Ws-5000 User Manual

WS5000 Series Switch
System Reference Guide

Copyright
Copyright © 2006 by Symbol Technologies, Inc. All rights reserved.
No part of this publication can be modified or adapted in any way, for any purposes without permission in writing from
Symbol. The material in this manual is subject to change without notice.
Symbol reserves the right to make changes to any product to improve reliability, function, or design.
No license is granted, either expressly or by implication, estoppel, or otherwise under any Symbol Technologies, Inc.,
intellectual property rights. An implied license only exists for equipment, circuits, and subsystems contained in Symbol
products.
Symbol, the Symbol logo are registered trademarks of Symbol Technologies, Inc.
IBM is a registered trademark of International Business Machine Corporation. Microsoft, Windows, and Windows NT are
registered trademarks of Microsoft Corporation. Novell and LAN Workplace are registered trademarks of Novell Inc. Toshiba
is a trademark of Toshiba Corporation. All other product names referred to in this guide might be trademarks or registered
trademarks of their respective companies and are hereby acknowledged.
Patents
This product is covered by one or more of the patents listed on the website: http://www.symbol.com/patents.
Contents
Chapter 1. WS5000 Series Switch Overview

1.1 Key Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
1.1.1 Installation Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
1.1.2 Management Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
1.1.3 Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
1.1.4 Networking Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
1.1.5 Access Port Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
1.2 Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
1.2.1 Physical Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
1.2.1.1 Power Cord Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
1.2.1.2 Power Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
1.2.1.3 Cabling Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
1.2.2 System Status LED Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
1.2.3 10/100/1000 Port Status LED Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
iv WS5000 Series Switch System Reference Guide
1.3 Software Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

1.3.1 Accessing and Configuring the Switch Software. . . . . . . . . . . . . . . . . . . . . . . . 1-8
1.3.2 Switch Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
1.3.3 Access Port Adoption Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
1.3.4 Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
1.3.4.1 Different Dimensions of QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
1.3.4.2 Packet Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
1.3.4.3 Weighted Fair Queuing (WFQ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
1.3.4.4 QoS via Wi-Fi Multimedia Extension (WME). . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
1.3.5 Multi-BSSID and ESSID Access Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
1.3.6 Standby Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
1.3.7 WLAN to VLAN Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
1.4 New Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
1.4.1 WME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
1.4.2 RF Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
1.4.3 GRE Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
1.4.4 Dual DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
1.4.5 SNMP Trap on Config Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
1.4.6 AP to AP Beacons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
1.4.7 DTIM per BSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
1.4.8 WIPS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
1.4.9 CPU Temperature Monitoring in WS5000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
1.4.10 Active Primary Revert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
1.4.11 Access Port Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
1.4.12 Upgrade/Downgrade Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
1.5 Other Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
1.5.1 AP-4131 Port Conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
1.5.2 Automatic Channel Select . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
1.5.3 Event Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
1.5.4 Hot Standby. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
1.5.5 Integrated Radius/AAA ServerRadius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
1.5.6 On-Board DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
1.5.6.1 Configuring DHCP Server using CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
1.5.6.2 Viewing DHCP Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21
1.5.6.3 Importing a dhcpd.conf File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
1.5.6.4 DHCP Option 60 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
1.5.7 On-Board KDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
1.5.8 Rogue AP Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
1.5.9 Simple Network Management Protocol (SNMP) . . . . . . . . . . . . . . . . . . . . . . . 1-23
1.5.10 WTLS VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
v
Chapter 2. Installing the System Image

2.1 Before Installing the Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
2.2 Upgrading the Switch Software to 2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
2.2.1 Upgrading Using the CLI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
2.2.1.1 Upgrading the Switch from 2.0 to 2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
2.2.1.2 Upgrading the Switch from 1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to 2.1. . . . . . . . . . . 2-4
2.3 Recovering from Upgrade Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
2.4 Downgrading from 2.1 to 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
2.5 Downgrading from 2.1 to 1.4.3/1.4.2/1.4.1/1.4.0 . . . . . . . . . . . . . . . . . . . . . 2-14
2.5.1 Running the PreDowngrade Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
2.5.1.1 Executing the Predowngrade Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
2.5.2 Running the Downgrade.exe Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
2.5.3 Downgrading the Image Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
2.5.3.1 Executing the Downgrade Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
Chapter 3. Configuring the WS5000 Series Switch Automatically

3.1 DHCP Auto-install. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
3.2 Command File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
3.3 Command File Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
3.3.1 Event Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
3.3.2 TFTP Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
3.3.3 General Network Configuration and Standby Management . . . . . . . . . . . . . . . 3-4
3.3.4 Kerberos Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
3.3.5 SNMP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
3.3.6 Syslog Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
3.3.7 CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
3.3.7.1 Command File Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
3.4 Upgrading Using AutoInstall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
3.4.1 Using AutoInstall to Upgrade from 2.0 to 2.1 . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
3.4.2 Using AutoInstall to Upgrade from 1.4.X.X/1.4.1.0/1.4.1.1/1.4.2 /1.4.3 to 2.1 3-11
3.4.3 Using AutoInstall to Upgrade From WS5000 Series Switch Build 49 . . . . . . . 3-12
3.4.3.1 Installing the Patch File Automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13
3.5 Manual Auto-install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Chapter 4. Using the WS5000 Series Switch GUI

4.1 Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
4.2 Key Distribution Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
4.2.1 Configuring Master KDC Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
4.2.2 Configuring Slave KDC Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
4.2.2.1 Configuring the KDC Slave. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
4.2.2.2 Configuring the Master KDC to Recognize the Slave . . . . . . . . . . . . . . . . . . . . . . 4-5
vi WS5000 Series Switch System Reference Guide
4.2.3 Creating Kerberos User Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

4.2.4 Setting Kerberos Time Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Chapter 5. Configuring User and Management Authentication

5.1 WS5000 as a RADIUS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
5.2 Configuring an On-board RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
5.2.1 Configuring the Radius Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
5.2.2 Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
5.2.2.1 Importing and Installing CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
5.2.2.2 Uploading Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
5.2.2.3 Configuring LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
5.2.2.4 Configuring Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9
5.2.2.5 Configuring the Radius Accounting Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
5.2.3 Configuring Radius Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12
5.2.3.1 Adding Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
5.2.3.2 Deleting Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
5.2.3.3 Adding Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
5.2.4 Configuring Radius Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
5.3 Configuring Management User Authentication . . . . . . . . . . . . . . . . . . . . . . 5-15
5.3.1 Using External RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
5.3.2 Using On-board RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
5.3.3 Physical Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
5.3.4 Configuring WS5000. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
5.4 LDAP and Certificate Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18
5.4.1 OpenLdap in Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18
5.4.2 User/Group Configuration with LdapBrowser . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
5.4.3 ActiveDirectory in Windows server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
5.4.3.1 LDAP configuration for accessing Openldap/ActiveDirectory . . . . . . . . . . . . . . . 5-19
5.4.4 LDAP Configuration in switch for Active Directory. . . . . . . . . . . . . . . . . . . . . . 5-20
5.4.5 Certificate Management with Win-2003 server. . . . . . . . . . . . . . . . . . . . . . . . 5-21
5.4.5.1 Configuration in MU (client). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
5.4.5.2 Signing certificate request from WS5000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
5.4.5.3 Installing CA & Server Certificate in WS5k: . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
5.5 Configuring Windows Server 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
5.5.1 Installing Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
5.5.2 Configuring Active Directory Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-32
5.5.3 Installing Internet Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-36
5.5.4 Configuring Internet Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . . . 5-40
5.5.5 Testing the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-54
vii
Chapter 6. Configuring Policies

6.1 Configuring Network Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
6.1.1 Classifiers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
6.1.1.1 Creating a Classifier. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
6.1.2 Classification Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
6.1.2.1 Creating a Classification Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
6.1.2.2 Modifying a Classification Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7
6.1.3 Creating a Network Input Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
6.1.4 Creating a Network Output Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
6.1.5 Creating a Network Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13
6.1.5.1 Configuring the Switch from the Default Configuration (Example). . . . . . . . . . . 6-14
6.1.5.2 GUI Configration t oset up a switch (EXAMPLE) . . . . . . . . . . . . . . . . . . . . . . . . . 6-17
6.1.6 Modifying a Network Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-38
6.2 Switch Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-39
6.2.1 Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-39
6.2.1.1 Creating a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-40
6.2.2 Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-47
6.2.2.1 Creating an Access Control List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-48
6.2.2.2 Modifying an Access Control List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-49
6.2.3 WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-50
6.2.3.1 Creating a WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-51
6.2.3.2 Modifying a WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-53
6.2.4 Ethernet Port Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-55
6.2.4.1 Creating an Ethernet Port Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-55
6.2.4.2 Modifying an Ethernet Port Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-58
6.2.4.3 Configuring VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-59
6.2.5 Access Port Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-59
6.2.5.1 Creating an Access Port Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-59
6.2.5.2 Modifying an Access Port Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-64
6.2.6 Setting the Country . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-66
6.2.7 Creating a Switch Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-66
6.2.8 Defining/Activating an Emergency Switch Policy . . . . . . . . . . . . . . . . . . . . . . 6-71
Chapter 7. Configuring Rogue AP Detection

7.1 Configuring Rogue AP Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
7.1.1 Defining the Detection Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
7.1.2 Specifying Detector APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
7.1.3 Configuring Rule Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
7.1.4 Examining Approved and Rogue Access Ports. . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
7.1.5 Viewing Details of the Rogue AP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
7.1.6 SNMP Traps for Rogue AP Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
7.1.7 Rogue AP Syslog Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
viii WS5000 Series Switch System Reference Guide
Chapter 8. CLI Command Reference

8.1 CLI Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
8.1.1 About Contexts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
8.1.2 CLI Indexing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
8.1.3 About Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
8.1.4 Basic Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
8.2 Common Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
8.2.1 .. or end . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
8.2.2 exit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
8.2.3 ? or help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
8.2.4 logout or bye . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
8.2.5 clear. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
8.2.6 emergencymode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
8.2.7 history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
8.2.8 ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
8.3 System Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11
8.3.1 ? or help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11
8.3.2 logout or bye . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
8.3.3 clear. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
8.3.4 configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
8.3.5 copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-13
8.3.6 delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-14
8.3.7 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
8.3.8 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
8.3.9 emergencymode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
8.3.10 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16
8.3.11 history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16
8.3.12 install. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17
8.3.13 logdir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18
8.3.14 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19
8.3.15 ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19
8.3.16 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20
8.3.17 restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21
8.3.18 rfping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21
8.3.19 save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22
8.3.20 service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22
8.4 show commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23
8.4.1 show aaa-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25
8.4.2 show accessports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25
8.4.3 show acl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
8.4.4 show allconfig. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
8.4.5 show appolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
ix
8.4.6 show arp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26

8.4.7 show autoinstalllog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
8.4.8 show ce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-27
8.4.9 show cfghistory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-27
8.4.10 show cg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28
8.4.11 show channelinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28
8.4.12 show chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
8.4.13 show configaccess . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
8.4.14 show ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
8.4.15 show etherpolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
8.4.16 show events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
8.4.17 show ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34
8.4.18 show history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34
8.4.19 show host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34
8.4.20 show https . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34
8.4.21 show interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34
8.4.22 show kdc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35
8.4.23 show knownap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35
8.4.24 show lan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35
8.4.25 show mu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35
8.4.26 show musummary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-36
8.4.27 show np . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-36
8.4.28 show po . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-36
8.4.29 show radius-server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-36
8.4.30 show rfstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-37
8.4.31 show rfthreshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-37
8.4.32 show rogueap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-38
8.4.33 show routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-38
8.4.34 show securitypolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-38
8.4.35 show sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-38
8.4.36 show snmpclients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39
8.4.37 show snmpstatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39
8.4.38 show ssh. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39
8.4.39 show standby . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39
8.4.40 show switchpolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
8.4.41 show sysalerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
8.4.42 show syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
8.4.43 show system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
8.4.44 show telnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-41
8.4.45 show time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-41
8.4.46 show traphosts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-41
8.4.47 show tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-41
8.4.48 show users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-42
x WS5000 Series Switch System Reference Guide
8.4.49 show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-42

8.4.50 show vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-42
8.4.51 show vpnsupportstatus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-42
8.4.52 show wlan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-42
8.4.53 show wme. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43
8.4.54 show WSrfstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43
8.4.55 show wtls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43
8.4.56 show wvpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43
8.5 Configuration (Cfg) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-45
8.5.1 .. or end . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-47
8.5.2 exit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-47
8.5.3 ? or help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-48
8.5.4 logout or bye . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-48
8.5.5 aaa. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-48
8.5.6 accessport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-49
8.5.7 acl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-49
8.5.8 appolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-50
8.5.9 banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-50
8.5.10 ce. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-50
8.5.11 cg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-51
8.5.12 chassis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-51
8.5.13 clear. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-52
8.5.14 copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-52
8.5.15 date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-53
8.5.16 delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-54
8.5.17 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-55
8.5.18 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-55
8.5.19 emergencymode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-56
8.5.20 encrypt. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-56
8.5.21 ethernet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-56
8.5.22 etherpolicy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57
8.5.23 events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57
8.5.24 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-59
8.5.25 ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-59
8.5.26 fw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-60
8.5.27 host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-60
8.5.28 install. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-61
8.5.29 kdc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-61
8.5.30 logdir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-62
8.5.31 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-62
8.5.32 np. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-63
8.5.33 ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-63
8.5.34 po. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-65
xi
8.5.35 purge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-65

8.5.36 radius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-66
8.5.37 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-66
8.5.38 reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-67
8.5.39 restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-67
8.5.40 rougeap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-68
8.5.41 route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-68
8.5.42 runacs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-69
8.5.43 save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-69
8.5.44 securitypolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-69
8.5.45 sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-70
8.5.46 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-70
8.5.47 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-81
8.5.48 shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-81
8.5.49 snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-82
8.5.50 ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-82
8.5.51 ssl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-83
8.5.52 standby . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-83
8.5.53 switchpolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-84
8.5.54 telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-84
8.5.55 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-85
8.5.56 user. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-85
8.5.57 wlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-85
8.5.58 wme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-86
8.5.59 wvpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-86
8.6 AAA Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-88
8.6.1 acct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-88
8.6.2 client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-89
8.6.3 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-89
8.6.4 eap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-90
8.6.5 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-90
8.6.6 ldap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-90
8.6.7 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-91
8.6.8 proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-91
8.6.9 save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-92
8.6.10 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-92
8.6.11 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-93
8.6.12 userdb. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-93
8.7 AAA Client Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-94
8.7.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-94
8.7.2 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-95
8.7.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-95
8.8 AAA EAP Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-96
xii WS5000 Series Switch System Reference Guide
8.8.1 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-96

8.8.2 peap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-97
8.8.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-97
8.8.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-98
8.8.5 ttls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-98
8.9 AAA LDAP Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-100
8.9.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-100
8.9.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-101
8.10 AAA Policy Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-103
8.10.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-103
8.10.2 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-103
8.10.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-104
8.10.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-105
8.11 AAA Proxy Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-106
8.11.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-106
8.11.2 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-107
8.11.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-107
8.11.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-108
8.12 AAA User Database Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-109
8.12.1 group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-109
8.12.2 user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-110
8.13 AAA User Database - Group Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-111
8.13.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-111
8.13.2 adduser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-112
8.13.3 group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-112
8.13.4 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-113
8.13.5 remuser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-113
8.14 AAA User Database - User Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-114
8.14.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-114
8.14.2 adduser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-115
8.14.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-115
8.14.4 remuser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-115
8.14.5 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-116
8.14.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-116
8.15 Access Port (APort) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-118
8.15.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-118
8.15.2 port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-119
8.15.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-120
8.15.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-121
8.16 Access Port Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-123
8.16.1 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-123
8.16.2 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-123
8.16.3 reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-124
xiii
8.16.4 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-124

8.16.5 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-127
8.17 Access Control List (ACL) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-129
8.17.1 acl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-129
8.17.2 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-130
8.17.3 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-130
8.17.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-131
8.18 ACL Instance Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-132
8.18.1 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-132
8.18.2 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-132
8.18.2.1 set name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-133
8.18.2.2 set addItem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-133
8.18.2.3 set remItem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-134
8.18.2.4 set editItem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-134
8.18.2.5 set defaultAction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-134
8.18.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-135
8.19 Access Port Policy (APPolicy) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-136
8.19.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-136
8.19.2 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-137
8.19.3 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-138
8.19.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-138
8.20 Access Port Policy Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-139
8.20.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-139
8.20.2 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-140
8.20.3 map. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-141
8.20.4 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-141
8.20.5 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-142
8.20.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-142
8.20.7 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-143
8.20.7.1 set basicRates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-144
8.20.7.2 set beacon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-145
8.20.7.3 set dTim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-145
8.20.7.4 set nonSpectrumMgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-146
8.20.7.5 set np . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-147
8.20.7.6 set preamble . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-147
8.20.7.7 set rtsThreshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-147
8.20.7.8 set supportedRates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-148
8.20.7.9 set wmm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-149
8.21 Access Port Map Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-150
8.21.1 select . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-151
8.21.2 set bss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-152
8.21.3 set bw. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-152
8.21.4 set primaryWLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-153
8.21.5 unselect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-153
xiv WS5000 Series Switch System Reference Guide
8.21.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-154

8.22 Classifier Context (CE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-155
8.22.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-155
8.22.2 ce. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-156
8.22.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-156
8.22.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-157
8.23 Classifier Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-158
8.23.1 addMC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-158
8.23.2 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-160
8.23.3 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-160
8.23.4 removeMC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-161
8.23.5 setMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-161
8.23.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-162
8.24 Classification Group (CG) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-163
8.24.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-163
8.24.2 cg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-164
8.24.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-164
8.24.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-165
8.25 Classification Group Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-166
8.25.1 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-166
8.25.2 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-167
8.25.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-167
8.25.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-168
8.26 Chassis Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-170
8.26.1 set notify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-170
8.26.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-171
8.27 Ethernet Port Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-172
8.27.1 port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-172
8.27.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-173
8.28 Ethernet Port Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-174
8.28.1 ipAddress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-174
8.28.2 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-175
8.28.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-177
8.29 Ethernet Policy (EtherPolicy) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-178
8.29.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-178
8.29.2 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-179
8.29.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-179
8.29.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-179
8.30 Ethernet Policy Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-181
8.30.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-181
8.30.2 add tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-182
8.30.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-182
8.30.4 remove tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-183
xv
8.30.5 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-183

8.30.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-184
8.30.7 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-185
8.30.8 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-185
8.31 Event Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-186
8.31.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-186
8.31.2 syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-187
8.31.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-187
8.32 Syslog Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-189
8.32.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-189
8.32.2 local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-190
8.32.3 logdir. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-190
8.32.4 logsubsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-191
8.32.5 ping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-192
8.32.6 purgelocal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-192
8.32.7 remlocal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-193
8.32.8 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-193
8.32.9 save local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-194
8.32.10 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-194
8.32.11 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-196
8.32.12 start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-196
8.32.13 stop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-197
8.33 FTP Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-198
8.33.1 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-198
8.33.2 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-198
8.33.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-199
8.34 FW (Firewall) Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-200
8.34.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-200
8.34.2 addnat. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-201
8.34.3 addnp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-202
8.34.4 addpf. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-203
8.34.5 lan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-204
8.34.6 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-204
8.34.7 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-205
8.35 FW Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-207
8.35.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-207
8.35.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-208
8.36 Host Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-209
8.36.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-209
8.36.2 host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-210
8.36.3 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-210
8.36.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-210
8.37 Host Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-212
xvi WS5000 Series Switch System Reference Guide
8.37.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-212

8.37.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-213
8.38 KDC Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-214
8.38.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-214
8.38.2 authenticate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-215
8.38.3 dump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-216
8.38.4 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-216
8.38.5 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-217
8.38.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-219
8.38.7 synchronize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-221
8.39 Network Policy (NP) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-222
8.39.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-222
8.39.2 np. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-223
8.39.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-223
8.39.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-224
8.40 Network Policy Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-225
8.40.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-225
8.40.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-226
8.41 Policy Object (PO) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-228
8.41.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-228
8.41.2 po. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-229
8.41.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-230
8.41.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-230
8.42 Policy Object Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-232
8.42.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-232
8.42.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-234
8.43 Radius Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-235
8.43.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-235
8.43.1.1 set authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-235
8.43.1.2 set primary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-236
8.43.1.3 set secondary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-236
8.43.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-237
8.44 Rogueap Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-239
8.44.1 approvedlist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-239
8.44.2 detectorap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-240
8.44.3 roguelist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-240
8.44.4 rulelist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-240
8.44.5 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-241
8.44.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-242
8.45 Security Policy Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-243
8.45.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-243
8.45.2 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-244
8.45.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-244
xvii
8.45.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-245

8.46 Security Policy Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-246
8.46.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-247
8.46.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-251
8.47 Sensor Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-252
8.47.1 convert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-252
8.47.2 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-253
8.47.3 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-253
8.47.4 revert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-253
8.47.5 sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-254
8.47.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-254
8.48 Sensor Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-256
8.48.1 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-256
8.48.2 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-256
8.48.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-257
8.49 SNMP Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-258
8.49.1 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-258
8.49.2 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-259
8.49.3 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-259
8.49.4 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-260
8.49.4.1 set kdcconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-260
8.49.4.2 set snmptrap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-260
8.49.4.3 set traphost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-261
8.49.5 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-262
8.49.6 v2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-263
8.49.7 v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-263
8.50 v2 Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-264
8.50.1 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-264
8.50.2 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-265
8.50.2.1 set client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-265
8.50.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-265
8.51 v3 Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-267
8.51.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-267
8.51.1.1 set profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-267
8.51.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-268
8.52 SSH (Secure Shell) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-269
8.52.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-269
8.52.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-270
8.53 SSL (Secure Socket Layer) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-271
8.53.1 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-271
8.53.2 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-271
8.53.3 revert certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-272
8.53.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-272
xviii WS5000 Series Switch System Reference Guide
8.54 Standby Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-273

8.54.1 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-274
8.54.2 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-274
8.54.3 set autorevert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-274
8.54.4 set arDelay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-275
8.54.5 set heartbeat. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-275
8.54.6 set mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-275
8.54.7 set mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-276
8.54.8 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-276
8.55 Switch Policy (SPolicy) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-278
8.55.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-278
8.55.2 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-279
8.55.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-280
8.55.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-280
8.56 Switch Policy Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-283
8.56.1 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-283
8.56.2 edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-284
8.56.3 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-284
8.56.4 restrictedchannel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-285
8.56.5 set adoptionList. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-285
8.56.6 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-286
8.56.7 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-287
8.57 Restricted Channel Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-289
8.57.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-289
8.57.2 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-290
8.57.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-290
8.58 Telnet Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-291
8.58.1 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-291
8.58.2 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-292
8.58.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-292
8.58.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-293
8.59 Tunnel Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-294
8.59.1 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-294
8.59.2 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-295
8.60 Tunnel Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-296
8.60.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-296
8.60.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-297
8.61 User Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-298
8.61.2 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-299
8.61.3 user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-300
8.61.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-300
8.62 User Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-302
8.62.2 deny. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-303
xix
8.62.3 password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-303

8.62.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-304
8.63 WLAN Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-305
8.63.2 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-306
8.63.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-307
8.63.4 wlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-307
8.64 WLAN Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-309
8.64.1 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-309
8.64.2 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-310
8.64.3 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-310
8.64.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-311
8.65 WME Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-312
8.65.2 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-314
8.65.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-314
8.65.4 wme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-314
8.66 WME Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-316
8.66.1 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-316
8.66.2 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-317
8.66.3 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-317
8.66.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-318
8.67 WVPN Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-319
8.67.1 auth. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-319
8.67.2 cert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-320
8.67.3 ddns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-321
8.67.4 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-321
8.67.5 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-322
8.67.6 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-322
8.67.7 ip_pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-323
8.67.8 rt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-323
8.67.9 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-324
8.67.10 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-324
8.67.11 wtls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-326
8.68 cert Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-327
8.68.1 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-327
8.68.2 dump cert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-328
8.68.3 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-328
8.68.4 purge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-329
8.68.5 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-329
8.68.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-330
8.68.7 tftpImport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-330
8.69 ddns Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-332
8.69.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-332
8.69.2 clearClientDns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-333
xx WS5000 Series Switch System Reference Guide
8.69.3 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-334

8.69.4 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-334
8.69.5 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-335
8.69.6 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-336
8.69.7 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-336
8.69.8 updateClientDns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-337
8.70 ip pools Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-338
8.70.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-338
8.70.2 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-339
8.70.3 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-339
8.70.4 ip_pools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-340
8.70.5 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-341
8.70.6 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-342
8.70.7 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-342
8.71 rt Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-344
8.71.1 Kill . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-344
8.71.2 Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-345
8.72 wtls Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-347
8.72.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-347
8.72.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-348
Chapter 9. Service Mode CLI

9.1 CLI Service Mode Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
9.1.1 Logging into the Service Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
9.1.2 Basic Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
9.2 SM-WS5000> Command Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
9.2.1 ? or help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
9.2.2 logout or bye . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
9.2.3 exit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
9.2.4 capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
9.2.5 cleanapdbglog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
9.2.6 clear. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
9.2.7 configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
9.2.8 copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
9.2.9 debug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
9.2.10 delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
9.2.11 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
9.2.12 diag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
9.2.13 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
9.2.14 emergencymode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
9.2.15 enablecclog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
9.2.16 execute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
9.2.17 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14
xxi
9.2.18 ftpPasswd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14

9.2.19 getcclogfile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15
9.2.20 install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15
9.2.21 launch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
9.2.22 ledcolor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
9.2.23 logdir. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
9.2.24 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
9.2.25 password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
9.2.26 ping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
9.2.27 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20
9.2.28 restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20
9.2.29 rfping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
9.2.30 save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
9.2.31 setThresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22
9.2.32 shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22
9.2.33 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23
9.2.34 showAPFirmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25
9.2.35 showBuildInfo. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25
9.2.36 showDiskUsage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-26
9.2.37 showHardwareInfo. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-26
9.2.38 showMemUsage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27
9.2.39 showThresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27
9.2.40 watchdogtimer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28
9.2.41 wvpnctl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28
9.3 Diagnosing problems in WS5000/WS5100 Switch. . . . . . . . . . . . . . . . . . . . 9-29
9.3.1 Diagnose User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-29
9.3.2 Finding whether a particular process is running or not . . . . . . . . . . . . . . . . . . 9-30
9.3.3 Encrypt, Launch and Execute commands of Service mode CLI . . . . . . . . . . . . 9-30
9.3.3.1 encrypt Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-30
9.3.3.2 launch Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-30
9.3.4 execute Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-30
Chapter 10. Antennas and Power
Chapter 11. Converting AP-4131 Access Points to RF Ports

11.1 AP-4131 Features in the WS5000 Series Switch . . . . . . . . . . . . . . . . . . . . 11-2
11.1.1 AP-4131 Port Adoption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
11.1.2 AP-4131 Radio Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
11.1.3 Multiple BSS and ESS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
11.1.4 Rate Scaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
11.1.5 AP-4131 Features Unavailable after Conversion . . . . . . . . . . . . . . . . . . . . . . 11-2
11.2 Converting AP-4131 to Access Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
xxii WS5000 Series Switch System Reference Guide
11.2.1 Updating the Access Point Firmware Using the TFTP Program . . . . . . . . . . . 11-3
11.2.2 Updating the Access Point Firmware Using the XMODEM . . . . . . . . . . . . . . 11-3
11.2.3 Adding an Access Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
11.2.4 Mapping BSS and ESS IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
11.3 Reverting to Access Point Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
11.4 WS5000 Switch Applet Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5
Chapter 12. Configuring the WS5100 WTLS VPN

12.1 Onboard DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
12.2 On Board VPN server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
12.2.1 DHCP Relay and VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
12.2.2 Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4
12.2.3 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5
12.2.3.1 PKI and PKCS12 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5
12.2.4 WVPN Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
12.2.4.1 Simple Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
12.2.4.2 RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
12.2.4.3 IP Pool configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7
12.2.4.4 Certificate configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9
12.2.4.5 VPN Session License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
12.2.5 AES versus 3DES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
12.2.6 Wireless Transport Layer Security (WTLS). . . . . . . . . . . . . . . . . . . . . . . . . . 12-12
12.2.6.1 WTLS versus IPSec. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12
12.2.6.2 WTLS configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12
12.3 VPN Session Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-14
12.3.1 Switch Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-14
12.3.2 WVPN Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15
12.3.3 Starting VPN Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16
12.3.4 Client Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17
12.3.4.1 Installing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17
12.3.5 Testing VPN Session Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17
12.3.6 TroubleShooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-18
12.4 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-19
12.5 Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20
12.5.1 Twice NAT Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21
Chapter 13. Neighboring APs

13.1 ccPortalBeaconRptTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
13.2 ccMuProbeRptTable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
13.3 Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
xxiii
Chapter 14. Enhanced RF Statistics

14.1 ccApTable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1
14.2 ccPortal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
14.2.1 ccPortalTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
14.2.2 ccPortalLast Mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4
14.2.3 ccPortalLastReason . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4
14.2.4 ccPortalSystemStatsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4
14.2.5 ccPortalStatsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
14.2.6 ccPortalRxPktsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6
14.2.7 ccPortalTxPktsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6
14.2.8 ccPortalRxOctetsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7
14.2.9 ccPortalTxOctetsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-8
14.2.10 ccPortalTxRetriesPktsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9
14.2.11 ccPortalTxRetriesOctetsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-10
14.2.12 ccPortalSigStatsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-12
14.2.13 ccPortalSumStatsShortTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13
14.2.14 ccPortalSumStatsLongTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-16
14.3 ccMus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-19
14.3.1 ccMuInfoTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-19
14.3.2 ccMuStatsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-19
14.3.3 ccMuRxPktsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-20
14.3.4 ccMuTxPktsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-21
14.3.5 ccMuRxOctetsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-22
14.3.6 ccMuTxOctetsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-22
14.3.7 ccMuTxRetriesTable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-23
14.4 ccMuRfSum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-24
14.4.1 ccMuTxRetriesOctetsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-24
14.4.2 ccMuSigStatsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-25
14.4.3 ccMuSumStatsShortTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-26
14.4.4 ccMuSumStatsLongTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-28
14.5 RF-Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-30
14.6 Explanation of Enhanced RF Statisitcs. . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-32
14.6.1 A Sample Usage Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-38
14.6.1.1 Watching min, max, or average is not enough . . . . . . . . . . . . . . . . . . . . . . . . 14-42
14.6.1.2 Who calculates Standard Deviation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-43
14.6.1.3 How is Standard Deviation calculated from running sums? . . . . . . . . . . . . . . 14-44
Chapter 15. AP-300 Sensor Conversion

15.1 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1
15.1.1 Sensor Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1
15.2 Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2
15.2.1 Sensor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2
xxiv WS5000 Series Switch System Reference Guide
15.2.2 Sensor Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2

15.2.3 Sensor Revert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3
15.3 GUI and CLI Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3
15.3.1 Converting an AP300 into a Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3
15.3.2 Converting an Sensor into AP300 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-7
Chapter 16. Syslog and Traps

16.1 List of Traps and Syslog Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1
Chapter 17. DDNS

17.1 Update Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-1
Appendix A. DOM Firmware Upgrade
Appendix B. DTIM Interval per BSS
Appendix C. AP300 LED Codes
Appendix D. Customer Support

About this Guide
This preface introduces the WS5000 Series Switch System Reference Guide and contains the following
sections:
• Who Should Use this Guide
• How to Use this Guide
• Conventions Used in this Guide
• Service Information
Who Should Use this Guide

The WS5000 Series Switch System Reference Guide is intended for system administrators responsible for the
implementing, configuring, and maintaining the WS5000 Series Switch within the wireless local area network.
It also serves as a reference for configuring and modifying most common system settings. The administrator
should be familiar with wireless technologies, network concepts, ethernet concepts, as well as IP addressing
and SNMP concepts.
xxvi WS5000 Series Switch System Reference Guide
How to Use this Guide

This guide will help you implement, configure, and administer the WS5000 Series Switch and associated
network elements. This guide is organized into the following sections:
Table 1 Quick Reference on How This Guide Is Organized
Chapter Jump to this section if you want to...
Chapter 1, “WS5000 Series Review the overall feature set of the WS5000 Series Switch, as well as the many
Switch Overview” configuration options available.
Chapter 2, “Installing the Install the System Image. This includes uploading the system image to a TFTP server,
System Image” deleting prior configuration or system files, saving a backup version of the existing
configuration, and uploading the system image file, and restoring the site
configuration file.
Chapter 3, “Configuring the Review details about the Command File, its syntax, options, specific settings, and an
WS5000 Series Switch example.
Automatically”
Chapter 4, “Using the Learn about working within the WS5000 Series Switch GUI to perform most daily
WS5000 Series Switch GUI” administration tasks for the switch and its associated devices.
Chapter 5, “Configuring User Configure the Radius server (for both User and Management authentication).
and Management
Authentication”
Chapter 6, “Configuring Configure network policies and switch policies.

Policies”
Chapter 7, “Configuring Configure rogue access port (an access port in the network that is not valid and might
Rogue AP Detection” be unsafe) detection.
Chapter 8, “CLI Command Review the CLI command reference for all configuration command details, for when
Reference” the administrator will use the CLI interface instead of the GUI interface.
Chapter 9, “Service Mode Review the CLI command reference for all the service mode command details for use
CLI” in debugging and problem resolution while troubleshooting the WS5000 Series
Switch configuration.
Chapter 10, “Antennas and Review antenna and power settings for numerous field installation demographics.
Power”
Chapter 11, “Converting AP- Convert the AP-4131 access point to WS5000 RF ports.
4131 Access Points to RF
Ports”
Chapter 12, “Configuring the Configure WS5100 WTLS VPN.

WS5100 WTLS VPN”
Chapter 13, “Neighboring Configure AP to AP beacon using SNMP.

APs”
Chapter 14, “Enhanced RF Learn about RF Stats configuration.

Statistics”
Chapter 15, “AP-300 Sensor Learn about the concepts and functionality of AP300 Sensor conversion.
Conversion”
xxvii
Table 1 Quick Reference on How This Guide Is Organized (Continued)

Chapter Jump to this section if you want to...
Chapter 16, “Syslog and See all the syslog and traps generated by WS5000 2.1.
Traps”
Chapter 17, “DDNS” Learn about the DDNS updateall mechanism.
Appendix , “DOM Firmware Learn about the new DOM firmware upgrade implemented in this release.
Upgrade”
Appendix , “DTIM Interval per Learn about the new DTIM interval per BSS implemented in this release.
BSS”
Appendix , “AP300 LED Learn about the AP300’s LED color code functionality.
Codes”
Appendix , “Customer Contact the customer support department for any queries.
Support”
Conventions Used in this Guide

This section describes the following topics:
• Annotated Symbols
• Notational Conventions
Annotated Symbols
Note This symbol signals recommended behavior or reference information that

might be important to consider. It may include tips or special requirements.
IMPORTANT! THIS SYMBOL SIGNALS INFORMATION ABOUT A PROCESS OR CONDITION
! THAT COULD CAUSE DAMAGE TO EQUIPMENT, INTERRUPTION OF SERVICE, OR LOSS OF

DATA.
Warning! This symbol indicated information about conditions that could

cause bodily injury. Before working on any equipment, be aware of
physical and electrical hazards and follow practices for preventing
accidents.
xxviii WS5000 Series Switch System Reference Guide
Notational Conventions
The following notational conventions are used in this document:
• Italics are used to highlight specific items in the general text, and to identify chapters and sections in
this and related documents.
• Bullets (•) indicate:
• action items
• lists of alternatives
• lists of required steps that are not necessarily sequential
• Sequential lists (those describing step-by-step procedures) appear as numbered lists.
Service Information
If a problem with is encountered with the WS5000 Series Switch, contact Symbol Customer Support. See
Symbol’s Web site (http://www.symbol.com/services/online_support/online_support.html) for Symbol
Customer Support contact information and policies.
Note Before calling Symbol Customer Support, have the model number and serial
number for the WS5000 Series Switch on hand.
If the problem cannot be solved over the phone, you may need to return your equipment for servicing. If that is
necessary, you will be given specific directions.
Symbol Technologies is not responsible for any damages incurred during shipment if the approved shipping
container is not used. Shipping the units improperly can possibly void the warranty. If the original shipping
container was not kept, contact Symbol to have another sent to you.
WS5000 Series Switch Overview
The WS5000 Series Switch provides a centralized management solution for wireless networking components
across the wired network infrastructure. Unlike traditional wireless network infrastructures that reside at the
edge of a network, the switch uses centralized, policy-based management for all devices on the wireless
network.
The switch connects to the network through the Ethernet and a Layer 2 switch or hub. The access ports are
connected to a POE-enabled hub which is connected to a Layer 2 switch or hub on the network.
The switch functions as the center of the wireless network. The access ports function as radio antennas for
data traffic management and routing. All of the system configuration and intelligence for the wireless network
resides in the switch.
The switch uses access ports to bridge data from the associated wireless devices to the wireless switch. The
wireless switch applies policies to the data packets before routing them to their destinations. Data packets
destined for devices on the wired network are processed by the switch where appropriate policies are applied
before they are encapsulated and sent to their destination.
1-2 WS5000 Series Switch System Reference Guide
Access port configuration is managed by the switch through the Graphical User Interface (GUI) or the Command
Line Interface (CLI). A WS5000 Series Switch streamlines management of a large wireless system and allows
for network management features such as Quality of Service (QoS), virtual WLANs and packet forwarding.
1.1 Key Features

WS5000 Series Switch includes a robust set of features. These features are briefly listed and described in the
following sections:
• Installation Features
• Management Features
• Security Features
• Networking Features
• Access Port Support
1.1.1 Installation Features

A WS5000 Series Switch includes the following installation features:
• Single file upgrade
• Automatic installation and configuration of local or remote wireless switches using a command file.
• Automatic discovery and adoption of access ports
• Upgrade/downgrade using auto-install script.
1.1.2 Management Features

WS5000 Series Switch includes the following security features:
• Policy-based centralized management
• Secure browser-based management console
• Command Line Interface (CLI) is accessible via a Telnet session through the serial port or through a
secure shell (SSH) application
• CLI service mode enables the capture of system status information that can be sent to Symbol personnel
for use in problem resolution
• “Emergency override” enables the definition of an Emergency Switch Policy that can be activated when
required without system interruption
• Kerberos principal file can update the wireless switch’s internal KDC
• Support for Simple Network Management Protocol (SNMP) version 3 as well as SNMP version 2
(including SNMP version 1 support).
• TFTP upload and download of access port firmware and configuration files
• Each access port can support multiple WLANs (with the exception being FH APs)
• System redundancy with auto-revert
• CPU temperature and fan monitoring
WS5000 Series Switch Overview 1-3
• IP-Redirect VoIP
• Multicast support
• DFS/TPC jumbo packet
• Support for Proxy ARP statistics applet operation with Sun JRE
• Service mode features
• The WS5000 Series Switch GUI applet only supports Sun Java Runtime Environment (JRE) including the
Sun Java Virtual Machine (JVM). Support for the Microsoft Virtual Machine is discontinued with the 1.4
release and WS5000 Series Switch. This is an extension of the JRE support changes implemented in
1.4. The Sun JRE version support on Windows platforms is JRE 1.4.2_06 or greater. JRE 5.0 Update 2 is
recommended.
1.1.3 Security Features

A WS5000 Series Switch includes the following security features:
• On-board Radius server
• Rogue AP detection
• VPN functionality with an integrated DHCP server, firewall, Twice NAT, and integrated VPN server
• Remote administrator login authentication via external Radius server
• MAC address-based access control list
• WEP 40/128
• KeyGuard Mobile Computing Mode (MCM) support (Symbol’s TKIP encryption implementation based on
the 802.11i standard)
• Wi-Fi Protected Access (WPA) support with Temporal Key Integrity Protocol (TKIP)
• Optional broadcast key rotation support, which improves broadcast traffic security
• On-board Kerberos Key Distribution Center (KDC) v5 on WNMP
• EAP/TLS on 802.1x
• VLAN segregation
• No serial interface on the access ports to prevent tampering
• Multiple ESSID/BSSID for AP 100, AP-4121 and AP-4131 access point conversions
• Secure beacon
• Mobile unit to mobile unit disallow or drop
• PSP support for mobile units
• Proxy ARP
• AES WPAII
• Short preamble support
• Load balancing
• International roaming
• Power over Ethernet capability
• 802.1Q functionality and interoperability

• Report to cell controller tuning
• Mobile unit roaming between RF ports
• RF port adoption
• 802.1p support
1.1.4 Networking Features

A WS5000 Series Switch includes the following networking features:
• Quality of service (QoS) support, including:
• 802.1p support
• DiffServ (advanced TOS)
• Multiple Tx power settings
• Bandwidth allocation
• Congestion management
• Customizable classifiers and classification groups (packet filters)
• Support for VLANs and virtual WLANs
• IP redirection
• Ethernet load balancing
• DHCP option 60 support
• Layer 2 filtering
• Layer 3 filtering
• Multiple WLAN
1.1.5 Access Port Support

Access ports work on any VLAN with connectivity to the wireless switch. The WS5000 Series Switch supports
the following access ports:
• AP 100 (supports 802.11b)
• AP 300 (supports 802.11a/b/g)
• Access points converted to access ports, including:
• AP 4131
• AP 4121
• AP-3020, AP-3021
1.2 Hardware Overview

A WS5000 Series Switch contains types of hardware: a wireless switch and a set of access ports.
The wireless switch is a rack-mountable device that manages all inbound and outbound traffic on the wireless
network. It provides security, network services, and system management applications.
Unlike traditional wireless infrastructure devices that reside at the edge of a network, the WS5000 Series
Switch uses centralized, policy-based management to apply sets of rules or actions to all devices on the
wireless network. It collects management “intelligence” from individual access points and moves the collected
information into the centralized wireless switch. Then, it replaces the access points with “dumb” radio
antennas called access ports.
Access ports (APs) are 48V power-over-Ethernet devices that are connected to the WS5000 Series Switch by
an Ethernet cable. An access port receives 802.11x data from mobile units and forwards this data to the switch,
which applies the appropriate policies and routes the packets to their destinations. Depending on the model,
an AP can support as many as 16 WLANs.
Access ports do not have software or firmware upon initial receipt from the factory. When the access port is
first powered on and cleared for the network, the wireless switch initializes the access port and installs a small
firmware file automatically. Therefore, installation and upgrades of firmware is automatic and transparent.
1.2.1 Physical Specifications

The physical dimensions and operating parameters for the WS5000 Series Switch are:
Width 48.1 cm / 18.93 in. (with mounting brackets)

42.9 cm / 16.89 in. (without mounting brackets)
Height 4.39 cm / 1.73 in.
Depth 40.46 cm / 15.93 in.
Weight 6.25 kg / 13.75 lbs.
Max Power Consumption 100 VAC, 50/60 Hz, 3A

240 VAC, 50/60 Hz, 1.5A
Operating Temperature 10°C - 35°C / 50°F - 95°F
Operating Humidity 5% - 85% without condensation
1.2.1.1 Power Cord Specifications

A power cord is not supplied with the device. Use only a correctly rated power cord certified for the country of
operation.
1.2.1.2 Power Protection

To best protect the WS5000 series switch from unexpected power surges or other power-related problems,
ensure the system installation meets the following power protection guidelines:
• If possible, use a circuit that is dedicated to data processing equipment. Commercial electrical
contractors are familiar with wiring for data processing equipment and can help with the load balancing
of these circuits.
• Install surge protection. Use a surge protection device between the electricity source and the WS5000
Series Switch.
• Install an Uninterruptible Power Supply (UPS). A UPS provides continuous power during a power outage.
Some UPS devices have integral surge protection. UPS equipment requires periodic maintenance to
ensure reliability. A UPS of the proper capacity for the data processing equipment must be purchased.
1.2.1.3 Cabling Requirements

Two Category 6 Ethernet cables (not supplied) are required to connect the switch to the LAN and the WLAN.
The cables are used with the two Ethernet ports on the front panel of the device.
The console cable shipped with the switch is used to connect the switch to a computer running a serial
terminal emulator program to access the switch’s Command Line Interface (CLI) for initial configuration. Initial
configuration steps are described in the WS5000 Series Switch Installation Guide.
1.2.2 System Status LED Codes

A WS5000 Series Switch has two LEDs on the front panel, adjacent to the RJ45 ports. The System Status LEDs
display three colors—blue, amber, or red —and three “lit” states—solid, blinking, or off. Table 1.1 decodes
the combinations of LED colors and states.
Table 1.1 System Status LED Codes

Event Top LED Bottom LED
System Start Up LED Codes
Power off Off Off
Power On Self Test (POST) running All colors in rotation All colors in rotation
POST succeeded Blue solid Blue solid
Software initializing Blue solid Off
Software initialized Blue blinking Off
Configured as a Primary Switch
Active Blue blinking Blue solid
Monitoring Blue blinking Amber solid
Standby missing or not enabled Blue blinking Off
Inactive Amber blinking Blue blinking
Configured as a Standby Switch
Active (acting as primary) Blue blinking Blue blinking
Monitoring Blue blinking Amber solid
Standby not enabled Blue blinking Off
Inactive Amber blinking Amber blinking
Error Codes
Table 1.1 System Status LED Codes (Continued)

Event Top LED Bottom LED
POST failed (critical error) Red blinking Red blinking
Software initialization failed Amber solid Off
Country code not configureda Amber solid Amber blinking
No access ports have been adopted Blue blinking Amber blinking
Primary inactive or failed Amber blinking Blue blinking

a. During first time setup, the LEDs will remain in this state until the country code is configured.
1.2.3 10/100/1000 Port Status LED Codes

A WS5000 Series Switch includes two indicators for the RJ-45 ports:
• Upper left (amber/green) for link rate
• Upper right (green) for link activity
Table 1.2 provides additional information about the status of the 10/100/1000 Port Status LED codes.
Table 1.2 10/100/1000 Port Status LED Codes
LED State Meaning
Upper left Off 10 Mbps link rate
Green steady 100 Mbps link rate
Amber steady 1 Gigabit link rate
Upper right Off The port isn’t linked
Green steady The port is linked
Green blinking The port is linked and active
1.3 Software Overview

This section provides an overview of the WS5000 Series Switch software and features. It contains:
• 1.3.1 Accessing and Configuring the Switch Software on page 8
• 1.3.2 Switch Policies on page 8
• 1.3.3 Access Port Adoption Process on page 9
• 1.3.4 Quality of Service on page 9
• 1.3.5 Multi-BSSID and ESSID Access Ports on page 13
• 1.3.6 Standby Management on page 14
• 1.3.7 WLAN to VLAN Mapping on page 14
1.3.1 Accessing and Configuring the Switch Software

To access and configure the WS5000 Series Switch administration controls and options, the administrator can
access a CLI through a Telnet session, or log into a Web-based graphical user interface.
The CLI is accessible via Telnet, through the console port on the front of the wireless switch, or through a SSH
application (which enables protected access to the switch over the CLI). All configuration and management
functions can be performed through the CLI.
The Web-based graphical user interface (GUI) can be accessed securely from any Web browser on the
network. The GUI provides tools to configure and maintain the wireless system. It also provides real-time
graphs for displaying system load and traffic on the wireless network.
1.3.2 Switch Policies

A WS5000 Series Switch uses a set of rules, or “policies,” to configure the wireless LAN (WLAN), the access
ports that it adopts, and to integrate the wired LANs and VLANs. The policy-based management architecture
lets a network administrator create a class of service (CoS) by defining network access, type of WLAN security,
and quality of service (QoS) for a group of users.
Figure 1.1 displays the WS5000 Series Switch principal policies. The following section describes these
policies:
• Switch Policy – Acts as a container for all the other policies. It also contains an adoption list, which
controls the types of access ports (APs) that can be adopted.
• Ethernet Port Policy – Configures the switch’s Ethernet ports, and associates multiple WLANs with
multiple LANs or VLANs. There are two Ethernet ports on WS5000 Series Switches. By convention, port
1 (the left port) connects to the wireless LAN, and port 2 (the right port) connects to the wired LAN.
• Access Port Policy – Defines access port configuration details such as an APs beacon interval, RTS
threshold, and its set of supported data rates. The AP policy is also responsible for adding WLANs to
the AP and for attaching a security policy, access control list, and network policy (or packet filter) to each
AP.
• WLAN Policy – Defines attributes (such as ESS ID, beacon rate, DTIM interval) applied to mobile units
on a portion of the wireless LAN.
• Security Policy – Defines the authentication and encryption methods used to secure communication
between the WS5000 Series Switch and the mobile units through the APs. Each WLAN can have a
different security policy associated with it.
• Network Policy – Filters and prioritizes packets as they are sent across the wireless network. it can
reject packets completely. Use the network policy to implement QoS and types of service (ToS) protocols.
Figure 1.1 Principal Policies of a WS5000 Series Switch
1.3.3 Access Port Adoption Process

The process in which the WS5000 Series Switch takes on a 802.11 access port and configures it is called
adoption. It includes configuring adoption lists, loading the firmware image on the access port, and configuring
the access port radios according to the switch policy.
The adoption process works as follows:
1. The access port sends a packet to the wireless switch to provide a way for the switch to declare its
intention to adopt.
2. If the switch can adopt the access port, it replies with a message indicating its intention to adopt.
3. After the access port receives the message, it requests a firmware image download.
4. After the firmware image downloads, the access port sends a configuration request packet from the
MAC address of each of its radios. The configuration request informs the switch of the radio
capabilities, including the radio MAC address, radio type, radio serial number, and whether the radio is
equipped with an internal or external antenna.
5. The switch checks the adoption list for policies and configures the radios accordingly. The power,
channel (or if Automatic Channel Selection is enabled—a set of legal channels), BSS IDs, ESSIDs, and
data rates are configured.
1.3.4 Quality of Service

QoS is used to give a user or an application relative precedence or priority over another. QoS applies in the
case of congestion that may occur from excessive traffic or different data rates and link speeds—10 Mbps
Ethernet, 100 Mbps Ethernet, 11 Mbps Wireless, and so on—that exist in the same network.
If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a
very high cost), then applying QoS has very little value. When total bandwidth is shared by different users and
applications, QoS is required to provide policy enforcement for mission-critical applications and/or users that
have critical bandwidth requirements.
1.3.4.1 Different Dimensions of QoS

Different methods of QoS are applied for distinction between users and applications. The two main categories
are:
• QoS via Queuing – A network shared by different users such as in a revenue-based, shared office
building or a public hotspot is implemented with Service Level Agreements (SLA) based on how much
each group of users pay for bandwidth. In this case, one or all points of aggregation, such as the switch
and some high-end routers or policy managers, can allocate different percentages of the total
bandwidth to different groups of users through the use of queues. Bandwidth allocation can also be
further divided and applied to different applications again using Queues.
• Application QoS via Packet Marking – A network or a portion of the allocated bandwidth can be shared
by different applications. Voice communication (for example) can be more latency-sensitive or more
mission-critical than others. In this case, a priority is assigned to the traffic by adding the appropriate
QoS marking or tags to network traffic to provide higher precedence while the data is passed through
points of aggregation—routers, switch(es), and gateways—and the medium of transfer. Packet marking
provides configurable upstream devices and helps QoS end-to-end.
1.3.4.2 Packet Filtering

Packet filtering allows or discards packets matching certain criteria defined by Classification Groups (CG) on
an output packet port. Classification groups on an output port are defined with allow decisions, discard
decisions or a combination of both. A CG defined with an allow condition is associated with a priority number
in the range of 0 – 7, seven being the highest priority. shows the types of packet filtering that the WS5000
Series Switch supports.
Table 1.3 Packet Filters Supported
Packet filter Filters
MACsource Source MAC addresses.
MACdestination Destination MAC addresses.
ethertype Ethernet specifier: Speed.
vlanid Virtual LAN IDs
userpriority User Priority
protocol Protocol Type
tos Type of Service
IPsource Source IP
IPdestination Destination IP
sourceport Source Port
destinationport Destination Port.
MCMask Destination multicast group MAC address.

1.3.4.3 Weighted Fair Queuing (WFQ)

Weighted Fair Queuing (WFQ) enables a mechanism on the switch that uses up to eight queues to store data—
network packets—and prioritize RF transmission to and from MUs depending on the data type. After the
switch classifies the data (as voice or data), WFQ stores the packets (assuming the network traffic demands
that the data be queued by data type) and then transmits the packets at a rate specified by the WFQ allocation
percentage setting.
You can assign WFQs to classification groups. There is a WFQ for inbound traffic. WFQ for a classification
group must have a nonzero value to enable the classification group.
Note You can use WFQ to prioritize only UDP traffic along with the filters.
WFQ uses one queue for each classification group, up to eight queues total, and one queue for all other data.
For example, if the network has only one classification group for VoIP and no other groups, then WGQ
automatically uses two queues: one for VoIP and the other for all other data (data not defined in the
classification group). Each additional classification group uses another queue and keeps one queue open for
other data.
The allocation setting determines the percentage of available network bandwidth for data from a classification
group. For example, if the WFQ allocation for VoIP data is set to 80%, then the switch sends four packets of
VoIP data every one packet of other data during periods of network congestion.
WFQ is implemented for the different types of traffic on the same ESSID and Access Port (AP) as well as
between different ESSIDs on the same AP. This implementation shares voice and non-voice traffic across
different network paths, thereby balancing the traffic load. A large volume of non-voice traffic on one ESSID
does not deplete the voice traffic on another ESSID on the same AP.
1.3.4.4 QoS via Wi-Fi Multimedia Extension (WME)

Quality of Service (QoS) is required to support multimedia applications and advanced traffic management.
WME (Wi-Fi Multimedia Extension) adds prioritized QoS capabilities to Wi-Fi networks and optimizes their
performance when multiple concurring applications, each with different latency and throughput requirements,
compete for network resources.
By using WME, end-user satisfaction is maintained in a wider variety of environments and traffic conditions.
WMM provides prioritized media access and is based on the Enhanced Distributed Channel Access (EDCA)
method.
It defines four priority classes to manage traffic from different applications:
• Voice
• Video
• Best effort,
• Background
Typically, networks operate on a best-effort delivery basis. All traffic has equal priority and an equal chance of
being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Applications such as voice, video and music streaming, and interactive gaming generate data streams that
have strict latency and throughput requirements. To ensure a good user experience, traffic from different
applications has to be managed and prioritized using QoS.
When QoS is configured on the switch, users can select specific network traffic, prioritize it, and use
congestion management and congestion avoidance techniques to provide preferential treatment.
Implementing QoS on wireless LANs makes network performance more predictable and bandwidth utilization
more effective. The benefits of QoS become more obvious as the load on the wireless LAN increases, keeping
the latency, jitter, and loss for selected traffic types within an acceptable range.
WMM introduces traffic prioritization capabilities based on the four “Access Categories" (AC). In the default
configuration, the higher the access categories, the higher the probability to transmit.
The ACs were designed to correspond to 802.1d priorities to facilitate interoperability with QoS policy
management mechanisms, such as UPnP.
Table 1.4
Access Category Description 802.1d Tags
WMM Voice Highest priority. 7,6

(AC 3) Allows Multiple concurrent VoIP calls, with low latency and toll voice
quality.
WMM Video Prioritize video traffic above other data traffic. 5,4
(AC 2) One 802.11g or 802.11a channel support 3-4 SD TV streams or 1 HDTV
stream.
WMM Best Effort Traffic from legacy devices, traffic from applications or device that lack 0,3
(AC 1) QoS capabilities.
Traffic less sensitive to latency, but effected by long delays, such as
internet browsing.
WMM Background low priority traffic (file downloads, print jobs) tat do not have strict 2,1
(AC 0) latency and throughput requirements.
The Access Category of a packets is part of the 802.11 header.

Packets from the wired side to WLAN do not contain any AC information. This traffic is classified into one of
the four WMM ACs:
• If it contains VLAN tags/DSCP priority, use this information to obtain the AC
• In addition, existing classifiers (CE/CG) can be used to match traffic of a particular type, it can be
assigned to an AC as an action.
Traffic from a WMM enabled WLAN, when sent to RON (rest of network) retains the priority information in the
VLAN tag (if present) as well as the IP header (if an IP packet). Mapping from AC to 802.1d tags is according
to WMM standards.
Packets not assigned to a specific AC are categorized by default as having best effort priority.
WME can be enabled on a per AP policy basis as well as on a per WLAN basis. A WLAN will use WME only
if both the WLAN, as well as the AP Policy it is under have WME enabled. By default, WME is disabled in
WLANs as well as AP Policies.
WME is only supported on AP300s. WMM enabled switches/ APs coexist with legacy devices (devices that
are not WMM-enabled).
The default WME AC parameters (which determines the prioritization of traffic under each AC) are as specified
by the WME standard. The configuration of each AC can be modified. Four parameters can be configured per
AC: CWmin, CWmax, AIFSN and TXOP. The parameters are explained below
AC Parameters
Packets are then added to one of four independent transmit queues (one per AC; i.e., voice, video, best effort,
or background) in the AP. The AP has an internal collision resolution mechanism to address collision among
different queues, which selects the frames with the highest priority to transmit. The same mechanism deals
with external collision, to determine which client should be granted the “Opportunity to Transmit” (TXOP).
The collision resolution algorithm that is responsible for traffic prioritization is probabilistic and depends on
two timing parameters that vary for each AC.
• The minimum interframe space, or Arbitrary Inter-Frame Space Number (AIFSN)
• The Contention Window (CW), sometimes referred to as the Random Backoff Wait.
Both values are smaller for high-priority traffic.
For each AC, a backoff value is calculated as the sum of the AIFSN and a random value from zero to the CW.
• The value of the CW varies through time.
• Initially the CW is set to a value that depends on the AC (CWmin)
After each collision, the CW is doubled until a maximum value (CWmax), also dependent on the AC, is reached.
• After successful transmission, the CW is reset to its initial, AC dependant value.
The AC with the lowest backoff value gets the TXOP.
• As frames with the highest AC tend to have the lowest backoff values, they are more likely to get a TXOP.
Once a client gains a TXOP, it is allowed to transmit for a given time depending on the AC and the PHY rate.
• TXOP limit ranges from 0.2 ms (background priority) to 3 ms (video priority) in an 802.11a/g network, and
from 1.2 ms to 6 ms in an 802.11b network.
• This bursting capability greatly enhances the efficiency for high data rate traffic, such as AV streaming.
• Also, the devices operating at higher PHY rates are not penalized when devices that support only lower
PHY rates (e.g. because of distance) contend for medium access.
1.3.5 Multi-BSSID and ESSID Access Ports

In a networked wireless environment, multiple access ports are connected to a WS5000 Series Switch to
provide RF connectivity to MUs. Each access port radio sends and receives RF signals over a range of space,
the Basic Service Set (BSS). The BSS coverage area is identified by a Basic Service Set Identifier (BSSID).
The access port beacon contains its BSSID, which enables the MU to recognize the access port and associate
with it. Extended Service Sets (ESS) are a logical group of BSSs. ESSs virtualize or increase the number of BSS
radio signals.
The beacon contains information about the access port and the network, which enables the MU to rank access
ports based on the received signal strength. The beacon can optionally include the Extended Service Set
Identifier (ESSID). MUs associate with the most preferable access port in the coverage area.
After association, the MU continues to scan for other beacons to ensure that it is receiving the best, continuous
signal strength, in case the signal from the currently associated access port becomes too weak to maintain
communications as the MU moves through the area.
Most access ports support multiple BSSs (see Access Port Support on page 1-4). MUs sense each unique BSS
as a separate radio signal. Access ports with multiple BSSs solve performance and security issues by isolating
broadcast traffic on a specific BSS rather than sending broadcasts to all BSSs. This enables MUs to save
battery power by sensing only for their specific BSS rather than all traffic. An access port with multiple BSSs
provides the same functionality as four single-BSS Access Points and requires less time for installation and
configuration.
Network administrators add WLANs to BSSs. The BSSIDs are mapped to ESSIDs by default. However, the
network administrator can optionally change default settings. The network administrator can map each BSSID
to multiple ESSIDs, so the radios on the access ports support multiple WLANs.
As RF traffic changes over time or the MU roams, the MU searches for access ports that have a matching
ESSID. The MU associates with an access port with the same ESSID to synchronize communication. As the
MU roams from coverage area to coverage area, it switches between access ports.
The MU switches between access ports when the MU analyzes the reception quality at a location and decides
to communicate with another access port based on the best signal strength and lowest MU load distribution.
The AP 100, AP 200, AP 300, AP 4121 and AP 4131 access ports support multiple ESSIDs.
1.3.6 Standby Management

“Failover” or Standby Management enables the network administrator to significantly reduce the chance of a
disruption in service to the switch and associated MUs by placing one or more additional WS5000 Series
Switches as backup to a Primary wireless switch if it fails.
After configuring a Primary and Standby switch, the Primary switch issues a Discovery packet on each
configured interface. Assuming there is a properly configured Standby switch, the Standby receives the
Discover packet and starts sending heartbeats to the Primary. This establishes connectivity between the
Primary and the Standby. The Primary switch executes various internal monitors, in addition to any necessary
to communicate with the Standby switch.
If heartbeats fail after being properly established, a failover event is incurred by the Standby wireless switch,
and thus assumes the duties of the Primary switch including adopting all access ports. The Standby switch
sends an administrative alert—SNMP trap, etc.—to the administrator that a failover event has taken place.
Warning! You cannot configure a WS5000 model switch as a standby for a

WS5100 model switch.
1.3.7 WLAN to VLAN Mapping

Virtual LANs (VLANs) segment large subnets of a network, which enables network administrators to control
broadcasts and heighten network security. The WS5000 Series switch connects to the wired network through
one of two Ethernet ports (typically through NIC 2). Each access port associated with the switch can be
connected to either a trunked or non-trunked Ethernet port of the switch. Administrators configure an Ethernet
policy so it maps each WLAN to a non-trunked Ethernet port or to one of the VLANs visible to the trunked
Ethernet port. Further, administrators enable WLANs to communicate with a VLAN by configuring each WLAN
so that the rest of the network connects through a common router or Layer 2 switch.
Access ports in a VLAN are able to broadcast and multicast only within that VLAN. Using VLANs, wireless
switch administrators limit the general traffic in the wireless network, including broadcast packets because
large numbers of broadcast packets can affect network performance. By segmenting a network into VLANs,
wireless switch administrators limit the spread of broadcast packets.
Using VLANs:
• Limits broadcast and multicast traffic
• Increases security by limiting communication between groups
• Allocates network resources, such as servers, to specific groups
Map WLANs on a one-to-one basis, configuring switch policies such as:
• Ethernet Policy mapping one WLAN to a VLAN
• Access Port Policy mapping one or more WLANs to a BSSID
• Security Policy mapping one security policy to a WLAN policy.
1.4 New Features

This section describes the key enhancements in the WS5000 Series Switch:
• WME
• RF Statistics
• GRE Tunnel
• Dual DHCP Server
• SNMP Trap on Config Change
• AP to AP Beacons
• DTIM per BSS
• WIPS Support
• CPU Temperature Monitoring in WS5000
• Active Primary Revert
• Access Port Ping
• Upgrade/Downgrade Process
1.4.1 WME
WME is quality of service implementation based on the subset of the IEEE 802.11e draft specification. WME
support will enable the wireless infrastructure network based on WS5000 to handle the multimedia traffic
with Quality of Service (QoS). WS5000 will be able to provide the enhanced service for WME capable stations
associated on access-Port that has the WME capability.
To learn more about WME refer to QoS via Wi-Fi Multimedia Extension (WME) on page 1-11.
1.4.2 RF Statistics
The switch shall support approximately 24 new MIB tables, giving various details of the RF statistics. The
purpose of these new (enhanced) statistics is to provide better RF monitoring and troubleshooting capabilities
to network administrators.
The salient features of enhnaced RF stats are:

• It supports 350 RF stats, on a per APPortal and per MU basis.
• Provides Long and Short statistics, Traps and Thresholds.
• It is accessible using SNMP.
To learn more about enhanced RF Stats, refer to Chapter 14, Enhanced RF Statistics.
1.4.3 GRE Tunnel

GRE Tunneling capability provides the ability to create a GRE tunnel from a switch to a switch/router at the
remote end through an IP backbone. The primary functionality is to provide IP services (from the remote end /
core of the network) to the MUs on particular WLANs that are mapped to the GRE tunnels. The data arriving
from a MU associated a particular WLAN would be sent across to that GRE endpoint.
This functionality inWS5000 v2.1 is based on v1.4.3 when GRE tunneling capability was first introduced. V2.1
will also provide the capability to enable up to 4 GRE tunnels and provide the necessary WLAN mapping and
other required configuration parameters (including Remote IP Address, Time To Live and Keep Alive).
Common tunneling protocols include:
• Generic Routing Encapsulation (GRE)
• Layer2 Tunneling (L2TP)
• IPSec VPN
• Multi Protocol Label Switching (MPLS) VPN
• IP over IP
The entire GRE tunnel CLI configuration can be referred at tunnel on page 8-85
1.4.4 Dual DHCP Server

Currently the DHCP server is used along with the VPN server to serve public addresses to the wireless clients.
It can be enabled only on one NIC at one time. It is required that the DHPC server should be able to serve IP
addresses on both the interfaces, and should be able to serve IP addresses from different pool of addresses
on both interfaces.
Since the DHCP server may be used directly with WPA/WPA2 (without VPN), the requirement is that the DHCP
configuration should be available, even when VPN is not enabled.
Also, there is a requirement to restrict serving of the IP-addresses only to the primary (native) VLAN. So, a new
configuration is provided to meet this requirement.
To learn more about Dual DHCP server, refer to Chapter 12, Configuring the WS5100 WTLS VPN.
1.4.5 SNMP Trap on Config Change

