedence 7
The following example displays the URL filter ‘test’ settings after the ‘no’ is executed:
nx9500-6C8809(config-url-filter-test)#show context
url-filter test
blacklist level medium-high precedence 10
blacklist category-type security-risk category botnets precedence 3
blockpage internal content "The requested Web page is blocked and cannot be displayed
for viewing"
nx9500-6C8809(config-url-filter-test)#
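The limits stated for URL filter rules above (precedence 1-500, descriptions of at most 80 characters, no 'level' option for whitelist rules, blocking-page URLs beginning with http:// or https://) can be checked offline against saved show context output. The following Python audit is an added example, not part of the WiNG software or this guide; the function names, the 'lab' filter, and the reused-precedence check (a review heuristic, since the guide does not say how the CLI treats it) are assumptions.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# Category-types and filter levels as listed in the blacklist/whitelist syntax above.
CATEGORY_TYPES = {"adult-content", "all", "business", "communication", "entertainment",
                  "file-sharing-backup", "gaming", "news-sports-general", "p2p",
                  "questionable", "security-risk", "social-photo-sharing",
                  "software-updates"}
LEVELS = {"basic", "high", "low", "medium", "medium-high"}

# 'show context' output of URL filter 'test' from this section, wrapped lines rejoined.
SAMPLE = """url-filter test
 description "Blacklists sites inappropriate for children and are security risks."
 blacklist level medium-high precedence 10
 whitelist category-type communication category chat precedence 7
 blacklist category-type security-risk category botnets precedence 3
 blacklist category-type adult-content category alcohol-tobacco precedence 1
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
"""

# Constructed input (hypothetical filter 'lab') that breaks several stated limits.
BAD_SAMPLE = """url-filter lab
 whitelist level basic precedence 5
 blacklist category-type security-risk precedence 501
 blacklist category-type gaming precedence 5
 blockpage path external
"""


@dataclass
class Rule:
    line: int
    action: str                 # blacklist | whitelist
    kind: str                   # category-type | level | url-list
    value: str
    category: Optional[str]
    precedence: int
    description: Optional[str]


def parse_rule(line_no, tok):
    """Turn one tokenised blacklist/whitelist line into a Rule."""
    opts = dict(zip(tok[3::2], tok[4::2]))   # category / precedence / description
    return Rule(line_no, tok[0], tok[1], tok[2], opts.get("category"),
                int(opts["precedence"]), opts.get("description"))


def check_rule(r):
    """Compare one rule with the limits stated in the command reference."""
    issues = []
    if not 1 <= r.precedence <= 500:
        issues.append("precedence outside 1-500")
    if r.description is not None and len(r.description) > 80:
        issues.append("description longer than 80 characters")
    if r.kind == "category-type":
        if r.value not in CATEGORY_TYPES:
            issues.append(f"unknown category-type {r.value}")
    elif r.kind == "level":
        if r.action == "whitelist":
            issues.append("whitelist syntax has no 'level' option")
        elif r.value not in LEVELS:
            issues.append(f"unknown filter level {r.value}")
    elif r.kind != "url-list":
        issues.append(f"unknown selector {r.kind}")
    return [f"line {r.line}: {i}" for i in issues]


def audit_url_filter(text):
    """Return (rules in the order they are applied, findings) for one url-filter block."""
    rules, findings = [], []
    path_external = external_url = False
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            tok = shlex.split(raw)           # keeps quoted descriptions as one token
        except ValueError:
            findings.append(f"line {n}: unbalanced quotes")
            continue
        if not tok:
            continue
        if tok[0] in ("blacklist", "whitelist"):
            try:
                rule = parse_rule(n, tok)
            except (KeyError, ValueError, IndexError):
                findings.append(f"line {n}: rule without a numeric precedence")
                continue
            rules.append(rule)
            findings.extend(check_rule(rule))
        elif tok[:3] == ["blockpage", "path", "external"]:
            path_external = True
        elif tok[:3] == ["blockpage", "external", "url"]:
            external_url = True
            if len(tok) < 4 or not tok[3].startswith(("http://", "https://")):
                findings.append(f"line {n}: blockpage URL must begin with http:// or https://")
    if path_external and not external_url:
        findings.append("blockpage path is external but no 'blockpage external url' is set")
    # Heuristic (assumption): a reused precedence leaves the relative order unclear.
    by_prec = {}
    for r in rules:
        by_prec.setdefault(r.precedence, []).append(r.line)
    for prec, lines in sorted(by_prec.items()):
        if len(lines) > 1:
            findings.append(f"precedence {prec} reused on lines {lines}")
    # Lower precedence values are applied first, so sort ascending.
    return sorted(rules, key=lambda r: r.precedence), findings


if __name__ == "__main__":
    for label, text in (("test", SAMPLE), ("lab", BAD_SAMPLE)):
        ordered, problems = audit_url_filter(text)
        print(label, [(r.precedence, r.action, r.value) for r in ordered], problems)
```

For the filter 'test', the sorted result makes it visible that the chat whitelist rule (precedence 7) is applied before the medium-high blacklist level (precedence 10).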
url-list
Creates a URL list and enters its configuration mode. URL lists are a means of categorizing URLs on the
basis of various criteria, such as frequently used, not-permitted, etc. They are used in URL filters to identify
whitelisted/blacklisted URLs. Web requests are blocked or approved based on URL filter whitelist/
blacklist rules. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The
blacklist allows all sites except the categories and URL lists defined in the blacklist.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
url-list <URL-LIST-NAME>
Parameters
url-list <URL-LIST-NAME>
<URL-LIST-NAME> – Specify the URL list name. The URL list is created if another list with the same
name does not exist.
Examples
nx9500-6C8809(config)#url-list URLlist1
nx9500-6C8809(config-url-list-URLlist1)#?
URL List Mode commands:
description Description of the category
no Negate a command or set its defaults
url Add a URL entry
nx9500-6C8809(config-url-list-URLlist1)#
nx9500-6C8809(config-url-list-URLlist1)#url http://www.example_company.com depth 10
nx9500-6C8809(config-url-list-test)#show context
url-list test
url http://www.example_company.com depth 10
nx9500-6C8809(config-url-list-URLlist1)#
Related Commands
url-list-config-commands
url
Adds URL entries to this URL list
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
url <WORD> {depth <1-10>}
Parameters
url <WORD> {depth <1-10>}
Examples
nx9500-6C8809(config-url-list-test)#url http://www.facebook.com depth 5
nx9500-6C8809(config-url-list-test)#show context
url-list test
description “This URL list contains social media URLs.”
url https://www.facebook.com depth 5
nx9500-6C8809(config-url-list-test)#
Related Commands
description
Configures a description for this URL list. The description should be unique and enable you to identify
the type of URLs listed in the URL list.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
description <LINE>
Parameters
description <LINE>
description <LINE> Provide a unique description for this URL list (should not exceed 500
characters in length).
Examples
nx9500-6C8809(config-url-list-test)#description ““This URL list contains social media
URLs.””
nx9500-6C8809(config-url-list-test)#show context
url-list test
description “This URL list contains social media URLs.”
nx9500-6C8809(config-url-list-test)#
Related Commands
no (url-list-config-mode-commands)
Removes this URL list’s settings
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [description|url]
no description
no url <WORD>
Parameters
no <PARAMETERS>
Examples
The following example displays the URL list ‘test’ settings before the ‘no’ command is executed:
nx9500-6C8809(config-url-list-test)#show context
url-list test
description “This URL list contains social media URLs.”
url https://www.facebook.com depth 5
nx9500-6C8809(config-url-list-test)#
nx9500-6C8809(config-url-list-test)#no url www.facebook.com
The following example displays the URL list ‘test’ settings after the ‘no’ command is executed:
nx9500-6C8809(config-url-list-test)#show context
url-list test
description “This URL list contains social communication URLS”
nx9500-6C8809(config-url-list-test)#
vx9000
Configures a Virtual WLAN Controller (V-WLC) in a virtual machine (VM) environment. V-WLC can be
deployed on shared, third-party server hardware, thereby reducing the overhead costs of procuring and
maintaining dedicated appliances. The external, third-party hardware needs to have a hypervisor
installed, such as VMware, Xen, VirtualBox, KVM, Amazon EC2 or Hyper-V, enabling it to
communicate with V-WLC software.
The V-WLC controls and manages access points and other controllers (at NOC or as a site-controller) in
the network. The traffic between the access points and the V-WLC is over the layer-3 MINT protocol.
V-WLC is a licensed feature, and the WiNG software provides the following two new licenses:
• VX – When installed, this license activates VM controller instance, and enables the V-WLC to trigger
adoption process allowing access points to adopt to the V-WLC. The adoption capacity of the V-
WLC is determined by the number of licenses installed on it.
To install the VX or VX-DEMO license on an existing V-WLC instance, use the license command. For
more information, see the examples provided in this section.
Syntax
vx9000 <MAC>
Parameters
vx9000 <MAC>
vx9000 <MAC> Configures a V-WLC and enters its configuration mode. The V-WLC
configuration is the same as that of a normal controller.
Examples
nx9500-6C8809(config)#vx9000 11-22-33-44-55-66
nx9500-6C8809(config-device-11-22-33-44-55-66)#?
Device Mode commands:
adopter-auto-provisioning-policy-lookup Use centralized auto-provisioning
policy when adopted by another
controller
adoption Adoption configuration
configuration is received
mpact-server MPACT server configuration
neighbor-inactivity-timeout Configure neighbor inactivity
timeout
neighbor-info-interval Configure neighbor information
exchange interval
no Negate a command or set its
defaults
noc Configure the noc related setting
nsight NSight
ntp Ntp server WORD
offline-duration Set duration for which a device
remains unadopted before it
generates offline event
override Override a command
override-wlan Configure RF Domain level overrides
for wlan
power-config Configure power mode
preferred-controller-group Controller group this system will
prefer for adoption
preferred-tunnel-controller Tunnel Controller Name this system
will prefer for tunneling extended
vlan traffic
radius Configure device-level radius
authentication parameters
raid RAID
remove-override Remove configuration item override
from the device (so profile value
takes effect)
rf-domain-manager RF Domain Manager
router Dynamic routing
rsa-key Assign a RSA key to a service
sensor-server AirDefense sensor server
configuration
slot PCI expansion Slot
spanning-tree Spanning tree
timezone Configure the timezone
traffic-class-mapping Configure IPv6 traffic class to
802.1p priority mapping for
untagged frames
trustpoint Assign a trustpoint to a service
tunnel-controller Tunnel Controller group this
controller belongs to
use Set setting to use
vrrp VRRP configuration
vrrp-state-check Publish interface via OSPF/BGP only
if the interface VRRP state is not
BACKUP
wep-shared-key-auth Enable support for 802.11 WEP
shared key authentication
nx9500-6C8809(config-device-11-22-33-44-55-66)#
Related Commands
COMMON COMMANDS
This chapter describes the CLI commands common to the USER EXEC, PRIV EXEC, and GLOBAL
CONFIG modes.
The PRIV EXEC command set contains commands available within the USER EXEC mode. Some
commands can be entered in either mode. Commands entered in either the USER EXEC or PRIV EXEC
mode are referred to as EXEC mode commands. If a user or privilege is not specified, the referenced
command can be entered in either mode.
common-commands
The following table summarizes the commands common to the User Exec, Priv Exec, Global Config
modes, and all other configuration contexts:
clrscr
Clears the screen and refreshes the prompt, irrespective of the mode
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
clrscr
Parameters
None
Examples
The following example shows the terminal window or screen before the clrscr command is executed:
rfs4000-229D58#device-upgrade ?
DEVICE-NAME Name/MAC address of device
all Upgrade all devices
ap650 Upgrade AP650 Device
ap6522 Upgrade AP6522 Device
ap6532 Upgrade AP6532 Device
ap6562 Upgrade AP6562 Device
ap71xx Upgrade AP7161 Device
ap7502 Upgrade AP7502 Device
ap7522 Upgrade AP7522 Device
ap7532 Upgrade AP7532 Device
ap7562 Upgrade AP7562 Device
ap81xx Upgrade AP8163 Device
ap8432 Upgrade AP8432 Device
ap8533 Upgrade AP8533 Device
cancel-upgrade Cancel upgrading the device
load-image Load the device images to controller for device-upgrades
rf-domain Upgrade all devices belonging to an RF Domain
rfs4000 Upgrade RFS4010 Device
rfs4000-229D58#
commit
Commits changes made in the active session. Use the commit command to save and invoke settings
entered during the current transaction.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
commit {write}{memory}
Parameters
commit {write}{memory}
Examples
nx9500-6C8809#commit write memory
[OK]
nx9500-6C8809#
exit
The exit command works differently in the User Exec, Priv Exec, and Global Config modes. In the Global
Config mode, it ends the current mode and moves to the previous mode, which is Priv Exec mode. The
prompt changes from (config)# to #. When used in the Priv Exec and User Exec modes, the exit
command ends the current session, and connection to the terminal device is terminated. If the current
session has changes that have not been committed, the system will prompt you to either do a commit
or a revert before terminating the session.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
exit
Parameters
None
Examples
nx9500-6C8809(config)#exit
nx9500-6C8809#
help
Describes the interactive help system. Use this command to access the advanced help feature. Use "?"
anytime at the command prompt to access the help topic
• Partial help is provided when an abbreviated argument is entered and you want to know what
arguments match the input (for example 'show ve?').
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
help {search|show}
help {search <WORD>} {detailed|only-show|skip-no|skip-show}
Parameters
help {search <WORD>} {detailed|only-show|skip-no|skip-show}
search <WORD> Optional. Searches for CLI commands related to a specific target
term
• <WORD> – Specify a target term (for example, a feature or a
configuration parameter). After specifying the term, select one
of the following options: detailed, only-show, skip-no, or skip-
show. The system displays information based on the option
selected.
Examples
nx9500-6C8809>help search crypto detailed
found more than 64 references, showing the first 64
Context : Command
Command : clear crypto ike sa (A.B.C.D|all)(|on DEVICE-NAME)
\ Clear
\ Encryption Module
\ IKE SA
\ Flush IKE SAs
\ Flush IKE SAs for a given peer
\ Flush all IKE SA
\ On AP/Controller
\ AP/Controller name
\ On AP/Controller
\ AP/Controller name
: crypto key export rsa WORD URL (passphrase WORD|) (background|) ...
\ Encryption related commands
--More--
nx9500-6C8809>
nx9500-6C8809>help search crypto only-show
Context : Command
Command : show crypto cmp request status(|on DEVICE-NAME)
: show crypto ike sa (version 1|version 2|)(peer A.B.C.D|) (detail...
: show crypto ipsec sa (peer A.B.C.D|) (detail|) (|on DEVICE-NAME...
: show crypto key rsa (|public-key-detail) (|on DEVICE-NAME)
: show crypto pki trustpoints (WORD|all|)(|on DEVICE-NAME)
nx9500-6C8809>
nx9500-6C8809>help search service skip-show
found more than 64 references, showing the first 64
Context : Command
Command : service block-adopter-config-update
: service clear adoption history(|on DEVICE-NAME)
: service clear captive-portal-page-upload history (|(on DOMAIN-NA...
: service clear command-history(|on DEVICE-NAME)
: service clear device-upgrade history (|on DOMAIN-NAME)
: service clear noc statistics
: service clear reboot-history(|on DEVICE-NAME)
: service clear unsanctioned aps (|on DEVICE-OR-DOMAIN-NAME)
: service clear upgrade-history(|on DEVICE-NAME)
: service clear web-filter cache(|on DEVICE-NAME)
: service clear wireless ap statistics (|(AA-BB-CC-DD-EE-FF)) (|on...
: service clear wireless client statistics (|AA-BB-CC-DD-EE-FF) (|...
: service clear wireless controller-mobility-database
: service clear wireless dns-cache(|on DEVICE-OR-DOMAIN-NAME)
: service clear wireless radio statistics (|(DEVICE-NAME (|<1-3>))...
: service clear wireless wlan statistics (|WLAN) (|on DEVICE-OR-DO...
: service clear xpath requests (|<1-100000>)
: service show block-adopter-config-update
: service show captive-portal servers(|on DEVICE-NAME)
: service show captive-portal user-cache(|on DEVICE-NAME)
: service show cli
--More--
nx9500-6C8809>
nx9500-6C8809>help search mint only-show
Found 25 references for "mint"
Context : Command
Command : show debugging mint (|on DEVICE-OR-DOMAIN-NAME)
: show mint config(|on DEVICE-NAME)
: show mint dis (|details)(|on DEVICE-NAME)
: show mint id(|on DEVICE-NAME)
: show mint info(|on DEVICE-NAME)
: show mint known-adopters(|on DEVICE-NAME)
: show mint links (|details)(|on DEVICE-NAME)
: show mint lsp
: show mint lsp-db (|details AA.BB.CC.DD)(|on DEVICE-NAME)
: show mint mlcp history(|on DEVICE-NAME)
: show mint mlcp(|on DEVICE-NAME)
: show mint neighbors (|details)(|on DEVICE-NAME)
: show mint route(|on DEVICE-NAME)
: show mint stats(|on DEVICE-NAME)
: show mint tunnel-controller (|details)(|on DEVICE-NAME)
: show mint tunneled-vlans(|on DEVICE-NAME)
no
Negates a command or sets its default. Though the no command is common to the User Exec, Priv
Exec, and Global Config modes, it negates a different set of commands in each mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no <PARAMETER>
Parameters
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same
parameters associated with the command getting negated.
ap8432-070235(config)#
ap8432-070235#
ap8432-070235>
Related Commands
revert
Reverts changes made, in the current session, to their last saved configuration
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
revert
Parameters
None
Examples
nx9500-6C8809revert
nx9500-6C8809
service
Service commands are used to view and manage configurations. The service commands and their
corresponding parameters vary from mode to mode. The User Exec mode and Priv Exec mode
commands provide the same functionality with a few minor changes. The Global Config service command
sets the size of history files. It also enables viewing the current mode's CLI tree.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
load-ssh-authorized-keys|locator|nsight|radio|radius|
request-full-config-from-adopter|set|show|smart-rf|ssm|snmp|syslog|wireless]
service [block-adopter-config-update|request-full-config-from-adopter]
service eguest [remove-data|restore]
service eguest restore factory-default
service clear [adoption|captive-portal-page-upload|command-history|device-upgrade|diag|
dpi|file-sync|noc|reboot-history|unsanctioned|upgrade-history|virtual-machine-history|web-
filter|wireless|xpath]
service clear adoption history {on <DEVICE-NAME>}
service clear device-upgrade history {on <DOMAIN-NAME>}
service clear dpi [all|app|app-category] stats {on <DEVICE-OR-DOMAIN-NAME>}
service clear diag pkts
service clear file-sync history {on <DOMAIN-NAME>}
service clear captive-portal-page-upload history {on <DOMAIN-NAME>}
service clear [command-history|reboot-history|upgrade-history|virtual-machine-history]
{on <DEVICE-NAME>}
service clear noc statistics
service clear unsanctioned aps {on <DEVICE-OR-DOMAIN-NAME>}
service clear web-filter cache {on <DEVICE-NAME>}
service clear wireless [ap|client|controller-mobility-database|dns-cache|radio|wlan]
service clear wireless controller-mobility-database
service clear wireless [ap|client] statistics {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service clear wireless dns-cache on {(on <DEVICE-OR-DOMAIN-NAME>)}
service clear wireless radio statistics {<MAC/HOSTNAME>} {<1-3>} {(on <DEVICE-OR-DOMAIN-
NAME>)}
service clear wireless wlan statistics {<WLAN-NAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service clear xpath requests {<1-100000>}
service cli-tables-skin [ansi|hashes|minimal|none|percent|stars|thick|thin|utf-8] {grid}
service cluster force [active|configured-state|standby]
service database [authentication|start-shell]
service database authentication [create-user|delete-user]
service database authentication create-user username <USER-NAME> password <PASSWORD>
service database authentication delete-user username <USER-NAME>
service database start-shell
service delete-offline-aps [all|offline-for]
service delete-offline-aps offline-for days <0-999> {time <TIME>}
service force-send-config {on <DEVICE-OR-DOMAIN-NAME>}
service force-update-vm-stats {on <DEVICE-NAME>}
service guest-registration [backup|delete|export|import]
service guest-registration backup [delete|restore]
service guest-registration delete [all|email <EMAIL-ADD>|group <RAD-GROUP-NAME>|mac <MAC>|
mobile <MOBILE-NUMBER>|name <CLIENT-FULL-NAME>|non-social|offline-for days <1-999>|otp-
incomplete-for days <1-999>|social [facebook|google]|wlan <WLAN-NAME>]
service guest-registration export format [csv|json] <DEST-URL> {(rfdomain <DOMAIN-NAME>|
time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]|wlan <WLAN-NAME>)}
service guest-registration import format <JSON> <SOURCE-URL>
service load-balancing clear-client-capability [<MAC>|all] {on <DEVICE-NAME>}
service load-ssh-authorized-keys <PUBLIC-KEY> {on <DEVICE-NAME>}
service locator {<1-60>} {(on <DEVICE-NAME>)}
service nsight clear-offline [all|offline-for days <0-999> {time <TIME>}]
service radio <1-3> [adaptivity|channel-switch|dfs]
service radio <1-3> adaptivity
authorized-keys|startup-log|sysinfo|top|upgrade-history|virtual-machine-history|watch-dog|
wireless|xpath-history]
service show block-adopter-config-update
service show captive-portal [log-internal|servers|user-cache]
service show captive-portal log-internal
service show captive-portal [servers|user-cache] {on <DEVICE-NAME>}
service show [cli|client-identity-defaults|configuration-revision|mac-vendor <OUI/MAC>|
noc diag|snmp session|xpath-history]
service show [command-history|crash-info|info|mem|process|reboot-history|startup-log|ssh-
authorized-keys|
sysinfo|top|upgrade-history|watchdog] {on <DEVICE-NAME>}
service show ip-access-list wlan <WLAN-NAME> status {detail} {on <DEVICE-OR-DOMAIN-NAME>}
service show dhcp-lease {<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1} {(on <DEVICE-NAME>)}
service show diag [fds|led-status|pkts|psu|stats]
service show diag [fds|pkts]
service show diag [led-status|psu|stats] {on <DEVICE-NAME>}
service show fast-switching {on <DEVICE-NAME>}
service show [fib|fib6] {table-id <0-255>}
service show guest-registration [export-status|import-status|restore-status]
service show mint [adopted-devices {on <DEVICE-NAME>}|ports]
service show pm {history} {(on <DEVICE-NAME>)}
service show rf-domain-manager [diag|info] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service show sites
service show virtual-machine-history {on <DEVICE-NAME>}
service show wireless [aaa-stats|adaptivity-status|client|config-internal|credential-
cache|dns-cache|log-internal|meshpoint|neighbors|radar-status|radio-internal|reference|
stats-client|vlan-usage]
service show wireless [aaa-stats|adaptivity-status|credential-cache|dns-cache|radar-
status|vlan-usage] {on <DEVICE-NAME>}
service show wireless [config-internal|log-internal|neighbors]
service show wireless [client|meshpoint neighbor] proc [info|stats] {<MAC>} {(on <DEVICE-
OR-DOMAIN-NAME>)}
service show wireless radio-internal [radio1|radio2] <LINE>
service show wireless reference [channels|frame|handshake|mcs-rates|reason-codes|status-
codes]
service show wireless stats-client diag {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service smart-rf [clear-config|clear-history|clear-interfering-aps|save-config]
service smart-rf clear-config {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}
service smart-rf [clear-history|clear-interfering-aps|save-config] {on <DOMAIN-NAME>}
service snmp sysoid wing5
service ssm [dump-core-snapshot|trace]
service ssm trace pattern <WORD> {on <DEVICE-NAME>}
service syslog test {level [<0-7>|alerts|critical|debugging|emergencies|errors|
informational|
notifications|warnings]} {(on <DEVICE-NAME>)}
service wireless [client|dump-core-snapshot|meshpoint|qos|trace|unsanctioned|wips]
service wireless client [beacon-request|quiet-element|trigger-bss-transition|trigger-wnm]
service wireless client beacon-request <MAC> mode [active|passive|table] ssid [<SSID>|
any]
channel-report [<CHANNEL-LIST>|none] {on <DEVICE-NAME>}
service wireless client trigger-bss-transition mac <MAC> {timeout <0-65535>} {url <URL>}
{on <DEVICE-OR-DOMAIN-NAME>}
service wireless client trigger-wnm mac <MAC> type [deauth-imminent|subscription-
remediation] {uri <WORD>}
service wireless dump-core-snapshot
service wireless meshpoint zl <MESHPOINT-NAME> [on <DEVICE-NAME>] {<ARGS>|timeout
<1-65535>}
service wireless qos delete-tspec <MAC> tid <0-7>
service wireless trace pattern <WORD> {on <DEVICE-NAME>}
service wireless unsanctioned ap air-terminate <MAC> {on <DOMAIN-NAME>}
service wireless wips [clear-client-blacklist|clear-event-history|dump-managed-config]
service wireless wips clear-client-blacklist [all|mac <MAC>]
service wireless wips clear-event-history {on <DEVICE-OR-DOMAIN-NAME>}
block-adopter-config-update Blocks the configuration updates pushed from the Network
Operations Center (NOC) server to adopted devices
request-full-config-from-adopter Configures a request for full configuration updates from the
adopter device
In a hierarchically managed (HM) network, devices are deployed in
two levels. The first level consists of the NOC controllers. The
second level consists of the site controllers that can be grouped to
form clusters. The NOC controllers adopt and manage the site
controllers. Access points within the network are adopted and
managed by the site controllers. The adopted devices (Access
Points and site controllers) are referred to as the ‘adoptees’. The
devices adopting the adoptees are the ‘adopters’.
clear adoption history Clears adoption history on this device and its adopted Access
Points
on <DEVICE-NAME> Optional. Clears adoption history on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
clear diag pkts Clears the looped packets queue logged by the dataplane. The
dataplane logs up to 16 looped packets at a time in a separate
queue, which has to be manually cleared to make space for new
packet logging.
For more information on viewing logged looped packet information
execute the service > show > diag > pkts command.
clear [command-history|reboot-history|upgrade-history] Clears command history, reboot history,
and/or device upgrade history
clear virtual-machine-history Clears virtual-machine history on the logged device or a specified
device
This command is applicable only on the NX9500 and NX9600
series service platforms.
on <DEVICE-NAME> Optional. Clears history on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform
clear wireless [ap|client] statistics Clears wireless statistics counters based on the parameters passed
• ap statistics – Clears applicable AP statistics counters
• client statistics – Clears applicable wireless client statistics
counters
<MAC> {on <DEVICE-OR-DOMAIN-NAME>} The following keywords are common to the ‘ap’ and ‘client’
parameters:
• <MAC> – Optional. Clears statistics counters for a specified AP
or client. Specify the AP/client MAC address.
◦ on <DEVICE-OR-DOMAIN-NAME> – Optional. Clears AP/client
statistics counters on a specified device or RF Domain.
Specify the name of the AP, wireless controller, service
platform, or RF Domain.
clear web-filter cache Clears the cache used for Web filtering
on <DEVICE-NAME> Optional. Clears the Web filtering cache on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
cli-tables-skin [ansi|hashes|minimal|none|percent|stars|thick|thin|utf-8] Selects a formatting
layout or skin for CLI tabular outputs
• ansi – Uses ANSI characters for borders
• hashes – Uses hashes (#) for borders
• minimal – Uses one horizontal line between title and data rows
• none – Displays space separated items with no decoration
• percent – Uses the percent sign (%) for borders
• stars – Uses asterisks (*) for borders
• thick – Uses thick lines for borders
delete-offline-aps Deletes Access Points that have been off-line for a specified
number of days and time period
days <0-999> Specifies the number of days an Access Point stays off-line to be
deleted
• <0-999> – Specify the number of off-line days from 0 - 999.
time <TIME> Optional. Specifies the off-line time period. Access Points off-line
for this period of time are deleted.
• <TIME> – Specify the time in HH:MM:SS format.
eguest
restore factory-default Reinitializes the ExtremeGuest server to factory-default settings.
Use this option to stop the ExtremeGuest server and database.
service guest-registration backup [delete|restore] Deletes or restores all guest registration
backup snapshots based on the parameter passed
• delete – Deletes all guest registration backup snapshots
• restore – Restores all guest registration backup snapshots
Note: To view the status of the restore process, use the service >
show > guest-registration > restore-status command.
service guest-registration delete Deletes a specified user or all user records from the guest-
registration database
To delete a specific user, use one of the following options as an
identification parameter: email, group, mac, mobile number, name,
offline-for, wlan, otp-incomplete-for, or social.
[all|email <EMAIL-ADD>|group <RAD-GROUP-NAME>|mac <MAC>|mobile <MOBILE-NUMBER>|
name <CLIENT-FULL-NAME>|non-social|offline-for days <1-999>|wlan <WLAN-NAME>|
otp-incomplete-for days <1-999>|social [facebook|google]] Following are the user filtering
options. The user identified by one of the following parameters is deleted from the
guest-registration database.
• email <EMAIL-ADD> – Identifies user by the e-mail address
◦ <EMAIL-ADD> – Provide the user’s e-mail address.
• mac <MAC> – Identifies user by the MAC address
◦ <MAC> – Provide the user’s MAC address.
• group <RAD-GROUP-NAME> – Identifies users by their RADIUS
group association
◦ <RAD-GROUP-NAME> – Specify the RADIUS group name.
• mobile <MOBILE-NUMBER> – Identifies user by the registered
mobile number
◦ <MOBILE-NUMBER> – Provide the user’s mobile number.
• name <CLIENT-FULL-NAME> – Identifies user by the registered
full name
◦ <CLIENT-FULL-NAME> – Provide the user’s full name.
• non-social – Identifies users that have not registered through
social authentication
• offline-for days <1-999> – Filters users who have not accessed
the network for a specified number of days
◦ days <1-999> – Specify the number of days from 1 - 999.
• wlan <WLAN-NAME> – Identifies users accessing a specified
WLAN
◦ <WLAN-NAME> – Specify the WLAN name.
• otp-incomplete-for days <1-999> – Identifies records of users
that have not used their OTP to complete registration within a
specified number of days
◦ days <1-999> – Specify the number of days from 1 - 999.
• social [facebook|google] – Identifies users using either
Facebook or Google credentials to access the network
◦ facebook – Identifies users using Facebook authentication
◦ google – Identifies users using Google authentication
service guest-registration export Exports guest registration user data files in the Comma-Separated
Values (CSV) or JavaScript Object Notation (JSON) format
Use the ‘rfdomain’, ‘wlan’, and ‘time’ options to filter users for
a specified RF Domain, WLAN, and/or time period. These are
recursive parameters and you can apply all or any of these three
filters.
format [csv|json] Specifies the file format. The options are:
• csv – Exports user data files in the CSV format
• json – Exports user data files in the JSON format
<DEST-URL> Configures the destination URL. The files are exported to the
specified location. Both IPv4 and IPv6 address formats are
supported.
• IPv4 URLs:
tftp://<hostname|IP>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
• IPv6 URLs:
tftp://<hostname|[IPv6]>[:port]/path/file
ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
rfdomain <DOMAIN-NAME> Optional. Filters user data based on RF Domain name. Only the
filtered data are exported.
• <DOMAIN-NAME> – Specify the RF Domain name.
wlan <WLAN-NAME> Optional. Filters user data based on WLAN name. Only the filtered
data are exported.
• <WLAN-NAME> – Specify the WLAN name.
time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] Optional. Filters user data for a
specified time period. Only the filtered data are exported.
• 1-Day – Filters and exports previous day’s data
• 1-Month – Filters and exports previous month’s data
• 1-Week – Filters and exports previous week’s data
• 2-Hours – Filters and exports last 2 hours data
• 30-Mins – Filters and exports last 30 minutes data
• 5-Hours – Filters and exports last 5 hours data
• all – Exports the entire database
<SOURCE-URL> Configures the Source URL. The files are imported from the
specified location. Both IPv4 and IPv6 address formats are
supported.
• IPv4 URLs:
tftp://<hostname|IP>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
• IPv6 URLs:
tftp://<hostname|[IPv6]>[:port]/path/file
ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
locator Enables LEDs
<1-60> Sets LED flashing time from 1 - 60 seconds.
on <DEVICE-NAME> The following keyword is recursive and common to the <1-60>
parameter:
• on <DEVICE-NAME> – Optional. Enables LEDs on a specified
device
◦ <DEVICE-NAME> – Specify name of the AP, wireless
controller, or service platform.
nsight clear-offline [all|offline-for days <0-999> {time <TIME>}] Clears NSight data received
from offline controllers, based on the parameters passed. Select one of the following options:
• all – Clears NSight data received from all offline controllers
• offline-for days <0-999> time <TIME> – Clears NSight data
received from controllers that have been offline for a specified
time period
◦ days <0-999> – Specifies the number of days controllers
have been offline
▪ <0-999> – Specify the number of days from 0 - 999 days.
Select “0” to identify controllers offline less than 24 hours.
• time <TIME> – Optional. Specifies the total time for
which controllers have been offline
◦ <TIME> – Specify the time in HH:MM:SS format.
service radius test [<IP>|<HOSTNAME>] <WORD> <USERNAME> <PASSWORD> {wlan <WLAN-NAME> ssid
<SSID>} {(on <DEVICE-NAME>)}
radius test Tests RADIUS server's account. This command sends an access-
request packet to the RADIUS server. Use this command to confirm
time and data/bandwidth parameters for valid wireless clients.
• test – Tests the RADIUS server's account with user provided
parameters
wlan <WLAN-NAME> ssid <SSID> Optional. Tests the RADIUS server on the local WLAN. Specify the
local WLAN name.
• ssid <SSID> – Specify the WLAN SSID.
radius test Tests a RADIUS server's account. This command sends an access-
request packet to the RADIUS server. Use this command to confirm
time and data/bandwidth parameters for valid wireless clients.
• test – Tests the RADIUS server's account with user provided
parameters
<PORT> <1024-65535> Specify the RADIUS server port from 1024 - 65535. The default port
is 1812.
<WORD> Specify the RADIUS server's shared secret.
<USERNAME> Specify username for authentication.
<PASSWORD> Specify the password.
wlan <WLAN-NAME> ssid <SSID> Optional. Tests the RADIUS server on the local WLAN. Specify the
local WLAN name.
• ssid <SSID> – Specify the WLAN SSID.
show diag [fds|pkts] Displays diagnostic statistics, such as LED status, fan speed, sensor
temperature, open file descriptors, looped packets, etc.
fds Displays the number of file descriptors (fds) opened by key
processes, such as the CFGD. When executed, the command
displays only the file name and FD.
pkts Displays details of looped packets captured by the dataplane and
pushed to a separate queue. These queued packets are written to a
log file (named loop_pkt_info.log) available at the /var2/log/
directory. Use the service > start-shell command and
enter the path ‘cat /var2/log/’ to view if the loop_pkt_info.log file
exists. However, looped packet logging has to be enabled in the
profile/device context. For more information, see diag on page
1085 (profile config mode).
The dataplane can log up to 16 looped packets at a time. Once the
queue is full, no new loop packet is logged until the existing queue
show fast-switching Displays fast switching state (enabled or disabled)
on <DEVICE-NAME> Optional. Displays fast switching state for a specified device. If no
device is specified, the system displays information for the logged
device.
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
history Optional. Displays process change history (the time at which the
change was implemented, and the events that triggered the
change)
on <DEVICE-NAME> Optional. Displays process change history for a specified device. If
no device is specified, the system displays information for the
logged device.
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
show virtual-machine-history Displays virtual machine history based on the parameters passed
This command is applicable only to the NX9500 and NX9600 series
service platforms. It is also available on the Privilege Executable
Mode of these devices.
on <DEVICE-NAME> Optional. Displays virtual machine history on a specified device. If
no device is specified, the system displays information for the
logged device.
• <DEVICE-NAME> – Specify the name of the service platform.
service show wireless [client|meshpoint neighbor] proc [info|stats] {<MAC>} {(on <DEVICE-
OR-DOMAIN-NAME>)}
service snmp sysoid wing5 Configures a new sysObjectID (sysoid), in the MIB, for devices
running WiNG 5.X
When configured, the SNMP manager returns the sysoid for the WiNG 5.X
OS. Hardware running the WiNG 4.X and WiNG 5.X images has
different sysoids. For example, the sysoid for an RFS4000 using the
WiNG 4.X image differs from that of another RFS4000 running the WiNG
5.X image.
This command is applicable only to the RFS4000 platform, since it has
the same sysoid supported in WiNG 4.X and WiNG 5.X.
The WiNG 4.X sysoids are:
• RFS4000 – 1.3.6.1.4.1.388.18
The WiNG 5.X sysoids are:
• RFS4000 – 1.3.6.1.4.1.388.50.1.1.35
service ssm dump-core-snapshot Triggers a debug core dump of the SSM module
syslog test Sends a test message to the syslog server to confirm server
availability
Optional. Sets the logging level. In case syslog server is
unreachable, an event is logged based on the logging level defined.
This is an optional parameter, and the system configures default
settings, if no logging severity level is specified.
• <0-7> – Optional. Specify the logging severity level from 0-7.
The various levels and their implications are as follows:
◦ alerts – Optional. Immediate action needed (severity=1)
◦ critical – Optional. Critical conditions (severity=2)
◦ debugging – Optional. Debugging messages (severity=7)
◦ emergencies – Optional. System is unusable (severity=0)
◦ errors – Optional. Error conditions (severity=3)
◦ informational – Optional. Informational messages
(severity=6)
◦ notifications – Optional. Normal but significant conditions
(severity=5)
◦ warnings – Optional. Warning conditions (severity=4). This is
the default setting.
ssm trace
pattern <WORD> Configures the pattern to match
• <WORD> – Specify the pattern to match.
ssid [<SSID>|any] Specifies if the measurements have to be made for a specified SSID
or for any SSID
• <SSID> – Requests beacon measurement for a specified SSID
• any – Requests beacon measurement for any SSID
channel-report [<CHANNEL- Configures channel report in the request. The request can include a
LIST>| none] list of channels or can apply to all channels.
• <CHANNEL-LIST> – Request includes a list of channels. The
client has to send beacon measurements only for those channels
included in the request.
• none – Request applies to all channels
wireless client trigger-bss-transition Enables the quiet-element information in beacons sent to
wireless clients
start Enables the quiet-element information in beacons sent to wireless
clients. This is the start of the time period when wireless clients are
to remain quiet.
stop Disables the quiet-element information in beacons sent to wireless
clients. Once disabled, this information is no longer included in
beacons.
service wireless client trigger-bss-transition mac <MAC> {timeout <0-65535>} {url <URL>}
{on <DEVICE-OR-DOMAIN-NAME>}
wireless client trigger-wnm Sends a WNM notification (action frame) to a wireless client
mac <MAC> Specifies the wireless client’s MAC address
type [deauth-imminent|subscription-remediation] Configures the WNM notification type
• deauth-imminent – Sends a de-authentication imminent frame
• subscription-remediation – Sends a subscription remediation
needed frame
service wireless meshpoint zl Triggers a zonal level debug of a specified meshpoint’s modules
<MESHPOINT-NAME> Specify the meshpoint name
on <DEVICE-NAME> Triggers zonal level debug of a specified meshpoint’s modules on a
specified device
• <DEVICE-NAME> – Specify the name of the device (AP, wireless
controller, or service platform)
wireless trace Displays the wireless module trace based on parameters passed
pattern <WORD> Configures the pattern to match
• <WORD> – Specify the pattern to match.
wireless wips
clear-event-history Clears event history
on <DEVICE-OR-DOMAIN-NAME> Optional. Clears event history on a device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP,
wireless controller, service platform, or RF Domain.
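Several commands in this chapter take secrets as plain arguments: the <passwd> field of ftp/sftp URLs, the shared secret (<WORD>) and <PASSWORD> of service radius test, and the password of service database authentication create-user. The following Python sketch is an added example, not part of this guide or of WiNG: it masks those arguments in saved command text (for instance, captured command-history output) before the text is shared. The sample lines, their "<index> <command>" layout, and all function names are constructed assumptions.

```python
import re

MASK = "<REDACTED>"

# Matches ftp:// and sftp:// tokens only; tftp:// URLs carry no credentials.
URL_RE = re.compile(r"(s?ftp)://([^/\s]+)(/\S*)?")

# Constructed sample; the "<index> <command>" layout is an assumption,
# not the device's documented command-history output format.
SAMPLE_HISTORY = """\
1 service guest-registration export format csv ftp://backup:S3cr3t!@192.0.2.10:21/exports/guests.csv wlan GUEST
2 service radius test 192.0.2.20 sharedSecret99 alice Passw0rd wlan CORP ssid corp-wifi
3 service database authentication create-user username nsight password Db#Pass1
4 service copy tech-support sftp://ops:hunter2@[2001:db8::5]:22/ts/dump.tgz
5 service copy tech-support tftp://192.0.2.30/ts/dump.tgz
6 service show command-history
"""


def redact_url(token):
    """Mask <passwd> in ftp://<user>:<passwd>@<host>[:port]/path tokens."""
    m = URL_RE.fullmatch(token)
    if not m:
        return token, False
    scheme, authority, path = m.group(1), m.group(2), m.group(3) or ""
    # Split at the LAST '@' so passwords containing '@' and bracketed
    # IPv6 hosts ([2001:db8::5]:22) are both handled.
    userinfo, at, host = authority.rpartition("@")
    user, colon, password = userinfo.partition(":")
    if not at or not colon or not password:
        return token, False
    return f"{scheme}://{user}:{MASK}@{host}{path}", True


def redact_line(line):
    """Return (redacted_line, list_of_finding_labels) for one history line."""
    tokens = line.split()
    hits = []
    for i, tok in enumerate(tokens):
        tokens[i], changed = redact_url(tok)
        if changed:
            hits.append("url-password")
    if "service" in tokens:
        base = tokens.index("service") + 1   # index of first argument
        args = tokens[base:]
        # service radius test <server> <WORD> <USERNAME> <PASSWORD> ...
        if args[:2] == ["radius", "test"] and len(args) >= 6:
            tokens[base + 3] = MASK          # shared secret (<WORD>)
            tokens[base + 5] = MASK          # <PASSWORD>
            hits += ["radius-secret", "radius-password"]
        # service database authentication create-user username <U> password <P>
        elif (args[:3] == ["database", "authentication", "create-user"]
              and len(args) >= 7
              and args[3] == "username" and args[5] == "password"):
            tokens[base + 6] = MASK
            hits.append("db-password")
    return " ".join(tokens), hits


def redact_history(text):
    """Redact every line; return (redacted_text, counts_per_finding)."""
    out, counts = [], {}
    for line in text.splitlines():
        clean, hits = redact_line(line)
        out.append(clean)
        for label in hits:
            counts[label] = counts.get(label, 0) + 1
    return "\n".join(out), counts


if __name__ == "__main__":
    redacted, summary = redact_history(SAMPLE_HISTORY)
    print(redacted)
    print(summary)
```
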
Note
The Priv Exec Mode "service" command is a superset of the User Exec Mode "service"
command. This section documents the commands that are only available in the Priv Exec
Mode. For the syntax and parameters of commands common to both modes, refer to the
Syntax (User Exec Mode) and Parameters (User Exec Mode) sections of this chapter.
service [block-adopter-config-updates|clear|cli-tables-skin|cluster|copy|database|delete|
delete-offline-aps|force-send-config|force-update-vm-stats|guest-registration|load-
balancing|locator|mint|pktcap|pm|radio|radius|send|request-full-config-from-adopter|
restore|set|show|signal|smart-rf|snmp|ssm|start-shell|syslog|trace|wireless]
service clear crash-info {on <DEVICE-NAME>}
service copy [stats-report|tech-support]
service copy stats-report [global|rf-domain <DOMAIN-NAME>] (<FILE>|<URL>)
service copy tech-support [<FILE>|<URL>]
service database [authentication|compact|drop|maintenance-mode|primary-stepdown|remove-
all-files|replica-set|server|start-shell]
service database authentication [create-user|delete-user]
service database authentication create-user username <USER-NAME> password <PASSWORD>
service database authentication delete-user username <USER-NAME>
service database compact [all|captive-portal|nsight]
service database [maintenance-mode|primary-stepdown|remove-all-files|start-shell]
service database replica-set [add|delete]
service database replica-set add member [<IP>|<FQDN>] [arbiter|priority <0-255>]
service database replica-set delete member [<IP>|<FQDN>]
service database server [restart|start|stop]
service delete sessions <SESSION-COOKIES>
service mint [clear|debug-log|expire|flood]
service mint [clear [lsp-db|mlcp]|debug-log [flash-and-syslog|flash-only]|expire [lsp|
spf]|flood [csnp|lsp]]
service pktcap on [bridge|deny|drop|ext-vlan|interface|radio|rim|router|vpn|wireless]
service pktcap on [bridge|deny|drop|ext-vlan|rim|router|vpn|wireless] {(acl-name
<ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,rate
<1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp [<IP/TZSP-HOSTNAME>])}
service pktcap on interface [<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|pppoe1|vlan
<1-4094>|wwan1] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|
<URL> Specify the location URL of the file to be copied. Both IPv4 and IPv6
address formats are supported.
• tftp://<hostname|IPv4/IPv6>[:port]/path/file
• ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
• sftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
<FILE> Specify the location to copy file using the following format:
• usbX:/path/file
<URL> Specify the location URL of the file to be copied. Both IPv4 and IPv6
address formats are supported.
• tftp://<hostname|IPv4/IPv6>[:port]/path/file
• ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
• sftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
authentication create-user username <USER-NAME> password <PASSWORD> Creates users having
access rights to the database. Execute this command on the database host. However, before
creating users on the database, generate the database keyfile. For more information
on generating the keyfile, see database (user exec mode).
• username <USER-NAME> – Configures database username
◦ password <PASSWORD> – Configures a password for the
username specified above
In the database-policy, ensure that authentication is enabled and
the username and password are configured. The database-client-policy
should also have the same username and password configured. For
more information on database-policy and database-client-policy,
see database-policy global config on page 403 and database-
client-policy global-config on page 399.
database authentication delete-user username <USER-NAME> Deletes the username required for
access rights to the captive-portal/NSight database
• username <USER-NAME> – Deletes the username identified by
the <USER-NAME> keyword
compact [all|captive-portal|nsight] Compacts collections within the database. Each database
(captive-portal and NSight) contains one or more collections, where each
collection is a set of records. Use this command to make a single
compact set of all collections within a database.
• all – Compacts collections within all databases (captive-portal
and NSight) being maintained
• captive-portal – Compacts all collections within the captive
portal database only
• nsight – Compacts all collections within the NSight database
only
replica-set Adds members to the database replica set. A replica set is a group
of devices running the database instances that maintain the same
data set. Replica sets provide redundancy and high availability, and
are the basis for all production deployments. The replica set can
contain a maximum of fifty (50) members, with each member (with
the exception of the arbiter) hosting an instance of the database.
[arbiter| priority <0-255>] After identifying the new member, optionally specify if the member
is the arbiter or not. If not the arbiter, specify the member’s priority
value.
• arbiter – Identifies the new member as the arbiter. The arbiter
does not maintain a data set and is added to the replica set to
facilitate the election of the fall-back primary member. It
provides that one extra vote required in the election of the
primary member.
• priority <0-255> – Identifies the new member as not being the
arbiter and configures its priority value.
◦ <0-255> – Specify the priority value from 0 - 255. Not
applicable for the arbiter.
The priority value determines the member’s position within the
replica set as primary or secondary. It also helps in electing the fall-
back primary member in the eventuality of the current primary
member being unreachable.
All identified members should have the database instances running
prior to being added to the replica set.
expire [lsp|spf] Forces expiration of LSP and recalculation of Shortest Path First
(SPF)
• lsp – Forces expiration of LSP
• spf – Forces recalculation of SPF
pm Stops the PM
stops Stops the PM from monitoring all daemons
on <DEVICE-NAME> Optional. Stops the PM on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
filter [<LINE>|arp|capwap|cdp|dot11|dropreason|dst|ether|host|icmp|igmp|ip|ipv6|l2|l3|l4|lldp|
mint|net|not|port|priority|radio|src|tcp|udp|vlan|wlan] Optional. Filters packets based on the
option selected (must be used as a last option). The filter options are:
• <LINE> – Defines user defined packet capture filter
• arp – Matches ARP packets
• capwap – Matches CAPWAP packets
• cdp – Matches CDP packets
• dot11 – Matches 802.11 packets
• dropreason – Matches packet drop reason
• dst – Matches IP destination
• ether – Matches Ethernet packets
• failed – Matches failed 802.11 transmitted frames
• host – Matches host destination
• icmp – Matches ICMP packets
• icmp6 – Matches ICMPv6 frames
• ip – Matches IPV4 packets
• ipv6 – Matches IPV6 packets
• l2 – Matches L2 header
• l3 – Matches L3 header
• l4 – Matches L4 header
• mint – Matches MiNT packets
• lldp – Matches LLDP packets
• net – Matches IP in subnet
• not – Filters out any packet that matches the filter criteria (For
example, if not TCP is used, all tcp packets are filtered out)
• port – Matches TCP or UDP port
• priority – Matches packet priority
• radio – Matches radio
• rssi – Matches Received Signal Strength Indication (RSSI) of
received radio signals
• src – Matches IP source
• stp – Matches STP packets
• tcp – Matches TCP packets
• tcp6 – Matches TCP over IPv6 packets
• udp – Matches UDP packets
• udp6 – Matches UDP over IPv6 packets
• vlan – Matches VLAN
• wlan – Matches WLAN
direction [any|inbound|outbound] Optional. Changes the packet direction with respect to a device.
The direction can be set as any, inbound, or outbound.
filter <LINE> Optional. Filters packets based on the option selected (must be
used as a last option)
• <LINE> – Define a packet capture filter or select any one of the
available options.
acl-name <ACL> Optional. Specify the ACL that matches the ACL name for the 'deny'
location
count <1-1000000> Optional. Sets a specified number of packets to capture
• <1-1000000> – Specify a value from 1 - 1000000.
direction [any|inbound|outbound] Optional. Changes the packet direction with respect to a device.
The direction can be set as any, inbound, or outbound.
filter <LINE> Optional. Filters packets based on the option selected (must be
used as a last option)
• <LINE> – Define a packet capture filter or select any one of the
available options.
The responses are processed and the discovered devices are saved
to a log. By default, these device entries are retained in the log for
10 minutes and can be viewed by issuing the following command:
#service show discovered-devices
mac <MAC> Optional. Specify the MAC address for a specific device. This is an
optional parameter. Use it to discover a specific device.
Note: When specified, only the device with the specified MAC
address is discovered.
interface <INTERFACE> Optional. Specify the interface on which the WNMP discovery
request frames are to be broadcasted. The options available are:
• <WORD> - Specify the Layer 2 interface name.
show discovered-devices Displays Layer 2 devices that have responded to the WNMP
discovery request frames broadcasted by a controller or service
platform.
Only one device can be reset after each discovery process. Issue the
command with the MAC and serial number of the discovered device
that is to be reset to default configuration. However, note that the
device will reset only if:
• Its uptime is less than 10 minutes.
• Its serial number is an exact match.
• It is not adopted.
show discovered-devices Displays Layer 2 devices that have responded to the WNMP
Ethernet discovery request frames broadcasted by a controller or
service platform.
reset-log {mac <MAC>} Optional. Displays Layer 2 discovered devices that have responded
to reset request frames. This parameter is optional. If not specified,
all devices responding to the WNMP discovery request frames are
displayed.
show last-passwd Displays the last password used to enter shell
service start-shell
The following service commands are specific to the NX9500/NX9600 series service platforms:
service copy analytics-support [<FILE>|<URL>]
<FILE> Specify the file name and location using one of the following
formats:
• usb1:/path/file
• usb2:/path/file
<URL> Specify the location URL to copy file. Both IPv4 and IPv6 formats
are supported.
• tftp://<hostname|IPv4/IPv6>[:port]/path/file
• ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
• sftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
Usage Guidelines
The NX9500/NX9600 service platforms provide granular and robust analytic reporting for a managed
network. The data analyzed is collected at intervals specified by the administrator.
To enable data analytics, procure and apply a separate hot spare analytics license at the NOC. The
license restricts the number of Access Point streams processed at the NOC or forwarded to partner
systems for further processing. The analytics feature can be turned on at select APs by enabling them in
configuration. This way the customer can enable analytics on a select set of APs and not the entire
system as long as the number of APs on which it is enabled is less than or equal to the total number of
APs at the NOC controller.
In an NOC managed network, the analytics engine parses and processes Smart RF events as they are
received. The analytics engine parses the new channel and power information from the Smart RF event,
as opposed to retrieving the event from the devices themselves. analytics licenses available.
Examples
+-not
+-RF-DOMAIN [show global device-list (|(filter {|(online)|(offline)|(rf-domain (|not) RF-DOMAIN)}))]
--More--
nx9500-6C8809>
nx9500-6C8809#service signal abort testprocess
Sending an abort signal to testprocess
nx9500-6C8809#
nx9500-6C8809#service show command-history on ap8432-070235
Configured size of command history is 200
fan 1 (System Fan 1) current speed: 2765 min_speed: 693 hysteresis: 250
fan 2 (System Fan 2) current speed: 3010 min_speed: 665 hysteresis: 250
fan 3 (System Fan 3) current speed: 2695 min_speed: 665 hysteresis: 250
fan 4 (System Fan 4) current speed: 3045 min_speed: 665 hysteresis: 250
fan 5 (System Fan 5) current speed: 6188 min_speed: 665 hysteresis: 250
fan 6 (System Fan 6) current speed: 5564 min_speed: 665 hysteresis: 250
nx9500-6C8809#
nx9500-6C8809#service show upgrade-history
Configured size of upgrade history is 50
--More--
nx9500-6C8809#
nx9500-6C8809#service show wireless reference reason-codes
CODE DESCRIPTION
0 Success
1 Unspecified Reason
2 Previous authentication no longer valid
3 Deauth because sending STA is leaving IBSS or ESS
4 Disassoc due to inactivity
5 Disassoc because AP is unable to handle all currently assoc STA
6 Class 2 frame received from non-authenticated STA
7 Class 3 frame received from nonassociated STA
8 Disassoc because STA is leaving BSS
9 STA requesting association is not authentication with corresponding STA
10 Disassoc because info in the power capability elem is unacceptable
11 Disassoc because info in the supp channels elem is unacceptable
--More--
nx9500-6C8809#
nx9500-6C8809>service show wireless config-internal
! Startup-Config-Playback Completed: Yes
no debug wireless
country-code in
nx9500-6C8809>
nx9500-6C8809#service show wireless log-internal
08:51:49.417: wlan:Starting credcache checkup/sync (credcache.c:1539)
08:31:47.416: wlan:Starting credcache checkup/sync (credcache.c:1539)
08:11:42.415: wlan:Starting credcache checkup/sync (credcache.c:1539)
07:51:42.412: wlan:Starting credcache checkup/sync (credcache.c:1539)
07:31:42.412: wlan:Starting credcache checkup/sync (credcache.c:1539)
07:11:37.409: wlan:Starting credcache checkup/sync (credcache.c:1539)
06:51:36.408: wlan:Starting credcache checkup/sync (credcache.c:1539)
06:31:27.408: wlan:Starting credcache checkup/sync (credcache.c:1539)
06:11:24.408: wlan:Starting credcache checkup/sync (credcache.c:1539)
05:51:21.407: wlan:Starting credcache checkup/sync (credcache.c:1539)
05:31:18.406: wlan:Starting credcache checkup/sync (credcache.c:1539)
05:11:11.405: wlan:Starting credcache checkup/sync (credcache.c:1539)
--More--
nx9500-6C8809#
nx9500-6C8809#service show xpath-history
------------------------------------------------------------------------------------------
DATE&TIME USER XPATH DURATION(MS)
------------------------------------------------------------------------------------------
Mon Aug 12 22:09:49 2019 system wing-stats/device/B4-C7-99-6C-88-09/upgrade-history 6
------------------------------------------------------------------------------------------
nx9500-6C8809#
ROOT1-ap81xx-71174C#
To enable meshpoint module debugging, specify the module number and the process number
separated by a period (.), and then specify the debugging level from 0 - 7.
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C 3.2 7
6-PS | 0
| GEN ROOT NBR REC
7-RS | 0 0 0 0
| GEN
8-IA | 0
| GEN SET GET
11-MGT | 0 0 0
| GEN RX TX R0 LMST LSUP LKEY KEY
13-LSA | 0 0 0 0 0 0 0 0
| GEN SCAN TRIG
14-ACS | 0 0 0
| GEN
15-EAP | 0
| GEN
16-L2P | 0
ROOT1-ap81xx-71174C#
In the preceding example, level 7 debugging has been enabled only for the ND module’s received
signals. Note that debugging for all other modules and processes is still disabled.
To disable debugging for all modules, specify 0 (zero) in the command. For example:
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C 0
To enable debugging for all modules, specify the debugging level number. For example:
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C 5
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C
| SUBZONE
| 0 1 2 3 4 5 6 7
-------+-----------------------------------------
ZONE |
| GEN TX RX BEA TXF
2-LLC | 5(N) 5(N) 5(N) 5(N) 5(N)
| GEN TX RX NBR LQM LSA
3-ND | 5(N) 5(N) 5(N) 5(N) 5(N) 5(N)
| GEN
4-ORL | 5(N)
| GEN TX RX HEL PRO
5-LQ | 5(N) 5(N) 5(N) 5(N) 5(N)
| GEN
6-PS | 5(N)
| GEN ROOT NBR REC
7-RS | 5(N) 5(N) 5(N) 5(N)
| GEN
8-IA | 5(N)
| GEN SET GET
11-MGT | 5(N) 5(N) 5(N)
| GEN RX TX R0 LMST LSUP LKEY KEY
13-LSA | 5(N) 5(N) 5(N) 5(N) 5(N) 5(N) 5(N) 5(N)
| GEN SCAN TRIG
14-ACS | 5(N) 5(N) 5(N)
| GEN
15-EAP | 5(N)
| GEN
16-L2P | 5(N)
ROOT1-ap81xx-71174C#
Date: 11-4-2016, Time: 8:41:08.707631, Len: 64, 802.3, Proto: 0x8783, Vlan: 1, Priority: 0, Ingress: ge1, vlan1
Loop reason: Unknown(540)
TRUNCATED BB-7C-4D-80-C2-AC > 10-01-00-D2-68-99 at 64 bytes
Date: 11-4-2016, Time: 8:41:08.830963, Len: 64, 802.3, Proto: 0x8783, Vlan: 1, Priority: 0, Ingress: ge1, vlan1
Loop reason: Unknown(540)
TRUNCATED BB-7C-4D-83-30-A4 > 10-01-00-42-68-99 at 64 bytes
--More--
nx9500-6C8809#
nx9500-6C8809#service clear diag pkts
nx9500-6C8809#service show diag pkts
nx9500-6C8809#
nx9500-6C8809#service show diag psu
PSU1 (upper):
status unplugged
PSU2 (lower):
status normal
nx9500-6C8809#
The following examples show the purging of users from the guest-registration database:
nx7500-112233#service guest-registration delete ?
all Delete all users
email Email address
group Group
mac MAC address
mobile Mobile phone number
name Full name
offline-for Specify minimum amount of time offline
nx7500-112233#
Purges users who have failed to complete registration using the OTP within a specified time period.
nx7500-112233#service guest-registration delete otp-incomplete-for days 5
delete user status: Deleting registration with one-time-passcode incomplete for minimum 5 days. This will take time, please wait
nx7500-112233#
The following example displays IP ACLs to WLAN mapping summary on the ‘TechPubs’ RF Domain:
nx9500-6C8809#service show ip-access-list wlan TechPubs status
Reporting Device: ap7532-80C2AC - success
Reporting Device: ap7562-84A224 - success
Reporting Device: nx9500-6C8809 - success
Reporting Device: ap8163-74B45C - success
Total reporting devices: 5
nx9500-6C8809#
Consider an RF Domain (named guest-domain) with 3 APs adopted to a controller. The CLI output for
the service > show > ip-access-list command in this setup varies for different scenarios,
as shown in the following examples:
• Scenario 1: Executing the command on a device (access point).
AP01#service show ip-access-list wlan status
Reporting Device: AP01 - fail
WLAN: XPO-Guest-PSK
use ip-access-list in guest_access_inbound : fail
Total reporting devices: 1
AP01#
• Scenario 2: IP ACL to WLAN mapping is successful for all APs in a specified RF Domain.
SW01#service show ip-access-list wlan status on guest-domain
Reporting Device: AP01 - success
Reporting Device: AP02 - success
Reporting Device: AP03 - success
Total reporting devices: 3
SW01#
================================================================================
Reporting Device: AP02
--------------------------------------------------------------------------------
WLAN: PartnerNet
use ip-access-list in guest_access_inbound : success
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
================================================================================
Reporting Device: AP03
--------------------------------------------------------------------------------
WLAN: PartnerNet
use ip-access-list in guest_access_inbound : success
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
Total reporting devices: 3
SW01#
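The status output shown in these scenarios can be checked mechanically after an ACL change. The following Python parser is an added example, not part of the WiNG guide: it reads both the one-line summary form and the per-WLAN detail form, reports every entry that is not 'success', and flags a listing whose device count differs from the "Total reporting devices" line. The sample text is constructed from the line shapes above; the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Line shapes taken from the 'service show ip-access-list wlan ... status' examples.
DEVICE_RE = re.compile(r"^Reporting Device:\s*(?P<dev>\S+)(?:\s+-\s+(?P<status>\w+))?$")
WLAN_RE = re.compile(r"^WLAN:\s*(?P<wlan>\S+)$")
ACL_RE = re.compile(
    r"^use ip-access-list\s+(?P<dir>in|out)\s+(?P<acl>\S+)\s*:\s*(?P<status>\w+)$")
TOTAL_RE = re.compile(r"^Total reporting devices:\s*(?P<n>\d+)$")


@dataclass
class AclStatus:
    devices: dict = field(default_factory=dict)    # device -> summary status, or None
    mappings: list = field(default_factory=list)   # (device, wlan, direction, acl, status)
    reported_total: Optional[int] = None


def parse_acl_status(text: str) -> AclStatus:
    """Parse summary and detail lines; rules, prompts and paging markers are skipped."""
    result = AclStatus()
    device = wlan = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DEVICE_RE.match(line):
            device, wlan = m["dev"], None
            result.devices[device] = m["status"]   # None when the line has no status
        elif m := WLAN_RE.match(line):
            wlan = m["wlan"]
        elif (m := ACL_RE.match(line)) and device and wlan:
            result.mappings.append((device, wlan, m["dir"], m["acl"], m["status"]))
        elif m := TOTAL_RE.match(line):
            result.reported_total = int(m["n"])
    return result


def audit(result: AclStatus) -> list:
    """Return findings: anything other than 'success', plus a device-count mismatch."""
    findings = []
    for dev, status in result.devices.items():
        if status is not None and status != "success":
            findings.append(f"{dev}: device status '{status}'")
    for dev, wlan, direction, acl, status in result.mappings:
        if status != "success":
            findings.append(f"{dev}: WLAN {wlan}: ACL {acl} ({direction}) is '{status}'")
    listed = len(result.devices)
    if result.reported_total is not None and result.reported_total != listed:
        findings.append(
            f"count mismatch: {listed} devices listed, {result.reported_total} reported")
    return findings


# Constructed sample: mixes the summary and detail forms and reports one device
# more than it lists, so that every check in audit() has something to find.
SAMPLE_OUTPUT = """\
SW01#service show ip-access-list wlan status on guest-domain
Reporting Device: AP01 - fail
WLAN: XPO-Guest-PSK
use ip-access-list in guest_access_inbound : fail
================================================================================
Reporting Device: AP02
--------------------------------------------------------------------------------
WLAN: PartnerNet
use ip-access-list in guest_access_inbound : success
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
Reporting Device: AP03 - success
Total reporting devices: 4
SW01#
"""

if __name__ == "__main__":
    for finding in audit(parse_acl_status(SAMPLE_OUTPUT)):
        print(finding)
```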
The following examples show the WiNG 5.9.7 WNMP discovery related command outputs:
ap8132-A0892C#service send discovery
ap8132-A0892C#service show discovered-devices
--------------------------------------------------------------------------------
Device ID MAC IP Address(es)
--------------------------------------------------------------------------------
active-switch B4-C7-99-6F-8D-1C 192.168.0.1,172.16.0.30
ap6521-087356 5C-0E-8B-08-73-56 172.16.0.33,169.254.115.86
ap8533-5C21D8 74-67-F7-5C-21-D8 172.16.0.39,169.254.33.216
rfs4000-22A0B4 00-23-68-22-A0-B4 10.1.7.1,10.1.1.100,172.16.0.11
standby-switch 00-23-68-88-2A-17 192.168.0.1,172.16.0.13
vx9000-320EC5 08-00-27-32-0E-C5 10.10.10.1,172.16.0.24
--------------------------------------------------------------------------------
ap8132-A0892C#
ap8132-A0892C#service reset discovered-device 5C-0E-8B-08-73-56 serial-number 11020521175025
ap8132-A0892C#service reset discovered-device 5C-0E-8B-08-73-56 serial-number 11020521175025
ap8132-A0892C#service show discovered-devices reset-log
2019-09-20 22:57:48:Device 5C-0E-8B-08-73-56 shall set its configuration to default and reset.
2019-09-20 22:57:48:Reset request sent to 5C-0E-8B-08-73-56
2019-09-20 22:56:27:No reset - Device 74-67-F7-5C-21-D8 has been up more than 10 minutes.
2019-09-20 22:56:27:Reset request sent to 74-67-F7-5C-21-D8
2019-09-20 22:56:14:No reset - Device 74-67-F7-5C-21-D8 serial number mismatch.
2019-09-20 22:56:14:Reset request sent to 74-67-F7-5C-21-D8
2019-09-20 22:52:26:No reset - Device 5C-0E-8B-08-73-56 has been up more than 10 minutes.
2019-09-20 22:52:26:Reset request sent to 5C-0E-8B-08-73-56
--More--
ap8132-A0892C#
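The reset-log above records which devices were asked to reset and how each one answered. The following Python parser is an added example, not part of the WiNG guide: it pairs every reset request with the next response logged for the same MAC and lists the devices that returned to default configuration or refused on a serial-number mismatch. It assumes entries are printed newest first with each response above its request, as in the output shown; the first sample line (MAC 00-11-22-33-44-55) is constructed to show an unanswered request, and the function names are assumptions of this example.

```python
import re
from datetime import datetime

MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(?P<msg>.+)$")
PATTERNS = (
    ("request", re.compile(rf"^Reset request sent to {MAC}$")),
    ("reset", re.compile(
        rf"^Device {MAC} shall set its configuration to default and reset\.?$")),
    ("refused", re.compile(rf"^No reset - Device {MAC} (?P<reason>.+?)\.?$")),
)


def parse_reset_log(text):
    """Return (timestamp, kind, mac, reason) tuples in chronological order."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts, '--More--', blank lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        for kind, rx in PATTERNS:
            hit = rx.match(m["msg"].strip())
            if hit:
                events.append(
                    (ts, kind, hit["mac"].upper(), hit.groupdict().get("reason")))
                break
    # Newest-first input: reversing, then stable-sorting by time, puts a request
    # ahead of the response that was logged in the same second.
    events.reverse()
    events.sort(key=lambda e: e[0])
    return events


def correlate(events):
    """Pair each reset request with the next response logged for the same MAC."""
    pending, attempts = {}, []
    for ts, kind, mac, reason in events:
        if kind == "request":
            if mac in pending:  # the earlier request never got a response
                attempts.append({"mac": mac, "sent": pending[mac],
                                 "outcome": "no-response", "reason": None})
            pending[mac] = ts
        else:
            sent = pending.pop(mac, None)  # None: response without a visible request
            attempts.append({"mac": mac, "sent": sent,
                             "outcome": kind, "reason": reason})
    for mac, ts in pending.items():
        attempts.append({"mac": mac, "sent": ts,
                         "outcome": "no-response", "reason": None})
    return attempts


def review_list(attempts):
    """Devices to follow up: returned to defaults, or refused on serial number."""
    wiped = sorted({a["mac"] for a in attempts if a["outcome"] == "reset"})
    serial = sorted({a["mac"] for a in attempts
                     if a["outcome"] == "refused"
                     and "serial number mismatch" in (a["reason"] or "")})
    return {"reset_to_default": wiped, "serial_mismatch": serial}


# Sample: the first entry is constructed; the rest are the lines from the output above.
SAMPLE_LOG = """\
2019-09-20 22:58:30:Reset request sent to 00-11-22-33-44-55
2019-09-20 22:57:48:Device 5C-0E-8B-08-73-56 shall set its configuration to default and reset.
2019-09-20 22:57:48:Reset request sent to 5C-0E-8B-08-73-56
2019-09-20 22:56:27:No reset - Device 74-67-F7-5C-21-D8 has been up more than 10 minutes.
2019-09-20 22:56:27:Reset request sent to 74-67-F7-5C-21-D8
2019-09-20 22:56:14:No reset - Device 74-67-F7-5C-21-D8 serial number mismatch.
2019-09-20 22:56:14:Reset request sent to 74-67-F7-5C-21-D8
2019-09-20 22:52:26:No reset - Device 5C-0E-8B-08-73-56 has been up more than 10 minutes.
2019-09-20 22:52:26:Reset request sent to 5C-0E-8B-08-73-56
--More--
"""

if __name__ == "__main__":
    attempts = correlate(parse_reset_log(SAMPLE_LOG))
    for a in attempts:
        print(a["sent"], a["mac"], a["outcome"], a["reason"] or "")
    print(review_list(attempts))
```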
show
Displays specified system component settings. There are a number of ways to invoke the show
command.
• When invoked without any arguments, it displays information about the current context. If the
current context contains instances, the show command (usually) displays a list of these instances.
• When invoked with the display parameter, it displays information about that component.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show <PARAMETERS>
Parameters
show <PARAMETERS>
show <PARAMETERS> The show command displays configuration details based on the
configuration mode, in which the command is executed, and the
parameters passed. For example, when executed in the AAA policy
configuration mode, it displays the logged AAA policy’s current
settings. The example below shows the configuration details that
can be viewed in the Priv Executable mode.
Examples
nx9500-6C8809#show ?
adoption Adoption related information
bluetooth Bluetooth Configuration/Statistics commands
bonjour Bonjour Gateway related commands
boot Display boot configuration.
captive-portal Captive portal commands
captive-portal-page-upload Captive portal internal and advanced page upload
cdp Cisco Discovery Protocol
classify-url Query the category of an URL
clock Display system clock
cluster Cluster Protocol
cmp-factory-certs Display the CMP certificate status
commands Show command lists
context Information about current context
critical-resources Critical Resources
crypto Encryption related commands
database Database
debug Debugging functions
debugging Debugging functions
device-upgrade Device Upgrade
dot1x 802.1X
dpi Deep Packet Inspection
eguest Registration EGuest process
environmental-sensor Display Environmental Sensor Module status
event-history Display event history
event-system-policy Display event system policy
ex3500 EX3500 device details
extdev External device (T5, Ex3500..)
file Display filesystem information
file-sync File sync between controller and adoptees
firewall Wireless Firewall
global Global-level information
gre Show l2gre tunnel info
guest-notification-config Show guest-notification information
nx9500-6C8809#
Note
For more information on the show command, see SHOW COMMANDS on page 771.
write
Writes the system running configuration to memory or terminal
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
write [memory|terminal]
Parameters
write [memory|terminal]
Examples
nx9500-6C8809>write memory
[OK]
nx9500-6C8809>
SHOW COMMANDS
Show commands display configuration settings and statistical information. Use the show command to view
the current running configuration as well as the start-up configuration. The show command also
displays the current context configuration.
This chapter describes the 'show' CLI commands used in the USER EXEC, PRIV EXEC, and GLOBAL
CONFIG modes. Commands entered in either USER EXEC mode or PRIV EXEC mode are referred to as
EXEC mode commands. If a user or privilege is not specified, the referenced command can be entered
in either mode.
This chapter also describes the 'show' commands in the 'GLOBAL CONFIG' mode. The commands can
be entered in all three modes, except commands like file, IP access list statistics, MAC access list
statistics, and upgrade statistics, which cannot be entered in the USER EXEC mode.
show-commands
The following table summarizes the show commands:
Note
The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot
include an underscore (_) character. In other words, the name of a device cannot contain an
underscore.
show
The show command displays the following information:
• A device's current configuration
• A device's start-up configuration
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show <PARAMETER>
Parameters
show <PARAMETERS> The show command displays configuration details based on the
configuration mode, in which the command is executed, and the parameters
passed. For example, when executed in the AAA policy configuration mode,
it displays the logged AAA policy’s current settings. The examples below
show the configuration parameters that can be viewed in the User
Executable, Priv Executable, and Global Configurable modes.
Examples
The following examples list the show commands in the User Exec, Priv Exec, and Global Config modes:
<DEVICE>(config)#
nx9500-6C8809(config)#show clock
2017-04-06 15:49:10 IST
nx9500-6C8809(config)#
<DEVICE>#
nx9500-6C8809#show terminal
Terminal Type: xterm
Length: 24 Width: 80
nx9500-6C8809#
<DEVICE>>
nx9500-6C8809#show wireless ap configured
------------------------------------------------------------------------------------------
IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY
------------------------------------------------------------------------------------------
1 ap7522-8330A4 84-24-8D-83-30-A4 default-ap7522 default 00-15-70-38-06-49
2 ap8163-74B45C B4-C7-99-74-B4-5C default-ap81xx default B4-C7-99-6D-B5-D4
------------------------------------------------------------------------------------------
nx9500-6C8809#
adoption
Displays adoption related information, and is common to the User Exec, Priv Exec, and Global Config
modes.
Use this command to view details of devices adopted by the logged device.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show adoption [config-errors|controllers|history|info|log|offline|pending|status|timeline]
show adoption offline {all|on <DEVICE-NAME>}
show adoption config-errors <DEVICE-NAME>
show adoption log [adoptee|adopter {<MAC>}] {on <DEVICE-NAME>}
show adoption [controllers {include-ipv6}|history|info|pending|status {summary}|timeline]
{on <DEVICE-NAME>}
Parameters
show adoption offline
history Displays the adoption history of the logged device and its adopted
access points
info Displays adopted device information
pending Displays information for devices pending adoption
status {summary} Displays adoption status for the logged device. When executed
without using the ‘on <DEVICE-NAME>’ parameter, this command
displays detailed information of all devices adopted by the logged
device.
• summary – Optional. Displays a summary of all devices or a specific
device adopted by the logged device.
timeline Displays the logged device’s adoption timeline. It also shows the
adoption time for the logged device’s adopted APs. To view the
adoption timeline of a specific device, use the 'on <DEVICE-NAME>'
option to specify the device.
on <DEVICE-NAME> The following keywords are common to all of the above parameters:
• on <DEVICE-NAME> – Optional. Displays a device's adoption
information, based on the parameter passed.
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
Examples
nx9500-6C8809(config)#show adoption status
------------------------------------------------------------------------------------------
DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-ADOPTION UPTIME IPv4-ADDRESS
------------------------------------------------------------------------------------------
ap7562-84A224 5.9.6.0-004D configured No nx9500-6C8809 0 days 19:20:17 0 days 19:21:33 10.234.160.6
ap7532-DF9A4C 5.9.6.0-004D configured No nx9500-6C8809 0 days 19:20:19 0 days 19:21:34 10.234.160.12
------------------------------------------------------------------------------------------
nx9500-6C8809(config)#
nx9500-6C8809(config)#show adoption offline
------------------------------------------------------------------------------------------
MAC HOST-NAME TYPE RF-DOMAIN TIME OFFLINE CONNECTED-TO LAST-KNOWN-IP
------------------------------------------------------------------------------------------
74-67-F7-5C-63-F0 ap8432-5C63F0 ap8432 default unknown None unknown
74-67-F7-07-02-35 ap8432-070235 ap8432 default unknown None unknown
------------------------------------------------------------------------------------------
nx9500-6C8809(config)#
nx9500-6C8809#show adoption log adoptee on ap7532-DF9A4C
2019-08-12 21:31:36:Received OK from cfgd, adoption complete to 19.6C.88.09
2019-08-12 21:31:36:Waiting for cfgd OK, adopter should be 19.6C.88.09
2019-08-12 21:31:36:Adoption state change: 'Connecting to adopter' to 'Waiting for Adoption OK'
2019-08-12 21:31:36:Adoption state change: 'No adopters found' to 'Connecting to adopter'
2019-08-12 21:31:36:Try to adopt to 19.6C.88.09 (cluster master 19.6C.88.09 in adopters)
2019-08-12 21:31:36:MLCP created VLAN link on VLAN 1, offer from B4-C7-99-6C-88-09
2019-08-12 21:31:36:MLCP VLAN link already exists
2019-08-12 21:31:36:Sending MLCP Request to B4-C7-99-6C-88-09 vlan 1
2019-08-12 21:28:19:Adoption state change: 'Waiting to retry' to 'No adopters found'
2019-08-12 21:28:09:cfgd notified dpd2 of unadoption, restart adoption after 10 seconds
2019-08-12 21:28:09:Adoption state change: 'Adopted' to 'Waiting to retry'
2019-08-12 21:28:09:Adopter 19.6C.88.09 is no longer reachable, cfgd notified
2019-08-12 21:28:09:All adopters lost, restarting MLCP
2019-08-12 21:28:05:MLCP link vlan-1 offerer 19.6C.88.09 lost, restarting discovery
2019-08-06 13:15:17:Received OK from cfgd, adoption complete to 19.6C.88.09
2019-08-06 13:15:17:Waiting for cfgd OK, adopter should be 19.6C.88.09
--More--
nx9500-6C8809#
bluetooth
Displays Bluetooth radio statistics for RF Domain member access points. The AP-8432 and AP-8533
model access points utilize a built-in Bluetooth chip for specific Bluetooth functional behaviors in a
WiNG managed network. Both these model access points support the Bluetooth classic and Bluetooth
low energy (BLE) technology. These platforms use their Bluetooth classic enabled radio to sense other
Bluetooth enabled devices and report device data (MAC address, RSSI and device calls) to an ADSP
server for intrusion detection. If the device presence varies in an unexpected manner, ADSP can raise an
alarm.
The AP-8432 and AP-8533 model access points support Bluetooth beaconing to emit either iBeacon or
Eddystone-URL beacons. The access point’s Bluetooth radio sends non-connectable, undirected low-
energy (LE) advertisement packets periodically. These advertisement packets are short and sent on
Bluetooth advertising channels that conform to already-established iBeacon and Eddystone-URL
standards.
Syntax
show bluetooth radio {detail|on}
show bluetooth radio {detail {<DEVICE-NAME> <1-1>|filter bluetooth-radio-mac <BT-RADIO-MAC>}}
{(on <DEVICE-OR-DOMAIN-NAME>)}
Parameters
show bluetooth radio {detail {<DEVICE-NAME> <1-1>|filter bluetooth-radio-mac <BT-RADIO-MAC>}}
{(on <DEVICE-OR-DOMAIN-NAME>)}
bluetooth radio Displays Bluetooth radio utilization statistics based on the parameters
passed
detail <DEVICE-NAME> <1-1> Optional. Displays detailed Bluetooth radio utilization statistics.
Optionally, to view detailed information for a specific access point’s
Bluetooth radio, specify the access point’s and the radio’s MAC
addresses.
• <DEVICE-NAME> <1-1> – Optional. Specify the access point’s
hostname or MAC address.
◦ <1-1> – Specify the bluetooth radio interface index number
from 1 - 1. As of now only one Bluetooth radio interface is
supported. The Interface index number is appended to the
AP’s hostname or MAC address in the following format:
ap8533-06FBE1:B1 OR 74-67-F7-06-FB-E1:B1
The following information is displayed:
• access point’s hostname as its network identifier
• access point’s alias. If an alias has been defined for the access
point, it is listed here. The alias value is expressed in the form of
<hostname>:B<Bluetooth_radio_number>. If the access point has
an administrator-assigned hostname, it is used in place of the
access point’s default hostname.
• access point’s factory encoded MAC address
• access point and bluetooth radio’s administrator assigned area of
deployment (the AP’s geographical location)
• bluetooth radio’s state (on/off)
• bluetooth radio’s reason for inactivity (in case the radio is off)
• bluetooth radio’s factory encoded MAC address serving as this
device’s hardware identifier on the network
• bluetooth radio’s functional mode: bt-sensor or le-beacon
• bluetooth radio’s beacon period
• bluetooth radio’s beacon type
• descriptive text on any error that’s preventing the Bluetooth radio
from operating
filter bluetooth-radio-mac <BT-RADIO-MAC> Optional. Specifies additional filters to get table values. Filters data
based on the Bluetooth radio’s MAC address.
• <BT-RADIO-MAC> – Specify the Bluetooth radio’s MAC address.
The system only displays statistics related to the specified
Bluetooth radio.
on <DEVICE-OR-DOMAIN-NAME> The following keywords are recursive and common to all of the above.
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays Bluetooth
radio statistics on a specified device or RF Domain
◦ <DEVICE-OR-DOMAIN-NAME> – Specify the name of the
device or RF Domain. If the device name is explicitly given, the
results display data for the specified AP only. If the RF Domain
is explicitly given, the results display data for all APs within the
specified RF Domain.
If no device/RF Domain is specified, the results include data for all
Bluetooth radios within the controller’s RF Domain.
If the controller is in the “on rf-domain all” mode, the results include
data for all Bluetooth radios for all APs in each domain known to the
controller.
Examples
nx9500-6C8809(config)#show bluetooth radio on ap8533-06F808
-----------------------------------------------------------------------------
BLUETOOTH RADIO RADIO MAC MODES STATE
-----------------------------------------------------------------------------
ap8533-06F808:B1 74-67-F7-08-A3-B0 BLE-Beacon On
-----------------------------------------------------------------------------
Total number of Bluetooth radios displayed: 0
nx9500-6C8809(config)#
nx9500-6C8809(config)#show bluetooth radio detail 74-67-F7-06-F8-08 1
Radio: 74-67-F7-06-F8-08:B1, alias ap8533-06F808:B1
STATE : Off [shutdown in cfg]
PHY INFO : MAC: 74-67-F7-08-A3-B0
ACCESS POINT : Name: ap8533-06F808 Location: default Placement: Indoor
ENABLED MODES : BLE-Beacon
BEACON TYPES : Eddystone-URL
BEACON PERIOD : 1000ms
Last error :
nx9500-6C8809(config)#
boot
Displays a device’s boot configuration. Use this command to view the primary and secondary image
details, such as Build Date, Install Date, and Version. This command also displays the current boot and
next boot information.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show boot {on <DEVICE-NAME>}
Parameters
show boot {on <DEVICE-NAME>}
Examples
ap7532-DF9A4C#show boot
--------------------------------------------------------------------------------
IMAGE BUILD DATE INSTALL DATE VERSION
--------------------------------------------------------------------------------
Primary 05/25/2019 06:43:28 06/03/2019 15:25:22 5.9.5.0-004D
Secondary 07/31/2019 17:14:41 08/06/2019 13:10:02 5.9.6.0-003D
--------------------------------------------------------------------------------
Current Boot : Secondary
Next Boot : Secondary
Software Fallback : Enabled
ap7532-DF9A4C#
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
IMAGE BUILD DATE INSTALL DATE VERSION
--------------------------------------------------------------------------------
Primary 06/28/2019 09:31:40 07/01/2019 13:57:47 7.2.0.0-009D
Secondary 07/31/2019 18:44:43 08/06/2019 12:04:14 5.9.6.0-003D
--------------------------------------------------------------------------------
Current Boot : Secondary
Next Boot : Secondary
Software Fallback : Enabled
VM support : Not present
nx9500-6C8809#
nx9500-6C8809#device-upgrade rf-domain WiNG5 all
In progress ....
------------------------------------------------------------------------------------------
CONTROLLER STATUS MESSAGE
------------------------------------------------------------------------------------------
B4-C7-99-6C-88-09 Success WiNG5(device type-count: ap7562-1 ap8432-1 added for upgrade),
------------------------------------------------------------------------------------------
nx9500-6C8809#
bonjour
Displays the configured Bonjour services available on local and remote sites
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show bonjour services {on <DEVICE-NAME>}
Parameters
show bonjour services {on <DEVICE-NAME>}
bonjour services Displays the configured Bonjour services available on local and
remote sites
on <DEVICE-NAME> Optional. Displays Bonjour services available on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
Examples
nx9500-6C8809#show bonjour services on ap7532-11E6C4
------------------------------------------------------------------------------------------
SERVICE_NAME INSTANCE_NAME IP:PORT VLAN-ID VLAN_TYPE EXPIRY
------------------------------------------------------------------------------------------
_pdl-datastream._tcp.local Brother MFC-8510DN._pdl-datastream._tcp.local 172.110.0.146:9100 110 Local Tue Sep 12 02:07:44 2017
captive-portal
Displays WLAN captive portal information. Use this command to view a configured captive portal’s
client information.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show captive-portal sessions {include-ipv6|on <DEVICE-OR-DOMAIN-NAME>|statistics}
{(filter [captive-portal [<CAPTIVE-PORTAL>|not <CAPTIVE-PORTAL>]|ip [<IPv4>|not <IPv4>]|
ipv6 [<IPv6>|not <IPv6>]|state [pending|success|not [pending|success]]|vlan [<VLAN-ID>|
not <VLAN-ID>]|wlan [<WLAN-NAME>|not <WLAN-NAME>]])}
Parameters
show captive-portal sessions {include-ipv6|on <DEVICE-OR-DOMAIN-NAME>|statistics}
{(filter [captive-portal [<CAPTIVE-PORTAL>|not <CAPTIVE-PORTAL>]|ip [<IPv4>|not <IPv4>]|
ipv6 [<IPv6>|not <IPv6>]|state [pending|success|not [pending|success]]|vlan [<VLAN-ID>|
not <VLAN-ID>]|wlan [<WLAN-NAME>|not <WLAN-NAME>]])}
filter This parameter is recursive and can be used with any of the above parameters to
define additional filters.
Optional. Defines additional filters. Use one of the following options: captive-portal,
ip, ipv6, state, vlan, or wlan.
captive-portal [<CAPTIVE-PORTAL>|not <CAPTIVE-PORTAL>] Optional. Displays captive portal client and client session information, based on
the captive portal name passed
• <CAPTIVE-PORTAL> – Specify the captive portal name. Displays client details
for the specified captive portal.
• not <CAPTIVE-PORTAL> – Inverts the match selection. Displays client details
for all captive portals other than the specified captive portal.
ip [<IPv4>|not <IPv4>] Optional. Displays captive portal client/client sessions information, based on the
IPv4 address passed
• <IPv4> – Specify the client’s IPv4 address. Displays information of the client
identified by the <IPv4> parameter.
• not <IPv4> – Inverts the match selection. Displays client details for all clients
other than the one identified by the <IPv4> parameter.
ipv6 [<IPv6>|not <IPv6>] This filter option is available only for the ‘include-ipv6’ keyword.
Optional. Displays captive portal client/client sessions information, based on the
IPv6 address passed
• <IPv6> – Specify the client’s IPv6 address. Displays information of the client
identified by the <IPv6> parameter
• not <IPv6> – Inverts the match selection. Displays client details for all clients
other than the one identified by the <IPv6> parameter.
state [pending|success|not [pending|success]] Optional. Filters clients/client sessions based on the client’s authentication state
• pending – Displays information of clients redirected for authentication
• success – Displays information of successfully authenticated clients
• not [pending|success] – Inverts match selection
◦ pending – Displays information of successfully authenticated clients
(opposite of pending authentication)
◦ success – Displays information of clients redirected for authentication
(opposite of successful authentication)
vlan [<VLAN-ID>|not <VLAN-ID>] Optional. Displays captive portal client/client sessions information based on the
VLAN ID passed
• <VLAN-ID> – Specify the VLAN ID. Displays client details for the specified
VLAN.
• not <VLAN-ID> – Inverts match selection. Displays client details for all VLANs
other than the one identified by the <VLAN-ID> parameter.
wlan [<WLAN-NAME>|not <WLAN-NAME>] Optional. Displays captive portal client/client sessions information based on the
WLAN name passed
• <WLAN-NAME> – Specify the WLAN name. Displays client details for the
specified WLAN.
• not <WLAN-NAME> – Inverts match selection. Displays client details for all
WLANs other than the one identified by the <WLAN-NAME> parameter.
Examples
rfs4000-229D58#show captive-portal sessions
=======================================================================================
CLIENT IPv4 CAPTIVE-PORTAL WLAN/PORT VLAN STATE SESSION TIME
---------------------------------------------------------------------------------------
00-26-55-F4-5F-79 192.168.3.99 cappo rfs4000-229D58:ge2 400 Success 23:58:35
=======================================================================================
Total number of captive portal sessions displayed: 1
rfs4000-229D58#
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show captive-portal-page-upload [history|list-files|load-image-status|status]
show captive-portal-page-upload load-image-status
show captive-portal-page-upload history {on <RF-DOMAIN-NAME>}
show captive-portal-page-upload status {on [<RF-DOMAIN-NAME>|<RF-DOMAIN-MANAGER>]}
show captive-portal-page-upload list-files <CAPTIVE-PORTAL-NAME>
Parameters
show captive-portal-page-upload load-image-status
load-image-status Displays captive portal advanced page file upload status on the logged device
list-files <CAPTIVE-PORTAL-NAME> Displays a list of all captive portal Web page files, of a specified captive portal, uploaded (internal and advanced page files)
• <CAPTIVE-PORTAL-NAME> – Specify the captive portal name.
Examples
nx7500-7F2C13#captive-portal-page-upload CP-BW all
--------------------------------------------------------------------------------
CONTROLLER STATUS MESSAGE
--------------------------------------------------------------------------------
84-24-8D-7F-2C-13 Success Added 1 APs to upload queue
--------------------------------------------------------------------------------
nx7500-7F2C13#
nx7500-7F2C13#show captive-portal-page-upload load-file-status
Download of CP-BW page file is complete
nx7500-7F2C13#
nx7500-7F2C13#show captive-portal-page-upload list-files CP-BW
--------------------------------------------------------------------------------
NAME SIZE LAST MODIFIED
--------------------------------------------------------------------------------
CP-BW-1.tar.gz 6133 2016-05-16 10:38:40
CP-BW.tar.gz 3370 2016-05-16 10:45:44
--------------------------------------------------------------------------------
nx7500-7F2C13#
cdp
Displays the CDP neighbor table
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show cdp [neighbors|report] {detail {on <DEVICE-NAME>}|on <DEVICE-NAME>}
Parameters
show cdp [neighbors|report] {detail {on <DEVICE-NAME>}|on <DEVICE-NAME>}
cdp [neighbors|report] Displays CDP neighbors table or aggregated CDP neighbors table
detail {on <DEVICE-NAME>} Optional. Displays detailed CDP neighbors table or aggregated CDP
neighbors table
• on <DEVICE-NAME> – Optional. Displays table details on a
specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
Examples
advertisement version: 2
Native VLAN: 1
Duplex: full
Version :
5.9.2.0-007D
-------------------------
Device ID: ap7532-80C2AC
Entry address(es):
IP Address: 192.168.13.28
Platform: AP-7532-67040-WR, Capabilities: Router Switch
Interface: ge1, Port ID (outgoing port): ge1
Hold Time: 169 sec
--More--
nx9500-6C8809#
classify-url
Displays a specified URL’s category. Use this command to query the category of a specific URL. The
query is sent to a configured classification server. This option is available only if a valid URL filter license
is available.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show classify-url [<URL-TO-QUERY>|datacenter <URL-TO-QUERY>]
Parameters
show classify-url [<URL-TO-QUERY>|datacenter <URL-TO-QUERY>]
Examples
nx9500-6C8809#show classify-url www.google.com
Categories: search-engines-portals,
Custom Categories:
nx9500-6C8809#
nx9500-6C8809#show classify-url www.ndtv.com
Categories: news,
Custom Categories: list1,
nx9500-6C8809#
clock
Displays system clock on the logged device or on a specified device
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
show clock {on <DEVICE-NAME>}
Parameters
show clock {on <DEVICE-NAME>}
Examples
ap8432-070235>show clock
2018-01-09 02:34:22 UTC
ap8432-070235>
cluster
Displays cluster information (cluster configuration parameters, members, status, etc.)
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show cluster [configuration|history|members|status]
show cluster [configuration|history {on <DEVICE-NAME>}|members {detail}|status]
Parameters
show cluster [configuration|history {on <DEVICE-NAME>}|members {detail}|status]
Examples
nx9500-6C8809(config)#show cluster configuration
Cluster Configuration Information
Name : SiteConRFS6k
Configured Mode : Active
Master Priority : 128
Force configured state : Disabled
Force configured state delay : 5 minutes
Handle STP : Disabled
Radius Counter DB Sync Time : 5 minutes
nx9500-6C8809(config)#
nx9500-6C8809(config)#show cluster members detail
---------------------------------------------------------------------------------------
ID MAC MODE AP COUNT AAP COUNT AP LICENSE AAP LICENSE VERSION
---------------------------------------------------------------------------------------
70.38.06.49 00-15-70-38-06-49 Active 0 1 0 0 5.9.2.0-007D
70.81.74.2D 00-15-70-81-74-2D Active 0 0 1 0 9.2.0-007D
---------------------------------------------------------------------------------------
nx9500-6C8809(config)#
nx9500-6C8809(config)#show cluster status
Cluster Runtime Information
Protocol version : 1
Cluster operational state : active
AP license : 0
AAP license : 0
AP count : 0
AAP count : 0
Max AP adoption capacity : 1024
Number of connected member(s): 0
nx9500-6C8809(config)#
cmp-factory-certs
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show cmp-factory-certs {all}
Parameters
show cmp-factory-certs {all}
cmp-factory-certs {all} Displays factory installed CMP certificates on the logged device.
Optionally use the ‘all’ keyword to view certificate details.
Examples
nx9500-6C8809>show cmp-factory-certs
No CMP factory certificate exist
nx9500-6C8809>
commands
Displays commands available for the current mode
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show commands
Parameters
None
Examples
v(config)#show commands
help
help search WORD (|detailed|only-show|skip-show|skip-no)
show commands
show adoption log adoptee(|on DEVICE-NAME)
show adoption log adopter (|mac AA-BB-CC-DD-EE-FF)(|on DEVICE-NAME)
show adoption info (|on DEVICE-NAME)
show adoption status (|on DEVICE-NAME)
show adoption status summary (|on DEVICE-NAME)
show adoption config-errors DEVICE-NAME
show adoption offline
show adoption pending (|on DEVICE-NAME)
show adoption history (|on DEVICE-NAME)
show adoption timeline (|on DEVICE-NAME)
show adoption controllers (|on DEVICE-NAME)
show adoption controllers include-ipv6(|on DEVICE-NAME)
show debugging (|on DEVICE-OR-DOMAIN-NAME)
show debugging cfgd(|on DEVICE-NAME)
show debugging fib(|on DEVICE-NAME)
show debugging adoption (|on DEVICE-OR-DOMAIN-NAME)
show debugging wireless (|on DEVICE-OR-DOMAIN-NAME)
show debugging snmp (|on DEVICE-NAME)
show debugging ssm (|on DEVICE-NAME)
show debugging voice (|on DEVICE-OR-DOMAIN-NAME)
--More--
rfs4000-880DA7(config)#
context
Displays the current context details
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show context {include-factory|session-config {include-factory}}
Parameters
show context {include-factory|session-config {include-factory}}
Examples
ap8432-070235>show context
!
! Configuration of AP8432 version 5.9.2.0-008D
!
!
version 2.5
!
!
client-identity-group default
load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
--More--
ap8432-070235>
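The access list shown in the `show context` example can be reviewed offline from a saved capture. The Python below is an added example, not part of this guide or of any Extreme Networks tooling; it assumes the rule shape seen in the sample lines, that rules are tried in ascending rule-precedence with the first match winning, and that the protocol keyword `ip` matches every IP protocol.

```python
import re
from typing import Dict, Iterator, List, NamedTuple

# Constructed sample: the access list from the `show context` example, wrapped
# mid-description and ending in a pager marker as a terminal capture might be.
SAMPLE = '''\
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP
replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny
windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local
broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
--More--
'''

RULE_RE = re.compile(r'^(permit|deny)\s+(\S+)\s+(.+?)\s+rule-precedence\s+(\d+)'
                     r'(?:\s+rule-description\s+"(.*)")?$')

ANY = ("any", None)  # an endpoint is (address, port qualifier or None)

class Rule(NamedTuple):
    acl: str
    action: str
    proto: str
    src: tuple
    dst: tuple
    precedence: int
    description: str

def covers(a: Rule, b: Rule) -> bool:
    # Every packet matching b also matches a. Addresses are compared as text.
    return a.proto in ("ip", b.proto) and all(
        x[0] in ("any", y[0]) and x[1] in (None, y[1])
        for x, y in ((a.src, b.src), (a.dst, b.dst)))

def overlaps(a: Rule, b: Rule) -> bool:
    # Some packet can match both rules (same textual simplification).
    return ("ip" in (a.proto, b.proto) or a.proto == b.proto) and all(
        ("any" in (x[0], y[0]) or x[0] == y[0]) and (None in (x[1], y[1]) or x[1] == y[1])
        for x, y in ((a.src, b.src), (a.dst, b.dst)))

def logical_lines(text: str) -> Iterator[str]:
    """Drop pager markers and rejoin lines wrapped inside a quoted description."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--More--":
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count('"') % 2 == 0:
            yield buf
            buf = ""
    if buf:
        yield buf

def take_endpoint(tokens: List[str]) -> tuple:
    # Consume one address and its optional `eq P` / `range P1 P2` qualifier.
    head = tokens.pop(0)
    addr = f"host {tokens.pop(0)}" if head == "host" else head
    width = {"eq": 2, "range": 3}.get(tokens[0], 0) if tokens else 0
    ports = " ".join(tokens[:width]) or None
    del tokens[:width]
    return (addr, ports)

def parse_rules(text: str) -> List[Rule]:
    rules, acl = [], None
    for line in logical_lines(text):
        match = RULE_RE.match(line)
        if line.startswith("ip access-list "):
            acl = line.split()[2]
        elif line == "!":
            acl = None  # "!" closes a configuration block
        elif acl and match:
            tokens = match.group(3).split()
            try:
                src, dst = take_endpoint(tokens), take_endpoint(tokens)
            except IndexError:
                continue  # does not fit the assumed rule shape
            rules.append(Rule(acl, match.group(1), match.group(2), src, dst,
                              int(match.group(4)), match.group(5) or ""))
    return sorted(rules, key=lambda r: (r.acl, r.precedence))

def audit(rules: List[Rule]) -> Dict[str, list]:
    """Assumes rules are tried in ascending rule-precedence and first match wins."""
    report = {"shadowed": [], "exceptions": [], "catch_all_permit": []}
    for i, rule in enumerate(rules):
        for prev in (r for r in rules[:i] if r.acl == rule.acl):
            pair = (prev.precedence, rule.precedence)
            if covers(prev, rule):
                report["shadowed"].append(pair)    # rule can never match
            elif (prev.action, rule.action) == ("permit", "deny") and overlaps(prev, rule):
                report["exceptions"].append(pair)  # permitted before the deny applies
        if rule.action == "permit" and rule.proto == "ip" and (rule.src, rule.dst) == (ANY, ANY):
            report["catch_all_permit"].append(rule.precedence)
    return report
```

On the sample, `audit(parse_rules(SAMPLE))` reports no shadowed rules, lists the TCP and DHCP permits (10, 11) as exceptions ahead of the multicast and broadcast denies (21, 22), and flags rule 100 as a catch-all permit, so the list blocks only the traffic it names.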
critical-resources
Displays critical resource information. Critical resources are resources vital to the network.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show critical-resources {on <DEVICE-NAME>}
Parameters
show critical-resources {on <DEVICE-NAME>}
Examples
rfs4000-229D58(config)#show critical-resources
--------------------------------------------------------------------------
CRITICAL RESOURCE IP VLAN PING-MODE STATE
--------------------------------------------------------------------------
172.168.1.103 1 arp-icmp up
--------------------------------------------------------------------------
rfs4000-229D58(config)#
crypto
Displays encryption mode information
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show crypto [cmp|ike|ipsec|key|pki]
show crypto cmp request status
show crypto ike sa {detail|on|peer|version}
show crypto ike sa {detail|peer <IP>} {on <DEVICE-NAME>}
show crypto ike sa {version [1|2]} {peer <IP>} {(on <DEVICE-NAME>)}
show crypto ipsec sa {detail|on|peer}
show crypto ipsec sa {detail} {on <DEVICE-NAME>}
show crypto ipsec sa {peer <IP>} {detail} {(on <DEVICE-NAME>)}
show crypto key rsa {on|public-key-detail}
show crypto key rsa {public-key-detail} {(on <DEVICE-NAME>)}
show crypto pki trustpoints {<TRUSTPOINT-NAME>|all|on}
show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {(on <DEVICE-NAME>)}
Parameters
show crypto cmp request status
crypto cmp request status Displays current status of in-progress certificate management
protocol (CMP) requests
For more information, see CRYPTO-CMP-POLICY on page 2027.
peer <IP> Optional. Displays IKE SA version statistics for a specified peer
• <IP> – Specify the peer’s IP address in the A.B.C.D format
on <DEVICE-NAME> The following keyword is recursive and common to the ‘peer ip’
parameter:
• on <DEVICE-NAME> – Optional. Displays IKE SA statistics on a
specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
crypto ipsec sa Displays Internet Protocol Security (IPSec) SA statistics. The IPSec
encryption authenticates and encrypts each IP packet in a
communication session
detail Optional. Displays detailed IPSec SA statistics
on <DEVICE-NAME> Optional. Displays IPSec SAs on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
crypto ipsec sa Displays IPSec SA statistics. The IPSec encryption authenticates and
encrypts each IP packet in a communication session
peer <IP> detail Optional. Displays IPSec SA statistics for a specified peer
• <IP> – Specify the peer’s IP address in the A.B.C.D format.
◦ detail – Displays detailed IPSec SA statistics for the specified
peer
crypto pki trustpoints Displays WLAN trustpoints
This command displays all trustpoints including CMP-generated
trustpoints.
<TRUSTPOINT-NAME> Optional. Displays a specified trustpoint details. Specify the
trustpoint name.
all Optional. Displays details of all trustpoints
on <DEVICE-NAME> The following keyword is recursive and common to the ‘trustpoint-name’ and ‘all’ parameters:
• on <DEVICE-NAME> – Optional. Displays trustpoints configured
on a specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
Examples
nx9500-6C8809(config)#show crypto key rsa public-key-detail
nx9500-6C8809(config)#
nx9500-6C8809>show crypto cmp request status
CMP Request Status: ir-req-reset
nx9500-6C8809>
database
Syntax
show database [backup-status|keyfile|restore-status|statistics|status|users]
{on <DEVICE-NAME>}
Parameters
show database [backup-status|keyfile|restore-status|statistics|status|users]
{on <DEVICE-NAME>}
Examples
vx9000-D031F2(config)#show database backup-status detail
Last Database Backup Status : Failed(Error in ftp: 1)
Last Database Backup Time : 2017-04-11 08:03:10
-----------------------------------------------
Starting backup of mart ...
connected to: 127.0.0.1
2015-05-20T14:02:46.340+0530 DATABASE: mart to dump/mart
2015-05-20T14:02:46.341+0530 mart.system.indexes to dump/mart/system.indexes.bson
2015-05-20T14:02:46.341+0530 61 documents
2015-05-20T14:02:46.341+0530 mart.wlan_info to dump/mart/wlan_info.bson
2015-05-20T14:02:46.341+0530 5 documents
2015-05-20T14:02:46.342+0530 Metadata for mart.wlan_info to dump/mart/wlan_info.metadata.json
2015-05-20T14:02:46.342+0530 mart.rf_domain_info to dump/mart/rf_domain_info.bson
2015-05-20T14:02:46.342+0530 21 documents
2015-05-20T14:02:46.342+0530 Metadata for mart.rf_domain_info to dump/mart/rf_domain_info.metadata.json
--More--
vx9000-D031F2(config)#
vx9000-D031F2(config)#show database status
--------------------------------------------------------------------------------
MEMBER STATE ONLINE TIME
--------------------------------------------------------------------------------
localhost PRIMARY 2 days 3 hours 45 min 24 sec
--------------------------------------------------------------------------------
Authentication: Disabled Authentication User: None
--------------------------------------------------------------------------------
[*] indicates this device.
vx9000-D031F2(config)#
vx9000-D031F2(config)#show database statistics
--------------------------------------------------------------------------------
DATABASE STORAGE SIZE DATA SIZE INDEX SIZE DISK FREE
--------------------------------------------------------------------------------
admin 32k 335 48k 594.5G
captive-portal 4k 0 24k 594.5G
nsightcache 96k 2.0k 264k 594.5G
nsight 26.1M 136.6M 18.9M 594.5G
--------------------------------------------------------------------------------
vx9000-D031F2(config)#
nx9500-6C8809#show database keyfile
nx9500-6C8809#
device-upgrade
Displays firmware upgrade information for devices adopted by a wireless controller or access point
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show device-upgrade [history|load-image-status|status|versions]
show device-upgrade [history {on <DOMAIN-NAME>}|load-image-status|
versions {on <DEVICE-OR-DOMAIN-NAME>}]
show device-upgrade status {on [<DOMAIN-NAME>|rf-domain-manager]|
summary {on <DOMAIN-NAME>}}
Parameters
show device-upgrade [history {on <DOMAIN-NAME>}|load-image-status|
versions {on <DEVICE-OR-DOMAIN-NAME>}]
load-image-status Displays firmware image loading status. The output displays the <DEVICE> image loading status in percentage.
For example,
#show device-upgrade load-image-status
Download of ap81xx firmware file is 47 percent complete
versions {on <DEVICE-OR-DOMAIN-NAME>} Displays firmware image versions
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays firmware image versions loaded on specified device or RF Domain.
◦ <DEVICE-OR-DOMAIN-NAME> – Specify the AP, wireless controller, service platform, or RF Domain name.
Examples
NOC-NX9500#device-upgrade rf-domain default all
In progress ....
----------------------------------------------------------------------------------------------------
CONTROLLER STATUS MESSAGE
----------------------------------------------------------------------------------------------------
B4-C7-99-6C-88-09 Success default(device type-count: ap7532-1 ap7562-1 added for upgrade),
----------------------------------------------------------------------------------------------------
NOC-NX9500#
NOC-NX9500#show device-upgrade status
Number of devices currently being upgraded : 1
Number of devices waiting in queue to be upgraded : 0
Number of devices currently being rebooted : 0
Number of devices waiting in queue to be rebooted : 1
Number of devices failed upgrade : 0
--------------------------------------------------------------------------------------------------------------
DEVICE STATE UPGRADE TIME REBOOT TIME PROGRESS RETRIES LAST UPDATE ERROR UPGRADED BY
--------------------------------------------------------------------------------------------------------------
ap7532-DF9A4C wait for reboot immediate immediate 0 0 - NOC-NX9500
ap7562-84A224 downloading immediate immediate 88 0 - NOC-NX9500
--------------------------------------------------------------------------------------------------------------
NOC-NX9500#
NOC-NX9500#show device-upgrade history
-------------------------------------------------------------------------------------------------
Device RESULT TIME RETRIES UPGRADED-BY LAST-UPDATE-ERROR
-------------------------------------------------------------------------------------------------
--More--
NOC-NX9500#
dot1x
Displays dot1x information on interfaces. Dot1x (or 802.1x) is an IEEE standard for network
authentication. Devices supporting dot1x can be provisioned and connected to the wireless
network automatically, without launching a Web browser at login. When within range of a dot1x
network, a device automatically connects and authenticates without the user needing to log in manually.
Note
Dot.1x supplicant configuration is supported on the following platforms:
• Access Points – AP 6522, AP 6562, AP 7161, AP 7502, AP-7522, AP 7532, AP 7562,
AP-8163, AP-8432, AP-8533
• Wireless Controllers – RFS 4000
• Service Platforms – NX 5500, NX 75XX
Note
Dot.1x authenticator configuration is supported on the following platforms:
• Access Points – AP 6522, AP 7161, AP 7161, AP 7502, AP-8163
• Wireless Controllers – RFS 4000
• Service Platforms – NX 5500, NX 75XX
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show dot1x {all|interface|on}
show dot1x {all {on <DEVICE-NAME>}|on <DEVICE-NAME>}
show dot1x {interface [<INTERFACE-NAME>|ge <1-4>|port-channel <1-2>]} {on <DEVICE-NAME>}
Parameters
show dot1x {all {on <DEVICE-NAME>}|on <DEVICE-NAME>}
dot1x all {on <DEVICE-NAME>} Optional. Displays dot1x information for all interfaces
• on <DEVICE-NAME> – Optional. Displays dot1x information for all interfaces on a specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
dot1x {on <DEVICE-NAME>} Optional. Displays dot1x information for interfaces on a specified
device
• <DEVICE-NAME> – Specify the name of AP, wireless controller, or
service platform.
dot1x interface Optional. Displays dot1x information for a specified interface or interface type
<INTERFACE-NAME> Displays dot1x information for the layer 2 (Ethernet port) interface specified by
the <INTERFACE-NAME> parameter
on <DEVICE-NAME> The following keywords are common to all of the above parameters:
• on <DEVICE-NAME> – Optional. Displays dot1x interface information on a
specified device
◦ <DEVICE-NAME> – Specify the name of AP, wireless controller, or service
platform.
Examples
ap8432-070235>show dot1x all
802.1X information
------------------------------
SysAuthControl : disabled
Guest-Vlan : disabled
AAA-Policy : none
Holdtime : 60
ap8432-070235>
dpi
Displays Deep Packet Inspection (DPI) statistics for all configured and canned applications. DPI is an
advanced packet analysis technique, which analyzes packet and packet content headers to determine
the nature of network traffic. When DPI is enabled, packets of all flows are subjected to DPI to get
accurate results. DPI identifies applications (such as, Netflix, Twitter, Facebook, etc.) and also extracts
metadata (such as, host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall.
Note
The show > dpi command returns results only if executed on a device that supports DPI
and has DPI logging enabled. DPI logging can be enabled either on the device or on the
profile applied to the device. For more information, see dpi on page 1088 (profile config
mode).
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show dpi [app|app-category|application|application-policy|per-category]
show dpi app wireless-clients stats <MAC> {on <DEVICE-OR-DOMAIN-NAME>}
show dpi [app|app-category] stats [<APPLICATION/APP-CATEGORY-NAME>|all]
{on <DEVICE-OR-DOMAIN-NAME>}
show dpi application-policy stats <APPLICATION-POLICY-NAME>
{on <DEVICE-OR-DOMAIN-NAME>}
show dpi application brief
show dpi per-category stats <APP-CATEGORIES> [bytes-in|bytes-out|total-bytes]
{on <DEVICE-OR-DOMAIN-NAME>}
Parameters
show dpi app wireless-clients stats <MAC> {on <DEVICE-OR-DOMAIN-NAME>}
dpi app wireless-clients <MAC> Displays application-related statistics for all or a specified wireless client
• <MAC> – Displays statistics for a specified wireless client. Specify the client’s MAC address.
dpi [app|app-category] stats Displays statistics for an application or application category
• app – Displays statistics for a specified application or all applications
• app-category – Displays statistics for a specified application category or all categories.
dpi application brief Displays a brief summary of applications, their status, and configuration
dpi per-category stats Displays statistics for the top ten applications based on the
application category and the Sort ID specified. The Sort ID options
are: bytes-in, bytes-out or total-bytes.
<APP-CATEGORIES> Specify the application category name. The system displays statistics
for the top ten applications in this category.
[bytes-in|bytes-out| total-bytes] Filters and displays statistical data for the top ten utilized
applications in respect to the following:
• bytes-in – Displays total data bytes uploaded through the
controller managed network. If this application data is not
aligned with application utilization expectations, consider
allowing or denying additional applications and categories or
adjusting their precedence (priority).
• bytes-out – Displays total data bytes downloaded through the
controller managed network. If this application data is not
aligned with application utilization expectations, consider
allowing or denying additional applications and categories or
adjusting their precedence (priority).
• total-bytes – Displays total data bytes (uploaded and
downloaded) through the controller managed network. These are
only the administrator allowed applications approved for
proliferation within the managed network.
Examples
nx9500-6C8809>show dpi application brief
1-clickshare-com
This application recognizes DirectDownloadLink 1-clickshare
traffic
Application Category : filetransfer
Predefined Application : Yes
1-upload-com
This application recognizes DirectDownloadLink 1-upload-com
traffic
Application Category : filetransfer
environmental-sensor
Displays environmental sensor’s recorded data. The environmental sensor has to be enabled and
configured in order to collect data related to humidity, light, motion, and temperature.
Note
The environmental sensor is supported only on an AP 8132. When executed on any controller
(other than an AP 8132), the show > environmental-sensor > <parameters>
command displays environmental-sensor details for adopted AP 8132s (if any).
• AP 8132
Syntax
show environmental-sensor [history|humidity|light|motion|summary|temperature|
version]
show environmental-sensor history {<1-HOUR>|<20-MINUTE>|<24-HOUR>}
show environmental-sensor [humidity|light|motion|summary|temperature|version]
Parameters
show environmental-sensor history {<1-HOUR>|<20-MINUTE>|<24-HOUR>}
environmental-sensor history Displays environmental sensor history once in every hour, 20 minutes,
or 24 hours
History includes the humidity, light, motion, and temperature data
recorded by the sensor at specified time interval.
1 hour Optional. Displays environmental sensor history once in every 1 (one)
hour
Examples
ap8132-711728#show environmental-sensor summary
Maat Device uptime: 0 days 15:25:11
ERROR: Maat device is offline!
threshold polling-interval: 5
historical data polled 0 times per 2-minutes interval since Maat online
motion-sensor: Enabled(Demo)
current value: 0 detected
-------------------------------
motion detected
-------------------------------
20-minute 0
1-hour 0
6-hour 0
24-hour 0
temperature-sensor: Enabled(Demo)
current value: -40.00 deg. C
-------------------------------
min/average/max
-------------------------------
20-minute 0/0/0
1-hour 0/0/0
6-hour 0/0/0
24-hour 0/0/0
light-sensor: Enabled
threshold-high:+400.00 threshold-low:+200.00 holdtime:11
action radio-shutdown: radio-1 and radio-2
light-on:1
light-on/off event sent:0/0
current value: 0.00 lux
-------------------------------
min/average/max
-------------------------------
20-minute 0/0/0
1-hour 0/0/0
6-hour 0/0/0
24-hour 0/0/0
humidity-sensor: Enabled(Demo)
event-history
Displays event history report
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show event-history {on <DEVICE-OR-DOMAIN-NAME>}
Parameters
show event-history {on <DEVICE-OR-DOMAIN-NAME>}
Examples
nx9500-6C8809#show event-history
Generated on '2017-09-21 05:19:55 UTC' by 'admin'
event-system-policy
Displays detailed event system configuration
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show event-system-policy [config|detail] <EVENT-SYSTEM-POLICY-NAME>
Parameters
show event-system-policy [config|detail] <EVENT-SYSTEM-POLICY-NAME>
Examples
nx9500-6C8809(config)#show event-system-policy config testpolicy
--------------------------------------------------------------------------
MODULE EVENT SYSLOG SNMP FORWARD EMAIL
--------------------------------------------------------------------------
aaa radius-discon-msg on on on default
--------------------------------------------------------------------------
nx9500-6C8809(config)#
ex3500
Syntax
show ex3500 [dir|interfaces|system|upgrade|version|whichboot]
show ex3500 dir {boot-rom|config|on|opcode} {<FILE-NAME>}
{on <EX3500-DEVICE-NAME>}
show ex3500 interfaces counters [ether-like stats|ethernet <1-1> <1-52>|
ext-if-table stats|if-table stats|portUtil stats|rmon stats]
{on <EX3500-DEVICE-NAME>}
show ex3500 [system|upgrade|version|whichboot]
{on <EX3500-DEVICE-NAME>}
Parameters
show ex3500 dir {boot-rom|config|on|opcode} {<FILE-NAME>}
{on <EX3500-DEVICE-NAME>}
ex3500 interfaces counters Displays EX3500 interface counters based on the option selected.
The options are: ether-like, ethernet, ext-if-table, if-table, portUtil, rmon
ether-like stats Displays Managed Information Base (MIB) object statistics for
Ethernet-like interfaces
ethernet <1-1> <1-52> Displays the Ethernet port statistics based on the unit identifier and
port number selected
• <1-1> – Specify the EX3500 unit’s identifier from 1 - 1.
◦ <1-52> – Specify the port number from 1 - 52. This range varies
for the EX3524 (1-28) and EX3548 (1-52) devices.
Note: This option displays the following for the selected Ethernet
interface: extended interface table stats, interface table stats, port
utilization information, and remote monitoring stats.
Examples
nx9500-6C8809#show ex3500 interfaces counters ethernet 1 17
Ethernet 1/ 17
===== IF table Stats =====
2166458 Octets Input
14734059 Octets Output
14707 Unicast Input
19806 Unicast Output
0 Discard Input
0 Discard Output
0 Error Input
0 Error Output
0 Unknown Protocols Input
0 QLen Output
===== Extended Iftable Stats =====
23 Multi-cast Input
5525 Multi-cast Output
170 Broadcast Input
11 Broadcast Output
===== Ether-like Stats =====
0 Alignment Errors
0 FCS Errors
0 Single Collision Frames
0 Multiple Collision Frames
0 SQE Test Errors
0 Deferred Transmissions
0 Late Collisions
0 Excessive Collisions
0 Internal Mac Transmit Errors
0 Internal Mac Receive Errors
0 Frames Too Long
0 Carrier Sense Errors
0 Symbol Errors
0 Pause Frames Input
0 Pause Frames Output
===== RMON Stats =====
0 Drop Events
16900558 Octets
40243 Packets
170 Broadcast PKTS
23 Multi-cast PKTS
0 Undersize PKTS
0 Oversize PKTS
0 Fragments
0 Jabbers
0 CRC Align Errors
0 Collisions
21065 Packet Size <= 64 Octets
3805 Packet Size 65 to 127 Octets
2448 Packet Size 128 to 255 Octets
797 Packet Size 256 to 511 Octets
2941 Packet Size 512 to 1023 Octets
9187 Packet Size 1024 to 1518 Octets
===== Port Utilization (recent 300 seconds) =====
0 Octets Input in kbits per second
0 Packets Input per second
0.00 % Input Utilization
0 Octets Output in kbits per second
0 Packets Output per second
0.00 % Output Utilization
nx9500-6C8809#
extdev
Syntax
show extdev error history {on <T5/EX3500-DEVICE-NAME>}
Parameters
show extdev error history {on <T5/EX3500-DEVICE-NAME>}
extdev error history Displays external device error history. This command is applicable
only to the external devices T5, and EX3500 series switches. Use this
command to view configuration error history for all or a specified
external device adopted and managed by a WiNG NX series service
platform.
on <T5/EX3500-DEVICE-NAME> Optional. Displays configuration error history on a specified T5 or EX3500 device
• <T5/EX3500-DEVICE-NAME> – Specify the name of the device.
Examples
nx9500-6C8809#show extdev error history on t5-ED5EAC
%% No History for this device
nx9500-6C8809#
fabric-attach
Displays the current status of Fabric Attach (FA) VLAN to Individual Service Identifier (I-SID)
assignments for all ports.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show fabric-attach assignments {on <DEVICE-NAME>}
Parameters
show fabric-attach assignments {on <DEVICE-NAME>}
Example
The following example shows the fabric-attach VLAN to ISID assignment configured on the
ap7532-000100 access point:
nx9600-7F3B2C#
ap7532 B8-50-01-00-01-00
use profile default-ap7532
use rf-domain default
hostname ap7532-000100
interface ge1
switchport mode trunk
switchport trunk fabric-attach vlan 110 isid 10180110
switchport trunk native vlan 110
switchport trunk native tagged
switchport trunk allowed vlan 110
interface vlan110
ip address dhcp
ip dhcp client request options all
nx9600-7F3B2C#
The following example shows the fabric-attach assignment status for the ap7532-000100 access point:
nx9600-7F3B2C#show fabric-attach assignments on ap7532-000100
nx9600-7F3B2C#
file
Displays file system information
Note
This command is not available in the USER EXEC mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show file [information <FILE>|systems]
Parameters
show file [information <FILE>|systems]
Examples
ap8432-070235#show file systems
File Systems:
file-sync
Displays file synchronization settings and status on a controller. The file-sync command syncs
wireless-bridge certificate and trustpoint between the staging-controller and its adopted access points.
The show > file-sync command displays information related to this process.
Syntax
show file-sync [configuration|history|load-file-status|status]
{on <DEVICE-OR-DOMAIN-NAME>}
Parameters
show file-sync [configuration|history|load-file-status|status]
{on <DEVICE-OR-DOMAIN-NAME>}
load-file-status Displays the status of the file upload to the controller. Use this
command to view the status of an in-progress certificate upload. For
more information on initiating a PKCS#12 certificate upload, see
file-sync on page 1100 (profile config mode).
status Displays status of the file synchronization between the controller and
its adopted access point.
on <DEVICE-OR-DOMAIN-NAME> Optional. Displays file synchronization settings and status on a
specified device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the
controller, service platform, or RF Domain.
Examples
nx9500-6C8809#show file-sync configuration
File Sync Configuration Information
Auto : Disabled
Simultaneous Upload Count : 128
Wireless Bridge Cert Load Time : Thu May 29 23:23:35 2015
nx9500-6C8809#
nx9500-6C8809#show file-sync load-file-status
Download of wireless_bridge certificate is complete
nx9500-6C8809#
nx9500-6C8809#show file-sync history
-------------------------------------------------------------------------------------
AP RESULT TIME RETRIES SYNCED-BY LAST-SYNC-ERROR
-------------------------------------------------------------------------------------
AP6522-491220 done 2015-05-27 01:37:32 B4-C7-99-6C-88-09 -
ME733ANACBMOT21 done 2015-05-27 02:02:51 0 B4-C7-99-6C-88-09 -
nx9500-6C8809#
firewall
Displays wireless firewall information, such as Dynamic Host Configuration Protocol (DHCP) snoop table
entries, denial of service statistics, active session summaries, etc.
Note
This command is not available in the USER EXEC mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show firewall [dhcp|flows|neighbors]
show firewall dhcp snoop-table {on <DEVICE-NAME>}
show firewall flows {filter|management|on|stats|wireless-client}
show firewall flows {filter} {(dir|dst port <1-65535>|ether|flow-type|icmp|
icmpv6|igmp|ip|ipv6|max-idle|min-bytes|min-idle|min-pkts|not|port|src|tcp|udp)}
show firewall flows {management {on <DEVICE-NAME>}|stats {on <DEVICE-NAME>}|
wireless-client <MAC>|on <DEVICE-NAME>}
show firewall neighbors snoop-table {on <DEVICE-NAME>}
Parameters
show firewall dhcp snoop-table {on <DEVICE-NAME>}
dst port <1-65535> Optional. Matches the destination port with the specified port
• port <1-65535> – Specifies the destination port number from 1 -
65535
icmp {code|type} Optional. Matches flows with the specified Internet Control Message
Protocol (ICMP) version 4 code and type
• code – Matches flows with the specified ICMPv4 code
• type – Matches flows with the specified ICMPv4 type
icmpv6 {code|type} Optional. Matches flows with the specified ICMP version 6 code and
type
• code – Optional. Matches flows with the specified ICMPv6 code
• type – Optional. Matches flows with the specified ICMPv6 type
ipv6 [dst <IPv6>|host <IPv6>|proto <0-254>|src <IPv6>] Optional. Filters firewall flows based on the IPv6 parameters passed
• dst <IPv6> – Matches destination IPv6 address
• host <IPv6> – Matches flows containing IPv6 address
• proto <0-254> – Matches the IPv6 protocol number with the
specified number
• src <IPv6> – Matches source IPv6 address
max-idle <1-4294967295> Optional. Filters firewall flows idle for at least the specified duration.
Specify a max-idle value from 1 - 4294967295 bytes.
min-bytes <1-4294967295> Optional. Filters firewall flows with at least the specified number of
bytes. Specify a min-bytes value from 1 - 4294967295 bytes.
min-idle <1-4294967295> Optional. Filters firewall flows idle for at least the specified duration.
Specify a min-idle value from 1 - 4294967295 bytes.
min-pkts <1-4294967295> Optional. Filters firewall flows with at least the given number of
packets. Specify a min-bytes value from 1 - 4294967295 bytes.
not Optional. Negates the filter expression selected
port <1-65535> Optional. Matches either the source or destination port. Specify a port
from 1 - 65535.
src <1-65535> Optional. Matches only the source port with the specified port.
Specify a port from 1 - 65535.
Examples
nx9500-6C8809(config)#show fi
file-sync firewall file
nx9500-6C8809(config)#show firewall dhcp snoop-table
Snoop Binding <192.168.13.24, 00-15-70-81-74-2D, Vlan 1>
Type switch-SVI, Touched 427779 seconds ago
-------------------------------------------------------------------------------
nx9500-6C8809(config)#
nx9500-6C8809(config)#show firewall dos stats
--------------------------------------------------------------------------------
ATTACK TYPE COUNT LAST OCCURENCE
--------------------------------------------------------------------------------
udp-short-hdr 0 Never
multicast-icmpv6 0 Never
icmp-router-solicit 0 Never
tcp-xmas-scan 0 Never
ascend 0 Never
twinge 0 Never
tcp-post-syn 0 Never
land 0 Never
broadcast-multicast-icmp 0 Never
ftp-bounce 0 Never
spoof 0 Never
source-route 0 Never
tcp-null-scan 0 Never
tcp-fin-scan 0 Never
ipv6-hop-limit-zero 0 Never
tcp-bad-sequence 97 0 days 02:24:32 ago
fraggle 0 Never
router-advt 0 Never
snork 0 Never
raguard 0 Never
--More--
nx9500-6C8809(config)#
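Added example (not part of the WiNG guide): a Python parser for the 'show firewall dos stats' output shown above that reports attack types with recent hits and notes when the pager cut the table short. The sample text is constructed from rows in that example; the names DosStat, parse_dos_stats and recent_hits are chosen for this illustration.

```python
import re
from datetime import timedelta
from typing import NamedTuple, Optional

# Constructed sample: rows copied from the 'show firewall dos stats' example
# in this section with spacing normalised; not captured from a live device.
SAMPLE = """\
nx9500-6C8809(config)#show firewall dos stats
--------------------------------------------------------------------------------
ATTACK TYPE                  COUNT    LAST OCCURENCE
--------------------------------------------------------------------------------
udp-short-hdr                0        Never
tcp-xmas-scan                0        Never
land                         0        Never
spoof                        0        Never
tcp-bad-sequence             97       0 days 02:24:32 ago
fraggle                      0        Never
--More--
nx9500-6C8809(config)#
"""

# One data row: attack name, counter, then "Never" or "<d> days hh:mm:ss ago".
# The guide only shows "0 days"; accepting a singular "day" is an assumption.
ROW = re.compile(
    r"^(?P<attack>[a-z0-9][a-z0-9-]*)\s+(?P<count>\d+)\s+"
    r"(?:Never|(?P<d>\d+) days? (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) ago)\s*$"
)


class DosStat(NamedTuple):
    attack: str
    count: int
    age: Optional[timedelta]  # None when the device reports "Never"


def parse_dos_stats(text):
    """Return (rows, truncated).

    truncated is True when a '--More--' pager marker was seen, meaning the
    counters for the remaining attack types are missing from the capture.
    """
    rows, truncated = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "--More--":
            truncated = True
            continue
        m = ROW.match(line)
        if not m:
            continue  # prompt, rule lines and the column header
        age = None
        if m["d"] is not None:
            age = timedelta(days=int(m["d"]), hours=int(m["h"]),
                            minutes=int(m["m"]), seconds=int(m["s"]))
        rows.append(DosStat(m["attack"], int(m["count"]), age))
    return rows, truncated


def recent_hits(rows, window):
    """Attack types with a non-zero count whose last hit is inside window."""
    hits = [r for r in rows
            if r.count > 0 and r.age is not None and r.age <= window]
    return sorted(hits, key=lambda r: r.age)  # most recent first


if __name__ == "__main__":
    stats, cut = parse_dos_stats(SAMPLE)
    for hit in recent_hits(stats, timedelta(hours=24)):
        print(f"{hit.attack}: {hit.count} events, last seen {hit.age} ago")
    if cut:
        print("warning: output was paged; capture the rest before trusting zeros")
```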
nx9500-6C8809(config)#show firewall flows management
========== Flow# 1 Summary ==========
Forward:
IPv4 Vlan 1, TCP 192.168.13.10 port 1646 > 192.168.13.24 port 22
00-02-B3-28-D1-55 > 00-15-70-81-74-2D, ingress port up1
Egress port: <local>, Egress interface: vlan1, Next hop: <local> (00-15-70-81-74-2D)
1170 packets, 99960 bytes, last packet 0 seconds ago
Reverse:
IPv4 Vlan 1, TCP 192.168.13.24 port 22 > 192.168.13.10 port 1646
00-15-70-81-74-2D > 00-02-B3-28-D1-55, ingress port local
Egress port: up1, Egress interface: vlan1, Next hop: 192.168.13.10 (00-02-B3-28-D1-55)
873 packets, 98797 bytes, last packet 0 seconds ago
TCP state: Established
Flow times out in 1 hour 30 minutes
nx9500-6C8809(config)#
nx9500-6C8809(config)#show firewall flows stats
Active Flows 2
TCP/IPv4 flows 2
UDP/IPv4 flows 0
DHCP/IPv4 flows 0
ICMP/IPv4 flows 0
IPsec/IPv4 flows 0
TCP/IPv6 flows 0
UDP/IPv6 flows 0
DHCP/IPv6 flows 0
ICMP/IPv6 flows 0
IPsec/IPv6 flows 0
L3/Unknown flows 0
nx9500-6C8809(config)#
global
Displays global information for network devices based on the parameters passed
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show global [device-list|domain]
show global device-list {filter {offline|online|rf-domain}}
show global device-list {filter {offline|online}}
show global device-list {filter rf-domain [<DOMAIN-NAME>|not <DOMAIN-NAME>]}
show global domain managers
Parameters
show global device-list {filter {offline|online}}
global device-list Displays global information for all network devices. Use the
following keywords to specify additional filters: offline,
online, and rf-domain.
filter {offline|online} Optional. Specifies additional filters
• offline – Optional. Displays global information for offline
devices only
• online – Optional. Displays global information for online devices
only
global device-list Displays global information for all network devices. Use the
following keywords to specify additional filters: offline,
online, and rf-domain.
filter rf-domain [<DOMAIN-NAME>|not <DOMAIN-NAME>] Optional. Specifies additional filters
• rf-domain – Optional. Displays global information for all devices
in a specified RF Domain
◦ <DOMAIN-NAME> – Optional. Displays information for all
devices within the domain identified by the <DOMAIN-NAME>
keyword
◦ not <DOMAIN-NAME> – Optional. Displays information for
all devices in domains not matching the <DOMAIN-NAME>
keyword
global domain managers Displays global information for all RF Domain managers in the network.
Examples
vnx9500-6C8809(config)#show global device-list filter rf-domain TechPubs
---------------------------------------------------------------------------------------------------
MAC                HOST-NAME       TYPE     CLUSTER       RF-DOMAIN  ADOPTED-BY         ONLINE
---------------------------------------------------------------------------------------------------
00-15-70-81-74-2D  rfs6000-81742D  rfs6000  SiteConRFS6k  TechPubs   B4-C7-99-6C-88-09  online
---------------------------------------------------------------------------------------------------
gps
This feature is supported only on AP7662, which has built-in GPS hardware that starts and stops the
GPS coordinates search process. To view the GPS coordinates of an AP7622, initiate a GPS coordinates
search and then execute the 'show > gps' command.
Note
For more information on starting and stopping the GPS coordinate search process, see gps
(user and privi exec modes) on page 89.
• AP 7622
Syntax
show gps coordinates {on <DEVICE-NAME>}
Parameters
show gps coordinates {on <DEVICE-NAME>}
Note:
The command displays the last recorded GPS coordinates of the
device.
on <DEVICE-NAME> Optional. Specifies the name of the AP whose GPS coordinates are
to be displayed. Use this option if executing the command on the
controller or virtual controller to which the AP is adopted.
Note:
If you do not specify a device name, the system initiates the search
on the logged device. And if the logged device is not an AP7662
model access point, an error message returns. If
Examples
ap7662-8BDE4D#show gps coordinates
GPS Search is in progress.
Last location recorded at UTC time : Mon Apr 23 22:10:54 2018 : Latitude : 13.036N
Longitude : 77.3827E
ap7662-8BDE4D#
gre
Displays layer 2 Generic Routing Encapsulation (GRE) tunnel traffic flow information
GRE is one of the available tunneling mechanisms which uses IP as the transport protocol and can be
used for carrying many different passenger protocols. The tunnels behave as virtual point-to-point links
that have two endpoints identified by the tunnel source and tunnel destination addresses at each
endpoint.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show gre info {detail} {(on <DEVICE-NAME>)}
Parameters
show gre info {detail} {(on <DEVICE-NAME>)}
Examples
nx9500-6C8809#show gre info
Gre Tunnel info:
Tunnel info not found
nx9500-6C8809#
guest-registration
Displays information on the performance of clients using guest access permissions to obtain network
resources within the WiNG network. The reporting timeline can be adjusted as needed, as can the RF
Domain(s) and WLAN(s) used to filter and report guest client statistics.
Syntax
show guest-registration [age-range|backup-snapshots|browsers|client|devices|
gender|loyalty-app-status|notification-status|os|social|user-trends|visitors]
{on <DEVICE-NAME>}
show guest-registration backup-snapshots
show guest-registration [age-range|browsers|devices|gender|os|user-trends|
visitors] time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]
{(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}
show guest-registration client [email|mac|member|mobile|name|time]
show guest-registration client [email <EMAIL-ADDRESS>|mac <MAC>|
member <MEMBER-ID>|mobile <MOBILE-NUMBER>|name <NAME>]
show guest-registration client time [1-Hour|10-Mins|15-Mins|2-Mins|30-Mins|
30-Secs|5-Mins] {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}
show guest-registration loyalty-app-status time [1-Day|1-Month|1-Week|2-Hours|
30-Mins|5-Hours|all] {rfdomain <RF-DOMAIN-NAME>|wlan <WLAN-NAME>}
show guest-registration notification-status
show guest-registration social time [1-Day|1-Month|1-Week|2-Hours|30-Mins|
5-Hours|all] {(facebook|rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>|google)}
Parameters
show guest-registration backup-snapshots
time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] Displays guest registration statistics for a specified time period. The
stats displayed depend on the option selected in the previous step.
Specify the time period using one of the following options:
• 1-Day – Displays previous day’s statistics
• 1-Month – Displays previous month’s statistics
• 1-Week – Displays previous week’s statistics
• 2-Hours – Displays last 2 hours statistics
• 30-Mins – Displays last 30 minutes statistics
• 5-Hours – Displays last 5 hours statistics
• all – Displays statistics from the day the database was created
mac <MAC> Displays statistical data for the client with MAC address matching
the <MAC> parameter
• <MAC> – Specify the client’s MAC address
member <MEMBER-ID> Displays statistical data for the client with member ID matching the
<MEMBER-ID> parameter
• <MEMBER-ID> – Specify the client’s member ID.
mobile <MOBILE-NUMBER> Displays statistical data for the client with mobile number matching
the <MOBILE-NUMBER> parameter
• <MOBILE-NUMBER> – Specify the client’s mobile number.
name <NAME> Displays statistical data for the client with name matching the
<NAME> parameter
• <NAME> – Specify the client’s name.
time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] Use one of the following options to specify the time period
• 1-Day – Displays previous day’s captive portal clients’ Loyalty
Application analytics
• 1-Month – Displays previous month’s captive portal clients’
Loyalty Application analytics
• 1-Week – Displays previous week’s captive portal clients’ Loyalty
Application analytics
• 2-Hours – Displays last 2 hours captive portal clients’ Loyalty
Application analytics
• 30-Mins – Displays last 30 minutes captive portal clients’ Loyalty
Application analytics
• 5-Hours – Displays last 5 hours captive portal clients’ Loyalty
Application analytics
• all – Displays the entire Loyalty Application analytics, from the
day the database was created
{rfdomain <RF-DOMAIN-NAME>|wlan <WLAN-NAME>} Optional. Specifies the ‘rfdomain’ and/or ‘wlan’ to view guest
registration statistics for a specified RF Domain and/or WLAN
• rfdomain <RF-DOMAIN-NAME> – Displays Loyalty App analytics
for a specified RF Domain
◦ <RF-DOMAIN-NAME> – Specify the RF Domain name.
• wlan <WLAN-NAME> – Displays Loyalty App analytics for a
specified WLAN
◦ <WLAN-NAME> – Specify the WLAN name.
guest-registration social Displays the social sites used by guests to register. Optionally, use
the ‘rfdomain’ and/or ‘wlan’ keywords to view social sites used by
guests of a specified RF Domain and/or WLAN.
time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] Displays social site statistics for a specified time period. Use one of
the following time options:
• 1-Day – Displays previous day’s statistics
• 1-Month – Displays previous month’s statistics
• 1-Week – Displays previous week’s statistics
• 2-Hours – Displays last 2 hours statistics
• 30-Mins – Displays last 30 minutes statistics
• 5-Hours – Displays last 5 hours statistics
• all – Displays statistics from the day the database was created
Examples
nx9500-6C8809#show guest-registration age-range time all
Timeline:
all
---------------------------------
AGE RANGE COUNT
---------------------------------
less_than_18 0 ( 0%)
18_to_24 1 ( 20%)
25_to_34 0 ( 0%)
35_to_44 1 ( 20%)
45_to_54 1 ( 20%)
55_to_64 2 ( 40%)
greater_than_64 0 ( 0%)
---------------------------------
nx9500-6C8809#
nx9500-6C8809#show guest-registration browsers time 1-Day rfdomain Test-rfdomain-10
RF Domain: Test-rfdomain-10 Timeline: 1-Day
-----------------------------------
BROWSER COUNT
-----------------------------------
Safari 1 ( 50%)
Chrome 1 ( 50%)
nx9500-6C8809#
nx9500-6C8809#show guest-registration devices time 30-Mins wlan Test-ssid-9
WLAN: Test-ssid-9 Timeline: 30-Mins
-------------------------------
DEVICE COUNT
-------------------------------
Windows PC 1 (100%)
nx9500-6C8809#
nx9500-6C8809#show guest-registration gender time all wlan Test-ssid-10 rfdomain
Test-rfdomain-10
RF Domain: Test-rfdomain-10 WLAN: Test-ssid-10 Timeline: all
---------------------------------------------
GENDER COUNT
---------------------------------------------
Male 1 ( 50%)
Female 1 ( 50%)
Other 0 ( 0%)
nx9500-6C8809#
nx9500-6C8809#show guest-registration os time 1-Day
Timeline: 1-Day
-------------------------------
OS COUNT
-------------------------------
Windows 7 3 ( 30%)
Apple iOS 3 ( 30%)
Macintosh 3 ( 30%)
Windows 8 1 ( 10%)
nx9500-6C8809#
nx9500-6C8809#show guest-registration social time 30-Mins
Timeline: 30-Mins
---------------------------------------------
SOCIAL ONLINE TOTAL
---------------------------------------------
google 1 (100%) 1 ( 10%)
Local 0 ( 0%) 9 ( 90%)
nx9500-6C8809#
nx9500-6C8809#show guest-registration user-trends time all
Timeline: all
----------------------------------------------------------------------------
SAMPLE RANGE NEW USERS RETURN USERS TOTAL
----------------------------------------------------------------------------
2014-2-16 - 2014-4-17 0 ( 0%) 0 ( 0%) 0
2014-4-17 - 2014-6-16 0 ( 0%) 0 ( 0%) 0
2014-6-16 - 2014-8-15 0 ( 0%) 0 ( 0%) 0
2014-8-15 - 2014-10-14 0 ( 0%) 0 ( 0%) 0
2014-10-14 - 2014-12-13 0 ( 0%) 0 ( 0%) 0
2014-12-13 - 2015-2-11 10 (100%) 0 ( 0%) 10
----------------------------------------------------------------------------
nx9500-6C8809#
nx9500-6C8809#show guest-registration user-trends time 1-Day
Timeline: 1-Day
----------------------------------------------------------------------------
SAMPLE RANGE NEW USERS RETURN USERS TOTAL
----------------------------------------------------------------------------
23:16 - 3:16 0 ( 0%) 0 ( 0%) 0
3:16 - 7:16 0 ( 0%) 0 ( 0%) 0
7:16 - 11:16 0 ( 0%) 0 ( 0%) 0
11:16 - 15:16 0 ( 0%) 0 ( 0%) 0
15:16 - 19:16 0 ( 0%) 0 ( 0%) 0
19:16 - 23:16 0 ( 0%) 0 ( 0%) 0
----------------------------------------------------------------------------
nx9500-6C8809#
nx9500-6C8809#show guest-registration visitors time 30-Mins
Timeline: 30-Mins
-----------------------------------
VISITORS COUNT
-----------------------------------
New Users 7 ( 70%)
Return Users 3 ( 30%)
nx9500-6C8809#
nx9500-6C8809#show guest-registration client time 30-Mins email [email protected]
-----------------------------------
ATTRIBUTE VALUE
-----------------------------------
city Brooklyn
wlan Test-ssid-10
name Guest_9
zip 11204
mobile 9131373709
gender female
llogintime 2015-01-20 19:11:14.001000
mobileok on
devtype Windows PC
createtime 2015-01-20 18:27:14.001000
email [email protected]
mac 10-00-00-10-00-09
reg_type otp
rfd Test-rfdomain-10
agerange <18
group mac_reg_gr1
mid 1234100009
os Windows 7
exptime 2015-11-16 19:21:14.001000
browser Safari
-----------------------------------
nx9500-6C8809#
nx9500-6C8809#show guest-registration client time 30-Mins rfdomain Test-rfdomain-8
-----------------------------------
ATTRIBUTE VALUE
-----------------------------------
loggedin yes
wlan Test-ssid-8
name Guest_1
locale en_US
llogintime 2015-01-20 19:15:14
devtype Macintosh
exptime 2015-11-16 19:21:14
lname Guest_100000
source google
mac 10-00-00-10-00-01
email [email protected]
id 657669862939196
reg_type device
fname Test-Guest_1
rfd Test-rfdomain-8
agerange 35-44
timezone 7
profilePic https://www.google.com/user_id/657669862939196/
os Macintosh
createtime 2015-01-20 18:45:14
group mac_reg_gr1
browser Chrome
-----------------------------------
city Santa Cruz
group mac_reg_gr1
name Guest_2
zip 95062
mobile 3700870747
mid 1234100001
llogintime 2015-01-20 19:18:14
mobileok on
nx9500-6C8809#
nx7500-112233#show guest-registration loyalty-app-status time all
Timeline: all
---------------------------------------------
LOYALTY APP STATUS COUNT
---------------------------------------------
Loyalty App Users 491 ( 49%)
Others 510 ( 51%)
nx7500-112233#
interface
Displays configured system interfaces and their status
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show interface {<INTERFACE-NAME>|brief|counters|ge|me1|port-channel|pppoe1|
switchport|vlan|wwan1}
show interface {<INTERFACE-NAME>|brief|counters|ge <1-4>|me1|port-channel <1-2>|
pppoe1|switchport|vlan <1-4094>|wwan1} {on <DEVICE-NAME>}
Parameters
show interface {<INTERFACE-NAME>|brief|counters|ge <1-4>|me1|port-channel <1-2>|
pppoe1|switchport|vlan <1-4094>|wwan1} {on <DEVICE-NAME>}
Examples
nx9500-6C8809(config)#show interface switchport
---------------------------------------------------------------------------------------
INTERFACE STATUS MODE VLAN(S)
---------------------------------------------------------------------------------------
ge1 UP access 1
ge2 DOWN access 1
---------------------------------------------------------------------------------------
A '*' next to the VLAN ID indicates the native vlan for that trunk port
nx9500-6C8809(config)#
nx9500-6C8809(config)#show interface vlan 1
Interface vlan1 is UP
Hardware-type: vlan, Mode: Layer 3, Address: B4-C7-99-6C-88-09
Index: 5, Metric: 1, MTU: 1500
IP-Address: 192.168.13.13/24
input packets 4623946, bytes 568905032, dropped 0, multicast packets 0
input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
nx9500-6C8809(config)#
nx9500-6C8809(config)#show interface ge 1
Interface ge1 is UP
Hardware-type: ethernet, Mode: Layer 2, Address: 00-1E-67-4B-BF-BC
Index: 2001, Metric: 1, MTU: 1500
Speed: Admin Auto, Operational 1G, Maximum 1G
Duplex: Admin Auto, Operational Full
Active-medium: n/a
Input packets 2326745, bytes 348775278, dropped 0
Received 2326745 unicasts, 4367 broadcasts, 1219173 multicasts
Input errors 0, runts 0, giants 0
CRC 0, frame 0, fragment 0, jabber 0
Output packets 1080901, bytes 244595966, dropped 0
Sent 1080901 unicasts, 392 broadcasts, 132573 multicasts
Output errors 0, collisions 0, late collisions 0
Excessive collisions 0
nx9500-6C8809(config)#
nx9500-6C8809(config)#show interface counters
---------------------------------------------------------------------------------------
INTF        MAC                RX-PKTS  RX-BYTES   RX-DROP  TX-PKTS  TX-BYTES   TX-DROP
---------------------------------------------------------------------------------------
vlan1       B4-C7-99-6C-88-09  2571193  341672167  0        625888   90924957   0
ge1         00-1E-67-4B-BF-BC  2326629  348759017  0        1080855  244588229  0
ge2         00-1E-67-4B-BF-BD  0        0          0        0        0          0
port..nel1  00-1E-67-4B-BF-BC  2326631  348759243  0        1080857  244588673  0
---------------------------------------------------------------------------------------
nx9500-6C8809(config)#
iot-device-type-imagotag
Displays the configuration of ESL communicator on a specified AP or on all APs within an RF Domain.
Syntax
show iot-device-type-imagotag status {on <DEVICE-OR-DOMAIN-NAME>}
Parameters
show iot-device-type-imagotag status {on <DEVICE-OR-DOMAIN-NAME>}
Example
ap8432-9A5BD8#show iot-device-type-imagotag status
---------------------------------------------------------------------------------------------------
Imagotag Policy  Dongle-Status  AP-ID  Channel  Window  Payload  Max Output  SSL      FCC-Mode  ACS
                                                Size    Size     Power
---------------------------------------------------------------------------------------------------
Enabled          Disconnected   25982  7        14      32       A           Enabled  Enabled   Enabled
Enabled          Connected      45290  10       14      32       A           Enabled  Enabled   Enabled
---------------------------------------------------------------------------------------------------
Total devices: 2
ap8432-9A5BD8#
ap8432-9A5BD8#show iot-device-type-imagotag status on ap8432-9A5BD8
---------------------------------------------------------------------------------------------------
Imagotag Policy  Dongle-Status  AP-ID  Channel  Window  Payload  Max Output  SSL      FCC-Mode  ACS
                                                Size    Size     Power
---------------------------------------------------------------------------------------------------
Enabled          Connected      45290  10       14      32       A           Enabled  Enabled   Enabled
---------------------------------------------------------------------------------------------------
Total devices: 1
ap8432-9A5BD8#
ap8432-9A5BD8#show iot-device-type-imagotag status on default
---------------------------------------------------------------------------------------------------
Imagotag Policy  Dongle-Status  AP-ID  Channel  Window  Payload  Max Output  SSL      FCC-Mode  ACS
                                                Size    Size     Power
---------------------------------------------------------------------------------------------------
Enabled          Disconnected   25982  7        14      32       A           Enabled  Enabled   Enabled
Enabled          Connected      45290  10       14      32       A           Enabled  Enabled   Enabled
---------------------------------------------------------------------------------------------------
Total devices: 2
ap8432-9A5BD8#
ap8432-9A5BD8#show iot-device-type-imagotag status on default/ap8432-9A5BD8
---------------------------------------------------------------------------------------------------
Imagotag Policy  Dongle-Status  AP-ID  Channel  Window  Payload  Max Output  SSL      FCC-Mode  ACS
                                                Size    Size     Power
---------------------------------------------------------------------------------------------------
Enabled          Connected      45290  10       14      32       A           Enabled  Enabled   Enabled
---------------------------------------------------------------------------------------------------
Total devices: 1
ap8432-9A5BD8#
ip
Displays IP related information
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show ip [arp|bgp|ddns|default-gateways|dhcp|dhcp-vendor-options|domain-name|
extcommunity-list|igmp|interface|name-server|nat|ospf|route|routing]
show ip arp {<VLAN-NAME>} {(on <DEVICE-NAME>)}
show ip bgp {<IP>|<IP/M>|community|community-list|filter-list|neighbors|
on|paths|prefix-list|regexp|route-map|state|summary}
show ip ddns bindings {on <DEVICE-NAME>}
show ip dhcp [binding|networks|status]
show ip dhcp binding {manual} {(on <DEVICE-NAME>)}
show ip dhcp [networks|status] {on <DEVICE-NAME>}
show ip [default-gateways|dhcp-vendor-options|domain-name|name-server|routing]
{on <DEVICE-NAME>}
show ip extcommunity-list [<1-500>|<NAME>]
show ip igmp snooping [mrouter|querier|vlan]
show ip igmp snooping [mrouter|querier] vlan <1-4095> {on <DEVICE-NAME>}
show ip igmp snooping vlan <1-4095> {<IP>} {(on <DEVICE-NAME>)}
show ip interface {<INTERFACE-NAME>|brief|on}
show ip interface {<INTERFACE-NAME>|brief} {(on <DEVICE-NAME>)}
show ip nat translations verbose {on <DEVICE-NAME>}
show ip route {<INTERFACE-NAME>|ge|me1|on|port-channel|pppoe1|vlan|wwan1}
show ip route {<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|vlan <1-4094>|
pppoe1|wwan1} {(on <DEVICE-NAME>)}
show ip ospf {border-router|interface|neighbor|on|route|state}
show ip ospf {border-router|neighbor|route|on|state} {on <DEVICE-NAME>}
show ip ospf {interface} {vlan|on}
show ip ospf {interface} {vlan <1-4094>} {(on <DEVICE-NAME>)}
Note
The show > ip > ospf command is also available under the ‘profile’ and ‘device’ modes.
Parameters
show ip arp {<VLAN-NAME>} {(on <DEVICE-NAME>)}
ip bgp Displays BGP routing table statistics based on the match criteria
specified here. Routes matching the specified criteria are filtered.
Use available options to filter the information displayed.
This command is applicable to the RFS 4000, NX 95XX, and NX
96XX model devices.
<IP> Optional. Filters routes matching the specified IP address
<IP/M> Optional. Filters routes matching the specified network
community Optional. Filters routes based on the community attribute specified.
The options are:
• AA:NN – Filters routes based on the community number (AA: is
the autonomous system number (ASN), NN: is the community
number within the specified ASN)
• local-as – Filters routes carrying the local-as attribute (these
routes are not sent outside the local AS)
• no-advertise – Filters routes carrying the no-advertise attribute
(these routes are not advertised to any peers)
• no-export – Filters routes carrying no-export attribute (these
routes are not exported to next AS)
filter-list Optional. Filters routes having AS-path matching the specified AS-
path access list. Specify the AS-path ACL name.
regexp <LINE> Optional. Displays routes matching the specified AS path regular
expression
• <LINE> – Specify the regular expression.
route-map <ROUTE-MAP-NAME> Optional. Displays routes matching the specified route map
• <ROUTE-MAP-NAME> – Specify the route map name.
ip dhcp
bindings Displays DHCP address bindings
manual Displays static DHCP address bindings
on <DEVICE-NAME> The following keyword is recursive and common to the ‘manual’
parameter:
• on <DEVICE-NAME> – Optional. Displays DHCP address bindings
on a specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
show ip [default-gateways|dhcp-vendor-options|domain-name|name-server|routing]
{on <DEVICE-NAME>}
ip nat translations
verbose Displays detailed NAT translations
• on <DEVICE-NAME> – Optional. Displays NAT translations on a
specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
ip route Displays route table details. The route tables use flags to distinguish
between routes. The different flags are:
• C – Connected
• G – Gateway
• O – OSPF route
• S – Static route
Note: Flags ‘S’ and ‘O’ identify static learned routes and dynamic
learned routes respectively.
interface {on|vlan <1-4094>} {on <DEVICE-NAME>} Optional. Displays details of all the interfaces with OSPF enabled
• on <DEVICE-NAME> – Optional. Displays specified device
details
• vlan <1-4094> – Displays VLAN interface details
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
Examples
nx9500-6C8809(config)#show ip arp
--------------------------------------------------------------------------------
IP MAC INTERFACE TYPE
--------------------------------------------------------------------------------
192.168.13.10 00-02-B3-28-D1-55 vlan1 dynamic
192.168.13.13 B4-C7-99-6C-88-09 vlan1 dynamic
192.168.13.2 00-0F-8F-19-BA-4C vlan1 dynamic
--------------------------------------------------------------------------------
nx9500-6C8809(config)#
nx9500-6C8809(config)#show ip interface brief
-------------------------------------------------------------------------------
INTERFACE IP-ADDRESS/MASK TYPE STATUS PROTOCOL
-------------------------------------------------------------------------------
me1 unassigned n/a UP down
vlan1 192.168.13.24/24 primary UP up
-------------------------------------------------------------------------------
nx9500-6C8809(config)#
nx9500-6C8809(config)#show ip route
--------------------------------------------------------------------------------
DESTINATION GATEWAY FLAGS INTERFACE METRIC DISTANCE
--------------------------------------------------------------------------------
default 192.168.13.2 S vlan1 0 1
192.168.13.0/24 0.0.0.0 C vlan1 0 0
--------------------------------------------------------------------------------
Flags: C - Connected G - Gateway O - OSPF B - BGP S - Static
Gateway: N - Normalized Gateway Address
nx9500-6C8809(config)#
nx9500-6C8809(config)#show ip route port-channel 1
--------------------------------------------------------------------------------
DESTINATION GATEWAY FLAGS INTERFACE METRIC DISTANCE
--------------------------------------------------------------------------------
192.168.0.0/24 direct C me1 0 0
172.18.0.0/24 direct C vlan1 0 0
10.2.0.0/24 172.18.0.1 S vlan1 0 1
default 192.168.13.2 S vlan192 0 1
192.168.13.0/24 direct C vlan192 0 0
--------------------------------------------------------------------------------
ip-access-list-stats
Displays IP access list statistics
Note
This command is not available in the USER EXEC Mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show ip-access-list-stats {<IP-ACCESS-LIST-NAME>|detail|on}
show ip-access-list stats {<IP-ACCESS-LIST-NAME>|detail <IP-ACCESS-LIST-NAME>}
{(on <DEVICE-NAME>)}
Parameters
show ip-access-list stats {<IP-ACCESS-LIST-NAME>|detail <IP-ACCESS-LIST-NAME>}
{(on <DEVICE-NAME>)}
Examples
nx9500-6C8809(config)#show ip-access-list stats
IP Access-list: # Restrict Management ACL #
permit tcp any any eq ftp rule-precedence 1 Hitcount: 0
permit tcp any any eq www rule-precedence 2 Hitcount: 4
permit tcp any any eq ssh rule-precedence 3 Hitcount: 448
permit tcp any any eq https rule-precedence 4 Hitcount: 0
permit udp any any eq snmp rule-precedence 5 Hitcount: 0
permit tcp any any eq telnet rule-precedence 6 Hitcount: 4
nx9500-6C8809(config)#
The following example displays the statistics for the ‘auto-tunnel-acl’ ACL:
nx9500-6C8809#show ip-access-list stats
IP Access-list: auto-tunnel-acl
permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2 Hitcount: 0
permit ip host 200.200.200.99 any rule-precedence 3 Hitcount: 0
nx9500-6C8809#
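The hit counters in the output above can be audited offline. The following added example (not part of the WiNG guide) parses captured show ip-access-list stats output and separates permit rules for cleartext services that are still matching traffic from permit rules that have never matched. The CLEARTEXT_SERVICES set and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Assumption of this example: services treated as cleartext management access.
CLEARTEXT_SERVICES = {"ftp", "www", "telnet"}

ACL_HEADER = re.compile(r"^IP(?:V6)? Access-list:\s*(.+?)\s*$", re.IGNORECASE)
RULE_LINE = re.compile(
    r"^\s*(permit|deny)\s+(.+?)\s+rule-precedence\s+(\d+)\s+Hitcount:\s*(\d+)"
)
SERVICE = re.compile(r"\beq\s+(\S+)")

# Sample input: the two example outputs shown above, joined into one capture.
SAMPLE_OUTPUT = """\
nx9500-6C8809(config)#show ip-access-list stats
IP Access-list: # Restrict Management ACL #
permit tcp any any eq ftp rule-precedence 1 Hitcount: 0
permit tcp any any eq www rule-precedence 2 Hitcount: 4
permit tcp any any eq ssh rule-precedence 3 Hitcount: 448
permit tcp any any eq https rule-precedence 4 Hitcount: 0
permit udp any any eq snmp rule-precedence 5 Hitcount: 0
permit tcp any any eq telnet rule-precedence 6 Hitcount: 4
nx9500-6C8809(config)#
IP Access-list: auto-tunnel-acl
permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2 Hitcount: 0
permit ip host 200.200.200.99 any rule-precedence 3 Hitcount: 0
nx9500-6C8809#
"""


@dataclass
class Rule:
    acl: str
    action: str
    match: str
    precedence: int
    hitcount: int

    @property
    def service(self):
        """Service keyword after 'eq', or None for rules without a port match."""
        m = SERVICE.search(self.match)
        return m.group(1) if m else None


def parse_acl_stats(text):
    """Return every rule line, tagged with the ACL it was listed under."""
    rules, acl = [], None
    for line in text.splitlines():
        header = ACL_HEADER.match(line.strip())
        if header:
            acl = header.group(1)
            continue
        rule = RULE_LINE.match(line)
        if rule and acl is not None:  # prompts and blank lines match neither pattern
            action, match, precedence, hits = rule.groups()
            rules.append(Rule(acl, action, match, int(precedence), int(hits)))
    return rules


def audit(rules):
    """Group permit rules by what a reviewer would do with them."""
    findings = {"cleartext_in_use": [], "cleartext_unused": [], "unused_permit": []}
    for r in rules:
        if r.action != "permit":
            continue
        if r.service in CLEARTEXT_SERVICES:
            key = "cleartext_in_use" if r.hitcount else "cleartext_unused"
            findings[key].append(r)
        elif r.hitcount == 0:
            findings["unused_permit"].append(r)
    return findings


if __name__ == "__main__":
    for category, items in audit(parse_acl_stats(SAMPLE_OUTPUT)).items():
        for r in items:
            print(f"{category:17} {r.acl}: {r.action} {r.match} "
                  f"(precedence {r.precedence}, hits {r.hitcount})")
```

A zero hit count only means no match since the counters were last reset, so confirm the observation window before removing a rule.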
ipv6
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show ipv6 [default-gateways|delegated-prefix|dhcp|hop-limit|interface|mld|
name-server|neighbors|route]
show ipv6 [default-gateways|delegated-prefix|hop-limit|name-server]
{on <DEVICE-NAME>}
show ipv6 dhcp [client received-options|relay status|status]
{on <DEVICE-NAME>}
show ipv6 interface {<IF-NAME>|brief} {(on <DEVICE-NAME>)}
show ipv6 mld snooping [mrouter vlan <1-4095>|querier vlan <1-4095>|vlan <1-4095>]
{on <DEVICE-NAME>}
show ipv6 neighbors <VLAN-NAME> {(on <DEVICE-NAME>)}
show ipv6 route {<IF-NAME>|ge <1-X>|me1|port-channel <1-2>|pppoe1|serial <1-4>|
t1e1 <1-4> <1-1>|up|vlan <1-4095>|wwan1|xge} {(on <DEVICE-NAME>)}
Parameters
show ipv6 [default-gateways|delegated-prefix|hop-limit|name-server]
{on <DEVICE-NAME>}
ipv6
interface {<IF-NAME>|brief} Displays IPv6 status and configuration related information on a
specified interface
• <IF-NAME> – Optional. Specify the interface name.
◦ brief – Optional. Displays a brief summary of IPv6 status and
configuration on the specified interface
show ipv6 mld snooping [mrouter vlan <1-4095>|querier vlan <1-4095>|vlan <1-4095>]
{on <DEVICE-NAME>}
ge <1-X> Optional. Displays IPv6 route table for the selected GigabitEthernet
interface
me1 Optional. Displays IPv6 route table for the FastEthernet interface
port-channel <1-2> Optional. Displays IPv6 route table for the selected port-channel
interface
pppoe1 Optional. Displays IPv6 route table for the PPP over Ethernet
interface
vlan <1-4095> Optional. Displays IPv6 route table for the selected VLAN interface
up Optional. Displays IPv6 route table for the WAN Ethernet interface
wwan Optional. Displays IPv6 route table for the wireless WAN interface
xge <1-4> Optional. Displays IPv6 route table for the selected
TenGigabitEthernet interface
on <DEVICE-NAME> This parameter is common to all of the above keywords.
• on <DEVICE-NAME> – Optional. Displays the specified
information on a device (access point, wireless controller, or
service platform)
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
Examples
rfs4000-229D58(config)#show ipv6 route
--------------------------------------------------------------------------------
DESTINATION GATEWAY FLAGS INTERFACE
--------------------------------------------------------------------------------
2000:abcd::/64 fe80::300:1 S vlan300
default fe80::11:1 R vlan11
4444:1111::/64 direct C vlan1
--------------------------------------------------------------------------------
Flags: C - Connected G - Gateway S - Static R - IPv6-RA
rfs4000-229D58(config)#
rfs4000-229D58#show ipv6 default-gateways
--------------------------------------------------------------------------------
Source: IPv6-RA Gateway-address : fe80::100:1
Preference: medium Status : not-monitored
Installed : NO Interface : vlan100
Remaining Lifetime: 1471 sec
--------------------------------------------------------------------------------
Source: IPv6-RA Gateway-address : fe80::1:2
Preference: low Status : not-monitored
Installed : NO Interface : vlan1
Remaining Lifetime: 1488 sec
--------------------------------------------------------------------------------
Source: Static-Route Gateway-address : fe80::2000:1
Preference: NA Status : unreachable
Installed : NO Interface : vlan2000
Remaining Lifetime: forever
--------------------------------------------------------------------------------
Source: IPv6-RA Gateway-address : fe80::11:1
Preference: high Status : reachable
Installed : YES Interface : vlan11
Remaining Lifetime: 1471 sec
--------------------------------------------------------------------------------
rfs4000-229D58#
ipv6-access-list
Note
This command is not available in the USER EXEC Mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show ipv6-access-list stats <IPv6-ACCESS-LIST-NAME> {(on <DEVICE-NAME>)}
Parameters
show ipv6-access-list stats <IPv6-ACCESS-LIST-NAME> {(on <DEVICE-NAME>)}
ipv6-access-list stats Displays IPv6 access list related information and statistics
<IPv6-ACCESS-LIST-NAME> Optional. Displays statistics for a specified IPv6 access list. Specify
the IPv6 access list name.
If IPv6 ACL name is not provided, the system displays statistics for all
ACLs configured and applied.
on <DEVICE-NAME> Optional. Displays all or a specified IPv6 access list statistics on a
specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
Examples
nx9500-6C8809#show ipv6-access-list stats
IPV6 Access-list: test
deny ipv6 any any rule-precedence 20 Hitcount: 4
nx9500-6C8809#
l2tpv3
Displays L2TPv3 session information
Note
This command is not available in the USER EXEC mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show l2tpv3 {on|statistics|tunnel|tunnel-summary}
show l2tpv3 {on <DEVICE-NAME>}
show l2tpv3 statistics {on <DEVICE-NAME>}
show l2tpv3 {tunnel <L2TPv3-TUNNEL-NAME>} {session <L2TPv3-SESSION-NAME>} {on <DEVICE-NAME>}
show l2tpv3 {tunnel-summary} {down|on|up}
show l2tpv3 {tunnel-summary} {on <DEVICE-NAME>}
show l2tpv3 {tunnel-summary} {down|up} {on <DEVICE-NAME>}
Parameters
show l2tpv3 {on <DEVICE-NAME>}
l2tpv3 {on <DEVICE-NAME>} Displays L2TPv3 tunnel and session details or summary
• on <DEVICE-NAME> – Optional. Displays L2TPv3 information
on a specified device
◦ <DEVICE-NAME> – Specify the name of AP, wireless
controller, or service platform.
show l2tpv3 statistics Displays L2TPv3 Tunnel and session statistics. It displays the
information, such as the number of packets transmitted and
received, the rate of transmission, number of packets dropped, etc.
on <DEVICE-NAME> Optional. Executes the command on a specified device
• <DEVICE-NAME> - Specify the name of the access point,
wireless controller, or service platform.
Note:
If you do not specify a device name, the system executes the
command on the logged device.
Note: For an L2TPv3 tunnel over Auto IPSec, the tunnel status is
displayed as: Established (secured by ipsec)
Examples
ap7532-11E6C4#show l2tpv3 tunnel-summary
---------------------------------------------------------------------------------------
Sl No Tunnel Name Tunnel State Estd/Total Sessions Encapsulation
Protocol
---------------------------------------------------------------------------------------
1 testTunnel Established (secured by ipsec) 1/1 IP
Total Number of Tunnels 1
ap7532-11E6C4#
ap7532-11E6C4#show l2tpv3
-------------------------------------------------------------------------------
Tunnel Name : testTunnel
Control connection id : 2238970979
Peer Address : 30.1.1.1
Local Address : 30.1.1.30
Encapsulation Protocol : IP
MTU : 1460
Peer Host Name : rfss
Peer Vendor Name : Example Company
Peer Control Connection ID : 322606389
Tunnel State : Established (secured by ipsec)
Establishment Criteria : always
Sequence number of the next msg to the peer : 29
Expected sequence number of the next msg from the peer :42
Sequence number of the next msg expected by the peer : 29
Retransmission count : 0
Reconnection count : 0
Uptime : 0 days 1 hours 2 minutes 47 seconds
-------------------------------------------------------------------------------
Session Name : session1
VLANs : 30
Pseudo Wire Type : Ethernet_VLAN
Serial number for the session : 6
Local Session ID : 129538998
Remote Session ID : 8151374
Size of local cookie (0, 4 or 8 bytes) : 0
First word of local cookie : 0
Second word of local cookie : 0
Size of remote cookie (0, 4 or 8 bytes) : 0
First word of remote cookie : 0
Second word of remote cookie : 0
Session state : Established
Remote End ID : 444
Trunk Session : 1
Native VLAN tagged : Enabled
Native VLAN ID : 0
Number of packets received : 0
Number of bytes received : 0
Number of packets sent : 0
Number of bytes sent : 0
Number of packets dropped : 0
ap7532-11E6C4#
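The note above says a tunnel running over Auto IPSec reports its state as Established (secured by ipsec). The following added example (not from the WiNG guide) parses captured show l2tpv3 output and reports established tunnels that lack that marker, along with sessions on them that use a zero-length cookie. The second tunnel in the sample, the finding labels and the cookie policy are assumptions of this example.

```python
import re

IPSEC_MARKER = "(secured by ipsec)"           # state suffix quoted in the guide's note
FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")  # "Key : Value" and also "Key :Value"
COOKIE_KEYS = ("Size of local cookie (0, 4 or 8 bytes)",
               "Size of remote cookie (0, 4 or 8 bytes)")

# Sample input: testTunnel is abridged from the output above; labTunnel and its
# session are constructed for this example (192.0.2.10 is a documentation address).
SAMPLE_OUTPUT = """\
ap7532-11E6C4#show l2tpv3
-------------------------------------------------------------------------------
Tunnel Name : testTunnel
Peer Address : 30.1.1.1
Tunnel State : Established (secured by ipsec)
Expected sequence number of the next msg from the peer :42
-------------------------------------------------------------------------------
Session Name : session1
Size of local cookie (0, 4 or 8 bytes) : 0
Size of remote cookie (0, 4 or 8 bytes) : 0
Session state : Established
-------------------------------------------------------------------------------
Tunnel Name : labTunnel
Peer Address : 192.0.2.10
Tunnel State : Established
-------------------------------------------------------------------------------
Session Name : lab1
Size of local cookie (0, 4 or 8 bytes) : 0
Size of remote cookie (0, 4 or 8 bytes) : 4
Session state : Established
ap7532-11E6C4#
"""


def parse_l2tpv3(text):
    """Return a list of tunnel dicts, each with a 'sessions' list of field dicts."""
    tunnels, target = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:                      # prompts and separator rows carry no colon
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Tunnel Name":       # a new tunnel block starts here
            target = {"sessions": []}
            tunnels.append(target)
        elif key == "Session Name" and tunnels:
            target = {}                # session fields attach to the latest tunnel
            tunnels[-1]["sessions"].append(target)
        if target is not None:
            target[key] = value
    return tunnels


def check_tunnels(tunnels):
    """Return (tunnel, finding) pairs for tunnels that need a closer look."""
    findings = []
    for t in tunnels:
        name = t.get("Tunnel Name", "?")
        state = t.get("Tunnel State", "")
        if not state.startswith("Established"):
            findings.append((name, "not-established"))
            continue
        if IPSEC_MARKER in state.lower():
            continue                   # IPsec already protects control and data
        findings.append((name, "no-ipsec"))
        for s in t["sessions"]:
            # Policy of this example: without IPsec, a zero-length cookie leaves
            # the session ID as the only check on received data packets.
            if any(s.get(k, "0") == "0" for k in COOKIE_KEYS):
                findings.append(
                    (name, "no-ipsec-zero-cookie:" + s.get("Session Name", "?")))
    return findings


if __name__ == "__main__":
    for tunnel, finding in check_tunnels(parse_l2tpv3(SAMPLE_OUTPUT)):
        print(f"{tunnel}: {finding}")
```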
lacp
Note
For more information on enabling dynamic LACP, see lacp on page 1130 (profile - inf - ge -
config mode), lacp-channel-group on page 1131 (profile - inf - ge - config mode), and lacp on
page 1399 (device config mode).
Syntax
show lacp [<1-4>|counters|details|sys-id]
show lacp <1-4> ([counters|details])
show lacp sys-id
Parameters
show lacp <1-4> ([counters|details])
show lacp <1-4> Shows the LACP related information for a specified port-channel or all
port-channels using LACP
• <1-4> – Select the port-channel index number from 1 - 4. Note, LACP
is supported only on the NX 5500, NX 75XX, NX 95XX, NX 96XX
model service platforms.
If the port-channel index number is not specified, the system displays
LACP counters and details for all port-channels configured on the device.
counters Shows LACP counters for LACP-enabled port-channels. When passed
without the <1-4> keyword, the system displays LACP counters for all
configured port-channels. However, if the port-channel index number is
specified, the system displays LACP counters only for the specified port-
channel.
details Shows details for LACP-enabled port-channels. When passed without
the <1-4> keyword, the system displays LACP details for all configured
port-channels. However, if the port-channel index number is specified,
the system displays LACP details only for the specified port-channel.
show lacp sys-id Shows the LACP related information for all LACP-enabled port-channels
• sys-id – Shows the LACP system identifier and priority. This is the
identifier assigned to the LACP peers (devices).
Examples
NOC-controller#show interface port-channel 1
Interface port-channel1 is UP
Hardware-type: aggregate, Mode: Layer 2, Address: 84-24-8D-7F-35-C8
Index: 2018, Metric: 1, MTU: 1500
Speed: Admin Auto, Operational 20G, Maximum 20G
Duplex: Admin Auto, Operational Full
Active-medium: n/a
Channel-members: xge1 xge2
Switchport settings: trunk, access-vlan: n/a
Input packets 5121052, bytes 807510883, dropped 0
Received 5121052 unicasts, 0 broadcasts, 516544 multicasts
Input errors 0, runts 0, giants 0
CRC 0, frame 0, fragment 0, jabber 0
Output packets 4804420, bytes 1053174746, dropped 0
Sent 4804420 unicasts, 0 broadcasts, 0 multicasts
Output errors 0, collisions 0, late collisions 0
Excessive collisions 0
NOC-controller#
NOC-controller#show interface port-channel 4
Interface port-channel4 is UP
Hardware-type: aggregate, Mode: Layer 2, Address: 84-24-8D-7F-35-C4
Index: 2016, Metric: 1, MTU: 1500
Speed: Admin Auto, Operational 4G, Maximum 4G
Duplex: Admin Auto, Operational Full
Active-medium: n/a
Channel-members: ge2 ge3 ge4 ge5
Switchport settings: trunk, access-vlan: n/a
Input packets 5848499493, bytes 8772550780653, dropped 0
NOC-controller#
NOC-controller#show lacp counters
Port-Channel  Interface  LACPDU          Marker        Packet error
                         Sent    Recv    Sent  Recv    Sent  Recv
pc1           xge1       11548   12479   0     0       0     0
pc1           xge2       11550   12469   0     0       0     0
pc4           ge2        14081   14041   0     0       0     0
pc4           ge3        15877   15874   0     0       0     0
pc4           ge4        15875   15874   0     0       0     0
pc4           ge5        14064   14052   0     0       0     0
NOC-controller#
ldap-agent
Displays an LDAP agent’s join status (join status to an LDAP server domain). Use this command when
LDAP is specified as the external resource (as opposed to local RADIUS resources) to validate
PEAP-MS-CHAP v2 authentication requests. User credentials and password information need to be made
available locally to successfully connect to the external LDAP server. Up to two LDAP agents (primary
and secondary external resources) can be defined as external resources for PEAP-MS-CHAP v2
authentication requests.
Note
This command is not available in USER EXECUTABLE mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show ldap-agent join-status {on <DEVICE-NAME>}
Parameters
Examples
nx9500-6C8809#show ldap-agent join-status
Primary LDAP Server's agent join-status : Joined domain TEST.
licenses
Displays installed licenses and usage information
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show licenses {borrowed|lent}
Parameters
show licenses {borrowed|lent}
Usage Guidelines
The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a
single NOC controller. The NOC and the site controllers constitute the first and second tiers of the
hierarchy respectively. The site controllers in turn adopt and manage access points that form the third
tier of the hierarchy. The site controllers may or may not be grouped to form clusters.
At the time of adoption, access points and adaptive access points are provided licenses by the adopting
controller. These license packs can be installed on both the NOC and site controllers. When an AP/AAP is
adopted by a controller, the controller pushes a license on to the device. At this point the various
possible scenarios are:
• AP/AAP license packs installed on the NOC controller only. The NOC controller provides the site
controllers with the AP licenses, ensuring that per platform limits are not exceeded.
• AP/AAP license packs installed on the NOC and site controllers. The site controller uses its installed
licenses and, in case of a shortage, the site controller borrows additional licenses from the NOC. If
the NOC controller is unable to allocate sufficient licenses, the site controller unadopts some of the
AP/AAPs.
• AP/AAP license packs installed on one controller within a cluster. The site controller shares its
installed and borrowed licenses with other cluster controllers.
Examples
rfs4000-229D58#show licenses
Serial Number : 9184521800027
Device Licenses:
AP-LICENSE
String : DEFAULT-6AP-LICENSE
Value : 6
Borrowed : 0
Total : 6
Used : 0
AAP-LICENSE
String :
Value : 0
Borrowed : 0
Total : 0
Used : 0
ADVANCED-SECURITY
String : DEFAULT-ADV-SEC-LICENSE
rfs4000-229D58#
The following example shows the show > licenses command output on a NOC controller:
NOC-NX9500#show licenses
Serial Number : B4C7996C8809
Device Licenses:
AP-LICENSE
String :
Value : 0
Lent : 0
Total : 0
Used : 0
AAP-LICENSE
String :
66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
Value : 10250
Lent : 1
Total : 10249
Used : 2
HOTSPOT-ANALYTICS
String :
66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
NSIGHT
String :
66069c24b3bb12596b3d07672fdf5ccc99dd408f0ff891e719a98e92028e10e7a7461de1b5e70f32
Value : 50
lldp
Displays Link Layer Discovery Protocol (LLDP) related information
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show lldp [neighbors|report]
show lldp neighbors {on <DEVICE-NAME>}
show lldp report {detail|on}
show lldp report {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}
Parameters
show lldp neighbors {on <DEVICE-NAME>}
Note: If the ‘on’ keyword is used without the ‘detail’ keyword, the
system displays LLDP neighbors table summary on the specified
device or RF Domain.
on <DEVICE-OR-DOMAIN-NAME> The following keyword is recursive and common to the ‘report detail’
parameter:
• on <DEVICE-OR-DOMAIN-NAME> – Displays aggregated LLDP
neighbors table on a specified device or RF Domain
◦ <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP,
wireless controller, service platform, or RF Domain.
Examples
nx9500-6C8809#show lldp neighbors
-------------------------
Chassis ID: 00-18-71-D0-0B-00
System Name: TechPubs-ProCurve-Switch
Platform: ProCurve J8697A Switch 5406zl, revision K.12.1X, ROM K.11.03 (/sw/code/build/btm(sw_esp1))
Capabilities: Bridge Router
Enabled Capabilities: Bridge
Local Interface: ge1, Port ID(Port Description) (outgoing port): 5(A5)
TTL: 113 sec
Management Addresses: 192.168.13.40
nx9500-6C8809#
logging
Displays the network's activity log
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show logging {on <DEVICE-NAME>}
Parameters
show logging {on <DEVICE-NAME>}
Examples
NOC-NX9500#show logging
mac-access-list-stats
Displays MAC access list related statistics
Note
This command is not present in USER EXEC mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show mac-access-list-stats {<MAC-ACCESS-LIST-NAME>|on}
show mac-access-list-stats {<MAC-ACCESS-LIST-NAME>} {(on <DEVICE-NAME>)}
Parameters
show mac-access-list-stats {<MAC-ACCESS-LIST-NAME>} {(on <DEVICE-NAME>)}
Examples
nx9500-6C8809#show mac-access-list stats scalemacacl | i 311
permit D0-67-E5-3F-C0-00 FF-FF-FF-FF-F0-00 host 00-1E-EC-F2-0A-76 rule-precedence 311
Hitcount: 0 Hardware Hitcount: 0
nx9500-6C8809#
mac-address-table
Displays MAC address table entries
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show mac-address-table {on <DEVICE-NAME>}
Parameters
show mac-address-table {on <DEVICE-NAME>}
Examples
NOC-NX9500#show mac-address-table
--------------------------------------------------------
BRIDGE VLAN PORT MAC STATE
--------------------------------------------------------
1 172 ge2 5C-0E-8B-1C-53-2C forward
1 1 ge1 00-18-71-D0-1B-E6 forward
1 172 ge2 5C-0E-8B-1C-53-2D forward
1 1 ge1 74-67-F7-07-02-35 forward
1 1 ge1 84-24-8D-84-A2-24 forward
1 1 ge1 00-04-96-9C-F1-25 forward
1 1 ge1 84-24-8D-DF-9A-4C forward
1 1 ge1 B4-C7-99-71-17-28 forward
--------------------------------------------------------
Total number of MACs displayed: 8
NOC-NX9500#
macauth
Displays details of wired ports that have MAC address authentication enabled.
Use this command to view MAC authentication configuration and authentication state. The command
displays the current authentication state of the wired host, the authorization state of the Ge1 port, and
the wired hosts’ MAC address. The port status displays as Authorized if the wired host has successfully
authenticated and Not Authorized if the wired host has not authenticated or has failed MAC
authentication.
For more information on enabling MAC address authentication on a wired port, see mac-auth on page
1311 (profile-config-mode).
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show mac-auth {all|interface|on}
show mac-auth {all|interface [<INTERFACE-NAME>|ge <1-5>|port-channel <1-3>|
t1e1 <1-4>|up <1-2>|xge <1-4>]} {(on <DEVICE-NAME>)}
Parameters
show mac-auth {all|interface [<INTERFACE-NAME>|ge <1-5>|port-channel <1-3>|
t1e1 <1-4>|up <1-2>|xge <1-4>]} {(on <DEVICE-NAME>)}
on <DEVICE-NAME> The following keywords are common to the ‘all’ and ‘interface’
parameters:
• on <DEVICE-NAME> – Optional. Displays MAC authentication
related information on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless controller,
or service platform.
Note: When the ‘on’ keyword is used exclusively, without the ‘all’ and
‘interface’ options, the system displays MAC authentication related
information for interfaces configured on the specified device.
Examples
rfs4000-229D58(config)#show mac-auth all
AAA-Policy is none
mac-auth-clients
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show mac-auth-clients [all|interface]
show mac-auth-clients all {on <DEVICE-NAME>}
show mac-auth-clients interface {<INF-NAME>|ge <1-X>|port-channel <1-2>|
xge <1-4>}
Parameters
show mac-auth-clients all {on <DEVICE-NAME>}
Examples
rfs4000-229D58(config-device-B4-C7-99-22-9D-58)#show mac-auth-clients interface ge 1
-----------------------------------------------
MAC STATE INTERFACE
-----------------------------------------------
-----------------------------------------------
Total number of MACs displayed: 0
rfs4000-229D58(config-device-B4-C7-99-22-9D-58)#
mint
Displays MiNT protocol related statistics and configuration
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
show mint [config|dis|id|info|known-adopters|links|lsp|lsp-db|mlcp|neighbors|route|
stats|tunnel-controller|tunneled-vlans]
show mint [config|id|info|known-adopters|route|stats|tunneled-vlans]
{on <DEVICE-NAME>}
show mint [dis|links|neighbors|tunnel-controller] {details} {(on <DEVICE-NAME>)}
show mint lsp
show mint lsp-db {details <MINT-ADDRESS>} {(on <DEVICE-NAME>)}
show mint mlcp {history} {(on <DEVICE-NAME>)}
Parameters
show mint [config|id|info|known-adopters|route|stats|tunneled-vlans]
{on <DEVICE-NAME>}
Examples
NOC-NX9500#show mint stats
2 Level-1 neighbors
Level-1 LSP DB size 5 LSPs (1 KB)
Last Level-1 SPFs took 0.000s
Level-1 SPF (re)calculated 6 times.
5 Level-1 paths.
0 Level-2 neighbors
Level-2 LSP DB size 0 LSPs (0 KB)
Last Level-2 SPFs took 0.000s
Level-2 SPF (re)calculated 0 times.
0 Level-2 paths.
NOC-NX9500#
NOC-NX9500#show mint lsp
id 19.6C.88.09, level 1, 2 adjacencies, 0 extended-vlans
seqnum 1519955, expires in 22 minutes, republish in 774 seconds
90 bytes, can-adopt: True, adopted-by: 00.00.00.00, dis-priority 5, Level-2-gateway: False
hostname "NOC-NX9500"
rf-domain "default", priority vector: 0xe0dc0000
adjacent to 70.38.06.49, cost 100
adjacent to 19.6D.B5.D4, cost 100
NOC-NX9500#
NOC-NX9500#show mint lsp-db
5 LSPs in LSP-db of 19.6C.88.09:
LSP 19.6C.88.09 at level 1, hostname "NOC-NX9500", 2 adjacencies, seqnum 1519955
LSP 19.6D.B5.D4 at level 1, hostname "RFS6K-SITE2-VLAN192", 2 adjacencies, seqnum 1972642
LSP 19.74.B4.5C at level 1, hostname "ap8132-74B45C", 1 adjacencies, seqnum 1742227
LSP 4D.83.30.A4 at level 1, hostname "ap7522-8330A4", 1 adjacencies, seqnum 519924
LSP 70.38.06.49 at level 1, hostname "RFS6K-SITE1-VLAN20", 2 adjacencies, seqnum 1391030
NOC-NX9500#
NOC-NX9500#show mint route
Destination : Next-Hop(s)
19.6D.B5.D4 : 19.6D.B5.D4 via ip-192.168.13.2:24576
19.74.B4.5C : 19.6D.B5.D4 via ip-192.168.13.2:24576
19.6C.88.09 : 19.6C.88.09 via self
70.38.06.49 : 70.38.06.49 via ip-20.168.10.2:24576
4D.83.30.A4 : 70.38.06.49 via ip-20.168.10.2:24576
NOC-NX9500#
NOC-NX9500#show mint config
Base priority 5
DIS priority 5
Control priority 220
UDP/IP Mint encapsulation port 24576
Global Mint MTU 1500
NOC-NX9500#
NOC-NX9500#show mint mlcp
MLCP VLAN state: MLCP_INIT
MLCP VLAN Hello Interval: 4s(default), Adjacency hold time: 13s(default)
Potential VLAN links: None
All VLANs were scanned 1 times
MLCP IP: ENABLED
MLCP IPv6: ENABLED
MLCP IP/IPv6 state: MLCP_INIT
MLCP IP Hello Interval: 15s(default), Adjacency hold time: 46s(default)
Potential L3 Links:
None
NOC-NX9500#
ntp
Displays Network Time Protocol (NTP) information. NTP enables clock synchronization within a
network.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show ntp [associations|status]
show ntp [associations {detail|on}|status {on <DEVICE-NAME>}]
Parameters
show ntp [associations {detail|on}|status {on <DEVICE-NAME>}]
ntp associations {detail|on} Displays existing NTP associations. The interaction between the
controller or service platform and a SNTP server constitutes an
association. SNTP associations are of two kinds:
• peer associations - where a controller or service platform
synchronizes to another system or allows another system to
synchronize to it, or
• server associations - where only the controller or service
platform synchronizes to the SNTP resource, not the other way
around.
Specify the following parameters to view NTP association details:
• detail – Optional. Displays detailed NTP associations
◦ on <DEVICE-NAME> – Optional. Displays NTP associations on
a specified device
▪ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform.
Note: If the ‘on’ keyword is used without the ‘detail’ keyword, the
system displays a summary of existing NTP associations on the
specified device or RF Domain.
ntp status {on <DEVICE-NAME>} Displays the performance (status) information relative to the NTP
association status. Use this command to view the access point,
controller, or service platform’s current NTP resource.
• on <DEVICE-NAME> – Optional. Displays NTP association status
on a specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless
controller, or service platform
Examples
nx9500-6C8809#show ntp associations
------------------------------------------------------------------------------------------
-------------------------
STATUS NTP SERVER IP ADDR REF CLOCK IP ADDR STRATUM WHEN POLL REACH
password-encryption
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show password-encryption status
Parameters
show password-encryption status
Examples
nx9500-6C8809(config)#show password-encryption status
Password encryption is enabled
nx9500-6C8809(config)#
pppoe-client
Displays PPPoE client information. Use this command to view PPPoE statistics derived from access to
high-speed data and broadband networks. PPPoE uses standard encryption, authentication, and
compression methods as specified by the PPPoE protocol. PPPoE enables point-to-point connections to
an ISP over an existing Ethernet interface.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show pppoe-client [configuration|status] {on <DEVICE-NAME>}
Parameters
show pppoe-client [configuration|status] {on <DEVICE-NAME>}
Examples
nx9500-6C8809#show pppoe-client configuration
PPPoE Client Configuration:
+-------------------------------------------
| Mode : Disabled
| Service Name :
| Auth Type : pap
| Username :
| Password : fJx5O+5duPjaOaPuXmtLDQAAAAAmvgEXcQ1+eUK4ByHK4aRi
| Idle Time : 600
| Keepalive : Disabled
| Local n/w : vlan1
| Static IP : __wing_internal_not_set__
| MTU : 1492
+-------------------------------------------
nx9500-6C8809#
privilege
Displays the logged-in user's privilege level
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
show privilege
Parameters
None
Examples
nx9500-6C8809(config)#show privilege
Current user privilege: superuser
nx9500-6C8809(config)#
radius
Displays the amount of access time consumed and the amount of access time remaining for all guest
users configured on a RADIUS server
Every captive portal guest user can access the captive portal for a specified duration. This results in the
following three scenarios:
• Scenario 1: Access duration not specified (in this case the default of 1440 minutes is applied)
• Scenario 2: Access duration is specified and is greater than 0
• Scenario 3: Access duration is specified and equals 0 (in this case the guest user has unlimited
access)
In all three scenarios, the access time consumed is the duration for which the guest user has been logged in.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show radius [guest-users|server]
show radius guest-users {brief|<GUEST-USER-NAME>}
show radius server
Parameters
show radius guest-users {brief|<GUEST-USER-NAME>}
radius guest-users {brief|<GUEST-USER-NAME>} Displays RADIUS server’s guest user’s access details: total time for
which the user has logged in, and the amount of access time
remaining.
• brief – Displays the total number of guest users provided RADIUS
access
• <GUEST-USER-NAME> – Optional. Provide the name of the guest
user (whose access details are to be viewed). If no name is
provided, the system displays details of all guest users who have
successfully logged in at least once.
Use this command in the captive-portal context to view time and
data statistics for guest user(s) having bandwidth-based or time-
based vouchers configured. In such a scenario, the system displays
the following information: data configured, data remaining,
configured and current bandwidths (for both downlink and uplink),
time configured, and time remaining.
If a bandwidth-based voucher is not applicable to a guest user, the
data configured and data remaining values are displayed as
‘unlimited’. The bandwidth columns are blank. If a time-based voucher
is not applicable to a guest user, the only value displayed is the time
remaining (which is the time till the expiration of the guest user’s
account).
Examples
rfs4000-229D58#show radius guest-users
TIME (min:sec)
USED REMAINING GUEST USER
0:00 9:00 time9
0:00 5:00 time5
0:00 15:00 time15
0:00 305416:35 notime
2:31 7:29 time10
rfs4000-229D58#
The following example shows a RADIUS user pool with guest users having bandwidth-based, time-
based, bandwidth and time based, and no bandwidth or time based vouchers:
rfs4000-229D58(config-captive-portal-wdws)#show context
radius-user-pool-policy wdws
user time_and_data password 0 both group wdws guest expiry-time 12:00 expiry-date 12/31/2015 access-duration 8000 data-limit 500 committed-downlink 3000 committed-uplink 2000 reduced-downlink 1000 reduce4
user neither password 0 nine group wdws guest expiry-time 12:00 expiry-date 12/31/2015
user data_only password 0 data group wdws guest expiry-time 12:00 expiry-date 12/31/2015 data-limit 125 committed-downlink 1000 committed-uplink 800 reduced-downlink 500 reduced-uplink 400
rfs4000-229D58(config-captive-portal-wdws)#
The following example shows the captive portal access details for the above mentioned RADIUS user
pool users:
rfs4000-229D58(config-captive-portal-wdws)#show radius guest-users
               TIME (DD:HH:MM:SS)          DATA (kilobytes)       BANDWIDTH (kbps)
GUEST USER     CONFIGURED   REMAINING      CONFIGURED  REMAINING  CFGD DN  CURR DN  CFGD UP  CURR UP
time_and_data  5:13:20:00   5:12:00:50     512000      433727     3000     0        2000     0
neither        till expiry  221:19:44:54   unlimited   unlimited
data_only      till expiry  221:19:44:54   128000      127587     1000     0        800      0
time_only      3:11:20:00   3:11:19:47     unlimited   unlimited
Current time: 17:15:07
rfs4000-229D58(config-captive-portal-wdws)#
reload
Displays scheduled reload information for a specific device
Note
This command is not present in the USER EXEC mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show reload {on <DEVICE-OR-DOMAIN-NAME>}
Parameters
show reload {on <DEVICE-OR-DOMAIN-NAME>}
reload {on <DEVICE-OR-DOMAIN-NAME>}
    Displays scheduled reload information for a specified device
    • on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays configuration on a specified device
      ◦ <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform,
        or RF Domain.
Examples
nx9500-6C8809(config)#show reload
No reload is scheduled.
nx9500-6C8809(config)#
rf-domain-manager
Displays RF Domain manager selection details
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show rf-domain-manager {on <DEVICE-OR-DOMAIN-NAME>}
Parameters
show rf-domain-manager {on <DEVICE-OR-DOMAIN-NAME>}
Examples
nx9500-6C8809#show rf-domain-manager
RF Domain TechPubs
RF Domain Manager:
ID: 19.6C.88.09
Controller Managed
Device under query:
Priority: 220
Has IP MiNT links
Has wired MiNT links
nx9500-6C8809#
role
Displays role based firewall information
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show role [ldap-stats|wireless-clients]
show role [ldap-stats|wireless-clients] {on <DEVICE-NAME>}
Parameters
show role [ldap-stats|wireless-clients] {on <DEVICE-NAME>}
Examples
nx9500-6C8809(config)#show role wireless-clients
No ROLE statistics found.
nx9500-6C8809(config)#
route-maps
Displays route map statistics for defined routes
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show route-maps {on <DEVICE-NAME>}
Parameters
show route-maps {on <DEVICE-NAME>}
route-maps
    Displays configured route map statistics for all defined routes
    For more information on route maps, see route-map on page 1927.
on <DEVICE-NAME>
    Optional. Displays route map statistics on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
Examples
nx9500-6C8809(config)#show route-maps
nx9500-6C8809(config)#
rtls
Displays Real Time Location Service (RTLS) statistics for Access Points contributing locationing
information
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show rtls [aeroscout|ekahau|omnitrail] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
Parameters
show rtls [aeroscout|ekahau|omnitrail] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
Examples
rfs4000-229D58(config)#show rtls aeroscout
running-config
Displays configuration files (where all configured MAC and IP access lists are applied to an interface)
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show running-config {aaa-policy|application|application-group|application-policy|
association-acl-policy|auto-provisioning-policy|captive-portal-policy|device|database-
client-policy|
database-policy|device|device-overrides|dhcp-server-policy|dhcpv6-server-policy|
ex3500-management-policy|ex3500-qos-class-map-policy|ex3500-qos-policy-map|exclude-
devices|
firewall-policy|flag-unwritten-changes|guest-management-policy|hide-encrypted-values|
include-factory|interface|ip-access-list|ipv6-access-list|mac-access-list|management-
policy|
meshpoint|nsight-policy|profile|radio-qos-policy|rf-domain|roaming-assist-policy|rtl-
server-policy|
schedule-policy|smart-rf-policy|url-filter|url-list|web-filter-policy|wlan|wlan-qos-
policy}
show running-config {aaa-policy|application-policy|association-acl-policy|auto-
provisioning-policy|
captive-portal-policy|database-client-policy|database-policy|dhcp-server-policy|dhcpv6-
server-policy|
ex3500-management-policy|ex3500-qos-class-map-policy|ex3500-qos-policy-map|guest-
management-policy|
firewall-policy|management-policy|nsight-policy|radio-qos-policy|roaming-assist-policy|
rtl-server-policy|
schedule-policy|smart-rf-policy|web-filter-policy|wlan-qos-policy}<POLICY-NAME> {include-
factory}
show running-config {flag-unwritten-changes}
show running-config {application <APPLICATION-NAME>|application-group <APPLICATION-GROUP-
NAME>}
show running-config exclude-devices
show running-config {device [<MAC>|self]} {include-factory}
show running-config {device-overrides {brief}}
show running-config {hide-encrypted-values {exclude-devices|include-factory}}
show running-config {include-factory}
show running-config {interface} {<INTERFACE-NAME>|ge|include-factory|me|port-channel|
pppoe1|vlan|wwan1}
show running-config {interface} {<INTERFACE-NAME>|ge <1-4>|include-factory|me1|
port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {include-factory}
show running-config {ip-access-list <IP-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-ACCESS-
LIST-NAME>|
mac-access-list <MAC-ACCESS-LIST-NAME>} {include-factory}
show running-config {meshpoint <MESHPOINT-NAME>} {include-factory}
show running-config {profile [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|
ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|
nx75xx|nx9000|nx9600] <PROFILE-NAME>} {include-factory}
show running-config {rf-domain <DOMAIN-NAME>} {include-factory}
show running-config {wlan <WLAN-NAME>} {include-factory}
show running-config url-filter <URL-FILTER-NAME>
show running-config url-list <URL-LIST-NAME> {include-factory}
Parameters
show running-config {flag-unwritten-changes}
running-config flag-unwritten-changes
    Flags unsaved changes in the show > running-config command output. Optionally use the
    flag-unwritten-changes keyword to view changes that have been committed but not saved in the
    startup configuration. When used, all unsaved changes are marked with a “===” marker, as shown in
    the following show > running-config > flag-unwritten-changes output:
nx9500-6C8809(config)#show running-config flag-unwritten-changes
!
! Configuration of NX9500 version 5.9.2.0-017D
!
!
version 2.5
!
!
client-identity-group default
load default-fingerprints
!
client-identity-group test2
load default-fingerprints
!
===alias encrypted-string $WRITE 2 o5gA2zqj/q/
REWi8rTa7vQAAAAh4yA1YNBjqTVf4mMBsGA4i
!
===alias encrypted-string $enAlias2 2
JI4lPuMaCdMMx7rfBeyIAwAAAAoZ6tR1FfTlFXWvSicTMVZc
!
--More--
nx9500-6C8809(config)#
Execute the write > memory command to save these changes.
radio-qos-policy|roaming-assist-policy|rtl-server-policy|schedule-policy|smart-rf-policy|
web-filter-policy|wlan-qos-policy} <POLICY-NAME> {include-factory}
<POLICY-TYPE> <POLICY-NAME>
    Optional. Select the policy type, for example, aaa-policy, auto-provisioning-policy,
    captive-portal-policy, etc. and then specify the policy name. The system displays the selected
    policy’s configuration.
    • <POLICY-NAME> – Specify the name of the policy (should be existing and configured).
running-config interface
    Optional. Displays interface configuration
<INTERFACE-NAME>
    Optional. Displays a specified interface configuration. Specify the interface name.
ge <1-4>
    Optional. Displays GigabitEthernet interface configuration
    • <1-4> – Specify the GigabitEthernet interface index from 1 - 4.
<ACL-TYPE> <IP/IPv6/MAC-ACL-NAME>
    Optional. Select the ACL type, for example, ip-access-list, ipv6-access-list, or mac-access-list,
    and then specify the ACL name. The system displays the selected ACL’s configuration.
    • <IP/IPv6/MAC-ACL-NAME> – Specify the name of the ACL (should be existing and configured).
running-config meshpoint <MESHPOINT-NAME>
    Optional. Displays meshpoint configuration
    • <MESHPOINT-NAME> – Specify the meshpoint name
running-config url-filter <URL-FILTER-NAME>
    Optional. Displays current configuration for the URL filter identified by the <URL-FILTER-NAME>
    keyword
    • <URL-FILTER-NAME> – Specify the URL filter’s name.
Examples
nx9500-6C8809#show running-config device self
!
version 2.5
!
!
ip snmp-access-list default
permit any
!
firewall-policy default
no ip dos tcp-sequence-past-window
!
!
mint-policy global-default
!
!
management-policy default
no telnet
no http server
https server
no ftp
ssh
user admin password 1 fd07f19c6caf46e5b7963a802d422a708ad39a24906e04667c8642299c8462f1
role superuser access all
--More--
nx9500-6C8809#
nx9500-6C8809#show running-config profile ap8432 default-ap8432
profile ap8432 default-ap8432
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
interface radio2
interface bluetooth1
shutdown
interface ge1
interface ge2
interface vlan1
--More--
nx9500-6C8809#
nx9500-6C8809#show running-config url-filter URL_FILTER_Shopping include-factory
url-filter URL_FILTER_Shopping
no description
blacklist category-type p2p precedence 20 description description
blacklist category-type news-sports-general category shopping precedence 10 description
description
blockpage path internal
blockpage internal org-name Your Organization Name
blockpage internal org-signature Your Organization Name, All Rights Reserved.
blockpage internal title This URL may have been filtered.
blockpage internal header The requested URL could not be retrieved.
blockpage internal footer If you have any questions please contact your IT department.
blockpage internal content The site you have attempted to reach may be considered
inappropriate for access.
no blockpage internal main-logo
no blockpage internal small-logo
no blockpage external
nx9500-6C8809#
nx9500-6C8809#show running-config url-list AllowedShopping
url-list AllowedShopping
url ebay.com depth 10
url amazon.com depth 10
nx9500-6C8809#
nx9500-6C8809#show running-config application Bing
application Bing
app-category streaming
use url-list Bing
nx9500-6C8809#
nx9500-6C8809#sho running-config application-group amazon
application-group amazon
application amazon_cloud
application amazon_shop
application amazon-prime-music
application amazon-prime-video
nx9500-6C8809#
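The following Python audit is an added example, not part of the guide or of WiNG itself. It reads a captured show running-config flag-unwritten-changes listing, reports the statements that carry the “===” marker, and reports cleartext management services (telnet, http server, ftp) enabled in any management-policy. The capture is constructed; the function names, the one-space indentation of child statements, and the marker being prefixed to the whole flagged line are assumptions.

```python
import re

# Constructed capture (not real device output). Assumptions: child statements
# are indented by one space, and "===" is prefixed to the whole flagged line.
SAMPLE = """\
nx9500-6C8809(config)#show running-config flag-unwritten-changes
!
! Configuration of NX9500 version 5.9.2.0-017D
!
version 2.5
!
client-identity-group default
 load default-fingerprints
!
===alias encrypted-string $enAlias2 2 EXAMPLEciphertextEXAMPLE
!
management-policy default
 no telnet
=== http server
 https server
 no ftp
 ssh
--More--
nx9500-6C8809(config)#
"""

PROMPT = re.compile(r"^[\w.-]+(\([\w-]+\))?[#>]")   # e.g. nx9500-6C8809(config)#
FLAGGED = re.compile(r"^(\s*)===(.*)$")             # unsaved-change marker
SECRET = re.compile(r"(\b(?:password|secret|encrypted-string \S+) \d+ )\S+")
CLEARTEXT_SERVICES = ("telnet", "http server", "ftp")


def redact(stmt):
    """Keep the statement readable but drop the hash or ciphertext itself."""
    return SECRET.sub(r"\1<redacted>", stmt)


def parse_config(text):
    """Split a listing into blocks: head statement, unsaved flag, child statements."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "--More--" or PROMPT.match(line):
            continue                      # pager residue and CLI prompts
        m = FLAGGED.match(line)
        unsaved = bool(m)
        if m:
            line = m.group(1) + m.group(2)
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # separators and comments
        if line[0].isspace() and blocks:
            blocks[-1]["children"].append((line.strip(), unsaved))
        else:
            blocks.append({"head": line.strip(), "unsaved": unsaved, "children": []})
    return blocks


def unsaved_changes(blocks):
    """Statements present in running-config but not yet written to startup-config."""
    out = []
    for b in blocks:
        if b["unsaved"]:
            out.append(redact(b["head"]))
        out += [redact(f'{b["head"]} / {c}') for c, flagged in b["children"] if flagged]
    return out


def cleartext_mgmt(blocks):
    """Return (policy name, service) for each cleartext service explicitly enabled."""
    findings = []
    for b in blocks:
        if not b["head"].startswith("management-policy "):
            continue
        policy = b["head"].split(None, 1)[1]
        for stmt, _ in b["children"]:
            for svc in CLEARTEXT_SERVICES:
                # "no telnet" disables; "telnet" or "ftp <args>" enables
                if stmt == svc or stmt.startswith(svc + " "):
                    findings.append((policy, svc))
    return findings


if __name__ == "__main__":
    parsed = parse_config(SAMPLE)
    print("unsaved:", unsaved_changes(parsed))
    print("cleartext management services:", cleartext_mgmt(parsed))
```

Only statements present in the capture are evaluated, so a service enabled by a factory default is visible only in a capture taken with the include-factory keyword (assumed here to list default values).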
session-changes
Displays configuration changes made in the current session
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show session-changes
Parameters
None
Examples
nx9500-6C8809#show session-changes
nx9500-6C8809#
session-config
Lists active open sessions on a device
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show session-config {exclude-devices|include-factory}
Parameters
show session-config {exclude-devices|include-factory}
Examples
nx9500-6C8809(config)#show session-config
!
! Configuration of NX9500 version 5.9.2.0-017D
!
!
version 2.5
!
!
client-identity-group default
load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP
replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny
windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local
broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 tra
--More--
nx9500-6C8809(config)#
sessions
Displays CLI sessions initiated on a device
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show sessions all {on <DEVICE-NAME>}
Parameters
show sessions all {on <DEVICE-NAME>}
Examples
nx9500-6C8809#show sessions
INDEX COOKIE NAME START TIME FROM ROLE
1 2 snmp 2018-02-02 08:39:28 127.0.0.1 superuser
2 3 snmp2 2018-02-02 08:39:28 127.0.0.1 superuser
3 53 admin 2018-02-09 14:43:19 134.141.244.24 superuser
nx9500-6C8809#
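The following Python check is an added example, not part of the guide. It parses a show sessions listing in the column layout shown above and reports privileged sessions whose source address is neither loopback nor inside an approved management network. The capture is constructed (the addresses are documentation ranges and the monitor role row is illustrative), and the function names and the management network list are assumptions.

```python
import ipaddress
import re

# Constructed capture in the INDEX/COOKIE/NAME/START TIME/FROM/ROLE layout.
SAMPLE = """\
nx9500-6C8809#show sessions
INDEX COOKIE NAME START TIME FROM ROLE
1 2 snmp 2018-02-02 08:39:28 127.0.0.1 superuser
2 3 snmp2 2018-02-02 08:39:28 127.0.0.1 superuser
3 53 admin 2018-02-09 14:43:19 192.0.2.24 superuser
4 54 helpdesk 2018-02-09 23:10:02 203.0.113.7 monitor
5 55 admin 2018-02-10 02:05:41 198.51.100.9 superuser
nx9500-6C8809#
"""

# START TIME contains a space, so it is matched as one date-time field.
ROW = re.compile(
    r"^(\d+)\s+(\d+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)$"
)


def parse_sessions(text):
    """Return one dict per session row; header, prompt and pager lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            index, cookie, name, start, source, role = m.groups()
            sessions.append({
                "index": int(index), "cookie": int(cookie), "name": name,
                "start": start, "from": source, "role": role,
            })
    return sessions


def flag_sessions(sessions, mgmt_nets, privileged=("superuser",)):
    """Privileged sessions that did not originate from loopback or a management network."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    flagged = []
    for s in sessions:
        if s["role"] not in privileged:
            continue
        try:
            src = ipaddress.ip_address(s["from"])
        except ValueError:
            # A hostname or console label cannot be checked against a network list.
            flagged.append((s["index"], s["name"], s["from"], "source is not an IP address"))
            continue
        if src.is_loopback or any(src in n for n in nets):
            continue
        flagged.append((s["index"], s["name"], s["from"], "outside management networks"))
    return flagged


if __name__ == "__main__":
    for finding in flag_sessions(parse_sessions(SAMPLE), ["192.0.2.0/24"]):
        print(finding)
```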
site-config-diff
Displays the difference in site configuration available on the NOC and a site.
The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a
single NOC controller. The NOC controller constitutes the first tier and the site controllers constitute the
second tier of the hierarchy. The site controllers may or may not be grouped to form clusters. The site
controllers in turn adopt and manage Access Points that form the third tier of the hierarchy.
NOC controllers possess default site configuration details. Overrides applied at the site level result in a
mismatch of configuration at the site and the default site configuration available on the NOC controller.
Use this command to view this difference.
Note
This command returns an output only when executed on a NOC controller.
Syntax
show site-config-diff <SITE-NAME>
Parameters
show site-config-diff <SITE-NAME>
site-config-diff <SITE-NAME>
    Displays the configuration difference for the specified site
    • <SITE-NAME> – Specify the site name.
Examples
nx9500-6C8809#show site-config-diff 5C-0E-8B-18-06-F4
---- Config diff for switch 5C-0E-8B-18-06-F4 ----
rfs4000 5C-0E-8B-18-06-F4
interface pppoe1
no shutdown
nx9500-6C8809#
smart-rf
Displays Self-Monitoring At Run Time RF (Smart RF) statistical history to assess adjustments made to
device configurations to compensate for detected coverage holes or device failures
When invoked by an administrator, Smart RF instructs access point radios to change to a specific
channel and begin beaconing using the maximum available transmit power. Within a well-planned
deployment, any RF Domain member access point radio should be reachable by at least one other
radio. Smart RF records signals received from its neighbors as well as signals from external, unmanaged
radios. AP-to-AP distance is recorded in terms of signal attenuation. The information from
external radios is used during channel assignment to minimize interference.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show smart-rf [ap|channel-distribution|history|history-timeline|interfering-ap|
interfering-neighbors|radio|select-shutdown]
show smart-rf ap {<MAC>|<DEVICE-NAME>|activity|energy|neighbors|on <DOMAIN-NAME>}
show smart-rf ap {<MAC>|<DEVICE-NAME>} {on <DOMAIN-NAME>}
show smart-rf ap (activity|energy|neighbors) [<MAC>|<DEVICE-NAME>] {(on <DOMAIN-NAME>)}
show smart-rf [channel-distribution|history|history-timeline] {on <DOMAIN-NAME>}
show smart-rf radio {<MAC>|activity|all-11an|all-11bgn|channel|energy|neighbors|on
<DOMAIN-NAME>}
show smart-rf radio {<MAC>|all-11an|all-11bgn|energy <MAC>} {on <DOMAIN-NAME>}
show smart-rf radio {activity|neighbors} {<MAC>|all-11an|all-11bgn} {on <DOMAIN-NAME>}
show smart-rf interfering-ap {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}
show smart-rf interfering-neighbors {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>|threshold
<50-100>}
show smart-rf select-shutdown {AP-MAC|<AP-DEVICE-NAME>|on <RF-DOMAIN-NAME>}
Parameters
show smart-rf ap {<MAC>|<DEVICE-NAME>} {on <DOMAIN-NAME>}
all-11an Optional. Displays radio activity of all 11a radios in the configuration
Examples
nx9500-6C8809(config)#show smart-rf calibration-status
No calibration currently in progress
nx9500-6C8809(config)#
nx9500-6C88096#show smart-rf select-shutdown
--------------------------------------------------------------------------------
RADIO RADIO-MAC STATE
--------------------------------------------------------------------------------
ap7532-15E868:R1 FC-0A-81-A3-27-60 On
ap7532-82C614:R1 84-24-8D-93-E7-D0 On
ap7532-15E54C:R1 FC-0A-81-A3-1A-90 Hidden
ap7522-189548:R1 84-24-8D-2C-02-C0 On
ap7522-847CC8:R1 84-24-8D-9F-F3-B0 On
ap7532-1601A4:R1 FC-0A-81-A3-14-A0 Hidden
--------------------------------------------------------------------------------
nx9500-6C8809#
• Access Points — AP 6522, AP 6562, AP 7161, AP 7502, AP 7532, AP 7562, AP 7602, AP-7612, AP
7622, AP7632, AP7662, AP-8163, AP-8432, AP-8533
• Wireless Controllers — RFS 4000
• Service Platforms — NX 5500, NX 75XX, NX 95XX, NX 96XX, VX 9000
Syntax
show snmpv3 engineID
Parameters
show snmpv3 engineID
Examples
NOC-NX9500>show snmpv3 engineID
SNMPv3 EngineID: 8000018480e3a66a6699599451
NOC-NX9500>
spanning-tree
Displays spanning tree utilization information
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show spanning-tree mst {configuration|detail|instance|on}
show spanning-tree mst {configuration} {(on <DEVICE-NAME>)}
show spanning-tree mst {detail} {interface|on}
show spanning-tree mst {detail} interface {<INTERFACE-NAME>|ge <1-4>|me1|
port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {(on <DEVICE-NAME>)}
show spanning-tree mst {instance <1-15>} {interface <INTERFACE-NAME>}
{(on <DEVICE-NAME>)}
Parameters
show spanning-tree mst {configuration} {(on <DEVICE-NAME>)}
interface <INTERFACE-NAME>
    Optional. Displays MST configuration for a specific interface instance. The options are:
    • <INTERFACE-NAME> – Displays MST configuration for a specified interface. Specify the interface
      name.
Examples
nx9500-6C8809#show spanning-tree mst configuration
%%
% MSTP Configuration Information for bridge 1 :
%%------------------------------------------------------
% Format Id : 0
% Name : My Name
% Revision Level : 0
% Digest : 0xac36177f50283cd4b83821d8ab26de62
%%------------------------------------------------------
nx9500-6C8809#
nx9500-6C8809#show spanning-tree mst detail interface ge 1
% Bridge up - Spanning Tree Disabled
% CIST Root Path Cost 0 - CIST Root Port 0 - CIST Bridge Priority 32768
% Forward Delay 15 - Hello Time 2 - Max Age 20 - Max hops 20
% 1: CIST Root Id 800000157081742e
% 1: CIST Reg Root Id 800000157081742e
% 1: CIST Bridge Id 800000157081742e
% portfast bpdu-filter disabled
% portfast bpdu-guard disabled
% portfast portfast errdisable timeout disabled
% portfast errdisable timeout interval 300 sec
% cisco interoperability not configured - Current cisco interoperability off
startup-config
Displays complete startup configuration script
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show startup-config {include-factory}
Parameters
show startup-config {include-factory}
Examples
nx9500-6C8809#show startup-config
!
! Configuration of NX9500 version 5.9.2.0-017D
!
!
version 2.5
!
password-encryption-version 1.0
inline-password-encryption
password-encryption-key secret 2
2cd258b63fa0e16a753394d779cbc5a20000002065d2c29edf373ed42131fa410426d5cb8b0296ffea49331cb7
2e122e421acc9c
!
client-identity-group default
load default-fingerprints
!
client-identity-group test2
load default-fingerprints
!
alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16
192.168.13.20 to 192.168.13.25
alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24
!
alias network $NetworkAlias 192.168.13.0/24
!
--More--
nx9500-6C8809#
t5
Note
This command is applicable only on WiNG controllers with adopted and managed T5
controllers.
Syntax
show t5 [boot|clock|cpe|interface|mac|system|temperature|uptime|version|
wireless] {on <T5-DEVICE-NAME>}
show t5 [boot|clock|system|temperature|uptime|version]
{on <T5-DEVICE-NAME>}
show t5 cpe [address|boot|ether port status|led|reset|system|uptime|version]
{on <T5-DEVICE-NAME>}
show t5 interface [dsl|fe|ge|radio]
show t5 interface [dsl|fe|ge] [counter|description|errors|status|utilization]
{on <T5-DEVICE-NAME>}
show t5 interface dsl custom [avg|dses|dsses|peak|uses|usses]
{on <T5-DEVICE-NAME>}
show t5 interface radio [stats|status|wlam-map]
{on <T5-DEVICE-NAME>}
show t5 mac table [filter name [dsl<1-24>|ge <1-2>|vlan <1-4094>|wlan <1-24>]
{on <T5-DEVICE-NAME>}
show t5 wireless [client|wlan]
show t5 wireless client {filter name [association-status|authentication-status|
bss|mac-address|retry-percentage|rssi-value]} {on <T5-DEVICE-NAME>}
show t5 wireless wlan counters [qos|rate|size]
{on <T5-DEVICE-NAME>}
Parameters
show t5 [boot|clock|system|temperature|uptime|version]
{on <T5-DEVICE-NAME>}
[dsl|fe|ge|radio] [counter|description|errors|status|utilization]
    Select the interface type. The options are: dsl, fe, and ge.
    • dsl – Displays Digital Subscriber Line (DSL) interface related information
    • fe – Displays Fast Ethernet (FE) interface related information
    • ge – Displays Gigabit Ethernet (GE) interface related information
    The system displays the following information for the DSL, GE, and FE ports:
    • counter – Displays the following:
      ◦ Number of octets (bytes) received and transmitted on this port
      ◦ Number of data packets received and transmitted on this port
      ◦ Number of flow control (layer 2) packets received and transmitted on this port
    • description – Displays the following:
      ◦ The selected port’s name
      ◦ The numeric index assignable to each port
      ◦ The 64 character maximum, unique, administrator-assigned description to each port
    • errors – Displays the following DSL interface related errors:
      ◦ The name of the DSL utilized by each T5 controller connected CPE device
      ◦ The number of FECs detected in the downstream direction. Forward Error Correction (FEC) or
        channel coding is used for controlling errors over unreliable or noisy communication channels.
      ◦ The number of CPE DSL coding violations (badly coded packets) detected in the downstream
        direction.
      ◦ The number of FECs detected in the upstream direction.
      ◦ The number of CPE DSL coding violations (badly coded packets) detected in the upstream
        direction.
    • status – Displays the following:
      ◦ The selected port’s name
      ◦ Whether the port is currently up or down as a T5 controller transmit and receive resource
      ◦ The port's current speed in MB
      ◦ Whether pause packet utilization is currently off or on for the selected port
      ◦ Whether each listed port is enabled or disabled by the administrator
    • utilization – Displays the following:
      ◦ The selected port’s name
      ◦ The port’s receive and transmit data rates (in Kbps)
      ◦ The packet per second port receive and transmit rates (p/s)
      ◦ Each port's receive and transmit direction utilization as a percentage of the total transmit
        bandwidth available.
• retry-percentage
• rssi-value
Examples
The following examples are for show commands executed on the ‘t5-ED7C6C’ controller adopted by the
‘nx9500-6C8809’ wireless controller:
nx9500-6C8809(config)#show t5 boot on t5-ED7C6C
Primary Version: 5.4.2.0-010R
Secondary Version: 5.4.2.0-006B
Next Boot: Primary
Upgrade Status: none
Upgrade Progress %: 0
nx9500-6C8809(config)#
nx9500-6C8809(config)#show t5 version on t5-ED7C6C
Bootloader Version: 5.4.2.0-010R
Application Version: 5.4.2.0-010R
nx9500-6C8809(config)#
nx9500-6C8809(config)#show t5 system on t5-ED7C6C
Serial Number 14213522400004
SKU TS-0524-WR
Hardware Rev 5
Mac Address B4-C7-99-ED-7C-6C
Description 24-port PowerBroadband VDSL2 Switch Version 5.4.2.0-010R
Contact NULL
Name t5-ED7C6C
Location NULL
nx9500-6C8809(config)#
nx9500-6C8809(config)#show t5 clock on t5-ED7C6C
Time 6-6-2017 17:14:30 UTC
nx9500-6C8809(config)#
nx9500-6C8809(config)#show t5 interface ge counter on t5-ED7C6C
-------------------------------------------------------------------------------------------------------------------
INTERFACE  RECEIVE OCTETS  RECEIVE PACKETS  RECEIVE PAUSE PKTS  TRANSMIT OCTETS  TRANSMIT PACKETS  TRANSMIT PAUSE PKTS
-------------------------------------------------------------------------------------------------------------------
ge1        711128918       89636040         0                   2558110037       133720283         0
ge2        2515775064      133311355        0                   3422167586       78735853          0
-------------------------------------------------------------------------------------------------------------------
nx9500-6C8809(config)#
nx9500-6C8809(config)#show t5 uptime on t5-ED7C6C
Up Time 0 days 1 day, 3:19:43
nx9500-6C8809(config)#
nx9500-6C8809(config)#show t5 temperature on t5-ED7C6C
============ Temperature ============
--------------------------------------------------------------------
INDEX CURRENT (C) FANS @ FULL SPEED (C) FANS @ VARIABLE SPEED (C)
--------------------------------------------------------------------
1 39 70 60
--------------------------------------------------------------------
nx9500-6C8809(config)#
nx9500-6C8809(config)#show t5 cpe address on t5-ED7C6C
--------------------------------------------------------------------------------
--More--
nx9500-6C8809(config)#
nx9500-6C8809(config)#show t5 cpe led on t5-ED7C6C
---------------------------------------------------------------------------------------
DEVICE LED STATUS
-----------------------------------------------------------------------------------
cpe1 enable
cpe2 enable
cpe3 enable
cpe4 enable
cpe5 enable
--More--
nx9500-6C8809(config)#
nx9500-6C8809(config)#show t5 mac table filter name vlan 1 on t5-ED7C6C
---------------------------------------------------------------------------------------
T5-MAC             VLAN  ADDRESS            INTERFACE  VENDOR
---------------------------------------------------------------------------------------
B4-C7-99-ED-7C-6C  1     00-02-B3-28-D1-55  ge1        Intel Corp
B4-C7-99-ED-7C-6C  1     00-1E-67-4B-BF-BD  ge1        Intel Corp
B4-C7-99-ED-7C-6C  1     00-23-68-11-E6-C4  ge1        Extreme Tech
B4-C7-99-ED-7C-6C  1     00-23-68-88-0D-A7  ge1        Extreme Tech
B4-C7-99-ED-7C-6C  1     00-23-68-99-BB-7C  ge1        Extreme Tech
B4-C7-99-ED-7C-6C  1     00-A0-F8-68-D5-70  ge1        Extreme Tech
B4-C7-99-ED-7C-6C  1     00-C0-23-69-80-CD  dsl1       00-C0-23
B4-C7-99-ED-7C-6C  1     1C-7E-E5-18-FA-67  ge1        D-Link Corp
B4-C7-99-ED-7C-6C  1     3C-CE-73-F4-47-83  ge1        Cisco Systems
B4-C7-99-ED-7C-6C  1     74-6F-F7-40-16-62  dsl2       Wistron Corp
--More--
nx9500-6C8809(config)#
terminal
Displays terminal configuration parameters
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show terminal
Parameters
None
Examples
nx9500-6C8809(config)#show terminal
Terminal Type: xterm
Length: 24 Width: 200
nx9500-6C8809(config)#
timezone
Displays a device's timezone
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show timezone
Parameters
None
Examples
nx9500-6C8809(config)#show timezone
Timezone is America/Los_Angeles
nx9500-6C8809(config)#
traffic-shape
Displays traffic-shaping related configuration details and statistics. Traffic shaping regulates network
data transfers to ensure a specific performance level. Traffic shaping delays the flow of packets defined
as less important than prioritized traffic streams. Traffic shaping enables traffic control out an interface
to match its flow to the speed of a remote target’s interface and ensure traffic conforms to applied
policies. Traffic can be shaped to meet downstream requirements and eliminate network congestion
when data rates are in conflict.
Apply traffic shaping to specific applications to apply application categories. When application and ACL
rules are conflicting, ACL rules take precedence for the traffic shaping class. Using traffic shaping, an
application takes precedence over an application category.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show traffic-shape [priority-map|statistics {class <1-4>}|status] {on <DEVICE-NAME>}
Parameters
show traffic-shape [priority-map|statistics {class <1-4>}|status] {on <DEVICE-NAME>}
Examples
ap7532-DEB9B0#show traffic-shape priority-map
----------------------------------------
DOT1P-PRIORITY TX-SHAPER-PRIORITY
----------------------------------------
0 2
1 0
2 1
3 3
4 4
5 5
6 6
7 7
----------------------------------------
ap7532-DEB9B0#
ap7532-DEB9B0#show traffic-shape status
State of Traffic shaper: running
ap7532-DEB9B0#
ap7532-DEB9B0#show traffic-shape statistics
Note
This command is applicable on TRON-capable WiNG APs and controllers. The controller should also
have the TRON license applied, and TRON-capable and enabled AP(s) adopted to it.
Syntax
show tron operating-config {on <DEVICE-NAME>}
Parameters
show tron operating-config {on <DEVICE-NAME>}
Note:
You will get this message, if the device (AP or controller) on
which you have executed the command does not have TRON up
and running, or does not support the TRON feature.
• TRON Operating Configuration: (none)
Note:
You will get this message when the FedEx backend server has
not yet pushed the operating configuration to the WiNG AP. For
more information on configuring TRON parameters, see tron on
page 1274.
Examples
NOC-NX9500#show tron operating-config on ap8533-070154
TRON Operating Configuration:
Device_Master_Type: 0x00 (Fixed)
Device_BLE_Scanner: xx:xx:xx:xx:xx:xx
BLE_Scan_Type: 0 (passive)
BLE_Scan_Interval: 16 (.625msec slots)
BLE_Scan_Window: 16 (.625msec slots)
BLE_Own_Address_Type: 0 (public)
BLE_Scan_Filter_Policy: 0 (accept_all)
Node_Table_Monitor_Interval: 3 (seconds)
Heartbeat_Interval: 3 (minutes)
Company_ID_List: 0x0141
Status_Change_Alert_Set_Enable: 0x00
Status_Change_Alert_Clear_Enable: 0x00
MQTT_Broker_Host: xx.xx.xx.xx
MQTT_Broker_Port: 1883
MQTT_Topic_Publish_Prefix: /TOPICS/PACKETS
MQTT_Topic_Subscribe_Prefix: /TOPICS/COMMANDS
MQTT_QoS: 2 (exactly_once)
MQTT_Client_Id_Prefix: FMN
MQTT_Username: myname
MQTT_Password: <encrypted string>
MQTT_Clean_Session: 0 (preserve_previous)
NOC-NX9500#
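The example output above shows the MQTT broker on port 1883, the IANA-registered port for MQTT without TLS (8883 is the registered port for MQTT over TLS). The following added example (not part of this guide) parses a saved capture of this command, reports the "(none)" state described in the note, flags a broker port that suggests unencrypted transport, and masks selected fields before the capture is shared. The sample capture is constructed from the example above, and the choice of fields to mask is this example's assumption.

```python
import re

# Constructed capture: a shortened copy of the example output above.
SAMPLE = """\
NOC-NX9500#show tron operating-config on ap8533-070154
TRON Operating Configuration:
Device_Master_Type: 0x00 (Fixed)
Device_BLE_Scanner: xx:xx:xx:xx:xx:xx
BLE_Scan_Type: 0 (passive)
MQTT_Broker_Host: xx.xx.xx.xx
MQTT_Broker_Port: 1883
MQTT_QoS: 2 (exactly_once)
MQTT_Username: myname
MQTT_Password: <encrypted string>
MQTT_Clean_Session: 0 (preserve_previous)
NOC-NX9500#
"""

HEADER = "TRON Operating Configuration:"
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_]*):\s*(.*?)\s*$")
ANNOTATED = re.compile(r"^(\S+)\s+\((.+)\)$")  # e.g. "2 (exactly_once)"
# Assumption: fields worth masking before a capture leaves the team.
SENSITIVE = {"MQTT_Broker_Host", "MQTT_Username", "MQTT_Password",
             "Device_BLE_Scanner"}


def parse_tron_config(text):
    """Return {key: (value, label)}, or None when the output is '(none)'."""
    fields, seen_header = {}, False
    for line in text.splitlines():
        line = line.strip()
        if HEADER in line:
            seen_header = True
            # "(none)" means no operating configuration has been pushed yet.
            if line.split(HEADER, 1)[1].strip() == "(none)":
                return None
            continue
        m = FIELD.match(line) if seen_header else None
        if not m:
            continue  # prompts, blank lines, anything before the header
        key, raw = m.groups()
        a = ANNOTATED.match(raw)
        fields[key] = (a.group(1), a.group(2)) if a else (raw, None)
    if not seen_header:
        raise ValueError("no TRON operating configuration block in capture")
    return fields


def audit_mqtt(cfg):
    """Return a list of findings about the MQTT transport settings."""
    if cfg is None:
        return ["no operating configuration has been pushed to this device"]
    findings = []
    port = cfg.get("MQTT_Broker_Port", (None, None))[0]
    if port is None:
        findings.append("MQTT_Broker_Port is missing from the capture")
    elif port == "1883":
        findings.append("MQTT_Broker_Port 1883: registered port for MQTT "
                        "without TLS; verify how the broker link is protected")
    elif port != "8883":
        findings.append(f"MQTT_Broker_Port {port}: not a registered MQTT "
                        "port; confirm the transport in use")
    return findings


def redact(text):
    """Mask the SENSITIVE fields so the capture can be attached to a ticket."""
    out = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) in SENSITIVE:
            line = f"{m.group(1)}: <redacted>"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for finding in audit_mqtt(parse_tron_config(SAMPLE)):
        print("FINDING:", finding)
    print(redact(SAMPLE))
```

A port finding is a prompt to check the broker configuration, not proof that traffic is unencrypted.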
upgrade-status
Displays the last image upgrade status
Note
This command is not available in the USER EXEC Mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show upgrade-status {detail|on}
show upgrade-status {detail} {(on <DEVICE-NAME>)}
Parameters
show upgrade-status {detail} {(on <DEVICE-NAME>)}
Note: If the ‘on’ keyword is used without the ‘detail’ keyword, the
system displays a summary of upgrade status and log on the
specified device.
Examples
nx9500-6C8809#show upgrade-status
Last Image Upgrade Status :In_Progress(17 percent completed)
version
Displays a device's software and hardware version
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show version {on <DEVICE-NAME>}
Parameters
show version {on <DEVICE-NAME>}
version {on <DEVICE-NAME>} Displays software and hardware versions on all devices or a specified device
• on <DEVICE-NAME> – Optional. Displays software and hardware versions on a
specified device
◦ <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service
platform.
Examples
nx9500-6C8809#show version
NX9500 version 5.9.3.0-006D
Copyright (c) 2004-2018 Extreme Networks, Inc. All rights reserved.
Booted from primary
nx9500-6C8809#
ap8432-070235>show version
AP8432 version 5.9.3.0-007D
Copyright (c) 2004-2018 Extreme Networks, Inc. All rights reserved.
Booted from secondary
ap8432-070235>
vrrp
Displays Virtual Router Redundancy Protocol (VRRP) details
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show vrrp [brief|details|error-stats|stats]
show vrrp [brief|details|stats] {<1-255>} {(on <DEVICE-NAME>)}
show vrrp error-stats {on <DEVICE-NAME>}
Parameters
show vrrp [brief|details|stats] {<1-255>} {(on <DEVICE-NAME>)}
Examples
nx9500-6C8809(config)#show vrrp error-stats
Last protocol error reason: none
IP TTL errors: 0
Version mismatch: 0
Packet Length error: 0
Checksum error: 0
Invalid virtual router id: 0
Authentication mismatch: 0
Invalid packet type: 0
nx9500-6C8809(config)#
nx9500-6C8809(config)#show vrrp details
VRRP Group 1:
version 2
interface none
configured priority 1
advertisement interval 1 sec
preempt enable, preempt-delay 0
virtual mac address 00-00-5E-00-01-01
sync group disable
nx9500-6C8809(config)#
virtual-machine
Displays the virtual-machine (VM) configuration, logs, and statistics
Syntax
show virtual-machine [configuration|debugging|export|statistics]
show virtual-machine [configuration|statistics] {<VM-NAME>|team-urc|team-rls|
team-vowlan} {(on <DEVICE-NAME>)}
show virtual-machine debugging {level|on}
show virtual-machine debugging {level [debug|error|info|warning]} {on <DEVICE-NAME>}
show virtual-machine export <VM-NAME> {on <DEVICE-NAME>}
show virtual-machine [configuration|statistics] {<VM-NAME>|adsp|team-cmt}
Parameters
show virtual-machine [configuration|statistics] {<VM-NAME>|team-urc|team-rls|
team-vowlan} {(on <DEVICE-NAME>)}
[<VM-NAME>|adsp|team-cmt] The following keywords are common to the ‘configuration’ and
‘statistics’ parameters:
• <VM-NAME> – Optional. Displays VM configuration or statistics
for the virtual machine identified by the <VM-NAME> keyword.
Specify the VM name.
• adsp – Optional. Displays Air-Defense Services Platform (ADSP)
VM configuration/statistics
• team-cmt – Optional. Displays TEAM-CMT VM configuration/
statistics
Examples
nx9500-6C874D#show virtual-machine statistics
--------------------------------------------------------------------------------
NAME STATE VCPUS MEM (MB) BRIDGE-IF IP
--------------------------------------------------------------------------------
WiNG - - 18432 - -
adsp Halted - - unknown -
team-cmt Halted - - unknown -
--------------------------------------------------------------------------------
nx9500-6C874D#
nx9500-6C874D#show virtual-machine configuration
--------------------------------------------------------------------------------
NAME AUTOSTART MEMORY(MB) VCPUS
--------------------------------------------------------------------------------
WiNG - 18432 -
adsp ignore 12000 12
team-cmt ignore 1024 1
--------------------------------------------------------------------------------
nx9500-6C874D#
nx9500-6C874D>show virtual-machine statistics adsp
VM name: adsp
Base Version : unknown
Install Status : not_installed
nx9500-6C874D>
wireless
Displays wireless configuration information and statistics
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show wireless [ap|bridge|client|coverage-hole-incidents|location-server|meshpoint|mint|
ml-rrm|mobility-database|radio|regulatory|rf-domain|sensor-server|unsanctioned|wips|wlan]
show wireless ap {configured|detail|load-balancing|on <DEVICE-NAME>}
show wireless ap {configured}
show wireless ap {detail} {<MAC/HOST-NAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless ap {load-balancing} {client-capability|events|neighbors} {(on <DEVICE-NAME>)}
show wireless bridge {candidate-ap|certificate|config|hosts|on|statistics}
show wireless bridge {candidate-ap} {<MAC/HOSTNAME> {<1-3>}} {(filter radio-mac <RADIO-MAC>)}
{(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless bridge {certificate} status {on <DEVICE-NAME>}
show wireless bridge {config}
show wireless bridge {hosts} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless bridge {statistics} {rf|traffic} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless client {association-history|detail|filter|include-ipv6|on <DEVICE-OR-DOMAIN-NAME>|
statistics|tspec}
show wireless client {association-history <MAC>} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless client {filter [ip|on|state|wlan]}
show wireless client {filter} {ip [<IP>|not <IP>]} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {filter} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {filter} {state [data-ready|not [data-ready|roaming]|roaming]} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {filter} {wlan [<WLAN-NAME>|not <WLAN-NAME>]} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {include-ipv6} {detail|on|filter}
show wireless client {include-ipv6} {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless client {include-ipv6} {filter {ip|ipv6|state|wlan}}
show wireless client {statistics} {detail|on|rf|window-data}
show wireless client {statistics} {detail <MAC>|rf|window-data <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless client {tspec <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless coverage-hole-incidents [detail|on|summary]
show wireless coverage-hole-incidents detail {filter [ap <MAC/HOSTNAME>|client-mac <MAC>]|
summary} {(on <DOMAIN-NAME>)}]
show wireless location-server {on <AP-NAME>}
show wireless meshpoint {config|detail|multicast|neighbor|on|path|proxy|root|security|
statistics|tree|usage-mappings}
show wireless meshpoint {config} {filter [device <DEVICE-NAME>|rf-domain <DOMAIN-NAME>]}
show wireless meshpoint {detail} {<MESHPOINT-NAME>}
show wireless meshpoint {on <DEVICE-OR-DOMAIN-NAME>}
show wireless meshpoint {multicast|path|proxy|root|security|statistics}
[<MESHPOINT-NAME>|detail] {on <DEVICE-OR-DOMAIN-NAME>}
show wireless meshpoint neighbor [<MESHPOINT-NAME>|detail|statistics {rf}]
{on <DEVICE-OR-DOMAIN-NAME>}
show wireless meshpoint {tree} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless meshpoint {usage-mappings}
show wireless mobility-database {on <DEVICE-NAME>}
show wireless mint [client|detail|links|portal]
show wireless ml-rrm history
show wireless [client|detail] {on|portal-candidates {<DEVICE-NAME>|filter <RADIO-MAC>}|
statistics} (<DEVICE-OR-DOMAIN-NAME>)
show wireless mint links {on <DEVICE-OR-DOMAIN-NAME>}
show wireless mint portal statistics {on <DEVICE-OR-DOMAIN-NAME>}
Parameters
show wireless ap {configured}
detail <MAC/HOST-NAME> Optional. Displays detailed information for all APs or a specified AP
• <MAC/HOST-NAME> – Optional. Displays information for a
specified AP. Specify the AP’s MAC address.
<MAC/HOSTNAME> <1-3> Optional. Specify the client-bridge access point’s hostname or MAC
address. Optionally append the radio interface’s number to form
client-bridge in the form of AA-BB-CC-DD-EE-FF:RX or
HOSTNAME:RX.
• <1-3> – Optional. Radio interface index if not specified as part of
mesh ID.
filter radio-mac <RADIO-MAC> This is a recursive parameter and common to all of the above
options.
• filter radio-mac – Optional. Provides additional filters to
specifically identify the radio by its MAC address
◦ <RADIO-MAC> – Specify the radio’s MAC address.
Note: The HOST MAC column displays real MAC addresses of wired
hosts, while the BRIDGE MAC column displays the translated MAC
addresses. The BRIDGE MAC column is based on the radio 2 base
on <DEVICE-OR-DOMAIN-NAME> The following keyword is common to the ‘IP’ and ‘not IP’ parameters:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays selected
wireless client information on a specified device or RF Domain
◦ <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP,
wireless controller, service platform, or RF Domain.
on <DEVICE-OR-DOMAIN-NAME> The following keyword is common to the ‘ready’, ‘not’, and ‘roaming’ parameters:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays selected
client details on a specified device or RF Domain
◦ <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP,
wireless controller, service platform, or RF Domain.
ipv6 [<IPv6>|not <IPv6>] Optional. Displays wireless client information based on the IPv6
address passed
• <IPv6> – Displays information of the client identified by the
<IPv6> parameter
• not <IPv6> – Inverts the match selection
filter state [data-ready|not [data-ready|roaming]|roaming] Optional. Filters wireless client information based on their state
• data-ready – Displays information of wireless clients in the data-ready state
• not [data-ready|roaming] – Inverts match selection. Displays
information of wireless clients neither ready nor roaming
• roaming – Displays information of roaming clients
wlan [<WLAN-NAME>|not <WLAN-NAME>] Optional. Displays wireless client information based on the WLAN
name passed
• <WLAN-NAME> – Specify the WLAN name.
• not <WLAN-NAME> – Inverts match selection
show wireless location-server on <AP-NAME> Displays location server connection status on a specified access
point
• <DEVICE-NAME> - Specify the AP name.
show wireless ml-rrm history Displays statistical data of changes made to the radio metrics
through ml-rrm. If you have enabled ml-rrm (machine-learning
radio resource management) on your radio, use this command to
view the changes made to the radio's channel, power, etc. settings
through the ml-rrm agent.
wireless
meshpoint Displays meshpoint related information. Use this option to view
detailed statistics on each Mesh-capable client available within
controller’s adopted access point’s radio coverage area.
A mesh network is one where each node is able to
communicate with other nodes and maintain more than one path to
the other mesh nodes within the mesh network. A mesh network
provides robust, reliable and redundant connectivity to all the
members of the mesh network. When one member of the mesh
network becomes unavailable, the other mesh nodes are still able to
communicate with one another either directly or indirectly through
intermediate nodes.
detail <MESHPOINT-NAME> Optional. Displays detailed information for all meshpoints or a
specified meshpoint
• <MESHPOINT-NAME> – Optional. Displays detailed information
for a specified meshpoint. Specify the meshpoint name.
[<MESHPOINT-NAME>| detail] The following keywords are common to all of the above parameters:
• <MESHPOINT-NAME> – Displays meshpoint related information
for a specified meshpoint. Specify the meshpoint name.
• detail – Displays detailed multicast information for all
meshpoints
on <DEVICE-OR-DOMAIN-NAME> Optional. After specifying the radio MAC address, further refine the
search by specifying a device or RF Domain.
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP,
wireless controller, service platform, or RF Domain.
statistics {detail|window-data} Optional. Displays radio traffic and RF statistics. Use additional
filters to view specific details. The options are:
• detail – Displays detailed traffic and RF statistics of all radios
• window-data – Displays historical data over a time window
<1-3> Optional. Specify the radio interface index from 1-3, if not specified
as part of the radio ID using the preceding parameter.
filter <RADIO-MAC> Optional. Provides additional filters
• <RADIO-MAC> – Optional. Filters based on the radio MAC
address
on <DEVICE-OR-DOMAIN-NAME> Optional. After specifying the radio MAC address, further refine the
search by specifying a device or RF Domain.
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP,
wireless controller, service platform, or RF Domain.
wireless
radio Displays radio operation status and other related information. Use
this option to view radio association data, including radio ID,
connected APs, radio type, quality index and SNR. This data is
reported to the managing controller or service platform from
connected access point radios and should be refreshed periodically.
A radio’s RF Mode displays as:
• 2.4GHz-wlan – If it is configured to provide 2.4 GHz WLAN
service
• 5GHz-wlan – If it is configured to provide 5.0 GHz WLAN service
• bridge – If it is configured to provide client-bridge operation
on <DEVICE-OR-DOMAIN-NAME> Optional. After specifying the radio MAC address, further refine the
search by specifying a device or RF Domain.
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP,
wireless controller, service platform, or RF Domain.
wireless
wlan Displays WLAN related information based on the parameters
passed
detail <WLAN> Optional. Displays WLAN configuration
• <WLAN> – Specify the WLAN name.
device <DEVICE-NAME> Optional. Filters WLAN information based on the device name
• <DEVICE-NAME> – Specify the device name.
Examples
nx9500-6C8809(config)#show wireless wlan config
--------------------------------------------------------------------------------
NAME ENABLE SSID ENCRYPTION AUTHENTICATION VLAN BRIDGING MODE
--------------------------------------------------------------------------------
test Y test wep64 none 1 local
--------------------------------------------------------------------------------
nx9500-6C8809(config)#
nx9500-6C8809(config)#show wireless wips client-blacklist
No wireless clients blacklisted
nx9500-6C8809(config)#
nx9500-6C8809(config)#show wireless regulatory country-code
--------------------------------------------------------------------------------
ISO CODE NAME
--------------------------------------------------------------------------------
gt Guatemala
co Colombia
cn China
cm Cameroon
cl Chile
--More--
nx9500-6C8809(config)#
nx9500-6C8809#show wireless regulatory device-type ap505 us
----------------------------------------------------------------------------------------------------
#  Channel Set  Power(mW)  Power (dBm)  Placement       DFS           CAC(mins)  TPC
----------------------------------------------------------------------------------------------------
1  1-11         4000       36           Indoor/Outdoor  NA            NA         NA
2  36-48        4000       36           Indoor/Outdoor  Not Required  0          Not Required
3  52-64        1000       30           Indoor/Outdoor  Required      1          Required
4  52-64        500        27           Indoor/Outdoor  Required      1          Not Required
5  100-140      1000       30           Indoor/Outdoor  Required      1          Required
6  100-140      500        27           Indoor/Outdoor  Required      1          Not Required
7  149-165      4000       36           Indoor/Outdoor  Not Required  0          Not Required
----------------------------------------------------------------------------------------------------
nx9500-6C8809#
nx9600-7F5124#show wireless meshpoint tree on PTP-AP
In progress .......
1:PTP-Radio2 [7 MPs(2 roots, 5 bound)]
|-ap7562-84A484-ROOT1
| |-ap7562-84A2CC-VMM
| |-ap7532-80C28C-NR
| |-ap7532-82CCA4-NR
| |-ap7562-84A22C-NR2
| |-ap7532-160114
|-ap7562-84A280-ROOT2
-----------------------------------------------------------------------------------------------------------------
Report start on RF-Domain: Store-1
MAC                IP        VENDOR     RADIO-ID              WLAN        VLAN  STATE
-----------------------------------------------------------------------------------------------------------------
00-01-02-03-04-10  2.3.4.16  3Com Corp  00-01-02-03-04-00:R1  sim-wlan-1  1     Data-Ready
00-01-02-03-05-10  2.3.5.16  3Com Corp  00-01-02-03-04-00:R2  sim-wlan-1  1     Data-Ready
Report end on RF-Domain: Store-1
-----------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------
Report start on RF-Domain: default
database not available
Report end on RF-Domain: default
-----------------------------------------------------------------------------------------------------------------
If the location-server IP address/hostname is not configured in the AP's RF-Domain, then the status
displays as "no server defined" as shown in the following example:
vx9000-739FF8(config)#show wireless location-server on ap7612-3B363D
--------------------------------------------------------------------------------
# LOCATION SERVER HOST PORT STATUS
--------------------------------------------------------------------------------
1 0 no server defined
--------------------------------------------------------------------------------
vx9000-739FF8(config)#
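The show wireless wlan config example in this section lists a WLAN that uses wep64 encryption with no authentication. The following added example (not part of this guide) parses a saved capture of that output and reports every WLAN whose ENCRYPTION column is open, WEP or TKIP, listing enabled WLANs first. Only the "test" row comes from the guide; the other rows and the values ccmp, eap and tunnel are constructed, and treating any value that begins with "wep" or contains "tkip" as weak is this example's assumption about how the CLI renders those modes.

```python
import re

# Constructed capture. Only the "test" row is taken from the example above;
# the other rows and the values ccmp / eap / tunnel are invented for the demo.
SAMPLE = """\
nx9500-6C8809(config)#show wireless wlan config
--------------------------------------------------------------------------------
NAME      ENABLE  SSID       ENCRYPTION  AUTHENTICATION  VLAN  BRIDGING MODE
--------------------------------------------------------------------------------
test      Y       test       wep64       none            1     local
corp      Y       Corp WiFi  ccmp        eap             20    tunnel
lab-open  N       lab        none        none            30    local
--------------------------------------------------------------------------------
nx9500-6C8809(config)#
"""

RULE = re.compile(r"^-{10,}\s*$")  # the dashed separator lines of the table


def parse_wlan_config(text):
    """Parse the body of one `show wireless wlan config` table into dicts."""
    rows, rules_seen = [], 0
    for line in text.splitlines():
        if RULE.match(line):
            rules_seen += 1
            continue
        # Data rows sit between the second and third separator lines.
        if rules_seen != 2 or not line.strip() or line.startswith("--More--"):
            continue
        tokens = line.split()
        if len(tokens) < 7:
            raise ValueError(f"unexpected row: {line!r}")
        # An SSID may contain spaces, so anchor on both ends of the row:
        # two leading columns, four trailing ones, the SSID is what is left.
        # (Runs of spaces inside an SSID are collapsed to one.)
        enc, auth, vlan, mode = tokens[-4:]
        rows.append({
            "name": tokens[0],
            "enabled": tokens[1].upper() == "Y",
            "ssid": " ".join(tokens[2:-4]),
            "encryption": enc,
            "authentication": auth,
            "vlan": vlan,
            "bridging_mode": mode,
        })
    return rows


def weak_encryption(value):
    """Return a short reason when an ENCRYPTION value is weak, else None."""
    v = value.lower()
    if v == "none":
        return "open"   # no link-layer encryption at all
    if v.startswith("wep"):
        return "wep"    # wep64 appears on the page; other wep* names assumed
    if "tkip" in v:
        return "tkip"   # assumed rendering, includes mixed TKIP modes
    return None


def audit_wlans(rows):
    """List WLANs with weak encryption, enabled WLANs first."""
    findings = []
    for row in rows:
        issue = weak_encryption(row["encryption"])
        if issue:
            findings.append({
                "wlan": row["name"],
                "ssid": row["ssid"],
                "issue": issue,
                "authentication": row["authentication"],
                "enabled": row["enabled"],
            })
    findings.sort(key=lambda f: not f["enabled"])  # stable sort
    return findings


if __name__ == "__main__":
    for f in audit_wlans(parse_wlan_config(SAMPLE)):
        state = "enabled" if f["enabled"] else "disabled"
        print(f'{f["wlan"]} (SSID "{f["ssid"]}", {state}): '
              f'{f["issue"]}, authentication {f["authentication"]}')
```

The parser expects one table per capture, so save each command's output separately.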
web-filter
Displays Web filtering related information. Use this command to view information on Web requests for
content and whether the requests were blocked or approved based on URL filter settings defined for
the selected controller or service platform. A URL filter is comprised of several filter rules. A whitelist
bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites
except the categories and URL lists defined in the blacklist.
Syntax
show web-filter [category|category-type|config|filter-level [basic|high|low|
medium|medium-high]|statistics {on <DEVICE-NAME>}|status]
Parameters
show web-filter [category|category-type|config|filter-level [basic|high|low|
medium|medium-high]|statistics {on <DEVICE-NAME>}|status]
category-type Displays the Web filter category types. This is a pre-configured list of
categories and sub-categories into which commonly accessed URLs
have been classified.
config Displays all existing Web filters and their configuration details
filter-level [basic|high|low|medium|medium-high] Displays category types for the selected filter-level. Each filter level is
pre-configured to use a set of category types. You cannot change the
categories in the category types used for these pre-configured filter-level
settings. Nor can you add, modify, or remove the category types
mapped to a filter-level setting. The options are:
• basic – Displays all category types configured for the basic filter-level
• high – Displays all category types configured for the high filter-level
• low – Displays all category types configured for the low filter-level
• medium – Displays all category types configured for the medium filter-level
• medium-high – Displays all category types configured for the
medium-high filter-level
Note: Web filtering is a licensed feature, and only when enforced can
the system display Web filtering statistics.
Note: Web filtering is a licensed feature, and only when enforced can
the system display Web filtering status.
Examples
nx9500-6C8809(config)#show web-filter category
advertisement-popups
Sites that provide advertising graphics or other ad content
files such as banners and pop-ups.
alcohol-tobacco
Sites that promote or sell alcohol- or tobacco-related
products or services.
anonymizers
Sites and proxies that act as an intermediary for surfing to
other websites in an anonymous fashion, whether to
circumvent web filtering or for other reasons.
arts
Sites with artistic content or relating to artistic
institutions such as theaters, museums, galleries, dance
companies, photography, and digital graphic resources.
botnets
Sites that use bots (zombies) including command-and-control
sites.
--More--
nx9500-6C8809(config)#
nx9500-6C8809(config)#show web-filter config
URL filters configured for this device are:
WebFilter_ShoppingSites
Blacklisted categories:
shopping,
Whitelisted categories:
<AllowedShopping>,
nx9500-6C8809(config)#
what
Displays details of a specified search phrase (performs global search)
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show what [contain|is] <WORD> {on <DEVICE-OR-DOMAIN-NAME>}
Parameters
show what [contain|is] <WORD> {on <DEVICE-OR-DOMAIN-NAME>}
contain <WORD> Searches for all items that contain a specified word
• <WORD> – Specify the string to use as match criteria (for example, MAC
address, hostname, etc.).
Examples
rfs4000-229D58#show what contain default
------------------------------------------------------------------------------------------
----------------------------------------------------------
NO. CATEGORY MATCHED OTHER KEY INFO (1)
OTHER KEY INFO (2) OTHER KEY INFO (3)
NAME/VALUE NAME/VALUE
NAME/VALUE NAME/VALUE
------------------------------------------------------------------------------------------
----------------------------------------------------------
https-trustpoint type
mac rf_domain_name
1 device-cfg fault-finders rfs4000
00-23-68-22-9D-58 default
__obj_name__
name
2 firewall_policy
default
__obj_name__ name
HTTPS idle_session_timeout
3 management_policy default
True 30
qos_policy name
control_vlan beacon_format
--More--
rfs4000-229D58#
wwan
Displays wireless WAN status
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
show wwan [configuration|status] {on <DEVICE-OR-DOMAIN-NAME>}
Parameters
show wwan [configuration|status] {on <DEVICE-OR-DOMAIN-NAME>}
Examples
rfs4000-229D58(config-device-00-23-68-22-9D-58)#show wwan configuration
>>> WWAN Configuration:
+-------------------------------------------
| Access Port Name : isp.cingular
| User Name : testuser
| Cryptomap : map1
+-------------------------------------------
rfs4000-229D58(config-device-00-23-68-22-9D-58)#
rfs4000-229D58(config-device-00-23-68-22-9D-58)#show wwan status
>>> WWAN Status:
+-------------------------------------------
| State : ACTIVE
| DNS1 : 209.183.54.151
| DNS2 : 209.183.54.151
+-------------------------------------------
rfs4000-229D58(config-device-00-23-68-22-9D-58)#
PROFILES
Profiles enable administrators to assign a common set of configuration parameters, policies, and
WLANs to service platforms, controllers, and access points across a large, multi-segment site. The
configuration parameters within a profile are based on the hardware model the profile was created to
support.
The service platforms, wireless controllers, and access points support both default and user-defined
profiles. Each default and user-defined profile contains policies and configurations that are applied to
devices assigned to the profile. Changes made to these configurations are automatically inherited by
the devices. The central benefit of a profile is its ability to update devices collectively without having to
modify individual device configurations.
Default profiles are system maintained and are automatically applied to service platforms and wireless
controllers. The default AP profile is automatically applied to an AP (discovered by a wireless controller
or service platform), unless an AP auto-provisioning policy is defined specifically to assign APs to a
user-defined profile. After adoption, changes made to a profile’s parameters are reflected across all
devices using the profile. Default profiles are ideal for single site deployments where service platforms,
wireless controllers, and access points share a common configuration.
User-defined profiles, on the other hand, are manually created for each supported service platform,
wireless controller, and access point model. User-defined profiles are recommended for larger
deployments using centralized controllers and service platforms when groups of devices on different
floors, buildings or sites share a common configuration. These user-defined profiles can be assigned manually, or
automatically through an auto provisioning policy. An auto provisioning policy provides the
means to assign profiles to access points based on model, serial number, VLAN ID, DHCP options, IP
address (subnet) and MAC address. For more information, see AUTO-PROVISIONING-POLICY on page
1477.
A user-defined profile can be created for each of the following device types:
• AP7502 – Adds an AP7502 access point profile
• AP7522 – Adds an AP7522 access point profile
• AP7532 – Adds an AP7532 access point profile
• AP7562 – Adds an AP7562 access point profile
• AP7602 – Adds an AP7602 access point profile
• AP7612 – Adds an AP7612 access point profile
Note
A T5 profile can be created only on the following platforms: RFS 4000, NX 95XX, and NX
96XX.
Although profiles assign a common set of configuration parameters across devices, individual devices
can still be assigned unique configuration parameters that follow the flat configuration model. As
individual device updates are made, these devices no longer share the profile based configuration they
originally supported. Therefore, changes made to a profile are not automatically inherited by devices
that have had their configuration customized. These devices require careful administration, as they
cannot be tracked as profile members. Their customized configurations overwrite their profile
configurations until the profile is re-applied.
Note
The commands present under ‘Profiles’ are also available under the ‘Device mode’. The
additional commands specific to the ‘Device mode’ are listed separately.
To view the list of device profiles supported, use the following command:
<DEVICE>(config)#profile ?
nx9500-6C8809(config)#profile ?
anyap Any access point profile
ap505 AP505 access point profile
ap510 AP510 access point profile
containing Specify profiles that contain a sub-string in the profile name
ex3524 EX3524 wireless controller profile
nx9500-6C8809(config)#
raid RAID
remote-debug Configure remote debug parameters
remove-override Remove configuration item override
from the device (so profile value
takes effect)
rf-domain-manager RF Domain Manager
router Dynamic routing
slot PCI expansion Slot
spanning-tree Spanning tree
traffic-class-mapping Configure IPv6 traffic class to
802.1p priority mapping for
untagged frames
traffic-shape Traffic shaping
trustpoint Assign a trustpoint to a service
tunnel-controller Tunnel Controller group this
controller belongs to
use Set setting to use
vrrp VRRP configuration
vrrp-state-check Publish interface via OSPF/BGP only
if the interface VRRP state is not
BACKUP
wep-shared-key-auth Enable support for 802.11 WEP
shared key authentication
zone Configure Zone name
nx9500-6C8809(config-profile-testap505)#
nx9500-6C8809(config-profile-T5Profile)#?
T5 Profile Mode commands:
cpe T5 CPE configuration
interface Select an interface to configure
ip Internet Protocol (IP)
no Negate a command or set its defaults
ntp Configure NTP
override-wlan Configure RF Domain level overrides for wlan
t5 T5 configuration
t5-logging Modify message logging facilities
use Set setting to use
nx9500-6C8809(config-profile-T5Profile)#
nx9500-6C8809(config-profile-Ex3524Profile)#?
EX35xx Profile Mode commands:
interface Select an interface to configure
ip Internet Protocol (IP)
no Negate a command or set its defaults
power Ex3500 Power over Ethernet Command
upgrade Configures upgrade option for ex3500 system
use Set setting to use
nx9500-6C8809(config-profile-Ex3524Profile)#
Note
The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot
include an underscore (_) character. In other words, the name of a device cannot contain an
underscore.
Note
For more information on common commands (clrscr, commit, help, revert, service, show,
write, and exit), see COMMON COMMANDS on page 705.
adopter-auto-provisioning-policy-lookup
Enables the use of a centralized auto provisioning policy on this profile. When enabled, the auto-
provisioning policy applied on the NOC gets precedence over the one applied at the site controller level.
Optionally, use the ‘evaluate-always’ option to set flag to run centralized auto-provisioning policy every
time a device (access point/controller) is adopted. The device’s previous adoption status is not taken
into consideration.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
adopter-auto-provisioning-policy-lookup {evaluate-always}
Parameters
adopter-auto-provisioning-policy-lookup {evaluate-always}
adopter-auto-provisioning-policy-lookup {evaluate-always} Enables the use of a centralized auto provisioning policy on this profile or
device
• evaluate-always – Optional. Sets flag to run centralized auto-
provisioning policy every time a device (access point/controller) is
adopted.
Examples
nx9500-6C8809(config-profile-test4K)#adopter-auto-provisioning-policy-lookup evaluate-always
nx9500-6C8809(config-profile-test4K)#show context include-factory | include adopter-auto-provisioning-policy-lookup
adopter-auto-provisioning-policy-lookup evaluate-always
nx9500-6C8809(config-profile-test4K)#
Related Commands
adoption
Configures a minimum and maximum delay time in the initiation of the device adoption process. When
configured, devices do not attempt adoption immediately on coming up. The process is initiated after
the lapse of a specified period of time (configured using this command as the start-delay minimum
time).
Once configured and applied, this setting is applicable on all devices using this profile. This option is
also available in the device-configuration mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
adoption start-delay min <0-30> max <0-30>
Parameters
adoption start-delay min <0-30> max <0-30>
Example
nx9500-6C8809(config-profile-test4K)#adoption start-delay min 10 max 30
nx9500-6C8809(config-profile-test4K)#show context include-factory | include adoption
enforce-version adoption strict
controller adoption
adoption start-delay min 10 max 30
adoption-mode controller
nx9500-6C8809(config-profile-test4K)#
Related Commands
no on page 1329 – Removes the configured minimum start-delay value. When removed, devices attempt adoption immediately on coming up.
adoption-mode
Configures the mode of adoption in an access point profile. This command is also applicable to the
device configuration context.
By default, any WiNG AP, on being powered-up for the first time, starts the following auto-discovery
process. The AP:
1. Moves to MLCP_DISCOVERY state and tries to discover a local controller. If a local controller is found,
it
a. It is changed from the controller’s CLI (using the adoption-mode command), the Cloud
dashboard, or the WS controller dashboard.
b. If the AP is reverted to factory settings, in which case the AP starts the auto-discovery process
on bootup.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
adoption-mode [cloud|controller|ws-controller]
Parameters
adoption-mode [cloud|controller|ws-controller]
Examples
nx9500-6C8809(config-profile-testAP8432)#adoption-mode cloud
nx9500-6C8809(config-profile-testAP8432)#show context
profile ap8432 testAP8432
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
interface radio2
interface bluetooth1
shutdown
interface ge1
interface ge2
interface pppoe1
use firewall-policy default
service pm sys-restart
router ospf
adoption-mode cloud
nx9500-6C8809(config-profile-testAP8432)#
Related Commands
alias
Configures network, VLAN, and service aliases. The aliases defined on this profile apply to all devices
using this profile. Aliases can also be defined at the device level.
Note
You can apply overrides to aliases at the device level. Overrides applied at the device level
take precedence. For more information on aliases, see alias on page 267 (global config mode).
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
alias [address-range|encrypted-string|hashed-string|host|network|network-group|network-service|number|string|vlan]
alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> <LINE>
alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>
alias host <HOST-ALIAS-NAME> <HOST-IP>
alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP>|host <HOST-IP>|network <NETWORK-ADDRESS/MASK>]
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport|ssh|telnet|tftp|www)}
alias number <NUMBER-ALIAS-NAME> <0-4294967295>
alias string <STRING-ALIAS-NAME> <LINE>
alias vlan <VLAN-ALIAS-NAME> <1-4094>
Parameters
alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
address-range <ADDRESS-RANGE-ALIAS-NAME> – Creates a new address-range alias for this profile, or associates an
existing address-range alias with this profile. An address-range alias maps a name to a range of IP addresses.
Use this option to create unique address-range aliases for different deployment scenarios. For example, if an
ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a
remote location’s network range is 172.16.13.20 through 172.16.13.110, the remote location’s ACL can be
overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new
ACL need not be created specifically for the remote deployment location.
• <ADDRESS-RANGE-ALIAS-NAME> – Specify the address range alias name.
<STARTING-IP> to <ENDING-IP> – Associates a range of IP addresses with this address range alias
• <STARTING-IP> – Specify the first IP address in the range.
◦ to <ENDING-IP> – Specify the last IP address in the range.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can
be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take
precedence.
encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> – Creates an alias for an encrypted string. Use this alias for
string configuration values that are encrypted when "password-encryption" is enabled. For example, in the
management-policy, use it to define the SNMP community string. For more information, see snmp-server on
page 1701 (management policy config mode).
• <ENCRYPTED-STRING-ALIAS-NAME> – Specify the encrypted-string alias name.
Alias name should begin with ‘$’.
<LINE> – Configures the value associated with the alias name specified in the previous step
• <LINE> – Configures the alias value
nx9500-6C8809(config)#show running-config
!...............................
alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da//
!
--More--
nx9500-6C8809
hashed-string <HASHED-STRING-ALIAS-NAME> – Creates an alias for a hashed string. Use this alias for
configuration values that are hashed strings, such as passwords. For example, in the management-policy, use it
to define the privilege mode password. For more information, see privilege-mode-password on page 1696
(management-policy mode).
• <HASHED-STRING-ALIAS-NAME> – Specify the hashed-string alias name.
Alias name should begin with ‘$’.
<LINE> – Configures the hashed-string value associated with this alias.
nx9500-6C8809(config)#show running-config
!
alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv
!
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
--More--
nx9500-6C8809
In the above show running-config output, the ‘1’ displayed before the hashed-string alias value indicates
that the displayed text is hashed and not clear text.
host <HOST-ALIAS-NAME> – Creates a new host alias for this profile, or associates an existing host alias with
this profile. A host alias configuration is for a particular host device’s IP address. Use this option to
create unique host aliases for different deployment scenarios. For example, if a central network DNS server is
set to a static IP address, and a remote location’s local DNS server is defined, this host can be overridden at
the remote location. At the remote location, the network is functional with a local DNS server, but uses the
name set at the central network. A new host need not be created at the remote
network <NETWORK-ALIAS-NAME> – Creates a new network alias for this profile, or associates an existing network
alias with this profile. A network alias configuration is utilized for an IP address on a particular network.
Use this option to create unique network aliases for different deployment scenarios. For example, if a central
network ACL defines a network as 192.168.10.0/24, and a remote location’s network range is 172.16.10.0/24, the
ACL can be overridden at the remote location to suit their local (but remote) requirement.
At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created
specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better
manage specific local requirements.
• <NETWORK-ALIAS-NAME> – Specify the network alias name.
Alias name should begin with ‘$’.
<NETWORK-ADDRESS/MASK> – Associates a single network with this network alias
• <NETWORK-ADDRESS/MASK> – Specify the network’s address and mask.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can
be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take
precedence.
network-group <NETWORK-GROUP-ALIAS-NAME> – Creates a new network-group alias for this profile, or associates
an existing network-group alias with this profile.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name.
Alias name should begin with ‘$’.
The network-group aliases are used in ACLs, to define the network-specific components. ACLs using aliases can
be used across sites by re-defining the network-group alias elements at the device or profile level.
After specifying the name, specify the following: a range of IP addresses, host addresses, or a range of
network addresses.
host <HOST-IP> {<HOST-IP>} – Associates a single or multiple hosts with this network-group alias
• <HOST-IP> – Specify the host’s IP address.
◦ <HOST-IP> – Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured.
alias network-service <NETWORK-SERVICE-ALIAS-NAME> – Creates a new network-service alias for this profile, or
associates an existing network-service alias with this profile. A network service alias is a set of
configurations that consist of protocol and port mappings. Both source and destination ports are configurable.
For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum
of 4 protocol entries can be configured per network service alias.
• <NETWORK-SERVICE-ALIAS-NAME> – Specify a network-service alias name.
proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] – Use one of the following options to associate an Internet
protocol with this network-service alias:
• <0-254> – Identifies the protocol by its number. Specify the protocol number from 0 - 254. This is the number
by which the
{(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)} –
After specifying the protocol, you may configure a destination port for this service. These keywords are
recursive and you can configure multiple protocols and associate multiple destination and source ports.
• <1-65535> – Optional. Configures a destination port number from 1 - 65535
• <WORD> – Optional. Identifies the destination port by the service name provided. For example, the SSH (secure
shell) service uses TCP port 22.
• bgp – Optional. Configures the default BGP (Border Gateway Protocol) services port (179)
• dns – Optional. Configures the default DNS (Domain Name System) services port (53)
• ftp – Optional. Configures the default FTP (File Transfer Protocol) control services port (21)
• ldap – Optional. Configures the default LDAP (Lightweight Directory Access Protocol) services port (389)
• ftp-data – Optional. Configures the default FTP data services port (20)
• gopher – Optional. Configures the default gopher services port (70)
• https – Optional. Configures the default HTTPS services port (443)
• nntp – Optional. Configures the default Newsgroup (NNTP) services port (119)
• ntp – Optional. Configures the default NTP (Network Time Protocol) services port (123)
• proto – Optional. Use this option to select another Internet protocol in addition to the one selected in the
previous step.
• sip – Optional. Configures the default SIP (Session Initiation Protocol) services port (5060).
alias string <STRING-ALIAS-NAME> – Creates a new string alias for this profile, or associates an existing
string alias with this profile. String aliases map a name to an arbitrary string value. Use this option to
create unique string aliases for different deployment scenarios. For example, if the main domain at a remote
location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias
can be overridden at the remote location to suit the local (but remote) requirement. At one remote location,
the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.
• <STRING-ALIAS-NAME> – Specify the string alias name.
◦ <LINE> – Specify the string value.
alias vlan <VLAN-ALIAS-NAME> – Creates a new VLAN alias for this profile, or associates an existing VLAN alias
with this profile. A VLAN alias maps a name to a VLAN
Example
The following example shows the global aliases configured. Note the network-service alias ‘$kerberos’
settings:
nx9500-6C8809(config)#show running-config | include alias
alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25
alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24
alias network $NetworkAlias 192.168.13.0/24
alias host $HostAlias 192.168.13.10
alias address-range $AddRanAlias 192.168.13.10 to 192.168.13.13
alias network-service $kerberos proto tcp 23 proto udp 25
alias vlan $VlanAlias 1
alias string $AREA Ecospace
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 2 CdO6glQ9w29hybKxfbd6JwAAAAa7lKMBMk9EiDQfFRf9kegO
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
nx9500-6C8809(config)#
The following example applies an override to the network-service alias ‘$kerberos’ at the profile level:
nx9500-6C8809(config-profile-testRFS4k)#alias network-service $kerberos proto tcp 22 proto udp 389
The following example shows the overrides applied to the network-service alias ‘$kerberos’ at the
profile level:
nx9500-6C8809(config-profile-testRFS4k)#show running-config | include alias
alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25
alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24
alias network $NetworkAlias 192.168.13.0/24
alias host $HostAlias 192.168.13.10
alias address-range $AddRanAlias 192.168.13.10 to 192.168.13.13
alias network-service $kerberos proto tcp 22 proto udp 389
alias vlan $VlanAlias 1
alias string $AREA Ecospace
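The override rule described above (an alias defined at one level can be redefined at a lower level, with the device level taking precedence), as an added example that is not part of the guide: a resolver that parses `alias` lines from `show running-config | include alias` output and reports the effective value of each alias and the level that supplied it, which is what an ACL referencing the alias will actually match. The function names and level labels are assumptions, the device-level line is constructed, and treating a lower-level definition as replacing every line of a multi-line network-group alias is also an assumption.

```python
import re

ALIAS_TYPES = {
    "address-range", "encrypted-string", "hashed-string", "host", "network",
    "network-group", "network-service", "number", "string", "vlan",
}
PROMPT = re.compile(r"^\S+\(config[^)]*\)#")  # CLI prompt lines are skipped


def parse_aliases(text):
    """Parse `show running-config | include alias` text.

    Returns {(alias_type, name): [value, ...]} with one list item per alias
    line, because a network-group alias may be spread over several lines.
    """
    aliases, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line == "--More--" or PROMPT.match(line):
            current = None
            continue
        if line.startswith("alias "):
            parts = line.split(None, 3)
            if len(parts) < 4 or parts[1] not in ALIAS_TYPES or not parts[2].startswith("$"):
                raise ValueError(f"unrecognised alias line: {line!r}")
            current = (parts[1], parts[2])
            aliases.setdefault(current, []).append(parts[3])
        elif current is not None:
            # Terminal-wrapped output: continue the preceding alias line.
            aliases[current][-1] += " " + line
    return aliases


def resolve(levels):
    """levels: [(label, config_text), ...] ordered least specific first.

    Returns {(alias_type, name): (label, values)}; the most specific level
    that defines an alias supplies its whole value (assumption, see lead-in).
    """
    effective = {}
    for label, text in levels:
        for key, values in parse_aliases(text).items():
            effective[key] = (label, values)
    return effective


def overrides(levels):
    """Aliases whose effective value differs from the first (global) level."""
    base_label, base_text = levels[0]
    base = parse_aliases(base_text)
    changed = {}
    for key, (label, values) in resolve(levels).items():
        if label != base_label and base.get(key) != values:
            changed[key] = {"level": label, "from": base.get(key), "to": values}
    return changed


def service_entries(value):
    """Split 'proto tcp 22 proto udp 389' into per-protocol port lists."""
    entries, tokens, i = [], value.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("proto", "sourceport"):
            if i + 1 >= len(tokens) or (tok == "sourceport" and not entries):
                raise ValueError(f"malformed network-service value: {value!r}")
            if tok == "proto":
                entries.append({"proto": tokens[i + 1], "dst": [], "src": []})
            else:
                entries[-1]["src"].append(tokens[i + 1])
            i += 2
        else:
            if not entries:
                raise ValueError(f"port given before proto: {value!r}")
            entries[-1]["dst"].append(tok)
            i += 1
    return entries


# Global and profile lines are copied from the guide's example output (one
# line is wrapped, as a terminal shows it); the device line is constructed.
GLOBAL_CFG = """\
nx9500-6C8809(config)#show running-config | include alias
alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16
 192.168.13.20 to 192.168.13.25
alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24
alias network-service $kerberos proto tcp 23 proto udp 25
alias vlan $VlanAlias 1
alias string $AREA Ecospace
"""
PROFILE_CFG = "alias network-service $kerberos proto tcp 22 proto udp 389\n"
DEVICE_CFG = "alias vlan $VlanAlias 20\n"  # constructed sample
LEVELS = [("global", GLOBAL_CFG), ("profile testRFS4k", PROFILE_CFG), ("device", DEVICE_CFG)]

if __name__ == "__main__":
    for (kind, name), change in sorted(overrides(LEVELS).items()):
        print(f"{kind} {name}: {change['from']} -> {change['to']} ({change['level']})")
```

Reviewing the output of `overrides` per site shows which ACL inputs differ from the global definition before a shared ACL is relied on there.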
Related Commands
application-policy
Associates a RADIUS server provided application policy with this profile. This command is also
applicable to the device configuration mode. When associated, the application policy allows wireless
clients (MUs) to always find the RADIUS-supplied application policy in the dataplane.
An application policy defines the actions executed on recognized HTTP (Facebook), enterprise (Webex)
and peer-to-peer (gaming) applications or application-categories. The following are the actions that
can be applied in an application policy:
• Allow - Allows packets for a specific application and its defined category type (for example, social
networking)
• Deny - Denies (restricts) packets to a specific application and its defined category type
• Mark - Marks recognized packets with DSCP/802.1p value
• Rate-limit - Rate limits packets from specific application type
For more information on configuring an application policy, see application-policy on page 294.
Syntax
application-policy radius <APP-POLICY-NAME>
Parameters
application-policy radius <APP-POLICY-NAME>
application-policy radius <APP-POLICY-NAME> – Associates a RADIUS server provided application policy with this profile
• <APP-POLICY-NAME> – Specify the application policy name (should be existing and configured).
Example
nx9500-6C8809(config-profile-testNX9500)#application-policy radius Bing
nx9500-6C8809(config-application-Bing)#Show context
application Bing
app-category streaming
use url-list Bing
nx9500-6C8809(config-application-Bing)#
Related Commands
no on page 1329 – Removes the RADIUS-server provided application policy associated with this profile
area
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
area <WORD>
Parameters
area <WORD>
Example
nx9500-6C8809(config-profile-default-rfs4000)#area Ecospace
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
ip igmp snooping
ip igmp snooping querier
area Ecospace
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
interface me1
interface ge1
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
arp
Adds a static ARP (Address Resolution Protocol) IP address in the ARP cache.
The ARP protocol maps an IP address to a hardware MAC address recognized on the network. ARP
provides protocol rules for making this correlation and providing address conversion in both directions.
When an incoming packet destined for a host arrives, ARP finds a physical host or MAC address that
matches the IP address. ARP looks in its ARP cache and, if it finds the address, provides it so the packet
can be converted to the right packet length, formatted, and sent to its destination. If no entry is found
for the IP address, ARP broadcasts a request packet in a special format on the LAN to locate a device
that recognizes the IP address. A device that recognizes the IP address as its own returns a reply
indicating it. ARP updates the ARP cache for future reference and then sends the packet to the MAC
address that replied.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
arp [<IP>|timeout]
arp <IP> <MAC> arpa [<L3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1|serial <1-4> <1-1> <1-1>] {dhcp-server|router}
arp timeout <15-86400>
Parameters
arp <IP> <MAC> arpa [<L3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1|serial <1-4> <1-1> <1-1>] {dhcp-server|router}
arp <IP> – Adds a static ARP IPv4 address in the ARP cache
• <IP> – Specify the static IP address.
<MAC> – Specify the MAC address associated with the IP and the Switch Virtual Interface (SVI).
arpa – Sets ARP encapsulation type to ARPA
<L3-INTERFACE-NAME> – Configures static ARP entry for a specified router interface
• <L3-INTERFACE-NAME> – Specify the router interface name.
pppoe1 – Configures static ARP entry for PPP over Ethernet interface
Example
nx9500-6C8809(config-profile-default-rfs4000)#arp timeout 2000
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
arp timeout 2000
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
interface me1
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface ge2
ip dhcp trust
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
auto-learn
Enables controllers or service platforms to maintain a local configuration record of devices requesting
adoption and provisioning. The command also enables learning of a device’s host name via DHCP
options.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
auto-learn [host-name-via-dhcp <WORD>|staging-config]
Parameters
auto-learn [host-name-via-dhcp <WORD>|staging-config]
Example
nx9500-6C8809(config-profile-test)#auto-learn staging-config
Related Commands
autogen-uniqueid
Auto-generates a unique ID for devices using this profile. When executed in the device configuration
mode, this command generates a unique ID for the logged device. A device’s unique ID is a combination
of a user-defined string (prefix, suffix, or both) and a substitution token. The WiNG implementation
provides two built-in substitution tokens: $SN and $MiNT-ID that represent the device’s serial number
and MiNT-ID respectively. The values referenced by these substitution tokens are internally retrieved and
combined with the user-defined string to auto generate a unique identity for the device.
The general format of this command is: <PREFIX><SUBSTITUTION-TOKEN><SUFFIX>. You can provide
both (prefix and suffix) or just a prefix or suffix.
The unique ID is generated using TestAP6522$SN, where $SN is replaced with the device’s serial
number.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
autogen-uniqueid <WORD>
Parameters
autogen-uniqueid <WORD>
Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#autogen-uniqueid Test-$MiNT-ID-TechPubs
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
use profile default-nx9000
use rf-domain TechPubs
hostname nx9500-6C8809
license AAP
66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
license HTANLT
66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
timezone Asia/Calcutta
use database-policy default
use nsight-policy noc
autogen-uniqueid Test-$MiNT-ID-TechPubs
ip default-gateway 192.168.13.2
device-upgrade auto rfs4000 ap81xx ap71xx ap7562 ap7532
interface ge1
switchport mode access
switchport access vlan 1
interface ge2
--More--
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
Related Commands
no on page 1329 – When executed in the device configuration mode, removes the device’s autogen-uniqueid. When
executed in the profile configuration mode, removes the autogen-uniqueid on all devices using the profile.
autoinstall
Automatically installs firmware image and startup configuration parameters on to the selected device.
Extreme Networks controllers and access points support an AutoInstall feature that allows
administrators to distribute configuration files and firmware images from an FTP or TFTP server based on
the DHCP options received from a DHCP server. AutoInstall ensures the correct firmware or
configuration is applied to controllers or access points during pre-staging. AutoInstall also distributes
firmware images to access points in standalone or virtual controller based deployments.
AutoInstall-enabled controllers and access points check the firmware image version each time they
boot to determine if a newer version of firmware resides on the FTP / TFTP server. In case of a firmware
version mismatch, the controller or access point downloads and installs the new firmware image and
reboots. If the firmware versions are the same, the controller or access point reboots without an
upgrade.
Default profiles of all WiNG 5 devices have the AutoInstall feature enabled by default. However, it is
disabled in all user-defined profiles. You can use this command to enable/disable AutoInstall on the
profile. AutoInstall can also be enabled/disabled on a device. Access points and controllers only attempt
AutoInstall if it is explicitly enabled in the profile context or specifically enabled in the device context.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
autoinstall [configuration|firmware|start-interval <WORD>]
Parameters
autoinstall [configuration|firmware|start-interval <WORD>]
Usage Guidelines
Example
nx9500-6C8809(config-profile-default-rfs4000)#autoinstall configuration
nx9500-6C8809(config-profile-default-rfs4000)#autoinstall firmware
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
arp timeout 2000
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
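Because AutoInstall makes a device fetch firmware and configuration from an FTP or TFTP server named in DHCP options, it is worth knowing which profiles have it switched on. The following added example (not part of the guide) reads `show context` style profile output, records the explicit `autoinstall` and `no autoinstall` lines per profile, and flags user-defined profiles where it is enabled, which differs from the default stated above. The function names are assumptions, as is identifying default profiles by a `default-` name prefix; the `lobby-ap` profile is constructed, and the other sample lines are abbreviated from the guide's own examples.

```python
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#")          # CLI prompt lines
PROFILE = re.compile(r"^profile\s+(\S+)\s+(\S+)$")    # profile <type> <name>
AUTOINSTALL = re.compile(r"^(no\s+)?autoinstall\s+(configuration|firmware)$")


def autoinstall_state(text):
    """Return {profile_name: {"type", "configuration", "firmware"}}.

    Each setting is True (enabled), False (explicit `no ...`) or None when
    the output contains no line for it.
    """
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if PROMPT.match(line):
            current = None          # a new command's output starts here
            continue
        m = PROFILE.match(line)
        if m:
            current = profiles.setdefault(
                m.group(2),
                {"type": m.group(1), "configuration": None, "firmware": None},
            )
            continue
        m = AUTOINSTALL.match(line)
        if m and current is not None:
            current[m.group(2)] = m.group(1) is None
    return profiles


def profiles_with_autoinstall(text):
    """Names of profiles that fetch configuration or firmware at boot."""
    return sorted(
        name for name, st in autoinstall_state(text).items()
        if st["configuration"] or st["firmware"]
    )


def unexpected_enabled(text, default_prefix="default-"):
    """User-defined profiles with AutoInstall on (the guide says it is off
    by default there). The name-prefix test for default profiles is an
    assumption of this example."""
    return [n for n in profiles_with_autoinstall(text) if not n.startswith(default_prefix)]


# Sample input: first two profiles abbreviated from the guide's examples,
# the third (lobby-ap) constructed for illustration.
SAMPLE = """\
nx9500-6C8809(config-profile-testAP8432)#show context
profile ap8432 testAP8432
 no autoinstall configuration
 no autoinstall firmware
 interface radio1
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
 bridge vlan 1
 autoinstall configuration
 autoinstall firmware
profile ap7532 lobby-ap
 autoinstall firmware
"""

if __name__ == "__main__":
    for name, st in autoinstall_state(SAMPLE).items():
        print(name, st)
    print("review:", unexpected_enabled(SAMPLE))
```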
Related Commands
bridge
Command – Description
bridge on page 979 – Enables Ethernet bridge configuration context
bridge-vlan-mode commands on page 982 – Summarizes bridge VLAN configuration mode commands
bridge
Configures VLAN Ethernet bridging parameters. Use this command to configure Bridge NAT or Bridge
VLAN settings.
Configuring bridge NAT (Network Address Translation) parameters allows management of Internet
traffic originating at a remote site. In addition to traditional NAT functionality, bridge NAT provides a
means of configuring NAT for bridged traffic through an access point. NAT rules are applied to bridged
traffic through the access point, and matching packets are NATed to the WAN link instead of being
bridged on their way to the router. Using bridge NAT, a tunneled VLAN (extended VLAN) is created
between the NOC and a remote location. When a remote client needs to access the Internet, Internet
traffic is routed to the NOC, and from there routed to the Internet. This increases the access time for the
end user on the client. To resolve latency issues, bridge NAT identifies and segregates traffic heading
towards the NOC and outwards towards the Internet. Traffic towards the NOC is allowed over the secure
tunnel. Traffic towards the Internet is switched to a local WLAN link with access to the Internet.
A VLAN (Virtual LAN) is a separately administered virtual network within the same physical managed
network. VLANs are broadcast domains defined within wireless controllers or service platforms to allow
control of broadcast, multicast, unicast, and unknown unicast within a layer 2 device. Administrators
often need to route traffic between different VLANs. Bridging VLANs are only for non-routable traffic,
like tagged VLAN frames destined to some other device, which will untag it. When a data frame is
received on a port, the VLAN bridge determines the associated VLAN based on the port of reception.
Using forwarding database information, the bridge VLAN forwards the data frame on the appropriate
port(s). VLANs are useful to set separate networks to isolate some computers from others, without
actually having to have separate cabling and Ethernet switches. Controllers can do this on their own,
without need for the computer or other gear to know itself what VLAN it is on (this is called port-based
VLAN, since it is assigned by port of the switch). Another common use is to put specialized devices like
VoIP Phones on a separate network for easier configuration, administration, security, or service quality.
Syntax
bridge [nat|vlan]
bridge nat source list <IP-ACCESS-LIST-NAME> precedence <1-500> interface [<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address|interface|overload|pool <NAT-POOL-NAME>)]
bridge vlan [<1-4094>|<VLAN-ALIAS-NAME>]
Parameters
bridge nat source list <IP-ACCESS-LIST-NAME> precedence <1-500> interface [<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address|interface|overload|pool <NAT-POOL-NAME>)]
interface [<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] – Selects one of the following as the primary
interface (between the source and destination points):
• <LAYER3-INTERFACE-NAME> – A router interface. Specify interface name.
• pppoe1 – A PPP over Ethernet interface.
• vlan <1-4094> – A VLAN interface. Specify the VLAN interface index from 1 - 4094.
• wwan1 – A Wireless WAN interface.
[(address|interface|overload|pool <NAT-POOL-NAME>)] – The following keywords are recursive and common to all
interface types:
• address – Configures the interface IP address used for NAT
• interface – Configures the failover interface (default setting)
• overload – Enables use of one global address for multiple local addresses (terminates command)
• pool <NAT-POOL-NAME> – Configures the NAT pool used with this bridge NAT policy. Specify the NAT pool name.
For more information on configuring a NAT pool, see nat-pool-config-instance on page 1286.
vlan <1-4094> – Configures the numerical identifier for the Bridge VLAN when it was initially created.
• <1-4094> – Specify a VLAN index from 1 - 4094.
vlan <VLAN-ALIAS-NAME> – Configures the VLAN alias (should be existing and configured) identifying the bridge VLAN
• <VLAN-ALIAS-NAME> – Specify a VLAN alias name.
Usage Guidelines
Creating customized filter schemes for bridged networks limits the amount of unnecessary traffic
processed and distributed by the bridging equipment.
If a bridge does not hear Bridge Protocol Data Units (BPDUs) from the root bridge within the specified
interval, defined in the max-age (seconds) parameter, it assumes the network has changed and
recomputes the spanning-tree topology.
Example
nx9500-6C8809(config-profile-default-rfs4000)#bridge vlan 1
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#?
Bridge VLAN Mode commands:
bridging-mode               Configure how packets on this VLAN are bridged
captive-portal              Captive Portal
captive-portal-enforcement  Enable captive-portal enforcement on this extended VLAN
description                 Vlan description
edge-vlan                   Enable edge-VLAN mode
firewall                    Enable vlan firewall(IPv4)
http-analyze                Forward URL and Data to controller
ip                          Internet Protocol (IP)
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#
bridge-vlan-mode commands
bridging-mode
Syntax
bridging-mode [auto|isolated-tunnel|local|tunnel]
Parameters
bridging-mode [auto|isolated-tunnel|local|tunnel]
Usage Guidelines
ACLs can only be used with tunnel or isolated-tunnel modes. They do not work with the local and
automatic modes.
Example
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#bridging-mode isolated-tunnel
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#show context
bridge vlan 1
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#
Related Commands
captive-portal
Enables IP (IPv4 and IPv6) packet snooping on wired captive portals, and also configures the subnet to
snoop. When enabled, IP packets received from wired captive portal clients, on the specified subnet, are
snooped to learn IP to MAC mapping.
Syntax
captive-portal [ipv4-snooping|ipv6-snooping] subnet <IPv4/M|IPv6/M> {excluded-address <IPv4|IPv6>}
Parameters
captive-portal [ipv4-snooping|ipv6-snooping] subnet <IPv4/M|IPv6/M> {excluded-address <IPv4|IPv6>}
captive-portal [ipv4-snooping|ipv6-snooping] – Enables snooping of IPv4 or IPv6 packets (based on the option
selected) for wired captive portal clients
subnet <IPv4/M|IPv6/M> – Enables IPv4 or IPv6 packet snooping on a specified subnet
• <IPv4/M|IPv6/M> – Specify the subnet address in the A.B.C.D/M or X:X::X:X/M format to identify an IPv4 or
IPv6 subnet respectively. When specified, this is the IPv4/IPv6 subnet on which IP packets are to be snooped.
excluded-address <IPv4|IPv6> – Optional. Configures the IPv4 or IPv6 address excluded from snooping within the
specified IPv4|IPv6 subnet.
• <IPv4|IPv6> – Specify the IPv4 or IPv6 address. Use this parameter to configure the gateway’s address.
Example
nx9500-6C8809(config-profile NX9500Test-bridge-vlan-4)#captive-portal ip-snooping subnet 192.168.13.0/24 excluded-address 192.168.13.7
Related Commands
captive-portal-enforcement
Enables auto-enforcement of captive portal rules on this extended VLAN interface. This option is
disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
captive-portal-enforcement {fall-back}
Parameters
captive-portal-enforcement {fallback}
Example
nx9500-6C8809(config-profile testAP7602-bridge-vlan-20)#show context
bridge vlan 20
captive-portal-enforcement
ip igmp snooping
ip igmp snooping querier
ipv6 mld snooping
ipv6 mld snooping querier
nx9500-6C8809(config-profile testAP7602-bridge-vlan-20)#
Related Commands
description
Syntax
description <WORD>
Parameters
description <WORD>
Example
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#description "This is a description for the bridged VLAN"
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#show context
bridge vlan 1
description "This is a description for the bridged VLAN"
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#
Related Commands
edge-vlan
Enables the edge VLAN mode. In the edge VLAN mode, a protected port does not forward traffic to
another protected port on the same wireless controller or service platform. This feature is enabled by
default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
edge-vlan
Parameters
None
Example
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#edge-vlan
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#
Related Commands
firewall
Enables IPv4 firewall on this Bridge VLAN. This feature is enabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
firewall
Parameters
None
Example
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#firewall
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#
Related Commands
http-analyze
Enables the analysis of URLs and data traffic on this Bridge VLAN. When enabled, URLs and data are
forwarded to the controller running the HTTP analytics engine.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
http-analyze {filter [images|post|query-string]}
Parameters
http-analyze {filter [images|post|query-string]}
http-analyze filter [images|post|query-string] Enables URL and HTTP data analysis. Optionally use
the filter keyword to filter out specific URLs
• filter – Optional. Filters out specific URLs
◦ images – Filters out URLs referring to images
◦ post – Filters out URLs referring to POSTs
◦ query-string – Filters out query strings received from URLs
Example
rfs4000-229D58(config-device 00-23-68-22-9D-58-bridge-vlan-4)#http-analyze filter images
Related Commands
no on page 1005 Disables forwarding of URLs and data to the controller running the
HTTP analytics engine
ip
Syntax
ip [arp|dhcp|igmp]
ip [arp|dhcp] trust
ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count| mrouter|
querier}
ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count <1-7>}
ip igmp snooping {mrouter [interface|learn]}
ip igmp snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
ip igmp snooping {querier} {address|max-response-time|timer|version}
ip igmp snooping {querier} {address <IP>|max-response-time <1-25>|timer expiry <60-300>|
version <1-3>}
Parameters
ip [arp|dhcp] trust
dhcp trust Configures the DHCP trust parameter. Uses DHCP packets, from a
DHCP server, as trusted and permissible within the access point,
wireless controller, or service platform managed network. DHCP
packets are used to update the DHCP snoop table to prevent IP
spoof attacks. This feature is enabled by default.
• trust – Trusts DHCP responses on the VLAN bridge
learn pim-dvmrp Configures the multicast router learning protocols. This option is
disabled by default.
• pim-dvmrp – Enables Protocol-Independent Multicast (PIM) and
Distance-Vector Multicast Routing Protocol (DVMRP) snooping
of packets
max-response-time <1-25> Optional. Configures the IGMP querier maximum response time.
This option is disabled by default.
• <1-25> – Specify the maximum response time from 1 - 25
seconds.
The access point, wireless controller, or service platform forwards
multicast packets only to radios present in the snooping table. IGMP
reports from wired ports are forwarded to the multicast router
ports.
If no reports are received from a radio, it is removed from the
snooping table. The radio then stops receiving multicast packets.
timer expiry <60-300> Optional. Configures the IGMP querier expiry time. The value
specified is used as the timeout interval for other querier resources.
This option is disabled by default.
• expiry – Configures the IGMP querier timeout
◦ <60-300> – Specify the IGMP querier timeout from 60 - 300
seconds.
version <1-3> Optional. Configures the IGMP version. This option is disabled by
default.
• <1-3> – Specify the IGMP version. The versions are 1- 3.
Example
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#ip arp trust
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#show context
bridge vlan 1
description "This is a description for the bridged VLAN"
ip arp trust
ip dhcp trust
ip igmp snooping
ip igmp snooping querier
ip igmp snooping querier version 2
ip igmp snooping querier max-response-time 24
ip igmp snooping querier timer expiry 100
ip igmp snooping mrouter interface ge2 ge1
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#
Related Commands
ipv6
Syntax
ipv6 [dhcpv6|firewall|mld|nd]
ipv6 dhcpv6 trust
ipv6 firewall
ipv6 mld snooping {forward-unknown-multicast|mrouter|querier}
ipv6 mld snooping {forward-unknown-multicast}
ipv6 mld snooping {mrouter [interface|learn]}
ipv6 mld snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
ipv6 mld snooping {querier} {max-response-time|timer|version}
ipv6 mld snooping {querier} {max-response-time <1-25000>|timer expiry <60-300>| version
<1-2>}
ipv6 nd raguard
Parameters
ipv6 dhcpv6 trust
ipv6 firewall
learn pim-dvmrp Configures the multicast router learning protocols. This option is
disabled by default.
• pim-dvmrp – Enables PIM and DVMRP snooping of packets
timer expiry <60-300> Optional. Configures the IPv6 MLD other querier’s timeout. This
option is disabled by default.
• <60-300> – Specify the MLD other querier’s timeout from 60 -
300 seconds.
version <1-2> Optional. Configures the IPv6 MLD querier version. This option is
disabled by default.
• <1-2> – Specify the MLD version. The versions are 1- 2.
ipv6 nd raguard
Example
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 dhcpv6 trust
Related Commands
no on page 1005 Disables or reverts the VLAN Ethernet bridge IPV6 parameters
l2-tunnel-broadcast-optimization
Enables broadcast optimization on this bridge VLAN. L2 Tunnel Broadcast Optimization prevents
flooding of ARP packets over the virtual interface. Based on the learned information, ARP packets are
filtered at the wireless controller level.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
l2-tunnel-broadcast-optimization
Parameters
None
Example
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#l2-tunnel-broadcast-optimization
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#show context
bridge vlan 1
description "This is a description for the bridged VLAN"
l2-tunnel-broadcast-optimization
bridging-mode isolated-tunnel
ip arp trust
ip dhcp trust
ip igmp snooping
ip igmp snooping querier
ip igmp snooping mrouter interface ge2 ge1
ip igmp snooping querier version 2
ip igmp snooping querier max-response-time 24
ip igmp snooping querier timer expiry 100
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#
Related Commands
l2-tunnel-forward-additional-packet-types
Enables forwarding of WNMP (Wireless Network Management Protocol) packets across L2 tunnels.
Under normal circumstances, if L2 tunnel broadcast optimization is enabled, WNMP packets are not
forwarded across the L2 tunnels. Use this option to enable the forwarding of only WNMP packets.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
l2-tunnel-forward-additional-packet-types wnmp
Parameters
None
Example
nx9500-6C8809(config-profile testNX9000-bridge-vlan-1)#l2-tunnel-forward-additional-packet-types wnmp
Related Commands
mac-auth
Enables source MAC authentication for Extended VLAN and tunneled traffic (MiNT and L2TPv3) on this
bridge VLAN. When enabled, it provides fast-path authentication of clients whose captive portal
session has expired.
Supported in the following platforms:
• Wireless Controllers — RFS4000
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mac-auth {attempts <1-5>|throttle <0-255>}
Parameters
mac-auth {attempts <1-5>|throttle <0-255>}
throttle <0-255> Optional. Configures the throttle value for MAC authentication
requests
• <0-255> – Specify the MAC authentication request throttle value
from 0 -255. The default is 64.
• Optionally, configure the following MAC Authentication parameters. If not specified, default values
are applied.
nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#mac-auth attempts 2
nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#mac-auth throttle 100
Example
nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#mac-auth attempts 2
Related Commands
no on page 1005 Disables MAC authentication for Extended VLAN and Tunneled
traffic on this bridge VLAN
name
Syntax
name <NAME>
Parameters
name <NAME>
name <NAME> Provide a name for this Bridge VLAN, uniquely identifying it from
other Bridge VLAN interfaces with similar configurations. It should
exceed 32 characters in length.
Related Commands
registration
Enables forwarding of bridge-vlan information (such as, name and vlan) to the ExtremeGuest (EGuest)
server. The EGuest server updates its WLAN information collection with the received wired-network
information.
Note
Ensure that the bridge-vlan interface has a name that uniquely identifies it from other bridge-
vlan interfaces with similar configurations. For more information, see name on page 999.
Captive-portal Web pages for wired clients are hosted on the gateway controller’s bridge-vlan interface.
By updating the EGuest server with bridge-vlan information, you enable the EGuest server to apply
the captive portal’s Splash templates to the bridge-vlan interface.
This command also configures the external guest registration and validation server details. If using an
external server to perform wired client registration, authentication and accounting, use this command
to configure the external server’s IP address/hostname. When configured, the gateway controller
forwards guest registration requests to the specified registration server. In case of EGuest deployment,
this external resource should point to the EGuest server.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
registration [device|device-OTP|external|user]
registration [device|device-OTP|user] group-name <RAD-GROUP-NAME> {expiry-time <1-43800>}
registration external follow-aaa send-mode [http|https|udp]
Parameters
registration [device|device-OTP|user] group-name <RAD-GROUP-NAME> {expiry-time <1-43800>}
expiry-time <1-43800> Optional. Configures the duration, in hours, for which registered MAC
addresses are retained. Once this duration is over, registered MAC
addresses expire and need to be re-entered.
• <1-43800> – Specify a value from 1 - 43800 hrs. The default is
1500 hrs.
Example
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#registration device group-name test expiry-time 200
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#registration external follow-aaa send-mode https
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#show context
bridge vlan 20
registration device group-name test expiry-time 200
registration external follow-aaa send-mode https
ip igmp snooping
ip igmp snooping querier
ipv6 mld snooping
ipv6 mld snooping querier
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#
Related Commands
stateful-packet-inspection-l2
Enables SPI (stateful packet inspection) at the layer 2 firewall. SPI, also referred to as dynamic packet
filtering, is a security feature that tracks the operating state and characteristics of network connections
traversing it. It distinguishes legitimate packets for different types of connections, and only allows
packets matching a known active connection to pass.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
stateful-packet-inspection-l2
Parameters
None
Example
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#stateful-packet-inspection-l2
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#
Related Commands
tunnel
Enables tunneling of unicast messages, to unknown MAC destinations, on the selected VLAN bridge
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
tunnel [rate-limit|unknown-unicast]
tunnel rate-limit level2 rate <50-1000000> max-burst-size <2-1024> {red-threshold
[background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}
tunnel unknown-unicast
Parameters
tunnel rate-limit level2 rate <50-1000000> max-burst-size <2-1024> {red-threshold
[background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}
tunnel rate-limit level2 rate <50-1000000> max-burst-size <2-1024>
Configures rate-limit parameters (max-burst-size and rate) for tunneled VLAN traffic over
level 2 MiNT links
• rate – Optional. Configures the data rate, in kilobits per second,
for the incoming and outgoing extended VLAN traffic tunneled
over MiNT level 2 links
◦ <50-1000000> – Specify a value from 50 - 1000000 Kbps.
The default is 5000 Kbps.
• max-burst-size – Optional. Configures the maximum burst size
◦ <2-1024> – Specify the maximum burst size from 2 - 1024
kbytes. The default is 320 kbytes.
After specifying the max-burst-size, optionally specify the red-
threshold value for the different traffic types. The red-threshold is
configured as a % of the specified max-burst-size.
• red-threshold – Optional. Configures the random early detection
(red) threshold for the different traffic types
◦ background – Configures the red-threshold for low priority
traffic from 0 - 100. The default is 50% of the specified max-
burst-size.
◦ best-effort – Configures the red-threshold for normal priority
traffic from 0 - 100. The default is 50% of the specified max-
burst-size.
◦ video – Configures the red-threshold for video traffic from 0
- 100. The default is 25% of the specified max-burst-size.
◦ voice – Configures the red-threshold for voice traffic from 0 -
100. The default is 0% of the specified max-burst-size.
tunnel unknown-unicast
tunnel unknown-unicast Enables tunneling of unicast packets destined for unknown MAC
addresses
Example
nx9500-6C8809(config-profile TestAP81xx-bridge-vlan-1)#tunnel unknown-unicast
Related Commands
tunnel-over-level2
Enables extended VLAN (tunneled VLAN) traffic over level 2 MiNT links. This option is disabled by
default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
tunnel-over-level2
Parameters
None
Example
rfs4000-229D58(config-profile testRFS4000-bridge-vlan-1)#tunnel-over-level2
Related Commands
no on page 1005 Disables extended VLAN traffic over level 2 MiNT links
no
Negates a command or reverts settings to their default. The no command, when used in the bridge
VLAN mode, negates the VLAN bridge settings or reverts them to their default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [bridging-mode|captive-portal|captive-portal-enforcement|description|edge-vlan|
firewall|http-analyze|ip|ipv6|l2-tunnel-broadcast-optimization|l2-tunnel-forward-
additional-packet-types|mac-auth|name|registration|stateful-packet-inspection-l2|
tunnel|tunnel-over-level2|use]
no [bridging-mode|captive-portal-enforcement|description|edge-vlan|firewall|l2-tunnel-
broadcast-optimization|l2-tunnel-forward-additional-packet-types| mac-auth|name|
stateful-packet-inspection-l2|tunnel-over-level2]
no captive-portal [ip-snooping|ipv6-snooping] subnet <IPv4/M|IPv6/M> {excluded-address
<IPv4|IPv6>}
no http-analyze {filter [images|post|query-string]}
no ip [arp|dhcp|igmp]
no ip [arp|dhcp] trust
no ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count|mrouter|
querier}
no ip igmp snooping {forward-unknown-multicast}
no ip igmp snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
no ip igmp snooping {querier} {address|max-response-time|timer expiry|version}
no ipv6 [dhcpv6|firewall|mld|nd]
no ipv6 dhcpv6 trust
no ipv6 firewall
no ipv6 mld snooping {forward-unknown-multicast}
no ipv6 mld snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
no ipv6 mld snooping {querier} {max-response-time|timer expiry|version}
no ipv6 nd raguard
no registration {external}
no tunnel [rate-limit level2|unknown-unicast]
no use [application-policy|captive-portal|ip-access-list|ipv6-access-list| mac-access-
list|url-list] tunnel out
Parameters
no <PARAMETERS>
Example
The following example displays bridge VLAN 20 settings before the ‘no’ commands are executed:
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#show context
bridge vlan 20
ip igmp snooping
ip igmp snooping querier
ipv6 mld snooping
ipv6 mld snooping querier
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#
The following example displays bridge VLAN 20 settings after the ‘no’ commands are executed:
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#show context
bridge vlan 20
no ip igmp snooping
ip igmp snooping querier
no ipv6 mld snooping
ipv6 mld snooping querier
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#
nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#
use
Associates a captive portal, access control list (IPv4, IPv6, or MAC), and/or a URL filter with this bridge
VLAN.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
use [application-policy|captive-portal|ip-access-list|ipv6-access-list|mac-access-list|
url-filter]
use application-policy <APP-POLICY-NAME>
use captive-portal <CAPTIVE-PORTAL-NAME>
use [ip-access-list|ipv6-access-list|mac-access-list] tunnel out <IP/ipv6/MAC-ACCESS-LIST-
NAME>
use url-filter <URL-FILTER-NAME>
Parameters
use application-policy <APP-POLICY-NAME>
use Sets this VLAN bridge policy to use an IPv4/IPv6 access list or a
MAC access list
ip-access-list Associates a pre-configured IPv4 access list with this VLAN-bridge
interface
ipv6-access-list Associates a pre-configured IPv6 access list with this VLAN-bridge
interface
mac-access-list Associates a pre-configured MAC access list with this VLAN- bridge
interface
tunnel out <IP/IPv6/MAC-ACCESS-LIST-NAME> The following keywords are common to the
‘IPv4/IPv6 access list’ and ‘MAC access list’ parameters:
• tunnel – Applies IPv4/IPv6 access list or MAC access list to all
packets going into the tunnel
◦ out – Applies IPv4/IPv6 access list or MAC access list to all
outgoing packets
▪ <IP/IPv6/MAC-ACCESS-LIST-NAME> – Specify the IP/
IPv6 access list or MAC access list name.
Example
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#use mac-access-list tunnel
out PERMIT-ARP-AND-IPv4
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#show context
bridge vlan 1
ip igmp snooping
ip igmp snooping querier
use mac-access-list tunnel out PERMIT-ARP-AND-IPv4
nx9500-6C8809(config-profile-default-rfs4000-bridge-vlan-1)#
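The usage guideline under bridging-mode (ACLs work only in tunnel or isolated-tunnel mode) can be checked offline against saved show context output, together with explicit no forms of firewall, edge-vlan and stateful-packet-inspection-l2 and a registration send-mode other than https. The Python script below is an added example, not part of this guide or of Extreme Networks code; the finding names, the configuration of VLANs 20 and 30, the ACL name GUEST-ACL and the handling of a missing bridging-mode line as "unverified" (this page does not state the default mode) are assumptions.

```python
import re

# Constructed sample in 'show context' form. VLAN 1 mirrors the example above;
# VLANs 20 and 30 and the ACL name GUEST-ACL are constructed for illustration.
SAMPLE = """\
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
 bridge vlan 1
  ip igmp snooping
  ip igmp snooping querier
  use mac-access-list tunnel out PERMIT-ARP-AND-IPv4
 bridge vlan 20
  bridging-mode isolated-tunnel
  use ip-access-list tunnel out GUEST-ACL
  registration external follow-aaa send-mode https
 bridge vlan 30
  bridging-mode local
  no firewall
  no edge-vlan
  no stateful-packet-inspection-l2
  use mac-access-list tunnel out PERMIT-ARP-AND-IPv4
  registration external follow-aaa send-mode http
 interface ge4
  ip dhcp trust
nx9500-6C8809(config-profile-default-rfs4000)#
"""

PROMPT = re.compile(r"\S+\(config.*\)#")
HEADER = re.compile(r"bridge vlan (\d+)")
MODE = re.compile(r"bridging-mode (auto|isolated-tunnel|local|tunnel)")
ACL = re.compile(r"use (?:ip|ipv6|mac)-access-list tunnel out (\S+)")
SEND = re.compile(r"registration external follow-aaa send-mode (\S+)")
ACL_MODES = {"tunnel", "isolated-tunnel"}  # per the bridging-mode usage guideline
DISABLED = {  # explicit 'no' forms listed in the bridge VLAN 'no' syntax
    "no firewall": "firewall-disabled",
    "no edge-vlan": "edge-vlan-disabled",
    "no stateful-packet-inspection-l2": "spi-l2-disabled",
}


def parse_bridge_vlans(text):
    """Return {vlan_id: [setting lines]} for every 'bridge vlan N' block.

    Handles indented output and flattened output (no indentation). A block
    ends at the next header, at a CLI prompt, or, when the block is indented,
    at the first line that is not indented deeper than the header.
    """
    vlans, current, hdr_indent, indented = {}, None, 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        header = HEADER.fullmatch(line)
        if header:
            current = vlans.setdefault(int(header.group(1)), [])
            hdr_indent, indented = indent, None
        elif current is None:
            continue
        elif PROMPT.match(line):
            current = None
        else:
            if indented is None:
                indented = indent > hdr_indent
            if indented and indent <= hdr_indent:
                current = None  # a sibling stanza such as 'interface ge4'
            else:
                current.append(line)
    return vlans


def audit(text):
    """Return a list of (vlan_id, finding_code, detail) tuples."""
    findings = []
    for vlan, lines in sorted(parse_bridge_vlans(text).items()):
        mode = next((m.group(1) for l in lines if (m := MODE.fullmatch(l))), None)
        for line in lines:
            acl, send = ACL.fullmatch(line), SEND.fullmatch(line)
            if acl and mode is None:
                findings.append((vlan, "acl-mode-unverified",
                                 f"ACL {acl.group(1)} attached, no bridging-mode line; "
                                 "confirm the effective mode is tunnel or isolated-tunnel"))
            elif acl and mode not in ACL_MODES:
                findings.append((vlan, "acl-ineffective",
                                 f"ACL {acl.group(1)} does not work in bridging-mode {mode}"))
            elif line in DISABLED:
                findings.append((vlan, DISABLED[line], line))
            elif send and send.group(1) != "https":
                findings.append((vlan, "registration-not-https",
                                 f"guest registration send-mode is {send.group(1)}"))
    return findings


if __name__ == "__main__":
    for vlan, code, detail in audit(SAMPLE):
        print(f"bridge vlan {vlan}: {code}: {detail}")
```

The show context output in the example above (bridge vlan 1 with a MAC ACL and no bridging-mode line) is reported as acl-mode-unverified, which is the case to confirm on the device.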
Related Commands
captive-portal
A captive portal is a means of providing guests temporary and restrictive access to the controller
managed wireless network. A captive portal provides secure authenticated controller access by
capturing and re-directing a wireless user’s Web browser session to a captive portal login page, where
the user must enter valid credentials. Once the user is authenticated and logged into the controller
managed network, additional agreement, welcome, and fail pages provide the administrator with
options to control the captive portal’s screen flow and user appearance.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
captive-portal page-upload count <1-20>
Parameters
captive-portal page-upload count <1-20>
Example
nx9500-6C8809(config-profile-testNX9500)#captive-portal page-upload count 15
no captive-portal-enforcement
no captive-portal-enforcement
no captive-portal-enforcement
no captive-portal-enforcement
no captive-portal-enforcement
service captive-portal-server connections-per-ip 3
nx9500-6C8809(config-profile-testNX9500)#
cdp
Enables CDP (Cisco Discovery Protocol), a proprietary data link layer network protocol implemented in
Cisco networking equipment and used to share network information amongst different vendor wireless
devices
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
cdp [holdtime|run|timer]
cdp [holdtime <10-1800>|run|timer <5-900>]
Parameters
cdp [holdtime <10-1800>|run|timer <5-900>]
holdtime <10-1800> Specifies the holdtime after which transmitted packets are
discarded
• <10-1800> – Specify a value from 10 - 1800 seconds. The default
is 180 seconds.
run Enables CDP sniffing and transmit globally. This feature is enabled
by default.
timer <5-900> Specifies the interval, in seconds, between successive CDP packet
transmission
• <5-900> – Specify a value from 5 - 900 seconds. The default is
60 seconds.
Example
nx9500-6C8809(config-profile-default-rfs4000)#cdp run
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
no edge-vlan
l2-tunnel-broadcast-optimization
.............................................................
qos trust 802.1p
interface pppoe1
use firewall-policy default
cdp holdtime 1000
cdp timer 900
service pm sys-restart
router ospf
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
cluster
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
cluster [force-configured-state|force-configured-state-delay|handle-stp|master-priority|
member|mode|name|radius-counter-db-sync-time]
cluster [force-configured-state|force-configured-state-delay <3-1800>|handle-stp| master-
priority <1-255>]
cluster member [ip|vlan]
cluster member [ip <IP> {level [1|2]}|vlan <1-4094>]
cluster mode [active|standby]
cluster name <CLUSTER-NAME>
cluster radius-counter-db-sync-time <1-1440>
Parameters
cluster [force-configured-state|force-configured-state-delay <3-1800>|handle-stp|master-
priority <1-255>]
force-configured-state Forces adopted APs to auto revert when a failed wireless controller
or service platform (in a cluster) restarts
When an active controller (wireless controller, or service platform)
fails, a standby controller in the cluster takes over APs adopted by
the failed active controller. If the failed active controller were to
restart, it starts a timer based on the ‘force-configured-state-delay’
interval specified. At the expiration of this interval, the standby
controller releases all adopted APs and goes back to a monitoring
mode. If the active controller fails during this interval, the ‘force-
configured-state-delay’ timer is stopped. The timer restarts as soon
as the active controller comes back up.
This feature is disabled by default.
force-configured-state-delay <3-1800> Forces cluster transition to the configured state after a
specified interval
• <3-1800> – Specify a delay from 3 - 1800 minutes. The default is
5 minutes.
This is the interval a standby controller waits before releasing
adopted APs when a failed primary controller becomes active
again.
handle-stp Enables STP (Spanning Tree Protocol) convergence handling. This
feature is disabled by default.
In layer 2 networks, this protocol is enabled to prevent network
looping. If enabled, the network forwards data only after STP
convergence. Enabling STP convergence delays the redundancy
state machine execution until the STP convergence is completed
(the standard protocol value for STP convergence is 50 seconds).
Delaying the state machine is important to load balance APs at
startup.
master-priority <1-255> Configures cluster master priority
• <1-255> – Specifies cluster master election priority. Assign a
value from 1 - 255. The higher the value, the higher the precedence.
The default is 128.
In a cluster environment one device from the cluster is elected as
the cluster master. A device’s master priority value decides the
device’s priority to become cluster master.
member Adds a member to the cluster. It also configures the cluster VLAN
where members can be reached.
ip <IP> level [1|2] Adds IP address of the new cluster member
• <IP> – Specify the IP address.
◦ level – Optional. Configures routing level for the new
member. Select one of the following routing levels:
▪ 1 – Level 1, local routing
vlan <1-4094> Configures the cluster VLAN where members can be reached
• <1-4094> – Specify the VLAN ID from 1- 4094.
Example
nx9500-6C8809(config-profile-default-rfs4000)#cluster name cluster1
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
description Vlan1
.......................................................................
cluster name cluster1
cluster member ip 172.16.10.3
cluster member vlan 1
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
configuration-persistence
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
configuration-persistence {auto|secure}
Parameters
configuration-persistence {auto|secure}
Example
nx9500-6C8809(config-profile-default-rfs4000)#configuration-persistence secure
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
no edge-vlan
ip igmp snooping
no ip igmp snooping unknown-multicast-fwd
no ip igmp snooping mrouter learn pim-dvmrp
autoinstall configuration
autoinstall firmware
..........................................................................
cluster name cluster1
cluster member ip 1.2.3.4 level 2
cluster member ip 172.16.10.3
cluster member vlan 4094
cluster handle-stp
cluster force-configured-state
holdtime 1000
timer 900
configuration-persistence secure
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
controller
Configures the WiNG controller (wireless controller or service platform) adoption settings
Adoption is the process a controller or service platform uses to discover available access points and/or
peer controllers/service platforms, establish an association and provision the adopted device. Adoption
settings are configurable and supported within a profile and applied to all devices supported by the
profile.
Use this command to add a controller to a pool and group. This command also enables and disables
adoption on controllers, and specifies the device types that can be adopted by a controller.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
controller [adopted-devices|adoption|group|hello-interval|vlan|host]
controller adopted-devices [aps {controllers}|controllers {aps}|external-devices|
external-devices-monitoring-only]
controller adoption
controller [group <CONTROLLER-GROUP-NAME>|vlan <1-4094>]
controller hello-interval <1-120> adjacency-hold-time <2-600>
controller host [<IPv4>|<IPv6>|<HOSTNAME>] {ipsec-secure|level|pool|remote-vpn-client}
controller host [<IPv4>|<IPv6>|<HOSTNAME>] {ipsec-secure} {gw [<IP>|<HOSTNAME>]}
controller host [<IPv4>|<IPv6>|<HOSTNAME>] {level [1|2]|pool <1-2> level [1|2]} {ipsec-
secure {gw [<IP>|<HOSTNAME>]}|remote-vpn-client}
controller host [<IPv4>|<IPv6>|<HOSTNAME>] {remote-vpn-client}
Parameters
controller adopted-devices [aps {controllers}|controllers {aps}|external-devices|external-
devices-monitoring-only]
controller adoption
controller adoption Enables the adoption of the logged device (wireless controller or
service platform) by other controllers. This option is disabled by
default.
Use the no > controller > adoption command to disable
adoption.
adjacency-hold-time <2-600> Configures the adjacency hold time in seconds. This is the time
since the last received hello packet, after which the adjacency
between wireless controller or service platform and AP is lost, and
the link is re-established.
• <2-600> – Specify a value from 2 - 600 seconds.
controller
host [<IPv4>|<IPv6>|<HOSTNAME>] Configures wireless controller or service platform’s IPv4/IPv6
address or hostname
• <IPv4> – Configures wireless controller or service platform’s
IPv4 address
• <IPv6> – Configures wireless controller or service platform’s
IPv6 address
• <HOSTNAME> – Configures wireless controller or service
platform’s hostname
ipsec-secure {gw [<IP>|<HOSTNAME>]} Optional. Enables Internet Protocol Security (IPSec) peer
authentication on the connection (link) between the adopting
devices. This option is disabled by default.
• gw – Optional. Specifies an IPSec gateway other than the wireless
controller or service platform
◦ <IP> – Use this option to specify the IPSec gateway’s IP
address.
◦ <HOSTNAME> – Use this option to specify the IPSec
gateway’s hostname.
If the gateway’s IP address or hostname is not specified, the system
assumes the logged controller as the IPSec gateway.
level [1|2] The following keywords are common to the ‘IP’, ‘IPv6’, and
‘hostname’ parameters:
Optional. After providing the wireless controller or service
platform’s address, optionally select one of the following routing
levels:
• 1 – Optional. Level 1, local routing
• 2 – Optional. Level 2, inter-site routing
pool <1-2> level [1|2] The following keywords are common to the ‘IP’, ‘IPv6’, and
‘hostname’ parameters:
Optional. Sets the wireless controller or service platform’s pool
• <1-2> – Select either 1 or 2 as the pool. The default is 1. After
selecting the pool, optionally select one of the following two
routing levels:
◦ 1 – Optional. Level 1, local routing
◦ 2 – Optional. Level 2, inter-site routing
{ipsec-secure {gw [<IP>| After specifying the routing level and/or device’s pool, you can
<HOSTNAME>]}| remote-vpn- optionally specify the following:
client} • ipsec-secure – Optional. Enables IPSec peer authentication on
the connection (link) between the adopting devices. This option
is disabled by default.
• gw – Optional. Specifies an IPSec gateway other than the wireless
controller or service platform
◦ <IP> – Use this option to specify the IPSec gateway’s IP
address.
◦ <HOSTNAME> – Use this option to specify the IPSec
gateway’s hostname.
Example
nx9500-6C8809(config-profile-default-rfs4000)#controller group test
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
no autoinstall configuration
no autoinstall firmware
crypto isakmp policy default
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
..........................................................
interface ge4
ip dhcp trust
qos trust dscp
qos trust 802.1p
use firewall-policy default
controller host 1.2.3.4 pool 2
controller group test
service pm sys-restart
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
rfs4000-229D58(config-profile-testRFS4000)#show context
profile rfs4000 testRFS4000
autoinstall configuration
....................................................................
logging on
service pm sys-restart
router ospf
controller adopted-devices aps controllers
rfs4000-229D58(config-profile-testRFS4000)#
Related Commands
critical-resource
Enables monitoring of resources critical to the health of the service platform, wireless controller, or
access point managed network. These critical resources are identified by their configured IP addresses.
When enabled, the system monitors these devices regularly and logs their status. Use this command to
create a CRM (critical resource monitoring) policy.
A critical resource can be a gateway, AAA server, WAN interface, any hardware, or a service on which
the stability of the network depends. Monitoring these resources is therefore essential. When enabled,
this feature pings critical resources regularly to ascertain their status. If there is a connectivity issue, an
event is generated stating a critical resource is unavailable. By default, there is no enabled critical
resource policy and one needs to be created and implemented.
Critical resources can be monitored directly through the interfaces on which they are discovered. For
example, a critical resource on the same subnet as an AP8132 access point can be monitored by its IP
address. However, a critical resource located on a VLAN must continue to be monitored on that VLAN.
Critical resource monitoring can be enabled on service platforms, wireless controllers, and access points
through their respective device profiles.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
critical-resource [<CR-NAME>|monitor|retry-count]
critical-resource <CR-NAME> [monitor|monitor-using-flows]
critical-resource <CR-NAME> monitor [direct|via]
critical-resource <CR-NAME> monitor direct [all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees]
{<IP/HOST-ALIAS-NAME>|arp-only vlan [<1-4094>|<VLAN-ALIAS-NAME>] {<IP/HOST-ALIAS-
NAME>|port [<LAYER2-IF-NAME>|ge <1-4>|port-channel <1-2>]}}
critical-resource <CR-NAME> monitor via [<IP/HOST-ALIAS-NAME>|<LAYER3-INTERFACE-NAME>|
pppoe1|vlan|wwan1]
critical-resource <CR-NAME> monitor via [<IP/HOST-ALIAS-NAME>|<LAYER3-INTERFACE-NAME>|
pppoe1|vlan <1-4094>|wwan1] [all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees] {<IP/HOST-
ALIAS-NAME>|arp-only [vlan <1-4094>|<VLAN-ALIAS-NAME>] {<IP/HOST-ALIAS-NAME>|port
[<LAYER2-IF-NAME>|ge <1-4>|port-channel <1-2>]}}
critical-resource <CR-NAME> monitor-using-flows [all|any] [criteria|dhcp|dns|sync-
adoptees]
critical-resource <CR-NAME> monitor-using-flows [all|any] criteria [all|cluster-master|rf-
domain-manager] (dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>)
{dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
critical-resource <CR-NAME> monitor-using-flows [all|any] dhcp vlan <1-4094> {dhcp vlan
[<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
critical-resource <CR-NAME> monitor-using-flows [all|any] dns <IP/HOST-ALIAS-NAME> {dhcp
[vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
critical-resource <CR-NAME> monitor-using-flows [all|any] sync-adoptees criteria [all|
cluster-master|rf-domain-manager] (dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/
HOST-ALIAS-NAME>) {dhcp [vlan <1-4094>| <VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
critical-resource monitor interval <5-86400>
critical-resource retry-count <0-10>
Parameters
critical-resource <CR-NAME> monitor direct [all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees]
{<IP/HOST-ALIAS-NAME>|arp-only [vlan <1-4094>|<VLAN-ALIAS-NAME>] {<IP/HOST-ALIAS-NAME>|
port [<LAYER2-IF-NAME>|ge <1-4>|port-channel <1-2>]}}
direct [all|any] [<IP/HOST- Monitors critical resources using the default routing engine
ALIAS-NAME>| sync-adoptees] • all – Monitors all resources that are going down (generates an
event when all specified critical resources are unreachable)
• any – Monitors any resource that is going down (generates an
event when any one of the specified critical resources is
unreachable)
◦ <IP/HOST-ALIAS-NAME> – Configures the IP address of the
critical resource being monitored (for example, the DHCP or
DNS server). Specify the IP address in the A.B.C.D format.
You can use a host-alias to identify the critical resource. If
using a host-alias, ensure that the host-alias is existing and
configured.
◦ sync-adoptees – Syncs adopted access points with the
controller. In the stand-alone AP scenario, where the CRM
policy is running on the AP, the AP is notified directly in
case a critical resource goes down. On the other hand, when
an AP is adopted to a controller (running the CRM policy), it
is essential to enable the sync-adoptees option in order to
sync the AP with the controller regarding the latest CRM
status.
arp-only vlan [<1-4094>|<VLAN- The following keywords are common to the ‘all’ and ‘any’
ALIAS-NAME>] {<IP/HOST- parameters:
ALIAS-NAME>| port [<LAYER2- • arp-only vlan <1-4094> – Optional. Uses ARP to determine if the
IFNAME>|ge| port-channel]} IP address is reachable (use this option to monitor resources
that do not have IP addresses). ARP is used to resolve hardware
addresses when only the network layer address is known.
◦ vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Specifies the VLAN
ID on which to send the probing ARP requests. Specify the
VLAN ID from 1 - 4094. Alternately, use a vlan-alias to
identify the VLAN. If using a vlan-alias, ensure that the alias
is existing and configured.
▪ <IP/HOST-ALIAS-NAME> – Optional. Limits ARP to a
device specified by the <IP> parameter. You can use a
host-alias to specify the IP address. If using a host-alias,
ensure that the host-alias is existing and configured.
▪ port [<LAYER2-IF-NAME>|ge|port-channel] – Optional.
Limits ARP to a specified port
<IP/HOST-ALIAS-NAME> Specify the IP address of the next-hop via which the critical
resource(s) are monitored. Configures up to four IP addresses for
monitoring. All the four IP addresses constitute critical resources.
You can use a host-alias to specify the IP address. If using a host-
alias, ensure that the host-alias is existing and configured.
<LAYER3-INTERFACE-NAME> Specify the layer 3 Interface name (router interface)
pppoe1 Specifies PPP over Ethernet interface
vlan [<1-4094>|<VLAN-ALIAS- Specifies the wireless controller or service platform’s VLAN
NAME>] interface. Specify VLAN ID from 1 - 4094. Alternately, use a vlan-
alias to identify the VLAN. If using a vlan-alias, ensure that the alias
is existing and configured.
wwan1 Specifies Wireless WAN interface
[all|any] [<IP/HOST-ALIAS- Monitors critical resources using the default routing engine
NAME>| sync-adoptees] • all – Monitors all resources that are going down (generates an
event when all specified critical resource IP addresses are
unreachable)
• any – Monitors any resource that is going down (generates an
event when any one of the specified critical resource IP addresses
is unreachable)
◦ <IP/HOST-ALIAS-NAME> – Configures the IP address of the
critical resource being monitored (for example, the DHCP or
DNS server). Specify the IP address in the A.B.C.D format.
You can use a host-alias to specify the IP address. If using a
host-alias, ensure that the host-alias is existing and
configured.
◦ sync-adoptees – Syncs adopted access points with the
controller. In the stand-alone AP scenario, where the CRM
policy is running on the AP, the AP is notified directly in
case a critical resource goes down. On the other hand, when
an AP is adopted to a controller (running the CRM policy), it
is essential to enable the sync-adoptees option in order to
sync the AP with the controller regarding the latest CRM
status.
arp-only vlan [<1-4094>|<VLAN- The following keywords are common to the ‘all’ and ‘any’
ALIAS-NAME>] {<IP/HOST- parameters:
ALIAS-NAME>| port [<LAYER2- • arp-only vlan <1-4094> – Optional. Uses ARP to determine if the
IFNAME>|ge| port-channel]} IP address is reachable (use this option to monitor resources
that do not have IP addresses). ARP is used to resolve hardware
addresses when only the network layer address is known.
• vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Specifies the VLAN ID
to send the probing ARP requests. Specify the VLAN ID from 1 -
4094. Alternately, use a vlan-alias to identify the VLAN. If using
a vlan-alias, ensure that the alias is existing and configured.
◦ <IP/HOST-ALIAS-NAME> – Optional. Limits ARP to a device
specified by the <IP> parameter. You can use a host-alias to
specify the IP address. If using a host-alias, ensure that the
host-alias is existing and configured.
◦ port [<LAYER2-IF-NAME>|ge|port-channel] – Optional.
Limits ARP to a specified port
criteria [all|cluster-master| rf- Configures the resource that will monitor critical resources and
domain-manager] update the rest of the devices in a group. Options include all, rf-
domain-manager, or cluster-master.
• all – Configures all devices within a group (cluster or RF
Domain) as the monitoring resource
• cluster-master – Configures the cluster master as the monitoring
resource
• rf-domain-manager – Configures the RF Domain manager as the
monitoring resource
dhcp vlan [<1-4094>| <VLAN- The following parameters are recursive and common to the ‘all’,
ALIAS-NAME>] ‘cluster-master’, and ‘rf-domain-manager’ keywords:
• dhcp – Configures DHCP as the mode of monitoring critical
resources. When configured, DHCP message flows (DHCP
Discover, DHCP Offer, etc.) are used instead of ICMP or ARP
packets to confirm critical resource availability.
◦ vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the
VLAN on which the critical resource(s) is available. Specify
the VLAN from 1 - 4094. Alternately, use a vlan-alias to
identify the VLAN. If using a vlan-alias, ensure that the alias
is existing and configured.
dns <IP/HOST-ALIAS-NAME> The following parameters are recursive and common to the ‘all’,
‘cluster-master’, and ‘rf-domain-manager’ keywords:
• dns – Configures DNS as the mode of monitoring critical
resources. When configured, DNS message flows are used
instead of ICMP or ARP packets to confirm critical resource
availability.
◦ <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or
host alias of the critical resource. Specify the IPv4 address or
host alias name (should be existing and configured).
{dhcp [vlan <1-4094>| <VLAN- The ‘dhcp’ and ‘dns’ parameters are recursive and you can
ALIAS-NAME>]| dns <IP/HOST- optionally configure multiple VLANs and critical resource IPv4
ALIAS-NAME>} addresses (or host alias names).
• dhcp – Optional. Configures DHCP as the mode of monitoring
critical resources. When configured, DHCP message flows
(DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or
ARP packets to confirm critical resource availability.
◦ vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the
VLAN on which the critical resource(s) is available. Specify
the VLAN from 1 - 4094. Alternately, use a vlan-alias to
identify the VLAN. If using a vlan-alias, ensure that the alias
is existing and configured.
• dns – Optional. Configures DNS as the mode of monitoring
critical resources. When configured, DNS message flows are
used instead of ICMP or ARP packets to confirm critical resource
availability.
◦ <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or
host alias of the critical resource. Specify the IPv4 address or
host alias name (should be existing and configured).
dhcp vlan [<1-4094>| <VLAN- Configures DHCP as the mode of monitoring critical resources.
ALIAS-NAME>] When configured, DHCP message flows (DHCP Discover, DHCP
Offer, etc.) are used instead of ICMP or ARP packets to confirm
critical resource availability.
• vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the VLAN
on which the critical resource(s) is available. Specify the VLAN
from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN.
If using a vlan-alias, ensure that the alias is existing and
configured.
{dhcp vlan [<1-4094>| <VLAN- The following parameters are recursive and optional. Use them to
ALIAS-NAME>]| dns <IP/HOST- configure multiple VLANs and critical resource IPv4 addresses (or
ALIAS-NAME>} host alias names):
• dhcp – Optional. Configures DHCP as the mode of monitoring
critical resources. When configured, DHCP message flows
(DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or
ARP packets to confirm critical resource availability.
◦ vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the
VLAN on which the critical resource(s) is available. Specify
the VLAN from 1 - 4094. Alternately, use a vlan-alias to
identify the VLAN. If using a vlan-alias, ensure that the alias
is existing and configured.
• dns – Optional. Configures DNS as the mode of monitoring
critical resources. When configured, DNS message flows are
used instead of ICMP or ARP packets to confirm critical resource
availability.
◦ <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or
host alias of the critical resource. Specify the IPv4 address or
host alias name (should be existing and configured).
dns <IP/HOST-ALIAS-NAME> Configures DNS as the mode of monitoring critical resources. When
configured, DNS message flows are used instead of ICMP or ARP
packets to confirm critical resource availability.
• <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or host
alias of the critical resource. Specify the IPv4 address or host
alias name (should be existing and configured).
{dhcp vlan [<1-4094>| <VLAN- The following parameters are recursive and optional. Use them to
ALIAS-NAME>]| dns <IP/HOST- configure multiple VLANs and critical resource IPv4 addresses (or
ALIAS-NAME>} host alias names):
• dhcp – Optional. Configures DHCP as the mode of monitoring
critical resources. When configured, DHCP message flows
(DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or
ARP packets to confirm critical resource availability.
◦ vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the
VLAN on which the critical resource(s) is available. Specify
the VLAN from 1 - 4094. Alternately, use a vlan-alias to
identify the VLAN. If using a vlan-alias, ensure that the alias
is existing and configured.
• dns – Optional. Configures DNS as the mode of monitoring
critical resources. When configured, DNS message flows are
used instead of ICMP or ARP packets to confirm critical resource
availability.
◦ <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or
host alias of the critical resource. Specify the IPv4 address or
host alias name (should be existing and configured).
sync-adoptees Syncs adopted access points with the controller. In the stand-alone
AP scenario, where the CRM policy is running on the AP, the AP is
notified directly in case a critical resource goes down. On the
other hand, when an AP is adopted to a controller (running the
CRM policy), it is essential to enable the sync-adoptees option in
order to sync the AP with the controller regarding the latest CRM
status.
criteria [all|cluster-master| rf- Configures the resource that will monitor critical resources and
domain-manager] update the rest of the devices in a group. Options include all, rf-
domain-manager, or cluster-master.
• all – Configures all devices within a group (cluster or RF
Domain) as the monitoring resource
• cluster-master – Configures the cluster master as the monitoring
resource
• rf-domain-manager – Configures the RF Domain manager as the
monitoring resource
dhcp vlan [<1-4094>| <VLAN- The following parameters are recursive and common to the ‘all’,
ALIAS-NAME>] ‘cluster-master’, and ‘rf-domain-manager’ keywords:
• dhcp – Configures DHCP as the mode of monitoring critical
resources. When configured, DHCP message flows (DHCP
Discover, DHCP Offer, etc.) are used instead of ICMP or ARP
packets to confirm critical resource availability.
◦ vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the
VLAN on which the critical resource(s) is available. Specify
the VLAN from 1 - 4094. Alternately, use a vlan-alias to
identify the VLAN. If using a vlan-alias, ensure that the alias
is existing and configured.
dns <IP/HOST-ALIAS-NAME> The following parameters are recursive and common to the ‘all’,
‘cluster-master’, and ‘rf-domain-manager’ keywords:
• dns – Configures DNS as the mode of monitoring critical
resources. When configured, DNS message flows are used
instead of ICMP or ARP packets to confirm critical resource
availability.
◦ <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or
host alias of the critical resource. Specify the IPv4 address or
host alias name (should be existing and configured).
{dhcp vlan [<1-4094>| <VLAN- The ‘dhcp’ and ‘dns’ parameters are recursive and you can
ALIAS-NAME>]| dns <IP/HOST- optionally configure multiple VLANs and critical resource IPv4
ALIAS-NAME>} addresses (or host alias names).
• dhcp – Optional. Configures DHCP as the mode of monitoring
critical resources. When configured, DHCP message flows
(DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or
ARP packets to confirm critical resource availability.
◦ vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the
VLAN on which the critical resource(s) is available. Specify
the VLAN from 1 - 4094. Alternately, use a vlan-alias to
identify the VLAN. If using a vlan-alias, ensure that the alias
is existing and configured.
• dns – Optional. Configures DNS as the mode of monitoring
critical resources. When configured, DNS message flows are
used instead of ICMP or ARP packets to confirm critical resource
availability.
◦ <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or
host alias of the critical resource. Specify the IPv4 address or
host alias name (should be existing and configured).
monitor interval <5-86400> Configures the critical resource monitoring frequency. This is the
interval between two successive pings to the critical resource being
monitored.
• <5-86400> – Specifies the frequency in seconds. Specify the
time from 5 - 86400 seconds. The default is 30 seconds.
Example
NOC-NX9500(config-profile-testNX9000)#critical-resource test monitor direct any
19.234.160.5 arp-only vlan 1
crypto
Use the crypto command to define a system-level local ID for Internet Security Association and Key
Management Protocol (ISAKMP) negotiation and to enter the ISAKMP policy, ISAKMP client, or ISAKMP
peer command set.
Command Description
crypto on page 1030 – Invokes commands used to configure ISAKMP policy, ISAKMP client, and ISAKMP peer
crypto-auto-ipsec-tunnel commands on page 1037 – Creates an auto IPSec VPN tunnel and enters its configuration mode
crypto-ikev1/ikev2-policy commands on page 1043 – Creates a crypto IKEv1/IKEv2 policy and enters its configuration mode
crypto-ikev1/ikev2-peer commands on page 1049 – Creates an IKEv1/IKEv2 peer and enters its configuration mode
crypto-map-config-commands on page 1056 – Creates a crypto map and enters its configuration mode
crypto-remote-vpn-client commands on page 1075 – Creates a remote VPN client and enters its configuration mode
crypto
Use the crypto command to define a system-level local ID for ISAKMP negotiation and enter the
ISAKMP policy, ISAKMP client, or ISAKMP peer configuration mode.
A crypto map entry is a single policy that describes how certain traffic is secured. There are two types
of crypto map entries: ipsec-manual and ipsec-ike entries. Each entry is given an index (used to sort the
ordered list).
When a non-secured packet arrives on an interface, the crypto map associated with that interface is
processed (in order). If a crypto map entry matches the non-secured traffic, the traffic is discarded.
When a packet is transmitted on an interface, the crypto map associated with that interface is
processed. The first crypto map entry that matches the packet is used to secure the packet. If a suitable
SA (Security Association) exists, it is used for transmission. Otherwise, IKE is used to establish an SA with
the peer. If no SA exists (and the crypto map entry is “respond only”), the packet is discarded.
When a secured packet arrives on an interface, its SPI (Security Parameter Index) is used to look up an
SA. If an SA does not exist (or if the packet fails any of the security checks), it is discarded. If all checks
pass, the packet is forwarded normally.
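The three packet-handling cases above, modeled in Python as an added example (not WiNG code or Extreme Networks' implementation). The selector fields, the SA tables, and the rule that outbound traffic matching no entry is sent unprotected are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class MapEntry:
    """One crypto map entry (hypothetical model, not a WiNG data structure)."""
    index: int                  # sequence number; lower index is evaluated first
    local_net: str              # assumed selector: protected local subnet
    remote_net: str             # assumed selector: protected remote subnet
    peer: str
    respond_only: bool = False

    def matches(self, local_ip, remote_ip):
        return (ip_address(local_ip) in ip_network(self.local_net)
                and ip_address(remote_ip) in ip_network(self.remote_net))


class Interface:
    """Interface with an ordered crypto map and two SA tables."""

    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: e.index)
        self.outbound_sa = {}   # peer name -> SPI
        self.inbound_sa = {}    # SPI -> peer name

    def first_match(self, local_ip, remote_ip):
        # Entries are processed in index order; the first match wins.
        return next((e for e in self.entries
                     if e.matches(local_ip, remote_ip)), None)

    def transmit(self, src, dst):
        entry = self.first_match(src, dst)
        if entry is None:
            return "forward-unprotected"    # assumption: page does not cover this case
        if entry.peer in self.outbound_sa:
            return f"secure:{entry.peer}"   # suitable SA exists, use it
        if entry.respond_only:
            return "discard"                # no SA and entry may not initiate IKE
        return f"ike-negotiate:{entry.peer}"

    def receive_plain(self, src, dst):
        # Inbound: the sender is the remote side, so the selector is reversed.
        # Plain-text traffic that an entry says must be secured is discarded.
        return "discard" if self.first_match(dst, src) else "forward"

    def receive_secured(self, spi, checks_ok):
        # Unknown SPI or a failed security check both lead to a drop.
        if spi not in self.inbound_sa or not checks_ok:
            return "discard"
        return "forward"


if __name__ == "__main__":
    # Constructed sample: a narrow respond-only entry ahead of a broad one.
    iface = Interface([
        MapEntry(20, "10.1.0.0/16", "10.2.0.0/16", "peerB"),
        MapEntry(10, "10.1.1.0/24", "10.2.0.0/16", "peerA", respond_only=True),
    ])
    print(iface.transmit("10.1.1.5", "10.2.3.4"))       # index 10 matches first
    print(iface.transmit("10.1.2.5", "10.2.3.4"))       # falls through to index 20
    print(iface.receive_plain("10.2.3.4", "10.1.2.5"))  # plain text for a protected flow
```

The respond-only entry at index 10 shadows part of the broader entry at index 20, so hosts in 10.1.1.0/24 cannot bring a tunnel up on their own; entry ordering decides the outcome, not the most specific match.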
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
crypto [auto-ipsec-secure|enable-ike-uniqueids|ike-version|ikev1|ikev2|ipsec|
load-management|map|pki|plain-text-deny-acl-scope|remote-vpn-client]
crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management]
crypto ike-version [ikev1-only|ikev2-only]
crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|
peer <IKEV1-PEER>|policy <IKEV1-POLICY-NAME>|remote-vpn]
crypto ikev2 [cookie-challenge-threshold <1-100>|dpd-keepalive <10-3600>|dpd-retries
<1-100>|
nat-keepalive <10-3600>|peer <IKEV2-PEER>|policy <IKEV2-POLICY-NAME>|remote-vpn]
crypto ipsec [df-bit|security-association|transform-set]
crypto ipsec df-bit [clear|copy|set]
crypto ipsec security-association lifetime [kilobytes <500-2147483646>|seconds
<120-86400>]
crypto ipsec transform-set <TRANSFORM-SET-TAG> [esp-3des|esp-aes|esp-aes-192|esp-aes-256|
esp-des|esp-null] [esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-sha256-hmac]
crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]
crypto pki import crl <TRUSTPOINT-NAME> URL <1-168>
crypto plain-text-deny-acl-scope [global|interface]
crypto remote-vpn-client
Parameters
crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management]
auto-ipsec-secure Configures the Auto IPSec Secure parameter settings. For Auto
IPSec tunnel configuration commands, see crypto-auto-ipsec-
tunnel commands on page 1037.
enable-ike-uniqueids Enables IKE (Internet Key Exchange) unique ID check. For more
information on IKE unique IDs, see remotegw on page 1041.
load-management Configures load management for platforms using software
cryptography
dpd-keepalive <10-3600> Sets the global DPD keepalive interval from 10 - 3600 seconds. The
default is 30 seconds.
dpd-retries <1-100> Sets the global DPD retries count from 1 - 100. The default is 5.
nat-keepalive <10-3600> Sets the global NAT keepalive interval from 10 - 3600 seconds. The
default is 20 seconds.
peer <IKEV2-PEER> Specify the name/Identifier for the IKEv2 peer
policy <IKEV2-POLICY-NAME> Configures an ISAKMP policy. Specify the policy name.
The local IKE policy and the peer IKE policy must have matching
group settings for successful negotiations.
remote-vpn Specifies an IKEv2 remote-VPN server configuration (responder
only)
ipsec
transform-set <TRANSFORM- Defines the transform set configuration (authentication and
SET-TAG> encryption) for securing data. A transform set is a combination of
security protocols, algorithms and other settings applied to IPSec
protected traffic.
• <TRANSFORM-SET-TAG> – Specify the transform set name.
After specifying the transform set used by the IPSec transport
connection, set the encryption method and the authentication
scheme used with the transform set.
The encryption methods are: DES, 3DES, AES, AES-192 and
AES-256.
esp-3des Configures the ESP transform using 3DES cipher (168 bits). The
transform set is assigned to a crypto map using the map’s set >
transform-set command.
esp-aes Configures the ESP transform using AES (Advanced Encryption
Standard) cipher. The transform set is assigned to a crypto map
using the map’s set > transform-set command.
esp-aes-192 Configures the ESP transform using AES cipher (192 bits). The
transform set is assigned to a crypto map using the map’s set >
transform-set command.
esp-aes-256 Configures the ESP transform using AES cipher (256 bits). The
transform set is assigned to a crypto map using the map’s set >
transform-set command. This is the default setting.
esp-des Configures the ESP transform using DES (Data Encryption
Standard) cipher (56 bits). The transform set is assigned to a crypto
map using the map’s set > transform-set command.
map <CRYPTO-MAP-TAG> Configures the crypto map, a software configuration entity that
selects data flows that require security processing. The crypto map
also defines the policy for these data flows.
• <CRYPTO-MAP-TAG> – Specify a name for the crypto map. The
name should not exceed 32 characters. For crypto map
configuration commands, see crypto-map-ipsec-manual-
instance on page 1057.
<1-1000> Defines the crypto map entry sequence. Each crypto map uses a list
of entries, each entry having a specific sequence number.
Specifying multiple sequence numbers within the same crypto map
provides the flexibility to connect to multiple peers from the same
interface. Specify a value from 1 - 1000.
ipsec-isakmp {dynamic} Configures IPSEC w/ISAKMP.
• dynamic – Optional. Configures dynamic map entry (remote
VPN configuration) for XAUTH with mode-config or ipsec-l2tp
configuration
<URL> Specify the CRL source address in the following format. Both IPv4
and IPv6 address formats are supported.
tftp://<hostname|IPv4 or IPv6>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IPv4 or IPv6>[:port]/path/file
sftp://<user>:<passwd>@<hostname|IPv4 or IPv6>[:port]/path/file
http://<hostname|IPv4 or IPv6>[:port]/path/file
cf:/path/file
usb<n>:/path/file
<1-168> Sets command replay duration from 1 - 168 hours. This is the interval
(in hours) after which devices using this profile copy a CRL file from
an external server and associate it with a trustpoint.
crypto remote-vpn-client
remote-vpn-client Configures remote VPN client settings. For more information, see
crypto-remote-vpn-client commands on page 1075.
Example
nx9500-6C8809(config-profile-default-rfs4000)#crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
nx9500-6C8809(config-profile-default-rfs4000)#crypto map map1 10 ipsec-isakmp dynamic
nx9500-6C8809(config-profile-default-rfs4000)#crypto plain-text-deny-acl-scope interface
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
tunnel-over-level2
ip igmp snooping
ip igmp snooping querier
no autoinstall configuration
no autoinstall firmware
device-upgrade persist-images
crypto ikev1 dpd-retries 1
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
nx9500-6C8809(config-profile-default-rfs4000-transform-set-tag1)#?
Crypto Ipsec Configuration commands:
mode Encapsulation mode (transport/tunnel)
no Negate a command or set its defaults
nx9500-6C8809(config-profile-default-rfs4000-transform-set-tag1)#
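An added example, not part of the WiNG documentation: a Python check that scans show context output for transform sets and IKE proposals built on legacy algorithms (the syntax above accepts esp-des, esp-3des, esp-null and esp-md5-hmac, and the example output uses DH group 2). The sample text is constructed in the style of the output above; the transform set named legacy is hypothetical.

```python
import re

# ESP keywords taken from the transform-set syntax on this page.
WEAK_ESP_CIPHERS = {
    "esp-des": "DES, 56-bit key",
    "esp-3des": "3DES, 64-bit block cipher",
    "esp-null": "no encryption (integrity only)",
}
WEAK_ESP_AUTH = {
    "esp-md5-hmac": "HMAC-MD5 integrity",
}
# Standard IKE Diffie-Hellman group numbers with small MODP primes.
WEAK_DH_GROUPS = {
    "1": "768-bit MODP",
    "2": "1024-bit MODP",
    "5": "1536-bit MODP",
}

TRANSFORM_RE = re.compile(
    r"^\s*crypto ipsec transform-set (\S+) (\S+) (\S+)\s*$")
POLICY_RE = re.compile(r"^\s*crypto (ikev1|ikev2) policy (\S+)\s*$")
PROPOSAL_RE = re.compile(
    r"^\s*isakmp-proposal (\S+) encryption (\S+) group (\S+) hash (\S+)\s*$")

# Constructed sample in the style of the `show context` output above.
# The "legacy" transform set is hypothetical.
SAMPLE_CONTEXT = """\
profile rfs4000 default-rfs4000
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
 crypto ipsec transform-set legacy esp-des esp-sha-hmac
"""


def audit_context(text):
    """Return (line_number, object, finding) for each weak setting."""
    findings = []
    policy = None  # IKE policy the current isakmp-proposal belongs to
    for lineno, line in enumerate(text.splitlines(), 1):
        m = POLICY_RE.match(line)
        if m:
            policy = f"{m.group(1)} policy {m.group(2)}"
            continue
        m = PROPOSAL_RE.match(line)
        if m:
            name, _enc, group, _hash = m.groups()
            if group in WEAK_DH_GROUPS:
                owner = policy or "unknown policy"
                findings.append((lineno, f"{owner} / proposal {name}",
                                 f"DH group {group}: {WEAK_DH_GROUPS[group]}"))
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            tag, cipher, auth = m.groups()
            obj = f"transform-set {tag}"
            if cipher in WEAK_ESP_CIPHERS:
                findings.append(
                    (lineno, obj, f"{cipher}: {WEAK_ESP_CIPHERS[cipher]}"))
            if auth in WEAK_ESP_AUTH:
                findings.append(
                    (lineno, obj, f"{auth}: {WEAK_ESP_AUTH[auth]}"))
    return findings


if __name__ == "__main__":
    for lineno, obj, finding in audit_context(SAMPLE_CONTEXT):
        print(f"line {lineno}: {obj}: {finding}")
```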
Related Commands
crypto-auto-ipsec-tunnel commands
Creates an auto IPSec VPN tunnel and changes the mode to auto-ipsec-secure mode for further
configuration.
Auto IPSec tunneling provides a secure tunnel between two networked peer controllers or service
platforms and associated access points that are within a range of valid IP addresses. You can define
which packets are sent within the tunnel, and how they are protected. When a tunneled peer sees a
sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer
destination or associated access point.
Tunnels are sets of SAs between two peers. SAs define the protocols and algorithms applied to sensitive
packets and specify the keying mechanisms used by tunneled peers. SAs are unidirectional and exist in
both the inbound and outbound direction. SAs are established per the rules and conditions of defined
security protocols (AH or ESP).
The IKE protocol is a key management protocol used in conjunction with IPSec. IKE enhances IPSec by
providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE enables
secure communications without time-consuming manual pre-configuration for auto IPSec tunneling.
nx9500-6C8809(config-profile-default-rfs4000)#crypto auto-ipsec-secure
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#?
Crypto Auto IPSEC Tunnel commands:
groupid Local/Remote identity and Authentication credentials for Auto
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#
The following table summarizes the crypto IPSec auto tunnel configuration mode commands:
Command Description
groupid on page 1038 – Specifies the identity string used for IKE authentication
ip on page 1039 – Enables the controller or service platform to uniquely identify APs and the hosts present in the AP’s subnet
ike-lifetime on page 1040 – Configures the IKE SA’s key lifetime in seconds
ikev2 on page 1041 – Enables the forced re-authentication of IKEv2 peer
remotegw on page 1041 – Defines the IKE version used for an auto IPSec tunnel using secure gateways
no on page 1042 – Removes or reverts the crypto auto IPSec tunnel settings
groupid
Syntax
groupid <WORD> [psk|rsa]
groupid <WORD> [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]
Parameters
groupid <WORD> [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]
Note
Only one group ID is supported on the controller or service platform. All APs, controllers, and
service platforms must use the same group ID.
Example
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#groupid testgroup@123 rsa
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#show context
crypto auto-ipsec-secure
groupid testgroup@123 rsa
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#
ip
Enables the controller to uniquely identify APs and the hosts present in the AP’s subnet. This allows the
controller to correctly identify the destination host and create a dynamic site-to-site VPN tunnel
between the host and the private network behind the controller.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ip nat crypto
Parameters
ip nat crypto
ip nat crypto Enables unique identification of APs and the hosts present in each
AP’s subnet
Providing a unique ID enables the access point, wireless controller,
or service platform to uniquely identify the destination device. This
is essential in networks where there are multiple APs behind a
router, or when two (or more) APs behind two (or more) different
routers have the same IP address. Further, the same subnet exists
behind these APs.
For example, let us consider a scenario where there are two APs (A
and B) behind two routers (1 and 2). AP ‘A’ is behind router ‘1’. And
AP ‘B’ is behind router ‘2’. Both these APs have the same IP address
(192.168.13.8). The subnet behind APs A and B is also the same
(100.1.1.0/24). In such a scenario the controller fails to uniquely
identify the hosts present in either AP’s subnet.
For more information, see remotegw on page 1041 and crypto on
page 1030.
Example
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#ip nat crypto
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#show context
crypto auto-ipsec-secure
remotegw ike-version ikev2 uniqueid
ip nat crypto
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#
ike-lifetime
The lifetime defines how long a connection (encryption/authentication keys) should last, from
successful key negotiation to expiration. Two peers need not exactly agree on the lifetime, though if
they do not, there is some clutter for a superseded connection on the peer defining the lifetime as
longer.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ike-lifetime <600-86400>
Parameters
ike-lifetime <600-86400>
Example
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#ike-lifetime 800
ikev2
Enables the forced IKEv2 peer re-authentication. This option is disabled by default.
In most IPSec tunnel configurations, the lifetime of IKE SAs between peers is limited. Once the IKE SA
key expires it is renegotiated. In such a scenario, the IKEv2 tunnel peers may or may not re-authenticate
themselves. When enabled, IKE tunnel peers have to re-authenticate each time the IKE SA is
renegotiated.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ikev2 peer reauth
Parameters
ikev2 peer reauth
ikev2 peer reauth Enables IKEv2 peer re-authentication. When enabled, IKE tunnel
peers are forced to re-authenticate each time the IKE key is
renegotiated.
Example
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#ikev2 peer reauth
remotegw
Defines the IKE version used for auto IPSEC tunnel negotiation with the IPSec remote gateway other
than the controller
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
remotegw ike-version [ikev1-aggr|ikev1-main|ikev2] {uniqueid}
Parameters
remotegw ike-version [ikev1-aggr|ikev1-main|ikev2] {uniqueid}
remotegw ike-version Configures the IKE version used for initiating auto IPSec tunnel with
secure gateways other than the controller
ikev1-aggr Aggressive mode is used by the auto IPSec tunnel initiator to set
up the connection
ikev1-main Main mode is used by the auto IPSec tunnel initiator to establish the
connection
ikev2 IKEv2 is the preferred method when only a wireless controller/AP is
used
uniqueid This keyword is common to all of the above parameters.
• uniqueid – Optional. Enables the assigning of a unique ID to APs
(using this profile) behind a router by prefixing the MAC address
to the group ID
Providing a unique ID enables the access point, wireless controller,
or service platform to uniquely identify the destination device. This
is essential in networks where there are multiple APs behind a
router, or when two (or more) APs behind two (or more) different
routers have the same IP address. For example, let us consider a
scenario where there are two APs (A and B) behind two routers (1
and 2). AP ‘A’ is behind router ‘1’. And AP ‘B’ is behind router ‘2’.
Both these APs have the same IP address (192.168.13.8). In such a
scenario, the controller fails to establish an Auto IPSec VPN tunnel
to either AP, because it is unable to uniquely identify them.
After enabling unique ID assignment, enable IKE unique ID check.
For more information, see crypto on page 1030.
Example
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#remotegw ike-version ikev2 uniqueid
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#show context
crypto auto-ipsec-secure
remotegw ike-version ikev2 uniqueid
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#
no
Syntax
no [groupid|ike-lifetime|ikev2 peer reauth|ip nat crypto]
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes or resets this auto IPSec tunnel’s settings based on the
parameters passed
Example
The following example shows the Auto IPSec VLAN bridge settings before the ‘no’ command is
executed:
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#show context
crypto auto-ipsec-secure
groupid testpassword@123 rsa
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#no groupid
The following example shows the Auto IPSec VLAN bridge settings after the ‘no’ command is executed:
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#show context
crypto auto-ipsec-secure
nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#
crypto-ikev1/ikev2-policy commands
The IKE protocol is a key management protocol standard used in conjunction with IPSec. IKE enhances
IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE
automatically negotiates IPSec SAs and enables secure communications without time consuming
manual pre-configuration.
To navigate to the IKEv1/IKEv2 policy config instance, use the following commands:
<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto ikev1/ikev2 policy <IKEV1/IKEV2-POLICY-NAME>
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#
nx9500-6C8809(config-profile-test-ikev2-policy-ikev2-testpolicy)#?
Crypto IKEv2 Policy Configuration commands:
dpd-keepalive Set Dead Peer Detection interval in seconds
isakmp-proposal Configure ISAKMP Proposals
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
sa-per-acl Setup single SA for all rules in the ACL (ONLY APPLICABLE
FOR SITE-TO-SITE VPN)
nx9500-6C8809(config-profile-test-ikev2-policy-ikev2-testpolicy)#
Note
IKEv2, being an improved version of the original IKEv1 design, is recommended in most
deployments. IKEv2 provides enhanced cryptographic mechanisms, NAT and firewall
traversal, attack resistance, etc.
Command                       Description
dpd-keepalive on page 1044    Sets DPD keep alive packet interval
dpd-retries on page 1045      Sets the maximum number of attempts for sending DPD keep alive packets (applicable only to the IKEv1 policy)
isakmp-proposal on page 1046  Configures ISAKMP proposals
lifetime on page 1047         Specifies how long an IKE SA is valid before it expires
mode on page 1047             Sets the mode of the tunnels (applicable only to the IKEv1 policy)
no on page 1048               Removes or reverts IKEv1/IKEv2 policy settings
dpd-keepalive
Syntax
dpd-keepalive <10-3600>
Parameters
dpd-keepalive <10-3600>
Example
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#dpd-keepalive 11
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-testpolicy)#show context
crypto ikev1 policy testpolicy
dpd-keepalive 11
isakmp-proposal default encryption aes-256 group 2 hash sha
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-testpolicy)#
dpd-retries
Sets the maximum number of times DPD keep-alive packets are sent to a peer. Once this value is
exceeded, without a response from the peer, the VPN tunnel connection is declared dead. This option is
available only for the IKEv1 policy.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dpd-retries <1-100>
Parameters
dpd-retries <1-100>
<1-100> Declares a peer dead after the specified number of retries. Specify a
value from 1 - 100. The default is 5.
Example
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#dpd-retries 10
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#show context
crypto ikev1 policy testpolicy
dpd-keepalive 11
dpd-retries 10
isakmp-proposal default encryption aes-256 group 2 hash sha
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#
isakmp-proposal
Parameters
isakmp-proposal <WORD> encryption [3des|aes|aes-192|aes-256] group [14|2|5] hash [aes-xcbc-mac|md5|sha|sha256]
hash [aes-xcbc-mac|md5|sha|sha256] Specifies the hash algorithm used to authenticate data transmitted
over the IKE SA. The hash algorithm specified here is used by VPN
peers to exchange credential information.
• aes-xcbc-mac – Uses AES XCBC Auth hash algorithm. This
option is applicable only to the IKEv2 policy configuration
context.
• md5 – Uses MD5 (Message Digest 5) hash algorithm
• sha – Uses SHA (Secure Hash Authentication) hash algorithm.
This is the default setting.
• sha256 – Uses Secure Hash Standard 2 algorithm
Example
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#isakmp-proposal testproposal encryption aes group 2 hash sha
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#show context
crypto ikev1 policy testpolicy
dpd-keepalive 11
dpd-retries 10
isakmp-proposal default encryption aes-256 group 2 hash sha
isakmp-proposal testpraposal encryption aes group 2 hash sha
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#
lifetime
Specifies how long an IKE SA (encryption/authentication keys) is valid. The value specified is the
validity period of the IKE SA from successful key negotiation to expiration.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
lifetime <600-86400>
Parameters
lifetime <600-86400>
lifetime <600-86400> Specifies how many seconds an IKE SA lasts before it expires. Set a
time stamp from 600 - 86400 seconds.
• <600-86400> – Specify a value from 600 - 86400 seconds. The
default is 86400 seconds.
Example
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#lifetime 655
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#show context
crypto ikev1 policy testpolicy
dpd-keepalive 11
dpd-retries 10
lifetime 655
isakmp-proposal default encryption aes-256 group 2 hash sha
isakmp-proposal testpraposal encryption aes group 2 hash sha
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#
mode
Configures the IPSec mode of operation for the IKEv1 policy. This option is not available for IKEv2 policy.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mode [aggressive|main]
Parameters
mode [aggressive|main]
Example
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#mode aggressive
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#show context
crypto ikev1 policy testpolicy
dpd-keepalive 11
dpd-retries 10
lifetime 655
isakmp-proposal default encryption aes-256 group 2 hash sha
isakmp-proposal testpraposal encryption aes group 2 hash sha
mode aggressive
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#
no
Parameters
no <PARAMETERS>
Example
The following example shows the IKEV1 Policy settings before the ‘no’ commands are executed:
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#show context
crypto ikev1 policy testpolicy
dpd-keepalive 11
dpd-retries 10
lifetime 655
isakmp-proposal default encryption aes-256 group 2 hash sha
isakmp-proposal testpraposal encryption aes group 2 hash sha
mode aggressive
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#no mode
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#no dpd-keepalive
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#no dpd-retries
The following example shows the IKEV1 Policy settings after the ‘no’ commands are executed:
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)# show context
crypto ikev1 policy testpolicy
lifetime 655
isakmp-proposal default encryption aes-256 group 2 hash sha
isakmp-proposal testpraposal encryption aes group 2 hash sha
nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#
crypto-ikev1/ikev2-peer commands
Use the (config) instance to configure IKEv1/IKEv2 peer configuration commands. To navigate to the
IKEv1/IKEv2 peer config instance, use the following commands:
<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto ikev1/ikev2 peer <IKEV1/IKEV2-PEER-NAME>
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#
The following table summarizes crypto IPSec IKEv1/IKEv2 peer configuration mode commands:
Command                      Description
authentication on page 1050  Configures a peer’s authentication mode and the pre-shared key
ip on page 1051              Configures the peer’s IP address
localid on page 1052         Configures a peer’s local identity details
remoteid on page 1053        Configures a remote peer’s identity details
use on page 1054             Associates an IKEv1 policy and IKEv2 policy with the IKEv1 and IKEv2 peer respectively
no on page 1055              Negates a command or reverts settings to their default. The no command, when used in the ISAKMP policy mode, defaults the ISAKMP protection suite settings.
authentication
Syntax
authentication [psk|rsa]
authentication psk [0 <WORD>|2 <WORD>|<WORD>] {local|remote}
authentication rsa
Parameters
authentication psk [0 <WORD>|2 <WORD>|<WORD>] {local|remote}
psk [0 <WORD>|2 <WORD>|<WORD>] {local|remote} Configures the authentication mode as PSK. The PSK is a
string, 8 - 12 characters long. It is shared by both ends of the VPN tunnel
connection. If using IKEv2, both a local and remote string must be
specified for handshake validation at both ends (local and remote)
of the VPN connection.
• 0 <WORD> – Configures a clear text key
• 2 <WORD> – Configures an encrypted key
• <WORD> – Configures the pre-shared key
The following keywords are available only in the IKEv2 peer
configuration mode:
• local – Optional. Uses the specified key for local peer
authentication only
• remote – Optional. Uses the specified key for remote peer
authentication only
Note: In case the peer type is not specified, this string is used for
authenticating both local and remote peers.
authentication rsa
Example
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#authentication rsa
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#authentication psk 0 key@123456
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#show context
crypto ikev2 peer peer1
authentication psk 0 key@123456 local
authentication psk 0 key@123456 remote
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#
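The audit below is an added example, not part of the WiNG guide or any Extreme Networks code. It reads IKE policy and peer blocks in the show context layout used in the isakmp-proposal, mode and authentication sections and reports proposal algorithms, DH groups and PSK settings that weaken a tunnel. The sample text, the names strong and peer2, the key values and the function names are assumptions made for this illustration, and the weakness tables reflect general cryptographic guidance rather than WiNG documentation.

```python
import re

# Constructed sample in the `show context` layout. testpolicy/peer1 reuse the
# page's example names; "strong", "peer2" and every key value are made up.
SAMPLE = """\
crypto ikev1 policy testpolicy
 dpd-keepalive 11
 lifetime 655
 isakmp-proposal default encryption aes-256 group 2 hash sha
 isakmp-proposal testproposal encryption 3des group 5 hash md5
 mode aggressive
crypto ikev2 policy strong
 isakmp-proposal p1 encryption aes-256 group 14 hash sha256
crypto ikev1 peer peer1
 ip address 172.16.10.12
 authentication psk 0 key@123456
 use ikev1-policy testpolicy
crypto ikev2 peer peer2
 ip address 192.168.10.6
 authentication psk 2 CONSTRUCTED-ENCRYPTED-VALUE local
 authentication psk 2 CONSTRUCTED-ENCRYPTED-VALUE remote
 use ikev2-policy strong
"""

HEADER = re.compile(r"^crypto (ikev[12]) (policy|peer) (\S+)$")
PROPOSAL = re.compile(
    r"^isakmp-proposal (\S+) encryption (\S+) group (\d+) hash (\S+)$")

# General cryptographic guidance (an assumption of this example, not WiNG text).
WEAK = {
    "encryption": {"3des": "64-bit block cipher"},
    "group": {"2": "1024-bit MODP", "5": "1536-bit MODP"},
    "hash": {"md5": "MD5 is not collision resistant",
             "sha": "SHA-1 is deprecated"},
}


def parse_blocks(text):
    """Map (ike_version, 'policy'|'peer', name) -> list of setting lines."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ")#" in line:          # blank line or CLI prompt
            continue
        header = HEADER.match(line)
        if header:
            current = blocks.setdefault(header.groups(), [])
        elif line.startswith("crypto "):      # some other crypto block
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def audit_ike_config(text):
    """Return (location, finding) tuples; key values are never echoed."""
    blocks, findings, aggressive = parse_blocks(text), [], set()

    def report(where, message):
        if (where, message) not in findings:  # local/remote PSK lines repeat
            findings.append((where, message))

    for (version, kind, name), lines in blocks.items():
        if kind != "policy":
            continue
        where = f"{version} policy {name}"
        for line in lines:
            proposal = PROPOSAL.match(line)
            if proposal:
                pname, enc, group, digest = proposal.groups()
                for field, value in (("encryption", enc), ("group", group),
                                     ("hash", digest)):
                    if value in WEAK[field]:
                        report(where, f"proposal {pname}: {field} {value} "
                                      f"({WEAK[field][value]})")
            elif line == "mode aggressive":
                aggressive.add((version, name))

    for (version, kind, name), lines in blocks.items():
        if kind != "peer":
            continue
        where, uses_psk, policy = f"{version} peer {name}", False, None
        for line in lines:
            words = line.split()
            if words[:2] == ["authentication", "psk"]:
                uses_psk = True
                if len(words) > 3 and words[2] == "0":
                    report(where, "pre-shared key stored as clear text (type 0)")
            elif len(words) == 3 and words[0] == "use":
                policy = words[2]
        # IKEv1 aggressive mode exchanges the PSK-derived authentication hash
        # unencrypted, so the strength of the PSK is the only protection left.
        if uses_psk and (version, policy) in aggressive:
            report(where, f"PSK authentication with aggressive-mode policy {policy}")
    return findings


if __name__ == "__main__":
    for where, message in audit_ike_config(SAMPLE):
        print(f"{where}: {message}")
```

The findings name only the block and the setting, so the report can be shared without exposing key material.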
ip
Sets the IP address or FQDN (Fully Qualified Domain Name) of the IPSec VPN peer used in the tunnel
setup
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ip [address <IP>|fqdn <WORD>]
Parameters
ip [address <IP>|fqdn <WORD>]
Example
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#ip address 172.16.10.12
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#show context
crypto ikev1 peer peer1
ip address 172.16.10.12
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#show context
crypto ikev2 peer peer1
ip address 192.168.10.6
authentication psk 0 test@123456 local
authentication psk 0 test@123456 remote
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#
localid
Sets an IKEv1/IKEv2 peer’s local identity. This local identifier is used with this peer configuration for an
IKE exchange with the target VPN IPSec peer.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
localid [address|autogen-uniqueid|dn|email|fqdn|string]
localid [address <IP>|autogen-uniqueid <WORD>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]
Parameters
localid [address <IP>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]
address <IP> Configures the peer’s IP address. The IP address is used as local
identity.
autogen-uniqueid <WORD> Generates a localid using the device’s unique identity. The system
prefixes the device’s unique identity to the string provided here. The
device’s unique identity should already exist and be configured. For
more information on configuring a device’s unique identity, see
autogen-uniqueid on page 975.
• <WORD> – Provide the string.
Example
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#localid email [email protected]
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#show context
crypto ikev1 peer peer1
ip address 172.16.10.12
localid email [email protected]
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#
remoteid
Configures an IKEv1/IKEv2 peer’s remote identity. This remote identifier is used with this peer
configuration for an IKE exchange with the target VPN IPSec peer.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
remoteid [address <IP>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]
Parameters
remoteid [address <IP>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]
Example
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#remoteid dn SanJose
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#show context
crypto ikev1 peer peer1
ip address 172.16.10.12
remoteid dn SanJose
localid email [email protected]
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#remoteid address 157.235.209.63
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#show context
crypto ikev2 peer peer1
remoteid address 157.235.209.63
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#
use
Syntax
use ikev1-policy <IKEV1-POLICY-NAME>
use ikev2-policy <IKEV2-POLICY-NAME>
Parameters
use ikev1-policy <IKEV1-POLICY-NAME>
Example
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#use ikev1-policy test-ikev1policy
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#show context
crypto ikev1 peer peer1
ip address 172.16.10.12
remoteid dn SanJose
localid email [email protected]
use ikev1-policy test-ikev1policy
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#show context
crypto ikev2 peer peer1
remoteid address 157.235.209.63
use ikev2-policy test-ikev2policy
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#
no
Syntax
no [authentication|ip|localid|remoteid|use <IKEv1/IKEv2-POLICY-NAME>]
Parameters
no <PARAMETERS>
Example
The following example shows the Crypto IKEV1 peer1 settings before the ‘no’ commands are executed:
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#show context
crypto ikev1 peer peer1
ip address 172.16.10.12
remoteid dn SanJose
localid email [email protected]
use ikev1-policy test-ikev1policy
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#no localid
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#no remoteid
The following example shows the Crypto IKEV1 peer1 settings after the ‘no’ commands are executed:
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#show context
crypto ikev1 peer peer1
ip address 172.16.10.12
use ikev1-policy test-ikev1policy
nx9500-6C8809(config-profile-default-rfs4000-ikev1-peer-peer1)#
The following example shows the Crypto IKEV2 peer1 settings before the ‘no’ commands are executed:
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#show context
crypto ikev2 peer peer1
remoteid address 157.235.209.63
use ikev2-policy test
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#
The following example shows the Crypto IKEV2 peer1 settings after the ‘no’ commands are executed:
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#no use ikev2-policy
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#show context
crypto ikev2 peer peer1
remoteid address 157.235.209.63
nx9500-6C8809(config-profile-default-rfs4000-ikev2-peer-peer1)#
crypto-map-config-commands
A crypto map entry is a single policy that describes how certain traffic is secured. There are two types
of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index (used to sort the
ordered list).
IPSec VPN provides a secure tunnel between two networked peers. Administrators can define which
packets are sent within the tunnel, and how they're protected. When a tunneled peer sees a sensitive
packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer
destination.
Tunnels are sets of SAs between two peers. SAs define the protocols and algorithms applied to sensitive
packets and specify the keying mechanisms used by tunneled peers. SAs are unidirectional and exist in
both the inbound and outbound direction. SAs are established per the rules and conditions of defined
security protocols (AH or ESP).
IKE is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by
providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE
automatically negotiates IPSec SAs, and enables secure communications without time consuming
manual pre-configuration.
Use crypto maps to configure IPSec VPN SAs. Crypto maps combine the elements comprising IPSec
SAs. Crypto maps also include transform sets. A transform set is a combination of security protocols,
algorithms and other settings applied to IPSec protected traffic. One crypto map is utilized for each
IPSec peer, however for remote VPN deployments one crypto map is used for all the remote IPSec
peers.
Use the (config) instance to enter the crypto map configuration mode. To navigate to the crypto-map
configuration instance, use the following commands:
In the device-config mode:
<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]
There are three different configurations defined for each listed crypto map: site-to-site manual
(ipsec-manual), site-to-site-auto tunnel (ipsec-isakmp), and remote VPN client (ipsec-isakmp dynamic).
With site-to-site deployments, an IPSec tunnel is deployed between two gateways, each at the edge of two
different remote networks. With remote VPN, an access point located at a remote branch defines a tunnel
with a security gateway. This enables the end points in the branch office to communicate securely with
the destination endpoints (behind the security gateway).
Each crypto map entry is given an index (used to sort the ordered list).
nx9500-6C8809(config-profile-default-rfs4000)#crypto map map1 1 ipsec-manual
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#?
Manual Crypto Map Configuration commands:
local-endpoint-ip Use this IP as local tunnel endpoint address, instead
of the interface IP (Advanced Configuration)
mode Set the tunnel mode
no Negate a command or set its defaults
peer Set peer
security-association Set security association parameters
session-key Set security session key parameters
use Set setting to use
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#
Command                                        Description
crypto-map-ipsec-isakmp-instance on page 1064  Configures an auto site-to-site VPN or remote VPN client
crypto-map-ipsec-manual-instance on page 1057  Configures a manual site-to-site VPN
crypto-map-ipsec-manual-instance
To navigate to the automatic IPSec manual VPN tunnel configuration instance, use the following
command:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#3)#
The following table summarizes IPSec manual VPN tunnel configuration mode commands:
Command                            Description
local-endpoint-ip on page 1058     Uses the configured IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration)
mode on page 1059                  Sets the tunnel mode
peer on page 1059                  Sets the peer device’s IP address
security-association on page 1060  Defines the lifetime (in kilobytes and/or seconds) of IPSec SAs created by a crypto map
session-key on page 1060           Defines encryption and authentication keys for a crypto map
use on page 1063                   Uses the configured IP access list
no on page 1063                    Removes or reverts crypto map IPSec manual settings
local-endpoint-ip
Uses the configured IP as local tunnel endpoint address, instead of the interface IP (Advanced
Configuration)
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
local-endpoint-ip <IP>
Parameters
local-endpoint-ip <IP>
Example
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#local-endpoint-ip 172.16.10.3
mode
Syntax
mode [transport|tunnel]
Parameters
mode [transport|tunnel]
mode [transport|tunnel] Sets the mode of the tunnel for this crypto map
• transport – Initiates transport mode
• tunnel – Initiates tunnel mode (default setting)
Example
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#mode transport
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#show context
crypto map map1 1 ipsec-manual
mode transport
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#
peer
Sets the peer device’s IP address. This can be set for multiple remote peers. The remote peer can be an
IP address.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
peer <IP>
Parameters
peer <IP>
peer <IP> Enter the peer device’s IP address. If not configured, it implies
respond to any peer.
Example
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#peer 172.16.10.12
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#show context
crypto map map1 1 ipsec-manual
peer 172.16.10.12
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#
security-association
Defines the lifetime (in kilobytes and/or seconds) of IPSec SAs created by this crypto map
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]
Parameters
security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]
lifetime [kilobytes <500-2147483646>|seconds <120-86400>] Values can be entered in both kilobytes
and seconds. Whichever limit is reached first ends the security association.
• kilobytes <500-2147483646> – Defines volume based key
duration. Specify a value from 500 - 2147483646 bytes.
• seconds <120-86400> – Defines time based key duration.
Specify the time frame from 120 - 86400 seconds.
Note
This command is not applicable to the ipsec-manual crypto map.
Example
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map2#2)#security-association lifetime seconds 123
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map2#2)#show context
Command not applicable to this crypto map
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map2#2)#
session-key
Syntax
session-key [inbound|outbound] [ah|esp] <256-4294967295>
session-key [inbound|outbound] ah <256-4294967295> [0|2|authenticator [md5|sha]] <WORD>
session-key [inbound|outbound] esp <256-4294967295> [0|2|cipher [3des|aes|aes-192|aes-256|des|esp-null]] <WORD> authenticator [md5|sha] <WORD>
Parameters
session-key [inbound|outbound] ah <256-4294967295> [0|2|authenticator [md5|sha]] <WORD>
session-key [inbound|outbound] Defines the manual inbound and outbound security association key
parameters
ah <256-4294967295> Configures authentication header (AH) as the security protocol for
the security session
• <256-4294967295> – Sets the SPI for the security association
from 256 - 4294967295
The SPI (in combination with the destination IP address and
security protocol) identifies the security association.
[0|2|authenticator [md5|sha] <WORD>] Specifies the key type
• 0 – Sets a clear text key
• 2 – Sets an encrypted key
• authenticator – Sets AH authenticator details
◦ md5 <WORD> – AH with MD5 authentication
◦ sha <WORD> – AH with SHA authentication
▪ <WORD> – Sets security association key value. The
following key lengths (in hex characters) are required
(w/o leading 0x). AH-MD5: 32, AH-SHA: 40
session-key [inbound|outbound] Defines the manual inbound and outbound security association key
parameters
esp <256-4294967295> Configures Encapsulating Security Payloads (ESP) as the security
protocol for the security session. This is the default setting.
• <256-4294967295> – Sets the SPI for the security association
from 256 - 4294967295
The SPI (in combination with the destination IP address and
security protocol) identifies the security association.
[0|2|cipher [3des|aes|aes-192|aes-256|des|esp-null]]
• 0 – Sets a clear text key
• 2 – Sets an encrypted key
• cipher – Sets encryption/decryption key details
◦ 3des – ESP with 3DES encryption
◦ aes – ESP with AES encryption
◦ aes-192 – ESP with AES-192 encryption
◦ aes-256 – ESP with AES-256 encryption
◦ des – ESP with DES encryption
◦ esp-null – ESP with no encryption
▪ authenticator – Specify ESP authenticator details
▪ md5 <WORD> – ESP with MD5 authentication
▪ sha <WORD> – ESP with SHA authentication
Example
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#session-key inbound esp
273 cipher esp-null authenticator sha 58768979
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#show context
crypto map map1 1 ipsec-manual
peer 172.16.10.2
mode transport
session-key inbound esp 273 0 cipher esp-null authenticator sha 58768979
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#
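An added example (not part of the guide): a Python linter for the session-key lines that show context prints for an ipsec-manual crypto map. It checks the SPI range and the AH key lengths stated above, and flags clear-text key storage and esp-null; the two AH lines in the sample, the finding names, and the treatment of des as a legacy cipher are assumptions of this example.

```python
"""Lint manual IPsec session-key lines from a WiNG 'show context' dump."""
import re

SPI_MIN, SPI_MAX = 256, 4294967295        # SPI range from the syntax above
AH_KEY_HEX_LEN = {"md5": 32, "sha": 40}   # AH key lengths stated in the guide
ESP_CIPHERS = {"3des", "aes", "aes-192", "aes-256", "des", "esp-null"}

LINE_RE = re.compile(
    r"^\s*session-key\s+(inbound|outbound)\s+(ah|esp)\s+(\d+)"
    r"(?:\s+([02]))?\s+(.+?)\s*$"
)
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def parse_session_key(line):
    """Return a dict for one session-key line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    direction, proto, spi, key_type, rest = m.groups()
    tok = rest.split()
    sk = {"direction": direction, "protocol": proto, "spi": int(spi),
          "key_type": key_type, "cipher": None, "cipher_key": None,
          "auth": None, "auth_key": None}
    if len(tok) >= 2 and tok[0] == "cipher":
        sk["cipher"] = tok[1]
        tok = tok[2:]
        # esp-null carries no cipher key; other ciphers are followed by one.
        if tok and tok[0] != "authenticator":
            sk["cipher_key"], tok = tok[0], tok[1:]
    if len(tok) >= 3 and tok[0] == "authenticator":
        sk["auth"], sk["auth_key"] = tok[1], tok[2]
    return sk


def audit_session_key(sk):
    """Return finding codes for one parsed line (code names are this example's)."""
    findings = []
    if not SPI_MIN <= sk["spi"] <= SPI_MAX:
        findings.append("spi-out-of-range")
    if sk["key_type"] == "0":
        findings.append("clear-text-key")        # key is stored readable in the config
    if sk["protocol"] == "esp":
        if sk["cipher"] not in ESP_CIPHERS:
            findings.append("unknown-cipher")
        elif sk["cipher"] == "esp-null":
            findings.append("no-encryption")     # ESP without confidentiality
        elif sk["cipher"] == "des":
            findings.append("legacy-cipher")     # assumption: 56-bit DES is treated as weak
    if sk["auth"] not in AH_KEY_HEX_LEN:
        findings.append("missing-authenticator")
    elif sk["protocol"] == "ah" and sk["key_type"] != "2":
        # The guide gives hex lengths for AH only; type 2 keys are stored
        # encrypted, so their text is not checked.
        key = sk["auth_key"]
        if not HEX_RE.fullmatch(key):
            findings.append("key-not-hex")
        elif len(key) != AH_KEY_HEX_LEN[sk["auth"]]:
            findings.append("ah-key-length")
    return findings


def audit_config(text):
    """Return (line number, direction, protocol, findings) per session-key line."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        sk = parse_session_key(line)
        if sk is not None:
            report.append((n, sk["direction"], sk["protocol"], audit_session_key(sk)))
    return report


# Line 4 is the guide's own example; lines 5 and 6 are constructed for illustration.
SAMPLE = """\
crypto map map1 1 ipsec-manual
 peer 172.16.10.2
 mode transport
 session-key inbound esp 273 0 cipher esp-null authenticator sha 58768979
 session-key outbound ah 300 0 authenticator sha 0123456789abcdef0123456789abcdef
 session-key inbound ah 100 2 authenticator md5 EXAMPLE-ENCRYPTED-BLOB
"""

if __name__ == "__main__":
    for n, direction, proto, findings in audit_config(SAMPLE):
        print(f"line {n}: {direction} {proto}: {', '.join(findings) or 'ok'}")
```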
use
Associates an existing IP access list with this crypto map. The ACL protects the VPN traffic.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
use ip-access-list <IP-ACCESS-LIST-NAME>
Parameters
use ip-access-list <IP-ACCESS-LIST-NAME>
Example
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#use ip-access-list test
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#show context
crypto map map1 1 ipsec-manual
use ip-access-list test
peer 172.16.10.12
mode transport
session-key inbound esp 273 0 cipher esp-null authenticator sha 5876897
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#
no
Syntax
no [local-endpoint-ip|mode|peer|security-association|session-key|use]
Parameters
no <PARAMETERS>
Example
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#show context
crypto map map1 1 ipsec-manual
use ip-access-list test
peer 172.16.10.12
mode transport
session-key inbound esp 273 0 cipher esp-null authenticator sha 5876897
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#show context
crypto map map1 1 ipsec-manual
session-key inbound esp 273 0 cipher esp-null authenticator sha 58768979
nx9500-6C8809(config-profile-default-rfs4000-cryptomap-map1#1)#
crypto-map-ipsec-isakmp-instance
To navigate to the remote VPN client configuration instance, use the following command:
In the device-config mode:
<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-isakmp
{dynamic}
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
Command Description
ip on page 1065 Enables this setting to utilize IP/Port NAT on the VPN tunnel. This command is applicable only to the site-to-site VPN tunnel.
local-endpoint-ip on page 1066 Uses the configured IP as local tunnel endpoint address, instead of the interface IP. This command is applicable to the site-to-site VPN tunnel and remote VPN client.
modeconfig on page 1067 Configures the mode config method (pull or push) associated with the remote VPN client. This command is applicable only to the remote VPN client.
peer on page 1067 Configures the IKEv1 or IKEv2 peer for the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client.
pfs on page 1068 Configures the Perfect Forward Secrecy (PFS) for the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client.
remote-type on page 1069 Configures the remote VPN client type as either None or XAuth. This command is applicable only to the remote VPN client.
security-association on page 1070 Defines this automatic VPN tunnel’s IPSec SA settings. This command is applicable to the site-to-site VPN tunnel and remote VPN client.
transform-set on page 1072 Applies a transform set (encryption and hash algorithms) to the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client.
use on page 1073 Applies an existing and configured IP access list to the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client.
no (crypto-map-ipsec-isakmp) on page 1074 Removes or reverts site-to-site VPN tunnel or remote VPN client settings
ip
Enables this setting to utilize IP/Port NAT on this auto site-to-site VPN tunnel. This option is disabled by
default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ip nat crypto
Parameters
ip nat crypto
ip nat crypto Enables this setting to utilize IP/Port NAT on the site-to-site VPN
tunnel. This setting is disabled by default.
Example
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
local-endpoint-ip
Uses the configured IP as local tunnel endpoint address, instead of the interface IP
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
local-endpoint-ip <IP>
Parameters
local-endpoint-ip <IP>
local-endpoint-ip <IP> Configures the local VPN tunnel’s (site-to-site VPN tunnel or remote
VPN client) endpoint IP address
• <IP> – Specify the IP address. The specified IP address must be
available on the interface.
Example
Site-to-site VPN tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#local-endpoint-ip
192.168.13.10
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
local-endpoint-ip 192.168.13.10
ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#local-endpoint-ip
157.235.204.62
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
local-endpoint-ip 157.235.204.62
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
modeconfig
Configures the mode config method (pull or push) associated with the remote VPN client
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
modeconfig [pull|push]
Parameters
modeconfig [pull|push]
modeconfig [pull|push] Configures the mode config method associated with a remote VPN
client. The options are: pull and push.
The mode (pull or push) defines the method used to assign a virtual
IP. This setting is relevant for IKEv1 only, since IKEv2 always uses the
configuration payload in pull mode. The default setting is push.
Example
Remote VPN client:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#modeconfig pull
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
modeconfig pull
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)
peer
Configures the IKEv1 or IKEv2 peer for the auto site-to-site VPN tunnel or remote VPN client. The peer
device can be specified either by its hostname or by its IP address. A maximum of three peers can be
configured.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
peer <1-3> [ikev1|ikev2] <IKEv1/IKEv2-PEER-NAME>
Parameters
peer <1-3> [ikev1|ikev2] <IKEv1/IKEv2-PEER-NAME>
peer <1-3> Creates a new peer and configures the peer’s priority level. Peer ‘1’
is the primary peer, and peer ‘3’ is redundant.
ikev1 <IKEv1-PEER-NAME> Configures an IKEv1 peer
• <IKEv1-PEER-NAME> – Specify the IKEv1 peer’s name.
Example
Site-to-site tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
peer 1 ikev2 ikev2Peer1
local-endpoint-ip 192.168.13.10
ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#peer 1 ikev1 RemoteIKEv1Peer1
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
peer 1 ikev1 RemoteIKEv1Peer1
local-endpoint-ip 157.235.204.62
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
pfs
Configures PFS (Perfect Forward Secrecy) for the auto site-to-site VPN tunnel or remote VPN client
PFS is the key-establishment protocol, used to secure VPN communications. If one encryption key is
compromised, only data encrypted by that specific key is compromised. For PFS to exist, the key used
to protect data transmissions must not be used to derive any additional keys. Options include 2, 5 and
14. This option is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
pfs [14|2|5]
Parameters
pfs [14|2|5]
Example
Site-to-site VPN tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#pfs 5
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
peer 1 ikev2 ikev2Peer1
local-endpoint-ip 192.168.13.10
pfs 5
ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#pfs 14
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
peer 1 ikev1 RemoteIKEv1Peer1
local-endpoint-ip 157.235.204.62
pfs 14
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
remote-type
Syntax
remote-type [none|xauth]
Parameters
remote-type [none|xauth]
Example
Remote VPN client:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
peer 1 ikev1 RemoteIKEv1Peer1
local-endpoint-ip 157.235.204.62
pfs 14
remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
security-association
Defines the IPSec SA’s (created by this auto site-to-site VPN tunnel or remote VPN client) settings
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
security-association [inactivity-timeout|level|lifetime]
security-association [inactivity-timeout <120-86400>|level perhost]
security-association lifetime [kilobytes <500-2147483646>|seconds
<120-86400>]
Parameters
security-association [inactivity-timeout <120-86400>|level perhost]
inactivity-timeout <120-86400> Specifies an inactivity period, in seconds, for this IPSec VPN SA.
Once the set value is exceeded, the association is timed out.
• <120-86400> – Specify a value from 120 - 86400 seconds. The
default is 900 seconds.
level perhost Specifies the granularity level for this IPSec VPN SA
• perhost – Sets the IPSec VPN SA’s granularity to the host level
lifetime [kilobytes <500-2147483646>|seconds <120-86400>] Defines the IPSec SA’s lifetime (in kilobytes and/or seconds). Values
can be entered in both kilobytes and seconds. Whichever limit is
reached first ends the security association.
• kilobytes <500-2147483646> – Defines volume based key
duration. Specify a value from 500 - 2147483646 kilobytes.
Select this option to define a connection volume lifetime (in
kilobytes) for the duration of the IPSec VPN SA. Once the set
volume is exceeded, the association is timed out. This option is
disabled by default.
• seconds <120-86400> – Defines time based key duration.
Specify the time frame from 120 - 86400 seconds. Select this
option to define a lifetime (in seconds) for the duration of the
IPSec VPN SA. Once the set value is exceeded, the association is
timed out. This option is disabled by default.
Example
Site-to-site tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-association
inactivity-timeout 200
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-association
level perhost
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-association
lifetime kilobytes 250000
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
security-association level perhost
peer 1 ikev2 ikev2Peer1
local-endpoint-ip 192.168.13.10
pfs 5
security-association lifetime kilobytes 250000
security-association inactivity-timeout 200
ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#security-association
lifetime seconds 10000
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
transform-set
Applies a transform set (encryption and hash algorithms) to the site-to-site VPN tunnel or remote VPN
client. Each crypto map can be customized with its own data protection and peer authentication
schemes.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
transform-set <TRANSFORM-SET-TAG> {<TRANSFORM-SET-TAG>}
Parameters
transform-set <TRANSFORM-SET-TAG> {<TRANSFORM-SET-TAG>}
transform-set <TRANSFORM-SET-TAG> <TRANSFORM-SET-TAG> Applies a transform set. The transform set should be existing and
configured.
• <TRANSFORM-SET-TAG> – Specify the transform set’s name.
◦ <TRANSFORM-SET-TAG> – Optional. Specify a second
transform set. You can provide multiple, space-separated,
transform set tags.
Example
Site-to-site VPN tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#transform-set AutoVPN
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
security-association level perhost
peer 1 ikev2 ikev2Peer1
local-endpoint-ip 192.168.13.10
pfs 5
security-association lifetime kilobytes 250000
security-association inactivity-timeout 200
transform-set AutoVPN
ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#transform-set RemoteVPN
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
peer 1 ikev1 RemoteIKEv1Peer1
local-endpoint-ip 157.235.204.62
pfs 14
security-association lifetime seconds 10000
transform-set RemoteVPN
remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
use
Applies an existing and configured IP access list to the auto site-to-site VPN tunnel or remote VPN
client. Based on the IP access list’s settings, traffic is permitted or denied across the VPN tunnel.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
use ip-access-list <IP-ACCESS-LIST-NAME>
Parameters
use ip-access-list <IP-ACCESS-LIST-NAME>
Example
Site-to-site VPN tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
use ip-access-list test
security-association level perhost
peer 1 ikev2 ikev2Peer1
local-endpoint-ip 192.168.13.10
pfs 5
security-association lifetime kilobytes 250000
security-association inactivity-timeout 200
transform-set AutoVPN
ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
use ip-access-list test1
peer 1 ikev1 RemoteIKEv1Peer1
local-endpoint-ip 157.235.204.62
pfs 14
security-association lifetime seconds 10000
transform-set RemoteVPN
remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
no (crypto-map-ipsec-isakmp)
Removes or reverts the auto site-to-site VPN tunnel or remote VPN client settings
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [ip|local-endpoint-ip|modeconfig|peer|pfs|remote-type|security-association|transform-
set|use]
Parameters
no <PARAMETERS>
Example
The following example shows the IPSec site-to-site VPN tunnel ‘test’ settings before the ‘no’ commands
are executed:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
use ip-access-list test
security-association level perhost
peer 1 ikev2 ikev2Peer1
local-endpoint-ip 192.168.13.10
pfs 5
security-association lifetime kilobytes 250000
security-association inactivity-timeout 200
transform-set AutoVPN
ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
The following example shows the IPSec site-to-site VPN tunnel ‘test’ settings after the ‘no’ commands
are executed:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
peer 1 ikev2 ikev2Peer1
security-association lifetime kilobytes 250000
security-association inactivity-timeout 200
transform-set AutoVPN
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
The following example shows the IPSec remote VPN client ‘test’ settings before the ‘no’ commands are
executed:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
use ip-access-list test2
peer 1 ikev1 RemoteIKEv1Peer1
local-endpoint-ip 157.235.204.62
pfs 14
security-association lifetime seconds 10000
transform-set RemoteVPN
remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
The following example shows the IPSec remote VPN client ‘test’ settings after the ‘no’ commands are
executed:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
local-endpoint-ip 157.235.204.62
pfs 14
security-association lifetime seconds 10000
remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
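An added example (not part of the guide): a Python sketch that reads show context output for ipsec-isakmp crypto maps, fills in the defaults this section states (PFS disabled, ip nat crypto disabled, modeconfig push, 900-second inactivity timeout), and lists settings left unset. The sample input is the two "after" listings above; the dictionary keys and note names are this example's own.

```python
"""Resolve effective ipsec-isakmp crypto map settings from 'show context' text."""
import re

# Defaults stated in this section of the guide.
DEFAULTS = {
    "pfs": None,                 # PFS is disabled by default
    "ip_nat_crypto": False,      # disabled by default
    "modeconfig": "push",        # default mode config method
    "inactivity_timeout": 900,   # seconds
    "lifetime_kilobytes": None,  # disabled by default
    "lifetime_seconds": None,    # disabled by default
}

HEADER_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp( dynamic)?$")
PROMPT_RE = re.compile(r"^\S+\(config-[^)]*\)#")


def apply_setting(cm, w):
    """Record one configuration line (already split into words) on the map."""
    if w[0] == "peer" and len(w) == 4:
        cm["peers"][int(w[1])] = (w[2], w[3])    # priority -> (IKE version, name)
    elif w[0] == "pfs" and len(w) == 2:
        cm["pfs"] = int(w[1])
    elif w == ["ip", "nat", "crypto"]:
        cm["ip_nat_crypto"] = True
    elif w[0] == "modeconfig" and len(w) == 2:
        cm["modeconfig"] = w[1]
    elif w[0] == "transform-set":
        cm["transform_sets"] = w[1:]
    elif w[:2] == ["use", "ip-access-list"] and len(w) == 3:
        cm["acl"] = w[2]
    elif w[0] == "remote-type" and len(w) == 2:
        cm["remote_type"] = w[1]
    elif w[0] == "local-endpoint-ip" and len(w) == 2:
        cm["local_endpoint_ip"] = w[1]
    elif w[0] == "security-association" and len(w) >= 3:
        if w[1] == "inactivity-timeout":
            cm["inactivity_timeout"] = int(w[2])
        elif w[1] == "level":
            cm["sa_level"] = w[2]
        elif w[1] == "lifetime" and len(w) == 4:
            cm["lifetime_" + w[2]] = int(w[3])


def parse_crypto_maps(text):
    """Return one dict per 'crypto map ... ipsec-isakmp' block, defaults filled in."""
    maps, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            cur = dict(DEFAULTS, tag=header[1], seq=int(header[2]),
                       dynamic=header[3] is not None, peers={},
                       transform_sets=[], acl=None, remote_type=None,
                       local_endpoint_ip=None, sa_level=None)
            maps.append(cur)
        elif not line or PROMPT_RE.match(line):
            cur = None                           # a prompt or blank line ends the block
        elif cur is not None:
            apply_setting(cur, line.split())
    return maps


def review(cm):
    """List the settings a reviewer would follow up on for this map."""
    notes = []
    if not cm["peers"]:
        notes.append("no-peer")
    if not cm["transform_sets"]:
        notes.append("no-transform-set")
    if cm["acl"] is None:
        notes.append("no-access-list")           # no ACL selecting tunnel traffic
    if cm["pfs"] is None:
        notes.append("pfs-disabled")
    return notes


# The two "after" listings from the guide, copied as they appear above.
SAMPLE = """\
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
peer 1 ikev2 ikev2Peer1
security-association lifetime kilobytes 250000
security-association inactivity-timeout 200
transform-set AutoVPN
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
local-endpoint-ip 157.235.204.62
pfs 14
security-association lifetime seconds 10000
remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
"""

if __name__ == "__main__":
    for cm in parse_crypto_maps(SAMPLE):
        kind = "remote VPN client" if cm["dynamic"] else "site-to-site"
        print(f"{cm['tag']} {cm['seq']} ({kind}): pfs={cm['pfs']} "
              f"inactivity={cm['inactivity_timeout']}s notes={review(cm)}")
```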
crypto-remote-vpn-client commands
This section documents the IKEV2 remote VPN client configuration settings. Use this command to
define the server resources used to secure (authenticate) a remote VPN connection with a target peer.
Use the profile-config instance to configure remote VPN client settings. To navigate to the remote-vpn-
client configuration instance, use the following commands:
<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto remote-vpn-client
<DEVICE>(config-profile-<PROFILE-NAME>-crypto-ikev2-remote-vpn-client)#
Note
To configure remote VPN client settings on a device, on the device’s configuration mode, use
the crypto > remote-vpn-client command. For example:
rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto remote-vpn-client
The following configuration enables an access point to adopt to a controller over the remote
VPN link:
• On a profile: rfs4000-229D58(config-profile-testRFS4000)#controller
host <HOST-IP> remote-vpn-client
• On a device: rfs4000-229D58(config-00-23-68-22-9D-58)#controller
host <HOST-IP> remote-vpn-client
rfs4000-229D58(config)#profile rfs4000 testRFS4000
rfs4000-229D58(config-profile-testRFS4000)#
rfs4000-229D58(config-profile-testRFS4000)#crypto remote-vpn-client
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#?
Crypto IKEV2 Remote Vpn Client Config commands:
dhcp-peer Configure parameters for peers received via DHCP option
no Negate a command or set its defaults
peer Add a remote peer
shutdown Disable remote vpn client
transform-set Specify IPSec transform to use
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
The following table summarizes crypto remote VPN client configuration mode commands:
Command Description
dhcp-peer on page 1076 Configures DHCP peer’s local ID and authentication settings
peer on page 1077 Adds a remote IKEv2 peer
shutdown on page 1078 Disables the remote VPN client
transform-set on page 1079 Associates an existing IPSec transform set with this remote VPN client
no on page 1079 Removes the remote VPN client settings
dhcp-peer
Syntax
dhcp-peer [authentication|localid]
dhcp-peer authentication [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]
dhcp-peer localid [autogen-uniqueid <WORD>|string <WORD>]
Parameters
dhcp-peer authentication [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]
dhcp-peer authentication psk [0 <WORD>|2 <WORD>|<WORD>] Configures the DHCP peer’s authentication type as PSK
• 0 <WORD> – Configures a clear text authentication key
• 2 <WORD> – Configures an encrypted authentication key
• <WORD> – Provide an 8 - 21 character shared key password for
DHCP peer authentication
dhcp-peer authentication rsa Configures the DHCP peer’s authentication type as RSA. This is the
default setting.
dhcp-peer localid [autogen-uniqueid <WORD>|string <WORD>] Configures the DHCP peer's localid using one of the following
options:
• autogen-uniqueid - Generates a localid using the device's unique
identity. The system prefixes the device's unique identity to the
string provided here. The device’s unique identity should be
existing and configured. For more information on configuring a
device’s unique identity, see autogen-uniqueid on page 975.
◦ <WORD> – Provide the string.
• string - Uses the value provided here as the DHCP peer’s localid.
◦ <WORD> - Provide the string.
Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#dhcp-peer
authentication psk 0 @123testing
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
crypto remote-vpn-client
dhcp-peer authentication psk 0 @123testing
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
peer
Configures IKEv2 peers and assigns them priorities for utilization with remote VPN client connections. A
maximum of three (3) peers can be added to support redundancy.
IKEv2 uses an initial handshake in which VPN peers negotiate cryptographic algorithms, mutually
authenticate, and establish a session key, creating an IKE-SA. Additionally, a first IPSec SA is established
during the initial SA creation. All IKEv2 messages are request/response pairs. It is the responsibility of
the side sending the request to retransmit if it does not receive a timely response.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
peer <1-3> ikev2 <IKEV2-PEER-NAME>
Parameters
peer <1-3> ikev2 <IKEV2-PEER-NAME>
peer <1-3> Adds an IKEv2 peer. You can add a maximum of three (3) peers to
achieve redundancy.
• <1-3> – Specify a priority level for the peer from 1 - 3 (1 =
primary, 2 = secondary, and 3 = redundant).
Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#peer 1 ikev2 ikev2Peer1
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#peer 2 ikev2 ikev2Peer2
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
crypto remote-vpn-client
peer 1 ikev2 ikev2Peer1
peer 2 ikev2 ikev2Peer2
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
shutdown
Disables remote-vpn-client on this profile or device. The remote VPN client feature is enabled by default.
To enable a disabled remote VPN client, execute the no > shutdown command.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
shutdown
Parameters
None
Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
shutdown
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
transform-set
Specifies the IPSec Transform set to use with this remote VPN client. A transform set is a combination
of security protocols, algorithms, and other settings applied to IPSec protected client traffic.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
transform-set <IPSEC-XFORM-TAG> {<IPSEC-XFORM-TAG>}
Parameters
transform-set <IPSEC-XFORM-TAG> {<IPSEC-XFORM-TAG>}
Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#transform-set
TransformSet1
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show
context
crypto remote-vpn-client
peer 1 ikev2 ikev2Peer1
transform-set TransformSet1
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
no
Syntax
no [dhcp-peer|peer <1-3>|shutdown|transform-set]
no dhcp-peer [authentication|localid]
no peer <1-3>
no shutdown
no transform-set
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes or resets this remote VPN client’s settings based on the
parameters passed
Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
crypto remote-vpn-client
peer 1 ikev2 peer5
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#no peer 1
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
crypto remote-vpn-client
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
database
Backs up the captive-portal and/or NSight database to a specified location and file. When applied to
devices, this profile will enable the backup of the specified database. This command also enables you to
configure a low-disk-space threshold value.
These parameters can also be configured in the device configuration context of the NX9500, NX9600
series service platforms.
Syntax
database [backup|low-disk-space-threshold]
database backup database [captive-portal|nsight] <URL>
database low-disk-space-threshold <10-50>
Parameters
database backup database [captive-portal|nsight] <URL>
database backup database [captive-portal|nsight] Backs up captive portal and/or NSight database to a specified
location and file. Select the database to backup.
• database – Selects the database to backup
◦ captive-portal – Backs up captive portal database
◦ nsight – Backs up NSight database
After specifying the database type, configure the destination
location and file name.
<URL> Configures the destination location. The database is backed up at
the specified location. Specify the location URL in one of the
following formats:
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
tftp://<hostname|IP>[:port]/path
database low-disk-space-threshold <10-50> Configures the low disk space threshold for syslog warning. Once
the threshold value configured here is reached, a syslog warning is
sent.
• <10-50> – Specify the threshold from 10 - 50. The default is 30.
Example
nx9500-6C8809(config-profile-testNX9500)#database backup database nsight ftp://
anonymous:[email protected]/backups/nsight/nsight.tar.gz
Related Commands
device-onboard
Configures the logo image file name and title displayed on the EGuest device-onboarding portal. The
EGuest UI can be accessed only by vendor-admin users.
Note
Vendor admin users are configured in the Management policy context. For more information,
see user (management-policy) on page 1711.
Syntax
device-onboard [logo|title] <WORD>
Parameters
device-onboard [logo|title] <WORD>
device-onboard [logo|title] <WORD> Configures the logo and page title displayed on the
device-onboarding portal
• logo – Specify the logo image file name. Note, logo image
dimensions must not exceed 109 pixels and 52 pixels in width and
height respectively.
• title – Specify the UI portal title. Note, the title should not exceed
32 characters in length.
The following keyword is common to both of the above parameters:
• <WORD> – Specify the logo image file name/page title.
Related Commands
no on page 1329 Removes the device-onboarding UI portal’s logo image file name
and title configuration
device-upgrade
Administrators can customize profiles with unique device configuration file and firmware upgrade
support. In a clustered environment, operations performed on one device are propagated to each
member of the cluster and then onwards to devices managed by each cluster member. The number of
concurrent device upgrades and their start times can be customized to ensure a sufficient number of
devices remain in duty while upgrades are administered to others.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
Syntax
device-upgrade [add-auto|auto|count|persist-images]
device-upgrade add-auto [(ap6522|ap6562|ap7502|ap7522|ap7532|ap7562|
ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|
nx9600|vx9000)]
device-upgrade auto {(ap6522|ap6562|ap7502|ap7522|ap7532|ap7562|
ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|
nx9600|vx9000)}
device-upgrade count <1-128>
device-upgrade persist-images
Parameters
device-upgrade add-auto [(ap6522|ap6562|ap7502|ap7522|ap7532|ap7562|
ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|
nx9000|nx9600)]
device-upgrade add-auto Configures a list of devices types for automatic firmware upgrade
This command specifies the types of devices that can be
automatically upgraded (if enabled). To enable automatic device
firmware upgrade, use the ‘auto’ command. When enabled, access
points, wireless controllers, and service platforms, using this profile,
will automatically upgrade firmware on adopted devices that match
the specified device types.
[<DEVICE-TYPE>] Specifies the type of devices to be upgraded. Select the device
type. The options are: AP6522, AP6562, AP7161,
AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622,
AP7632, AP7662, AP8163, AP8432, AP8533, RFS4000, NX5500,
NX75XX, NX95XX, NX96XX, VX9000.
device-upgrade persist-images
Example
rfs4000-229D58(config-profile-default-rfs4000)#device-upgrade auto ap7532
rfs4000-229D58(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
autoinstall configuration
autoinstall firmware
device-upgrade auto ap7532
device-upgrade persist-ap-image
crypto ikev1 policy ikev1-default
qos trust 802.1p
--More--
rfs4000-229D58(config-profile-default-rfs4000)#
Related Commands
diag
Enables looped packet logging. When enabled, devices, using this profile, start logging looped packets
to a separate queue. This option is disabled by default.
Looped packet logging can also be enabled in the device configuration context.
Note
To view logged looped packets, execute the service > show > diag > pkts
command. For more information, see service on page 713.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
diag pkts
Parameters
diag pkts
Example
nx9500-6C8809(config-profile-default-nx75xx)#diag pkts
Related Commands
dot1x
Dot1x (or 802.1x) is an IEEE standard for network authentication. It enables media-level (layer 2) access
control, providing the capability to permit or deny connectivity based on user or device identity. Dot1x
allows port-based access using authentication. A dot1x-enabled port can be dynamically enabled or
disabled depending on user identity or device connection.
Devices supporting dot1x allow the automatic provision and connection to the wireless network without
launching a Web browser at login. When within range of a dot1x network, a device automatically
connects and authenticates without the user needing to log in manually.
Before authentication, the endpoint is unknown, and traffic is blocked. Upon authentication, the
endpoint is known and traffic is allowed. The controller or service platform uses source MAC filtering to
ensure only the authenticated endpoint is allowed to send traffic.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dot1x [guest-vlan|holdtime|system-auth-control|use]
dot1x holdtime <0-600>
dot1x system-auth-control
Parameters
dot1x system-auth-control
holdtime <0-600> Configures a holdtime value. This is the interval after which an
authentication attempt is ignored or failed.
• <0-600> – Specify a value from 0 - 600 seconds. A value of ‘0’
indicates no holdtime. The default is 600 seconds or 10 minutes.
Adding a hold time at startup allows time for the network to
converge before receiving or transmitting 802.1x authentication
packets.
use aaa-policy <AAA-POLICY-NAME> Associates a specified 802.1x AAA policy (for MAC authentication)
with this access point profile
• <AAA-POLICY-NAME> – Specify the AAA policy name. Once
specified, this AAA policy is utilized for authenticating user
requests.
Example
nx9500-6C8809(config-profile-test-nx5500)#dot1x use aaa-policy OnBoarding
nx9500-6C8809(config-profile-test-nx5500)#dot1x system-auth-control
nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface ge1
interface ge2
interface ge3
interface ge4
interface ge5
interface ge6
interface pppoe1
use firewall-policy default
service pm sys-restart
router ospf
router bgp
dot1x system-auth-control
dot1x use aaa-policy OnBoarding
nx9500-6C8809(config-profile-test-nx5500)#
Related Commands
dpi
Enables DPI (Deep Packet Inspection) on this profile. DPI is an advanced packet analysis technique,
which analyzes packet and packet content headers to determine the nature of network traffic. When
enabled, DPI inspects packets of all flows to identify applications (such as, Netflix, Twitter, Facebook,
etc.) and extract metadata (such as, host name, server name, TCP-RTT, etc.) for further use by the
WiNG firewall.
Syntax
dpi {custom-app|logging|metadata}
dpi {custom-app <CUSTOM-APP-NAME>}
dpi {logging [level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|
notifications|warnings]|on]}
dpi {metadata [http|ssl|tcp-rtt|voice-video]}
dpi {metadata [http|ssl|voice-video]}
dpi {metadata tcp-rtt {app-group <APPLICATION-GROUP-NAME>}}
Parameters
dpi {custom-app <CUSTOM-APP-NAME>}
Example
nx9500-6C8809(config-profile-testNX9500)#dpi logging on
nx9500-6C8809(config-profile-testNX9500)#show context
profile nx9000 testNX9500
bridge vlan 10
ip igmp snooping
ip igmp snooping querier
ipv6 mld snooping
.........................................................
router bgp
dpi logging on
dpi logging level debugging
nx9500-6C8809(config-profile-testNX9500)#
Related Commands
dscp-mapping
Configures IP DSCP (Differentiated Services Code Point) to 802.1p priority mapping for untagged
frames
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dscp-mapping <WORD> priority <0-7>
Parameters
dscp-mapping <word> priority <0-7>
Example
nx9500-6C8809(config-profile-default-rfs4000)#dscp-mapping 20 priority 7
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs7000 default-rfs4000
dscp-mapping 20 priority 7
no autoinstall configuration
no autoinstall firmware
crypto isakmp policy default
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
interface me1
interface ge1
ip dhcp trust
qos trust dscp
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
The WiNG EGuest solution is an independently installable VM/Server that provides integrated guest
management and analytics. Use this command to enable the EGuest daemon on the EGuest server.
Note
EGuest being a licensed feature, ensure that the EGUEST-DEV license is applied on the EGuest
server’s self context. For more information, see license on page 1400.
Note
For more information on configuring an EGuest captive-portal deployment, see
configuring ExtremeGuest captive portal on page 370.
Syntax
eguest-server
Parameters
eguest-server
eguest-server
Note: Execute this command, without the ‘host’ option, on the
EGuest server. When executed, the EGuest daemon is enabled on
the host.
Example
On the EGuest server, execute the command without the ‘host’ option to enable the EGuest daemon.
EG-Server(config-device-02-EE-1A-7E-AE-5B)#eguest-server
Related Commands
no on page 1329 Disables the EGuest server by stopping the EGuest daemon
Points to the EGuest server when executed along with the ‘host’ option.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
eguest-server <1-3> host <IPv4/IPv6/HOSTNAME> {http|https}
Parameters
eguest-server <1-3> host <IPv4/IPv6/HOSTNAME> {http|https}
eguest-server <1-3> host <IPv4/IPv6/HOSTNAME> {http|https} Configures the EGuest server details in the profile/device context of
the NOC (access point/controller). When configured, the NOC posts
registration requests and captive-portal related data directly to the
specified EGuest server.
• <1-3> – Configures the EGuest server index number. A maximum
of three EGuest servers can be configured.
◦ host <IPv4/IPv6/HOSTNAME> – Configures the EGuest
server’s IPv4/IPv6 address or hostname.
▪ {http|https} – Optional. Configures the mode of
connection as HTTP or HTTPS.
Example
On the NOC, execute along with the ‘host’ option to point to the EGuest server.
EG-NOC(config-device-74-67-F7-5C-64-4A)#eguest-server 1 host EG-Server https
Related Commands
email-notification
Configures e-mail notification settings. When a system event occurs, e-mail notifications are sent
(provided message logging is enabled) based on the settings configured here. Use this option to
configure the outgoing SMTP server settings.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
email-notification [host|recipient]
email-notification recipient <RECIPIENT-NAME>
email-notification host <SMTP-SERVER-IP/HOSTNAME> sender <SENDER-EMAIL> [port|security|
username]
email-notification host <SMTP-SERVER-IP/HOSTNAME> sender <SENDER-EMAIL> [(port <1-65535>,
security [none|ssl|starttls], username <SMTP-USERNAME> password [2 <WORD>|<WORD>])]
Parameters
email-notification recipient <RECIPIENT-EMAIL>
recipient <RECIPIENT-EMAIL> Defines the recipient’s e-mail address. A maximum of 6 (six) e-mail
addresses can be configured.
• <RECIPIENT-EMAIL> – Specify the recipient’s e-mail address
(should not exceed 64 characters in length).
sender <SENDER-EMAIL> Defines the sender’s e-mail address. This is the from address on
notification e-mails.
• <SENDER-EMAIL> – Specify the sender’s e-mail address (should
not exceed 64 characters in length). Use the email-notification >
recipient > <EMAIL-ADDRESS> command to configure the
recipient's address.
port <1-65535> This option is recursive and applicable to the ‘security‘ and
‘username’ parameters.
Configures the SMTP server port. Use this option to configure a
non-standard SMTP port on the outgoing SMTP server. The
standard SMTP port is 25.
• <1-65535> – Specify the port from 1 - 65535.
security [none|ssl|starttls] This option is recursive and applicable to the ‘port‘ and ‘username’
parameters.
Configures the SMTP encryption type used
• none – No encryption used
• ssl – Uses SSL (Secure Sockets Layer) encryption between the
SMTP server and the client
• starttls – Uses STARTTLS encryption between the SMTP server
and the client
username <SMTP-USERNAME> password [2 <WORD>|<WORD>] This option is recursive and applicable to the ‘port‘ and ‘security’
parameters.
Configures the SMTP sender’s username. Many SMTP servers
require users to authenticate with a username and password before
sending e-mail through the server.
• <SMTP-USERNAME> – Specify the SMTP username (should not
exceed 64 characters in length).
◦ password – Configures the SMTP server password. Specify
the password associated with the username of the sender on
the outgoing SMTP server.
▪ 2 <WORD> – Configures an encrypted password
Example
nx9500-6C8809(config-profile-default-rfs4000)#email-notification recipient [email protected]
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
dscp-mapping 20 priority 7
no autoinstall configuration
no autoinstall firmware
.............................................................
interface ge4
ip dhcp trust
qos trust dscp
qos trust 802.1p
use firewall-policy default
email-notification recipient [email protected]
service pm sys-restart
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
enforce-version
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
enforce-version [adoption|cluster] [full|major|minor|none|strict]
Parameters
enforce-version [adoption|cluster] [full|major|minor|none|strict]
Example
nx9500-6C8809(config-profile-test-nx5500)#enforce-version cluster full
nx9500-6C8809(config-profile-test-nx5500)#enforce-version adoption major
nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
....................................................
interface pppoe1
use firewall-policy default
enforce-version adoption major
enforce-version cluster full
service pm sys-restart
router ospf
router bgp
dot1x system-auth-control
dot1x use aaa-policy OnBoarding
nx9500-6C8809(config-profile-test-nx5500)#
Related Commands
environmental-sensor
An AP8132 sensor module is a USB environmental sensor extension to an AP8132 model access point. It
provides a variety of sensing mechanisms, allowing the monitoring and reporting of the AP8132's radio
coverage area.
Syntax
environmental-sensor [humidity|light|motion|polling-interval|temperature]
environmental-sensor [humidity|motion|polling-interval <1-100>|temperature]
environmental-sensor light {holdtime|radio-shutdown|threshold}
environmental-sensor light {holdtime <10-201>|radio-shutdown [all|radio-1|radio-2]}
environmental-sensor light {threshold [high <100-10000>|low <0-1000>]}
Parameters
environmental-sensor [humidity|motion|polling-interval <1-100>|temperature]
holdtime <10-201> Optional. Configures a holdtime, in seconds, for the light sensor
• <10-201> – Specify a value from 10 - 201 seconds. The default
value is 11 seconds.
Example
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor humidity
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor polling-interval 60
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor light radio-shutdown all
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor light threshold high 300
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor light threshold low 100
rfs4000-229D58(config-profile-testRFS4000)#show context
profile rfs4000 testRFS4000
bridge vlan 1
tunnel-over-level2
ip igmp snooping
ip igmp snooping querier
environmental-sensor polling-interval 60
environmental-sensor light threshold high 300
environmental-sensor light threshold low 100
environmental-sensor light radio-shutdown all
no autoinstall configuration
no autoinstall firmware
device-upgrade persist-images
--More--
rfs4000-229D58(config-profile-testRFS4000)#
Related Commands
events
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
events [forward on|on]
Parameters
events [forward on|on]
Example
nx9500-6C8809(config-profile-default-rfs4000)#events forward on
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
export
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
export startup-log [max-retries|retry-interval|url]
Parameters
export startup-log [max-retries <2-65535>|retry-interval <30-86400>|url <URL>]
export startup-log Enables export of the startup.log file after every boot. This option is
disabled by default.
max-retries <2-65535> Configures the maximum number of retries in case the export
process fails
• <2-65535> – Specify a value from 2 - 65535.
Example
nx9500-6C8809(config-profile-test-nx5500)#export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:[email protected]/log/startup.log
nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
.......................................................
interface ge5
interface ge6
interface pppoe1
use firewall-policy default
export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:[email protected]/log/startup.log
enforce-version adoption major
enforce-version cluster full
service pm sys-restart
--More--
nx9500-6C8809(config-profile-test-nx5500)#
Related Commands
file-sync
This command is applicable to the access point’s profile as well as device configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
file-sync [auto|count <1-20>]
Parameters
file-sync [auto|count <1-20>]
Example
nx9500-6C8809(config-profile-default-rfs4000)#file-sync auto
nx9500-6C8809(config-profile-default-rfs4000)#file-sync count 8
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
no autoinstall configuration
no autoinstall firmware
no device-upgrade auto
file-sync count 8
file-sync auto
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
no on page 1329 Disables automatic file syncing between the staging-controller and
its access points
floor
Sets the floor name where the target device (access point, wireless controller, or service platform using
this profile) is physically located. Assigning a building floor name helps in grouping devices within the
same general coverage area.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
floor <WORD> {<1-4094>}
Parameters
floor <WORD> {<1-4094>}
floor <WORD> {<1-4094>} Sets the floor name where the target device is located
• <WORD> – Specify the floor name (should not exceed 64
characters in length).
◦ <1-4094> – Optional. Configures the floor number from 1 -
4094. The default is 1.
Example
nx9500-6C8809(config-profile-default-rfs4000)#floor fifth
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
ip igmp snooping
ip igmp snooping querier
area Ecospace
floor fifth
autoinstall configuration
autoinstall firmware
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
gre
The following table summarizes commands that allow you to enter the GRE configuration mode:
Command Description
gre on page 1103 Enables GRE tunneling on a profile/device. This command also creates a GRE
tunnel and enters its configuration mode. Use this command to modify an
existing GRE tunnel’s settings.
gre-config-instance on page 1105 Summarizes GRE tunnel configuration mode commands
gre
Enables GRE (Generic Routing Encapsulation) tunneling on this profile, and creates a new GRE tunnel or
modifies an existing GRE tunnel.
The GRE protocol allows encapsulation of one protocol over another. It is a tunneling protocol that
transports any layer 3 protocol over an IP network. When enabled, a payload packet is first
encapsulated in the GRE protocol. The GRE encapsulated payload is then encapsulated in another IP
packet before being forwarded to the destination.
GRE tunneling can be configured to bridge Ethernet packets between WLANs and a remote WLAN
gateway over an IPv4 GRE tunnel. The tunneling of 802.3 packets using GRE is an alternative to MiNT or
L2TPv3. Related features like ACLs for extended VLANs are still available using layer 2 tunneling over
GRE.
Using GRE, access points map one or more VLANs to a tunnel. The remote end point is a user-
configured WLAN gateway IP address, with an optional secondary IP address should connectivity to the
primary GRE peer be lost. VLAN traffic is expected in both directions in the GRE tunnel. A WLAN
mapped to these VLANs can be either open or secure. Secure WLANs require authentication to a
remote RADIUS server available within your deployment using standard RADIUS protocols. Access
Points can reach both the GRE peer as well as the RADIUS server using IPv4.
The WiNG software now supports both IPv4 and IPv6 tunnel endpoints. However, a tunnel needs to
contain either IPv4 or IPv6 formatted device addresses and cannot be mixed. With the new IPv6 tunnel
implementation, all outbound packets are encapsulated with the GRE header, then the IPv6 header. The
header's source IP address is the local IPv6 address of the tunnel interface, and the destination
address is the peer address of the tunnel. All inbound packets are de-capsulated by removing the IPv6 and
GRE headers before being sent to the IP stack.
Note
Only one GRE tunnel can be created for every profile.
Syntax
gre tunnel <GRE-TUNNEL-NAME>
Parameters
gre tunnel <GRE-TUNNEL-NAME>
gre tunnel <GRE-TUNNEL-NAME> Creates a new GRE tunnel or modifies an existing GRE tunnel
• <GRE-TUNNEL-NAME> – If creating a new tunnel, specify a
unique name for it. If modifying an existing tunnel, specify its
name.
Example
rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#?
GRE Tunnel Mode commands:
dscp Differentiated Services Code Point
establishment-criteria Set tunnel establishment criteria
failover L2gre tunnel failover
mtu L2GRE tunnel endpoint maximum transmission unit(MTU)
native Native trunking characteristics
no Negate a command or set its defaults
peer L2GRE peer
tunneled-vlan VLANs to tunnel
rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#
rfs4000-229D58(config-profile-testRFS4000)#show context
profile rfs4000 testRFS4000
bridge vlan 1
tunnel-over-level2
ip igmp snooping
ip igmp snooping querier
..................................................................................
use firewall-policy default
service pm sys-restart
router ospf
gre tunnel testGREtunnel
peer 1 ip 192.168.13.8
peer 2 ip 192.168.13.10
rfs4000-229D58(config-profile-testRFS4000)#
Related Commands
gre-config-instance
Command Description
dscp on page 1105 Sets the GRE tunnel’s DSCP / 802.1q priority value
establishment-criteria on page 1106 Configures the GRE tunnel establishment criteria
failover on page 1107 Enables periodic pinging of the primary gateway to assess its availability, in case
it is unreachable
mtu on page 1107 Configures the MTU for IPv4/IPv6 L2GRE tunnel endpoints
native on page 1108 Configures native trunking settings for this GRE tunnel
no on page 1109 Removes the GRE tunnel settings based on the parameters passed
peer on page 1110 Configures the GRE tunnel’s end-point peers
tunneled-vlan on page 1111 Defines the VLAN that connected clients use to route GRE-tunneled traffic
within their respective WLANs
dscp
Sets the GRE tunnel’s DSCP / 802.1q priority value from encapsulated packets to the outer packet IPv4
header.
Syntax
dscp [<0-63>|reflect]
Parameters
dscp [<0-63>|reflect]
dscp <0-63> Specifies the DSCP 802.1q priority value for outer packets from 0 -
63. The default is 1.
dscp reflect Copies the DSCP 802.1q value from inner packets
Example
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#dscp 20
Related Commands
no on page 1109 Removes the GRE tunnel settings based on the parameters passed
establishment-criteria
In a multi-controller RF domain, it is always the master node that establishes the tunnel. The tunnel is
created only if the tunnel device is designated as one of the following: vrrp-master, cluster-master, or rf-
domain-manager.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]
Parameters
establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]
establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>] Configures the GRE tunnel establishment criteria. The options are:
• always – Always automatically establishes tunnel (default setting).
The tunnel device need not be a cluster master, RF Domain
manager, or VRRP master to establish the GRE tunnel.
• cluster-master – Establishes tunnel only if the tunnel device is
designated as the cluster master
• rf-domain-manager – Establishes tunnel only if the tunnel device
is designated as the RF Domain manager
• vrrp-master <1-255> – Establishes tunnel only if the tunnel device
is designated as the Virtual Router Redundancy (VRRP) master
◦ <1-255> – Configures the VRRP group ID from 1 - 255. A VRRP
group enables the creation of a group of routers as a default
gateway for redundancy. Clients can point to the IP address of
the VRRP virtual router as their default gateway and utilize a
different group member if a master becomes unavailable.
Example
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#establishment-criteria rf-domain-manager
failover
Enables periodic pinging of the primary gateway to assess its availability. When enabled, the system
continues pinging an unreachable gateway a specified number of times, at the specified
interval.
Syntax
failover interval <1-250> retry <1-10>
Parameters
failover interval <1-250> retry <1-10>
failover interval <1-250> retry <1-10> Specifies the interval, in seconds, between two successive pings to the
primary gateway. If the primary gateway is unreachable, the system
pings it at intervals specified here.
• <1-250> – Specify a value from 1 - 250 seconds.
◦ retry – Specifies the maximum number of attempts made to ping the
primary gateway before the session is terminated.
▪ <1-10> – Specify a value from 1 - 10.
Example
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#failover interval 200 retry 5
Related Commands
no on page 1109 Removes the GRE tunnel settings based on the parameters passed
mtu
The MTU is the largest physical packet size (in bytes) transmittable within the tunnel. Any messages
larger than the configured MTU are divided into smaller packets before transmission. The larger the MTU,
the greater the efficiency, because each packet carries more user data while protocol overheads, such as
headers or underlying per-packet delays, remain fixed; the resulting higher efficiency means a slight
improvement in bulk protocol throughput. A larger MTU results in the processing of fewer packets for
the same amount of data.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mtu [ipv4 <900-1476>|ipv6 <1236-1456>]
Parameters
mtu [ipv4 <900-1476>|ipv6 <1236-1456>]
Example
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#mtu ipv4 1200
Syntax
native [tagged|vlan <1-4094>]
Parameters
native [tagged|vlan <1-4094>]
Example
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#native tagged
Related Commands
no on page 1109 Removes the GRE tunnel settings based on the parameters passed
no
Removes or resets the GRE tunnel settings based on the parameters passed
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [dscp|establishment-criteria|failover|mtu|native|peer|tunneled-vlan]
no [dscp|establishment-criteria|failover|tunneled-vlan]
no mtu [ipv4|ipv6]
no native [tagged|vlan]
no peer <1-2>
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes or resets the GRE tunnel’s settings based on the parameters
passed
Example
The following example shows the GRE tunnel ‘testGRETunnel’ settings before the no commands are
executed:
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
gre tunnel testGRETunnel
peer 1 ip 192.168.13.6
native vlan 1
tunneled-vlan 1,10
native tagged
dscp 20
failover interval 200 retry 5
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#
The following example shows the GRE tunnel ‘testGRETunnel’ settings after the no commands are
executed:
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
gre tunnel testGRETunnel
peer 1 ip 192.168.13.6
native tagged
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#
peer
Adds the GRE tunnel’s end-point peers. A maximum of two peers, representing the tunnel’s end points,
can be added for each GRE tunnel.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
peer <1-2> ip <IPv4/IPv6>
Parameters
peer <1-2> ip <IPv4/IPv6>
Example
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#peer 1 ip 192.168.13.6
Related Commands
no on page 1109 Removes the GRE tunnel settings based on the parameters passed
tunneled-vlan
Defines the VLAN that connected clients use to route GRE tunneled traffic within their respective
WLANs
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
tunneled-vlan <VLAN-ID>
Parameters
tunneled-vlan <VLAN-ID>
Example
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)# tunneled-vlan 10
peer 1 ip 192.168.13.6
native vlan 1
tunneled-vlan 1,10
native tagged
dscp 20
failover interval 200 retry 5
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#
Related Commands
no on page 1109 Removes the GRE tunnel settings based on the parameters passed
http-analyze
Enables forwarding of HTTP request related data to the HTTP analytics engine
Wireless clients (MUs) connect to APs and route their HTTP requests through the APs. These APs
extract and forward HTTP request packets, through MiNT, to the NX series controller. The NX series
controller uses a new analytic daemon to cache, format, and forward information to the analytics
engine. Currently the analytics daemon is supported only on the NX series service platform. Therefore, it
is essential that all APs should use an NX series service platform as controller.
In a hierarchically organized network, HTTP analytics data forwarding is a simple and transparent
process. The site controllers receive the HTTP data from adopted APs. This data is compressed
and forwarded to the NOC (Network Operations Center) controller. There is no need for a separate
configuration to enable this feature.
Use this command to configure the mode and interval at which data is sent to the controller and the
external analytics engine. This command also configures the external engine’s details, such as URL,
credentials, etc.
Note
The Analytics module helps gather data about customer behavior such as web sites visited,
search terms used, mobile device types, number of new users vs. repeat users. This data
provides a better understanding of pricing strategies and promotions being run by
competitors.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
http-analyze [compress|external-server|update-interval <1-3600>]
http-analyze [compress|update-interval <1-3600>]
http-analyze external-server [password <WORD>|proxy <URL>|update-interval <1-3600>|url
<URL>|username <WORD>|validate-server-certificate]
Parameters
http-analyze [compress|update-interval <1-3600>]
update-interval <1-36000> Configures the interval, in seconds, at which buffered packets are
pushed to the external analytics engine
• <1-3600> – Specify the interval from 1 - 3600 seconds. The
default is 60 seconds.
username <WORD> Configures the user name needed to access the external analytics
engine
• <WORD> – Provide the user name.
Example
nx9500-6C8809(config-profile-default-rfs4000)#http-analyze compress
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
.....................................................................
qos trust 802.1p
interface pppoe1
use firewall-policy default
http-analyze update-interval 200
http-analyze compress
service pm sys-restart
router ospf
nx9500-6C8809(config-profile-default-rfs4000)#
nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
no autoinstall configuration
no autoinstall firmware
......................................................
interface ge5
interface ge6
interface pppoe1
use firewall-policy default
export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:[email protected]/log/startup.log
http-analyze external-server url https://192.168.13.10
http-analyze external-server username anonymous
http-analyze external-server password anonymous
http-analyze external-server update-interval 100
enforce-version adoption major
enforce-version cluster full
--More--
nx9500-6C8809(config-profile-test-nx5500)#
nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
...............................................................
http-analyze external-server url https://192.168.13.10
http-analyze external-server username anonymous
http-analyze external-server password anonymous
http-analyze external-server update-interval 100
http-analyze external-server proxy http://mot:[email protected]:1080
enforce-version adoption major
enforce-version cluster full
service pm sys-restart
router ospf
router bgp
dot1x system-auth-control
dot1x use aaa-policy OnBoarding
nx9500-6C8809(config-profile-test-nx5500)#
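The test-nx5500 contexts above export analytics to an external engine with no validate-server-certificate line and with the engine and proxy credentials readable in the configuration. The following Python check is an added example, not code from this guide: it reads show context text and lists those conditions per profile. Function names and sample values are constructed, and it assumes validate-server-certificate appears as its own http-analyze external-server line when set; this section does not state the default, so a missing line is reported for review.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in "show context" form (values are not from the guide).
SAMPLE_CONTEXT = """\
profile nx5500 lab-a
 http-analyze external-server url http://192.0.2.10
 http-analyze external-server username analytics
 http-analyze external-server password example-secret
 http-analyze external-server update-interval 100
 http-analyze external-server proxy http://puser:ppass@192.0.2.20:1080
profile nx5500 lab-b
 http-analyze external-server url https://192.0.2.11
 http-analyze external-server update-interval 100
 http-analyze external-server validate-server-certificate
profile nx5500 lab-c
 http-analyze update-interval 200
 http-analyze compress
"""

PREFIX = "http-analyze external-server "


def parse_profiles(text):
    """Return {profile name: {keyword: value}} for external-server lines."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"profile\s+\S+\s+(\S+)$", line)
        if header:
            current = profiles.setdefault(header.group(1), {})
        elif current is not None and line.startswith(PREFIX):
            # "url https://..." -> keyword "url"; a bare keyword gets an empty value
            keyword, _, value = line[len(PREFIX):].partition(" ")
            current[keyword] = value.strip()
    return profiles


def audit_external_server(settings):
    """List review items for one profile's external analytics export."""
    if "url" not in settings:
        return []  # no external analytics engine configured in this profile
    findings = []
    if urlsplit(settings["url"]).scheme.lower() != "https":
        findings.append("url is not https")
    if "validate-server-certificate" not in settings:
        findings.append("validate-server-certificate not set")
    proxy = urlsplit(settings.get("proxy", ""))
    if proxy.username or proxy.password:
        findings.append("proxy URL embeds credentials")
    if "password" in settings:
        findings.append("engine password readable in show context")
    return findings


def audit_http_analyze(text):
    """Return {profile name: [findings]} for every profile in the text."""
    return {name: audit_external_server(s)
            for name, s in parse_profiles(text).items()}


if __name__ == "__main__":
    for profile, findings in audit_http_analyze(SAMPLE_CONTEXT).items():
        print(profile, "->", findings or "no findings")
```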
Related Commands
interface
Profile Config Commands on page 954
Command Description
interface on page 1115 Selects an interface to configure
interface-config-ge-instance on page 1118 Summarizes Ethernet interface (associated with the wireless controller or service platform) configuration commands
interface-config-vlan-instance on page 1147 Summarizes VLAN interface configuration commands
interface-config-port-channel-instance on page 1163 Summarizes port-channel interface configuration commands
interface-config-radio-instance on page 1178 Summarizes radio interface configuration commands (applicable to devices with built-in radios)
interface-config-wwan-instance on page 1256 Summarizes WWAN interface configuration commands
interface-config-bluetooth-instance on page 1265 Summarizes the Bluetooth radio interface configuration commands (supported only on the AP8432 and AP8533 model access points)
interface
A profile’s interface configuration can be defined to support separate physical Ethernet configurations
both unique and specific to RFS4000 controllers and NX7500 and NX9500 series service platforms.
Ports vary depending on the platform, but controller or service platform models do have some of the
same physical interfaces.
A controller or service platform requires its virtual interface be configured for layer 3 (IP) access or layer
3 service on a VLAN. A virtual interface defines which IP address is associated with each VLAN ID the
controller or service platform is connected to.
If the profile is configured to support an access point radio, an additional radio interface is available,
unique to the access point’s radio configuration.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Parameters
interface [<INTERFACE-NAME>|bluetooth <1-1>|fe <1-4>|ge <1-8>|me1|port-channel <1-4>|
radio [1|2|3]|serial <1-4>|t1e1 <1-4>|up <1-2>|vlan <1-4094>|wwan1|xge <1-4>]
Usage Guidelines
The ports available on a device vary depending on the model. For example, the following ports are
available on RFS4000 and RFS7000 model wireless controllers:
• RFS4000 - ge1, ge2, ge3, ge4, ge5, up1
• GE ports are RJ-45 supporting 10/100/1000 Mbps
ME ports are out-of-band management ports used to manage the controller via CLI or Web UI, even
when the other ports on the controller are unreachable.
The ports available on service platforms also vary depending on the model. For example, the following
ports are available on NX series service platforms:
• NX7500 - ge1-ge10, xge1-xge2
• NX9500 series - ge1, ge2, xge1-xge4
• EX3500 – ge1-1 to ge1-24
• EX3548 – ge1-1 to ge1-48
GE ports are available on devices, such as RFS4000 controllers. GE ports are RJ-45 supporting
10/100/1000Mbps.
An UP port is used to connect to the backbone network. An UP port supports either RJ-45 or fiber. The
UP port is the preferred means to connect to the backbone as it has a non-blocking 1 Gbps connection
unlike the GE ports.
• The following ports are available on access points:
• AP6522 - GE1/POE (LAN)
• AP6562 - GE1/POE
• AP7161 - GE1/POE (LAN), GE2 (WAN)
• AP7502 - GE1 (THRU), fe1, fe2, fe3
• AP7522 - GE1/POE (LAN)
• AP7532 - GE1/POE (LAN)
• AP8163 - GE1/POE (LAN), GE2 (WAN)
Note
For an NX7500 model service platform, there are options for either a 2 port or 4 port
network management card. Either card can be managed using WiNG. If the 4 port card is
used, ports ge7-ge10 are available. If the 2 port card is used, ports xge1-xge2 are available.
Example
nx9500-6C8809(config-profile-default-rfs4000-if-vlan44)#
nx9500-6C8809(config-profile-default-rfs4000-if-vlan44)#?
SVI configuration commands:
crypto Encryption module
description Vlan description
dhcp Dynamic Host Configuration Protocol (DHCP)
dhcp-relay-incoming Allow on-board DHCP server to respond to relayed DHCP
packets on this interface
ip Interface Internet Protocol config commands
ipv6 Internet Protocol version 6 (IPv6)
no Negate a command or set its defaults
shutdown Shutdown the selected interface
use Set setting to use
nx9500-6C8809(config-profile-default-rfs4000-if-vlan44)#
Related Commands
interface-config-ge-instance
GE port placement and quantity varies depending on the controller, service platform, or access point
model. Configure the GE interface either in the device’s profile-config context or directly on a device.
nx9500-6C8809(config-profile-testNX9000-if-ge2)#
Command Description
captive-portal-enforcement on page 1119 Enables captive-portal enforcement on this Ethernet port
cdp on page 1120 Enables Cisco Discovery Protocol (CDP) on this Ethernet port
channel-group on page 1121 Assigns this Ethernet port to a channel group
description on page 1122 Configures a description for this Ethernet port
dot1x (authenticator) on page 1122 Configures 802.1X authenticator settings
dot1x (supplicant) on page 1125 Configures 802.1X supplicant settings
duplex on page 1127 Specifies the duplex mode for the interface
ip on page 1128 Sets the IP address for this Ethernet port
ipv6 on page 1129 Sets the DHCPv6 and ICMPv6 neighbor discovery (ND) components for this interface
lacp on page 1130 Configures the selected GE port’s Link Aggregation Control Protocol (LACP) port-priority value
lacp-channel-group on page 1131 Configures the selected GE port as a member of a port-channel group (also referred to as LAG)
lldp on page 1133 Configures Link Local Discovery Protocol (LLDP)
mac-auth on page 1134 Enables MAC-based authentication on this Ethernet port
no on page 1135 Removes or reverts the selected Ethernet port settings
power on page 1136 Configures Power over Ethernet (PoE) settings on this interface
qos on page 1137 Enables QoS
shutdown on page 1137 Disables the selected Ethernet port
spanning-tree on page 1138 Configures spanning tree parameters
speed on page 1140 Specifies the speed on this Ethernet port
switchport on page 1142 Sets interface switching mode characteristics
use on page 1146 Associates IPv4, IPv6, and/or MAC ACL with the selected Ethernet port
captive-portal-enforcement
Enables application of captive portal access permission rules to data transmitted over this specific
Ethernet port. This setting is disabled by default.
Captive portal enforcement allows users on the wired network to pass traffic through the captive portal
without being redirected to an authentication page. Authentication instead takes place when the
RADIUS server is queried against the wired user's MAC address. If the MAC address is in the RADIUS
server's user database, the user can pass traffic on the captive portal.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
captive-portal-enforcement {fall-back}
Parameters
captive-portal-enforcement {fall-back}
Example
nx9500-6C8809(config-device-B4-C7-99-6D-CD-4B-if-ge2)#captive-portal-enforcement
nx9500-6C8809(config-device-B4-C7-99-6D-CD-4B-if-ge2)#show context
interface ge2
captive-portal-enforcement
nx9500-6C8809(config-device-B4-C7-99-6D-CD-4B-if-ge2)#
Related Commands
cdp
Syntax
cdp [receive|transmit]
Parameters
cdp [receive|transmit]
receive Enables CDP packet snooping on this interface. When enabled, the
port receives periodic interface updates from a multicast address.
This option is enabled by default.
transmit Enables CDP packet transmission on this interface. When enabled,
the port sends out periodic interface updates to a multicast address
to advertise its presence to neighbors. This option is enabled by
default.
Example
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#cdp transmit
Related Commands
channel-group
Assigns this Ethernet port to a channel group. Ethernet ports can be aggregated to form a channel
group. They can be aggregated to form a minimum of one and maximum of two channel groups. A port
can be a member of only one channel group at a time.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
channel-group <1-4>
Parameters
channel-group <1-4>
Example
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#channel-group 1
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#show context
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
channel-group 1
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#
Related Commands
no on page 1135 Removes the channel group to which this port belongs
description
Syntax
description [<LINE>|<WORD>]
Parameters
description [<LINE>|<WORD>]
Example
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#description "This is GigabitEthernet interface for Royal King"
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#show context
interface ge1
description "This is GigabitEthernet interface for Royal King"
ip dhcp trust
qos trust dscp
qos trust 802.1p
channel-group 1
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#
Related Commands
dot1x (authenticator)
Dot1x (or 802.1x) is an IEEE standard for network authentication. It enables media-level (layer 2) access
control, providing the capability to permit or deny connectivity based on user or device identity. Dot1x
allows port-based access using authentication. A dot1x-enabled port can be dynamically enabled or
disabled depending on user identity or device connection.
Devices supporting dot1x allow the automatic provision and connection to the wireless network without
launching a Web browser at login. When within range of a dot1x network, a device automatically
connects and authenticates without needing to log in manually.
Before authentication, the endpoint is unknown, and traffic is blocked. Upon authentication, the
endpoint is known and traffic is allowed. The controller or service platform uses source MAC filtering to
ensure only the authenticated endpoint is allowed to send traffic.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432
• Wireless Controllers — RFS4000, NX5500, NX7500
Syntax
dot1x authenticator [guest-vlan|host-mode|max-reauth-req|port-control|reauthenticate|timeout]
dot1x authenticator [guest-vlan <1-4094>|host-mode [multi-host|single-host]|max-reauth-req <1-10>|
port-control [auto|force-authorized|force-unauthorized]|reauthenticate|
timeout [quiet-period|reauth-period] <1-65535>]
Note
The dot1x (802.1x) supplicant settings are documented in the next section.
Parameters
dot1x authenticator [guest-vlan <1-4094>|host-mode [multi-host|single-host]|max-reauth-req <1-10>|
port-control [auto|force-authorized|force-unauthorized]|reauthenticate|
timeout [quiet-period|reauth-period]]
reauthenticate Enables re-authentication for this port. When enabled, clients are forced
to re-authenticate on this port. The setting is disabled by default.
Therefore, clients are not required to re-authenticate for connection over
this port until this setting is enabled.
timeout [quiet-period|reauth-period] <1-65535> Configures timeout settings for this interface
• quiet-period – Configures the quiet period timeout in seconds. This is
the interval, in seconds, between successive client authentication
attempts.
• reauth-period – Configures the time after which re-authentication is
initiated
The following option is common to ‘quiet-period’ and ‘reauth-period’
keywords:
• <1-65535> – Specify a ‘quiet-period’ or ‘reauth-period’ from 1 - 65535
seconds.
Example
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator guest-vlan 2
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context
interface ge1
dot1x authenticator host-mode multi-host
dot1x authenticator guest-vlan 2
dot1x authenticator reauthenticate
dot1x authenticator max-reauth-count 6
ip dhcp trust
qos trust dscp
qos trust 802.1p
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#
The following examples show the configurations made on an RFS4000 to enable it as a dot1X
authenticator:
1. Configure AAA policy on the authenticator, and identify the authentication server as onboard (self):
rfs4000-229D58(config-aaa-policy-aaa-wireddot1x)#show context
aaa-policy aaa-wireddot1x
authentication server 1 onboard controller
rfs4000-229D58(config-aaa-policy-aaa-wireddot1x)#
This AAA policy is used in the authenticator’s self configuration mode as shown in the last step.
2. Configure RADIUS user policy on the authenticator:
rfs4000-229D58(config-radius-user-pool-wired-dot1x-users)#show con
radius-user-pool-policy wired-dot1x-users
user bob password 0 bob1234
rfs4000-229D58(config-radius-user-pool-wired-dot1x-users)#
The user name and password configured here should match that of the supplicant. For more
information, see the examples provided in the dot1x (supplicant) on page 1125 section.
3. Configure RADIUS server policy on the authenticator, and associate the RADIUS user policy created
in the previous step:
rfs4000-229D58(config-radius-server-policy-for-wired-dot1x)#show con
radius-server-policy for-wired-dot1x
use radius-user-pool-policy wired-dot1x-users
rfs4000-229D58(config-radius-server-policy-for-wired-dot1x)#
4. In the authenticator’s self configuration mode, associate the RADIUS server policy, created in the
previous step, and configure other parameters (in bold) as shown in the following example:
rfs4000-229D58(config-device-00-15-70-81-73-79)#use radius-server-policy for-wired-dot1x
5. In the authenticator’s interface > ge configuration mode, configure the following parameters:
rfs4000-229D58(config-device-00-15-70-81-73-79-if-ge2)#dot1x authenticator host-mode single-host
rfs6000-817379(config-device-00-15-70-81-73-79-if-ge2)#dot1x authenticator port-control auto
Related Commands
dot1x (supplicant)
Enables IEEE 802.1X port-based authentication on the selected wired port and configures the
credentials required to authenticate the IEEE 802.1X-capable supplicant (client).
The IEEE 802.1X port-based authentication protocol restricts unauthorized LAN access by enforcing
supplicant authentication at the port. When a supplicant associates with an IEEE 802.1X-enabled wired
port, normal traffic across the port is suspended until the supplicant is successfully authenticated. Once
the supplicant is successfully authenticated, the port status changes to authorized and normal traffic
flow resumes. During the suspended state, only EAP over LAN traffic is allowed across the wired port.
The 802.1X port-based authentication process consists of the following three components:
• supplicant - the client (wired-device) that is attempting to access the network
• authenticating server - the server (e.g., RADIUS server) used to authenticate the client
• authenticator - the access point or switch that proxies the client's request to the authenticating
server
Syntax
dot1x supplicant [username|trustpoint]
dot1x supplicant username <USERNAME> password [0 <WORD>|2 <WORD>|<WORD>]
dot1x supplicant trustpoint <WORD>
Parameters
dot1x supplicant username <USERNAME> password [0 <WORD>|2 <WORD>|<WORD>]
password [0 <WORD>|2 <WORD>|<WORD>] Sets the password associated with the supplicant’s username.
Select any one of the following options:
• 0 <WORD> – Sets a clear text password
• 2 <WORD> – Sets an encrypted password
• <WORD> – Specify the password.
Example
nx9500-6C8809(config-profile-test8432-if-ge2)#dot1x supplicant username test password 0 test123
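An added example (not code from this guide) covering the dot1x authenticator procedure and the supplicant password types above: it compares each authenticator port in show context text with the values step 5 sets (host-mode single-host, port-control auto), notes ports where reauthenticate is absent, and lists every clear-text password 0 entry with the secret redacted. Function names and sample text are constructed, and the parser assumes the indented layout of a single profile or device context.

```python
import re

# Constructed sample in "show context" form (values are not from the guide).
SAMPLE_CONTEXT = """\
radius-user-pool-policy wired-dot1x-users
 user alice password 0 example-secret-1
profile rfs4000 lab
 interface ge1
  dot1x authenticator host-mode single-host
  dot1x authenticator port-control auto
  dot1x authenticator reauthenticate
 interface ge2
  dot1x authenticator host-mode multi-host
  dot1x authenticator guest-vlan 2
  dot1x authenticator port-control force-authorized
 interface ge3
  dot1x supplicant username uplink password 0 example-secret-2
 interface ge4
  dot1x supplicant username uplink password 2 EXAMPLE-ENCRYPTED
 use firewall-policy default
"""

# Values the procedure above sets on an authenticator port (step 5).
EXPECTED = {"host-mode": "single-host", "port-control": "auto"}


def parse_interfaces(text):
    """Map interface name -> its stanza lines, using indentation depth."""
    stanzas, current, base = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        header = re.match(r"interface\s+(\S+)$", line)
        if header:
            current, base = stanzas.setdefault(header.group(1), []), indent
        elif current is not None and indent > base:
            current.append(line)          # deeper than "interface": belongs to it
        else:
            current = None                # back at profile level: stanza ended
    return stanzas


def audit_authenticator(lines):
    """Compare one port's dot1x authenticator settings with step 5."""
    settings = {}
    for line in lines:
        m = re.match(r"dot1x authenticator (\S+)(?:\s+(.*))?$", line)
        if m:
            settings[m.group(1)] = m.group(2) or ""
    if not settings:
        return []  # port is not configured as an authenticator
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got != want:
            findings.append(f"{key}={got or 'unset'} (procedure sets {want})")
    if "reauthenticate" not in settings:
        findings.append("reauthenticate not enabled")
    return findings


def cleartext_passwords(text):
    """Return (line number, redacted line) for each 'password 0 <WORD>' entry."""
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        if re.search(r"\bpassword 0 \S+", raw):
            redacted = re.sub(r"(\bpassword 0 )\S+", r"\1<redacted>", raw.strip())
            hits.append((number, redacted))
    return hits


def audit_dot1x(text):
    """Return ({interface: [findings]}, [clear-text password hits])."""
    ports = {name: audit_authenticator(lines)
             for name, lines in parse_interfaces(text).items()}
    return ports, cleartext_passwords(text)


if __name__ == "__main__":
    ports, secrets = audit_dot1x(SAMPLE_CONTEXT)
    for name, findings in ports.items():
        print(name, "->", findings or "no findings")
    for number, line in secrets:
        print(f"line {number}: {line}")
```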
Related Commands
duplex
Configures duplex mode (for the flow of packets) on this Ethernet port
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
duplex [auto|half|full]
Parameters
duplex [auto|half|full]
Example
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#duplex full
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#show context
interface ge1
description "This is GigabitEthernet interface for Royal King"
duplex full
dot1x supplicant username Bob password 0 test@123
ip dhcp trust
qos trust dscp
qos trust 802.1p
channel-group 1
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#
Related Commands
ip
Sets the ARP and DHCP components for this Ethernet port
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ip [arp|dhcp]
ip [arp [header-mismatch-validation|trust]|dhcp trust]
Parameters
ip [arp [header-mismatch-validation|trust]|dhcp trust]
dhcp trust Enables trust state for DHCP responses on this interface. When
enabled, only DHCP responses are trusted and forwarded on this
port, and a DHCP server can be connected only to a DHCP trusted
port. This option is enabled by default.
Example
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#ip dhcp trust
rfs7000-37FABE(config-profile-default-rfs4000-if-ge1)#show context
interface ge1
description "This is GigabitEthernet interface for Royal King"
duplex full
dot1x supplicant username Bob password 0 test@123
ip dhcp trust
ip arp header-mismatch-validation
qos trust dscp
qos trust 802.1p
channel-group 1
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#
Related Commands
no on page 1135 Removes the ARP and DHCP components configured for this
interface
ipv6
Sets the DHCPv6 and ICMPv6 ND (neighbor discovery) components for this interface
The ICMPv6 ND protocol uses ICMP messages and solicited multicast addresses to track neighboring
devices on the same local network. These messages are used to discover a neighbor’s link layer address
and to verify if a neighboring device is reachable.
The ICMP messages are NS (neighbor solicitation) and NA (neighbor advertisement) messages. When a
destination host receives an NS message from a neighbor, it replies back with a NA. The NA contains the
following information:
• Source address – This is the IPv6 address of the device sending the NA
• Destination address – This is the IPv6 address of the device from whom the NS message is received
• Data portion – Includes the link layer address of the device sending the NA
NS messages are used to verify a neighbor’s (whose link layer address is known) reachability. To confirm
a neighbor’s reachability a node sends an NS message in which the neighbor’s unicast address is
specified as the destination address. If the neighbor sends back an acknowledgment on receipt of the
NS message it is considered reachable.
Supported in the following platforms:
• Access Points — AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612,
AP7622, AP7632, AP7662, AP8163, AP8432, AP8533
• Wireless Controllers — RFS4000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600,
VX9000
Syntax
ipv6 [dhcpv6|nd]
ipv6 dhcpv6 trust
ipv6 nd [header-mismatch-validation|raguard|trust]
Parameters
ipv6 dhcpv6 trust
ipv6 dhcpv6 trust Enables trust state for DHCPv6 responses on this interface. When
enabled, all DHCPv6 responses received on this port are trusted and
forwarded. This option is enabled by default.
A DHCPv6 server can be connected to a DHCPv6 trusted port.
ipv6 nd [header-mismatch-validation|raguard|trust]
Example
nx9500-6C8809(config-device-B4-C7-99-6D-CD-4B-if-ge1)#ipv6 dhcpv6 trust
nx9500-6C8809(config-device-B4-C7-99-6D-CD-4B-if-ge1)#ipv6 nd header-mismatch-validation
nx9500-6C8809(config-device-B4-C7-99-6D-CD-4B-if-ge1)#ipv6 nd trust
nx9500-6C8809(config-device-B4-C7-99-6D-CD-4B-if-ge1)#show context
interface ge1
switchport mode access
switchport access vlan 1
ipv6 nd trust
ipv6 nd header-mismatch-validation
ipv6 dhcpv6 trust
nx9500-6C8809(config-device-B4-C7-99-6D-CD-4B-if-ge1)#
Related Commands
lacp
Configures the selected GE port’s LACP (Link Aggregation Control Protocol) port-priority value. If LACP
is enabled, and the selected port is a member of a LAG (link aggregation group), use this command to
configure the port’s priority within the LAG.
As per the IEEE 802.3ad standard, LACP enables aggregation of multiple physical links to form a single
logical channel. Each aggregated group of physical links is a LAG. When enabled, LACP dynamically
determines if link aggregation is possible between two peers, and automatically configures the
aggregation. LACP also allows the switch to dynamically reconfigure the LAGs. The LAG is enabled only
when LACP detects that the remote device is also using LACP and is able to join the LAG.
Enabling LACP provides automatic recovery in case one or more of the aggregated physical links fail.
Note
Use the lacp-channel-group on page 1131 command to configure this port as a LAG member.
Syntax
lacp port-priority <1-65535>
Parameters
lacp port-priority <1-65535>
lacp port-priority <1-65535> Configures the selected GE port’s port-priority value. The selected
port’s actual priority within the LAG is determined by the port-priority value specified here along
with the port’s number. The higher the value, the lower the priority. Use this option to manipulate a
port’s priority. For example, in a LAG having five physical ports, four active and one standby,
manually increasing the standby port’s priority ensures that if one of the active ports fails, the
standby port is included in the LAG during re-negotiation.
• <1-65535> – Specify a value from 1 - 65535. The default value is 32768.
Example
nx9500-6C8809(config-profile-testnx9000-if-ge1)#lacp port-priority 2
nx9500-6C8809(config-profile-testnx9000-if-ge1)#show context
interface ge1
lacp port-priority 2
nx9500-6C8809(config-profile-testnx9000-if-ge1)#
Related Commands
lacp-channel-group
Configures the selected GE port as a member of a port channel group (also referred to as LAG)
As per the IEEE 802.3ad standard, LACP enables the aggregation of multiple physical links (Ethernet
ports) to form a single logical channel. When enabled, LACP dynamically determines if link aggregation
is possible and then automatically configures the aggregation. LACP also allows the switch to
dynamically reconfigure the LAGs. The LAG is enabled only when LACP detects that the remote device
is also using LACP and is able to join the LAG.
Note
Successful aggregation of two or more physical links is feasible only if the aggregating
physical links are configured identically. To ensure uniformity in configuration across LAG
members, implement configuration changes (such as changes in the switching mode, speed,
etc.) on the logical port (the port-channel) and not on the physical port. Changes made on
the port-channel will cascade down to each member of the LAG thereby retaining uniformity.
Syntax
lacp-channel-group <1-4> mode [active|passive]
Parameters
lacp-channel-group <1-4> mode [active|passive]
Example
nx9500-6C8809(config-profile-testnx9000-if-ge1)#lacp-channel-group 2 mode active
nx9500-6C8809(config-profile-test2nx9000-if-ge1)#show context
interface ge1
lacp-channel-group 2 mode active
lacp port-priority 2
nx9500-6C8809(config-profile-test2nx900-if-ge1)#
To enable dynamic link aggregation on a device (service platform), execute the following steps:
1. Create a port-channel group on the device. Enter the port-channel configuration mode.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#interface port-channel 1
Set the switching mode to access or trunk as per requirement. In this example, the mode is set to
‘access’.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#switchport mode access
2. Enable dynamic link aggregation on the device’s physical port. Enter the GE port’s configuration
mode.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#interface ge 2
Enable link aggregation and associate the port with the port-channel group created in step 1.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-ge2)#lacp-channel-group 1 mode active
Note, the mode can be set to passive. However, at least one of the aggregated GE ports
in the port-channel group should be active in order to initiate link aggregation
negotiations with other LACP-enabled peers.
Related Commands
lldp
Configures LLDP (Link Local Discovery Protocol) parameters on this Ethernet port
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
lldp [receive|transmit]
Parameters
lldp [receive|transmit]
receive Enables LLDP Protocol Data Units (PDUs) snooping. When enabled,
the port receives periodic updates from a multicast address
informing about presence of neighbors. This option is enabled by
default.
transmit Enables LLDP PDU transmission. When enabled, the port sends out
periodic interface updates to a multicast address to advertise its
presence to neighbors. This option is enabled by default.
Example
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#lldp transmit
Related Commands
mac-auth
Enables authentication of MAC addresses on the selected wired port. When enabled, this feature
authenticates the MAC address of a device, connecting to this interface, with a RADIUS server. When
successfully authenticated, packets from the source are processed. Since only one MAC address is
supported per wired port, packets from all other sources are dropped.
For more information on enabling this feature, see mac-auth on page 1311.
Enable port MAC authentication in conjunction with Wired 802.1x settings to configure a MAC
authentication AAA policy.
Parameters
None
Example
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#mac-auth
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context
interface ge1
mac-auth
ip dhcp trust
qos trust dscp
qos trust 802.1p
channel-group 1
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#
rfs4000-229D58(config-profile-testRFS4000-if-ge5)#mac-auth
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#show context
interface ge5
switchport mode access
switchport access vlan 1
dot1x authenticator host-mode single-host
dot1x authenticator guest-vlan 5
dot1x authenticator port-control auto
mac-auth
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#
Related Commands
no
Syntax
no [captive-portal-enforcement|cdp|channel-group|description|dot1x|duplex|ip|ipv6|lacp|
lacp-channel-group|lldp|mac-auth|power|qos|shutdown|spanning-tree|speed|switchport|
use]
no [captive-portal-enforcement|channel-group|description|duplex|mac-auth|shutdown|speed]
no [cdp|lldp] [receive|transmit]
no dot1x [authenticator [guest-vlan|host-mode|max-reauth-req|port-control|
reauthentication|timeout [quiet-period|reauth-period]]|supplicant]
no ip [arp [header-mismatch-validation|trust]|dhcp trust]
no ipv6 [dhcpv6 trust|nd [header-mismatch-validation|raguard|trust]]
no [lacp port-priority|lacp-channel-group]
no power {best-effort|limit|priority}
no qos trust [802.1p|cos|dscp]
no spanning-tree [bpdufilter|bpduguard|force-version|guard|link-type|mst|portfast]
no switchport [access vlan|mode|trunk native tagged]
no use [ip-access-list|ipv6-access-list|mac-access-list] in
Parameters
no <PARAMETERS>
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same
parameters associated with the command getting negated.
Example
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#no cdp
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#no duplex
power
When configured, this option allows the selected port to use Power over Ethernet. When enabled, the
controller supports 802.3af PoE on each of its GE ports. PoE allows users to monitor port power
consumption and configure power usage limits and priorities for each GE port.
Supported in the following platforms:
• Wireless Controllers — RFS4000
Syntax
power {best-effort|limit <0-40>|priority [critical|high|low]}
Parameters
power {best-effort|limit <0-40>|priority [critical|high|low]}
Example
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#power limit 30
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
power limit 30
power priority critical
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#
Related Commands
qos
Syntax
qos trust [802.1p|cos|dscp]
Parameters
qos trust [802.1p|cos|dscp]
Example
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#qos trust dscp
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#show context
interface ge1
description "This is GigabitEthernet interface for Royal King"
duplex full
dot1x supplicant username Bob password 0 test@123
ip dhcp trust
ip arp header-mismatch-validation
qos trust dscp
qos trust 802.1p
channel-group 1
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#
Related Commands
shutdown
Shuts down (disables) an interface. The interface is administratively enabled unless explicitly disabled
using this command.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
shutdown
Parameters
None
Example
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#shutdown
Related Commands
spanning-tree
Syntax
spanning-tree [bpdufilter|bpduguard|force-version|guard|link-type|mst|
port-cisco-interoperability|portfast]
spanning-tree [force-version <0-3>|guard root|portfast]
spanning-tree [bpdufilter|bpduguard] [default|disable|enable]
spanning-tree link-type [point-to-point|shared]
spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]
spanning-tree port-cisco-interoperability [disable|enable]
Parameters
spanning-tree [force-version <0-3>|guard root|portfast]
force-version <0-3> Specifies the spanning tree force version. A version identifier of less
than 2 enforces the spanning tree protocol. Select one of the
following versions:
• 0 – Spanning Tree Protocol (STP)
• 1 – Not supported
• 2 – Rapid Spanning Tree Protocol (RSTP)
• 3 – Multiple Spanning Tree Protocol (MSTP). This is the default
setting
Example
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#spanning-tree bpdufilter disable
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#spanning-tree force-version 1
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#show context
interface ge1
description "This is GigabitEthernet interface for Royal King"
duplex full
spanning-tree bpduguard enable
spanning-tree bpdufilter disable
spanning-tree force-version 1
spanning-tree guard root
spanning-tree mst 2 port-priority 10
--More--
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#
Related Commands
speed
Specifies the speed of a FastEthernet (10/100) or GigabitEthernet (10/100/1000) port. This is the speed
at which the port can receive and transmit the data.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
speed [10|100|1000|auto]
Parameters
speed [10|100|1000|auto]
Usage Guidelines
Set the interface speed to auto detect and use the fastest speed available. Speed detection is based on
connected network hardware.
Example
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#speed 10
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#show context
interface ge1
description "This is GigabitEthernet interface for Royal King"
speed 10
duplex full
spanning-tree bpduguard enable
spanning-tree bpdufilter disable
spanning-tree force-version 1
spanning-tree guard root
spanning-tree mst 2 port-priority 10
dot1x supplicant username Bob password 0 test@123
ip dhcp trust
ip arp header-mismatch-validation
qos trust dscp
qos trust 802.1p
channel-group 1
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#
Related Commands
switchport
Syntax
switchport [access|mode|trunk]
switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
switchport mode [access|trunk]
switchport trunk [allowed|fabric-attach|native]
switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]
switchport trunk fabric-attach vlan [<1-4094>|<VLAN-ALIAS-NAME>] isid <1-16777214>
switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]
Parameters
switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
access vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Sets the VLAN when the interface is in the access mode. You can either
directly specify the native VLAN ID or use a VLAN alias to identify
the native VLAN.
• <1-4094> – Specify the SVI VLAN ID from 1 - 4094.
• <VLAN-ALIAS-NAME> – Specify the VLAN alias name (should
be existing and configured).
An Ethernet port in the access mode accepts packets only from the
native VLAN. Frames are forwarded out the port untagged with no
802.1Q header. All frames received on the port are expected as
untagged and are mapped to the native VLAN.
mode [access|trunk] Sets the interface’s switching mode to access or trunk (can only be
used on physical - layer 2 - interfaces)
• access – If access mode is selected, the access VLAN is
automatically set to VLAN1. In this mode, only untagged packets
in the access VLAN (vlan1) are accepted on this port. All tagged
packets are discarded.
• trunk – If trunk mode is selected, tagged VLAN packets are
accepted. The native VLAN is automatically set to VLAN1.
Untagged packets are placed in the native VLAN by the wireless
controller or service platform. Outgoing packets in the native
VLAN are sent untagged. The default mode for both ports is
trunk.
trunk allowed Sets trunking mode, allowed VLANs characteristics of the port. Use
this option to add VLANs that exclusively send packets over the
listed port.
vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>] – Sets allowed VLAN options. The options are:
• <VLAN-ID> – Allows a group of VLAN IDs. Specify the VLAN
IDs, can be either a range (55-60) or a comma-separated list
(35, 41, etc.)
• none – Allows no VLANs to transmit or receive through the layer
2 interface
• add <VLAN-ID> – Adds VLANs to the current list
◦ <VLAN-ID> – Specify the VLAN IDs. Can be either a range of
VLAN (55-60) or a list of comma separated IDs (35, 41, etc.)
• remove <VLAN-ID> – Removes VLANs from the current list
◦ <VLAN-ID> – Specify the VLAN IDs. Can be either a range of
VLAN (55-60) or a list of comma separated IDs (35, 41, etc.)
Allowed VLANs are configured only when the switching mode is set
to “trunk”.
trunk fabric-attach – Enables Fabric Attach (FA) client operation on this Ethernet port.
Use this option to enable non-SPB WiNG devices (access points
and controllers) as FA Clients.
FA enabled switches, in the FC network, send out LLDP messages
with TLV extensions of Organization-specific TLV with OUI, to
discover FA clients and advertise capabilities.
The FA-enabled client associates with the FA Server (FAS), and
obtains provisioning information (management VLAN interface
details, and whether the interface is tagged or not) that allows the
client to be configured with parameters that allow traffic to flow
through the Fabric to the WLAN controller. This initial FA Client to
WLC communication uses the Fabric’s default VLAN to I-SID
mapping.
Use this command to configure the I-SID (Individual Service
Identifier) to VLAN mapping that the FA Client uses to negotiate
with the FAS.
Note: This option is enabled only when the switching mode is set to
trunk.
vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the VLAN through which traffic from this device is
routed to the FA switch
• <1-4094> – Specify the VLAN from 1 - 4094.
• <VLAN-ALIAS-NAME> – Use a VLAN alias to specify the VLAN.
If using a VLAN alias, ensure that the alias is existing and
configured.
The FA Client requests acceptance of the I-SID to VLAN mapping
from the FAS within the Fabric Connect (FC) network. Once
acceptance is achieved, the FC edge switch applies the I-SID to the
VLAN traffic from the device (AP or controller), and uses this I-SID
inside the Fabric.
Note: Both the FA Client and FA switch (at the edge of the FC
network) use LLDP Element and Assignment Type-Length-Values
(TLVs) to advertise their identity and FA capabilities.
isid <1-16777214> Configures the I-SID to be associated with the VLAN interface
specified above.
• isid <1-16777214> – Specify the I-SID from 1 - 16777214. The IEEE
Auto-Attach standard requires that the I-SID and VLAN ID be
unique per port per switch, so that the device does not enforce
duplicate I-SID and VLAN ID for each mapping.
trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]] – Configures the native VLAN ID for the trunk-mode port
The native VLAN allows an Ethernet device to associate untagged
frames to a VLAN when no 802.1Q header is included in the frame.
Additionally, the native VLAN is the VLAN untagged traffic is
directed over when using a port in trunk mode.
• tagged – Tags the native VLAN. When a frame is tagged, the 12
bit frame VLAN ID is added to the 802.1Q header enabling
upstream Ethernet devices to know which VLAN ID the frame
belongs to. The device reads the 12 bit VLAN ID and forwards
the frame to the appropriate VLAN. When a frame is received
with no 802.1Q header, the upstream device classifies the frame
using the default or native VLAN assigned to the Trunk port. A
native VLAN allows an Ethernet device to associate untagged
frames to a VLAN when no 802.1Q header is included in the
frame.
• vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Sets the native VLAN
for classifying untagged traffic when the interface is in trunking
mode.
◦ <1-4094> – Specify a value from 1 - 4094.
◦ <VLAN-ALIAS-NAME> – Specify the VLAN alias name used
to identify the VLANs. The VLAN alias should be existing and
configured.
Usage Guidelines
Interfaces ge1 - ge4 can be configured as trunk or in access mode. An interface configured as “trunk”
allows packets (from the given list of VLANs) to be added to the trunk. An interface configured as
“access” allows packets only from native VLANs.
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#show context
interface ge1
description "This is GigabitEthernet interface for Royal King"
speed 10
duplex full
switchport mode access
switchport access vlan 1
spanning-tree bpduguard enable
spanning-tree bpdufilter disable
--More--
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#
The following is the basic configuration required to enable a device as a FA Client, with tagged native
VLAN traffic:
ap8432-070235(config-device-74-67-F7-07-02-35-if-ge1)#switchport mode trunk
ap8432-070235(config-device-74-67-F7-07-02-35-if-ge1)#switchport trunk fabric-attach vlan 1 isid 1
ap8432-070235(config-device-74-67-F7-07-02-35-if-ge1)#switchport trunk fabric-attach vlan 2 isid 200
ap8432-070235(config-device-74-67-F7-07-02-35-if-ge1)#switchport trunk fabric-attach vlan 100 isid 1000
ap8432-070235(config-device-74-67-F7-07-02-35-if-ge1)#switchport trunk allowed vlan 1-2,100
ap8432-070235(config-device-74-67-F7-07-02-35-if-ge1)#switchport trunk native tagged
ap8432-070235(config-device-74-67-F7-07-02-35-if-ge1)#show context
interface ge1
switchport mode trunk
switchport trunk fabric-attach vlan 1 isid 1
switchport trunk fabric-attach vlan 2 isid 200
switchport trunk fabric-attach vlan 100 isid 1000
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1-2,100
ap8432-070235(config-device-74-67-F7-07-02-35-if-ge1)#
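The constraints stated for the switchport parameters above (Fabric Attach and allowed VLANs apply only in trunk mode, VLAN and I-SID ranges, and VLAN and I-SID values unique per port) can be checked offline against saved show context output. The following Python script is an added example, not part of this guide or of WiNG; its function names and finding codes are hypothetical, and the check that every mapped VLAN also appears in the allowed list is an assumption drawn from the example above rather than a documented rule.

```python
import re

# "show context" output from the guide's Fabric Attach example.
PAGE_CONTEXT = """\
interface ge1
 switchport mode trunk
 switchport trunk fabric-attach vlan 1 isid 1
 switchport trunk fabric-attach vlan 2 isid 200
 switchport trunk fabric-attach vlan 100 isid 1000
 switchport trunk native vlan 1
 no switchport trunk native tagged
 switchport trunk allowed vlan 1-2,100
"""

# Constructed for this example (not from the guide): a reused I-SID, an
# out-of-range I-SID, and a mapped VLAN that is missing from the allowed list.
BAD_CONTEXT = """\
interface ge1
 switchport mode trunk
 switchport trunk fabric-attach vlan 2 isid 200
 switchport trunk fabric-attach vlan 100 isid 200
 switchport trunk fabric-attach vlan 300 isid 16777215
 switchport trunk allowed vlan 1-2,100
"""

FA_RE = re.compile(r"switchport trunk fabric-attach vlan (\S+) isid (\d+)$")
ALLOWED_PREFIX = "switchport trunk allowed vlan "


def parse_vlan_list(spec):
    """Expand '1-2,100' (ranges and/or comma-separated IDs) into a set."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_interface(context):
    """Extract switching mode, allowed VLANs and FA mappings from one interface."""
    # The guide states that trunk is the default switching mode.
    cfg = {"mode": "trunk", "allowed": None, "fa": []}
    for raw in context.splitlines():
        line = raw.strip()
        if line.startswith("switchport mode "):
            cfg["mode"] = line.split()[-1]
        elif line.startswith(ALLOWED_PREFIX):
            spec = line[len(ALLOWED_PREFIX):]
            cfg["allowed"] = set() if spec == "none" else parse_vlan_list(spec)
        else:
            m = FA_RE.match(line)  # "no ..." lines never match
            if m:
                cfg["fa"].append((m.group(1), int(m.group(2))))
    return cfg


def audit(cfg):
    """Return a list of (code, detail) findings; an empty list means consistent."""
    findings = []
    if cfg["fa"] and cfg["mode"] != "trunk":
        findings.append(("FA_NOT_TRUNK", "fabric-attach needs trunk mode"))
    if cfg["allowed"] is not None and cfg["mode"] != "trunk":
        findings.append(("ALLOWED_NOT_TRUNK", "allowed VLANs need trunk mode"))
    seen_vlans, seen_isids = set(), set()
    for vlan, isid in cfg["fa"]:
        numeric = vlan.isdigit()  # otherwise a VLAN alias name
        if numeric and not 1 <= int(vlan) <= 4094:
            findings.append(("VLAN_RANGE", f"vlan {vlan} outside 1-4094"))
        if not 1 <= isid <= 16777214:
            findings.append(("ISID_RANGE", f"isid {isid} outside 1-16777214"))
        if vlan in seen_vlans:
            findings.append(("DUP_VLAN", f"vlan {vlan} mapped more than once"))
        if isid in seen_isids:
            findings.append(("DUP_ISID", f"isid {isid} mapped more than once"))
        # Assumption (not a documented rule): a mapped VLAN should be allowed.
        if numeric and cfg["allowed"] is not None and int(vlan) not in cfg["allowed"]:
            findings.append(("VLAN_NOT_ALLOWED", f"vlan {vlan} not in allowed list"))
        seen_vlans.add(vlan)
        seen_isids.add(isid)
    return findings


if __name__ == "__main__":
    for name, ctx in (("page", PAGE_CONTEXT), ("constructed", BAD_CONTEXT)):
        print(name, audit(parse_interface(ctx)) or "no findings")
```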
Related Commands
use
Specifies the IP (IPv4 and IPv6) access list and MAC access list used with this Ethernet port. The
associated ACL firewall inspects IP and MAC traffic flows and detects attacks typically not visible to
traditional wired firewall appliances.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
use [ip-access-list in <IPv4-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-ACCESS-LIST-NAME>|
mac-access-list in <MAC-ACCESS-LIST-NAME>]
Parameters
use [ip-access-list in <IPv4-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-ACCESS-LIST-NAME>|
mac-access-list in <MAC-ACCESS-LIST-NAME>]
ip-access-list in <IPv4-ACCESS-LIST-NAME> – Associates an IPv4 access list with this Ethernet port. IPv4 is a
connectionless protocol for packet switched networking. IPv4
operates as a best effort delivery method, as it does not guarantee
delivery, and does not ensure proper sequencing or avoid duplicate
delivery (unlike TCP). IPv4 hosts can use link local addressing to
provide local connectivity.
• in – Applies the IPv4 ACL on incoming packets
◦ <IPv4-ACCESS-LIST-NAME> – Specify the IPv4 access list
name (it should be existing and configured).
ipv6-access-list in <IPv6-ACCESS-LIST-NAME> – Associates an IPv6 access list with this Ethernet port. IPv6 is the
latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides
enhanced identification and location information for computers on
networks routing traffic across the Internet. IPv6 addresses are
composed of eight groups of four hexadecimal digits separated by
colons.
• in – Applies the IPv6 ACL on incoming packets
◦ <IPv6-ACCESS-LIST-NAME> – Specify the IPv6 access list
name (it should be existing and configured).
mac-access-list in <MAC-ACCESS-LIST-NAME> – Associates a MAC access list with this Ethernet port. MAC ACLs
filter/mark packets based on the MAC address from which they
arrive, as opposed to filtering packets on layer 2 ports.
• in – Applies the MAC ACL on incoming packets
◦ <MAC-ACCESS-LIST-NAME> – Specify the MAC access list
name (it should be existing and configured).
Example
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#use mac-access-list in test
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#show context
interface ge1
description "This is GigabitEthernet interface for Royal King"
speed 10
duplex full
switchport mode access
switchport access vlan 1
use ip-access-list in test
use mac-access-list in test
spanning-tree bpduguard enable
spanning-tree bpdufilter disable
spanning-tree force-version 1
--More--
nx9500-6C8809(config-profile-default-rfs4000-if-ge1)#
Related Commands
no – Disassociates the IP access list or MAC access list from the interface
interface-config-vlan-instance
The following example uses the config-profile-nx9500-6C8809 instance to configure a VLAN interface:
nx9500-6C8809(config-profile-default-rfs4000)#interface vlan 8
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#?
SVI configuration commands:
crypto Encryption module
description Vlan description
dhcp Dynamic Host Configuration Protocol (DHCP)
dhcp-relay-incoming Allow on-board DHCP server to respond to relayed DHCP
packets on this interface
ip Interface Internet Protocol config commands
ipv6 Internet Protocol version 6 (IPv6)
no Negate a command or set its defaults
shutdown Shutdown the selected interface
use Set setting to use
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#
Command – Description
crypto – Defines the encryption module used with this VLAN interface
description – Defines the VLAN interface description
dhcp – Enables inclusion of optional fields (client identifier) in DHCP client requests
dhcp-relay-incoming – Allows an onboard DHCP server to respond to relayed DHCP packets on this interface
ip – Configures the VLAN interface’s IP settings
ipv6 – Configures the VLAN interface’s IPv6 settings
no – Removes or reverts this VLAN interface’s settings to default
shutdown – Shuts down this VLAN interface
use – Associates an IP (IPv4 and IPv6) access list, bonjour-gw-discovery policy, and an IPv6-router-advertisement policy with this VLAN interface
crypto
Associates an existing and configured VPN crypto map with this VLAN interface.
Crypto map entries are sets of configuration parameters for encrypting packets that pass through the
VPN tunnel. For more information on crypto maps, see crypto-map-config-commands on page 1056.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
crypto map <CRYPTO-MAP-NAME>
Parameters
crypto map <CRYPTO-MAP-NAME>
map <CRYPTO-MAP-NAME> Attaches a crypto map to the selected VLAN interface. The crypto
map should be existing and configured.
• <CRYPTO-MAP-NAME> – Specify the crypto map name.
Example
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#crypto map map1
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#show context
interface vlan8
crypto map map1
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#
Related Commands
description
Defines this VLAN interface’s description. Use this command to provide additional information about
the VLAN.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
description <WORD>
Parameters
description <WORD>
description <WORD> Configures a description for this VLAN interface (should not exceed
64 characters in length)
• <WORD> – Specify a description unique to the VLAN’s specific
configuration, to help differentiate it from other VLANs with
similar configurations.
Example
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#description "This VLAN interface is configured for the Sales Team"
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#show context
interface vlan8
description "This VLAN interface is configured for the Sales Team"
crypto map map1
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#
Related Commands
dhcp
Enables inclusion of optional fields (client identifier) in DHCP client requests. This option is disabled by
default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dhcp client include client-identifier
Parameters
dhcp client include client-identifier
dhcp client include client-identifier – Enables inclusion of the client identifier in DHCP client requests
Example
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#dhcp client include client-identifier
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#show context
interface vlan8
dhcp client include client-identifier
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#
Related Commands
dhcp-relay-incoming
Allows an onboard DHCP server to respond to relayed DHCP packets. This option is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dhcp-relay-incoming
Parameters
None
Example
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#dhcp-relay-incoming
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#show context
interface vlan8
description "This VLAN interface is configured for the Sales Team"
crypto map map1
dhcp-relay-incoming
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#
Related Commands
ip
Syntax
ip [address|dhcp|helper-address|nat|ospf]
ip helper-address <IP>
ip address [<IP/M>|<NETWORK-ALIAS-NAME>|dhcp|zeroconf]
ip nat [inside|outside]
ip ospf [authentication|authentication-key|bandwidth|cost|message-digest-key|priority]
helper-address <IP> Enables DHCP and BOOTP requests forwarding for a set of clients.
Configure a helper address on the VLAN interface connected to the
client. The helper address should specify the address of the BOOTP
or DHCP servers to receive the requests. If you have multiple
servers, configure one helper address for each server.
• <IP> – Specify the IP address of the DHCP or BOOTP server.
ip address dhcp
ip nat [inside|outside]
nat [inside|outside] Defines NAT settings for the VLAN interface. NAT is disabled by
default.
• inside – Enables NAT on the inside interface. The inside network
is transmitting data over the network to the intended
destination. On the way out, the source IP address is changed in
the header and replaced by the (public) IP address.
• outside – Enables NAT on the outside interface. Packets passing
through the NAT on the way back to the managed LAN are
searched against the records kept by the NAT engine. There, the
destination IP address is changed back to the specific internal
private class IP address in order to reach the LAN over the
network.
bandwidth <1-10000000> Configures bandwidth for the physical port mapped to this layer 3
interface
• <1-10000000> – Specify the bandwidth from 1 - 10000000.
Example
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#ip address 10.0.0.1/8
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#show context
interface vlan8
description "This VLAN interface is configured for the Sales Team"
ip address 10.0.0.1/8
ip dhcp client request options all
ip helper-address 172.16.10.3
ip nat inside
crypto map map1
dhcp-relay-incoming
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#
Related Commands
ipv6
Syntax
ipv6 [accept|address|dhcp|enable|enforce-dad|mtu|redirects|request-dhcpv6-options|
router-advertisements]
Parameters
ipv6 accept ra {(no-default-router|no-hop-limit|no-mtu)}
ipv6 address [<IPv6/M>|autoconfig] – Configures IPv6 address related settings on this VLAN interface
• <IPv6> – Specify the non-link local static IPv6 address and prefix
length of the interface in the X:X::X:X/M format.
• autoconfig – Enables stateless auto-configuration of IPv6
address, based on the prefixes received from RAs (with auto-
config flag set). These prefixes are used to auto-configure the
IPv6 address. This option is enabled by default. Use the no >
ipv6 > address > autoconfig command to negate the use of
prefixes received in RAs.
ipv6 address eui-64 Configures the IPv6 prefix and prefix length. This prefix is used to
auto-generate the static IPv6 address (for this interface) in the
modified Extended Unique Identifier (EUI)-64 format.
Implementing the IEEE's 64-bit EUI64 format enables a host to
automatically assign itself a unique 64-bit IPv6 interface identifier,
without manual configuration or DHCP. This is accomplished on a
virtual interface by referencing the already unique 48-bit MAC
address, and reformatting it to match the EUI-64 specification.
In the EUI-64 IPv6 address the prefix and host portions are each 64
bits in length.
<IPv6/M> Specify the IPv6 prefix and prefix length. This configured value is
used as the prefix portion of the auto-generated IPv6 address, and
the host portion is derived from the MAC address of the interface.
Any bits of the configured value exceeding the prefix-length “M” are
ignored and replaced by the host portion derived from the MAC
address.
For example:
Prefix portion provided using this command: ipv6 > address >
eui-64 > 2004:b055:15:dead::1111/64.
ipv6 address – Configures the IPv6 address related settings on this VLAN interface
prefix-from-provider <WORD> <HOST-PORTION/LENGTH> – Configures the “prefix-from-provider” named object and the host
portion of the IPv6 interface address. The prefix derived from the
specified “prefix-from-provider” and the host portion (second
parameter) are combined together (using the prefix-length of the
specified “prefix-from-provider”) to generate the interface’s IPv6
address.
• <WORD> – Provide the “prefix-from-provider” object’s name.
This is the IPv6 general prefix (32 character maximum) name
provided by the service provider.
• <HOST-PORTION/LENGTH> – Provide the subnet number, host
portion, and prefix length used to form the actual address along
with the prefix derived from the “prefix-from-provider” object
identified by the <WORD> keyword.
ipv6 address – Configures the IPv6 address related settings on this VLAN interface
link-local <LINK-LOCAL-ADD> – Configures IPv6 link-local address on this interface. The configured
value overrides the default link-local address derived from the
interface’s MAC address. Use the no > ipv6 > link-local
command to restore the default link-local address derived from
MAC address.
ipv6 dhcp client [information|prefix-from-provider <WORD>] – Configures DHCPv6 client-related settings on this VLAN interface
• information – Configures stateless DHCPv6 client on this
interface. When enabled, the device can request configuration
information from the DHCPv6 server using stateless DHCPv6.
This option is disabled by default.
• prefix-from-provider – Configures prefix-delegation client on
this interface. Enter the IPv6 general prefix (32 character
maximum) name provided by the service provider. This option is
disabled by default.
relay destination <DEST-IPv6-ADD> – Enables DHCPv6 packet forwarding on this VLAN interface
• destination – Forwards DHCPv6 packets to a specified DHCPv6
relay
◦ <DEST-IPv6-ADD> – Specify the destination DHCPv6 relay’s
address.
DHCPv6 relay enhances an extended DHCP relay agent by
providing support in IPv6. DHCP relays exchange messages
between a DHCPv6 server and client. A client and relay agent exist
on the same link. When a DHCP request is received from the client,
the relay agent creates a relay forward message and sends it to a
specified server address. If no addresses are specified, the relay
agent forwards the message to all DHCP server relay multicast
addresses. The server creates a relay reply and sends it back to the
relay agent. The relay agent then sends back the response to the
client.
ipv6 router-advertisements
prefix <IPv6-PREFIX> Configures a static prefix and its related parameters. The configured
value is advertised on RAs.
• <IPv6-PREFIX> – Specify the IPv6 prefix.
Example
nx9500-6C8809(config-profile-test-if-vlan4)#ipv6 enable
nx9500-6C8809(config-profile-test-if-vlan4)#show context
interface vlan4
ipv6 enable
ipv6 address eui-64 prefix-from-provider ISP1-prefix 2002::/64
ipv6 accept ra no-mtu
nx9500-6C8809(config-profile-test-if-vlan4)#
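The modified EUI-64 derivation described under the ipv6 address eui-64 parameter, worked through in Python as an added example (not code from this guide or from WiNG). It uses the guide's sample prefix 2004:b055:15:dead::1111/64 and assumes, for illustration, that the interface MAC is 74-67-F7-07-02-35 (the AP8432 address that appears in the Fabric Attach example); the function names are hypothetical. The reverse function shows that an address built this way exposes the interface's MAC to anyone who sees the address.

```python
import ipaddress


def modified_eui64(mac):
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(digits)
    if octets[0] & 0x01:
        raise ValueError("group (multicast) MAC cannot identify an interface")
    octets[0] ^= 0x02  # invert the universal/local bit
    # Insert FF:FE between the OUI (first 3 octets) and the NIC-specific part.
    eui = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(eui, "big")


def eui64_address(prefix, mac):
    """Combine a configured <IPv6/M> value with the MAC-derived host portion.

    Bits of the configured value beyond the prefix length M are discarded,
    as the parameter description states, and replaced by the EUI-64 identifier.
    """
    configured = ipaddress.IPv6Interface(prefix)
    plen = configured.network.prefixlen
    if plen > 64:
        raise ValueError("prefix longer than /64 leaves no room for EUI-64")
    network_bits = int(configured.network.network_address)
    address = ipaddress.IPv6Address(network_bits | modified_eui64(mac))
    return ipaddress.IPv6Interface(f"{address}/{plen}")


def mac_from_eui64(address):
    """Recover the MAC from an EUI-64 style address, or None if not EUI-64."""
    iid = (int(ipaddress.IPv6Address(address)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # static, privacy or otherwise non-EUI-64 identifier
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the universal/local bit inversion
    return "-".join(f"{b:02X}" for b in octets)


if __name__ == "__main__":
    iface = eui64_address("2004:b055:15:dead::1111/64", "74-67-F7-07-02-35")
    print(iface)
    print(mac_from_eui64(str(iface.ip)))
```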
Related Commands
no
Negates a command or reverts to defaults. The no command, when used in the Config Interface VLAN
mode, negates VLAN interface settings or reverts them to their default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [crypto|description|dhcp|dhcp-relay-incoming|ip|ipv6|shutdown|use]
no [crypto map|description|dhcp-relay-incoming|shutdown]
no ip [address|dhcp|helper-address|nat|ospf]
no ip [helper-address <IP>|nat]
no ip address {<IP/M> {secondary}|<NETWORK-ALIAS-NAME> {secondary}|dhcp|
zeroconf {secondary}}
no ip dhcp client request options all
no ip ospf [authentication|authentication-key|bandwidth|cost|message-digest-key|priority]
no ipv6 [accept|address|dhcp|enable|enforce-dad|mtu|redirects|request-dhcpv6-options|
router-advertisement]
Example
The following example shows the VLAN interface settings before the ‘no’ commands are executed:
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#show context
interface vlan8
description "This VLAN interface is configured for the Sales Team"
ip address 10.0.0.1/8
ip dhcp client request options all
ip helper-address 172.16.10.3
ip nat inside
crypto map map1
dhcp-relay-incoming
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#
The following example shows the VLAN interface settings after the ‘no’ commands are executed:
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#show context
interface vlan8
ip address 10.0.0.1/8
ip helper-address 172.16.10.3
ip nat inside
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#
shutdown
Shuts down the selected interface. Use the no shutdown command to enable an interface.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
shutdown
Parameters
None
Example
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#shutdown
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#show context
interface vlan8
ip address 10.0.0.1/8
ip helper-address 172.16.10.3
shutdown
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#
Related Commands
use
Associates an IP (IPv4 and IPv6) access list, bonjour-gw-discovery policy, and an
IPv6-router-advertisement policy with this VLAN interface.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
use [bonjour-gw-discovery-policy <POLICY-NAME>|ip-access-list in <IP-ACL-NAME>|
ipv6-access-list in <IPv6-ACL-NAME>|ipv6-router-advertisement-policy <POLICY-NAME>|
url-filter <URL-FILTER-NAME>]
Parameters
use [bonjour-gw-discovery-policy <POLICY-NAME>|ip-access-list in <IP-ACL-NAME>|
ipv6-access-list in <IPv6-ACL-NAME>|ipv6-router-advertisement-policy <POLICY-NAME>|
url-filter <URL-FILTER-NAME>]
ipv6-access-list in <IPv6-ACCESS-LIST-NAME> – Uses a specified IPv6 access list with this interface
• in – Applies IPv6 ACL to incoming packets
◦ <IPv6-ACCESS-LIST-NAME> – Specify the IPv6 access list
name.
ipv6-router-advertisement-policy <POLICY-NAME> – Uses an existing IPv6 router advertisement policy with this VLAN
interface.
• <POLICY-NAME> – Specify the IPv6 router advertisement policy
name (should be existing and configured).
url-filter <URL-FILTER-NAME> Enforces URL filtering on this VLAN interface by associating a URL
filter
• <URL-FILTER-NAME> – Specify the URL filter name (should be
existing and configured).
Example
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#use ip-access-list in test
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#show context
interface vlan8
ip address 10.0.0.1/8
use ip-access-list in test
ip helper-address 172.16.10.3
nx9500-6C8809(config-profile-default-rfs4000-if-vlan8)#
Related Commands
interface-config-port-channel-instance
Profiles can utilize customized port channel configurations as part of their interface settings. Existing
port channel profile configurations can be overridden as they become obsolete for specific device
deployments.
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
Command – Description
description – Configures a brief description for this port-channel interface
duplex – Configures the duplex-mode (that is the data transmission mode) for this port-channel interface
ip – Configures ARP and DHCP related security parameters on this port-channel interface
ipv6 – Configures IPv6 related parameters on this port-channel interface
no – Removes or reverts to default this port-channel interface’s settings
shutdown – Shuts down this port-channel interface
spanning-tree – Configures spanning-tree related parameters on this port channel interface
speed – Configures the speed at which this port-channel interface receives and transmits data
switchport – Configures the packet switching parameters for this port-channel interface
use – Configures access controls on this port-channel interface
description
Syntax
description <LINE>
Parameters
description <LINE>
Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#description "This port-channel is for enabling dynamic LACP."
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
Related Commands
duplex
Configures the duplex-mode (that is the data transmission mode) for this port channel interface
Supported in the following platforms:
• Wireless Controllers — RFS4000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600,
VX9000
Syntax
duplex [auto|half|full]
Parameters
duplex [auto|half|full]
duplex [auto|half|full] Configures the mode of data transmission as auto, full, or half
• auto – Select this option to enable the controller, service
platform, or access point to dynamically duplex as port channel
performance needs dictate. This is the default setting.
• full – Select this option to simultaneously transmit data to and
from the port channel.
• half – Select this option to send data over the port channel, then
immediately receive data from the same direction in which the
data was transmitted.
Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#duplex full
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
description "This port-channel is for enabling dynamic LACP."
duplex full
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
Related Commands
ip
Configures ARP and DHCP related security parameters on this port-channel interface
Supported in the following platforms:
• Wireless Controllers — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ip [arp|dhcp]
ip arp [header-mismatch-validation|trust]
ip dhcp trust
Parameters
ip arp [header-mismatch-validation|trust]
ip dhcp trust
ip dhcp trust Enables DHCP trust. If enabled, only DHCP responses are trusted
and forwarded on this port channel, and a DHCP server can be
connected only to a DHCP trusted port. This option is enabled by
default.
Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#ip arp trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
description "This port-channel is for enabling dynamic LACP."
duplex full
ip arp trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
Related Commands
no on page 1169 Removes or reverts to default the ARP and DHCP security
parameters configured
ipv6
Syntax
ipv6 [dhcpv6|nd]
ipv6 nd [header-mismatch-validation|raguard|trust]
Parameters
ipv6 dhcpv6 trust
ipv6 dhcpv6 trust Enables DHCPv6 trust. If enabled, only DHCPv6 responses are
trusted and forwarded on this port channel, and a DHCPv6 server
can be connected only to a trusted port. This option is enabled by
default.
ipv6 nd [header-mismatch-validation|raguard|trust]
Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#ipv6 nd header-mismatch-validation
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#ipv6 nd trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
description "This port-channel is for enabling dynamic LACP."
duplex full
ipv6 nd trust
ipv6 nd header-mismatch-validation
ip arp trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
Related Commands
no on page 1169 Removes or reverts to default the IPv6 related parameters on this
port-channel interface
port-channel
Syntax
port-channel load-balance [src-dst-ip|src-dst-mac]
Specifies whether port channel load balancing is conducted using a
source/destination IP or a source/destination MAC.
• src-dst-ip – Uses a source/destination IP to conduct client load
balancing. This is the default setting.
• src-dst-mac – Uses a source/destination MAC to conduct client
load balancing
Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
description "This port-channel is for enabling dynamic LACP."
duplex full
ipv6 nd trust
ipv6 nd header-mismatch-validation
ip arp trust
port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
Related Commands
no on page 1169 Removes or reverts to default the client load balancing parameters
on this port-channel interface
qos
Syntax
qos trust [802.1p|dscp]
Parameters
qos trust [802.1p|dscp]
Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#qos trust dscp
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
Related Commands
no on page 1169 Removes the QoS related parameters configured on this port-
channel interface
no
Syntax
no beacon [description|duplex|ip|ipv6|port-channel|qos|shutdown|
spanning-tree| speed|switchport|use]
Parameters
no <PARAMETERS>
Example
The following example shows the port-channel interface’s settings before the ‘no’ commands
are executed:
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
description "This port-channel is for enabling dynamic LACP."
speed 100
duplex full
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1
use ip-access-list in BROADCAST-MULTICAST-CONTROL
ipv6 nd trust
ipv6 nd header-mismatch-validation
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
spanning-tree mst 1 port-priority 1
spanning-tree mst 1 cost 20000
ip arp trust
port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no duplex
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no ip arp trust
The following example shows the port-channel interface’s settings after the ‘no’ commands
are executed:
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
description "This port-channel is for enabling dynamic LACP."
speed 100
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1
use ip-access-list in BROADCAST-MULTICAST-CONTROL
ipv6 nd header-mismatch-validation
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
spanning-tree mst 1 port-priority 1
spanning-tree mst 1 cost 20000
no qos trust dscp
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
shutdown
Syntax
shutdown
Parameters
None
Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#shutdown
Related Commands
spanning-tree
Syntax
spanning-tree [bpdufilter|bpduguard|force-version|guard|link-type|mst|
port-cisco-interoperability|portfast]
Parameters
spanning-tree [bpdufilter|bpduguard] [default|disable|enable]
spanning-tree [bpdufilter|bpduguard]
Configures the following BPDU related parameters for this port channel:
• bpdufilter – Configures the BPDU filtering options. The options are:
◦ default – When selected, the bridge BPDU filter value takes
effect. This is the default setting.
◦ disable – Disables BPDU filtering
◦ enable – Enables BPDU filtering. Enabling the BPDU filter
feature ensures this port channel does not transmit or
receive any BPDUs.
• bpduguard – Configures the BPDU guard options. The options are:
◦ default – When selected, the bridge BPDU guard value takes
effect. This is the default setting.
◦ disable – Disables guarding this port from receiving BPDUs
◦ enable – Enables BPDU guarding. Enabling the BPDU guard
feature means this port will shut down on receiving a BPDU.
Thus, no BPDUs are processed.
Execute the portfast command to ensure that fast transitions are
enabled on this port channel before configuring BPDU filtering and
guarding.
spanning-tree [force-version <0-3>|guard root|portfast|port-cisco-interoperability [disable|enable]]
Configures the following MSTP related parameters for this port channel:
• force-version <0-3> – Sets the protocol version to either STP(0),
Not Supported(1), RSTP(2) or MSTP(3). MSTP is the default
setting
• guard root – Enforces root bridge placement. Setting the guard
to Root ensures the port is a designated port. Typically, each
guard root port is a designated port, unless two or more ports
(within the root bridge) are connected together.
spanning-tree link-type [point-to-point|shared]
Configures the link type applicable on this port channel. The options are:
• point-to-point – Configures a point-to-point link, which indicates
the port should be treated as connected to a point-to-point link.
Note, a port connected to the wireless device is a point-to-point
link. This is the default setting.
• shared – Configures a shared link, which indicates this port
should be treated as having a shared connection. Note, a port
connected to a hub is on a shared link.
spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]
Configures the following Multiple Spanning Tree (MST) parameters on this port:
• mst <0-15> – Select the MST instance from 0 - 15.
◦ cost <1-200000000> – Configures the port cost from 1 -
200000000. The default path cost depends on the user
defined port speed. The cost helps determine the role of the
port channel in the MSTP network. The designated cost is the
cost for a packet to travel from this port to the root in the
MSTP configuration. The slower the media, the higher the cost.
• port-priority <0-240> – Configures the port priority from 0 -
240. The lower the priority, the greater the likelihood of the port
becoming a designated port.
Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree portfast
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree bpdufilter enable
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree bpduguard enable
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree force-version 3
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree mst 1 cost 20000
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree mst 1 port-priority 1
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
description "This port-channel is for enabling dynamic LACP."
duplex full
ipv6 nd trust
ipv6 nd header-mismatch-validation
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
spanning-tree mst 1 port-priority 1
spanning-tree mst 1 cost 20000
ip arp trust
port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
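The parameter descriptions above imply two consistency checks for a port channel: BPDU guard cannot trigger on a port whose BPDU filter stops it from receiving BPDUs, and portfast should be set before either feature is configured. The Python sketch below is an added example, not part of the WiNG guide or Extreme Networks code; it audits show context text for those conditions and lists the trust settings in force. The finding codes, the severity labels, and the assumption that a disabled DHCP trust default appears as "no ip dhcp trust" in show context are assumptions of this example.

```python
import re
from typing import List, NamedTuple, Set, Tuple

# "show context" output copied from the spanning-tree example on this page.
SAMPLE_CONTEXT = """\
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
description "This port-channel is for enabling dynamic LACP."
duplex full
ipv6 nd trust
ipv6 nd header-mismatch-validation
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
spanning-tree mst 1 port-priority 1
spanning-tree mst 1 cost 20000
ip arp trust
port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
"""

# Matches a CLI prompt line, with or without a command typed after it.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#")


class Finding(NamedTuple):
    severity: str  # "warn" or "info" (labels chosen for this example)
    code: str      # hypothetical finding identifier, not a WiNG value
    detail: str


def parse_context(text: str) -> Tuple[str, Set[str]]:
    """Return the interface name and the set of whitespace-normalized settings."""
    name, settings = "", set()
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or PROMPT.match(line) or line == "--More--":
            continue  # skip blank lines, prompts and pager markers
        if line.startswith("interface "):
            name = line.split(" ", 1)[1]
        else:
            settings.add(line)
    return name, settings


def audit(text: str) -> List[Finding]:
    """Check one interface's show context output against the rules on this page."""
    name, s = parse_context(text)
    out: List[Finding] = []
    bfilter = "spanning-tree bpdufilter enable" in s
    bguard = "spanning-tree bpduguard enable" in s

    # Filter: port neither transmits nor receives BPDUs. Guard: port shuts
    # down on receiving a BPDU. With both enabled the guard never sees one.
    if bfilter and bguard:
        out.append(Finding("warn", "FILTER_MASKS_GUARD",
                           f"{name}: bpdufilter is enabled, so bpduguard cannot trigger"))

    # The guide says to execute portfast before configuring filter or guard.
    if (bfilter or bguard) and "spanning-tree portfast" not in s:
        out.append(Finding("warn", "BPDU_WITHOUT_PORTFAST",
                           f"{name}: BPDU filter/guard configured without portfast"))

    # Trust settings are listed so a reviewer can confirm the port faces
    # infrastructure that is meant to be trusted.
    for line, code in (("ip arp trust", "TRUST_ARP"), ("ipv6 nd trust", "TRUST_ND")):
        if line in s:
            out.append(Finding("info", code, f"{name}: '{line}' is set"))

    # "ip dhcp trust" is enabled by default per the guide. Assumption: a
    # disabled default is shown as "no ip dhcp trust" in show context.
    if "no ip dhcp trust" not in s:
        out.append(Finding("info", "TRUST_DHCP_DEFAULT",
                           f"{name}: DHCP trust is in effect (default)"))
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONTEXT):
        print(f"[{finding.severity}] {finding.code}: {finding.detail}")
```
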
Related Commands
speed
Configures the speed at which this port-channel interface receives and transmits data
Supported in the following platforms:
• Wireless Controllers — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
speed [10|100|1000|auto]
Parameters
speed [10|100|1000|auto]
speed [10|100|1000|auto]
Configures the data receive-transmit speed for this port channel. The
options are:
• 10 – 10 Mbps
• 100 – 100 Mbps
• 1000 – 1000 Mbps
• auto – Enables the system to auto select the speed. This is the
default setting.
Select one of these options to establish a 10, 100 or 1000 Mbps
data transfer rate for the selected half duplex or full duplex
transmission over the port. The auto option enables the port-channel
to automatically exchange information about data
transmission speed and duplex capabilities. Auto negotiation is
helpful in an environment where different devices are connected
and disconnected on a regular basis.
Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#speed 100
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
description "This port-channel is for enabling dynamic LACP."
speed 100
duplex full
ipv6 nd trust
ipv6 nd header-mismatch-validation
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
spanning-tree mst 1 port-priority 1
spanning-tree mst 1 cost 20000
ip arp trust
port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
Related Commands
no on page 1169 Removes or reverts to default the speed at which this port-channel
interface receives and transmits data
switchport
Syntax
switchport [access|mode|trunk]
Parameters
switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
Configures the VLAN to which this port-channel interface is
mapped when the switching mode is set to access.
• <1-4094> – Specify the SVI VLAN ID from 1 - 4094.
• <VLAN-ALIAS-NAME> – Specify the VLAN alias name (should
be existing and configured).
mode [access|trunk]
Configures the VLAN switching mode over the port channel
• access – If selected, the port channel accepts packets only from
the native VLANs. Frames are forwarded out the port untagged
with no 802.1Q header. All frames received on the port are
expected as untagged and are mapped to the native VLAN. This
is the default setting.
• trunk – If selected, the port channel allows packets from a list of
VLANs you add to the trunk. A port channel configured as Trunk
supports multiple 802.1Q tagged VLANs and one Native VLAN
which can be tagged or untagged.
trunk allowed
If configuring the VLAN switching mode as trunk, use this option to
configure the VLANs allowed on this port channel. Add VLANs that
exclusively send packets over the port channel.
vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]
Use this keyword to add/remove the allowed VLANs
• <VLAN-ID> – Allows a group of VLAN IDs. Specify the VLAN
IDs, can be either a range (55-60) or a comma-separated list
(35, 41, etc.)
• none – Allows no VLANs to transmit or receive through the layer
2 interface
• add <VLAN-ID> – Adds VLANs to the current list
◦ <VLAN-ID> – Specify the VLAN IDs. Can be either a range of
VLAN (55-60) or a list of comma separated IDs (35, 41, etc.)
• remove <VLAN-ID> – Removes VLANs from the current list
◦ <VLAN-ID> – Specify the VLAN IDs. Can be either a range of
VLAN (55-60) or a list of comma separated IDs (35, 41, etc.)
Allowed VLANs are configured only when the switching mode is set
to “trunk”.
trunk
If configuring the VLAN switching mode as trunk, use this option to
configure the native VLAN on this port channel.
native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]
Configures the native VLAN ID for the trunk-mode port
The native VLAN allows an Ethernet device to associate untagged
frames to a VLAN when no 802.1Q tag is included in the frame.
Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#switchport mode trunk
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
description "This port-channel is for enabling dynamic LACP."
speed 100
duplex full
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1
ipv6 nd trust
ipv6 nd header-mismatch-validation
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
spanning-tree mst 1 port-priority 1
spanning-tree mst 1 cost 20000
ip arp trust
port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
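Because the add, remove and none keywords change the allowed list incrementally, the set of VLANs a trunk actually carries depends on the whole command history. The Python sketch below is an added example, not part of the WiNG guide; it replays a sequence of switchport commands as described above and reports any VLAN on the trunk that is outside an intended list. The sample commands are constructed, and accepting ranges and comma-separated IDs mixed in one argument, as well as rejecting allowed-VLAN changes outside trunk mode with an error, are modelling assumptions of this example.

```python
import re
from typing import Iterable, List, Set

VLAN_MIN, VLAN_MAX = 1, 4094  # the <1-4094> range given on this page

# Constructed sample command history (not taken from a real device).
SAMPLE_COMMANDS = [
    "switchport mode trunk",
    "switchport trunk native vlan 1",
    "switchport trunk allowed vlan 1",
    "switchport trunk allowed vlan add 55-60",
    "switchport trunk allowed vlan add 35, 41",
    "switchport trunk allowed vlan remove 57",
]


def parse_vlan_ids(spec: str) -> Set[int]:
    """Parse a range (55-60) or a comma-separated list (35, 41) into a set.

    Assumption: ranges and single IDs may be mixed in one specification.
    """
    ids: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad VLAN specification: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN ID out of range {VLAN_MIN}-{VLAN_MAX}: {part!r}")
        ids.update(range(lo, hi + 1))
    return ids


def effective_allowed_vlans(commands: Iterable[str]) -> Set[int]:
    """Replay switchport commands and return the resulting allowed-VLAN set."""
    mode = "access"          # access is the default switching mode
    allowed: Set[int] = set()
    for cmd in commands:
        words = cmd.split()
        if words[:2] == ["switchport", "mode"] and len(words) == 3:
            mode = words[2]
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            # The guide: allowed VLANs are configured only in trunk mode.
            # Modelled here as an error (assumption of this example).
            if mode != "trunk":
                raise ValueError("allowed VLANs require 'switchport mode trunk'")
            args = words[4:]
            if not args:
                raise ValueError(f"missing VLAN argument: {cmd!r}")
            if args == ["none"]:
                allowed = set()                      # allow no VLANs
            elif args[0] == "add":
                allowed |= parse_vlan_ids(" ".join(args[1:]))
            elif args[0] == "remove":
                allowed -= parse_vlan_ids(" ".join(args[1:]))
            else:
                allowed = parse_vlan_ids(" ".join(args))  # set the list
        # Other commands (native VLAN, speed, ...) do not affect the list.
    return allowed


def unexpected_vlans(commands: Iterable[str], intended: Set[int]) -> List[int]:
    """VLANs the trunk carries that are not in the intended list."""
    return sorted(effective_allowed_vlans(commands) - intended)


if __name__ == "__main__":
    print(sorted(effective_allowed_vlans(SAMPLE_COMMANDS)))
    print(unexpected_vlans(SAMPLE_COMMANDS, {1, 55, 56, 58, 59, 60}))
```
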
Related Commands
no on page 1169 Removes the packet switching parameters configured on this port-
channel interface
use
Syntax
use [ip-access-list|ipv6-access-list|mac-access-list] in <IP/IPv6/MAC-ACCESS-LIST-NAME>
Parameters
use [ip-access-list|ipv6-access-list|mac-access-list] in <IP/IPv6/MAC-ACCESS-LIST-NAME>
use [ip-access-list|ipv6-access-list|mac-access-list] in <IP/IPv6/MAC-ACCESS-LIST-NAME>
Associates an access list controlling the inbound traffic on this port
channel.
• ip-access-list – Specify the IPv4 specific firewall rules to apply to
this profile’s port channel configuration. IPv4 is a connectionless
protocol for packet switched networking. IPv4 operates as a
best effort delivery method, as it does not guarantee delivery,
and does not ensure proper sequencing or avoid duplicate delivery
(unlike TCP). IPv4 hosts can use link local addressing to provide
local connectivity.
• ipv6-access-list – Specify the IPv6 specific firewall rules to apply
to this profile’s port channel configuration. IPv6 is the latest
revision of the Internet Protocol (IP) designed to replace IPv4.
IPv6 provides enhanced identification and location information
for computers on networks routing traffic across the Internet.
IPv6 addresses are composed of eight groups of four
hexadecimal digits separated by colons.
• mac-access-list – Specify the MAC specific firewall rules to apply
to this profile’s port channel configuration.
◦ <IP/IPv6/MAC-ACCESS-LIST-NAME> – Provide the IPv4,
IPv6, or MAC access list name based on the option selected.
The access list specified should be existing and configured.
Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#use ip-access-list in BROADCAST-MULTICAST-CONTROL
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
description "This port-channel is for enabling dynamic LACP."
speed 100
duplex full
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1
use ip-access-list in BROADCAST-MULTICAST-CONTROL
ipv6 nd trust
ipv6 nd header-mismatch-validation
spanning-tree portfast
--More--
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
Related Commands
interface-config-radio-instance
This section documents radio interface configuration parameters applicable only to the access point
profiles.
The access point radio interface can be radio1, radio2, or radio3. The AP7662 model is a dual radio
access point, whereas the AP-8533 is a triple radio access point.
To enter the AP profile > radio interface context, use the following commands:
<DEVICE>(config)#profile <AP-TYPE> <PROFILE-NAME>
nx9500-6C8809(config-profile-test7532)#interface radio 2
nx9500-6C8809(config-profile-test7532-if-radio2)#
nx9500-6C8809(config-profile-test7532-if-radio2)#?
Radio Mode commands:
adaptivity Adaptivity
aeroscout Aeroscout Multicast MAC/Enable
aggregation Configure 802.11n aggregation related parameters
airtime-fairness Enable fair access to medium for clients based
on their usage of airtime
antenna-diversity Transmit antenna diversity for non-11n transmit
rates
antenna-downtilt Enable ADEPT antenna mode
antenna-elevation Specifies the antenna elevation gain
antenna-gain Specifies the antenna gain of this radio
antenna-mode Configure the antenna mode (number of transmit
and receive antennas) on the radio
assoc-response Configure transmission parameters for
Association Response frames
association-list Configure the association list for the radio
beacon Configure beacon parameters
bridge Bridge rf-mode related configuration
channel Configure the channel of operation for this
radio
data-rates Specify the 802.11 rates to be supported on this
radio
description Configure a description for this radio
dfs-rehome Revert to configured home channel once dfs
evacuation period expires
dynamic-chain-selection Automatic antenna-mode selection (antenna for
non-11n transmit rates)
ekahau Ekahau Multicast MAC/Enable
extended-range Configure extended range
fallback-channel Configure the channel to be used for falling
back in the event of radar being detected on the
current operating channel
guard-interval Configure the 802.11n guard interval
koda-server-cert Set debug KODA server cert
koda-server-url Set debug KODA server URL
ldpc Configure support for Low Density Parity Check
Code
lock-rf-mode Retain user configured rf-mode setting for this
radio
max-clients Maximum number of wireless clients allowed to
associate subject to AP limit
mesh Configure radio mesh parameters
meshpoint Enable meshpoints on this radio
mu-mimo Enable multi user MIMO on this radio (selected
platforms only)
no Negate a command or set its defaults
nx9500-6C8809(config-profile-test7532-if-radio2)#
Commands Description
adaptivity on page 1182 Configures an adaptivity timeout value, in minutes, for
avoidance of channels detected with radar or high levels of
interference
aeroscout on page 1184 Enables Aeroscout multicast packet forwarding
aggregation on page 1184 Configures 802.11n aggregation parameters
airtime-fairness on page 1188 Enables fair access for clients based on airtime usage
antenna-diversity on page 1189 Transmits antenna diversity for non-11n transmit rates
antenna-downtilt on page 1190 Enables ADEPT (Advanced Element Panel Technology)
antenna mode
antenna-elevation on page 1190 Configures the antenna’s elevation gain. This command is
applicable only to the AP 7562 model access point.
antenna-gain on page 1192 Specifies the antenna gain for the selected radio
antenna-mode on page 1192 Configures the radio antenna mode
assoc-response on page 1193 Enables an access point to ignore or respond to an
association/authorization request based on the configured
RSSI (Received Signal Strength Index) threshold and deny-
threshold values
association-list on page 1195 Associates an existing global association list with this radio
interface
beacon on page 1195 Configures beacon parameters
bridge on page 1197 Configures client-bridge related parameters, if the selected
radio’s RF mode is set to bridge
channel on page 1208 Configures a radio’s channel of operation
data-rates on page 1210 Specifies the 802.11 rates supported on a radio
description on page 1215 Configures the selected radio’s description
dfs-rehome on page 1216 Reverts to configured home channel once DFS (Dynamic
Frequency Selection) evacuation period expires
dynamic-chain-selection on page 1216 Enables automatic antenna mode selection
ekahau on page 1217 Enables Ekahau multicast packet forwarding
extended-range on page 1218 Configures extended range
fallback-channel on page 1219 Configures the channel to which the radio switches in case of
radar detection on the current channel
guard-interval on page 1220 Configures the 802.11n guard interval
ldpc on page 1221 Enables support for LDPC (Low Density Parity Check) on the
radio interface
lock-rf-mode on page 1221 Retains user configured RF mode settings for the selected
radio
max-clients on page 1222 Configures the maximum number of wireless clients allowed
to associate with this radio
mesh on page 1223 Configures radio mesh parameters
meshpoint on page 1225 Maps an existing meshpoint to this radio interface
mu-mimo on page 1226 Enables multi-user multiple input multiple output (MU-MIMO)
support on a radio
no (radio-interface-config-command) on page 1227 Negates or resets radio interface settings configured on a
profile or a device
non-unicast on page 1229 Configures the handling of non unicast frames on this radio
off-channel-scan on page 1231 Enables selected radio’s off channel scanning parameters
placement on page 1234 Defines selected radio’s deployment location
power on page 1235 Configures the transmit power on this radio
preamble-short on page 1237 Enables the use of short preamble on this radio
probe-response on page 1238 Configures transmission parameters for probe response
frames
radio-resource-measurement on page 1240 Enables 802.11k radio resource measurement
radio-share-mode on page 1241 Configures the mode of operation, for this radio, as radio-
share
rate-selection on page 1242 Sets the rate selection method to standard or opportunistic
rf-mode on page 1242 Configures the radio’s RF mode
rifs on page 1244 Configures RIFS (Reduced Interframe Spacing) parameters on
this radio
rts-threshold on page 1245 Configures the RTS (Request to Send) threshold value on this
radio
rx-sensitivity-reduction on page 1246 Configures the selected radio's receive sensitivity reduction
threshold
service on page 1248 Enables dynamic control function. This dynamic function
controls performance of the radio receiver's low noise
amplifiers (LNAs).
shutdown on page 1248 Terminates or shuts down selected radio interface
smart-rf on page 1249 Overrides Smart RF channel width setting on the selected
radio interface
sniffer-redirect on page 1250 Captures and redirects packets to an IP address running a
packet capture/analysis tool
stbc on page 1251 Configures radio’s Space Time Block Coding (STBC) mode
transmit-beamforming on page 1252 Enables transmit beamforming on the selected radio interface
use on page 1252 Enables use of an association ACL policy and a radio QoS
policy by selected radio interface
wips on page 1253 Enables access point to change its channel of operation in
order to terminate rogue devices
wireless-client on page 1254 Configures wireless client parameters on selected radio
wlan on page 1255 Enables a WLAN on selected radio
adaptivity
Configures the duration, in minutes, for which channels detected with high levels of interference are
avoided by the AP
As per the ETSI's (European Telecommunications Standards Institute) EN 300 328 V1.8.1/ ETSI EN 301
893 V1.7.1 requirements, access points have to monitor interference levels on operating channels, and
stop functioning on channels with interference levels exceeding ETSI-specified threshold values.
This command configures the duration for which a channel is avoided on detection of interference, and
is applicable only if the channel selection mode is set to ACS, Random, or Fixed.
Note
If you want to configure your radio to use a SMART RF policy for channel selection (i.e., the
radio's channel selection mode is set to Smart), in the Smart-RF policy config mode, use the
avoidance-time > [adaptivity|dfs] > <30-3600> command to specify the
interval for which a channel is avoided on detection of high levels of interference or radar. For
more information, see avoidance-time on page 1815 (smart-rf policy config mode).
When configured, this feature ensures recovery by switching the radio to a new operating channel.
Once adaptivity is triggered, the evacuated channel becomes inaccessible and is available again only
after the adaptivity timeout, specified here, expires. In case of fixed channel, the radio switches back to
the original channel of operation after the adaptivity timeout expires. On the other hand, ACS-enabled
radios continue operating on the new channel even after the adaptivity timeout period expires.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
adaptivity [recovery|timeout <30-3600>]
Parameters
adaptivity [recovery|timeout <30-3600>]
Example
nx9500-6C8809(config-profile-testAP7532-if-radio1)#adaptivity timeout 200
nx9500-6C8809(config-profile-testAP7532-if-radio1)#show context
interface radio1
adaptivity timeout 200
nx9500-6C8809(config-profile-testAP7532-if-radio1)#
Related Commands
aeroscout
Parameters
aeroscout [forward ip <IP> port <0-65535>|mac <MAC>]
mac <MAC> Configures the multicast MAC address to forward the Aeroscout
packets
• <MAC> – Specify the MAC address in the AA-BB-CC-DD-EE-FF
format. The default value is 01-0C-CC-00-00-00.
Example
nx9500-6C8809(config-profile-ProfileTestAP7532-if-radio2)#aeroscout forward ip 10.233.84.206 port 22
nx9500-6C8809(config-profile-ProfileTestAP7532-if-radio2)#show context
interface radio2
aeroscout forward ip 10.233.84.206 port 22
nx9500-6C8809(config-profile-ProfileTestAP7532-if-radio2)#
Related Commands
aggregation
Configures frame aggregation parameters. Frame aggregation is a feature of the IEEE 802.11e, 802.11n, and
802.11ac wireless networking standards. It increases throughput by sending two or more data frames in a single
transmission. There are two types of frame aggregation: Aggregate - MAC Service Data Unit (A-MSDU)
aggregation and Aggregate - MAC Protocol Data Unit (A-MPDU) aggregation. Both modes group
several data frames into one large data frame.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
aggregation [ampdu|amsdu]
aggregation ampdu [rx-only|tx-only|tx-rx|none|max-aggr-size|min-spacing]
aggregation ampdu [rx-only|tx-only|tx-rx|none]
aggregation ampdu max-aggr-size [rx|tx]
aggregation ampdu max-aggr-size rx [8191|16383|32767|65535|128000|256000|512000|1024000]
aggregation ampdu max-aggr-size tx <2000-1024000>
aggregation ampdu min-spacing [0|1|2|4|8|16|auto]
aggregation amsdu [rx-only|tx-rx]
Parameters
aggregation ampdu [rx-only|tx-only|tx-rx|none]
max-aggr-size
Configures AMPDU packet size limits. Configure the packet size
limit for transmitted and received packets.
rx [8191|16383|32767|65535|128000|256000|512000|1024000]
Configures the maximum limit (in bytes) advertised for received
frame size
• 8191 – Advertises a maximum frame size of 8191 bytes
• 16383 – Advertises a maximum frame size of 16383 bytes
• 32767 – Advertises a maximum frame size of 32767 bytes
• 65535 – Advertises a maximum frame size of 65535 bytes
(default setting)
• 128000 – Advertises a maximum frame size of 128000 bytes
• 256000 – Advertises a maximum frame size of 256000 bytes
• 512000 – Advertises a maximum frame size of 512000 bytes
• 1024000 – Advertises a maximum frame size of 1024000 bytes
• default - Sets the default aggregation size.
max-aggr-size
Configures AMPDU packet size limits. Configure the packet size
limit for transmitted and received packets.
tx <2000-1024000>
Configures the maximum size (in bytes) for AMPDU aggregated
transmitted frame size
• <2000-1024000> – Sets the maximum aggregated transmitted
frame size limit
Note:
For AP7662 and AP7632 models, the range for radio 1 and
radio 2 is 2000 - 1,024,000 bytes, and the default is
1,024,000 bytes.
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#aggregation ampdu tx-only
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
aggregation ampdu tx-only
aeroscout forward
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
airtime-fairness
Enables fair access to the medium for wireless clients based on their airtime usage, regardless of
whether the client is a high-throughput (802.11n) or legacy client. This option is enabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
airtime-fairness {prefer-ht} {weight <1-10>}
Parameters
airtime-fairness {prefer-ht} {weight <1-10>}
airtime-fairness Enables fair access to the medium for wireless clients based on their
airtime usage
prefer-ht Optional. Prioritizes high throughput (802.11n) clients over clients
with slower throughput (802.11 a/b/g) and legacy clients
weight <1-10> Optional. Configures the relative weightage for 11n clients over
legacy clients.
• <1-10> – Sets a weightage ratio for 11n clients from 1 - 10
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#airtime-fairness prefer-ht weight 6
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
aggregation ampdu tx-only
aeroscout forward
airtime-fairness prefer-ht weight 6
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
no on page 1160 Disables fair access for wireless clients (provides access in
round-robin mode)
antenna-diversity
Antenna diversity uses two or more antennas to increase signal quality and strength. This option is
disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
antenna-diversity
Parameters
None
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#antenna-diversity
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
aggregation ampdu tx-only
aeroscout forward
antenna-diversity
airtime-fairness prefer-ht weight 6
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
antenna-downtilt
Enables the Advanced Element Panel Technology (ADEPT) antenna mode. The ADEPT mode increases
the probability of parallel data paths enabling multiple spatial data streams. This option is disabled by
default.
Supported in the following platforms:
• Access Points — AP7161
Syntax
antenna-downtilt
Parameters
None
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#antenna-downtilt
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
antenna-gain 12.0
aggregation ampdu tx-only
aeroscout forward
antenna-diversity
airtime-fairness prefer-ht weight 6
antenna-downtilt
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
antenna-elevation
Configures an antenna's elevation gain. Antenna gain is the ratio of an antenna's radiation intensity in a
given direction to the intensity produced by a no-loss, isotropic antenna radiating equally in all
directions. An antenna's gain along the horizon and at an elevation of 30 degrees may vary. The elevation
gain is defined as the maximum antenna gain at 30 to 150 degrees above the horizon. If elevation gain is
configured, the transmit (TX) power calculations maximize the allowable TX power for an elevation
below 30 degrees.
Access points must conform to U.S. Federal Communications Commission's (FCC) limitations. FCC has
now stipulated a 21dBm Effective Isotropic Radiated Power (EIRP) limit for power directed 30 degrees
above the horizon.
For Extreme Networks-supplied antennas, compatible with 5.0 GHz on the AP7562 access point, refer
to the Antenna Guide for "Elevation Gain" information. If using a third-party antenna, it is required that
you obtain the antenna-elevation gain information from the antenna manufacturer.
Professional installers must complete the following steps to ensure compliance with the FCC rule:
1. Configure the antenna type. For example:
ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#service antenna-type dipole
After the professional installer enters the antenna type, gain, placement, and elevation gain using the
CLI as outlined above, the firmware will use this information and hardcoded maximum limits
determined during testing (See Annex C in FCC Report #FR4D0448AB) to limit the EIRP below 21dBm
for outdoor use in UNII-1 band. The antenna information is provided in the Installation guide and
antenna guide.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
antenna-elevation <-30.0-36.0>
Note
The antenna elevation gain feature is supported only on the AP7562 model access point.
Parameters
antenna-elevation <-30.0-36.0>
antenna-elevation <-30.0-36.0> Configures the antenna elevation gain from -30.0 - 36.0 dB. Refer
to the antenna specifications for antenna-elevation gain
information.
The default value is 0 dB.
Example
ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#antenna-elevation 5.0
ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#show context
interface radio2
antenna-elevation 5.0
ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#
Related Commands
antenna-gain
Antenna gain is the ability of an antenna to convert power into radio waves and vice versa. The access
point or wireless controller’s PMACF (Power Management Antenna Configuration File) automatically
configures the access point or wireless controller’s radio transmit power based on the antenna type, its
antenna gain (provided here) and the deployed country’s regulatory domain restrictions. Once
provided, the access point or wireless controller calculates the power range. Antenna gain relates the
intensity of an antenna in a given direction to the intensity that would be produced ideally by an
antenna that radiates equally in all directions (isotropically), and has no losses. Although the gain of an
antenna is directly related to its directivity, its gain is a measure that takes into account the efficiency of
the antenna as well as its directional capabilities. It is recommended that only a professional installer set
the antenna gain.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
antenna-gain <0.0-15.0>
Parameters
antenna-gain <0.0-15.0>
antenna-gain <0.0-15.0> Sets the antenna gain from 0.0 - 15.0 dBi. The default is 0.00 dBi.
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#antenna-gain 12.0
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
antenna-gain 12.0
aggregation ampdu tx-only
aeroscout forward
antenna-diversity
airtime-fairness prefer-ht weight 6
antenna-downtilt
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
antenna-mode
Configures the antenna mode (the number of transmit and receive antennas) on the access point.
This command sets the number of transmit and receive antennas on the access point. The 1x1 mode is
used for transmissions over just the single -A- antenna, 1xALL is used for transmissions over the -A-
antenna and all three antennas for receiving. The 2x2 mode is used for transmissions and receipts over
two antennas for dual antenna models. 3x3x3 is used for transmissions and receipts over three antennas
for AP8163 models. The default setting is dynamic based on the access point model deployed and its
transmit power settings.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
antenna-mode [1*1|1*ALL|2*2|3*3|default]
Parameters
antenna-mode [1*1|1*ALL|2*2|default]
Usage Guidelines
To support STBC feature on AP7161 profile, the antenna-mode should not be configured to 1*1.
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#antenna-mode 2x2
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
antenna-gain 12.0
aggregation ampdu tx-only
aeroscout forward
antenna-mode 2x2
antenna-diversity
airtime-fairness prefer-ht weight 6
antenna-downtilt
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
no (radio-interface-config-command) on page 1227    Resets the radio antenna mode (the number of transmit and receive antennas) to its default
assoc-response
Configures the parameters that determine whether the access point ignores or responds to a client's
association/authorization request
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
assoc-response [ac-strict|deny-threshold <1-12>|rssi-threshold <-128--40>]
Parameters
assoc-response [ac-strict|deny-threshold <1-12>|rssi-threshold <-128--40>]
rssi-threshold <-128--40> Configures the RSSI threshold. If the RSSI is lower than the
threshold configured here, the AP ignores the association/
authorization request.
• <-128--40> – Specify the RSSI threshold from -128 - -40 dBi.
Example
nx9500-6C8809(config-profile-71XXTestProfile-if-radio1)#assoc-response rssi-threshold -128
nx9500-6C8809(config-profile-71XXTestProfile-if-radio1)#show context
interface radio1
assoc-response rssi-threshold -128
nx9500-6C8809(config-profile-71XXTestProfile-if-radio1)#
nx9500-6C8809(config-device-84-24-8D-84-A2-24-if-radio2)#assoc-response ac-strict
nx9500-6C8809(config-device-84-24-8D-84-A2-24-if-radio2)#show context include-factory | include assoc-response
assoc-response ac-strict
nx9500-6C8809(config-device-84-24-8D-84-A2-24-if-radio2)##
Related Commands
association-list
An association ACL is a policy-based ACL that either prevents or allows wireless clients from connecting
to a managed access point radio. An ACL is a sequential collection of permit and deny rules that apply
to incoming and outgoing packets. When a packet is received on an interface, the controller, service
platform, or access point compares the fields in the packet against the applied ACLs to verify the packet
has the required permissions to be forwarded. If a packet does not meet any of the criteria specified in
the ACL, it is dropped.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
association-list global <GLOBAL-ASSOC-LIST-NAME>
Parameters
association-list global <GLOBAL-ASSOC-LIST-NAME>
association-list global <GLOBAL-ASSOC-LIST-NAME>    Associates an existing global association list with this radio interface
Example
rfs4000-880DA7(config-profile-test-if-radio1)#association-list global test
rfs4000-880DA7(config-profile-test-if-radio1)#show context
interface radio1
association-list global test
rfs4000-880DA7(config-profile-test-if-radio1)#
Related Commands
no (radio-interface-config-command) on page 1227    Removes the global association list associated with this radio interface
beacon
A beacon is a packet broadcasted by adopted radios to keep the network synchronized. Included in a
beacon is information, such as the WLAN service area, the radio address, the broadcast destination
addresses, a time stamp, and indicators about traffic and delivery such as a Delivery Traffic Indication
Message (DTIM). Increase the DTIM/beacon settings (lengthening the time) to let nodes sleep longer
and preserve battery life. Decrease these settings (shortening the time) to support streaming-multicast
audio and video applications that are jitter sensitive.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
beacon [dtim-period|period]
beacon dtim-period [<1-50>|bss <1-16> <1-50>]
beacon period [50|100|200]
Parameters
beacon dtim-period [<1-50>|bss <1-8> <1-50>]
period [50|100|200] Configures the beacon period (the interval between consecutive
radio beacons)
• 50 – Configures 50 K-uSec interval between beacons
• 100 – Configures 100 K-uSec interval between beacons (default)
• 200 – Configures 200 K-uSec interval between beacons
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#beacon dtim-period bss 2 20
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#beacon period 50
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
beacon period 50
beacon dtim-period bss 1 2
beacon dtim-period bss 2 20
beacon dtim-period bss 3 2
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
bridge
Configures the CB (client-bridge) parameters for radios with rf-mode set to bridge. When configured as
a client bridge, the radio can authenticate and associate to the WLAN hosted on the infrastructure
access point. After successfully associating with the infrastructure WLAN, the CB access point switches
frames between its bridge radio and wired/wireless client(s) connected either to its GE port(s) or to the
other radio, thereby providing the clients access to the infrastructure WLAN resources.
This command configures settings that define the authentication-type and encryption-type used by the
CB AP to associate and communicate with the infrastructure AP. It also configures other parameters,
such as channel-dwell time, wlan ssid, etc.
Note
The radio interface configured to form the client-bridge will not be able to service wireless
clients as its RF mode is set to bridge and not 2.4 GHz or 5.0 GHz.
Syntax
bridge [authentication-type|channel-dwell-time|channel-list|connect-through-bridges|eap|
encryption-type|inactivity-timeout|keepalive|max-clients|on-link-loss|on-link-up|roam-
criteria|ssid|wpa-wpa2]
The following EAP authentication commands have been documented in the first five parameter tables:
bridge authentication-type [eap|none]
bridge eap [password|trustpoint|type|username]
bridge eap type [peap-mschapv2|tls]
bridge eap password <PASSWORD>
bridge eap username <USERNAME>
bridge eap trustpoint [ca|client] <TRUSTPOINT-NAME>
bridge eap trustpoint on-cert-expiry [continue|discontinue]
The following parameters have been documented in the last parameter table:
bridge channel-dwell-time <50-2000>
bridge channel-list [2.4GHz|5GHz] <LIST>
bridge connect-through-bridges
bridge encryption-type [ccmp|none|tkip]
Parameters
bridge [authentication-type [eap|none]]
authentication-type [eap|none] Configures the authentication framework used between the client-
bridge and infrastructure WLAN APs.
• eap – Uses EAP authentication (802.1X).
• none – Uses no authentication. This is the default setting.
eap type [peap-mschapv2|tls] If selecting EAP authentication, specify the EAP authentication type
to use. The options are:
• PEAP-MSCHAPv2 – Configures EAP authentication type as
PEAP-MSCHAPv2. This mode uses a username/password for
authentication of the CB AP by the RADIUS server host. This is
the default setting.
Note: If selecting this option, use the ‘bridge > eap > trustpoint’
command to configure the TPs used for authentication.
eap username <USERNAME> Configures username used for authentication with the RADIUS
server host
• <USERNAME> – Specify the username.
eap password [<PASSWORD>] If EAP authentication type is set to PEAP-MSCHAPv2, use this
option to configure the password used for authentication. The
password specified here should be associated with the username
configured in the RADIUS server policy used on the RADIUS server
host.
• password <PASSWORD> – Specify the password.
eap trustpoint If EAP authentication type is set to EAP-TLS, use this command to
configure TP (trustpoint) details.
In EAP-TLS authentication, the CB AP and RADIUS server host
authenticate each other using TPs. A TP contains the CA certificate
and the CA-signed certificate authenticating the device. To enable
TP-based authentication, both the CB AP and the RADIUS server
host must use the same CA as the certifying authority.
client <TRUSTPOINT-NAME> Configures the Client-TP name (this is the TP installed on the CB
AP). When configured, the certificate installed on the CB AP is sent
across a TLS tunnel and matched for authentication at the RADIUS
server host.
• <TRUSTPOINT-NAME> – Specify the TP name. This
configuration is mandatory for enabling TP-based
authentication of CB AP.
Note: To view TP name, use the 'show > crypto > pki >
trustpoint' command on the CB AP.
channel-dwell-time <50-2000> Configures the channel-dwell time in milliseconds. This is the time
the client-bridge radio dwells on each channel (configured in the
channel-list) when scanning for an infrastructure WLAN.
• <50-2000> – Specify a value from 50 -2000 milliseconds. The
default is 150 milliseconds.
channel-list [2.4GHz|5GHz] <LIST>    Configures the list of channels the radio scans when scanning for an
infrastructure WLAN access point to associate
• 2.4GHz <LIST> – Configures a list of channels for scanning
across all the channels in the 2.4GHz radio band
• 5GHz <LIST> – Configures a list of channels for scanning across
all the channels in the 5.0 GHz radio band
The following parameter is common to both the 2.4 GHz and 5.0
GHz bands:
• <LIST> – Provide the list of channels separated by commas.
keepalive [frame-type [null-data|wnmp]|interval <0-36000>]    Configures the keep-alive frame type and interval
• frame-type – Configures the keepalive frame type exchanged
between the client-bridge access point and the infrastructure
access point/controller. The options are:
◦ null-data – Transmits 802.11 NULL data frames. This is the
default setting.
◦ wnmp – Transmits Wireless Network Management Protocol
(WNMP) multicast packet
• interval <0-36000> – Configures the interval, in seconds,
between successive keep-alive frame transmissions.
◦ <0-36000> – Specify a value from 0 - 36000 seconds. The
default is 300 seconds.
max-clients <1-64> Configures the maximum number of clients that the client-bridge
AP can support
• <1-64> – Specify a value from 1 - 64. The default is 64.
on-link-loss shutdown-other-radio <1-1800>    Configures the radio-link behaviour when the link between the
client-bridge and infrastructure access points is lost.
• shutdown-other-radio – Enables shutting down of the non-client
bridge radio (this is the radio to which wireless-clients associate)
when the link between the client-bridge and infrastructure
access points is lost. When enabled, clients associated with the
non-client bridge radio are pushed to search for and associate
with other access points having backhaul connectivity. This
option is disabled by default.
◦ <1-1800> – If enabling this option, use this parameter to
configure the time, in seconds, for which the non-client
bridge radio is shut down. Specify a value from 1 - 1800
seconds.
on-link-up refresh-vlan-interface Configures the radio-link behaviour when the link between the
client-bridge and infrastructure access points comes up.
• refresh-vlan-interface – Enables the SVI to refresh on re-
establishing client bridge link to infrastructure Access Point.
And, if using a DHCP assigned IP address, causes a DHCP renew.
This option is enabled by default.
ssid <SSID> Configures the infrastructure WLAN SSID the client bridge connects
to
• <SSID> – Specify the SSID.
wpa-wpa2 psk <LINE> Configures the encryption PSK to use with the infrastructure WLAN
• <LINE> – Enter the key
Shows the available infrastructure WLAN candidates that are found during the last scan.
3. show > wireless > bridge > host
Use the following command on the CB AP and the RADIUS server host to view installed TP details:
The following example shows the basic parameters that need to be configured on the Infrastructure and
the CB APs in order to enable the CB AP to associate with the Infrastructure WLAN. Note, in this
example, the authentication mode is set to ‘none’ and the encryption-type is set to ‘ccmp’. The
authentication and encryption modes used will vary as per requirement.
InfrastrNOC(config)#
ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#bridge authentication-type none
ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#show context
interface radio2
rf-mode bridge
bridge ssid cb-psk
bridge encryption-type ccmp
bridge wpa-wpa2 psk 0 extreme@123
ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#
Note, bridge SSID, encryption-type, and authentication mode are the same as that of
the Infrastructure WLAN.
Example - CB with encryption ‘CCMP’ and authentication ‘EAP-TLS’ using Trustpoint Client.
Note
In case of EAP-TLS authentication, the username configured here should be the
“common name” on the client certificate.
b. Use this RADIUS user policy in the RADIUS server policy.
RADServer(config-radius-server-policy-cb-tp)#show context
radius-server-policy cb-tp
use radius-user-pool-policy cb-tp
RADServer(config-radius-server-policy-cb-tp)#
• Configure the trustpoint to be used to authenticate the RADIUS server host and RADIUS
server CA.
RADServer(config-device-74-67-F7-07-02-35)#trustpoint radius-server serverTP
RADServer(config-device-74-67-F7-07-02-35)#trustpoint radius-ca serverTP
Note
Ensure that the trustpoint is existing and installed on the RADIUS server. Also
ensure that the RADIUS server host and CB AP are using the same CA for
certification.
3. On the CB AP,
Note
In case of EAP-TLS authentication, the username configured here should be the
“common name” on the client certificate.
Note
Ensure that the CB AP and RADIUS server host are using the same CA for certification.
b. If you want to enable RADIUS server certificate validation at the client end, execute the following
command:
clientbriAP(config-device-84-24-8D-DF-9A-4C-if-radio2)#trustpoint radius-ca clientTP
Note
This is an optional parameter that provides additional security and is applicable for
EAP-TLS and PEAP-MSCHAPv2 authentication modes.
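The following is an added example, not part of the guide: a Python check that reads 'show context' output for a radio and flags the client-bridge settings described above (default authentication of none, non-CCMP encryption, a PSK stored in clear text, EAP without RADIUS server certificate validation, EAP-TLS without a client trustpoint). The host names, SSIDs, keys and trustpoint names in the samples are constructed; it assumes 'show context' prints these commands as entered and that the psk marker 0 means clear text, as this guide documents for 'mesh psk'.

```python
import re

# CLI prompt lines, e.g. "cb-ap(config-device-00-00-5E-00-53-01-if-radio2)#show context"
PROMPT = re.compile(r"^\S+\(config[^)]*\)#")

FINDINGS = {
    "NO_8021X": "authentication-type is none (the default): no 802.1X on the bridge link",
    "ENC_UNSET": "encryption-type not shown in the context; confirm the effective value",
    "ENC_WEAK": "encryption-type is none or tkip rather than ccmp",
    "PSK_CLEARTEXT": "wpa-wpa2 psk carries the clear-text marker 0",
    "NO_SERVER_CERT_CHECK": "EAP without 'trustpoint radius-ca': server certificate not validated",
    "TLS_NO_CLIENT_TP": "EAP-TLS without 'bridge eap trustpoint client'",
}


def parse_radios(text):
    """Map each 'interface radioN' block to its config lines, split into tokens."""
    radios, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--More--" or PROMPT.match(line):
            continue
        if line.startswith("interface "):
            name = line.split()[1]
            current = radios.setdefault(name, []) if name.startswith("radio") else None
        elif current is not None:
            current.append(line.split())
    return radios


def setting(lines, *prefix):
    """Return the tokens that follow `prefix` on the first matching line, else None."""
    n = len(prefix)
    for tokens in lines:
        if tuple(tokens[:n]) == prefix and len(tokens) > n:
            return tokens[n:]
    return None


def audit_radio(lines):
    """Return finding codes for one radio; empty if it is not a client bridge."""
    if setting(lines, "rf-mode") != ["bridge"]:
        return []
    found = []
    # A setting absent from 'show context' is at its default; the guide gives none.
    auth = (setting(lines, "bridge", "authentication-type") or ["none"])[0]
    if auth == "none":
        found.append("NO_8021X")
    enc = setting(lines, "bridge", "encryption-type")
    if enc is None:
        found.append("ENC_UNSET")
    elif enc[0] in ("none", "tkip"):
        found.append("ENC_WEAK")
    # Assumption: 0 marks a clear-text key, as documented for 'mesh psk'.
    psk = setting(lines, "bridge", "wpa-wpa2", "psk")
    if psk and psk[0] == "0":
        found.append("PSK_CLEARTEXT")
    if auth == "eap":
        if setting(lines, "trustpoint", "radius-ca") is None:
            found.append("NO_SERVER_CERT_CHECK")
        # The guide gives peap-mschapv2 as the default EAP type.
        eap_type = (setting(lines, "bridge", "eap", "type") or ["peap-mschapv2"])[0]
        if eap_type == "tls" and setting(lines, "bridge", "eap", "trustpoint", "client") is None:
            found.append("TLS_NO_CLIENT_TP")
    return found


def audit(text):
    """Audit every radio block in the given 'show context' text."""
    return {name: audit_radio(lines) for name, lines in parse_radios(text).items()}


# Constructed sample: PSK-only bridge, modelled on the guide's first example.
PSK_BRIDGE = """\
cb-ap(config-device-00-00-5E-00-53-01-if-radio2)#show context
interface radio2
 rf-mode bridge
 bridge ssid cb-psk
 bridge encryption-type ccmp
 bridge wpa-wpa2 psk 0 Constructed-Key-01
cb-ap(config-device-00-00-5E-00-53-01-if-radio2)#
"""

# Constructed sample: EAP-TLS with client trustpoint and server certificate validation.
TLS_BRIDGE = """\
interface radio2
 rf-mode bridge
 bridge ssid cb-tls
 bridge encryption-type ccmp
 bridge authentication-type eap
 bridge eap type tls
 bridge eap username cb-ap
 bridge eap trustpoint client clientTP
 trustpoint radius-ca clientTP
"""

# Constructed sample: PEAP-MSCHAPv2 (default EAP type) over TKIP, no radius-ca trustpoint.
PEAP_TKIP_BRIDGE = """\
interface radio2
 rf-mode bridge
 bridge ssid cb-peap
 bridge encryption-type tkip
 bridge authentication-type eap
 bridge eap username cb-ap
"""

if __name__ == "__main__":
    for label, sample in (("psk", PSK_BRIDGE), ("tls", TLS_BRIDGE), ("peap", PEAP_TKIP_BRIDGE)):
        for radio, codes in audit(sample).items():
            print(label, radio, [FINDINGS[c] for c in codes] or "no findings")
```

Findings are reported by code only, so a key present in the input is never echoed into the report.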
Related Commands
channel
Only a trained installation professional should define the radio channel. Select Smart for the radio to
scan non-overlapping channels listening for beacons from other access points. After the channels are
scanned, the radio selects the channel with the fewest access points. In case of multiple access points
on the same channel, it selects the channel with the lowest average power level.
Note
Channels with a “w” appended to them are unique to the 40 MHz band. Channels with a “ww”
appended to them are 802.11ac specific, and appear only when using an and are unique to the
80 MHz band.
Syntax
channel [smart|acs|random|ml-rrm|1|2|3|4|-------]
Parameters
channel [smart|acs|random|ml-rrm|1|2|3|4|-------]
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#channel 1
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
channel 1
beacon period 50
beacon dtim-period bss 1 5
beacon dtim-period bss 2 2
........................................................................
beacon dtim-period bss 14 5
beacon dtim-period bss 15 5
beacon dtim-period bss 16 5
antenna-gain 12.0
aggregation ampdu tx-only
aeroscout forward
antenna-mode 2x2
antenna-diversity
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Here is a sample output that shows the ml-rrm configurations made on the AP7662 profile. The output
shows ml-rrm enabled on the profile and channel > ml-rrm enabled on both radios. Note, this AP
is ExtremeCloud adopted.
ap7662(config)#show running-config profile anyap ece9601103a711e985729b37513dbd86 | in ml-rrm
channel ml-rrm
power ml-rrm
channel ml-rrm
power ml-rrm
ml-rrm
ap7662(config)#
Related Commands
data-rates
This command sets the rate options depending on the 802.11 protocol and the radio band selected. If 2.4
GHz is selected as the radio band, select separate 802.11b, 802.11g and 802.11n rates and define how they
are used in combination. If 5.0 GHz is selected as the radio band, select separate 802.11a and 802.11n
rates then define how they are used together.
If dedicating the radio to either 2.4 or 5.0 GHz support, use the custom keyword to set an 802.11n MCS
(modulation and coding scheme) with respect to the radio’s channel width and guard interval. An MCS
defines (based on RF channel conditions) an optimal combination of rates, bonded channels, multiple
spatial streams, different guard intervals and modulation types. Clients can associate as long as they
support basic MCS (as well as non-11n basic rates).
Data rates are fixed and not user configurable for radios functioning as sensors.
Note
Use the rf-mode command to configure a radio’s mode of operation.
Syntax
data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default|custom|mcs]
data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default]
Parameters
data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default]
802.11ac MCS detailed data rates for both with and without SGI
(short guard intervals).
The following table defines the 802.11n MCS for MCS 1 streams, both with and without SGI:
The following table defines the 802.11n MCS for MCS 2 streams, both with and without SGI:
The following table defines the 802.11n MCS for MCS 3 streams, both with and without SGI:
The following table defines the 802.11ac MCS rates (theoretical throughput for single spatial streams)
both with and without SGI:
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#data-rates b-only
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
channel 1
data-rates b-only
beacon period 50
beacon dtim-period bss 1 5
beacon dtim-period bss 2 2
beacon dtim-period bss 3 5
........................................................
beacon dtim-period bss 13 5
beacon dtim-period bss 14 5
beacon dtim-period bss 15 5
beacon dtim-period bss 16 5
antenna-gain 12.0
aggregation ampdu tx-only
aeroscout forward
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
description
Configures the selected radio’s description that helps differentiate it from other radios with similar
configurations
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
description <WORD>
Parameters
description <WORD>
description <WORD> Provide a description for the selected radio (should not exceed 64
characters in length).
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#description "Primary radio to use"
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
description "Primary radio to use"
channel 1
data-rates b-only
beacon period 50
beacon dtim-period bss 1 5
beacon dtim-period bss 2 2
beacon dtim-period bss 3 5
beacon dtim-period bss 4 5
beacon dtim-period bss 5 5
beacon dtim-period bss 6 5
beacon dtim-period bss 7 5
beacon dtim-period bss 8 5
beacon dtim-period bss 9 5
beacon dtim-period bss 10 5
beacon dtim-period bss 11 5
beacon dtim-period bss 12 5
beacon dtim-period bss 13 5
beacon dtim-period bss 14 5
beacon dtim-period bss 15 5
beacon dtim-period bss 16 5
antenna-gain 12.0
aggregation ampdu tx-only
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
dfs-rehome
Reverts to configured home channel once the DFS (Dynamic Frequency Selection) evacuation period
expires
Note
This option is applicable only if the radio’s RF mode is set to ‘5GHz-wlan’.
Syntax
dfs-rehome {holdtime <30-3600>}
Parameters
dfs-rehome {holdtime <30-3600>}
dfs-rehome {holdtime <30-3600>}    Enables the radio to revert to the configured home channel once
the DFS evacuation period expires
• holdtime – Optional. Specifies the duration, in minutes, to stay in
the new channel
◦ <30-3600> – Specify the holdtime from 30 - 3600 minutes.
The default is 90 minutes.
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#dfs-rehome holdtime 500
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
dfs-rehome holdtime 500
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
dynamic-chain-selection
Enables automatic antenna mode selection. When enabled, the radio can dynamically change the
number of transmit chains used (uses a single chain/antenna for frames at non-11n transmit rates). This
option is enabled by default.
Syntax
dynamic-chain-selection
Parameters
None
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#dynamic-chain-selection
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
no (radio-interface-config-command) on page 1227    Uses the configured transmit antenna mode for all clients
ekahau
Enables Ekahau multicast packet forwarding. When enabled, Ekahau small, battery powered Wi-Fi tags
are attached to tracked assets or assets carried by people. Ekahau processes locations, rules, messages,
and environmental data and turns the information into locationing maps, alerts and reports.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
ekahau [forward ip <IP> port <0-65535>|mac <MAC>]
Parameters
ekahau [forward ip <IP> port <0-65535>|mac <MAC>]
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#ekahau forward ip 172.16.10.1 port 3
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
description "Primary radio to use"
channel 1
data-rates b-only
beacon period 50
beacon dtim-period bss 1 5
beacon dtim-period bss 2 2
beacon dtim-period bss 3 5
beacon dtim-period bss 4 5
beacon dtim-period bss 5 5
beacon dtim-period bss 6 5
beacon dtim-period bss 7 5
.................................................
beacon dtim-period bss 16 5
antenna-gain 12.0
aggregation ampdu tx-only
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
antenna-mode 2x2
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
extended-range
Enables the extended range capability for AP7161 model access point. When enabled, these access
points can exchange signals with their clients at greater distances without being timed out. This option
is disabled by default.
Supported in the following platforms:
• Access Point — AP7562, AP8163
Syntax
extended-range <1-25>
Parameters
extended-range <1-25>
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#extended-range 15
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
description "Primary radio to use"
channel 1
data-rates b-only
beacon period 50
Related Commands
no (radio-interface-config-command) on page 1227    Resets the extended range to default (7 km for 2.4 GHz and 5 km for 5.0 GHz)
fallback-channel
Configures the channel to which the radio switches in case of radar detection on the current channel
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
fallback-channel [100|100w|100ww|104|104w|104ww|108|108w...............]
Parameters
fallback-channel [100|100w|100ww|104|104w|104ww|108|108w...............]
fallback-channel [100|100w|...........]    Configures the fallback channel. This is the channel the radio
switches to in case a radar is detected on the radio’s current
operating channel.
• [100|100w|100ww|...] – Select the fall back channel from the
available options.
Example
nx9500-6C8809(config-profile-testAP81XX-if-radio2)#fallback-channel 104
NOTE: Functionality is supported only in the US regulatory domain and only a non-dfs
channel can be configured as a fallback channel
nx9500-6C8809(config-profile-testAP81XX-if-radio2)#show context
interface radio2
fallback-channel 104
nx9500-6C8809(config-profile-testAP81XX-if-radio2)#
Related Commands
guard-interval
Configures the 802.11n guard interval. A guard interval ensures distinct transmissions do not interfere
with one another. It provides immunity to propagation delays, echoes and reflection of radio signals.
The guard interval is the space between transmitted characters. The guard interval eliminates ISI (inter
symbol interference), which occurs when echoes or reflections from one symbol interfere with
another. Adding time between transmissions allows echoes and reflections to settle before the next
symbol is transmitted. A shorter guard interval results in shorter symbol times, which reduces overhead
and increases data rates by up to 10%.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
guard-interval [any|long]
Parameters
guard-interval [any|long]
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#guard-interval long
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
description "Primary radio to use"
channel 1
data-rates b-only
beacon period 50
beacon dtim-period bss 1 5
beacon dtim-period bss 2 2
beacon dtim-period bss 3 5
beacon dtim-period bss 4 5
beacon dtim-period bss 5 5
beacon dtim-period bss 6 5
beacon dtim-period bss 7 5
beacon dtim-period bss 8 5
Related Commands
ldpc
Enables support for LDPC (Low Density Parity Check) codes on the radio interface.
LDPC consists of forward error correcting codes that enable error control in data transmission. This
option is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
ldpc
Parameters
None
Example
rfs4000-229D58(config-profile-Test81XX-if-radio1)#ldpc
rfs4000-229D58(config-profile-Test81XX-if-radio1)#show context
interface radio1
ldpc
rfs4000-229D58(config-profile-Test81XX-if-radio1)#
Related Commands
lock-rf-mode
Retains user configured RF mode settings for the selected radio. This option is disabled by default.
Syntax
lock-rf-mode
Parameters
None
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#lock-rf-mode
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
description "Primary radio to use"
channel 1
data-rates b-only
beacon period 50
beacon dtim-period bss 1 5
beacon dtim-period bss 2 2
beacon dtim-period bss 3 5
beacon dtim-period bss 4 5
beacon dtim-period bss 5 5
beacon dtim-period bss 6 5
beacon dtim-period bss 7 5
beacon dtim-period bss 8 5
beacon dtim-period bss 9 5
beacon dtim-period bss 10 5
beacon dtim-period bss 11 5
beacon dtim-period bss 12 5
beacon dtim-period bss 13 5
beacon dtim-period bss 14 5
beacon dtim-period bss 15 5
beacon dtim-period bss 16 5
antenna-gain 12.0
guard-interval long
aggregation ampdu tx-only
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
antenna-mode 2x2
antenna-diversity
airtime-fairness prefer-ht weight 6
lock-rf-mode
extended-range 15
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
max-clients
Configures the maximum number of wireless clients allowed to associate with this radio
Syntax
max-clients <0-256>
Parameters
max-clients <0-256>
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#max-clients 100
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
description "Primary radio to use"
channel 1
data-rates b-only
beacon period 50
beacon dtim-period bss 1 5
beacon dtim-period bss 2 2
..............................................
beacon dtim-period bss 12 5
beacon dtim-period bss 13 5
beacon dtim-period bss 14 5
beacon dtim-period bss 15 5
beacon dtim-period bss 16 5
antenna-gain 12.0
guard-interval long
aggregation ampdu tx-only
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
antenna-mode 2x2
antenna-diversity
max-clients 100
airtime-fairness prefer-ht weight 6
lock-rf-mode
extended-range 15
antenna-downtilt
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
mesh
Use this command to configure radio mesh parameters. A WMN (Wireless Mesh Network) is a network
of radio nodes organized in a mesh topology. It consists of mesh clients, mesh routers, and gateways.
Each radio setting can have a unique mesh mode and link configuration. This provides a customizable
set of connections to other mesh supported radios within the same radio coverage area.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP8163, AP8432, AP8533
Syntax
mesh [client|links|portal|preferred-peer|psk]
mesh [client|links <1-6>|portal|preferred-peer <1-6> <MAC>|psk [0 <LINE>|2 <LINE>|<LINE>]]
Parameters
mesh [client|links <1-6>|portal|preferred-peer <1-6> <MAC>|psk [0 <LINE>|2 <LINE>|<LINE>]]
psk [0 <LINE>|2 <LINE>| <LINE>] Configures the pre-shared key. Ensure this key is configured on the
access point when staged for mesh, and added to the mesh client
and to the portal access point’s configuration on the controller or
service platform.
• 0 <LINE> – Enter a clear text key
• 2 <LINE> – Enter an encrypted key
• <LINE> – Enter the pre-shared key
Pre-shared keys should be 8 - 64 characters in length.
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#mesh client
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
Related Commands
meshpoint
Use this command to assign each WLAN its own BSSID. If using a single-radio access point, there are 8
BSSIDs available. If using a dual-radio access point there are 8 BSSIDs for the 802.11b/g/n radio and 8
BSSIDs for the 802.11a/n radio.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP8163, AP8432, AP8533
Syntax
meshpoint <MESHPOINT-NAME> {bss <1-16>}
Parameters
meshpoint <MESHPOINT-NAME> {bss <1-16>}
meshpoint <MESHPOINT-NAME> Maps a meshpoint to this radio. Specify the meshpoint name.
bss <1-16> Optional. Specifies the radio’s BSS where this meshpoint is mapped
• <1-16> – Specify the BSS number from 1 - 16.
Example
nx9500-6C8809(config-profile-ap71xxTest-if-radio1)#meshpoint test bss 7
nx9500-6C8809(config-profile-ap71xxTest-if-radio1)#show context
interface radio1
meshpoint test bss 7
nx9500-6C8809(config-profile-ap71xxTest-radio1)#
Related Commands
mu-mimo
Enables multi-user multiple input multiple output (MU-MIMO) support on the selected radio. When
enabled, multiple users are able to simultaneously access the same channel using the spatial degrees of
freedom offered by MIMO.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
mu-mimo
Parameters
None
Example
nx9500-6C8809(config-profile-TestAP81xx-if-radio1)#mu-mimo
nx9500-6C8809(config-profile-TestAP81xx-if-radio1)#show context include-factory | include mu-mimo
mu-mimo
nx9500-6C8809(config-profile-TestAP81xx-if-radio1)#
ap7532-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio1)#mu-mimo
Related Commands
no (radio-interface-config-command)
Negates a command or resets settings to their default. When used in the profile/device > radio interface
configuration mode, the no command disables or resets radio interface settings.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
no <PARAMETERS>
Parameters
no <PARAMETERS>
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same
parameters associated with the command getting negated.
Examples
nx9500-6C8809(config-profile-ap71xxTest-if-radio1)#no ?
adaptivity Adaptivity
aeroscout Use Default Aeroscout Multicast MAC Address
aggregation Configure 802.11n aggregation related parameters
airtime-fairness Disable fair access to medium for clients,
provide access in a round-robin mode
antenna-diversity Use single antenna for non-11n transmit rates
antenna-downtilt Reset ADEPT antenna mode
antenna-elevation Reset the antenna elevation of this radio to
default
antenna-gain Reset the antenna gain of this radio to default
antenna-mode Reset the antenna mode (number of transmit and
receive antennas) on the radio to its default
assoc-response Configure transmission parameters for
Association Response frames
association-list Configure the association list for the radio
beacon Configure beacon parameters
bridge Bridge rf-mode related configuration
channel Reset the channel of operation of this radio to
default
data-rates Reset radio data rate configuration to default
nx9500-6C8809(config-profile-ap71xxTest-if-radio1)#
The following example shows radio interface settings before the ‘no’ commands are executed:
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
description "Primary radio to use"
channel 1
data-rates b-only
mesh client
beacon period 50
beacon dtim-period bss 1 5
beacon dtim-period bss 2 2
beacon dtim-period bss 3 5
beacon dtim-period bss 4 5
beacon dtim-period bss 5 5
beacon dtim-period bss 6 5
beacon dtim-period bss 7 5
beacon dtim-period bss 8 5
beacon dtim-period bss 9 5
beacon dtim-period bss 10 5
beacon dtim-period bss 11 5
beacon dtim-period bss 12 5
beacon dtim-period bss 13 5
beacon dtim-period bss 14 5
beacon dtim-period bss 15 5
beacon dtim-period bss 16 5
antenna-gain 12.0
guard-interval long
aggregation ampdu tx-only
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
antenna-mode 2x2
antenna-diversity
max-clients 100
airtime-fairness prefer-ht weight 6
lock-rf-mode
extended-range 15
antenna-downtilt
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#no channel
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#no antenna-gain
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#no description
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#no antenna-mode
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#no beacon dtim-period
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#no beacon period
The following example shows radio interface settings after the ‘no’ commands are executed:
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
data-rates b-only
mesh client
guard-interval long
aggregation ampdu tx-only
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
antenna-diversity
max-clients 100
airtime-fairness prefer-ht weight 6
lock-rf-mode
extended-range 15
antenna-downtilt
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
non-unicast
Configures support for forwarding of non-unicast (multicast and broadcast) frames on this radio
Syntax
non-unicast [forwarding|queue|tx-rate]
non-unicast forwarding [follow-dtim|power-save-aware]
non-unicast queue [<1-200>|bss]
non-unicast queue [<1-200>|bss <1-16> <1-200>]
non-unicast tx-rate [bss <1-16>|dynamic-all|dynamic-basic|highest-basic|lowest-basic]
non-unicast tx-rate bss <1-16> [dynamic-all|dynamic-basic|highest-basic|lowest-basic]
Parameters
non-unicast forwarding [follow-dtim|power-save-aware]
non-unicast forwarding Enables non-unicast frame forwarding on this radio. Once enabled,
select one of the available options to specify whether these frames
should always follow DTIM, or only follow DTIM when using power
save aware mode.
follow-dtim Specifies frames always wait for the DTIM interval to time out. The
DTIM interval is configured using the beacon command. This is the
default setting.
power-save-aware Enables immediate forwarding of frames only if all associated
wireless clients are in the power save mode
non-unicast queue Enables non-unicast frame forwarding on this radio. Once enabled,
specify the number of broadcast packets queued per BSS on this
radio. This option is enabled by default.
This command also enables you to override the default on a specific
BSS.
<1-200> Specify a number from 1 - 200. This value applies to all BSSs. The
default is 50 frames per BSS.
bss <1-16> <1-200> Overrides the default on a specified BSS
• <1-16> – Select the BSS number from 1 - 16.
◦ <1-200> – Specify the number of broadcast packets queued
for the selected BSS from 1 - 200.
non-unicast tx-rate Enables non-unicast frame forwarding on this radio. Once enabled,
use one of the available options to configure the rate at which these
frames are transmitted.
bss <1-16> Overrides the default on a specified BSS
• <1-16> – Select the BSS number from 1 - 16. The transmit rate
selected is applied only to the BSS specified here. The tx-rate
options are: dynamic-all, dynamic-basic, highest-basic, lowest-basic.
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#non-unicast queue bss 2 3
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
data-rates b-only
mesh client
guard-interval long
aggregation ampdu tx-only
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
non-unicast tx-rate bss 1 dynamic-all
non-unicast tx-rate bss 2 highest-basic
non-unicast tx-rate bss 3 highest-basic
non-unicast tx-rate bss 4 highest-basic
non-unicast tx-rate bss 5 highest-basic
non-unicast tx-rate bss 6 highest-basic
non-unicast tx-rate bss 7 highest-basic
non-unicast tx-rate bss 8 highest-basic
non-unicast tx-rate bss 9 highest-basic
non-unicast tx-rate bss 10 highest-basic
non-unicast tx-rate bss 11 highest-basic
non-unicast tx-rate bss 12 highest-basic
non-unicast tx-rate bss 13 highest-basic
non-unicast tx-rate bss 14 highest-basic
non-unicast tx-rate bss 15 highest-basic
non-unicast tx-rate bss 16 highest-basic
non-unicast queue bss 1 50
non-unicast queue bss 2 3
--More--
antenna-diversity
max-clients 100
airtime-fairness prefer-ht weight 6
lock-rf-mode
extended-range 15
antenna-downtilt
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
off-channel-scan
Enables off channel scanning on this radio. This option is disabled by default.
Channel scanning uses the access point’s resources and is time consuming. Therefore, enable this option
only if the radio has the bandwidth to support channel scan without negatively impacting client
support.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
off-channel-scan {channel-list|max-multicast|scan-interval|sniffer-redirect}
off-channel-scan {channel-list [2.4Ghz|5Ghz]} {<CHANNEL-LIST>}
off-channel-scan {max-multicast <0-100>|scan-interval <2-100>}
off-channel-scan {sniffer-redirect tzsp <IP>}
Parameters
off-channel-scan {channel-list [2.4Ghz|5Ghz]} {<CHANNEL-LIST>}
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#off-channel-scan channel-list 2.4GHz 1
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
data-rates b-only
mesh client
off-channel-scan channel-list 2.4GHz 1
guard-interval long
aggregation ampdu tx-only
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
Related Commands
placement
Defines the radio’s location (whether the radio is deployed indoors or outdoors). The radio’s placement
should depend on the country of operation selected and its regulatory domain requirements for radio
emissions.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
placement [indoor|outdoor]
Parameters
placement [indoor|outdoor]
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#placement outdoor
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
data-rates b-only
placement outdoor
mesh client
off-channel-scan channel-list 2.4GHz 1
guard-interval long
aggregation ampdu tx-only
aeroscout forward
Related Commands
power
Configures the selected radio’s transmit power. Use this command to manually set the transmit power
of the selected radio, or select the mode (Smart RF or ml-rrm) by which the transmit power is
determined.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
power [<1-30>|ml-rrm|smart]
Parameters
power [<1-30>|ml-rrm|smart]
Examples
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#power 12
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
power 12
data-rates b-only
placement outdoor
mesh client
off-channel-scan channel-list 2.4GHz 1
guard-interval long
aggregation ampdu tx-only
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
non-unicast tx-rate bss 1 dynamic-all
non-unicast tx-rate bss 2 highest-basic
non-unicast tx-rate bss 3 highest-basic
non-unicast tx-rate bss 4 highest-basic
non-unicast tx-rate bss 5 highest-basic
non-unicast tx-rate bss 6 highest-basic
non-unicast tx-rate bss 7 highest-basic
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Here is a sample output that shows the ml-rrm configurations made on the AP7662 profile. The output
shows ml-rrm enabled on the profile and power > ml-rrm enabled on both radios. Note, this AP is
ExtremeCloud adopted.
ap7662(config)#show running-config profile anyap ece9601103a711e985729b37513dbd86 | in ml-rrm
channel ml-rrm
power ml-rrm
channel ml-rrm
power ml-rrm
ml-rrm
ap7662(config)#
Related Commands
preamble-short
Enables short preamble on this radio. If using an 802.11bg radio, enable short preamble. Short preambles
improve throughput. However, some devices (SpectraLink phones) require long preambles. This option
is disabled by default.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
preamble-short
Parameters
None
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#preamble-short
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
power 12
data-rates b-only
placement outdoor
mesh client
off-channel-scan channel-list 2.4GHz 1
preamble-short
guard-interval long
aggregation ampdu tx-only
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
non-unicast tx-rate bss 1 dynamic-all
non-unicast tx-rate bss 2 highest-basic
non-unicast tx-rate bss 3 highest-basic
non-unicast tx-rate bss 4 highest-basic
non-unicast tx-rate bss 5 highest-basic
non-unicast tx-rate bss 6 highest-basic
non-unicast tx-rate bss 7 highest-basic
non-unicast tx-rate bss 8 highest-basic
non-unicast tx-rate bss 9 highest-basic
non-unicast tx-rate bss 10 highest-basic
non-unicast tx-rate bss 11 highest-basic
non-unicast tx-rate bss 12 highest-basic
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
probe-response
Configures transmission parameters for probe response frames sent by the access point in response to
probe requests received from clients.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
probe-response [ac-strict|rate|retry|rssi-threshold]
probe-response ac-strict
probe-response retry
probe-response rate [follow-probe-request|highest-basic|lowest-basic]
probe-response rssi-threshold <-128--40>
Parameters
probe-response ac-strict
probe-response ac-strict Strictly ignores probe-requests received from clients that are not
802.11ac/VHT capable. Configure this parameter to disable the
access point from sending probe-response frames to wireless
clients that are not 802.11ac/VHT capable. When configured, the AP
checks if the incoming probe-request is from a VHT-capable client
or not, and strictly ignores the request if the client is non-VHT
capable.
The IEEE 802.11ac is a wireless networking standard that provides
VHT (very-high throughput) wireless service on the 5 GHz band.
probe-response retry
probe-response rate Configures the rates used for transmission of probe response
frames. The tx-rate options available for transmitting probe
response frames are: follow-probe-request, highest-basic, lowest-basic.
follow-probe-request Transmits probe responses at the same rate as the received request
(default setting)
highest-basic Uses the highest configured basic rate
lowest-basic Uses the lowest configured basic rate
probe-response rssi-threshold <-128--40> Ignores probe requests from a client if the received signal
strength is less than the RSSI threshold specified here
• <-128--40> – Specify a value from -128 - -40.
Example
nx9500-6C8809(config-profile-testAP7161-if-radio1)#probe-response rate highest-basic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#probe-response retry
nx9500-6C8809(config-profile-testAP7161-if-radio1)#show context
interface radio1
probe-response rate highest-basic
Related Commands
radio-resource-measurement
Enables 802.11k radio resource measurement. When enabled, the radio station sends channel and
neighbor reports.
The IEEE 802.11 Task Group k defined a set of specifications regarding radio resource measurements.
These specifications specify the radio resources to be measured and the mechanism used to
communicate measurement requests and results.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
radio-resource-measurement [attenuation-threshold <1-199>|max-entries <1-12>]
Parameters
radio-resource-measurement [attenuation-threshold <1-199>|max-entries <1-12>]
Example
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#radio-resource-measurement attenuation-threshold 20
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#radio-resource-measurement max-entries 10
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#show context
interface radio1
radio-resource-measurement max-entries 10
radio-resource-measurement attenuation-threshold 20
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#
Related Commands
radio-share-mode
Configures the radio’s mode of operation as radio share. A radio operating in the radio share mode
services clients and also performs sensor functions (defined by the radio’s ADSP licenses and profiles).
Note
The sensor capabilities of the radio are restricted to the channel and WLANs defined on the
radio.
Syntax
radio-share-mode [inline|off|promiscuous]
Parameters
radio-share-mode [inline|off|promiscuous]
radio-share-mode Enables sharing of packets, switched by this radio, with the WIPS
sensor module. There are two radio-share modes: inline and
promiscuous.
inline Enables sharing of all WLAN packets (matching the BSSID of the
radio) serviced by the radio with the WIPS sensor module.
off Disables radio share (no packets shared with the WIPS sensor
module)
promiscuous Enables the promiscuous radio share mode. In this mode the radio
is configured to receive all packets on the channel irrespective of
whether the destination address is the radio or not, and shares
these packets with the WIPS sensor module for analysis (i.e.
without filtering based on BSSID).
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#radio-share-mode promiscuous
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
power 12
data-rates b-only
placement outdoor
mesh client
off-channel-scan channel-list 2.4GHz 1
preamble-short
guard-interval long
.........................................................
non-unicast queue bss 16 50
antenna-diversity
max-clients 100
radio-share-mode promiscuous
airtime-fairness prefer-ht weight 6
lock-rf-mode
extended-range 15
antenna-downtilt
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
no (radio-interface-config-command) on page 1227 Resets the radio share mode for this radio to its default
rate-selection
Syntax
rate-selection [opportunistic|standard]
Parameters
rate-selection [opportunistic|standard]
Example
nx9500-6C8809(config-profile-testAP8163-if-radio1)#rate-selection opportunistic
nx9500-6C8809(config-profile-testAP8163-if-radio1)#show context
interface radio1
rate-selection opportunistic
nx9500-6C8809(config-profile-testAP8163-if-radio1)#
Related Commands
rf-mode
This command sets the mode to either 2.4 GHz WLAN or 5.0 GHz WLAN support depending on the
radio’s intended client support. If you are currently licensed to use 4.9 GHz, configure the 4.9 GHz-
WLAN option.
Set the mode to sensor if using the radio for rogue device detection. The radio cannot support rogue
detection when one of the other radios is functioning as a WIPS sensor. To set a radio as a detector,
disable sensor support on the other access point radios.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
rf-mode [2.4GHz-wlan|4.9GHz-wlan|5GHz-wlan|bridge|scan-ahead|sensor]
Parameters
rf-mode [2.4GHz-wlan|4.9GHz-wlan|5GHz-wlan|bridge|scan-ahead|sensor]
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#rf-mode sensor
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
rf-mode sensor
placement outdoor
mesh client
off-channel-scan channel-list 2.4GHz 1
guard-interval long
aggregation ampdu tx-only
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
non-unicast tx-rate bss 1 dynamic-all
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
rifs
This value determines whether interframe spacing is applied to packets the access point transmits,
packets it receives, both, or neither. Interframe spacing is the interval between two consecutive
Ethernet frames; it enables a brief recovery between packets and allows target devices to prepare for
the reception of the next packet.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
rifs [none|rx-only|tx-only|tx-rx]
Parameters
rifs [none|rx-only|tx-only|tx-rx]
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#rifs tx-only
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
rf-mode sensor
placement outdoor
mesh client
off-channel-scan channel-list 2.4GHz 1
guard-interval long
aggregation ampdu tx-only
rifs tx-only
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
non-unicast tx-rate bss 1 dynamic-all
non-unicast tx-rate bss 2 highest-basic
non-unicast tx-rate bss 3 highest-basic
non-unicast tx-rate bss 4 highest-basic
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
rts-threshold
RTS is a transmitting station’s signal that requests a Clear To Send (CTS) response from a receiving
client. This RTS/CTS procedure clears the air where clients are contending for transmission time.
Benefits include fewer data collisions and better communication with nodes that are hard to find (or
hidden) because of other active nodes in the transmission path.
The RTS threshold controls RTS/CTS by initiating an RTS/CTS exchange for data frames larger than the
threshold, and sends (without RTS/CTS) any data frames smaller than the threshold.
Consider the trade-offs when setting an appropriate RTS threshold for the WLAN’s access point radios.
A lower RTS threshold causes more frequent RTS/CTS exchanges. This consumes more bandwidth
because of additional latency (RTS/CTS exchanges) before transmissions can commence. A
disadvantage is the reduction in data-frame throughput. An advantage is quicker system recovery from
electromagnetic interference and data collisions. Environments with more wireless traffic and
contention for transmission make the best use of a lower RTS threshold.
A higher RTS threshold minimizes RTS/CTS exchanges, consuming less bandwidth for data
transmissions. A disadvantage is less help to nodes that encounter interference and collisions. An
advantage is faster data-frame throughput. Environments with less wireless traffic and contention for
transmission make the best use of a higher RTS threshold.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
rts-threshold <0-65536>
Parameters
rts-threshold <0-65536>
rts-threshold <0-65536> Specify the RTS threshold value from 0 - 65536 bytes. The default is
65536 bytes.
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#rts-threshold 100
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
rf-mode sensor
placement outdoor
mesh client
rts-threshold 100
off-channel-scan channel-list 2.4GHz 1
guard-interval long
aggregation ampdu tx-only
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
rx-sensitivity-reduction
Allows you to set the selected radio's receive sensitivity reduction threshold level. This threshold
determines the RSSI (in dBm) at which the radio acknowledges the SOP (Start of Packet) frames
received from clients and begins to demodulate and decode the packets.
In highly dense environments, or single-channel networks, having two or more radios sharing a channel,
CCI (co-channel interference) adversely impacts network performance. By setting this threshold, you
can control the radio’s receive sensitivity to interference and noise, thereby reducing the impact of CCI.
You are basically configuring the AP to not decode packets that have a signal strength below the
specified threshold level.
The available rx-sensitivity-reduction threshold levels are: high, low, medium, and None. Refer to the
following table for rx-sensitivity-reduction threshold level to RSSI mapping for the 2.4 GHz and 5 GHz
bands:
Syntax
rx-sensitivity-reduction [high|low|medium|none]
Parameters
rx-sensitivity-reduction [high|low|medium|none]
rx-sensitivity-reduction [auto|high|low|medium] Sets the selected radio's receive sensitivity
reduction threshold level. The options are:
• high – Sets the threshold level as high. By setting the threshold
at high, you are forcing the radio to ignore all traffic having a
signal strength below the high threshold value. This results in
fewer traffic interruptions due to collision and Wi-Fi interference.
• low – Sets the threshold level as low.
• medium – Sets the threshold level as medium.
• none – Does not set a threshold. This option is applicable for
networks having minimal to no CCI.
Note:
The default setting is None.
Examples
ap8432-070235(config-device-74-67-F7-07-02-35-if-radio2)#rx-sensitivity-reduction high
ap8432-070235(config-device-74-67-F7-07-02-35-if-radio2)#show context
interface radio2
wlan test bss 1 primary
rx-sensitivity-reduction high
ap8432-070235(config-device-74-67-F7-07-02-35-if-radio2)#
Related Commands
service
Enables dynamic control function. This dynamic function controls performance of the radio receiver's
LNAs (low noise amplifiers).
When enabled, the control function, in the presence of very strong received signals, improves the
receiver’s performance on radio 1. Strong signals are caused if the distance between the WiFi client and
the AP is within two (2) meters. When disabled, the control function is a useful debug tool in case the
uplink throughput is less than expected and the AP-to-client separation is greater than two (2) meters.
Disabling the control function does not affect the receive sensitivity of the radio.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
service radio-lna [agc|ms]
Parameters
service radio-lna [agc|ms]
Example
nx9500-6C8809(config-profile-testAP6522-if-radio1)#service radio-lna ms
nx9500-6C8809(config-profile-testAP6522-if-radio1)#show context
interface radio1
service radio-lna ms
nx9500-6C8809(config-profile-testAP6522-if-radio1)#
Related Commands
shutdown
Syntax
shutdown
Parameters
None
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#shutdown
Related Commands
smart-rf
Overrides Smart RF channel width setting on this radio. When configured, the radio overrides the Smart
RF selected channel setting and operates in the channel configured using this command.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
smart-rf preferred-channel-width [20MHz|40MHz|80MHz]
Parameters
smart-rf preferred-channel-width [20MHz|40MHz|80MHz]
smart-rf preferred-channel-width [20MHz|40MHz|80MHz] Configures the preferred channel width. The options are:
• 20MHz – Sets 20 MHz as the preferred channel of operation
• 40MHz – Sets 40 MHz as the preferred channel of operation
• 80MHz – Sets 80 MHz as the preferred channel of operation (default setting)
Example
nx9500-6C8809(config-profile-testAP7161-if-radio1)#smart-rf preferred-channel-width 40MHz
nx9500-6C8809(config-profile-testAP7161-if-radio1)#show context
interface radio1
smart-rf preferred-channel-width 40MHz
rate-selection opportunistic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#
Related Commands
sniffer-redirect
Syntax
sniffer-redirect [omnipeek|tzsp] <IP> channel [1|10|100|100w --------] {snap <1-65535> (append descriptor)}
Parameters
sniffer-redirect [omnipeek|tzsp] <IP> channel [1|10|100|100w ---------] {snap <1-65535> (append descriptor)}
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#sniffer-redirect omnipeek 172.16.10.1 channel 1
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
rf-mode sensor
placement outdoor
mesh client
rts-threshold 100
Related Commands
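The mesh psk, off-channel-scan sniffer-redirect and sniffer-redirect settings documented above all leave lines in a radio's configuration listing that deserve a look in a configuration review: a pre-shared key entered as clear text, and frame copies sent to an external IP address. The script below is an added example, not part of the Extreme Networks guide; the sample listing is constructed, and the way `mesh psk` lines are rendered, the treatment of a bare <LINE> key as clear text, and the `approved_collectors` allowlist are assumptions.

```python
import ipaddress
import re
from typing import NamedTuple


class Finding(NamedTuple):
    interface: str
    rule: str
    detail: str


# Constructed sample shaped like the `show context` listings in this guide.
# Assumption: `mesh psk` and `off-channel-scan sniffer-redirect` are rendered
# the way their Syntax sections are typed; the keys and 172.16.10.9 are made up.
SAMPLE_CONTEXT = """\
interface radio1
 rf-mode sensor
 mesh client
 mesh psk 0 short
 sniffer-redirect omnipeek 172.16.10.1 channel 1
--More--
interface radio2
 mesh portal
 mesh psk 2 CONSTRUCTED-ENCRYPTED-PLACEHOLDER
 off-channel-scan sniffer-redirect tzsp 172.16.10.9
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#")           # CLI prompt, with or without a command
IFACE = re.compile(r"interface (radio\d+)")
MESH_PSK = re.compile(r"mesh psk (?:([02]) )?(.+)")     # optional 0/2 form, then the key
REDIRECT = re.compile(r"(?:off-channel-scan )?sniffer-redirect (omnipeek|tzsp) (\S+)")


def split_interfaces(text):
    """Group configuration lines under their 'interface radioN' header."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, pager residue, elision dots and prompt lines.
        if not line or line == "--More--" or set(line) == {"."} or PROMPT.match(line):
            continue
        header = IFACE.fullmatch(line)
        if header:
            current = header.group(1)
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_line(iface, line, approved):
    """Return the findings raised by one configuration line."""
    findings = []
    psk = MESH_PSK.fullmatch(line)
    if psk:
        form, key = psk.groups()
        if form != "2":  # form 0, or a bare <LINE> (assumed to be clear text)
            findings.append(Finding(iface, "mesh-psk-cleartext",
                                    "pre-shared key is readable in the configuration"))
            if not 8 <= len(key) <= 64:
                findings.append(Finding(iface, "mesh-psk-length",
                                        f"key is {len(key)} characters; the guide asks for 8 - 64"))
    redirect = REDIRECT.match(line)
    if redirect:
        tool, dest = redirect.groups()
        try:
            address = ipaddress.ip_address(dest)
        except ValueError:
            findings.append(Finding(iface, "redirect-bad-ip",
                                    f"{tool} destination {dest!r} is not an IP address"))
        else:
            if address not in approved:
                findings.append(Finding(iface, "redirect-unapproved",
                                        f"frames are copied via {tool} to {address}"))
    return findings


def audit(text, approved_collectors=()):
    """Audit every radio interface block; approved_collectors lists allowed capture hosts."""
    approved = {ipaddress.ip_address(a) for a in approved_collectors}
    findings = []
    for iface, lines in split_interfaces(text).items():
        for line in lines:
            findings.extend(audit_line(iface, line, approved))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONTEXT, approved_collectors=["172.16.10.1"]):
        print(f"{f.interface}: [{f.rule}] {f.detail}")
```

Run it against saved configuration text with the capture hosts your team operates passed as `approved_collectors`; anything it prints is a line to confirm with whoever owns the profile.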
stbc
Configures the radio’s STBC (Space Time Block Coding) mode. STBC is a pre-transmission encoding
scheme providing an improved SNR (even at a single RF receiver). STBC transmits multiple data
stream copies across multiple antennas. The receiver combines the copies into one to retrieve data from
the signal. These transmitted data versions provide redundancy to increase the odds of receiving data
streams with a good data decode (especially in noisy environments).
Note
STBC requires that the radio has at least two antennas with the capability to transmit two streams.
If the antenna mode is configured to 1x1 (or falls back to 1x1 for some reason), STBC support is
automatically disabled.
Syntax
stbc [auto|none|tx-only]
Parameters
stbc [auto|none|tx-only]
Example
nx9500-6C8809(config-profile-81xxTestProfile-if-radio1)#stbc tx-only
rfs6000-37FABE(config-profile-81xxTestProfile-if-radio1)#show context
interface radio1
stbc tx-only
nx9500-6C8809(config-profile-81xxTestProfile-if-radio1)#
Related Commands
transmit-beamforming
Enables transmit beamforming on this radio interface. This option is disabled by default.
When enabled, this option steers signals to peers in a specific direction to enhance signal strength and
improve throughput amongst meshed devices (not clients). Each access point radio supports up to 16
beamforming capable mesh peers. When enabled, a beamformer steers its wireless signals to its peers.
A beamformee device assists the beamformer with channel estimation by providing a feedback matrix.
The feedback matrix is a set of values sent by the beamformee to assist the beamformer in computing a
steering matrix. A steering matrix is an additional set of values used to steer wireless signals at the
beamformer so constructive signals arrive at the beamformee for better SNR and throughput. Any
beamforming capable mesh peer connecting to a radio whose capacity is exhausted cannot enable
beamforming itself.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
transmit-beamforming
Parameters
None
Example
nx9500-6C8809(config-profile-testAP8163-if-radio1)#transmit-beamforming
Related Commands
use
Applies an association ACL policy and a radio QoS policy on this radio interface
An association ACL is a policy-based ACL that either prevents or allows wireless clients from connecting
to a controller managed access point radio. An ACL is a sequential collection of permit and deny
conditions that apply to controller packets. When a packet is received on an interface, the controller
compares the fields in the packet against any applied ACLs to verify the packet has the required
permissions to be forwarded, based on the criteria specified in the access lists. If a packet does not
meet any of the criteria specified in the ACL, the packet is dropped.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
use [association-acl-policy|radio-qos-policy]
use [association-acl-policy <ASSOC-ACL-POLICY-NAME>|radio-qos-policy <RADIO-QOS-POLICY-NAME>]
Parameters
use [association-acl-policy <ASSOC-ACL-POLICY-NAME>|radio-qos-policy <RADIO-QOS-POLICY-NAME>]
use – Applies an association ACL policy and a radio QoS policy on this radio interface
association-acl-policy – Uses a specified association ACL policy with this radio interface
• <ASSOC-ACL-POLICY-NAME> – Specify the association ACL policy name (should be existing and
fully configured).
radio-qos-policy – Uses a specified radio QoS policy with this radio interface
• <RADIO-QOS-POLICY-NAME> – Specify the radio QoS policy name (should be existing and fully
configured).
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#use association-acl-policy test
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
rf-mode sensor
placement outdoor
mesh client
rts-threshold 100
off-channel-scan channel-list 2.4GHz 1
guard-interval long
aggregation ampdu tx-only
rifs tx-only
use association-acl-policy test
sniffer-redirect omnipeek 172.16.10.1 channel 1
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
no (radio-interface-config-command) on page 1227 Dissociates the specified association ACL policy
and radio QoS policy
wips
Enables the access point to change its channel of operation in order to terminate rogue devices. The
radio should be configured to provide WLAN service.
Syntax
wips airtime-termination allow-channel-change
Parameters
wips airtime-termination allow-channel-change
wips airtime-termination allow-channel-change – Enables access point to change its channel of
operation (to that of the rogue device) in order to terminate the rogue device
Example
nx9500-6C8809(config-profile-testAP8163-if-radio1)#wips air-termination allow-channel-change
Related Commands
wireless-client
Syntax
wireless-client tx-power [<0-20>|mode]
wireless-client tx-power <0-20>
wireless-client tx-power mode [802.11d {wing-ie}|wing-ie {802.11d}]
Parameters
wireless-client tx-power <0-20>
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#wireless-client tx-power 20
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
rf-mode sensor
placement outdoor
mesh client
rts-threshold 100
wireless-client tx-power 20
off-channel-scan channel-list 2.4GHz 1
guard-interval long
aggregation ampdu tx-only
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
wlan
Use this command to configure WLAN/BSS mappings for an existing access point deployment.
Administrators can assign each WLAN its own BSSID. If using a single-radio access point, there are 8
BSSIDs available. If using a dual-radio access point there are 8 BSSIDs for the 802.11b/g/n radio and 8
BSSIDs for the 802.11a/n radio.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
wlan <WLAN-NAME> {bss|primary}
wlan <WLAN-NAME> {bss <1-16>} {primary}
Parameters
wlan <WLAN-NAME> {bss <1-16>} {primary}
<WLAN-NAME> {bss <1-16> | primary} – Specify the WLAN name (it must have been already created
and configured)
• bss <1-16> – Optional. Specifies a BSS for the radio to map the WLAN
◦ <1-16> – Specify the BSS number from 1 - 16.
▪ primary – Optional. Uses the specified WLAN as the primary WLAN, when multiple WLANs exist
on the BSS
• primary – Optional. Uses the specified WLAN as the primary WLAN, when multiple WLANs exist on
the BSS
Example
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#wlan TestWLAN primary
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
rf-mode sensor
placement outdoor
mesh client
rts-threshold 100
wireless-client tx-power 20
wlan TestWLAN bss 1 primary
off-channel-scan channel-list 2.4GHz 1
guard-interval long
aggregation ampdu tx-only
rifs tx-only
use association-acl-policy test
sniffer-redirect omnipeek 172.16.10.1 channel 1
aeroscout forward
ekahau forward ip 172.16.10.1 port 3
non-unicast tx-rate bss 1 dynamic-all
non-unicast tx-rate bss 2 highest-basic
--More--
nx9500-6C8809(config-profile-71xxTestProfile-if-radio1)#
Related Commands
interface-config-wwan-instance
A Wireless Wide Area Network (WWAN) card is a specialized network interface card that allows a
device to connect, transmit and receive data over a Cellular Wide Area Network. The RFS4000 and
RFS6000 each have a PCI Express card slot that supports 3G WWAN cards. The WWAN card uses point
to point protocol (PPP) to connect to the Internet Service Provider (ISP) and gain access to the Internet.
PPP is the protocol used for establishing Internet links over dial-up modems, DSL connections, and
many other types of point-to-point communications. PPP packages your system’s TCP/IP packets and
forwards them to the serial device where they can be put on the network. PPP is a full-duplex protocol
that can be used on various physical media, including twisted pair or fiber optic lines or satellite
transmission. It uses a variation of High Speed Data Link Control (HDLC) for packet encapsulation.
To switch to the WWAN Interface configuration mode, use the following command:
<DEVICE>(config)#profile <DEVICE-TYPE> <DEVICE-PROFILE-NAME>
<DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#interface wwan1
<DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#?
Interface configuration commands:
apn Enter the access point name provided by the service provider
auth-type Type of authentication, Eg chap, pap
crypto Encryption Module
description Port description
ip Internet Protocol (IP)
no Negate a command or set its defaults
password Enter password provided by the service provider
shutdown Disable wireless wan feature
use Set setting to use
username Enter username provided by the service provider
<DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#
Commands Description
apn on page 1258 Configures the access point’s name provided by the service provider
auth-type on page 1258 Configures the authentication types used on this interface
crypto on page 1259 Associates a crypto map with this interface
ip on page 1260 Associates an IP ACL with this interface
no on page 1261 Removes or reverts the WWAN interface settings
password on page 1262 Configures a password for this WWAN interface
use on page 1264 Associates an IP ACL with this interface
username on page 1264 Configures the names of users accessing this interface
apn
Configures the cellular data provider’s name. This setting is needed in areas with multiple cellular data
providers using the same protocols, such as Europe and Asia.
Supported in the following platforms:
• Access Point — AP8163
• Wireless Controllers — RFS4010
Syntax
apn <WORD>
Parameters
apn <WORD>
apn <WORD> Specify the name of the cellular data service provider.
Example
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#apn AT&T
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#show context
interface wwan1
apn AT&T
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#
Related Commands
auth-type
Syntax
auth-type [chap|mschap|mschap-v2|pap]
Parameters
auth-type [chap|mschap|mschap-v2|pap]
Example
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#auth-type mschap-v2
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#show context
interface wwan1
apn AT&T
auth-type mschap-v2
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#
Related Commands
crypto
Syntax
crypto map <CRYPTO-MAP-NAME>
Parameters
crypto map <CRYPTO-MAP-NAME>
Example
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#crypto map test
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#show context
interface wwan1
apn AT&T
auth-type mschap-v2
Related Commands
no on page 1261 Removes the crypto map associated with this interface
ip
Syntax
ip [default-gateway|nat]
ip nat [inside|outside]
Parameters
ip default-gateway priority <1-8000>
ip nat [inside|outside]
Example
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#show context
interface wwan1
apn AT&T
auth-type mschap-v2
crypto map test
ip nat inside
ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#
Related Commands
no
no [all|apn|auth-type|description|password|shutdown|username]
no crypto map
no ip [default-gateway priority|nat]
no use ip-access-list in
Parameters
no <PARAMETERS>
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same
parameters associated with the command getting negated.
Example
The following example displays the WWAN interface settings before the ‘no’ commands are executed:
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#show context
interface wwan1
apn AT&T
auth-type mschap-v2
crypto map test
ip nat inside
ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#no apn
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#no auth-type
The following example displays the WWAN interface settings after the ‘no’ commands are executed:
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#show context
interface wwan1
crypto map test
ip nat inside
ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#
password
Configures a password for this WWAN interface. The configured value is used for authentication
support by the cellular data carrier.
Syntax
password [2 <WORD>|<WORD>]
Parameters
password [2 <WORD>|<WORD>]
Example
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#password 2 TechPubsTesting@123
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#show context
interface wwan1
password TechPubsTesting@123
crypto map test
ip nat inside
ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#
Related Commands
shutdown
Shuts down this WWAN interface. Use the no → shutdown command to re-start the WWAN interface.
Supported in the following platforms:
• Access Point — AP8163
• Wireless Controllers — RFS4010
Syntax
shutdown
Parameters
None
Example
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#shutdown
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#show context
interface wwan1
shutdown
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#
Related Commands
use
Associates an IP ACL with this interface. The ACL should be existing and configured.
The ACL applies an IP based firewall to all incoming packets. The ACL identifies a single IP or a range of
IPs that are to be allowed or denied access on this interface.
Supported in the following platforms:
• Access Point — AP8163
• Wireless Controllers — RFS4010
Syntax
use ip-access-list in <ACCESS-LIST-NAME>
Parameters
use ip-access-list in <ACCESS-LIST-NAME>
use ip-access-list in <ACCESS-LIST-NAME> – Associates an inbound IPv4 ACL with this interface. This
setting applies to IPv4 inbound traffic only and not IPv6 traffic. IPv4 operates as a best effort
delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or avoid
duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local
connectivity.
• <ACCESS-LIST-NAME> – Specify the IP ACL name.
Example
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#use ip-access-list in test
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#show context
interface wwan1
password TechPubsTesting@123
crypto map test
ip nat inside
use ip-access-list in test
ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#
Related Commands
username
Syntax
username <WORD>
Parameters
username <WORD>
username <WORD> Configures the username for authentication support by the cellular
data carrier
• <WORD> – Specify the username (should not exceed 32
characters).
Example
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#username TechPubsUser1
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#show context
interface wwan1
username TechPubsUser1
password TechPubsTesting@123
crypto map test
ip nat inside
use ip-access-list in test
ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#
Related Commands
interface-config-bluetooth-instance
WiNG access points utilize a built-in Bluetooth chip for specific Bluetooth functional behaviors in a
WiNG managed network. The AP8432 and AP8533 models support both Bluetooth classic and
Bluetooth low energy (BLE) technology. These platforms use their Bluetooth classic enabled radio to
sense other Bluetooth enabled devices and report device data (MAC address, RSSI and device calls) to
an ADSP server for intrusion detection. If the device presence varies in an unexpected manner, ADSP
can raise an alarm.
Note
AP8132 model access points support an external USB Bluetooth radio providing ADSP
Bluetooth classic sensing functionality only, not the BLE beaconing functionality available for
AP8432 and AP8533 model access points described in this section.
WiNG access points support Bluetooth beaconing to emit either iBeacon or Eddystone-URL beacons.
The access point’s Bluetooth radio sends non-connectable, undirected low-energy (LE) advertisement
packets periodically. These advertisement packets are short and sent on Bluetooth advertising channels
that conform to already-established iBeacon and Eddystone-URL standards. However, portions of the
advertising packet are customizable via the Bluetooth radio interface configuration context.
<DEVICE>(config-profile-default-ap8432)#interface bluetooth ?
<1-1> Bluetooth interface index?
The following example uses the default-ap8432 profile instance to configure the Bluetooth radio
interface:
nx9500-6C8809(config-profile-default-ap8432)#interface bluetooth 1
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#?
Bluetooth Radio Mode commands:
beacon Configure low-energy beacon operation parameters
description Configure a description for this bluetooth radio
eddystone Configure eddystone beacon payload parameters
ibeacon Configure iBeacon beacon payload parameters
mode Set the bluetooth operation mode
no Negate a command or set its defaults
shutdown Shutdown the selected bluetooth radio interface
tron Tron-tracking
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Commands Description
beacon on page 1266 Configures the Bluetooth radio’s beacon’s emitted transmission pattern
description on page 1269 Configures a description for the Bluetooth radio interface
eddystone on page 1269 Configures Eddystone beacon payload parameters. Configure these parameters
if the operational mode is set to ‘le-beacon’ and the beacon transmission pattern is set to
‘eddystone-url1’ or ‘eddystone-url2’.
ibeacon on page 1271 Configures iBeacon beacon payload parameters. Configure these parameters if
the operational mode is set to ‘le-beacon’ and the beacon transmission pattern is set to ‘ibeacon’.
mode on page 1272 Configures the Bluetooth radio’s mode of operation
shutdown on page 1273 Shuts down the selected Bluetooth radio interface
tron on page 1274 Configures parameters that enable TRON tracking and reporting on this Bluetooth
radio
no (bluetooth-inf-config-command) on page 1279 Removes or reverts to default this Bluetooth radio
interface’s settings
beacon
Configures the Bluetooth radio’s beacon’s emitted transmission pattern for Bluetooth radios functioning
in the low energy beacon (le-beacon) mode. This option is applicable only if the Bluetooth radio’s
operational mode is set to le-beacon.
Supported in the following platforms:
• Access Points — AP7602, AP7612, AP7622, AP7632, AP7662, AP8163, AP8432, AP8533
Syntax
beacon [pattern|period|txpower]
Parameters
beacon pattern [eddystone-url1|eddystone-url2|ibeacon]
beacon pattern [eddystone-url1|eddystone-url2|ibeacon] – When the beacon mode is set to
‘le-beacon’, use this command to configure the Bluetooth radio’s beacon’s emitted transmission
pattern. Select one of the following beacon patterns:
• eddystone-url1 – Transmits an Eddystone-URL beacon using URL 1. This is the default setting.
• eddystone-url2 – Transmits an Eddystone-URL beacon using URL 2
beacon period <100-10000> – Configures the Bluetooth radio’s beacon transmission period, in
milliseconds, from 100 - 10000. As the defined period increases, so does the CPU processing time
and the number of packets incrementally transmitted (typically one per minute).
• <100-10000> – Specify a value from 100 - 10000 milliseconds. The default value is 1000
milliseconds.
beacon txpower <-15-6> – Configures the Bluetooth radio’s le-beacon transmit power. This
determines how far a beacon can transmit data.
• <-15-6> – Specify a value from -15 - -6 dBm. The default value is -10 dBm.
Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#beacon pattern eddystone-url2
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
interface bluetooth1
shutdown
description AP8432-BLE-Radio1
mode le-beacon
beacon pattern eddystone-url2
beacon period 900
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Related Commands
description
Configures a description for the Bluetooth radio interface, differentiating it from other Bluetooth
supported radios within the same RF Domain.
Supported in the following platforms:
• Access Points — AP7602, AP7612, AP7622, AP7632, AP7662, AP8163, AP8432, AP8533
Syntax
description <WORD>
Parameters
description <WORD>
Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#description AP8432-BLE-Radio1
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
interface bluetooth1
shutdown
description AP8432-BLE-Radio1
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Related Commands
eddystone
Configures Eddystone beacon payload parameters. Configure these parameters only if the Bluetooth
radio interface’s operational mode is set to ‘le-beacon’, and the beacon’s emitted transmission pattern is
set to either ‘eddystone-url1’ or ‘eddystone-url2’.
Supported in the following platforms:
• Access Points — AP7602, AP7612, AP7622, AP7632, AP7662, AP8163, AP8432, AP8533
Syntax
eddystone [calibration-rssi <-127-127>|url [1|2] <WORD>]
Parameters
eddystone [calibration-rssi|url [1|2] <WORD>]
eddystone [calibration-rssi <-127-127>|url [1|2] <WORD>] – If the beacon transmission pattern has
been set to either ‘eddystone-url1’ or ‘eddystone-url2’, configure the following Eddystone
parameters:
• calibration-rssi – Configures the Eddystone beacon measured calibration signal strength, from
-127 to 127 dBm, at 0 meters. Mobile devices can approximate their distance to beacons based on
received signal strength. However, distance readings can fluctuate since they depend on several
external factors. The closer you are to a beacon, the more accurate the reported distance. This
setting is the projected calibration signal strength at 0 meters.
◦ <-127-127> – Specify a value from -127 - 127 dBm. The default value is -19 dBm.
• url [1|2] <WORD> – Configures the Eddystone URL as URL1 or URL2
◦ 1 – Selects the Eddystone URL number 1
◦ 2 – Selects the Eddystone URL number 2
The following keyword is common to the ‘eddystone-url1’ and ‘eddystone-url2’ keywords:
• <WORD> – Enter a 64 character maximum eddystone-URL1/eddystone-URL2. The URL must be 18
characters or less once auto-encoding is applied. URL encoding is used when placing text in a
query string to avoid confusion with the URL itself. It is typically used when a browser sends
data to a Web server.
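The two length limits on <WORD> can be checked before a URL is pushed to a profile. The following is an added example, not code from this guide or from WiNG: it applies the prefix and suffix compression defined by the Eddystone-URL frame format and compares the result with the 64 and 18 character limits stated above. The function names, and counting the scheme byte toward the 18, are assumptions.

```python
"""Pre-check Eddystone-URL values before configuring 'eddystone url [1|2] <WORD>'."""

# One-byte scheme prefix codes from the Eddystone-URL frame format.
SCHEME_PREFIXES = (
    ("http://www.", 0x00),
    ("https://www.", 0x01),
    ("http://", 0x02),
    ("https://", 0x03),
)
# The index in this tuple is the one-byte expansion code. The slash variants
# come first so the longer token wins when both would match.
EXPANSIONS = (
    ".com/", ".org/", ".edu/", ".net/", ".info/", ".biz/", ".gov/",
    ".com", ".org", ".edu", ".net", ".info", ".biz", ".gov",
)

MAX_CLI_CHARS = 64  # limit on <WORD> stated in this guide
MAX_ENCODED = 18    # limit after encoding stated in this guide
                    # (assumption: the scheme byte counts toward it)


def encode_eddystone_url(url: str) -> bytes:
    """Return the scheme byte followed by the compressed URL body."""
    for prefix, code in SCHEME_PREFIXES:
        if url.startswith(prefix):
            out = bytearray([code])
            rest = url[len(prefix):]
            break
    else:
        raise ValueError("URL must start with http:// or https://")
    if not rest:
        raise ValueError("URL has no host part")
    i = 0
    while i < len(rest):
        for code, token in enumerate(EXPANSIONS):
            if rest.startswith(token, i):
                out.append(code)
                i += len(token)
                break
        else:
            ch = ord(rest[i])
            # Only printable, non-space ASCII may appear as a literal byte.
            if not 0x21 <= ch <= 0x7E:
                raise ValueError(f"character {rest[i]!r} cannot be encoded")
            out.append(ch)
            i += 1
    return bytes(out)


def check_url(url: str) -> dict:
    """Report whether a candidate URL fits both limits, and why not if it fails."""
    problems = []
    if len(url) > MAX_CLI_CHARS:
        problems.append(f"{len(url)} characters exceeds the CLI limit of {MAX_CLI_CHARS}")
    try:
        encoded = encode_eddystone_url(url)
    except ValueError as exc:
        problems.append(str(exc))
        return {"url": url, "encoded_len": None, "ok": False, "problems": problems}
    if len(encoded) > MAX_ENCODED:
        problems.append(f"encodes to {len(encoded)} bytes, limit is {MAX_ENCODED}")
    return {"url": url, "encoded_len": len(encoded), "ok": not problems,
            "problems": problems}


if __name__ == "__main__":
    # Constructed candidate values, for illustration only.
    for candidate in (
        "https://www.example.com/",
        "https://goo.gl/Aq18zF",
        "https://www.example.com/a/very/long/path/here",
        "https://example.com/a b",
    ):
        print(check_url(candidate))
```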
Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#eddystone calibration-rssi -120
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
interface bluetooth1
shutdown
description AP8432-BLE-Radio1
mode le-beacon
beacon pattern eddystone-url2
beacon period 900
eddystone calibration-rssi -120
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Related Commands
no (bluetooth-inf-config-command) on page 1279 Removes or reverts to default this Bluetooth radio’s
Eddystone beacon payload configurations
ibeacon
Configures iBeacon beacon payload parameters. Configure these parameters only if the Bluetooth radio
interface’s operational mode is set to ‘le-beacon’, and the beacon’s emitted transmission pattern is set
to ‘ibeacon’.
Supported in the following platforms:
• Access Points — AP7602, AP7612, AP7622, AP7632, AP7662, AP8163, AP8432, AP8533
Syntax
ibeacon [calibration-rssi <-127-127>|major <0-65535>|minor <0-65535>|uuid <WORD>]
major <0-65535> Configures the iBeacon Major value from 0 - 65535. Major values
identify and distinguish groups. For example, each beacon on a
specific floor in a building could be assigned a unique major value.
• <0-65535> – Specify a value from 0 - 65535. The default value is
1111.
minor <0-65535> Configures the iBeacon Minor value from 0 - 65535. Minor values
identify and distinguish individual beacons. Minor values help
identify individual beacons within a group of beacons assigned a
major value. The default setting is 2,222.
• <0-65535> – Specify a value from 0 - 65535. The default value is
2222.
Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon calibration-rssi -70
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon major 1110
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon minor 2210
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
interface bluetooth1
shutdown
mode le-beacon
beacon pattern ibeacon
ibeacon calibration-rssi -70
ibeacon major 1110
ibeacon minor 2210
ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Related Commands
mode
Configures the Bluetooth radio's mode of operation as bt-sensor, le-beacon, le-sensor, or tron-tracking.
Supported in the following platforms:
• Access Points — AP7602, AP7612, AP7622, AP7632, AP7662, AP8163, AP8432, AP8533
Syntax
mode [bt-sensor|le-beacon|le-sensor|tron-tracking]
Parameters
mode [bt-sensor|le-beacon|le-sensor|tron-tracking]
Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#mode le-beacon
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
interface bluetooth1
shutdown
mode le-beacon
beacon pattern ibeacon
ibeacon calibration-rssi -70
ibeacon major 1110
ibeacon minor 2210
ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Related Commands
shutdown
Syntax
shutdown
Parameters
None
Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#shutdown
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
interface bluetooth1
shutdown
mode le-beacon
beacon pattern ibeacon
ibeacon calibration-rssi -70
ibeacon major 1110
ibeacon minor 2210
ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Related Commands
tron
Sets the configurations required by the TRON-capable, WiNG APs to start TRON-tracking and
reporting.
Note
TRON is a licensed feature, designed specifically for FedEx. The TRON license can be applied
on the NX5000, NX7500, NX9500, NX9600, and VX9000 platforms.
TRON is a proprietary FedEx BLE asset tracking application that tracks tagged packages moving
through a distribution center. It is a multi-tier application consisting of the following elements:
• The “ID Nodes” – These are small, battery-powered Bluetooth Low Energy (BLE) devices attached to
FedEx packages. Each ID Node (also called tag) is uniquely identified by its Bluetooth device
address. The ID Node sends out BLE advertisements, with a payload containing information about
the state and configuration of the ID Node.
• The FMN (Fixed Master Node) – This is a functionality running on the TRON-capable, WiNG AP. The
FMN listens for BLE advertisements beaconed by the ID Nodes. When the FMN senses an ID Node, it
records the state and condition of the ID Node in an internal table. At regular intervals, the FMN
reviews this table and reports interesting information about the ID Nodes to the FedEx backend
server.
The FMN also connects to an ID Node to read/write arbitrary Generic Attribute Profile (GATT)
attributes, as instructed by the back-end server.
All communication between the FMN and the backend server is through the MQTT Broker. The FMN
and FedEx backend server are the clients (publisher and subscriber) of the MQTT Broker. They
communicate by publishing/subscribing to topics they have agreed upon in advance. The FMN and
server can both publish and subscribe to messages on the pre-defined topics.
To enable TRON tracking, you will need a controller with the TRON license applied and TRON-capable
APs adopted to this controller. However, to turn on the TRON capabilities on a WiNG AP, the
following two things are needed:
• The adopting controller must explicitly ‘give permission’ to the AP to enable the TRON feature. For
this, the controller must have the TRON license applied on it. For more information on applying the
TRON license, see license on page 1400.
• The AP should have the ‘initial configurations’ set in its Bluetooth interface context. Use this
command to set these initial configurations.
Note
Before setting the initial configurations, set the AP’s bluetooth radio mode to tron-tracking.
For more information, see mode on page 1272.
Syntax
tron [delete-operating-config-on-start|ignore-mqtt-truststore|initial-config|reconstruct-nodetype-db-on-start]
tron delete-operating-config-on-start
tron ignore-mqtt-truststore
tron initial-config mqtt [client-prefix <WORD>|password <WORD>|port <1025-65535>|server [<IP>|<HOST-NAME>]|topic-publish-prefix <LINE>|topic-subscribe-prefix <LINE>|username <WORD>]
tron reconstruct-nodetype-db-on-start
Parameters
tron delete-operating-config-on-start
tron delete-operating-config-on-start – Enables the TRON software, on the AP, to delete the TRON
“operating configuration” before starting any other TRON operations. Issue this command only if
you wish to reload the operating configuration from the provisioning server.
When the TRON software on an AP comes up for the first time, it uses the "initial-configuration" to
connect with the backend provisioning server and download the operating configuration. This
operating configuration is stored in the AP’s file system. The configuration persists across TRON
enables/disables and across AP reboots. In case the "operating configuration" has been
misconfigured, the only means to delete it is by using this command. When issued, the command
deletes the operating configuration. After the deletion, the AP uses the “initial configuration” to
connect to the provisioning server through the MQTT broker and download the operating
configuration.
However, if you execute this command while the TRON software is already up and running, it will
have no effect until you restart the TRON.
Note:
Once the TRON software has obtained a new operating
configuration and reconnected to the MQTT Broker, issue the no →
tron delete-operating-config-on-start command to
retain the new operating configuration across reboots and enable/
disable operations.
Note:
To view the operating configuration, execute the show → tron →
operating-configuration → {on <AP-NAME>}
command. For more information, see tron (show command) on
page 914.
tron ignore-mqtt-truststore
tron ignore-mqtt-truststore Enable this option to force the MQTT functionality on the AP to use
URIs beginning with tcp: and not ssl:
When enabled, the TRON software, on starting up, ignores existing
MQTT truststore (aka, certificate file), and uses a URI that begins
with tcp: instead of ssl:
Note:
However, if you execute this command while the TRON software is
already up and running, it will have no effect until you restart the
TRON. This parameter is not mandatory, and is disabled by default.
tron initial-config mqtt Sets the initial configurations required by the TRON-capable, WiNG
AP to recognize and associate with the MQTT Broker for the first
time. After associating with the Broker, the FMN functionality on the
WiNG AP begins exchanging messages with the FedEx backend
server. This FedEx backend server downloads an operating
configuration to the AP.
Note:
The initial configurations are mandatory. However, once the AP is
provisioned with the FedEx proprietary operating configuration, the
initial configuration is ignored. To view the operating configuration,
execute the show → tron → operating-configuration →
{on <AP-NAME>} command. For more information, see tron
(show command) on page 914.
Note:
The FMN also connects to an ID Node to read/write arbitrary GATT
attributes, as instructed by the back-end server.
Note:
The default value is ‘FMN’.
password <WORD> Configures the password required to authenticate with the MQTT
Broker. You will need a username/password combination in order
for the FMN to authenticate and associate with the MQTT Broker.
Use the ‘username’ and ‘password’ options to specify the username
and password respectively.
• <WORD> – Specify the password either as clear text or as encrypted text. In case of clear text,
the password should not exceed 32 characters in length.
Note:
The password is displayed as clear or encrypted text depending on
whether or not ‘password encryption’ has been enabled on the AP.
For more information on enabling password-encryption, see
password-encryption on page 535.
port <1025-65535> Configures the port on which the MQTT Broker is reachable
• <1025-65535> – Provide the port number from 1025 - 65535.
Note:
The default value is 61613.
server [<IP>|<HOST-NAME>] Identifies the MQTT server either by its IP address or hostname. This
is the server hosting the MQTT Broker.
• <IP> – Provide the server’s IP address in the A.B.C.D format.
• <HOST-NAME> – Provide the server’s hostname.
Note:
The input should not exceed 255 characters in length.
topic-publish-prefix <LINE> Configures the prefix of the topic published by the FMN
• <LINE> – Specify the publish topic prefix.
Note:
The input should not exceed 255 characters in length.
topic-subscribe-prefix <LINE> Configures the prefix of the topic subscribed by the FMN
• <LINE> – Specify the subscribe topic prefix.
Note:
The input should not exceed 255 characters in length.
username <WORD> Configures the username required to authenticate with the MQTT
Broker. You will need a username/password combination in order
for the FMN to authenticate and associate with the MQTT Broker.
Use the ‘username’ and ‘password’ options to specify the username
and password respectively.
Note:
The username should not exceed 32 characters in length.
tron reconstruct-nodetype-db-on-start
Note:
This parameter is not mandatory, and is disabled by default.
Examples
NOC-NX9500(config-profile-test8533-if-bluetooth1)#tron initial-config mqtt client-prefix fmn
NOC-NX9500(config-profile-test8533-if-bluetooth1)#tron initial-config mqtt server 1.2.3.4
NOC-NX9500(config-profile-test8533-if-bluetooth1)#tron initial-config mqtt topic-publish-prefix idnodes
NOC-NX9500(config-profile-test8533-if-bluetooth1)#tron initial-config mqtt topic-subscribe-prefix idnodes
NOC-NX9500(config-profile-test8533-if-bluetooth1)#tron initial-config mqtt username fmn
NOC-NX9500(config-profile-test8533-if-bluetooth1)#show context
interface bluetooth1
shutdown
mode tron-tracking
tron initial-config mqtt server 1.2.3.4
tron initial-config mqtt username fmn
tron initial-config mqtt password 0 fmn@1234
tron initial-config mqtt client-prefix fmn
tron initial-config mqtt topic-publish-prefix idnodes
tron initial-config mqtt topic-subscribe-prefix idnodes
NOC-NX9500(config-profile-test8533-if-bluetooth1)#
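The WWAN and TRON settings described in this chapter leave visible traces in show context output: clear text passwords, the ignore-mqtt-truststore option that moves MQTT from ssl: to tcp:, PAP authentication, and a WWAN interface with no inbound IP ACL. The following is an added example, not part of this guide or of WiNG, that scans saved show context output for them. The rule names are made up for the example, and it assumes that a leading type digit 2 marks an encrypted password while 0 or no digit means clear text.

```python
"""Scan saved WiNG 'show context' output for settings worth a second look."""
import re

# Constructed sample assembled from the 'show context' lines used in this
# guide's examples; 'auth-type pap' and 'tron ignore-mqtt-truststore' were
# added so every rule has something to report.
SAMPLE = """\
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#show context
interface wwan1
 apn AT&T
 auth-type pap
 username TechPubsUser1
 password TechPubsTesting@123
 crypto map test
 ip nat inside
 ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS4000-if-wwan1)#
NOC-NX9500(config-profile-test8533-if-bluetooth1)#show context
interface bluetooth1
 shutdown
 mode tron-tracking
 tron ignore-mqtt-truststore
 tron initial-config mqtt server 1.2.3.4
 tron initial-config mqtt username fmn
 tron initial-config mqtt password 0 fmn@1234
 tron initial-config mqtt client-prefix fmn
--More--
NOC-NX9500(config-profile-test8533-if-bluetooth1)#
"""

PROMPT = re.compile(r"^\S+\([^)]*\)#")
IFACE = re.compile(r"^interface\s+(\S+)$")
# Assumption: type digit 2 = encrypted value; 0 or no digit = clear text.
PASSWORD = re.compile(r"^(?:tron initial-config mqtt )?password (?:(\d) )?\S+$")

RULES = {
    "cleartext-password": "password is stored and displayed as clear text",
    "mqtt-without-tls": "truststore ignored, MQTT URI uses tcp: instead of ssl:",
    "pap-auth": "PAP sends the carrier password unprotected over the PPP link",
    "no-inbound-acl": "no inbound IPv4 ACL applied to the WWAN interface",
}


def parse_interfaces(text):
    """Group configuration lines under the interface they belong to."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--More--":
            continue
        if PROMPT.match(line):          # a CLI prompt ends the current block
            current = None
            continue
        match = IFACE.match(line)
        if match:
            current = blocks.setdefault(match.group(1), [])
        elif current is not None:
            current.append(line)
    return blocks


def audit(text):
    """Return (interface, rule) pairs; secrets are never copied into findings."""
    findings = []
    for iface, lines in parse_interfaces(text).items():
        for line in lines:
            match = PASSWORD.match(line)
            if match and match.group(1) != "2":
                findings.append((iface, "cleartext-password"))
        if "tron ignore-mqtt-truststore" in lines:
            findings.append((iface, "mqtt-without-tls"))
        if iface.startswith("wwan"):
            if "auth-type pap" in lines:
                findings.append((iface, "pap-auth"))
            if not any(item.startswith("use ip-access-list in ") for item in lines):
                findings.append((iface, "no-inbound-acl"))
    return findings


if __name__ == "__main__":
    for iface, rule in audit(SAMPLE):
        print(f"{iface}: {rule}: {RULES[rule]}")
```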
Related Commands
no (bluetooth-inf-config-command)
Syntax
no [beacon|description|eddystone|ibeacon|mode|shutdown|tron]
no beacon [pattern|period]
no description
no eddystone [calibration-rssi|url [1|2]
no ibeacon [calibration-rssi|major|minor|uuid]
no mode
no shutdown
no tron [ignore-mqtt-truststore|initial-config|reconstruct-nodetype-db-on-start]
no tron [ignore-mqtt-truststore|reconstruct-nodetype-db-on-start]
no tron initial-config mqtt [client-prefix|password|port|server|topic-publish-prefix|
topic-subscribe-prefix|username]
Parameters
no <PARAMETERS>
Example
The following example shows the AP8432 default profile’s Bluetooth radio interface settings:
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
interface bluetooth1
shutdown
mode le-beacon
beacon pattern ibeacon
ibeacon calibration-rssi -70
ibeacon major 1110
ibeacon minor 2210
ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#no shutdown
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#no ibeacon minor
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#no ibeacon calibration-rssi
The following example shows the AP8432 default profile’s Bluetooth radio interface settings after the
‘no’ commands are executed:
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
interface bluetooth1
no shutdown
mode le-beacon
beacon pattern ibeacon
ibeacon major 1110
ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
ip
Profile Config Commands on page 954
Command Description
ip on page 1280 Configures IP components, such as default gateway, DHCP, DNS server
forwarding, name server, domain name, routing standards, etc.
nat-pool-config-instance on page 1286 Invokes NAT pool configuration parameters
ip
ip on page 1280
Configures IPv4 routing components, such as default gateway, DHCP, DNS server forwarding, name
server, domain name, routing standards, etc.
Syntax
ip [default-gateway|dhcp|dns-server-forward|domain-lookup|domain-name|
igmp|name-server|nat|route|routing]
ip [dns-server-forward|domain-lookup|domain-name <DOMAIN-NAME>|
name-server <IP>|routing]
Note
The command ‘ip igmp snooping’ can be configured under bridge VLAN context also. For
example: rfs7000-37FABE(config-device 00-15-70-37-FA-BE-bridge-vlan-1)#ip igmp
snooping forward-unknown-multicast
ip nat [crypto|inside|outside|pool]
failover Configures failover to the gateway (with next higher priority) when the current
default gateway is unreachable (In case of multiple default gateways). This
option is enabled by default.
<HOST-ALIAS-NAME> Configures the host alias mapped to the required default gateway
• <HOST-ALIAS-NAME> – Specify the host alias name (should be existing and
configured). Host alias names begin with a ‘$’.
routing Enables IP routing of logically addressed packets from their source to their
destination. IPv4 routing is enabled by default.
ip
nat Configures the NAT parameters
crypto source pool <NAT-POOL-NAME> Configures the NAT source address translation settings for
IPSec tunnels
• <NAT-POOL-NAME> – Specify a NAT pool name.
destination static <ACTUAL-IP> The following keywords are common to the ‘inside’ and ‘outside’
parameters:
• destination – Specifies destination address translation parameters
◦ static – Specifies static NAT local to global mapping
▪ <ACTUAL-IP> – Specify the actual outside IP address to map.
<1-65535> [tcp|udp]
• <1-65535> – Configures the actual outside port. Specify a value from 1 - 65535.
◦ tcp – Configures Transmission Control Protocol (TCP) port
◦ udp – Configures User Datagram Protocol (UDP) port
source static <ACTUAL-IP> The following keywords are common to the ‘inside’ and ‘outside’
parameters:
• source – Specifies source address translation parameters
◦ static – Specifies static NAT local to global mapping
▪ <ACTUAL-IP> – Specify the actual inside IP address to map.
<1-65535> [tcp|udp]
• <1-65535> – Configures the actual outside port. Specify a value from 1 - 65535.
◦ tcp – Configures Transmission Control Protocol (TCP) port
◦ udp – Configures User Datagram Protocol (UDP) port
address <IP> The following keyword is recursive and common to all interface types:
• address <IP> – Configures the interface IP address used with NAT
interface <L3-IF-NAME> The following keyword is recursive and common to all interface types:
• interface <L3-IF-NAME> – Configures a wireless controller or service
platform’s VLAN interface
◦ <L3-IF-NAME> – Specify the SVI VLAN ID of the interface.
overload The following keyword is recursive and common to all interface types:
• overload – Enables use of global address for many local addresses
pool <NAT-POOL-NAME> The following keyword is recursive and common to all interface types:
• pool <NAT-POOL-NAME> – Specifies the NAT pool
◦ <NAT-POOL-NAME> – Specify the NAT pool name.
Example
NOC-NX9500(config-profile-testNX9000)#ip default-gateway 10.234.160.5
NOC-NX9500(config-profile-testNX9000)#ip dns-server-forward
NOC-NX9500(config-profile-testNX9000)#ip nat inside source list BROADCAST-MULTICAST-CONTROL precedence 1 interface vlan 1 pool NATPool1 overload
NOC-NX9500(config-profile-testNX9000-nat-pool-NATPool1)#?
Nat Policy Mode commands:
address Specify addresses for the nat pool
no Negate a command or set its defaults
NOC-NX9500(config-profile-testNX9000-nat-pool-NATPool1)#
Related Commands
nat-pool-config-instance
ip on page 1280
The following example uses the config-profile-nx9500-6C8809 instance to configure NAT pool settings:
nx9500-6C8809(config-profile-default-rfs4000)#ip nat pool pool1
nx9500-6C8809(config-profile-default-rfs4000-nat-pool-pool1)#
nx9500-6C8809(config-profile-default-rfs4000-nat-pool-pool1)#?
Nat Policy Mode commands:
address Specify addresses for the nat pool
no Negate a command or set its defaults
nx9500-6C8809(config-profile-default-rfs4000-nat-pool-pool1)
Command Description
address on page 1287 Configures NAT pool addresses
no on page 1288 Negates a command or sets its default
address
Define a range of IP addresses hidden from the public Internet. NAT modifies network address
information in the defined IP range while in transit across a traffic routing device. NAT only provides IP
address translation and does not provide a firewall. A branch deployment with NAT by itself will not
block traffic from being potentially routed through a NAT device. Consequently, NAT should be
deployed with a stateful firewall.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
address [<IP>|range <START-IP> <END-IP>]
Parameters
address [<IP>|range <START-IP> <END-IP>]
Example
nx9500-6C8809(config-profile-default-rfs4000-nat-pool-pool1)#address range 172.16.10.2 172.16.10.8
nx9500-6C8809(config-profile-default-rfs4000-nat-pool-pool1)#show context
ip nat pool pool1
address range 172.16.10.2 172.16.10.8
nx9500-6C8809(config-profile-default-rfs4000-nat-pool-pool1)#
Related Commands
no
Syntax
no address [<IP>|range <START-IP> <END-IP>]
Parameters
no address [<IP>|range <START-IP> <END-IP>]
no address [<IP>|range <START-IP> <END-IP>] Removes a single IP address or a range of IP
addresses from this NAT pool
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same
parameters associated with the command getting negated.
Example
nx9500-6C8809(config-profile-default-rfs4000-nat-pool-pool1)#show context
ip nat pool pool1
address range 172.16.10.2 172.16.10.8
nx9500-6C8809(config-profile-default-rfs4000-nat-pool-pool1)#
nx9500-6C8809(config-profile-default-rfs4000-nat-pool-pool1)#show context
ip nat pool pool1
nx9500-6C8809(config-profile-default-rfs4000-nat-pool-pool1)#
Related Commands
ipv6
Profile Config Commands on page 954
Configures IPv6 routing components, such as default gateway, DNS server forwarding, name server,
routing standards, etc.
These IPv6 settings are applied to all devices using this profile.
You can also configure IPv6 settings on a device, using the device’s configuration mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Note
The IPv6 settings configured at the profile/device level are global configuration settings and
not interface-specific.
Syntax
ipv6 [default-gateway|dns-server-forward|hop-limit|mld|name-server|
nd-reachable-time|neighbor|ns-interval|ra-convert|route|ula-reject-route|
unicast-routing]
Parameters
ipv6 [default-gateway <IPv6> {vlan <VLAN-ID>}|dns-server-forward|hop-limit <1-255>|
name-server <IPv6>|nd-reachable-time <5000-3600000>|ns-interval <1000-3600000>|
ula-reject-route|unicast-routing]
dns-server-forward Enables DNS server forwarding. This command enables the forwarding of DNS
queries to DNS servers outside of the network. This feature is disabled by
default.
ula-reject-route Installs a "reject" route for Unique Local Address (ULA) prefixes. This ensures
that site-border routers and firewalls do not forward packets with ULA source
or destination addresses outside of the site, unless explicitly configured with
routing information about specific /48 or longer Local IPv6 prefixes. This option
is disabled by default.
The ULA is an IPv6 address used in private networks for local communication
within a site (for example a company, campus, or within a set of branch office
networks). These site local addresses are IPv6 addresses that fall in the block
fc00::/7, defined in RFC 4193.
unicast-routing Enables IPv6 unicast routing. This feature is enabled by default.
max-response-time <1-25000> Configures the MLD querier’s maximum query response time. This is
the time for which the querier waits before sending a responding report. Queriers use
MLD reports to join and leave multicast groups and receive group traffic.
• <1-25000> – Specify a value from 1 - 25000 milliseconds. The default is 10
milliseconds.
query-interval <1-18000> Configures the interval, in seconds, between two consecutive MLD
querier’s queries
The robustness variable is an indication of how susceptible the subnet is to lost
packets. MLD can recover from robustness variable minus 1 lost MLD packets.
• <1-18000> – Specify a value from 1 - 18000 seconds. The default is 60
seconds.
robustness-variable <1-7> Configures the MLD IGMP robustness variable. This value is used by
the sender of a query.
• <1-7> – Select a value from 1 - 7. The default is 2.
timer expiry <60-300> Configures the MLD other querier (any external querier) timeout
• <60-300> – Specify a value from 60 - 300 seconds. The default is 60
seconds.
version <1-2> Configures the MLD querier’s version. MLD version 1 is based on IGMP version 2
for IPv4. MLD version 2 is based on IGMP version 3 for IPv4 and is fully
backward compatible. IPv6 multicast uses MLD version 2.
• <1-2> – Select the MLD version from 1 - 2. The default is 2.
{dhcp-server|router} After specifying interface type, you can optionally specify the device
type for this neighbor solicitation.
• dhcp-server – Optional. States this neighbor entry is for a DHCP server
• router – Optional. States this neighbor entry is for a router
Example
nx9500-6C8809(config-profile-TestRFS4000)#ipv6 default-gateway 2001:10:10:10:10:10:10:2
nx9500-6C8809(config-profile-TestRFS4000)#ipv6 dns-server-forward
nx9500-6C8809(config-profile-TestRFS4000)#show context
profile rfs4000 TestRFS6000
ipv6 mld snooping
ipv6 dns-server-forward
ipv6 default-gateway 2001:10:10:10:10:10:10:2
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
--More--
nx9500-6C8809(config-profile-TestRFS4000)#
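The effect of the ula-reject-route parameter described above can be modelled as a longest-prefix-match lookup. The following Python sketch is an added illustration, not code from the WiNG guide or the device; it covers destination lookups only, and the next-hop labels, function names and sample prefixes are assumptions.

```python
import ipaddress

ULA_BLOCK = ipaddress.ip_network("fc00::/7")   # RFC 4193 Unique Local Addresses
REJECT = "reject"                              # hypothetical action label


def validate_site_route(prefix):
    """Accept an explicit route; a ULA route must be a specific /48 or longer."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6:
        raise ValueError(f"{prefix}: not an IPv6 prefix")
    if net.subnet_of(ULA_BLOCK) and net.prefixlen < 48:
        raise ValueError(f"{prefix}: ULA routes must be /48 or longer")
    return net


def build_table(ula_reject_route, site_routes, default_next_hop):
    """Build (network, action) entries for a site-border device.

    ula_reject_route mirrors the CLI option: when True, a reject entry for
    fc00::/7 is installed. site_routes maps explicitly configured prefixes
    to next hops (names are constructed for this example).
    """
    table = [(ipaddress.ip_network("::/0"), default_next_hop)]
    if ula_reject_route:
        table.append((ULA_BLOCK, REJECT))
    for prefix, next_hop in site_routes.items():
        table.append((validate_site_route(prefix), next_hop))
    return table


def lookup(table, destination):
    """Return the action of the most specific entry covering the destination."""
    addr = ipaddress.ip_address(destination)
    if addr.version != 6:
        raise ValueError(f"{destination}: not an IPv6 address")
    matches = [(net, action) for net, action in table if addr in net]
    return max(matches, key=lambda entry: entry[0].prefixlen)[1]


if __name__ == "__main__":
    # Option disabled (the default): ULA traffic follows the default route.
    off = build_table(False, {}, "wan-gw")
    print("reject route off:", lookup(off, "fd12:3456:789a::1"))

    # Option enabled, with one explicitly routed /48 inside the site.
    on = build_table(True, {"fd12:3456:789a::/48": "site-b-tunnel"}, "wan-gw")
    for dst in ("fd12:3456:789a::1", "fd00:aaaa:bbbb::5", "2001:db8::1"):
        print("reject route on: ", dst, "->", lookup(on, dst))
```

With the option off, a ULA destination matches only the default route and leaves the site; with it on, only ULA destinations covered by an explicit /48 or longer route are forwarded.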
Related Commands
l2tpv3
Profile Config Commands on page 954
Defines the L2TPV3 settings for tunneling layer 2 payloads using VPNs
L2TPv3 is an IETF standard that defines the control and encapsulation protocol settings for tunneling
layer 2 frames in an IP network (and access point profile) between two IP nodes. Use L2TPv3 to create
tunnels for transporting layer 2 frames. L2TPv3 enables WiNG supported controllers and access points
to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports.
L2TPv3 tunnels can be defined between WiNG devices and other vendor devices supporting the
L2TPv3 protocol.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
l2tpv3 [hostname <HOSTNAME>|inter-tunnel-bridging|logging|manual-session|
router-id [<1-4294967295>|<IP>]|tunnel|udp-listen-port <1024-65535>]
l2tpv3 logging ip-address [<IP>|any] hostname [<HOSTNAME>|any] router-id [<IP>|<WORD>|any]
Parameters
l2tpv3 [hostname <HOSTNAME>|inter-tunnel-bridging|manual-session|router-id
[<1-4294967295>|<IP>]|tunnel|udp-listen-port <1024-65535>]
inter-tunnel-bridging Enables inter tunnel bridging of packets. This feature is disabled by
default.
manual-session Creates/modifies L2TPv3 manual sessions
For more information, see l2tpv3-manual-session-commands on page 1900.
router-id [<1-4294967295>|<IP>] Configures the router ID (either the numeric IP address or the
integer) sent in the L2TPv3 signaling messages. These signaling (AVP) messages help to
identify tunneled peers.
• <1-4294967295> – Configures the router ID in decimal format from 1 -
4294967295
• <IP> – Configures the router ID in the IP address (A.B.C.D) format
hostname [<HOSTNAME>|any] Configures the L2TPv3 peer tunnel hostname for which event logging
is enabled. The options are:
• <HOSTNAME> – Specify the peer’s host name. L2TPv3 events are captured
and logged for specified host.
• any – Peer’s hostname is not specified. Enables debugging for all incoming
connections from any host.
router-id [<IP>|<WORD>|any] Configures the L2TPv3 tunnel router ID for which event logging is
enabled. The options are:
• <IP> – Specify the router ID in the IP address format.
• <WORD> – Specify the router ID in the form of an integer or range. For
example 100-200.
• any – Router ID is not specified. Enables debugging for all incoming
connections from any L2TPv3 router.
Example
nx9500-6C8809(config-profile-default-rfs4000)#l2tpv3 hostname l2tpv3Host1
nx9500-6C8809(config-profile-default-rfs4000)#l2tpv3 inter-tunnel-bridging
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
.................................................
Related Commands
l3e-lite-table
Profile Config Commands on page 954
The L3e Lite table stores information about destinations and their location within a specific IPSec
tunnel. This enables quicker packet transmissions. The table is updated as nodes transmit packets.
Syntax
l3e-lite-table aging-time <10-1000000>
Parameters
l3e-lite-table aging-time <10-1000000>
l3e-lite-table aging-time <10-1000000> Configures the aging time in seconds. The aging time
defines the duration a learned L3e entry (IP, VLAN) remains in the L3e Lite table before
deletion due to lack of activity. The default is 300 seconds.
Example
nx9500-6C8809(config-profile-default-rfs4000)#l3e-lite-table aging-time 1000
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs7000 default-rfs4000
bridge vlan 1
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
..........................................................
interface ge4
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface pppoe1
use firewall-policy default
l3e-lite-table aging-time 1000
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
no on page 1329 Removes the L3e lite table aging time configuration
led
Profile Config Commands on page 954
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
led {flash-pattern}
Parameters
led {flash-pattern}
led flash-pattern Optional. Enables LED flashing on the device using this profile
Select this option to flash an access point’s LEDs in a distinct manner
(different from its operational LED behavior). Enabling this feature allows an
administrator to validate an access point has received its configuration
(perhaps remotely at the site of deployment) without having to log into the
managing controller or service platform. This feature is disabled by default.
Example
nx9500-6C8809(config-profile-RFS6000Test)#led flash-pattern
nx9500-6C8809(config-profile-RFS6000Test)#show context
profile rfs4000 RFS4000Test
no autoinstall configuration
no autoinstall firmware
led flash-pattern
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
--More--
nx9500-6C8809(config-profile-RFS4000Test)#
Related Commands
led-timeout
Profile Config Commands on page 954
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
led-timeout [<15-1440>|shutdown]
Parameters
led-timeout [<15-1440>|shutdown]
led-timeout [<15-1440>|shutdown] Sets the LED-timeout timer. The value provided here determines
the interval (time to lapse) for which a device’s LEDs are turned off after the last radio
state change. For example, if set at 15 minutes, the LEDs are turned off for 15
minutes after the last radio state change.
• <15-1440> – Specify a value from 15 - 1440 minutes. The default is 30
minutes.
• shutdown – Shuts down the LED-timeout timer. The device LEDs are not
turned off.
Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#led-timeout 25
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
use profile default-nx9000
use rf-domain default
hostname nx9500-6C8809
license AAP
66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
license HTANLT
66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
no autogen-uniqueid
ip default-gateway 192.168.13.2
led-timeout 25
--More--
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#led-timeout shutdown
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
use profile default-nx9000
use rf-domain default
hostname nx9500-6C8809
license AAP
66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
license HTANLT
66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
no autogen-uniqueid
ip default-gateway 192.168.13.2
led-timeout shutdown
crypto ikev2 peer IKEv2Peer1
--More--
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
Related Commands
legacy-auto-downgrade
Profile Config Commands on page 954
Enables device firmware to auto downgrade when legacy devices are detected
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
legacy-auto-downgrade
Parameters
None
Example
nx9500-6C8809(config-profile-default-rfs4000)#legacy-auto-downgrade
Related Commands
no on page 1329 Prevents device firmware from auto downgrading when legacy
devices are detected
legacy-auto-update
Profile Config Commands on page 954
Syntax
legacy-auto-update ap71xx image <FILE>
Parameters
legacy-auto-update ap71xx image <FILE>
Example
nx9500-6C8809(config-profile-default-rfs4000)#legacy-auto-update ap71xx image flash:/ap47d.img
Related Commands
lldp
Profile Config Commands on page 954
LLDP, or IEEE 802.1AB, is a vendor-neutral Data Link Layer protocol used by network devices to
advertise (announce) their identity, capabilities, and interconnections on an IEEE 802 LAN. The
protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery.
Both LLDP snooping and the ability to generate and transmit LLDP packets are provided.
Information obtained via CDP and LLDP snooping is available in the UI. Information obtained using
LLDP is provided during the adoption process, so the layer 2 device detected by the access point can be
used as a criterion in the provisioning policy.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
lldp [holdtime|med-tlv-select|run|timer]
Parameters
lldp [holdtime <10-1800>|run|timer <5-900>]
Example
nx9500-6C8809(config-profile-default-rfs4000)#lldp timer 20
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
...........................................
use firewall-policy default
ip dns-server-forward
ip nat pool pool1
address range 172.16.10.2 172.16.10.8
ip nat inside source list test interface vlan1 pool pool1 overload
lldp timer 20
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
load-balancing
Profile Config Commands on page 954
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
Syntax
load-balancing [advanced-params|balance-ap-loads|balance-band-loads|
balance-channel-loads|band-control-strategy|band-ratio|group-id|
neighbor-selection-strategy]
load-balancing [balance-ap-loads|balance-band-loads|balance-channel-loads [2.4GHz|5GHz]]
Parameters
load-balancing advanced-params [2.4GHz-load|5GHz-load|ap-load] [client-weightage|
throughput-weightage] <0-100>
load-balancing advanced-params
max-neighbors <0-16> Configures the maximum number of confirmed neighbors to balance
• <0-16> – Specify a value from 0 - 16. Optionally configure a
minimum of 0 neighbors and a maximum of 16 neighbors. The
default is 16.
min-common-clients <0-256> Configures the minimum number of common clients that can be
shared with the neighbor for load balancing
• <0-256> – Specify a value from 0 - 256. Optionally configure a
minimum of 0 clients and a maximum of 256 clients. The default
is 0.
balance-band-loads Enables balancing of the total band load amongst neighbors. This
option balances the access point’s radio load by assigning a ratio to
both the 2.4 GHz and 5.0 GHz bands. Balancing radio load by band
ratio allows an administrator to assign a greater weight to radio
traffic on either the 2.4 GHz or 5.0 GHz band. This option is disabled
by default.
balance-channel-loads [2.4GHz|5GHz] Enables the following:
• 2.4GHz – Channel load balancing on 2.4 GHz band. This option is
disabled by default.
Balances the access point’s 2.4 GHz radio load across channels
supported within the country of deployment. This can prevent
congestion on the 2.4 GHz radio if a channel is over utilized.
• 5GHz – Channel load balancing on 5.0 GHz band. This option is
disabled by default.
Balances the access point’s 5.0 GHz radio load across channels
supported within the country of deployment. This can prevent
congestion on the 5.0 GHz radio if a channel is over utilized.
load-balancing band-ratio Configures the relative loading of 2.4 GHz band and 5.0 GHz
band. This allows an administrator to weight client traffic load if
wishing to prioritize client traffic load on the 2.4 GHz or the 5.0 GHz radio
band. The higher the value set, the greater the weight assigned to
radio traffic load on the 2.4 GHz or 5.0 GHz radio band.
2.4GHz [0|<1-10>] Configures the relative loading of 2.4 GHz band
• 0 – Selecting ‘0’ steers all dual-band clients preferentially to the
other band
• <0-10> – Configures a relative load as a number from 0 - 10. The
default is 0.
load-balancing neighbor-selection-strategy Configures a neighbor selection strategy. The options
are: use-common-clients, use-roam-notification, and use-smart-rf
use-common-clients Selects neighbors based on probes from clients common to
neighbors. This option is enabled by default.
use-roam-notification Selects neighbors based on roam notifications from roamed clients.
This option is enabled by default.
use-smart-rf Selects neighbors detected by Smart RF. This option is enabled by
default.
Example
nx9500-6C8809(config-profile-default-rfs4000)#load-balancing advanced-params 2.4ghz-load throughput-weightage 90
nx9500-6C8809(config-profile-default-rfs4000)#load-balancing balance-ap-loads
rfs7000-37FABE(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
ip default-gateway 172.16.10.4
autoinstall configuration
autoinstall firmware
load-balancing advanced-params 2.4ghz-load throughput-weightage 90
load-balancing advanced-params hiwater-threshold ap 90
load-balancing balance-ap-loads
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
logging
Profile Config Commands on page 954
Enables message logging and configures logging settings. When enabled, the profile logs individual
system events to a user-defined log file or a syslog server. Message logging is disabled by default.
Enabling message logging is recommended, because system event logs can be analyzed to determine
an overall pattern that may be negatively impacting performance.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
logging [aggregation-time|buffered|console|facility|forward|host|on|
syslog]
Parameters
logging [aggregation-time <1-60>|host [<IPv4>|<IPv6>] {port <1-65535>}|on]
host [<IPv4>|<IPv6>] {port <1-65535>} Configures a remote host to receive log messages. Defines
numerical (non DNS) IPv4 or IPv6 addresses for external resources
where logged system events can be sent on behalf of the profile (or
device). A maximum of four entries can be made.
• <IPv4> – Specify the IPv4 address of the remote host.
• <IPv6> – Specify the IPv6 address of the remote host.
◦ port <1-65535> – Optional. Configures the syslog port
▪ <1-65535> – Specify the syslog port from 1 - 65535. The
default port is 514.
Example
NOC-NX9500(config-profile-testNX9000)#logging facility local4
Related Commands
mac-address-table
Profile Config Commands on page 954
Configures the MAC address table. Use this command to create MAC address table entries by assigning
a static address to the MAC address table.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mac-address-table [aging-time|detect-gateways|static]
mac-address-table aging-time [0|<10-1000000>]
mac-address-table detect-gateways
mac-address-table static <MAC> vlan <1-4094> interface [<L2-INTERFACE>|
ge <1-4>| port-channel <1-2>]
Parameters
mac-address-table aging-time [0|<10-1000000>]
mac-address-table aging-time [0|<10-1000000>] Sets the duration a learned MAC address persists
after the last update
• 0 – Entering the value ‘0’ disables the aging time
• <10-1000000> – Sets the aging time from 10 - 1000000 seconds.
The default is 300 seconds.
mac-address-table detect-gateways
interface [<L2-INTERFACE>|ge <1-4>|port-channel <1-2>] Specifies the interface type. The options
are: layer 2 Interface, GigabitEthernet interface, and a port channel interface
• <L2-INTERFACE> – Specify the layer 2 interface name.
• ge – Specifies a GigabitEthernet interface
◦ <1-4> – Specify the GigabitEthernet interface index from 1 - 4.
• port-channel – Specifies a port channel interface
◦ <1-2> – Specify the port channel interface index from 1 - 2.
Example
nx9500-6C8809(config-profile-default-rfs4000)#mac-address-table static 00-40-96-B0-BA-2A vlan 1 interface ge 1
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
.........................................................
logging facility local4
mac-address-table static 00-40-96-B0-BA-2A vlan 1 interface ge1
ip nat pool pool1
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
mac-auth
Profile Config Commands on page 954
Enables authentication of a client’s MAC address on wired ports. When configured, MAC authentication
will be enabled on devices using this profile.
To enable MAC address authentication on a device, enter the device’s configuration mode and execute
the mac-auth command.
When enabled, the source MAC address of a device, connected to the specified wired port, is
authenticated with the RADIUS server. Once authenticated the device is permitted access to the
managed network and packets from the authenticated source are processed. If not authenticated the
device is either denied access or provided guest access through the guest VLAN (provided guest VLAN
access is configured on the port).
Enabling MAC authentication requires you to first configure an AAA policy specifying the RADIUS server.
Configure the client’s MAC address on the specified RADIUS server. Attach this AAA policy to a profile
or a device. Finally, enable MAC authentication on the desired wired port of the device or device-profile.
Only one MAC address is supported for every wired port. Consequently, when one source MAC address
is authenticated, packets from all other sources are dropped.
1. Configure the user on the RADIUS server. The following examples create a RADIUS server user entry.
<DEVICE>(config)#radius-group <RAD-GROUP-NAME>
<DEVICE>(config-radius-group-<RAD-GROUP-NAME>)#policy vlan <VLAN-ID>
<DEVICE>(config)#radius-user-pool-policy <RAD-USER-POOL-NAME>
<DEVICE>(config-radius-user-pool-<RAD-USER-POOL-NAME>)#user <USER-NAME> password <PASSWORD> group <RAD-GROUP-OF-STEP-A>
Note: The <USER-NAME> and <PASSWORD> should be the client’s MAC address. This address will
be matched against the MAC address of incoming traffic at the specified wired port.
<DEVICE>(config)#radius-server-policy <RAD-SERVER-POL-NAME>
<DEVICE>(config-radius-server-policy-<RAD-SERVER-POL-NAME>)#use radius-user-pool-policy <RAD-USER-POOL-OF-STEP-B>
2. Configure an AAA policy exclusively for wired MAC authentication and specify the authentication
(RADIUS) server settings. The following example creates an AAA policy ‘macauth’ and enters its
configuration mode:
<DEVICE-A>(config)#aaa-policy macauth
<DEVICE-A>(config-aaa-policy-macauth)#...
3. Attach the AAA policy to the device or profile. When attached to a profile, the AAA policy is applied
to all devices using this profile.
<DEVICE>(config-device-aa-bb-cc-dd-ee)#mac-auth use aaa-policy macauth
<DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#mac-auth use aaa-policy macauth
4. Enable mac-auth on the device’s desired GE port. When enabled on a profile, MAC address
authentication is enabled on the specified GE port of all devices using this profile.
<DEVICE>(config-device-aa-bb-cc-dd-ee)#interface ge x
<DEVICE>(config-device-aa-bb-cc-dd-ee-gex)#mac-auth
<DEVICE>(config-profile-<PROFILE-NAME>)#interface ge x
<DEVICE>(config-profile-<PROFILE-NAME>)#mac-auth
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mac-auth use aaa-policy <AAA-POLICY-NAME>
Parameters
mac-auth use aaa-policy <AAA-POLICY-NAME>
Example
The following examples demonstrate the configuration of authentication of MAC addresses on wired
ports:
rfs4000-229D58(config-aaa-policy-mac-auth)#authentication server 1 onboard controller
rfs4000-229D58(config-aaa-policy-mac-auth)#show context
aaa-policy mac-auth
authentication server 1 onboard controller
rfs4000-229D58(config-aaa-policy-mac-auth)#
rfs4000-229D58(config)#radius-group RG
rfs4000-229D58(config-radius-group-RG)#policy vlan 11
rfs4000-229D58(config-radius-group-RG)#show context
radius-group RG
policy vlan 11
rfs4000-229D58(config-radius-group-RG)#
rfs4000-229D58(config)#radius-user-pool-policy RUG
rfs4000-229D58(config-radius-user-pool-RUG)#user 00-16-41-55-F8-5D password 00-16-41-55-F8-5D group RG
rfs4000-229D58(config-radius-user-pool-RUG)#show context
radius-user-pool-policy RUG
user 00-16-41-55-F8-5D password 0 00-16-41-55-F8-5D group RG
rfs4000-229D58(config-radius-user-pool-RUG)#
rfs4000-229D58(config)#radius-server-policy RS
rfs4000-229D58(config-radius-server-policy-RS)#use radius-user-pool-policy RUG
rfs4000-229D58(config-radius-server-policy-RS)#show context
radius-server-policy RS
use radius-user-pool-policy RUG
rfs4000-229D58(config-radius-server-policy-RS)#
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge4)#show context
interface ge4
dot1x authenticator host-mode single-host
dot1x authenticator port-control auto
mac-auth
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge4)#
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#show context
interface ge5
switchport mode access
switchport access vlan 1
dot1x authenticator host-mode single-host
dot1x authenticator guest-vlan 5
dot1x authenticator port-control auto
mac-auth
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#
rfs4000-229D58(config-device-00-23-68-22-9D-58)#
rfs4000-229D58(config-device-00-23-68-22-9D-58)#
Related Commands
management-server
Profile Config Commands on page 954
Configures a management server with this profile. This command is also applicable to the device
configuration context.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
management-server <HOST-NAME> port <1-65535>
Parameters
management-server <HOST-NAME> port <1-65535>
management-server <HOST-NAME> port <1-65535> – Configures a management server with this profile. Use
this command to identify the management server.
• <HOST-NAME> – Specify the management server’s host name.
◦ port <1-65535> – Specify the port where the management server is reachable. The default setting
is port 443.
Note: If the adoption-mode, on this profile, is set to ‘cloud’, ensure that the management-server
configuration points to the ExtremeCloud Web address. If the adoption-mode is set to
‘ws-controller’, provide the ESE controller’s IP address or hostname as the management server. For
information on configuring the adoption-mode, see adoption-mode on page 960.
Example
nx9500-6C8809(config-profile-testRFS4000)#management-server nx9500-6C8809 port 300
Related Commands
meshpoint-device
Configures meshpoint device parameters. This feature is configurable in the profile and device
configuration modes.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
meshpoint-device <MESHPOINT-NAME>
Parameters
meshpoint-device <MESHPOINT-NAME>
Usage Guidelines
For VMM (Vehicular Mounted Modem) access points or other mobile devices, set the path selection
method as mobile-snr-leaf in the config-meshpoint-device mode. For more information, see path-
method (meshpoint-device-config) on page 1990.
nx9500-6C8809(config-profile-testAP7161)#meshpoint-device test
nx9500-6C8809(config-profile-testAP7161-meshpoint-test)#?
Mesh Point Device Mode commands:
acs Configure auto channel selection parameters
exclude Exclude neighboring Mesh Devices
hysteresis Configure path selection SNR hysteresis values
monitor Event Monitoring
no Negate a command or set its defaults
path-method Path selection method used to find a root node
preferred Configure preferred path parameters
root Set this meshpoint as root
root-select Root selection method parameters
nx9500-6C8809(config-profile-testAP7161-meshpoint-test)#
Related Commands
Note
For more information on the meshpoint-device configuration parameters, see MESHPOINT on
page 1950.
meshpoint-monitor-interval
Configures the meshpoint monitoring interval. This is the interval, in seconds, at which the meshpoint
status is checked.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
meshpoint-monitor-interval <1-65535>
Parameters
meshpoint-monitor-interval <1-65535>
Example
nx9500-6C8809(config-profile-default-rfs4000)#meshpoint-monitor-interval 100
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
meshpoint-monitor-interval 100
ip default-gateway 172.16.10.4
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
no on page 1329 – Resets the meshpoint monitoring interval to default (30 seconds)
min-misconfiguration-recovery-time
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
min-misconfiguration-recovery-time <60-3600>
Parameters
min-misconfiguration-recovery-time <60-3600>
min-misconfiguration-recovery-time <60-3600> – Configures the minimum connectivity (with the
associated device) verification interval
• <60-3600> – Specify a value from 60 - 3600 seconds (default is 60 seconds).
Example
NOC-NX9500(config-profile-testNX9000)#min-misconfiguration-recovery-time 500
Related Commands
mint
Configures MiNT protocol parameters required for MiNT link creation and adoption.
MiNT links are required for adoption of a device (APs, wireless controller, and service platform) to a
controller. The MiNT link is created on both the adoptee and the adopter. WiNG provides several
commands to configure MiNT links and establish adoption for both IPv4 and IPv6 addresses.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mint [dis|inter-tunnel-bridging|level|link|mlcp|rate-limit|spf-latency|
tunnel-across-extended-vlan|tunnel-controller-load-balancing]
mint inter-tunnel-bridging
mint tunnel-across-extended-vlan
Parameters
mint dis [priority-adjustment <-255-255>|strict-evis-reachability]
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
dis priority-adjustment <-255-255> – Sets the relative priority for the router to become DIS
(designated router)
• priority-adjustment – Sets priority adjustment added to base priority
The Designated IS (DIS) priority adjustment is the value added to the base level DIS priority to
influence the DIS election. A value of +1 or greater increases DISiness.
• <-255-255> – Specify a value from -255 - 255. The default is 0.
Higher numbers result in higher priorities
strict-evis-reachability – Enables reaching Ethernet Virtualization Interconnect (EVIS) election
winners through MiNT. This option is enabled by default.
mint inter-tunnel-bridging
mint – Configures MiNT protocol parameters required for MiNT link creation, adoption and
communication
inter-tunnel-bridging – Enables forwarding of broadcast multicast (BCMC) packets between devices
communicating via Level 2 MiNT links. When enabled, MiNT tunnels across Level 2, adopted access
points are bridged. One of the advantages of inter-tunnel bridging is the enabling of roaming
between these access points. This option is disabled by default.
If enabling this option, use ACLs to filter unwanted BCMC traffic.
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
level 1 – Configures local MiNT routing settings
• 1 – Configures local MiNT routing level
area-id [<1-16777215>|<NUMBER-ALIAS-NAME>] – Specifies the level 1 routing area identifier. Use one
of the following options to specify the area ID:
• <1-16777215> – Specify a value from 1 - 16777215.
• <NUMBER-ALIAS-NAME> – Specify a number alias (should be existing and configured). Aliases are
configuration items that can be defined once and used in different configuration contexts. For more
information on creating a number alias, see alias on page 267.
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
link force – Creates a MiNT routing link as a forced link
• force – Forces a MiNT routing link to be created even if not necessary
adjacency-hold-time <2-600> – Optional. Specifies the adjacency lifetime after hello packets cease
• <2-600> – Specify a value from 2 - 600 seconds. The default is 46 seconds.
hello-interval <1-120> – Optional. Specifies the interval, in seconds, between successive hello
packets
• <1-120> – Specify a value from 1 - 120 seconds. The default is 15 seconds.
ipsec-security {gw [<IP>|<HOST-NAME>]} – Optional. Enables IPSec secure peer authentication on the
MiNT link connection (link). This option is disabled by default.
• gw [<IP>|<HOSTNAME>] – Optional. Configures the IPSec secure gateway. When enabling IPSec, you can
optionally specify the IPSec secure gateway’s numerical IP address or administrator defined
hostname.
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
link listen ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>] – Creates a MiNT routing link
• listen – Creates a MiNT listening link
◦ ip – Creates a MiNT listening link over UDP/IP or IPv6
▪ <IPv4> – Specify the IPv4 address of the listening UDP/IP link.
▪ <IPv6> – Specify the IPv6 address of the listening UDP/IP link.
▪ <HOST-ALIAS-NAME> – Specify the host alias identifying the MiNT link address. The host alias
should be existing and configured.
UDP/IP links can be created by configuring a matching pair of links, one on each end point.
However, that is error prone and does not scale. So UDP/IP links can also listen (in the TCP
sense), and dynamically create connected UDP/IP links when contacted. The typical configuration is
to have a listening UDP/IP link on the IP address S.S.S.S, and for all the APs to have a regular
UDP/IP link to S.S.S.S.
link vlan <1-4094> – Enables MiNT routing on VLAN
• vlan – Defines a VLAN ID used by peers for inter-operation when supporting the MINT protocol.
◦ <1-4094> – Select VLAN ID from 1 - 4094.
ipsec-security {gw [<IP>|<HOST-NAME>]} – This parameter is common to the ‘listen’ and ‘vlan’
parameters:
• ipsec-security – Optional. Enables IPSec secure peer authentication on the MiNT connection
(link). This option is disabled by default.
◦ gw [<IP>|<HOSTNAME>] – Optional. Configures the IPSec secure gateway. When enabling IPSec, you can
optionally specify the IPSec secure gateway’s numerical IP address or administrator defined
hostname.
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
link ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>] – Creates a MiNT routing link
• ip – Creates a MiNT tunnel over UDP/IP or IPv6
Use this keyword to specify the IP address (IPv4 or IPv6) used by peers for inter-operation when
supporting the MINT protocol.
• <IPv4> – Specify the IPv4 address used by peers.
• <IPv6> – Specify the IPv6 address used by peers.
• <HOST-ALIAS-NAME> – Specify the host alias identifying the MiNT tunnel peer’s address. The host
alias should be existing and configured.
hello-interval <1-120> – Optional. Specifies the interval, in seconds, between successive hello
packets
• <1-120> – Specify a value from 1 - 120. The default is 15 seconds.
level [1|2] – Optional. Specifies the routing levels for this routing link. The options are:
• 1 – Configures local routing
• 2 – Configures inter-site routing
ipsec-security {gw [<IP>|<HOST-NAME>]} – Optional. Enables IPSec secure peer authentication on the
MiNT connection (link). This option is disabled by default.
• gw [<IP>|<HOSTNAME>] – Optional. Configures the IPSec secure gateway. When enabling IPSec, you can
optionally specify the IPSec secure gateway’s numerical IP address or administrator defined
hostname.
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
mlcp [ip|ipv6|vlan] – Configures the MLCP using the IP address or VLAN. MLCP is used to create a
UDP/IP link from the device to a neighbor. The neighboring device does not need to be a wireless
controller or service platform, it can be another access point with a path to the wireless
controller or service platform.
• vlan – Enables MLCP over layer 2 (VLAN) links
• ip – Enables MLCP over layer 3 (UDP/IP) links. When enabled, allows adoption over IPv4 address.
• ipv6 – Enables MLCP over layer 3 (UDP/IPv6) links. When enabled, allows adoption over IPv6
address.
mint rate-limit level2 [link [ip [<IPv4>|<IPv6>] <1-65535>|vlan <1-4094>]| mlcp [ip|ipv6|
vlan]] rate <50-1000000> max-burst-size <2-1024> {red-threshold [background|best-effort|
video|voice] <0-100>}
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
mint rate-limit level2 – Applies rate limits on extended VLAN traffic
Excessive traffic can cause performance issues on an extended VLAN. Excessive traffic can be caused
by numerous sources including network loops, faulty devices, or malicious software.
Rate limiting reduces the maximum rate sent or received per wireless client. It prevents any single
user from overwhelming the wireless network, and also provides differential service for service
providers. Uplink and downlink rate limits are usually configured on a RADIUS server using vendor
specific attributes. Rate limits are extracted from the RADIUS server’s response. When such
attributes are not present, the settings defined on the controller, service platform or access
point are applied. You can set separate QoS rate limit configurations for data types transmitted
from the network (upstream) and data transmitted from wireless clients back to associated radios
(downstream).
link [ip <IPv4/IPv6> <1-65535>|vlan <1-4094>] – Configures rate limit parameters applicable for all
statically configured MiNT links on level2. Select the link-type as ‘IP’ or ‘VLAN’.
• ip <IPv4/IPv6> – Configures rate limits for MiNT link traffic over UDP/IP
◦ <IPv4/IPv6> – Specify the MiNT peer’s IPv4 or IPv6 address in the A.B.C.D and X:X::X:X formats
respectively.
▪ <1-65535> – Configures the virtual port used for rate limiting traffic. Specify the UDP port from
1 - 65535.
• vlan <1-4094> – Configures rate limits for MiNT link traffic on specified VLAN
◦ <1-4094> – Specify the VLAN ID from 1 - 4094.
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
spf-latency <0-60> – Specifies the latency of SPF routing recalculation
This option allows you to set the latency of routing recalculation option (within the Shortest Path
First (SPF) field). This option is disabled by default.
• <0-60> – Specify the latency from 0 - 60 seconds.
mint tunnel-across-extended-vlan
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
tunnel-across-extended-vlan – Enables tunneling of MiNT protocol packets across an extended VLAN.
This setting is disabled by default.
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
tunnel-controller-load-balancing level1 – Enables load balancing of MiNT extended VLAN traffic
across tunnels
• level1 – Enables balancing of load of a tunnel wireless controller or service platform over VLAN
links
Example
nx9500-6C8809(config-profile-default-rfs4000)#mint level 1 area-id 88
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
mint link ip 1.2.3.4 level 2
mint level 1 area-id 88
bridge vlan 1
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#show context
ap7522 84-24-8D-1B-B9-0C
use profile default-ap7522
use rf-domain default
hostname ap7522-1BB90C
no staging-config-learnt
nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#
nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#mint inter-tunnel-bridging
nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#show context
ap7522 84-24-8D-1B-B9-0C
use profile default-ap7522
use rf-domain default
hostname ap7522-1BB90C
no staging-config-learnt
mint inter-tunnel-bridging
nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#
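Added example (not part of the original guide and not Extreme Networks code): a Python check that reads show context text and lists every MiNT link configured without ipsec-security, which the guide states is disabled by default, together with any context where inter-tunnel-bridging is enabled so that its BCMC ACLs can be reviewed. The sample configuration, the function and class names and the issue labels are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Context headers as they appear in the guide's "show context" output.
PROFILE_HDR = re.compile(r"^profile \S+ \S+$")
DEVICE_HDR = re.compile(r"^\S+ (?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")

# Constructed sample: the lines follow the syntax shown in the guide, but the
# 'branch-ap' profile, the 192.0.2.10 peer and VLAN 20 are made up.
SAMPLE = """\
profile rfs4000 default-rfs4000
 mint link ip 1.2.3.4 level 2
 mint level 1 area-id 88
 bridge vlan 1
profile ap7522 branch-ap
 mint link ip 192.0.2.10 level 2 ipsec-security
 mint link vlan 20
ap7522 84-24-8D-1B-B9-0C
 use profile default-ap7522
 mint inter-tunnel-bridging
"""


@dataclass(frozen=True)
class MintLink:
    context: str          # profile or device the line belongs to
    kind: str             # "ip", "listen" or "vlan"
    target: str           # peer/listen address or VLAN ID
    level: Optional[str]  # "1", "2", or None when not given on the line
    ipsec: bool           # True when ipsec-security is on the line


@dataclass(frozen=True)
class Finding:
    context: str
    line: str
    issue: str


def _value_after(tokens: List[str], keyword: str) -> Optional[str]:
    """Return the token that follows keyword, or None if absent."""
    if keyword in tokens:
        idx = tokens.index(keyword)
        if idx + 1 < len(tokens):
            return tokens[idx + 1]
    return None


def parse_mint(config_text: str) -> Tuple[List[MintLink], List[Finding]]:
    """Collect MiNT links and review findings from show-context text."""
    links: List[MintLink] = []
    findings: List[Finding] = []
    context = "(no context)"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "--More--":
            continue
        if PROFILE_HDR.match(line) or DEVICE_HDR.match(line):
            context = line
            continue
        tokens = line.split()
        if tokens[0] != "mint" or len(tokens) < 2:
            continue
        if tokens[1] == "link":
            if "listen" in tokens:
                kind = "listen"
            elif "vlan" in tokens:
                kind = "vlan"
            else:
                kind = "ip"
            key = "vlan" if kind == "vlan" else "ip"
            link = MintLink(
                context=context,
                kind=kind,
                target=_value_after(tokens, key) or "?",
                level=_value_after(tokens, "level"),
                ipsec="ipsec-security" in tokens,
            )
            links.append(link)
            if not link.ipsec:
                findings.append(
                    Finding(context, line, "link-without-ipsec-security"))
        elif tokens[1] == "inter-tunnel-bridging":
            findings.append(
                Finding(context, line, "inter-tunnel-bridging-enabled"))
    return links, findings


if __name__ == "__main__":
    for f in parse_mint(SAMPLE)[1]:
        print(f"{f.issue:32} {f.context}: {f.line}")
```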
Related Commands
misconfiguration-recovery-time
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
misconfiguration-recovery-time [0|<60-300>]
Parameters
misconfiguration-recovery-time [0|<60-300>]
<60-300> – Sets the recovery time from 60 - 300 seconds (default is 180 seconds)
0 – Disables recovery from misconfiguration
Example
NOC-NX9500(config-profile-testNX9000)#misconfiguration-recovery-time 65
Related Commands
ml-rrm
Enables ML-RRM (Machine Learning - Radio Resource Management) agent on the AP's profile or device
context. When enabled, the ExtremeAI ML agent sends RF metrics to the ExtremeAI instance that is
integrated with the orchestration management software, such as ExtremeCloud™. ExtremeAI analyzes
information received from the access point to learn network conditions and user requirements. Based
on this learning, ExtremeAI dynamically fine-tunes the radio to enhance network performance and
achieve optimum results. Statistical data is displayed in the orchestration management user interface.
Note
You can use this option only on the WiNG AP7632 and AP7662 model access points and only
if the APs are adopted to ExtremeCloud.
Note
ExtremeAI can be enabled on the access point through the ExtremeCloud UI. For more
information on ExtremeAI, please refer to the ExtremeAI User Guide available at
https://extremenetworks.com/documentation.
If enabling ML-RRM on the access points, in the radio context, allow ML-RRM to set the radio's channel
and/or transmit power settings. For more information, see power on page 1235 and channel on page
1208 commands.
Syntax
ml-rrm
Parameters
None
Examples
Here is a sample output that shows the ml-rrm configurations made on the AP7662 profile. Note, this
AP is ExtremeCloud adopted.
ap7662(config)#show running-config profile anyap ece9601103a711e985729b37513dbd86 | in ml-rrm
channel ml-rrm
power ml-rrm
channel ml-rrm
power ml-rrm
ml-rrm
ap7662(config)#
neighbor-inactivity-timeout
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
neighbor-inactivity-timeout <1-1000>
Parameters
neighbor-inactivity-timeout <1-1000>
Example
nx9500-6C8809(config-profile-default)#neighbor-inactivity-timeout 500
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
mint link ip 1.2.3.4
mint level 1 area-id 88
bridge vlan 1
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
neighbor-inactivity-timeout 500
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
interface me1
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
neighbor-info-interval
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
neighbor-info-interval <1-100>
Parameters
neighbor-info-interval <1-100>
Example
nx9500-6C8809(config-profile-default-rfs4000)#neighbor-info-interval 6
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
mint link ip 1.2.3.4
mint level 1 area-id 88
bridge vlan 1
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
neighbor-info-interval 6
neighbor-inactivity-timeout 500
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
interface me1
interface ge1
ip dhcp trust
qos trust dscp
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
no
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [adopter-auto-provisioning-policy-lookup|adoption|adoption-mode|
alias|application-policy|area|arp|auto-learn|autogen-uniqueid|
autoinstall|bluetooth-detection|bridge|cdp|cluster|
configuration-persistence|controller|critical-resource|crypto|
database-backup|device-upgrade|diag|dot1x|dpi|dscp-mapping|
eguest-server|email-notification|environmental-sensor|events|export|
file-sync|floor|gre|http-analyze|interface|ip|ipv6|lacp|l2tpv3|
l3e-lite-table|led|led-timeout|legacy-auto-downgrade|
legacy-auto-update|lldp|load-balancing|logging|mac-address-table|
mac-auth|management-server|memory-profile|meshpoint-device|
meshpoint-monitor-interval|min-misconfiguration-recovery-time|mint|
misconfiguration-recovery-time|noc|ntp|otls|offline-duration|
power-config|preferred-controller-group|preferred-tunnel-controller|
radius|raid|rf-domain-manager|router|spanning-tree|
traffic-class-mapping|traffic-shape|trustpoint|tunnel-controller|use|
virtual-controller|vrrp|vrrp-state-check|zone|wep-shared-key-auth|
ws-controller|service]
Parameters
no <PARAMETERS>
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same
parameters associated with the command getting negated.
Example
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto remote-vpn-client
interface me1
interface up1
interface ge1
interface ge2
interface ge3
interface ge4
interface ge5
interface ge6
interface ge7
interface ge8
interface wwan1
interface pppoe1
use firewall-policy default
logging on
service pm sys-restart
adopter-auto-provisioning-policy-lookup
router ospf
router bgp
adoption start-delay min 10 max 30
nx9500-6C8809(config-profile-default-rfs4000)#
nx9500-6C8809(config-profile-default-rfs4000)#no adopter-auto-provisioning-policy-lookup
nx9500-6C8809(config-profile-default-rfs4000)#no adoption start-delay
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto remote-vpn-client
interface me1
interface up1
interface ge1
interface ge2
interface ge3
interface ge4
interface ge5
interface ge6
interface ge7
interface ge8
interface wwan1
interface pppoe1
use firewall-policy default
logging on
service pm sys-restart
router ospf
router bgp
nx9500-6C8809(config-profile-default-rfs4000)#
noc
Configures Network Operations Center (NOC) statistics update interval. This is the interval at which
statistical updates are sent by the RF Domain manager to its adopting controller (the NOC controller).
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
noc update-interval [<5-3600>|auto]
Parameters
noc update-interval [<5-3600>|auto]
Example
NOC-NX9500(config-profile-testNX9000)#noc update-interval 25
noc update-interval 25
NOC-NX9500(config-profile-testNX9000)#
Related Commands
nsight
Configures NSight database related parameters. Use this command to configure the data-update
periodicity, number of applications posted to the NSight server for a wireless client, and the duration for
which data is stored in the NSight database’s buckets. These parameters impact the amount of data
stored in the NSight DB and interval at which data is aggregated and expired within the NSight DB. For
more information on data aggregation and expiration, see Usage Guidelines (Data Aggregation and
Expiration) on page 1335.
Configure these parameters in the NSight server’s profile configuration mode. These parameters are
also configurable on the NSight server’s device configuration mode.
Syntax
nsight database [statistics|summary]
Parameters
nsight database statistics [avc-update-interval|update-interval|wireless-clients-update-interval] [120|30|300|60|600]
nsight database summary – Configures the NSight database’s per-bucket data storage duration
duration <1-24> <1-168> <1-2160> <24-26280> – Configures the duration for which data is stored on a
per-bucket basis
• <1-24> – Specify the bucket 1 duration from 1 - 24 hours (i.e. 1 hour to 1 day). The default is
8 hours.
◦ <1-168> – Specify the bucket 2 duration from 1 - 168 hours (i.e. 1 hour to 7 days). The default
is 24 hours.
▪ <1-2160> – Specify the bucket 3 duration from 1 - 2160 hours (i.e. 1 hour to 90 days). The
default is 7 days (168 hours).
Data Aggregation:
The NSight functionality, a data analytics tool, analyzes data that is generated periodically by the nodes
within the managed wireless LAN. For large WLAN networks generating significantly large amounts of
data, storing data forever is neither feasible nor beneficial. Therefore, older statistics are summarized
into aggregated (averaged) records. All records for a fixed time period in the past are summarized into one
record by taking an average of them. Although this causes a loss in the data’s granularity, average
numbers for any given time period are still available.
Statistical data periodically posted by RF Domain managers to the NSight server are stored in buckets
(database collections) within the NSight database. There are four buckets in total. These are:
• First bucket (termed as the RAW bucket) - B1
• Second bucket - B2
• Third bucket - B3
• Fourth bucket - B4
On completion of the data storage duration, records from a bucket are aggregated (at a fixed rate) and
inserted into the next bucket. The rate at which records are aggregated into the next bucket becomes
the next bucket’s granularity. For example, the B1 records (that have exceeded the data storage duration
configured for B1) are aggregated (at the rate specified) and inserted into B2. Similarly, data from B2 are
aggregated into B3, and from B3 to B4. The fixed rate of aggregation (or granularity) AND default
storage duration for each bucket is as follows:
• B1: storage duration 8 hours
• B2: granularity 10 minutes / storage duration 24 hours
• B3: granularity 1 hour / storage duration 7 days
• B4: granularity 1 day / storage duration 1 year
Let us consider (with default update-interval settings) the growth of any one of the statistical buckets.
• Since B1’s default data storage duration is 8 hours, B1 will hold a maximum of 960 records per RF
Domain after 8 hours (updated at the rate of 30 seconds).
• Since B2’s granularity is 10 minutes, every 10 minutes 20 records from the B1 will be aggregated into
a single record and inserted into B2.
• Since B2’s default storage duration is 24 hours, it will contain a maximum of 144 records per RF
Domain after 24 hours.
• Since B3’s granularity is 1 hour, every hour 6 records from B2 will be aggregated into a single record
and inserted into B3.
• Since B3’s default storage duration is 7 days, it will contain a maximum of 168 records per RF
Domain after 7 days.
• Since B4’s granularity is 1 day, every day 24 records from B3 will be aggregated into a single record
and inserted into B4.
• Since B4’s default storage duration is 365 days, it will contain a maximum of 365 records per RF
Domain after 1 year.
Data Expiration:
The expiration of older records (also referred to as purging or deleting of records) occurs along with
data aggregation for each bucket.
Let us consider (with default data storage-duration settings) the expiration of data for any one of the
statistical buckets.
• As stated earlier, at the end of 8 hours B1 will have 960 records per RF Domain. After a period of 8
hours and 10 minutes, all 960 records are aggregated into 144 records and inserted into B2. To
enable B1 to hold exactly 8 hours worth of data, 20 of the oldest records (corresponding to the first
10 minutes) are purged from B1 at the end of 8 hours and 10 minutes. This expiration cycle is
triggered every 10 minutes.
• At the end of 24 hours B2 will have 144 records per RF Domain. After a period of 24 hours and 10
minutes, one of the oldest records (corresponding to the first 10 minutes) is purged from B2. This
expiration cycle is triggered every 10 minutes to enable B2 to maintain exactly 24 hours worth of
data.
• At the end of 7 days B3 will have 168 records per RF Domain. After a period of 7 days and one hour,
one of the oldest records (corresponding to the first hour) is purged from B3. This expiration cycle is
triggered every 1 hour to enable B3 to maintain exactly 7 days worth of data.
• At the end of 365 days B4 will have 365 records per RF Domain. After 365 days, the oldest records
(corresponding to the first day) are purged from B4. This expiration cycle is triggered every 1 day to
enable B4 to maintain exactly 365 days worth of data.
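Added example (not part of the original guide): the bucket arithmetic above as a Python model, which also averages one constructed day of samples through B2, B3 and B4 to show how much of a two-minute burst is still visible at each granularity once the raw records have expired. It assumes aggregation is an arithmetic mean over consecutive records and that the update interval sets the B1 record rate; the function names and sample values are made up.

```python
from statistics import mean

# Fixed aggregation granularity of B2..B4, in seconds, as listed in the guide.
GRANULARITY = {"B2": 600, "B3": 3600, "B4": 86400}
# Allowed values taken from the command syntax shown in the guide.
UPDATE_INTERVALS = (30, 60, 120, 300, 600)
DURATION_RANGE_H = {"B1": (1, 24), "B2": (1, 168),
                    "B3": (1, 2160), "B4": (24, 26280)}
ORDER = ("B1", "B2", "B3", "B4")


def bucket_plan(update_interval=30, b1_hours=8, b2_hours=24,
                b3_hours=168, b4_hours=8760):
    """Return granularity, record ceiling and fan-in for each bucket.

    Defaults are the guide's defaults (8 h, 24 h, 7 days, 1 year).
    """
    if update_interval not in UPDATE_INTERVALS:
        raise ValueError(f"update interval must be one of {UPDATE_INTERVALS}")
    hours = dict(zip(ORDER, (b1_hours, b2_hours, b3_hours, b4_hours)))
    for name, value in hours.items():
        low, high = DURATION_RANGE_H[name]
        if not low <= value <= high:
            raise ValueError(f"{name} duration must be {low}-{high} hours")
    gran = {"B1": update_interval, **GRANULARITY}
    plan, prev = {}, None
    for name in ORDER:
        plan[name] = {
            "granularity_s": gran[name],
            # Most records one RF Domain can hold in this bucket.
            "max_records": hours[name] * 3600 // gran[name],
            # Records of the previous bucket averaged into one record here.
            "aggregated_from_previous":
                None if prev is None else gran[name] // gran[prev],
        }
        prev = name
    return plan


def aggregate(records, fan_in):
    """Average every complete group of fan_in consecutive records."""
    return [mean(records[i:i + fan_in])
            for i in range(0, len(records) - fan_in + 1, fan_in)]


def peak_by_bucket(samples, update_interval=30):
    """Highest value still visible at each bucket's granularity."""
    plan = bucket_plan(update_interval)
    peaks = {"B1": max(samples)}
    level = samples
    for name in ORDER[1:]:
        level = aggregate(level, plan[name]["aggregated_from_previous"])
        peaks[name] = max(level) if level else None
    return peaks


# Constructed input: one day of 30-second samples of a unitless metric,
# flat at 10.0 except for a two-minute burst (four samples) of 1000.0.
SAMPLES = [10.0] * 2880
SAMPLES[100:104] = [1000.0] * 4

if __name__ == "__main__":
    for name, row in bucket_plan().items():
        print(name, row)
    print(peak_by_bucket(SAMPLES))
```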
Example
nx9500-6C8809(config-profile-testNX9500)#nsight database statistics avc-update-interval 120
Related Commands
no on page 1405 – Reverts the NSight database related parameters configured to default values
ntp
NTP manages time and/or network clock synchronization within the network. NTP is a client/server
implementation. Controllers, service platforms, and access points (NTP clients) periodically synchronize
their clock with a master clock (an NTP server). For example, a controller resets its clock to 07:04:59
upon reading a time of 07:04:59 from its designated NTP server.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ntp server <PEER-IP/HOSTNAME> {autokey|key|maxpoll|minpoll|prefer|
version}
Parameters
ntp server <PEER-IP/HOSTNAME> {autokey} {prefer version <1-4>|version <1-4>}
ntp server <PEER-IP/HOSTNAME> – Configures NTP server resources that are used to obtain system time
• <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP address or hostname. Specify the
NTP server’s IP address or hostname.
ntp server Configures NTP server resources that are used to obtain system time
<PEER-IP/ • <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP
HOSTNAME> address or hostname. Specify the NTP server’s IP address or hostname.
maxpoll [1024| Optional. Configures the maximum polling interval. Once set, the specified NTP
2048|4096| server is polled no later than the defined interval. Select one of the following
8192] options:
• 1024 – Configures the maximum polling interval as 1024 seconds. This is the
default setting.
• 2048 – Configures the maximum polling interval as 2048 seconds
• 4096 – Configures the maximum polling interval as 4096 seconds
• 8192 – Configures the maximum polling interval as 8192 seconds
ntp server Configures NTP server resources that are used to obtain system time
<PEER-IP/ • <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP
HOSTNAME> address or hostname. Specify the NTP server’s IP address or hostname.
minpoll [1024| Optional. Configures the minimum polling interval. Once set, the specified NTP
128|256|512| server is polled no sooner than the defined interval. Select one of the following
64] options:
• 1024 – Configures the minimum polling interval as 1024 seconds
• 128 – Configures the minimum polling interval as 128 seconds
• 256 – Configures the minimum polling interval as 256 seconds
• 512 – Configures the minimum polling interval as 512 seconds
• 64 – Configures the minimum polling interval as 64 seconds. This is the
default setting.
Configures NTP server resources that are used to obtain system time
• <PEER-IP/HOSTNAME>> – Identifies the NTP server resource by its IP
address or hostname. Specify the NTP server’s IP address or hostname.
ntp server
<PEER-IP/
HOSTNAME>
key <1-65534> Optional. Defines the authentication key for the specified NTP server. This
md5 [0 <WORD>| option is used to configure the key when ‘autokey’ configuration is not enabled.
2 <WORD>| • <1-65534> – Specify the peer key number. Should not exceed 64 characters
<WORD>] in length.
◦ md5 – Sets MD5 authentication
▪ 0 <WORD> – Configures a clear text password
▪ 2 <WORD> – Configures an encrypted password
▪ <WORD> – Sets an authentication key
ntp server Configures NTP server resources that are used to obtain system time
<PEER-IP/ • <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP
HOSTNAME> address or hostname. Specify the NTP server’s IP address or hostname.
prefer version Optional. Designates the specified NTP server as a preferred NTP resource. This
<1-4> setting is disabled by default.
• version – Optional. Configures the NTP version
◦ <1-4> – Select the NTP version from 1 - 4. If not specified, the default
value of ‘0’ is applied, which implies that the NTP server’s version is
ignored.
version <1-4> Optional. Configures the version number used by the specified NTP server
prefer resource
• <1-4> – Select the NTP version from 1 - 4. The default setting is 0. A value of
‘0’ implies that the NTP server’s version is ignored.
◦ prefer – Optional. Designates the specified NTP server as a preferred
NTP resource. This setting is disabled by default. The NTP version
number specified using the ‘version <1-4>’ keyword is applied to this
preferred NTP resource.
Example
NOC-NX9500(config-profile-testNX9000)#ntp server 10.234.160.5
no ntp autokey
no ntp authenticate
ntp server 10.234.160.5
NOC-NX9500(config-profile-testNX9000)#
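The following audit script is an added example, not part of the guide or of WiNG itself. It reads 'ntp server' lines from a saved profile context and flags servers with neither 'autokey' nor 'key', keys stored with the clear text type '0', and values outside the ranges listed in the parameter table above. It assumes that options appear on one line in the form shown in the Syntax section; the function names and every sample line other than the guide's own example output are constructed.

```python
"""Audit 'ntp server' lines in a WiNG profile context (added example)."""

MAXPOLL_VALUES = {1024, 2048, 4096, 8192}    # seconds; 1024 is the documented default
MINPOLL_VALUES = {64, 128, 256, 512, 1024}   # seconds; 64 is the documented default
KEYWORDS = {"autokey", "key", "maxpoll", "minpoll", "prefer", "version"}

# Constructed sample: the first three lines are the output shown in the guide's
# example; every other server line, address and key string is made up.
SAMPLE_CONTEXT = """\
 no ntp autokey
 no ntp authenticate
 ntp server 10.234.160.5
 ntp server 192.0.2.10 key 10 md5 0 ExampleSecret prefer version 4
 ntp server 192.0.2.11 key 11 md5 2 c2FtcGxlLWJsb2I= minpoll 128 maxpoll 2048
 ntp server time.example.net autokey version 3
 ntp server 192.0.2.12 key 70000 md5 2 c2FtcGxlLWJsb2I= maxpoll 512
"""


def parse_ntp_server(line):
    """Parse one 'ntp server ...' line into a dict; return None for other lines."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[:2] != ["ntp", "server"]:
        return None
    entry = {"host": tokens[2], "autokey": False, "prefer": False, "key_id": None,
             "key_type": None, "minpoll": None, "maxpoll": None, "version": None,
             "unparsed": []}
    i = 3
    while i < len(tokens):
        tok = tokens[i]
        has_number = i + 1 < len(tokens) and tokens[i + 1].isdigit()
        if tok in ("autokey", "prefer"):
            entry[tok] = True
            i += 1
        elif tok in ("minpoll", "maxpoll", "version") and has_number:
            entry[tok] = int(tokens[i + 1])
            i += 2
        elif tok == "key" and has_number:
            entry["key_id"] = int(tokens[i + 1])
            i += 2
            if i < len(tokens) and tokens[i] == "md5":
                i += 1
                rest = tokens[i:]
                if len(rest) >= 2 and rest[0] in ("0", "2") and rest[1] not in KEYWORDS:
                    entry["key_type"] = rest[0]   # '0' clear text, '2' encrypted
                    i += 2
                elif rest:
                    entry["key_type"] = "bare"    # md5 <WORD> with no type prefix
                    i += 1
        else:
            entry["unparsed"].append(tok)
            i += 1
    return entry


def audit_entry(entry):
    """Return finding codes for one parsed server entry."""
    findings = []
    if not entry["autokey"] and entry["key_id"] is None:
        findings.append("no-authentication")      # time accepted without any key
    if entry["key_id"] is not None:
        if entry["key_type"] is None:
            findings.append("key-without-md5")
        if entry["key_type"] == "0":
            findings.append("cleartext-key")      # secret readable in the config
        if not 1 <= entry["key_id"] <= 65534:
            findings.append("bad-key-id")
    if entry["minpoll"] is not None and entry["minpoll"] not in MINPOLL_VALUES:
        findings.append("bad-minpoll")
    if entry["maxpoll"] is not None and entry["maxpoll"] not in MAXPOLL_VALUES:
        findings.append("bad-maxpoll")
    if entry["version"] is not None and not 1 <= entry["version"] <= 4:
        findings.append("bad-version")
    if entry["unparsed"]:
        findings.append("unparsed-tokens")
    return findings


def audit_context(text):
    """Return (host, finding) tuples for every 'ntp server' line in the text."""
    results = []
    for raw in text.splitlines():
        entry = parse_ntp_server(raw.strip())
        if entry is None:
            continue
        results.extend((entry["host"], code) for code in audit_entry(entry))
    return results


if __name__ == "__main__":
    for host, code in audit_context(SAMPLE_CONTEXT):
        print(f"{host}: {code}")
```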
Related Commands
otls
Profile Config Commands on page 954
OmniTrail (offered by OmniTrail technologies) is a Wi-Fi based locationing protocol used in positioning
and tracking location solutions. Access points supporting OTLS beacon identification lock their radios to
scan channels for beacons with OTLS tags. Beacons received by the access point are matched for the
OTLS signature, and in case of a match, the beacons are forwarded to the OTLS server as UDP payload.
Use this command to configure OTLS server details on the AP and enable OTLS data forwarding.
Alternately, OTLS parameters can be configured in the AP’s profile on the controller or service platform,
and pushed to adopted access points. When configured, APs establish connection with the OTLS server
and forward OTLS locationing feeds to the server.
• Access Points — AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8432,
AP8533
Syntax
otls [apid|control-port|data-port|forward|server-ip]
Parameters
otls apid <WORD>
otls apid <WORD> – Configures a unique identification for the OTLS-enabled access point. The access
point identifier (APID) enables the OTLS server to identify the AP forwarding the OTLS tag.
• <WORD> – Specify an ID for the AP.
To ensure that OTLS-enabled APs have a unique OTLS ID, it is recommended that the APID is configured
in the device context of each AP.
otls control-port <0-65535> – Configures the port used by the AP to establish and maintain connection
with the OTLS server
• <0-65535> – Specify the control port from 0 - 65535.
otls data-port [2.4GHz|5GHz] <0-65535> – Configures the port used by the AP to forward OTLS beacons to
the OTLS server. However, OTLS data forwarding has to be enabled on the APs. Use the otls > forward >
[2.4GHz|5GHz] > [disable|enable] command to enable data forwarding.
• 2.4GHz – Configures the port used to forward OTLS beacons received on the 2.4 GHz band
• 5GHz – Configures the port used to forward OTLS beacons received on the 5.0 GHz band
The following keyword is common to the above parameters:
• <0-65535> – Specify a data-forwarding port from 0 - 65535.
Example
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls apid 112233
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls forward 2.4GHz enable
Related Commands
offline-duration
Profile Config Commands on page 954
Sets the duration, in minutes, for which a device remains unadopted before it generates an offline event.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
offline-duration <5-43200>
Parameters
offline-duration <5-43200>
Example
rfs4000-229D58(config-profile-test)#offline-duration 200
rfs4000-229D58(config-profile-test)#show context
profile rfs4000 test
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
................................................................
interface wwan1
interface pppoe1
use firewall-policy default
service pm sys-restart
router ospf
offline-duration 200
rfs4000-229D58(config-profile-test)#
Related Commands
power-config
Profile Config Commands on page 954
Configures the power option mode. Use this command in the profile configuration mode to configure
the transmit output power of access point radios. This command is also available in the device-config
mode.
Single radio model access points always operate using a full power configuration. The power
management configurations described in this section do not apply to single radio models. When an
access point is powered on for the first time, the system determines the power budget available to the
access point. If 802.3af is selected, the access point assumes 12.95 watts is available. If the mode is
changed, the access point requires a reset to implement the change. If 802.3at is selected, the access
point assumes 23 - 26 watts is available.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
power-config [af-option|at-option|mode]
Parameters
power-config [af-option|at-option] [range|throughput]
Example
nx9500-6C8809(config-profile-testAP7161)#power-config mode 3af
nx9500-6C8809(config-profile-testAP7161)#show context
profile ap71xx testAP7161
no autoinstall configuration
no autoinstall firmware
power-config mode 3af
power-config af-option range
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
Related Commands
no on page 1329 – Reverts the power mode setting on this profile to default
preferred-controller-group
Profile Config Commands on page 954
At adoption, an access point solicits and receives multiple adoption responses from controllers and
service platforms available on the network. These adoption responses contain loading policy
information the access point uses to select the optimum controller or service platform for adoption.
After selecting the controller or service platform, the access point associates with it and optionally
obtains an image upgrade and configuration. By default, an auto provisioning policy generally
distributes AP adoption evenly amongst available controllers and service platforms. Use this command
to specify the controller or service platform preferred for adoption. Once configured, the access point
adopts to the specified preferred controller or service platform.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
preferred-controller-group <WORD>
Parameters
preferred-controller-group <WORD>
<WORD> – Specify the name of the controller (wireless controller or service platform) group preferred
for adoption. Devices using this profile are added, on adoption, to the controller group specified
here.
Example
NOC-NX9500(config-profile-testNX9000)#preferred-controller-group testGroup
Related Commands
preferred-tunnel-controller
Profile Config Commands on page 954
Configures the tunnel controller's name preferred for tunneling extended VLAN traffic. Devices using
this profile will prefer to route their extended VLAN traffic through the specified tunnel controller
(wireless controller or service platform).
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
preferred-tunnel-controller <NAME>
Parameters
preferred-tunnel-controller <NAME>
Example
nx9500-6C8809(config-profile-default-rfs4000)#preferred-tunnel-controller testtunnel
Related Commands
radius
Profile Config Commands on page 954
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
radius [nas-identifier|nas-port-id] <WORD>
Parameters
radius [nas-identifier|nas-port-id] <WORD>
nas-port-id <WORD> – Specifies the RADIUS NAS port ID attribute used by this device
• <WORD> – Specifies the NAS port ID
Example
nx9500-6C8809(config-profile-default-rfs4000)#radius nas-port-id 1
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
mint link ip 1.2.3.4
mint level 1 area-id 88
bridge vlan 1
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
radius nas-identifier test
radius nas-port-id 1
neighbor-info-interval 6
neighbor-inactivity-timeout 500
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
rf-domain-manager
Profile Config Commands on page 954
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
rf-domain-manager [capable|priority <1-255>]
Parameters
rf-domain-manager [capable|priority <1-255>]
Example
NOC-NX9500(config-profile-testNX9000)#rf-domain-manager capable
Related Commands
router
Profile Config Commands on page 954
Enables dynamic routing (BGP and/or OSPF) and enters the routing protocol configuration mode
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Note
BGP is supported only on RFS4000, NX75XX, and NX95XX model controllers and service
platforms.
Syntax
router [bgp|ospf]
Parameters
router [bgp|ospf]
router – Enables dynamic routing and enters the routing protocol configuration mode
bgp – Enables BGP dynamic routing and configures relevant settings
BGP is an inter-ISP routing protocol, which establishes routing between ISPs. ISPs use BGP to exchange
routing and reachability information between Autonomous Systems (AS) on the Internet. BGP uses TCP as
its transport protocol, eliminating the need to implement explicit update fragmentation,
retransmission, acknowledgement, and sequencing.
Routing information exchanged through BGP supports destination based forwarding only. It assumes a
router forwards packets based on the destination address carried in the IP header of the packet.
An AS is a set of routers under the same administration that use Interior Gateway Protocol (IGP) and
common metrics to define how to route packets within the AS.
For more information on dynamic BGP routing configurations, see BORDER GATEWAY PROTOCOL on page 2050.
ospf – Enables OSPF dynamic routing and configures relevant settings. Changes configuration mode to
router mode
OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system),
like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a
network topology. The topology determines the routing table presented to the Internet Layer which
makes routing decisions based solely on the destination IP address found in IP packets.
For more information on dynamic OSPF routing configurations, see ROUTER-MODE on page 1909.
Example
nx9500-6C8809(config-profile-default-rfs4000)#router ospf
nx9500-6C8809(config-profile default-rfs4000-router-ospf)#?
Router OSPF Mode commands:
area OSPF area
auto-cost OSPF auto-cost
default-information Distribution of default information
ip Internet Protocol (IP)
network OSPF network
no Negate a command or set its defaults
ospf Ospf
passive Make OSPF Interface as passive
redistribute Route types redistributed by OSPF
route-limit Limit for number of routes handled OSPF process
router-id Router ID
nx9500-6C8809(config-profile default-rfs4000-router-ospf)#
Related Commands
spanning-tree
Profile Config Commands on page 954
Enables spanning tree commands. Use these commands to configure the errdisable, multiple spanning
tree and portfast settings.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
spanning-tree [errdisable|mst|portfast]
Parameters
spanning-tree errdisable recovery [cause bpduguard|interval <10-1000000>]
max-age <6-40> – Defines the maximum time to listen for the root bridge
• <6-40> – Specify a value from 4 - 60 seconds. The default is 20 seconds.
revision <0-255> – Sets the MST bridge revision number. This enables the retrieval of configuration
information.
• <0-255> – Specify a value from 0 - 255. The default is 0.
The spanning tree protocol sends BPDUs from all ports. Enabling the BPDU filter ensures that PortFast
enabled ports do not transmit or receive BPDUs.
• bpduguard default – Guards PortFast ports against BPDU receive. The BPDU guard is disabled by
default.
Enabling the BPDU guard means this port will shut down on receiving a BPDU.
◦ default – Enables the BPDU filter and/or BPDU guard on PortFast enabled ports by default
Usage Guidelines
If a bridge does not hear BPDUs from the root bridge within the specified interval, it assumes the
network has changed and recomputes the spanning-tree topology.
Generally, spanning tree configuration settings in the config mode define the configuration for bridge
and bridge instances.
MSTP is based on instances. An instance is a group of VLANs with a common spanning tree. A single
VLAN cannot be associated with multiple instances.
Wireless Controllers or service platforms with the same instance, VLAN mapping, revision number and
region names define a unique region. Wireless Controllers or service platforms in the same region
exchange BPDUs with instance record information within.
Example
nx9500-6C8809(config-profile-default-rfs4000)#spanning-tree errdisable recovery cause bpduguard
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
mint link ip 1.2.3.4
mint level 1 area-id 88
bridge vlan 1
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
radius nas-identifier test
radius nas-port-id 1
neighbor-info-interval 6
neighbor-inactivity-timeout 500
spanning-tree mst 2 priority 4096
spanning-tree errdisable recovery cause bpduguard
autoinstall configuration
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
traffic-class-mapping
Profile Config Commands on page 954
Maps the IPv6 traffic class value of incoming IPv6 untagged packets to 802.1p priority. This mapping is
required to provide priority of service to some packets over others. For example, VoIP packets get
higher priority than data packets to provide a better quality of service for high priority voice traffic.
Devices use the traffic class field in the IPv6 header to set this priority. This command allows you to
assign a priority for different IPv6 traffic types.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
traffic-class-mapping <IPv6-TRAFFIC-CLASS-VALUE> priority <0-7>
Parameters
traffic-class-mapping <IPv6-TRAFFIC-CLASS-VALUE> priority <0-7>
traffic-class-mapping – Maps the IPv6 traffic class value of incoming IPv6 untagged packets to 802.1p
priority
<IPv6-TRAFFIC-CLASS-VALUE> – Specify the traffic class value of incoming IPv6 untagged packet(s)
(could be a single value or a list, for example, 10-20, 25, 30-35). This is the DSCP 6-bit parameter
in the header of every IP packet used for packet classification.
priority <0-7> – Specify the 802.1p priority to map with the traffic-class value specified in the
previous step
• <0-7> – Specify a value from 0 - 7.
The 802.1p priority is a 3-bit IP precedence value in the Type of Service field of the IP header used
to set the priority. The valid values for this field are 0-7. Up to 64 entries are permitted. The
priority values are:
• 0 – Best Effort
• 1 – Background
• 2 – Spare
• 3 – Excellent Effort
• 4 – Controlled Load
• 5 – Video
• 6 – Voice
• 7 – Network Control
Example
rfs4000-229D58(config-profile-TestRFS4000)#traffic-class-mapping 25 priority 2
rfs4000-229D58(config-profile-TestRFS4000)#show context
profile rfs4000 TestRFS4000
traffic-class-mapping 25 priority 2
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto remote-vpn-client
-More-
rfs4000-229D58(config-profile-TestRFS4000)#
Related Commands
no on page 1329 – Removes mapping between IPv6 traffic class value (of incoming IPv6 untagged
packets) and 802.1p priority
traffic-shape
Profile Config Commands on page 954
Enables traffic shaping and configures traffic shaping parameters. This command is applicable to both
the profile and device configuration modes.
Traffic shaping is a means of regulating data transfers and ensuring a specific level of performance
within a network. Traffic shaping does the following:
• Controls flow of packets based on their priority value. Prioritized traffic streams are given priority
over less important traffic.
• Controls traffic on an interface to match its flow to the speed of a remote target’s interface and
ensure traffic conforms to applied policies
• Shapes traffic to meet downstream requirements and eliminate network congestion when data rates
are in conflict.
Use this option to apply traffic shaping to specific applications or application categories. Note, in
scenarios where a traffic class is matched against an application, application-category, and ACL rule, the
application rule will be applied first, followed by the application-category, and finally the ACL. Further,
using traffic shaping, an application takes precedence over an application category.
To enable traffic shaping, configure QoS values on the basis of which priority of service is provided to
some packets over others. For example, VoIP packets get higher priority than data packets to provide a
better quality of service for high priority voice traffic. For configuring IPv6 traffic class mappings, see
traffic-class-mapping on page 1354. And for configuring DSCP traffic class mappings, see dscp-
mapping on page 1091.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
traffic-shape [activation-criteria|app-category|application|class|enable|priority-map|total-bandwidth]
Note
The available range for the ‘rate’ field will vary depending on the unit selected. It is 250 -
250000 for Kbps and 1 - 250 for Mbps.
Note
The available range for the ‘total-bandwidth’ field will vary depending on the unit selected. It
is 250 - 1000000 for Kbps and 1 - 1000 for Mbps.
traffic-shape enable
Parameters
traffic-shape activation-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]
traffic-shape activation-criteria – Configures traffic-shape activation criteria that determines when
the device invokes traffic shaping
always – Always invokes traffic shaping. This is the default setting.
cluster-master – Invokes traffic shaping when the device is the cluster master. The solitary cluster
master (elected using a priority assignment scheme) is a cluster member that provides management
configuration and Smart RF data to other members within the cluster. Cluster requests go through the
elected master before dissemination to other cluster members.
rf-domain-manager – Invokes traffic shaping when the device is the RF Domain manager. The RF Domain
manager is the elected member capable of storing and provisioning configuration and firmware images
for other members of the RF Domain.
vrrp-master <1-255> – Invokes traffic shaping when the device is the VRRP master. As the VRRP master,
the device responds to ARP requests, forwards packets with a destination link MAC layer address equal
to the virtual router MAC layer address, rejects packets addressed to the IP associated with the
virtual router and accepts packets addressed to the IP associated with the virtual router.
• <1-255> – Specify the VRRP group ID from 1 - 255.
traffic-shape app-category <APP-CATEGORY-NAME> class <1-4> – Configures an application category to
traffic-class mapping. Use this option to apply an application category to traffic-shaper class
mapping. Naming and categorizing applications that do not fall into existing groups is an additional
means of filtering and potentially limiting network airtime to consumptive non-required applications
negatively impacting network performance.
• class <1-4> – Map the specified application category to a traffic-shaper class from 1 - 4.
traffic-shape application <APPLICATION-NAME> class <1-4> – Configures an application to traffic-class
mapping. Use this option to apply an application to traffic-shaper class mapping.
• application <APPLICATION-NAME> – Specify the application name.
◦ class <1-4> – Map the specified application to a traffic-shaper class from 1 - 4.
traffic-shape class <1-4> max-buffers <1-400> – Configures the queue length limit for different
traffic-shaper class
• class <1-4> – Specify the traffic-shaper class from 1 - 4.
◦ max-buffers <1-400> – Configures the maximum queue lengths for packets of different priority
queues, after which the queue starts to drop packets.
▪ <1-400> – Configure the queue length limit from 1 - 400 for packets of priority queues 0, 1, 2, 3,
4, 5, 6, and 7.
Note: For access points the upper queue length limit is 400.
red-level <1-400> – Optional. Performs Random Early Drop (RED) when a specified queue length in
packets is reached
• <1-400> – Configure the queue length limit from 1 - 400 for packets of priority queues 0, 1, 2, 3,
4, 5, 6, and 7.
The RED algorithm is a queuing technique for congestion avoidance. RED monitors the average queue size
and drops or marks packets. If the buffer is near empty, all incoming packets are accepted. When the
queue grows, the probability for dropping an incoming packet also grows. When the buffer is full, the
probability has reached 1 and all incoming packets are dropped.
Note: For more information on default values, see the Usage Guidelines section in this topic.
red-percent <1-100> – Optional. Performs RED when a specified value, which is a percentage of the
max-buffers configured, is reached
• <1-100> – Configure the percentage of the max-buffers from 1 - 100 for packets of priority queues
0, 1, 2, 3, 4, 5, 6, and 7.
traffic-shape class <1-4> max-latency <1-1000000> [msec|usec] – Configures the max-latency for
different traffic-shaper class. Max latency specifies the time limit after which packets start
dropping (maximum packet delay in the queue). The maximum number of entries is 8.
• class <1-4> – Specify the traffic-shaper class from 1 - 4.
◦ max-latency <1-1000000> – Configures the max-latency for packets of different priority queues,
after which the queue starts to drop packets.
▪ <1-1000000> – Configure the max-latency from 1 - 100000 for packets of priority queues 0, 1, 2, 3,
4, 5, 6, and 7.
traffic-shape class <1-4> rate – Configures traffic rate, in either Kbps, Mbps or percentage, for the
different traffic shaper class. Specify rates for different traffic shaper class to control the
maximum traffic rate sent or received on an interface. Consider this form of rate limiting on
interfaces at the edge of a network to limit traffic into or out of the network. Traffic within the
set limit is sent and traffic exceeding the set limit is dropped or sent with a different priority.
• class <1-4> – Specify the traffic-shaper class from 1 - 4.
<1-250000> [Kbps|Mbps] – Configures the traffic rate, in Kbps or Mbps, for the class specified in the
previous step
• <1-250000> – Specify the rate from 1 - 250000.
◦ [Kbps|Mbps] – Configures the unit for measuring bandwidth as Kbps or Mbps. The default setting is
Kbps.
Note: The range varies depending on the unit selected. It is 1 - 250 Mbps, or 250 - 250000 Kbps.
total-bandwidth-percent <1-100> – Configures the traffic rate, as a percentage of the total available
bandwidth, for the class specified in the previous step
• <1-100> – Specify the traffic rate from 1 - 100% of the total bandwidth.
traffic-shape priority-map <0-7> – Configures the traffic-shaper queues, within a class, having
different priority values (0, 1, 2, 3, 4, 5, 6, and 7). There are 8 queues (0 - 7), and traffic is
queued in each based on the incoming packet’s 802.1p 3-bit priority markings.
• priority-map <0-7> – Specify the priority from 0 - 7 for priority levels 0, 1, 2, 3, 4, 5, 6, and 7.
The IEEE 802.1p standard sets a 3-bit value in the MAC header to indicate prioritization. This 3-bit
value provides priority levels ranging from 0 to 7 (i.e., a total of 8 levels), with level 7
representing the highest priority. This permits packets to cluster and form different traffic classes.
In case of network congestion, packets with higher priority receive preferential treatment while low
priority packets are kept on hold.
Note: The range varies depending on the unit selected. It is 1 - 1000 Mbps, or 250 - 1000000 Kbps.
traffic-shape enable
traffic-shape enable – Enables traffic shaping using the defined bandwidth, rate and class mappings
configured using this command
Usage Guidelines
Following are the default max-buffers set for the traffic shaper classes:
traffic-shape priority-map 2 0 1 3 4 5 6 7
Example
nx9500-6C8809(config-profile-ProfileNX5500)#show context include-factory | include traffic-shape
traffic-shape priority-map 2 0 1 3 4 5 6 7
traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 2 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 3 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 4 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape activation-criteria always
traffic-shape total-bandwidth 10 Mbps
no traffic-shape enable
nx9500-6C8809(config-profile-ProfileNX5500)#
nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape enable
nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape class 1 rate 250 Mbps
nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape application Bing class 1
nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape total-bandwidth 200 Mbps
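The script below is an added example, not part of the guide. It parses 'traffic-shape class' lines such as the factory defaults shown above, validates the eight per-queue values against the documented ranges, and reports which priority queues have a RED window between red-level and max-buffers. The linear ramp in drop_probability, the round-down conversion of red-percent to packets, and the two constructed sample lines (classes 2 and 3) are assumptions, since the guide describes RED only qualitatively.

```python
"""RED window check for 'traffic-shape class' lines (added example)."""

QUEUES = 8  # priority queues 0-7

# First line is the class 1 default from the guide's example output; the other
# two are constructed (class 2 uses red-percent, class 3 is misconfigured).
SAMPLE_LINES = [
    "traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10",
    "traffic-shape class 2 max-buffers 40 40 40 40 40 40 40 40 red-percent 50 50 50 50 75 75 100 100",
    "traffic-shape class 3 max-buffers 20 20 20 20 20 20 20 20 red-level 25 20 20 20 20 20 20 20",
]


def _eight(values, low, high, name):
    """Convert eight tokens to ints and check the documented range."""
    numbers = [int(v) for v in values]
    if len(numbers) != QUEUES or not all(low <= n <= high for n in numbers):
        raise ValueError(f"{name} needs eight values in {low}-{high}")
    return numbers


def parse_class_line(line):
    """Return (class_id, max_buffers, red_levels); red-percent is converted to packets."""
    tok = line.split()
    if tok[:2] != ["traffic-shape", "class"] or "max-buffers" not in tok:
        raise ValueError("not a traffic-shape class max-buffers line")
    class_id = int(tok[2])
    if not 1 <= class_id <= 4:
        raise ValueError("class must be 1-4")
    start = tok.index("max-buffers") + 1
    max_buffers = _eight(tok[start:start + QUEUES], 1, 400, "max-buffers")
    rest = tok[start + QUEUES:]
    if not rest:
        raise ValueError("line carries no red-level or red-percent keyword")
    if rest[0] == "red-level":
        red_levels = _eight(rest[1:], 1, 400, "red-level")
    elif rest[0] == "red-percent":
        percents = _eight(rest[1:], 1, 100, "red-percent")
        # Assumption: the percentage is rounded down to whole packets.
        red_levels = [max(1, mb * p // 100) for mb, p in zip(max_buffers, percents)]
    else:
        raise ValueError(f"unexpected keyword {rest[0]!r}")
    return class_id, max_buffers, red_levels


def red_report(line):
    """Return (class_id, per-queue report) describing where early drop can occur."""
    class_id, max_buffers, red_levels = parse_class_line(line)
    report = []
    for queue, (mb, rl) in enumerate(zip(max_buffers, red_levels)):
        if rl > mb:
            status = "red-level above max-buffers"   # RED can never start
        elif rl == mb:
            status = "tail drop only"                # no early-drop window
        else:
            status = "early drop"
        report.append({"queue": queue, "red_level": rl, "max_buffers": mb,
                       "window": max(0, mb - rl), "status": status})
    return class_id, report


def drop_probability(queue_len, red_level, max_buffers):
    """Assumed linear ramp: 0 below red_level, rising to 1 at max_buffers."""
    if queue_len >= max_buffers:
        return 1.0
    if queue_len < red_level:
        return 0.0
    return (queue_len - red_level) / (max_buffers - red_level)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        cid, rows = red_report(sample)
        for row in rows:
            print(cid, row)
```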
Related Commands
no on page 1329 – Removes traffic shaping configuration or reverts them to the default values
trustpoint (profile-config-mode)
Profile Config Commands on page 954
A certificate links identity information with a public key enclosed in the certificate.
A CA is a network authority that issues and manages security credentials and public keys for message
encryption. The CA signs all digital certificates it issues with its own private key. The corresponding
public key is contained within the certificate and is called a CA certificate. A browser must contain the
CA certificate in its Trusted Root Library so it can trust certificates signed by the CA's private key.
Depending on the public key infrastructure, the digital certificate includes the owner's public key, the
certificate expiration date, the owner's name and other public key owner information.
Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a
certificate authority, corporation or individual. A trustpoint represents a CA/identity pair containing the
identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity
certificate.
Note
Certificates/trustpoints used in this command should be verifiable as existing on the device.
For information on configuring trustpoints on a device, see trustpoint (device-config-mode)
on page 1418.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
trustpoint [cmp-auth-operator|https|radius-ca|radius-server]
<TRUSTPOINT-NAME>
Parameters
trustpoint [cmp-auth-operator|https|radius-ca|radius-server] <TRUSTPOINT-NAME>
trustpoint Assigns an existing trustpoint to validate CMP auth operator, client certificates,
and RADIUS server certificate
https Assigns an existing trustpoint to validate HTTPS requests
cmp-auth-operator Assigns an existing trustpoint to validate CMP auth operator. Once validated,
CMP is used to obtain and manage digital certificates in a PKI network. Digital
certificates link identity information with a public key enclosed within the
certificate, and are issued by the CA.
Use this command to specify the CMP-assigned trustpoint. When specified,
devices send a certificate request to the CMP supported CA server, and
download the certificate directly from the CA server. CMP supports multiple
request options for a device communicating with a CMP supported CA
server. The device can initiate a request for getting the certificates from the
server. It can also auto update the certificates which are about to expire.
radius-ca Assigns an existing trustpoint to validate client certificates in EAP
radius-server Assigns an existing trustpoint to validate RADIUS server certificate
<TRUSTPOINT-NAME> The following keyword is common to all of the above parameters:
• <TRUSTPOINT-NAME> – After selecting the service to validate, specify the
trustpoint name (should be existing and stored on the device).
Example
nx9500-6C8809(config-profile-testNX9500)#trustpoint cmp-auth-operator test
nx9500-6C8809(config-profile-testNX9500)#show context
profile nx9000 testNX9500
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
...........................................................
service pm sys-restart
router bgp
trustpoint cmp-auth-operator test
nx9500-6C8809(config-profile-testNX9500)#
Related Commands
tunnel-controller
Profile Config Commands on page 954
Configures the tunneled WLAN (extended VLAN) wireless controller or service platform’s name
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
tunnel-controller <NAME>
Parameters
tunnel-controller <NAME>
tunnel-controller <NAME> Configures the tunneled WLAN (extended VLAN) wireless controller or service
platform’s name
• <NAME> – Specify the name.
Example
rfs7000-37FABE(config-profile-default-rfs4000)#tunnel-controller testgroup
Related Commands
no on page 1329 Removes the configured tunneled WLAN (extended VLAN) wireless
controller or service platform’s name
use (profile/device-config-mode-commands)
Profile Config Commands on page 954
Associates existing policies with this profile. This command is also applicable to the device configuration
mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Note
The following tables contain the ‘use’ command parameters for the Profile and Device
configuration modes.
captive-portal server <CAPTIVE-PORTAL> Configures access to a specified captive portal with this profile
• <CAPTIVE-PORTAL> – Specify the captive portal name.
global-association-list server <GLOBAL-ASSOC-LIST-NAME> Associates the specified global association list with the controller profile
• <GLOBAL-ASSOC-LIST-NAME> – Specify the global association list name.
Once associated, the controller, using this profile, applies this association list to
requests received from all adopted APs. For more information on global
association list, see global-association-list on page 473.
guest-management <GUEST-MANAGEMENT-POLICY-NAME> Associates the specified guest management policy with the controller profile
• <GUEST-MANAGEMENT-POLICY-NAME> – Specify the guest management
policy name (should be existing and configured).
iot-device-type-imagotag-policy <POLICY-NAME> Associates an IoT Imago Tag policy to an AP’s profile or device context.
• <POLICY-NAME> – Specify the policy name. When associated, the policy
enables support for SES-imagotag’s ESL (Electronic Shelf Label) tags and
communicator on WiNG APs with USB interfaces. This feature is supported
only on AP-8432 model access points.
ip/ipv6-access-list <IP/IPv6-ACL-NAME> traffic-shape class <1-4> Associates an IP and/or IPv6 ACL with this profile and applies it as a firewall for
the selected traffic-shape class
• <IP/IPv6-ACL-NAME> – Specify the IP/IPv6 ACL name (should be existing
and configured)
◦ traffic-shape class <1-4> – Selects the traffic-shape class to apply the
above specified IP/IPv6 ACL
location-policy <POLICY-NAME> Associates a location policy to the device profile. The Location policy is a
means to upload site hierarchy to the ExtremeLocation server through the
WiNG controller (NOC, standalone APs, virtual controllers). The location policy
points to the ExtremeLocation server and provides the Tenant authentication
key needed to authenticate with the server.
It is applicable to the following platform profiles: AP-7522, AP 7532, AP 7562,
AP 7602, AP-7612, AP 7622, AP7632, AP7662, AP-8432, AP-8533, RFS 4000,
NX 5500, NX 7510, NX 95XX, NX 96XX, and VX 9000.
• <POLICY-NAME> – Specify the policy name.
policy]
<POLICY-NAME>
enterprise-ui Enables application of the site controller’s Enterprise user interface (UI) on all
management points (controllers and access points)
For example, the site controller is NX 5500 and an AP 7562 is adopted to it. To
enable the access point to also use the Enterprise UI:
In the AP 7562’s profile configuration mode, execute: use > enterprise-ui
On adoption and application of this profile, the AP 7562 access point resets
and reboots using the Enterprise UI. Once using the Enterprise UI, on all
subsequent adoptions, the AP does not get reset.
event-system-policy <EVENT-SYSTEM-POLICY> Associates an event system policy
• <EVENT-SYSTEM-POLICY> – Specify the event system policy name.
firewall-policy <FW-POLICY> Associates a firewall policy
• <FW-POLICY> – Specify the firewall policy name.
global-association-list server <GLOBAL-ASSOC-LIST-NAME> Associates the specified global association list with the device (controller)
• <GLOBAL-ASSOC-LIST-NAME> – Specify the global association list name.
Once associated, the controller applies this association list to requests received
from all adopted APs. For more information on global association list, see
global-association-list on page 473.
guest-management <GUEST-MANAGEMENT-POLICY-NAME> Associates the specified guest management policy with this device
• <GUEST-MANAGEMENT-POLICY-NAME> – Specify the guest management
policy name (should be existing and configured).
ip/ipv6-access-list <IP/IPv6-ACL-NAME> traffic-shape class <1-4> Associates an IP and/or IPv6 ACL with this device and applies it as a firewall for
a selected traffic-shape class
• <IP/IPv6-ACL-NAME> – Specify the IP/IPv6 ACL name (should be existing
and configured)
◦ traffic-shape class <1-4> – Selects the traffic-shape class to apply the
above specified IP/IPv6 ACL
▪ <1-4> – Select the traffic-shape class from 1 - 4.
location-policy <POLICY-NAME> Associates a location policy to the device self. The Location policy is a means to
upload site hierarchy to the ExtremeLocation server through the WiNG
controller (NOC, standalone APs, virtual controllers). The location policy points
to the ExtremeLocation server and provides the Tenant authentication key
needed to authenticate with the server.
It is applicable to the following platform profiles: AP-7522, AP 7532, AP 7562,
AP 7602, AP-7612, AP 7622, AP7632, AP7662, AP-8432, AP-8533, RFS 4000,
NX 5500, NX 7510, NX 95XX, NX 96XX, and VX 9000.
• <POLICY-NAME> – Specify the policy name.
rtl-server-policy <POLICY-NAME> Associates an RTL (Real Time Locationing) server policy with an access point.
When associated, enables the access point to directly send RSSI feeds to the
third-party Euclid RTL server.
• <POLICY-NAME> – Specify the RTL server policy name (should be existing
and configured).
sensor-policy <POLICY-NAME> Associates a sensor policy with an access point or controller. When associated,
WiNG controllers and access points function as sensors.
• <POLICY-NAME> – Specify the sensor policy name (should be existing and
configured).
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
mint link ip 1.2.3.4
mint level 1 area-id 88
.....................................................
interface ge3
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface ge4
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface pppoe1
use event-system-policy TestEventSysPolicy
Related Commands
vrrp
Profile Config Commands on page 954
A default gateway is a critical resource for connectivity. However, it is prone to a single point of failure.
Thus, redundancy for the default gateway is required. If WAN backhaul is available, and a router failure
occurs, then the controller should act as a router and forward traffic on to its WAN link.
Define an external VRRP configuration when router redundancy is required in a network requiring high
availability.
Central to VRRP configuration is the election of a VRRP master. A VRRP master (once elected)
performs the following functions:
• Responds to ARP requests
• Forwards packets with a destination link layer MAC address equal to the virtual router’s MAC
address
• Rejects packets addressed to the IP address associated with the virtual router, if it is not the IP
address owner
• Accepts packets addressed to the IP address associated with the virtual router, if it is the IP address
owner or accept mode is true.
The nodes that lose the election process enter a backup state. In the backup state they monitor the
master for any failures, and in case of a failure one of the backups, in turn, becomes the master and
assumes the management of the designated virtual IPs. A backup does not respond to an ARP request,
and discards packets destined for a virtual IP resource.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
vrrp [<1-255>|version]
Parameters
vrrp <1-255> [delta-priority <1-253>|description <LINE>|vrrp ip <IP> {<IP>}| preempt
{delay <1-65535>}|priority <1-254>|sync-group]
vrrp <1-255> Configures the virtual router ID from 1- 255. Identifies the virtual router the
packet is reporting status for.
delta-priority <1-253> Configures the priority to decrement (local link monitoring and critical resource
monitoring) or increment (critical resource monitoring). When the monitored
interface is down, the configured priority decrements by a value defined by the
delta-priority option. When monitoring critical resources, the value increments
by the delta-priority option.
• <1-253> – Specify the delta priority level from 1- 253.
description <LINE> Configures a text description for the virtual router to further distinguish it from
other routers with similar configuration
• <LINE> – Provide a description (a string from 1- 64 characters in length)
ip <IP-ADDRESSES> Identifies the IP address(es) backed by the virtual router. These are IP
addresses of Ethernet switches, routers, and security appliances defined as
virtual router resources.
• <IP-ADDRESSES> – Specify the IP address(es) in the A.B.C.D format.
This configuration triggers VRRP operation.
preempt {delay <1-65535>} Controls whether a high priority backup router preempts a lower priority
master. This field determines if a node with higher priority can take over all
virtual IPs from a node with lower priority. This feature is disabled by default.
• delay – Optional. Configures the pre-emption delay timer from 1 - 65535
seconds (default is 0 seconds). This option can be used to delay sending
out the master advertisement or, in case of a monitored link coming up,
adjusting the VRRP priority by priority delta.
priority <1-254> Configures the priority level of the router within a VRRP group. This value
determines which node is elected as the Master. Higher values imply higher
priority, value 254 has the highest precedence (default is 100).
sync-group Adds this VRRP group to a synchronized group. To trigger VRRP failover, it is
essential all individual groups within a synchronized group have failover. VRRP
failover is triggered if an advertisement is not received from the virtual masters
that are part of this VRRP sync group. This feature is disabled by default.
vrrp <1-255> Configures the virtual router ID from 1- 255. Identifies the virtual router the
packet is reporting status for.
interface vlan <1-4094> Enables VRRP on the specified switch VLAN interface (SVI)
• vlan <1-4094> – Specify the VLAN interface ID from 1 - 4094.
vrrp <1-255> Configures the virtual router ID from 1- 255. Identifies the virtual router the
packet is reporting status for.
monitor Enables link monitoring or Critical Resource Monitoring (CRM)
critical-resource <CRM-NAME1> Specifies the name of the critical resource to monitor. VRRP can be configured
to monitor maximum of four critical resources. Use the <CRM-NAME2>,
<CRM-NAME3>, and <CRM-NAME4> to provide names of the remaining three critical
resources.
By default VRRP is configured to monitor all critical resources on the device.
action [decrement-priority|increment-priority] Sets the action on critical resource down event. It is a recursive parameter that
sets the action for each of the four critical resources being monitored.
• decrement-priority – Decrements the priority of virtual router on critical
resource down event
• increment-priority – Increments the priority of virtual router on critical
resource down event
vlan <1-4094> Optional. Enables VLAN (switched virtual interface) interface monitoring
• <1-4094> – Specify the VLAN interface ID from 1- 4094.
vrrp <1-255> Configures the virtual router ID from 1- 255. Identifies the virtual router the
packet is reporting status for.
timers Configures the timer that runs every interval
advertise [<1-255>|centiseconds <25-4095>|msec <250-999>] Configures the VRRP advertisements time interval. This is the interval at which
a master sends out advertisements on each of its configured VLANs.
• <1-255> – Configures the timer interval from 1 - 255 seconds (applicable for
VRRP version 2 only).
• centiseconds <25-4095> – Configures the timer interval in centiseconds
(1/100th of a second). Specify a value between 25 - 4095 centiseconds
(applicable for VRRP version 3 only).
• msec <250-999> – Configures the timer interval in milliseconds (1/1000th
of a second). Specify a value between 250 - 999 msec (applicable for
VRRP version 2 only).
Default is 1 second.
Example
nx9500-6C8809(config-profile-default-rfs4000)#vrrp version 3
nx9500-6C8809(config-profile-default-rfs4000)#vrrp 1 sync-group
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
......................................................
vrrp 1 timers advertise 1
vrrp 1 preempt
vrrp 1 sync-group
vrrp 1 delta-priority 100
vrrp version 3
nx9500-6C8809(config-profile-default-rfs4000)#
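The interaction of priority, delta-priority and preempt described in the vrrp parameter table, as an added Python model (not WiNG code and not part of the original guide). It assumes a backup takes over only when the master stops advertising or when the backup has preempt enabled and a higher effective priority; the node names, class and function names are hypothetical, and flooring the decremented priority at 1 is an assumption.

```python
from dataclasses import dataclass


@dataclass
class VrrpNode:
    name: str
    priority: int = 100        # "priority <1-254>", default 100 per the guide
    delta_priority: int = 0    # "delta-priority <1-253>", 0 = not configured
    preempt: bool = False      # "preempt" is disabled by default per the guide
    link_up: bool = True       # state of the monitored interface
    alive: bool = True         # False = node no longer sends advertisements

    def check_ranges(self):
        """Return range violations against the documented value ranges."""
        problems = []
        if not 1 <= self.priority <= 254:
            problems.append(f"{self.name}: priority {self.priority} outside 1-254")
        if self.delta_priority and not 1 <= self.delta_priority <= 253:
            problems.append(f"{self.name}: delta-priority {self.delta_priority} outside 1-253")
        return problems

    def effective_priority(self):
        """Configured priority, decremented by delta-priority while the
        monitored interface is down (floor of 1 is an assumption)."""
        if self.link_up:
            return self.priority
        return max(1, self.priority - self.delta_priority)


def elect(nodes, current_master=None):
    """Return the name of the master after one evaluation round.

    Ties go to the first node in the list; real VRRP breaks ties on the
    IP address, which this model does not represent.
    """
    live = [n for n in nodes if n.alive]
    if not live:
        return None
    master = next((n for n in live if n.name == current_master), None)
    if master is None:
        # No master is advertising: highest effective priority wins.
        return max(live, key=VrrpNode.effective_priority).name
    # A running master is displaced only by a preempt-enabled backup
    # whose effective priority is strictly higher.
    challengers = [n for n in live
                   if n is not master and n.preempt
                   and n.effective_priority() > master.effective_priority()]
    if challengers:
        return max(challengers, key=VrrpNode.effective_priority).name
    return master.name


def failover_walkthrough():
    """Constructed two-node scenario; returns (event, master) pairs."""
    a = VrrpNode("ctrl-a", priority=200, delta_priority=100)
    b = VrrpNode("ctrl-b", priority=150, preempt=True)
    nodes, history = [a, b], []

    master = elect(nodes)
    history.append(("initial election", master))

    a.link_up = False                      # 200 - 100 = 100, below ctrl-b's 150
    master = elect(nodes, master)
    history.append(("ctrl-a monitored link down", master))

    a.link_up = True                       # back to 200, but ctrl-a cannot preempt
    master = elect(nodes, master)
    history.append(("ctrl-a link restored, preempt off on ctrl-a", master))

    a.preempt = True
    master = elect(nodes, master)
    history.append(("preempt enabled on ctrl-a", master))
    return history


if __name__ == "__main__":
    for event, master in failover_walkthrough():
        print(f"{event:45s} -> master {master}")
```

With preempt left at its default on the higher-priority node, a recovered link does not return the virtual IPs to it, which is the case to check when a delta-priority value is chosen.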
Related Commands
vrrp-state-check
Profile Config Commands on page 954
Publishes interface via OSPF or BGP based on Virtual Router Redundancy Protocol (VRRP) status.
VRRP allows automatic assignment of available IP routers to participating hosts. This increases the
availability and reliability of routing paths via automatic default gateway selections on an IP
subnetwork. This option is enabled by default.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
vrrp-state-check
Parameters
None
Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#vrrp-state-check
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
use profile default-nx9000
use rf-domain default
.......................................................................
no weight
no timers bgp
ip default-gateway priority 7500
bgp-route-limit num-routes 10 retry-count 5 retry-timeout 60 reset-time 360
vrrp-state-check
controller adopted-devices controllers
alias string $SN B4C7996C8809
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
Related Commands
no on page 1329 Disables the publishing of an interface via OSPF/BGP based on VRRP status
virtual-controller
Profile Config Commands on page 954
When configured without the ‘auto’ option, this command manually enables an AP as a VC. The ‘auto’
option allows dynamic enabling of APs as VCs. When DVC is enabled on an AP’s device or profile
context, the AP is dynamically enabled as the VC on being elected as the RF-Domain manager.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Note
The DVC feature is supported only on the AP7522, AP7532, AP7562, AP8432, and AP8533
model access points.
Syntax
virtual-controller {auto|management-interface}
virtual-controller auto
virtual-controller {management-interface [ip address <IP/M>|vlan
<1-4094>]}
Parameters
virtual-controller auto
virtual-controller {management-interface [ip address <IP/M>|vlan <1-4094>]} Note: Enables an AP as a virtual-controller. If enabling DVC, use this option to
configure management interface details.
• management-interface – Configures the management interface for the
DVC. Configuring the management interface ensures failover in case the RF
Domain manager is unreachable.
◦ ip address <IP/M> – Specify the management interface IP address. Due
to the random nature of DVC, specifying an explicit management
interface IP address makes it easier to manage VCs. In case of fail over,
this IP address is installed as the secondary IP address on the new VC.
◦ vlan <1-4094> – Optional. Specifies the VLAN from 1 - 4094 on which
the management interface IP address is configured.
Example
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#virtual-controller auto
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#virtual-controller management-interface ip address 110.110.110.120/24
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#virtual-controller management-interface vlan 100
The following example shows the management interface VLAN IP address being configured as the
secondary IP address.
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#show ip interface brief
-------------------------------------------------------------------------------
wep-shared-key-auth
Profile Config Commands on page 954
When enabled, devices using this profile use a WEP key to access the network. The controller or
service platform uses the key algorithm to convert an ASCII string to the same hexadecimal number.
Clients without the recommended adapters need to use WEP keys manually configured as hexadecimal
numbers. This option is disabled by default.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
wep-shared-key-auth
Parameters
None
Example
nx9500-6C8809(config-profile-default-rfs4000)#wep-shared-key-auth
nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
bridge vlan 1
bridging-mode isolated-tunnel
ip igmp snooping
ip igmp snooping querier
wep-shared-key-auth
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
interface me1
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface ge2
ip dhcp trust
--More--
nx9500-6C8809(config-profile-default-rfs4000)#
Related Commands
no on page 1329 Disables support for 802.11 WEP shared key authentication
ws-controller
Profile Config Commands on page 954
This parameter allows WiNG APs adopted to ExtremeCloud Appliance to rediscover a new controller in
case the first controller is unreachable. It applies to WiNG APs configured to adopt to a WebSocket
controller (ExtremeCloud Appliance). In other words, the AP's adoption-mode is set to 'ws-controller'.
As per the current implementation, WiNG AP adoption to the ExtremeCloud Appliance WebSocket
controller supports only one controller. If the adopting controller goes down, the AP does not attempt
to re-discover and adopt to another controller. If the AP reboots, it uses the management-server
configuration to discover and adopt to the first discovered controller. This prevents the AP from
adopting to a new controller. Use this parameter to configure multiple ws-controller hosts and enable
rediscovery of a new ws-controller.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ws-controller host <1-5> port <1-65535>
Parameters
ws-controller <1-5> port <1-65535>
Examples
nx9500-6C8809(config-profile-test8432)#ws-controller 1 host 1.2.3.4 port 100
nx9500-6C8809(config-profile-test8432)#show context include-factory | include ws-controller
Related Commands
service
Profile Config Commands on page 954
Service commands are used to view and manage configurations. The service commands and their
corresponding parameters vary from mode to mode.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
service [captive-portal-server|cluster|critical-resource|fast-switching|
enable| global-association-list|lldp|memory|meshpoint|pm|power-
config|radius|remote-config|rss-timeout|watchdog|wireless|show]
service pm sys-restart
service watchdog
Parameters
service captive-portal-server connections-per-ip <3-64>
Note: This command is applicable only to the NX9XXX and NX9600 service
platform profiles.
cluster master-election immediate Initiates and completes cluster master election as soon as just one cluster
member comes on and is active. This option is disabled by default.
critical-resource port-mode-source-ip <IP> Hard codes a source IP for critical resource management. The default is 0.0.0.0.
Use this option to define the IP address used as the source address in ARP
packets used to detect a critical resource on a layer 2 interface. By default, the
source address used in ARP packets to detect critical resources is 0.0.0.0.
However, some devices do not support the above IP address and drop the ARP
packets. Use this field to provide an IP address specifically used for this
purpose. The IP address used for port-mode-source-ip monitoring must be
different from the IP address configured on the device.
service global-association-list
blacklist-interval <1-65535> Configures the period for which a client is blacklisted. A client is considered
blacklisted after being denied access by the server.
• <1-65535> – Specify a value from 1 - 65535 seconds. The default is 60
seconds.
lldp loop-detection Enables network loop detection via LLDP. This option is disabled by default.
service memory kernel decrease Enables reduction in kernel memory usage. When enabled, firewall flows are
reduced by 75% resulting in reduced kernel memory usage. A reboot is
required for the option to take effect.
This option is disabled by default.
service pm sys-restart
pm sys-restart Enables the process monitor (PM) to restart the system when a process fails.
This option is enabled by default.
power-config 3af-out Enables LLDP power negotiation, but uses 3af power. This option is disabled by
default.
power-config force-3at Disables LLDP negotiation and forces 802.3at power configuration. This option
is disabled by default.
radius dynamic-authorization additional-port <1-65535> Configures an additional UDP port used by the device to listen for dynamic
authorization messages
• <1-65535> – Specify a value from 1 - 65535. The default is 3799.
The Cisco Identity Services Engine (ISE) server uses port 1700.
remote-config apply-delay <0-600> Delays configuration of a remote device (after it becomes active) by the
specified time period
• <0-600> – Specify a value from 0 - 600 seconds. The default is 0 seconds.
rss-timeout <0-86400> Configures the duration, in seconds, for which an adopted access point will
continue to provide wireless functions even after losing controller adoption.
• <0-86400> – Specify a value from 0 - 86400 seconds. The default is 300
seconds.
service watchdog
wireless anqp-frag-always Enables fragmentation of all ANQP packets. This option is disabled by default.
wireless cred-cache-sync Configures the credential cache’s synchronization parameters. The parameters
are: full, interval, never, and partial.
full Enables synchronization of all credential cache entries
interval <30-864000> Sets the interval, in seconds, at which the credential cache is synchronized
• <30-864000> – Specify a value from 30 - 864000 seconds. The default is
1200 seconds.
never Disables credential cache entry synchronization for all associated clients other
than roaming clients. This is the default setting.
partial Enables partial synchronization of parameters for associated clients, with
credential cache close to aging out
wireless inter-ap-key Configures the encryption key used for securing inter-AP messages. This option is
disabled by default.
[0<WORD>|2<WORD>|<WORD>] Specify a clear text or encrypted key.
wireless noise-immunity Polls for status and reconfigures radio in case of receive stall. This option is
enabled by default.
wispe-controller-port <1-65535> Resets the Wireless Switch Protocol Enhanced (WISPe) controller port. This is
the UDP port used to listen for WISPe.
• <1-65535> – Specify a value from 1 - 65535. The default is 24756.
Example
nx9500-6C8809(config-profile-testRFS4000)#service radius dynamic-authorization additional-port 1700
nx9500-6C8809(config-profile-testRFS4000)#show context
profile rfs4000 testRFS4000
service radius dynamic-authorization additional-port 1700
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
--More--
nx9500-6C8809(config-profile-testRFS4000)#
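The show context listings in this chapter (trustpoint, wep-shared-key-auth, the crypto isakmp-proposal lines and service radius dynamic-authorization) can be reviewed offline. The following Python check is an added example, not part of the original guide or of WiNG: it parses saved show context text and reports the security-relevant lines. The function names, the sample profile, the trustpoint name corp-web and the 2048-bit threshold are assumptions, and the trustpoint inventory is supplied by the caller.

```python
import re
from typing import NamedTuple

# IKE MODP Diffie-Hellman group sizes in bits (RFC 2409, RFC 3526).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
MIN_DH_BITS = 2048         # audit threshold chosen for this example
COA_DEFAULT_PORT = 3799    # default dynamic-authorization port per the guide
TRUSTPOINT_SERVICES = {"cmp-auth-operator", "https", "radius-ca", "radius-server"}

IKE_POLICY = re.compile(r"crypto (ikev[12]) policy (\S+)$")
PROPOSAL = re.compile(r"isakmp-proposal (\S+) encryption (\S+) group (\d+) hash (\S+)$")
COA_PORT = re.compile(r"service radius dynamic-authorization additional-port (\d+)$")
TRUSTPOINT = re.compile(r"trustpoint (\S+) (\S+)$")


class Finding(NamedTuple):
    line_no: int
    severity: str
    message: str


def audit_profile(context_text, known_trustpoints):
    """Scan 'show context' text; known_trustpoints is the set of trustpoint
    names verified to exist on the device (caller-supplied inventory)."""
    findings = []
    ike_policy = "unknown policy"
    for line_no, raw in enumerate(context_text.splitlines(), start=1):
        line = raw.strip()   # indentation is not relied on; it is often lost
        if not line or set(line) <= {".", "-"} or line == "--More--":
            continue         # blank lines, elision rows and pager residue
        m = IKE_POLICY.match(line)
        if m:
            ike_policy = f"{m.group(1)} policy {m.group(2)}"
            continue
        m = PROPOSAL.match(line)
        if m:
            bits = MODP_BITS.get(int(m.group(3)))
            if bits is not None and bits < MIN_DH_BITS:
                findings.append(Finding(line_no, "medium",
                    f"{ike_policy}: proposal {m.group(1)} uses DH group "
                    f"{m.group(3)} ({bits}-bit MODP)"))
            continue
        if line == "wep-shared-key-auth":
            findings.append(Finding(line_no, "high",
                "802.11 WEP shared key authentication is enabled "
                "(disabled by default)"))
            continue
        m = COA_PORT.match(line)
        if m:
            findings.append(Finding(line_no, "info",
                f"extra dynamic-authorization listener on UDP/{m.group(1)} "
                f"(default {COA_DEFAULT_PORT}); restrict it to the RADIUS servers"))
            continue
        m = TRUSTPOINT.match(line)
        if m and m.group(1) in TRUSTPOINT_SERVICES \
                and m.group(2) not in known_trustpoints:
            findings.append(Finding(line_no, "high",
                f"{m.group(1)} references trustpoint '{m.group(2)}' "
                "that is not in the device inventory"))
    return findings


# Constructed sample assembled from lines shown in this chapter's examples;
# the profile name and the trustpoint 'corp-web' are made up.
SAMPLE_CONTEXT = """\
profile rfs4000 audit-sample
 bridge vlan 1
 wep-shared-key-auth
 service radius dynamic-authorization additional-port 1700
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 ...........................................
 trustpoint cmp-auth-operator test
 trustpoint https corp-web
--More--
"""

if __name__ == "__main__":
    for f in audit_profile(SAMPLE_CONTEXT, known_trustpoints={"test"}):
        print(f"line {f.line_no:2d} [{f.severity}] {f.message}")
```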
Related Commands
zone
Profile Config Commands on page 954
Configures the zone for devices using this profile. The zone can also be configured on the device’s self
context.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
zone <NAME>
Parameters
zone <NAME>
Example
nx9500-6C8809(config-profile-testNX9000)#zone Ecospace
Related Commands
<DEVICE>(config-device-<MAC>)#
Command Description
adopter-auto-provisioning-policy-lookup on page 958 Enables the use of a centralized auto provisioning policy on this
device
adoption on page 959 Configures a minimum and maximum delay time in the initiation of
the device adoption process
adoption-site on page 1392 Sets the device’s adoption site name
alias on page 963 Configures network, VLAN, and service aliases on a device
application-policy on page 971 Associates a RADIUS server provided application policy with this
device. When associated, the application policy allows wireless
clients (MUs) to always find the RADIUS-supplied application policy
in the dataplane.
area on page 1393 Sets the name of area where the system is deployed
arp on page 973 Configures ARP parameters
auto-learn on page 974 Enables controllers or service platforms to maintain a local
configuration record of devices requesting adoption and
provisioning. The command also enables learning of a device’s host
name via DHCP options.
autogen-uniqueid on page 975 When executed in the device configuration mode, this command
generates a unique ID for the logged device
autoinstall on page 977 Autoinstalls firmware image and configuration setup parameters
bridge on page 979 Configures Ethernet Bridging parameters
captive-portal on page 1009 Configures captive portal advanced Web page upload on this
profile
cdp on page 1010 Operates CDP on the device
channel-list on page 1393 Configures channel list advertised to wireless clients
cluster on page 1011 Sets cluster configuration
configuration-persistence on page 1014 Enables configuration persistence across reloads
contact on page 1394 Sets contact information
controller on page 1014 Configures a WLAN’s wireless controller or service platform
country-code on page 1395 Configures wireless controller or service platform’s country code
critical-resource on page 1019 Monitors user configured IP addresses and logs their status
crypto on page 1030 Configures data encryption protocols and settings
database on page 1080 Backs up captive-portal and/or NSight database to a specified
location and file and configures a low-disk-space threshold value
device-upgrade on page 1082 Configures device firmware upgrade settings on this device
diag on page 1085 Enables looped packet logging
dot1x on page 1086 Configures 802.1x standard authentication controls
dpi on page 1088 Enables Deep Packet Inspection (DPI) on this device
dscp-mapping on page 1091 Configures IP Differentiated Services Code Point (DSCP) to 802.1p
priority mapping for untagged frames
eguest-server (VX9000 only) on page 1092 Enables the EGuest daemon when executed without the ‘host’
option
eguest-server (NOC Only) on page 1092 Points to the EGuest server, when executed along with the ‘host’
option
email-notification on page 1093 Configures e-mail notification settings
enforce-version on page 1095 Checks the device firmware version before attempting connection
environmental-sensor on page 1096 Configures the environmental sensor device settings. If the device is
an environmental sensor, use this command to configure its
settings.
events on page 1099 Enables system event message generation and forwarding
export on page 1099 Enables export of startup.log file after every boot
file-sync on page 1100 Configures parameters enabling syncing of trustpoint/wireless-
bridge certificate between the staging-controller and its adopted
access points
floor on page 1396 Sets the floor name where the system is located
geo-coordinates on page 1397 Configures the geographic coordinates for this device
gre on page 1103 Enables GRE tunneling on this device
hostname on page 1398 Sets a system's network name
http-analyze on page 1112 Enables HTTP analysis on this device
interface on page 1115 Selects an interface to configure
ip on page 1280 Configures IPv4 components
ipv6 on page 1288 Configures IPv6 components
l2tpv3 on page 1293 Defines the Layer 2 Tunnel Protocol (L2TP) protocol for tunneling
Layer 2 payloads using Virtual Private Networks (VPNs)
l3e-lite-table on page 1295 Configures L3e Lite Table with this profile
lacp on page 1399 Configures an LACP-enabled peer’s system-priority value. LACP
uses this system-priority value along with the peer’s MAC address
to form the peer’s system ID.
layout-coordinates on page 1400 Configures layout coordinates
led on page 1296 Turns LEDs on or off
led-timeout on page 1296 Configures the LED-timeout timer in the device or profile
configuration mode
legacy-auto-downgrade on page 1298 Enables legacy device firmware to auto downgrade
legacy-auto-update on page 1298 Auto updates AP7161 legacy device firmware
license on page 1400 Adds device feature licenses
lldp on page 1299 Configures Link Layer Discovery Protocol (LLDP) settings for this
device
load-balancing on page 1300 Configures load balancing parameters.
location on page 1403 Configures the system’s location (place of deployment)
logging on page 1306 Enables message logging
mac-address-table on page 1309 Configures the MAC address table
mac-auth on page 1311 Enables 802.1x authentication of hosts on this device
mac-name on page 1404 Configures MAC address to device name mappings
management-server on page 1313 Configures a management server with this profile
meshpoint-device on page 1314 Configures meshpoint device parameters
meshpoint-monitor-interval on page 1315 Configures meshpoint monitoring interval
min-misconfiguration-recovery-time on page 1316 Configures the minimum device connectivity verification time
mint on page 1317 Configures MiNT protocol settings
misconfiguration-recovery-time on page 1326 Verifies device connectivity after a configuration is received
neighbor-inactivity-timeout on page 1327 Configures neighbor inactivity timeout value
neighbor-info-interval on page 1328 Configures the neighbor information exchange interval
no on page 1405 Negates a command or resets values to their default settings
noc on page 1331 Configures NOC settings
nsight on page 1406 Configures NSight database statistics related parameters. Use this
command to set the interval at which data is updated by the RF
Domain managers to the NSight server. This command is applicable
only on the NX95XX series and NX9600 service platforms and is
configured on the NSight server.
ntp on page 1337 Configures NTP server settings
offline-duration on page 1343 Sets the duration, in minutes, for which a device remains unadopted
before it generates an offline event
override-wlan on page 1411 Configures WLAN RF Domain level overrides on the logged device
power-config on page 1344 Configures power mode features
preferred-controller-group on page 1346 Specifies the wireless controller or service
platform group the system prefers for adoption
preferred-tunnel-controller on page 1346 Configures the tunnel wireless controller or
service platform preferred by the system for tunneling extended VLAN traffic
radius on page 1347 Configures device-level RADIUS authentication parameters
remove-override on page 1413 Removes device overrides
rf-domain-manager on page 1348 Enables the RF Domain manager
router on page 1349 Configures dynamic router protocol settings.
rsa-key on page 1415 Assigns an RSA key to SSH
sensor-server on page 1416 Configures an AirDefense sensor server
spanning-tree on page 1351 Enables spanning tree commands on the logged device
traffic-class-mapping on page 1354 Maps the IPv6 traffic class value of incoming IPv6
untagged packets to 802.1p priority
traffic-shape on page 1355 Enables traffic shaping and configures traffic shaping parameters
on this device
trustpoint (device-config-mode) on page 1418 Assigns trustpoints to validate various
services, such as HTTPS, RADIUS CA, RADIUS server, external LDAP server, etc.
timezone on page 1417 Configures wireless controller or service platform’s time zone
settings
tunnel-controller on page 1363 Configures the tunneled WLAN (extended VLAN) wireless
controller or service platform’s name
use (profile/device-config-mode-commands) on page 1363 Associates different policies and
settings with this device
vrrp on page 1370 Configures VRRP group settings
vrrp-state-check on page 1374 Publishes interface via OSPF or BGP based on Virtual Router
Redundancy Protocol (VRRP) status
wep-shared-key-auth on page 1377 Enables support for 802.11 WEP shared key authentication
raid on page 1420 Enables alarm on the array. This command is supported only on the
NX9500 series service platform.
ws-controller on page 1378 Configures multiple ws-controller hosts and enables rediscovery of
new controllers. This option is required for WiNG APs with
'adoption-mode' set to 'ws-controller', that is, WiNG APs adopting
to the ExtremeCloud Appliance controller.
adoption-site
Device Config Commands on page 1386
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
adoption-site <SITE-NAME>
Parameters
adoption-site <SITE-NAME>
Example
rfs4000-229D58(config-device-00-23-68-22-9D-58)#adoption-site SanJoseMainOffice
Related Commands
area
Device Config Commands on page 1386
Sets the physical area where the device (controller, service platform, or access point) is deployed. This
can be a building, region, campus or other area that describes the deployment location of the device.
Assigning an area name is helpful when grouping devices in RF Domains and profiles, as devices in the
same physical deployment location may need to share specific configuration parameters in respect to
radio transmission and interference requirements specific to that location.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
area <AREA-NAME>
Parameters
area <AREA-NAME>
area <AREA-NAME> Sets the physical area where the device is deployed
<AREA-NAME> – Specify the area name (should not exceed 64 characters
in length).
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#area RMZEcoSpace
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
use rf-domain default
hostname ap8163-4AA708
area RMZEcospace
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#
Related Commands
channel-list
Device Config Commands on page 1386
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
channel-list [2.4GHz|5GHz|dynamic]
channel-list [2.4GHz <CHANNEL-LIST>|5GHz <CHANNEL-LIST>|dynamic]
Parameters
channel-list [2.4GHz <CHANNEL-LIST>|5GHz <CHANNEL-LIST>|dynamic]
5GHz <CHANNEL-LIST> Configures the channel list advertised by radios operating in 5.0
GHz
• <CHANNEL-LIST> – Specify a list of channels separated by
commas or hyphens.
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#channel-list 2.4GHz 1,2
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
use rf-domain default
hostname ap8163-4AA708
area RMZEcospace
channel-list 2.4GHz 1,2
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#
Related Commands
contact
Device Config Commands on page 1386
Defines an administrative contact for a deployed device (controller, service platform, or access point)
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
contact <WORD>
Parameters
contact <WORD>
contact <WORD> Specify the administrative contact name (should not exceed 64
characters in length)
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#contact Bob+1-631-738-5200
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
use rf-domain default
hostname ap8163-4AA708
area RMZEcospace
contact Bob+1-631-738-5200
channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#
Related Commands
country-code
Device Config Commands on page 1386
Defines the two digit country code for legal device deployment
Configuring the correct country is central to legal operation. Each country has its own regulatory
restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be
transmitted.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
country-code <WORD>
Parameters
country-code <COUNTRY-CODE>
country-code <COUNTRY-CODE> Defines the two digit country code for legal device deployment
• <COUNTRY-CODE> – Specify the two letter ISO-3166 country code.
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#country-code us
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
use rf-domain default
hostname ap8163-4AA708
area RMZEcospace
contact Bob+1-631-738-5200
country-code us
channel-list 2.4GHz 1,2
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#
Related Commands
floor
Device Config Commands on page 1386
Sets the building floor name representative of the location within the area or building the device
(controller, service platform, or access point) is physically deployed. Assigning a building floor name is
helpful when grouping devices in RF Domains and profiles, as devices on the same physical building
floor may need to share specific configuration parameters in respect to radio transmission and
interference requirements specific to that location.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
floor <FLOOR-NAME> <1-4094>
Parameters
floor <FLOOR-NAME> <1-4094>
floor <FLOOR-NAME> <1-4094> Sets the building floor name where the device is deployed
• <1-4094> – Sets a numerical floor designation in respect to the
floor’s actual location within a building. Specify a value from 1 -
4094. The default setting is the 1st floor.
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#floor 5thfloor
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
use rf-domain default
hostname ap8163-4AA708
area RMZEcospace
floor 5thfloor
contact Bob+1-631-738-5200
country-code us
channel-list 2.4GHz 1,2
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#
Related Commands
geo-coordinates
Device Config Commands on page 1386
Configures the geographic coordinates for this device. Specifies the exact location of this device in
terms of latitude and longitude coordinates.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
geo-coordinates <-90.0000-90.0000> <-180.0000-180.0000>
Parameters
geo-coordinates <-90.0000-90.0000> <-180.0000-180.0000>
Example
rfs4000-229D58(config-device-00-23-68-22-9D-58)#geo-coordinates -90.0000 166.0000
rfs4000-229D58(config-device-00-23-68-22-9D-58)#show context
rfs4000 00-23-68-22-9D-58
Related Commands
hostname
Device Config Commands on page 1386
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
hostname <WORD>
Parameters
hostname <WORD>
hostname <WORD> Sets the name of the managing wireless controller, service platform,
or access point. This name is displayed when accessed from any
network.
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#hostname TechPubAP8163
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
use rf-domain default
hostname TechPubAP8163
area RMZEcospace
floor 5thfloor
contact Bob+1-631-738-5200
country-code us
channel-list 2.4GHz 1,2
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#
Related Commands
lacp
Device Config Commands on page 1386
Configures an LACP-enabled peer’s system priority value. LACP uses this system priority value along
with the peer’s MAC address to form the system ID. In a LAG, the peer with the lower system ID initiates
LACP negotiations with another peer. In scenarios where both peers have the same system-priority
value assigned, the peer with the lower MAC gets precedence.
Note
For more information on enabling link aggregation, see lacp on page 1130 and
lacp-channel-group on page 1131.
Syntax
lacp system-priority <1-65535>
Parameters
lacp system-priority <1-65535>
Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#lacp system-priority 1
Related Commands
layout-coordinates
Device Config Commands on page 1386
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
layout-coordinates <-4096.0-4096.0> <-4096.0-4096.0>
Parameters
layout-coordinates <-4096.0-4096.0> <-4096.0-4096.0>
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#layout-coordinates 1.0 2.0
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
use rf-domain default
hostname TechPubAP8163
area RMZEcospace
floor 5thfloor
layout-coordinates 1.0 2.0
contact Bob+1-631-738-5200
country-code us
channel-list 2.4GHz 1,2
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#
Related Commands
license
Device Config Commands on page 1386
Adds a license pack on the device for the specified feature (AP/AAP/ADSEC/HTANLT/WEBF/NSIGHT/
NSIGHT-PER/TRON)
The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a
single NOC (Network Operations Center) controller. The NOC controller constitutes the first tier and the
site controllers constitute the second tier of the hierarchy. The site controllers may or may not be grouped
to form clusters. The site controllers in turn adopt and manage access points that form the third tier of
the hierarchy.
The NOC controllers and/or site controllers can both have license packs installed. Adoption of APs by
the NOC and site controllers depends on the number of licenses available on each of these controllers.
When an AP is adopted by a site controller, the site controller pushes a license on to the AP. The
various possible scenarios are:
• AP licenses installed only on NOC controller:
The NOC controller provides the site controllers with AP licenses, ensuring that per platform limits
are not exceeded.
• AP licenses installed on site controller:
The site controller uses its installed licenses, and then asks the NOC controller for additional licenses
in case of a shortage.
In a hierarchical and centrally managed network, the NOC controller can pull unused AP licenses
from site controllers and relocate to other site controllers when required.
• AP licenses installed on any member of a site cluster:
The site controller shares installed and borrowed (from the NOC) licenses with other controllers
within a site cluster.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
license <WORD> <LICENSE-KEY>
Parameters
license <WORD> <LICENSE-KEY>
Note:
TRON-tracking is supported only on the AP8533 model access
point. The license can be applied only on the NX5500, NX7500,
NX9500, NX9600 and VX9000 platforms.
Examples
NOC-NX9500(config-device-B4-C7-99-6C-88-09)#license AAP 66069c24b3bb1259b34ff016
c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
NOC-NX9500(config-device-B4-C7-99-6C-88-09)#license AP
66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7164a1b1e51df2cc87902c9ae7281d319
NOC-NX9500(config-device-B4-C7-99-6C-88-09)#license NSIGHT
66069c24b3bb12596b3d07672fdf5ccc99dd408f0ff891e719a98e92028e10e7a7461de1b5e70f32
NOC-NX9500(config-device-B4-C7-99-6C-88-09)#license HOTSPOT-ANALYTICS
66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
NOC-NX9500(config-device-B4-C7-99-6C-88-09)#show licenses
Serial Number : B4C7996C8809
Device Licenses:
AP-LICENSE
String :
66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7164a1b1e51df2cc87902c9ae7281d319
Value : 256
Borrowed : 0
Total : 256
Used : 0
AAP-LICENSE
String :
66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
Value : 10250
Borrowed : 0
Total : 10249
Used : 2
HOTSPOT-ANALYTICS
String :
66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
NSIGHT
String :
66069c24b3bb12596b3d07672fdf5ccc99dd408f0ff891e719a98e92028e10e7a7461de1b5e70f32
Value : 50
NOC-NX9500(config-device-B4-C7-99-6C-88-09)#
location
Device Config Commands on page 1386
Sets the location where a managed device (controller, service platform, or access point) is deployed.
This is the location of the device with respect to the RF Domain it belongs to.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
location <WORD>
Parameters
location <WORD>
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#location SanJose
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
use rf-domain default
hostname TechPubAP8163
area RMZEcospace
floor 5thfloor
layout-coordinates 1.0 2.0
location SanJose
contact Bob+1-631-738-5200
country-code us
channel-list 2.4GHz 1,2
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#
Related Commands
mac-name
Device Config Commands on page 1386
Configures a client name to MAC address mapping. Use this command to assign a user-friendly name to
the device (controller, service platform, or access point) and map it to the device’s MAC address.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mac-name <MAC> <NAME>
Parameters
mac-name <MAC> <NAME>
mac-name <MAC> <NAME> Maps a user-friendly name to the device’s MAC address
• <MAC> – Specify the device’s MAC address.
◦ <NAME> – Specify the 'friendly' name used for the specified
MAC address. This is the name used in events and statistics
logs.
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#mac-name 00-04-96-4A-A7-08 5.8TestAP
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
use rf-domain default
hostname TechPubAP8163
area RMZEcospace
floor 5thfloor
layout-coordinates 1.0 2.0
location SanJose
contact Bob+1-631-738-5200
country-code us
channel-list 2.4GHz 1,2
mac-name 00-04-96-4A-A7-08 5.8TestAP
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#
Related Commands
no on page 1405 Removes the device’s friendly name to MAC address mapping
no
Device Config Commands on page 1386
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [adopter-auto-provisioning-policy-lookup|adoption-site|alias|
application-policy|area|arp|auto-learn-staging-config|autoinstall|
bridge|captive-portal|cdp|channel-list|cluster|
configuration-persistence|contact|controller|country-code|
critical-resource|crypto|database-backup|device-upgrade|dot1x|dpi|
dscp-mapping|email-notification|environmental-sensor|events|export|
file-sync|floor|geo-coordinates|gre|hostname|http-analyze|interface|
ip|ipv6|l2tpv3|l3-lite-table|lacp|layout-coordinates|led|led-timeout|
legacy-auto-downgrade|legacy-auto-update|license|lldp|load-balancing|
location|logging|mac-address-table|mac-auth|mac-name|
management-server|memory-profile|meshpoint-device|
meshpoint-monitor-interval|min-misconfiguration-recovery-time|mint|
mirror|misconfiguration-recovery-time|mpact-server|noc|nsight|ntp|
offline-duration|override-wlan|power-config|
preferred-controller-group|preferred-tunnel-controller|radius|raid|
rf-domain-manager|router|rsa-key|sensor-server|slot|spanning-tree|
timezone|traffic-class-mapping|traffic-shape|trustpoint|
tunnel-controller|use|vrrp|vrrp-state-check|wep-shared-key-auth|
service]
Parameters
no <PARAMETERS>
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same
parameters associated with the command getting negated.
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#no area
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#no contact
nsight
Device Config Commands on page 1386
Configures NSight database related parameters. Use this command to configure the data-update
periodicity, number of applications posted to the NSight server for a wireless client, and the duration for
which data is stored in the NSight database’s buckets. These parameters impact the amount of data
stored in the NSight DB and interval at which data is aggregated and expired within the NSight DB. For
more information on data aggregation and expiration, see Usage Guidelines (Data Aggregation and
Expiration) on page 1409.
Syntax
nsight database [statistics|summary]
Parameters
nsight database statistics [avc-update-interval|update-interval|
wireless-clients-update-interval] [120|30|300|60|600]
nsight database summary Configures the NSight database’s per-bucket data storage duration
duration <1-24> <1-168> <1-2160> <24-26280> Configures the duration for which data is
stored on a per-bucket basis
• <1-24> – Specify the bucket 1 duration from 1 - 24 hours (i.e. 1
hour to 1 day). The default is 8 hours.
◦ <1-168> – Specify the bucket 2 duration from 1 - 168 hours
(i.e. 1 hour to 7 days). The default is 24 hours.
▪ <1-2160> – Specify the bucket 3 duration from 1 - 2160
hours (i.e. 1 hour to 90 days). The default is 7 days (168
hours).
Data Aggregation:
The NSight functionality, a data analytics tool, analyzes data that is generated periodically by the nodes
within the managed wireless LAN. For large WLAN networks generating significantly large amounts of
data, storing data forever is neither feasible nor beneficial. Therefore, older statistics are summarized
into aggregated (averaged) records. All records for a fixed time period in the past are summarized into one
record by taking an average of them. Although this causes a loss in the data’s granularity, average
numbers for any given time period are still available.
Statistical data periodically posted by RF Domain managers to the NSight server are stored in buckets
(database collections) within the NSight database. There are four buckets in total. These are:
• First bucket (termed as the RAW bucket) - B1
• Second bucket - B2
• Third bucket - B3
• Fourth bucket - B4
On completion of the data storage duration, records from a bucket are aggregated (at a fixed rate) and
inserted into the next bucket. The rate at which records are aggregated into the next bucket becomes
the next bucket’s granularity. For example, the B1 records (that have exceeded the data storage duration
configured for B1) are aggregated (at the rate specified) and inserted into B2. Similarly, data from B2 are
aggregated into B3, and from B3 to B4. The fixed rate of aggregation (or granularity) and default
storage duration for each bucket is as follows:
• B1: storage duration 8 hours
• B2: granularity 10 minutes / storage duration 24 hours
• B3: granularity 1 hour / storage duration 7 days
• B4: granularity 1 day / storage duration 1 year
Let us consider (with default update-interval settings) the growth of any one of the statistical buckets.
• Since B1’s default data storage duration is 8 hours, B1 will hold a maximum of 960 records per RF
Domain after 8 hours (updated at the rate of 30 seconds).
• Since B2’s granularity is 10 minutes, every 10 minutes 20 records from the B1 will be aggregated into
a single record and inserted into B2.
• Since B2’s default storage duration is 24 hours, it will contain a maximum of 144 records per RF
Domain after 24 hours.
• Since B3’s granularity is 1 hour, every hour 6 records from B2 will be aggregated into a single record
and inserted into B3.
• Since B3’s default storage duration is 7 days, it will contain a maximum of 168 records per RF
Domain after 7 days.
• Since B4’s granularity is 1 day, every day 24 records from B3 will be aggregated into a single record
and inserted into B4.
• Since B4’s default storage duration is 365 days, it will contain a maximum of 365 records per RF
Domain after 1 year.
Data Expiration:
The expiration of older records (also referred to as purging or deleting of records) occurs along with
data aggregation for each bucket.
Let us consider (with default data storage-duration settings) the expiration of data for any one of the
statistical buckets.
• As stated earlier, at the end of 8 hours B1 will have 960 records per RF Domain. After a period of 8
hours and 10 minutes, all 960 records are aggregated into 144 records and inserted into B2. To
enable B1 to hold exactly 8 hours worth of data, 20 of the oldest records (corresponding to the first
10 minutes) are purged from B1 at the end of 8 hours and 10 minutes. This expiration cycle is
triggered every 10 minutes.
• At the end of 24 hours B2 will have 144 records per RF Domain. After a period of 24 hours and 10
minutes, one of the oldest records (corresponding to the first 10 minutes) is purged from B2. This
expiration cycle is triggered every 10 minutes to enable B2 to maintain exactly 24 hours worth of
data.
• At the end of 7 days B3 will have 168 records per RF Domain. After a period of 7 days and one hour,
one of the oldest records (corresponding to the first hour) is purged from B3. This expiration cycle is
triggered every 1 hour to enable B3 to maintain exactly 7 days worth of data.
• At the end of 365 days B4 will have 365 records per RF Domain. After 365 days, the oldest records
(corresponding to the first day) are purged from B4. This expiration cycle is triggered every 1 day to
enable B4 to maintain exactly 365 days worth of data.
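The bucket arithmetic above, generalized to the other update intervals and bucket durations the command accepts, and followed by the averaging step applied to a constructed series to show how much of a single-sample spike survives in each bucket. This Python is an added example, not part of the WiNG guide or of NSight itself; the function names, the one-day series and the baseline and spike values are assumptions made for illustration.

```python
# Values permitted by the nsight commands on this page.
UPDATE_INTERVALS_S = (30, 60, 120, 300, 600)
DURATION_RANGES_H = ((1, 24), (1, 168), (1, 2160), (24, 26280))
DEFAULT_DURATIONS_H = (8, 24, 168, 8760)   # 8 h, 24 h, 7 days, 1 year
# Fixed granularity of B2, B3 and B4 in seconds; B1 stores raw updates.
GRANULARITY_S = (None, 600, 3600, 86400)


def bucket_plan(update_interval_s=30, durations_h=DEFAULT_DURATIONS_H, rf_domains=1):
    """Per-bucket record spacing, roll-up fan-in and maximum record count."""
    if update_interval_s not in UPDATE_INTERVALS_S:
        raise ValueError(f"update interval must be one of {UPDATE_INTERVALS_S}")
    if len(durations_h) != 4:
        raise ValueError("four bucket durations are required")
    plan, prev_step = [], None
    for i, (hours, (lo, hi)) in enumerate(zip(durations_h, DURATION_RANGES_H)):
        if not lo <= hours <= hi:
            raise ValueError(f"B{i + 1} duration must be {lo}-{hi} hours")
        step = GRANULARITY_S[i] or update_interval_s
        plan.append({
            "bucket": f"B{i + 1}",
            "record_every_s": step,
            # Records of the previous bucket averaged into one record here.
            "fan_in": step // prev_step if prev_step else None,
            "max_records": hours * 3600 // step * rf_domains,
        })
        prev_step = step
    return plan


def rollup(values, fan_in):
    """Average each run of fan_in consecutive records into a single record."""
    return [sum(values[i:i + fan_in]) / fan_in
            for i in range(0, len(values) - fan_in + 1, fan_in)]


def spike_peaks(plan, baseline=10.0, spike=1000.0):
    """Highest value left in each bucket for one day of raw data holding one spike.

    The series is constructed: every raw record equals baseline except a single
    record in the middle of the day, which equals spike.
    """
    series = [baseline] * (86400 // plan[0]["record_every_s"])
    series[len(series) // 2] = spike
    peaks = {}
    for bucket in plan:
        if bucket["fan_in"]:
            series = rollup(series, bucket["fan_in"])
        peaks[bucket["bucket"]] = max(series)
    return peaks


if __name__ == "__main__":
    default_plan = bucket_plan()
    for row in default_plan:
        print(row)
    print(spike_peaks(default_plan))
```

With the default settings, a one-sample reading of 100 times the baseline is still visible at full height in B1 but is averaged down to under six times the baseline in B2 and is close to the baseline by B4, which is the loss of granularity the text describes.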
Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#nsight database statistics avc-update-interval 120
Related Commands
override-wlan
Device Config Commands on page 1386
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
override-wlan <WLAN> [shutdown|ssid|vlan-pool|wep128|wpa-wpa2-psk]
Parameters
override-wlan <WLAN> [shutdown|ssid <SSID>|vlan-pool <1-4094> {limit <0-8192>}|
wpa-wpa2-psk <WORD>]
vlan-pool <1-4094> {limit <0-8192>} Configures a pool of VLANs for the selected WLAN
• <1-4094> – Specifies a VLAN pool ID from 1 - 4094.
◦ limit – Optional. Limits the number of users on this VLAN
pool
▪ <0-8192> – Specify the user limit from 0 - 8192.
wpa-wpa2-psk <WORD> Configures the WLAN WPA-WPA2 key or passphrase for the
selected WLAN
• <WORD> – Specify a WPA-WPA2 key or passphrase.
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#override-wlan test vlan-pool 8
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
use rf-domain default
hostname TechPubAP8163
floor 5thfloor
layout-coordinates 1.0 2.0
license AP aplicenseley@1234 aplicensekey@123
location SanJose
no contact
country-code us
channel-list 2.4GHz 1,2
override-wlan test vlan-pool 8
mac-name 00-04-96-4A-A7-08 5.8TestAP
neighbor-info-interval 50
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#
Related Commands
remove-override
Device Config Commands on page 1386
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
remove-override <PARAMETERS>
Parameters
remove-override <PARAMETERS>
Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#remove-override ?
adopter-auto-provisioning-policy-lookup Use centralized auto-provisioning
policy when adopted by another
controller
adoption Adoption configuration
adoption-mode Configure the adoption mode for the
access-points in this RF-Domain
alias Alias
all Remove all overrides for the device
application-policy Application Policy configuration
area Reset name of area where the system
is located
arp Address Resolution Protocol (ARP)
auto-learn Auto learning
autogen-uniqueid Autogenerate a unique id
autoinstall Autoinstall settings
bridge Bridge group commands
captive-portal Captive portal
cdp Cisco Discovery Protocol
channel-list Configure a channel list to be
advertised to wireless clients
cluster Cluster configuration
configuration-persistence Automatic write of startup
configuration file
contact The contact
controller WLAN controller configuration
country-code The country of operation
critical-resource Critical Resource
crypto Encryption related commands
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
rsa-key
Device Config Commands on page 1386
SSH keys are a pair of cryptographic keys used to authenticate users instead of, or in addition to, a
username/password. One key is private and the other is public. Secure Shell (SSH) public key
authentication can be used by a requesting client to access resources, if properly configured. The RSA
key pair must be generated on the client. The public portion of the key pair resides with the controller,
service platform, or access point locally, while the private portion remains on a secure area of the client.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
rsa-key ssh <RSA-KEY-NAME>
Parameters
rsa-key ssh <RSA-KEY-NAME>
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#rsa-key ssh rsa-key1
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
use rf-domain default
hostname TechPubAP8163
floor 5thfloor
Related Commands
sensor-server
Device Config Commands on page 1386
Configures an AirDefense sensor server resource for client terminations and WIPS event logging. This is
the server that supports WIPS events on behalf of the controller or service platform.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}
Parameters
sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}
sensor-server <1-3> Sets a numerical index to differentiate this AirDefense sensor server
from other servers. A maximum of 3 (three) sensor server resources
can be defined.
ip <IP/HOSTNAME> Configures the AirDefense sensor server’s IP address or hostname
• <IP/HOSTNAME> – Specify the IP address.
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#sensor-server 1 ip 172.16.10.7
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
Related Commands
timezone
Device Config Commands on page 1386
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
timezone <TIMEZONE>
Parameters
timezone <TIMEZONE>
Example
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#timezone Etc/UTC
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
use profile default-ap81xx
use rf-domain default
hostname TechPubAP8163
floor 5thfloor
layout-coordinates 1.0 2.0
license AP aplicenseley@1234 aplicensekey@123
rsa-key ssh rsa-key1
location SanJose
no contact
timezone Etc/UTC
stats open-window 2 sample-interval 77 size 10
country-code us
sensor-server 1 ip 172.16.10.7
channel-list 2.4GHz 1,2
override-wlan test vlan-pool 8
mac-name 00-04-96-4A-A7-08 5.8TestAP
neighbor-info-interval 50
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#
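A device context like the one above can be checked mechanically against the argument ranges this chapter documents before it is accepted into a configuration baseline. This Python is an added example, not part of the WiNG guide or any Extreme Networks tooling; the function names, the constructed sample dump with placeholder keys, the treatment of the floor number as optional (inferred from the page's own example) and the decision to flag license and WLAN key lines as sensitive are assumptions of the example.

```python
import re


def _num(tok, lo, hi, cast=int):
    """True when tok parses with cast and lies within [lo, hi]."""
    try:
        return lo <= cast(tok) <= hi
    except ValueError:
        return False


def _text(limit):
    def check(a):
        return None if a and len(" ".join(a)) <= limit else f"expected 1-{limit} characters"
    return check


def _pair(lim1, lim2):
    def check(a):
        ok = len(a) == 2 and _num(a[0], -lim1, lim1, float) and _num(a[1], -lim2, lim2, float)
        return None if ok else f"expected <-{lim1}..{lim1}> <-{lim2}..{lim2}>"
    return check


def _country(a):
    return None if len(a) == 1 and re.fullmatch(r"[A-Za-z]{2}", a[0]) else "expected a two-letter code"


def _floor(a):
    if not a or len(a) > 2:
        return "expected <FLOOR-NAME> [<1-4094>]"
    return None if len(a) == 1 or _num(a[1], 1, 4094) else "floor number outside 1-4094"


def _lacp(a):
    ok = len(a) == 2 and a[0] == "system-priority" and _num(a[1], 1, 65535)
    return None if ok else "expected system-priority <1-65535>"


def _sensor(a):
    # sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}
    if len(a) not in (3, 5) or a[1] != "ip" or not _num(a[0], 1, 3):
        return "expected <1-3> ip <IP/HOSTNAME> {port <1-65535>}"
    if len(a) == 5 and (a[3] != "port" or not _num(a[4], 1, 65535)):
        return "port outside 1-65535"
    return None


def _override_wlan(a):
    # Only the vlan-pool form has numeric ranges; other keywords pass through.
    if len(a) >= 2 and a[1] == "vlan-pool":
        if len(a) not in (3, 5) or not _num(a[2], 1, 4094):
            return "vlan-pool ID outside 1-4094"
        if len(a) == 5 and (a[3] != "limit" or not _num(a[4], 0, 8192)):
            return "limit outside 0-8192"
    return None


RULES = {
    "area": _text(64), "contact": _text(64), "country-code": _country,
    "floor": _floor, "geo-coordinates": _pair(90.0, 180.0),
    "layout-coordinates": _pair(4096.0, 4096.0), "lacp": _lacp,
    "sensor-server": _sensor, "override-wlan": _override_wlan,
}
PROMPT = re.compile(r"^\S+\(config[^)]*\)#")
# Lines whose arguments are keys or passphrases (example policy, an assumption).
SECRET_ARGS = re.compile(r"^(license\s|override-wlan\s+\S+\s+(wpa-wpa2-psk|wep128)\s)")


def audit_context(text):
    """Return (line_no, kind, message) for each finding in a show-context dump."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue
        cmd, *args = line.split()
        rule = RULES.get(cmd)
        err = rule(args) if rule else None
        if err:
            findings.append((n, "invalid", f"{cmd}: {err}"))
        if SECRET_ARGS.match(line + " "):
            findings.append((n, "sensitive", f"{cmd}: carries a key, redact before sharing"))
    return findings


# Constructed sample: modelled on the output above, with out-of-range values
# and placeholder keys inserted on purpose.
SAMPLE = """\
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#show context
ap81xx 00-04-96-4A-A7-08
 use profile default-ap81xx
 use rf-domain default
 hostname TechPubAP8163
 area RMZEcospace
 floor 5thfloor 5000
 layout-coordinates 1.0 2.0
 geo-coordinates 95.0000 166.0000
 license AP <LICENSE-KEY-PLACEHOLDER>
 country-code usa
 sensor-server 4 ip 172.16.10.7
 override-wlan test vlan-pool 8
 override-wlan guest wpa-wpa2-psk <PSK-PLACEHOLDER>
nx9500-6C8809(config-device-00-04-96-4A-A7-08)#
"""

if __name__ == "__main__":
    for finding in audit_context(SAMPLE):
        print(finding)
```

The check only sees device-level lines; settings inherited from the profile or RF Domain do not appear in this output and are not evaluated.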
Related Commands
trustpoint (device-config-mode)
Device Config Commands on page 1386
Assigns trustpoints to validate various services, such as HTTPS, RADIUS CA, RADIUS server, external
LDAP server, etc.
For more information on digital certificates and certificate authorities, see
trustpoint (profile-config-mode) on page 1361.
Note
Certificates/trustpoints used in this command should be verifiable as existing on the device.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
trustpoint [cloud-client|cmp-auth-operator|https|radius-ca|
radius-ca-ldaps|radius-server|radius-server-ldaps] <TRUSTPOINT-NAME>
Parameters
trustpoint [cloud-client|cmp-auth-operator|https|radius-ca|
radius-ca-ldaps|radius-server|radius-server-ldaps] <TRUSTPOINT-NAME>
Example
raid
Device Config Commands on page 1386
Enables chassis alarm that sounds when events are detected that degrade RAID support (drive content
mirroring) on a service platform
The NX9500 series service platforms include a single Intel MegaRAID controller (virtual drive) with
RAID-1 mirroring support enabled. The online virtual drive supports up to two physical drives that could
require hot spare substitution if a drive were to fail. The WiNG software allows you to manage the RAID
controller event alarm and syslogs supporting the array hardware from the service platform user
interface without rebooting the service platform BIOS.
Although RAID controller drive arrays are available only on the NX9500 series service platforms, they
can be administrated on behalf of a NX9500 profile by a different model service platform or wireless
controller.
Syntax
raid alarm enable
Parameters
raid alarm enable
alarm enable    Enables an audible alarm, which is triggered when a RAID drive fails. When
triggered, the alarm can be disabled by executing the raid > silence
command in the device’s Priv Exec mode.
Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#raid alarm enable
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
use profile default-nx9000
use rf-domain default
hostname nx9500-6C8809
ip default-gateway 192.168.13.2
interface ge1
switchport mode access
switchport access vlan 1
interface vlan1
ip address 192.168.13.13/24
logging on
logging console warnings
logging buffered warnings
raid alarm enable
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
Related Commands
A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the
WiNG operating system used by RFS wireless controllers and NX service platforms. However, a T5 controller,
once enabled as a supported external device, can provide data to WiNG to assist in a T5’s management
within a WiNG supported subnet populated by both types of devices. The Customer Premises
Equipment (CPEs) are the T5 controller managed radio devices using the IPX operating system. These
CPEs use a DSL as their high speed Internet access mechanism using the CPE’s physical wallplate
connection and phone jack.
<DEVICE>(config-profile-<PROFILE-NAME>)#
Command                      Description
cpe on page 1422             Configures T5 CPE related settings (IP address range and VLAN)
interface on page 1424       Configures the T5 controller’s interfaces
ip on page 1426              Configures the default gateway’s IP address
no on page 1427              Removes or reverts this T5 controller profile settings
ntp on page 1428             Configures the NTP server associated with this T5 profile
override-wlan on page 1429   Configures the RF Domain level overrides applied on a WLAN on this T5 profile
t5 on page 1430              Configures the logged T5 controller’s country of operation
t5-logging on page 1430      Configures a maximum of 5 (five) remote hosts capable of receiving syslog messages from this selected T5 controller
use on page 1431             Defines this T5 profile’s management settings
cpe
T5 Profile Config Commands on page 1421
Configures T5 CPE related settings. This command is available both in the T5 profile and T5 device
contexts
cpe [boot|reload|upgrade]
Parameters
cpe address vlan <1-4094> <START-IP> <END-IP>
cpe address            Configures the range of addresses that can be assigned to adopted CPEs
vlan <1-4094>          Configures the VLAN assigned to the CPEs managed by this T5 controller
<START-IP> <END-IP>    Configures the range of IP addresses that can be assigned to the CPEs managed by this T5 controller
• <START-IP> – Specify the first IP address in the range.
◦ <END-IP> – Specify the last IP address in the range.
• cpe boot Changes the image used by a CPE to boot. When reloading, the CPE uses the
system specified image.
the total number of adopted CPEs. For example, if CPEs 1, 2, 3, 4, & 5 are
adopted and ready, then enter this value as cpe1-5.
◦ upgrade <IMAGE-LOCATION> – Uses the image specified here to
upgrade identified CPEs.
▪ <IMAGE-LOCATION> – Specify the firmware image location using one
of the following options:
path/file
tftp://<IP>/path/file
ftp://<user>:<passwd>@<IP>/path/file
Example
nx9500-6C8809(config-profile-T5TestProfile)#cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#show context
profile t5 T5TestProfile
no autoinstall configuration
no autoinstall firmware
interface vlan1
interface vlan4090
interface fe 5 2
..........................................................................
interface radio 11 1
interface fe 9 2
interface radio 18 1
interface fe 9 1
use firewall-policy default
service pm sys-restart
cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#
interface
T5 Profile Config Commands on page 1421
Syntax
interface [<WORD>|dsl|fe|ge|radio|vlan]
Parameters
interface [<WORD>|dsl <1-24>|fe <1-24> <1-2>|ge <1-2>|radio <1-24> <1-2>|vlan <1-4094>]
fe <1-24> <1-2>    Configures the specified FastEthernet interface. The T5 controller has the following FastEthernet port designations: fe1-fe2 (fe1-fe2 are for up to 24 CPE devices managed by a T5 controller).
• <1-24> – Specify the DSL port index from 1 - 24.
◦ <1-2> – Specify the FastEthernet interface to configure.
In the FastEthernet interface configuration mode, specify the interface settings.
ge <1-2>    Configures the specified GigabitEthernet interface. T5 controllers have two Ethernet port designations: ge1 and ge2. The GE ports can be RJ-45 or fiber ports supporting 10/100/1000Mbps.
• <1-2> – Specify the interface index from 1 - 2.
In the GigabitEthernet interface configuration mode, specify the interface settings.
radio <1-24> <1-2>    Configures the specified radio interface. T5 controller managed CPE device radios can have their radio configurations overridden once their radios have successfully associated and have been provisioned by the adopting controller, service platform, or peer model AP controller access point.
• <1-24> – Specify the radio interface index from 1 - 24.
◦ <1-2> – Allows the second radio to be specified as a radio interface. For example, this is “interface radio X Y” where ‘X’ is the DSL line number and ‘Y’ is the radio interface (number).
vlan <1-4094>    Configures the specified VLAN interface. Once configured, the VLAN interface provides layer 3 (IP) T5 controller access or provides layer 3 service on a VLAN. The VLAN interface defines which IP address is associated with each VLAN ID a T5 controller is connected to. A VLAN interface is created for the default VLAN (VLAN 1) to enable remote administration. This interface is also used to map VLANs to IPv4 and IPv6 formatted IP address ranges. This mapping determines the destination for routing.
• <1-4094> – Specify the VLAN interface index from 1 - 4094.
In the VLAN configuration mode, specify the interface’s primary IP address in the A.B.C.D/M format. Optionally specify the secondary IP address.
Example
rfs7000-37FABE(config-profile-t5Profile)#interface dsl 1
rfs7000-37FABE(config-profile-t5Profile-if-dsl1)#?
Interface configuration commands:
description Port description
Related Commands
ip
T5 Profile Config Commands on page 1421
Syntax
ip default-gateway <IP>
Parameters
ip default-gateway <IP>
Example
nx9500-6C8809(config-profile-t5Profile)#ip default-gateway 192.168.13.7
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
ip default-gateway 192.168.13.7
no autoinstall configuration
no autoinstall firmware
interface vlan1
interface vlan4090
interface fe 5 2
interface ge 2
interface ge 1
interface fe 5 1
--More--
nx9500-6C8809(config-profile-t5Profile)#
no
T5 Profile Config Commands on page 1421
Syntax
no [cpe|interface|ntp|override-wlan|t5-logging|use]
no use management-policy
Parameters
no <PARAMETERS>
Example
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
ip default-gateway 192.168.13.7
no autoinstall configuration
no autoinstall firmware
interface vlan1
interface vlan4090
....................................................
use firewall-policy default
ntp server 192.168.13.2
service pm sys-restart
nx9500-6C8809(config-profile-t5Profile)#
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
ip default-gateway 192.168.13.7
no autoinstall configuration
no autoinstall firmware
interface vlan1
interface vlan4090
....................................................
use firewall-policy default
service pm sys-restart
nx9500-6C8809(config-profile-t5Profile)#
ntp
T5 Profile Config Commands on page 1421
Configures the NTP server associated with this T5 profile. T5 controllers, using this profile, will obtain
their system time from the specified NTP server resources.
Syntax
ntp server <IP>
Parameters
ntp server <IP>
ntp server <IP>    Specify the NTP server’s IP address. You can specify a maximum of 3 (three) NTP server resources.
Example
nx9500-6C8809(config-profile-t5Profile)#ntp server 192.168.13.2
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
ip default-gateway 192.168.13.7
no autoinstall configuration
no autoinstall firmware
interface dsl 5
.....................................................
use firewall-policy default
ntp server 192.168.13.2
service pm sys-restart
nx9500-6C8809(config-profile-t5Profile)#
Related Commands
override-wlan
T5 Profile Config Commands on page 1421
Use this option to configure RF Domain level overrides for a WLAN. The overrides configured here are
applied to all T5 devices using this T5 profile.
Syntax
override-wlan <WLAN-NAME> vlan <1-4094>
Parameters
override-wlan <WLAN-NAME> vlan <1-4094>
override-wlan <WLAN-NAME>    Note: Overrides the specified WLAN’s VLAN configuration
Example
The following example overrides the SJOffWLan WLAN’s VLAN configuration on the T5 profile:
nx9500-6C8809(config-profile-testT5)#override-wlan SJOffWLan vlan 30
Related Commands
no on page 1427    Removes the RF Domain level overrides applied on a WLAN on this T5 profile
t5
T5 Profile Config Commands on page 1421
Syntax
t5 country-code <WORD>
Parameters
t5 country-code <WORD>
country-code <WORD>    Configures the 2 letter ISO-3166 country code for this T5 controller
Example
nx9500-6C8809(config-profile-T5TestProfile)#t5 country-code us
nx9500-6C8809(config-profile-T5TestProfile)#show context
profile t5 T5TestProfile
no autoinstall configuration
no autoinstall firmware
interface vlan1
interface vlan4090
interface fe 5 2
..........................................................................
interface fe 9 1
use firewall-policy default
service pm sys-restart
t5 country-code US
cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#
t5-logging
T5 Profile Config Commands on page 1421
Configures a maximum of 5 (five) remote hosts capable of receiving syslog messages from this selected
T5 controller
Syntax
t5-logging host <IP> severity [error|info|notice|trace|warning] facility [local0|local1|local2|local3|local4|local5|local6|local7]
Parameters
t5-logging host <IP> severity [error|info|notice|trace|warning] facility [local0|local1|local2|local3|local4|local5|local6|local7]
severity [error|info|notice|trace|warning]    Configures the syslog message filtering severity level. The options are:
• error – Only forwards error and above syslog event messages.
• info – Only forwards informational and above syslog event messages.
• notice – Only forwards syslog notices relating to general device operational events. These are events that are of more interest than the “info” events.
• trace – Only forwards trace routing event messages
• warning – Only forwards warnings and above syslog event messages
facility [local0|local1|local2|local3|local4|local5|local6|local7]    Configures the facility level for log messages sent to the syslog server. The facility level specifies the type of program logging the message. Specifying the facility level allows the configuration file to specify that message handling will vary with varying facility type. The options are: local0, local1, local2, local3, local4, local5, local6, local7. The default value is local7.
Example
nx9500-6C8809(config-profile-T5TestProfile)#t5-logging host 192.168.13.10 severity warning facility local6
nx9500-6C8809(config-profile-T5TestProfile)#show context
profile t5 T5TestProfile
t5-logging host 192.168.13.10 severity warning facility local6
no autoinstall configuration
.............................................................................
no autoinstall firmware
t5 country-code US
cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#
Related Commands
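The limits stated in the cpe, ntp and t5-logging descriptions above can be checked offline against a saved T5 profile context. The following is an added example, not code from this guide or from Extreme Networks; the function names and the sample context are assumptions, and treating a profile without any t5-logging host as a finding is a policy choice of this example.

```python
import ipaddress
import re

# Limits and keywords as stated in the ntp, t5-logging and cpe descriptions above.
MAX_SYSLOG_HOSTS = 5
MAX_NTP_SERVERS = 3
SEVERITIES = ("error", "info", "notice", "trace", "warning")
FACILITIES = tuple(f"local{i}" for i in range(8))

# Constructed sample: a T5 profile context assembled from lines shown in the
# examples above (it is not a capture from a device).
SAMPLE_CONTEXT = """\
profile t5 T5TestProfile
 t5-logging host 192.168.13.10 severity warning facility local6
 ntp server 192.168.13.2
 t5 country-code US
 cpe address vlan 200 192.168.13.26 192.168.13.30
"""


def _ipv4(text, label, findings):
    """Return an IPv4Address, or record a finding and return None."""
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        findings.append(f"{label}: '{text}' is not a valid IPv4 address")
        return None


def lint_t5_profile(context):
    """Check the body of a T5 profile 'show context' against the documented limits."""
    findings, syslog_hosts, ntp_servers = [], [], []
    for raw in context.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"t5-logging host (\S+) severity (\S+) facility (\S+)", line)
        if m:
            host, severity, facility = m.groups()
            _ipv4(host, "t5-logging host", findings)
            if severity not in SEVERITIES:
                findings.append(f"t5-logging severity '{severity}' is not a documented level")
            if facility not in FACILITIES:
                findings.append(f"t5-logging facility '{facility}' is not local0-local7")
            syslog_hosts.append(host)
            continue
        m = re.fullmatch(r"ntp server (\S+)", line)
        if m:
            _ipv4(m.group(1), "ntp server", findings)
            ntp_servers.append(m.group(1))
            continue
        m = re.fullmatch(r"cpe address vlan (\d+) (\S+) (\S+)", line)
        if m:
            vlan = int(m.group(1))
            start = _ipv4(m.group(2), "cpe address start", findings)
            end = _ipv4(m.group(3), "cpe address end", findings)
            if not 1 <= vlan <= 4094:
                findings.append(f"cpe address vlan {vlan} is outside 1-4094")
            if start and end and start > end:
                findings.append(f"cpe address range start {start} is above range end {end}")
    if len(syslog_hosts) > MAX_SYSLOG_HOSTS:
        findings.append(f"{len(syslog_hosts)} t5-logging hosts configured, maximum is {MAX_SYSLOG_HOSTS}")
    if len(ntp_servers) > MAX_NTP_SERVERS:
        findings.append(f"{len(ntp_servers)} NTP servers configured, maximum is {MAX_NTP_SERVERS}")
    if not syslog_hosts:
        # Policy choice of this example: a profile with no remote syslog host is reported.
        findings.append("no t5-logging host configured, syslog messages stay on the controller")
    return findings


if __name__ == "__main__":
    for finding in lint_t5_profile(SAMPLE_CONTEXT) or ["no findings"]:
        print(finding)
```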
use
T5 Profile Config Commands on page 1421
Associates a management policy with this T5 profile. The specified policy is applied to all T5 controllers
using this profile.
Syntax
use management-policy <POLICY-NAME>
Parameters
use management-policy <POLICY-NAME>
use management-policy <POLICY-NAME>    Associates a management policy with this T5 profile (should be existing and configured)
• <POLICY-NAME> – Specify the management policy’s name.
Example
nx9500-6C8809(config-profile-t5Profile)#use management-policy default
Trustpoints HTTPS Server and RSA keys for SSH can be configured with 'trustpoint' and
'rsa-key' commands in device context
nx9500-6C8809(config-profile-t5Profile)#
Related Commands
no on page 1427 Removes the management policy used with this T5 profile
Creates a new EX3524 and EX3548 profile and enters its configuration mode.
<DEVICE>(config-profile-<EX35XX-PROFILE-NAME>)#
The following table summarizes EX3524 and EX3548 profile/device configuration mode commands:
Command                  Description
interface on page 1433   Selects an interface type and enters the selected interface’s configuration mode
ip on page 1448          Configures the default gateway through which this EX35XX switch can reach other subnets
power on page 1449       Enables power inline compatibility mode on this EX35XX profile
upgrade on page 1450     Configures adopted EX35XX switch upgrade settings
use on page 1451         Applies an EX3500 management policy to this EX35XX profile
no on page 1452          Removes or reverts this EX35XX profile’s settings
interface
EX3524 & EX3548 Profile/Device Config Commands on page 1432
This command selects an interface type and enters the selected interface’s configuration mode. The
EX35XX switch has GE and VLAN interfaces. Select the interface type and provide the interface ID to
enter its configuration mode.
Command                                       Description
interface on page 1433                        Selects an interface type and enters the selected interface’s configuration mode
interface-ge-config commands on page 1435     Summarizes GE interface configuration mode commands
interface-vlan-config commands on page 1446   Summarizes VLAN interface configuration mode commands
interface
Selects the EX35XX interface type and enters the selected interface’s configuration mode
Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
interface [ge 1 <1-48>|vlan <1-4094>]
Parameters
interface [ge 1 <1-48>|vlan <1-4094>]
interface      Selects the EX35XX interface type and enters its configuration mode. The interface options available are: GE and VLAN
ge 1 <1-48>    Selects a GE interface to configure
• 1 – Configures the GE interface unit identifier as 1
◦ <1-48> – Configures the physical port number from 1 - 24/48
Note: For the EX3524 model switch the GE port range is 1-24, and for the EX3548 it is 1-48.
Example
nx4500-5CFA8E(config-profile-testEX35XX)#interface vlan 1
nx4500-5CFA8E(config-profile-testEX35XX-if-vlan1)#?
commands:
ip Internet Protocol (IP)
no Negate a command or set its defaults
nx4500-5CFA8E(config-profile-testEX35XX-if-vlan1)#
nx4500-5CFA8E(config-profile-testEX35XX)#interface ge 1 1
nx4500-5CFA8E(config-profile-testEX35XX-if-ge1-1)#?
commands:
access-group Access group to bind a port to an ACL name
no Negate a command or set its defaults
port Configures the characteristics of the port
power EX3500 Power over Ethernet Command
shutdown Shutdown the selected interface
speed-duplex Configures speed and duplex operation
switchport Configures switch mode characteristics
use Set setting to use
nx4500-5CFA8E(config-profile-testEX35XX-if-ge1-1)#
Related Commands
no on page 1452                               Removes this interface (GE/VLAN) settings from the EX35XX profile or device
interface-ge-config commands on page 1435     Summarizes GE interface configuration mode commands
interface-vlan-config commands on page 1446   Summarizes VLAN interface configuration mode commands
interface-ge-config commands
The following table lists the EX35XX GE interface configuration mode commands:
Command                     Description
access-group on page 1435   Binds an EX3500 ACL to the selected port
port on page 1436           Enables port monitoring on the selected port
power on page 1439          Turns power on or off for the selected port
shutdown on page 1440       Shuts down the selected port
speed-duplex on page 1441   Configures the speed and duplex mode of the selected port when auto-negotiation is disabled. Auto-negotiation is enabled by default.
switch-port on page 1442    Configures the switch mode characteristics of the selected port
use on page 1444            Applies an EX3500 QoS policy map with the selected port
no on page 1445             Removes or reverts the selected port’s settings
access-group
When applied to the port, the ACL takes effect. Only one ACL can be bound to a port at a time. In case
you bind a new ACL to a port with an existing ACL binding, the old binding is replaced with the new
one.
Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
access-group [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> in {time-range <TIME-RANGE-NAME>}
Parameters
access-group [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> in {time-range <TIME-RANGE-NAME>}
access-group    Binds an EX3500 ACL with this GE port. Select ACL type and specify the ACL name. The ACL should be existing and configured.
ex3500-ext-access-list <ACL-NAME>    Binds an existing and configured EX3500 extended ACL
• <ACL-NAME> – Specify the ACL name.
ex3500-std-access-list <ACL-NAME>    Binds an existing and configured EX3500 standard ACL
• <ACL-NAME> – Specify the ACL name.
mac-access-list <ACL-NAME>    Binds an existing and configured EX3500 MAC ACL
• <ACL-NAME> – Specify the MAC ACL name.
in    Applies the specified ACL to all incoming packets
time-range <TIME-RANGE-NAME>    Optional. Associates an EX3500 absolute or periodic time range with this access group. The specified ACL is bound to the port during the time period specified by the associated time range.
• <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured).
Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
interface ge 1 20
access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
Related Commands
port
Enables port monitoring on the selected port. This allows the port to monitor specified ports and/or
MAC address(es). When enabled, the switch sends a copy of the network packets seen on the specified
switch port (or VLAN interface) to the monitoring switch port. These packets are analyzed and
debugged to provide vital information, such as network performance, intrusion alerts, etc.
Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
port monitor [ethernet|ex3500-ext-access-list|ex3500-std-access-list|
mac-access-list|mac-address|vlan]
Parameters
port monitor ethernet 1 <1-52> {both|rx|tx}
[ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME>    After specifying the port, apply one of the following ACLs:
• ex3500-ext-access-list – Applies an EX3500 extended ACL
• ex3500-std-access-list – Applies an EX3500 standard ACL
• mac-access-list – Applies a MAC ACL with EX3500 deny or permit rules
◦ <ACL-NAME> – Specify the ACL name (should be existing and configured).
Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
interface ge 1 20
access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
Related Commands
no on page 1445 Disables port monitoring on the selected port and removes the settings
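Three properties described in the access-group and port sections matter when reviewing a port configuration: a new ACL binding replaces the old one, an ACL with a time range is bound only during that period, and a monitoring port receives copies of other traffic. The following is an added example, not code from this guide or from Extreme Networks; the function names, the ports ge 1 21 and ge 1 22, the ACL names STD_ACL_A and MAC_ACL_B, and the rule that an enabled port without an ACL is reported are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

ACL_RE = re.compile(
    r"access-group (ex3500-ext-access-list|ex3500-std-access-list|mac-access-list) "
    r"(\S+) in(?: time-range (\S+))?$"
)

# Constructed sample. Port 20 reuses the settings from the examples above;
# ports 21 and 22 are invented for contrast.
SAMPLE = """\
interface ge 1 20
 shutdown
 speed-duplex 100half
 switchport mode access
 access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
 port monitor vlan 20
interface ge 1 21
 access-group ex3500-std-access-list STD_ACL_A in
 access-group mac-access-list MAC_ACL_B in
interface ge 1 22
 switchport mode access
"""


@dataclass
class Port:
    shutdown: bool = False
    acl: Optional[tuple] = None                    # (type, name, time range or None)
    replaced: list = field(default_factory=list)   # names of ACLs displaced by a later binding
    monitors: list = field(default_factory=list)   # sources given to 'port monitor'


def parse_ports(text):
    """Apply GE interface configuration lines in order and return {port: Port}."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface ge (\d+) (\d+)", line)
        if m:
            current = ports.setdefault(f"ge {m.group(1)} {m.group(2)}", Port())
            continue
        if line.startswith("interface "):
            current = None                          # VLAN or other interface: not audited here
            continue
        if current is None or not line:
            continue
        if line == "shutdown":
            current.shutdown = True
        elif line == "no shutdown":
            current.shutdown = False
        elif line.startswith("port monitor "):
            current.monitors.append(line[len("port monitor "):])
        else:
            m = ACL_RE.match(line)
            if m:
                # Only one ACL can be bound to a port: a new binding replaces the old one.
                if current.acl and current.acl[:2] != m.groups()[:2]:
                    current.replaced.append(current.acl[1])
                current.acl = m.groups()
    return ports


def audit(ports):
    """Return (port, message) findings for a reviewer to look at."""
    findings = []
    for name, port in ports.items():
        if port.acl is None and not port.shutdown:
            # Policy choice of this example, not a rule from the guide.
            findings.append((name, "enabled port has no ACL bound"))
        if port.acl and port.acl[2]:
            findings.append((name, f"ACL {port.acl[1]} is bound only during time range {port.acl[2]}"))
        for old in port.replaced:
            findings.append((name, f"ACL {old} was replaced by {port.acl[1]}"))
        for source in port.monitors:
            findings.append((name, f"receives a copy of traffic seen on {source}"))
    return findings


if __name__ == "__main__":
    for port_name, message in audit(parse_ports(SAMPLE)):
        print(f"{port_name}: {message}")
```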
power
Enables power allocation to the selected port. When enabled, the power is allocated to this port. Use
the command to configure the power allocation settings, such as maximum power allocated, priority
level of this port in connection with power allocation, and the time range within which these power
settings are applied.
Syntax
power inline {maximum|priority|time-range}
Parameters
power inline {maximum allocation milliwatts <3000-34200>}
power inline    Turns power on or off for the selected port. This option is enabled by default.
maximum allocation milliwatts <3000-34200>    Optional. Configures the maximum power allocation, in milliwatts, for this port
• <3000-34200> – Specify a value from 3000 - 34200 milliwatts. The default is 34200 milliwatts.
power inline    Turns power on or off for the selected port. This option is enabled by default.
priority [critical|high|low]    Optional. Configures the PoE power priority as:
• critical – Configures the PoE power priority as critical
• high – Configures the PoE power priority as high
• low – Configures the PoE power priority as low (this is the default setting)
power inline    Turns power on or off for the selected port. This option is enabled by default.
time-range <TIME-RANGE-NAME>    Optional. Binds an EX3500 time range to this port
• <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured).
Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#power inline maximum allocation milliwatts 30000
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
interface ge 1 20
power inline maximum allocation milliwatts 30000
power inline priority critical
power inline time-range EX3500_TimeRange_01
access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
Related Commands
shutdown
Syntax
shutdown
Parameters
None
Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#shutdown
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
interface ge 1 20
shutdown
power inline maximum allocation milliwatts 30000
power inline priority critical
power inline time-range EX3500_TimeRange_01
access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
Related Commands
speed-duplex
Configures the speed and duplex mode of the selected port when auto-negotiation is disabled. Auto-
negotiation is enabled by default.
Syntax
speed-duplex [100full|100half|10full|10half]
Parameters
speed-duplex [100full|100half|10full|10half]
speed-duplex [100full|100half|10full|10half]    Configures the speed and duplex mode of the selected port to one of the following modes:
• 100full – Forces 100 Mbps full-duplex operation
• 100half – Forces 100 Mbps half-duplex operation
• 10full – Forces 10 Mbps full-duplex operation
• 10half – Forces 10 Mbps half-duplex operation
When configured, forces the switch to operate at the specified speed and mode.
Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#speed-duplex 100half
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
interface ge 1 20
shutdown
speed-duplex 100half
power inline maximum allocation milliwatts 30000
power inline priority critical
power inline time-range EX3500_TimeRange_01
access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
Related Commands
no on page 1445 Removes the speed and duplex settings configured for this EX35XX profile
switch-port
Syntax
switchport [allowed|l2protocol-tunnel|mode|native]
switchport native
Parameters
switchport allowed [add <VLAN-ID>|none|remove <VLAN-ID>]
switchport l2protocol-tunnel [cdp|lldp|pvst+|spanning-tree|vtp]    Enables layer 2 protocol tunneling (L2PT) for the specified protocol. Specify the protocol:
• cdp – Cisco Discovery Protocol
• lldp – Link Layer Discovery Protocol
• pvst+ – Cisco Per VLAN Spanning Tree Plus
• spanning-tree – Spanning Tree (STP, RSTP, MSTP)
• vtp – Cisco VLAN Trunking Protocol
L2PT is disabled for all of the above specified protocols by default.
Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#switchport mode access
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
interface ge 1 20
shutdown
speed-duplex 100half
switchport mode access
power inline maximum allocation milliwatts 30000
power inline priority critical
power inline time-range EX3500_TimeRange_01
access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
Related Commands
use
Syntax
use ex3500-policy-map <EX3500-QoS-POLICY-MAP-NAME> in
Parameters
use ex3500-policy-map <EX3500-QoS-POLICY-MAP-NAME> in
use ex3500-policy-map <EX3500-QoS-POLICY-MAP-NAME>    Applies an EX3500 QoS policy map with the selected port
• <EX3500-QoS-POLICY-MAP-NAME> – Specify the EX3500 QoS policy map name (should be existing and configured)
◦ in – Applies the specified policy to traffic ingressing at the selected port.
Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#use ex3500-policy-map in test
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
interface ge 1 20
shutdown
speed-duplex 100half
switchport mode access
use ex3500-policy-map in test
power inline maximum allocation milliwatts 30000
power inline priority critical
power inline time-range EX3500_TimeRange_01
access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
Related Commands
no on page 1445 Disassociates the EX3500 QoS policy map linked to this EX3500 profile
no
Syntax
no [access-group|port|power|shutdown|speed-duplex|switchport|use]
no access-group [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> in
no shutdown
no speed-duplex
no use ex3500-policy-map in
Parameters
no <PARAMETERS>
no <PARAMETERS>    Removes or reverts the selected port’s settings based on the parameters passed
Example
The following example shows the EX3524 profile’s GE port 20’s settings before the ‘no’ commands are
executed:
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
interface ge 1 20
shutdown
speed-duplex 100half
switchport mode access
use ex3500-policy-map in test
power inline maximum allocation milliwatts 30000
power inline priority critical
power inline time-range EX3500_TimeRange_01
access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#no shutdown
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#no power inline maximum allocation
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#no use ex3500-policy-map in
The following example shows the EX3524 profile’s GE port 20’s settings after the ‘no’ commands are
executed:
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
interface ge 1 20
speed-duplex 100half
switchport mode access
power inline maximum allocation milliwatts 32400
power inline priority critical
power inline time-range EX3500_TimeRange_01
access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
interface-vlan-config commands
The following table lists the VLAN interface configuration mode commands:
Command Description
ip on page 1446 Configures IP related settings for this VLAN interface
no on page 1447 Removes the IP related settings configured for this VLAN interface
ip
Syntax
ip address [<IP/M>|bootp|dhcp]
ip address [bootp|dhcp]
Parameters
ip address <IP/M> {default-gateway <IP>|secondary <IP>}
ip address <IP/M> {default-gateway <IP>|secondary <IP>}    Manually configures the selected VLAN interface’s primary and secondary IPv4 addresses. It also optionally configures the default gateway.
• <IP/M> – Manually configures this VLAN interface’s IP address in the A.B.C.D/M format. M is the network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets. The network mask can be either in the traditional format xxx.xxx.xxx.xxx or use classless format with the range /5 to /32. For example, the subnet 255.255.224.0 would be /19.
◦ default-gateway <IP> – Optional. Configures the default gateway’s IP address. This is the gateway through which this switch can reach other subnets not found in the local routing table. Before specifying the default gateway, ensure that the network interface directly connecting to the gateway is configured on the route. By default no gateway is specified.
▪ <IP> – Specify the IP address in the A.B.C.D format.
◦ secondary <IP> – Optional. Configures this VLAN interface’s secondary IP address
▪ <IP> – Specify the secondary IP address in the A.B.C.D format
ip address [bootp|dhcp]
ip address [bootp|dhcp]    Enables a DHCP or Bootp server to provide the primary IPv4 address for the selected VLAN interface
• bootp – Enables the VLAN interface to get its IP address from a Bootp server
• dhcp – Enables the VLAN interface to get its IP address from a DHCP server
If selecting DHCP/Bootp, ensure that a server on the network has been configured to provide the necessary configuration to the switch. Using DHCP or Bootp results in frequent connectivity loss between the browser interface and the switch. Further, DHCP and Bootp cannot configure secondary IP addresses needed for multinetting.
Example
nx9500-6C8809(config-profile-testEX3524-if-vlan20)#ip address 192.168.13.28/24 default-gateway 192.168.13.13
nx9500-6C8809(config-profile-testEX3524-if-vlan20)#show context
interface vlan 20
ip address 192.168.13.28/24 default-gateway 192.168.13.13
nx9500-6C8809(config-profile-testEX3524-if-vlan20)#
Related Commands
no on page 1447 Removes the IP address configured for this VLAN interface
no
Syntax
no ip address [<IP/M>|bootp|dhcp]
Parameters
no <PARAMETERS>
Example
The following example shows the interface VLAN 20 setting before the ‘no’ command is executed:
nx9500-6C8809(config-profile-testEX3524-if-vlan20)#show context
interface vlan 20
ip address 192.168.13.28/24 default-gateway 192.168.13.13
nx9500-6C8809(config-profile-testEX3524-if-vlan20)#
The following example shows the interface VLAN 20 setting after the ‘no’ command is executed:
nx9500-6C8809(config-profile-testEX3524-if-vlan20)#show context
interface vlan 20
nx9500-6C8809(config-profile-testEX3524-if-vlan20)#
ip
EX3524 & EX3548 Profile/Device Config Commands on page 1432
Configures the default gateway through which this EX35XX switch can reach other subnets
Syntax
ip default-gateway <IP>
Parameters
ip default-gateway <IP>
Example
nx9500-6C8809(config-profile-testEX3524)#ip default-gateway 192.168.13.13
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
ip default-gateway 192.168.13.13
no autoinstall configuration
no autoinstall firmware
interface ge 1 17
interface ge 1 16
interface ge 1 15
interface ge 1 14
interface ge 1 13
interface ge 1 12
interface ge 1 11
--More--
interface ge 1 21
use firewall-policy default
service pm sys-restart
nx9500-6C8809(config-profile-testEX3524)#
power
EX3524 & EX3548 Profile/Device Config Commands on page 1432
Enables power inline compatibility mode on this EX35XX profile. This option is disabled by default.
Syntax
power inline compatible
Parameters
power inline compatible
Example
nx9500-6C8809(config-profile-testEX3524)#power inline compatible
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
ip default-gateway 192.168.13.13
power inline compatible
no autoinstall configuration
no autoinstall firmware
interface ge 1 17
interface ge 1 16
interface ge 1 15
interface ge 1 14
interface ge 1 13
interface ge 1 12
--More--
nx9500-6C8809(config-profile-testEX3524)#
upgrade
EX3524 & EX3548 Profile/Device Config Commands on page 1432
For an EX35XX switch to be adopted and managed by a WiNG controller, you need to upload two
images on the switch: an operation code (opcode) image and an adopted image. The opcode image
functions as an operating system that enables the WiNG controller to communicate with the EX35XX
switch. This command allows you to configure the EX35XX’s opcode image upgrade settings.
Syntax
upgrade opcode [auto|path <LINE>|reload]
Parameters
upgrade opcode [auto|path <LINE>|reload]
Example
<EX35XX-DEVICE>#show versions
Unit 1
Serial Number : 14136520900352
Hardware Version : R01
EPLD Version : 0.00
Number of Ports : 28
Main Power Status : Up
Role : Master
Loader Version : 5.0.0.1-01A
Linux Kernel Version : 2.6.22.18
Boot ROM Version : 0.0.0.1
Operation Code Version : 5.0.0.0-03D
Adoptd Version : 5.8.3.0-024D
<EX35XX-DEVICE>#
nx9500-6C8809(config-profile-testEX3524)#upgrade opcode auto
nx9500-6C8809(config-profile-testEX3524)#upgrade opcode reload
nx9500-6C8809(config-profile-testEX3524)#upgrade opcode path ftp://anonymous:[email protected]/ex35xx/EX3524.img
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
ip default-gateway 192.168.13.13
power inline compatible
.............................................
use firewall-policy default
service pm sys-restart
upgrade opcode auto
upgrade opcode path ftp://anonymous:[email protected]/ex35xx/EX3524.img
upgrade opcode reload
nx9500-6C8809(config-profile-testEX3524)#
use
EX3524 & EX3548 Profile/Device Config Commands on page 1432
Syntax
use ex3500-management-policy <POLICY-NAME>
Parameters
use ex3500-management-policy <POLICY-NAME>
Example
nx9500-6C8809(config-profile-testEX3524)#use ex3500-management-policy test
Trustpoints HTTPS Server and RSA keys for SSH can be configured with 'trustpoint' and
'rsa-key' commands in device context
nx9500-6C8809(config-profile-testEX3524)#
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
ip default-gateway 192.168.13.13
power inline compatible
no autoinstall configuration
no autoinstall firmware
interface ge 1 17
interface ge 1 16
interface ge 1 15
--More--
use ex3500-management-policy test
use firewall-policy default
service pm sys-restart
upgrade opcode auto
upgrade opcode path ftp://anonymous:[email protected]/ex35xx/EX3524.img
upgrade opcode reload
nx9500-6C8809(config-profile-testEX3524)#
no
EX3524 & EX3548 Profile/Device Config Commands on page 1432
Syntax
no [interface vlan <1-4094>|default-gateway {<IP>}|power inline
compatible| upgrade opcode [auto|path|reload]|use ex3500-management-
policy]
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes or reverts this EX3500 profile's settings based on the parameters passed
Example
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
ip default-gateway 192.168.13.13
power inline compatible
no autoinstall configuration
no autoinstall firmware
interface ge 1 17
interface ge 1 16
interface ge 1 15
interface ge 1 14
interface ge 1 13
interface ge 1 12
interface ge 1 11
interface ge 1 10
interface ge 1 24
interface ge 1 22
interface vlan 20
interface ge 1 23
--More--
use ex3500-management-policy test
use firewall-policy default
service pm sys-restart
upgrade opcode auto
upgrade opcode path ftp://anonymous:[email protected]/ex35xx/EX3524.img
upgrade opcode reload
nx9500-6C8809(config-profile-testEX3524)#
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
ip default-gateway 192.168.13.13
AAA-POLICY
This chapter summarizes the Authentication, Authorization, and Accounting (AAA) policy commands in
the CLI command structure.
An AAA policy enables administrators to define access control settings governing network permissions.
External RADIUS and LDAP servers (AAA servers) also provide user database information and user
authentication data. Each WLAN maintains its own unique AAA configuration.
Authentication — Provides a means for identifying users, including login and password dialog, challenge
and response, messaging support, and (depending on the security protocol) encryption. Authentication
is the technique by which a user is identified before being allowed access to the network. Configure AAA
authentication by defining a list of authentication methods, and then applying the list to various
interfaces. The list defines the authentication schemes performed and their sequence. The list must be
applied to an interface before the defined authentication technique is conducted.
Accounting — Collects and sends security server information for billing, auditing, and reporting user
data, such as start and stop times, executed commands (such as PPP), number of packets, and number
of bytes. Accounting enables wireless network administrators to track the services users are accessing
and the network resources they are consuming. When accounting is enabled, the network access server
reports user activity to a RADIUS security server in the form of accounting records. Each accounting
record is comprised of AV pairs and is stored locally on the access control server. The data can be
analyzed for network management, client billing, and/or auditing. Accounting methods must be defined
through AAA. When AAA accounting is activated, it is applied equally to all interfaces on the access
servers.
Use the (config) instance to configure AAA policy commands. To navigate to the config-aaa-policy
instance, use the following commands:
nx9500-6C8809(config)#aaa-policy test
nx9500-6C8809(config-aaa-policy-test)#?
AAA Policy Mode commands:
accounting Configure accounting parameters
attribute Configure RADIUS attributes in access and accounting
requests
authentication Configure authentication parameters
health-check Configure server health-check parameters
mac-address-format Configure the format in which the MAC address must be
filled in the Radius-Request frames
no Negate a command or set its defaults
proxy-attribute Configure radius attribute behavior when proxying
through controller or rf-domain-manager
server-pooling-mode Configure the method of selecting a server from the
pool of configured AAA servers
use Set setting to use
aaa-policy-commands
The following table summarizes the AAA policy configuration mode commands:
Note
For more information on common commands (clrscr, commit, help, revert, service, show,
write, and exit), see COMMON COMMANDS on page 705.
Note
The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot
include an underscore (_) character. In other words, the name of a device cannot contain an
underscore.
accounting
Configures the server type and interval at which interim accounting updates are sent to the server. A
maximum of 12 accounting servers can be configured.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
accounting [interim|server|type]
accounting interim interval <60-3600>
accounting server [<1-12>|preference]
accounting server preference [auth-server-host|auth-server-number|none]
accounting server <1-12> [dscp|host|nai-routing|onboard|proxy-mode|retry-timeout-factor|
timeout]
accounting server <1-12> [dscp <0-63>|retry-timeout-factor <50-200>]
accounting server <1-12> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|
<SECRET>]
{port <1-65535>}
accounting server <1-12> nai-routing realm-type [prefix|suffix] realm <REALM-TEXT> {strip}
accounting server <1-12> onboard [centralized-controller|self|controller]
accounting server <1-12> proxy-mode [none|through-centralized-controller|through-
controller|
through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]
accounting server <1-12> timeout <1-60> {attempts <1-10>}
accounting type [start-interim-stop|start-stop|stop-only]
Parameters
accounting interim interval <60-3600>
retry-timeout-factor <50-200> Sets the scaling factor for retransmission timeouts. The timeout at
each attempt is a function of this retry-timeout factor and the
attempt number.
• <50-200> – Specify a value from 50 - 200. The default is 100.
If the scaling factor is 100, the interval between two consecutive
retries remains the same, irrespective of the number of retries.
If the scaling factor is less than 100, the interval between two
consecutive retries reduces with subsequent retries.
If this scaling factor is greater than 100, the interval between two
consecutive retries increases with subsequent retries.
port <1-65535> Optional. Configures the accounting server’s UDP port (the port
used to connect to the accounting server)
• <1-65535> – Specify the port number from 1 - 65535. The default
value is 1813.
realm <REALM-TEXT> Configures the text matched against the username. Enter the realm
name (should not exceed 50 characters). When the RADIUS
accounting server receives a request for a user name, the server
references a table of user names. If the user name is known, the
server proxies the request to the RADIUS server.
• <REALM-TEXT> – Specifies the matching text including the
delimiter (a delimiter is typically '\' or '@')
strip Optional. When enabled, strips the realm from the username before
forwarding the request to the RADIUS server. This option is disabled
by default.
Examples
nx9500-6C8809(config-aaa-policy-test)#accounting interim interval 65
nx9500-6C8809(config-aaa-policy-test)#accounting server 2 host 172.16.10.10 secret
test1 port 1
nx9500-6C8809(config-aaa-policy-test)#accounting server 2 timeout 2 attempts 2
nx9500-6C8809(config-aaa-policy-test)#accounting type start-stop
nx9500-6C8809(config-aaa-policy-test)#accounting server preference auth-server-number
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
accounting server 2 host 172.16.10.10 secret 0 test1 port 1
accounting server 2 timeout 2 attempts 2
accounting interim interval 65
accounting server preference auth-server-number
nx9500-6C8809(config-aaa-policy-test)#
Related Commands
attribute
Configures the RADIUS Framed-MTU attribute used in access and accounting requests. The Framed-MTU
attribute reduces the EAP (Extensible Authentication Protocol) packet size of the RADIUS server. This
command is useful in networks where routers and firewalls do not perform fragmentation.
To ensure network security, some firewall software drops UDP fragments from RADIUS server EAP
packets. Large packets, which have to be fragmented, are consequently lost. Using Framed MTU
(Maximum Transmission Unit) reduces the packet size. EAP authentication uses Framed MTU to notify
the RADIUS server about the MTU negotiation with the client. The RADIUS server's communications
with the client then do not include EAP messages that cannot be delivered over the network.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
attribute [acct-delay-time|acct-multi-session-id|chargeable-user-identity|
cisco-vsa|framed-ip-address|framed-mtu|location-information|nas-ip-address|nas-ipv6-
address|
operator-name|service-type]
attribute acct-delay-time
attribute acct-multi-session-id
attribute chargeable-user-identity
attribute cisco-vsa audit-session-id
attribute framed-ip-address
attribute framed-mtu <100-1500>
attribute location-information [include-always|none|server-requested]
attribute nas-ip-address <WORD>
attribute nas-ipv6-address
attribute operator-name <OPERATOR-NAME>
attribute service-type [framed|login]
Parameters
attribute acct-delay-time
acct-delay-time Enables support for accounting-delay-time attribute in accounting requests. When enabled,
this attribute indicates the number of seconds the client has been trying to send a request to
the accounting server. By subtracting this value from the time the packet is received by the
server, the system is able to calculate the time of a request-generating event. Note, the
network transit time is ignored. This option is disabled by default.
Including the acct-delay-time attribute in accounting requests updates the acct-delay-time
value whenever the packet is retransmitted. This changes the content of the attributes field,
requiring a new identifier and request authenticator.
attribute multi-session-id
attribute chargeable-user-identity
cisco-vsa audit-session-id Configures the CISCO VSA (Vendor Specific Attribute) attribute included in access
requests. This feature is disabled by default.
This VSA allows CISCO’s ISE (Identity Services Engine) to validate a requesting client’s
network compliance, such as the validity of virus definition files (anti virus software or
definition files for an anti-spyware software application).
• audit-session-id – Includes the audit session ID attribute in access requests
The audit session ID is included in access requests when Cisco ISE is configured as an
authentication server.
Note: If the Cisco VSA attribute is enabled, configure an additional UDP port to listen for
dynamic authorization messages from the Cisco ISE server. For more information, see
service on page 1379.
attribute framed-ip-address
server communications with the client do not include EAP messages that cannot be
delivered over the network.
• <100-1500> – Specify the Framed-MTU attribute value from 100 - 1500. The default
value is 1400.
location-information [include-always|none|server-requested] Enables support for RFC5580 location
information attribute, based on the option selected. The options are:
• include-always – Always includes location information in RADIUS
authentication and accounting messages
• none – Disables sending of location information in RADIUS authentication
and accounting messages. This is the default setting.
• server-requested – Includes location information in RADIUS authentication
and accounting messages only when requested by the server
attribute nas-ipv6-address
nas-ipv6-address Enables support for NAS IPv6 address. This option is disabled by default.
When enabled, IPv6 addresses are assigned to hosts. The length of IPv4 and IPv6
addresses is 32-bit and 128-bit respectively. Consequently, an IPv6 address requires a
larger address space.
operator-name <OPERATOR-NAME> Enables support for RFC5580 operator name attribute. When enabled, the
network operator’s name is included in all RADIUS authentication and accounting
messages and uniquely identifies the access network owner. This option is
disabled by default.
• <OPERATOR-NAME> – Specify the network operator’s name (should not
exceed 63 characters in length).
service-type [framed|login] Configures the service-type (6) attribute value. This attribute identifies the
following: the type of service requested and the type of service to be provided.
• framed – Sets service-type to framed (2) in the authentication packets. When
enabled, a framed protocol, PPP (Point-to-Point Protocol) or SLIP (Serial Line Internet
Protocol), is started for the client. This is the default setting.
• login – Sets service-type to login (1) in the authentication packets. When enabled, the
client is connected to the host.
Examples
nx9500-6C8809(config-aaa-policy-test)#attribute framed-mtu 110
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
accounting server 2 host 172.16.10.10 secret 0 test1 port 1
accounting server 2 timeout 2 attempts 2
accounting interim interval 65
accounting server preference auth-server-number
attribute framed-mtu 110
nx9500-6C8809(config-aaa-policy-test)#
nx9500-6C8809(config-aaa-policy-test1)#attribute cisco-vsa audit-session-id
nx9500-6C8809(config-aaa-policy-test1)#show context
aaa-policy test1
attribute cisco-vsa audit-session-id
nx9500-6C8809(config-aaa-policy-test1)#
Related Commands
authentication
Configures user authentication parameters
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
authentication [eap|protocol|server]
authentication eap wireless-client [attempts <1-10>|identity-request-retry-timeout
<10-5000>|
identity-request-timeout <1-60>|retry-timeout-factor <50-200>|timeout <1-60>]
authentication protocol [chap|mschap|mschapv2|pap]
authentication server <1-12> [dscp|host|nac|nai-routing|onboard|proxy-mode|retry-timeout-
factor|timeout]
authentication server <1-12> dscp <0-63>
authentication server <1-12> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|
<SECRET>]
{port <1-65535>}
authentication server <1-12> nac
authentication server <1-12> nai-routing realm-type [prefix|suffix] realm <REALM-NAME>
{strip}
authentication server <1-12> onboard [centralized-controller|controller|self]
authentication server <1-12> proxy-mode [none|through-centralized-controller|
through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]
authentication server <1-12> retry-timeout-factor <50-200>
authentication server <1-12> timeout <1-60> {attempts <1-10>}
Parameters
authentication eap wireless-client [attempts <1-10>|identity-request-retry-timeout
<10-5000>|
identity-request-timeout <1-60>|retry-timeout-factor <50-200>|timeout <1-60>]
identity-request-timeout <1-60> Configures the timeout, in seconds, after the last EAP-identity
request message retry attempt (to allow time to manually enter
user credentials)
• <1-60> – Specify a value from 1 - 60 seconds. The default is 30
seconds.
secret [0 <SECRET>|2 <SECRET>|<SECRET>] Configures the RADIUS authentication server’s secret key. This key
is used to authenticate with the RADIUS server.
• 0 <SECRET> – Configures a clear text secret
• 2 <SECRET> – Configures an encrypted secret
• <SECRET> – Specify the secret key. The shared key should not
exceed 127 characters.
port <1-65535> Optional. Specifies the RADIUS authentication server’s UDP port
(this port is used to connect to the RADIUS server)
• <1-65535> – Specify a value from 1 - 65535. The default port is
1812.
nai-routing Enables NAI routing. When enabled, AAA servers identify clients
using NAI. This option is disabled by default.
The NAI is a character string in the format of an e-mail address as
either user or user@realm but it need not be a valid e-mail address
or a fully qualified domain name. AAA servers identify clients using
the NAI. The NAI can be used either in a specific or generic form.
The specific form, which must contain the user portion and may
contain the @realm portion, identifies a single user. Using the
generic form allows all users to be configured on a single command
line, irrespective of whether the users are within a realm or not.
Each user still needs a unique security association, but these
associations can be stored on a AAA server. The original purpose of
the NAI was to support roaming between dial up ISPs. With NAI, an
ISP does not have the accounts for all of its roaming partners in a
single RADIUS database. RADIUS servers can proxy requests to
remote servers as need be.
realm <REALM-NAME> Sets the realm information used for RADIUS authentication. The
realm name should not exceed 64 characters in length. When the
wireless controller or access point’s RADIUS server receives a
request for a user name the server references a table of usernames.
If the user name is known, the server proxies the request to the
RADIUS server.
• <REALM-NAME> – Sets the realm used for authentication. This
value is matched against the user name provided for RADIUS
authentication.
Example:
Prefix - AC\JohnTalbot
Suffix - [email protected]
strip Optional. Indicates the realm name must be stripped from the user
name before sending it to the RADIUS server for authentication. For
example, if the complete username is ‘AC\JohnTalbot’, then with
the strip parameter enabled, only the ‘JohnTalbot’ part of the
complete username is sent for authentication. This option is
disabled by default.
onboard [centralized-controller|controller|self] Selects the onboard RADIUS server for authentication
instead of an external host
• centralized-controller – Configures the server on the centralized
controller managing the network
• controller – Configures the wireless controller, to which the AP is
adopted, as the onboard wireless controller
timeout <1-60> Configures the timeout, in seconds, for each request sent to the
RADIUS server. This is the time allowed to elapse before another
Examples
nx9500-6C8809(config-aaa-policy-test)#authentication server 5 host 172.16.10.10 secret 0
test1 port 1
nx9500-6C8809(config-aaa-policy-test)#authentication server 5 timeout 10 attempts 3
nx9500-6C8809(config-aaa-policy-test)#authentication protocol chap
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
authentication server 5 host 172.16.10.20 secret 0 test1 port 1
authentication server 5 timeout 10 attempts 3
accounting server 2 host 172.16.10.10 secret 0 test1 port 1
accounting server 2 timeout 2 attempts 2
authentication protocol chap
accounting interim interval 65
accounting server preference auth-server-number
attribute framed-mtu 110
nx9500-6C8809(config-aaa-policy-test)#
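The realm matching and strip behaviour described for nai-routing above, as an added Python sketch (not WiNG code, and not taken from this guide). The NaiRule, apply_rule and route names, the lowest-server-index-first order, the case-insensitive comparison and the example.test realm are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NaiRule:
    """Hypothetical model of one 'authentication server <n> nai-routing' entry."""
    server: int          # server index (<1-12> in the syntax above)
    realm_type: str      # "prefix" or "suffix"
    realm: str           # matching text, delimiter included
    strip: bool = False  # disabled by default, as stated above


def apply_rule(rule: NaiRule, username: str) -> Optional[str]:
    """Return the username that would be forwarded, or None if no match."""
    if not rule.realm:
        raise ValueError("realm text must not be empty")
    n = len(rule.realm)
    if rule.realm_type == "prefix":
        realm_part, user_part = username[:n], username[n:]
    elif rule.realm_type == "suffix":
        cut = max(len(username) - n, 0)
        realm_part, user_part = username[cut:], username[:cut]
    else:
        raise ValueError(f"unknown realm type: {rule.realm_type}")
    # Assumption: realms compare case-insensitively. A name that consists
    # of the realm only (no user portion) is never routed.
    if realm_part.lower() != rule.realm.lower() or not user_part:
        return None
    return user_part if rule.strip else username


def route(rules: List[NaiRule], username: str) -> Optional[Tuple[int, str]]:
    """Pick the first matching server (assumed order: lowest index first)."""
    for rule in sorted(rules, key=lambda r: r.server):
        forwarded = apply_rule(rule, username)
        if forwarded is not None:
            return rule.server, forwarded
    return None


# Constructed sample rules. The prefix form mirrors the page's
# 'AC\JohnTalbot' example; the suffix realm is a placeholder.
RULES = [
    NaiRule(1, "prefix", "AC\\", strip=True),
    NaiRule(2, "suffix", "@example.test"),
]
# The same prefix rule configured WITHOUT its delimiter: it also captures
# users of any other realm whose name merely starts with "AC".
LOOSE_RULES = [NaiRule(3, "prefix", "AC", strip=True)]

if __name__ == "__main__":
    for name in ("AC\\JohnTalbot", "jtalbot@example.test", "ACME\\bob"):
        print(f"{name!r:28} strict={route(RULES, name)} "
              f"loose={route(LOOSE_RULES, name)}")
```

A realm configured without its delimiter matches every username that starts (or ends) with the same characters, which is why the matching text should include it.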
Related Commands
health-check
An AAA server could go offline. When a server goes offline, it is marked as down. This command
configures the interval after which a server marked as down is checked to see if it has come back online
and is reachable.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
health-check interval <60-86400>
Parameters
health-check interval <60-86400>
interval <60-86400> Configures an interval (in seconds) after which a down server is checked to see if it
is reachable again
• <60-86400> – Specify a value from 60 - 86400 seconds. The default is 3600
seconds.
Examples
nx9500-6C8809(config-aaa-policy-test)#health-check interval 4000
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
authentication server 5 host 172.16.10.20 secret 0 test1 port 1
authentication server 5 timeout 10 attempts 3
accounting server 2 host 172.16.10.10 secret 0 test1 port 1
accounting server 2 timeout 2 attempts 2
authentication protocol chap
accounting interim interval 65
accounting server preference auth-server-number
health-check interval 4000
attribute framed-mtu 110
nx9500-6C8809(config-aaa-policy-test)#
Related Commands
mac-address-format
Configures the format in which MAC addresses are filled in RADIUS request frames
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot]
case [lower|upper] attributes [all|username-password]
Parameters
mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot]
case [lower|upper] attributes [all|username-password]
attributes [all|username-password] Configures RADIUS attributes to which this MAC format is applicable
• all – Applies to all attributes with MAC addresses such as username,
password, calling-station-id, and called-station-id
• username-password – Applies only to the username and password fields
(default setting)
Examples
nx9500-6C8809(config-aaa-policy-test)#mac-address-format quad-dot case upper attributes
username-password
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
authentication server 5 host 172.16.10.10 secret 0 test1 port 1
authentication server 5 timeout 10 attempts 3
accounting server 2 host 172.16.10.10 secret 0 test1 port 1
accounting server 2 timeout 2 attempts 2
mac-address-format quad-dot case upper attributes username-password
authentication protocol chap
--More--
nx9500-6C8809(config-aaa-policy-test)#
Related Commands
proxy-attribute
Configures RADIUS server’s attribute behavior when proxying through a wireless controller or a RF
Domain manager
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
proxy-attribute [nas-identifier|nas-ip-address]
proxy-attribute [nas-identifier [originator|proxier]|nas-ip-address [none|proxier]]
Parameters
proxy-attribute [nas-identifier [originator|proxier]|nas-ip-address [none|proxier]]
Examples
nx9500-6C8809(config-aaa-policy-test)#proxy-attribute nas-ip-address proxier
nx9500-6C8809(config-aaa-policy-test)#proxy-attribute nas-identifier originator
Related Commands
server-pooling-mode
Configures the mode used to select the server from a pool of AAA servers. The available methods are
failover and load-balance.
In the failover scenario, when a configured AAA server goes down, the server with the next higher index
takes over for the failed server.
In the load-balance scenario, when a configured AAA server goes down, the remaining servers
distribute the load amongst themselves.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
server-pooling-mode [failover|load-balance]
Parameters
server-pooling-mode [failover|load-balance]
failover Sets the pooling mode to failover. This is the default setting.
When a configured AAA server fails, the server with the next higher index takes over the
failed server's load.
load-balance Sets the pooling mode to load balancing.
When a configured AAA server fails, all servers in the pool share the failed server's load,
transmitting requests in a round-robin fashion.
Examples
nx9500-6C8809(config-aaa-policy-test)#server-pooling-mode load-balance
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
authentication server 5 host 172.16.10.10 secret 0 test2 port 1
authentication server 5 timeout 10 attempts 3
accounting server 2 host 172.16.10.10 secret 0 test1 port 1
server-pooling-mode load-balance
mac-address-format quad-dot case upper attributes username-password
accounting server preference auth-server-number
health-check interval 4000
nx9500-6C8809(config-aaa-policy-test)#
Related Commands
no Resets the method of selecting a server, from the pool of configured AAA servers
use
Associates a NAC (Network Access Control) list with this AAA policy. When associated, only the set of
configured devices is allowed to use the configured AAA servers.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
use nac-list <NAC-LIST-NAME>
Parameters
use nac-list <NAC-LIST-NAME>
Examples
nx9500-6C8809(config-aaa-policy-test)#use nac-list test1
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
authentication server 5 host 172.16.10.10 secret 0 test1 port 1
authentication server 5 timeout 10 attempts 3
accounting server 2 host 172.16.10.10 secret 0 test1 port 1
server-pooling-mode load-balance
mac-address-format quad-dot case upper attributes username-password
accounting server preference auth-server-number
health-check interval 4000
use nac-list test1
nx9500-6C8809(config-aaa-policy-test)#
Related Commands
no
Removes this AAA policy's settings or reverts them to default values
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [accounting|attribute|authentication|health-check|mac-address-format|proxy-attribute|
server-pooling-mode|use]
no accounting interim interval
no accounting server preference
no accounting server <1-6> {dscp|nai-routing|proxy-mode|retry-timeout-factor|timeout}
no accounting type
no attribute [acct-delay-time|acct-multi-session-id|chargeable-user-identity|
cisco-vsa audit-session-id|framed-ip-address|framed-mtu|location-information|nas-ipv6-
address|
operator-name|service-type]
no authentication [eap|protocol|server]
no authentication eap wireless-client [attempts|identity-request-retry-timeout|
identity-request-timeout|retry-timeout-factor|timeout]
no authentication protocol
no authentication server <1-6> {dscp|nac|nai-routing|proxy-mode|retry-timeout-factor|
timeout}
no health-check interval
no mac-address-format
no proxy-attribute [nas-identifier|nas-ip-address]
no server-pooling-mode
no use nac-list
Parameters
no <PARAMETERS>
Examples
The following example shows the AAA policy ‘test’ settings before the ‘no’ commands are executed:
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
authentication server 5 host 172.16.10.10 secret 0 test1 port 1
authentication server 5 timeout 10 attempts 3
accounting server 2 host 172.16.10.10 secret 0 test1 port 1
accounting server 2 timeout 2 attempts 2
mac-address-format quad-dot case upper attributes username-password
authentication protocol chap
accounting interim interval 65
accounting server preference auth-server-number
health-check interval 4000
attribute framed-mtu 110
nx9500-6C8809(config-aaa-policy-test)#
nx9500-6C8809(config-aaa-policy-test)#no accounting server 2 timeout 2
nx9500-6C8809(config-aaa-policy-test)#no accounting interim interval
nx9500-6C8809(config-aaa-policy-test)#no health-check interval
nx9500-6C8809(config-aaa-policy-test)#no attribute framed-mtu
nx9500-6C8809(config-aaa-policy-test)#no authentication protocol
The following example shows the AAA policy ‘test’ settings after the ‘no’ commands are executed:
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
authentication server 5 host 172.16.10.10 secret 0 test1 port 1
authentication server 5 timeout 10 attempts 3
accounting server 2 host 172.16.10.10 secret 0 test1 port 1
mac-address-format quad-dot case upper attributes username-password
accounting server preference auth-server-number
health-check interval 4000
nx9500-6C8809(config-aaa-policy-test)#
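The 'show context' output in this chapter prints RADIUS shared secrets in clear text ('secret 0') and uses port 1 instead of the defaults 1812 and 1813. The following added Python example (not part of the guide and not WiNG code) audits such output and redacts it before it is shared; the function names, the issue labels and the reused-secret check are assumptions of this example, and the type-2 secret value is a constructed placeholder.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Default UDP ports stated in the parameter tables of this chapter.
DEFAULT_PORT = {"authentication": 1812, "accounting": 1813}

# '<kind> server <n> host <HOST> secret [0 <S>|2 <S>|<S>] {port <p>}'
SERVER_RE = re.compile(
    r"^\s*(?P<kind>authentication|accounting) server (?P<index>\d+)"
    r" host (?P<host>\S+) secret (?:(?P<enc>[02]) )?(?P<secret>\S+)"
    r"(?: port (?P<port>\d+))?\s*$"
)


class Finding(NamedTuple):
    line: int      # 1-based line number in the audited text
    server: str    # e.g. "accounting server 2"
    issue: str     # label chosen for this example


def audit(config: str) -> List[Finding]:
    """Flag clear-text secrets, non-default ports and reused secrets."""
    findings: List[Finding] = []
    seen: Dict[Tuple[str, str], str] = {}
    for number, text in enumerate(config.splitlines(), start=1):
        m = SERVER_RE.match(text)
        if m is None:
            continue
        server = f"{m['kind']} server {m['index']}"
        # A secret entered without a type is displayed as 'secret 0',
        # as the accounting example in this chapter shows.
        enc = m["enc"] or "0"
        if enc != "2":
            findings.append(Finding(number, server, "clear-text-secret"))
        if m["port"] is not None and int(m["port"]) != DEFAULT_PORT[m["kind"]]:
            findings.append(Finding(number, server, "non-default-port"))
        key = (enc, m["secret"])
        if key in seen:
            findings.append(Finding(number, server, "reused-secret"))
        else:
            seen[key] = server
    return findings


def redact(config: str) -> str:
    """Replace every secret value so the text can go into a ticket."""
    out = []
    for text in config.splitlines():
        m = SERVER_RE.match(text)
        if m is not None:
            text = (text[:m.start("secret")] + "<redacted>"
                    + text[m.end("secret"):])
        out.append(text)
    return "\n".join(out)


# Lines 1-5 and 7 follow the example output above; line 6 is constructed
# to show an encrypted (type 2) secret on the default port.
SAMPLE = """\
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10 attempts 3
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 authentication server 6 host 172.16.10.11 secret 2 CONSTRUCTED-ENCRYPTED-VALUE
 authentication protocol chap
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(f"line {finding.line}: {finding.server}: {finding.issue}")
    print(redact(SAMPLE))
```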
AUTO-PROVISIONING-POLICY
This topic summarizes the auto provisioning policy commands in the CLI command structure.
Wireless devices can adopt and manage other wireless devices. For example, a wireless controller can
adopt multiple access points. When a device is adopted, the device configuration is provisioned by the
adopting device. Since multiple configuration policies are supported, an adopting device uses auto
provisioning policies to determine which configuration policies are applied to an adoptee based on its
properties. For example, a configuration policy could be assigned based on MAC address, IP address,
CDP snoop strings, etc.
Auto provisioning or adoption is the process by which an access point discovers controllers in the
network, identifies the most desirable controller, associates with the identified controller, and optionally
obtains an image upgrade, obtains its configuration and considers itself provisioned.
At adoption, an access point solicits and receives multiple adoption responses from controllers available
on the network. These adoption responses contain loading policy information the access point uses to
select the optimum controller for adoption. An auto-provisioning policy maps a new AP to a profile and
RF Domain based on various parameters related to the AP and where it is connected. By default a new
AP will be mapped to the default profile and default RF Domain. Modify existing auto-provisioning
policies or create a new one as needed to meet the configuration requirements of a device.
An auto-provisioning policy enables an administrator to define rules for the supported access points
capable of being adopted by a controller. The policy determines which configuration policies are
applied to an adoptee based on its properties. For example, a configuration policy could be assigned
based on MAC address, IP address, CDP (Cisco Discovery Protocol) snoop strings, etc. Once created, an
auto-provisioning policy can be used in profiles or device configuration objects. The policy contains a
set of rules (ordered by precedence) that either deny or allow adoption based on potential adoptee
properties and a catch-all variable that determines if the adoption should be allowed when none of the
rules is matched. All rules (both deny and allow) are evaluated sequentially, starting with the rule with
the lowest precedence value. The evaluation stops as soon as a rule has been matched; no attempt is made
to find a better match further down in the set.
For example,
rule #1 adopt ap7161 10 profile default vlan 10
rule #2 adopt ap6562 20 profile default vlan 20
rule #3 adopt ap7161 30 profile default serial-number
rule #4 adopt ap7161 40 p d mac aa bb
An AP 7161 performing L2 adoption on VLAN 20 will not use rule #2 (wrong type), may use rule #3 if the
serial number matches, or rule #4.
With the implementation of the hierarchically managed (HM) network, the auto-provisioning policy has
been modified to enable controllers to adopt other controllers in addition to access points.
The new HM network defines a three-tier structure, consisting of multiple wireless sites managed by a
single Network Operations Center (NOC) controller. The NOC controller constitutes the first tier and the
site controllers constitute the second tier of the hierarchy. The site controllers in turn adopt and
manage access points that form the third tier of the hierarchy.
All adopted devices (access points and second-level controllers) are referred to as the ‘adoptee’. The
adopting devices are the ‘adopters’.
A controller should be configured to specify the device types (APs and/or controllers) that it can adopt.
For more information on configuring the adopted-device types for a controller, see controller on page
1014.
Note
The adoption capabilities of a controller depend on:
• Whether the controller is deployed at the NOC or site
◦ A NOC controller can adopt site controllers and access points
◦ A site controller can adopt access points only
• The controller device type, which determines the number and type of devices it can adopt
auto-provisioning-policy-commands
The following table summarizes auto provisioning policy configuration commands:
Note
For more information on common commands (clrscr, commit, help, revert, service, show,
write, and exit), see COMMON COMMANDS on page 705.
Note
The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot
include an underscore (_) character. In other words, the name of a device cannot contain an
underscore.
adopt
Adds device adoption rules to the Auto Provisioning Policy
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
adopt [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|
ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600]
adopt [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|
ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] precedence <1-10000>
[profile|rf-domain]
adopt [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|
ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] precedence <1-10000>
[profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>]
[any|area|cdp-match|dhcp-option|floor|fqdn|ip|ipv6|lldp-match|mac|model-number|rf-domain|serial-number|vlan]
adopt [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|
ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] precedence <1-10000>
[profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] any
adopt [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|
ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] precedence <1-10000>
[profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] [area <AREA-NAME>|
cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|floor <FLOOR-NAME>|fqdn <FQDN>|
ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|
mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|
rf-domain <RF-DOMAIN-NAME>|vlan <VLAN-ID>]
Parameters
adopt [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] precedence <1-10000>
[profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] any
adopt – Adds an adopt device rule. The rule applies to the selected device types. Specify the device
type and assign a precedence to the rule.
The different device types are:
AP 6522, AP 6562, AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602, AP-7612, AP
7622, AP7632, AP7662, AP-8163, AP-8432, AP-8533, RFS 4000, NX 5500, NX 75XX, NX
95XX, NX 96XX, and VX.
Note: Use the ‘anyap’ option to auto provision any AP regardless of its model type.
precedence <1-10000> – Sets the rule precedence from 1 - 10000. A rule with a lower value has a higher
precedence.
profile <DEVICE-PROFILE-NAME> – Sets the device profile for this provisioning policy. The selected
device profile must be appropriate for the device being provisioned. For example, use an AP 7502 device
profile for an AP 7502. Using an inappropriate device profile can result in unpredictable results.
Provide a device profile name (should be existing and configured). Or a template with
appropriate substitution tokens, such as 'campus-$MODEL[1:6]', 'FQDN[1:4]-indoor'. Refer to
Usage Guidelines for the different types of built in tokens available in the system.
rf-domain <RF-DOMAIN-NAME> – Sets the RF Domain for this auto provisioning policy. The provisioning
policy is only applicable to devices that try to become a part of the specified RF Domain. Provide the
full RF Domain name OR use a string alias to identify the RF Domain.
Provide the full RF Domain name or an alias (should be existing and configured). Or a
template with appropriate substitution tokens, such as '$CDP[1:7]', '$DNS-SUFFIX[1:5]'. Refer
to Usage Guidelines for the different types of built in tokens available in the system.
Use the built-in string alias or a user-defined string alias. String aliases allow you to configure
APs in the same RF Domain as the adopting controller. A string alias maps a name to an
arbitrary string value, for example, ‘alias string $DOMAIN test.example_company.com’. In this
example, the string-alias $DOMAIN is mapped to the string: test.example_company.com. For
more information, see alias.
any – Indicates any device. Any device seeking adoption is adopted.
adopt [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|
ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600]
precedence <1-10000> [profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>]
[area <AREA-NAME>|cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|floor <FLOOR-NAME>|
fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|
lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|
serial-number <SERIAL-NUMBER>|rf-domain <RF-DOMAIN-NAME>|vlan <VLAN-ID>]
adopt – Adds an adopt device rule. The rule applies to the selected device types. Specify the
device type and assign a precedence to the rule.
The different device types are:
AP 6522, AP 6562, AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602,
AP-7612, AP 7622, AP7632, AP7662, AP-8163, AP-8432, AP-8533, RFS 4000, NX
5500, NX 75XX, NX 95XX, NX 96XX, and VX.
Note: Use the ‘anyap’ option to auto provision any AP regardless of its model type.
precedence <1-10000> – Sets the rule precedence. A rule with a lower value has a higher precedence.
profile <DEVICE-PROFILE-NAME> – Sets the device profile for this provisioning policy. The selected
device profile must be appropriate for the device being provisioned. For example, use an AP 7502
device profile for an AP 7502. Using an inappropriate device profile can result in
unpredictable results.
Provide a device profile name (should be existing and configured). Or a template
with appropriate substitution tokens, such as 'campus-$MODEL[1:6]', 'FQDN[1:4]-indoor'.
Refer to Usage Guidelines for the different types of built in tokens available
in the system.
rf-domain <RF-DOMAIN-NAME> – Sets the RF Domain for this auto provisioning policy. The provisioning
policy is only applicable to devices that try to become a part of the specified RF Domain. Provide
the full RF Domain name OR use a string alias to identify the RF Domain.
Provide the full RF Domain name or an alias (should be existing and configured). Or
a template with appropriate substitution tokens, such as '$CDP[1:7]', '$DNS-SUFFIX[1:5]'.
Refer to Usage Guidelines for the different types of built in tokens
available in the system.
Note: Use the built-in string alias or a user-defined string alias. String aliases allow
you to configure APs in the same RF Domain as the adopting controller. A string
alias maps a name to an arbitrary string value, for example, ‘alias string $DOMAIN
test.example_company.com’. In this example, the string-alias $DOMAIN is mapped
to the string: test.example_company.com. For more information, see alias.
area <AREA-NAME> – Matches the area of deployment. This option is not applicable to the ‘rf-domain’
parameter.
• <AREA-NAME> – Enter a 64 character maximum deployment area name
assigned to this policy. Devices with matching area names are adopted.
cdp-match <LOCATION-SUBSTRING> – Matches a substring in a list of CDP snoop strings (case insensitive).
For example, if an access point snooped 3 devices: controller1.example.com,
controller2.example.com, and controller3.example.com, 'controller1', ‘example’,
'example.com', are examples of the substrings that will match.
• <LOCATION-SUBSTRING> – Specify the value to match. Devices matching the
specified value are adopted.
dhcp-option <DHCP-OPTION> – Matches the value found in DHCP vendor option 191 (case insensitive).
DHCP vendor option 191 can be set up to communicate various configuration parameters to an AP.
The value of the option is a string in the form of tag=value pairs separated by
semicolons, for example 'tag1=value1;tag2=value2;tag3=value3'. The access point
includes the value of tag 'rf-domain', if present.
• <DHCP-OPTION> – Specify the DHCP option. Devices matching the specified
value are adopted.
floor <FLOOR-NAME> – Matches the floor name. This option is not applicable to the ‘rf-domain’ parameter.
• <FLOOR-NAME> – Enter a 32 character maximum deployment floor name
assigned to this policy. Devices with matching floor names are adopted.
fqdn <FQDN> – Matches a substring to the FQDN (Fully Qualified Domain Name) of a device (case
insensitive).
FQDN is a domain name that specifies its exact location in the DNS hierarchy. It
specifies all domain levels, including its top-level domain and the root domain. This
parameter allows a device to adopt based on its FQDN value.
• <FQDN> – Specify the FQDN name. Devices matching the specified value are
adopted.
ip [<START-IP> <END-IP>|<IP/MASK>] – Adopts a device if its IP address matches the specified IPv4
address or is within the specified IP address range, or if the device is a part of the specified subnet.
• <START-IP> – Specify the first IPv4 address in the range.
◦ <END-IP> – Specify the last IPv4 address in the range.
• <IP/MASK> – Specify the IPv4 subnet and mask to match against the device’s IP
address.
ipv6 [<START-IP> <END-IP>|<IP/MASK>] – Adopts a device if its IP address matches the specified IPv6
address or is within the specified IP address range, or if the device is a part of the specified subnet.
• <START-IP> – Specify the first IPv6 address in the range.
◦ <END-IP> – Specify the last IPv6 address in the range.
• <IP/MASK> – Specify the IPv6 subnet and mask to match against the device’s
IPv6 address.
lldp-match <LLDP-STRING> – Matches a substring in a list of LLDP (Link Layer Discovery Protocol) snoop
strings (case insensitive). For example, if an Access Point snooped 3 devices:
controller1.example.com, controller2.example.com and controller3.example.com,
'controller1', 'example', and 'example.com' are substrings that match.
LLDP is a vendor neutral link layer protocol that advertises a network device’s
identity, capabilities, and neighbors on a local area network.
• <LLDP-STRING> – Specify the LLDP string. Devices matching the specified value
are adopted.
mac <START-MAC> {<END-MAC>} – Adopts a device if its MAC address matches the specified MAC address
or is within the specified MAC address range.
• <START-MAC> – Specify the first MAC address in the range. Provide this MAC address if you want to
match for a single device.
◦ <END-MAC> – Optional. Specify the last MAC address in the range.
Following are the built-in tokens that can be used to identify the devices to adopt:
$FQDN - references FQDN of adopting device
$CDP - references CDP Device Id of the wired switch to which adopting device is
connected
$LLDP - references LLDP System Name of wired switch to which adopting device is
connected
$DHCP - references DHCP Option Value received by the adopting device
$SN - references SERIAL NUMBER of adopting device
$MODEL - references MODEL NUMBER of adopting device
$DNS-SUFFIX - references FQDN excluding the hostname of the adopting device
$CDP-SUFFIX - references CDP excluding the hostname of the adopting device
$LLDP-SUFFIX - references LLDP excluding the hostname of the adopting device
Following is the built-in alias that can be used to identify the RF Domain of devices to adopt:
$AUTO-RF-DOMAIN - rf-domain of adopting device
Examples
rfs4000-229D58(config-auto-provisioning-policy-test)#adopt ap8432 precedence 5 profile
default-ap8432 rf-domain TechPubs vlan 1
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
adopt ap8432 precedence 5 profile default-ap8432 rf-domain TechPubs vlan 1
rfs4000-229D58(config-auto-provisioning-policy-test)#
rfs4000-229D58(config-auto-provisioning-policy-test)#show wireless ap configured
---------------------------------------------------------------------------------------
IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY
---------------------------------------------------------------------------------------
1 ap8432-711728 B4-C7-99-71-17-28 default-ap8432 default 00-23-68-22-9D-58
---------------------------------------------------------------------------------------
rfs4000-229D58(config-auto-provisioning-policy-test)#
Related Commands
auto-create-rfd-template
During device adoption, if the token-specified RF Domain (configured using the ‘adopt’ rule) is not
found, the system auto creates a new RF Domain based on an existing RF Domain template specified
using this command. This option is disabled by default.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
auto-create-rfd-template <RF-DOMAIN-NAME>
Parameters
auto-create-rfd-template <RF-DOMAIN-NAME>
Examples
The following example configures an adopt rule for adopting any AP7532 and applying an RF Domain
matching the token “$MODEL[1:5]” to the adopted AP:
nx9500-6C8809(config-auto-provisioning-policy-test)#adopt ap7532 precedence 20
rf-domain $MODEL[1:5] any
nx9500-6C8809(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
adopt ap7532 precedence 20 rf-domain $MODEL[1:5] any
nx9500-6C8809(config-auto-provisioning-policy-test)#
The following example enables auto creation of an RF Domain using an existing RF Domain ‘rfd-AP’ as
template:
• RF Domain name “AP-75”: Applicable to any AP 7532
nx9500-6C8809(config-auto-provisioning-policy-test)#auto-create-rfd-template AP-75
nx9500-6C8809(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
adopt ap7532 precedence 20 any
auto-create-rfd-template rfd-AP
nx9500-6C8809(config-auto-provisioning-policy-test)#
• As per the above configurations, when an AP 7532 comes up for first-time adoption, the system:
◦ Checks for an RF Domain matching the options provided in the ‘adopt’ rule, and if not found
◦ auto creates the RF Domain only if:
▪ A token is specified in the ‘adopt’ rule. For example, $MODEL[1:5], and
▪ the ‘auto-create-rfd-template’ option is configured
◦ Uses the ‘RF Domain’ specified in the auto-create-rfd-template command as a template.
Therefore, the specified RF Domain should be existing and configured.
◦ Applies the new RF Domain to the AP.
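The adoption-time steps listed above, written out as an added example (not code from this guide or from WiNG). The function names, the device fact dictionaries and the sample devices are constructed for illustration, and reading [a:b] as characters a to b, counted from 1 and both inclusive, is an assumption inferred from $MODEL[1:5] producing the RF Domain name “AP-75”.

```python
import re

# $NAME or $NAME[a:b]; NAME is one of the built-in tokens listed in this chapter.
TOKEN = re.compile(r"\$([A-Z]+(?:-[A-Z]+)*)(?:\[(\d+):(\d+)\])?")

# Constructed sample devices: values an adoptee might report for each token.
DEVICES = [
    {"SN": "SN-0001", "MODEL": "AP-7532-67030-WR", "CDP": "site-01.example.com"},
    {"SN": "SN-0002", "MODEL": "AP-7532-67030-WR", "CDP": "lab.example.com"},
]


def expand(template, facts):
    """Expand tokens in a profile or RF Domain template.

    Assumption: [a:b] selects characters a..b, counted from 1, both inclusive.
    """
    def substitute(match):
        name, start, end = match.groups()
        if name not in facts:
            raise KeyError(f"device reported no value for ${name}")
        value = facts[name]
        return value[int(start) - 1:int(end)] if start else value
    return TOKEN.sub(substitute, template)


def resolve_rf_domain(rule_rf_domain, facts, configured, rfd_template=None):
    """Return (rf_domain_name, outcome) for one adoptee.

    configured   -- set of RF Domain names that already exist on the controller
    rfd_template -- value of 'auto-create-rfd-template', or None when not set
    """
    name = expand(rule_rf_domain, facts)
    if name in configured:
        return name, "existing"
    uses_token = TOKEN.search(rule_rf_domain) is not None
    # Auto creation needs a token in the adopt rule, the template option, and
    # a template RF Domain that exists and is configured.
    if uses_token and rfd_template is not None and rfd_template in configured:
        return name, "created-from-template"
    return name, "not-created"


def preview(rule_rf_domain, devices, configured, rfd_template=None):
    """Map each RF Domain name that would be auto created to the serials causing it."""
    created = {}
    for facts in devices:
        name, outcome = resolve_rf_domain(rule_rf_domain, facts, configured, rfd_template)
        if outcome == "created-from-template":
            created.setdefault(name, []).append(facts.get("SN", "?"))
    return created


if __name__ == "__main__":
    existing = {"default", "rfd-AP"}
    print(resolve_rf_domain("$MODEL[1:5]", DEVICES[0], existing, "rfd-AP"))
    print(preview("$CDP[1:7]", DEVICES, existing, "rfd-AP"))
```

Because $CDP, $LLDP and $DHCP values come from what the adoptee reports about its surroundings, previewing the expanded names for the deployed devices shows which RF Domains auto-create-rfd-template would add before the option is enabled.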
Related Commands
default-adoption
Adopts devices, even when no matching rules are defined, and assigns a default profile and default RF
Domain to the adopted device
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
default-adoption
Parameters
None
Examples
rfs4000-229D58(config-auto-provisioning-policy-test)#default-adoption
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
default-adoption
adopt ap8432 precedence 5 profile default-ap8432 rf-domain TechPubs vlan 1
rfs4000-229D58(config-auto-provisioning-policy-test)#
Related Commands
deny
Adds deny device adoption rules to the Auto Provisioning Policy
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
deny [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600]
deny [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] precedence
<1-10000>
[any|cdp-match|dhcp-option|fqdn|ip|ipv6|lldp-match|mac|model-number|serial-number|vlan]
deny [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600]
precedence <1-10000> any
deny [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] precedence
<1-10000>
[cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|
<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|
Parameters
deny [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600]
precedence <1-10000> any
deny – Adds a deny adoption rule. The rule applies to the selected device types. Specify the
device type and assign a precedence to the rule.
The different device types are:
AP 6522, AP 6562, AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602, AP-7612,
AP 7622, AP7632, AP7662, AP-8163, AP-8432, AP-8533, RFS 4000, NX 5500, NX
75XX, NX 95XX, NX 96XX, and VX.
Note: Use the ‘anyap’ option to auto provision any AP regardless of its model type.
precedence <1-10000> – Sets the rule precedence. A rule with a lower value has a higher precedence.
any – Indicates any device. Any device seeking adoption is denied adoption.
deny [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] precedence <1-10000>
[cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|
<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC>
{<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]
deny – Adds a deny adoption rule. The rule applies to the selected device types. Specify
the device type and assign a precedence to the rule.
The different device types are:
AP 6522, AP 6562, AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602,
AP-7612, AP 7622, AP7632, AP7662, AP-8163, AP-8432, AP-8533, RFS 4000, NX
5500, NX 75XX, NX 95XX, NX 96XX, and VX.
Note: Use the ‘anyap’ option to auto provision any AP regardless of its model type.
precedence <1-10000> – Sets the rule precedence. A rule with a lower value has a higher precedence.
After specifying the rule precedence, specify the match criteria. Devices matching
the specified criteria are denied adoption.
cdp-match <LOCATION-SUBSTRING> – Matches a substring in a list of CDP snoop strings (case insensitive).
For example, if an access point snooped 3 devices: controller1.example.com,
controller2.example.com, and controller3.example.com, 'controller1', ‘example’,
'example.com', are examples of the substrings that will match.
• <LOCATION-SUBSTRING> – Specify the value to match. Devices matching the
specified value are denied adoption.
dhcp-option <DHCP-OPTION> – Matches the value found in DHCP vendor option 191 (case insensitive).
DHCP vendor option 191 can be set up to communicate various configuration parameters to an AP.
The value of the option is a string in the form of tag=value pairs separated by
semicolons, for example 'tag1=value1;tag2=value2;tag3=value3'. The access point
includes the value of tag 'rf-domain', if present.
• <DHCP-OPTION> – Specify the DHCP option value to match. Devices matching
the specified value are denied adoption.
ip [<START-IP> <END-IP>|<IP/MASK>] – Denies adoption if a device's IP address matches the specified
IPv4 address or is within the specified IP address range.
• <START-IP> – Specify the first IPv4 address in the range.
◦ <END-IP> – Specify the last IPv4 address in the range.
• <IP/MASK> – Specify the IPv4 subnet and mask to match against the device’s IP
address.
ipv6 [<START-IP> <END-IP>|<IP/MASK>] – Denies adoption if a device's IPv6 address matches the
specified IP address or is within the specified IP address range.
• <START-IP> – Specify the first IPv6 address in the range.
◦ <END-IP> – Specify the last IPv6 address in the range.
• <IP/MASK> – Specify the IPv6 subnet and mask to match against the device’s
IPv6 address.
lldp-match <LLDP-STRING> – Matches a substring in a list of LLDP snoop strings (case insensitive).
For example, if an Access Point snooped 3 devices: controller1.example.com,
controller2.example.com and controller3.example.com, 'controller1', 'example',
and 'example.com' are substrings that match.
LLDP is a vendor neutral link layer protocol that advertises a network device’s
identity, capabilities, and neighbors on a local area network.
• <LLDP-STRING> – Specify the LLDP string. Devices matching the specified
values are denied adoption.
mac <START-MAC> {<END-MAC>} – Denies adoption if a device's MAC address matches the specified MAC
address or is within the specified MAC address range.
• <START-MAC> – Specify the first MAC address in the range. Provide this MAC
address if you want to match for a single device.
◦ <END-MAC> – Optional. Specify the last MAC address in the range.
Examples
rfs4000-229D58(config-auto-provisioning-policy-test)#deny ap8432 precedence 1 mac 74-67-F7-07-02-35
rfs4000-229D58(config-auto-provisioning-policy-test)#deny ap8432 precedence 2 ip 192.168.13.24 102.168.13.26
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
default-adoption
deny ap8432 precedence 1 mac 74-67-F7-07-02-35
deny ap8432 precedence 2 ip 192.168.13.24 102.168.13.26
Related Commands
evaluate-always
Sets flag to run this auto-provisioning policy every time an access point is adopted. The access point’s
previous adoption status is not taken into consideration.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
evaluate-always
Parameters
None
Examples
rfs4000-229D58(config-auto-provisioning-policy-test)#evaluate-always
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
default-adoption
evaluate-always
deny ap8432 precedence 1 mac 74-67-F7-07-02-35
deny ap8432 precedence 2 ip 192.168.13.24 102.168.13.26
adopt ap8432 precedence 5 profile default-ap8432 rf-domain TechPubs vlan 1
rfs4000-229D58(config-auto-provisioning-policy-test)#
Related Commands
no on page 1496 – Disables the running of this policy every time an AP is adopted
redirect
Adds a rule redirecting device adoption to another controller within the system. Devices seeking
adoption are redirected to a specified controller based on the redirection parameters specified.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
redirect [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75XX|nx95XX|vx9000|nx96XX]
redirect [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75XX|nx95XX|vx9000|nx96XX] precedence <1-10000>
controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>]
[any|cdp-match|dhcp-option|fqdn|ip|ipv6|level|lldp-match|mac|model-number|pool|serial-number|vlan]
redirect [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75XX|nx95XX|vx9000|nx96XX] precedence <1-10000>
controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] any
redirect [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75XX|nx95XX|vx9000|nx96XX] precedence <1-10000>
controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] [cdp-match <LOCATION-SUBSTRING>|
dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|
ipv6 [<START-IP> <END-IP>|<IP/MASK>]|level [1|2]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|
model-number <MODEL-NUMBER>|pool <1-2>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]
{upgrade}
Parameters
redirect [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75XX|nx95XX|vx9000|nx96XX] precedence <1-10000>
controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] any
redirect – Adds a redirect adoption rule. The rule applies to the device type selected.
Specify the device type and assign a precedence to the rule.
The different device types are:
AP 6522, AP 6562, AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602,
AP-7612, AP 7622, AP7632, AP7662, AP-8163, AP-8432, AP-8533, RFS 4000,
NX 5500, NX 75XX, NX 95XX, NX 96XX, and VX.
Note: ‘anyap’ is used in auto provisioning policies to create rules that are
applicable to any AP regardless of the model type.
precedence <1-10000> – Sets the rule precedence. Rules with lower values get precedence over rules
with higher values.
controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] – Configures the controller to which the
adopting devices are redirected. Specify the controller’s IP address or hostname.
• <CONTROLLER-IP> – Specifies the controller’s IP address
• <CONTROLLER-HOSTNAME> – Specifies the controller’s hostname
• ipv6 – Specify the controller’s IPv6 address
redirect [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|
ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75XX|nx95XX|vx9000|nx96XX] precedence <1-10000>
controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] [cdp-match <LOCATION-SUBSTRING>|
dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP>
<END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number
<MODEL-NUMBER>|pool <1-2>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>] {upgrade}
redirect – Adds a redirect adoption rule. The rule applies to the device type selected.
Specify the device type and assign a precedence to the rule.
The different device types are:
AP 6522, AP 6562, AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602,
AP-7612, AP 7622, AP7632, AP7662, AP-8163, AP-8432, AP-8533, RFS 4000,
NX 5500, NX 75XX, NX 95XX, NX 96XX, and VX.
Note: ‘anyap’ is used in auto provisioning policies to create rules that are
applicable to any AP regardless of the model type.
precedence <1-10000> – Sets the rule precedence. Rules with lower values get precedence over rules
with higher values.
controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] – Configures the controller to which the
adopting devices are redirected. Specify the controller’s IP address or hostname.
• <CONTROLLER-IP> – Specifies the controller’s IP address
• <CONTROLLER-HOSTNAME> – Specifies the controller’s hostname
• ipv6 – Specify the controller’s IPv6 address
After specifying the rule precedence and the controller, specify the match
criteria.
cdp-match <LOCATION-SUBSTRING> – Configures the device location to match, based on CDP snoop strings
• <LOCATION-SUBSTRING> – Specify the location. Devices matching the
specified string are redirected.
ip [<START-IP> <END-IP>|<IP/MASK>] – Configures a range of IP addresses and subnet address. Devices
whose IPv4 addresses are within the specified range or that are part of the specified subnet are
redirected.
• <START-IP> – Specify the first IPv4 address in the range.
◦ <END-IP> – Specify the last IPv4 address in the range.
• <IP/MASK> – Specify the IPv4 subnet and mask to match against the
device’s IP address.
ipv6 [<START-IP> <END-IP>|<IP/MASK>] – Redirects if a device's IPv6 address matches the specified IP
address or is within the specified IP address range.
• <START-IP> – Specify the first IPv6 address in the range.
◦ <END-IP> – Specify the last IPv6 address in the range.
• <IP/MASK> – Specify the IPv6 subnet and mask to match against the
device’s IP address.
lldp-match <LLDP-STRING> – Configures the device location to match, based on LLDP snoop string.
LLDP is a vendor neutral link layer protocol used to advertise a network
device’s identity, capabilities, and neighbors on a local area network.
• <LLDP-STRING> – Specify the location. Devices matching the specified
string are redirected.
mac <START-MAC> {<END-MAC>} – Configures a single or a range of MAC addresses. Devices matching the
specified values are redirected.
• <START-MAC> – Specify the first MAC address in the range. Provide only
this MAC address to filter a single device.
◦ <END-MAC> – Optional. Specify the last MAC address in the range.
upgrade – Optional. Upgrades APs before redirecting the device for adoption within the
system
Examples
rfs4000-229D58(config-auto-provisioning-policy-test)#redirect ap81xx precedence 6 controller 192.168.13.10 ip 192.168.13.11 192.168.13.15
rfs4000-229D58(config-auto-provisioning-policy-test)#redirect ap7532 precedence 7 controller 192.168.13.10 model-number AP-7532-67030-WR
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
default-adoption
evaluate-always
deny ap8432 precedence 1 mac 74-67-F7-07-02-35
deny ap8432 precedence 2 ip 192.168.13.24 102.168.13.26
adopt ap8432 precedence 5 profile default-ap8432 rf-domain TechPubs vlan 1
redirect ap81xx precedence 6 controller 192.168.13.10 ip 192.168.13.11 192.168.13.15
redirect ap7532 precedence 7 controller 192.168.13.10 model-number AP-7532-67030-WR
rfs4000-229D58(config-auto-provisioning-policy-test)#
Related Commands
upgrade
Adds a device upgrade rule to this auto provisioning policy. When applied to a controller, the upgrade
rule ensures adopted devices, of the specified type, are upgraded automatically.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
upgrade [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|
ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx95xx|vx9000|nx96xx]
upgrade [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|
ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx95xx|vx9000|nx96xx]
precedence <1-10000> [any|cdp-match|dhcp-option|fqdn|ip|ipv6|lldp-match|mac|model-number|
serial-number|vlan]
upgrade [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|
ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx95xx|vx9000|nx96xx]
precedence <1-10000> any
upgrade [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|
ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx95xx|vx9000|nx96xx]
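precedence <1-10000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|
ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|
lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|
serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]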
Parameters
upgrade [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|
ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx95xx|vx9000|nx96xx]
precedence <1-10000> any
upgrade Adds a device upgrade rule. The rule applies to the device type selected. Specify the
device type and assign a precedence to the rule.
The different device types are:
AP 6522, AP 6562, AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602, AP-7612,
AP 7622, AP7632, AP7662, AP-8163, AP-8432, AP-8533, RFS 4000, NX 5500, NX
75XX, NX 95XX, NX 96XX, and VX.
Note: Use the ‘anyap’ option to auto provision any AP regardless of its model type.
precedence <1-10000> Sets the rule precedence. Rules with lower values get precedence over rules with higher values.
any Indicates any device. Any device, of the selected type, is upgraded.
upgrade [anyap|ap6522|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|
ap7622|ap7632|ap7662|ap81xx|ap8432|ap8533|rfs4000|nx5500|nx75xx|nx95xx|vx9000|nx96xx]
precedence <1-10000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|
ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|
lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|
serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]
upgrade Adds a device upgrade rule. The rule applies to the device type selected. Specify
the device type and assign a precedence to the rule.
The different device types are:
AP 6522, AP 6562, AP 7161, AP 7502, AP-7522, AP 7532, AP 7562, AP 7602,
AP-7612, AP 7622, AP7632, AP7662, AP-8163, AP-8432, AP-8533, RFS 4000, NX
5500, NX 75XX, NX 95XX, NX 96XX, and VX.
Note: Use the ‘anyap’ option to auto provision any AP regardless of its model
type.
precedence <1-10000> Sets the rule precedence. Rules with lower values get precedence over rules with higher values.
cdp-match <LOCATION-SUBSTRING> Configures the device location to match, based on CDP snoop strings
• <LOCATION-SUBSTRING> – Specify the location. Devices matching the specified string are upgraded.
ip [<START-IP> <END-IP>|<IP/MASK>] Upgrades if a device's IPv4 address matches the specified IP address or is within the specified IP address range
• <START-IP> – Specify the first IPv4 address in the range.
◦ <END-IP> – Specify the last IPv4 address in the range.
• <IP/MASK> – Specify the IPv4 subnet and mask to match against the device’s IP address.
ipv6 [<START-IP> <END-IP>|<IP/MASK>] Upgrades if a device's IPv6 address matches the specified IP address or is within the specified IP address range
• <START-IP> – Specify the first IPv6 address in the range.
◦ <END-IP> – Specify the last IPv6 address in the range.
• <IP/MASK> – Specify the IPv6 subnet and mask to match against the device’s IP address.
lldp-match <LLDP-STRING> Configures the device location to match, based on LLDP snoop strings.
LLDP is a vendor neutral link layer protocol used to advertise a network device’s identity, capabilities, and neighbors on a local area network.
• <LLDP-STRING> – Specify the location. Devices matching the specified string are upgraded.
mac <START-MAC> {<END-MAC>} Configures a single or a range of MAC addresses. Devices matching the specified values are upgraded.
• <START-MAC> – Specify the first MAC address in the range. Provide only this MAC address to filter a single device.
◦ <END-MAC> – Optional. Specify the last MAC address in the range.
Examples
rfs4000-229D58(config-auto-provisioning-policy-test1)#upgrade ap8432 precedence 10 any
rfs4000-229D58(config-auto-provisioning-policy-test1)#upgrade ap7522 precedence 11 vlan 1
rfs4000-229D58(config-auto-provisioning-policy-test1)#show context
auto-provisioning-policy test
default-adoption
evaluate-always
deny ap8432 precedence 1 mac 74-67-F7-07-02-35
deny ap8432 precedence 2 ip 192.168.13.24 102.168.13.26
adopt ap8432 precedence 5 profile default-ap8432 rf-domain TechPubs vlan 1
redirect ap81xx precedence 6 controller 192.168.13.10 ip 192.168.13.11 192.168.13.15
Related Commands
no
Removes a deny, permit, or redirect rule from the selected auto provisioning policy
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [adopt|auto-create-rfd-template|default-adoption|deny|evaluate-always|redirect|upgrade]
no adopt precedence <1-10000>
no auto-create-rfd-template
no deny precedence <1-10000>
no evaluate-always
no default-adoption
no redirect precedence <1-10000>
no upgrade precedence <1-10000>
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes a deny, permit, or redirect rule from the specified auto provisioning
policy
Examples
The following example shows the auto-provisioning-policy ‘test’ settings before the ‘no’ commands are
executed:
rfs4000-229D58(config-auto-provisioning-policy-test1)#show context
auto-provisioning-policy test
default-adoption
evaluate-always
deny ap8432 precedence 1 mac 74-67-F7-07-02-35
deny ap8432 precedence 2 ip 192.168.13.24 102.168.13.26
adopt ap8432 precedence 5 profile default-ap8432 rf-domain TechPubs vlan 1
redirect ap81xx precedence 6 controller 192.168.13.10 ip 192.168.13.11 192.168.13.15
redirect ap7532 precedence 7 controller 192.168.13.10 model-number AP-7532-67030-WR
upgrade ap8432 precedence 10 any
The following example shows the auto-provisioning-policy ‘test’ settings after the ‘no’ commands are
executed:
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
deny ap8432 precedence 2 ip 192.168.13.24 102.168.13.26
adopt ap8432 precedence 5 profile default-ap8432 rf-domain TechPubs vlan 1
redirect ap7532 precedence 7 controller 192.168.13.10 model-number AP-7532-67030-WR
upgrade ap8432 precedence 10 any
rfs4000-229D58(config-auto-provisioning-policy-test)#
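The precedence values and match criteria shown in this chapter's show context listings can be checked offline before a policy is committed. The following Python linter is an added example, not part of the Extreme Networks guide or the WiNG software; it reads the listing printed above and reports repeated precedence values, IP or MAC ranges whose end sorts below the start, rules that match any device, and redirect targets outside an approved set. The finding names, the approved-controller set, and the position of the optional upgrade keyword after the match criteria are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# 'show context' listing copied from this chapter (state before the 'no' commands).
SAMPLE_CONTEXT = """\
auto-provisioning-policy test
default-adoption
evaluate-always
deny ap8432 precedence 1 mac 74-67-F7-07-02-35
deny ap8432 precedence 2 ip 192.168.13.24 102.168.13.26
adopt ap8432 precedence 5 profile default-ap8432 rf-domain TechPubs vlan 1
redirect ap81xx precedence 6 controller 192.168.13.10 ip 192.168.13.11 192.168.13.15
redirect ap7532 precedence 7 controller 192.168.13.10 model-number AP-7532-67030-WR
upgrade ap8432 precedence 10 any
"""

RULE_RE = re.compile(r"^(adopt|deny|redirect|upgrade)\s+(\S+)\s+precedence\s+(\d+)\s*(.*)$")


def parse_rules(text):
    """Return (action, device, precedence, args) per rule line; other lines are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            action, device, precedence, rest = m.groups()
            rules.append((action, device, int(precedence), rest.split()))
    return rules


def split_controller(args):
    """Separate 'controller <target>' or 'controller ipv6 <target>' from the match criteria."""
    if args[:1] != ["controller"] or len(args) < 2:
        return None, args
    skip = 3 if args[1] == "ipv6" and len(args) > 2 else 2
    return args[skip - 1], args[skip:]


def values_after(args, keyword):
    """Tokens (at most two) after a match keyword; redirect's 'upgrade' flag is ignored."""
    if keyword not in args:
        return []
    i = args.index(keyword)
    return [v for v in args[i + 1:i + 3] if v != "upgrade"]


def mac_to_int(mac):
    digits = re.sub(r"[-:]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(mac)
    return int(digits, 16)


def check_ip(values):
    """'ip'/'ipv6' criteria: either <IP/MASK> or <START-IP> <END-IP>."""
    try:
        if "/" in values[0]:
            ipaddress.ip_network(values[0], strict=False)
            return []
        start, end = (ipaddress.ip_address(v) for v in values)
        return ["inverted-ip-range"] if end < start else []
    except (ValueError, TypeError):  # bad literal, missing end, or mixed IPv4/IPv6
        return ["unparseable-address"]


def check_mac(values):
    """'mac' criteria: <START-MAC> with an optional <END-MAC>."""
    try:
        start = mac_to_int(values[0])
        end = mac_to_int(values[1]) if len(values) > 1 else start
    except ValueError:
        return ["unparseable-address"]
    return ["inverted-mac-range"] if end < start else []


def lint(text, approved_controllers):
    """Return (precedence, finding) pairs in listing order."""
    rules = parse_rules(text)
    seen = Counter(precedence for _, _, precedence, _ in rules)
    findings = []
    for action, device, precedence, args in rules:
        codes = []
        # 'no <action> precedence <N>' names a rule by precedence alone, so a repeat is ambiguous.
        if seen[precedence] > 1:
            codes.append("duplicate-precedence")
        if action == "redirect":
            controller, args = split_controller(args)
            if controller not in approved_controllers:
                codes.append("unapproved-redirect-target")
        if device == "anyap" or "any" in args:
            codes.append("matches-any-device")
        for keyword, check in (("ip", check_ip), ("ipv6", check_ip), ("mac", check_mac)):
            values = values_after(args, keyword)
            if values:
                codes.extend(check(values))
        findings.extend((precedence, code) for code in codes)
    return findings
```

Calling lint(SAMPLE_CONTEXT, {"192.168.13.10"}) flags the precedence 2 deny rule, whose end address 102.168.13.26 sorts below its start address, and the precedence 10 upgrade rule that matches any AP8432. The linter only reports the inverted range; it makes no claim about how the controller treats it.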
ASSOCIATION-ACL-POLICY
This chapter summarizes the association Access Control List (ACL) policy commands in the CLI
command structure. An association ACL is a policy-based ACL that either prevents or allows wireless
clients from connecting to a controller managed WLAN.
System administrators can use an association ACL to grant or restrict wireless clients access to the
WLAN by specifying client MAC addresses or range of MAC addresses to either include or exclude from
controller connectivity. Association ACLs are applied to WLANs as an additional access control
mechanism.
Use the (config) instance to configure the association ACL policy. To navigate to the
association-acl-policy instance, use the following commands:
<DEVICE>(config)#association-acl-policy <POLICY-NAME>
nx9500-6C8809(config)#association-acl-policy test
nx9500-6C8809(config-assoc-acl-test)#?
Association ACL Mode commands:
deny Specify MAC addresses to be denied
no Negate a command or set its defaults
permit Specify MAC addresses to be permitted
nx9500-6C8809(config-assoc-acl-test)#
Note
If creating a new association ACL policy, provide a name specific to its function. Avoid
naming it after a WLAN it may support. The name cannot exceed 32 characters.
Before defining an association ACL policy and applying it to a WLAN, refer to the following deployment
guidelines to ensure the configuration is optimally effective:
• The name and configuration of an association ACL policy should meet the requirements of the
WLANs it may map to. However, be careful not to name ACLs after specific WLANs, as individual
ACL policies can be used by more than one WLAN.
• You cannot apply more than one MAC based ACL to a layer 2 interface. If a MAC ACL is already
configured on a layer 2 interface, and a new MAC ACL is applied to the interface, the new ACL
replaces the previously configured one.
Association-acl-policy-commands
The following table summarizes the association ACL policy configuration commands:
Note
For information on common commands (clrscr, commit, help, revert, service, show, write, and
exit), see COMMON COMMANDS on page 705.
Note
The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot
include an underscore (_) character. In other words, the name of a device cannot contain an
underscore.
deny
Creates a list of devices denied access to the managed network. Devices are identified by their MAC
address. A single MAC address or a range of MAC addresses can be denied access. This command also
sets the precedence on how deny rules are applied. Up to a thousand (1000) deny rules can be defined
for every association ACL policy. Each rule is assigned a unique sequential precedence value, and rules are
applied to packets on the basis of this precedence value. The lower the precedence of a rule, the higher its
priority. This results in the rule with the lowest precedence being applied first. No two rules can have the
same precedence. The default precedence is 1, so be careful to prioritize ACLs accordingly as they are
added.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
deny <STARTING-MAC> [<ENDING-MAC>|precedence]
deny <STARTING-MAC> precedence <1-1000>
deny <STARTING-MAC> <ENDING-MAC> precedence <1-1000>
Parameters
deny <STARTING-MAC> precedence <1-1000>
deny Adds a single device or a set of devices to the deny list. To add a set of devices,
provide the range of MAC addresses.
<STARTING-MAC> Specify the first MAC address in the range.
<ENDING-MAC> Specify the last MAC address in the range.
precedence <1-1000> Sets a precedence rule. Rules are applied in an increasing order of their
precedence.
• <1-1000> – Specify a value from 1 - 1000.
Usage Guidelines
Every rule has a unique sequential precedence value. You cannot add two rules with the same
precedence. Rules are checked in an increasing order of precedence. That means, the rule with
precedence 1 is checked first, then the rule with precedence 2 and so on.
Examples
nx9500-6C8809(config-assoc-acl-test)#deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
nx9500-6C8809(config-assoc-acl-test)#deny 11-22-33-44-56-01 precedence 160
nx9500-6C8809(config-assoc-acl-test)#show context
association-acl-policy test
deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
deny 11-22-33-44-56-01 precedence 160
nx9500-6C8809(config-assoc-acl-test)#
Related Commands
permit
Creates a list of devices allowed access to the managed network. Devices are permitted access based
on their MAC address. A single MAC address or a range of MAC addresses can be specified. This
command also sets the precedence on how permit list rules are applied. Up to a thousand (1000)
permit rules can be defined for every association ACL policy. Each rule is assigned a unique sequential
precedence value, and rules are applied to packets on the basis of this precedence value. The lower the
precedence of a rule, the higher its priority. This results in the rule with the lowest precedence being
applied first. No two rules can have the same precedence. The default precedence is 1, so be careful to
prioritize ACLs accordingly as they are added.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
permit <STARTING-MAC> [<ENDING-MAC>|precedence]
permit <STARTING-MAC> precedence <1-1000>
permit <STARTING-MAC> <ENDING-MAC> precedence <1-1000>
Parameters
permit <STARTING-MAC> precedence <1-1000>
permit Adds a single device or a set of devices to the permit list. To add a set of
devices, provide the MAC address range.
<STARTING-MAC> Specify the first MAC address of the range.
<ENDING-MAC> Specify the last MAC address of the range.
precedence <1-1000> Specifies a rule precedence. Rules are applied in an increasing order of their
precedence value.
• <1-1000> – Specify a value from 1 - 1000.
Usage Guidelines
Every rule has a unique sequential precedence value. You cannot add two rules with the same
precedence. Rules are checked in an increasing order of precedence. That means, the rule with
precedence 1 is checked first, then the rule with precedence 2 and so on.
Examples
nx9500-6C8809(config-assoc-acl-test)# permit 11-22-33-44-66-01 11-22-33-44-66-FF precedence 170
nx9500-6C8809(config-assoc-acl-test)# permit 11-22-33-44-67-01 precedence 180
nx9500-6C8809(config-assoc-acl-test)#show context
association-acl-policy test
deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
deny 11-22-33-44-56-01 precedence 160
permit 11-22-33-44-66-01 11-22-33-44-66-FF precedence 170
permit 11-22-33-44-67-01 precedence 180
nx9500-6C8809(config-assoc-acl-test)#
Related Commands
no
Removes a deny or permit rule from this Association ACL Policy
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [deny|permit]
no deny <STARTING-MAC> precedence <1-1000>
no deny <STARTING-MAC> <ENDING-MAC> precedence <1-1000>
no permit <STARTING-MAC> precedence <1-1000>
no permit <STARTING-MAC> <ENDING-MAC> precedence <1-1000>
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes a deny or permit rule from this association ACL policy
Examples
The following example shows the association ACL policy ‘test’ settings before the ‘no’ command is
executed:
nx9500-6C8809(config-assoc-acl-test)#show context
association-acl-policy test
deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
deny 11-22-33-44-56-01 precedence 160
permit 11-22-33-44-66-01 11-22-33-44-66-FF precedence 170
permit 11-22-33-44-67-01 precedence 180
nx9500-6C8809(config-assoc-acl-test)#
nx9500-6C8809(config-assoc-acl-test)#no deny 11-22-33-44-56-01 11-22-33-44-56-FF precedence 150
The following example shows the association ACL policy ‘test’ settings after the ‘no’ command is
executed:
nx9500-6C8809(config-assoc-acl-test)#show context
association-acl-policy test
deny 11-22-33-44-56-01 precedence 160
permit 11-22-33-44-66-01 11-22-33-44-66-FF precedence 170
permit 11-22-33-44-67-01 precedence 180
nx9500-6C8809(config-assoc-acl-test)#
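The precedence rules in the Usage Guidelines above can be exercised against the policy ‘test’ before it is mapped to a WLAN. The following Python audit is an added example, not code from the guide or from WiNG; it parses the show context output from the permit example, enforces the stated limits (precedence 1 - 1000, no repeated precedence), evaluates a client MAC in ascending precedence order, and lists rules that an earlier rule fully covers. Stopping at the first matching rule and returning None when nothing matches are assumptions of the example, since this chapter only states the order in which rules are checked.

```python
import re
from collections import namedtuple

# 'show context' output copied from the permit example in this chapter.
SAMPLE_CONTEXT = """\
association-acl-policy test
deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
deny 11-22-33-44-56-01 precedence 160
permit 11-22-33-44-66-01 11-22-33-44-66-FF precedence 170
permit 11-22-33-44-67-01 precedence 180
"""

MAC = r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"
RULE_RE = re.compile(
    r"^(deny|permit)\s+" + MAC + r"(?:\s+" + MAC + r")?\s+precedence\s+(\d+)$")

Rule = namedtuple("Rule", "precedence action low high")


def mac_to_int(mac):
    """Convert AA-BB-CC-DD-EE-FF to an integer so ranges can be compared."""
    if not re.fullmatch(MAC, mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace("-", ""), 16)


def parse_policy(text):
    """Parse deny/permit lines and enforce the constraints stated in the guide."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(("deny ", "permit ")):
            continue  # policy name line, CLI prompts, blank lines
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed rule: {line!r}")
        action, start, end, precedence = m.groups()
        low, high = mac_to_int(start), mac_to_int(end or start)
        precedence = int(precedence)
        if not 1 <= precedence <= 1000:
            raise ValueError(f"precedence outside 1-1000: {line!r}")
        if high < low:
            raise ValueError(f"ending MAC below starting MAC: {line!r}")
        if any(r.precedence == precedence for r in rules):
            raise ValueError(f"precedence {precedence} used twice")
        rules.append(Rule(precedence, action, low, high))
    return sorted(rules)  # ascending precedence is the order in which rules are checked


def decide(rules, client_mac):
    """Action of the first rule, in precedence order, that covers client_mac.

    First-match evaluation is an assumption of this example; None means no rule
    matched (this chapter does not state what happens in that case).
    """
    value = mac_to_int(client_mac)
    for rule in rules:
        if rule.low <= value <= rule.high:
            return rule.action
    return None


def shadowed(rules):
    """Rules that can never decide a client because an earlier rule covers them.

    Returns (precedence, covering_precedence, kind); kind is 'conflict' when the
    two actions differ and 'redundant' when they are the same.
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.low <= rule.low and rule.high <= earlier.high:
                kind = "redundant" if earlier.action == rule.action else "conflict"
                findings.append((rule.precedence, earlier.precedence, kind))
                break
    return findings


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_CONTEXT)
    for mac in ("11-22-33-44-55-80", "11-22-33-44-66-02", "11-22-33-44-67-02"):
        print(mac, decide(policy, mac))
    # Constructed extra rule: a permit placed behind the deny range at precedence 150.
    extra = parse_policy(SAMPLE_CONTEXT + "permit 11-22-33-44-55-10 precedence 200\n")
    print(shadowed(extra))
```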
Related Commands
ACCESS-LIST
This chapter summarizes IP and MAC access list commands in the CLI command structure.
Access lists control access to the managed network using a set of rules also known as ACEs (Access
Control Entries). Each rule specifies an action taken when a packet matches that rule. If the action is
deny, the packet is dropped. If the action is permit, the packet is allowed. A set of deny and/or permit
rules based on IP (IPv4 and IPv6) addresses constitutes an IP ACL (Access Control List). Similarly, a set of
deny and/or permit rules based on MAC addresses constitutes a MAC ACL.
Within a managed network, IP ACLs are used as firewalls to filter packets and also mark packets. IP
based firewall rules are specific to the source and destination IP addresses and have unique precedence
orders assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying an
IP ACL. With either IPv4 or IPv6, create access rules for traffic entering a controller, service platform, or
access point interface. If you are going to deny specific types of packets, it’s recommended you do so
before the controller, service platform, or access point spends time processing them, since access
rules are given priority over other types of firewall rules.
MAC ACLs are firewalls that filter or mark packets based on the MAC address from which they arrive, as
opposed to filtering packets on layer 2 ports. Optionally filter layer 2 traffic on a physical layer 2
interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for
matching operations, where the result is a typical allow, deny or mark designation to controller
managed packet traffic.
Once defined, an IP and/or MAC ACL (consisting of a set of firewall rules) must be applied to an
interface to be a functional filtering tool.
Firewall supported devices (access points, wireless controllers, and service platforms) process firewall
rules (within an IP/MAC ACL) sequentially, in ascending order of their precedence value. When a packet
matches a rule, the firewall applies the action specified in the rule to determine whether the traffic is
allowed or denied. Once a match is made, the firewall does not process subsequent rules in the ACL.
The software enables the configuration of IP SNMP ACLs. These ACLs control access by combining IP
ACLs with SNMP server community strings.
Use IP and MAC commands under the global configuration to create an access list.
• When the access list is applied on an Ethernet port, it becomes a port ACL
• When the access list is applied on a VLAN interface, it becomes a router ACL
Use the (config) instance to configure a new ACL or modify an existing ACL. To navigate to the
(config-access-list) instance, use the following commands:
<DEVICE>(config)#ip access-list <IP-ACCESS-LIST-NAME>
<DEVICE>(config)#mac access-list <MAC-ACCESS-LIST-NAME>
<DEVICE>(config)#ipv6 access-list <IPv6-ACCESS-LIST-NAME>
<DEVICE>(config)#ip snmp-access-list <SNMP-ACCESS-LIST-NAME>
<DEVICE>(config)#ex3500-ext-access-list <EX3500-EXT-ACCESS-LIST-NAME>
<DEVICE>(config)#ex3500-std-access-list <EX3500-STD-ACCESS-LIST-NAME>
Note
If creating a new ACL policy, provide a name that uniquely identifies its purpose. The name
cannot exceed 32 characters.
nx9500-6C8809(config-ip-acl-IPv4ACL)#
nx9500-6C8809(config-ipv6-acl-IPv6ACL)#
nx9500-6C8809(config-mac-acl-MACAcl)#
nx9500-6C8809(config-ip-snmp-acl-SNMPAcl)#
The NOC controller is also capable of adopting and managing EX3500 series switches. These
switches are Gigabit Ethernet layer 2 switches with either 24 or 48 10/100/1000-BASE-T ports, and four
SFP (Small Form Factor Pluggable) transceiver slots for fiber connectivity. Once adopted to the NOC,
various ACLs specifically defined for an EX3500 switch can be used to either prevent or allow specific
clients from using it.
Note
The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot
include an underscore (_) character. In other words, the name of a device cannot contain an
underscore.
ip-access-list
The following table summarizes IP Access List configuration commands.
Note
For more information on common commands (clrscr, commit, help, revert, service, show,
write, and exit), see COMMON COMMANDS on page 705.
deny (ipv4-acl)
Creates a deny rule that rejects packets received from a specified source IP and/or addressed to a
specified destination IP. You can also use this command to modify an existing deny rule.
Note
Use a decimal value representation to implement a permit/deny designation for a packet. The
command set for IP ACLs provides the hexadecimal values for each listed EtherType. Use the
decimal equivalent of the EtherType listed for any other EtherType.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
deny [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]
deny <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|
from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|
<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>)
{(rule-description <LINE>)}
deny dns-name [contains|exact|suffix]
deny dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>)
{(rule-description <LINE>)}
deny icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>]
(<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>]
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp]
[<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>]
[<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>]
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|
host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|
ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>]
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
Parameters
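deny <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|
from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|
<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>)
{(rule-description <LINE>)}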
<NETWORK-SERVICE-ALIAS-NAME> Applies this deny rule to packets based on service protocols and ports specified in the network-service alias
• <NETWORK-SERVICE-ALIAS-NAME> – Specify the network-service alias name (should be existing and configured).
A network-service alias defines service protocols and ports to match. When used with an ACL, the network-service alias defines the service-specific components of the ACL deny rule.
<SOURCE-IP/MASK> Specifies the source IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified network are dropped.
<NETWORK-GROUP-ALIAS-NAME> Applies a network-group alias to identify the source IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, received from the addresses identified by the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
A network-group alias defines a single or a range of addresses of devices, hosts, and networks. When used with an ACL, the network-group alias defines the network-specific component of the ACL rule (permit/deny).
any Specifies the source as any source IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from any source are dropped.
from-vlan <VLAN-ID> Specifies a single VLAN or a range of VLANs as the match criteria. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified VLAN(s) are dropped.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
host <SOURCE-HOST-IP> Identifies a specific host (as the source to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
<DEST-IP/MASK> Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified network are dropped.
any Specifies the destination as any destination IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to any destination are dropped.
host <DEST-HOST-IP> Identifies a specific host (as the destination to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified host are dropped.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
log Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. if any specified type of packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
mark [8021p <0-7>|dscp <0-63>] Specifies packets to mark
• 8021p <0-7> – Marks packets by modifying 802.1p VLAN user priority
• dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
◦ <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
◦ rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
dns-name Applies this deny rule to packets based on dns-names specified in the network-service
contains Matches any hostname which has this DNS label (for example, *.test.*)
exact Matches an exact hostname as specified in the network-service
suffix Matches any hostname as suffix (for example, *.test)
<WORD> Identifies a specific host (as the source to match) by its domain name. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are dropped.
log Logs all deny events matching this dns entry. If a dns-name is matched, an event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
◦ <1-5000> – Specify a value from 1 - 5000.
icmp Applies this deny rule to ICMP (Internet Control Message Protocol) packets only
<SOURCE-IP/MASK> Specifies the source IP address and mask (A.B.C.D/M) to match. ICMP packets received from the specified sources are dropped.
<NETWORK-GROUP-ALIAS-NAME> Applies a network-group alias to identify the source IP addresses. ICMP packets received from the addresses identified by the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
any Specifies the source as any IP address. ICMP packets received from any source are dropped.
from-vlan <VLAN-ID> Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets received from the VLANs identified here are dropped.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
host <SOURCE-HOST-IP> Identifies a specific host (as the source to match) by its IP address. ICMP packets received from the specified host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
<DEST-IP/MASK> Specifies the destination IP address and mask (A.B.C.D/M) to match. ICMP packets addressed to specified destinations are dropped.
<NETWORK-GROUP-ALIAS-NAME> Applies a network-group alias to identify the destination IP addresses. ICMP packets destined for addresses identified by the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
any Specifies the destination as any IP address. ICMP packets addressed to any destination are dropped.
host <DEST-HOST-IP> Identifies a specific host (as the destination to match) by its IP address. ICMP packets addressed to the specified host are dropped.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
Note: After specifying the source and destination IP address(es), the ICMP message type, and the ICMP code, specify the action taken in case of a match.
log Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an ICMP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
◦ <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
◦ rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
any Specifies the source as any IP address. IP packets received from any source are dropped.
from-vlan <VLAN-ID> Specifies a single VLAN or a range of VLANs as the match criteria. IP packets received from the specified VLANs are dropped.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLAN IDs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
host <SOURCE-HOST-IP> Identifies a specific host (as the source to match) by its IP address. IP packets received from the specified host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
<DEST-IP/MASK> Specifies the destination IP address and mask (A.B.C.D/M) to match. IP packets addressed to the specified networks are dropped.
any Specifies the destination as any IP address. IP packets addressed to any destination are dropped.
host <DEST-HOST-IP> Identifies a specific host (as the destination to match) by its IP address. IP packets addressed to the specified host are dropped.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
log Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an IP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above parameters:
• <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
• rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
eigrp Identifies the EIGRP (Enhanced Internet Gateway Routing Protocol) protocol
(number 88)
EIGRP enables routers to maintain copies of neighbors’ routing tables.
Routers use this information to determine the fastest route to a destination.
When a router fails to find a route in its stored route tables, it sends a query
to neighbors who in turn query their neighbors till a route is found. EIGRP
also enables routers to inform neighbors of changes in their routing tables.
gre Identifies the GRE (General Routing Encapsulation) protocol (number 47)
GRE is a tunneling protocol that enables transportation of protocols (IP, IPX,
DEC net, etc.) over an IP network. GRE encapsulates the packet at the
source and removes the encapsulation at the destination.
igmp Identifies the IGMP (Internet Group Management Protocol) protocol
(number 2)
IGMP establishes and maintains multicast group memberships to interested
members. Multicasting allows a networked computer to send content to
multiple computers who have registered to receive the content. IGMP
snooping is for listening to IGMP traffic between an IGMP host and routers in
the network to maintain a map of the links that require multicast streams.
Multicast traffic is filtered out for those links which do not require them.
igp Identifies any private internal gateway (primarily used by CISCO for their
IGRP) (number 9)
IGP enables exchange of information between hosts and routers within a
managed network. The most commonly used IGP (interior gateway
protocol) protocols are: RIP (Routing Information Protocol) and OSPF (Open
Shortest Path First).
ospf Identifies the OSPF protocol (number 89)
OSPF is a link-state IGP. OSPF routes IP packets within a single routing
domain (autonomous system), like an enterprise LAN. OSPF gathers link
state information from neighbor routers and constructs a network topology.
The topology determines the routing table presented to the Internet Layer
which makes routing decisions based solely on the destination IP address
found in IP packets.
vrrp Identifies the VRRP (Virtual Router Redundancy Protocol) protocol (number
112)
VRRP allows a pool of routers to be advertized as a single virtual router. This
virtual router is configured by hosts as their default gateway. VRRP elects a
master router, from this pool, and assigns it a virtual IP address. The master
router routes and forwards packets to hosts on the same subnet. When the
master router fails, one of the backup routers is elected as the master and its
IP address is mapped to the virtual IP address.
<SOURCE-IP/MASK> Specifies the source IP address and mask (A.B.C.D/M) to match. Packets
(EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified sources
are dropped.
<NETWORK-GROUP-ALIAS-NAME> Applies a network-group alias to identify the source IP addresses. Packets
(EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the sources defined
in the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias
name (should be existing and configured).
any Specifies the source as any IP address. Packets (EIGRP, GRE, IGMP, IGP,
OSPF, or VRRP) received from any source are dropped.
from-vlan <VLAN-ID> Specifies a single VLAN or a range of VLANs as the match criteria. Packets
(EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the VLANs identified
here are dropped.
• <VLAN-ID> – Specify the VLAN ID. A range of VLANs is represented by
the start and end VLAN IDs separated by a hyphen (for example, 12-20).
host <SOURCE-HOST-IP> Identifies a specific host (as the source to match) by its IP address. Packets
(EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are
dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the
A.B.C.D format.
Note: After specifying the source and destination IP address(es), specify the
action taken in case of a match.
log Logs all deny events matching this entry. If a source and/or destination IP
address is matched (i.e. a packet (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) is
received from a specified IP address and/or is destined for a specified IP
address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above
parameters:
• rule-precedence – Assigns a precedence for this deny rule
◦ <1-5000> – Specify a value from 1 - 5000.
<END-PORT>]
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
host <SOURCE-HOST-IP> Identifies a specific host (as the source to match) by its IP address.
TCP/UDP packets received from the specified host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in
the A.B.C.D format.
host <DEST-HOST-IP> Identifies a specific host (as the destination to match) by its IP address.
TCP/UDP packets addressed to the specified host are dropped.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in
the A.B.C.D format.
log Logs all deny events matching this entry. If a source and/or destination
IP address or port is matched (i.e. a TCP/UDP packet is received from a
specified IP address and/or is destined for a specified IP address), an
event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above:
• rule-precedence – Assigns a precedence for this deny rule
◦ <1-5000> – Specify a value from 1 - 5000.
Usage Guidelines
Use this command to deny traffic between networks/hosts based on the protocol type selected in the
access list configuration. The following protocols are supported:
• IP
• ICMP
• TCP
• UDP
• PROTO (any Internet protocol other than TCP, UDP, and ICMP)
The last ACE (access control entry) in the access list is an implicit deny statement.
Whenever the interface receives the packet, its content is checked against the ACEs in the ACL. It is
allowed or denied based on the ACL configuration.
• Filtering TCP/UDP allows you to specify port numbers as filtering criteria.
• Select ICMP as the protocol to allow or deny ICMP packets. Selecting ICMP filters ICMP packets
based on ICMP type and code.
Note
The log option is functional only for router ACLs. The log option displays an informational
logging message about the packet that matches the entry sent to the console.
Examples
nx9500-6C8809(config-ip-acl-test)#deny proto vrrp any any log rule-precedence 600
nx9500-6C8809(config-ip-acl-test)#deny proto ospf any any log rule-precedence 650
nx9500-6C8809(config-ip-acl-test)#show context
ip access-list test
deny proto vrrp any any log rule-precedence 600
deny proto ospf any any log rule-precedence 650
nx9500-6C8809(config-ip-acl-test)#
Example 1.
rfs4000-229D58(config-ip-acl-bar)#permit ip $foo any rule-precedence 10
Example 2.
rfs4000-229D58(config-ip-acl-bar)#permit tcp 192.168.100.0/24 $foobar eq ftp rule-precedence 20
Example 3.
rfs4000-229D58(config-ip-acl-bar)#deny ip $guest $lab rule-precedence 30
Example 4.
rfs4000-229D58(config-ip-acl-bar)# permit $kerberos 10.60.20.0/24 $kerberos-servers log rule-precedence 40
Example 5.
rfs4000-229D58(config-ip-acl-bar)#permit $Tandem 10.60.20.0/24 $Tandem-servers log rule-precedence 50
In examples 4 and 5:
• The network-service aliases ($kerberos and $Tandem) define the destination protocol-port
combinations.
• The source network is 10.60.20.0/24.
• The destination network-address combinations are defined by the network-group aliases
($kerberos-servers and $Tandem-servers).
Related Commands
disable (ipv4-acl)
Disables an existing deny or permit rule without removing it from the ACL. A disabled rule is inactive
and is not used to filter packets.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
disable [deny|insert|permit]
disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|
icmp|ip|proto|tcp|udp]
disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|
dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp]
[<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>]
[<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>]
(log,mark [8021p <0-7>|dscp <0-63>],rule-precedence)
Parameters
disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|
dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp]
[<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>]
[<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>]
(log,mark [8021p <0-7>|dscp <0-63>],rule-precedence)
disable [deny|insert [deny|permit]|permit] Disables a deny or permit access rule without removing it from the ACL.
This command also enables the insertion of a disable deny or permit rule
without overwriting an existing rule in the IP ACL.
Note: To disable an existing deny/permit rule, provide the exact values used
to configure the deny or permit rule.
Note: After specifying the packet type, specify the source and destination
devices and network address(es) to match.
<SOURCE-IP/MASK> Specify the source IP address and mask in the A.B.C.D/M format.
<NETWORK-GROUP-ALIAS-NAME> Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME>
keyword, associated with this deny/permit rule
any Select ‘any’ if the rule is applicable to any source IP address.
from-vlan <VLAN-ID> Specify the VLAN IDs.
rule-precedence <1-5000> Specify the rule precedence. The deny or permit rule with the specified
precedence is disabled.
Note: To enable a disabled rule, enter the rule again without the ‘disable’
keyword.
Note: The no > disable command removes a disabled rule from the ACL.
Examples
The following example shows the ‘auto-tunnel-acl’ settings before the disable command is executed:
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
deny ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
permit ip host 200.200.200.99 any rule-precedence 3
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#disable permit ip host 200.200.200.99 any rule-precedence 3
The following example shows the ‘auto-tunnel-acl’ settings after the disable command is executed:
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
deny ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
disable permit ip host 200.200.200.99 any rule-precedence 3
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#
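The effect of the disable command on the ‘auto-tunnel-acl’ above, modelled in Python as an added example (it is not part of the original guide or of the WiNG software). It assumes rules are checked in ascending precedence order with the first enabled match deciding, and applies the implicit deny described in the deny usage guidelines; parse_rule and evaluate are hypothetical helper names, and only the ‘ip’ rule forms used in this example are parsed.

```python
import ipaddress

# Rule lines copied from the two 'show context' outputs in this section.
ACL_BEFORE = [
    "deny ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2",
    "permit ip host 200.200.200.99 any rule-precedence 3",
]
ACL_AFTER = [
    "deny ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2",
    "disable permit ip host 200.200.200.99 any rule-precedence 3",
]


def parse_rule(line):
    """Parse one rule line (hypothetical helper; 'ip' rules only)."""
    tokens = line.split()
    disabled = tokens[0] == "disable"
    if disabled:
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported rule: " + line)
    rest = tokens[2:]

    def take_address():
        word = rest.pop(0)
        if word == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if word == "host":
            return ipaddress.ip_network(rest.pop(0) + "/32")
        # strict=False because the example writes 30.30.30.1/24 (host bits set)
        return ipaddress.ip_network(word, strict=False)

    source = take_address()
    destination = take_address()
    # 'log' may sit between the addresses and rule-precedence, so search for it
    precedence = int(rest[rest.index("rule-precedence") + 1])
    return {"disabled": disabled, "action": action, "src": source,
            "dst": destination, "precedence": precedence}


def evaluate(acl_lines, src_ip, dst_ip):
    """Return (action, precedence) for a packet; precedence is None when
    no enabled rule matched and the implicit deny applied.

    Assumption: lowest precedence is checked first and the first enabled
    match decides. Disabled rules are skipped, as the guide states.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    rules = sorted((parse_rule(l) for l in acl_lines),
                   key=lambda r: r["precedence"])
    for rule in rules:
        if rule["disabled"]:
            continue
        if src in rule["src"] and dst in rule["dst"]:
            return rule["action"], rule["precedence"]
    return "deny", None  # implicit deny at the end of the ACL


if __name__ == "__main__":
    # 10.1.1.1 is a constructed destination outside 30.30.30.0/24
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(name, evaluate(acl, "200.200.200.99", "10.1.1.1"))
```

With the permit rule disabled, traffic from 200.200.200.99 to destinations outside 30.30.30.0/24 no longer matches any enabled rule and is dropped by the implicit deny.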
rfs4000-229D58(config-ip-acl-test)#deny icmp any any log rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
deny icmp any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#
rfs4000-229D58(config-ip-acl-test)#disable deny icmp any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
disable deny icmp any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#
In the following example a disable deny rule has been inserted in the IP ACL “test”:
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
deny tcp from-vlan 1 any any rule-precedence 1
Related Commands
insert (ipv4-acl)
Enables the insertion of a rule in an IP ACL without overwriting or replacing an existing rule having the
same precedence.
The insert option allows a new rule to be inserted within an IP access list. Consider an IP ACL consisting
of rules having precedences 1, 2, 3, 4, 5, and 6. You want to insert a new rule with precedence 4, without
overwriting the existing precedence 4 rule. Using the insert option inserts the new rule prior to the
existing one. The existing precedence 4 rule’s precedence changes to 5, and the change cascades down
the list of rules within the ACL. That means rule 5 becomes rule 6, and rule 6 becomes rule 7.
Note
NOT using insert when creating a new rule having the same precedence as an existing rule
overwrites the existing rule.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
insert [deny|permit] <PARAMETERS> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>)
{(rule-description <LINE>)}
Parameters
insert [deny|permit] <PARAMETERS> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>)
{(rule-description <LINE>)}
Note
The log option is functional only for router ACLs. The log option displays an informational
logging message about the packet that matches the entry sent to the console.
Examples
rfs4000-229D58(config-ip-acl-test)#deny tcp from-vlan 1 any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#permit icmp any host 192.168.13.7 1 1 rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
deny tcp from-vlan 1 any any rule-precedence 1
permit icmp any host 192.168.13.7 1 1 rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#
In the following example a new rule is inserted between the rules having precedences 1 and 2. The
precedence of the existing precedence ‘2’ rule changes to precedence 3.
rfs4000-229D58(config-ip-acl-test)#insert deny ip any any rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
deny tcp from-vlan 1 any any rule-precedence 1
deny ip any any rule-precedence 2
permit icmp any host 192.168.13.7 1 1 rule-precedence 3
rfs4000-229D58(config-ip-acl-test)#
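A pre-change check for the insert and overwrite behaviour described above, written in Python as an added example (it is not part of the original guide or of the WiNG software). It applies a planned command to a copy of the ACL and reports any rule that would be silently replaced; apply_command, show_context and the other helper names are hypothetical, and the cascade is assumed to renumber only the contiguous run of rules that starts at the inserted precedence, since the guide does not say what happens across gaps.

```python
import re

MAX_PRECEDENCE = 5000  # upper bound of the <1-5000> range given in the guide

# ACL 'test' as shown in the first 'show context' output of this example.
PAGE_ACL = {
    1: "deny tcp from-vlan 1 any any rule-precedence 1",
    2: "permit icmp any host 192.168.13.7 1 1 rule-precedence 2",
}


def precedence_of(rule):
    """Return the rule-precedence value carried by a rule line."""
    match = re.search(r"\brule-precedence (\d+)\b", rule)
    if match is None:
        raise ValueError("no rule-precedence in: " + rule)
    value = int(match.group(1))
    if not 1 <= value <= MAX_PRECEDENCE:
        raise ValueError("precedence out of range: %d" % value)
    return value


def renumber(rule, precedence):
    """Rewrite the precedence inside a rule line after it has been shifted."""
    return re.sub(r"\brule-precedence \d+\b",
                  "rule-precedence %d" % precedence, rule)


def apply_command(acl, command):
    """Apply one planned deny/permit/insert command to a copy of acl.

    acl maps precedence -> rule text. Returns (new_acl, overwritten), where
    overwritten is the text of a different rule that the command replaced,
    or None when nothing was lost.
    """
    inserting = command.startswith("insert ")
    rule = command[len("insert "):] if inserting else command
    precedence = precedence_of(rule)
    new_acl = dict(acl)
    existing = new_acl.get(precedence)
    if existing is None:
        new_acl[precedence] = rule
        return new_acl, None
    if not inserting:
        # Without 'insert' the rule at this precedence is overwritten.
        new_acl[precedence] = rule
        return new_acl, (existing if existing != rule else None)
    # With 'insert': shift the contiguous run down by one (assumption).
    first_free = precedence
    while first_free in new_acl:
        first_free += 1
    if first_free > MAX_PRECEDENCE:
        raise ValueError("cascade would push a rule past precedence 5000")
    for p in range(first_free, precedence, -1):
        new_acl[p] = renumber(new_acl[p - 1], p)
    new_acl[precedence] = rule
    return new_acl, None


def show_context(acl):
    """Rule lines in precedence order, as 'show context' lists them."""
    return [acl[p] for p in sorted(acl)]


if __name__ == "__main__":
    for planned in ("insert deny ip any any rule-precedence 2",
                    "deny ip any any rule-precedence 2"):
        result, lost = apply_command(PAGE_ACL, planned)
        print(planned)
        for line in show_context(result):
            print("   ", line)
        if lost:
            print("    WARNING: overwrote:", lost)
```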
Related Commands
permit (ipv4-acl)
Creates a permit rule that marks packets (from a specified source IP and/or to a specified destination
IP) for forwarding. You can also use this command to modify an existing permit rule.
Note
Use a decimal value representation to implement a permit/deny designation for a packet. The
command set for IP ACLs provides the hexadecimal values for each listed EtherType. Use the
decimal equivalent of the EtherType listed for any other EtherType.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
permit [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]
permit <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|
any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|
<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>)
{(rule-description <LINE>)}
permit dns-name [contains|exact|suffix]
permit dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>)
{(rule-description <LINE>)}
permit dns-name exact <WORD> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>)
{(rule-description <LINE>)}
permit icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>]
(<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>]
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp]
[<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>]
[<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>)
{(rule-description <LINE>)}
permit [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|
host <DEST-HOST-IP>|range <START-PORT> <END-PORT>]
[eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|
sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>)
{(rule-description <LINE>)}
Parameters
permit <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|
any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|
<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>)
{(rule-description <LINE>)}
<NETWORK-SERVICE-ALIAS-NAME> Applies this permit rule to packets based on service protocols and ports specified
in the network-service alias
• <NETWORK-SERVICE-ALIAS-NAME> – Specify the network-service alias name
(should be existing and configured).
A network-service alias defines service protocols and ports to match. When used
with an ACL, the network-service alias defines the service-specific components of
the ACL permit rule.
<SOURCE-IP/MASK> Specifies the source IP address and mask (A.B.C.D/M) to match. Packets, matching
the service protocols and ports specified in the network-service alias, received from
the specified network are permitted.
<NETWORK-GROUP-ALIAS-NAME> Applies a network-group alias to identify the source IP addresses. Packets,
matching the service protocols and ports specified in the network-service alias,
received from the addresses identified by the network-group alias are permitted.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name
(should be existing and configured).
A network-group alias defines a single or a range of addresses of devices, hosts,
and networks. When used with an ACL, the network-group alias defines the
network-specific component of the ACL rule (permit/deny).
any Specifies the source as any source IP address. Packets, matching the service
protocols and ports specified in the network-service alias, received from any source
are permitted.
from-vlan <VLAN-ID> Specifies a single VLAN or a range of VLANs as the match criteria. Packets,
matching the service protocols and ports specified in the network-service alias,
received from the specified VLAN(s) are permitted.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the
start and end VLAN IDs separated by a hyphen (for example, 12-20).
host <SOURCE-HOST-IP> Identifies a specific host (as the source to match) by its IP address. Packets,
matching the service protocols and ports specified in the network-service alias,
received from the specified host are permitted.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D
format.
<DEST-IP/MASK> Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets,
matching the service protocols and ports specified in the network-service alias,
addressed to the specified network are permitted.
any Specifies the destination as any destination IP address. Packets, matching the
service protocols and ports specified in the network-service alias, addressed to any
destination are permitted.
host <DEST-HOST-IP> Identifies a specific host (as the destination to match) by its IP address. Packets,
matching the service protocols and ports specified in the network-service alias,
addressed to the specified host are permitted.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D
format.
log Logs all permit events matching this entry. If a source and/or destination IP address
is matched (i.e. if any specified type of packet is received from a specified IP
address and/or is destined for a specified IP address), an event is logged.
mark [8021p <0-7>|dscp <0-63>] Specifies packets to mark
• 8021p <0-7> – Marks packets by modifying 802.1p VLAN user priority
• dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this permit rule
◦ <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3
gets priority over a rule with precedence 10.
◦ rule-description – Optional. Configures a description for this permit rule.
Provide a description that uniquely identifies the purpose of this rule (should
not exceed 128 characters in length).
dns-name Applies this permit rule to packets based on dns-names specified in the
network-service
contains Matches any hostname which has this DNS label. (for example, *.test.*)
exact Matches an exact hostname as specified in the network-service
suffix Matches any hostname as suffix (for example, *.test)
<WORD> Identifies a specific host (as the source to match) by its domain name.
Packets, matching the service protocols and ports specified in the network-
service alias, received from the specified host are forwarded.
log Logs all permit events matching this dns entry. If a dns-name is matched an
event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above
parameters:
• rule-precedence – Assigns a precedence for this permit rule
◦ <1-5000> – Specify a value from 1 - 5000.
any Specifies the source as any IP address. ICMP packets received from any source are
permitted.
from-vlan <VLAN-ID> Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets
received from the VLANs identified here are permitted.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the
start and end VLAN IDs separated by a hyphen (for example, 12-20).
host <SOURCE-HOST-IP> Identifies a specific host (as the source to match) by its IP address. ICMP packets
received from the specified host are permitted.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D
format.
<DEST-IP/MASK> Specifies the destination IP address and mask (A.B.C.D/M) to match. ICMP
packets addressed to specified destinations are permitted.
<NETWORK-GROUP-ALIAS-NAME> Applies a network-group alias to identify the destination IP addresses. ICMP
packets destined for addresses identified by the network-group alias are
permitted.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name
(should be existing and configured).
any Specifies the destination as any IP address. ICMP packets addressed to any
destination are permitted.
host <DEST-HOST-IP> Identifies a specific host (as the destination to match) by its IP address. ICMP
packets addressed to the specified host are permitted.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the
A.B.C.D format.
Note: After specifying the source and destination IP address(es), the ICMP
message type, and the ICMP code, specify the action taken in case of a match.
log Logs all permit events matching this entry. If a source and/or destination IP
address is matched (i.e. an ICMP packet is received from a specified IP address
and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this permit rule
◦ <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3
gets priority over a rule with precedence 10.
◦ rule-description – Optional. Configures a description for this permit rule.
Provide a description that uniquely identifies the purpose of this rule
(should not exceed 128 characters in length).
any Specifies the source as any source IP address. IP packets received from any
source are permitted.
from-vlan <VLAN-ID> Specifies a single VLAN or a range of VLANs as the match criteria. IP packets
received from the specified VLANs are permitted.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLAN IDs, enter
the start and end VLAN IDs separated by a hyphen (for example, 12-20).
host <SOURCE-HOST-IP> Identifies a specific host (as the source to match) by its IP address. IP packets
received from the specified host are permitted.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the
A.B.C.D format.
<DEST-IP/MASK> Specifies the destination IP address and mask (A.B.C.D/M) to match. IP packets
addressed to the specified networks are permitted.
any Specifies the destination as any destination IP address. IP packets addressed to
any destination are permitted.
host <DEST-HOST-IP> Identifies a specific host (as the destination to match) by its IP address. IP packets
addressed to the specified host are permitted.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the
A.B.C.D format.
log Logs all permit events matching this entry. If a source and/or destination IP
address is matched (i.e. an IP packet is received from a specified IP address and/or
is destined for a specified IP address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this permit rule
◦ <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3
gets priority over a rule with precedence 10.
◦ rule-description – Optional. Configures a description for this permit rule.
Provide a description that uniquely identifies the purpose of this rule
(should not exceed 128 characters in length).
any Specifies the source as any IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or
VRRP) received from any source are permitted.
from-vlan <VLAN-ID> Specifies a single VLAN or a range of VLANs as the match criteria. Packets (EIGRP,
GRE, IGMP, IGP, OSPF, or VRRP) received from the VLANs identified here are
permitted.
• <VLAN-ID> – Specify the VLAN ID. A range of VLANs is represented by the start
and end VLAN IDs separated by a hyphen (for example, 12-20).
host <SOURCE-HOST-IP> Identifies a specific host (as the source to match) by its IP address. Packets (EIGRP,
GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are permitted.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D
format.
<DEST-IP/MASK> Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets
(EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified destinations are
permitted.
any Specifies the destination as any destination IP address. Packets (EIGRP, GRE, IGMP,
IGP, OSPF, or VRRP) addressed to any destination are permitted.
host <DEST-HOST-IP> Identifies a specific host (as the destination to match) by its IP address. Packets
(EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are
permitted.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the
A.B.C.D format.
host <SOURCE-HOST-IP> Identifies a specific host (as the source to match) by its IP address. TCP/UDP
packets received from the specified host are permitted.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the
A.B.C.D format.
host <DEST-HOST-IP> Identifies a specific host (as the destination to match) by its IP address. TCP/UDP
packets addressed to the specified host are permitted.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the
A.B.C.D format.
log Logs all permit events matching this entry. If a source and/or destination IP
address or port is matched (i.e. a TCP/UDP packet is received from a specified IP
address and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above:
• rule-precedence – Assigns a precedence for this permit rule
◦ <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence
3 gets priority over a rule with precedence 10.
◦ rule-description – Optional. Configures a description for this permit rule.
Provide a description that uniquely identifies the purpose of this rule
(should not exceed 128 characters in length).
Usage Guidelines
Use this command to permit traffic between networks/hosts based on the protocol type selected in the
access list. The following protocols are supported:
• IP
• ICMP
• TCP
• UDP
• PROTO (any Internet protocol other than TCP, UDP, and ICMP)
Whenever the interface receives the packet, its content is checked against all the ACEs in the ACL. The
packet is allowed or denied based on the ACL configuration.
• Filtering on TCP or UDP allows you to specify port numbers as filtering criteria.
• Select ICMP to allow/deny packets. Selecting ICMP filters ICMP packets based on ICMP type and
code.
Note
The log option is functional only for router ACLs. The log option displays an informational
logging message about the packet matching the entry sent to the console.
Examples
nx9500-6C8809(config-ip-acl-test)#permit ip 172.16.10.0/24 any log rule-precedence 750
nx9500-6C8809(config-ip-acl-test)#permit tcp 172.16.10.0/24 any log rule-precedence 800
nx9500-6C8809(config-ip-acl-test)#show context
ip access-list test
permit ip 172.16.10.0/24 any log rule-precedence 750
permit tcp 172.16.10.0/24 any log rule-precedence 800
nx9500-6C8809(config-ip-acl-test)#
Related Commands
no (ipv4-acl)
Removes a deny, permit, or disable rule
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [deny|disable|permit]
no [deny|permit] [<NETWORK-SERVICE-ALIAS-NAME>|icmp|ip|proto|tcp|udp]
<RULE-PARAMETERS>
no disable [deny|permit] [<NETWORK-SERVICE-ALIAS-NAME>|icmp|ip|proto|tcp|udp]
<RULE-PARAMETERS>
Parameters
no [deny|permit] [<NETWORK-SERVICE-ALIAS-NAME>|icmp|ip|proto|tcp|udp] <RULE-PARAMETERS>
no [deny|permit] Removes a deny or permit rule from the selected IP access list
<NETWORK-SERVICE-ALIAS-NAME> Removes a deny or permit rule applicable to the specified network-service
alias
• <NETWORK-SERVICE-ALIAS-NAME> – Specify the network-service
alias name (should be associated with the deny/permit rule).
no disable [deny|permit] Removes a disabled deny or permit rule from the selected IP access list
<NETWORK-SERVICE-ALIAS-NAME> Removes a disabled deny or permit rule applicable to the specified
network-service alias
• <NETWORK-SERVICE-ALIAS-NAME> – Specify the network-service
alias name (should be associated with the deny/permit rule).
icmp Removes a disabled deny or permit rule applicable to ICMP packets only
ip Removes a disabled deny or permit rule applicable to IP packets only
proto Removes a disabled deny or permit rule applicable to protocols (other than
IP, ICMP, TCP, and UDP)
[tcp|udp] Removes a disabled deny or permit rule applicable to TCP/UDP packets
<RULE-PARAMETERS> Enter the exact parameters used when configuring the rule.
rule-precedence <1-5000> rule-description <LINE> Specify the precedence assigned to this disabled deny/permit rule.
• rule-description – Optional. Specify the rule description.
Note: The system removes the disabled rule from the selected ACL.
Usage Guidelines
Examples
The following example shows the ACL ‘test’ settings before the ‘no’ commands are executed:
<exsw1>(config-ip-acl-test)#show context
ip access-list test
Related Commands
mac-access-list
The following table summarizes MAC Access list configuration commands:
deny (mac-acl)
Creates a deny rule that marks packets (from a specified source MAC and/or to a specified destination
MAC) for rejection. You can also use this command to modify an existing deny rule.
Note
Use a decimal value representation to implement a permit/deny designation for a packet. The
command set for MAC ACLs provides the hexadecimal values for each listed EtherType. Use
the decimal equivalent of the EtherType listed for any other EtherType.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
Syntax
deny [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>]
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,type [8021q|<1-65535>|
aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence
<1-5000>)
{(rule-description <LINE>)}
Parameters
deny [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>]
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,type [8021q|<1-65535>|
aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence
<1-5000>)
{(rule-description <LINE>)}
dot1p <0-7> Configures the 802.1p priority value. Sets the service classes for traffic handling
• <0-7> – Specify 802.1p priority from 0 - 7.
log Logs all deny events matching this entry. If a source and/or destination MAC
address is matched (i.e., a packet is received from a specified MAC address or is
destined for a specified MAC address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
◦ <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
◦ rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
Usage Guidelines
The deny command disallows traffic based on layer 2 (data-link layer) data. The MAC access list denies
traffic from a particular source MAC address or any MAC address. It can also disallow traffic from a list of
MAC addresses based on the source mask.
The MAC access list can disallow traffic based on the VLAN and EtherType. Common types include:
• ARP
• WISP
• IP
• 802.1q
Note
MAC ACLs always take precedence over IP based ACLs.
The last ACE in the access list is an implicit deny statement. Whenever the interface receives the packet,
its content is checked against all the ACEs in the ACL. It is allowed or denied based on the ACL’s
configuration.
Examples
rfs4000-229D58(config-mac-acl-test)#deny 41-85-45-89-66-77 ff-ff-ff-00-00-00 any vlan 1 rule-precedence 1
rfs4000-229D58(config-mac-acl-test)#deny host 00-01-ae-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#show context
mac access-list test
deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
deny host 00-01-AE-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#
The MAC ACL (in the example below) denies traffic from any source MAC address to a particular host
MAC address:
nx9500-6C8809(config-mac-acl-test)#deny any host 00:01:ae:00:22:11 vlan 1 log rule-precedence 1
The following example denies traffic between two hosts based on MAC addresses:
nx9500-6C8809(config-mac-acl-test)#deny host 01:02:fe:45:76:89 host 01:02:89:78:78:45 vlan 1 log rule-precedence 1
Related Commands
disable (mac-acl)
Disables a MAC deny or permit rule without removing it from the ACL. A disabled rule is inactive and is
not used to filter packets.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
disable [deny|insert|permit]
disable [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>]
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>|dscp
<0-63>],
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log
(rule-precedence <1-5000>) {(rule-description <LINE>)}
disable insert [deny|permit]
Parameters
disable [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>]
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>|dscp
<0-63>],
disable [deny|insert|permit] Disables a deny, insert or permit access rule without removing it from the
MAC ACL
Provide the exact values used to configure the deny or permit rule that is
to be disabled.
<SOURCE-MAC> <SOURCE-MAC-MASK> Specifies the source MAC address and mask to match
• <SOURCE-MAC> – Specify the source MAC address to match.
◦ <SOURCE-MAC-MASK> – Specify the source MAC address mask.
any Select ‘any’ if the rule is applicable to any source MAC address
host <SOURCE-HOST-MAC> Specify the source host’s exact MAC address
<DEST-MAC> <DEST-MAC-MASK> Specifies the destination MAC address and mask to match
• <DEST-MAC> – Specify the destination MAC address.
◦ <DEST-MAC-MASK> – Specify the destination MAC address mask.
any Select ‘any’ if the rule is applicable to any destination MAC address
host <DEST-HOST-MAC> Specify the destination host’s exact MAC address
log The following keyword defines the action taken when a packet matches
any of the deny rules:
• log – Logs a record, when a packet matches the specified criteria
Note: This option is applicable only to the MAC ACL permit rule.
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp] Use the available options to specify the EtherType value to match.
vlan <1-4095> Specify the VLAN ID(s)
log Select log, if the rule has been configured to log records in case of a
match.
rule-precedence <1-5000> {(rule-description <LINE>)} The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this rule
◦ <1-5000> – Specify a value from 1 - 5000.
Examples
The following example shows the MAC access list ‘test’ settings before the ‘disable’ command is
executed:
rfs4000-229D58(config-mac-acl-test)#show context
mac access-list test
deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
deny host 00-01-AE-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#
rfs4000-229D58(config-mac-acl-test)#disable deny host 00-01-AE-00-22-11 any rule-precedence 2
The following example shows the MAC access list ‘test’ settings after the ‘disable’ command is executed:
rfs4000-229D58(config-mac-acl-test)#show context
mac access-list test
deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
disable deny host 00-01-AE-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#
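The precedence order, the skipping of disabled rules and the implicit deny described above can be checked offline against saved `show context` output. The following Python model is an added example, not part of this guide or of WiNG: it parses MAC ACL rule lines and returns the first enabled rule that matches a frame, or the implicit deny. It assumes that the bits set in a MAC mask are the bits compared, supports only the EtherType keywords listed in the code, and the precedence 10 permit rule in the sample is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the EtherType keywords with their standard values; any other
# EtherType is written in decimal, as the note in this section describes.
ETHERTYPES = {"ip": 0x0800, "arp": 0x0806, "rarp": 0x8035, "8021q": 0x8100, "ipv6": 0x86DD}
FULL_MASK = (1 << 48) - 1

# Constructed input: the guide's 'test' ACL after the 'disable' command, plus
# one constructed permit rule (precedence 10) so that outcomes differ.
SHOW_CONTEXT = """\
mac access-list test
 deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
 disable deny host 00-01-AE-00-22-11 any rule-precedence 2
 permit any any type arp rule-precedence 10
"""

@dataclass
class Rule:
    action: str                 # "deny" or "permit"
    enabled: bool               # False for lines starting with "disable"
    src: tuple                  # (address, mask) as integers; mask 0 is "any"
    dst: tuple
    vlan: Optional[int]
    ethertype: Optional[int]
    precedence: int

def mac_to_int(mac):
    """Accept both notations used in the guide: 00-01-AE-00-22-11, 00:01:ae:00:22:11."""
    digits = re.sub(r"[-:]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)

def take_address(tokens):
    """Consume 'any', 'host <MAC>' or '<MAC> <MASK>' from the front of tokens."""
    head = tokens.pop(0)
    if head == "any":
        return (0, 0)
    if head == "host":
        return (mac_to_int(tokens.pop(0)), FULL_MASK)
    return (mac_to_int(head), mac_to_int(tokens.pop(0)))

def parse_rule(line):
    tokens = line.split()
    enabled = tokens[0] != "disable"
    if not enabled:
        tokens.pop(0)
    action = tokens.pop(0)
    if action not in ("deny", "permit"):
        raise ValueError(f"not a deny/permit rule: {line!r}")
    src, dst = take_address(tokens), take_address(tokens)
    vlan = ethertype = precedence = None
    while tokens:
        key = tokens.pop(0)
        if key == "vlan":
            vlan = int(tokens.pop(0))
        elif key == "type":
            value = tokens.pop(0)
            ethertype = ETHERTYPES[value] if value in ETHERTYPES else int(value)
        elif key == "rule-precedence":
            precedence = int(tokens.pop(0))
        elif key == "mark":
            del tokens[:2]      # marking does not change the permit/deny decision
        elif key == "rule-description":
            break               # free text up to the end of the line
        elif key != "log":      # e.g. dot1p: refuse rather than match too broadly
            raise ValueError(f"unsupported keyword {key!r} in {line!r}")
    if precedence is None:
        raise ValueError(f"rule without rule-precedence: {line!r}")
    return Rule(action, enabled, src, dst, vlan, ethertype, precedence)

def parse_acl(show_context):
    """Return the rules found in 'show context' output, lowest precedence first."""
    rules = []
    for line in show_context.splitlines():
        line = line.strip()
        if line.split(" ", 1)[0] in ("deny", "permit", "disable"):
            rules.append(parse_rule(line))
    return sorted(rules, key=lambda rule: rule.precedence)

def evaluate(rules, src, dst, vlan, ethertype):
    """Return (action, precedence) of the first enabled match, else the implicit deny."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for rule in rules:
        if not rule.enabled:
            continue            # a disabled rule stays in the ACL but never filters
        if (s & rule.src[1]) != (rule.src[0] & rule.src[1]):
            continue
        if (d & rule.dst[1]) != (rule.dst[0] & rule.dst[1]):
            continue
        if rule.vlan is not None and rule.vlan != vlan:
            continue
        if rule.ethertype is not None and rule.ethertype != ethertype:
            continue
        return (rule.action, rule.precedence)
    return ("deny", None)       # implicit deny at the end of every ACL
```

Disabling the precedence 2 deny rule lets ARP from that host reach the precedence 10 permit rule, while its IP frames still hit the implicit deny, so a disabled deny rule changes the outcome only where a later permit rule matches.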
Related Commands
ex3500 (mac-acl-config-commands)
Creates a MAC ACL deny and/or permit rule, applicable only to the EX3500 switch.
Each deny or permit rule consists of a set of match criteria and an associated action, which is deny
access for the deny rule and allow access for the permit rule. When applied to layer 2 traffic (between an
EX3500 switch and the WiNG managed service platform or a WiNG VM interface) every packet is
matched against the configured match criteria and in case of a match the packet is dropped or
forwarded depending on the rule type.
EX3500 devices are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/1000-BASE-T ports,
and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the
IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3500 switch has an SNMP-based
management agent that provides both in-band and out-of-band management access. The EX3500
switch utilizes an embedded HTTP Web agent and CLI, which in spite of being different from that of the
WiNG operating system provides WiNG controllers PoE and port management resources.
Note
To implement the EX3500 MAC ACL rule, apply the MAC ACL directly to the device, or to the
device profile. For more information, see access-group on page 1435.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2]
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2] [any |host <SOURCE-MAC>|
network <SOURCE-MAC> <SOURCE-MAC-MASK>] [any|host <DEST-MAC>|network <DEST-MAC>
<DEST-MAC-MASK>] [ethertype <0-65535>|ethertype-mask <0-65535>|ex3500-time-range
<TIME-RANGE-NAME>|rule-precedence <1-128>|vlan <1-4094>|vlan-mask <1-4095>]
Parameters
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2] [any |host <SOURCE-MAC>|
network <SOURCE-MAC> <SOURCE-MAC-MASK>] [any|host <DEST-MAC>|network <DEST-MAC>
<DEST-MAC-MASK>] [ethertype <0-65535>|ethertype-mask <0-65535>|ex3500-time-range
<TIME-RANGE-NAME>|rule-precedence <1-128>|vlan <1-4094>|vlan-mask <1-4095>]
[deny|permit] Creates a deny or permit MAC ACL rule and configures the rule
parameters
Every EX3500 MAC ACL rule provides a set of match criteria against
which incoming and outgoing packets (to and from an EX3500 device)
are matched. In case of a match, the packet is dropped or forwarded
depending on the rule type. The packet is dropped in case of a deny
rule, and forwarded for a permit rule.
[all|tagged-eth2|untagged-eth2] Specifies the packet type
• all – Applies this deny/permit rule to all packets
• tagged-eth2 – Applies this deny/permit rule only to tagged Ethernet-2 packets
• untagged-eth2 – Applies this deny/permit rule only to untagged Ethernet-2 packets
After specifying the packet type, configure the source and/or EX3500
MAC addresses to match.
[any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>] Enter the Source MAC addresses
• any – Identifies all EX3500 devices as a source to match
• host <SOURCE-MAC> – Identifies a specific EX3500 host as the source to match
◦ <SOURCE-MAC> – Specify the source host’s exact MAC address
• network <SOURCE-MAC> <SOURCE-MAC-MASK> – Configures a range of MAC addresses as the source to match. Packets received from any of these MAC addresses are dropped.
◦ <SOURCE-MAC> – Specify the source MAC address to match.
▪ <SOURCE-MAC-MASK> – Specify the source MAC bit mask.
For a deny rule, packets received from EX3500 device(s) matching the
specified MAC address(es) are dropped.
For a permit rule, packets received from EX3500 device(s) matching
the specified MAC address(es) are forwarded.
ex3500-time-range <TIME-RANGE-NAME> Applies a specified EX3500 time range (should be existing and configured). The deny or permit rule is applied during the time period specified in the EX3500 time range.
• <TIME-RANGE-NAME> – Specify the time range name.
An EX3500 time range list consists of a set of periodic and absolute
time range rules. Periodic time ranges recur periodically at specified
time periods, such as daily, weekly, weekends, weekdays, and on
specific week days, for example on every successive Monday.
Absolute time ranges are not periodic and do not recur. They consist of
a range of days during a particular time period (the starting and ending
days and time are fixed).
vlan <1-4094> Configures a VLAN ID representative of the shared SSID each user
employs to interoperate within the network (once authenticated by the
local RADIUS server)
• <1-4094> – Specify the VLAN ID from 1 - 4094.
Examples
nx9500-6C8809(config-mac-acl-ex3500MacACL)#ex3500 deny tagged-eth2 any any vlan 20 rule-precedence 1
nx9500-6C8809(config-mac-acl-ex3500MacACL)#show context
mac access-list ex3500MacACL
ex3500 deny tagged-eth2 any any vlan 20 rule-precedence 1
nx9500-6C8809(config-mac-acl-ex3500MacACL)#
Related Commands
no (mac-acl) on page 1548 Removes this EX3500 deny/permit rule from the MAC ACL
insert (mac-acl)
Enables the insertion of a rule in a MAC ACL without overwriting or replacing an existing rule having
the same precedence.
The insert option allows a new rule to be inserted within a MAC ACL. Consider a MAC ACL consisting of
rules having precedences 1, 2, 3, 4, 5, and 6. You want to insert a new rule with precedence 4, without
overwriting the existing precedence 4 rule. Using the insert option inserts the new rule prior to the
existing one. The existing precedence 4 rule’s precedence changes to 5, and the change cascades down
the list of rules within the ACL. That means rule 5 becomes rule 6, and rule 6 becomes rule 7.
Note
Creating a new rule with the same precedence as an existing rule, without using insert,
overwrites the existing rule.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
insert [deny|permit] <PARAMETERS> (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,
log,rule-precedence <1-5000>) {(rule-description <LINE>)}
Parameters
insert [deny|permit] <PARAMETERS> (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,
log,rule-precedence <1-5000>) {(rule-description <LINE>)}
dot1p <0-7> Configures the 802.1p priority value. Sets the service classes for traffic handling
• <0-7> – Specify 802.1p priority from 0 - 7.
mark [8021p <0-7>,dscp <0-63>] Marks/modifies packets that match the criteria specified here
• 8021p <0-7> – Modifies 802.1p VLAN user priority from 0 - 7
• dscp <0-63> – Modifies DSCP TOS bits in the IP header from 0 - 63
Note: This option is applicable only to the MAC ACL permit rule.
log Logs all deny/permit events matching this entry. If a source and/or destination
MAC address is matched (i.e. a packet is received from a specified MAC address
or is destined for a specified MAC address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny/permit rule
◦ <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
Examples
rfs4000-229D58(config-mac-acl-test1)#deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
rfs4000-229D58(config-mac-acl-test1)#deny host B4-C7-99-6D-CD-9B any rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#show context
mac access-list test1
deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
deny host B4-C7-99-6D-CD-9B any rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#
In the following example a new rule is inserted between the rules having precedences 1 and 2. The
precedence of the existing precedence ‘2’ rule changes to precedence 3.
rfs4000-229D58(config-mac-acl-test1)#insert permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#show context
mac access-list test1
deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2
deny host B4-C7-99-6D-CD-9B any rule-precedence 3
rfs4000-229D58(config-mac-acl-test1)#
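The difference between insert and a plain deny/permit at an occupied precedence matters during change review, because the plain form silently drops a rule. The following Python model is an added example, not WiNG code: it applies both behaviours to the 'test1' ACL above and reports which rules a change removed. It assumes the cascade stops at the first unused precedence, a case the guide does not describe.

```python
MAX_PRECEDENCE = 5000  # upper bound of rule-precedence <1-5000>

def _check(precedence):
    if not 1 <= precedence <= MAX_PRECEDENCE:
        raise ValueError(f"rule-precedence out of range: {precedence}")

def add_rule(acl, precedence, rule):
    """Plain deny/permit: a rule entered at an occupied precedence replaces it."""
    _check(precedence)
    updated = dict(acl)
    updated[precedence] = rule
    return updated

def insert_rule(acl, precedence, rule):
    """insert: take the slot and push each colliding rule down by one.

    Assumption: the cascade stops at the first unused precedence.
    """
    _check(precedence)
    updated = dict(acl)
    carry, slot = rule, precedence
    while carry is not None:
        if slot > MAX_PRECEDENCE:
            raise ValueError("cascade would push a rule past rule-precedence 5000")
        displaced = updated.get(slot)
        updated[slot] = carry
        carry, slot = displaced, slot + 1
    return updated

def lost_rules(before, after):
    """Rules present before a change and absent afterwards."""
    return sorted(set(before.values()) - set(after.values()))

# The 'test1' ACL from the example above, keyed by rule-precedence.
TEST1 = {
    1: "deny 11-22-33-44-55-66 11-22-33-44-55-77 any",
    2: "deny host B4-C7-99-6D-CD-9B any",
}
NEW_RULE = "permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B"

if __name__ == "__main__":
    for name, change in (("insert", insert_rule), ("overwrite", add_rule)):
        result = change(TEST1, 2, NEW_RULE)
        print(name)
        for precedence in sorted(result):
            print(f"  {result[precedence]} rule-precedence {precedence}")
        print("  lost:", lost_rules(TEST1, result))
```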
permit (mac-acl)
Creates a permit rule that marks packets (from a specified source MAC and/or to a specified destination
MAC) for forwarding. You can also use this command to modify an existing permit rule.
Note
Use a decimal value representation to implement a permit/deny designation for a packet. The
command set for MAC ACLs provides the hexadecimal values for each listed EtherType. Use
the decimal equivalent of the EtherType listed for any other EtherType.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
permit [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>]
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>,dscp <0-63>],
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log
(rule-precedence <1-5000>) {(rule-description <LINE>)}
Parameters
permit [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>]
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>,dscp <0-63>],
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log
(rule-precedence <1-5000>) {(rule-description <LINE>)}
dot1p <0-7> Configures the 802.1p priority value. Sets the service classes for traffic handling
• <0-7> – Specify 802.1p priority from 0 - 7.
log Logs all permit events matching this entry. If a source and/or destination MAC
address is matched (i.e. a packet is received from a specified MAC address or is
destined for a specified MAC address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this permit rule
◦ <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
◦ rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
Usage Guidelines
The permit command in the MAC ACL allows traffic based on layer 2 (data-link layer) information. A
MAC access list permits traffic from a source MAC address or any MAC address. It also has an option to
allow traffic from a list of MAC addresses (based on the source mask).
The MAC access list can be configured to allow traffic based on VLAN information, or Ethernet type.
Common types include:
• ARP
• WISP
• IP
• 802.1q
Layer 2 traffic is not allowed by default. To adopt an Access Point through an interface, configure an
ACL to allow an Ethernet WISP.
Use the mark option to specify the ToS (type of service) and priority value. The ToS value is marked in
the IP header and the 802.1p priority value is marked in the dot1q frame.
Whenever the interface receives the packet, its content is checked against all the ACEs in the ACL. It is
marked based on the ACL’s configuration.
Note
To apply an IP based ACL to an interface, a MAC access list entry is mandatory to allow ARP. A
MAC ACL always takes precedence over IP based ACLs.
Examples
nx9500-6C8809(config-mac-acl-test)#permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
nx9500-6C8809(config-mac-acl-test)#permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
nx9500-6C8809(config-mac-acl-test)#show context
mac access-list test
permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
nx9500-6C8809(config-mac-acl-test)#
Related Commands
no (mac-acl)
Negates a command or sets its default
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [deny|disable|permit]
no [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>]
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,type [8021q|<1-65535>|
aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence
<1-5000>)
{(rule-description <LINE>)}
Parameters
no [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>]
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,type [8021q|<1-65535>|
aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence
<1-5000>)
{(rule-description <LINE>)}
rule-precedence <1-5000> Specify the rule precedence. The rule with the specified rule
precedence is removed from the MAC ACL.
rule-description <LINE> Optional. Provide the description configured for the rule.
no disable [deny|permit] Removes a disabled deny or permit rule from the selected IP access list
<RULE-PARAMETERS> Enter the exact parameters used when configuring the rule.
rule-precedence <1-5000> rule-description <LINE> Specify the precedence assigned to this disabled deny/permit rule.
• rule-description – Optional. Specify the rule description.
Note: The system removes the disabled rule from the selected ACL.
Examples
<exsw1>(config-mac-acl-test)#show context
mac access-list test
permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
deny any host 33-44-55-66-77-88 log rule-precedence 700
Related Commands
ipv6-access-list
Configures an IPv6 ACL. IPv6 ACLs define a set of rules that filter IPv6 packets flowing through a port
or interface. Each rule specifies the action taken when a packet matches the rule. If the action is deny,
the packet is dropped. If the action is permit, the packet is allowed.
The WiNG software supports IPv6 only on VLAN interfaces. Therefore, IPv6 ACLs can be applied only
on the VLAN interface.
deny (ipv6-acl)
Creates a deny rule that rejects packets from a specified IPv6 source and/or to a specified IPv6
destination. You can also use this command to modify an existing deny rule.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
deny [icmpv6|ipv6|proto|tcp|udp]
deny icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|
type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]]
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp]
[<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>]
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|
<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|
tftp|www]|
range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
Parameters
deny icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|
Note: ICMPv6 packets with type field value matching the values
specified here are dropped.
Note: ICMPv6 packets with code field value matching the values
specified here are dropped.
rule-description <LINE> Optional. Configures a description for this deny rule. Provide a
description that uniquely identifies the purpose of this rule (should
not exceed 128 characters in length).
rule-description <LINE> Optional. Configures a description for this deny rule. Provide a
description that uniquely identifies the purpose of this rule (should
not exceed 128 characters in length).
IPv6>]
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
host <SOURCE-HOST-IPv6> Identifies a specific host (as the source to match) by its IPv6 address.
Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the
specified host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IPv6
address.
rule-description <LINE> Optional. Configures a description for this deny rule. Provide a
description that uniquely identifies the purpose of this rule (should
not exceed 128 characters in length).
host <DEST-HOST-IP> Identifies a specific host (as the destination to match) by its IPv6
address. TCP/UDP packets addressed to the specified host are
dropped.
• <DEST-HOST-IP> – Specify the destination host’s exact IP
address.
rule-description <LINE> Optional. Configures a description for this deny rule. Provide a
description that uniquely identifies the purpose of this rule (should
not exceed 128 characters in length).
Examples
nx9500-6C8809(config-ipv6-acl-test)#deny icmpv6 any any type eq 1 code eq 0 log rule-precedence 1
nx9500-6C8809(config-ipv6-acl-test)#show context
ipv6 access-list test
deny icmpv6 any any type eq destination-unreachable code eq router-renumbering-command log rule-precedence 1
nx9500-6C8809(config-ipv6-acl-test)#
Related Commands
no (ipv6-acl) on page 1563 Removes a specified deny access rule from this IPv6 ACL
permit (ipv6-acl)
Creates a permit rule that accepts packets from a specified IPv6 source and/or addressed to a specified
IPv6 destination. You can also use this command to modify an existing permit rule.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
permit [icmpv6|ipv6|proto|tcp|udp]
permit icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|
type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]]
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp]
[<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>]
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|
<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|
tftp|www]|
range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
Parameters
permit icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|
Note: ICMPv6 packets with type field value matching the values
specified here are forwarded.
Note: ICMPv6 packets with code field value matching the values
specified here are forwarded.
rule-description <LINE> Optional. Configures a description for this permit rule. Provide a
description that uniquely identifies the purpose of this rule (should
not exceed 128 characters in length).
rule-description <LINE> Optional. Configures a description for this permit rule. Provide a
description that uniquely identifies the purpose of this rule (should
not exceed 128 characters in length).
IPv6>]
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
host <SOURCE-HOST-IPv6> Identifies a specific host (as the source to match) by its IPv6 address.
Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the
specified host are forwarded.
• <SOURCE-HOST-IP> – Specify the source host’s exact IPv6
address.
rule-description <LINE> Optional. Configures a description for this permit rule. Provide a
description that uniquely identifies the purpose of this rule (should
not exceed 128 characters in length).
host <DEST-HOST-IP> Identifies a specific host (as the destination to match) by its IPv6
address. TCP/UDP packets addressed to the specified host are
forwarded.
• <DEST-HOST-IP> – Specify the destination host’s exact IP
address.
rule-description <LINE> Optional. Configures a description for this permit rule. Provide a
description that uniquely identifies the purpose of this rule (should
not exceed 128 characters in length).
Examples
nx9500-6C8809(config-ipv6-acl-test)#permit proto gre any any log rule-precedence 2
nx9500-6C8809(config-ipv6-acl-test)#show context
ipv6 access-list test
deny icmpv6 any any type eq destination-unreachable code eq router-renumbering-command log rule-precedence 1
permit proto gre any any log rule-precedence 2
nx9500-6C8809(config-ipv6-acl-test)#
Related Commands
no (ipv6-acl) on page 1563 Removes a specified permit access rule from this IPv6 ACL
no (ipv6-acl)
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [deny|permit]
no [deny|permit] [icmpv6|ipv6|proto|tcp|udp] <RULE-PARAMETERS> {(rule-description <LINE>)}
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes a deny or permit rule from the selected IPv6 access list
Examples
The following example shows the ACL ‘test’ settings before the ‘no’ command is executed:
nx9500-6C8809(config-ipv6-acl-test)#show context
ipv6 access-list test
deny icmpv6 any any type eq destination-unreachable code eq router-renumbering-command log rule-precedence 1
permit proto gre any any log rule-precedence 2
nx9500-6C8809(config-ipv6-acl-test)#
nx9500-6C8809(config-ipv6-acl-test)#no deny icmpv6 any any type eq 1 log rule-precedence 1
nx9500-6C8809(config-ipv6-acl-test)#show context
ipv6 access-list test
permit proto gre any any log rule-precedence 2
nx9500-6C8809(config-ipv6-acl-test)#
ip-snmp-access-list
SNMP performs network management functions using a data structure called a Management
Information Base (MIB). SNMP is widely implemented but not very secure, since it uses only text
community strings for accessing controller or service platform configuration files.
Use SNMP ACLs to help reduce SNMP vulnerabilities, as SNMP traffic can be exploited to produce a
denial of service (DoS).
Creates a deny SNMP MIB object traffic rule. Use this command to specify the match criteria based on
which SNMP traffic is denied.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
deny [<IP/M>|any|host <IP>]
Parameters
deny [<IP/M>|any|host <IP>]
deny [<IP/M>|any|host <IP>] Configures the match criteria for this deny rule
• <IP/M> – Specifies a network address and mask in the A.B.C.D/M
format. Packets received from or destined for this network are
dropped.
• any – Specifies the match criteria as any. Packets received from or
destined for any address are dropped.
• host <IP> – Identifies a host by its IP address. Packets received
from or destined for this host are dropped.
Examples
nx9500-6C8809(config-ip-snmp-acl-test)#deny 192.168.13.0/24
nx9500-6C8809(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
deny 192.168.13.0/24
nx9500-6C8809(config-ip-snmp-acl-test)#
Related Commands
no (ip-snmp acl) on page 1566 Removes this deny rule from the IP SNMP ACL
Creates a permit SNMP MIB object traffic rule. Use this command to specify the match criteria based on
which SNMP traffic is permitted.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
permit [<IP/M>|any|host <IP>]
Parameters
permit [<IP/M>|any|host <IP>]
permit [<IP/M>|any|host <IP>] Configures the match criteria for this permit rule
• <IP/M> – Specifies a network address and mask in the A.B.C.D/M
format. Packets received from or destined for this network are
forwarded.
• any – Specifies the match criteria as any. Packets received from or
destined for any address are forwarded.
• host <IP> – Identifies a host by its IP address. Packets received
from or destined for this host are forwarded.
Examples
nx9500-6C8809(config-ip-snmp-acl-test)#permit host 192.168.13.13
nx9500-6C8809(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
permit host 192.168.13.13
deny 192.168.13.0/24
nx9500-6C8809(config-ip-snmp-acl-test)#
Related Commands
no (ip-snmp acl) on page 1566 Removes this permit rule from the IP SNMP ACL
no (ip-snmp acl)
Removes a deny or permit rule from the IP SNMP ACL. Use this command to remove IP SNMP ACL rules as
they become obsolete for filtering network access permissions.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
no [deny|permit] [<IP/M>|any|host <IP>]
Parameters
no <PARAMETERS>
no <PARAMETERS> Removes deny and/or permit access rule from this IP SNMP ACL
Usage Guidelines
•
Examples
nx9500-6C8809(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
permit host 192.168.13.13
deny 192.168.13.0/24
nx9500-6C8809(config-ip-snmp-acl-test)#
nx9500-6C8809(config-ip-snmp-acl-test)#no permit host 192.168.13.13
nx9500-6C8809(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
deny 192.168.13.0/24
nx9500-6C8809(config-ip-snmp-acl-test)#
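A static check for `ip snmp-access-list` blocks pasted from `show context`, as an added Python example (not part of the WiNG CLI or this guide). It flags `permit any`, permits wider than a chosen prefix length, and permit/deny pairs that overlap; the `wide-open` ACL, the finding codes and the /24 threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed input: the 'test' ACL from this section plus a hypothetical
# 'wide-open' ACL, in the layout that `show context` prints.
SAMPLE_CONTEXT = """\
nx9500-6C8809(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 permit host 192.168.13.13
 deny 192.168.13.0/24
nx9500-6C8809(config-ip-snmp-acl-test)#
ip snmp-access-list wide-open
 permit any
"""


def parse_snmp_acls(text):
    """Return {acl_name: [(action, IPv4Network), ...]} in listed order."""
    acls, current = {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["ip", "snmp-access-list"] and len(tok) == 3:
            current = acls.setdefault(tok[2], [])
        elif tok[0] in ("permit", "deny") and current is not None and len(tok) > 1:
            # The three match forms from the syntax: any | host <IP> | <IP/M>
            if tok[1] == "any":
                spec = "0.0.0.0/0"
            elif tok[1] == "host":
                spec = tok[2] + "/32"
            else:
                spec = tok[1]
            current.append((tok[0], ipaddress.ip_network(spec, strict=False)))
        else:
            current = None  # a prompt or unrelated config line ends the block
    return acls


def audit(acls, min_prefix=24):
    """Return (acl_name, code, detail) findings for review.

    min_prefix is a hypothetical policy threshold: permits covering more
    addresses than a /24 are reported as broad.
    """
    findings = []
    for name, rules in acls.items():
        permits = [net for action, net in rules if action == "permit"]
        denies = [net for action, net in rules if action == "deny"]
        for net in permits:
            if net.prefixlen == 0:
                findings.append((name, "PERMIT_ANY", str(net)))
            elif net.prefixlen < min_prefix:
                findings.append((name, "BROAD_PERMIT", str(net)))
            for denied in denies:
                # The outcome for the shared addresses depends on the order in
                # which the device evaluates rules, so a reviewer should
                # confirm the intent of every overlapping pair.
                if net.overlaps(denied):
                    findings.append((name, "OVERLAP", f"permit {net} / deny {denied}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_snmp_acls(SAMPLE_CONTEXT)):
        print(*finding, sep="  ")
```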
ex3500-ext-access-list
An IPv4 EX3500 extended ACL is a policy-based ACL that either prevents or allows specific clients from
using the EX3500 (EX3524 or EX3548) switch. It allows you to permit or deny client access by
specifying that the traffic from a specific host or network and/or the traffic to a specific host or network
be either denied or permitted.
An EX3500 extended ACL consists of a set of deny/permit rules that filter packets based on both
source and destination IPv4 addresses. Each rule specifies a set of match criteria (the source and
destination IP addresses) and has a unique precedence value assigned. These ACL rules are applied
sequentially to the traffic at a port, by a firewall-supported device, in an increasing order of their
precedence. When a packet matches the criteria specified in a rule the packet is either forwarded or
dropped based on the rule type.
The following table summarizes IPv4 EX3500 extended ACL configuration commands:
Note
To implement the EX3500 extended ACL, apply it directly to an EX35XX device, or to an
EX35XX profile. For more information, see access-group on page 1435.
Creates a deny ACL rule that filters packets based on the source and/or destination IPv4 address, and
other specified criteria. You can also use this command to modify an existing deny rule.
Syntax
deny [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|
destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|
ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|
source-port <0-65535>|source-port-bitmark <0-65535>]
Parameters
deny [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|
destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|
deny [<0-255>| tcp|udp] Creates a deny rule and identifies the protocol type. This deny
rule is applied only to packets matching the protocol specified
here.
[<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] Specifies the source as any, host, or network
• <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network’s IPv4 address along with the mask.
• host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device’s IPv4 address.
• any – Specifies that the source can be any device
control-flag <0-63> Configures the decimal number (representing a bit string) that
specifies the control flag bits in byte 14 of the TCP header
• <0-63> – Specify a value from 0 - 63.
source-port <0-65535> Configures the protocol source port to match. The source
protocol can be TCP, UDP or any other protocol identified by its
number (<0-255>).
• <0-65535> – Specify the source port from 0 - 65535.
rule-precedence <1-128> The following keywords are recursive and common to all of the
above parameters:
• rule-precedence – Assigns a precedence to this deny rule
◦ <1-128> – Specify a value from 1 - 5000.
Usage Guidelines
Use this command to deny traffic between networks/hosts based on the protocol type selected in the
access list configuration. The following protocols are supported:
• TCP
• UDP
• <0-255> (any Internet protocol other than TCP, UDP, and ICMP)
Packet content is checked against the ACEs in the ACL, and packets are allowed or denied access based
on the ACL configuration.
• Filtering TCP/UDP allows you to specify port numbers as filtering criteria
Examples
The following example denies outgoing TCP packets from all sources within the 192.168.14.0/24
network to a specific host 192.168.13.13:
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#
Related Commands
no (ex3500-ext acl) on page 1572 Removes a specified deny access rule from this IPv4 EX3500
extended ACL
Creates a permit ACL rule that filters packets based on the source and/or destination IPv4 address, and
other specified criteria. You can also use this command to modify an existing permit rule.
Syntax
permit [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|
destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|
ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|
source-port <0-65535>|source-port-bitmark <0-65535>]
Parameters
permit [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|
destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|
ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|
source-port <0-65535>|source-port-bitmark <0-65535>]
permit [<0-255>| tcp|udp] Creates a permit rule, and identifies the protocol type. This permit
rule is applied only to packets matching the protocol specified here.
[<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] Specifies the source as any, host, or network
• <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network’s IPv4 address along with the mask.
• host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device’s IPv4 address.
• any – Specifies that the source can be any device
control-flag <0-63> Configures the decimal number (representing a bit string) that
specifies the control flag bits in byte 14 of the TCP header
• <0-63> – Specify a value from 0 - 63.
Note: Control flags can be used only in ACLs designed to filter TCP
traffic.
destination-port <0-65535> Configures the protocol destination port to match. The destination
protocol can be TCP, UDP or any other protocol identified by its
number (<0-255>).
• <0-65535> – Specify the destination port from 0 - 65535.
source-port <0-65535> Configures the protocol source port to match. The source protocol
can be TCP, UDP or any other protocol identified by its number
(<0-255>).
• <0-65535> – Specify the source port from 0 - 65535.
rule-precedence <1-128> The following keywords are recursive and common to all of the above
parameters:
• rule-precedence – Assigns a precedence to this permit rule
◦ <1-128> – Specify a value from 1 - 5000.
Usage Guidelines
Use this command to permit traffic between networks/hosts based on the protocol type selected in the
access list configuration. The following protocols are supported:
• TCP
• UDP
• <0-255> (any Internet protocol other than TCP, UDP, and ICMP)
Packet content is checked against the ACEs in the ACL, and are allowed or denied access based on the
ACL configuration.
• Filtering TCP/UDP allows you to specify port numbers as filtering criteria.
Examples
The following example permits outgoing TCP packets from all sources within the 192.168.14.0 network to
any destination, with the TCP control flag set to 16 (acknowledge):
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#
Related Commands
no (ex3500-ext acl) on page 1572 Removes a specified permit access rule from this IPv4 EX3500
extended ACL
no (ex3500-ext acl)
Removes a deny or permit access rule from this IPv4 EX3500 extended ACL
Syntax
no [deny|permit] [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port
<0-65535>|
destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|
ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark
<0-65535>]
Parameters
no <PARAMETERS>
Usage Guidelines
The keyword ‘control-flag <0-63>’ is only applicable to ACL rules filtering TCP traffic.
Examples
The following example shows the IPv4 EX3500 extended ACL ‘test’ settings before the ‘no’ commands
are executed:
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#no permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
The following example shows the IPv4 EX3500 extended ACL ‘test’ settings after the ‘no’ commands
are executed:
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#
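How precedence-ordered matching plays out for the ‘test’ ACL before and after the `no permit` command above, as an added Python example (not WiNG or EX3500 code). The packet dictionaries are constructed, and two points are assumptions: a `control-flag` value must equal the packet's six flag bits exactly, and a packet that matches no rule returns `None` because this section does not state a default action.

```python
import ipaddress
from dataclasses import dataclass

PROTO = {"tcp": 6, "udp": 17}
# Options this example evaluates; the other keywords in the syntax are rejected
# rather than silently ignored, so a verdict is never based on a partial match.
MODELLED = {"rule-precedence", "control-flag", "source-port", "destination-port"}

# The 'test' ACL as printed by `show context` before and after `no permit ...`.
BEFORE = """\
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
 permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
"""
AFTER = """\
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
"""

# Constructed packets. flags holds the six TCP control bits (ACK = 16, SYN = 2).
ACK_TO_SERVER = {"proto": 6, "src": "192.168.14.20", "dst": "192.168.13.13", "flags": 16}
ACK_ELSEWHERE = {"proto": 6, "src": "192.168.14.20", "dst": "10.0.0.5", "flags": 16}
SYN_ELSEWHERE = {"proto": 6, "src": "192.168.14.20", "dst": "10.0.0.5", "flags": 2}


@dataclass
class Rule:
    action: str
    proto: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    opts: dict


def _take_addr(tok):
    """Consume `any`, `host <IP>` or `<IP/MASK>` from the front of tok."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(tok.pop(0) + "/32" if first == "host" else first, strict=False)


def parse_rule(line):
    tok = line.split()
    action, proto_word = tok.pop(0), tok.pop(0)
    proto = PROTO[proto_word] if proto_word in PROTO else int(proto_word)
    src, dst = _take_addr(tok), _take_addr(tok)
    opts = {}
    while tok:
        key = tok.pop(0)
        if key not in MODELLED:
            raise ValueError(f"option not modelled in this example: {key}")
        opts[key] = int(tok.pop(0))
    if "rule-precedence" not in opts:
        raise ValueError("this example expects an explicit rule-precedence")
    if "control-flag" in opts and proto != PROTO["tcp"]:
        raise ValueError("control-flag applies only to TCP rules")
    return Rule(action, proto, src, dst, opts)


def parse_acl(text):
    """Parse every deny/permit line; the ACL header and prompts are skipped."""
    return [parse_rule(l) for l in text.splitlines() if l.split()[:1] in (["deny"], ["permit"])]


def matches(rule, pkt):
    if rule.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule.src:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in rule.dst:
        return False
    for key, field in (("source-port", "sport"), ("destination-port", "dport")):
        if key in rule.opts and rule.opts[key] != pkt.get(field):
            return False
    # Assumption: the rule value must equal the packet's six flag bits exactly.
    if "control-flag" in rule.opts and rule.opts["control-flag"] != (pkt.get("flags", 0) & 0x3F):
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, precedence) of the first match in increasing precedence."""
    for rule in sorted(rules, key=lambda r: r.opts["rule-precedence"]):
        if matches(rule, pkt):
            return rule.action, rule.opts["rule-precedence"]
    return None  # no rule matched; the default action is not modelled here


if __name__ == "__main__":
    for label, acl in (("before", parse_acl(BEFORE)), ("after", parse_acl(AFTER))):
        for pkt in (ACK_TO_SERVER, ACK_ELSEWHERE, SYN_ELSEWHERE):
            print(label, pkt["dst"], pkt["flags"], evaluate(acl, pkt))
```

The ACK segment to 192.168.13.13 matches both rules, and the deny at precedence 1 decides it because that rule is evaluated first.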
ex3500-std-access-list
An EX3500 standard ACL is a policy-based ACL that contains a set of filter criteria and action that is
applied to traffic originating from a specified source.
The following table summarizes IPv4 EX3500 standard ACL configuration commands:
Note
To implement the EX3500 standard ACL, apply it directly to an EX35XX device, or to an
EX35XX profile. For more information, see access-group on page 1435.
Creates a deny rule that rejects packets from a specified source or sources. The source can be a single
device or a range of devices within a specified network. Use this command to also edit an existing deny
rule.
Syntax
deny [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
{ex3500-time-range <TIME-RANGE-NAME>}
Parameters
deny [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
{ex3500-time-range <TIME-RANGE-NAME>}
deny [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] Creates a deny rule that rejects packets from a specified source or a network. Use one of the following options to specify the source: any, host, or network.
• <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network’s IPv4 address along with the mask.
• host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device’s IPv4 address.
• any – Specifies that the source can be any device
ex3500-time-range <TIME-RANGE-NAME> Optional. Applies a periodic or absolute time range to this deny rule
• <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured). The ACL is triggered during the time period configured in the specified EX3500 time range. For information on configuring EX3500 time-range, see ex3500 on page 417.
Examples
nx9500-6C8809(config-ip-ex3500-std-acl-test)#deny 192.168.14.0/24
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
deny 192.168.13.0/24
nx9500-6C8809(config-ip-ex3500-std-acl-test)#
Related Commands
no (ex3500-std acl) on page 1576 Removes a specified deny access rule from this IPv4 EX3500 standard
ACL
Creates a permit rule that allows packets from a specified source or sources. The source can be a single
device or a range of devices within a specified network. Use this command to also edit an existing
permit rule.
Syntax
permit [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
{ex3500-time-range <TIME-RANGE-NAME>}
Parameters
permit [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
{ex3500-time-range <TIME-RANGE-NAME>}
permit [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] Creates a permit rule that allows packets from a specified source or a network. Use one of the following options to specify the source: any, host, or network.
• <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network’s IPv4 address along with the mask.
• host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device’s IPv4 address.
• any – Specifies that the source can be any device
ex3500-time-range <TIME-RANGE-NAME> Optional. Applies a periodic or absolute time range to this permit rule
• <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured). The ACL is triggered during the time period configured in the specified EX3500 time range. For information on configuring EX3500 time-range, see ex3500 on page 417.
Examples
nx9500-6C8809(config-ip-ex3500-std-acl-test)#permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
deny 192.168.14.0/24
permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01
nx9500-6C8809(config-ip-ex3500-std-acl-test)#
Related Commands
no (ex3500-std acl) on page 1576 Removes a specified permit access rule from this IPv4 EX3500
standard ACL
no (ex3500-std acl)
Removes a deny or permit access rule from this IPv4 EX3500 standard ACL
Syntax
no [deny|permit] [<SOURCE-IP/MASK>|any|host <IP>]
{ex3500-time-range <TIME-RANGE-NAME>}
Parameters
no <PARAMETERS>
Examples
The following example shows the IPv4 EX3500 standard ACL ‘test’ settings before the ‘no’ commands
are executed:
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
deny 192.168.14.0/24
permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01
nx9500-6C8809(config-ip-ex3500-std-acl-test)#
nx9500-6C8809(config-ip-ex3500-std-acl-test)#no deny 192.168.14.0/24
The following example shows the IPv4 EX3500 standard ACL ‘test’ settings after the ‘no’ commands are
executed:
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01
nx9500-6C8809(config-ip-ex3500-std-acl-test)#
DHCP-SERVER-POLICY
This chapter summarizes Dynamic Host Control Protocol (DHCP) server policy commands in the CLI
command structure.
DHCP is a client-server protocol that manages IPv4 and IPv6 address assignment to network resources
and mobile devices. Central to the DHCP IP address management process is the DHCP server that
dynamically assigns IP addresses and related configuration information, such as gateways and subnet
masks to the DHCP client. WiNG devices (controllers and access points) have built-in DHCP servers that
can be enabled to manage IP address assignment.
DHCP servers assign IP addresses from a pre-configured set of address pools. DHCP assigned IP
addresses come with a specified lease time and have to be renewed before expiry. The DHCP server
policy defines the IP address pool and
The DHCP server policy ensures all IP addresses are unique and no IP address is assigned to a second
client while the first client's assignment is valid. Configure the DHCP server policy and apply it to the
controller or access point to enable the device as the onboard DHCP server.
Note
You can use external DHCP servers for dynamic IP address assignment. If using an external
DHCP server, configure infrastructure controllers/access points to relay DHCP requests to the
external DHCP server.
Use the following command to navigate to the DHCP server policy instance:
<DEVICE>(config)#dhcp-server-policy <POLICY-NAME>
nx9500-6C8809(config)#dhcp-server-policy test
nx9500-6C8809(config-dhcp-server-policy-test)#?
DHCP policy Mode commands:
bootp BOOTP specific configuration
dhcp-class Configure DHCP class (for address allocation using DHCP
user-class options)
dhcp-pool Configure DHCP server address pool
dhcp-server Activating dhcp server based on criteria
no Negate a command or set its defaults
option Define DHCP server option
ping Specify ping parameters used by DHCP Server
nx9500-6C8809(config-dhcp-policy-test)#
Use the following command to navigate to the DHCPv6 server policy instance:
<DEVICE>(config)#dhcpv6-server-policy <POLICY-NAME>
nx9500-6C8809(config)#dhcpv6-server-policy test
nx9500-6C8809(config-dhcpv6-server-policy-test)#?
DHCPv6 server policy Mode commands:
dhcpv6-pool Configure DHCPV6 server address pool
no Negate a command or set its defaults
option Define DHCPv6 server option
restrict-vendor-options Restrict vendor specific options to be sent in
server reply
server-preference Server preference value sent in the reply, by the
server to client
nx9500-6C8809(config-dhcpv6-server-policy-test)#
dhcp-server-policy commands
The following table summarizes the DHCP server policy configuration mode commands:
Note
For more information on common commands (clrscr, commit, help, revert, service, show,
write, and exit), see COMMON COMMANDS on page 705.
Note
The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot
include an underscore (_) character. In other words, the name of a device cannot contain an
underscore.
bootp (dhcpv4-server-policy-config)
Configures a BOOTP specific configuration. Bootstrap Protocol (BOOTP) requests are used by UNIX
diskless workstations to obtain the location of their boot image and IP address within the managed
network. A BOOTP configuration server provides this information and also assigns an IP address from a
configured pool of IP addresses. By default, all BOOTP requests are forwarded to the BOOTP
configuration server by the controller. When enabled, this feature allows controllers, using this DHCP
server policy, to ignore BOOTP requests.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
bootp ignore
Parameters
bootp ignore
Examples
nx9500-6C8809(config-dhcp-policy-test)#bootp ignore
nx9500-6C8809(config-dhcp-policy-test)#show context
dhcp-server-policy test
bootp ignore
nx9500-6C8809(config-dhcp-policy-test)#
Related Commands
dhcp-class (dhcpv4-server-policy-config)
Creates a DHCP server class and enters its configuration mode. Use this command to configure or
modify user class option values. Once defined, the controller’s internal DHCP server uses the configured
values to group wireless clients into DHCP classes, such that each user class consists of wireless clients
sharing the same set of user class values.
A controller, service platform, or access point’s local DHCP server assigns IP addresses to requesting
DHCP clients based on user class option names. The DHCP server can assign IP addresses from as many
IP address ranges as defined by an administrator. The DHCP user class associates a particular range of
IP addresses to a device in such a way that all devices of that type are assigned IP addresses from the
defined range.
A DHCP user class applies different DHCP settings to a set of wireless clients. Wireless clients using the
same DHCP settings are grouped under one DHCP class. Grouping users into classes facilitates the
provision of differentiated service.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dhcp-class <DHCP-CLASS-NAME>
Parameters
dhcp-class <DHCP-CLASS-NAME>
Examples
nx9500-6C8809(config-dhcp-policy-test-class-dhcpclass1)#
The following table summarizes the DHCP user class configuration commands:
multiple-user-class (dhcpv4-class-config)
Enables multiple user class option for this DHCP user class policy. Enabling this option allows this user
class to transmit multiple option values to other DHCP servers also supporting multiple user class
options.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
multiple-user-class
Parameters
None
Examples
nx9500-6C8809(config-dhcp-policy-test-class-class1)#multiple-user-class
nx9500-6C8809(config-dhcp-policy-test-class-dhcpclass1)#show context
dhcp-class dhcpclass1
multiple-user-class
nx9500-6C8809(config-dhcp-policy-test-class-dhcpclass1)#
Related Commands
no (dhcpv4-class-config) on page 1583 Disables the multiple user class option for the selected DHCP
user class policy
option (dhcpv4-class-config)
Configures DHCP user class options for this DHCP user class policy
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
option user-class <VALUE>
Parameters
option user-class <VALUE>
Examples
nx9500-6C8809(config-dhcp-policy-test-class-class1)#option user-class test
nx9500-6C8809(config-dhcp-policy-test-class-dhcpclass1)#show context
dhcp-class dhcpclass1
option user-class test
multiple-user-class
nx9500-6C8809(config-dhcp-policy-test-class-dhcpclass1)#
Related Commands
no (dhcpv4-class-config) on page 1583 Removes the configured DHCP user class option
no (dhcpv4-class-config)
Syntax
no [multiple-user-class|option]
no option user-class <VALUE>
Parameters
no <PARAMETERS>
no <PARAMETERS> Disables multiple user class options on this DHCP user class policy
Examples
The following example shows the DHCP class settings before the ‘no’ commands are executed:
nx9500-6C8809(config-dhcp-policy-test-class-dhcpclass1)#show context
dhcp-class dhcpclass1
option user-class test
multiple-user-class
nx9500-6C8809(config-dhcp-policy-test-class-dhcpclass1)#
nx9500-6C8809(config-dhcp-policy-test-class-class1)#no multiple-user-class
nx9500-6C8809(config-dhcp-policy-test-class-dhcpclass1)#no option user-class test
The following example shows the DHCP class settings after the ‘no’ commands are executed:
nx9500-6C8809(config-dhcp-policy-test-class-dhcpclass1)#show context
dhcp-class dhcpclass1
nx9500-6C8809(config-dhcp-policy-test-class-dhcpclass1)#
dhcp-pool (dhcpv4-server-policy-config)
Creates a DHCP server address pool and enters its configuration mode.
The DHCP pool command creates and manages a pool of IP addresses. These IP addresses are assigned
to devices using the DHCP protocol. IP addresses have to be unique for each device in the network.
Since IP addresses are finite, DHCP ensures that every device, in the network, is issued a unique IP
address by tracking the issue, release, and reissue of IP addresses.
The DHCP pool command configures a finite set of IP addresses that can be assigned whenever a
device joins a network.
DHCP services are available for specific IP interfaces. A pool (or range) of IP network addresses and
DHCP options can be created for each IP interface defined. This range of addresses is available to DHCP
enabled wireless devices on either a permanent or leased basis. This enables the reuse of limited IP
address resources for deployment in any network. DHCP options are provided to each DHCP client with
a DHCP response and provides DHCP clients information required to access network resources (default
gateway, domain name, DNS server and WINS server configuration). An option exists to identify the
vendor and functionality of a DHCP client. The information is a variable-length string of characters (or
octets) with a meaning specified by the vendor of the DHCP client.
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dhcp-pool <POOL-NAME>
Parameters
dhcp-pool <POOL-NAME>
Examples
nx9500-6C8809(config-dhcp-policy-test-pool-pool1)#
The following table summarizes the DHCP user pool configuration commands:
address (dhcpv4-pool-config)
Adds IP addresses to the DHCP address pool. These IP addresses are assigned to each device joining
the network.
Syntax
address [<IP>|<HOST-ALIAS-NAME>|range]
address [<IP>|<HOST-ALIAS-NAME>|range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-
HOST-ALIAS-NAME>]]
{class <DHCP-CLASS-NAME>}
Parameters
address [<IP>|<HOST-ALIAS-NAME>|range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-
HOST-ALIAS-NAME>]]
{class <DHCP-CLASS-NAME>}
Note: A network host alias maps a name to a single network host. For example, ‘alias
host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single
host ‘1.1.1.100’. For more information, see alias on page 267.
range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>] Adds a range of IP addresses to the DHCP address pool. Use one of the following options to provide the first IP address in the range:
• <START-IP> – Specifies the first IP address in the range
• <START-HOST-ALIAS-NAME> – Specifies a host alias, mapped to the first IP address in the range
Use one of the following options to provide the last IP address in the range:
• <END-IP> – Specifies the last IP address in the range
• <END-HOST-ALIAS-NAME> – Specifies a host alias, mapped to the last IP address in the range
class <DHCP-CLASS-NAME> Optional. Applies additional DHCP options, or a modified set of options to those available to wireless clients. For more information, see dhcp-class (dhcpv4-server-policy-config) on page 1581.
• <DHCP-CLASS-NAME> – Sets the DHCP class (should be existing and configured)
Examples
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#address 192.168.13.4 class
dhcpclass1
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
address 192.168.13.4 class dhcpclass1
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
bootfile (dhcpv4-pool-config)
The Bootfile command provides a diskless node path to the image file while booting up. Only one file
can be configured for each DHCP pool.
For more information on the BOOTP protocol with reference to the DHCP policy, see bootp
(dhcpv4-server-policy-config) on page 1580.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
bootfile <IMAGE-FILE-PATH>
Parameters
bootfile <IMAGE-FILE-PATH>
<IMAGE-FILE-PATH> Sets the path to the boot image for BOOTP clients. The file name can contain
letters, numbers, dots and hyphens. Consecutive dots and hyphens are not permitted.
Examples
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#bootfile test.txt
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
address 192.168.13.4 class dhcpclass1
bootfile test.txt
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
no on page 1619 Resets the boot image path for the BOOTP clients
bootp (dhcpv4-server-policy-config) on page 1580 Configures BOOTP protocol parameters
ddns (dhcpv4-pool-config)
Configures DDNS (Dynamic DNS) parameters. Dynamic DNS provides a way to access an individual device in a
DHCP serviced network using a static device name.
Depending on the DHCP server’s configuration, the IP address of a device changes periodically. To
ensure continuous accessibility to a device (having a dynamic IP address), the device’s current IP
address is published to a DDNS server that resolves the static device name (used to access the device)
with a changing IP address.
The DDNS server must be accessible from outside the network and must be configured as an address
resolver.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
ddns [domainname|multiple-user-class|server|ttl]
ddns domainname <DDNS-DOMAIN-NAME>
ddns multiple-user-class
ddns server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
ddns ttl <1-864000>
Parameters
ddns domainname <DDNS-DOMAIN-NAME>
ddns multiple-user-class
multiple-user-class Enables the multiple user class options with this DDNS domain
Note: A network host alias maps a name to a single network host. For example, ‘alias
host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single
host ‘1.1.1.100’. For more information, see alias on page 267.
{<IP1>|<HOST-ALIAS-NAME1>} Optional. Configures the secondary DDNS server. If the primary server is not reachable, this server is used.
Use one of the following options to identify the secondary DDNS server:
• <IP> – Specifies the secondary DDNS server’s IP address
• <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the secondary DDNS server’s IP address. The host alias should be existing and configured.
ttl <1-864000> Configures the TTL (Time To Live) value for DDNS updates
• <1-86400> – Specify a value from 1- 864000 seconds.
Examples
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#ddns domainname WID
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#ddns multiple-user-class
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#ddns server 192.168.13.9
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
address 192.168.13.4 class dhcpclass1
ddns server 192.168.13.9
ddns domainname WID
ddns multiple-user-class
bootfile test.txt
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
default-router (dhcpv4-pool-config)
After a DHCP client has booted, the client begins sending packets to its default router. Set the IP
address of one or a group of routers the controller uses to map host names into IP addresses available
to DHCP supported clients. Up to 8 default router IP addresses are supported.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
Parameters
default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
[<IP>|<HOST-ALIAS-NAME>] Configures the primary default router, using one of the following options:
• <IP> – Specifies the primary default router’s IP address
• <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary default router’s IP address. The host alias should be existing and configured.
{<IP1>|<HOST-ALIAS-NAME1>} Optional. Configures the secondary default router, using one of the following options:
• <IP1> – Specifies the secondary default router’s IP address
• <HOST-ALIAS-NAME1> – Specifies a host alias, mapped to the secondary default router’s IP address. If the primary default router is unavailable, the secondary router is used.
Note: A network host alias maps a name to a single network host. For example, ‘alias
host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single
host ‘1.1.1.100’. For more information, see alias on page 267.
Usage Guidelines
The IP address of the router should be on the same subnet as the client subnet.
Examples
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#default-router 192.168.13.8 192.168.13.9
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
address 192.168.13.4 class dhcpclass1
ddns server 192.168.13.9
ddns domainname WID
ddns multiple-user-class
bootfile test.txt
Related Commands
dns-server (dhcpv4-pool-config)
Configures a network’s DNS server. The DNS server supports all clients connected to networks
supported by the DHCP server.
For DHCP clients, the DNS server’s IP address maps the hostname to an IP address. DHCP clients use
the DNS server’s IP address based on the order (sequence) configured.
Supported in the following platforms:
• Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662,
AP8163, AP8432, AP8533
• Wireless Controller — RFS4010
• Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
Parameters
dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
[<IP>|<HOST-ALIAS-NAME>] Configures the primary DNS server, using one of the following options:
• <IP> – Specifies the primary DNS server’s IP address
• <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary DNS server’s IP address