For improved system administration,WS5000 v2.1 supports the following:
1. Send out a SNMP Trap whenever configuration in the switch changes. The change could be initiated by
CLI, GUI or SNMP.
2. The trap contains the time when the config was changed. The trap will not contain any details of the
config change itself.
3. The Switch stores the time when the config was last modified. This will not be persistent across switch
reboots.
4. Switch will maintain a count of total configuration changes. This will not be persistent across switch
reboots.
Chapter 16, Syslog and Traps lists all the traps and syslog messages.
1.4.6 AP to AP Beacons
The purpose of this functionality is to measure and report the signal strength of beacons heard by each Portal
(radio) connected to the switch, periodically. Normally, any given Portal would hear beacons from at most all
the other Portals on its assigned channel. It may also hear beacons from 'nearby' Portals on adjacent channels.
This information will be reported by the switch as a new doubly-indexed table. The primary index is the
PortalIndex of the Portal that heard the beacons. The second index is the PortalIndex of the Portal from which
the beacons were heard. For each such combination, 7 pieces of data are tracked in a cumulative fashion,
(since switch reboot).
To learn more about AP to AP beacon, refer to Chapter 13, Neighboring APs.
1.4.7 DTIM per BSS

This would allow for the setting of the DTIM on a per BSS basis. Each Access Port can run one WLAN for data
devices with DTIM 10 and another WLAN with DTIM 2 for VoIP phones. With this feature, not all the WLANS
need to have a lower DTIM value because that would drastically impact the battery performance of data
devices
This would involve sending new information elements, while doing a configuration of the Access Port.
The AP policy context will be enhanced to enable the user to set 4 separate DTIM interval values for 4 different
BSSIDs. DTIM value 1 will be used for BSS1, DTIM value 2 for BSS2, and so on. The first DTIM interval value
will also be the default, to be used when the AP does not support setting of DTIM per BSS. This will help the
user to know what DTIM values are actually used, depending on the BSS-ESS mapping, and will be indicated
as such through the user interfaces.
To learn more about DTIM per BSS, refer to Appendix B, DTIM Interval per BSS
1.4.8 WIPS Support

The Wireless Intrusion Prevention System (WIPS), introduced in 2005 as an overlay system (to the wireless
infrastructure) to provide intrusion detection and prevention services. The system comprises of a WIPS server
(typically located at the NOC / Data Center) and the AP300 Access Ports that act as "sensors" and forward all
the necessary traffic to the WIPS server that analyzes the network for any sort of unwanted traffic and protects
against various types of Denial of Service attacks.
The idea of using AP300 is to provide an easy to deploy system for intrusion detection / prevention re-using
existing hardware (typical WIPS systems require a dedicated, expensive sensor). The AP300 needs to be
converted to a "sensor" (with a special Firmware downloaded to it).
WS5000 v2.1 addresses the requirement to integrate the capability of converting a standard AP300 to a sensor
(and back as required) from the switch itself (and not have the administrators use a standalone tool to the do
the same).
To learn more about WIPS support, refer to Converting an AP300 into a Sensor on page 15-3.
1.4.9 CPU Temperature Monitoring in WS5000

Some CPU fan failures have been observed in the field; these failures are typically fatal for the processor of
the switch unless rapid servicing of the switch can take place. To assist in the detection of failure-prone
switches, WS5000 Series 2.1 will expose the following information through the different interfaces:
• The CPU temperature
• The CPU fan speed
• The chassis fans
• The Chassis temperature
This information is available via the CLI, SNMP, Applet, and XML interface for the WS5100 platform. This
functionality will also be available for the WS5000 (SME) platform in WS5000 v2.1.
Additionally to help identify switches that are about to fail, the switch will poll the hardware every 30 seconds.
An event will be generated when threshold values are passed. As for other events, this may result in a syslog
message and/or an SNMP trap depending on the event manager configuration. On the WS5100 platform, this
will also result in an "alert" visual indication on the LEDs.
Refer to Chassis Context on page 8-170 to configure the CPU tempreture in WS5000.
1.4.10 Active Primary Revert

Support issuing 'set mode rev', from the "cfg> standby" context with an "Active" Primary. This is needed
for troubleshooting a suspected issue with the Primary "Active" box.
Refer to Standby Context on page 8-273 to configure the Auto Revert feature.
1.4.11 Access Port Ping

This will allow the Admin to ping an Access Port - at Layer 2 (the access port does not support IP). This uses
Symbol's WNMP protocol's Ping Request and Ping Response to check the connectivity between the switch and
the access port.
Refer to rfping in Chapter 9, Service Mode CLI learn more about rfping.
1.4.12 Upgrade/Downgrade Process

The WS5000 Series Switch provides an autoinstall script that enables you to upgrade to version 2.1
automatically. See Chapter 2, Installing the System Image.
1.5 Other Features

• 1.5.1 AP-4131 Port Conversion on page 19
• 1.5.2 Automatic Channel Select on page 19
• 1.5.3 Event Manager on page 19
• 1.5.4 Hot Standby on page 20
• 1.5.5 Integrated Radius/AAA ServerRadius on page 20
• 1.5.6 On-Board DHCP on page 20
• 1.5.7 On-Board KDC on page 22
• 1.5.8 Rogue AP Detection on page 22
• 1.5.9 Simple Network Management Protocol (SNMP) on page 23
• 1.5.10 WTLS VPN on page 23
1.5.1 AP-4131 Port Conversion

You can convert the Symbol AP-4131 model access points to RF Ports for use with the WS5000. The port
conversion enables existing customers to utilize an existing Symbol wireless infrastructure with the WS5000
Series Switch. See Chapter 11, Converting AP-4131 Access Points to RF Ports.
1.5.2 Automatic Channel Select

The Automatic Channel Selection (ACS) feature enables the switch to determine the best radio frequency or
channel for an access port. The switch determines the best channel for each access port through a set of
algorithms that analyze the channels permitted by country regulations and the relative signal strength of each
access port in the wireless coverage area.
Using ACS optimizes channel selection, which is helpful in areas where coverage is dynamic because either
the site itself changes or coverage needs change. As conditions change, ACS is used to adapt and obtain the
best coverage.
1.5.3 Event Manager

An event notification system monitors an administrator-configured set of events in network performance. The
switch uses the Event Notification manager to log and collect application and system events on remote or local
system log (Syslog) collectors or servers.
Events are conditions about which the network administrator should be notified. The network administrator
can configure the switch to send event notifications using SNMP to an SNMP trap server, to the switch local
log, or to a Syslog server. The administrator can select the events to be notified about and the appropriate
severity level.
1.5.4 Hot Standby

You can use the WS5000 Series Switch in the hot standby mode, but when the switch is in this mode it will
not adopt primary access ports. The hot standby system only adopts APs after it detects that the primary
system it monitors failed. The system administrator should export the primary system’s configuration into the
backup switch. After importing, the administrator should place the switch in the backup mode. The backup
switch can monitor only one primary machine at a time.
The hot standby switch adopts the APs defined by the switch policy rules. The primary switch license
determines the number of APs. The primary switch sends the current number of licenses during its regular
communication with the standby switch. The primary switch does not communicate policy configuration
information; the system administrator must manually export or import it. The communication between the
switches is an ongoing process, so if you change the number of active licenses on the primary switch while it
runs, the standby adopts the appropriate number of access ports during a fail-over. For maximum robustness,
it is recommended both primary and standby switches run the same version of the switch.
1.5.5 Integrated Radius/AAA ServerRadius

The WS5000 Wireless Switch provides an integrated Radius server as well as the ability to work with external
Radius and LDAP servers to provide user database information and user authentication. Radius configuration
supports:
• Configuring appropriate authentication types
• Configuring Clients
• Configuring External Proxy Servers
• Configuring LDAP Servers
1.5.6 On-Board DHCP

Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to computers using TCP/IP. A
DHCP server assigns addresses to computers configured as DHCP clients.
The DHCP configuration can be done on both ethernet interfaces independently.
1.5.6.1 Configuring DHCP Server using CLI

You must run all DHCP CLI commands in the Configuration.Ethernet.[N] context. Table 1.5 lists
and describes the DHCP commands:
Table 1.5 DHCP CLI Commands
Command Description
set dhcpsrv <enable | disable> Enables or disables the WS5000 Series Switch’s
internal DHCP server (for this NIC).
set dhcp_IP_Range startIP [ endIP ] Sets the DHCP server’s IP pool range. If endIP isn’t
supplied, the pool consists of the single startIP
address.
Command Description
set dhcp_Static_IP Assigns the static_IP_Address to the device with

<static_IP_Address> <MAC> <hostname> the given MAC address. The device is also assigned a
hostname.
Enables the DHCP server to recognize DHCP option

number code_num. The option takes on the given
name and value. Currently, the only types that are
recognized are ip-address and text.
set dhcp_DefLease <seconds> Sets the DHCP server’s default lease time, in seconds,
to seconds.
Note The default lease time is always less than or equal to the maximum lease time. If you set
the default lease time to be greater than the maximum lease time, the maximum lease time is
automatically reset to match the default. Conversely, if you set the maximum lease time to be
less than the default lease time, the default is reset to the (new) maximum.
set dhcp_MaxLease <seconds> Sets the DHCP server’s maximum lease time, in
seconds, to seconds.
set dhcp_DomainName <domain.suffix> Sets the DHCP server’s domain name; for example,
“symbol.com”. To clear the domain name, pass a NULL
argument.
set dhcp_PriDNS_IP <IP_address> Sets the IP address that the DHCP server will use as its
primary Domain Name System server. To clear the
primary DNS IP, pass a NULL argument.
set dhcp_SecDNS_IP <IP_address> Sets the IP address that the DHCP server will use as its
secondary Domain Name System server. To clear the
secondary DNS IP, pass a NULL argument.
set dhcp_Router_IP <IP_address> Sets the IP address that the DHCP server will use as its
router. To clear the secondary DNS IP, pass a NULL
argument.
set dhcp_PriVLAN_only <IP_address> Serves DHCP requests only on the primary VLAN for
the interface.
1.5.6.2 Viewing DHCP Configurations

To view the current DHCP server settings for an Ethernet port, use the show command. The DHCP server
settings are grouped and indented at the end of the output:
WS5100_VPN.(Cfg).Ethernet.[1]> show
DHCP Server details

Configured State : Disable
Status : Disable
Subnet IP : 192.000.000.0
Netmask IP : 255.255.255.0
etc...
1.5.6.3 Importing a dhcpd.conf File

You can use a DHCP configuration file to configure the DHCP servers on the WS5000 Series Switch. The
configuration file must be named dhcpd.conf. To install the file on the switch, use the copy tftp
system command from the Configuration context:
WS5100_VPN.(Cfg)> copy tftp system
Enter the file name to be copied from TFTP server : dhcpd.conf
IP address of the TFTP server : 192.168.xxx.xxx
Copying 'dhcpd.conf' from tftp://192.168.90.158 to Switch...
File: dhcpd.conf copied successfully from 192.168.90.158
Verifying conf file...
Valid conf file format.
The format of the dhcpd.conf file follows the convention declared in RFC 2131 (http://rfc.net/
rfc2131.html).
Note When you copy a dhcpd.conf file to the WS5000 Series Switch, the previous
version of the file (on the switch) is overwritten.
1.5.6.4 DHCP Option 60

A feature of DHCP (Option 60) enables a DHCP server to recognize a DHCP client’s equipment identifier, and
assign the device an IP drawn from an equipment-specific set of addresses (an IP pool). DHCP servers that
respond to Option 60 should only use DHCP Option 43 to return vendor-specific information to the DHCP client.
1.5.7 On-Board KDC

The WLAN Switch has an on-board Key Distribution Center (KDC) or Kerberos authentication server. The
WS5000 Series Switch provides a secure means for authenticating users/clients associated to a WLAN or ESS
with the Kerberos security policy applied.
The on-board KDC can be configured to use up to three Network Time Protocol servers (NTPs). A separate
switch with an on-board KDC can be configured as a Slave KDC to support the Master KDC in case of a Master
KDC failure.
1.5.8 Rogue AP Detection

Rogue Access Ports (APs) are an area of concern with respect to LAN security. The term Rogue AP denotes an
unauthorized access port connected to the production network or operating in a stand-alone mode (perhaps in
a parking lot or in a neighbor’s building). Rogue APs are not under the management of network administrators
and do not conform to any network security policies.
Although 802.1x security settings should completely protect the LAN, organizations are not always fully
compliant with the newest wireless-security best practices. In addition, organizations want the ability to
detect and disarm rogue APs. The WS5000 Wireless Switch provides a mechanism for detecting and reporting
rogue APs. See Chapter 7, Configuring Rogue AP Detection.
1.5.9 Simple Network Management Protocol (SNMP)

SNMP defines the method for obtaining information about network operating characteristics as well as router
and gateway behaviors. This application-layer protocol initiates the exchange of configuration and
management information between network devices. The SNMP architecture allows a variety of relationships
among network entities.
The WS5000 Series Switch v2.0 supports SNMP v3.0 as well as SNMP v2.0 and v1.0. To configure SNMP on
the WS5000 Series Switch, see SNMP Context on page 8-258.
The switch GUI and CLI help you enable or disable certain SNMP features. Disabling these features
(“hardening” of the switch) helps manage security. Hardening of the KDC only is also permitted.
SNMP is also managed by the SNMP manager through a third-party SNMP client, software permitting the
manipulation and configuration of SNMP components. There are three elements in this process:
• Management Stations – Software managing SNMP protocol parameters and communicating with
SNMP Agents. The SNMP manager is responsible for this element.
• SNMP Agent – Local to the Wireless Switch, this SNMP server provides the network device information.
It processes information requests from the SNMP manager via the management station using SNMP.
• Management Information Base (MIB) – The storage area for network-management information. It
consists of collections of managed objects, such as SNMP parameters and events. These objects
describe the state of a particular network device.
1.5.10 WTLS VPN

Wireless Transport Layer Security (WTLS) is a security level protocol specifically designed to provide
authentication and data integrity for wireless traffic where access devices can change dynamically; such as
access port change due to environmental changes or roaming.
A Virtual Private Network (VPN) is a protected network connection that tunnels through an unprotected
connection. The WS5000 Series Switch uses a VPN connection to protect wireless transmissions on the
untrusted side of the switch.
The WS5000 Series Switch provides WTLS VPN functionality, which includes:
• On Board DHCP server
• On Board VPN server
• Firewall
• NAT
• Twice NAT
For details, see Chapter 12, Configuring the WS5100 WTLS VPN.
Installing the System Image
This chapter describes how to install a new system image with the latest software on the WS5000 Series
Switch. It also guides you through the CLI commands for restoring the site configuration file for the switch.
This chapter contains:
• Before Installing the Image
• Upgrading the Switch Software to 2.1
2.1 Before Installing the Image

Before upgrading the software on the WS5000 Series Switch, verify the current software version and update
path as described in the following section.
Symbol recommends you save the configuration of the system to be upgraded onto the network using the save
configuration command.
Note The WS5000 Series Switch Graphical User Interface does not support this
process.
After you log into the WS5000 series switch, it displays the software version. For example:.
user name: cli
Symbol Wireless Switch WS 5000 Series.
Please enter your username and password to access the Command Line
Interface.
userid: admin
password: ******
Retrieving user and system information...
Setting user permissions flags..
Checking KDC access permissions...
Welcome...
Creating the Event list...
System information...
System Name : WS5000
Description : WS5000 Wireless Network
Switch Location :
Software Ver. : 2.1.0.0-xxxR
Licensed to : Symbol Technologies
Copyright : Copyright (c) 2000-2006. All
rights reserved.
Serial Number : 00A0F8545254
Number of Licenses : 48
Max Access Ports : 48
Max Mobile Clients : 4096
MU Idle Timeout value : 1800 seconds
Active Switch Policy : symbol2006
Emergency Switch Policy : Not defined
Switch Uptime : 00d:00h:35m
Global RF stats : Disabled
# of Unassigned Access Ports : 0
CLI AutoInstall Status : Enabled
WS5000>
Table 2.1 lists the procedures to upgrade the WS5000 Series Switch to the latest software version (xxx):
Table 2.1 Procedure to Upgrade to 2.1-xxx
If Your Switch Version is To Update to 2.1-xxx
2.1.0.0-xxx Do nothing. The wireless switch software is up to date.
2.0.0.0-xxx Follow the procedures in Upgrading the Switch from 2.0 to 2.1 on page 2-4.
1.4.3.0-xxx Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3
Installing the System Image 2-3
Table 2.1 Procedure to Upgrade to 2.1-xxx

If Your Switch Version is To Update to 2.1-xxx
1.4.2.0-xxx Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3
1.4.1.0.xxx Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3.
1.4.0.xxx Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3.
WS5100 1.1v49 Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3.
Any other version Contact your Symbol Support representative.
2.2 Upgrading the Switch Software to 2.1

The WS5000 Series Switch release 2.1 enables you to upgrade to the 2.1 baseline from the platforms:
• WS5000 or 5100 running the 2.0/1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3/2.0 baseline.
You can upgrade the switch using the following methods:
• Upgrading Using the CLI on page 2-3
If you encounter an error during the upgrade process, then refer Recovering from Upgrade Errors on page 2-12
Note There are certain key combinations that might stop the WS5000 Boot Loader
(in 1.4.x.x baseline) so that it accepts user inputs. To avoid this, do no press any key
and do not enable the scroll lock on the serial console window when the upgrade or
downgrade is in progress.
2.2.1 Upgrading Using the CLI

Use either ssh, telnet or a serial access cable to log into the CLI.
The WS5000 Series Switch software package contains:
• vdate — This binary is used to get the firmware version from the DOM.This binary fails to operate over
a Simpletech DOM and is used only with a Kouwell DOM.
• dominfo — This binary is used to get the DOM manufacturer information, either Simpletech DOM or
Kouwell DOM. This binary is helpful when a Simpletech DOM using the latest firmware is used and the
vdate fails over it.
• PreUpgradeScript - This script uses the dominfo to get the DOM manufacturers information. If the
script detects that the DOM is a Kouwell DOM only then it calls the vdate to get the firmware version.
The Simpletech DOM, by default, always has the latest firmaware.
• WS5000_v2.1.0.0-xxxx.sys.kdi — The image needed for the upgrade.
To upgrade to 2.1 using the CLI, use the following steps:

1. Upgrading the Switch from 2.0 to 2.1.
2. Upgrading the Switch from 1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to 2.1
a. Copy the vdate to the switch

b. Copy the dominfo to the switch
c. Copy the PreUpgradeScript to the switch.
Note You must run the PreUpgradeScript before you upgrade the switch.This is valid
only when you upgrade the switch from 1.4.x to 2.1
2.2.1.1 Upgrading the Switch from 2.0 to 2.1

To upgrade from WS5000 2.0 to the WS5000 2.1 baseline:
1. Copy the WS5000_v2.1.0.0-xxxx.sys.img image (using ftp) to the system to be upgraded.
Use the following command under the cfg mode of the CLI:
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server :
WS5000_v2.1.0.0-xxxR.sys.img
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'WS5000_v2.1.0.0-xxxR.sys.img' from ftp://
111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
17091650 bytes received in 10.3 seconds (1666803 bytes/s)
Verifying imagefile...
Valid imagefile. Completing verification.
WS5000.(Cfg)>
2. Run the following command
WS5000.(Cfg)> restore system WS5000_v2.1.0.0-xxxR.sys.img
This command will reset the system and boot up with the new
restored image.
Do you want to continue (yes/no) : yes
Restoring system image and configuration from WS5000_v2.1.0.0-
xxxR.sys.img
It might take a few minutes.......
2.2.1.2 Upgrading the Switch from 1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to 2.1

To determine whether your WS5000 Series Switch has the memory required for upgrading to xxx, run the
PreUgradeScript. If the switch has the memory, the script tells you how to upgrade. If the switch does not have
enough memory, the script enables you to free the memory to upgrade.
To upgrade from WS5000 1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to the WS5000 2.1 baseline:
Copy the vdate to the switch
Enter the file name to be copied from FTP server : vdate
Copying 'vdate' from ftp://111.111.111.111 to Switch...

202311 bytes received in 0.036 seconds (5.5e+03 Kbytes/s)
WS5000.(Cfg)>
Copy the dominfo to the switch
Enter the file name to be copied from FTP server : dominfo
Copying 'dominfo' from ftp://111.111.111.111 to Switch...
WS5000.(Cfg)>
Copy the PreUpgradeScript to the switch.
1. Copy the PreUpgradeScript script using tftp/ftp to the system to be upgraded using the
following command under the cfg mode of the CLI. This example uses ftp.
PreUpgradeScript
Copying 'PreUpgradeScript' from ftp://111.111.111.111 to
Switch...
/bin/dedos: line 69: syntax error near unexpected token
`dir'
/bin/dedos: line 69: `dedos -R <dir> # recursive from dir'
WS5000.(Cfg)>
Note When ftping the PreUpgradeScript, the switch displays the error messages:
/bin/dedos: line 69: syntax error near unexpected
token 'dir'
/bin/dedos: line 69: syntax error near unexpected

token 'dir'
Ignore these messages because they do not indicate a problem in ftp'ing the
script.
Just verify the size of the script ftp'ed matches with the actual one.
2. Enter the CLI service mode:

WS5000.(Cfg)> ..
WS5000> service
Enter CLI Service Mode password: ********
Enabling CLI Service Mode commands...... done.
SM-WS5000>
3. Change the script’s access permissions to make it executable (x):
SM-WS5000> launch -c chmod +x /image/PreUpgradeScript
4. Run the script.
SM-WS5000> launch -c /image/PreUpgradeScript freemem
The script looks for free space on the disk. If it finds the space, it displays the following:
Verifying dominfo Checksum
dominfo Checksum Verification Passed
checking type of DOM
Showing details of DOM
Model Number______________________: Kouwell DOM
Serial Number_____________________: HyFlash 00003768
Controller Revision Number________: 14/05/02
Able to do Double Word Transfer___: No
Controller buffer size (bytes)____: 512
Transfer Speed____________________: > 10 Mbit/sec
Drive Type________________________: Removable
IORDY Supported___________________: No
Can IORDY be disabled by device___: No
LBA Mode supported________________: Yes
DMA Supported_____________________: No
Number of ECC bytes transferred___: 4
Number of sectors per interrupt___: 1
Number of Cylinders_______________: 980
Number of Heads___________________: 16
Number of Sectors per Track_______: 32
This is a Kouwell DOM which needs to check for the version of
DOM firmware
checking DOM firmware
Verifying vdate Checksum
vdate Checksum Verification Passed
Current Firmware Version
Version Date: 040928b9
Dom Firmware up to date - Done

Finding out the Free Space Needed ... !!
Total Free Space on the System: 150 (in MB)
OK. Required space to do the upgrade exists .. !!
SM-WS5000>
Note While running the PreUpgradeScript, you may encounter two problems.
Scenario 1: The switch may not have enough space to upgrade.
Scenario 2: The switch may ask you to upgrade the DOM firmware before upgrading.
Scenario 1
If there is not enough space for the upgrade procedure, the script displays:
Model Number______________________: HYPERSTONE FLASH DISK
Transfer Speed____________________: Drive
Type________________________: IORDY Su
pported___________________: No
DMA Supported_____________________: No
Number of Heads___________________: 8
DOM firmware
Checking DOM firmware
Not enough space to continue with upgrade ... !!
NOTE: Freeing up the space makes you committed for upgrade .. !!
Please continue with upgrade after this, as freeing might

make the current system unusable .. !!
Do you want to free some space (y/n):
If the script does not find the required space, it displays:
Do you want to free some space (y/n): y
Trying to find out how much space can be freed .. !!
/image/*.img: File or directory doesn't exist
/image/*.txt: File or directory doesn't exist
/WS5x00Switch/CC/*txt*: File or directory doesn't exist
Image Space 0
Txt Space 0
PG Space 3
Apache Space 7
SNMP Space 2
Log Space 0
Total Space that can be freed : 12
Saving the Configuration before Freeing the space .. !!
Saving wireless network management configuration...
Configuration saved successfully.
Found the space to be freed .. Freeing .. !!
SM-WS5000>
Scenario 2
At times you may also need to update the DOM firmware when the switch fails to run the preupgrade script.
In such a case the script displays:
Note If you do not wish to upgrade the firmware, then you can use the following
CLI command:
launch -c /image/PreUpgradeScript freemem nofwcheck

DMA Supported_____________________: No
Number of Heads___________________: 8
DOM firmware
checking DOM firmware
Need Dom Firmware Upgrade..Aborting upgrade
Please upgrade the DOM Firmware before upgrading
SM-WS5000>
Execute the following steps to upgrade the DOM firmware:
• Copy the WS5k_domfix.cfg file to the switch
SM-WS5000> copy ftp system -u ftpuser -m bin
WS5k_domfix04.cfg
Copying 'WS5k_domfix04.cfg' from ftp://111.111.111.111 to
Switch...
/bin/dedos: line 69: syntax error near unexpected token `dir'
/bin/dedos: line 69: `dedos -R <dir> # recursive from dir'
SM-WS5000>
• Enter the CLI service mode and execute the WS5k_domfix.cfg file.
SM-WS5000> exec
Executing CLI Service Mode command file ....
Enter the command file name: WS5k_domfix.cfg
Current firmware version
Need firmware upgrade
Shutting down Cell controller..

Shutting down snmpd agent.....done.
Shutting down apache server...done.
Shutting down cell controller......done.
Cell controller successfully shut down.
Shutting down database main thread...done.

Resetting the System..
SKDB kernel debugger installed.
SKDB kernel debugger installed.
Configuring ethernet ports ...
Waiting for network elements to get initialized....done.
Flushing stale dns entries......done.
Checking database integrity...done.
Launching auto-configuration procedure...
Waiting for DHCP lease file to be created...
DHCP lease file found.
Begin parsing DHCP lease file...
Results:
---------------------------
TFTP Server :
Command File:
---------------------------
TFTP server option not found.
Exiting auto-configuration...
Starting cell controller....done.
Waiting for the corba file to be created.......done.
Starting apache server in SSL mode...done.
Starting snmpd daemon...done.
SM-WS5000>
5. Copy the WS5000_v2.1.0.0-xxxx.sys.kdi image (using ftp) to the system to be upgraded.
Use the following command under the cfg mode of the CLI:
Note You cannot use tftp to acquire this image because the file size exceeds 32 MB.

WS5000_v2.1.0.0-xxxR.sys.kdi
Copying 'WS5000_v2.1.0.0-xxxR.sys.kdi' from ftp://111.111.111.111

to Switch...

39661568 bytes received in 25 seconds (1.5e+03 Kbytes/s)
SM-WS5000>
Note If you do not wish to upgrade the firmware, use the following CLI command:
launch -c /image/PreUpgradeScript upgrade nofwcheck
6. Run the following command:

SM-WS5000> launch -c /image/PreUpgradeScript upgrade
The following details are displayed on your monitor. Enter WS5000_v2.1.0.0-xxxx.sys.kdi

as image name when the procedure prompts you to - “Enter the image
name”.
SM-WS5000> launch -c /image/PreUpgradeScript upgrade


DMA Supported_____________________: No

Number of Heads___________________: 16
This is a Kouwell DOM which needs to be checked for the version of
DOM firmware
Checking DOM firmware
Enter the Image Name: WS5000_v2.1.0.0-xxxR.sys.kdi
Verifying Image Checksum
Image Checksum Verification Passed
Saving the Configuration before upgrading

Creating the configuration tar
tar: Removing leading / from absolute path names in the archive.
image/upgrade.cfg
Copying the image
Rebooting the system
Shutting down snmpd agent.....done.
Rebooting the switch...
Note You can also provide the image name a command line argument to the
PreUpgradeScript. If you do this, the script does not prompt for the image name.
Example:
launch -c /image/PreUpgradeScript upgrade<filename>
The switch reboots three times in approximately five minutes, and then displays the 2.1 image. The image has
the same configuration it had before the upgrade. The serial console displays the system logs.
The logs display the switch passing through each reboot state before it finally displays the 2.1 image. The
telnet or ssh window displays the logs until the switch reboots the first time.
2.3 Recovering from Upgrade Errors

In the unlikely event a power failure occurs during the file writing portion of the upgrade process the system
may no longer boot. The most likely symptoms would be the system continuously restarting or never showing
any activity on the serial console. Any system with these symptoms will need to be returned to the local
Symbol Service Center for repair. See the Symbol Service Web-site http
://www.symbol.com/services/msc/msc.html for RMA procedures.
If a serial console is attached to the system during the software upgrade process and the escape key is pressed
at during a specific stage of the process automatic loading will be stopped. If the following message is
displayed for more than 20 seconds, then a key was pressed. This problem can be rectified by pressing the
ENTER key to boot the image.
Note Power cycling the system when any of these screens appears will cause an
unrecoverable error just like a power failure.
GNU GRUB version 0.95 (639K lower / 130048K upper memory)

WS5000-2.x
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit
the commands before booting, or 'c' for a command-line.
If any of the below two messages are displayed then press the escape key (ESC) to return to the boot selection
screen
Minimal BASH-like line editing is supported. For the first word,
TABlists possible command completions. Anywhere else TAB lists
the possiblecompletions of a device/filename. ESC at any time
exits.
grub>
or
kernel (hd0,0)/boot/vmlinuz-2.4.20_mvl31
console=ttyS0,19200 quiet
initrd (hd0,0)/boot/ramdisk.img
2.4 Downgrading from 2.1 to 2.0

1. To downgrade the WS5000 switch from version 2.1 to 2.0 you need to download –
Downgrade2.0.0.0-034R.sys.img. Follow the steps mentioned below to download the
image:
Enter the file name to be copied from FTP server : /home/
WS5x00Switch/builds/bf-2.1.0.0/R_BF_2.1.0.0-xxxR/downgrade/
Downgrade2.0.0.0-034R.sys.img

Copying 'Downgrade2.0.0.0-034R.sys.img' from ftp://
111.111.111.111 to Switch...
Verifying imagefile...
Valid imagefile. Completing verification.
2. Run the following command:
WS5000.(Cfg)> restore system Downgrade2.0.0.0-034R.sys.img
This command will reset the system and boot up with the new
restored image.
Restoring system image and configuration from Downgrade2.0.0.0-
034R.sys.img
It might take a few minutes.......
2.5 Downgrading from 2.1 to 1.4.3/1.4.2/1.4.1/1.4.0

You can downgrade a switch running WS5000 Series Switch 2.1 image to the switch running one of the
following versions:
• WS5000 Series Switch 1.4.0.0 (026R)
Note Save the current system configuration and image files on the network before
downgrading because after you downgrade the switch, it uses the default
configuration settings and the downgraded image files.
After you downgrade from 2.1 to 1.4.3/1.4.2/1.4.1/1.4.1/1.4.0 WS5000 Series Switch, the switch obtains the
following files:
• Running the PreDowngrade Script
• Running the Downgrade.exe Script
• Downgrading the Image Version.
2.5.1 Running the PreDowngrade Script

To check the system has sufficient memory for the downgrade, run the PreDowngrade script.
1. Copy the PreDowngrade script to the switch using copy ftp/tftp command:
copy ftp system -u <user_name> -m bin
2. Enter the PreDowngrade script filename, IP Address, and password at the system prompt.
The switch downloads the PreDowngrade script.
3. Log into the service mode CLI using service command from the cfg context (under system context).
4. Run the following service mode CLI command:
exec <CR>
Enter the command file name: PreDowngrade.exe
This script determines whether the switch has the memory required for the downgrade. If the memory
is not sufficient, the script provides an option to free the memory needed. If it does not find the required
memory to be freed, it stops and displays an error message.
Note If you use the PreDowngrade.exe script to release memory, you must
proceed with the downgrade.
Example
WS5x00Switch/builds/bf-2.1.0.0/R_BF_2.1.0.0-xxxR/
downgrade/PreDowngrade.exe
Copying 'PreDowngrade.exe' from ftp://111.111.111.111 to
Switch...
WS5000.(Cfg)>
2.5.1.1 Executing the Predowngrade Script

You have to execute the predowngrade script from the service mode. The example below explains how to
execute the predowngrade scipt.
WS5000> service
SM-WS5000> exec
Enter the command file name: PreDowngrade.exe

OK. Required space to do the downgrade exists .. !!
SM-WS5000>
2.5.2 Running the Downgrade.exe Script

After you verify the switch has enough memory for the downgrade, run the Downgrade.exe script as follows:
1. Copy the Downgrade.exe and Downgrade<x.x.x.x-xxxR>.image file to the switch using copy ftp system
command
2. Enter the Downgrade.exe filename, IP Address, and password at the system prompt.
exec <CR>
Enter the command file name: Downgrade.exe
5. Enter Downgrade<x.x.x.x-xxxR>.image as the image filename (<x.x.x.x-xxxR> corresponds to the
version to which you downgrade the switch from 2.0).
The switch is downgraded to the corresponding version.
Example
WS5x00Switch/builds/bf-2.1.0.0/R_BF_2.1.0.0-xxxR/
downgrade/Downgrade.exe
Copying 'Downgrade.exe' from ftp://111.111.111.111 to
Switch...
SM-WS5000>
2.5.3 Downgrading the Image Version

1. Copy the Downgrade<version>.image file to the switch using copy ftp system command
2. Enter the Downgrade<version>.image filename, IP Address, and password at the system prompt.
4. Enter Downgrade<x.x.x.x-xxxR>.image as the image filename (x.x.x.x-xxxR corresponds to the
version to which you downgrade the switch from 2.1).
exec Downgrade<x.x.x.x-xxxR>.image
The switch is downgraded to the corresponding version.
Example
WS5x00Switch/builds/bf-2.1.0.0/R_BF_2.1.0.0-xxxR/downgrade/
Downgrade1.4.0.0-026R.image IP address of the FTP server :
111.111.111.111
Copying 'Downgrade1.4.0.0-026R.image' from ftp://111.111.111.111
to Switch...

SM-WS5000>
2.5.3.1 Executing the Downgrade Script

You have to execute the Downgrade.exe from the service mode. The example below explains how to
execute the Downgrade scipt.
SM-WS5000> exec
Enter the command file name: Downgrade.exe
Enter the Image Name: Downgrade1.4.0.0-xxxR.image
Verifying Image Checksum
Image Checksum: 60504983eac60093823e2c890ef0143b
Image Checksum Saved: 60504983eac60093823e2c890ef0143b
Image Checksum Verification Passed
Moving the Boot Loader !!!
Moving the Kernel !!!
Moving the Initrd !!!
Moving the Scripts !!!
GNU GRUB version 0.95 (640K lower / 3072K upper memory)
[ Minimal BASH-like line editing is supported. For the first
word, TAB
lists possible command completions. Anywhere else TAB lists the
possible
completions of a device/filename. ]
grub> root (hd0,0)
Filesystem type is ext2fs, partition type 0x83
grub> setup --stage2=/boot/grub/stage2 --prefix=/boot/grub (hd0)
Checking if "/boot/grub/stage1" exists... yes
Checking if "/boot/grub/stage2" exists... yes
Checking if "/boot/grub/e2fs_stage1_5" exists... yes
Running "embed /boot/grub/e2fs_stage1_5 (hd0)"... failed (this is
not fatal)
Running "embed /boot/grub/e2fs_stage1_5 (hd0,0)"... failed (this
is not fatal)
Running "install --stage2=/boot/grub/stage2 /boot/grub/stage1 hd0)
/boot/grub/stage2 p /boot/grub/menu.lst "... succeeded
Done.
grub> reboot
Creating License Tar File !!!
Rebooting
Shutting down dhcp daemon.. done
Shutting down apache server in the SSL mode...done.
Shutting down cell controller........ done
Shutting down snmpd agent...done.

Shutting down Postgres....done.
Configuring the WS5000 Series Switch
Automatically
There are two types of auto-install to configure the WS5000 Series Switch automatically:
1. DHCP Auto-install, performed as a part of WS5000 boot process
2. Manual Auto-install, performed by executing a CLI command. This requires a reboot.
3.1 DHCP Auto-install

To configure the WS5000 Series Switch automatically, you need:
• An external TFTP server—The switch obtains the IP address of this server through DHCP and stores it in
the returned DHCP lease file.
• A command file – This is an ASCII text file that contains site-specific settings for the WS5000 Series
Switch (the filename must end with a .sym suffix). The switch obtains this filename through DHCP and
stores it in the returned DHCP lease file.
After you extract the configuration file from the DHCP lease file, it downloads, parses, and configures the
WS5000 Series Switch
3.2 Command File

The command file option specifies a valid filename for an ASCII text format file that exists on the TFTP server.
It contains site-specific settings for the wireless switch. The command file (see Command File Example on
page 3-8) directs the switch to perform the following remote configuration functions:
• Load a new wireless switch configuration file
• Reconfigure the Ethernet IP, DNS, gateway, and DHCP settings on the switch
• Reconfigure the master and slave Kerberos settings.
• Manually or automatically update Kerberos user database entries, with automatic propagation to the
slave KDC, if present
• Enable or disable “hot standby” mode on the switch
• Optionally provide status and error logging of the automatic configuration operations
• Reconfiguration of the Primary and Standby settings
• Reconfiguration of Master and Slave Kerberos settings.
Several site-specific settings are available in the command file. The settings available in the command file
include:
• Automatic installation command event logging
• Automatic installation command file TFTP server
• Automatic installation command file network
3.3 Command File Description

The command file is an ASCII text file that contains case sensitive letters, digits, and the underscore ( _ )
character. The command file name uses the .sym extension. The command file contains all options necessary
to perform a limited switch configuration or reconfiguration.
When the system parses this file, it ignores any option that it does not understand. The switch keeps the
current configuration for that specific option unchanged. The following lines are considered equivalent.
#<option> <value>
<option> #<value>
<option> #some comment
All values of the command file are case insensitive except for SNMP community strings, domain names,
realms, and filenames. The system converts the hostname value into lowercase even when specified using a
combination of lower/upper case. The command file option items do have to be in any sequential order.
A template of the command file, called cmd_template.sym, is available and located on the WS5000
Wireless Switch system CD. Copy this file to a local host computer, then edit, save and rename it to serve as
a command file (the .sym extension is required for the command file to be recognized by the wireless switch).
Save the file to the system used to configure the wireless switch. Use the CLI copy tftp system command (see
the copy command on Chapter 8, CLI Command Reference) to copy the command file from the host computer
to the switch.
The command file example shows the configuration of most options (see Command File Example on page 3-8).
Configuring the WS5000 Series Switch Auto- 3-3
Note The command file is not invoked automatically using this method. The correct
method is to use the DHCP option to send the file to the switch.
3.3.1 Event Logging

The service option is a setting to turn on or off the logging feature, which pushes auto-installation event
messages to a log file named CmdProcErrors.txt. This error log file is automatically generated in the same
directory as the system image/configuration/command files if logging is turned on.
These log messages are generated when events such as firmware/configuration upgrades/downgrades occur,
and/or the command file contains errors such as improper syntax, files that are not present on specified TFTP
server, etc.
Table 3.1 Event Logging (Service) Section
Option Value Notes
AutoConfig Log <on|off> This selection allows the user to enable or disable the use of the
logging facility. The default is on.
3.3.2 TFTP Server Settings

This section specifies the location of the TFTP server used to download, the names of the system image,
configuration and Kerberos files that need to be downloaded. These settings are used when upgrading/
downgrading firmware, changing configuration files or updating the user database of the Wireless Switch’s
built-in Kerberos KDC.
Table 3.2 TFTP Server (Files to Download) Section
Option <Value> Notes
TFTP Server <xxx.xxx.xx.xx> This is the TFTP server from where the configuration file, the
image file, and the Kerberos file are downloaded. If the TFTP
server is not specified, it is assumed that the user
downloaded these files manually via CLI copy command or the
auto install will look for them in the Wireless Switch.
ImageRestore <image file(.sys.img)> If the revision levels are different, then the image file will be
downloaded from the TFTP server. After this step has
completed successfully, the switch will perform a reset and
continue to reboot with the most recent (and valid) system
image available. If any error occurred during the file
processing, the firmware will not be upgraded and an error
message will be logged.
Table 3.2 TFTP Server (Files to Download) Section (Continued)

Option <Value> Notes
ConfigFile <config_name (.cfg)> This is the name of a WS5000 Series Switch configuration.
This file is downloaded automatically from a specified TFTP
server or though the CLI copy command.
If the file is not found, or if there were errors during the TFTP
download, the installation software will abort the
configuration immediately and exit. This is considered a fatal
error and any locally specific configurations should not be
applied as well since they can be interrelated to the general
configuration settings. The IP address of the WS will also
remain unchanged. The file name is case sensitive.
KerberosFile <kerberos_name (.krb)> This is the name of a Kerberos username/password (Kerberos
MIT DB file format) file and it is used to configure the primary
Kerberos database of the on board KDC server. The database
is completely flushed before the new principals are added.
If an error occurs during the file downloading or processing,
the installation software logs an error message and skips the
Kerberos configuration. The installation software tries to find
the file in the Wireless Switch.
If it is not there, it logs an error message and continues. Once
a Kerberos DB .krb file is provided for download and
installation, this new file replaces the current database file.
There is no automatic attempt to save the previous copy of
this file on the master KDC. The file name is case sensitive.
3.3.3 General Network Configuration and Standby Management

Configure the network settings in this section such as; enabling/disabling DHCP, setting subnet masks, DNS
servers and gateway settings. When the switch’s Standby Management capability is used, configure the
settings for enabling/disabling Standby Management, and assigning hostnames and IP addresses to the
Ethernet interfaces of the Primary and Standby wireless switches.
Utilizing the Standby Management feature requires a pair of switches. Settings for both types (Primary and
Standby) are in the command file so that a single file can be used at a site to install both the Primary and
Standby switch. When a switch begins Standby configuration, it pings the Primary switch’s IP address, as
specified in the command file. If it does not receive a response, it assumes the role of Primary as long as it
does not have a zero-port license key. The second switch will subsequently configure itself as the Standby
switch.
Warning! A WS5000 model switch cannot be configured as a standby for a

WS5100 model switch.
Table 3.3 General Network Configuration and Standby Management

Option Value Notes
Eth1DNSServer1 <ip_address> DNS server configuration for each interface. Users can configure up
Eth1DNSServer2 <ip_address> to two DNS servers per interface. If it is not supplied, the DHCP
Eth2DNSServer1 <ip_address> configuration will be kept.
Eth2DNSServer2 <ip_address>
Eth1SubnetMask <ip_subnet_mask> Subnet mask for Ethernet port 1.

Eth2SubnetMask <ip_subnet_mask> Subnet mask for Ethernet port 2.
If an Ethernet ports IP address is specified without an associated
subnet mask, an error is logged and the network configuration is not
completed.
Eth1Domain Domain name for Ethernet port 1.
Eth2Domain Domain name for Ethernet port 2.
Eth1DHCP Indicates whether DHCP is on/off for Ethernet port 1.
Eth2DHCP Indicates whether DHCP is on/off for Ethernet port 2.
If DHCP is on for an interface, all IP settings provided in the
command file will be ignored and the interface will be configured
as a DHCP client.
Note DHCP can only be enabled on a

single interface at a time.
Gateway Default gateway. There should only be one value since the switch
currently does not allow gateway settings per interface. If this
configuration is not specified, the DHCP settings apply.
HostnamePrimary Hostname of Primary switch.
HostnameStandby Hostname of Standby switch.
Eth1PrimaryIP IP address of Primary switch.
Eth2PrimaryIP IP address of Primary switch.
Eth1StandbyIP
IP address of Standby switch.
Eth2StandbyIP
IP address of Standby switch.
If these IP addresses are not specified in the command file, the
DHCP settings are kept. When an image upgrade is performed, it
will not change the existing Ethernet configuration.
StandbyMgt Indicates whether Standby Management is on/off (enabled/
disabled).
If enabled, the installation software queries the database for the
number of licenses. If the switch is able to acquire a license, it may
become a Primary switch. If no license is available, it can only be
considered as a Standby switch.
3.3.4 Kerberos Configuration

The Wireless Switch features a built-in kerberos KDC, for authentication services, a site may require settings
for configuring kerberos functionality. The settings in the command file for configuring the KDC include primary
or slave status, hostname, IP address, realm and domain. When applicable, up to three NTP (Network Time
Protocol) servers can be specified. A list of all available Kerberos actions is included in the command file.
Table 3.4 Kerberos Configuration Section
Option Value Notes
NTPServer1 <NTP xxx.xxx.xx.xx> NTP server IP address (for the on-board KDC server). The
primary and standby switches need to be defined with the
same NTP service host to insure that the time source is
consistent.
NTPServer2 <NTP xxx.xxx.xx.xx> Second alternate NTP server IP address.
NTPServer3 <NTP xxx.xxx.xx.xx> Third alternate NTP server IP address or name.
KDCRealm <KDC realm name> Kerberos realm name
KDCInterface <KDC interface The interface on which the KDC is configured (1 or 2).
name>
KDCBackupHostname <xxx.xxx.xx.xx> Hostname of the backup slave.

KDCBackupIP <xxx.xxx.xx.xx> IP address for the backup slave. If this IP address belongs
to any of the ethernet ports and the hostnames match, the
switch is configured as a slave KDC.
KDCBackupDomain <server name> Kerberos Master Hostname where the KDC resides.
Note All Security Policies which are configured for Kerberos Authentication will automatically
be populated with the Master/Slave/Remote server’s IP addresses if present in this file.
3.3.5 SNMP Configuration

The SNMP section of the command file contains settings for community attributes and trap actions, used by
SNMP-based network management tools to get/set MIB variables to configure the Wireless Switch along with
gathering and monitoring device status.
Table 3.5 SNMP Configuration
Option Value Notes
SNMPCommunity[1-4] <string> This is the SNMP community for the designated

group selection of [1..4]
SNMPCommunity[1-4]IP <ip_address> SNMP community IP address.
Table 3.5 SNMP Configuration (Continued)

Option Value Notes
SNMPCommunity[1-4]Perm <RO | RW
permissions>
3.3.6 Syslog Configuration

The syslog section of the command file contains settings for adding syslog hosts to which log messages will
be sent. It also allows specifying the severity level for the log messages.
Table 3.6 Syslog Configuration
Option <value > Notes
SyslogHostname[1-2] <host_name> Host name of the syslog collector

SyslogIP[1-2] <ip_address> IP address of the syslog collector
SyslogSev[1-2] <severity numbers from Severity level for syslog logging
1 to 8>
3.3.7 CLI Commands

In this section you can place any CLI command. There is no limit on the number of commands that you can place
here. Each CLI command should be placed in the file at the CLI# prompt, as mentioned in the CLI Section of
the attached cmd_template.sym file. After execution of a command, enter
CLI#cfg ce add testce
The current context now will be

WS5000.(Cfg).CE.[testce]>
To execute some other command make sure you go to context of that command. This can be done using the
same CLI commands. For example to go to cfg context after executing the above command you need to use
the following lines in the .sym file
CLI#..
CLI#..
This will take you to WS5000.(Cfg)> context.
This way you can execute any number of CLI commands by just placing that command in a separate line at the
CLI# command prompt. Before placing any CLI command, ensure that you are at the correct context level that
you are executing.This context is determined by the execution of the previous command.
The context of the very first command that you execute in the CLI section is System context
WS5000>
This is an optional section in the .sym file and can be omitted.
3.3.7.1 Command File Example

The following command file example shows the configuration of several options in the WS5000 Series
Switch’s command file.
You can use the same command file to configure both a primary wireless switch and an associated standby
wireless switch.
Figure 3.1 Example
#############################################################################
#
# Copyright (c) 2005, Symbol Technologies, Inc.
# All rights reserved.
#
# cmd_template.sym file
#
# This is a template file to illustrate the format of auto configuration command files.
# The command file must end with the .sym extension and contain options to
# perform switch configuration. The format of the file is as follows:
#
# <option> <value> #comment
#
# Each line is composed of an option name and its value. All options are
# case sensitive.
#
# When this file is parsed, any option that is not found or has no value is ignored,
# which means that the switch will keep the current configuration for this option
# unchanged. The following lines are considered equivalent.
#
# #<option> <value>
# <option> #<value>
# <option> #some comment
#
#############################################################################
#############################################################################
# SECTION: Special Options #
#############################################################################
AutoConfigLog #on/off: Log errors and events to CmdProcErrors.txt
#Default is 'on'.
#############################################################################
# SECTION: Files to download #
#############################################################################
TFTPServer #tftp server where files are located
ImageRestore #image file (.sys.img)
ConfigFile #configuration file (.cfg)
KerberosFile #kerberos username/passwd (.krb)
#############################################################################
# SECTION: General Network Configuration and Standby Management #
#############################################################################
#
# DNS configuration
#
Eth1DNSServer1 #dns server
#
# Switch configuration
#
Eth1SubnetMask #subnet mask
Eth2SubnetMask #subnet mask
Eth1Domain #domain name
Eth2Domain #domain name
Eth1DHCP #on/off
Eth2DHCP #on/off
Gateway #default gateway
#
# Primary IP configuration
#
HostnamePrimary #Hostname of primary CC
Eth1PrimaryIP #ip address of primary CC
Eth2PrimaryIP #ip address of primary CC
#
# Standby IP configuration
#
HostnameStandby #Hostname of standby CC
Eth1StandbyIP #ip address of standby CC
Eth2StandbyIP #ip address of standby CC
#
# Enable or disable the standby management
#
StandbyMgt #on/off
#############################################################################
# SECTION: Kerberos Configuration #
#############################################################################
#
# NTP server configuration
#
NTPServer1 #NTP server 1
#
# Kerberos Master and Slave configuration
#
KDCRealm #kerberos realm
KDCInterface #Interface on which KDC is configured (1 or 2)
#
# Add a remote backup master
# (excluding the main Master/Primary & Slave/Standby from above)
#
KDCBackupHostname #Hostname of the backup slave
KDCBackupIP #IP address of backup slave
KDCBackupDomain #Domain of the backup slave
#
# NOTE: All Security Policies which are configured for Kerberos Authentication
# will automatically be populated with the Master/Slave/Remote servers IP
# addresses if present in this file.
#
#############################################################################
# SECTION: SNMP Configuration #
#############################################################################
#
# SNMP community attributes
#
SNMPCommunity1 #SNMP community name
SNMPCommunity1IP #IP address for the community
SNMPCommunity1Perm #RO/RW: Access permissions



#
# SNMP Traps
#
SNMPCommunity1Trap #SNMP community trap
SNMPCommunity1TrapIP #SNMP community trap IP



#############################################################################
# SECTION: SYSLOG Configuration #
#############################################################################
#
# Syslog severities
#
# Name Number
#----------- --------
# Emergency 1
# Alert 2
# Critical 3
# Error 4
# Warning 5
# Notice 6
# Info 7
# Debug 8
#
# Syslog host 1
#
SysLogHostname1 #Hostname of syslog collector
SysLogIP1 #IP address of syslog collector
SysLogSev1 #Enter a list of severity numbers
#separated by white spaces EX: 2 3 6 8
#
# Syslog host 2
#
SysLogHostname2 #Hostname of syslog collector
SysLogIP2 #IP address of syslog collector
SysLogSev2 #Enter a list of severity numbers
#separated by white spaces EX: 2 3 6 8
#
# CLI Commands Section
#
#Example CLI Commands
CLI#
CLI#
CLI#
CLI#
3.4 Upgrading Using AutoInstall

This section describes how to upgrade to 2.1 using the autoinstall procedure.
3.4.1 Using AutoInstall to Upgrade from 2.0 to 2.1

1. Copy the new image (WS5000_v2.1.0.0-xxx.sys.img) to the TFTP Server.
2. Change the parameters in the cmd_template as mentioned below
TFTPServer<IP address of the TFTP Server>
ImageRestore <System image filename *.sys.img>
3. Reboot the Switch. As part of boot up process the auto-install will begin and TFTP Server should supply
the new sys.img file.
If all the above parameters are correct, the upgrade will be performed successfully. It is advised the template
file be edited and checked before starting the auto-install process.
Note The following file must be available on the TFTP server before beginning the upgrade process
using Auto Install:
WS5000_v2.0.0.0-034R.sys.img (should be in the TFTP server)
Cmd_template.sym (Should be in the TFTP Server)
3.4.2 Using AutoInstall to Upgrade from 1.4.X.X / 1.4.1.0 / 1.4.1.1 / 1.4.2

/1.4.3 to 2.1
To upgrade the switch from 1.4/1.4.1.0/1.4.1.1/1.4.2/1.4.3/Mantis to 2.1 using the automatic installation:
1. Copy the patch supplied to switch.
copy ftp system -u <user_name>
2. Enter the patch filename, IP Address, and password at the system prompt.
The switch downloads the patch file specified.
3. Log into the service mode CLI using service command from the system context.
4. Run the following service mode CLI command
exec
5. Enter the patch filename when the system prompts. The switch installs the patch file.
6. Before the reboot ensure that the FTP root directory contains the following:
• PreUpgradeScript
• vdate
• dominfo
• WS5000_v2.1.0.0-xxx.sys.kdi
7. Reboot the switch.

As part of boot up process, the auto-install begins.
The DHCP server provides the TFTP server IP and command filename. The command file is present on TFTP
server and it should contain the following name - value pairs for the upgrade.
FTPServer <ftp_server_ip_address>
FTPUser<ftp_user_name>
FTPPassword<ftp_user_password>
UpgradeFile<upgrade_file_name_present_on_the_ftp_server>
The upgrade file is the. sys.kdi file in the ftp user home directory on the ftp server.
If you enter all of these parameters, the switch upgrades successfully.
3.4.3 Using AutoInstall to Upgrade From WS5000 Series Switch Build 49

To upgrade from WS5000 Series Switch to 2.1 as part of Auto-install.
1. Copy the patch supplied to the switch running WS5000 Series Switch (build 49):
copy ftp system -u <user_name>
2. Enter the patch filename, IP Address, and password at the system prompt.
The switch downloads the patch file specified.
patch <patch_file>
5. Enter the patch filename when the system prompts. The switch installs the patch file.
6. Before the reboot ensure that the FTP root directory contains the following:
• PreUpgradeScript
• vdate
• dominfo
• WS5000_v2.1.0.0-xxx.sys.kdi
7. Reboot the switch.
As part of boot up process, the auto-install begins.
The DHCP server provides the TFTP server IP and command filename. The command file is present on TFTP
server and it should contain the following name - value pairs for the upgrade.
FTPServer <ftp_server_ip_address>
FTPUser<ftp_user_name>
FTPPassword<ftp_user_password>
UpgradeFile<upgrade_file_name_present_on_the_ftp_server>
The upgrade file is the. sys.kdi file in the ftp user home directory on the ftp server.
If you enter all of these parameters, the switch upgrades successfully.
3.4.3.1 Installing the Patch File Automatically

You can install the patch files used during the upgrade procedure either manually or automatically using the
Expect program as described below:
Before you run the automatic patch file installation, check that you have:
• A linux machine with the Expect program installed.
• Telnet or SSH enabled on the WS5000 Series Switch.
There is no need to have a patch update for WS5000 from version 2.0 to 2.1.
Installing the Patch File in 2.1 Switches
To install the patch file for 2.1 switches:
1. Download the files bfly_caller.sh and bfly.exp to the linux machine with the Expect program installed.
Download both bfly_caller.sh and bfly.exp to the same directory.
2. Enter the following command from the directory where you download the files:
./bfly_caller.sh <telnet/ssh> ftp <service_password>
<file_containing_ip_of_WS5000 Series Switch_switches> <patch_filename>
<ftp_ip> <ftp_user> <ftp_password>
If you are using tftp, enter the command:
./bfly_caller.sh <telnet/ssh> tftp <service_password>
<file_containing_ip_of_WS5000 Series Switch_switches> <patch_filename>
<tftp_ip>
where:
• <telnet/ssh>: Program (telnet or ssh) enabled on the list of WS5000 Series Switches specified by the
<file_containing_ip_of_WS5000 Series Switch_switches>.
• ftp or tftp: Method used to download the patch file.
• service_password: Service mode CLI password.
• file_containing_ip_of_WS5000 Series Switch_switches: Filename containing the list of
IP Addresses of WS5000 Series Switch Switches (one IP Address per line).
• patch_filename: Name of the patch file downloaded; bfly_patch.tar by default. If you use ftp,
the patch file is in the home directory of the ftp user on the ftp server specified by <ftp_ip>. If you use
TFTP, the patch file is in the tftp server public directory.
• ftp_ip: IP Address of the FTP Server.
• tftp_ip: IP Address of the TFTP Server.
• ftp_user: Name of the ftp user
• ftp_password: ftp user’s password.
Automatically Installing the Patch File in WS5000 Series Switches

1. Download the files mantis_caller.sh and mantis.exp in the same directory of a linux machine
with the Expect program installed.
2. Run the following command from the directory where you downloaded the files:
If you use ftp to download the file:
./mantis_caller.sh ftp <file_containing_ip_of_WS5000 Series
Switch_switches> <patch_filename> <ftp_ip> <ftp_user> <ftp_password>
If you use tftp to download the file:
./mantis_caller.sh tftp <file_containing_ip_of_WS5000 Series
Switch_switches> <patch_filename> <tftp_ip>
where:
• <telnet/ssh>: Program (telnet or ssh) enabled on the list of WS5000 Series Switches specified by the
<file_containing_ip_of_WS5000 Series Switch_switches>.
• ftp: Method used to download the patch file.
• tftp: Method used to download the patch file.
• service_password: Service mode CLI password.
• file_containing_ip_of_WS5000 Series Switch_switches: Filename with the list of IP
Addresses of WS5000 Series Switches (one IP Address per line).
• patch_filename: Name of the patch file downloaded; mantis_patch.tar by default. If you
use ftp, the patch file is in the home directory of the ftp user on the ftp server specified by <ftp_ip>. If
you use TFTP, the patch file is in the tftp server public directory.
• ftp_ip: IP Address of the FTP Server.
• tftp_ip: IP Address of the TFTP Server.
• ftp_user: Name of the FTP user
• ftp_password: FTP user’s password.
There is no need to have a patch update for WS5000 from version 2.0 to 2.1.
3.5 Manual Auto-install

There are two types of file you can use for manual auto-install:
1. The Command File Example shown above. This file has .sym extension.
2. The .cli file, which contains just the CLI section of command file (.sym file).See CLI Commands section
for more details about this file.
A sample CLI file used for radius configuration is shown below:
#############################################################################
#
# Copyright (c) 2005, Symbol Technologies, Inc.
# All rights reserved.
#
# radius_template.sym file
#
# This is a template file to configure WS5000 for MU authentication by onboard
RADIUS Server.
# Requires Server Certificate (cert-srv.pem) and CA Certificate (cacert.pem)
to be present on the TFTP Server
# Username to be used at MU = aaauser0
# Password to be used at MU = aaaaaa
# SSID to be associated to = aaawlan
#
#############################################################################
#Example CLI Commands
# Go to Config context
CLI#cfg
#############################################################################
#TFTP Server Certificate to be installed for RADIUS server
#############################################################################
CLI#copy tftp system

CLI#cacert.pem
CLI#157.235.208.179
#TFTP CA Certificate to be installed for RADIUS server

CLI#copy tftp system
CLI#cert-srv.pem
CLI#157.235.208.179
#############################################################################
#Install Server Certificate to be installed for RADIUS server
#WS5000 is the password used while generating this certificate
#############################################################################
CLI#aaa
CLI#eap
CLI#import servcert cert-srv.pem
CLI#WS5000
CLI#import cacert cacert.pem
CLI#..
CLI#..
#############################################################################
#create a security policy.
#this example uses WEP and 802.1x authentication using Onboard RADIUS server
#shared secret to be used is WS5000
#############################################################################
CLI#securitypolicy
CLI#add aaasecuritypolicy
CLI#set encryption wep40 enable
CLI#2
CLI#157.235.208.234
CLI#1812
CLI#WS5000
CLI#set radius server 1 127.0.0.1
CLI#..
CLI#..
#############################################################################
#create a WLAN. Use the security policy that was created above
#############################################################################
CLI#wlan
CLI#add aaawlan aaawlan
CLI#set security aaasecuritypolicy
CLI#..
CLI#..
#############################################################################
#Create an APPolicy. Add this WLAN
#############################################################################
CLI#appolicy
CLI#add aaaappolicy
CLI#add aaawlan
CLI#..
CLI#..
#############################################################################
#Create a Switch Policy. Use APPolicy and EtherPolicy created above.
#Set Country to US
#Activate this Switch Policy
#############################################################################
CLI#switchpolicy
CLI#add aaaswitchpolicy
CLI#set appolicy aaaappolicy
CLI#set etherpolicy aaaetherpolicy
CLI#set adoptionlist a default allow aaaappolicy
CLI#set adoptionlist b default allow aaaappolicy
CLI#set adoptionlist g default allow aaaappolicy
CLI#set adoptionlist fh default allow aaaappolicy
CLI#set country us
CLI#yes
CLI#..
CLI#..
CLI#set switchpolicy aaaswitchpolicy
#############################################################################
# AAA Configuration
# Add AAA users
# aaauser0, aaauser1, aaauser2 .....
# passwords for all are aaaaaa
# CLI prompts for the passwords twice.
#############################################################################
CLI#aaa
CLI#userdb
CLI#user
CLI#add aaauser0
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser1
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser2
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser3
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser4
CLI#aaaaaa
CLI#aaaaaa
CLI#..
#############################################################################
#Add a RADIUS Group
#############################################################################
CLI#group
CLI#add aaagroup
CLI#..
#############################################################################
# Add aaauser0 to this created group
#############################################################################
CLI#adduser aaauser0 aaagroup

CLI#..
CLI#..
#############################################################################
# Set this access policy for this Group to allow the WLAN
#############################################################################
CLI#policy
CLI#add wlan aaagroup aaawlan
CLI#..
#############################################################################
#Issue Save command to save these configurations
# Start the RADIUS server using "enable"
#############################################################################
CLI#save
CLI#enable
CLI#..
CLI#bye
To execute a .sym file, use the following commands:

• install primary <.sym file name> on a primary switch
• install standby <.sym file name> on a standby switch
To execute the .cli file, use the following command:
• install runcli <.cli file name>
Using the WS5000 Series Switch GUI
You can configure the WS5000 switch and access ports using one of the following methods:
• The GUI through a web browser
• SNMP commands
• CLI from a Telnet connection through the wireless switch console port or a secure shell (SSH)
application.
However, not all areas of the system can be configured solely by the GUI, CLI, or SNMP.
If you need to use a specific interface for a system configuration, this is specified at the beginning of the
configuration process. For information on using the CLI, see Chapter 8, CLI Command Reference.
4.1 Logging In
To log into the WS5000 Series Switch graphical user interface:
1. Open a compatible browser.
2. Connect to the WS5000 Series Switch by typing https:// and the switch’s IP address. The WS5000
GUI Login Page is displayed.
Note You must have Java Runtime version 1.4.2-06 (j2re-1_4_2_06-windows-i586-

p.exe) or greater running on the console machine, to access the WS5000 Series
Switch GUI. This file is included on the CD that ships with the product.
Figure 4.1 WS5000 Series Switch GUI Console Login
3. Type a User ID and Password and click the Login button. The default is “admin” and “symbol”,
respectively.
4.2 Key Distribution Center

The WS5000 Series wireless switch has an on-board Key Distribution Center (KDC), or Kerberos authentication
server. Properly configured, the KDC provides a secure means for authenticating users/clients associated to a
WLAN or ESS with the Kerberos security policy applied. A separate switch with an on-board KDC can be
configured as a slave KDC to support the master KDC in case of a master KDC failure.
The KDC can use the system time or up to three Network Time Protocol servers (NTPs) when available.
Configuration of an NTP server in the KDC is optional, except in a master/slave configuration. When an NTP
server is configured for use, the KDC contacts the NTP server every 30 minutes to synchronize the system time.
When a slave KDC is present, use of an NTP server is recommended so the master and slave KDC times are
synchronized. Not using an NTP server in a master/slave configuration requires periodic, manual time
synchronization to propagate the master database to the slave KDC. This time synchronization step is not
necessary if the master and slave KDC times are within 5 minutes of each other.
Using the WS5000 Series Switch GUI 4-3
Use the WS5000 Series Switch GUI (graphical user interface), the command line interface, or SNMP to
configure the onboard KDC. To configure the KDC via the former, perform the steps in the following sections:
1. Configuring Master KDC Information on page 4-3
2. Setting Kerberos Time Synchronization on page 4-6 (optionally)
3. Creating Kerberos User Accounts on page 4-5
4. Configuring Slave KDC Information on page 4-4 (optionally)
4.2.1 Configuring Master KDC Information

This procedure configures the switch to act as the master KDC authentication server for all Kerberos enabled
WLANs.
Note If using a master and slave switch configuration, ensure that each switch is
named appropriately (using the CLI) in order to avoid two devices with the same
name on the network.
To configure master KDC information:

1. From the WS5000 Series Switch GUI main window, click System Settings > Kerberos >
Configuration > KDC. The Kerberos Security Manager dialog box appears.
Figure 4.2 Kerberos Security Manager—Configuring the Master KDC
2. Select Master from the Configure As list.

3. Enter the Kerberos Realm where the KDC resides.
IMPORTANT! A DOMAIN NAME MUST BE ASSIGNED TO THE ETHERNET PORT

! PRIOR TO ASSIGNING A REALM NAME TO THE KDC.
4. By default, “ethernet1” is selected as the wireless switch’s interface that connects to the wireless
traffic. You can also select “ethernet2” if required.
5. Click Save to complete the Master KDC setup.
4.2.2 Configuring Slave KDC Information

To use the wireless switch’s on-board KDC in a master/slave KDC configuration, the network requires at least
two wireless switches: one for the master KDC and the other for the Slave KDC.
Setting slave KDC information is a two step process as described in the following sections:
• Configuring the KDC Slave
• Configuring the Master KDC to Recognize the Slave
4.2.2.1 Configuring the KDC Slave
IMPORTANT! BEFORE ADDING A SLAVE KDC, A MASTER KDC MUST ALREADY BE

! CONFIGURED.
To configure a KDC as a slave KDC:

1. Click System Settings > Kerberos > Configuration > KDC from the WS5000 Series Switch GUI main
window. The Kerberos Security Manager dialog box appears.
Figure 4.3 Kerberos Security Manager—Configuring a Slave KDC
2. Enter the Hostname, IP Address, and Domain for Kerberos authentication.

3. Select New Slave in the left panel, and configure the slave KDC server details, such as Hostname, IP
address, and Domain.
4. Click Add to set the slave KDC information.
5. Continue with the steps described in Configuring the Master KDC to Recognize the Slave.
4.2.2.2 Configuring the Master KDC to Recognize the Slave

To configure the master KDC to recognize the slave KDC, follow these steps:
1. Complete the steps described in Configuring the KDC Slave.
1. Click System Settings > Kerberos > Configuration > Slave from the WS5000 Series Switch GUI
main window.
2. Select the slave KDC from the list in the left pane. Enter the hostname, IP address, and domain of
the master KDC server.
Figure 4.4 KDC Add Slave
3. Click Add to complete adding the slave to the master KDC. The KDC Add Slave dialog box appears.
Note Click the Synchronize Database button to force the Master KDC to push its
database to the selected slave (even though the database is automatically
synchronized whenever you make a change such as adding a KDC user).
4.2.3 Creating Kerberos User Accounts

A Kerberos user account is required for authentication on the WLAN. However, before a user account can be
added, the master KDC must be configured. See Configuring Master KDC Information on page 4-3 for more
details.
To create a Kerberos user account:
1. From the WS5000 Series Switch GUI main window, select System Settings > Kerberos >
Administration > Users. The Kerberos User Administration dialog box appears.
Figure 4.5 Kerberos User Administration
2. Select New User in the left panel, and configure the user account details as described in Table 4.1,
Table 4.1 Kerberos User Administration Field Descriptions
Field Description
Name A unique (1-20 characters) value that corresponds to the name of the user being
added to or removed from the Key Distribution Center (KDC).
Ticket Life (min) The minimum lifetime of a ticket (value ranges from 1-600 minutes).
Password The Kerberos password for the specific user.
Confirm Enter the password a second time to confirm.
3. When done, click Save to save the new Kerberos user account information.
4.2.4 Setting Kerberos Time Synchronization

This procedure synchronizes the NTP server with the switch’s on board KDC. The KDC can use the system time
or an NTP server (when available). When an NTP server is configured for use, the KDC contacts the NTP server
every 30 minutes to synchronize the system time and propagate the master KDC database to the slave KDC.
Except in a master/slave configuration, KDC NTP time configuration is optional.
To synchronize the NTP server with the switch’s on board KDC, follow these steps:
1. From the WS5000 Series Switch GUI main window, click System Settings > Kerberos >
Configuration > NTP.
The KDC Time Configuration dialog box appears.
Figure 4.6 KDC Time Configuration
2. Enter the IP addresses for the Preferred Time Server, the First Alternate Time Server, and the
Second Alternate Time Server. The alternate servers are optional, but recommended.
3. Click Save to apply settings.
Configuring User and Management
Authentication
The WS5000 Series Switch provides an integrated Radius server as well as the ability to work with External
Radius and LDAP servers to provide user database information and user authentication. Management users
may also be authenticated using external/integrated RADIUS server. The External Radius server cannot be
completely configured through the tools provided by the wireless switch, refer EAP Authentication Settings on
page 6-44 to configure an External Radius server. This association remains unused unless the Radius server
also adds the external switch as a client.The WS5000 Series Switch provides:
• Configuring an On-board RADIUS Server (Internal Radius server)
• Configuring Management User Authentication
• Configuring Remote RADIUS Server (External Radius server), refer EAP Authentication Settings on page
6-44.
• Configuring Windows Server 2000, provides you information about - How to Configure Windows 2000
Server.
5.1 WS5000 as a RADIUS Client

The format of the Calling Station and the Called Station ID are changed, to confirm to the RFC-3580 (IEEE
802.1x RADIUS Usage Guidelines), as follows:
• The 6 byte MAC address now separated by an (-) hyphen when compared to the earlier separator used
(:) colon. An example for Calling Station ID would be – 00-10-A4-23-19-CO.
• The Called Station ID now has the SSID name suffixed to it using a colon (:). For example, the Called
Station ID for the MAC address of 00-10-A4-23-19-CO with an SSID of API would now be “00-10-A4-
23-19-CO:API”.
5.2 Configuring an On-board RADIUS Server

The WS5000 Series Switch provides an integrated Radius server as well as the ability to work with external
Radius and LDAP servers to provide user database information and user authentication.
5.2.1 Configuring the Radius Server

The Radius Server screen allows the admin to set up data sources, as well as specify authentication
information for the built-in Radius server.
To configure the Radius server, select System Settings -> Radius -> Configuration.
Figure 5.1 System Settings
The following Radius Configuration screen appears:

Configuring User and Management Authenti- 5-3
Figure 5.2 Radius Configuration
1. Use the Data Source drop-down menu to select the data source for the local Radius server.
• If you select Local, the internal User Database serves as the data source. Refer to the Users screen
to enter the user data. For more information, see
Configuring Radius Users on page 5-12.
• If you select LDAP, the switch uses the data in an LDAP server. Configure the LDAP server settings
on the LDAP screen under Radius Server on the menu tree. For more information, see Configuring
LDAP Authentication on page 5-7.
2. Use the Default EAP Type drop-down menu in the TTLS/PEAP Configuration field to specify the
EAP type for the Radius server. The options are PEAP and TTLS.
• Protected EAP (PEAP) uses a TLS layer on top of EAP as a carrier for other EAP modules. PEAP is an
ideal choice for networks using legacy EAP authentication methods.
• Tunneled TLS EAP (EAP-TTLS) is similar to EAP-TLS, but the client authentication portion of the
protocol is not performed until after a secure transport tunnel has been established. This allows
EAP-TTLS to protect legacy authentication methods used by some Radius servers.
3. Specify an EAP Authentication Type from the drop-down menu in the TTLS/PEAP Configuration
field. The authentication type for PEAP are GTC and MSCHAP-V2. The authentication type for TTLS
are PAP, MD5 and MS-CHAP-V2
• EAP Generic Token Card (GTC) is a challenge handshake authentication protocol that uses a
hardware token card to provide the response string.
• Microsoft CHAP (MSCHAP-V2) is an encrypted authentication method based on Microsoft's
challenge/response authentication protocol.
• PAP provides a simple method for a remote node to establish its identity using a two-way
handshake. After the PPP link establishment phase is complete, a username and password pair is
repeatedly sent by the remote node across the link (in clear text) until authentication is
acknowledged, or until the connection is terminated
• MD5 provides a simple method for a remote node to establish its identity using a two-way
handshake. After the PPP link establishment phase is complete, a username and password pair is
repeatedly sent by the remote node across the link (in clear text) until authentication is
acknowledged, or until the connection is terminated
4. Click one of the following buttons in the screen:
Apply Saves your changes

Undo Closes the screen without saving your changes. This reverts
the screen back to the last saved configuration.
Cancel Exits the applet and terminate this session
Help Displays the online help
5.2.2 Managing Certificates

To generate a certificate request from the WS5000 Series Switch:
1. Select System Settings > Radius > Certificate Management > Self Certificate.
2. Click the Add button.
3. Enter the certificate signing request (CSR) information and click the Generate button.
4. Copy the generated CSR to a file (with a .req extension) in a Windows 2003 server PC that contains
the CA.
5. Run the certreq command from the command prompt on the Windows 2003 server PC.
The command prompts you for the CSR file.
Enter the name of the CSR file generated from the switch.
The command prompts for the destination to place the server certificate.
6. Copy the ROOT certificate of the CA on the Windows 2003 server PC used to sign the server certificate
into the same location as the server certificate. You must upload this certificate on the switch. See
5.2.2.2 Uploading Certificates on page 6.
5.2.2.1 Importing and Installing CA Certificates

To import and install the CA and server certificates on the WS5000 Series Switch:
1. Ensure the time in the switch is synchronized with the Windows 2003 server PC.
2. Select System Settings > Radius > Certificate Management > Self Certificate to load the CA certificate.
Figure 5.3 Generating Certificate
3. Click the Upload CA Certificate button.

4. Browse to the CA certificates file and click the Send button.
5. Click on the View/Install certificate button to install the CA certificate and Server certificates. The
Install Certificates screen shown in Figure 5.4 appears.
Figure 5.4 Installing Certificates
6. Select the corresponding request ID for the server certificate and the CA certificate ID.
7. Click Apply.
5.2.2.2 Uploading Certificates

If you have a server certificate from a CA and wish to use it on the Radius server:
1. Select Radius > Upload Certificate.
The certificate upload screen (shown in Figure 5.5) appears.
Figure 5.5 Uploading Server Certificate
2. Enter the Radius certificate filename, or click the Browse button.

The menu displays the certificates imported to the switch. You can also choose an imported CA
Certificate to use on the Radius server. If you use a server certificate signed by a CA, you must import
that CA's root certificate using the CA certificates screen from the Certificate Management menu.
Figure 5.6 Uploading CA Certificate
Next Starts uploading the certificate.

Reset Clears the filename and enter a new name.
Help Displays the online help
5.2.2.3 Configuring LDAP Authentication

If the Radius Data Source is using an external LDAP server (see Configuring the Radius Server on page 5-2) the
LDAP screen is used to provide data on the external LDAP server. Select System Settings > Radius
Configuration and click LDAP from the Radius configuration screen.
There should be a group configured in the AAA server local database with the same group name as the LDAP
server. The policy in the AAA server for this group must have the same EAP enabled WLAN. Then, only the
mobile unit is authenticated by the Radius server.
Figure 5.7 LDAP Configuration
1. Configure the LDAP Configuration field to enable the switch to work with the LDAP server. Consult
with the LDAP server administrator for details on how to set the values if necessary.
Server name Enter the name of the external LDAP server acting as the data source for the
Radius server.
LDAP Server IP Enter the IP address of the external LDAP server. The server must be
accessible from the WAN port or from an active subnet on the switch.
Port Number Enter the TCP/IP port number for the LDAP server acting as a data source.
The default port is 389.
Bind DN Specify the Bind Distinguished Name —the distinguished name to bind with
the LDAP server.
Base DN Specify a distinguished name that establishes the base object for the search.
The base object is the point in the LDAP tree at which to start searching.
Pass Attribute Enter the password attribute used by the LDAP server for authentication.
Login Attribute Enter the login attribute used by the LDAP server for authentication. In most
cases, the default value in this field should work.
Filter Specify the filters used by the LDAP server.
Password Enter a valid password for the LDAP server.
Group Name Specify the name of the group sent to the LDAP server.
Membership Specify the Group Member Attribute to be sent to the LDAP server when
Attribute authenticating users.
2. Click one of the following buttons:

Undo Closes the screen without saving your changes. This reverts the screen back
to the last saved configuration.
Help Displays the online help.
5.2.2.4 Configuring Clients

To configure the WS5000 Radius client so that it can be accessed by external Radius servers:
1. Click the Clients Configuration tab in the Radius Configuration screen.
The Radius client configuration screen appears:
Figure 5.8 Client Configuration
2. Enter the following information in the Clients Configuration table:
In the Field Enter

Subnet/Host Name of the subnet or host to authenticate
Netmask The subnet mask number of the host to authenticate.
Shared Secret A shared secret used for each host or subnet authenticating with the Radius
server. The shared secret can be up to seven characters long.
3. Use the Add button to add more entries into the Clients Configuration table. Use the Delete button
to remove entries.

5.2.2.5 Configuring the Radius Accounting Server

The Radius accounting server enables a Network Access Server (NAS) to deliver accounting packets to the
Radius accounting server, which stores this information.
To configure the WS5000 Radius accounting server:
1. Click the Radius Accounting tab in the Radius Configuration screen.
The Radius accounting server screen (shown in Figure 5.9) appears.
Figure 5.9 Radius Accounting Server Configuration
2. Select Enabled or Disabled in the Accounting pulldown menu.
Note Accounting files cannot be viewed from the switch. They have to be
downloaded to a TFTP server for viewing. Downloading the accounting file is
currently supported only through CLI.
3. Enter the following information in the Radius Accounting table:
In the Field Enter

IP Address Enter the IP address of the Radius accounting server.
Shared Secret Enter the shared secret code used to communicate with the Radius accounting
server,
TimeOut (Secs) Enter a value between five and ten to indicate the number of seconds that will
cause the switch to time out on a request to a Radius accounting server.
Port Enter the TCP/IP port number for the Radius accounting server. The default value is
1813.
Max Retry Enter a value between one and ten to indicate the number of times the switch
attempts to reach the Radius accounting server before it stops trying.

5.2.3 Configuring Radius Users

Use the Users screen to create users and groups for the local Radius server. The users database is used when
Local is selected as the Data Source from the Radius Server screen (for more information, see
Configuring the Radius Server on page 5-2). The information in the database is ignored if an LDAP server is
used for user authentication. Select System Settings -> Radius -> Users to maintain the user entries.
Figure 5.10 Radius Users Configuration
Each user created is assigned a unique password and is associated with one or more groups. Each group can
be configured for its own access policy within the Access Policy configuration screen under the Radius Server
menu.
5.2.3.1 Adding Groups

The Groups table displays a list of all groups in the local Radius server database. The groups are listed in the
order they were added. Although groups can be added and deleted, there is no capability to edit the name of
a group.
1. To add a new group, click the Add button and enter the name of the group in the blank field in the
table.

Undo All Closes the screen without saving your changes. This reverts the screen back
Close Exits the applet and terminate this session
5.2.3.2 Deleting Groups

To remove a group, select the group from the table and click the Del (Delete) button. A warning message
displays when applying the change if there are users still assigned to the group. You can remove the group
from each user or add the group back to the group list.
5.2.3.3 Adding Users

The Users table displays the entire list of users. Up to 100 users can be entered. Users are listed in the order
they are added. Although users can be added and deleted, there is no capability to edit the name of a group.
1. To add a new user, click the Add button at the bottom of the Users area.
2. In the new line, type a User ID (username).
3. Click the Password table header. A small window displays. Enter a password for the user and click
OK to return to the Users screen.
4. Click the List of Groups table header. A new screen displays enabling you to associate groups with
a user. A user is required to belong to at least one group in order for the user to have access to the
switch.
• To add the user to a group, select the group from the list of groups (on the right) and click the Add
button.
• To remove the user from a group, select the group in the Assigned list (on the left) and click the
Del (Delete) button.
5. Click OK when you are done.

5.2.4 Configuring Radius Proxy

The Radius server can proxy the authentication requests to a remote radius based on the suffix of the user id.
Figure 5.11 shows the Radius proxy configuration screen.
Figure 5.11 Radius Proxy Configuration
For each proxy server, the WS5000 enables the administrator to configure the following:
• Radius authentication server IP address
• Radius authentication server port
• Secret key
• Suffix of the user ID such as isp2.com or company.com
The WS5000 supports five proxy servers.
5.3 Configuring Management User Authentication

Management users (telnet, cli users etc.) can also be authenticated using external/integrated RADIUS Server.
5.3.1 Using External RADIUS Server

This section will take you step-by-step through the configuration of the wireless switch user authentication
via remote RADIUS server feature using the Symbol WS5000 wireless switch version 1.2 on Microsoft
Windows Server 2000 with Internet Authentication Service and Active Directory.
You would require the following:
1. Symbol WS5000 Wireless Switch version 1.2.0.39 or newer
2. Ethernet switch
3. Microsoft Windows Server 2000 (or Advanced Server) with SP4 or (newer)
4. Experience with Microsoft Windows operating systems and the WS5000
Note It is possible to use the Wireless Switch User Authentication via Remote RADIUS
Server feature with different configurations than what’s provided in this guide.
However, to complete all of the steps in this installation guide the exact configuration
above must be used.
5.3.2 Using On-board RADIUS Server

Management users, authenticated using the onboard RADIUS Server, will be given Read-Only attributes. To
configure the management onboard RADUIUS server, follow the steps provided in 5.2 Configuring an On-
board RADIUS Server on page 2. Add the user with a password. This user must NOT be attached to any group.
Setup on the WS5000 is the same as mentioned in Configuring an On-board RADIUS Server. Specify the IP
address of the switch in Remote Administration dialog.
5.3.3 Physical Network Configuration

This guide uses the following network configuration:
Figure 5.12 Physical Network Configuration
For this installation, Windows Server 2000 must be accessible by the WS5000. The simplest way to achieve
this is to configure the WS5000 and Windows Server 2000 so they are on the same physical and IP subnet. If
they are on different IP subnets, the WS5000 must be able to route to the Windows Server 2000.
5.3.4 Configuring WS5000

1. From the System Settings menu, select Remote Admin …
2. Select the RADIUS Authentication tab. Check the Network Users (Web, Telnet, etc.) check box.
Enter the IP address of the Windows Server 2000 for the Primary Name / IP Address. Enter a Shared
Secret for the Primary. You will need to remember the Shared Secret when configuring the Windows
Server 2000. Click Close.
5.4 LDAP and Certificate Configuration

LDAP Server is used as the database with WS5000 RADIUS server. The configuration details for WS5000 and
LDAP server (Linux OpenLDAP and Windows Active Directory Server) are as follows:
5.4.1 OpenLdap in Linux

• Edit the LDAP configuration file (/etc/openldap/slapd.conf) with the base DN, Manager
username and password.
suffix "o=symbol,c=INDIA"
rootdn "cn=Manager,o=symbol,c=INDIA"
rootpw secret
• Start the LDAP server (/usr/sbin/slapd -d 4)
Note User addition/deletion/searching can be done either through CLI or through

LdapBrowser
• OpenLdap cli command for adding/searching users

ldapadd -x -D "cn=Manager,o=SYMBOL,c=INDIA" -W -f base1.ldif

ldapadd -x -D "cn=Manager,o=SYMBOL,c=INDIA" -W -f group6.ldif
ldapadd -x -D "cn=Manager,o=SYMBOL,c=INDIA" -W -f member6.ldif
ldapsearch -x -b 'o=SYMBOL,c=INDIA' '(&(cn=group2)(objectclass=groupofNames))'
ldif file format (base1.ldif, group6.ldif, member6.ldif, wvpn.ldif)
dn: o=SYMBOL,c=INDIA
objectclass: organization
o: SYMBOL
dn: cn=group6,o=SYMBOL,c=INDIA
objectclass: groupOfNames
member: cn=srijith,o=SYMBOL,c=INDIA
member: cn=apar,o=SYMBOL,c=INDIA
cn: group6
o: SYMBOL
dn: cn=srijith,o=SYMBOL,c=INDIA
objectclass: person
objectclass: uidObject
cn: srijith
sn: srijith
uid: srijith
userPassword: test
dn: cn=wvpnuser,o=SYMBOL,c=INDIA
objectclass: person
objectclass: uidObject
cn: wvpnuser
sn: wvpnuser
uid: wvpnuser
userPassword: test
5.4.2 User/Group Configuration with LdapBrowser

LdapBrowser (free download) can be used for configuring users instead of CLI. Follow the below given steps
to install and start using the LDAP browser:
1. Install LDAP browser and run the binary for configuration GUI (lbe.sh).
2. Connect to a active LDAP server.
3. Import the LDIF files mentioned above, using LDIF->import menu option
(Import base1.ldif,group6.ldif,member6.ldif,wvpn.ldif).
4. Choose Update/Add option when importing the configuration.
5. Verify the users/groups that are loaded are properly displayed in left panel.
5.4.3 ActiveDirectory in Windows server

ActiveDirectory can also be used as LDAP server with WS5000 switch. Users and groups need to be configured
in Active directory for authentication.
5.4.3.1 LDAP configuration for accessing Openldap/ActiveDirectory

1. Use the following command for LDAP Configuration in switch for Openldap. This is valid only for NON-
VPN CLIENTS.
LDAP Server IP 192.192.4.42 :

LDAP Server Port 389 :
LDAP Bind DN :
cn=Manager,o=symbol,c=India
LDAP Base DN :
o=symbol,c=India
LDAP Login Attribute : (uid=%{Stripped-User-Name:-%
{User-Name}})
LDAP Password Attribute : userPassword
LDAP Group Name Attribute : cn
LDAP Group Membership Filter :
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})))
LDAP Group Membership Attribute : radiusGroupName
Note There should be a group configured in the AAA server local database with the
same group name as in LDAP server. The policy in AAA server for this group should
contain the EAP enabled WLAN.
2. Use the following command for LDAP Configuration in switch for Openldap. This is valid only for VPN
CLIENTS.
LDAP Server IP : 192.192.4.42
LDAP Server Port : 389
LDAP Bind DN : cn=Manager,o=symbol,c=India
LDAP Base DN : o=symbol,c=India
LDAP Login : (uid=%{Stripped-User-Name:-%{User-Name}})
LDAP Password : userPassword
LDAP Group Membership Filter : (cn=wwvpnuser)
LDAP Group Membership Attribute :
LDAP Passwd : secret
Note This auth will work only if the username is not present in any group's available @
LDAP server
5.4.4 LDAP Configuration in switch for Active Directory

The following command is used to configuring LDAP in switch for Active Directory:
LDAP Server IP : 192.192.4.42
LDAP Server Port : 389
LDAP Bind DN : cn=blradmin,ou=WID,dc=TVLAB01,dc=com
LDAP Base DN : ou=WID,dc=TVLAB01,dc=com
LDAP Login Attribute : (sAMAccountName=%{Stripped-User-Name:-
%{User
-Name}})
LDAP Password Attribute : UserPassword
LDAP Group Membership Filter : (|(&(objectClass=group)(member=%{Ldap-
UserDn
})))
LDAP Group Membership Attribute : radiusGroupName
Note Only the default PAP encryption type is supported when a user is created in the
Active directory on Windows server. To select all the other encryption, go to the User
Properties > Account Information and select Store User Password in Reversible
Encryption checkbox.
5.4.5 Certificate Management with Win-2003 server

Windows 2003 server has Certificate Authority (CA) functionality which can be used for signing requests. This
details the configuration for PEAP/TTLS authentication with WS5000 RADIUS server.
1. Install Certificate Authority which comes with Win-2003 server.
2. Create a CA in standalone mode at the end of installation
5.4.5.1 Configuration in MU (client)

1. Copy the CA certificate from the 2003 server to client (MU) in base64 encoded format.
2. Install the certificate in the client
3. Select Validate server certificate option in MU connection profile configuration.
5.4.5.2 Signing certificate request from WS5000

1. Generate the CSR from WS5000 using the self-certificate management window from the Applet.
(System Setting > Radius > Certificate Management > Self Certificate)
2. Provide the information required for CSR and click on the Generate button. Then copy the generated
CSR to a Win2003 server PC.
3. Execute certreq <CSR-file> <Cert-file> command from command prompt on the Win2003
server PC. [Cert-file : destination certificate filename]
5.4.5.3 Installing CA & Server Certificate in WS5k:

1. Make sure the time in switch is in sync with 2003 server
2. Load the CA certificate in WS5k using import CA certificate on self-certificate window of applet.(
System Setting > Radius > Certificate Management > Self Certificate) by clicking on the Import
CA Certificate button.
Load the server certificate in WS5000. Select the request ID and then click on the Import Server certificate
button on self-certificate window of applet. (System Setting > Radius > Certificate Management > Self
Certificate).Once imported, installation of CA and server certificates can be done in the radius configuration
window. (System Setting > Radius > Configuration > Install Certificates Tab). Select the corresponding request
id and the CA certificate id and click on the Apply Certificate button.
5.5 Configuring Windows Server 2000

The Windows Server 2000 must have the following components installed:
• Active Directory
• Internet Authentication Service
If any one or all of these components are not installed, the installation instructions are included prior to the
configuration of the component.
5.5.1 Installing Active Directory

If Active Directory is already installed, go to 5.5.2 Configuring Active Directory Users on page 32.
1. To install Active Directory, go to the Start Menu, select Programs > Administrative Tools >
Configure Your Server
2. This will open Windows 2000 Configure Your Server. Select Active Directory from the left side menu.
3. Click on Start the Active Directory wizard.

4. This will open the Welcome to the Active Directory Installation Wizard. Click Next >.
5. Select Domain controller for a new domain. Click Next >.

6. Select Create a new domain tree. Click Next >.
7. Select Create a new forest of domain trees. Click Next >

8. Enter a Full DNS name for new domain. Click Next >.
9. The Domain NetBIOS name will be entered by the Wizard. Click Next >.
10. Keep the default locations for the Database and Log. Click Next >.
11. Keep the default location for the Folder. Click Next >.
12. You may get this alert. Click OK.
13. If you get the alert, you may be asked to configure a DNS server. Select No. Click Next >.
14. Use the default permission selected by the Wizard. Click Next >.
15. Enter the Administrator password. Click Next >.

16. Click Next >.
17. Wait while the Wizard configures Active Directory.

18. Click Finish.
19. Click Restart Now.

5.5.2 Configuring Active Directory Users
If you have not installed Active Directory, go to 5.5.1 Installing Active Directory on page 22
1. To configure Active Directory users, go to the Start Menu, select Programs > Administrative Tools
> Active Directory Users and Computers.
2. This will open the Active Directory Users and Computers. Select a domain from the tree menu on the
left side. Right click on the Users object and select New > User.
3. Enter a First name, Last name and User logon name. You will need to remember this User logon name
when you log into the wireless switch. Click Next >.
4. Enter a Password and Confirm password. You will need to remember this password when you log into
the switch. Click Next >.
5. Click Finish.
6. Right click on the Active Directory User you’ve just created and select Properties.
7. Click the Dial-in tab. Select Allow access. Click OK.

5.5.3 Installing Internet Authentication Service

If Internet Authentication Service is already installed, go ahead to 5.5.4 Configuring Internet Authentication
Service on page 40.
1. To install Internet Authentication Service, go to the Start Menu, select Settings > Control Panel.
2. Select Add/Remove Programs.

3. Click Add/Remove Windows Components.
4. Select Networking Services. Click Details….

5. Select Internet Authentication Service. Click OK.
6. Click Next >.

7. Wait while Windows configures components.
8. Click Finish. Manually restart Windows.

5.5.4 Configuring Internet Authentication Service

1. To configure Internet Authentication Service, go to the Start Menu, select Programs >
Administrative Tools > Internet Authentication Service.
2. This will open Internet Authentication Service. From the Tree, right-click Clients and select New
Client.
3. Enter a Friendly name. We suggest you to use the name of the wireless switch that you configured in
Step 3. Keep Protocol as RADIUS. Click Next >.
4. Enter the IP address of the switch configured in Step 3. Enter a Shared Secret and confirm. Click
Finish.
5. From Internet Authentication Service, right-click on Remote Access Policies and select New
Remote Access Policy.
6. Enter a Policy friendly name. Click Next >.

7. Click Add.
8. Select an Attribute type. If you are not sure which Attribute type to select, go to Windows-Groups.
Click Add…
9. If you selected Windows-Group, click Add… .
10. Select Domain Users. Click Add.

11. This will add Domain Users to the selected groups list. Click OK.
12. Click OK.

13. Click Next >.
14. Select Grant remote access permission. Click Next >.

15. Click Edit Profile …
16. Click on the Authentication tab. Select Unencrypted Authentication (PAP, SPAP). Unselect all
other authentication methods. Click OK.
17. Select the Advanced tab. Click Add… .
18. Select Vendor-Specific. Click Add.

19. Click Add.
20. Select No. It does not conform. Click Configure Attribute… .

21. Enter 3135 for Hexadecimal attribute value:. This value grants full administrative permissions to an
authorized user. Click OK.
22. Click OK.

23. Click OK.
24. Click Close.

25. Click OK.
26. If this warning displays. Click No.

27. Click Finish. This completes the configuration of Internet Authentication Service.
5.5.5 Testing the Configuration

1. To test the configuration, enter the user logon name and password from the new user created in the
Windows Server 2000 Active Directory in 5.5.2 Configuring Active Directory Users on page 32.
2. After successfully logging into the WS5000, check the local logfile for authentication details.
Note To see this message, event 39 (Mgt user auth success [radius]) must be enabled
for the local logfile.
3. Check the Event Viewer on the Windows Server 2000. From the System Log, open the properties for the
IAS source, information event.
4. This will show the details of the IAS event.

Configuring Policies
A network policy is a “packet filter.” It prioritizes packets as they are sent across the wireless network, and
ultimately reject packets completely. Network policies define what packets should be filtered inbound (input)
and outbound (output) based on Input and Output Network Policies.
Network policies should be created to implement QoS and types of service (ToS) protocols. See Quality of
Service on page 1-9 for more details on QoS and types of service protocols supported by the WS5000 Series
wireless switch.
The data from Access Port directed towards MU is governed by outbound Policy Object and the data from an
MU directed to an Access Port is governed by inbound Policy Object.
6.1 Configuring Network Policies

To view the configuration hierarchy while creating a Network Policy, click Where Am I? at any point. A Where
Am I? Dialog Box, such as Figure 6.1, displays.
Figure 6.1 Network Policy Where Am I? Dialog Box
Access Port policies use network policies (see Creating a Network Policy on page 6-13), but prior to creating a
network policy, other network related components and policies must be configured within the switch. These
are:
• Classifiers
• Classification Groups
See the following sections for more details on working with Network Policies:
• Classifiers on page 6-2
• Classification Groups on page 6-5
• Creating a Network Input Policy on page 6-9
• Creating a Network Output Policy on page 6-11
• Creating a Network Policy on page 6-13
• Modifying a Network Policy on page 6-38
6.1.1 Classifiers
A Classifier is a declaration that tests various aspects of a network packet and the path it travels along;
aspects such as source and destination IP, transport protocol, and so on.
A packet will either “pass” or “fail” the predicate. The action taken when a packet passes or fails a Classifier
is not included in the Classifier definition; the action is defined by a Classification Group (see Classification
Groups on page 6-5).
To see the configuration hierarchy while creating a Classifier, click Where Am I? at any point.
A Where Am I? Dialog Box, such as Figure 6.2, is displays.
Configuring Policies 6-3
Figure 6.2 Classifier Where Am I? Dialog Box
6.1.1.1 Creating a Classifier

To create a classifier:
1. From the WS5000 Series Switch GUI main window, select Create > Network > Classifier. The system
launches the Classifier Wizard.
Figure 6.3 Creating a Classifier—Naming the Classifier (and Optionally, Choosing a Template)
2. Enter a name and description for the new WLAN, then if desired, select Use an existing Classifier as
a template.
3. Click Next. A panel for defining match criteria for the classifier is displayed.
Figure 6.4 Creating a Classifier—Defining Match Criteria
Each row of the Match Criteria table is a simple declaration. For each Criteria type to be defined, a value
must also be defined. Unless otherwise noted, the Classifier uses a case-insensitive comparison when
evaluating network packet values.
Create a classifier(s) by referring to Table 6.1 which describes the meanings and acceptable values
ranges for the criteria types.
Table 6.1 Classifier Types and Acceptable Value Ranges
Criteria Type Description
Source Mac Address When evaluating the packet, the Classifier looks at the MAC address of the device
that sent the packet. The value is an arbitrary MAC address in the usual form.
Duplet-separating colons are inserted as you type.
Dest[ination] Mac Address MAC address of the device to which the packet is being sent. Arbitrary MAC
address in the usual form. Duplet-separating colons are inserted as you type.
Ethertype Ethernet type values, as defined by RFC 1700. Select pre-defined values 0x800
(IPv4) or 0x400 (nixdorf), or select and enter a hex number (with prefix “0x”) in the
text field to the right.
VLAN ID ID of the VLAN to/from which the packet is being sent/has been received. The
value is a number (only).
Priority Relative priority value. The value is a number (only).
Protocol Ethernet protocol. Choose from one of the pre-defined protocol constants, or type
in the number (only!) of the desired protocol.
ToS “Type of Service” identifier. The value is a number (only).
Source IP Address The IP address and subnet mask of the device where the packet emerged. The
values are expressed as two dot-separate IP addresses separated by a a single
forward-slash (/). For example: IPaddress/SubnetMaskAddress
Dest[ination] IP Address IP address and subnet mask of the device to which the packet is being sent. The
value is expressed in the same manner as Source IP Address.
Table 6.1 Classifier Types and Acceptable Value Ranges (Continued)

Criteria Type Description
Source Port The Ethernet port number, on the originating device, through which the packet
was sent.
Dest[ination] Port The Ethernet port number, on the recipient device, to which the packet is being
sent.
Multicast Mask MAC address that's used to mask the range of recipients of a broadcast packet.
This is particularly useful for restricting the broadcast of voice and video data.
4. If the predicate for the classifier has more than one clause, the Action conjunction is used to string
predicates together. For example,
• If the consecutive criteria are dissimilar, the predicates are conjoined with “AND”.
• If the consecutive criteria are similar, the predicates are conjoined with “OR”.
Predicates are evaluated and conjoined consecutively. In other words, there is no control over the
grouping of predicates other than logical ordering upon creating them.
Note Keep Classifier predicates as simple as possible, and build more complicated
tests by combining Classifiers in a Classification Group.
Use the Add or Remove buttons to add a new predicate or remove an existing predicate from a
Classifier.
5. When done, click Next. A Classifier Created Successfully! message panel is displayed.
6. Click Finish to save the new classifier and exit the wizard.
6.1.2 Classification Groups

A Classification Group (CG) is a collection of classifiers, or complex predicates that evaluate network packets
as they are sent to or arrive from wireless devices. In addition to collecting classifiers, the CG declares the
action that is to be taken after a packet is evaluated by a classifier. Specifically, the CG declares whether a
packet that passes the classifier evaluation is accepted (allowed to precede across the network) or denied
(thrown away).
To see the configuration hierarchy while creating an Network Policy, click Where Am I? at any point. A Where
Am I? Dialog Box, such as Figure 6.5, is displayed.
Figure 6.5 Classification Group Where Am I? Dialog Box
See the following sections for more details on working with Classification Groups:
• Creating a Classification Group on page 6-6
• Modifying a Classification Group on page 6-7
6.1.2.1 Creating a Classification Group

To create a classification group:
1. From the WS5000 Series Switch GUI main window, click Create > Network > Classification Group.
The system launches the Classification Group Wizard.
Figure 6.6 Creating a Classification Group—Naming the Group (and Optionally, Choosing a Template)
2. Enter a name and description for the new classification group, then if desired, select Use an existing
Classification Group as a template.
3. Click Next. A panel for adding classifiers to the group is displayed.
Figure 6.7 Creating a Classification Group—Adding Classifiers
4. Select from among the Available Classifiers and then click the >> button to move to the Selected
pane.
5. Select an action for each Classifier added to the Selected pane.
• allow – For classifiers with an allow action, packets that pass through the Classifier are allowed
to continue and they are marked as being part of the Classification Group (this is important, since
Input and Output Policies filter packets based on Classification Groups).
Packets that do not pass the evaluation are not immediately thrown away. They are allowed or
denied according to the default action defined in the Input or Output Policy that uses this
Classification Group.
• deny – Packets that have this action associated with the Classifier are thrown away. Packets that
do not pass are allowed to continue (with no Classification Group marking).
6. When done, click Next. A Classification Group Created Successfully! message panel is displayed.
7. Click Finish to save the new Classification Group and exit the wizard.
6.1.2.2 Modifying a Classification Group

To modify an existing Classification Group:
1. From the WS5000 Series Switch GUI main window, click Modify > Network > Classification Group.
The system launches the Classification Group Manager.
Figure 6.8 Classification Group Manager
2. This panel lists all available Classification Groups configured on the system. Table 6.2 describes the
fields and options within this panel. To edit a classification group, select the its name in the left pane
first.
Table 6.2 Classification Group Manager Fields and Controls
Field or Control Description
Name Name of the selected classification group.
Description Description of the selected classification group, if available.
Tree View This expandable tree lists the classification group selected as well as the classifiers that
make up that group.
Properties Displays a list of classifiers within the classification group. Clicking Properties with a
classifier selected launches a new panel displaying the rules for the selected classifier.
Create Launches the Classification Group Wizard to create a new classification group. See
Creating a Classification Group on page 6-6 for more details.
Delete Removes the selected classification group from the system. A dialog appears to confirm
this action.
Edit Opens a variation of the Classification Group Wizard, for editing it in the same fashion
that it was created. See Creating a Classification Group on page 6-6 for more details.
Close Closes the Classification Group Manager without saving any changes.
3. When done, click Next. A Classification Group Updated Successfully! message panel is displayed.
4. Click Finish to save the updated Classification Group and exit the wizard.
5. Click Close in the Classification Group Manager panel.
6.1.3 Creating a Network Input Policy

Network Input Policies define incoming packet filters used with Network Policies. To create a Network Input
Policy:
1. From the WS5000 Series Switch GUI main window, select Create > Network > Input Policy. The
system launches New Input Policy Wizard.
Figure 6.9 Creating a Network Input Policy—Naming the Policy (and Optionally, Choosing a Template)
2. Enter a name and description for the new Input Policy, then if desired, select Use an existing Input
Policy as a template.
3. Click Next. A panel for adding Classification Groups to the Input Policy is displayed.
Figure 6.10 Creating a Network Input Policy—Adding Classification Groups
4. Select from among the Available Classifier Groups and then click the >> button to move a group(s) to
the Selected pane, and to apply it to the Input Policy.
To create a new Classification Group, click Create. See Creating a Classification Group on page 6-6 for
more details.
5. Click Next. A panel for applying prioritization actions to each chosen classification group is displayed.
Figure 6.11 Creating a Network Input Policy—Applying Prioritization to Chosen Classification Group
Table 6.3 describes the Input Policy classification group prioritization and IP redirection options.
IMPORTANT! IP REDIRECTION ONLY APPLIES TO PACKETS THAT HAVE AN

! ETHERTYPE=2048, PROTOCOL=TCP, AND A DESTINATION PORT=[21, 23, 80].
REDIRECTION TO A WEB PAGE ONLY WORKS FOR DESTINATION PORT=80.
Table 6.3 Input Policy Classification Group Prioritization and IP Redirection Options
Parameter or Control Description
Classification Group Tree The tree on the left shows the Classification Groups (CG) added to the Input
Policy. Select a group before modifying the actions and packet prioritization
associated with a group.
Default Action Is... Sets the action performed on all packets that are neither rejected by nor marked
as being part of a CG. Packets can either be allowed to continue along the
network, or be denied (and thus, thrown away).
Packet Marking Tab Set the ToS (Type of Service) bits and set the Tx Priority packet as Data or Voice
(voice gets higher priority than data). To enable these markings, check the
Enable box.
IP Redirection Tab The IP Redirection feature allows packets to be redirected to a hard-coded

destination, such as an IP address (Enter the New IP Address...) or as the path
to a Web page (Enter the New Path...). To enable IP Redirection, check the
Enable box (until the box is checked, the input fields are disabled).
6. When done, click Next. An Input Policy Created Successfully! message panel is displayed.
7. Click Finish to save the new Input Policy and exit the wizard.
6.1.4 Creating a Network Output Policy

To create a network output policy:
1. From the WS5000 Series Switch GUI main window, select Create > Network > Output Policy. The
system launches Create a New Output Policy Wizard.
Figure 6.12 Creating a Network Output Policy—Naming the Policy (and Optionally, Choosing a Template)
2. Enter a name and description for the new Output Policy, then if desired, select Use an existing Output
Policy as a template.
3. Click Next. A panel for adding Classification Groups to the Output Policy is displayed.
Figure 6.13 Creating a Network Output Policy—Adding Classification Groups
4. Select from among the Available Classifier Groups and then click the >> button to move a group(s) to
the Selected pane, and to apply it to the Output Policy.
To create a new Classification Group, click Create. See Creating a Classification Group on page 6-6 for
more details.
5. Click Next. A panel for applying prioritization actions to each chosen classification group is displayed.
Figure 6.14 Creating a Network Output Policy—Applying Prioritization Actions to Chosen Classification
Group
Table 6.4 describes the Output Policy classification group prioritization and weighted fair queuing
options that can be set.
Table 6.4 Output Policy Classification Group Prioritization and WFQ Options
Parameter or Control Description
Classification Group Tree The tree on the left shows the Classification Groups (CG) added to the Input
Policy. Select a group before modifying the actions and packet prioritization
associated with a group.
Default Action Is... Sets the action performed on all packets that are neither rejected by nor marked
as being part of a CG. Packets can either be allowed to continue along the
network, or be denied (and thus, thrown away).
Packet Marking Tab Set the ToS (Type of Service) bits and set the Tx Priority packet as Data or Voice
(voice gets higher priority than data). To enable these markings, check the
Enable box.
WFQ Weighted Fair Queuing. Assign a percentage of available bandwidth to the

classification group’s packets. To enable WFQ, check the Enable box.
This is where you implement QoS (Quality of Service). For more details refer 1.3.4.3 Weighted Fair
Queuing (WFQ) on page 11
6. When done, click Next. An Output Policy Created Successfully! message panel is displayed.
7. Click Finish to save the new Output Policy and exit the wizard.
6.1.5 Creating a Network Policy

To create a network policy:
1. From the WS5000 Series Switch GUI main window, select Create > Network > New Policy. The
system launches Create a New Network Policy Wizard
Figure 6.15 Creating a Network Policy—Naming the Policy (and Optionally, Choosing a Template)
2. Enter a name and description for the new Network Policy, then if desired, select Use an existing
Network Policy as a template.
Note Currently, the interface type is always “Access Port”. That said, the Input
Policy evaluation is performed by the switch before it sends a packet (received from
a wireless device).
3. Click Next. A panel for selecting an Input Policy is displayed.

Input Policies define how to filter incoming packets. Select an Input Policy, or to create a new Input
Policy, click Create... See Creating a Network Input Policy on page 6-9 for more details.
Figure 6.16 Creating a Network Policy—Selecting an Input Policy
4. When done, click Next. A panel for selecting an Output Policy is displayed.
Output Policies define how to filter outgoing packets. Select an Output Policy, or to create a new Output
Policy, click Create... See Creating a Network Output Policy on page 6-11 for more details.
Figure 6.17 Creating a Network Policy—Selecting an Output Policy
5. When done, click Next. A Network Policy Created Successfully! message panel is displayed.
6. Click Finish to save the new Network Policy and exit the wizard.
6.1.5.1 Configuring the Switch from the Default Configuration (Example)

All of the steps below assume that the user is logged in to the WS5100/WS5000 series switch via the console
interface. The GUI may also be used (instructions are included later in this document).
1. Create a Spectralink Phone classifier (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> ce
If “Spectra_Link_Phone” is not present it needs to be created.

b. WS5000.(Cfg).CE> add Spectralink_Phone
c. WS5000.(Cfg).CE> addmc protocol 119
2. Create a Classification Group (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> cg
If “Spectralink_Group” is not present it needs to be created.
b. WS5000.(Cfg).CG> add SpectralinkGroup
c. WS5000.(Cfg).CG.[SpectralinkGroup]> set addce Spectralink_Phone
3. Create an Output Policy (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> po
If “Spectralink Output Policy” is not present it needs to be created.
b. WS5000.(Cfg).PO> add SpectraLinkOutput 1
c. WS5000.(Cfg).PO.[SpectraLinkOutput]> set addcg SpectralinkGroup
d. WS5000.(Cfg).PO.[SpectraLinkOutput]> set cgtxprofile voice SpectralinkGroup
e. WS5000.(Cfg).PO.[SpectraLinkOutput]> set cgpktmod tos enable Spectralink_Group
f. WS5000.(Cfg).PO.[SpectraLinkOutput]> set cgwfq 70 Spectralink_Group
4. Create a Network Policy (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> np
b. WS5000.(Cfg).NP> add SpectralinkNetwork
c. WS5000.(Cfg).NP.[SpectralinkNetwork]> set outboundpolicy SpectralinkOutput
5. Create a Security Policy (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> security
b. WS5000.(Cfg).SecurityPolicy> add WPA2
c. WS5000.(Cfg).SecurityPolicy.[WPA2]> set encryption ccmp enable
Note This command is followed by prompts to enter the type of authentication (EAP
vs. Pre-Shared Key) and information about the key. NetLink Wireless Telephones only
support Pre-Shared Key (PSK) for WPA and WPA2 security.
6. Create a WLAN Policy (from the prompt WS5000.(Cfg)>)

a. WS5000.(Cfg)> wlan
b. WS5000.(Cfg).WLAN> add SpectralinkWLAN <essid>
c. WS5000.(Cfg).WLAN.[SpectralinkWLAN]> set security WPA2
7. Create an AP Policy (from the prompt WS5000.(Cfg)>)
a. WS5000.(Cfg)> appolicy
b. WS5000.(Cfg).APPolicy> add SpectralinkAP
c. WS5000.(Cfg).APPolicy.[SpectralinkAP]> set supportedrates B none
d. WS5000.(Cfg).APPolicy.[SpectralinkAP]> set basicrates B 1,2,5.5,11
e. WS5000.(Cfg).APPolicy.[SpectralinkAP]> set dtim 3

f. WS5000.(Cfg).APPolicy.[SpectralinkAP]> add SpectralinkWLAN
g. WS5000.(Cfg).APPolicy.[SpectralinkAP]> set np SpectralinkNetwork SpectralinkWLAN
8. Create an Ethernet Policy
a. WS5000.(Cfg)> etherpolicy
b. WS5000.(Cfg).EtherPolicy> add SpectralinkEthernet
9. Create a Switch Policy
a. WS5000.(Cfg)> switch
b. WS5000.(Cfg).SPolicy> add SpectralinkSwitch
c. WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> set channel 36 a
d. WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> set channel 1 B
e. WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> set channel 1 G
f. WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> set etherpolicy SpectralinkEthernet
g. WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> set appolicy SpectralinkAP
h. WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> set countrycode US
i. WS5000.(Cfg).SPolicy.[SpectralinkSwitch]> end
j. WS5000.(Cfg).SPolicy> end
k. WS5000.(Cfg)> set switchpolicy SpectralinkSwitch
10. Configure the Ethernet Ports
a. WS5000.(Cfg)> ethernet
b. WS5000.(Cfg).Ethernet> 1
c. WS5000.(Cfg).Ethernet.[1]> ipaddress 1.1.1.1 255.255.255.0
d. WS5000.(Cfg).Ethernet.[1]> end
e. WS5000.(Cfg).Ethernet> 2
f. WS5000.(Cfg).Ethernet.[2]> ipaddress dhcp disable
g. WS5000.(Cfg).Ethernet.[2]> ipaddress 10.3.0.47 255.0.0.0
11. Configure an Access Port
a. WS5000.(Cfg)> accessport
Access Ports Radio MAC Device MAC Type Status
--------------------- ---------- ---------- ----- --------
00:A0:F8:CD:EE:54 [G] 00:A0:F8:C0:38:8C 00:A0:F8:CD:EE:54 G Unavailable
00:A0:F8:CD:EE:54 [A] 00:A0:F8:C0:44:BC 00:A0:F8:CD:EE:54 A Unavailable
00:A0:F8:CD:EE:4D [G] 00:A0:F8:C0:38:60 00:A0:F8:CD:EE:4D G Unavailable
00:A0:F8:CD:EE:4D [A] 00:A0:F8:CD:DA:BC 00:A0:F8:CD:EE:4D A Unavailable
No. of Active Access Ports/Radios: 0/0
b. WS5000.(Cfg).APort> port "00:A0:F8:CD:EE:54 [G]"

c. WS5000.(Cfg).APort.[00:A0:F8:CD:EE:54 [G]]> set policy SpectralinkAP
d. WS5000.(Cfg).APort.[00:A0:F8:CD:EE:54 [G]]> set name Channel3_388c
e. WS5000.(Cfg).APort.[Channel3_388c]> set channel 3
12. Save the Configuration

a. WS5000.(Cfg)> end
b. WS5000> save config example.cfg
6.1.5.2 GUI Configration t oset up a switch (EXAMPLE)

1. Log onto the switch with the proper User ID and Password.
Figure 6.18 Configuring Ethernet 2 as a trunk port
2. Highlight Ethernet 2, check the 802.1q Trunk, select the Primary VLAN then click Apply.
Note The Primary VLAN is dictated by the connecting wired switches port settings.
In this example the connected ports native VLAN is 4. The Primary VLAN will vary
based on your installation.
3. Click OK in the Ethernet Port settings change confirmation dialog box.
Figure 6.19 Ethernet port configured as a trunk before log off
4. Log out of the switch to reflect the trunk port settings.

5. Click OK to log out.
6. Completely close your browser.
7. Log back into the switch.
Figure 6.20 Ethernet 2 configuration screen
8. Click on the VLAN Discovery button.
Figure 6.21 VLAN Discovery prior to Discovery
9. Click the Discover button.

10. Click Close.
Figure 6.22 WS5000 ready to create the Wireless Switch policy
Figure 6.23 Creating the Wireless Switch policy

11. Click Create, Wireless Switch, New Policy.
Figure 6.24 Naming the Wireless Switch Policy
12. Name the Wireless Switch Policy.
Figure 6.25 Create the Ethernet Port Policy

13. Click Ceate.
Figure 6.26 Name the Ethernet Port Policy
14. Name the Ethernet Port Policy and click Next.
Figure 6.27 Establishing VLAN to WLAN mappings

15. Click VLAN Discovery.
Figure 6.28 VLAN Discovery applet
16. Click Discover.

17. Click Continue.
Figure 6.29 Ethernet Port policy, continued

18. Click Next.
Figure 6.30 Ethernet Port Policy Wizard Creating the WLAN
19. Click Create WLAN.
Figure 6.31 WLAN Manager

20. Click Create.
Figure 6.32 WLAN Wizard
21. Name the WLAN and click Next.
Figure 6.33 Adding an ESSID to a WLAN

22. Give the WLAN an ESSID and click Next.
Figure 6.34 WLAN Wizard initiating the creation of the Security policy to be used
23. Click on Create.
Figure 6.35 Naming the Security Policy

24. Name the Security Policy; choose the encryption method that meets you organization's security
requirements and click Next.
Figure 6.36 Encryption manager selecting PSK
25. Check the appropriate Key Management and click Next.
Figure 6.37 Adding the Pre-Shared Key
26. Add the appropriate Hexadecimal value.

27. Click Finish.
Figure 6.38 Selecting the newly created Security Policy
28. Click the down arrow next to the Security Policy; select the newly created Security Policy and click
Next.
29. Click Finish.
Figure 6.39 Finished Creating the WLAN

30. Click Close.
Figure 6.40 Mapping the newly created WLAN to the wired VLAN
31. Click the down arrow for NIC 2; select the newly created WLAN and click Next.
32. Click Finish.
33. Click OK in Ethernet Policy completion information dialog box.
Figure 6.41 Adding the newly created Ethernet Port Policy to the Wireless Switch Policy
34. Click on the down-arrow next to the Ethernet Port Policy; select and click the newly created Ethernet
Port Policy; click Next.
Figure 6.42 Creating the Access Port Policy
35. Click Create.
Figure 6.43 Naming the Access Port Policy

36. Name the Access Port Policy; click Next.
Figure 6.44 Adding the newly created WLAN to the Access Port Policy
37. Select the newly created WLAN; click >>.

38. Click Next.
Figure 6.45 Mapping ESSIDs to WLANS

39. Assign the newly created WLAN its own ESSID; click Next.
Figure 6.46 Adding a Network Policy to the SpectralinkWLAN
40. Click the down-arrow next to the Spectralink WLAN; highlight and click the Spectralink Network
Policy; click Next.
Figure 6.47 Assigning bandwidth to the SpectralinkWLAN

41. Click the AP300a,300g,200b,4121,4131 tab; allocate 70 percent bandwidth to the SpectralinkWLAN;
click Next.
Figure 6.48 AP 300 settings
42. Click the 802.11g tab, change the DTIM to 3; leave the 1, 2, 5.5, 11 rates at Basic and others at
Supported; Beacon and RTS should be left at the defaults of 100 and 2347 respectively; click Next.
43. Click Finish.
Figure 6.49 Adding the newly created Access Port Policy to the Wireless Switch Policy
44. Highlight the newly created Access Port Policy; click >>.
Figure 6.50 Finishing adding the Access Port Policy to the Wireless Switch Policy
45. Click Next.
Figure 6.51 Wireless Switch adoption list allow

46. Click Next.
Figure 6.52 Wireless Switch adoption list disallow
47. Click Next.
Figure 6.53 Default Access Port Policy that will be adopted by unknown access ports
48. Click Next.
Figure 6.54 Wireless Switch Policy
49. Click Finish.
Figure 6.55 Activating the newly created Wireless Switch Policy
50. Click the down-arrow next to Policy Name; highlight and click the newly created Wireless Switch
Policy; click Apply.
51. Click OK in the Wireless Switch Policy activation warning.
52. Click OK in the Wireless Switch Policy activation confirmation dialog box.
Figure 6.56 Finished
At this point the access ports connected should now adopt.

6.1.6 Modifying a Network Policy

To modify an existing network policy:
1. From the WS5000 Series Switch GUI main window, select Modify > Network > Existing Policy. The
system launches the Network Policy Manager.
Figure 6.57 Modifying an Existing Network Policy—Network Policy Manager
2. This panel lists all available Network Policies configured on the system. Table 6.5 describes the fields
and options within this panel. To edit a policy, select the policy name in the left pane first.
Table 6.5 Network Policy Manager Fields and Controls
Name Name of the selected Network Policy.
Description Description of the selected Network Policy, if available.
Input Policy Tree view of the Classification Groups and Classifiers in the Input policy for the selected
Network Policy.
Output Policy Tree view of the Classification Groups and Classifiers in the Output policy for the selected
Network Policy.
Properties Displays information about the selected Input Policy, Output Policy, Classification Group
or Classifier, depending on what is selected/highlighted in the tree.
Create Launches the Network Policy Wizard to create a new Network Policy. See Creating a
Network Policy on page 6-13 for more details.
Delete Removes the selected policy from the system. A dialogue appears to confirm this action.
Edit Opens a variation of the Network Policy Wizard, for editing it in the same fashion that it
was created. See Creating a Network Policy on page 6-13 for more details.
Close Closes the Network Policy Manager without saving any changes.
3. When done, click Next. An Network Policy Updated Successfully! message panel is displayed.
4. Click Finish to save the updated Network Policy and exit the wizard.
5. Click Close in the Network Policy Manager panel.
6.2 Switch Policies

A Switch Policy acts as a container for many other policies, and contains an “adoption list” that controls the
types of access ports (APs) that can be adopted. Therefore, to be logical, the other policies and related
components—Security Policy, ACL List(s), WLANs, Ethernet Policy, and Access Port Policy—should be created
prior to creating the Switch Policy. (However, this is not mandatory. The Switch Policy Wizard allows the
administrator to create the “other” policies along the way, as well, if desired.)
To see the configuration hierarchy while creating an Wireless Switch Policy, click Where Am I? at any point.
A Where Am I? Dialog Box, such as Figure 6.58, is displayed.
Figure 6.58 Wireless Switch Policy Where Am I? Dialog Box
See the following sections for more details on working with Switch Policies and related components that
comprise a Switch Policy:
• Security Policies on page 6-39
• Access Control Lists on page 6-47
• WLANs on page 6-50
• Ethernet Port Policies on page 6-55
• Setting the Country on page 6-66
• Creating a Switch Policy on page 6-66
• Defining/Activating an Emergency Switch Policy on page 6-71
6.2.1 Security Policies

A Security Policy defines the authentication and encryption methods used to secure communication between
the WS5000 Series switch, through its APs, and on to the mobile units. Each WLAN can have a different
security policy associated with it.
You can enable VPN authentication in the security policy only by using the CLI.
To see the configuration hierarchy while creating a Security Policy, click Where Am I? at any point. A Where
Am I? Dialog Box, such as Figure 6.59, is displayed.
Figure 6.59 Security Policy Where Am I? Dialog Box
6.2.1.1 Creating a Security Policy

To create a security policy:
1. From the WS5000 Series Switch GUI main window, select Create > Access Port > Security Policy.
The Security Policy Wizard appears.
Figure 6.60 Creating a Security Policy—Naming the Policy and Specifying an Encryption Type
2. Enter a name and description for the new Switch Policy.

3. Select one or more encryption methods for the Security Policy. The following are encryption options:
• None – No encryption. Any mobile unit that is set to “open” authentication is allowed to associate
with the system unless the adoption list specifically excludes it.
• WEP – 802.11 Wired Equivalent Privacy encryption. If using PSK, WEP must be configured by
choosing 40- or 128-bit encryption and supplying four keys.
• Keyguard MCM – KeyGuard encryption for TKIP (Temporal Key Integrity Protocol). This mode is only
supported by Symbol mobile devices. KeyGuard requires a 128-bit WEP key.
• TKIP – WPA1/WPA2 dynamic encryption. Wi-Fi Protected Access with Temporal Key Integrity
Protocol. If using PSK, an ASCII or hexadecimal value is required to configure TKIP.

• AES CCMP – WPA2 dynamic encryption. If using PSK, an ASCII or hexadecimal value is required to
complete configuration.
4. Click Next. A panel for specifying authentication/key management methods is displayed.
Figure 6.61 Creating a Security Policy—Authentication/Key Management Methods
5. Select one or more authentication/key management method to apply to the Security Policy, as described
in Table 6.6.
Table 6.6 Authentication/Key Management Method Settings
Setting Description
Manually Pre-Shared Key If you use Pre-shared Key (PSK) authentication, the same key is used for
authentication and encryption. The format and configuration of the key is set in
the Configure panel of the selected encryption method.
Kerberos Uses a Kerberos server for mobile unit authentication. You can specify an
external server or the switch's on-board server. To use the on-board server, you
must first configure the switch to be a Kerberos Master by visiting System
Settings > Kerberos > Configuration> KDC. Kerberos only supports KeyGuard and
WEP encryption. To configure the Kerberos settings used by this policy, click the
Configure button.
802.1x EAP Specifies 802.1x EAP authentication using an external Remote Authentication
Dial-In User Service (Radius) server. The Radius server must be accessible to the
switch. To configure the EAP settings used by this policy, click the Configure
button.
Broadcast Key Rotation EAP authentication provides dynamic unicast WEP keys for client devices but
uses static broadcast, or multicast, keys. When broadcast WEP key rotation is
enabled, the access point provides a dynamic broadcast WEP key and changes at
the specified interval. The default interval is 600 seconds.
6. When done, click Next. Depending on the Encryption and Authentication settings specified, the
subsequent panels change. These different panels, and how to configure their settings or controls
follow:
• Kerberos Authentication Settings on page 6-42
• WEP Encryption Settings on page 6-43
• EAP Authentication Settings on page 6-44
Figure 6.62 Kerberos Authentication Settings
The Kerberos Authentication Settings panel is where Kerberos KDC (Key Distribution Center) servers
and realm are specified for the Security Policy, as described in Table 6.7.
Table 6.7 Kerberos Authentication Settings
Setting Description
Primary/Backup/Remote KDC The three KDC text fields require fully-qualified domain names or IP addresses of
Address and Port the Primary KDC, and optionally, the Backup KDC, and Remote KDC servers. The
three servers should actually be thought of as "primary," "first backup," and
"second backup."
If the Primary KDC fails, the system looks for the Backup KDC. If the backup fails,
it looks for the (nominal) Remote KDC. Thus, for example, the Primary KDC can be
a remote server, the Backup KDC can be the on-board KDC of the Primary Switch
("Primary" in the failover mode sense), and the Remote KDC can be the Standby
Switch (again, in the failover sense).
If using the switch's on-board Kerberos server, specify the actual IP address of
NIC1 or NIC2, depending on which one you want to use.
Note A properly-formed, fully-qualified domain name or IP address

is required. The panel does not perform validation checking.
KDC Ports Typically, 88 (default value).

Table 6.7 Kerberos Authentication Settings (Continued)

Setting Description
Realm Name In addition to a Primary KDC server, a Kerberos Realm Name is required. The
Realm Name value should be all upper-case (since it is usually also the DNS
domain).
Note Only properly formed, full-qualified realm names are required.

The panel does not perform validation checking.
Saving the Settings To save settings, click the Save button. The button is disabled until a Primary
KDC server and a Realm Name value is entered.
Warning! A WS5000 model switch is not compatible to be configured as a

! standbys for a WS5100 model switch.
Figure 6.63 WEP Encryption Settings
Note NIC must have DNS name configured.
The WEP Encryption Settings panel is where four pre-shared, manually fixed WEP keys are defined for
the Security Policy, as described in Table 6.8.
Table 6.8 WEP Encryption Setting Descriptions
Setting Description
Key Size To set the key size, choose the 40 bit Key or 128 bit Key radio button in the Key
Size box. If you're using KeyGuard, the key size is automatically set to 128 bits.
Table 6.8 WEP Encryption Setting Descriptions (Continued)

Setting Description
Key Values There are three ways to define your WEP key values:
• Generate a key from a plain text password (or "pass key"). Enter the pass key
in the Pass Key field, select the key you want to generate by clicking a radio
button next to one of the Key #N fields, and then click the Generate button.
A valid pass key value is 1 to 20 ASCII characters in length.
• Define the keys by typing ASCII values into each of the Key #N slots. For a 40-
bit keys use 5-character ASCII values; for 128-bit keys use 10-character
values.
• Type hexadecimal values into the Key #N slots. Use 12 hex characters for 40-
bit keys and 26 hex characters for 128-bit keys.
Reset Keys This button resets the four keys to their factory-default values.
Key Use To indicate the key to be used, click the radio button to the left of its Key
#N slot.
The EAP (Radius) Authentication Settings panel lets you identify the Radius server and set the switch-
side parameters used during Radius authentication. Radius server can of two types
• Remote radius server
• On-board radius server
Figure 6.64 EAP Authentication Settings
If the radius server is remote then it cannot be completely configured through the tools provided by the
wireless switch. This association remains unused unless the Radius server also adds the switch as a
client.
If an On- board radius server is used then the switch should be added as a client. The IP address and
shared secret should be set as configurable.Refer Configuring Clients for more details.
Table 6.9 describes the EAP authentication settings and Radius identification settings to be configured.
Table 6.9 EAP Authentication Settings and Radius Identification Settings
Setting Description
Authentication Settings
Pre-authentication When enabled, pre-authentication (or “fast-associate in advance”) lets an access

port send a mobile unit's authentication credentials (from a previous Radius
authentication attempt) to the “next” access port. This feature enhances fast
roaming between APs.
Opportunistic PMK Caching When enabled, Pairwise Master Key (PMK) Caching tells the access ports to
cache the mobile unit's credentials as they (the MUs) are authenticated. If the
MU roams away from that AP and then back again, the MU doesn't have to re-
authenticate.
Reauthentication Period Specifies the time interval, in seconds, after which mobile units are forced to
reauthenticate with the Radius server. Valid values are in the range [30, 65535]
seconds; the default is 3600 seconds (1 hour). To edit the Reauthentication value,
click the corresponding checkbox.
Max Retries Specifies the number of times a mobile unit can try to authenticate during the
reauthentication phase. Valid values are in the range [1, 99]; the default is 5
attempts. A value of 1 means if the first reauthentication attempt fails, the
mobile unit will not be allowed to (re)associate with the switch.
Radius Server Identification
Radius Server Name/IP Specify the IP addresses or fully-qualified domain names of the servers. Radius
Port
Radius Port Radius UDP authentication port. This is the port number, in the range [1, 65535,
that the wireless switch uses to send requests to the Radius server. The default
is 1812.
Radius Shared Secret Specify the key used to encrypt communication between the wireless switch and
the Radius server(s). The secret that you supply here must match the secret that
was specified when the wireless switch was added as a client of the Radius
server. You have to add the switch to the Radius server using tools that are
provided by the Radius server itself. In other words, the switch can't “push” itself
onto the server, the server must “pull” the switch into its client corral.
Advanced Settings
(In general, default settings are acceptable. Only experienced Radius users should modify these values.)
Quiet Period Specifies how long the switch waits, in seconds, between (failed) attempts to
authenticate an MU.
Supplicant Timeout Specifies how long the switch waits, in seconds, for an authenticated-but-
recently-dissociated MU to respond to a re-associate request. When the
supplicant timeout expires, the MU will need to re-authenticate before re-
associating.
Tx Period Specifies how long the switch waits, in seconds, for an MU to respond to a
"request identity" message. After the Tx period expires, the switch sends another
"request identity" to the MU. When the MU responds to the message, the
authentication process begins.
Table 6.9 EAP Authentication Settings and Radius Identification Settings (Continued)
Setting Description
Max Retries If the reauthentication period is enabled, this value specifies the number of times
the switch will try to re-authenticate an MU that doesn't respond to the “request
identity” message.
Saving the Settings
Save To save your settings, click the Save button. The button is disabled until you
provide Radius Server Name/IP, Radius Port, and Radius Shared Secret values.
7. When done, click Next. An Security Policy Created Successfully! message panel is displayed.
8. Click Finish to save the new Security Policy and exit the wizard.
6.2.2 Access Control Lists

Use the switch Access Control List (ACL) to specify which mobile units can or cannot gain access to the WLAN.
The ACL employs an adoption rule for allowing or denying specific mobile units by way of exception. By default,
all mobile units can gain access.
The ACL contains MAC addresses for MUs allowed to associate with the switch. This provides security by
preventing unauthorized access. Additionally, the switch uses a disallowed address list of MAC addresses to
prevent the switch from communicating with specified destinations.
To see the configuration hierarchy while creating an Access Control List, click Where Am I? at any point. A
Where Am I? Dialog Box (such as Figure 6.65) displays.
Figure 6.65 ACL Where Am I? Dialog Box
See the following sections for more details on working with switch ACL:
• Creating an Access Control List on page 6-48
• Modifying an Access Control List on page 6-49
6.2.2.1 Creating an Access Control List

To create an access control list:
1. From the main window, select Create > Access Port > Access Control List. The system launches the
Access Control List Wizard.
Figure 6.66 Creating an Access Control List—Naming the ACL (and Optionally, Choosing a Template)
2. Enter a name and default action (allow or deny) for the new ACL, then if desired, select Use an existing
Access Control List as a template.
3. Click Next. A panel for configuring the ACL rules is displayed. An ACL rule consists of a MAC address
range, and an action (either allow or deny). When an MU is discovered, its MAC address is compared to
the defined ACL rules, as follows:
• If the MU is in an “allow” rule, the MU is allowed to associate.
• If the MU is in a “deny” rule, it's not allowed to associate.
• If the MU is in neither rule, the default action applies.
Figure 6.67 Creating an ACL—Defining ACL Rules
Configure the ACL rules per the control options described in Table 6.10.
Table 6.10 Creating an ACL—Control Options within Rule Configuration Panel
Control Description
Add... To add a new rule, click the Add... button. In the panel that appears, fill in the
start MAC, end MAC, and action (type).
Delete and Edit... The Delete and Edit... buttons work on the currently selected rule to remove or
edit a rule, respectively.
Upload... ACL rules can be defined in a text file, and then uploaded to the switch using the
the Upload button.
The ACL file format contains one rule per line. The rule must follow this format:
action StartMac EndMac
action is either add (allow) or delete (deny)

StartMac and EndMac are normal six-duplet, colon-separated MAX addresses.
To specify a specific MU, exclude the end MAC.
Search... To look for a specific MAC address among the rules defined, click Search... and
enter the address in the panel that appears (and click Find in the new panel). If
the MAC is affected by a rule, that rule is selected in the rule list.
4. When done, click Next. An Access Control List Rule Created Successfully! message panel is
displayed.
5. Click Finish to save the new Access Port Policy and exit the wizard.
6.2.2.2 Modifying an Access Control List

To modify an existing Access Control List:
1. From the WS5000 Series Switch GUI main window, select Modify > Access Port > Access Control
List. The system launches the Access Control List Manager.
Figure 6.68 Modifying an Access Control List—Access Control List Manager
2. This panel lists all available Access Control Lists configured on the system. See Table 6.10 for more
details on the controls within this panel to modify the ACL.
3. When done, click Next. An Access Control List Updated Successfully! message panel is displayed.
4. Click Finish to save the updated Access Control List and exit the wizard.
5. Click Close in the Access Control List Manager panel.
6.2.3 WLANs
A WLAN defines attributes applied to mobile units on a portion of the wireless LAN. To see the configuration
hierarchy while creating a WLAN, click Where Am I? at any point. A Where Am I? Dialog Box, such as Figure
6.69, is displayed.
Figure 6.69 WLAN Where Am I? Dialog Box
See the following sections for more details on working with Ethernet Port Policies:
• Creating a WLAN on page 6-51
• Modifying a WLAN on page 6-53
6.2.3.1 Creating a WLAN

To define a WLAN:
1. From the WS5000 Series Switch GUI main window, select Create > Access Port > WLAN. The system
launches the WLAN Wizard.
Figure 6.70 Creating a WLAN—Naming the WLAN (and Optionally, Choosing a Template)
2. Enter a name and description for the new WLAN, then if desired, select Use an existing WLAN as a
template.
3. Click Next. A panel for configuring ESS ID, MU associations, and WLAN network addresses is
displayed.
4. Configure the ESS ID, mobile unit association and WLAN network address controls, as displayed in
Figure 6.71 and described in Table 6.11, for the WLAN being created. (If a template was selected in step
2, some components may already be defined.)
Figure 6.71 Creating a WLAN—Configuring ESS ID, MU Association and WLAN Network Address Controls
Table 6.11 Creating a WLAN—Configuring ESS ID, MU Associations, and WLAN Network Address Controls
Configuration Components Description
ESS ID Controls
ESSID Use this text field (1 to 32 characters) to assign an Extended Service Set Identifier
(ESSID) to the WLAN.
Accept Any ESSID When unchecked, an MU trying to associate with the access port on the WLAN
checkbox must have the same ESS ID.
When checked, the Access Port will allow any MU to associate. (However, an
ESSID value still must be supplied).
Secured Beacon checkbox When Use Secured Beacon is checked (in the lower right corner) is checked,
the WLAN's ESSID is not broadcast in the AP's beacon message, otherwise
(unchecked) it is.
MU Access Controls
Max MUs field Maximum number of MUs that can associate through this WLAN at a time, in the
range [1, 4095].
MU to MU Disallow When checked, MUs are disabled from being able to communicate directly with
checkbox each other. Instead, all MU to MU packets are routed through the network.
MU to MU Drop checkbox When checked, packets sent from one MU to another are dropped within the
switch.
ACL field To apply an Access Control List to the WLAN's gateway, choose an ACL from the
Create... button drop-down list. To create a new ACL, click Create... See Creating an Access
Control List on page 6-48 for more details.
Enable ACL checkbox When checked, the selected ACL is enabled.
Network Addresses
Default Route Set the IP address (default route) and subnet mask (netmask) of the WLAN's
Netmask gateway.
5. When done, click Next. A new wizard panel is displayed, as shown in Figure 6.72, to apply a security
policy.
6. Select a security policy or click the Create button to create a new security policy (see Creating a
Security Policy on page 6-40 for more details). If the selected security policy includes Kerberos
Authentication, a Kerberos Password field is enabled, and must also be entered.
Figure 6.72 Creating a WLAN—Applying a Security Policy to the WLAN
7. When done, click Next. A WLAN Created Successfully! message panel is displayed.
8. Click Finish to save the new WLAN and exit the wizard.
6.2.3.2 Modifying a WLAN

To modify an existing WLAN’s definition:
1. From the WS5000 Series Switch GUI main window, select Modify > Access Port > WLAN. The
system launches the WLAN Manager.
Figure 6.73 Modifying an Existing WLAN Definition—WLAN Manager
2. This panel lists all available WLANs configured on the system, as well as their settings. Table 6.12
describes the fields and options within this panel.
Table 6.12 WLAN Manager Fields and Controls
Name Name of the selected WLAN.
Description Description of the selected WLAN, if available.
ESSID Displays the ESSID for the selected WLAN.
Max MUs Maximum number of Mobile Units allowed on the selected WLAN.
Security Policy Active security policy for the selected WLAN.
MU Traffic Policy for mobile unit communication.
ACL Rule Active Access Control List policy for the selected WLAN.
ACL Whether ACLs are being used or not.
Secured Beacon Controls the behavior of the Access Port signal for this WLAN. One of two values:
• Enable stops broadcasting the beacon.
• Disable allows broadcasting.
Accept Any ESSID Whether ESSIDs are accepted or not. One of two values:
• If true, the ESSID field is ignored in mobile unit configurations and all mobile users are
allowed to connect to the switch.
• If false, a limited number of mobile user connections to mobile users are configured
with the switch’s ESSID.
Create Launches the WLAN Wizard to create a new WLAN. See Creating a WLAN on page 6-51
for more details.
Delete Removes the selected WLAN from the system. A dialog appears to confirm this action.
Edit Opens a variation of the WLAN Wizard, for editing it in the same fashion that it was
created. See Creating a WLAN on page 6-51 for more details.
Close Closes the WLAN Manager without saving any changes.
3. When done, click Next. An WLAN Updated Successfully! message panel is displayed.
4. Click Finish to save the updated Ethernet Policy and exit the wizard.
5. Click Close in the WLAN Manager panel.
6.2.4 Ethernet Port Policies

The Ethernet Port Policy configures the switch’s Ethernet ports, and associates multiple WLANs with multiple
LANs or VLANs. There are two Ethernet ports on WS5000 Series switches. By convention, port 1 (the left port)
connects to the wireless LAN, and port 2 (the right port) connects to the wired LAN.
Note Before configuring an Ethernet policy, the administrator must determine if

either of the ports are to be configured as “trunk ports”. If so, they must be
configured on the switch first. Otherwise, the Ethernet policy configuration will not
allow VLAN discovery or mapping of WLANs to VLANs.
To see the configuration hierarchy while creating an Ethernet Port Policy, click Where Am I? at any point. A
Where Am I? Dialog Box, such as Figure 6.74, is displayed.
Figure 6.74 Ethernet Port Policy Where Am I? Dialog Box
See the following sections for more details on working with Ethernet Port Policies:
• Creating an Ethernet Port Policy on page 6-55
• Modifying an Ethernet Port Policy on page 6-58
• Configuring VLANs on page 6-59
6.2.4.1 Creating an Ethernet Port Policy

The default recommended Ethernet port configuration in the wireless switch has Ethernet ports (1) and (2) on
different subnets. Ethernet port (1) supports the WLAN infrastructure (access ports and associated MUs) and
Ethernet port (2) provides connectivity to the wired LAN infrastructure (the primary VLAN ID should always be
mapped to Ethernet port (2) in this configuration).
To create an Ethernet Port Policy:
1. From the WS5000 Series Switch GUI main window, click Create > Ethernet > New Policy. The system
launches the Ethernet Port Policy Wizard.
Figure 6.75 Creating an Ethernet Port Policy—Naming the Policy (and Optionally, Choosing a Template)
2. Enter a name and description for the new Ethernet Port Policy, then if desired, select Use an existing
Ethernet Policy as a template.
3. Click Next. A panel for specifying VLAN support is displayed (Figure 6.76).
VLANs are virtual LANs that can support the wireless side of the network. The VLANs for the two
Ethernet ports are specified in separate tabs (ethernet1 tab, ethernet2 tab); otherwise, the contents of
the two tabs are the same. Specify a VLAN, based on the following available options:
• To force a discovery of any existing VLANs, click VLAN Discovery... If any appear, they can then
be selected from the discovery list and added to the Ethernet Port Policy.
• To manually add a new VLAN to the Ethernet policy, click Add and fill in the VLAN ID, Priority, and
Subnet fields.
The Priority setting is relative to other priorities. The greater the priority value, the greater service
that VLAN gets. If this is the Primary VLAN for the port, click the Primary radio button.
Note Before configuring an Ethernet policy, the administrator must determine if

either of the ports are to be configured as “trunk ports”. If so, they must be
configured on the switch first. Otherwise, the Ethernet policy configuration will not
allow VLAN discovery or mapping of WLANs to VLANs.
Figure 6.76 Creating an Ethernet Port Policy—Specifying VLAN Support
4. When done specifying a VLAN(s), click Next. A panel for associating WLANs to its NICs (or VLANs) is
displayed (for trunk ports only).
Figure 6.77 Creating an Ethernet Port Policy—Associating WLAN toNICs (or VLANs)
Select a VLAN row in the mapping table and select the WLAN you want to map it to. Other options
include:
• To add a new arbitrary mapping click Insert, select the NIC that the VLAN will be on, specify the
VLAN ID or IP address, and select the WLAN.
• If you need to create a new WLAN, click the Create WLAN... button. See Creating a WLAN on page
6-51 for more details.
• To remove a mapping, select the VLAN row and click the Remove button.
5. When done, click Next. An Ethernet Policy Created Successfully! message panel is displayed.
6. Click Finish to save the new Ethernet Policy and exit the wizard.
6.2.4.2 Modifying an Ethernet Port Policy

To modify an existing Ethernet Port Policy:
1. From the WS5000 Series Switch GUI main window, select Modify > Ethernet > Existing Policy. The
system launches the Ethernet Policy Manager.
Figure 6.78 Modifying an Existing Ethernet Policy—Ethernet Policy Manager
2. This panel lists all available Ethernet policies configured on the system. Table 6.13 describes the fields
and options within this panel. To edit a policy, select the policy name in the left pane.
Table 6.13 Ethernet Policy Manager Fields and Controls
Name Name of the selected Ethernet Policy.
Description Description of the selected Ethernet Policy, if available.
VLANs Interface configurations in the policy tree.
Properties Displays the the LANs or VLANs associated with the selected Ethernet policy.
Create Launches the Ethernet Policy Wizard to create a new Ethernet Policy. See Creating an Ethernet Port
Policy on page 6-55 for more details.
Delete Removes the selected policy from the system. A dialog appears to confirm this action.
Edit Opens a variation of the Ethernet Policy Wizard, for editing it in the same fashion that it was
created. See Creating an Ethernet Port Policy on page 6-55 for more details.
Close Closes the Ethernet Policy Manager without saving any changes.
3. When done, click Next. An Ethernet Policy Updated Successfully! message panel is displayed.
4. Click Finish to save the updated Ethernet Policy and exit the wizard.
5. Click Close in the Ethernet Policy Manager panel.
6.2.4.3 Configuring VLANs

A WLAN to VLAN association is created in a Ethernet port policy. The Ethernet ports on the wireless switch
are configured to support one or more available VLANs for WLAN to VLAN association. See Creating an
Ethernet Port Policy on page 6-55 for more details.
Note The recommended Ethernet port configuration in the wireless switch has
Ethernet ports (1) and (2) on different subnets with Ethernet port (1) supporting the
WLAN infrastructure (access ports and associated MUs). Always map the primary
VLAN ID to Ethernet port (2) in this configuration.
6.2.5 Access Port Policies

An Access Port Policy defines access port configuration details such as an AP’s beacon interval, RTS threshold,
its set of supported data rates, and so on. The AP policy is also responsible for adding WLANs to the AP and
for attaching a security policy, access control list, and network policy (or packet filter) to each AP.
To see the configuration hierarchy while creating an Access Port Policy, click Where Am I? at any point. A
Where Am I? Dialog Box, such as Figure 6.79, is displayed.
Figure 6.79 Access Port Policy Where Am I? Dialog Box
See the following for more details on working with Access Port Policies:
• Creating an Access Port Policy on page 6-59
• Modifying an Access Port Policy on page 6-64
6.2.5.1 Creating an Access Port Policy

To create a new Access Port Policy:
1. From the WS5000 Series Switch GUI main window, select Create > Access Port > New Policy. The
system launches the New Access Port Policy Wizard.
Figure 6.80 Creating an Access Port Policy—Naming the Policy (and Optionally, Choosing a Template)
2. Enter a name and description for the new Access port policy, then if desired, select Use an existing
Access Port Policy as a template.
3. Click Next. A panel for applying a WLAN(s) to the Access Port Policy is displayed.
Figure 6.81 Creating an Access Port Policy—Assigning an Available WLAN(s)
4. Select from among the Available WLANs and click the >> button to move a WLAN(s) (from 1 to 16
WLANs) to the Selected pane, and apply it to the Access Port Policy.
To create a new WLAN, click Create. See Creating a WLAN on page 6-51 for more details.
5. Click Next. A panel for specifying WLAN policy definitions for specific AP hardware types is displayed
(for example, Figure 6.82). Depending on the selected tab, the contents of this panel change slightly.
Figure 6.82 Creating an Access Port Policy—Specifying Policy Definition for Specific AP Hardware Types
There are seven AP hardware types: AP 100, AP 200a, AP 200b, AP 300a, AP 300g, and converted access
points AP 302x (frequency-hopping) and AP 4131. These hardware types are grouped by the number and
mapping of BSSIDs and ESSIDs. Therefore, each such group is presented in separate tabs. On each tab,
a WLAN(s) can be selected that will support that hardware group. Table 6.14 describes the WLAN
parameters that can be specified, per hardware type.
Table 6.14 WLAN Parameters, Per Hardware Type, within Access Port Policy Definition
Parameter Description
AP 100; 4BSS - 4ESS
WLAN Name Select as many as four WLANs that will support AP 100 Access Ports. These APs
provide a 1-1 mapping of four BSSIDs to four ESSIDs. The BSSID values are
created automatically. The WLANs will also be included in the beacon.
AP 200a; 1BSS - 16ESS
WLAN Name All WLANs are automatically added to the AP 200a group, and are given a single,
State auto-generated BSSID that maps to 16 ESSIDs. Use the State flag to declare
which of the listed WLANs should be considered the "Primary," WLAN.
AP 300a/g, AP 200b, 4121; 4BSS - 16ESS

WLAN Name All WLANs get included in this policy with the selected settings.
BSSID This group provides four 1-BSS-to-4-ESS mappings. Set the BSSID as a value
from 1 to 4.
Primary Set a Primary WLAN for each BSSID by clicking the checkbox. An Access Port
Policy must have at least one primary if one WLAN, or at least 4, if 4 or more
WLANs.
FHAP302x; 1BSS - 1ESS
Table 6.14 WLAN Parameters, Per Hardware Type, within Access Port Policy Definition (Continued)
Parameter Description
WLAN Name This group provides a single BSS/ESS mapping, by default, for Frequency
Hopping 302x (converted) Access Points. Use the radio buttons to select the
WLAN that will support these devices.
6. When done configuring the hardware type, click Next. A panel for assigning a network policy is
displayed. For each WLAN listed in the left column, select a Network Policy to be applied for the WLAN.
Figure 6.83 Creating an Access Port Policy—Assigning a Network Policy for Each WLAN in the Access Pol-
icy
To create a new Network Policy, click Create... See Creating a Network Policy on page 6-13 for more
details.
7. When done, click Next. A panel for assigning RF bandwidth settings is displayed. Bandwidth is set, per
hardware type, so four tabs are shown.
Figure 6.84 Creating an Access Port Policy—Assigning a Network Policy for WLANs in the Access Policy
A WLANs bandwidth is the guaranteed minimum amount of available network bandwidth reserved to
be used by a specific WLAN.
Edit the bandwidth field, in each hardware type tab, to divide the network RF bandwidth across all
WLANs assigned per hardware type grouping. The total bandwidth in each tab must be equal to 100%.
8. When done, click Next. A panel to specify radio characteristics for the Access Port Policy is displayed.
Figure 6.85 Creating an Access Port Policy—Specifying Radio Characteristics
Configure the Access Port Policy radio settings per the descriptions in Table 6.15. Radio settings should
be configured for all supported radio types in the four different tabs.
Table 6.15 Access Port Policy Radio Settings
Setting Description
DTIM Interval Sets the Delivery Traffic Indication Method (DTIM) Interval as a multiple of the
beacon interval. Valid settings are in the range [1, 20]. Broadcasts are stored by
the Access Port. When the Access Port receives a polling signal at the DTIM
interval, it releases the broadcast message to the MU.
Beacon Interval Sets the AP's beacon interval, in milliseconds. Valid intervals are in the range
[20 – 1000].
RTS Threshold Sets the Request to Send (RTS) threshold. This is the maximum size of packets
that use the 4-way handshake. The threshold is set by default to 2347 (the largest
packet size), and turns off the 4-way handshake. The 4-way handshake allows
nearby Access Ports to sense the wireless conversation and improve throughput.
Preamble Use the radio buttons to set the type of network message preamble (short or long)
that is added to messages that are sent through this Access Port Policy.
802.11x Tabs Declare the data rates supported as one of the following:
• Basic
• Supported
• Not Used
9. When done, click Next. An Access Port Policy Created Successfully! message panel is displayed.
10. Click Finish to save the new Access Port Policy and exit the wizard.
6.2.5.2 Modifying an Access Port Policy

To modify an existing Access Port Policy:
1. From the WS5000 Series Switch GUI main window, select Modify > Access Port > Existing Policy.
The system launches the Access Port Policy Manager.
Figure 6.86 Modifying an Existing Access Port Policy—Access Port Policy Manager
2. This panel lists all available Access Port Policies configured on the system. Table 6.16 describes the
fields and options within this panel. To edit a policy, select the policy name in the left pane first.
Table 6.16 Access Port Policy Manager Fields and Controls
Name Name of the selected Access Port Policy.
Description Description of the selected Access Port Policy, if available.
Policy Tree Access Port configurations in the policy tree.
Properties Displays a list of access ports (when highlighted in the tree) that can be adopted by the
policy. The list itself is defined by the Wireless Switch Policy.
See Switch Policies on page 6-39 for more details.
Create Launches the Access Port Policy Wizard to create a new Access Port Policy. See Creating
an Access Port Policy on page 6-59 for more details.
Delete Removes the selected policy from the system. A dialog appears to confirm this action.
Note Default Access Port Policy cannot be deleted.
Edit Opens a variation of the Access Port Policy Wizard, for editing it in the same fashion it
was created. See Creating an Access Port Policy on page 6-59 for more details.
Close Closes the Access Port Policy Manager without saving any changes.
3. When done, click Next. An Access Port Policy Updated Successfully! message panel is displayed.
4. Click Finish to save the updated Access Port Policy and exit the wizard.
5. Click Close in the Access Port Policy Manager panel.
6.2.6 Setting the Country

The WS5000 Series wireless switch is preconfigured from the factory with the “Default Wireless Switch
Policy” enabled. However, the Country selection for that policy is set to None, thus preventing the switch from
being enabled with a default country setting (United States, for example) that conflicts with the actual location
of the switch.
Note As long as the Country selection remains set to None, the wireless switch
cannot adopt any access port(s).
To set the country, modify the “Default Wireless Switch Policy”, or create a new Wireless Switch Policy with
the appropriate country for the wireless location. See Creating a Switch Policy on page 6-66 for more details.
6.2.7 Creating a Switch Policy

To create a wireless switch policy:
1. From the WS5000 Series Switch GUI main window, click Create > Wireless Switch > New Policy.
The system launches the Wireless Switch Policy Wizard.
Figure 6.87 Creating a Wireless Switch Policy—Naming a Policy (and Optionally, Choosing a Template)
2. Enter a name and description for the new Wireless Switch Policy, then if desired, select Use an
existing Wireless Switch Policy as a template.
3. Click Next. A panel for configuring the settings of the Wireless Switch Policy is displayed.
Figure 6.88 Creating a Wireless Switch Policy—Configuring Settings
Configure the Wireless Switch Policy settings per the descriptions in Table 6.17.
Table 6.17 Wireless Switch Policy Settings
Setting Description
Switch Settings
Country Select the appropriate country for the location of the wireless switch. The switch
will not adopt Access Ports until the country is set. Once a country is specified,
the None option is no longer available.
Note It is the responsibility of the switch owner to correctly set the

country. An incorrect country setting can cause the switch to use
illegal broadcast settings.
Emergency Check this box to designate the Wireless Switch Policy as the "Emergency"
Switch Policy (ESP). There can only be one ESP at a time (A Switch Policy that
previously assigned as the ESP will no longer act as such.)
After designating an Emergency Switch Policy, the ‘E’ icon in the lower left corner
of main window will turn red. You can turn the ESP on and off by clicking the icon.
When you turn the ESP off, the previously active Switch Policy will be re-
activated.
Ethernet Port Policy Each Switch Policy incorporates a (single) Ethernet Port Policy. To make this
assignment, you can select from among the existing Ethernet Port Policies, or you
can click Create... To create a new policy, see Creating an Ethernet Port Policy
on page 6-55.
Table 6.17 Wireless Switch Policy Settings (Continued)

Setting Description
AP Channel and Power Settings
Channel Select a value from the Channel.11x field. The set of discreet channels available
depends on the country of operation, and is further limited by the restricted
channels declared in the Automatic Channel Settings panel.Special values
include:
• Auto (once) – The AP uses Automatic Channel Selection (ACS) the first time
that it is adopted by the switch, and then sticks to the channel thereafter.
• Auto – The AP uses ACS every time that it is adopted.
• Random – The AP chooses a random channel every time it's adopted.
Power Select a mW value from the Power.11a field. The set of values depends on the
country.
Allow DS Coexistence. Only on the 802.11 FH tab. By checking this box, the Access Port divides the
frequency spectrum so Frequency-Hopping (FH) devices use one portion, and
Direct-Sequence (DS) devices use the other.
Note FH/DS co-existence isn't legal in all countries. If you have a

switch set to a country in which co-existence is not allowed, the
Allow DS Coexistence option is disabled.
ACS Settings Click this button to add/modify Restricted Channel Settings, which defines a set
of channels the Automatic Channel Selection (ACS) mechanism is not allowed to
choose.
Separate sets of restricted channels can be specified for 802.11a and 802.11b/g
devices. To add a restricted channel, click Add and choose a channel. If desired,
add descriptive text to explain why the channel is restricted.
To remove a channel from the list, select a channel in the list and click Delete.
4. When done, click Next. A panel to associate Access Port Policies to the Wireless Switch Policy is
displayed.
Figure 6.89 Creating a Wireless Switch Policy—Associating Access Port Policies
5. Select from among the Available Access Port Policies and click the >> button to move a Policy(s) to the
Selected pane, and to apply it to the Wireless Switch Policy.
6. When done, click Next. A panel to create a set(s) of access ports (and converted access points) the
switch is allowed to adopt is displayed.
Figure 6.90 Creating a Wireless Switch Policy—Allowed Adoption Lists
7. If desired, create an Access Port List that includes “allowed” MAC address ranges. Only those APs that
fall thin the specified address range(s) are allowed to be adopted.
If you do not specify an disallowed AP list, all APs are candidates for adoption.
8. When done, click Next. A panel to create a set(s) of access ports (and converted access points) that the
switch disallows to be adopted is displayed.
Figure 6.91 Creating a Wireless Switch Policy—Disallowed Adoption Lists
9. If desired, create an Access Port List that includes “disallowed” MAC address ranges. Only those APs
that fall within the specified address range(s) are disallowed to be adopted.
If you do not specify an allowed AP list, all APs are candidates for adoption.
10. When done, click Next. A panel to assign an action to be taken when the Wireless Switch detects an
“unknown” AP—or, in other words, an AP that is not in an “allowed” list or “disallowed” list—is
displayed.
Figure 6.92 Creating a Wireless Switch Policy—Assigning an Action for Unknown APs
11. Set the action within this panel.

• To deny adoption, select Deny Adoption. By checking the Send SNMP Trap box, an SNMP trap
is captured when such an AP is denied.
• To allow adoption, select Adopt, and select the Access Port Policy applied to the adopted AP, for
each of the radio types.

12. When done, click Next. A Wireless Switch Policy Created Successfully! message panel is
displayed.
13. Click Finish to save the new Wireless Switch Policy and exit the wizard.
6.2.8 Defining/Activating an Emergency Switch Policy

When creating or modifying a Wireless Switch Policy, the policy can be designated at the Emergency Switch
Policy (ESP). There can only be one ESP at a time; a Switch Policy previously assigned as the ESP is replaced
when a new ESP is designated.
After designating an Emergency Switch Policy, the ‘E’ icon in the lower left corner of main window turns red.
You can turn the ESP on and off by clicking the icon. When the ESP is turned off, a previously active Switch
Policy is re-activated as the ESP.
For more details, see Creating a Switch Policy on page 6-66.
Configuring Rogue AP Detection
Rogue Access Ports (APs) are an area of concern with respect to LAN security. The term Rogue AP denotes an
unauthorized access port connected to the production network or operating in a stand-alone mode (perhaps in
a parking lot or in a neighbor’s building). Rogue APs are not under the management of network administrators
and do not conform to any network security policies.
Although 802.1x security settings should completely protect the LAN, organizations are not always fully
compliant with the newest wireless-security best practices. In addition, organizations want the ability to
detect and disarm rogue APs. The WS5000 Wireless Switch provides a mechanism for detecting and reporting
rogue APs.
7.1 Configuring Rogue AP Detection

To configure Rogue AP detection, select System Settings > Rogue AP Detection.
The Rogue AP Detection screen appears.
Figure 7.1 Rogue AP Detection Screen
From the Rogue AP Detection field, select Enable to allow the switch to scan for rogue AP’s over the
network. If you set Rogue AP Detection to Disable, all UI components in this screen are disabled. Disabling
Rogue AP Detection leaves the switch vulnerable to data theft from rogue devices on the switch managed
network.
7.1.1 Defining the Detection Method

The switch provides three methods for detecting rogue Access Ports (APs). Use the Detection Method field
to set the method(s) the switch uses to detect rogue APs. The detection process involves defining a set of
options and detection intervals the switch uses for scanning for devices, then validating located devices as
either legitimate devices operating within the switch managed network, or categorizing the devices as rogue
APs that can be trapped by the administrator and prevented from interoperating with legitimate devices.
1. Check the RF Scan by MU box if you want the switch to work with mobile units (MUs) to detect a rogue
AP.
Each MU reports whether it supports rogue AP detection mechanisms. If it does, the switch sends
WNMP requests, at regular intervals, to the MU to get a list of APs. The MU scans all the channels for
APs in the vicinity. It prepares a list of APs (BSSIDs) and sends it back to the switch using the WNMP
response message. The switch, in turn, processes this information.
Configuring Rogue AP Detection 7-3
2. Check the RF Scan by AP box if you want the switch to work with the APs to detect a rogue AP. By
default, this method is selected.
The switch sends a WISP configuration message to each adopted AP indicating rogue AP detection is
required. Each AP listens for beacons on its present channel and passes the beacons to the switch
without modification. The switch then processes the beacons to determine whether any of them are
rogues. This method is less disruptive than the RF Scan by MU mode.
3. Check the RF Scan by Detector AP box if you want the switch to work with the detector AP on the
LAN (which you set up) to detect rogue APs.
Note Only some devices have the capability of being a Detector AP, including
Symbol AP100, AP200, and AP300 Access Ports.
4. Enter a time interval (in minutes) in the Scan Interval field for each enabled detection method. By
default, the scans are set at one hour intervals.
7.1.2 Specifying Detector APs

To specify an access port as a detector access port, click the Detector AP button in the Rogue AP Detection
screen. The Detector AP screen appears.
Figure 7.2 Detector AP Screen
The Detector AP screen displays the available AP list on the left and the detector AP list on the right.
To set an AP as a detector AP, click the AP from the available AP list and click the >> button to move it to the
detector AP list.
To move it back to the available AP list, click the << button. Click Apply.
7.1.3 Configuring Rule Management

The Rule Management field within the Rogue AP Detection screen contains a Rule List button for
determining whether a detected AP can be approved or not. Each entry in the table works as an AP evaluation
rule. Specify a particular MAC address or ESSID, or optionally indicate any MAC address or ESSID will work.
Figure 7.3 Rule Management Section
1. Check the Authorize Any AP Having a Symbol Defined MAC Address box to indicate any Symbol
AP (which has a known Symbol MAC address) is an approved AP. This is helpful for rendering all Symbol
devices as approved without having to filter through the list of located addresses.
2. Define the following Rule Management options:
MAC Address Enter a valid mac address used during the detection process or use a wild card
(FF:FF:FF:FF:FF:FF) to represent any MAC address.
ESSID Enter an approved ESSID used during the detection process or use a wild card(*)
to represent ANY ESSID.
3. Select a rule and click the Del button to delete it from the table.
4. Click the Delete All button to clear the entire rule list.
5. Click Apply from the Rogue AP screen to save your changes to the Rule List and Rogue AP screens.
6. Click Cancel from the Rogue AP screen to cancel all updates to the Rogue AP and Rule List screens.
7.1.4 Examining Approved and Rogue Access Ports

Use the AP List screen to display information about each AP (rogue or valid) known to the switch. All approved
APs are listed in the upper table. All rogue APs are listed in the lower table. The AP List screen also allows the
administrator to create detection rules from the information collected about approved or rogue APs.
To display the AP List, select System Settings > Rogue AP Detection and click the AP List tab in the Rogue
AP Detection screen.
Figure 7.4 Access Port List Section
Add a selected AP to Select a row and click to view the

the rule list details of the selected Rogue AP
Each row of the AP List represents all unapproved and approved APs that the switch has located. The MAC
and the ESSID for each AP are listed. Use this portion of the screen to change the age out time or to add a rule
to the rule list for a particular AP:
1. Enter a value in the Approved AP 's Entry Age Out Timer field to indicate the number of elapsed
minutes before an AP will be removed from the approved list and reevaluated. A zero (0) for this value
indicates an AP can remain on the list permanently.
2. Click the Add to Rule List button to add a rule to the Approved APs' Rule Management table on the
Rogue AP Detection screen. The generated rule uses the MAC address and ESSID of the selected AP.
The Rogue AP List
Each row of the Rogue AP List represents a rogue AP the switch has found. It lists the MAC address and the
ESSID for each rogue AP.
1. Enter a Rogue Entries Age out time to indicate the number of elapsed minutes before an AP is
removed from the rogue list and reevaluated. Entering a zero indicates an AP can stay on the list
permanently.
2. Click the Add AP to Rule List button to add the AP to the Approved APs' Rule Management table of
the Rogue AP Detection screen. The generated rule uses the MAC address and ESSID of the selected AP.
7.1.5 Viewing Details of the Rogue AP

To view detailed rogue AP information:
1. Select a rogue AP from the Rogue AP List.
2. Click the View Details button to open a new window to view detailed information about the rogue AP
and its detector.
The top of the Rogue AP Details screen lists information about the AP.
MAC Address The MAC address of the rogue AP.

ESSID The ESSID for the rogue AP.
Last Heard At Indicates the number of elapsed hours since the rogue AP was last noticed on
the network in hours:minutes:seconds.
Discovering AP Displays the MAC address of the AP that detected the rogue APs.
MAC
Signal Strength Displays the Receiver Signal Strength Indicator (RSSI) for the rogue. This value
is between 1 and 255. The larger the value, the better the signal strength and
the closer the AP.
Note The WS5000 Wireless Switch only reports rogue APs, it does not remove
them from the network. It is up to the administrator to change security settings or
disrupt the rogue AP's connection
7.1.6 SNMP Traps for Rogue AP Events

The WS5000 Series Switch supports two SNMP traps for capturing rogue AP data.
CcRapNewApprovedAp
The CcRapNewApprovedAp generates a trap whenever the switch finds and authorizes a new
AP. It generates a trap at the first instance when the AP is approved. It provides the ESSID and MAC
address of the approved AP.
• CcRapResultsApprovedPortalPtr: A bit maps data, which hints where this AP is
located.
• CcRapResultsApprovedHowFound: Traps information on how the rogue was detected
(over the air, AP scanning, wire scanning or MU scanning).
• CcRapResultsApprovedHowAuth: Traps information on how the was approved
• CcRapNewRogueAp
The CcRapNewRogueAp generates a trap when the switch determines that an AP is a rogue AP.
The trap provides ESSID and MAC address of the rogue AP.
• CcRapResultsRoguePortalPtr: Provides information on where the reporting AP is
located.
• CcRapResultsRogueHowFound: Traps information on how the rogue AP was detected
(over the air, AP scanning, wire scanning or MU scanning).
7.1.7 Rogue AP Syslog Messages

The WS5000 Series Switch logs a number of syslog events as rogue devices are encountered within the switch
managed network. The messages and event scenarios include:
Scenario Syslog Message

Rogue AP detection feature Rogue AP detection is enabled/disabled.
is enabled/disabled
MU scan detection is MU scan rogue AP detection is enabled/disabled.

enabled/disabled
AP scan detection is AP scan detection is enabled/disabled.
enabled/disabled
Detector AP scan is Detector AP scan is enabled/disabled.
enabled/disabled
AP is newly approved AP=<mac>, EssId=<essid> is detected and added to
“approved list.”
AP is newly determined as AP=<mac>, EssId=<essid> detected and added to “rogue list.”
Rogue
Age out occurs for rogue AP Rogue AP list entries aged out and deleted from the rogue list.
list
Age out occurs for Approved Approved AP list entries aged out and deleted from the approved list.
list
For more information on configuring the WS5000 Series Switch to support the Syslog events described in this
section, see Syslog Context on page 8-189.
CLI Command Reference
This chapter describes the commands that are defined by the WS5000 Series Command Line Interface (CLI).
Access the CLI by running a terminal emulation program on a computer that is connected to the serial port at
the front of the switch, or by using Telnet via secure shell (SSH) to access the switch over the network.
The default cli user is “cli”. The default username and password is admin and symbol, respectively.
8.1 CLI Overview

Before you begin working with the WS5000 Series Switch CLI, review the following sections to gain some
basic understandings of the CLI, in the following areas:
• About Contexts
• About Instances
• Basic Conventions
8-2 WS 5000 Series System Reference
8.1.1 About Contexts

For a WS5000 Series Switch, CLI commands are invoked within “contexts.” Contexts are hierarchical in a
manner similar to directories are hierarchal in a traditional file system; in other words, contexts may contain
other contexts.
When you log into the switch, by default you are in the System context—this is the top of the context
hierarchy. To enter a subcontext, type its name. The only subcontext of the System context is the Configure
context.
To get to the Configure Context from the System Context, type “configure” at the CLI prompt (as a
convenience, you can also type “cfg” to access the Configure Context). When invoked, the CLI prompt changes
to indicate the current context. For example:
WS5000> cfg
WS5000.(Cfg)>
Table 8.1 summarizes the context hierarchy found in the CLI for a WS5000 Series Switch. Named subcontexts
are called Instances (or Instance Contexts). Instances are described further in About Instances on page 8-5.
Table 8.1 CLI Context Hierarchy for a WS5000 Series Switch
Main Context Subcontext Subcontext Instance Context Subcontext
System Context Configuration (cfg) AAA
Access Port (APort) [APort_Name]

Access Control List (ACL) [ACL_Name]
Access Port Policy (APPolicy) [APPolicy_Name]
banner
Classification Element (CE) [CE_Name]

Classification Group (CG) [CG_Name]
Chassis
Ethernet Port (Ethernet) [Ethernet_Name]
Ethernet Policy (EtherPolicy) [EtherPolicy_Name]
Events Syslog
FTP
Firewall (FW)
Host [Host_Name]
Key Distribution Center
Network Policy [NP_Name]
Policy Object [PO_Name]
Radius
Rogue AP
CLI Command Reference 8-3
Main Context Subcontext Subcontext Instance Context Subcontext
Route
Security Policy [SecurityPolicy_Name]
Sensor [Sensor_MAC]
SNMP
Secure Shell
Secure Sockets Layer
Standby
Switch Policy [SPolicy_Name] Restricted

Channel
Telnet
Tunnel [GRE_Tunnel_Name]
User [User_Name]
WLAN [WLAN_Name]
WME [WME_Name]
WVPN
Most of the switch configuration is performed in subcontexts of the Configuration context. For example, to drop
into the WLAN subcontext you type “wlan” from the Configuration context:
WS5000.(Cfg)> wlan
WS5000.(Cfg).wlan>
To bump up a context level, type “..”:
WS5000.(Cfg).wlan> ..
ws5000.(Cfg)>
To jump to the system context use exit:
WS5000.(Cfg).wlan> exit
ws5000>
Note You can’t go “up and over” when navigating the CLI—constructions such as
“.. context” or “../context” do not work.
8.1.2 CLI Indexing

You can use CLI indexing and navigate to a subcontext by typing the index number instead of the context name.
The following CLI contexts have the indexing functionality:
• AAA
• Access Port
• Access Control List
• Access Port Policy

• Classifier Element
• Classification Group
• Ethernet
• Ethernet Policy
• Events
• Firewall
• Host
• Network Policy
• Policy Object
• Security Policy
• Sensor
• Switch Policy
• Tunnel
• User
• WLAN
• WME
The following example shows you how to use the index number 1 to access the Default Access Port Policy
subcontext.
WS5000.(Cfg).APPolicy>
WS5000.(Cfg).APPolicy> show
Available Access Port Policies:

1. Default Access Port Policy.
2. NewAP.
WS5000.(Cfg).APPolicy> 1
Access Port Policy details for "Default Access Port Policy":
Policy Name : Default Access Port Policy

Description : Default Access Port Policy, only ESSID 101
and no security, and default network policy
Basic Rate for 11a : 6,12,24
Supported Rate for 11a : 9,18,36,48,54
Basic Rate for 11b : 1,2
Supported Rate for 11b : 5.5,11
Basic Rate for 11g : 1,2,5.5,11
Supported Rate for 11g : 6,9,12,18,24,36,48,54
Basic Rate for FH : 1
Supported Rate for FH : 2
RF Preamble : short
RTS Threshold : 2347 Bytes
DTIM Period : 10
DTIM Period BSS 2 : 10
Beacon Interval : 100
Allow MUs w/o Spectrum Mgmt : false
WLAN details for the Access Port policy 'Default Access Port Policy'
WLAN Name Network Policy
--------- --------------
Symbol Default Default Network Policy
WS5000.(Cfg).APPolicy.[Default Access Port Policy]>
8.1.3 About Instances

Most contexts contain “instances” of themselves. An instance, is like a named context; it is a set of
configuration values that is identified by a name. Some contexts have pre-defined instances, but, in general,
instances must be created.
To create an instance, the add command is used with a <name> parameter. The following example creates a
Switch Policy instance:
WS5000.(Cfg)> switchpol
Active Switch Policy name: Default Wireless Switch Policy

Available Switch Policies:
1. Default Wireless Switch Policy.
WS5000.(Cfg).SPolicy> add TestPolicy
Adding Switch Policy...

Status: Success.

2. TestPolicy.
Switch Policy details

---------------------
Policy Name : TestPolicy
Description :
Country : AU
Channel for .11a : Auto (once)
Channel for .11b : Auto (once)
Channel for .11g : Auto (once)
Power Level for .11a : 20 dBm
Power Level for .11b : 20 dBm
Power Level for .11g : 20 dBm
Active EtherPolicy Name : Default Ethernet Policy
# of APPolicies attached : 0
Include Adoption List details : List is Empty.
Exclude Adoption List details : List is Empty.
Default Adoption action for .11a : Deny.
Default Adoption action for .11b : Deny.
Default Adoption action for FH : Deny.
Default Adoption action for .11g : Deny.
Send SNMP trap on adoption deny : Disabled
DS Coexistence : Disabled
WS5000.(Cfg).SPolicy.[TestPolicy]>
When you create an instance, the command prompt changes to that instance’s context; the name of the
instance context is shown in brackets. Like contexts, the available commands are based on the type of instance
created, and are used to configure the instance specifically.
8.1.4 Basic Conventions

Following are a few conventions to keep in mind while working within the command line interface:
• Pre-defined CLI commands and keywords are case-insensitive: cfg = Cfg = CFG. However, mostly
for clarity, CLI commands and keywords are displayed in this guide using mixed case. For example,
apPolicy, trapHosts, channelInfo.
• The names of all context instances, whether system defined or created by you, are case-sensitive.
• CLI commands can be concatenated when invoking them at the command line. For example, to jump
from the System context to the myWLAN instance, you can enter a command as follows:
WS5000> cfg wlan myWLAN
WS5000.(Cfg).wlan.[myWLAN]>
Of course, concatenating commands is quicker than, for example, entering three commands: one to jump
to the Cfg context, one to jump to the wlan context, and one to jump to the myWLAN instance):
• If an instance name (or other parameter) contains whitespace, the name must be enclosed in quotes:
WS5000.(Cfg)> spol "Default Switch Policy"
WS5000.(Cfg).SPolicy.[Default Switch Policy]>
• To abort an unresponsive command, type <Ctrl>-c. That is, hold down the Control key and type c.
8.2 Common Commands

Table 8.2 summarizes the commands common amongst many contexts and instance contexts within the
WS5000 Series command line interface.
Table 8.2 Common Commands Among Most Contexts
Command Description Ref.
.. or end Terminate a current session and moves up a context, hierarchically. page 8-7
exit Terminate a current session and returns to the “root” prompt. page 8-7
? or help Get the command information. page 8-7
logout or bye Close this session. page 8-8
clear Clear the screen. page 8-8
emergencymode Enable or disable Emergency mode. page 8-8
history Display command history within a context or instance page 8-9
ping Ping a network host/IP address page 8-9
show commands Display context specific attributes page 8-23

8.2.1 .. or end
Common to all contexts and instances, except System Context
Terminates the context or instance session, and changes the command prompt to be one higher.
Syntax
..
or
end
or
exit
Parameters
None.
Example
WS5000.(Cfg).NP> ..
WS5000.(Cfg)> end
WS5000>
8.2.2 exit
Common to all contexts and instances, except System Context
Terminates the context session, and returns the prompt to the root (for example, WS5000>).
For example, if you use the exit command in the ACL context, the prompt reverts to the System context prompt.
Syntax
exit
Parameters
None.
Example
WS5000.(Cfg).ACL> exit
WS5000>
8.2.3 ? or help
Common to all contexts and instances
Retrieves a list of commands supported given the context or instance.
Syntax
?
or
help
Parameters
None.
Example
WS5000> ?
or
WS5000> help
8.2.4 logout or bye

Closes or logs out of the current session.
Syntax
logout
or
bye
Parameters
None.
Example
WS5000 logout
or
WS5000> bye
8.2.5 clear
Clear the screen.
Syntax
clear
Parameters
None.
Example
WS5000> clear
8.2.6 emergencymode
Enables or disables the “Emergency” Switch Policy (ESP), a switch policy that can activated (enabled) at any
time in case of an emergency. When ESP is deactivated (disabled), the previous switch policy is reactivated.
To set the emergency policy, use the emergencymode command.
Syntax
> emergencyMode <enable_flag>
Parameters
enable_flag Indicates whether to enable or disable the ESP. Possible values are:
• enable
• disable
Example
WS5000.<context_path> > emergencymode enable
8.2.7 history
Display the history of commands invoked at the command prompt for any given context. Alternatively, using
the keyboard “up arrow” key is a short-cut to retrieve (and reuse) commands that were used previously in a
context session.
Syntax
history
Parameters
None.
Example
WS5000.<context_path> > history
8.2.8 ping
System Context, Configuration (Cfg) Context, Host Context
Sends ICMP ECHO_REQUEST packets to a network host.
Syntax
ping [-Rdfnqrv] [-c count] [-i wait] [-l preload] [-p pattern]
[-s packetsize] <host/IP_address>
Parameters
-Rdfnqrv These optional flags are can be broken down as follows:

• -R: Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet
and displays the route buffer on returned packets. Note that the IP header is only
large enough for nine such routes. Many hosts ignore or discard this option.
• -d: Set the SO_DEBUG option on the socket being used. Essentially, this socket
option is not used by Linux kernel.
• -f: Flood ping. For every ECHO_REQUEST sent a period ``.'' is printed, while for ever
ECHO_REPLY received a backspace is printed. This provides a rapid display of how
many packets are being dropped. If interval is not given, it sets interval to zero and
outputs packets as fast as they come back or one hundred times per second,
whichever is more. Only the super-user may use this option with zero interval.
• -n: Numeric output only. No attempt will be made to lookup symbolic names for host
addresses.
• -q: Quiet output. Nothing is displayed except the summary lines at startup time and
when finished.
• -r: Bypass the normal routing tables and send directly to a host on an attached
interface. If the host is not on a directly-attached network, an error is returned. This
option can be used to ping a local host through an interface that has no route through
it provided the option -I is also used.
• -v: Verbose output.
-c count Stop after sending count ECHO_REQUEST packets. With deadline option, ping waits for
count ECHO_REPLY packets, until the timeout expires.
-i wait Wait interval of seconds between sending each packet. The default is to wait for one
second between each packet normally, or not to wait in flood mode. Only super-user may
set interval to values less 0.2 seconds.
-l preload If preload is specified, ping sends that many packets not waiting for reply. Only the
super-user may select preload more than 3.
-p pattern You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for
diagnosing data-dependent problems in a network. For example,
-p ff will cause the sent packet to be filled with all ones.
-s packetsize Specifies the number of data bytes to be sent. The default is 56, which translates into
64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
host/IP_address The name or IP address of the host to which the request packets are sent.
Example
WS5000> ping WS5000
PING WS5000 (10.1.1.101): 56 data bytes
64 bytes from 10.1.1.101: icmp_seq=0 ttl=255 time=0.037 ms
--- WS5000 ping statistics ---

4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.037/0.045/0.052 ms
WS5000>
8.3 System Context

Table 8.3 summarizes the commands within this context.
Table 8.3 System Context Command Summary
? or help Get the command information page 8-11
logout or bye Close this session page 8-12
clear Clear the screen page 8-12
configure Change to the Configuration Context to configure system attributes page 8-12
copy Copy files between the Switch and TFTP/FTP server page 8-13
delete Delete an image/config file from the system page 8-14
description Set description text page 8-15
directory Display the available image/config files in the system page 8-15
emergencymode Enable or disable Emergency mode page 8-15
export Export log files from the switch to the TFTP server page 8-16
install Install primary/standby or Kerberos config page 8-17
logdir Display the user saved log files page 8-18
name Set or change the name page 8-19
remove Remove a log file shown by ‘logdir’ command page 8-20
restore Restore a system image or configuration page 8-21
rfping Send a WNMP Ping to an Access Port page 8-21
save Save the current system configuration to a file page 8-22
service Switches to the Service mode page 8-22
show commands Display system context specific attributes page 8-23
8.3.1 ? or help
System Context
Retrieves a list of commands supported given the context or instance.
Syntax
?
or
help
Parameters
None.
Example
WS5000> ?
or
WS5000> help
8.3.2 logout or bye

System Context
Syntax
logout
or
bye
Parameters
None.
Example
WS5000 logout
or
WS5000> bye
8.3.3 clear
System Context
Clear the screen.
Syntax
clear
Parameters
None.
Example
WS5000 > clear
8.3.4 configure
System Context
Puts the user in the Configuration (Cfg) Context to configure system attributes. See Configuration (Cfg) Context
on page 8-45 for more details.
Syntax
configure
Parameters
None.
Example
WS5000 > configure
WS5000.(Cfg)>
Note As a shortcut, “cfg” can be used instead of “configure”.
8.3.5 copy
System Context
Copies a file from the WS5000 to a (T)FTP server, or vice versa. TFTP can be used to transfer *.sys.img,
*.cfg, and *.sym files. FTP can be used to transfer .krb, .sys.img, .cfg, and .sym files.
The default protocol is TFTP.
The default user for FTP: anonymous
The default mode for FTP: binary
If using FTP, and the user is not anonymous (using -u option), CLI prompts the user to enter password.
IMPORTANT! DO NOT USE THIS COMMAND FOR FILES LARGER THAN 32MB.
!
Syntax
copy <source> <destination> [-u user] [-m mode]
For TFTP:
copy <source> <destination>
For FTP:
copy <source> <destination> [ -u <ftp_user> ] [ -m <ftp_mode> ]
Parameters
source The source of the file. Possible values are:

• [protocol:]//<host_name or IP>/[file_name]. For example,
ftp://<ipAddress/path/[file_name]. If a filename is not supplied, the system will
prompt for one, in addition to a password.
• tftp
• ftp
• system
• .
• <filename, including path>
destination The destination of the file. Possible values are:

• tftp
• ftp
• system
• .
• /
• [protocol:]//<hostname or IP address>
ftp_user FTP username. Default is ftpuser.
mode FTP transfer mode, either ascii or binary. Default is binary.
protocol Either ‘ftp’ or ‘tftp’
Example
WS5000.(Cfg)> copy tftp system
Enter the file name to be copied from TFTP server : backup.sys.img
IP address of the TFTP server : 10.1.1.1
Copying 'backup.sys.img' from tftp://10.1.1.1 to Switch...
or
WS5000.(Cfg)> copy ftp://100.10.10.1/ftpimages/DefaultConfig.cfg system
Copying 'DefaultConfig.cfg' from ftp://100.10.10.1/ftpimages/ to Switch...
8.3.6 delete
System Context
Deletes the specified image or config file from the WS5000. Use the directory command to list the files that
can be deleted.
Note As a shortcut, “del” can be used instead of “delete”.
Syntax
delete <filename>
Parameters
filename Name of file to be deleted.
Example
WS5000> directory
Date & Time Bytes File Name
Jan 25 15:11 15155 WS5000Defaults_v2.1.0.0-008D.cfg

Jan 25 15:35 18819400 WS5000_v2.1.0.0-008D.sys.img
Jan 25 14:05 6517 cmd_template.sym
WS5000> delete WS5000Defaults_v2.1.0.0-008D.cfg

8.3.7 description
System Context
Sets a description about the switch displayed with system information.
Syntax
description <description_text>
Parameters
description_text Enter a brief description of the Wireless Switch.
Example
WS5000> description “Fifth Floor Switch”
8.3.8 directory
System Context
Lists the image and configuration files that are stored on the WS5000.
Note As a shortcut, “dir” can be used instead of “directory”.
Syntax
directory
Parameters
None.
Example
WS5000> directory
Jan 25 15:11 15155 WS5000Defaults_v2.1.0.0-008D.cfg

Jan 25 15:35 18819400 WS5000_v2.1.0.0-008D.sys.img
Jan 25 14:05 6517 cmd_template.sym
8.3.9 emergencymode
System Context
Syntax
emergencyMode <enable_flag>
Parameters
enable_flag Indicates whether to enable or disable the ESP. Possible values are:
• enable
• disable
Example
WS5000.<context_path> > emergencymode enable
8.3.10 export
System Context
Copy the log files from switch to remote TFTP server. Use logdir to view the list of user log files that can be
exported.
Syntax
WS5000 > export
Parameter
This command is interactive and asks for
destination Remote TFTP host

filename Log file name to be exported to the remote TFTP server
username Enter the user name which you mentioned at the time of logfile creation when
using diag command.The default user name is admin.
Example
WS5000> export
Enter the log file name :
8.3.11 history
System Context
Displays the history of the last 300 commands used.
Syntax
WS5000 > history
Parameters
None
Example
Command history...
1. copy ftp://157.235.188.237/home/pavank/dom/dominfo -u pavank -m bin
2. copy ftp://157.235.188.237/home/pavank/dom/dominfo system -u pavank -m bin
3. WS5000> copy ftp://157.235.188.237/home/pavank/dom/dominfo system -u pavank -m
bin
4. Enter the user password : ***********
5. Copying 'dominfo' from ftp://157.235.188.237 to Switch...
6. Data connection mode : BINARY (Connecting as 'pavank')
7. Status : 550 Failed to change directory.

8. clear
9. export
10. clear
11. export
12. export
13. clear
14. history
8.3.12 install
System Context
Configures the switch’s failover role as Primary or Standby, and applies all settings specified in the command
file (.sym). Alternatively, this command is used to update Kerberos principals from a specified Kerberos file
(.krb), without reset.
Syntax
install <install_option> [filename]
Parameters
install_option One of:

• primary – Configures the switch to act as Primary, and applies all settings specified
in the file <filename>. If the command file is not specified, install instead uses the
default “command.sym” file, if present. If “command.sym” is also not present,
install will not change anything.
• standby – Configures the switch to act as Standby, and applies all settings as
described for the primary parameter value.
• kerberos – Updates the Kerberos principals from the settings in the
< filename> file (.krb), without reset.
• runcli – Configures the switch with the commands in the CLI commands
filename Command (*.sym) or Kerberos (*.krb) file to use, which contains configuration settings.
The default .sym file is command.sym
Example
WS5000.(Cfg)> install primary cmd_template.sym
Begin command file processing...
Begin parsing command file for download and logging parameters...
Command file was parsed successfully.
Current Image Version is 2.1.0. FS patch will not be installed.
Begin processing image file...
Nothing to do. Skipping...
Begin processing config file...
Validating IP parameters...
ERROR: Hostname or IP has not been provided!
Cannot set switch to Primary.
ERROR: IP parameter validation failed.
WS5000.(Cfg)> install standby cmd_template.sym

Current Image Version is 2.1.0. FS patch will not be installed.
Begin processing image file...

Begin processing config file...
Validating IP parameters...
ERROR: Hostname or IP has not been provided!
Cannot set switch to Primary.
ERROR: IP parameter validation failed.
8.3.13 logdir
System Context
Lists all the user saved log files (history, syslog). For example capturing Packets on ethernet 1 and saving that
captured file can be listed by command logdir.It does not list image or config files.Use directory command to
list image/config files.
Syntax
WS5000 > logdir
or
WS5000 > logdir user <username>
Parameter
username The name of the user, whose logs are to be displayed
Example
WS5000.(Cfg)> ..
WS5000> service
SM-WS5000> capture packet ifname eth1 enable
Start Packet Capture....

sending ioctl to capture packet
SM-WS5000> cfg
SM-WS5000.(Cfg)> save packet examplepacketcapture
Saving captured packets....done
SM-WS5000.(Cfg)> logdir
File Name Bytes Date & time

========================================================
examplepacketcapture.pktbin 25835 Sun Feb 12 17:26:39 2006

8.3.14 name
System Context
Use the name command to change the system name.
Syntax
name <system_name>
Parameters
system_name The new name of the switch.
Example
WS5000> name MiamiWS5000
Configuring name...
Status : Success.
MiamiWS5000>
8.3.15 ping
System Context
Syntax
ping <host/ip_address>
OPTIONS:
ping [-Rdfnqrv] [-c count] [-i wait] [-l preload] [-p pattern][-s packetsize]
<host>
Parameters

addresses.
when finished.
host The name of the host to which the request packets are sent.
Example
WS5000> ping WS5000
PING WS5000 (10.1.1.101): 56 data bytes

4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.037/0.045/0.052 ms
WS5000>
8.3.16 remove
System Context
Removes specified log file.
Syntax
remove <filename> [username - optional]
Parameters
filename The name of the file that needs to be deleted

username The name of the user, from whose storage area, the log file is to be deleted
Example
WS5000.cfg>logdir

========================================================
Log1.history 7833 Thu Jan 19 04:36:16 2006
WS5000.(Cfg)> remove Log1.history
Removing file 'Log1.history'.... done.

8.3.17 restore
System Context
Restores the specified system image and/or configuration, and then resets (reboots) the system with the newly
restored image and/or configuration.
Syntax
restore <restore_option> <filename>
Parameters
restore_option The type of restore to be invoked. One of:

• system – Restores the system image and configuration from the specified file
• configuration – Restores the configuration from the specified file
• standby – Restores the standby configuration from the specified file
filename The system image or configuration file to be restored
Example
WS5000>restore config siteconfig.cfg
This command will reset the system and boot up with the new configuration.
Do you want to continue (yes/no) : y
Restoring configuration from siteconfig.cfg
Restoring Wireless Network Management Configuration ...
This may take a few mins ...
Restoring configuration from siteconfig.cfg
Software Ver. : 1.4.1.0-003D
Starting the Wireless Switch 5000 ...
Licensed to : Symbol
Configuring ethernet ports ...
Done.
Done.
No TFTP server is present.
Max Mobile Clients
Exiting auto install script...
Active Switch
Starting system database ...Wireless Switch Policy
Done.
Starting switch processes ...
8.3.18 rfping
System Context
This performs a ping to the specified access port, using WNMP, for a specified number of times.
Note This CLI is supported only for AP200 and AP300.
Syntax
rfping <mac address> [<count>]
Parameters
mac address The device MAC address of the Acess Port

Example
WS5000> rfping 00:A0:F8:00:00:26 10
Sending (10) WNMP Ping to 00:A0:F8:00:00:26

WnmpPing reply 1 received successfully
WS5000>
8.3.19 save
System Context
Saves the running system configuration to the specified file. Use directory to list the saved configuration files.
Syntax
save configuration <filename>
Parameters
filename The filename into which you want to save the running configuration. The .cfg extension
is automatically appended.
Example
WS5000> save configuration qwerty-config-14-dec
Saving running configuration in: qwerty-config-14-dec.cfg

WS5000> directory
Dec 11 02:36 60432 WS5000Defaults_v2.1.0.0-010B.cfg

Dec 4 03:04 6453 cmd_template.sym
Dec 14 14:34 61525 qwerty-config-14-dec.cfg
Dec 14 14:34 72256 qwerty-config-14-dec.cfg.txt
8.3.20 service
System Context
Places the user in a Service Mode (for which a password is required). This is a command line mode used mostly
by Symbol technicians.
For more details on working within Service Mode, refer to the WS5000 Series Switch Troubleshooting Guide.
8.4 show commands

System Context
Configuration (Cfg) Context
Show the settings for the specified system component. There are a number of ways to invoke the show
command:
• Invoked without any arguments, show displays information about the current context. If the current
context contains instances, then show command (usually) displays a list of these instances.
In the case of the System/Configuration context, show displays all the possible show command
variations. Use show system command to show system information.
• Invoked with the display_parameter, it displays information about that component.
Syntax
show [ display_parameter ]
Example
WS5000.(Cfg)> show wlan
WS5000 > show system
Parameters
Table 8.4 lists and describes the display_parameters in the show command.
Table 8.4 show command’s display_parameter Summary
Display_parameter Description Context Example
show aaa-server Displays AAA information system / cfg page 8-25
show accessports Displays details of all access ports or available system / cfg page 8-25
access ports
show acl Display ACL Information system / cfg page 8-26
show allconfig Displays all configurations on the switch system page 8-26
show appolicy Displays Access Port Policy system / cfg page 8-26
show arp Display arp cache cfg page 8-26
show autoinstalllog Displays autoinstall log system / cfg page 8-26
show ce Displays Classifiers system / cfg page 8-27
show cfghistory Displays configuration change history system / cfg page 8-27
show cg Displays Classification Group system / cfg page 8-28
show channelinfo Displays channel no and country code details system / cfg page 8-28
show chassis Displays Chassis details system / cfg page 8-31
show configaccess Displays configured system access restrictions system / cfg page 8-32
show ethernet Displays Ethernet Port details system / cfg page 8-32
show etherpolicy Displays EtherPolicy details system / cfg page 8-32


show events Show Syslog event details system / cfg page 8-32
show ftp Displays FTP status system / cfg page 8-34
show history Dispay previously executed CLI commands cfg page 8-34
show host Displays the Hosts defined in the system system / cfg page 8-34
show https Displays the Applet access type (http/https). system / cfg page 8-34
show interfaces Displays interface details system / cfg page 8-34
show kdc Displays KDC details system / cfg page 8-35
show knownap Displays known APs in the neighborhood. system / cfg page 8-35
show lan Displays LAN details system / cfg page 8-35
show mu Displays MU details (list) system / cfg page 8-35
show musummary Display MU summary cfg page 8-36
show np Displays Network Policy information system / cfg page 8-36
show po Displays Policy Object information system / cfg page 8-36
show radius-server Displays Radius information for authenticating system / cfg page 8-36
management users logins (to manage the WS5000
switch)
show rfstats Display RF statistics for specific AP cfg page 8-37
show rfthreshold Display RF Stats Threshold Values for SNMP traps cfg page 8-37
show rougeap Display Rouge AP configuration cfg page 8-38
show routes Displays configured routes system / cfg page 8-38
show securitypolicy Displays security policy details system / cfg page 8-38
show sensor Display Sensor Details system / cfg page 8-38
show snmpclients Displays the SNMP Client/community details system / cfg page 8-39
show snmpstatus Displays SNMP status system / cfg page 8-39
show ssh Displays SSH configuration system / cfg page 8-39
show standby Displays Standby configuration system / cfg page 8-39
show switchpolicy Displays Switch Policy system / cfg page 8-40
show sysalerts Displays system alert logs (events) system / cfg page 8-40
show syslog Displays Syslog details system / cfg page 8-40
show system Displays system information system / cfg page 8-40
show telnet Displays Telnet status system / cfg page 8-41


show time Displays date and time information system / cfg page 8-41
show traphosts Displays the SNMP trap-host details system / cfg page 8-41
show tunnels Displays the configured GRE on the system system / cfg page 8-41
show users Displays user information system / cfg page 8-42
show version Displays the system version details system / cfg page 8-42
show vlan Displays VLAN details system / cfg page 8-42
show vpnsupportstatus Displays vpn support status system / cfg page 8-42
show wlan Displays WLAN details system / cfg page 8-42
show wme Displays WME Profile details system / cfg page 8-43
show WSrfstats Display RF statistics for Wireless Switch (WS) cfg page 8-43
show wtls Display WTLS general settings cfg page 8-43
show wvpn Display WVPN general settings cfg page 8-43
8.4.1 show aaa-server

WS5000.(Cfg)> show aaa-server
AAA database update status:

-----------------------------
AAA Server StatusActive
Database Type local
8.4.2 show accessports

WS5000> show accessports

------------ --------- ---------- ---- ------
1 00:A0:F8:A2:26:66 [B] 00:A0:F8:A2:26:66 00:A0:F8:A2:26:66 B Active
2 00:A0:F8:BC:E8:37 [A] 00:A0:F8:BC:D3:F0 00:A0:F8:BC:E8:37 A Reset
3 00:A0:F8:BC:E8:37 [G] 00:A0:F8:BF:95:B4 00:A0:F8:BC:E8:37 G Reset
4 00:A0:F8:BC:E3:48 [G] 00:A0:F8:BC:B4:0C 00:A0:F8:BC:E3:48 G Unavailable
5 00:A0:F8:BC:E3:48 [A] 00:A0:F8:BC:A6:10 00:A0:F8:BC:E3:48 A Unavailable
6 00:A0:F8:00:00:26 [G] 00:A0:F8:BF:EF:30 00:A0:F8:00:00:26 G Active
7 00:A0:F8:00:00:26 [A] 00:A0:F8:BF:EE:54 00:A0:F8:00:00:26 A Active
8 00:A0:F8:BC:E3:47 [G] 00:A0:F8:BC:B4:40 00:A0:F8:BC:E3:47 G Unavailable
9 00:A0:F8:BC:E3:47 [A] 00:A0:F8:BC:A5:F8 00:A0:F8:BC:E3:47 A Unavailable
10 00:A0:F8:60:C6:64 [B] 00:A0:F8:60:C9:80 00:A0:F8:60:C6:64 B Unavailable
11 00:A0:F8:60:C6:64 [A] 00:A0:F8:60:BE:E6 00:A0:F8:60:C6:64 A Unavailable
show accessports available

WS5000> show accessports available

------------ --------- ---------- ---- ------
1 00:A0:F8:A2:26:66 [B] 00:A0:F8:A2:26:66 00:A0:F8:A2:26:66 B Active
2 00:A0:F8:BC:E8:37 [A] 00:A0:F8:BC:D3:F0 00:A0:F8:BC:E8:37 A Reset
3 00:A0:F8:BC:E8:37 [G] 00:A0:F8:BF:95:B4 00:A0:F8:BC:E8:37 G Reset
4 00:A0:F8:00:00:26 [G] 00:A0:F8:BF:EF:30 00:A0:F8:00:00:26 G Active
5 00:A0:F8:00:00:26 [A] 00:A0:F8:BF:EE:54 00:A0:F8:00:00:26 A Active
8.4.3 show acl

WS5000> show acl
Available ACLs:
1. New ACL.
8.4.4 show allconfig

WS5000> show allconfig
<displays all the configurations here>
8.4.5 show appolicy

WS5000> show appolicy

8.4.6 show arp

WS5000. (Cfg)> show arp
ARP Information:
(10.15.10.246) at 00:00:0C:07:AC:01 [ether] on psdT

wswksinba00100r.corp.internal.symbol.com (111.222.200.007) at 00:11:25:89:19:34
[ether] on psdT
8.4.7 show autoinstalllog

WS5000.(Cfg)> show autoinstalllog
Autoinstall log
Symbol Wireless Switch WS 5000 Series.
Please enter your username and password to access the Command Line Interface.
userid:
password:
Retrieving user and system information...

Setting user permissions flags..
Checking KDC access permissions...
Welcome...
System Name : primarynew
Switch Location :
Software Ver. : 2.1.0.0-012B
Copyright : Copyright (c) 2000-2005. All rights reserved.
Serial Number : 00A0F865B4E4

Active Switch Policy : WSP
8.4.8 show ce
WS5000> show ce
Classifier information...
Available Classifiers (CE):
1. Ex HTTP Traffic.
2. Ex Telnet Traffic.
3. RTP_Data.
4. Spectra_Link_Phone.
5. VoIP_Call_Setup_In.
6. VoIP_Call_Setup_Out.
7. VoIP_Ext_Services_Out.
8. VoIP_Ext_Services_In.
9. VoIP_RAS_In.
10. VoIP_RAS_Out.
11. New HTTP Traffic Classifier.
8.4.9 show cfghistory

WS5000.(Cfg)> show cfghistory
Last Configuration Change

--------------------------
wlans.[Private Access].essid changed to 7072697661746531, at Fri Sep 16
11:33:45 2005.
Note To view the config change history, enable snmptrap for “Switch configuration
changed “under Events context.
WS5000.(Cfg)> show cfghistory all
Last Configuration Change

--------------------------
1. cc.configchange changed to true, at Thu Sep 15 14:55:31 2005.
2. cc.snmpip changed to add rw 1.4.1.16 refe 161, at Thu Sep 15 14:56:41 2005.
3. cc.snmpip changed to add rw 138.200.200.11 symbol 161, at Fri Sep 16 11:32:32

2005.
4. wlans.[Private Access].essid changed to 7072697661746531, at Fri Sep 16
11:33:45 2005.
Note To view the config change history you have to enable snmptrap for “Switch
configuration changed “under Events context.
Note show cfghistory all displays — recent configuration changes upto a

maximum of 20 changes.
8.4.10 show cg
WS5000> show cg
Classification Group information...
Available Classification Groups:
1. NetVision_VoIP_In.
2. NetVision_VoIP_Out.
3. New Classification Group.
8.4.11 show channelinfo

WS5000.(Cfg)> show channelinfo
Country Name Code RF Channels (A, B, G and FH)

------------ ---- ----------------------------
Argentina AR B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
A Ch: 149,153,157,161,165
Australia AU B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,149,153,157,161,1
65
Austria AT B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Bahrain BH B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Belarus BL B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Belgium BE B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 36,40,44,48,52,56,60,64
Brazil BR B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
A Ch: 149,153,157,161,165
Bulgaria BG B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Canada CA B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,149,153,157,161,1
65
Chile CL B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
A Ch: 149,153,157,161,165
China CN B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 149,153,157,161,165
Columbia CO B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
A Ch: 149,153,157,161,165
Costa Rica CR B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
A Ch:
Croatia HR B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Cyprus CY B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Czech Republic CZ B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 36,40,44,48,52,56,60,64
Denmark DK B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Ecuador EC B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
A Ch: 149,153,157,161,165
Egypt EG B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Estonia EE B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Finland FI B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
France FR B Ch: 1-13 G Ch: 1-13 FH Ch: 48-82
A Ch: 36,40,44,48,52,56,60,64
Germany DE B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Greece GR B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 36,40,44,48,52,56,60,64
Guatemala GT B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
A Ch:
Hong Kong HK B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,149,153,157,161,1
65
Hungary HU B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 36,40,44,48,52,56,60,64
Iceland IS B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
India IN B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Indonesia ID B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Ireland IE B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Israel IL B Ch: 5-8 G Ch: 5-8 FH Ch: 20-54
A Ch:
Italy IT B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 36,40,44,48,52,56,60,64
Japan JP B Ch: 1-14 G Ch: 1-14 FH Ch: 73-95
A Ch: 34,38,42,46
Jordan JO B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Kazakhstan KZ B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Kuwait KW B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Latvia LV B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80

A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Liechtenstein LI B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 36,40,44,48,52,56,60,64
Lithuania LT B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Luxembourgh LU B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Malaysia MY B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 52,56,60,64,149,153,157,161,165
Malta MT B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Mexico MX B Ch: 11-13 G Ch: 11-13 FH Ch: 52-80
A Ch: 149,153,157,161,165
Morocco MA B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 36,40,44,48
Netherlands NL B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
New Zealand NZ B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Norway NO B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Oman OM B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Panama PA B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
A Ch:
Peru PE B Ch: 1-13 G Ch: 1-13 FH Ch: 0-0
A Ch: 149,153,157,161,165
Philippines PH B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Poland PL B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Portugal PT B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Qatar QA B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Romania RO B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Russian Federation RU B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 36,40,44,48,52,56,60,64
Saudi Arabia SA B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,149,153,157,161
Singapore SG B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,149,153,157,161
Slovak Republic SK B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 36,40,44,48,52,56,60,64
Slovenia SI B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 36,40,44,48,52,56,60,64
South Africa ZA B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
South Korea KR B Ch: 1-13 G Ch: 1-13 FH Ch: 54-76
A Ch:
Spain ES B Ch: 1-13 G Ch: 1-13 FH Ch: 47-73
A Ch: 36,40,44,48,52,56,60,64
Sri Lanka LK B Ch: 1-2 G Ch: 1-2 FH Ch: 2-80
A Ch:
Sweden SE B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
Switzerland CH B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 36,40,44,48,52,56,60,64
Taiwan TW B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
52,56,60,64,100,104,108,112,116,120,124,1
28,132,136,140,149,153,157,161
Thailand TH B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Turkey TR B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch: 36,40,44,48,52,56,60,64
UAE AE B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Ukraine UA B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
United Kingdom GB B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,100,104,108,112,1
16,120,124,128,132,136,140
United States US B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
A Ch:
36,40,44,48,52,56,60,64,149,153,157,161,1
65
Uruguay UY B Ch: 1-13 G Ch: 1-13 FH Ch: 2-80
A Ch:
Venezuela VE B Ch: 1-11 G Ch: 1-11 FH Ch: 2-80
A Ch: 149,153,157,161,165
Vietnam VN B Ch: 1-12 G Ch: 1-12 FH Ch: 2-80
A Ch:
WS5000.(Cfg)>
8.4.12 show chassis

WS5000.(Cfg)> show chassis
Description Curr Value Max Value Min Value Notify Value

----------- ---------- --------- --------- ------------
CPU Temperature 24 C 32 C 24 C 0 C
System Temperature 29 C 30 C 29 C 0 C
System Fan (rpm) OFF - - None
CPU Fan (rpm) 16071 16463 16071 None
System Fan 2 (rpm) OFF - - None
8.4.13 show configaccess

WS5000> show configaccess
Configuration Access restriction details:

Telnet access (CLI) : Disable.
System access via SNMP : Enable.
KDC configuration over remote console : Enable.
KDC configuration through SNMP : Enable.
8.4.14 show ethernet

WS5000> show ethernet
Available EtherPorts are:

Ethernet 1
Ethernet 2
8.4.15 show etherpolicy

WS5000> show etherpolicy
Available EtherPolicies are:

1. Default Ethernet Policy.
2. New Ethernet Port Policy.
3. eth1.
8.4.16 show events

WS5000.(Cfg)> events
Num Events Local Log SNMP Trap Syslog Severity

--- ------ --------- --------- ---------------
1 License number change Enabled Disabled Disabled
2 Clock change Enabled Disabled Disabled
3 Packet discard [wrong NIC] Enabled Disabled Disabled
4 Packet discard [wrong VLAN] Enabled Disabled Disabled
5 AP adopt failure [general] Enabled Enabled Disabled
6 AP adopt failure [policy disallow] Enabled Enabled Disabled
7 AP adopt failure [acl disallow] Enabled Enabled Disabled
8 AP adopt failure [limit exceeded] Enabled Enabled Disabled
9 AP adopt failure [license disallow] Enabled Enabled Disabled
10 AP adopt failure [no image] Enabled Enabled Disabled
11 AP status [offline] Enabled Enabled Disabled
12 AP status [alert] Enabled Enabled Disabled
13 AP status [adopted] Enabled Enabled Disabled
14 AP status [reset] Enabled Enabled Disabled
15 AP config failed [no ESS] Enabled Enabled Disabled
16 AP max MU count reached Enabled Enabled Disabled
17 AP detected Enabled Disabled Disabled
18 Device msg dropped [info] Enabled Enabled Disabled
19 Device msg dropped [loadme] Enabled Enabled Disabled
20 Ether port connected Enabled Enabled Disabled
21 Ether port disconnected Enabled Enabled Disabled
22 MU assoc failed [ACL violation] Enabled Enabled Disabled
23 MU assoc failed Enabled Enabled Disabled
24 MU status [associated] Enabled Enabled Disabled
25 MU status [roamed] Enabled Enabled Disabled
26 MU status [disassociated] Enabled Enabled Disabled

27 MU EAP auth failed Enabled Enabled Disabled
28 MU EAP auth success Enabled Enabled Disabled
29 MU Kerberos auth failed Enabled Enabled Disabled
30 MU Kerberos auth success Enabled Enabled Disabled
31 MU TKIP [decrypt failure] Enabled Enabled Disabled
32 MU TKIP [replay failure] Enabled Enabled Disabled
33 MU TKIP [MIC error] Enabled Enabled Disabled
34 WLAN auth success Enabled Disabled Disabled
35 WLAN auth failed Enabled Enabled Disabled
36 WLAN max MU count reached Enabled Enabled Disabled
37 Mgt user auth failed [radius] Disabled Disabled Disabled
38 Mgt user auth rejected Disabled Disabled Disabled
39 Mgt user auth success [radius] Enabled Disabled Disabled
40 Radius server timeout Enabled Enabled Disabled
41 KDC user [added] Enabled Disabled Disabled
42 KDC user [changed] Enabled Disabled Disabled
43 KDC user [deleted] Enabled Disabled Disabled
44 KDC DB replaced Enabled Enabled Disabled
45 KDC propagation failure Enabled Enabled Disabled
46 WPA counter-measures [active] Enabled Enabled Disabled
47 Primary lost heartbeat Enabled Disabled Disabled
48 Standby active Enabled Enabled Disabled
49 Primary internal failure [reset] Enabled Disabled Disabled
50 Standby internal failure [reset] Enabled Disabled Disabled
51 Standby auto-revert Enabled Enabled Disabled
52 Primary auto-revert Enabled Enabled Disabled
53 Auto channel select error Enabled Enabled Disabled
54 Emergency Policy [active] Enabled Enabled Disabled
55 Emergency Policy [deactivated] Enabled Enabled Disabled
56 Low flash space on switch Enabled Enabled Disabled
57 Miscellaneous debug events Disabled Disabled Disabled
58 HSB Starts Up Enabled Disabled Disabled
59 HSB Peer Connect Enabled Disabled Disabled
60 CPU/SYS Temp Notification Enabled Enabled Disabled
61 Access Changed Notification Enabled Disabled Disabled
62 Radio power is reduced [TPC] Enabled Disabled Disabled
63 Radar is detected [DFS] Enabled Disabled Disabled
64 Channel selected to avoid radar [DFS] Enabled Disabled Disabled
65 Switch to new channel [DFS] Enabled Disabled Disabled
66 Revert back to original channel [DFS] Enabled Disabled Disabled
67 Radio is suspended Enabled Disabled Disabled
68 Radio is resumed Enabled Disabled Disabled
69 Radio is moved to random channel Enabled Disabled Disabled
70 A new rogue AP is detected Enabled Disabled Disabled
71 A new approved AP is detected Enabled Disabled Disabled
72 WVPN certificate anomalies Enabled Disabled Disabled
73 WVPN Config/connection changes Enabled Disabled Disabled
74 RADIUS Accounting Log Disabled Disabled Disabled
75 RADIUS Server Status Enabled Disabled Disabled
76 Switch configuration changed Disabled Disabled Disabled
77 Tunnel Status change Enabled Disabled Disabled
78 NON IP packet received on Tunnel Enabled Disabled Disabled
79 RF Stats threshold crossed by a AP Enabled Disabled Disabled
80 RF Stats threshold crossed by a MU Enabled Disabled Disabled
81 RF Stats threshold crossed by a WLAN Enabled Disabled Disabled
82 RF Stats threshold crossed by Switch Enabled Disabled Disabled
83 AP is converted to sensor Enabled Disabled Disabled
84 Sensor is reverted back to AP Enabled Disabled Disabled
85 Failed to communicate to a sensor Enabled Disabled Disabled
86 Sensor is no longer responding to ping Enabled Disabled Disabled
WS5000.(Cfg).Event>
8.4.17 show ftp

WS5000> show ftp
FTP Status: Active.
8.4.18 show history

WS5000. (Cfg)> show history
Displaying last <300> executed commands...
Command Name Command Context Date & Time
================================================================
show history (Cfg) Wed Dec 14 02:25:12 2005
show sensor (Cfg) Wed Dec 14 02:14:58 2005
show arp (Cfg) Wed Dec 14 02:12:23 2005
show history (Cfg) Wed Dec 14 02:11:04 2005
clear (Cfg) Wed Dec 14 02:11:00 2005
cfg WS5000 Wed Dec 14 02:10:58 2005
8.4.19 show host

You need to first add a syslog host in the WS5000.(Cfg).Event.Syslog context. Show host displays the
syslog host added in the Events context, as mentoned above.
WS5000> show host
Host Name IP Address Domain

--------- ---------- ------
1 syslogHost 192.192.4.111 symbol.com
WS5000>
8.4.20 show https

WS5000> show https
Web based configuration (Applet) access by : https
8.4.21 show interfaces

WS5000> show interfaces
Interface information

------------ --------- ---------- ---- ------
00:A0:F8:A2:91:7C [B] 00:A0:F8:A2:91:7C 00:A0:F8:A2:91:7C B Active
00:A0:F8:5D:B9:0C [A] 00:A0:F8:60:BC:3D 00:A0:F8:5D:B9:0C A Active
00:A0:F8:6E:4A:7A [G] 00:A0:F8:6E:55:30 00:A0:F8:6E:4A:7A G Unavailable
00:A0:F8:6E:4A:7A [A] 00:A0:F8:6E:4C:60 00:A0:F8:6E:4A:7A A Unavailable
00:A0:F8:BB:B3:6D [G] 00:A0:F8:BB:F6:E8 00:A0:F8:BB:B3:6D G Unavailable
00:A0:F8:BB:B3:6D [A] 00:A0:F8:BB:C7:6C 00:A0:F8:BB:B3:6D A Unavailable

Ethernet 1
Ethernet 2
8.4.22 show kdc

WS5000> show kdc
The system is configured as MASTER KDC.

Kerberos Realm : realm1
Interface : ethernet1
User count (Active + deleted) : 0
Active users (MUs and WLANs) : 0
Slave KDCsIP AddressDomain
--------------------------
No entry available.
List of all active KDC users (MUs & WLANs): No active Users available.
8.4.23 show knownap

WS5000> show knownap
Number of Access Points known to the Switch : 5
8.4.24 show lan

WS5000.(Cfg)> show lan LAN1
LAN information:
LAN details...
Name : LAN1
Description : Public LAN
ep : 1
np :
allow : https http telnet ftp
deny :
NAT list:
8.4.25 show mu
WS5000.(Cfg)> show mu
# of MUs: 1
MU : MU_0 ESSID: kris
Type MAC Address IP Address WLAN

---- ----------- ---------- ----
Data 00:0F:3D:E9:A6:6A 157.235.208.93 Symbol Default
RF Status Auth.Status Auth.Method Enc.Method Broadcast Enc.Method

--------- ----------- ----------- ---------- --------------------
Associated Authenticated Open Open Open
Access Port Interface RSSI Cur.Rate Supported Rates

----------- --------- ---- -------- ---------------
00:A0:F8:5A:B3:1B [B] RF 28 11 Mbps 1,2,5.5,11 Mbps
Power Mode VLAN Uptime Time left Last Activity Session Username
---------- ---- ------ --------- ------------- ----------------
CAM Mode NA 2267 sec 0 sec 21 sec NA
Statistics Transmitted Received
---------- ----------- --------
Packets : 34 2545
Bytes : 4578 600
WS5000.(Cfg)>
8.4.26 show musummary

WS5000.(Cfg)> show musummary
# of MUs: 1
# MU-MAC-Address MU-IP AP-NAME ESSID
1 00:0F:3D:E9:A6:6A 157.235.208.93 00:A0:F8:5A:B3:1B [B] kris
Associated(2327 sec.), Last Activity=21 sec., SNR=0 dB, #Roams=33
8.4.27 show np
WS5000> show np
Network Policy information
Available Network Policies:

1. Default Network Policy.
2. NetVision_VoIP_Priority.
3. New Network Policy.
8.4.28 show po
WS5000> show po
Policy Object information......
Available Policies (PO):

1. NetVision Priority for RF.
2. NetVision Packet Marking for Ethernet.
3. New Input Policy.
4. New Output Policy.
8.4.29 show radius-server

S5000.(Cfg)> show radius-server
RADIUS authentication status:

-----------------------------
Network users (Web, Telnet, etc.) : Disable
Local users (via serial port) : Disable
Authenticate locally if RADIUS server refuses access : Disable
Server Host Name/IP Port Retry Timeout

------ ------------ ---- ----- -------
Primary Not defined 1812 3 5
Secondary Not defined 1812 3 5
8.4.30 show rfstats

WS5000.(Cfg)> show rfstats
Must provide AP index or AP name
Syntax:show rfstats <radioname|radioindex> {<radioname>|<radioindex>}
where:
<radioname|radioindex> {<radioname>|<radioindex>} : adopted Radioname
or Radioindex.
Example:
show rfstats radioindex 1
8.4.31 show rfthreshold

WS5000.(Cfg)> show rfthreshold
Enter the Type.

Displays Threshold Values for RF Stats Traps
Syntax: show rfthreshold < ap|mu|switch > [CR]
WS5000.(Cfg)> show rfthreshold ap
Ap Threshold details :
Status : disabled
Min Packets for RF Traps : Not Set
Packets Per Second : Not Set
Throughput in Mbps : Not Set
Average Bit Speed in Mbps : Not Set
Percent of NUCast Packets : Not Set
Average Signal in Dbm : Not Set
Average Retries : Not Set
Percent of Dropped Packets : Not Set
Percent of Undecryp Packets : Not Set
Number of Associated MUs : Not Set
WS5000.(Cfg)> show rfthreshold mu
Mu Threshold details :
Status : disabled
WS5000.(Cfg)> show rfthreshold switch
Switch Threshold details :

Status : disabled
Associated MUs : Not Set
8.4.32 show rogueap

WS5000.(Cfg)> show rogueap
RogueAP configuration details:

------------------------------
RogueAP Status : disable
MU Scan Status : disable
AP Scan Status : disable
Detector Scan Status : disable
MU Scan Interval(min.) : 0
AP Scan Interval(min.) : 0
Detector Scan Interval(min.) : 0
8.4.33 show routes

WS5000.(Cfg)> show routes
Route Management:
Kernel IP routing table

Destination Gateway Genmask Flags
157.235.208.0 0.0.0.0 255.255.255.0 U
10.1.1.0 0.0.0.0 255.255.255.0 U
0.0.0.0 157.235.208.246 0.0.0.0 UG
8.4.34 show securitypolicy

WS5000> show securitypolicy
Available Security Policies:

1. Kerberos Default.
2. Default.
3. WEP40 Default.
4. WEP128 Default.
5. New WEP Security Policy.
8.4.35 show sensor

WS5000. (Cfg)> show sensor
Sensor functionality:Enabled
AP300’s
-------
00:A0:F8:00:00:26
00:A0:F8:BF:8A:9F
Sensor AP’s
-----------
WS5000.(Cfg).sensor>
8.4.36 show snmpclients

WS5000.(Cfg)> show snmpclients
State Port IP Address Community Name

----- ---- ---------- --------------
1. Read/Write 161 157.236.208.70 symbol
WS5000.(Cfg)>
8.4.37 show snmpstatus

WS5000> show snmpstatus
SNMP details:
-------------
SNMP (deamon) Status : Enabled
SNMP Traps : Disabled
8.4.38 show ssh

WS5000> show ssh
SSH configurations details:

---------------------------
SSH Status : Enabled
Version : V2
Port : 22
Session inactivity timeout : 0 (Disabled)
8.4.39 show standby

WS5000> show standby
Standby Management:
StandBy mode : Primary

Standby Status : Disable
State : Startup
Failover Reason :
Standby Connectivity status : Not Connected
Standby AutoRevert Mode : Disable
Standby AutoRevert Delay : 15 Minutes
Interface (Ethernet) 1
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Enable
Received Heart-Beat : No
----------------------
Heart-Beat status : Disable
8.4.40 show switchpolicy

WS5000> show switchpolicy

8.4.41 show sysalerts

WS5000.(Cfg)> show sysalerts
Generating the log file....
Reading the log file.....

[01/11/2006][12:23:00] Access Port (00:A0:F8:CD:C9:4A [B]) with MAC address "00.
[01/11/2006][12:22:57] Access Port (00:A0:F8:CD:C9:4A [A]) with MAC address "00.
[01/11/2006][12:21:18] Mobile Unit (00:0F:3D:E9:A6:6A) was associated to Access.
[01/11/2006][12:21:04] Access Port (00:A0:F8:00:00:26 [A]) with MAC address "00.
[01/11/2006][12:21:04] Access Port (00:A0:F8:00:00:26 [G]) with MAC address "00.
[01/11/2006][12:20:33] ACS success. Setting Radio 00:A0:F8:B5:7C:A4 to channel .
[01/11/2006][12:20:31] ACS success. Setting Radio 00:A0:F8:B5:3B:39 to channel .
[01/11/2006][12:20:25] Adopted an Access Port "00:A0:F8:CD:C9:4A".
8.4.42 show syslog

WS5000.(Cfg)> show syslog
Remote Syslog Status: Disable (Syslog Deamon is not running).
Local Syslog Status: (Local Syslog Disabled).
Host emerg alert crit err warning notice info debug

---- ----- ----- ---- --- ------- ------ ---- -----
sys x x x x x x x x
8.4.43 show system

WS5000.(Cfg)> show system

Switch Location :

Serial Number : 00A0F853C13D
Active Switch Policy : Default Wireless Switch Policy
Unassigned Access Ports :
1. 00:A0:F8:00:00:26 [G].
WS5000.(Cfg)>
8.4.44 show telnet

WS5000> show telnet
Telnet Status : Disabled.

8.4.45 show time

WS5000> show time
System clock: 05:29:46 AM

Date : Wed Feb 9 2005
Time Zone :
(GMT -08:00) Pacific Time (US & Canada); Tijuana
8.4.46 show traphosts

WS5000.(Cfg)> show traphosts
CommunityName Port Version IP Address

------------- ---- ------- ----------
1. symbol 162 v1 157.235.208.70
8.4.47 show tunnel

WS5000.(Cfg)> show tunnel
Tunnel details...
Tunnel Name Remote IP Address

----------- -----------------
1. tunnel1 11.1.11.11
2. tunnel2 none
3. tunnel3 none
4. tunnel4 none
8.4.48 show users

WS5000> show users
Available Users:
1. admin.
8.4.49 show version

WS5000.(Cfg)> show version
Version details:
---------------
Hardware Version : CC-5000
Firmware Version : 2.2(date 07/09/02)
Software Version : 2.1.0.0-012B
Release date : Fri Jan 6 16:39:44 IST 2006
CLI Version : 08a
MIB Version : v24b07
XML Version : 08a
WS5000.(Cfg)>
8.4.50 show vlan

WS5000> show vlan
ID Interface Priority # of WLANs Ethernet Policy

-- --------- -------- ---------- ---------------
LAN 1 Ethernet 1 0 1 eth1
LAN 2 Ethernet 2 0 0 eth1
8.4.51 show vpnsupportstatus

WS5000.(Cfg)> show vpnsupportstatus
VPN Support details:

-------------
VPN Support Status : Disabled
VPN Server Serial Number Status Query :
Serial number 151-34-13-254-68
8.4.52 show wlan

WS5000> show wlan
WLAN Name ESSID Security Policy

--------- ----- ---------------
Symbol Default 101 Default
Secure Access secure Kerberos Default
Private Access private WEP128 Default
Public Access public Default
8.4.53 show wme

WS5000.(Cfg)> show wme
WME Profile Name

----------------
1. Default MU WME Profile
2. Default AP WME Profile
3. new
8.4.54 show WSrfstats

WS5000.(Cfg)> show wsrfstats
Displaying RF Statistics for Wireless Switch
AP Status Gather- AP MUs Tx Rx Tx Avg Avg

MAC Stats Uptime PPS PPS Retry RSSI SNR
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
00:A0:F8:5A:B3:1B Active Disable - - - - -
=================================================================================
Total for WS: 0 0 0 0 0 0
WS5000.(Cfg)>
8.4.55 show wtls

WS5000.(Cfg)> show wtls
WTLS Settings:
Server number: : 1
Security mode: : defaultSecurity
Wanted FIPS mode: : Unavailable
Cipher: : AES128
MAC: : SHA_160
Minimum client RSA key size: : 1024 bits
Maximum client RSA key size: : 4096 bits
Minimum RSA key size: : 1024 bits
Maximum RSA key size: : 4096 bits
Handshake timeout: : 0h 1m( 90 secs)
Require client certificates: : false
Key refresh: : 256 packets
8.4.56 show wvpn

WS5000.(Cfg)> show wvpn
WVPN Management:
WVPN available : true
WVPN Status : Stopped
WVPN Server Address : 10.1.1.101 / 157.235.208.167
WVPN Server Port : 9102
WVPN Unused session timeout : 48h 0m (172800 secs)
WVPN Debug level : Debug Info Disabled
WVPN DOS Support : no
WVPN DOS Port : 9103
WVPN Client keep alive : 10 seconds
WVPN Maximum VPN Licenses : 50

WVPN Currently In-Use VPN Licenses : 0
WVPN License Type : Evaluation version,Total eval days
30,Eval days left 30
8.5 Configuration (Cfg) Context

The Configuration context is where detailed configurations for the switch and network can be accessed, as
well as configured. Also, in order to get to any uniquely defined policies for the switch, you must first access
the Configuration context.
Within the command prompt, the Configuration context is indicated by “Cfg”. For example:
WS5000.(Cfg)>
Table 8.5 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands section.
Table 8.5 Configuration Context Commands
.. or end Go back to the previous context page 8-47
exit Go back to root context. page 8-47
aaa Configure AAA setting. page 8-48
accessport Configure an Access Port. page 8-49
acl Configure ACL for the system. page 8-49
appolicy Configure an Access Port policy. page 8-50
banner Configure banner for the system. page 8-50
ce Configure a Classifier. page 8-50
cg Configure a Classification Group. page 8-51
chassis Configure Chassis settings. page 8-51
copy Copy files between the Switch and TFTP/FTP server. page 8-52
date Set or display system time and/or date. page 8-53
delete Delete an image files from the memory. page 8-54
description Set description text. page 8-55
directory Display the available image files in memory. page 8-55
encrypt Encrypt the password to be used in auto-install. page 8-56
ethernet Configure Ethernet Port. page 8-56
etherpolicy Configure an EtherPolicy. page 8-57
events Configure Event properties. page 8-57
export Exports log files from the Switch to TFTP server. page 8-59
Table 8.5 Configuration Context Commands (Continued)

ftp Configure system FTP settings. page 8-59
fw Configure Firewall for the system. page 8-60
host Configure Host properties. page 8-60
install Install primary/standby or Kerberos config. page 8-61
kdc Configure KDC server. page 8-61
logdir Display the user saved log files. page 8-62
name Set or change the name. page 8-62
np Configure a Network Policy. page 8-63
ping Ping a network host/IP address. page 8-63
po Configure a Policy Object. page 8-65
purge It clears the specified contents from memory only. It does not delete page 8-65
any files. Use logdir to view user log files and remove to delete user
log files.
radius Display the Radius authentication status on the switch. page 8-66
remove Remove a log file shown by ‘logdir’ command. page 8-66
reset Reset Switch. page 8-67
restore Restore system image or configuration. page 8-67
rougeap Configure RogueAP Detection feature for the system. page 8-68
route Configure system Route settings. page 8-68
runacs Run Automatic Channel Scan (ACS) on all adopted Access Ports. page 8-69
save Save the running system configuration to a file. page 8-69
securitypolicy Configure Security Policy for the system. page 8-69
sensor Configure the Sensors setting, including default sensor settings. page 8-70
set Displays the config specific set commands/parameters. page 8-70
show Display context specific attributes. page 8-81
shutdown Shutdown the switch. page 8-81
snmp Configure SNMP parameters. page 8-82
ssh Configure SSH settings. page 8-82
ssl Configure SSL settings. page 8-83
standby Configure system standby (failover) settings. page 8-83
switchpolicy Configure switch policy. page 8-84

Table 8.5 Configuration Context Commands (Continued)

telnet Configure system telnet settings. page 8-84
tunnel Configuring and mapping GRE to WLAN. page 8-85
user Configure user information. page 8-85
wlan Configure WLAN for the system. page 8-85
wme Configure WME setting. page 8-86
wvpn Configure system WVPN settings. page 8-86
8.5.1 .. or end
Terminates the context or instance session, and changes the command prompt to move up by one context.
Syntax
..
or
end
or
exit
Parameters
None.
Example
WS5000.(Cfg).NP> ..
WS5000.(Cfg)> end
WS5000>
8.5.2 exit
Terminates the context session, and returns the prompt to the root.
For example, if you use the exit command in the ACL context, the prompt reverts to the System context prompt.
Syntax
exit
Parameters
None.
Example
WS5000.(Cfg).ACL> exit
WS5000>
8.5.3 ? or help
Retrieves a list of commands supported in a given the context or instance.
Syntax
?
or
help
Parameters
None.
Example
WS5000> ?
or
WS5000> help
8.5.4 logout or bye

Syntax
logout
or
bye
Parameters
None.
Example
WS5000 logout
or
WS5000> bye
8.5.5 aaa
Display the current aaa settings managed by the switch.
Syntax
aaa
Parameters
None
Example
WS5000.(Cfg)> aaa

-----------------------------
AAA Server Status Disabled

Database Type local
WS5000.(Cfg).AAA>
8.5.6 accessport
Display the current access ports being managed by the switch. Also, the context is changed to the Access Port
(APort) Context. See page 8-118 for more details.
Note As a shortcut, “aport” can be used instead of “accessport”.
Syntax
accessport
Parameters
None.
Example
WS5000.(Cfg)> accessport

------------ --------- ---------- ---- ------
WS5000.(Cfg).APort>
8.5.7 acl
Display the currently available access control lists (ACLs) for the switch. Also, the context is changed to the
Access Control List (ACL) Context. See page 8-129 for more details.
Syntax
acl
Parameters
None.
Example
WS5000.(Cfg)> acl
Available ACLs:
1. New ACL.
WS5000.(Cfg).ACL>
8.5.8 appolicy
Display the currently available access port policies for the switch. Also, the context is changed to the Access
Port Policy (APPolicy) Context. See page 8-136 for more details.
Syntax
appolicy
Parameters
None.
Example
WS5000.(Cfg)> appolicy

8.5.9 banner
Use this to configure a Banner for the system
Syntax
banner
Parameters
None
Example
WS5000.(Cfg)> banner
WS5000.(Cfg).Banner> add testbanner
Adding Banner to the System...

WS5000 Banner Interactive Terminal
Type: \q to exit the banner prompt

banner> First Example Banner \q
WS5000.(Cfg).Banner>
8.5.10 ce
Display list of classifiers available for configuration. Also, the context is changed to the Classifier Context (CE).
See page 8-155 for more details.
Syntax
ce <ce_name>
Parameters
ce_name Name of the configurable classifier.
Example
WS5000.(Cfg)> ce

1. Ex HTTP Traffic.
3. RTP_Data.
9. VoIP_RAS_In.
10. VoIP_RAS_Out.
WS5000.(Cfg).CE>
8.5.11 cg
Display the list of currently available classification group for the switch. Also, the context is changed to the
Classification Group (CG) Context. See page 8-163 for more details.
Syntax
cg
or
cg_name
Parameters
None.
Example
WS5000.(Cfg)> cg

WS5000.(Cfg).CG>
8.5.12 chassis
Display the currently available chassis environmental details for the switch. Also, the context is changed to
the Chassis Context. See page 8-170 for more details.
Syntax
chassis
Parameters
None.
Example
WS5000.(Cfg)> chassis

----------- ---------- --------- --------- ------------
System Fan (rpm) 8544 8653 8437 None
CPU Fan (rpm) 21093 24500 5000 None
System Fan 2 OFF - - None
System Fan 4 15340 15340 15000 None
WS5000.(Cfg).Chassis>
8.5.13 clear
Clear the screen of all running command input and output entries.
Syntax
clear
Parameters
None.
Example
WS5000> clear
8.5.14 copy
Copies a file from the switch to a (T)FTP server, or vice versa. The following types of files can be transferred
via TFTP or FTP:
• *.sys.img
• *.cfg
• *.sym
• *.krb (FTP only)
!
Syntax
For TFTP:
copy <source> <destination>
For FTP:
copy <source> <destination> [ -u <ftp_user> ] [ -m <ftp_mode> ]
Parameters

• [protocol:]//<hostname or IP address>/[filename]. For example,
ftp://<ipAddress/path/[file_name].
• tftp
• ftp
• system
• .
• <filename, including path>

• tftp
• ftp
• system
• .
• /
• [protocol:]//<hostname or IP address>
ftp_user FTP username. Default is anonymous.
Example
WS5000.(Cfg)> copy tftp system
or
WS5000.(Cfg)> copy ftp://100.10.10.1/ftpimages/DefaultConfig.cfg system
Copying 'DefaultConfig.cfg' from ftp://100.10.10.1/ftpimages/ to Switch...
8.5.15 date
Display or sets the system time and date. When no parameters, this command displays the time/date currently
set. Otherwise, it modifies the time/date based on the specified parameters.
Syntax
date [time_format] [time_zone]
Parameters
time_format The time to be set, in one of the following formats:

• yyyymmddhhmm[.ss]
• yymmddhhmm[.ss]
• mmddhhmm[.ss]
• ddhhmm[.ss]
• hhmm[.ss]
time_zone Valid range is -12:00 to +13:00 [+/-](HH:MM), where 0.00 is Greenwich Mean Time. Note
that the ‘+’ must be included for positive timezone values.
Note In WS5000 2.1, Daylight Saving is enabled by

default
Example
WS5000.(Cfg)> date 200502110245.11 -08:00 1
Setting system time/date...

Status: Success.
Fri Feb 11 02:45:11 PST 2005
Time Zone :
WS5000.(Cfg)> date
Fri Feb 11 02:45:15 PST 2005
Time Zone :
8.5.16 delete
Deletes the specified image or config file from the switch. Use the directory command to list the files that can
be deleted.
Note As a shortcut, “del” can be used instead of “delete”.
Syntax
delete <filename>
Parameters
filename Name of file to be deleted.

Example
WS5000.(Cfg)> directory
Jan 11 2006 86588 WS5000Defaults_v2.1.0.0-012B.cfg

Jan 11 2006 86137 WS5k_Auto_v2.0.0.0-034R_20060111.cfg
Jan 6 2006 6453 cmd_template.sym
Jan 4 2006 15484 upgrade.cfg
WS5000.(Cfg)> delete WS5000Defaults_v2.1.0.0-012B.cfg
8.5.17 description
Configuration (Cfg) Context.
Sets a description to the policy of the item in the selection.
Syntax
Parameters
description_text Enter brief text to describe a configuration item.
Example
WS5000.(Cfg)> description “Created 7-14-05”
8.5.18 directory
Lists the image and configuration files that are stored on the WS5000.
Note As a shortcut, “dir” can be used instead of “directory”.
Syntax
directory
Parameters
None.
Example
WS5000.(Cfg)> directory
Jan 11 2006 86588 WS5000Defaults_v2.1.0.0-012B.cfg

Jan 11 2006 86137 WS5k_Auto_v2.0.0.0-034R_20060111.cfg
Jan 6 2006 6453 cmd_template.sym
Jan 4 2006 15484 upgrade.cfg
WS5000.(Cfg)>
8.5.19 emergencymode
Syntax
emergencyMode <enable/disable>
Parameters
enable / disable Indicates whether to enable or disable the ESP.
Example
WS5000.(cfg)> emergencymode enable
8.5.20 encrypt
Use this command to get the encrypted password.This command encrypts CLI user passwords, kerberos user
passwords, service mode password, vpn simple auth password, radius secret, WEP keys.This encrypted
password is used in autoinstall command file.
Syntax
encrypt <password>
Parameters
password The password to be encrypted.
Example
WS5000.(Cfg)> encrypt <symbol>
Encrypting password '<symbol>'....

Actual Password <symbol>
Encrypted Password 4527w5630f51f
WS5000.(Cfg)>
8.5.21 ethernet
Display the currently available ethernet ports for the switch. Also, the context is changed to the Ethernet Port
Context. See page 8-172 for more details.
Syntax
ethernet
Parameters
None.
Example
WS5000.(Cfg)> ethernet
Ethernet 1
Ethernet 2
WS5000.(Cfg).Ethernet>
8.5.22 etherpolicy
Display the currently available ethernet policies applied to the switch. Also, the context is changed to the
Ethernet Policy (EtherPolicy) Context. See page 8-178 for more details.
Syntax
etherpolicy
Parameters
None.
Example
WS5000.(Cfg)> etherpolicy

3. eth1.
WS5000.(Cfg).EtherPolicy>
8.5.23 events
Display the event settings currently applied to the switch. Also, the context is changed to the Event Context.
Syntax
events
Parameters
None.
Example
WS5000.(Cfg)> events

--- ------ --------- --------- ---------------
1 RF Stats threshold crossed by a AP Enabled Disabled Disabled

11 Tunnel Status change Enabled Disabled crit
12 NON IP packet received on Tunnel Enabled Disabled alert
13 License number change Enabled Disabled crit
14 Clock change Enabled Disabled info
15 Packet discard [wrong NIC] Enabled Disabled err
16 Packet discard [wrong VLAN] Enabled Disabled err
17 AP adopt failure [general] Enabled Enabled crit
18 AP adopt failure [policy disallow] Enabled Enabled crit
19 AP adopt failure [acl disallow] Enabled Enabled alert
20 AP adopt failure [limit exceeded] Enabled Enabled crit
21 AP adopt failure [license disallow] Enabled Enabled crit
22 AP adopt failure [no image] Enabled Enabled crit
23 AP status [offline] Enabled Enabled alert
24 AP status [alert] Enabled Enabled alert
25 AP status [adopted] Enabled Enabled debug
26 AP status [reset] Enabled Enabled info
27 AP config failed [no ESS] Enabled Enabled crit
28 AP max MU count reached Enabled Enabled warning
29 AP detected Enabled Disabled info
30 Device msg dropped [info] Enabled Enabled debug
31 Device msg dropped [loadme] Enabled Enabled debug
32 Ether port connected Enabled Enabled info
33 Ether port disconnected Enabled Enabled alert
34 MU assoc failed [ACL violation] Enabled Enabled info
35 MU assoc failed Enabled Enabled info
36 MU status [associated] Enabled Enabled info
37 MU status [roamed] Enabled Enabled info
38 MU status [disassociated] Enabled Enabled info
39 MU EAP auth failed Enabled Enabled err
40 MU EAP auth success Enabled Enabled info
41 MU Kerberos auth failed Enabled Enabled err
42 MU Kerberos auth success Enabled Enabled info
43 MU TKIP [decrypt failure] Enabled Enabled debug
44 MU TKIP [replay failure] Enabled Enabled debug
45 MU TKIP [MIC error] Enabled Enabled debug
46 WLAN auth success Enabled Disabled info
47 WLAN auth failed Enabled Enabled debug
48 WLAN max MU count reached Enabled Enabled debug
49 Mgt user auth failed [radius] Disabled Disabled warning
50 Mgt user auth rejected Disabled Disabled warning
51 Mgt user auth success [radius] Enabled Disabled info
52 Radius server timeout Enabled Enabled notice
53 KDC user [added] Enabled Disabled notice
54 KDC user [changed] Enabled Disabled notice
55 KDC user [deleted] Enabled Disabled notice
56 KDC DB replaced Enabled Enabled notice
57 KDC propagation failure Enabled Enabled alert
58 WPA counter-measures [active] Enabled Enabled debug
59 Primary lost heartbeat Enabled Disabled alert
60 Standby active Enabled Enabled alert
61 Primary internal failure [reset] Enabled Disabled alert
62 Standby internal failure [reset] Enabled Disabled alert
63 Standby auto-revert Enabled Enabled alert
64 Primary auto-revert Enabled Enabled alert
65 Auto channel select error Enabled Enabled err
66 Emergency Policy [active] Enabled Enabled info
67 Emergency Policy [deactivated] Enabled Enabled warning
68 Low flash space on switch Enabled Enabled alert
69 HSB Starts Up Enabled Disabled alert
70 HSB Peer Connect Enabled Disabled alert
71 CPU/SYS Temp Notification Enabled Enabled crit
72 Access Changed Notification Enabled Disabled info

73 Radio power is reduced [TPC] Enabled Disabled alert
74 Radar is detected [DFS] Enabled Disabled alert
75 Channel selected to avoid radar [DFS] Enabled Disabled alert
76 Switch to new channel [DFS] Enabled Disabled alert
77 Revert back to original channel [DFS] Enabled Disabled alert
78 Radio is suspended Enabled Disabled alert
79 Radio is resumed Enabled Disabled alert
80 Radio is moved to random channel Enabled Disabled alert
81 A new rogue AP is detected Enabled Disabled alert
82 A new approved AP is detected Enabled Disabled alert
83 WVPN certificate anomalies Enabled Disabled alert
84 WVPN Config/connection changes Enabled Disabled alert
85 RADIUS Accounting Log Disabled Disabled info
86 RADIUS Server Status Enabled Disabled alert
WS5000.(Cfg).Event>
8.5.24 export
This CLI is used to copy the log files from switch to remote TFTP server. Use logdir to view the list of user log
files that can be exported.
This is an interactive command and asks for
a. destination: Remote TFTP host
b. filename : Log file name to be exported to the remote TFTP server.
c. username : Enter the user name which you mentioned at the time of logfile creation
when using diag command.
Default user name is admin.
Syntax
export
Parameters
None.
Example
WS5000.(Cfg)> export
VPN is NOT supported ...
Enter the log file name : WS5000
Enter the user name : admin
WS5000.(Cfg)>
8.5.25 ftp
Display the FTP settings currently applied to the switch. Also, the context is changed to the FTP Context. See
page 8-198 for more details.
Syntax
ftp
Parameters
None.
Example
WS5000.(Cfg)> ftp
FTP Status: Active.
WS5000.(Cfg).FTP>
8.5.26 fw
This CLI is used to configure Firewall and port filter rules.
Syntax
fw
Parameters
None
Example
WS5000.(Cfg)> fw
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
WS5000.(Cfg)> fw
8.5.27 host
Display the host settings currently applied to the switch. Also, the context is changed to the Host Context. See
page 8-209 for more details.
Syntax
host
Parameters
None.
Example
WS5000.(Cfg)> host

--------- ---------- ------
1 SFHost 157.235.208.117 symbol.com
8.5.28 install
Configures the switch’s failover role as Primary or Standby, and applies all settings specified in the command
file (.sym). Alternatively, this command is used to update Kerberos principal from a specified Kerberos file
(.krb), without reset.
Syntax
install <install_option> [filename]
Parameters
install_option One of:

• primary – Configures the switch to act as Primary, and applies all settings specified
in the <filename> command file (.sym).
By default, install uses the command.sym file, if present. If “command.sym” is not
present, install will not change anything.
• standby – Configures the switch to act as Standby, and applies all settings as
described for the primary parameter value.
• kerberos – Updates the Kerberos principal from the settings in the filename file (.krb),
without reset.
• runcli – Configure the switch with the commands in CLI command file.
filename Command (*.sym) or Kerberos (*.krb) file to execute, which contains configuration
settings. By dafault, this is command.sym.
Example
WS5000.(Cfg)> install primary
8.5.29 kdc
Display the Kerberos Key Distribution Center (KDC) status/settings currently applied to the switch. Also, the
context is changed to the KDC Context. See page 8-214 for more details.
The KDC context provides configuration options to configure the switch-resident KDC as a Master or Slave.
Syntax
kdc
Parameters
None.
Example
WS5000.(Cfg)> kdc

Slave KDCsIP AddressDomain
--------------------------
No entry available.
WS5000.(Cfg).KDC>
8.5.30 logdir
This CLI is used to list available user log (history, syslog) files. It does not list image/config files.
Use dir command to list image/config files.
Syntax
logdir
or
logdir user <username>
Parameters
username It is the storage directory for the logs
Example
WS5000.(Cfg)> ..
WS5000> service

SM-WS5000> cfg

========================================================
8.5.31 name
Use the name command to change the system name.
Syntax
name <system_name>
Parameters
system_name The new name of the switch.

Example
WS5000.(Cfg)> name MiamiWS5000
Configuring name...
Status : Success.
MiamiWS5000.(Cfg)>
8.5.32 np
Display the currently available network policies on the switch. Also, the context is changed to the Network
Policy (NP) Context. See page 8-222 for more details.
Syntax
np
Parameters
None.
Example
WS5000.(Cfg)> np

WS5000.(Cfg).NP>
8.5.33 ping
System Context, Configuration (Cfg) Context, Host Context
Syntax
options:ping [-Rdfnqrv] [-c count] [-i wait] [-l preload] [-p pattern][-s packetsize] <host/IP_address>
Parameters

addresses.
when finished.
host/IP_address The name or IP address of the host to which the request packets are sent.
Example
WS5000.(Cfg)> ping WS5000
PING WS5000 (10.1.1.101) from 10.1.1.101 : 56(84) bytes of data.
64 bytes from WS5000 (10.1.1.101): icmp_seq=1 ttl=64 time=0.068 ms

4 packets transmitted, 4 received, 0% loss, time 2997ms
rtt min/avg/max/mdev = 0.028/0.039/0.068/0.016 ms
WS5000.(Cfg)>
8.5.34 po
Display the currently available policy object information on the switch. Also, the context is changed to the
Policy Object (PO) Context. See page 8-228 for more details.
Syntax
po
Parameters
None.
Example
WS5000.(Cfg)> po

WS5000.(Cfg).PO>
8.5.35 purge
This CLI is used to clear the specified contents from memory only. It does not delete any files. Use logdir to
view user log files and remove to delete user log files.
Syntax
purge <purge_option> [radioname|radioindex <radioname>|<radioindex>]
Parameters
purge_option Use one of:

• history : Clears global command history.
• rfstats : Clears RF stats for all or specified AP(s).
• rfstats ap <ap_mac> : To clear RF statistics for specified AP.
radioname Adopted Radioname
radioindex Adpoted RadioIndex
Example
1. To clear global history contents from memory, use
WS5000.(Cfg)> purge history
2. To clear RF statistics for all APs, use
WS5000.(Cfg)> purge rfstats
3. To clear RF statistics for specified AP, use
WS5000.(Cfg)> purge rfstats ap 1
WS5000.(Cfg)> purge rfstats ap <ap_mac>
8.5.36 radius
Display the Radius authentication status on the switch. Also, the context is changed to the Radius Context.
Syntax
radius
Parameters
None.
Example
WS5000.(Cfg)> radius
Radius authentication status:

-----------------------------
Local users (via serial port) : Disable
Authenticate locally if Radius server refuses access : Disable

------ ------------ ---- ----- -------
Primary Not defined 1812 3 5
WS5000.(Cfg).Radius>
8.5.37 remove
Removes the user log files (the once listed by logdir cli command). If a log file is saved using a username,
then username option is used to remove it. It does not remove image/config or local syslog files.
Syntax
remove <file_name> [username-optional]
where username is optional and is the storage directory for the logs
Parameters
filename the file that is to be removed

username Used to remove a log file in case the log file is saved using a user name.
Example
WS5000.cfg>logdir

========================================================
WS5000.(Cfg)> remove Log1.history

8.5.38 reset
WS5000.(Cfg)> reset
Resets the switch. Resetting the switch includes a graceful shutdown, and reboot.
Syntax
reset
Parameters
None.
Example
WS5000.(Cfg)> reset
This command will reset the system.

Are you sure (yes/no) : yes
System shutdown may take a few mins....

Shutting down cell controller....... done
Restarting system
8.5.39 restore
Restores the specified system image and/or configuration, and then resets (reboots) the system (based on the
restore_option) with the newly restored image and/or configuration.
Syntax
restore <restore_option> <filename>
Parameters
restore_option The type of restore to be invoked. image or configuration that you want to restore. One
of:
• system – Restores the system image and configuration from the specified file.
• configuration – Restores the configuration from the specified file.
• standby – Restores the standby configuration from the specified file.
filename The new system image or configuration file to be restored.
Example
WS5000.(Cfg)> restore config WS5000Defaults_v2.1.0.0-014B.cfg
Do you want to continue (yes/no) : y
Restoring configuration from WS5000Defaults_v2.1.0.0-014B.cfg


Shutting down cell controller......... done
Restarting system
8.5.40 rougeap
This CLI displays context specific attirbutes, rogue AP configuration, authorised AP rulelist and list of detector
APs. See Rogue AP Detection on page 1-22 for more details.
Syntax
rogueap
Parameters
None.
Example
WS5000.(Cfg)> rogueap

------------------------------
RogueAP Status : disable
WS5000.(Cfg).rogueap>
8.5.41 route
This CLI is used to configure system route settings.
Syntax
route
Parameters
None.
Example
WS5000.(Cfg)> route
Route Management:
Kernel IP routing table

Destination Gateway Genmask Flags Ref Use Iface
157.235.206.0 0.0.0.0 255.255.255.0 U 0 0 psdT
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 psdU
0.0.0.0 157.235.206.246 0.0.0.0 UG 0 0 psdT
WS5000.(Cfg).route>
8.5.42 runacs
Runs Automatic Channel Selection on all adopted access ports. See Automatic Channel Select on page 1-19
for more details.
Syntax
runacs
Parameters
None.
Example
WS5000.(Cfg)> runacs
Executing Automatic Channel Selection on all the adopted Access Ports...

Success.
WS5000.(Cfg)>
8.5.43 save
Saves the running system configuration to the specified file. Use directory to list the saved configuration files.
Syntax
save configuration <filename>
Parameters
filename The filename into which you want to save the running configuration. The .cfg extension
is automatically appended.
Example
WS5000.(Cfg)> save conf sample
Saving running configuration in: sample.cfg

8.5.44 securitypolicy
Display the security policy options available to the switch. Also, the context is changed to the Security Policy
Context. See page 8-243 for more details.
Syntax
securitypolicy
Parameters
None.
Example
WS5000.(Cfg)> securitypolicy

2. Default.
3. WEP40 Default.
4. WEP128 Default.
WS5000.(Cfg).SecurityPolicy>
8.5.45 sensor
Display details of all Sensors and the Active AP 300's.You can also configure the default sensor configuration
in this context.See 8.47 Sensor Context on page 252 for more details.
Syntax
sensor
Parameters
None.
Example
WS5000.(Cfg)> sensor
AP300's
-------
Sensor AP's
------------
1. 00:A0:F8:AA:BB:CC
8.5.46 set
Displays the set commands for the different system component. There are a number of ways to invoke the set
command:
• When invoked within any system component context, set is used to configure the attributes for the
current context.
• When invoked within the system configuration context, it is used to set the information about various
system parameters.
Syntax
set <system_parameter>
Parameters
Table 8.6 lists and describes the display_parameters in the set command:
Table 8.6 set command’s display_parameter Summary
Display Parameter Description Example
set arpcache Configure Arp Cache page 8-71

Table 8.6 set command’s display_parameter Summary
Display Parameter Description Example
set emergencypolicy Set the Emergency Switch Policy page 8-72
set autoinstall Enable/Disable auto-install page 8-73
set rfstats Enables/Disables RF Stats gathering page 8-73
set licensekey Update the port license page 8-74
set location Set the switch location string page 8-75
set muidletimeout Set the MU Idle Timeout value (for all MU's) page 8-75
set rfthreshold Set RF Stats threshold values for SNMP traps page 8-76
set logout Set CLI auto session logout time page 8-77
set snmptrap Enable/disable SNMP traps (global flag) page 8-77
set vpnsupport Enable VPN support page 8-78
set switchpolicy Activate a Switch Policy page 8-78
set time Set system time and/or date page 8-79
set zone Set the time zone page 8-80
set clearstat Clears Packet Stats page 8-81
set arpcache
Sets the address resolution display and control. The arp program displays and modifies the Internet-to-
Ethernet with no flags, the program displays the current ARP entry for hostname. The host may be specified
by name or by number, using Internet dot notation.
Syntax
set arpcache <command> <parameters>NAME
Parameters
hostname
-a The program displays all of the current ARP entries.
-d hostname A super-user may delete an entry for the host called hostname with the -d flag.
-s hostname ether_addr Create an ARP entry for the host called hostname with the Ethernet address ether_addr.
[temp] [pub] [trail] The Ethernet address is given as six hex bytes separated by colons. The entry will be
permanent unless the word temp is given in the command. If the word pub is given, the
entry will be 'published'; i.e., this system will act as an ARP server, responding to
requests for hostname even though the host address is not its own. The word trail
indicates that trailer encapsulations may
be sent to this host.
-f filename Causes the file filename to be read and multiple entries to be set in the ARP tables.
Entries in the file should be of the form hostname ether_addr [temp] [pub] [trail] with
argument meanings as given above.
Example
WS5000.(Cfg)> set arpcache -a
Arp cache operation....

Status : Success.
ARP Information:
? (157.235.208.246) at 00:00:0C:07:AC:01 [ether] on psdT
WS5000.(Cfg)>
set emergencypolicy
Sets a defined switch policy to be designated as the emergency switch policy (ESP). to the switch policy that
will assume the role of emergency switch policy (ESP). The ESP is provided as a means to quickly return to a
known, safe configuration.
Use the emergencymode command to enable or disable the ESP.
Note If the switch policy name includes “blank” spaces in the name, use quotation
marks within the command.
Syntax
set emergencypolicy <emergencypolicyname>
Parameters
emergencypolicyname Name of the switch policy to be designated as the emergency switch policy. To see
available switch policies, use the switchpolicy command.
Example
WS5000.(Cfg)> set emergencypolicy TestPolicy
Setting 'TestPolicy' as Emergency Policy....

Status: Success.
System Name : ABS01_DEPOT_081804

Switch Location :
Serial Number : 00A0F853C13D
Active Switch Policy : wm_stores

Emergency Switch Policy : TestPolicy
Global RF stats : Enabled
1. 00:A0:F8:CD:ED:C1 [G].
2. 00:A0:F8:CD:ED:C1 [A].
CLI AutoInstall Status : Disabled
WS5000.(Cfg)>
set autoinstall
Used to enable / disable the autoinstall feature.
Syntax
set autoinstall {enable|disable}
Parameters
enable Enables the auto install feature
disable Disables the auto install feature
Example
WS5000.(Cfg)> set autoinstall enable
Enabling autoinstall.... done
WS5000.(Cfg)>
set rfstats
Enables/Disables RF statistics gathering for all or specific AP(s).It can take only one
radioname|radioindex at a time.
To enable RF statistics gathering for all active Radios, use
set rfstats enable
To enable RF statistics gathering for Radio at index 1, use
set rfstats radioindex 1 enable
Syntax
set rfstats <radioname|radioindex> {<radioname|radioindex>} {enable|disable}
Parameters
radioname Adopted Radioname.
radioindex Adopted Radioindex.
enable To enable RF statistics gathering for all active Radios.

disable To disable RF statistics gathering for Radio at an index.
Example
WS5000.(Cfg)> set rfstats radioindex 1 enable
Success.
Invalid input '[A]'

Use quotes for name containing white space, e.g. "string1 string2"
Access Port details...
Name : 00:A0:F8:BF:8A:78 [A]
Device type : AP300
Radio MAC Address : 00:A0:F8:BF:EE:68
Device MAC Address : 00:A0:F8:BF:8A:78
Port Type : A
Description :
Status : Unavailable
Tx Channel : 52
Current Tx Channel : 0
Policy Attached : Default Access Port Policy
Tx Power : 20 dBm
Current Tx Power : 0 dBm
Location :
NIC Connected : Ethernet 1
VLAN id : None
VLAN Tags seen : None
CCA Mode : 1
CCA Threshold : 1
Diversity : Full
Maximum MUs allowed : 256
No. of MUs associated : 0
Up Time : 0d:0h:0m
Statistics gathering : Enable
Tx Packets/second : 0
Antenna : external
Indoor/Outdoor : in
DFS : Off
TPC : Off
Antenna Correction : 0
MU Power Adjustment : 0
All Channels : 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 16,5
Radar Channels :
Valid Power Range : 4-20
DetectorAP : disable
On Channel Scan : enable
WS5000.(Cfg)>
set licensekey
Sets the license key for the switch. The license key, issued by Symbol, is used to determine the number of APs
and MUs that the switch is able to support.
Syntax
set licensekey <licensekey>
Parameters
licensekey The license key, issued by Symbol. The switch must be configured as “Primary” if
updating the license key.
Use the set mode command to set the switch mode, if not already set as Primary.
Example
WS5000.(Cfg)> set licensekey <licensekey>
set location
Sets an informational location string for where the switch is located.
Syntax
set location <string>
Parameters
location Enter a string for where the switch is located, such as the NOC city, or campus building
#, for example. This information is displayed using the show system command.
Example
WS5000.(Cfg)> set location US
Setting the location string....

Status: Success.

Switch Location : US
Serial Number : 00A0F865A8E0
WS5000.(Cfg)>
set muidletimeout
Use set muidletimeout to set the MU Idle Timeout value (for all MUs).
MU idle timeout — It is the time for which each MU’s details ( which are associated) will retian in the switch
database. This helps MUs in PSP mode not ot get removed from the database till the timeout value expires.
The default value is 30 minutes.
Syntax
set muidletimeout <muIdleTimeout value>
Parameters
muIdleTimeout The time duration for which the MU should be idle
Example
WS5000.(Cfg)> set muidletimeout 88
Setting the MU Idle Timeout value....

Status: Success.

Switch Location : US
Serial Number : 00A0F865A8E0
WS5000.(Cfg)>
set rfthreshold
Syntax
set rfthreshold <Type> <Thresholdname> <Thresholdvalue / reset>
Parameters
Type Placeholder for the type of RF threshold. It can be either AP, MU or Switch.
Thresholdname Placeholder for the threshold associated with each of the threshold type mentioned
above.
Thresholdvalue Place holder for the value that can be associated with each of the threshold name.
Example
WS5000.(Cfg)> set rfthreshold mu pps 100
Success.
Mu Threshold details :
Status : disabled
Packets Per Second : 100
Note The threshold value for all the threshold names, except for average signal, can
be between zero and (no maximum limit).
Note The value for Average signal, measured in Dbm, must always be below zero
(negative value).
set logout
Sets the CLI’s auto-logout time, in minutes.
Syntax
set logout <#minutes>
Parameters
#minutes CLI’s auto-logout time, in minutes. Valid values are 0 through 1440 (24 hours). Use 0 to
disable auto-logout.
Example
WS5000.(Cfg)> set logout 10
Setting auto-logout time (10 min) for CLI.... done.
WS5000.(Cfg)> set logout 0
Disabling auto log-off.... done.
WS5000.(Cfg)>
set snmptrap
Enables or disables SNMP traps, globally.
Syntax
set snmptrap <snmptrap_flag>
Parameters
snmptrap_flag Indicates whether to enable or disable SNMP traps on the switch. Possible values are:
• enable
• disable
Example
WS5000.(Cfg)> set snmptrap enable
Setting SNMP Trap status....
Status: Success.
SNMP details:
-------------
SNMP Traps : Enabled
WS5000.(Cfg)> set snmptrap disable

Status: Success.
SNMP details:
-------------
WS5000.(Cfg)>
set vpnsupport
Used to enable or disable the VPN support.
Syntax
set vpnsupport enable|disable <license file>
Parameters
enable Use this to enables the VPN support.
disable Use this to disables the VPN support.
license_file Use this to enter the location for the VPN license file.
Example
WS5000.(Cfg)> set vpnsupport enable
Are you sure (yes/no) : y

Setting VPN Support status....
Status: Need minimum 256MB ram to enable vpn support !
WS5000.(Cfg)>
set switchpolicy
Sets a defined switch policy to be designated as the active switch policy.
Note If the switch policy name includes “blank” spaces in the name, use quotation
marks within the command.
Syntax
set switchpolicy <spolicy_name>
Parameters
spolicy_name Name of the switch policy to be designated as the active switch policy. To see available
switch policies, use the switchpolicy command.
Example
WS5000.(Cfg)> set switchpolicy "Default Wireless Switch Policy"
Setting active Switch Policy to 'Default Wireless Switch Policy'....

Status: Success.

Switch Location : San Francisco
Serial Number : 00A0F8658C10
Emergency Switch Policy : EmerPolicy2-10
1. 00:A0:F8:6E:4A:7A [G].
2. 00:A0:F8:BB:B3:6D [G].
WS5000.(Cfg)>
set time
Sets the system time and date based on the specified parameters.
Syntax
set time [time_format] [time_zone]
Parameters
time_format The time to be set, in one of the following formats:

• yyyymmddhhmm[.ss]
• yymmddhhmm[.ss]
• mmddhhmm[.ss]
• ddhhmm[.ss]
• hhmm[.ss]

default
Example
WS5000.(Cfg)> set time 200502110145.11 -08:00
Setting system time/date...

Status: Success.

Date : Fri Feb 11 2005
Time Zone :
WS5000.(Cfg)>
set zone
Sets the time zone, without changing the time and date.
Syntax
set zone <time_zone>
Parameters

default
Example
WS5000.(Cfg)> date

Time Zone :
WS5000.(Cfg)>
WS5000.(Cfg)> set zone -12:00
Setting the time zone...

Status: Success.

Time Zone :
(GMT -12:00) Eniwetok, Kwajalein
WS5000.(Cfg)>
set clearstat
Clears the packet statistics
Syntax
set clearstat
Parameters
none
Example
WS5000.(Cfg)> set clearstats
WS5000.(Cfg)>
8.5.47 show
Display all the available commands within the Configuration context. Also, any of the show commands, with
an associated <display_parameter> will show a summary specific to the parameter.
Syntax
show
or
show [<display_parameter> [instance_name]]
Parameters
display parameter Categories of information related to the switch or the network components associated
with the switch. Possible values are listed in Table 8.4 on page 8-23.
Example
For a complete list of display parameters refer – show commands on page 8-23
8.5.48 shutdown
Gracefully shuts down the switch. Before turning off the switch (power down), wait 10 seconds or more.
After the switch has been shut down, bring it back up with a full power cycle (power down and then power
back up).
Syntax
shutdown
Parameters
None.
Example
WS5000.(Cfg)> shutdown
This command will halt the system.

A manual power cycle will be required to re-start the switch.
Do you want to proceed (yes/no) : y
System shut down might take a few mins....

Shutting down the switch...
Please wait 10 secs before turning off power.
8.5.49 snmp
Display the SNMP settings currently applied to the switch. Also, the context is changed to the SNMP Context.
Syntax
snmp
Parameters
None.
Example
WS5000.(Cfg)> snmp
SNMP details:
-------------
WS5000.(Cfg).SNMP>
8.5.50 ssh
Display the Secure Shell settings currently applied to the switch. Also, the context is changed to the SSH
(Secure Shell) Context. See page 8-269 for more details.
Syntax
ssh
Parameters
None.
Example
WS5000.(Cfg)> ssh

---------------------------
SSH Status : Enabled
Version : V2
Port : 22
WS5000.(Cfg).SSH>
8.5.51 ssl
Display the Secure Socket Layer settings currently applied to the switch. Also, the context is changed to the
SSL (Secure Socket Layer) Context. See page 8-271 for more details.
Syntax
ssl
Parameters
None.
Example
WS5000.(Cfg)> ssl
Web based configuration (Applet) access by : https
WS5000.(Cfg).SSL>
8.5.52 standby
Display the standby (failover) management settings currently applied to the switch. Also, the context is
changed to the Standby Context. See page 8-273 for more details.
Syntax
standby
Parameters
None.
Example
WS5000.(Cfg)> standby
Standby Management:

State : Startup
Failover Reason :

----------------------
----------------------
WS5000.(Cfg).StandBy>
8.5.53 switchpolicy
Display the active and available switch policy currently defined on the switch. Also, the context is changed to
the Switch Policy (SPolicy) Context. See page 8-278 for more details.
Syntax
switchpolicy
Parameters
None.
Example
WS5000.(Cfg)> switchpolicy
2. EmerPolicy2-10.
WS5000.(Cfg).SPolicy>
8.5.54 telnet
Display the telnet accessibility settings currently defined on the switch. Also, the context is changed to the
Telnet Context. See page 8-291 for more details.
Syntax
telnet
Parameters
None.
Example
WS5000.(Cfg)> telnet
Telnet Status : Active.
WS5000.(Cfg).Telnet>
8.5.55 tunnel
Displays the GRE tunnels and the remote tunnel IP address that is used to map it to the WLAN. Only 4 GRE
tunnels can be configured in WS5000 switch. Also, the context changes to Tunnel Context. See page 8-294 for
more details.
Syntax
tunnel
Parameters
None.
Example
WS5000.(Cfg)> tunnel
Tunnel details...
----------- -----------------
tunnel1 none
tunnel2 none
tunnel3 none
tunnel4 none
8.5.56 user
Display the user accounts currently defined on the switch. Also, the context is changed to the User Context.
Syntax
user
Parameters
None.
Example
WS5000.(Cfg)> user
User information
Available Users:
1. admin.
2. techsupport.
WS5000.(Cfg).User>
8.5.57 wlan
Display the WLAN settings currently defined on the switch. Also, the context is changed to the WLAN Context.
Syntax
wlan
Parameters
None.
Example
WS5000.(Cfg)> wlan

--------- ----- ---------------
WS5000.(Cfg).WLAN>
8.5.58 wme
This CLI is used to displays and configure the various WME profiles.
Syntax
wme
Parameters
None.
Example
WS5000.(Cfg)> wme
WME Profile Name

----------------
WS5000.(Cfg).WME>
8.5.59 wvpn
This CLI is used to display and configure system WVPN settings
Syntax
wvpn
Parameters
None.
Example
WS5000.(Cfg)> wvpn
WVPN Management:


WS5000.(Cfg)> wvpn
8.6 AAA Context

The AAA context enables you to configure the onboard Radius server and user database.
Table 8.7 AAA Context Commands
Command Description
.. or end Go back to the previous context.
exit Go back to root context.
? or help To get the command information
logout or bye Close this session
acct Configure the RADIUS Accounting Server.
clear Clears the screen
client Configure Radius Clients setting.
disable Disable the AAA Server.
eap Configure EAP setting.
emergencymode Enable or disable Emergency Mode
enable Start the AAA Server.
ldap Configure LDAP setting.
policy Configure Access Policy.
proxy Configure Radius Proxy setting.
save Restart the AAA Server.
set Configure the AAA Server.
show Display context specific attributes
userdb Configure user database setting.
8.6.1 acct
AAA Context
Used to set the IP, Port Number, Timeout Value, and the Max Retry values for the Radius accounting server.
Syntax
acct <name/IP> <portNum> <timeoutVal> <retryVal>
acct host <IPAddr>
acct port <portNum>
acct timeout <timeoutVal>
acct retry <retryVal>
acct show
acct secret
acct dir [ipAddr] | [ipAddr/fileName]

acct tftp <destIpAddr> <srcDir>/<filename>
acct purge [force]
acct enable
acct disable
Parameters
ip IP address of the Radius accounting server.
portNum Port number of the accounting server.
TimeoutVal The time out value thats set for the switch after which it stops attempting to connect to
the Radius accounting server.
retryVal The number a tries the switch attempts to contact the Radius server.
Example
WS5000.(Cfg).AAA> acct 156.5.0.0 10 3 4
8.6.2 client
AAA Context
Configures client parameters.
Syntax
client
Parameters
None
Example
WS5000.(Cfg).AAA> client
Client information
Available Client Servers:

1. myclient.
WS5000.(Cfg).AAA.Client>
8.6.3 disable
AAA Context
Disables the AAA server settings.
Syntax
Disable
Parameters
None
Example
WS5000.(Cfg).AAA> disable
Configuring AAA server...

-----------------------------
Database Type local
8.6.4 eap
AAA Context
To configure EAP parameters, use the Eap command.
Syntax
eap
Parameters
None
Example
WS5000.(Cfg).AAA> eap
EAP Configurations :
-----------------------------
EAP Type peap
Private key password wwwww
8.6.5 enable
AAA Context
To start the AAA Server settings, use the enable command.
Syntax
enable
Parameters
None
Example
WS5000.(Cfg).AAA> enable

-----------------------------
AAA Server Status Active
Database Type local
8.6.6 ldap
AAA Context
To configure LDAP parameters, use the ldap command.
Syntax
ldap
Parameters
None
Example
WS5000.(Cfg).AAA> ldap
LDAP information
LDAP Server IP 157.235.205.4

LDAP Server Port 389
LDAP Bind DN cn=Manager,o=symbol,c=India
LDAP Base DN o=symbol,c=India
LDAP Password Attribute userPassword
LDAP Login Attribute (uid=%{Stripped-User-Name:-%{User-Name}
})
LDAP Group Membership Filter (|(&(objectClass=GroupOfNames)(member=%
{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
LDAP Password secret

LDAP Group Name Attribute cn
LDAP Group Membership Attribute radiusGroupName
8.6.7 policy
AAA Context
To configure acceess policy for a group, use the policy command.
Syntax
policy
Parameters
None
Example
WS5000.(Cfg).AAA> policy
WS5000.(Cfg).AAA.Policy>
8.6.8 proxy
AAA Context
To configure proxies and proxy parameters, use the proxy command.
Syntax
proxy
Parameters
None
Example
WS5000.(Cfg).AAA> proxy
Proxy information
Available Proxy Servers:
1.symbol.
WS5000.(Cfg).AAA.Proxy>
8.6.9 save
AAA Context
To restart the AAA Server with the new configuration settings, use the save command.
Syntax
save [CR]
Parameters
None
Example
WS5000.(Cfg).AAA> save

Status : Success.

-----------------------------
Database Type local
8.6.10 set
AAA Context
To configure the AAA Server database type, use the set command.
Syntax
set dbtype <value>
Parameters
value the value can be either ldap or local
Example
WS5000.(Cfg).AAA> set dbtype ldap

Status : Success.

-----------------------------
Database Type ldap

Warning: Please commit these changes using Save command in AAA context.
8.6.11 show
AAA Context
Table 8.8 lists the show commands.
Table 8.8 Show Commands
Command Description
show eap-config Display EAP information
show ldap Display LDAP information
show certs Display Certificate information
show clients Display Clients or details of a specific Client
show radius-acct Display RADIUS Accounting Server information
show proxy Display Proxy or details of a specific Proxy
show aaa-server Display AAA information
8.6.12 userdb
AAA Context
To configure a user database for the AAA server, use the userdb command.This command leads you to userdb
context. Refer to AAA User Database Context for more information on userdb.
Syntax
userdb
Parameters
None
Example
Refer to AAA User Database Context for more information on userdb.
8.7 AAA Client Context

Table 8.9 shows the AAA client context commands.
Table 8.9 AAA Client Context Commands
Commands Description
? or help To get the command information.
logout or bye Close this session.
add Add a new Radius Client.
clear Clears the screen.
emergencymode Enable or disable Emergency Mode.
remove Remove the Radius client server.
show Display the current list of clients.
8.7.1 add
AAA Client Context
To add a new client, use the add command.
Syntax
add <client_name> <ip_address> <netmask> <secret>
Parameters
client_name Name of the new client added.
ip_address IP address of the new client
netmask Subnet mask of the new client’s IP address.
secret USed to encrypt packets between the RADIUS server (switch) and the RADIUS
client.
Example
WS5000.(Cfg).AAA.Client> add new 1.1.1.1 255.0.0.0 secret
Adding Client...
Status: Success.
Client information

1. myclient.
2. new.
8.7.2 remove
AAA Client Context
To remove a RADIUS client from the WS5000 Series Switch, use the remove command.
Syntax
remove <client_name> [CR]
Parameters
Client_name Name of AAA client
Example
WS5000.(Cfg).AAA.Client> remove new
Removing Client...
Status: Success.
Client information

1. myclient
8.7.3 show
AAA Client Context
To display list of clients or attributes of a specific client, use the show command.
Syntax
show — Display context specific attributes
show clients
Parameters
clients Display Clients or details of a specific Client
Example
WS5000.(Cfg).AAA.Client> show client
Client information

1.switch.
WS5000.(Cfg).AAA.Client> show client switch
Client information
Client IP 157.235.208.186
Client Secret WS5000
Client Netmask 255.255.255.0
8.8 AAA EAP Context

Table 8.10 shows the AAA EAP context commands.
Table 8.10 AAA EAP Context Commands
import Import Server and CA Certificates for EAP Server.
peap Configure PEAP setting.
set Configure the EAP Server.
show Display current EAP settings.
ttls Configure TTLS setting.
8.8.1 import
AAA EAP Context
To set server and CA Certificate paths, use the import command.
Syntax
Import <servcert/cacert> <path>
Parameters
servcert use servcert if server certificate is being imported.
cacert use cacert if ca certificate is being imported.
Example
WS5000.(Cfg)> aaa

-----------------------------
AAA Server Status Active
Database Type local
WS5000.(Cfg).AAA> eap
-----------------------------
EAP Type peap
Private key password WS5000
WS5000.(Cfg).AAA.EAP> import cacert root.pem
Configuring AAA EAP server...

Status :
Success.
WS5000.(Cfg).AAA.EAP> show cert
CA Certficate
-------------
Issuer /C=IN/ST=Karnataka/L=Bangalore/O=Symbol Technologies India
P
vt Ltd/OU=Testing and Validation/CN=ROOT/emailAddress=KumarBes@symbol.com
Serial Number AB111ABF223AA1A1
Valid From Jan 3 08:20:34 2006 GMT
Valid Till Feb 2 08:20:34 2006 GMT
WS5000.(Cfg).AAA.EAP>
8.8.2 peap
AAA EAP Context
To configure PEAP parameters, use the peap command.
Syntax
peap
Parameters
None
Example
WS5000.(Cfg).AAA.EAP> peap
PEAP Configurations :
-----------------------------
PEAP Type mschapv2
WS5000.(Cfg).AAA.EAP.PEAP>
8.8.3 set
AAA EAP Context
To set the EAP type and private key password, use the set command.
Syntax
set eaptype <peap/ttls>
set keypassword <password>
Parameters
Eaptype set EAP authentication type to peap or ttls
Keypassword set password used to protect the certificate being imported

Example
WS5000.(Cfg).AAA.EAP> set eaptype peap
Status : Success.
WS5000.(Cfg).AAA.EAP> set eaptype ttls

Status : Success.
WS5000.(Cfg).AAA.EAP> set keypassword 123

Status : Success.
8.8.4 show
Use the show command to display context specific attributes.
Syntax
show [display_parameter]
Parameters
eap-config Display EAP information.
certs Display Certificate information.
peap-config Display PEAP information.
ttls-config Display TTLS information.
Example
WS5000.(Cfg).AAA.EAP> show eap-config
-----------------------------
EAP Type ttls
Private key password 123
8.8.5 ttls
AAA Context
Use ttls context to configure TTLS parameters.
Syntax
ttls
Parameters
None
Example
WS5000.(Cfg).AAA.EAP> ttls
TTLS Configurations :
-----------------------------
TTLS Type mschapv2
WS5000.(Cfg).AAA.EAP.TTLS>
8.9 AAA LDAP Context

Table 8.11 shows the AAA LDAP context commands.
Table 8.11 AAA LDAP Context Commands
set Configure LDAP server
show Display current LDAP settings.
8.9.1 set
AAA LDAP Context
To configure a LDAP server components, use the set command.
Syntax
set <config_parameter> <parameter_value>
Parameters
config_parameter LDAP server parameter to be configured.

parameter_value Value for the LDAP server parameter
Table 8.12 shows the configurable attributes/parametes

Table 8.12 Configurable Attributes Using the set Command
Config Parameter Description Usage
ip Assign Server IP. Set ip <param_value>
port Assign Server Port Number Set port <param_value>
passwd Assign Password. set passwd <param_value>
login Assign Login Attribute. set login <param_value>
passattr Assign Password Attribute. set passattr <param_value>
filter Assign Group Membership Filter. set filter <param_value>
groupname Assign Group Name Filter. set groupname <param_value>
membership Assign Group Membership Attribute. set membership <param_value>

Table 8.12 Configurable Attributes Using the set Command

Config Parameter Description Usage
basedn Assign Base DN. set basedn <param_value>
binddn Assign Bind DN. set binddn <param_value>
Example
WS5000.(Cfg).AAA.LDAP> set ip 1.1.1.1
Configuring LDAP Server...Success.
LDAP information

})

8.9.2 show
AAA LDAP Context
To display LDAP information, use the show ldap command.
Syntax
show
or
show ldap
Parameters
ldap Displays LDAP information.
Example
WS5000.(Cfg).AAA.LDAP> show ldap
LDAP information

})

8.10 AAA Policy Context

AAA Policy Context shows the AAA policy context commands.
Table 8.13 AAA Policy Context Commands
add Add a new WLAN to a group
remove Remove a Policy for a group.
set set time of access policy to a Group
show Display current information on all policies information
8.10.1 add
AAA Policy Context
To add a new WLAN to a group, use the add command.
Syntax
add wlan <group> <wlan-name>
Parameters
group Name of the group to which you add the WLAN

wlan-name Name of the WLAN for the group
Example
WS5000.(Cfg).AAA.Policy> add wlan ws5k xyz
Adding Access Policy...

Status: Success.
WS5000.(Cfg).AAA.Policy>
8.10.2 remove
AAA Policy Context
To remove a policy from a group, use the remove command.
Syntax
remove <group> <wlan>
Parameters
group Name of the group to which you add the WLAN

wlan Name of the WLAN for the group
Example
WS5000.(Cfg).AAA.Policy> remove ws5k NewWlan
Configuring Policies..
Status : Success.
WS5000.(Cfg).AAA.Policy> show policies ws5k
Policy information
Available Policies for this group:
WLAN Policies:
1. xyz.
Days Policy: Sa-Su-Mo
StartTime Policy: 1000
EndTime Policy: 2200
8.10.3 set
AAA Policy Context
To set new time restrictions to a group, use the set command.
Syntax
set days <group> <attribute>
set time <group> <starttime> <endtime>
Parameters
group Name of the group.

attribute Day attribute for the group.
starttime Start time for the group.
endtime End time for the group.
Choose days restrictions as follows:

For All Days, specify all
For weekdays, specify weekdays
For specific days, type the days separated by space
eg : For Mo, Tu, Fr -- Type Mo<space>Tu<space>Fr
Use the following Codes
Mo Monday
Tu Tuesday
We Wednesday
Th Thursday
Fr Friday
Sa Saturday
Su Sunday
Use the following time format : hhmm

Example
WS5000.(Cfg).AAA.Policy> set days ws5k Sa Su Mo

Status: Success.
WS5000.(Cfg).AAA.Policy> set time ws5k 1000 2200

Status: Success.
8.10.4 show
AAA Policy Context
To view access policies attached to a group, use the show command.
Syntax
show policies [groupname]
Parameters
groupname Name of the group to which you add the WLAN
Example
WS5000.(Cfg).AAA.Policy> show policies ws5k
Policy information
WLAN Policies:
1. NewWlan.
2. xyz.
Days Policy: Sa-Su-Mo
StartTime Policy: 1000
EndTime Policy: 2200
8.11 AAA Proxy Context

Table 8.11 shows the AAA proxy context commands.
Table 8.14 AAA Proxy Context Commands
add Add a new Radius Proxy
remove Remove a Proxy Server
set Configure the Proxy Server.
show Display current Proxy settings.
8.11.1 add
AAA Proxy Context
Use add to add a new Proxy.
Syntax
add <proxy_name> <suffix> <ip_address> <port> <secret>
Parameters
proxy_name The name of the new proxy being added.
suffix Suffix
auth-server_ip AuthIP
port Port
secret Secret code to access the proxy.
Example
WS5000.(Cfg).AAA.Proxy> add NewProxy symbol.com 1.1.1.1 1812 secret
Adding Proxy...
Status: Success.
Proxy information
Available Proxy Servers:
1. NewProxy.
8.11.2 remove
AAA Proxy Context
Use remove to remove a Proxy from the system.
Syntax
remove <proxyname> [CR]
Parameters
proxy_name The name of the new proxy being removed.
Example
WS5000.(Cfg).AAA.Proxy> remove NewProxy
Removing Proxy...
Status: Success.
8.11.3 set
AAA Proxy Context
Use set to set Proxy configurations.
Syntax
set retry-delay <retry delay:5-10>
set retry-count <retry count:3-6>
Parameters
retry_delay The delay period you set for the proxy to attempt a retry.
retry_count To count the number of retries attempted.
Example
WS5000.(Cfg).AAA.Proxy> set retry-delay 6
Configuring AAA Proxy server...

Status : Success.
WS5000.(Cfg).AAA.Proxy> set retry-count 3
Configuring AAA Proxy server...

Status : Success.
8.11.4 show
AAA Proxy Context
Use d to display the current Proxy settings.
Syntax
show
show proxy
show config-proxy
Parameters
proxy Display Proxy or details of a specific Proxy

config-proxy Display details of Proxy
Example
WS5000.(Cfg).AAA.Proxy> show config-proxy
Proxy information
-----------------
Retry Count 3
Retry Delay 6 (seconds)
WS5000.(Cfg).AAA.Proxy> show proxy NewProxy
Proxy information
Proxy Suffix symbol.com
Proxy Auth Server IP 1.1.1.1
Proxy Secret secret
Proxy Port 1812
8.12 AAA User Database Context

Table 8.15 shows the AAA user database context commands.
Table 8.15 AAA User Database Context Commands
group Configure Groups.
user Configure Users.
8.12.1 group
AAA User Database - Group Context
This is a sub-context of userdb context. Use group to configure Group parameters.You can add and remove
Groups, using the group command.
Use AAA.userdb.Group context to
• add a new group to the system
• add a user to group
• remove a RADIUS group from the system
• remove a user from group
Syntax
group [CR]
Parameters
None
Example
WS5000.(Cfg).AAA.userdb.Group> add newGroup1
Adding RADIUS Group...

Status: Success.
Group information
Available Groups:
1. newGroup1.
Group information
WLAN Policies:
StartTime Policy : 0000
EndTime Policy : 2359
Days Policy : Any
WS5000.(Cfg).AAA.userdb.Group.[newGroup1]>
Note You need to enter into the Group sub-context level to add/remove a User/
Group.
8.12.2 user
AAA User Database - User Context
This is a sub-context of userdb context.To add and remove users, use the user command.Use
AAA.userdb.Group context to
• Add a new user to the system
• Add a User to Group.
• Remove a RADIUS User from the system
• Remove a User from Group
• Configure the Userdb
Syntax
user [CR]
Parameters
None
Example
WS5000.(Cfg).AAA.userdb.User> add newUser1
Enter User Password : ******
Re-Enter User Password : ******
Adding RADIUS User...

Status: Success.
WS5000.(Cfg).AAA.userdb.User>
Note You need to enter into the Group sub-context level to add/remove a User/
Group.
8.13 AAA User Database - Group Context

The AAA user database group context contains commands to add, remove, and configure Radius user groups.
This section describes the commands in the AAA user database group context.
Table 8.16 AAA User Database -Group Context Commands
add Add a new group to the system

adduser Add a User to Group.
group Select a Group to configure.
remove Remove a RADIUS Group from the system
remuser Remove a User from Group
show Display current User Database settings.
8.13.1 add
Use add to add a new group to the system.
Syntax
add <group_name>
Parameters
group_name Name of the Group.
Example
WS5000.(Cfg).AAA.userdb.Group> add newgroup
Adding RADIUS Group...
Status: Success.
Group information
Available Groups:
1. ws5k.
2. newgroup.
Group information
WLAN Policies:
Days Policy : Any
WS5000.(Cfg).AAA.userdb.Group.[newgroup]>
8.13.2 adduser
Use adduser to add a user to a group.
Syntax
adduser <user> <group>
Parameters
user Adds a new user to the group

group The group name to which you want to add the new User.
Example
WS5000.(Cfg).AAA.userdb.User> adduser new ws5k
Configuring Userdb...
Status : Success.
8.13.3 group
Use group to select group to configure.
Syntax
group <group_name>
Parameters
group name Displays the name of the group that you want to configure.
Example
WS5000.(Cfg).AAA.userdb.Group> group ws5k
Group information
WLAN Policies:
1. xyz.
Days Policy : Sa-Su-Mo
WS5000.(Cfg).AAA.userdb.Group.[ws5k]>
8.13.4 remove
Use remove to remove a RADIUS group from the system.
Syntax
remove <group_name> [CR]
Parameters
group name The RADIUS group that you want to remove from the system.
Example
WS5000.(Cfg).AAA.userdb.Group> remove newgroup
Removing Group...
Status: Success.
Group information
Available Groups:
1. ws5k.
8.13.5 remuser
Use remuser to remove a user from a group
Syntax
remuser <user> <group>
Parameters
User user name that you want to remove from the group.
Group group name to which the user is associated.
Example
WS5000.(Cfg).AAA.userdb.User> remuser abc ws5k
Status : Success.
8.14 AAA User Database - User Context

The AAA user database user context contains commands to add or remove a new user, add ore remove a new
group and to configure the user database. Table 8.17 shows the AAA user database
Table 8.17 AAA User Database User Context Commands
add Add a new user to the system
adduser Add a user to group.
clear Clear the screen
emergencymode Enable or disable emergency mode
remove Remove a Radius user from the system
remuser Remove a user from group
set Configure the user database
show Display the user database
8.14.1 add
Use add to add a new User to the system.
Syntax
add <user_name>
Parameters
user_name Name of the User.
Example
WS5000.(Cfg).AAA.userdb.User> add new
Enter User Password : ******
Re-Enter User Password : ******
Adding RADIUS User...

Status: Success.
8.14.2 adduser
Use adduser to add a user to a group
Syntax
adduser <user> <group>
Parameters
user Adds a new user to the group

group The group name to which you want to add the new User.
Example
WS5000.(Cfg).AAA.userdb.User> adduser new ws5k
Status : Success.
8.14.3 remove
Use remove to remove a RADIUS User from the system.
Syntax
remove <user_name> [CR]
Parameters
user_name Removes the RADIUS user from the system
Example
WS5000.(Cfg).AAA.userdb.User> remove new
Removing User...
Status: Success.
8.14.4 remuser
Use remuser to remove a user from a group
Syntax
remuser <user> <group>
Parameters
user removes the user from the group.

group The group name from which you want to remove the user.
Example
WS5000.(Cfg).AAA.userdb.User> remuser abc ws5k
Status : Success.
8.14.5 set
Use set to set password for an existing user.
Syntax
set passwd <username> [CR]
Parameters
username The user for which you intend to add a password.
Example
WS5000.(Cfg).AAA.userdb.User> set passwd abc
Enter New Password : ******
Re-Enter New Password : ******
Status : Success.
8.14.6 show
Use show to display user database information.
Syntax
show users
show groups <userid>
Parameters
users Display user database information.

userid Displays the group to which the user is associated.
Example
WS5000.(Cfg).AAA.userdb.User> show users
Available Users:
1.abc.
WS5000.(Cfg).AAA.userdb.User> show groups abc
Available Groups for the User:

1.ws5k.
8.15 Access Port (APort) Context

The Access Port context lets you name the RF devices (the radios in the Access Ports and converted Access
Points) that exist on your WLAN. You can create Access Port instances by hand through the add command, or
enable them to be created as Access Ports are discovered and adopted by the switch.
Note For brevity, converted Access Points are referred to as “Access Ports”
throughout this documentation.
Table 8.18 Access Port (APort) Context Command Summary
add Creates a new Access Port instance, AP type specific. page 8-118
port Changes the context to the named Access Port instance, while displaying the page 8-119
Access Port’s details.
remove Removes the named Access Port. page 8-120
show Shows the Access Port configuration values. page 8-121
8.15.1 add
Access Port (APort) Context
Creates a new Access Port instance (or two, for dual-radio APs). The first argument is the AP type. The rest of
the arguments depend on the AP type.
Syntax
add AP100 <MAC> <name> [location]
add AP200 <MAC> <a_name> <a_MAC> [b_name] [b_MAC] [location]
add AP300 <MAC> <g_name> <g_MAC> [a_name] [a_MAC] [location]
add AP3020-3021 <MAC> <name> [location]
add AP4121 <MAC> <name> [location]
Parameters
MAC The Access Port’s (unique) MAC address.

a_MAC, b_MAC, g_MAC For dual-radio APs, you must supply the MAC of (at least) the AP’s “first” radio. The MAC
of the second radio is optional. The a_name, b_name, and g_name arguments refer to
the 802.11x radio types.
name, a_name, b_name, Unique names that you give to the Access Port and/or its radios. The a_name, b_name,
g_name and g_name arguments refer to the 802.11x radio types. For single-radio APs, you only
need to supply one name. For dual-radio APs, the name for the second radio is optional.
location Optional, arbitrary string that identifies the Access Port’s location.
Example
WS5000.(Cfg).APort> add AP100 00:10:5b:63:36:81 a_name BC
Adding a new Access Port device...

Status: Success.

------------ --------- ---------- ---- ------
a_name 00:10:5B:63:36:81 00:10:5B:63:36:81 B Unavailable

Name : a_name
Device type : AP100
Radio MAC Address : 00:10:5B:63:36:81
Device MAC Address : 00:10:5B:63:36:81
Port Type : B
Description :
Tx Channel : Auto (once)
Tx Power : 20 dBm
Location : BC
NIC Connected : None
VLAN id : None
CCA Mode : 1
CCA Threshold : 1
Diversity : Full
Up Time : 0d:0h:0m
Antenna : unknown
Indoor/Outdoor : in
All Channels :
WS5000.(Cfg).APort.[a_name]>
8.15.2 port
Changes the context to the named Access Port instance, while displaying the Access Port’s details.
Note The system never needs to automatically assign a name to an 802.11g or a

frequency-hopping (FH) radio since you’re compelled to supply names for these
radios when you add their Access Port instances.
Syntax
port <APort_name>
Parameters
APort_name Selects the Access Port instance by name. Until you give an Access Port a name, it’s
known by the space-separated concatenation of its device MAC address and its 802.11
type (A or B), all enclosed in quotes: "xx:xx:xx:xx:xx:xx [A | B]"
For example: "00:A0:B0:C0:D0:E0 [A]"
Example
WS5000.(Cfg).APort> port a_name

Name : a_name
Device type : AP100
Radio MAC Address : 00:09:5B:63:33:81
Device MAC Address : 00:09:5B:63:33:81
Port Type : B
Description :
Tx Power : 20 dBm
Location : BC
NIC Connected : None
VLAN id : None
CCA Mode : 1
CCA Threshold : 1
Diversity : Full
Up Time : 0d:0h:0m
Antenna : unknown
Indoor/Outdoor : in
All Channels :
WS5000.(Cfg).APort.[a_name]>
8.15.3 remove
Removes the named Access Port. For a list of Access Port names, invoke the show command.
Syntax
remove <port_name>
Parameters
port_name Removes the port with the given name.
Example
WS5000.(Cfg).APort> remove "00:a0:f8:11:12:14 [B]"
Removing the dsp device of the radio 00:a0:f8:11:12:14 [B]....

Status: Success.
8.15.4 show
Shows the Access Port configuration values.
Syntax
show
show interfaces
show channelInfo
Parameters
(none) Display a list of Access Port instances.
interfaces Display a list of Access Port instances and lists the available Ethernet ports.
channelInfo Display a list of country codes and the channels each country supports.
Example
WS5000.(Cfg).APort> show

------------ --------- ---------- ---- ------
1 00:A0:F8:CD:C9:5A [B] 00:A0:F8:B5:7A:D0 00:A0:F8:CD:C9:5A B Unavailable
2 00:A0:F8:CD:C9:5A [A] 00:A0:F8:CD:D0:DE 00:A0:F8:CD:C9:5A A Unavailable
3 00:A0:F8:CF:20:1B [G] 00:A0:F8:CE:80:10 00:A0:F8:CF:20:1B G Unavailable
4 00:A0:F8:CF:20:1B [A] 00:A0:F8:CE:D8:48 00:A0:F8:CF:20:1B A Unavailable
WS5000.(Cfg).APort.[00:A0:F8:CF:20:1B [G]]> show

Name : 00:A0:F8:CF:20:1B [G]
Device type : AP300
Radio MAC Address : 00:A0:F8:CE:80:10
Device MAC Address : 00:A0:F8:CF:20:1B
Port Type : G
Description :
Tx Power : 20 dBm
Location :

VLAN id : None
CCA Mode : 1
CCA Threshold : 1
Diversity : Full
Up Time : 0d:0h:0m
Statistics gathering : Disable
ERP Protection : off
Short Slot : on
Antenna : external
DTIM per BSS : Enabled
WS5000.(Cfg).APort.[00:A0:F8:CF:20:1B [G]]> ..
WS5000.(Cfg).APort>
WS5000.(Cfg).APort> show interfaces


------------ --------- ---------- ---- ------

Ethernet 1
Ethernet 2
WS5000.(Cfg).APort>
WS5000.(Cfg).APort> show channelinfo

------------ ---- ----------------------------
A Ch: 149,153,157,161
A Ch: 36,40,44,48,52,56,60,64,149,153,11
A Ch: 36,40,44,48,52,56,60,64,100,104,10
A Ch:
A Ch:
A Ch: 36,40,44,48,52,56,60,64
A Ch: 149,153,157,161
A Ch:
A Ch: 36,40,44,48,52,56,60,64,149,153,11
...
8.16 Access Port Instance

To drop into an Access Port instance, use the port <name> command from within the APort context.
Table 8.19 summarizes the commands within this context.Common commands between multiple contexts are
Table 8.19 Access Port Instance Context Command Summary
history Display command history within a context or instance. page 8-9
description Create a description for thr Access Port instance. page 8-123
name Set the Access Port name. page 8-123
reset Resets the Access Port or its radio. page 8-124
set Configures settings for a particular Access Port. page 8-124
show Display context specific attributes page 8-127
8.16.1 description
Access Port Instance
Create a description for the Access Port instance.
Syntax
Parameters
description_text Brief text to describe the Access Port instance.
Example
WS5000.(Cfg).APort.[ap_name]> description “This is a generic AP”
8.16.2 name
Set the Access Port name.
Syntax
name <AP_name>
Parameters
AP_name Name defined for the Access Port.
Example
WS5000.(Cfg).APort.[ap_name]> name New_AP_name
WS5000.(Cfg).APort.[New_AP_name]>
8.16.3 reset
Resets the Access Port or its radio, depending on the parameter value.
Syntax
reset <reset_flag>
Parameters
reset_flag Indicates whether to reset the access port or radio. Valid options are:
• ap – Resets the Access Port that contains this radio that’s represented by this
instance. radio
• radio – Resets the radio that’s represented by this instance.
Example
WS5000.(Cfg).APort.[ap_name]> reset radio
WS5000.(Cfg).APort.[ap_name]> reset ap
8.16.4 set
The set command includes a group of different configuration commands to “set” or change Access Port device
parameters. The set of parameters that can be set or changed depends on the AP model, as shown inTable
8.20.
Table 8.20 Access Port Instance “Set” Command Summary
Set Command Description AP Models Syntax
name Set the Access Port name. All set name <ap_name>
description Access Port description string. All set description <desc_text>
policy Access Port policy thats applied to this Access All set policy <policy_name>
Port. See Access Port Policy (APPolicy) Context
on page 8-136.
Table 8.20 Access Port Instance “Set” Command Summary (Continued)

channel Access Port transmit channel. Possible values All except: set channel <value>
are: • AP 3020
• <channel#> – Specific channel number • AP 3021
• auto-once – The AP uses Automatic Channel
Selection (ACS) the first time it’s adopted by
the switch, and then sticks to that channel
thereafter.
• auto-always – The AP uses ACS every time
it’s adopted.
• random – The AP chooses a random channel
every time it's adopted.
power Access Port transmission power. Possible All except: set power <power_value>
values are 4-20 dBm • AP 3020
• AP 3021
muPower The amount in which associated mobile units All except: set muPower <mupwr_value>
are told to adjust (increase) their power. • AP 3020
Although this is a drain on MU batteries, it can • AP 3021
help improve signal fidelity. The possible
adjustment values are in positive, integral dB.
location Access Port location description. All set location <location_text>
ccaMode Sets the Access Port’s CCA mode. Possible All set ccaMode <CCA_mode#>
values are:
• 0–
• 1 – Energy above threshold
• 2 – Carrier sense only
• 3 – Carrier sense with energy above
threshold
ccaThreshold Sets the Clear Channel Assessment threshold, All set ccaThreshold <value>
which is the maximum level of traffic that the
AP will accept and still consider the channel to
be clear. 0 means no traffic; 31 means jam-
packed.
diversity Access port diversity antenna setting. Possible All set diversity <setting>
values are:
• full – The AP dynamically chooses the
antenna with the strongest signal.
• primary – Use this AP as a Primary antenna.
• secondary – Use this AP as a Secondary
antenna.
vLanId VLAN ID that the Access Port is to be part of. All set vLanId <vLAN_ID>
clearVLanTags Clears the VLAN tag register. All set clearVLanTags

Table 8.20 Access Port Instance “Set” Command Summary (Continued)

statistics Enable/disable Access Port information All set statistics <enable_flag>

gathering. When enabled, the Access Port
reports throughput in packets-per-second, as
well as the amount of time that it has been
adopted by the switch. Use the show command
with no argument to display.
dwellTime Frequency-hopping maximum dwell time. AP 3020 set dwellTime <maxdwelltime>

AP 3021
AP 100
hopSeq Frequency-hopping hop sequence. AP 3020 set hopseq <maxchannels>

maxChannels is the maximum number of AP 3021
channels (allowed by the country setting) AP 100
divided by three.
hopSet Frequency-hopping hop set. AP 3020 set hopSet <value>

AP 3021
AP 100
antCorrection The power correction (increase) due to the AP’s AP 300 set antCorrection <value>
(isotropic) antenna; in dB (dBi).
indoor Indicates whether the AP is being used indoors AP 300 set indoors <true_or_false>
(true) or outdoors (false).
simulateRadar Tells the Access Port to pretend that radar has AP 300 set simmulateRadar
been discovered.
user-802.1x Declares a username for the AP, for information AP 300 set user-802.1x <username>
only.
detectorap Scans for rougue APs in all the channels AP 3020 set detectorap
AP 3021
AP 100
onchannelscan Scans for rougue APs in its operating channel. AP 3020 set onchannelscan
AP 3021
AP 100
Syntax
set <attribute> <value>
Parameters
See the applicable set command in Table 8.20 for more details, as applicable.
Example
When access port device attributes are set, all access port settings for the access port instance are displayed,
with the change in place. For example, in the following, the CCA Threshold value was changed from 0 to 10.
See the Syntax examples in Table 8.20 for details on each set command.
WS5000.(Cfg).APort.[00:A0:F8:A2:91:7C [B]]> set ccathreshold 10
Configuring Access Port device...

Status: Success.

Name : 00:A0:F8:A2:91:7C [B]
Device type : AP100
Radio MAC Address : 00:A0:F8:A2:91:7C
Device MAC Address : 00:A0:F8:A2:91:7C
Port Type : B
Description :
Status : Active
Tx Channel : 6
Policy Attached : appol1
Tx Power : 20 dBm1
Location :
VLAN id : None
CCA Mode : 1
CCA Threshold : 10
Diversity : Full
Up Time : 6d:20h:36m
Antenna : unknown
Indoor/Outdoor : in
All Channels : 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11,
WS5000.(Cfg).APort.[00:A0:F8:A2:91:7C [B]]>
8.16.5 show
Display the configured details for the specified Access Port instance.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).APort.[00:A0:F8:A2:91:7C [B]]> show

Name : 00:A0:F8:A2:91:7C [B]
Device type : AP100
Radio MAC Address : 00:A0:F8:A2:91:7C
Device MAC Address : 00:A0:F8:A2:91:7C
Port Type : B
Description :
Status : Active
Tx Channel : 6
Policy Attached : appol1
Tx Power : 20 dBm1
Location :
VLAN id : None
CCA Mode : 1
CCA Threshold : 10
Diversity : Full
Up Time : 6d:20h:36m
Antenna : unknown
Indoor/Outdoor : in
All Channels : 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11,
WS5000.(Cfg).APort.[00:A0:F8:A2:91:7C [B]]
8.17 Access Control List (ACL) Context

An Access Control List is a set of rules that governs the adoption of mobile units. Each rule contains a MAC
address or MAC address range, and an allow or deny declaration deeming whether the device can have
associations with access ports or not. When a device attempts to associate with an access port, the switch
searches for the device (by MAC address) in the port’s ACL.
An ACL’s rules must be non-overlapping with regard to MAC addresses. If you try to create a rule that includes
an address that already appears in the ACL—whether it appears as an individual address or as part of an
address range—the creation attempt is denied.
You apply an ACL to a WLAN through the WLAN context’s set command.
Table 8.21 ACL Context Command Summary
acl Display the ACL and related details. page 8-129
add Adds a new ACL (and changes to that instance context). page 8-130
remove Removes an ACL. page 8-130
show Display all defined ACLs within the switch. page 8-131
8.17.1 acl
Access Control List (ACL) Context
Display the ACL, including device MAC addresses, associated allow or deny rule, as well as the default ACL
action for the ACL if no rule is assigned to a particular device.
Syntax
acl <ACLname>
Parameters
name Name assigned to the ACL to be added.
Example
WS5000.(Cfg).ACL> acl "New ACL"
ACL Name : New ACL

Default action on ACL items : allow
MAC address (range) Rule

------------------- ----
00:A0:F8:6E:4A:7A allow
WS5000.(Cfg).ACL.[New ACL]>
8.17.2 add
Adds a new ACL and then changes the context to the named ACL instance context.
Syntax
add <ACLname>
Parameters
ACLname Name of the ACL to be added.
Example
WS5000.(Cfg).ACL> add 2-10ACL
Adding ACL...
Status: Success.
Available ACLs:
1. newacl.
2. 2-10ACL.
ACL Name : 2-10ACL


------------------- ----
WS5000.(Cfg).ACL.[2-10ACL]>
8.17.3 remove
Removes the named ACL.
Syntax
remove <ACLname>
Parameters
ACLname The name of the ACL to be removed.
Example
WS5000.(Cfg).ACL> remove newacl
Removing ACL...
Status: Success.
Available ACLs:
1. 2-10ACL.
WS5000.(Cfg).ACL>
8.17.4 show
Display all defined ACLs within the switch.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).ACL> show
Available ACLs:
1. 2-10ACL.
WS5000.(Cfg).ACL>
8.18 ACL Instance Context

Table 8.22 ACL Instance Context Command Summary
name Renames an ACL. page 8-132
set Configures settings for a particular ACL. Includes set name, set addItem, set page 8-132
remItem, set editItem, and set defaultAction.
show Display the ACL device lists and default settings. page 8-135
8.18.1 name
ACL Instance Context
Rename an ACL. Similar command to the set name command.
Syntax
name <new_name>
Parameters
new_name New name of the ACL.
Example
WS5000.(Cfg).ACL.[2-10ACL]> name archive_ACL
Configuring name...
Status : Success.
WS5000.(Cfg).ACL.[archive_ACL]>
8.18.2 set
Configures settings for a particular ACL.
See set name, set addItem, set remItem, set editItem, and set defaultAction for more details.
Syntax
set <set_operation> [applicable_parameters]
Parameters
set_operation The configurable parameters of the ACL.
8.18.2.1 set name

Renames an ACL, while displaying the MAC addresses included with the ACL. Similar to the name command.
Syntax
name <new_name>
Parameters
new_name New name of the ACL.
Example
WS5000.(Cfg).ACL.[archive_ACL]> set name oldACL
Configuring Access Control List...

Status: Success.
ACL Name : oldACL

------------------- ----
WS5000.(Cfg).ACL.[oldACL]>
8.18.2.2 set addItem

Adds an MU to the ACL list.
Syntax
set addItem <MAC address>
Parameters
startMAC Adds a device to the adoption list.

<MAC_address>
Example
WS5000.(Cfg).ACL.[testacl]> set addItem 00:a0:f8:01:02:03 allow
Status: Success.
ACL Name : testacl
------------------- ----
00:A0:F8:01:02:03 allow
8.18.2.3 set remItem

Removes a device(s) from the ACL.
Syntax
set remItem <MAC_Address>
Parameters
MAC_Address The MAC address of the device(s) to be removed. If the MAC address identifies the
beginning of an device range, the entire range is removed from the ACL.
Example
WS5000.(Cfg).ACL.[testacl]> set remItem 00:a0:f8:01:02:03

Status: Success.
ACL Name : testacl

------------------- ----
8.18.2.4 set editItem

Edits an MU in the ACL list.
Syntax
set editItem <oldStartMac> <newStartMac> <allow | deny> | newEndMAC>
Parameters
oldStartMac Redefines an existing ACL entry. You can switch between allow and deny, or reset
newStartMac the address range. You can’t do both at the same time.
<allow | deny> |
newEndMAC>
Example
WS5000.(Cfg).ACL.[testacl]> set edititem 00:a0:f8:01:02:03 00:a0:f8:00:01:00 all
ow

Status: Success.
ACL Name : testacl

------------------- ----
00:A0:F8:00:01:00 allow
8.18.2.5 set defaultAction

Sets the default adoption action for this ACL.
Syntax
set defaultAction <allow | deny>
Parameters
allow | deny Indicates a default adoption action for devices that are not associated with any ACL. If
allow is set, the device is associated with this ACL. If not, the device remains
unassociated.
Example
WS5000.(Cfg).ACL.[oldACL]> set defaultAction allow

Status: Success.
ACL Name : oldACL

------------------- ----
8.18.3 show
Display the ACL device lists and default settings.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).ACL.[oldACL]> show
ACL Name : oldACL

------------------- ----
8.19 Access Port Policy (APPolicy) Context

An Access Port Policy configures a physical Access Port by defining attributes such as beacon interval, RTS
threshold, the set of supported data rates, and so on.
The APPolicy is also responsible for adding WLANs to the Access Port, and for attaching a Security Policy,
Access Control List, and Network Policy (or packet filter) to each AP.
Table 8.23 Access Port Policy Context Command Summary
history Display command history within the context. page 8-9
add Creates and names a new Access Port policy instance. page 8-136
policy Changes the context to a specific Access Port policy instance. page 8-137
remove Removes an Access Port policy. page 8-138
show Shows details about the Access Port policy. page 8-138
8.19.1 add
Access Port Policy (APPolicy) Context
Creates and names a new Access Port policy instance.
Syntax
add <name>
Parameters
name The name that’s given to the new policy.
Example
WS5000.(Cfg).APPolicy> add newpolicy
Adding Access Port policy...

Status: Success.

2. newpolicy.
Access Port Policy details for "newpolicy":
Policy Name : newpolicy

Description :
RF Preamble : long
DTIM Period : 10
WME Enaled : Disabled
WME Profile Name : Default AP WME Profile
WLAN details for the Access Port policy 'newpolicy'

--------- --------------
WS5000.(Cfg).APPolicy.[newpolicy]>
8.19.2 policy
Changes the command prompt into the named Access Port policy instance.
Syntax
policy <name>
Parameters
name The name of the Access Port policy instance.
Example
WS5000.(Cfg).APPolicy> policy appol1
Access Port Policy details for "appol1":
Policy Name : appol1

Description :
RF Preamble : long
DTIM Period : 10

WLAN details for the Access Port policy 'appol1'

--------- --------------
WLAN_NE
WS5000.(Cfg).APPolicy.[appol1]>
8.19.3 remove
Removes the named Access Port policy.
Syntax
remove <name>
Parameters
name The name of the Access Port policy that’s to be removed.
Example
WS5000.(Cfg).APPolicy> remove newpolicy
Removing Access Port Policy...

Status: Success.

8.19.4 show
Show’s details about the Access Port policy.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).APPolicy> show

2. New Access Port Policy.
3. appol1.
4. NY_APpolicy.
8.20 Access Port Policy Instance

Table 8.24 Access Port Policy Instance Context Command Summary
add Add an access port policy instance page 8-139
add Adds an WLAN to the Access Port Policy instance. page 8-139
description Add a unique identifier or description to the policy instance. page 8-140
map The map command, depending on the specified AP hardware type, page 8-141
moves you into a WLAN-to-BSS/ESS mapping subcontext.
name Rename an access port policy instance. page 8-141
remove Remove an access port policy instance. page 8-142
show Show details for the Access Port Policy instance. page 8-142
set Set various configurations for the access port policy instance. This includes: page 8-143
set basicRates, set beacon, set dTim, set nonSpectrumMgmt, set np, set
preamble, set rtsThreshold, and set supportedRates.
8.20.1 add
Access Port Policy Instance
Adds an Access Port Policy instance.
Syntax
add <policy_name>
Parameters
policy_name The name of the Access Port Policy being added.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy]> add WLAN_NE
Adding WLAN...
Status: Success.
WLAN details for the Access Port policy 'NY_APpolicy'

--------- --------------
WLAN_NE
WS5000.(Cfg).APPolicy.[NY_APpolicy]>
8.20.2 description
Configures a brief description for the Access Port Policy instance.
Syntax
Parameters
description_text Brief description of the Access Port Policy instance.
Example
WS5000.(Cfg).APPolicy.[myAPPolicy]> description 2-11-05
Adding description...
Status : Success.
Access Port Policy details for "myAPPolicy":
Policy Name : myAPPolicy

Description : 2-11-05
RF Preamble : long
DTIM Period : 10
WLAN details for the Access Port policy 'myAPPolicy'

--------- --------------
WS5000.(Cfg).APPolicy.[myAPPolicy]>
8.20.3 map
The map command, depending on the specified AP hardware type, moves you into a WLAN-to-BSS/ESS
mapping subcontext.
Some explanation is necessary, as follows. There are six Access Port device/radio types: AP 100, AP 200a, AP
200b, AP 300(a/g), AP 302x, AP 4121, and AP 4131. These hardware types are grouped by the number of BSSs
and ESSs that they support. Each BSS/ESS combination is represented by a pre-defined Map subcontext (there
are four Maps). Upon invoking the map command and specifying the “AP hardware type” parameter, the
command prompt is automatically changed to the correct Map subcontext.
From within the Map subcontext, you can assign (or map) the WLAN(s) that will support the BSS/ESS
combination. See the Access Port Map Context section for more details.
Syntax
map <apType>
Parameters
apType Type of AP, which thus indicates the BSS/ESS Mapping. Possible values are:
• AP100 – 4 BSS to 4 ESS
• AP200a – 1 BSS to 16 ESS
• AP200b, AP300a, or AP4121 – 4 BSS to 16 ESS
• FH – 1 BSS to 1 ESS
a. The AP 300 802.11a radio uses the same mapping as the AP 300 802.11g.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy]> map ap4121
4BSS-16BSS mapping (used for AP200 11b radio, AP300 and AP4121):
WLAN Name BSS Primary BW(%)
--------- --- ------- -----
WLAN_NE 1 * 5.00%
Total BandWidth: 5.00%
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-16ESS]>
WS5000.(Cfg).APPolicy.[SF_APpolicy]> map ap100
4BSS-4ESS mapping (used for AP100):

WLAN Name Selected BW(%)
--------- -------- -----
WLAN_NE * 5.00%
WS5000.(Cfg).APPolicy.[SF_APpolicy].Map.[4BSS-4ESS]>
8.20.4 name
Rename an access port policy instance.
Syntax
name <appolicy_name>
Parameters
appolicy_namename AP policy name of the access port policy.
Example
WS5000.(Cfg).APPolicy.[NY_appolicy]> name NY_APPolicy
Configuring name...
Status : Success.
WS5000.(Cfg).APPolicy.[NY_APPolicy]>
8.20.5 remove
Remove an AP Policy instance.
Syntax
remove <APPolicy_name>
Parameters
APPolicy_name Name of the AP Policy to be removed.
Example
WS5000.(Cfg).APPolicy> remove "New Access Port Policy"
Removing Access Port Policy...

Status: Success.

2. appol1.
3. NY_APPolicy.
8.20.6 show
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy]> show
Access Port Policy details for "NY_APpolicy":
Policy Name : NY_APpolicy

Description :

RF Preamble : short
DTIM Period : 10
WLAN details for the Access Port policy 'NY_APpolicy'

--------- --------------
WLAN_NE
WS5000.(Cfg).APPolicy.[NY_APpolicy]>
8.20.7 set
Used to configure the Access Port Policy instance related parameters.
Syntax
set <config_parameter>
Parameters
set <config_parameter> Description
set np Assigns the Network Policy that’s associated with the combination of this
Access Port Policy and WLAN.
set preamble Sets the length of the preamble (either short or long) that’s added to the
packets that are sent by Access Ports that adopt this policy
set rtsThreshold Sets the Request to Send (RTS) threshold.
set dTim Sets the Access Port’s DTIM interval as a multiple of the beacon interval. Valid
DTIM values are in the range [1, 20].
set beacon Sets the Access Port’s radio beacon interval, in milliseconds. Valid intervals are
in the range [20, 1000].
set basicRates Sets the basic frequency rates for a given 802.11 radio type
set supportedRates Sets the radio frequencies that are supported by the device.
set nonSpectrumMgmt Tells the Access Port to allow (true) or deny (false) association for mobile
devices that don’t have spectrum management capabilities.
set wmm Sets the wmn for the switch
Access Port Policy details

for "NY_APPolicy":
Example
WS5000.(Cfg).APPolicy.[NY_APPolicy]> set
Syntax: set <config_parameter>
config_parameter is a required parameter.
Valid commands:
set name
set np
set preamble
set rtsthreshold
set dtim
set beacon
set basicrates
set supportedrates
set nonspectrummgmt
set wmm
set wmeprofile
Incomplete command... use '?' for help.... exiting...
8.20.7.1 set basicRates

Sets the basic frequency rates for a given 802.11 radio type.
Syntax
set basicRates <radioType> <rates ...>
Parameters
radioType One of A, B, G, or FH (frequency hopping). Radio values are:

• A – Frequencies 6, 9, 12, 18, 24, 36, 48, 54
• B – Frequencies 1, 2, 5.5, 11
• G – Frequencies 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54
• FH – Frequencies 1, 2
rates A list of frequency values, in Mbps. The list of candidate frequencies depends on the
radio type. You can set multiple basic rates by passing a list of frequencies, e.g.: > set
B basicrates 1 2 11
Example
WS5000.(Cfg).APPolicy.[QIAPPolicy01]> set basicrates b 1,2,5.5,11
Configuring a Access Port Policy...

Status: Success.
Access Port Policy details for "QIAPPolicy01":
Policy Name : QIAPPolicy01

Description :
Basic Rate for 11b : 1,2,5.5,11
Supported Rate for 11b :

RF Preamble : long
DTIM Period : 10
WS5000.(Cfg).APPolicy.[QIAPPolicy01]>
8.20.7.2 set beacon

Sets the Access Port’s radio beacon interval, in milliseconds. Valid intervals are in the range [20, 1000].
Syntax
set beacon <20 - 1000>
Parameters
beacon_interval Place holder to assign a becon interval period for the access port.
Example
WS5000.(Cfg).APPolicy.[QIAPPolicy01]> set beacon 150
Status: Success.
Access Port Policy details for "QIAPPolicy01":
Policy Name : QIAPPolicy01

Description :
RF Preamble : long
DTIM Period : 10
WS5000.(Cfg).APPolicy.[QIAPPolicy01]>
8.20.7.3 set dTim

Sets the Access Port’s DTIM interval as a multiple of the beacon interval. Valid DTIM values are in the range
[1, 20].
Syntax
set dtim <dtim_period : 1 - 20>
set dtim <bss1 | bss2 | bss3 | bss4> <dtim_period : 1 - 20>
Parameters
dtim period Used to set the range of dtim interval
bss Placeholder for selecting one of the four bss. AP which has only one bss use the value
for bss1.
Example
WS5000.(Cfg).APPolicy.[DtimTest5]> set dTim bss3 8

Status: Success.
Access Port Policy details for "DtimTest5":
Policy Name : DtimTest5

Description :
RF Preamble : long
DTIM Period : 10
WME Enabled : Disabled
8.20.7.4 set nonSpectrumMgmt

Tells the Access Port to allow (true) or deny (false) association for mobile devices that don’t have spectrum
management capabilities. This is only significant when the AP has DFS or TPC enabled.
Syntax
set nonSpectrumMgmt <flag>
Parameters
flag Indicates whether the AP will allow (true) or deny (false> association of mobile devices
that are not Spectrum-capable.
Example
WS5000.(Cfg).APPolicy.[NY_APPolicy]> set nonSpectrumMgmt true
8.20.7.5 set np
Assigns the Network Policy that’s associated with the combination of this Access Port Policy and WLAN.
Syntax
set np <np_name> <wlan_name>
Parameters
name The name of the Network Policy.

wlan_name The name of the WLAN.
Example
WS5000.(Cfg).APPolicy.[testappolicy]> set np "Default Network Policy" WLAN10

Status: Success.
WLAN details for the Access Port policy 'testappolicy'

--------- --------------
WLAN10 Default Network Policy
8.20.7.6 set preamble

Sets the length of the preamble (either short or long) that’s added to the packets that are sent by Access
Ports that adopt this policy.
Syntax
set preamble <short | long>
8.20.7.7 set rtsThreshold

Sets the Request to Send (RTS) threshold.
Syntax
set rtsThreshold <threshold_value>
Parameters
threshold_value This is the maximum size of packets (in bytes) that use the four-way handshake, a
technique that allows nearby Access Ports to sense the wireless conversation and
improve throughput. The RTS threshold is set, by default, to 2347 (the largest packet
size). This effectively turns off the four-way handshake.
Possible values are 0 - 2347.
Example
WS5000.(Cfg).APPolicy.[NY_APPolicy]> set rtsthreshold 200

Status: Success.
Access Port Policy details for "NY_APPolicy":
Policy Name : NY_APPolicy

Description :
RF Preamble : short
DTIM Period : 10
8.20.7.8 set supportedRates

Sets the radio frequencies that are supported by the device.
Note Same as set basicRates (set on page 8-143).
Syntax
set supportedRates <radioType> <rates ...>
Parameters
radioType used to set any one of the valid radio types. The Valid Radio types are: A, B, G or FH.
rates Place holder to set the supported rates for corresponding selected radio. The support
rates for the different radio types are
A: 6, 9, 12, 18, 24, 36,48,54 and none
B: 1, 2, 5.5,11and none
G: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 and none
FH: 1, 2 and none
Example
WS5000.(Cfg).APPolicy.[testappolicy]> set supportedrates a 36 54

Status: Success.
Access Port Policy details for "testappolicy":
Policy Name : testappolicy

Description :
Supported Rate for 11a : 36,54

RF Preamble : long
DTIM Period : 10
8.20.7.9 set wmm

Sets the wmn for the switch.
Syntax
set wmm <enable/disable>
Parameters
enable/disable Enables/Disables Wireless MultiMedia (wmm) capability support
Example
WS5000.(Cfg).APPolicy.[Default Access Port Policy]> set wmm enable
Policy Name : Default Access Port Policy

Description : Default Access Port Policy, only ESSID 101 and no
security, and default network policy
RF Preamble : short
DTIM Period : 10
WME : Enabled (At Next Reboot)
WME Profile Name : Default AP WME ProfileStatus: Success.
Access Port Policy details for "NY_APPolicy":
8.21 Access Port Map Context

See the map command for an introduction to the Map context, a context where mapping of WLANs to different
radio types is configured. The four Map contexts and the radios that use each mapping are shown in Table
8.25.
Depending on the pre-defined Map context, the following configurations can be set:
• Set the BSS index ID for each WLAN.
• Set the primary WLAN for the Map.
• Set the percentage of bandwidth that’s reserved for each WLAN.
Not all Map contexts support all of these settings. For example, it does not make sense to set the primary
WLAN for an AP radio that only supports one WLAN (such as is the case with frequency-hopping radios). Upon
changing into a particular map context instance, the command prompt changes to reflect the mapping..
Table 8.25 Map Context and Associated Radios
Map Radio Prompt Example
4 BSS to 4 ESS AP100 WS5000.(Cfg).APPolicy.[AP0].Map.[4BSS-4ESS]>
1 BSS to 16 ESS AP200a WS5000.(Cfg).APPolicy.[AP0].Map.[1BSS-16ESS]>
4 BSS to 16 ESS AP200b, AP300(a/g), WS5000.(Cfg).APPolicy.[AP0].Map.[4BSS-16ESS]>

AP4121
1 BSS to 1 ESS AP302x (frequency hopping WS5000.(Cfg).APPolicy.[AP0].Map.[1BSS-1ESS]>

radio)
Table 8.26 Access Port Map Context Command Summary
Command Description BSS Map (AP Type) Ref.
.. or end Terminate a current session and moves up a context, All page 8-7
hierarchically.
exit Terminate a current session and returns to the “root” All page 8-7
prompt.
? or help Get the command information. All page 8-7
logout or bye Close this session. All page 8-8
clear Clear the screen. All page 8-8
emergencymode Enable or disable Emergency mode. All page 8-8
select Assign a WLAN to the map. 4 BSS to 4 ESS page 8-151

(AP100)
1BSS-to-1ESS
(AP302x)
set bss Assign a BSS index ID to a WLAN. 4BSS-to-16ESS page 8-152

(AP200b, AP300,
AP4121)
Table 8.26 Access Port Map Context Command Summary (Continued)

Command Description BSS Map (AP Type) Ref.
set bw Set the guaranteed bandwidth that is assigned to a 1BSS-to-16ESS page 8-152
WLAN. (AP200a)
4BSS-to-16ESS
(AP200b, AP300,
AP4121)
set primaryWLAN Set the primary WLAN for this map. 1BSS-to-16ESS page 8-153
(AP200a)
4BSS-to-16ESS
(AP200b, AP300,
AP4121)
unselect Unassign a WLAN to the map. 4BSS-to-4ESS page 8-153

(AP100)
1BSS-to-1ESS
(AP302x)
show commands Display context specific attributes. All page 8-154
8.21.1 select
Access Port Map Context
Assigns a WLAN to the map.
Note This command applies only to: 4BSS-to-4ESS (AP100), 1BSS-to-1ESS

(AP302x).
Syntax
select <wlan_name>
Parameters
wlan_name The name of the WLAN to take on the BSS ID assignment.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-4ESS]> select WLAN_NE
Success.

--------- -------- -----
WLAN_NE * 5.00%
8.21.2 set bss

Assigns a BSS index ID to a WLAN. The WLAN must already be part of the Access Port Policy that owns this
Map.
Note This command applies only to: 4BSS-to-16ESS (AP200b, AP300, AP4121)
Syntax
set bss <bss_index> <wlan_name>
Parameters
bssid The BSS index ID that is being assigned to the WLAN. Possible values are:
1 - 4.
wlan_name The name of the WLAN to take on the BSS index assignment.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-16ESS]> set bss 1 WLAN_NE

Status: Success.
--------- --- ------- -----
WLAN_NE 1 * 5.00%
8.21.3 set bw
Sets the guaranteed bandwidth that’s assigned to a WLAN. The total bandwidth for all WLANs within a Map
must equal 100. This command applies only to: 1BSS-to-16ESS (AP200a), 4BSS-to-16ESS (AP200b, AP300,
AP4121)
Syntax
set bw <bandwidth> <wlan_name>
Parameters
bandwidth The percentage of bandwidth assigned to the WLAN. Valid percentages are in the range
from 5 to 100.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-16ESS]> set bw 20 WLAN_NE

Status: Success.
--------- --- ------- -----
WLAN_NE 1 * 20.00%
8.21.4 set primaryWLAN

Sets the Primary WLAN for this map.
Note This command applies only to: 1BSS-to-16ESS (AP200a), 4BSS-to-16ESS

(AP200b, AP300, AP4121).
Syntax
set primaryWLAN <wlan_name>
Parameters
Example
WS5000.(Cfg).APPolicy.[QIAPPolicy01].Map.[4BSS-16ESS]> set primarywlan QIWLAN01

Status: Success.
4BSS-16BSS mapping (used for AP200 11b radio, AP300, AP4121 and AP4131):
--------- --- ------- -----
QIWLAN01 1 * 100.00%
WS5000.(Cfg).APPolicy.[QIAPPolicy01].Map.[4BSS-16ESS]>
8.21.5 unselect
Unassigns a WLAN to the map.
Note This command applies only to: 4BSS-to-4ESS (AP100), 1BSS-to-1ESS (AP302x)
Syntax
select <wlan_name>
Parameters
wlan_name The name of the WLAN to be unassigned from the BSSID assignment.
Example
WS5000.(Cfg).APPolicy.[NY_APpolicy].Map.[4BSS-4ESS]> unselect WLAN_NE
Success.

--------- -------- -----
WLAN_NE %
8.21.6 show
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).APPolicy.[NY_APPolicy].Map.[4BSS-4ESS]> show

--------- -------- -----
WLAN_NE * 5.00%
WS5000.(Cfg).APPolicy.[NY_APPolicy].Map.[4BSS-4ESS]>
8.22 Classifier Context (CE)

A Classifier is a predicate that tests various aspects of a network packet: Source and destination IP, transport
protocol, and so on. A packet will either “pass” or “fail” the predicate. The action that is taken when a packet
passes or fails a Classifier isn’t included in the Classifier definition—that is the job (primarily) of a
See the Network Policy (NP) Context for an overview of the objects that are involved in the packet filtering
mechanism. This mechanism also involves Classification Group (CG) Context and Classification Group (CG)
Context.
Table 8.27 Classifier Context Command Summary
add Add a new Classifier. page 8-155
ce Select a Classifier to configure. page 8-156
remove Remove a Classifier. page 8-156
show Display available classification groups. page 8-157
8.22.1 add
Classifier Context (CE)
Creates and names a Classifier instance, and changes the prompt to the instance’s context.
Syntax
add <ce_name>
Parameters
ce_name Name given to the new Classifier.
Example
WS5000.(Cfg).CE> add TestClassifier
Adding Classifier...
Status: Success.

1. Ex HTTP Traffic.
3. RTP_Data.
9. VoIP_RAS_In.
10. VoIP_RAS_Out.
11. Spectralink_Multicast.
12. TestClassifier.
Classifier Name : TestClassifier

CE Description :
# of Matching Criteria assigned : 0
WS5000.(Cfg).CE.[TestClassifier]> ..
8.22.2 ce
Changes the prompt to the context for the named Classifier instance.
Syntax
ce <ce_name>
Parameters
ce_name Selects the Classifier by name.
Example
WS5000.(Cfg).CE> ce 1
Classifier Name : Ex HTTP Traffic

CE Description :
Matching Criteria details for 'Destination Port' : (MC Offset: 10)

1. 80.
Matching Criteria details for 'EtherType' : (MC Offset: 2)

1. 800.
Matching Criteria details for 'Protocol' : (MC Offset: 5)

1. 6 : TCP Transmission Control [RFC793].
WS5000.(Cfg).CE.[Ex HTTP Traffic]>
8.22.3 remove
Use remove to remove a classifier.
Syntax
remove <name>
Parameters
name The name of the Classifier that is to be removed.
Example
WS5000.(Cfg).CE> remove TestClassifier
Removing Classifier...
Status: Success.

1. Ex HTTP Traffic.
3. RTP_Data.
9. VoIP_RAS_In.
10. VoIP_RAS_Out.
WS5000.(Cfg).CE>
8.22.4 show
WS5000.(Cfg).CE> show
Shows Classifier details.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).CE> show

1. Ex HTTP Traffic.
3. RTP_Data.
9. VoIP_RAS_In.
10. VoIP_RAS_Out.
WS5000.(Cfg).CE>
8.23 Classifier Instance

A Classifier instance contains a collection of “matching criteria” (MC). Each MC consists of a network packet
attribute and the value to which the attribute is compared. As packets arrive from or are sent to the wireless
network, they’re evaluated by the Classifier. If the packet attribute matches the value, then the packet
“passes” the MC; if the attribute doesn’t match, the packet “fails.” The action that’s taken when a packet
passes or fails a Classifier isn’t defined by the Classifier itself—it’s defined by the higher-level Classification
Group object.
A Classifier’s collection of MCs are evaluated and conjoined consecutively, in the order they were added. If
successive criteria identify the same packet attribute, the criteria are OR’d, otherwise they’re AND’d. You don't
have any control over the grouping of the criteria other than savvy ordering. In general, you should stick to
simple Classifier MCs and build more complicated tests by combining Classifiers in a Classification Group.
IMPORTANT! THE MATCHING CRITERIA ARE EVALUATED USING A CASE-

! SENSITIVE STRING COMPARISON.
Table 8.28 Classifier Instance Context Command Summary
addMC Add a new matching criteria. page 8-158
name Change the name of the Classifier. page 8-160
description Configure a brief description for the Classifier. page 8-160
removeMC Remove a matching criteria. page 8-161
setMC Configure matching criteria variables. page 8-161
show Show details about the Classifier. page 8-162
8.23.1 addMC
Classifier Instance
Adds a new matching criterion to the Classifier.
Syntax
addMC <parameters>
Parameters
MACsource <MAC_address> The MAC address of the device that sent the packet. The value is a MAC
address in the usual form.
MACdestination <dest_MAC_address> The MAC address of the device to which the packet is being sent. The
value is a MAC address in the usual form.
ethertype <RFC1700 Ethernet type values> Ethernet type values, as defined by RFC 1700. Values are hex numbers in
the range [0 - FFFF].
vlanid <IDnumber> The ID of the VLAN to/from which the packet is being sent/has been
received. The value is a number.
userpriority <priority_value> Relative priority value. The value is a number in the range [0 - 7].
protocol <protocol_value> Ethernet protocol. The value is a (decimal) number in the range [0 - 254].
tos <tos_value> Type of Service identifier. The value is a number in the range [0 - 63].
IPsource <IPaddress> <subnet_mask> The IP address and subnet mask of the device from which the packet
emerged. The subnet mask is passed as a second argument
(subnet_mask). Both arguments are dot-separated IP addresses.
IPdestination <IPaddress> <subnet_mask> The IP address and subnet mask of the device to which the packet is
being sent. The subnet mask is passed as a second argument
(subnet_mask). Both arguments are dot-separated IP addresses.
sourceport <port#> [end_port#] The Ethernet port number, on the originating device, through which the
packet was sent. Optionally, a specific port can be declared (as a decimal
number), or a range of ports by supplying a second port number as the
end_port argument. Valid port numbers are in the range [0, 65535].
destinationport <port#> [end_port#] The Ethernet port number, on the recipient device, to which the packet is
being sent. Optionally, a specific port can be declared (as a decimal
number), or a range of ports by supplying a second port number as the
end_port argument. Valid port numbers are in the range [0, 65535].
MCMask <MAC_address> Multicast mask. The value is a MAC address that’s used to mask the
range of recipients of a broadcast packet.
Example
WS5000.(Cfg).CE.[HTTP_ce]> addmc IPsource 172.39.80.2 255.255.255.0
Adding Matching Criteria for the CE...

Status: Success.
Classifier Name : HTTP_ce
CE Description :
Matching Criteria details for 'Destination IP' : (MC Offset: 8)
Matching Criteria details for 'Source Port' : (MC Offset: 9)

1. 7001.
2. 7001-7010.
Matching Criteria details for 'Source IP' : (MC Offset: 7)

1. 172.39.80.2 IP Mask: 255.255.255.0
WS5000.(Cfg).CE.[HTTP_ce]>
8.23.2 name
Classifier Instance
This CLI is used to change the name of the classifier.
Syntax
name <name>
Parameters
name The new name placeholder
Example
WS5000.(Cfg).CE.[NewTraffic]> name "Ex HTTP Traffic"
Configuring name...
Status : Success.
WS5000.(Cfg).CE.[Ex HTTP Traffic]>
8.23.3 description
This CLI is used to set the description for the policy or item selected in the context.
Syntax
Parameters
description_text The content of the description can be entered in this placeholder.
Example
WS5000.(Cfg).CE.[Ex Telnet Traffic]> description "This classifier is related to
Telnet Traffic"
Status : Success.
Classifier Name : Ex Telnet Traffic

CE Description : This classifier is related to Telnet
Traffic
Matching Criteria details for 'Destination Port' : (MC Offset: 10)

1. 23.
Matching Criteria details for 'EtherType' : (MC Offset: 2)

1. 800.
Matching Criteria details for 'Protocol' : (MC Offset: 5)

1. 6 : TCP Transmission Control [RFC793].
WS5000.(Cfg).CE.[Ex Telnet Traffic]>

8.23.4 removeMC
Classifier Instance
Removes the matching criterion for the named criteria.
Syntax
removeMC <parameters>
Parameters
See parameters described in addMC command on page 8-158.
Example
WS5000.(Cfg).CE.[HTTP_ce]> removemc IPsource
Removing Matching Criteria...

Status: Success.

CE Description :

1. 7001.
2. 7001-7010.
8.23.5 setMC
Classifier Instance
Sets the value of an existing matching criterion.
Syntax
setMC <paremeters>
Parameters
See parameters described in addMC command on page 8-158.
Example
WS5000.(Cfg).CE.[HTTP_ce]> setmc sourceport 7001 7010
Configuring CE Matching Criteria...

Status: Success.

CE Description :

1. 7001.
2. 7001-7010.
8.23.6 show
Classifier Instance
Shows details for this Classifier instance.
Syntax
show
show mc
Parameters
None.
Example
WS5000.(Cfg).CE.[Name]> show

CE Description :

1. 7001.
2. 7001-7010.

1. 172.39.80.2 IP Mask: 255.255.255.0
8.24 Classification Group (CG) Context

A Classification Group (CG) is a collection of classifiers that evaluate network packets as they are sent to or
received from wireless devices (in Layer 2/layer 3 filters) and wired devices in firewall filters. The CG collects
classifiers and specifies what the classifier should do after it evaluates a packet.
It declares whether a packet that passes the classifier evaluation is accepted (allowed to proceed along the
network) or denied (thrown away). See the Network Policy (NP) Context for an overview of the objects that are
involved in the packet filtering mechanism. Also, see Classifier Context (CE) and Policy Object (PO) Context
for more details.
Table 8.29 Classification Group Context Command Summary
add Creates and names a new Classification Group instance. page 8-163
cg Changes the prompt to the context to a specified Classification Group page 8-164
instance.
remove Removes a Classification Group instance. page 8-164
show commands Display available classification groups. page 8-165
8.24.1 add
Classification Group (CG) Context
Creates and names a new Classification Group instance, and changes the prompt to the instance’s context.
Syntax
add <cg_name>
Parameters
cg_name The name to be given to the new Classification Group.
Example
WS5000.(Cfg).CG> add voip_in_cg
Adding Classification Groups...

Status: Success.

4. voip_in_cg.

Classification Group Name : voip_in_cg
CG Description :
No of classifiers for this CG : 0
WS5000.(Cfg).CG.[voip_in_cg]>
8.24.2 cg
Changes the prompt to the context for a Classification Group instance.
Syntax
cg <cg_name>
Parameters
cg_name The selected Classification Group.
Example
WS5000.(Cfg).CG> cg voip_in_cg
CG Description :
Classifiers & Action details:

1. RTP_Data --> Allow
8.24.3 remove
Removes a Classification Group instance.
Syntax
remove <cg_name>
Parameters
cg_name The name of the Classification Group to be removed.
Example
WS5000.(Cfg).CG> remove "New Classification Group"
Removing Classification Group...

Status: Success.

3. voip_in_cg.
WS5000.(Cfg).CG>
8.24.4 show
Display information about a system component or named context instance.
Syntax
show
show ce
Parameters
None.
Example
WS5000.(Cfg).CG> show

3. new_CG.
WS5000.(Cfg).CG>
8.25 Classification Group Instance

When you drop into a Classification Group instance, the CG’s set of Classifiers and associated actions are
displayed.
Table 8.30 Classification Group Instance Context Command Summary
description Add a text string to describe the Classification Group in more detail. page 8-166
name Rename a classification Group Instance. page 8-167
set Set configuration parameters regarding the specific Classification Group page 8-167
Instance. Parameters such as name, adding and removing classifiers, and
setting actions
show Display available classification groups. page 8-168
8.25.1 description
Classification Group Instance
Configures a brief description for the Classification Group instance.
Syntax
Parameters
description_text Brief description of the Classification Group instance.
Example
WS5000.(Cfg).CG.[anotherName]> description "This is a VOIP Group"
Status : Success.

Classification Group Name : anotherName
CG Description : This is a VOIP Group
WS5000.(Cfg).CG.[anotherName]>
8.25.2 name
Rename a Classification Group Instance.
Syntax
name <new_name>
Parameters
new_name New Name that the current Classification Group will be renamed.
Example
WS5000.(Cfg).CG.[new_CG]> name anotherName
Configuring name...
Status : Success.
WS5000.(Cfg).CG.[anotherName]>
8.25.3 set
Performs an operation on the Classification Group instance.
Syntax
Parameters
attribute Description
name <cg_name> Sets the name of the Classification Group. Same as name command.
addCE <ce_name> Adds the named Classifier instance to the CG.
removeCE <ce_name> Removes the named Classifier instance from the CG.
action Associates an action with a Classifier (ce_name) that has been added to the CG.
Possible values are:
• allow <ce_name> – If this is set, packets that pass the Classifier are allowed to
continue and they’re marked as being part of this Classification Group instance (this
will be important when we bump up a level to Input and Output Policies). Packets that
don’t pass the evaluation are not immediately thrown away—they’re allowed or
denied according to the default action defined in the Input or Output Policy that uses
this CG.
• deny <ce_name> – Packets that pass the Classifier are thrown away. Packets that
don’t pass are allowed to continue (again, with no CG marking).
Example
WS5000.(Cfg).CG.[voip_in_cg]> set name VoIP_in_CG
WS5000.(Cfg).CG.[VoIP_in_CG]>
WS5000.(Cfg).CG.[voip_in_cg]> show ce

1. Ex HTTP Traffic.
3. RTP_Data.
9. VoIP_RAS_In.
10. VoIP_RAS_Out.
WS5000.(Cfg).CG.[voip_in_cg]> set addce Spectra_Link_Phone

Configuring Classification Group... done.
CG Description :

2. Spectra_Link_Phone --> Allow
WS5000.(Cfg).CG.[voip_in_cg]> set removece Spectra_Link_Phone

CG Description :

WS5000.(Cfg).CG.[voip_in_cg]> set action deny Spectra_Link_Phone

CG Description :

2. Spectra_Link_Phone --> Deny
8.25.4 show
Display information about this Classification Group instance.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).CG.[CG_name]> show
Classification Group Name : anotherName
CG Description : This is a VOIP Group
WS5000.(Cfg).CG.[CG_name]>
8.26 Chassis Context

Display and manage CPU and system temperature.
Table 8.31 Chassis Context Command Summary
set notify Tells the switch to send a notification if the temperature of the CPU or of the page 8-170
system, in general, rises above a given threshold.
8.26.1 set notify

Chassis Context
Tells the switch to send a notification if the temperature of the CPU or of the system rises above a given
threshold. Notifications are sent to the local system log, the Syslog, and cause an SNMP trap to be thrown.
IMPORTANT! THE SYSTEM AUTOMATICALLY SHUTS DOWN IF THE CPU OR

! SYSTEM TEMPERATURE RISES ABOVE 105 DEGREES.
Syntax
set notify <cpu-temperature | system-temperature> <threshold>
Parameters
threshold The temperature threshold is expressed in degrees centigrade and must fall in the range
[0, 105]. The notification is only sent when the temperature rises from below to above
the threshold temperature—it isn’t sent when the temperature drops from above to
below the threshold.
Example
WS5000.(Cfg).Chassis> set notify system-temperature 30
Configuring notify temperature...

Status: Success.

----------- ---------- --------- --------- ------------
CPU Fan (rpm) 23275 675000 5000 None
System Fan 4 15340 15340 15000 None
WS5000.(Cfg).Chassis> set notify cpu-temperature 40
Configuring notify temperature...

Status: Success.

----------- ---------- --------- --------- ------------
CPU Fan (rpm) 24107 675000 5000 None
System Fan 4 15340 15340 15000 None
WS5000.(Cfg).Chassis>
8.26.2 show
Chassis Context
Display a table of temperature and fan speed statistics.
Under normal circumstances, both the system and the CPU should hover around 36 degrees. The Max Value
and Min Value readings are the maximum and minimum temperatures since the switch was last booted.
Currently, you cannot install a notification for fan speed.
Syntax
WS5000.(Cfg).Chassis> show
Parameters
None.
Example
WS5000.(Cfg).Chassis> show

----------- ---------- --------- --------- ------------
System Fan (rpm) OFF - - None
CPU Fan (rpm) 21093 675000 9782 None
System Fan 4 15340 15340 15000 None
8.27 Ethernet Port Context

There are two Ethernet ports on WS5000 Series switches.
• Port 1 connects (by convention) to the wired LAN.
• Port 2 connects to the wireless LAN.
Table 8.32 Ethernet Port Context Command Summary
port Changes the context to an Ethernet port instance. page 8-172
8.27.1 port
Ethernet Port Context
Changes the context to an Ethernet port instance.
Syntax
port <port_number>
Parameters
port_number The index of the Ethernet port. Either 1 or 2.
Example
WS5000.(Cfg).Ethernet> port 1
Name : Ethernet 1
Network Interface Card # : 1
Description : Ethernet Adapter
MAC Address : 00:A0:F8:65:94:B8
Status : Enable
Online : Yes
Configured Mode : auto
Negotiated Mode - Duplex : Full
Negotiated Mode - Speed : 100
DHCP status : Disable
IP Address : 10.1.1.101
Network Mask : 255.255.255.0

Domain Name : domain1
Port type (trunk/non-trunk) : Non-Trunk
Up-Time : 12d:03h:54m
Transmit packets : 4260726
Received packets : 4959514
Gateway : 111.222.111.254
DNS servers :
1. 111.222.111.100.
WS5000.(Cfg).Ethernet.[1]>
8.27.2 show
Ethernet Port Context
Display Ethernet port details.
Syntax
show
show interfaces
Parameters
(none) Display a list of Ethernet port instances.
interfaces Shows adopted Access Port info and lists the switch’s Ethernet ports
Example
WS5000.(Cfg).Ethernet> show

Ethernet 1
Ethernet 2
WS5000.(Cfg).Ethernet>
8.28 Ethernet Port Instance

There are two Ethernet Port instances, one for each of the WS5000’s NICs. The instances are identified by
number: 1 or 2. By convention, the WLAN is connected to the switch through NIC 1, and NIC 2 connects the
switch to the wired network.
Table 8.33 Ethernet Port Instance Context Command Summary
ping Sends ICMP ECHO_REQUEST packets to a network host. page 8-9
description Set description text about the Ethernet port instance. page 8-15
ipAddress Configure an IP address for the Ethernet port. page 8-174
set Configure the Ethernet port. page 8-175
show Display details about the Ethernet Port instance. page 8-177
8.28.1 ipAddress
Ethernet Port Instance
Assigns an IP address to this Ethernet port instance.
Syntax
ipAddress <IP_address> <net_mask>
ipaddress dhcp <enable_flag>
Parameters
IP_address The IP address assigned to the Ethernet port if DHCP is disabled. Otherwise, use the
“ipaddress dhcp” command.
net_mask The network mask assigned to the Ethernet port if DHCP is disabled. Otherwise, use the
“ipaddress dhcp” command.
enable_flag When the ipaddress dhcp command is used, this flag indicates that the Ehernet port’s IP
address should be assigned by DHCP. Possible value is “enable” only, because
otherwise DHCP is disabled by default.
Example
WS5000.(Cfg).Ethernet.[1]> ipaddress 111.222.111.33 255.255.255.0
Configuring IP address of Ethernet 1...

Status: Success.
Name : Ethernet 1
Status : Enable
Online : Yes
IP Address : 10.1.1.101
Network Mask : 255.255.255.0
Port type (trunk/non-trunk) : Non-Trunk
Gateway : 111.222.111.254
DNS servers :
1. 111.222.111.100.
WS5000.(Cfg).Ethernet.[1]> ipaddress dhcp enable

Configuring IP address of Ethernet 1...
Status: Failed.
ERROR: Cannot set parameter. DHCP can only be enabled on single interface at a
time.
8.28.2 set
Sets an attribute of this Ethernet port instance.
Syntax
set <attribute> [<value>]
Parameters
cfgMode Sets the Ethernet port mode. Possible values are:

• Auto
• 10_Half
• 10_Ful
• 100_Half
• 100_Full
dhcp Enables/disables the DHCP client for this port. Possible values are:
• enable
• disable
gateway Sets the IP address of the gateway. Enter the IP address as a value.
nonTrunk Sets the port to be non-trunked.
trunk <primary_vLanID> Sets the port to be a trunked.
vLanId Sets the primary VLAN ID. The port automatically becomes trunked.
clearVlanTags Clears the VLAN tag register.
Example
WS5000.(Cfg).Ethernet.[1]> set
port_parameter is a required parameter.
Syntax: set <port_parameter> <value>
Valid commands:
set dhcp
set domain
set vlanid
set gateway
set dns
set trunk
set nontrunk
set clearvlantags
set cfgmode
WS5000.(Cfg).Ethernet.[1]> set vlanid 5

Configuring Ethernet port...
Status: Success.
Name : Ethernet 1
Status : Enable
Online : Yes
IP Address : 10.1.1.101
Network Mask : 255.255.255.0
Port type (trunk/non-trunk) : Trunk Port
Primary VLAN id : 5
Gateway : 111.222.111.254
DNS servers :
1. 111.222.111.100.
8.28.3 show
Display Ethernet Port instance information.
Syntax
show
show interfaces
Parameters
(none) Display a list of Ethernet port instances.
interfaces Shows adopted Access Port info and lists the switch’s Ethernet ports
Example
WS5000.(Cfg).Ethernet.[1]> show
Name : Ethernet 1
Status : Enable
Online : Yes
IP Address : 10.1.1.101
Network Mask : 255.255.255.0
Port type (trunk/non-trunk) : Trunk Port
Primary VLAN id : 5
Gateway : 111.222.111.254
DNS servers :
1. 111.222.111.100.
WS5000.(Cfg).Ethernet.[1]> show interfaces


------------ --------- ---------- ---- ------

Ethernet 1
Ethernet 2
8.29 Ethernet Policy (EtherPolicy) Context

Ethernet policies are used by the WS5000 Series switch to configure a VLAN ID to an Ethernet port.
Table 8.34 Ethernet Policy Context Command Summary
add Add a new Ether Policy to the system. page 8-178
policy Select an Ethenet policy to configure. page 8-179
remove Remove an Ethernet policy. page 8-179
show Display available classifier instance details. page 8-179
8.29.1 add
Ethernet Policy (EtherPolicy) Context
Creates and names an Ethernet Policy instance, and changes the prompt to the new instance’s context.
Syntax
add <name>
Parameters
name The name that’s given to the new Ethernet policy.
Example
WS5000.(Cfg).EtherPolicy> add LabEtherPolicy
Adding Ether Policy...

Status : Success.

2. eth1.
3. LabEtherPolicy.
Ether Policy Name : LabEtherPolicy

Description :
Rest of Network on : Ethernet 2
VLANs mapped are:
LAN2 --> Ethernet: 2
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]>
8.29.2 policy
Changes the prompt to the context of the named Ethernet policy instance.
Syntax
policy <name>
Parameters
name Selects the Ethernet policy.
Example
WS5000.(Cfg).EtherPolicy> policy LabEtherPolicy
Description :
VLANs mapped are:
8.29.3 remove
Removes an Ethernet Policy instance.
Syntax
remove <name>
Parameters
name The name of the Ethernet Policy that’s to be removed.
Example
WS5000.(Cfg).EtherPolicy> remove "New Ethernet Port Policy"
Removing EtherPolicy...
Status : Success.

2. eth1.
8.29.4 show
Display Ethernet Policy information.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).EtherPolicy> show

3. eth1.
8.30 Ethernet Policy Instance

An Ethernet policy instance configures the two Ethernet ports to support the LAN and the WLAN, and creates
and maps VLANs to the two ports.
Table 8.35 Ethernet Policy Instance Context Command Summary
add Create and adds a VLAN to this ethernet policy instance. page 8-181
add tunnel Create and add an existing GRE Tunnel to this ethernet policy instance. page 8-182
description Set the description text. page 8-15
emergencymode Enable or disable emergency mode. page 8-8
remove Remove a VLAN from this ethernet policy instance. page 8-182
remove tunnel Remove the GRE tunnel from this ethernet policy instance. page 8-183
set Configure attributes of the ethernet policy instance. page 8-183
show Display details about the ethernet policy instance. page 8-184
tunnel Select a tunnel to configure. page 8-185
vlan Select a VLAN to configure. page 8-185
8.30.1 add
Ethernet Policy Instance
Creates and adds a VLAN to this Ethernet Policy instance.
Syntax
add <vlan_ID> <NIC>
Parameters
vlan_ID The number that’s assigned to this VLAN. Valid VLAN ID numbers are in the range [1-4095].
NIC The NIC that will support this VLAN.
Example
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> add 200 1
Adding VLAN...
Status : Success.

Description :
VLANs mapped are:
VLAN 200 --> Ethernet: 1

-- --------- -------- ---------- ---------------
VLAN 200 Ethernet 1 0 0 LabEtherPolicy
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy].Vlan.[200]>
8.30.2 add tunnel

Creates/ adds a GRE Tunnel to this ethernet policy instance.
Syntax
addtunnel <tunnel_name>
Parameters
tunnel_name Place holders for one of the existing GRE tunnels.
Example
WS5000.(Cfg).EtherPolicy.[tunnelEP]> addtunnel tunnel4
Adding Tunnel...
Status : Success.
Ether Policy Name : tunnelEP

Description :
VLANs mapped are:
TUNNEL 1 --> Ethernet: 2
Tunnel Interface Priority # of WLANs Ethernet Policy

------- --------- -------- ---------- ---------------
tunnel4 Ethernet 2 0 0 tunnelEP
WS5000.(Cfg).EtherPolicy.[tunnelEP].Tunnel.[tunnel4]>
8.30.3 remove
Removes a VLAN from this Ethernet Policy instance.
Syntax
remove <vlan_id>
Parameters
vlan_id The ID number of the VLAN that’s to be removed. For a list of VLAN IDs, invoke
show vlan.
Example
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> remove LAN2
Description :
VLANs mapped are:
8.30.4 remove tunnel

Removes the Tunnel from the EtherPolicy.
Syntax
removetunnel <tunnel_name>
Parameters
tunnel_name Place holders for one of the existing GRE tunnels that you want to remove from the etherpolicy.
Example
WS5000.(Cfg).EtherPolicy.[tunnelEP]> removetunnel tunnel4
Removing Tunnel...
Status : Success.
Ether Policy Name : tunnelEP

Description :
VLANs mapped are:
WS5000.(Cfg).EtherPolicy.[tunnelEP]>
8.30.5 set
Configure attributes of the Ethernet Policy instance.
Syntax
Parameters
ronnic <Ethernet_Port#> Sets the “rest of the network” NIC. This is the NIC that connects the switch to the wired
network. Possible values are:
• 1 – Ethernet port 1
• 2 – Ethernet port 2
description <text_string> Adds a description string to the Ethernet Policy instance.
Example
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> show
Description :
VLANs mapped are:
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> set ronnic 1

Description :
VLANs mapped are:
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> description “Created 3-8-05”

Description : Created 3-8-05
VLANs mapped are:
8.30.6 show
Display Ethernet Policy details.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> show
Description :
VLANs mapped are:
8.30.7 tunnel
Use this to configure a tunnel.
Syntax
tunnel <tunnel_name>
Parameters
tunnel_name Place holders for one of the existing GRE tunnels that you want to configure.
Example
WS5000.(Cfg).EtherPolicy.[tunnelEP]> tunnel tunnel3
Tunnel Interface Priority # of WLANs Ethernet Policy

------- --------- -------- ---------- ---------------
tunnel3 Ethernet 2 0 0 tunnelEP
WS5000.(Cfg).EtherPolicy.[tunnelEP].Tunnel.[tunnel3]>
8.30.8 vlan
Changes the prompt to the context of the VLAN identified by VLAN ID.
Syntax
vlan <vlan_ID>
Parameters
vlan_ID The ID of the VLAN. For a list of VLAN IDs, invoke show vlan.
Example
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy]> vlan 200
Adding VLAN...
Status : Success.

Description :
VLANs mapped are:
VLAN 200 --> Ethernet: 1

-- --------- -------- ---------- ---------------
VLAN 200 Ethernet 1 0 0 LabEtherPolicy
WS5000.(Cfg).EtherPolicy.[LabEtherPolicy].Vlan.[200]>
8.31 Event Context

The Event context provides a place to configure notifications and severities of system events.
Table 8.36 Event Context Command Summary
set Configuration option to configure notifications and severities for page 8-186
events sent to the Syslog.
syslog Changes the prompt to the Syslog context. page 8-187
show Display available system events, and notification settings for various page 8-187
system logs.
8.31.1 set
Event Context
Provides event notification and event severity configurations for events sent to the Syslog.
Syntax
set <event> <target> <<enable | severity> | disable>
set all <localLog | snmpTrap | syslog> <<enable | severity> | disable>
set all default
Parameters
event Describes the event that you’re interested in. Either all or a number in the range [1,
69]. Use the show command for a list of available events.
target The recipient of the events. One of localLog, snmpTrap, syslog, or all.
enable, disable Enables and disables recording of the event. If your target is syslog, then you can
pass a severity value rather than simply enable’ing the event.
severity Events that are sent to the Syslog are tagged with a severity, one of emerg(ency),
alert, crit(ical), err(or), info, notice, and warning. If you enable an event
without a severity, it assumes a default severity setting.
all <localLog | snmpTrap | The first set all form of the command lets you send or repress all events to/from the
syslog> specified target.
all default This form of the command resets all events to their factory defaults.
8.31.2 syslog
Event Context
Changes the prompt to the Syslog Context. See page 8-189 for more details.
8.31.3 show
Event Context
Display available system events, and notification settings in terms of the following logging:
• Local log – Events are recorded in a local log file. You can dump the log file to the screen through show
sysAlerts in the System or Configuration context.
• SNMP Traps – You can ask to have an SNMP trap thrown when a specific event occurs.
• Syslog – The Syslog is a remote event-recording server. You have to set up the server yourself and
identify the server’s host.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg)> show

--- ------ --------- --------- ---------------

53 Auto channel select error Enabled Enabled Disabled
79 RF Stats threshold crossed by a Portal Enabled Disabled Disabled
WS5000.(Cfg).Event>
8.32 Syslog Context

The Syslog context is a subcontext of Event. The commands in the Syslog context let you configure and control
the remote and local event logging system. The remote service sends system logging information to a remote
host, which must have a message logging daemon running. The remote host is set through the add command.
To tailor the types of messages that the syslog will be sent, use the set command. The local file is saved under
/WS5000 Switch/Userlogs/admin (if admin is the user).
All syslog messages are in RFC 3164 message format.
Table 8.37 Syslog Context Command Summary
add Add a new host to the system. page 8-189
local Enables you to debug logs stored locally page 8-190
logsubsys Selects the subsystem to be sent to the remote syslog server page 8-191
purgelocal Purge the local syslog contents from memory page 8-192
remlocal Deletes the specified local syslog file page 8-193
remove Remove the syslog host page 8-193
save local Save local syslog in a file page 8-194
set Set syslog host severity level. page 8-194
show Display available classifier instance details page 8-196
start Start syslog service. page 8-196
stop Stop syslog service. page 8-197
8.32.1 add
Syslog Context
Add a new host to the system.
Syntax
add <host_name> <IP_address> [domain]
Parameters
host_name Gives a (local) name to the host.
IP_address IP address of the remote host.
domain Optional domain name of the remote host.
Example
WS5000.(Cfg).Event.Syslog> add SFhost 111.222.111.32 domain1
Adding Host...
Status: Success.

--------- ---------- ------
SFhost 111.222.111.32 domain1
WS5000.(Cfg).Event.Syslog>
8.32.2 local
Syslog Context
Stores the debug logs locally and maintains a ring buffer of debug logs.
To save the logs to a file use the command:
save local <filename>
To view the logs use the command:
view local <filename>
To delete the logs to a file use the command:
remlocal <filename>
Syntax
local <enable | disable>
Parameters
enable/disable Enable/disable the local syslog.
Example
WS5000.(Cfg).Event.Syslog> local enable
Local Syslog enabled
8.32.3 logdir
Syslog Context
This command displays the contents of all directories (one directory each for each user) under /WS5000
Switch/Userlogs/ <the local log log file saved with a .syslog extension>
Syntax
logdir
logdir <username>
Parameters
username A user of the switch as configured in cfg>user context.
Example
WS5000.(Cfg).Event.Syslog> logdir
========================================================
SymbolLocal.syslog 34 Thu Feb 23 03:14:13 2006
8.32.4 logsubsys
Syslog Context
Selects the subsystem logs (used for debugging) to be sent to the remote syslog server. These logs are different
from Event logs.
Syntax
logsubsys [<subsys>] enable | disable
The following subsys are available for logsusbys:
logsubsys general
logsubsys threads
logsubsys packets
logsubsys corba
logsubsys sharedmem
logsubsys rfimage
logsubsys rfport
logsubsys mu
logsubsys ess
logsubsys xmlcfg
logsubsys policy
logsubsys vlan
logsubsys ether
logsubsys QoS
logsubsys stats
logsubsys database
logsubsys snmp
logsubsys security
logsubsys DebugEvents
logsubsys driver
Parameters
subsys Use any of the above mentioned subsys.
enable/disable enable or disable the selected subsys.
Example
WS5000.(Cfg).Event.Syslog> logsubsys driver enable
Success!! Subsystems Enabled: driver
Subsystems saved: driver enable
8.32.5 ping
Syslog Context
Ping is used to send ICMP ECHO_REQUEST packets to network hosts.
Syntax
Options:
ping [-Rdfnqrv] [-c count] [-i wait] [-l preload]
[-p pattern] [-s packetsize] host
Parameters
host Name of the host you want to ping to.
ip_address IP address of the host you want to ping to.
Example
WS5000.(Cfg)> ping 157.235.208.70
PING 157.235.208.70 (157.235.208.70) from 157.235.208.137 : 56(84) bytes of dat.
--- 157.235.208.70 ping statistics ---

WS5000.(Cfg)> ping
8.32.6 purgelocal
Syslog Context
This command is used to clears the local syslog memory.
Syntax
purgelocal
Parameters
None
Example
WS5000.(Cfg).Event.Syslog> purgelocal
Clearing local syslog memory...done.
8.32.7 remlocal
Syslog Context
This command is used to delete the specified local syslog file. Use 'logdir' to view list of previously saved local
syslog files.
Syntax
remlocal <file_name>
Parameters
file_name The log file that you want to delete.
Example
WS5000.(Cfg).Event.Syslog> remlocal SymbolLocal
Removing local syslog file SymbolLocal.... done.
8.32.8 remove
Syslog Context
Remove a syslog host.
Syntax
remove <name>
Parameters
name The name of the syslog host, as assigned in the add command.
Example
WS5000.(Cfg).Host> show

--------- ---------- ------
WS5000.(Cfg).Host>
8.32.9 save local

Syslog Context
This is used to save local syslog in specified file.
Syntax
save local <file_name>
Parameters
file_name the naame of the local log file without the .syslog extension.
Example
WS5000.(Cfg).Event.Syslog> save local SymbolLocal
Saving local syslog...done
8.32.10 set
Syslog Context
Set the types of messages that are sent to the syslog.
Syntax
set <host> <severity> <send_flag>
Parameters
host The name of the syslog host.
severity Specifies a type of message tracked to be sent to the syslog. Possible values are:
• emerg – emergency messages
• alert
• crit – critical messages
• err – error messages
• info – information only messages
• notice
• warning
• all – all messages of all types
send_flag Indicates whether messages are sent to the syslog or not. Possible values are:
• enable – messages of the specified type are sent to the syslog
• disable – messages are not sent to the syslog
Example
WS5000.(Cfg).Event.Syslog> set
Enter the host_name
set:
Set syslog host severity level values.
Syntax: set <host_name> <severity_level> <enable/disable> [CR]
severity_level:
emerg Enable or disable Severity level Emergency.

alert Enable or disable Severity level Alert.
crit Enable or disable Severity level Critical.
err Enable or disable Severity level Error.
warning Enable or disable Severity level Warning.
notice Enable or disable Severity level Notice.
info Enable or disable Severity level Info.
debug Enable or disable Severity level Debug.
all Enable or disable all the Severity levels.
WS5000.(Cfg).Event.Syslog> set SFhost alert enable
Changing severity level...

Status: Success.
Syslog Status: Enable (Syslog Deamon is Running).

---- ----- ----- ---- --- ------- ------ ---- -----
SFhost x
WS5000.(Cfg).Event.Syslog> set SFhost warning enable

Status: Success.

---- ----- ----- ---- --- ------- ------ ---- -----
SFhost x x
WS5000.(Cfg).Event.Syslog> set SFhost crit enable

Status: Success.

---- ----- ----- ---- --- ------- ------ ---- -----
SFhost x x x
WS5000.(Cfg).Event.Syslog> set SFhost err enable

Status: Success.

---- ----- ----- ---- --- ------- ------ ---- -----
SFhost x x x x
8.32.11 show
Syslog Context
Display information about the syslog service.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).Event.Syslog> show

---- ----- ----- ---- --- ------- ------ ---- -----
SFhost x x x x
WS5000.(Cfg).Event.Syslog> set SFhost all disable
Success.

---- ----- ----- ---- --- ------- ------ ---- -----
No Syslog hosts are defined in the switch.
WS5000.(Cfg).Event.Syslog> show

---- ----- ----- ---- --- ------- ------ ---- -----
No Syslog hosts are defined in the switch.
8.32.12 start
Syslog Context
Starts the syslog service.
Syntax
syslog
Parameters
None.
Example
WS5000.(Cfg).Event.Syslog> start
Status: Success.

---- ----- ----- ---- --- ------- ------ ---- -----

SFhost x x x x x x x x
8.32.13 stop
Syslog Context
Stops the syslog service.
Syntax
stop
Parameters
None.
Example
WS5000.(Cfg).Event.Syslog> stop
Status: Success.
Syslog Status: Disable (Syslog Deamon is not running).

---- ----- ----- ---- --- ------- ------ ---- -----
SFhost x x x x x x x x
8.33 FTP Context

Table 8.38 FTP Context Command Summary
enable Enable FTP. page 8-198
disable Disable FTP. page 8-198
8.33.1 enable
FTP Context
Enables the FTP server.
Syntax
enable
Parameters
None.
Example
WS5000.(Cfg).FTP> enable
Enabling...
Status : Success.
FTP Status: Active.
WS5000.(Cfg).FTP>
8.33.2 disable
FTP Context
Disables the FTP server.
Syntax
disable
Parameters
None.
Example
WS5000.(Cfg).FTP> disable
Disabling...
Status : Success.
FTP Status: Disabled.
WS5000.(Cfg).FTP>
8.33.3 show
FTP Context
Display the state of the FTP server.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).FTP> show
FTP Status: Active.
WS5000.(Cfg).FTP>
8.34 FW (Firewall) Context

Firewall is used to configure a LAN for traffic filtering.You need to first enable the VPN support to enter the
firewall context. You need to first create a NP and then add it to an exisitng LAN in the firewall context.
Table 8.39 Firewall Context Command Summary
add Add a new LAN to the system. page 8-200
addnat Add a new NAT entry to a LAN. page 8-201
addnp Add a new NP entry to a LAN. page 8-202
addpf Add a new Pf to a LAN. page 8-203
lan Select a LAN to configure. page 8-204
remove Remove a LAN from the system. page 8-204
8.34.1 add
FW (Firewall) Context
This command is used to add a new LAN to the system.
Syntax
add <lan_name>
Parameters
lan_name Name of the LAN that you wish too add to the system.
Example
WS5000.(Cfg).Fw> add testLAN
Adding LAN...
Status: Success.
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
4. testLAN
LAN information:
LAN details...
Name : testLAN
Description :
ep :
np :
deny :
NAT list:
WS5000.(Cfg).Fw.[testLAN]>
8.34.2 addnat
This command is used to add a NAT (Network Address Translation) entry to a specific LAN/LAN+ VLAN
combination.
Syntax
addnat <"remoteRealIp,localNatIp"> <lan_name> [vlanid]
Parameters
remoteRealIp This is the real IP address of the remote end
localNatIp This is the IP address of the remote device as seen by the device accross the WS5000
switch.
lan_name The LAN in which this NAT entry should be added to. Could be one of LAN 1 or LAN 2 or
LAN_VPN.
vlanid An optional VLAN ID.
Example
WS5000.(Cfg).Fw> addnat "1.2.3.4,10.2.3.4" LAN1
Addng a NAT entry to a LAN...

Status: Success.
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
WS5000.(Cfg).Fw> 1
LAN information:
LAN details...
Name : LAN1
ep : 1
np :

deny :
NAT list:
1: 1.2.3.4,10.2.3.4
WS5000.(Cfg).Fw.[LAN1]>
8.34.3 addnp
This command is used to add a new NP (network policy) to the system.
Syntax
addnp <lan_name> <NP> enter remove to delete the existing NP.
Parameters
lan_name The LAN in which this network policy should be added to. Could be one of LAN 1 or LAN
2 or LAN_VPN.
NP The network policy name.
Example
WS5000.(Cfg)> np

3. Spectralink Network Policy.
WS5000.(Cfg).NP> add TestNP
Adding Network Policy...

Status: Success.

3. Spectralink Network Policy.
4. TestNP.

Network Policy Name : TestNP
Policy Description :
Outbound Policy Object name :
Inbound Policy Object name :
WS5000.(Cfg).NP.[TestNP]>
WS5000.(Cfg)> fw
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
WS5000.(Cfg).Fw> addnp LAN2 TestNP
Addng a NP (network policy) entry to a LAN...

Status: Success.
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
WS5000.(Cfg).Fw> lan 2
LAN information:
LAN details...
Name : LAN2
Description : Private LAN
ep : 2
np : TestNP
deny :
NAT list:
8.34.4 addpf
This command is used to add a PF (port filter) to the system.
Syntax
addpf <lan_name> <allow/deny> <web/telnet/ftp>
Parameters
lan_name The LAN in which this port filter should be added to. Could be one of LAN 1 or LAN 2 or
LAN_VPN.
allow/deny Allows or denies traffic to the specified port to the sytem .
web/telnet/ftp Port to be allowed or denied
Example
WS5000.(Cfg).Fw> addpf LAN1 allow telnet
Addng a PF (Port Filter) to a LAN...

Status: Success.
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
WS5000.(Cfg).Fw>
8.34.5 lan
Use this command to select a LAN to configure.
Syntax
lan <lan_name>
Parameters
lan_name LAN which is to be configured. Could be one of LAN 1 or LAN 2 or LAN_VPN.
Example
WS5000.(Cfg).Fw> lan LAN1
LAN information:
LAN details...
Name : LAN1
ep : 1
np :
deny :
NAT list:
1: 1.2.3.4,10.2.3.4
8.34.6 remove
This command is used to remove a LAN from the system.
Syntax
remove <lan_name>
Parameters
lan_name LAN which is to be removed.
Example
WS5000.(Cfg).Fw> remove testLAN
Removing LAN...
Status: Success.
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
4. lan
WS5000.(Cfg).Fw>
8.34.7 show
This command is used to display the ACL information, security policy detials, LAN details and other context
specific attributes.
Syntax
show acl
show securitypolicy
show
show lan
Parameters
acl Display ACL information
securitypolicy Display security policy details
lan Display LAN details
Example
WS5000.(Cfg).Fw> show acl
Available ACLs:
1. testACL.
WS5000.(Cfg).Fw>
WS5000.(Cfg).Fw> show securitypolicy

2. Default.
3. WEP40 Default.
4. WEP128 Default.
WS5000.(Cfg).Fw>
WS5000.(Cfg).Fw> show lan
LAN information:
Available LANs:
1. LAN1
2. LAN2
3. LAN_VPN
4. lan
WS5000.(Cfg).Fw>
8.35 FW Instance
Table 8.40 Firewall Instance Command Summary

set Configure the LAN. page 8-207
8.35.1 set
FW Instance
This command is used to configure LAN parameters.
Syntax
Parameters
description Set the LAN description text.
ep Set the ethernet port.
np Set the network policy.
addnat Add a NAT entry "remoteRealIp,localNatIp"
addrange Add range of NAT entries "remoteRealIp,localNatIp,num"
delnat Delete a NAT entry "remoteRealIp,localNatIp"
delrange Delete range of NAT entries "remoteRealIp,localNatIp,num”
allow Allow management traffic "http|https|telnet|ftp"
deny Deny management traffic "http|https|telnet|ftp"
Example
WS5000.(Cfg).Fw.[LAN1]> set np "Default Network Policy"
Configuring a LAN...
Status: Success.
LAN information:
LAN details...
Name : LAN1
ep : 1
np : Default Network Policy
deny :
NAT list:
1: 1.2.3.4,10.2.3.4
8.35.2 show
FW Instance
This command is used to display firewalls LAN information.
Syntax
show
Parameters
None
Example
WS5000.(Cfg).Fw.[LAN1]> show
LAN information:
LAN details...
Name : LAN1
ep :
np : Default Network Policy
deny :
NAT list:
1: 1.2.3.4,10.2.3.4
8.36 Host Context

The Host context collects the various hosts that are declared in other contexts.
Table 8.41 Host Context Command Summary
add Add a host to the system. page 8-209
host Configure attributes for a particular host. page 8-210
remove Remove a defined host on the system. page 8-210
show Display available host details. page 8-210
8.36.1 add
Host Context
Adds a new host to the system.
Syntax
add host <name> <IP_address> [domain]
Parameters
name Name given to the host.
IP_address IP address of the host.
domain Optional domain of the host.
Example
WS5000.(Cfg).Host> add NYhost 111.222.111.30 NYdomain
Adding Host...
Status: Success.

--------- ---------- ------
NYhost 111.222.111.30 NYdomain
WS5000.(Cfg).Host.[NYhost]>
8.36.2 host
Host Context
Changes the prompt to the context of a specified Host instance context.
Syntax
edit <host>
Parameters
host The name of the host that you want to edit.
Example
WS5000.(Cfg).Host> host NYhost

--------- ---------- ------
8.36.3 remove
Host Context
Removes a host from the host list.
Syntax
remove <host_name>
Parameters
host_name The name of the host to be removed.
Example
WS5000.(Cfg).Host> remove NYhost

--------- ---------- ------
WS5000.(Cfg).Host>
8.36.4 show
Host Context
Display host information.
Syntax
show
show host
show syslog
show system
Parameters
host The name of the host defined in the system.
syslog Displays the syslog details.
system Displays the system information.
Example
WS5000.(Cfg).Host> show host NYhost 111.222.111.30 NYdomain

--------- ---------- ------
WS5000.(Cfg).Host>
8.37 Host Instance

The Host instance context lets you modify an entry in the host list.
Table 8.42 Host Instance Context Command Summary
set Configure attributes of a particular host. page 8-212
8.37.1 set
Host Instance
Configures a host.
Syntax
Parameters
domain The host’s domain name. The value of the domain should follow.
ip The host’s IP address. The IP address value should follow.
Example
WS5000.(Cfg).Host.[NYhost]> show

--------- ---------- ------
WS5000.(Cfg).Host.[NYhost]> set ip 111.222.111.30
Changing Host property...

Status: Success.

--------- ---------- ------
WS5000.(Cfg).Host.[NYhost]> set domain NYdomain1
Changing Host property...

Status: Success.

--------- ---------- ------
NYhost 111.222.111.30 NYdomain1
8.37.2 show
Host Instance
Shows host configuration details.
Syntax
show
show system
Parameters
None.
Example
WS5000.(Cfg).Host.[NYhost]> show host

--------- ---------- ------
NYhost 111.222.111.30 NYdomain1
WS5000.(Cfg).Host.[NYhost]> show system


Switch Location :
Serial Number : 00A0F86594B8
Active Switch Policy : sw1
1. 00:A0:F8:6E:4A:7A [G].
2. 00:A0:F8:BB:B3:6D [G].
8.38 KDC Context

KDC Context
The KDC context provides configuration options to configure the switch-resident Kerberos Key Distribution
Center (KDC) as a Master or Slave.
Table 8.43 KDC Context Command Summary
add Add a new KDC Slave or User. page 8-214
authenticate Authenticates a Slave KDC with a Master KDC. page 8-215
dump Dumps the principals to the specified file (The file can be moved to another page 8-216
machine and the database is thus transferred)
remove Remove a Slave KDC, User or NTP addresses. page 8-216
set Configure/create the KDC. page 8-217
show isplay context specific attribute page 8-219
synchronize Synchronize a Slave KDC DB with a Master KDC DB. page 8-221
8.38.1 add
KDC Context
Adds a Slave KDC to/from the Master KDC. This command can only be invoked if the switch is configured to
be the Master KDC.
Syntax
add mu <name> <ticket_life>
or
add slavekdc <name> <ip_address> <domain>
Parameters
mu Adds a KDC user of type MU.
slavekdc Adds a slave KDC.

name Name given to the user or slave KDC.
domain Domain of the slave KDC.
IP_address IP address of the Slave KDC
domain Domain of the Slave KDC.
Example
WS5000.(Cfg).KDC> add mu symbol 10
Enter password for the mu "symbol" : ******
Confirm password for mu "symbol" : ******
Adding mu 'symbol' to the KDC.

Status: Success.
List of active MUs (KDC user):

Type Name Ticket Life
---- ---- -----------
MU symbol 10 min.
WS5000.(Cfg).KDC>
8.38.2 authenticate
KDC Context
Authenticates a slave KDC with its master. This is used when a KDC master has been deleted and re-created
afterwards. In this case, the slave has no way of knowing if a new master has been configured, therefore it
needs to be manually authenticated again.
Note When you try to exectue this command on a switch which has been confiured
as a Master KDC , the following message is displayed:
WS5000.(Cfg).KDC> authenticate
This command is available only for a SLAVE KDC.
The present KDC is configured as MASTER.
WS5000.(Cfg).KDC>
Syntax
authenticate
Parameters
None
Example
WS5000.(Cfg).KDC> authenticate
Authenticating slave KDC with Master....

Status: Success.
WS5000.(Cfg).KDC>
8.38.3 dump
KDC Context
Writes the KDC database to a file.
Syntax
dump <filename>
Parameters
filename Name of the file to which the database is written. The “.krb” extension is
automatically appended.
Example
WS5000.(Cfg).KDC> dump kdcTracks
Saving KDC principals in: kdcTracks.krb

Status: Success.
WS5000.(Cfg).KDC> ..
WS5000.(Cfg)> dir
May 5 21:33 1068 KerberosErrorLog.txt

Jan 25 15:11 15155 WS5000Defaults_v1.4.0.0-026R.cfg
Apr 23 16:18 18821897 WS5000_v1.4.1.0-003D.sys.img
Feb 10 17:31 6517 cmd_template.sym
May 5 21:33 2105 kdcTracks.krb
WS5000.(Cfg)>
8.38.4 remove
KDC Context
This command is used to remove to delete Slave-KDC or MU from the Master KDC or to delete NTP Servers.
Syntax
remove mu <name>
remove slavekdc <name> <ip_address> <domain>
remove ntpserver <ntp_index>
Parameters
mu KDC user of type MU to be removed.
slavekdc Slave KDC to be removed.
name Name of the User (MU) or slave KDC.
ip_address IP address of the slave KDC.
domain Domain of the slave KDC.
ntp_server NTP server index: 1 - 3 or all.
Example
WS5000.(Cfg).KDC> remove mu symbol
Deleting mu 'symbol' from the KDC.

Status: Success.
List of active MUs (KDC user):No active Users available.
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> remove slavekdc standby 1.1.1.1 symbol.com

Deleting slave KDC....
Status: Success.

Kerberos Realm : SYMBOL.LOCAL
Slave KDCs IP Address Domain

---------- ---------- ------
No entry available.
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> remove ntpserver 1
Deleting NTP Server....

Status: Success.
No NTP IP Entry exist, Time synchronization is Disabled
Time Server (NTP) details:
Primary NTP Server :

First alternate NTP Server :
Second alternate NTP Server :
WS5000.(Cfg).KDC>
8.38.5 set
KDC Context
Use set to configure or create the KDC in the system or configure KDC access type.
Syntax
set master <realm> <if_num>
set slave <realm> <masters_name> <masters_ip> <if_num>
set clear
set ntpserver <server_no> <server_ip>
set access <cli/snmp> <enable/disable>
Parameters
master Configure the switch as master KDC.

slave Configure the switch as slave KDC.
clear Clear all KDC configuration on the switch.
realm Kerboros realm name.
masters_name Name assigned to the Master KDC. Required if kdc_type is slave.
masters_ip Domain over which the KDC has dominion.Required is kdc_type is slave.
if_num interface number, 1 or 2.
server_no Sets one of the three NTP servers for this switch.NTP server number, 1 to 3.
server_ip NTP server IP address.
access Permits or denies configuration of the on-board KDC through Telnet (CLI) or SNMP.
Example
WS5000.(Cfg).KDC> set access cli disable
Configuring KDC access restriction for cli....

Status : Success.

KDC configuration over remote console : Disable.
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> set access snmp

Enter enable/disable.
Syntax: set access snmp <enable/disable> [CR]
WS5000.(Cfg).KDC> set access snmp enable
Configuring KDC access restriction for snmp....

Status : Success.

WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> set clear

Deleting all KDC configurations.....
Status : Success.
KDC is not configured in this machine.
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> set ntpserver 1 192.192.4.111
Configuring time server (NTP) ....

Status : Success.
Primary NTP Server : 192.192.4.111

WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> set slave test1 test2 1.1.1.1 2

Configuring KDC as slave.
Status : Success.
The system is configured as SLAVE KDC.

Kerberos Realm : test1
Master KDC :
Name : test2
IP address : 1.1.1.1
WS5000.(Cfg).KDC>
8.38.6 show
KDC Context
Shows KDC details.
Syntax
show
show configaccess
show kdc
show ntpservers
show users
Parameters
configaccess Display configured system access restrictions
kdc Display KDC details
ntpservers Display NTP Server information
users Display the list of active KDC users
Example
WS5000.(Cfg).KDC> show


---------- ---------- ------
slaveKDC_NY 111.222.111.30 NYdomain1
List of all active KDC users (MUs & WLANs):

Type Name Ticket Life ESSID
---- ---- ----------- -----
MU 489-45-5672 3 min. Not Available
WS5000.(Cfg).KDC> show users

---- ---- ----------- -----
MU 489-45-5672 3 min. Not Available
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> show configaccess

WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> show kdc

Kerberos Realm : a
---------- ---------- ------
No entry available.
WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> show ntpservers
Primary NTP Server : 192.192.4.111

WS5000.(Cfg).KDC>
WS5000.(Cfg).KDC> show users

---- ---- ----------- -----
MU symbol1 7 min. Not Available
WS5000.(Cfg).KDC>
8.38.7 synchronize
KDC Context
The krb database propagates from master to slave so that slave gets all the user information. It copies the
Master KDC database to the Slave KDC.
Syntax
synchronize <slave_name> <slave_ip> <slave_domain>
Parameters
slave_name Name of the KDC slave.
slave_ip IP address of the KDC slave.
slave_domain Domain of the KDC slave.
Example
WS5000.(Cfg).KDC> synchronize standby 111.222.111.30 Symbol.com
Synchronizing slave KDC (standby) DB with master....

8.39 Network Policy (NP) Context

A Network Policy is a collection of packet filters that you can use to implement various Quality of Service
requirements. Each Network Policy contains an inbound Policy Object and an outbound Policy Object. The
inbound policy filters packets that are sent from wireless devices to the WS5000. The outbound policy filters
packets that are sent from the switch to the wireless devices.
A Policy Object contains some number of Classification Groups, which contain Classifiers. It is at the Classifier
and Classification Group levels that the filtering rules are defined.
Table 8.44 Network Policy Context Command Summary
np Select a Network Policy to configure page 8-223
remove Remove a Network Policy page 8-223
8.39.1 add
Network Policy (NP) Context
Creates and adds a Network Policy instance.
Syntax
add <name>
Parameters
name The name that’s given to the new Network Policy.
Example
WS5000.(Cfg).NP> add NY_ntwk_SwitchPolicy
Adding Network Policy...

Status: Success.


4. NY_ntwk_SwitchPolicy.

Network Policy Name : NY_ntwk_SwitchPolicy
WS5000.(Cfg).NP.[NY_ntwk_SwitchPolicy]>
8.39.2 np
Changes the prompt to the context of a specific Network Policy instance.
Syntax
np <name>
Parameters
name Selects the Network Policy by name.
Example
WS5000.(Cfg).NP> np NY_ntwk_SwitchPolicy
Network Policy Name : NY_ntwk_SwitchPolicy
WS5000.(Cfg).NP.[NY_ntwk_SwitchPolicy]>
8.39.3 remove
Removes a Network Policy instance.
Syntax
remove <name>
Parameters
name The name of the Network Policy that’s to be removed.
Example
WS5000.(Cfg).NP> show

WS5000.(Cfg).NP> remove "New Network Policy"

Removing Network Policy...

Status: Success.

WS5000.(Cfg).NP>
8.39.4 show
Shows Network Policy details.
Syntax
show ce Display Classifiers
show cg Display Classification Group
show np Display Network Policy information
show po Display Policy Object information
Parameters
None.
Example
WS5000.(Cfg).NP> show

WS5000.(Cfg).NP>
8.40 Network Policy Instance

Table 8.45 Network Policy Instance Context Command Summary
show Display available classifier instance details.
8.40.1 set
Network Policy Instance
Sets an attribute of this Network Policy instance.
Syntax
Parameters
attribute value Description
name name Sets the name of the Network Policy. Enter the name after the “name” attribute.
inboundPolicy name | remove Adds the named Policy Object as the inbound policy. If the value is remove, the
policy is removed.
outboundPolicy name | remove Adds the named Policy Object as the outbound policy. If the value is remove, the
policy is removed.
Example
WS5000.(Cfg).NP.[NY_NetworkPolicy]> set
set:
Use set to configure a Network Policy components.
Syntax: set <config_parameter>, <parameter_value>
where:
config_parameter Network Policy parameter to be cofigured.
parameter_value Value for the NP parameter.
Type 'remove' to remove a Policy Object
config_parameter:
name Change name of the Network Policy.
inboundpolicy Assign Input Policy Object.

outboundpolicy Assign Output Policy Object.
ERROR: Command 'set' cancelled due to invalid or unrecognized parameter.
WS5000.(Cfg).NP.[NY_NetworkPolicy]>
WS5000.(Cfg).NP.[NY_NetworkPolicy]> show po

WS5000.(Cfg).NP.[NY_NetworkPolicy]> set inboundpolicy "New Input Policy"

Configuring Network Policy... done.
Network Policy Name : NY_NetworkPolicy
Inbound Policy Object name : New Input Policy
WS5000.(Cfg).NP.[NY_NetworkPolicy]> set outboundpolicy "New Output Policy"

Configuring Network Policy... done.
Outbound Policy Object name : New Output Policy
8.40.2 show
Network Policy Instance
Syntax
show ce
show cg
show np
show po
show
Parameters
ce Display Classifiers
cg Display Classification Group
np Display Network Policy information
po Display context specific attributes
Example
WS5000.(Cfg).NP.[NY_NetworkPolicy]> show
Policy Description : For NY switching
Outbound Policy Object name : New Output Policy
WS5000.(Cfg).NP.[NY_NetworkPolicy]>
8.41 Policy Object (PO) Context

Table 8.46 Policy Object Context Command Summary
add Adds a new Policy Object page 8-228
po Select a Policy Object to configure page 8-229
remove Removes a Policy Object page 8-230
show Displays context specific attributes page 8-230
8.41.1 add
Policy Object (PO) Context
Creates and adds a Policy Object instance.
Syntax
add <name> <type>
Parameters
name The name that’s given to the new Policy Object.
type The “direction” of the policy: Possible values are: 1 = outbound; 2 = inbound.
Example
WS5000.(Cfg).PO> add
po_name is a required parameter.
Syntax: add <po_name> <po_type> [CR]
Where: <po_types> can be,
1. Outbound Access Port

2. Inbound Access Port
3. Outbound Ethernet **
4. Inbound Ethernet **
5. Outbound Bluetooth **
6. Inbound Bluetooth **
** These types will be implemented in future release.

WS5000.(Cfg).PO> add Inbound 2
Adding Policy Object...

Status: Success.

5. Inbound.
Network Policy Name : Inbound

Description :
Type : Inbound Access Port
Default action : Allow
No of CG Associated with the Policy Object: 0
WS5000.(Cfg).PO.[Inbound]>
8.41.2 po
Changes the prompt to the context of a specified Policy Object instance.
Syntax
po <name>
Parameters
name Selects the Policy Object by name.
Example
WS5000.(Cfg).PO> 1
Network Policy Name : NetVision Priority for RF

Description :
Type : Outbound Access Port
The list of CG associated:
CG TOS WFQ Tx-Profile Pkt Modifier(s) WME-AC

-- --- --- ---------- --------------- ------
NetVision_VoIP_Out 000000 66% Voice Priority & TOS 1
8.41.3 remove
Removes a Policy Object instance.
Syntax
remove <name>
Parameters
name The name of the Policy Object to be removed.
Example
WS5000.(Cfg).PO> remove Inbound
Removing Policy Object...

Status: Success.

WS5000.(Cfg).PO>
8.41.4 show
Shows Policy Object details.
Syntax
show
show ce
show cg
show np
show po
Parameters
po Display Policy Object information
Example
WS5000.(Cfg).PO> show

5. Inbound.
WS5000.(Cfg).PO>
8.42 Policy Object Instance

Table 8.47 Policy Object Instance Context Command Summary
set Configure Policy Object page 8-232
8.42.1 set
Policy Object Instance
Sets an attribute of this Policy Object instance.
Syntax
Parameters
attribute Description Syntax
addCG Adds the named Classification Group to the Policy set addCG <cg_name>
Object.
defaultAction Sets the default action for this Policy Object. set defaultAction <allow_deny_flag>
name Sets the name of this Policy Object instance. set name <policy_object_name>
removeCG Removes the named Classification Group from the set removeCG <cg_name>
Policy Object.
cgPktmod Packet modification variables include: set cgPktMod disable <cg_name>

• disable – Disables packet prioritization for all set cgPktMod tos <enable_flag> <cg_name>
packets that are marked with the named
Classification Group. To re-enable packet
prioritization, remove and then re-add the
• Enables (enable) or disables (disable) Type of
Service modification for all packets that are
marked with the named Classifier Group.
IPredirect
priority
tos Sets the ToS packet marking bits for packets set tos <bits> <cg_name>
marked with the named Classification Group. The
bits value is the packet marking/ToS given as a 6-bit
bit-field. For example: 101101.
Example
WS5000.(Cfg).PO.[Inbound]> set
Valid commands:
set name
set addcg
set removecg
set cgpktmod
set defaultaction
set ipredirect
set priority
set tos
WS5000.(Cfg).PO.[Inbound]> show cg

3. voip_in_cg.
WS5000.(Cfg).PO.[Inbound]> set addcg voip_in_cg
Configuring Policy Object...

Status: Success.
Network Policy Name : Inbound

Description :
Type : Inbound Access Port
1. voip_in_cg.
CG VlanPriority TOS IP-Redirect Pkt Modifier(s)

-- ------------ --- ----------- ---------------
voip_in_cg 0 000000 0.0.0.0 Disabled
WS5000.(Cfg)> po

2. NetVision Packet Marking for Ethernet
WS5000.(Cfg).PO> 1
Network Policy Name : NetVision Priority for RF

Description :
Type : Outbound Access Port
CG TOS WFQ Tx-Profile Pkt Modifier(s) WME-AC

-- --- --- ---------- --------------- ------
NetVision_VoIP_Out 000000 66% Voice Priority & TOS 1
8.42.2 show
Policy Object Instance
Show details about the Policy Object or related components.
Syntax
show
show ce
show cg
show np
show po
Parameters
po Display Policy Object information
Example
WS5000.(Cfg)> po

2. NetVision Packet Marking for Ethernet
8.43 Radius Context

The Radius context enables you to specify an external Radius server for authenticating network users (Web,
Telnet, and SSH) and local user through the serial port.
Table 8.48 Radius Context Command Summary
set configure the RADIUS Server page 8-235
8.43.1 set
8.43.1.1 set authentication
Radius Context
Sets the type of connection for which logins must be authenticated by the Radius server.
Syntax
set authentication <connection>
Parameters
connection The type of connection. Possible values are:

• serial
• network
• localDB
Example
WS5000.(Cfg).RADIUS> set authentication serial enable
Configuring RADIUS server...

Status : Success.

-----------------------------
Local users (via serial port) : Enable

------ ------------ ---- ----- -------
Primary 157.235.207.46 1812 3 5
WS5000.(Cfg).RADIUS>
8.43.1.2 set primary

Radius Context
Sets the identity or parameter value of the primary Radius server.
Syntax
set primary <radius_parameter> <value>
set primary host <host_name/IP> [port] [timeout] [retry]
set primary port <port: 1-65535>
set primary timeout <time: 5-20>
set primary retry <retry: 1-10>
Parameters
host name | IP [port] [timeout] [retry] Identifies the Radius server by name or IP address. The other three
attributes can be set here, as well
port 0 - 65535 Sets the port number of the Radius server.
retry 1 - 10 Specifies the number of times a Mobile Unit can try to authenticate
itself during the reauthentication phase. The default is 5 attempts.
timeout 30, 65535 Specifies the time interval, in seconds, after which Mobile Units are
forced to reauthenticate with the Radius server. Valid values are in the
range seconds; the default is 3600 seconds (1 hour).
Example
WS5000.(Cfg).RADIUS> set primary port 20

Status : Success.

-----------------------------

------ ------------ ---- ----- -------
Primary 157.235.207.46 20 3 5
8.43.1.3 set secondary

Radius Context
Sets the identity or parameter value of the secondary Radius server.
Syntax
set secondary <radius_parameter> <value>
set secondary host <host_name/IP> [port] [timeout] [retry]
set secondary port <port: 1-65535>
set secondary timeout <time: 5-20>
set secondary retry <retry: 1-10>
Parameters
host name | IP [port] [timeout] [retry] Identifies the Radius server by name or IP address. The other three
attributes can be set here, as well
port 0 - 65535 Sets the port number of the Radius server.
retry 1 - 10 Specifies the number of times a Mobile Unit can try to authenticate
itself during the reauthentication phase. The default is 5 attempts.
timeout 30, 65535 Specifies the time interval, in seconds, after which Mobile Units are
forced to reauthenticate with the Radius server. Valid values are in the
range seconds; the default is 3600 seconds (1 hour).
Example
WS5000.(Cfg).RADIUS> set secondary retry 5

Status : Success.

-----------------------------

------ ------------ ---- ----- -------
Primary 157.235.207.46 20 3 5
WS5000.(Cfg).RADIUS>
8.43.2 show
Radius Context
Display the WS5000’s Radius settings.
Syntax
show radius-server Display Radius information
Parameters
None.
Example
WS5000.(Cfg).Radius> show

-----------------------------
Network users (Web, Telnet, etc.) : Enable

Authenticate locally if Radius server refuses access : Enable

------ ------------ ---- ----- -------
Primary SFhost 1812 3 5
Secondary NYhost 1812 3 5
WS5000.(Cfg).Radius> show radius-server

-----------------------------
Network users (Web, Telnet, etc.) : Enable
Authenticate locally if Radius server refuses access : Enable

------ ------------ ---- ----- -------
Primary SFhost 1812 3 5
Secondary NYhost 1812 3 5
8.44 Rogueap Context

The RougeAP context helps you to configure RogueAP detection for the system.
Table 8.49 RogueAP Context Command Summary
clear Clears the screen. page 8-8
approvedlist View or configure the Approved AP List. page 8-239
detectorap View or configure the DetectorAP List. page 8-240
roguelist View or configure the Detected RogueAP List. page 8-240
rulelist Configure Authorized AP Rule List. page 8-240
set Set or Reset any or all of the detection mechanism page 8-241
8.44.1 approvedlist
Rogueap Context
Use approvedlist to view or configure Approved AP List for RogueAP detection.
Syntax
approvedlist
Parameters
None
Example
WS5000.(Cfg).rogueap> approvedlist
List Entry AgeOut Interval (min.) : 0
Index MAC ESSID

----- ---- -----
1 11:22:22:22:22:22 test
2 00:A0:F8:C5:F6:F8 GRE
WS5000.(Cfg).rogueap.approvedlist>
8.44.2 detectorap
Rogueap Context
Use detectorap to view or configure DetectorAP List for DetectorAP scan.
Syntax
detectorap
Parameters
None
Example
WS5000.(Cfg).rogueap.detectorap> add "00:A0:F8:BF:8A:6B [A]"
Adding DetectorAP...
Status: Success.
Available DetectorAPs:
----------------------
1 00:A0:F8:BF:8A:6B [A]
WS5000.(Cfg).rogueap.detectorap>
8.44.3 roguelist
Rogueap Context
Use roguelist to view or configure Approved AP List for RogueAP detection.
Syntax
roguelist
Parameters
None
Example
WS5000.(Cfg).rogueap> roguelist
List Entry AgeOut Interval (min.) : 0
Index MAC ESSID

----- ---- -----
1 11:33:22:22:22:33 ESSID1
2 00:B0:F8:C5:F6:F8 ESSID2
WS5000.(Cfg).rogueap.roguelist>
8.44.4 rulelist
Rogueap Context
Use rulelist to configure Authorised AP List for RogueAP detection.
Syntax
rulelist
Parameters
None
Example
WS5000.(Cfg).rogueap.rulelist> add 11:22:22:22:22:22 test
Adding AuthAP...
Status: Success.
Authorise Symbol AP : disable
Index MAC ESSID

----- ---- -----
0 11:22:22:22:22:22 test
WS5000.(Cfg).rogueap.rulelist>
8.44.5 set
Rogueap Context
Use set to set or reset any or all of the detection mechanism.
Note Detectorscan requires detector APs to be configured on the system. Use

detectorap context to do the same.
Syntax
set <feature_name> <enable/disable> [<interval>]
Parameters
feature_name It can be either the rogueap OR muscan/apscan/detectorscan.

interval Integer value between 5 and 65535. Applicable only when muscan/apscan/
detectorscan is enabled.
Example
WS5000.(Cfg).rogueap> set rogueap enable
Configuring RogueAP...
Status: Success.

------------------------------
RogueAP Status : enable
or
WS5000.(Cfg).rogueap> set apscan enable 8

Configuring APScan...
Status: Success.

------------------------------
AP Scan Status : enable
8.44.6 show
Rogueap Context
Lists the available RogueAP instances.
Syntax
Parameters
rogueap Display Rogue AP configuration
rulelist Display Authorised AP rulelist
approvedlist View Approved AP list
roguelist View Rogue AP list
detectorap Display list of DetectorAPs
Example
WS5000.(Cfg).rogueap> show rogueap

------------------------------
AP Scan Status : enable
8.45 Security Policy Context

Table 8.50 Security Policy Context Command Summary
add Creates and adds a new Security Policy Instance. page 8-243
policy Changes the prompt to the context of the named Security Policy instance. page 8-244
remove Removes the named Security Policy instance. page 8-244
show Lists the available Security Policy instances. page 8-245
8.45.1 add
Security Policy Context
Creates and adds a new Security Policy Instance.
Syntax
add <name>
Parameters
name The name of the new Security Policy.
Example
WS5000.(Cfg).SecurityPolicy> add NewKerberosPolicy
Adding Security Policy...

Status: Success.

2. Default.
3. WEP40 Default.
4. WEP128 Default.
6. NewKerberosPolicy.
Security Policy details...

Policy name : NewKerberosPolicy
Description :
Beacon ESSID : Enabled
EAP PreAuthentication : Enabled

Opportunistic PMK Caching : Enabled
Encryption Open WEP KeyGuard-MCM TKIP AES CCMP
---------- ---- --- ------------ ---- --------
Status: Enable Disable Disable Disable Disable
Authentication Pre-Shared Kerberos 802.1x,EAP with Radius

-------------- ---------- -------- ----------------------
Status: Disable Disable Disable
8.45.2 policy
Changes the prompt to the context of the named Security Policy instance.
Syntax
policy <name>
Parameters
Example
WS5000.(Cfg).SecurityPolicy> policy Default

Policy name : Default
Description : Default Security Policy
Beacon ESSID : Enabled
EAP PreAuthentication : Disabled
Opportunistic PMK Caching : Disabled
---------- ---- --- ------------ ---- --------
Status: Enable Disable Disable Disable Disable

-------------- ---------- -------- ----------------------
Status: Disable Disable Disable
WS5000.(Cfg).SecurityPolicy.[Default]>
8.45.3 remove
Removes the named Security Policy instance.
Syntax
remove <name>
Parameters

Example
WS5000.(Cfg).SecurityPolicy> remove NewKerberosPolicy
Removing Security Policy...

Status: Success.

2. Default.
3. WEP40 Default.
4. WEP128 Default.
8.45.4 show
Lists the available Security Policy instances.
Syntax
show securitypolicy Display security policy details
Parameters
None.
Example
WS5000.(Cfg).SecurityPolicy> show securitypolicy

2. Default.
3. WEP40 Default.
4. WEP128 Default.
8.46 Security Policy Instance

A Security Policy instance declares the types of encryption and authentication that can be used to create
secure login and data communication on the WLAN.
The type of encryption that can be set are as follows:
• Open – No encryption; any unsecured Mobile Unit is allowed to associate with the system unless the
adoption list specifically excludes it.
• KeyGuard encryption for TKIP (Temporal Key Integrity Protocol) – This mode is only supported by Symbol
mobile devices. KeyGuard requires a 128-bit WEP key.
• Wired Equivalent Privacy (WEP) – WEP comes in a choice of 40- or 128-bit encryption, and lets you
define and choose from four different keys.
• WPA/TKIP – Wi-Fi Protected Access with Temporal Key Integrity Protocol
• WPA2 AES
In addition, the type of authentication methodologies used are as follows:
• None – If encryption is set to open, then there’s no authentication.
• Pre-Shared Key (PSK) – In PSK, the same key is used for authentication and encryption.
• Kerberos – Uses a Kerberos server for mobile unit authentication. You can specify an external server or
use the switch’s on-board server. To use the on-board server, you must first configure the switch to be a
Kerberos Master (see set on page 8-217). Kerberos only supports KeyGuard and WEP encryption.
• 802.1x EAP – Authentication is performed by an external Remote Authentication Dial-In User Service
(Radius) server. The Radius server must be accessible to the switch.
A single Security Policy can accept more than one method (of each), thus providing wider support for MUs that
use expect different security methods. However, the Security Policy is only as strong as its weakest method.
Table 8.51 Security Policy Instance Context Command Summary
set Sets an attribute of the Security policy instance. page 8-247
show Display the attributes of this Security policy instance. page 8-251
8.46.1 set
Security Policy Instance
Sets an attribute of the Security policy instance. The tables, below, divide the settings into topical groups.
Syntax
set <attribute> <value(s)>
Parameters
General Settings
description Adds a description string to the Security policy instance. set description <text_string>
name Sets the name of the Security policy instance. set name <name_string>
Encryption and Authentication Settings
encryption Enables or disables a data encryption type. Possible set encryption <type> <enable>
values:
• open
• wep40
• wep128
• keyguard
• tkip
• ccmp
authentication Enables or disables an authentication type. Possible set authentication <type> <enable>
values are:
• preshared
• kerberos
• eap
You can enter multiple authetication values in the CLI with
a space between each value.
Note The WS5000 Series

Switch does not work with the
combination of wep40 encryption
and kerberos authentication.
Pre-Shared Key (PSK) Settings
presharedKey Sets the PSK key in either ASCII or Hexidecimal format. An set presharedKey
ASCII key must be between 8 and 63 characters long. A <ascii_or_hex_key>
hex key must be 64 characters.
WEP Settings
activeWepKey Sets the active WEP key string, identified by key index. set activeWepKey <key_index>
Valid key_index values are [0, 3].
wepKey Sets the WEP key string for the given key index. Valid set wepKey <key_index> <key
key_index values are [1, 4]. The key_string argument must string>
be enclosed in quotation marks.
Kerberos Settings
kerberos Sets the active WEP key string, identified by key index. set kerberos <key_index>
Valid key_index values are [0, 3].
wepKey Sets the WEP key string for the given key index. Valid set wepKey <key_index>
key_index values are [1, 4]. The key_string argument must <key_string>
be enclosed in quotation marks.
Example
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set
Valid commands:
set name
set description
set encryption
set authentication
set wepkey
set activewepkey
set kerberos
set eap
set radius
set groupkeyupdate
set presharedkey
set preauthentication
set opppmkcaching
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set encryption

Enter encryption_type.
Syntax: set encryption <encryption_type> <enable/disable> [CR]
Valid commands:
set encryption open
set encryption wep40
set encryption wep128
set encryption keyguard
set encryption tkip
set encryption ccmp
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set authentication

Enter authentication_type.
Syntax: set authentication <authentication_type> <enable/disable> [CR]
Valid commands:
set authentication preshared
set authentication kerberos
set authentication eap
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set webkey

Invalid config_parameter.
Valid commands:
set name
set description
set encryption
set authentication
set wepkey
set activewepkey
set kerberos
set eap
set radius
set groupkeyupdate
set presharedkey
set preauthentication
set opppmkcaching
ERROR: Command 'set' cancelled due to invalid or unrecognized parameter.
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set wepkey

Enter the WEP Key number or keyword 'string' to generate the Keys.
Enter 'default' to set the WEP Keys to default values.
Syntax: set wepkey <wep_key_no:1-4> <wepkey> [CR]
set wepkey string <genkey_string> [CR]
set wepkey default [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]>
===
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set activewepkey

Enter the WEP Key number.
Syntax: set activewepkey <wep_key_no:1-4> [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set kerberos

Enter the Kerberos option
Syntax: set kerberos <option> [1-3]/[realm] [value]
Valid commands:
set kerberos enable
set kerberos disable
set kerberos realm
set kerberos port
set kerberos server
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set kerberos realm

Enter the realm.
Syntax: set kerberos realm <realm> [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set kerberos port

Enter the index.
Syntax: set kerberos port <1-3> <value> [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set kerberos server

Enter the index.
Syntax: set kerberos server <1-3> <value> [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap

Enter the EAP option.
Syntax: set eap <option> [enable/disable]/[time]/[count]
Valid commands:
set eap enable
set eap disable
set eap quietperiod
set eap txperiod
set eap reauthentication
set eap suplicanttimeout
set eap maxrequestretries

WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap quietperiod

Enter the value for EAP quietperiod.
Syntax: set eap quietperiod <period: 1-99> [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap txperiod

Enter the value for EAP txperiod.
Syntax: set eap txperiod <period: 1-99> [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap reauthentication

Enter EAP Re-authentication option
Syntax: set eap reauthentication <option> [time/count]
Valid commands:
set eap reauthentication enable
set eap reauthentication disable
set eap reauthentication period
set eap reauthentication maxretries

period
Enter the value for EAP Re-authentication period
Syntax: set eap reauthentication period <time: 30-65535> [CR]

maxretries
Enter the value for EAP Re-authentication maxretries
Syntax: set eap reauthentication maxretries <count: 1-99> [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap suplicanttimeout

Enter the value for EAP suplicanttimeout.
Syntax: set eap suplicanttimeout <time: 1-99> [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set eap maxrequestretries
Enter the value for EAP maxrequestretries.

Syntax: set eap maxrequestretries <count: 1-10> [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set radius

Enter the Radius option.
Syntax: set radius <option> <host_name>/<1-2> <value> [CR]
Valid commands:
set radius hostname
set radius port
set radius server
set radius secret
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set groupkeyupdate

Enter the group key update time
Syntax: set groupkeyupdate <time:30-65535> [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set presharedkey

Enter the pre-shared key date entry option
Syntax: set presharedkey <ascii/hex> [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set preauthentication

Enter 'enable' or disable'
Syntax: set preauthentication <enable/disable> [CR]
WS5000.(Cfg).SecurityPolicy.[New WEP Security Policy]> set opppmkcaching

Enter 'enable' or disable'
Syntax: set opppmkcaching <enable/disable> [CR]
8.46.2 show
Security Policy Instance
Display the attributes of this Security policy instance.
Syntax
Parameters
None.
Example
WS5000.(Cfg).SecurityPolicy.[WEP40 Default]> show

Policy name : WEP40 Default
Description : 40-bit WEP with default WEP Keys
EAP PreAuthentication : Disabled
Opportunistic PMK Caching : Disabled

---------- ---- --- ------------ ---- --------
Status: Disable Enable(WEP40) Disable Disable Disable

-------------- ---------- -------- ----------------------
Status: Enable Disable Disable
Wep Key to use : 1

Wep Key 1 : **********
Wep Key 2 : **********
Wep Key 3 : **********
Wep Key 4 : **********
VPN Authentication : Disabled
WS5000.(Cfg).SecurityPolicy.[WEP40 Default]>
8.47 Sensor Context

Table 8.52 Sensor Context Command Summary
convert Used to convert the AP 300 to a sensor page 8-252
disable Disables the sensor functionality. page 8-253
enable Enable sensor functionality page 8-253
revert Revert from a sensor to an AP 300 page 8-253
sensor Select a sensor to Configure page 8-254
8.47.1 convert
Sensor Context
This is used to convert the AP 300 to a sensor.
Syntax
convert <ap300 mac>
Parameters
ap300 mac MAC address of AP that is to be converted to a sensor.
Example
WS5000.(Cfg).sensor> convert 00:A0:F8:BF:8A:6B
Converting to a sensor ...

Status : Success.
8.47.2 disable
Sensor Context
Disbales the sensor functionality.
Syntax
disable
Parameters
None
Example
WS5000.(Cfg).sensor> disable
Disable Sensor Functionality ...

Status : Success.
8.47.3 enable
Sensor Context
Enables the sensor functionality
Syntax
enable
Parameters
None
Example
WS5000.(Cfg).sensor> enable
Enabling Sensor Functionality ...

Status : Success.
8.47.4 revert
Sensor Context
This is used to revert the sensor back to AP.
Syntax
revert <sensor mac>
Parameters
sensor mac MAC address of sensor that needs to be reverted back as AP.
Example
WS5000.(Cfg).sensor> revert 00:A0:F8:BF:8A:6B
Reverting to a Sensor ...

Status : Success.
8.47.5 sensor
Sensor Context
This is used to configure a sensor.
Syntax
sensor <sensor/ap300 mac address>
Parameters
sensor The mac address of the sensor to be configured

ap300 mac address The mac address of the AP to be configured
Example
WS5000.(Cfg).sensor> sensor 1
Sensor Details
--------------
DHCP : disable
IP Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway IP Address : 0.0.0.0
Primary WIPS IP : 0.0.0.0
Secondary WIPS IP : 0.0.0.0
WS5000.(Cfg).sensor.[00:A0:F8:AA:BB:CC]>
8.47.6 show
Sensor Context
This displays the sensor context specific attributes.
Syntax

show sensor Display Sensor's and AP 300's / Sensor details
Parameters
sensor Display Sensor's details
ap300 Display AP 300's details
Example
WS5000.(Cfg).sensor> show
AP300's
-------
Sensor AP's
-----------
1. 00:A0:F8:AA:BB:CC
8.48 Sensor Instance

Table 8.53 Sensor Instance Command Summary
set Configure the Sensor Profile page 8-256
8.48.1 description
Sensor Instance
This is used to enter a description text for the sensor.
Syntax
Parameters
description_text Brief description of the switch policy instance.
8.48.2 set
Sensor Instance
Used to configure sensor parameters.
Syntax
Parameters
config_parameter parameter_value
dhcp Enable or disable DHCP

ip Set the IP address
mask Set the subnet mask
gateway Set the gateway address

primary Set primary WIPS server's IP address
secondary Set secondary WIPS server's IP address
Example
WS5000.(Cfg).sensor.[00:A0:F8:AA:BB:CC]> set dhcp enable
Configuring Sensor Parameters...

Status: Success.
Sensor Details
--------------
DHCP : enable
8.48.3 show
Sensor Instance
This command displays the sensor context attributes.
Syntax
show sensor Display Sensor Profile details

Parameters
sensor Display Sensor Profile details
ap300 Display AP300’s details
Example
WS5000.(Cfg).sensor.[00:A0:F8:AA:BB:CC]> show
Sensor Details
--------------
DHCP : enable
8.49 SNMP Context

The Wireless 5000 Series Switch supports Simple Network Management Protocol (SNMP) version 1 ,SNMP
v2 and SNMP v3. The switch supports SNMPv1 and SNMPv2 traps.
Use the SNMP CLI context to configure the SNMP trap destinations, the SNMP clients as well as the SNMP
agent status. There are two sub-contexts where in the SNMP can be configured.
• SNMP v2 (v2 context)
• SNMP v3 (v3 context)
Note No special configuration for V1 access is required, it can be done with v2

communities.
The SNMP context provides commands that configures the SNMP system and that controls the activity of the
SNMP daemon.
Table 8.54 SNMP Context Command Summary
enable Starts the SNMP daemon. page 8-258
disable Stops the SNMP daemon. page 8-259
remove Remove an SNMP trap destination. page 8-259
set Enable/Disable KDC config through SNMP, and Enable/Disable SNMP traps, page 8-260
Configure SNMP trap destinations.
show Shows details pertaining to the SNMP sub-system. page 8-262
v2 Configure SNMP v2 access parameters page 8-263
v3 Configure SNMP v3 access parameters page 8-263
8.49.1 enable
SNMP Context
Starts the SNMP daemon.
Syntax
enable
Parameters
None.
Example
WS5000.(Cfg).SNMP> enable
Enabling...
Status : Success.
SNMP details:
-------------
8.49.2 disable
SNMP Context
Stops the SNMP daemon.
Syntax
disable
Parameters
None.
Example
WS5000.(Cfg).SNMP> disable
Disabling...
Status : Success.
SNMP details:
-------------
SNMP (deamon) Status : Disabled
8.49.3 remove
SNMP Context
Removes an SNMP trap destination.
Syntax
remove traphost <client_ip> <community_name>
Parameters
traphost Remove an SNMP trap-host.
client_ip IP address of the SNMP trap destination.
community_name Name of the SNMP community
Example
WS5000.(Cfg).SNMP> remove traphost 123.121.112.112 testing
Removing SNMP trap-host...
Status : Success.
8.49.4 set
SNMP Context
Syntax
set <kdcconfig | snmptrap | traphost>
Parameters
set kdcconfig Enable/disable KDC configuration through SNMP
set snmptrap Enable/disable SNMP traps (global flag)
set traphost Configure SNMP trap destination
8.49.4.1 set kdcconfig

SNMP Context
Allows or disallows the configuration of the on-board Kerberos KDC through SNMP.
Syntax
set kdcconifg <enable_flag>
Parameters
enable_flag Enable or disable Kerberos KDC configuration, as appropriate. Possible values are:
• enable — can configure KDC through SNMP
• disable — cannot configure KDC through SNMP
Example
WS5000.(Cfg).SNMP> set kdcconfig enable
Setting KDC configuration rights...
Status : Success.

8.49.4.2 set snmptrap

SNMP Context
Enables or disables SNMP traps.
Syntax
set snmptrap <enable/disable>
Parameters
enable_flag Enable or disable SNMP traps, as appropriate. Possible values are:

• enable — Enables sending of the SNMP traps
• disable — Disables sending of the SNMP traps
Example
WWS5000.(Cfg).SNMP> set snmptrap enable

Status: Success.
SNMP details:
-------------
WS5000.(Cfg).SNMP>set snmptrap disable

Status: Success.
SNMP details:
-------------
8.49.4.3 set traphost

SNMP Context
Configures a destination IP to which the switch will send the SNMP traps.
Syntax
set traphost <ip_address> <community_name> [<port> <version>]
set traphost <ip_address> <community_name> [port]
Parameters
ip_address SNMP manager host IP address

community_name SNMP community name for the trap host
port Port number to which the traps would be sent
version SNMP trap version (v1 or v2)
Example
To configure the SNMP v1 trap host at 192.168.204.4, with community name as Symbol, and use port 162,
enter:
WS5100.(Cfg).SNMP> set traphost 192.168.204.4 Symbol 162 v1
Note SNMP v1/v2 trap message format in WS5000 has been implemented such that
the Variable Bindings in the SNMP TRAP PDU, has minimum of two bindings:
name = snmpTrapOID, value = OID of the trap being raised
name = OID of ccTargetTrapString, value = Display String
For v2 traps, the variable binding in the SNMP TRAP PDU also has:
name = OID of sysUpTime, value = current time
8.49.5 show
SNMP Context
Displays the various details of the SNMP in the switch.
Syntax
show configaccess
show snmpclients
show snmpstatus
show traphosts
show v3users
Parameters
configaccess Displays configured system access restrictions

snmpclients Displays the configured SNMP clients
snmpstatus Displays the current SNMP status
traphosts Displays the configured trap destinations
v3users Displays the configured SNMP v3 user profile details
Example
WS5000.(Cfg).SNMP> show configaccess

WS5000.(Cfg).SNMP> show snmpclients

----- ---- ---------- --------------
1. Read/Write 161 123.123.123.123 testing
WS5000.(Cfg).SNMP> show snmpstatus
SNMP details:
-------------
WS5000.(Cfg).SNMP> show traphosts

CommunityName Port Version IP Address
------------- ---- ------- ----------
1. domain1 162 v1 172.34.35.68
WS5000.(Cfg).SNMP> show v3users
SNMPv3 users information:
SNMP v3 User Auth. Priv.

-------------------------------
1. snmpv3AllRW MD5 DES
2. snmpv3AllRO MD5 DES
8.49.6 v2
SNMP Context
Use v2 to configure SNMP v2 access parameters. You need to enter the v2 Context to set the SNMP v2
parameters
Syntax
v2
Parameters
None
Example
WS5000.(Cfg).SNMP> v2

----- ---- ---------- --------------
8.49.7 v3
SNMP Context
Use v3 to configure SNMP v3 access parameters. You need to enter the v3 Context to configure the SNMP v3 parameters.
Syntax
v3
Parameters
None
Example
WS5000.(Cfg).SNMP> v3

-------------------------------
2. snmpv3AllRO MD5 DES
8.50 v2 Context
SNMP Context
The v2 context provides commands that configure the SNMP v2 access parameters.
Table 8.55 SNMP v2 Context Command Summary
remove Remove an SNMP client/community or SNMP trap. page 8-264
set Set SNMP attributes. page 8-265
8.50.1 remove
v2 Context
Use remove to remove SNMP v2 client.
Syntax
remove <access-perm> <client_ip> <community_name> [port_no]
Parameters
access-perm The access permission of the SNMP client. Can be one of:
• ro — readonly
• rw — readwrite
client_ip IP address of the SNMP client.
community_name Name of the community the client is a member of.
port_no Optional port number. The default is 161.
Example
WS5000.(Cfg).SNMP.v2> remove rw 172.34.35.68 symbol
Removing SNMP Client...

Status : Success.
8.50.2 set
v2 Context
Sets SNMP attributes
8.50.2.1 set client

v2 Context
Use set client command to add SNMP clients, to which the swtich will respond. If no SNMP client is configured
in the switch, the switch will respond to get requests, from clients with community as ‘public’; the switch will
respond to get/set requests, from clients with community as ‘private’.
Syntax
set client <rw/ro> <client_ip> <community_name> [port_no]
Parameters
rw Client will have read-write access permissions.

ro Client will have read-only acess permissions.
client_ip IP address of the snmp client.
community_name Name of the SNMP community.
port_no SNMP port (0 - 65535), default is 161
Example
WS5000.(Cfg).SNMP.v2> set client rw 172.34.35.68 symbol
Configuring SNMP client...
Status : Success.

----- ---- ---------- --------------
8.50.3 show
v2 Context
Shows SNMP details
Syntax
show
show snmpclients
Parameters
snmpclients Display the SNMP Client/community details

Example
WS5000.(Cfg).SNMP.v2> show
----- ---- ---------- --------------
WS5000.(Cfg).SNMP.v2> show snmpclients

----- ---- ---------- --------------
8.51 v3 Context
SNMP Context
The v3 context provides commands that configure the SNMP v3 access parameters.
Table 8.56 SNMP v3 Context Command Summary
set Set SNMP attributes page 8-269
show Shows SNMP details. page 8-265
8.51.1 set
v3 Context
Set SNMP attributes
8.51.1.1 set profile

v3 Context
Use set profile to configure SNMP v3 user profile.
Syntax
set profile <user> <algorithm> <auth_pass> [ priv_pass ]
Parameters
user User profile name, can be one of : snmpv3AllRW, snmpv3AllRO

algorithm Algorithm to be used, can be one of : MD5, SHA
auth_pass Authentication pass-phrase
priv_pass Privacy pass-phrase, default is same as <auth_pass>
Example
To set the profile of snmpv3AllRO with algorithm as SHA and with pass phrase as test1234
WS5100.(Cfg).SNMP.v3> set profile snmpv3AllRO SHA test1234
Configuring SNMP client...
Status : Success.


-------------------------------
2. snmpv3AllRO SHA DES
8.51.2 show
v3 Context
Displays the details of the SNMP v3 in the switch
Syntax
show
show v3users
Parameters
v3users Display the SNMP v3 user profile details
Example
WS5000.(Cfg).SNMP.v3> show

-------------------------------
WS5000.(Cfg).SNMP.v3> show v3users

-------------------------------
8.52 SSH (Secure Shell) Context

The SSH context lets you configure the WS5000’s Secure Shell daemon.
Note Do not change the SSH port number because this can create conflicts with
other applications running in the WS5000 Series Switch.
Table 8.57 SSH Context Command Summary
set Configures the SSH daemon. page 8-269
show Display connection configuration and session information. page 8-270
8.52.1 set
SSH (Secure Shell) Context
Configures the SSH daemon.
Syntax
Parameters
ssh enable | disable Enables or disables the SSH daemon.
version V1/V2 | V2 Configures the daemon to accept SSH V1 and SSH V2 client connections (V1/V2),
or to only accept SSH V2 (V2). SSH V2 is more secure than SSH V1.
port 22 | 1025 - 65535 Sets the port through which SSH connections are accepted. By default, the SSH
port is set to 22.
8.52.2 show
SSH (Secure Shell) Context
Display connection configuration and session information.
Syntax
show <attribute> <value>
Parameters
(none) Display SSH configuration and session information.
telnet Display telnet configuration and session information. See 8.58 Telnet Context on page
291
ssh Display SSH configuration and session information.
Example
WS5000.(Cfg).SSH> show
WS5000.(Cfg).SSH> show telnet
WS5000.(Cfg).SSH> show ssh
8.53 SSL (Secure Socket Layer) Context

The SSL context defines the protocol (http or https) that a client needs to access the WS5000 Series Switch
applet, or graphical user interface. With SSL enabled, the applet can only be accessed through the (secure)
https protocol; if it’s disabled, the applet can only be accessed through (non-secure) http.
Table 8.58 SSL Context Command Summary
enable Enables SSL client authentication. page 8-271
disable Disables SSL client authentication. page 8-271
revert certificate Tells the Web server to use the currently installed authentication certificate. page 8-272
show Display the Web server’s accessibility setting. page 8-272
8.53.1 enable
SSL (Secure Socket Layer) Context
Turns on SSL client authentication. To access the applet, a client must use https. For example:
https://192.0.0.1
Syntax
enable
Parameters
None.
Example
WS5000.(Cfg).SSL> enable
8.53.2 disable
Turns off SSL client authentication. To access the applet, a client must use https. For example:
https://192.0.0.1
Syntax
disable
Parameters
None.
Example
WS5000.(Cfg).SSL> disable
8.53.3 revert certificate

Tells the Web server to use the currently installed authentication certificate. You use this command after
uploading a new certificate. Until the certificate is reverted, clients will not be able to establish new
connections to the applet. Reverting the certificate causes the Web server to restart.
Syntax
revert certificate
Parameters
None.
Example
WS5000.(Cfg).SSL> revert certificate
8.53.4 show
Display the Web server’s accessibility setting.
Syntax
show
show https
Parameters
None.
Example
WS5000.(Cfg).SSL> show
Web based configuration (Applet) access by : https.

8.54 Standby Context

The Standby context lets you configure the failover system (aka “Standby” or “warm Standby”). You need two
switches to implement the failover system: The “Primary” switch handles all network traffic; the Standby
switch takes over if the Primary switch goes down. After the Primary comes back up, it can automatically take
over active duty, or you can configure the switch so that it waits to be re-activated manually.
Except for the declarations of their roles in the failover system, the configurations of the two WS5000s must
be exactly the same. If you modify one of them, you must modify the other in the same way.
The failover system must be disabled (disable) before you can call most of the commands defined in the
Standby context. Moreover, it’s a good idea to disable the failover system before making any significant
changes to the WS5000. Re-configuring the Primary switch while the Standby system is enabled could cause
the switch to fail.
Warning! A WS5000 model switch is not compatible to be configured as a

! standby for a WS5100 model switch.
Table 8.59 Standby Context Command Summary
enable Adds the switch to the Standby system. page 8-274
disable Removes the switch from the Standby system. page 8-274
set autorevert Enables or disables the automatic reversion feature. page 8-274
set arDelay Enables or disables the (sending of the) heartbeat on a particular NIC. page 8-275
set heartbeat Sets the heartbeat for the Standby switch. page 8-275
set mac Sets the Ethernet port on the other WS5000 to which this WS5000 sends its page 8-275
heartbeat (per NIC).
set mode Set the mode that the switch should be running in (that is primary, standby, etc.). page 8-276
show Display available Standby context details. page 8-276

8.54.1 enable
Standby Context
Adds the switch to the Standby system.
Syntax
enable
Parameters
None.
Example
WS5000.(Cfg).standby> enable
8.54.2 disable
Standby Context
Removes the switch from the Standby system.
Syntax
disable
Parameters
None.
Example
WS5000.(Cfg).standby> disable
8.54.3 set autorevert

Standby Context
Enables or disables the automatic reversion feature. When auto-revert is enabled, a Standby switch that has
become active due to a failover automatically reverts to its monitoring role after the Primary switch comes back
up. If you disable auto-revert, you can manually revert the Standby switch through the revert option of the set
mode command.
Note Be sure to call the disable command before calling this command.
“Auto-revert delay.” If auto-revert is enabled, this is the amount of time to wait, in minutes, before the Primary
switch becomes active after it has come back up.
Syntax
set autorevert <enable_flag>
Parameters
enable_flag Enable of disable auto-revert, as applicable.
Example
WS5000.(Cfg).standby> set autorevert enable
8.54.4 set arDelay

Standby Context
Enables or disables the (sending of the) heartbeat on a particular NIC by setting an auto-revert delay, in
minutes.
Note You must call disable before calling this command.
Syntax
set arDelay <delay>
Parameters
delay The delay time, in minutes. An integer in the range [0, 9999].
Example
WS5000.(Cfg).StandBy> set ardelay 10
8.54.5 set heartbeat

Standby Context
Sets the heartbeat for the Standby switch.
Syntax
set heartbeat <enable_flag> <NIC>
Parameters
enable_flag Valid values are enable, to enable the heartbeat, or disable—to disable the heartbeat.
NIC The NIC through which the heartbeat is sent.
Example
WS5000.(Cfg).standby> set heartbeat enable
8.54.6 set mac

Standby Context
Sets the Ethernet port on the other WS5000 to which this WS5000 sends its heartbeat (per NIC). You can set
the port by its MAC address, or you can ask the switch to discover the port automatically.
Note You must call disable before calling this command.
Syntax
set mac <port> <NIC>
Parameters
port Either the MAC address of the port, or auto for automatic discovery.
NIC The local NIC through which the heartbeat is sent. Either 1 or 2.
Example
WS5000.(Cfg).standby> set mac auto 1
8.54.7 set mode

Standby Context
Set the mode that the switch should be running in (that is primary, standby, etc.). The mode command is used
for three things:
• It can set the switch to be the Primary or the Standby.
• It can manually revert the switch to its original role after a failover.
• It can enable and disable the switch’s participation in the standby system.
IMPORTANT! YOU MUST CALL DISABLE BEFORE SETTING THE SWITCH’S

! FAILOVER ROLE.
Syntax
set mode <option>
Parameters
option Description
primary Sets the switch to be the Primary.
standby Sets the switch to be secondary.
revert Standby mode–Reverts the switch to its original role.

Primary (active) mode–Switchs back to standby mode
enable Adds the switch to the standby system. Same as the enable command.
disable Removes the switch from the standby system. Same as the disable command.
8.54.8 show
Standby Context
Display Standby details for the switch.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).StandBy> show
Standby Management:

State : Startup
Failover Reason :
----------------------
----------------------
WS5000.(Cfg).StandBy>
8.55 Switch Policy (SPolicy) Context

A Switch Policy acts as a container for all the other policies. Although you can define any number of Switch
Policies, only one of them can be active at a time.
The WS5000 lets you designate an “Emergency Switch Policy” (ESP). The ESP, which you can quickly activate
from any of the WS5000 access venues (CLI, SNMP, and GUI), is meant to serve as a known, safe, and
conservative policy that you use in the case of an emergency, such as a security breach. To designate the ESP,
see set emergencypolicy. To activate the ESP, use the enable option with the emergencymode command within
any context
In addition to containing all the other policies, the Switch Policy defines an adoption list that defines the types
of Access Ports that can be adopted.
Table 8.60 Switch Policy Context Command Summary
add Add a new Switch Policy to the system. page 8-278
policy Select a Switch Policy to configure. page 8-279
remove Remove a Switch Policy from the system. page 8-280
show Display available Switch Policy details. page 8-280
8.55.1 add
Switch Policy (SPolicy) Context
Creates and adds a new Switch Policy instance.
Syntax
add <name>
Parameters
name The name of the new Switch policy.
Example
WS5000.(Cfg).SPolicy> add new_policy
Adding Switch Policy...

Status: Success.

2. EmerPolicy2-10.
3. new_policy.
Switch Policy details

---------------------
Policy Name : new_policy
Description :
Country : US
Default Adoption action for .11a : Deny.

Default Adoption action for .11b : Deny.
Press any key to continue...or (q)uit
8.55.2 policy
Changes the prompt to the context to the named Switch policy instance.
Syntax
policy <name>
Parameters
name The name of the Switch Policy.
Example
WS5000.(Cfg).SPolicy> policy sw1
Active Switch Policy details
----------------------------
Policy Name : sw1
Description :
Country : US
Active EtherPolicy Name : eth1
List of APPolicies attached :

1. appol1.
Default Adoption action for .11a : Adopt .11a with APPolicy appol1
Default Adoption action for .11b : Adopt .11b with APPolicy appol1

DS Coexistence : Not Applicable for current country setting.
WS5000.(Cfg).SPolicy.[sw1]>
8.55.3 remove
Removes the named Switch Policy instance.
Syntax
remove <name>
Parameters
name The name of the Switch Policy to be removed.
Example
WS5000.(Cfg).SPolicy> remove new_policy
Removing Switch Policy...

Status: Success.

2. EmerPolicy2-10.
8.55.4 show
Display switch policy details, or details about other entities if specified in the command.
Syntax
show accessports Display access port details
show acl Display ACL information
show appolicy Display Access Port Policy
show channelinfo Display channel no and country code details
show ethernet Display Ethernet Port details
show etherpolicy Display EtherPolicy details
show interfaces Display interface details
show switchpolicy Display Switch Policy
show system Display system information
Parameters
component Description
none Display information about this Switch Policy instance.
channelInfo Display a list of country codes and the channels each country supports.
interfaces Display a list of Access Port instances and lists the available Ethernet ports.
Example
WS5000.(Cfg).SPolicy> show
----------------------------
Policy Name : Default Wireless Switch Policy
Description : Switch Policy with Default Settings
Country : None

Default Adoption action for .11a : Adopt .11a with APPolicy Default Access Porty
Default Adoption action for .11b : Adopt .11b with APPolicy Default Access Porty
Default Adoption action for FH : Adopt FH with APPolicy Default Access Port Py
Default Adoption action for .11g : Adopt .11g with APPolicy Default Access Porty
WS5000.(Cfg).SPolicy> show interfaces


------------ --------- ---------- ---- ------
g_name 00:04:E2:5E:B5:3A 00:04:E2:5E:B5:3A FH Unavailable

Ethernet 1
Ethernet 2
WS5000.(Cfg).SPolicy> show channelinfo
Generating country/channel tables. Please wait for few seconds...

------------ ---- ----------------------------
A Ch: 149,153,157,161
A Ch: 36,40,44,48,52,56,60,64,149,153,11
A Ch: 36,40,44,48,52,56,60,64,100,104,10
A Ch:
A Ch:
A Ch: 36,40,44,48,52,56,60,64
A Ch: 149,153,157,161
A Ch:
A Ch: 36,40,44,48,52,56,60,64,149,153,11
8.56 Switch Policy Instance

Table 8.61 Switch Policy Instance Context Command Summary
edit Edit adoption list entry. page 8-284
name Set or change the name of the switch policy. page 8-284
restrictedchannel Select a radio type to configure restricted channels. page 8-285
set adoptionList Adds/removes an entry to/from the access port adoption-inclusion and page 8-285
adoption-exclusion lists.
set Configure various parameters for the switch policy (name, description, country page 8-286
code, channel, power, AP policy, Ethernet policy, DS co-existence).
show Display available switch policy instance details. page 8-287
8.56.1 description
Switch Policy Instance
Set description text.
Syntax
Parameters
description_text Brief description of the switch policy instance.
Example
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]> description Sample descrn
Status : Success.

----------------------------
Description : Sample description
Country : None


8.56.2 edit
Edit adoption list entry to include or exclude a radio type. Same as “include” and “exclude” options within the
set adoptionList command.
Syntax
edit include <old_radio_type> <start_MAC> [<end_MAC>] <app_name | remove>
edit exclude <old_radio_type> <start_MAC> [<end_MAC>] [remove]
Parameters
old_radio_radio The radio type that this list applies to. Valid values are: A, B, G, or FH (case-insensitive).
For exclude, ALL is also a valid value.
start_MAC, end_MAC Identifies the access ports that are part of this list entry. If end_MAC is excluded, the
entry consists of the AP identified by start_MAC; otherwise, the entry contains all APs
between start_MAC and end_MAC.
app_name The access port policy used when an AP is adopted.
remove Removes the entry from the list. To remove an address range, you need only supply the
starting address.
Example
8.56.3 name
Set or change the name of the switch policy. Same as when “name” parameter is used with the set command.
Syntax
name <new_name>
Parameters
new_name New name to set or change the switch policy name to.
Example
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]> name newname
Configuring name...
Status : Success.
WS5000.(Cfg).SPolicy.[newname]>
8.56.4 restrictedchannel
Changes the prompt to the Restricted Channel context, where channels that cannot be chosen by Automatic
Channel Selection for a particular radio type can be specified.
See Restricted Channel Instance on page 8-289 for more details.
Syntax
restrictedchannel <radio_type>
Parameters
radio_type Type of radio to configure restricted channels for. Valid values are a, b, g, for 802.11a,
802.11b, or 802.11g, respectively.
Example
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]> restrictedchannel A
Radio Restricted Ch. Description

----- -------------- -----------
A 153
A 46
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy].Restricted.[A]>
8.56.5 set adoptionList

Adds/removes an entry to/from the access port adoption-inclusion and adoption-exclusion lists. APs that are
in the inclusion list are adopted through a specified access port policy. APs in the exclusion list are never
adopted.
This command to also used to set the default action (adopt or not) for APs that are in neither list.
APs are identified by MAC address. Each entry in either listed as a single MAC address or a range of MAC
addresses.
The adoption lists are based on radio type. There is a different list for each radio type: 802.11a, 802.11b,
802.11g, and frequency hopping radios. In addition, the switch policy contains a master adoption list that is
applied to all radios.
Syntax
set adoptionList <radio> include <start_MAC> [<end_MAC>] <app_name | remove>
set adoptionList <radio> exclude <start_MAC> [<end_MAC>] [remove]
set adoptionList <radio> default allow <app_name>
set adoptionList <radio> default deny [traps <enable | disable>]
Parameters
radio The radio type that this list applies to. Valid values are: A, B, G, or FH (case-insensitive).
For exclude, ALL is also a valid value.
start_MAC, end_MAC Identifies the access ports that are part of this list entry. If end_MAC is excluded, the
entry consists of the AP identified by start_MAC; otherwise, the entry contains all APs
between start_MAC and end_MAC.
app_name The access port policy used when an AP is adopted.
remove Removes the entry from the list. To remove an address range, you need only supply the
starting address.
traps <enable | disable> If the default action is deny, you can ask to have the apAdoptFail SNMP trap sent when
an unknown AP asks to be adopted. Pass enable to ask for the trap, and disable to ask
that the trap not be sent. By default the trap is sent.
Example
8.56.6 set
Configures the switch policy. Adds or removes an access port policy to or from the switch policy.
Syntax
set <attribute> <value> [remove]
Parameters
attribute and value Description
adoptionList See set adoptionList on page 8-285.
apPolicy name [remove] Adds or removes the named Access Port Policy to/from the Switch Policy’s list
of AP Policies.
channel <integer> Sets the default channel. The set of candidate channel numbers depends on
the country code setting.
countryCode <ISO_3166_code> Sets the country code. The switch won’t adopt Access Ports until the country
is set.
IMPORTANT! IT IS THE RESPONSIBILITY OF THE SWITCH
! OWNER TO CORRECTLY SET THE COUNTRY CODE. AN

INCORRECT COUNTRY SETTING CAN CAUSE THE SWITCH TO
USE ILLEGAL BROADCAST SETTINGS.
attribute and value Description
dsCoexistence <enable_flag> Frequence hopping/direct sequence (FH/DS) coexistence. With coexistence

enabled, the access port divides the frequency spectrum such that FH devices
use one portion, and DS devices use the other. Possible values are: enable or
disable.
Note: FH/DS co-existence isn't legal in all countries.

The dsCoexistence attribute is always turned off in
these countries.
description <description_text> Brief descriptive text to identify the switch policy.
etherPolicy <etherpolicy_name> Sets the switch policy’s active ethernet policy
name <SwitchPolicyName> Sets the switch policy’s name.
power <power_setting> <radio_type> Sets the power, in milliWatts, for the specified 802.11x radio type. Valid
power settings are in the range 4 through 20.
Valid radio types are a, b, g, for 802.11a, 802.11b, or 802.11g respectively.
8.56.7 show
Display details about the switch policy instance, or other entities if specified in the command.
Syntax
show accessports Display access port details
show restrictedchannels Display the restricted channels
Parameters
None.
Example
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]> show
----------------------------
Description : Switch Policy with Default Settings
Country : None

Default Adoption action for FH : Adopt FH with APPolicy Default Access Port Py
Default Adoption action for .11g : Adopt .11g with APPolicy Default Access Porty
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]>
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]> show interfaces


------------ --------- ---------- ---- ------
g_name 00:04:E2:5E:B5:3A 00:04:E2:5E:B5:3A FH Unavailable

Ethernet 1
Ethernet 2
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]>

WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy]> show channelinfo
Generating country/channel tables. Please wait for few seconds...

------------ ---- ----------------------------
A Ch: 149,153,157,161
A Ch: 36,40,44,48,52,56,60,64,149,153,11
A Ch: 36,40,44,48,52,56,60,64,100,104,10
A Ch:
A Ch:
A Ch: 36,40,44,48,52,56,60,64
A Ch: 149,153,157,161
A Ch:
A Ch: 36,40,44,48,52,56,60,64,149,153,11
8.57 Restricted Channel Instance

Restricted Channel is a subcontext of a Switch Policy instance.
There are three Restricted Channel instances, one for each of the three 802.11x radio types. You drop into an
instance by invoking restrictedchannel command from a Switch Policy instance.
Restricted channels are removed from the set of channels that can be chosen during Automatic Channel
Selection (ACS).
Table 8.62 Classifier Instance Context Command Summary
add Add a channel to the restricted list. page 8-289
remove Remove a channel from the restricted list. page 8-290
show Display available restricted channel instance details. page 8-290
8.57.1 add
Restricted Channel Instance
Add a channel to the list of restricted channels. Use show channelinfo to see a list of channels for the radio
type for which instance you are in.
Syntax
add channel [optional_description]
Parameters
channel_num The channel that you want to restrict. The set of valid channel numbers depends on the
country setting and radio type.
description Optional description that explains why the channel is restricted.
Example
WS5000.(Cfg).SPolicy.[Name].Restricted.[Radio]> add channel 153
Adding 153 to the restricted list...
Status: Success.
WS5000.(Cfg).SPolicy.[Name].Restricted.[Radio]>
8.57.2 remove
Restricted Channel Instance
Remove a channel from the list of restricted channels, thus making it available for use during Automatic
Channel Selection.
Syntax
remove <channel_num>
Parameters
channel_num The channel that you want to “unrestrict”. The set of valid channel numbers depends on
the country setting and radio type.
Example
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy].Restricted.[A]> remove 153
Removing 153 from the restricted list...

Status : Success.
8.57.3 show
Display restricted channel details.
Syntax
show
or
show <attribute>
Parameters
channelInfo Display a list of country codes and the channels each country supports. If channelInfo is
not used, a list of restricted channels is displayed.
Example
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy].Restricted.[A]> show
Radio Restricted Ch. Description

----- -------------- -----------
A 153
A 46
WS5000.(Cfg).SPolicy.[Default Wireless Switch Policy].Restricted.[A]>

8.58 Telnet Context

You can use telnet to access the CLI and/or to configure the on-board KDC. The Telnet context provides
commands to configure (enable or disable) telnet access.
Table 8.63 Telnet Context Command Summary
enable Enable the port/telnet service. page 8-291
disable Disable the port/telnet service. page 8-292
set Configure telnet services, such as enabling/disabling for configuration to be done page 8-292
via the KDC.
8.58.1 enable
Telnet Context
Enable the port/service on the switch to enable Telnet configuration through the CLI.
Syntax
enable
Parameters
None.
Example
WS5000.(Cfg).Telnet> enable
Enabling...
Status : Success.

8.58.2 disable
Telnet Context
Disable the port/service on the switch to enable Telnet configuration via the CLI.
Syntax
disable
Parameters
None.
Example
WS5000.(Cfg).Telnet> disable
WARNING: This will disable all remote (CLI) access to the switch.
Do you want to continue (yes/no)? : n
8.58.3 set
Telnet Context
WS5000.(Cfg).Telnet> set kdcConfig
Enables or disables on-board KDC configuration through telnet.
Syntax
set <attribute>
Parameters
kdcConfig <enable_flag> Enable or disable whether KDC configuration can be performed via Telnet connections.
Possible values are: enable, disable.
Example
WS5000.(Cfg).Telnet> set kdcconfig enable
Status : Success.

Telnet access (CLI) : Enable.
WS5000.(Cfg).Telnet> set kdcconfig disable

Status : Success.

KDC configuration over remote console : Disable.
8.58.4 show
Telnet Context
Display Telnet-related details based on the attribute used with the command.
Syntax
show
or
show <attribute>
Parameters
(none) Display statistics about the current telnet session.
configAccess Display the permissibility of configuring the system and the KDC through telnet and
SNMP.
ssh Display information about the ssh configuration. See SSH (Secure Shell) Context for
more details.
Example
WS5000.(Cfg).Telnet> show

WS5000.(Cfg).Telnet> show configaccess

WS5000.(Cfg).Telnet> show ssh

---------------------------
SSH Status : Disabled
Version : V2
Port : 22
8.59 Tunnel Context

Table 8.64 Tunnel Context Command Summary
Commands Brief Description Ref.
tunnel Select a Tunnel to configure page 8-295
8.59.1 show
Tunnel Context
Display Tunnel-related details based on the attribute used with the command.
Syntax
show
or
show tunnels
Parameters
tunnel Displays the tunnel details
Example
WS5000.(Cfg).Tunnel> show
Tunnel Details...

----------- ------------------
1. tunnel1 1.1.1.1
2. tunnel2 2.2.2.2
3. tunnel3 3.3.3.3
WS5000.(cfg).Tunnel>
8.59.2 tunnel
Tunnel Context
Syntax
tunnel
or
tunnel <attribute>
Parameters
Name Name of the GRE tunnel
Description Description provided for the GRE tunnel
Mode GRE
State Active or inactive
Remote IP Address IP Address of the Tunnel EndPoint
Time To Live Time To Live.(1-255)
Keepalive Keepalive timer of the Tunnel.(0-5)
Example
WS5000.(Cfg).Tunnel> tunnel
Tunnel details...
Name : tunnel1
Description : tunnel one
Mode : GRE
State : active
Remote IP Address : none
Time To Live : 255
Keepalive : 0
WS5000.(Cfg).Tunnel>
8.60 Tunnel Instance

Table 8.65 Tunnel Instance Command Summary
Commands Brief Description Ref.
set Configure the tunnel setting page 8-296
8.60.1 set
Tunnel Instance
Sets the value of an attribute of this tunnel instance.
Syntax
set <config_parameter>, <parameter_value>
set remote_ip <new_remote_ip/none>
where
config_parameter Tunnel parameter to be cofigured.
parameter_value Value for the Tunnel parameter.
Parameters
remote_ip Change IPaddress of the Tunnel EndPoint
ttl Change Time To Live. Value ranges from 1-255
keepalive Change Keepalive timer of the tunnel. Value ranges from 0-5
Example
WS5000.(Cfg).Tunnel.[tunnel1]> set remote_ip 1.1.1.1
Configuring Tunnel Settings...

Status: Success.
Tunnel details...
Name : tunnel1
Mode : GRE
State : active
Remote IP Address : 1.1.1.1
Time To Live : 255

Keepalive : 0
Clear IP DF : disable
WS5000.(Cfg).Tunnel.[tunnel1]>
8.60.2 show
Tunnel Instance
Syntax
show
or
show <attribute>
Parameters
tunnel displays the tunnel details.
Example
WS5000.(Cfg).Tunnel.[tunnel1]> show
Tunnel details...
Name : tunnel1
Mode : GRE
State : active
Remote IP Address : 1.1.1.1
Time To Live : 255
Keepalive : 0
Clear IP DF : disable
WS5000.(Cfg).Tunnel.[tunnel1]>
8.61 User Context

The user context is where users privileges are specified for particular users of the system. Users are added,
removed, and configured via the User Context. Privileges that a specific user can have are categorized as
follows:
• Policy Administration
• SNMP Administration
• Security Administration
• System Administration
After a user is added, administration privileges are configured via that specific user’s instance command
options -- namely the allow command.
Table 8.66 User Context Command Summary
add Add a new user to the switch. page 8-299
remove Remove a user from the switch. page 8-299
user Select a user to configure (and drop into specified user instance). page 8-300

8.61.1 add
User Context
Adds a new user to the switch. You are prompted to provide and then confirm the new user’s password.
Syntax
add <user_name>
Parameters
user_name The name (login) of the new user. The name can be 6 to 20 characters long.
Example
WS5000.(Cfg).User> add mktgmgr
Enter User Password (6 - 20 characters) : ******
Re-Enter User Password (6 - 20 characters) : ******
Adding user...
Status: Success.
User information
Available Users:
1. admin.
2. efeaheny.
3. mktgmgr.
User information
User Name : mktgmgr

Policy Administration : false
SNMP Administration : false
Security Administration : false
System Administration : false
WS5000.(Cfg).User.[mktgmgr]>
8.61.2 remove
User Context
Removes an existing user from the switch.
Syntax
remove <user_name>
Parameters
user_name The name the user to be removed.
Example
WS5000.(Cfg).User> remove mktgmgr
Removing user...
Status: Success.
User information
Available Users:
1. admin.
2. techsupport.
WS5000.(Cfg).User>
8.61.3 user
User Context
Select a user to configure and drop into specified user instance context.
Syntax
user <user_name>
Parameters
user_name The user name of the user to be configured.
Example
WS5000.(Cfg).User> user admin
User information
User Name : admin

Policy Administration : true
SNMP Administration : true
Security Administration : true
System Administration : true
WS5000.(Cfg).User.[admin]>
8.61.4 show
User Context
Display a summary of all available users within the system, or details about a specific user, if specified.
Syntax
show
or
show <user_name>
Parameters
user_name User name for which details will be displayed. If no user name parameter, then display
a summary of all available users in the system.
Example
WS5000.(Cfg).User> show
User information
Available Users:
1. admin.
2. techsupport.
WS5000.(Cfg).User> show admin

User information
User Name : admin


WS5000.(Cfg).User>
8.62 User Instance

Table 8.67 User Instance Context Command Summary
allow Grant specific user permissions. page 8-303
deny Deny specific user permissions. page 8-303
password Change the user password. page 8-303
show Display details regarding the user instance. page 8-304

8.62.1 allow
User Instance
Sets the list of subsystems that you can configure.
Syntax
allow <subsystem1> [<subsystem2>] [...]
Parameters
subsystemN The subsystem that you can configure with one or more of the following possible values:
• all
• default
• system
• policy
• security
• SNMP
Example
WS5000.(Cfg).User.[Name]> allow system policy security
8.62.2 deny
User Instance
WS5000.(Cfg).User.[Name]> deny
Sets the list of subsystems that you cannot configure.
Syntax
deny <subsystem1> [<subsystem2>] [...]
Parameters
subsystemN The subsystem that you cannot configure with one or more of the following possible
values:
• all
• default
• system
• policy
• security
• SNMP
Example
WS5000.(Cfg).User.[Name]> deny SNMP policy security
8.62.3 password
User Instance
Set the user password. You are prompted to provide a new password and then confirm the new password.
Syntax
password
Parameters
None.
Example
WS5000.(Cfg).User.[admin]> password
Enter new password : ******
Confirm new password : ******
Changing user password... done.
8.62.4 show
User Instance
Show the details of the user instance.
Syntax
show
Parameters
None.
Example
WS5000.(Cfg).User.[admin]> show
User information
User Name : admin

8.63 WLAN Context

Table 8.68 WLAN Context Command Summary
add Add a new WLAN to the system. page 8-306
remove Remove a WLAN from the system. page 8-306
show Display available WLAN details. page 8-307
wlan Select a WLAN to configure. page 8-307

8.63.1 add
WLAN Context
Creates and adds a new WLAN instance.
Syntax
add <WLAN_name>
Parameters
WLAN_name The name to be given to the WLAN (instance).
Example
WS5000.(Cfg).WLAN> add EastCoastWLAN 124
Adding WLAN...
Status: Success.

--------- ----- ---------------
WLAN_NE 111 Default
EastCoastWLAN 124 Default
WLAN details...
Name : Symbol Default
ESSID # : 101
Description : Default WLAN
Security Policy : Default
WLAN Auth. Status : Authenticated
Kerberos auth. name : 101
ACL Attached : None
Accept any ESSID : Disable
Secured Beacon : Disable
Mu Traffic : MU to MU Allow
Current MUs : 0
Default Route : 0.0.0.0
Network Mask : 0.0.0.0
WME Enabled : Disabled
WME Profile : Default MU WME Profile
WS5000.(Cfg).WLAN.[EastCoastWLAN]>
8.63.2 remove
WLAN Context
Removes a WLAN from the system
Syntax
remove <name>
Parameters
name The name of the WLAN instance that is to be removed.
Example
WS5000.(Cfg).WLAN> remove <WLAN_name>
8.63.3 show
WLAN Context
Display summary details about all available WLAN instances, or specific details about a WLAN instance if the
instance is called out as a parameter.
Syntax
show
or
show [WLAN_name]
Parameters
WLAN_name When a WLAN_name is indicated, details about that WLAN instance is shown.
Otherwise, with no parameter, a summary list of all WLAN instances is shown.
Example
WS5000.(Cfg).WLAN> show

--------- ----- ---------------
WS5000.(Cfg).WLAN>
or
WS5000.(Cfg).WLAN> show "Secure Access"
WLAN details...
Name : Secure Access
ESSID # : secure
Security Policy : Kerberos Default
WLAN Auth. Status : Not-Authenticated
ACL Status : Disabled
ACL Attached : None
Accept any ESSID : Enable
Broadcast Encryption : Wep128(11a), Wep128(11b/11g), Wep128(FH)
Current MUs : 0
WS5000.(Cfg).WLAN>
8.63.4 wlan
WLAN Context
Syntax
wlan <name>
Parameters
name The name of the WLAN instance.
Example
WS5000.(Cfg).WLAN> wlan "Secure Access"
WLAN details...
Name : Secure Access
ESSID # : secure
Security Policy : Kerberos Default
WLAN Auth. Status : Not-Authenticated
ACL Attached : None
Accept any ESSID : Enable
Broadcast Encryption : Wep128(11a), Wep128(11b/11g), Wep128(FH)
Current MUs : 0
WS5000.(Cfg).WLAN.[Secure Access]>
8.64 WLAN Instance

Table 8.69 WLAN Instance Context Command Summary
name Set or change the name of the WLAN instance. page 8-310
set Configure the WLAN instance. Configurable parameters include name, ESSID, page 8-310
description, security, Kerberos name, MU acl, acl, broadcast ESS, secured beacon,
MU traffic, maximum MUs, default route.
show Display details for the WLAN instance. page 8-311
8.64.1 description
WLAN Instance
Set description text.
Syntax
Parameters
description_text String of text that briefly describes the WLAN instance.
Example
WS5000.(Cfg).WLAN.[Symbol Default]> description “Sample description text”
Status : Success.
WLAN details...
ESSID # : 101
Description : Sample description text
ACL Attached : None

Broadcast Encryption : Open(11a), Open(11b/11g), Open(FH)
Current MUs : 0
WS5000.(Cfg).WLAN.[Symbol Default]>
8.64.2 name
WLAN Instance
Changes the name of the WLAN instance.
Syntax
name <new_name>
Parameters
new_name The new name of the WLAN instance.
Example
WS5000.(Cfg).WLAN.[Name]> name new_name
8.64.3 set
WLAN Instance
Sets the value of an attribute of this WLAN instance.
Syntax
Parameters
attribute <value> Description
acl <acl_name/none> Sets the WLAN’s Access Control List. See Access Control List (ACL) Context
for more details.
securedbeacon <enable_flag> Enable or disable the secured beacon. Possible values are: enable, disable.
defaultroute <IP_address> Sets the IP address of the WLAN’s default route.
description <description_text> Sets the WLAN instance’s informational description.
essID <ESSID> Sets the ESSID.
kerberosname <kerberos_auth_name> Sets the Kerberos authentication name.
maxmus <1 - 4096> Sets the maximum number of Mobile Units that may be asssociated through
this WLAN.
muacl <enable_flag> Enable or disable the WLAN’s Access Control List. Possible values are:
enable, disable.
mutraffic <allow_flag> Specifies what to do with mobile unit traffic passed through the switch.
Possible values are: allow, disallow, drop.
name <new_name> Sets the name of the WLAN instance.
security <security_policy_name> Sets the Security policy that’s applied to this WLAN.
broadcastess <enable_flag> Enable or disable broadcast ESS. Possible values are: enable, disable.
Example
8.64.4 show
WLAN Instance
Show details about the WLAN instance.
Syntax
show wlan Display WLAN details
Parameters
None.
Example
WS5000.(Cfg).WLAN.[Symbol Default]> show
WLAN details...
ESSID # : 101
Description : Sample description text
ACL Attached : None
Broadcast Encryption : Open(11a), Open(11b/11g), Open(FH)
Current MUs : 0
WS5000.(Cfg).WLAN.[Symbol Default]>
8.65 WME Context

Table 8.70 WME Context Command Summary
add Add a new WME Profile to the system. page 8-313
remove Remove a WME from the system. page 8-314
show Display available WME details. page 8-314
wme Select a WME Profile to configure. page 8-314

8.65.1 add
WME Context
Creates and adds a new WME Profile to the instance.
Syntax
add <WME_ProfileName>
Parameters
WME_ProfileName The name to be given to the WME Profile
Example
WS5000.(Cfg).WME> add symbol3
# of params = 1
param #0 = symbol3
Adding WME...
Status: Success.
WME Profile Name

----------------
3. symbol1
4. symbol2
5. symbol3
WME Profile Details

-------------------
Name : symbol3
Description :
eCWMin [VO/AC1] : 2
eCWMax [VO/AC1] : 3
Txop Lim [VO/AC1] : 102/[b] 47/[a/g]
AIFSN [VO/AC1] : 2
eCWMin [VI/AC2] : 3
eCWMax [VI/AC2] : 4
Txop Lim [VI/AC2] : 188/[b] 94/[a/g]
AIFSN [VI/AC2] : 2
eCWMin [BE/AC3] : 4
eCWMax [BE/AC3] : 10
Txop Lim [BE/AC3] : 0/[b] 0/[a/g]
AIFSN [BE/AC3] : 3
eCWMin [BK/AC4] : 4
eCWMax [BK/AC4] : 10
Txop Lim [BK/AC4] : 0/[b] 0/[a/g]
AIFSN [BK/AC4] : 7
QoS Param Info : 19
WS5000.(Cfg).WME.[symbol3]>
8.65.2 remove
WME Context
Removes a WME from the system
Syntax
remove <wmeProfileName>
Parameters
wmeProfileName The name of the WME instance that is to be removed.
Example
WS5000.(Cfg).WME> remove symbol2
Removing WME Profile...

Status: Success.
WS5000.(Cfg).WME>
8.65.3 show
WME Context
Display summary details about all available WME profiles.
Syntax
show
or
show wme
Parameters
None.
Example
WS5000.(Cfg).WME> show
WME Profile Name

----------------
3. symbol1
4. symbol3
WS5000.(Cfg).WME>
8.65.4 wme
WME Context
Syntax
wme <wme_profile_name>
Parameters
wme_profile_name The name of the WME Profile.
Example
WS5000.(Cfg).WME> wme symbol1
WME Profile Details

-------------------
Name : symbol1
Description :
eCWMin [VO/AC1] : 2
eCWMax [VO/AC1] : 3
Txop Lim [VO/AC1] : 102/[b] 47/[a/g]
AIFSN [VO/AC1] : 2
eCWMin [VI/AC2] : 3
eCWMax [VI/AC2] : 4
Txop Lim [VI/AC2] : 188/[b] 94/[a/g]
AIFSN [VI/AC2] : 2
eCWMin [BE/AC3] : 4
AIFSN [BE/AC3] : 3
eCWMin [BK/AC4] : 4
AIFSN [BK/AC4] : 7
QoS Param Info : 19
8.66 WME Instance

Table 8.71 WME Instance Context Command Summary
.. or end Terminate a current session and moves up a context, hierarchically.
exit Terminate a current session and returns to the “root” prompt.
? or help Get the command information.
logout or bye Close this session.
clear Clear the screen.
emergencymode Enable or disable Emergency mode.
description Set description text.
name Set or change the name of the WME Profile.
set Configure the WME Profile.
Configurable parameters include name, ESSID, description, security, Kerberos

name, MU acl, acl, broadcast ESS, secured beacon, MU traffic, maximum MUs,
default route.
show Display details for the WME Profile.
8.66.1 description
WME Instance
Set description text to the policy or item in the selected context.
Parameters
description_text String of text that briefly describes the WME Profile.
Example
WS5000.(Cfg).WME.[symbol1]> description <Sample Text for Symbol1>
Status : Success.
WME Profile Details

-------------------
Name : symbol1
Description : <Sample Text for Symbol1>
eCWMin [VO/AC1] : 2
eCWMax [VO/AC1] : 3
Txop Lim [VO/AC1] : 102/[b] 47/[a/g]
AIFSN [VO/AC1] : 2
eCWMin [VI/AC2] : 3
eCWMax [VI/AC2] : 4
Txop Lim [VI/AC2] : 188/[b] 94/[a/g]
AIFSN [VI/AC2] : 2
eCWMin [BE/AC3] : 4
AIFSN [BE/AC3] : 3
eCWMin [BK/AC4] : 4
AIFSN [BK/AC4] : 7
QoS Param Info : 19
8.66.2 name
WME Instance
Changes the name of the WME Profile.
Syntax
name <name>
Parameters
name The new name of the WME Profile.
Example
WS5000.(Cfg).WME.[symbol3]> name <symbol3>
Configuring name...
Status : Success.
WS5000.(Cfg).WME.[<symbol3>]>
8.66.3 set
WME Instance
Sets the value of an attribute of this WME Profile.
Syntax
set <ac> <configParam> <value>
Parameters
ac Sets the AC to be configured. It can be either of the following:

• ac1 | vo
ac2 | vi
• ac3 | be
• ac4 | bk
configParam Sets the WME parameter to be configured.
value Sets the value for the WME parameter.
8.66.4 show
WME Instance
Show details about the WME Profile.
Syntax
Parameters
display_parameter Display WME Profile details.
Example
WS5000.(Cfg).WME.[symbol1]> show
WME Profile Details

-------------------
Name : symbol1
Description : <Sample Text for Symbol1>
eCWMin [VO/AC1] : 2
eCWMax [VO/AC1] : 3
Txop Lim [VO/AC1] : 102/[b] 47/[a/g]
AIFSN [VO/AC1] : 2
eCWMin [VI/AC2] : 3
eCWMax [VI/AC2] : 4
Txop Lim [VI/AC2] : 188/[b] 94/[a/g]
AIFSN [VI/AC2] : 2
eCWMin [BE/AC3] : 4
AIFSN [BE/AC3] : 3
eCWMin [BK/AC4] : 4
AIFSN [BK/AC4] : 7
QoS Param Info : 19
8.67 WVPN Context

The commands mentioned under this context are used to configure system WVPN settings. Table 8.72
summarizes the commands within this context. Common commands between multiple contexts are described
in further detail in the Common Commands section.
Table 8.72 WVPN Context Command Summary
auth Configure authentication settings. page 8-319
cert Configure certicate settings. page 8-320
ddns Configure DDNS settings. page 8-321
directory Display the uploaded WVPN files from local repository. page 8-321
disable Disable the WVPN service. page 8-322
enable Enable the WVPN service. page 8-322
ip_pools Configure ip pool settings. page 8-323
rt See VPN runtime session info. page 8-323
set Configure WVPN general attributes. page 8-324
wtls Configure system WTLS settings. page 8-326
8.67.1 auth
WVPN Context
This command is used to configure authentication settings.
Syntax
auth
Parameters
None
Example
WS5000.(Cfg).wvpn> auth
Authentication Management:
Simple authentication: : Enabled

Simple user name: :

Simple password: : ******
Simple domain: :
RADIUS authentication: : Disabled
Primary Host: : Unset
Primary Port: : 1645
Primary Retry: : 2
Primary Timeout: : 5 ms
Primary User Password: : Unset
Primary Secret: : Unset
Secondary Host: : Unset
Secondary Port: : 1645
Secondary Retry: : 2
Secondary Timeout: : 5 ms
Secondary User Password: : Unset
Secondary Secret: : Unset
LDAP authentication: : Unavailable
Local database authentication: : Unavailable
WS5000.(Cfg).wvpn.auth>
Authentication is of 2 types: Simple and Radius.

Example : Simple Authentiction
WS5000.(Cfg).wvpn.auth> simple
Simple Authentication Settings : Disable
Simple user name: :

Simple domain: :
Example: Radius Authentication
RadiusWS5000.(Cfg).wvpn.auth> radius
RADIUS authentication status : Enable
Server Host Name/IP Port Retry Timeout Secret User Password

------ ------------ ---- ----- ------- ------ -------------
Primary 192.168.1.2 1812 3 5 ms ****** ******
Secondary Unset 1645 2 5 ms ****** ******
8.67.2 cert
WVPN Context
This command is used to configure certificate settings. This command changes the context to cert. For details
of cert context see cert Instance on page 8-327
Syntax
cert
Parameters
None
Example
WS5000.(Cfg).wvpn> cert
Certificate Management:
Index Serial Number Issuer Keylen Valid

------------------------------------------------------------------
1 1434020001 OU=CA ; O=Symbo 1024 5Apr2005 to 6Apr2010

------------------------------------------------------------------
1 ServerCert OU=CA ; O=Symbo 1024 5Apr2005 to 6Apr2010
WS5000.(Cfg).wvpn.cert>
8.67.3 ddns
WVPN Context
This command is used to configure DDNS settings.This command changes the context to ddns. For details of
cert context see ddns Instance on page 8-332
Syntax
ddns
Parameters
None
Example
WS5000.(Cfg).wvpn> ddns
DDNS Settings:
DNS Enable : true

Time to Live (ttl) : 50%
Cleanup Timeout : 5
Forward Zone : forward.update.net
Reverse Zones : 1. 1.168.192.in-addr.arpa.
DNS Servers : 1. 192.168.1.1
WS5000.(Cfg).wvpn.ddns>
8.67.4 directory
WVPN Context
This comand is used to display the uploaded WVPN files from local repository.
Syntax
dir
Parameters
None
Example
WS5000.(Cfg).wvpn> dir
total 1
-rw-r--r-- 1 nobody root 429 Jan 18 13:55 CA_WVPN.cer
WS5000.(Cfg).wvpn>
8.67.5 disable
WVPN Context
This command is used to disable the interface/service in CC.
Syntax
disable
Parameters
None
Example
WS5000.(Cfg).wvpn> disable
Disabling...
Status : Success.
WVPN Management:

WS5000.(Cfg).wvpn>
8.67.6 enable
WVPN Context
This command is used to enable the interface/service.
Syntax
enable
Parameters
None
Example
WS5000.(Cfg).wvpn> enable
Enabling...
Status : Success.
WVPN Management:

WVPN Status : Started

WS5000.(Cfg).wvpn>
8.67.7 ip_pools
WVPN Context
This command is used to configure ip pools.This command changes the context to ip_pools. For details of cert
context see 8.70 ip pools Instance on page 338
Syntax
ip_pools [pool_name]
Parameters
pool_name The ip pool that you wish to configure for the WVPN.
Example
WS5000.(Cfg).wvpn> ip
WVPN IP Pools:
DHCP Enabled : no
Use DHCP Gateway : no
Available Pools:
1. Default.
WS5000.(Cfg).wvpn.ip_pools>
8.67.8 rt
WVPN Context
This command is used to see VPN runtime session info. This command changes the context to rt. For details
of cert context see 8.71 rt Instance on page 344
Syntax
rt
Parameters
None
Example
WS5000.(Cfg).wvpn> rt
1 VPN sessions
'*' indicates inactive VPN tunnel.
Session VPN IP Real IP MAC Addr User Class

------- --------------- --------------- ----------------- ---------------
1 192.168.1.100 10.1.1.60 00:a0:f8:65:f5:81
WS5000.(Cfg).wvpn.rt>
8.67.9 set
WVPN Context
This command is used to configure WVPN Management attributes.
Syntax
set <parameter> <value>
Parameters
restart Restart WVPN.
licensefile Installs/upgrades WVPN session license file.
debug Enable WVPN debug support.
sport Sets IP port number to listen on for client VPN requests.
session_timeout Unused session timeout (seconds).
dosSupport Enable DOS support - enables use of Reliable UDP.
dosPort Reliable UDP port.
clientKeepAlive Reliable UDP keep alive time (seconds).
Example
WS5000.(Cfg).wvpn> set session_timeout 150
Configuring WVPN ....

Status : Success.
WVPN Management:

WS5000.(Cfg).wvpn>
8.67.10 show
WVPN Context
This command displays the details about the WVPN specific attributes like — Auth general settings, installed
certificates, DDNS settings, pool information, VPN session details, VPN runtime summary, WTLS general
settings and WVPN general settings.
Syntax
show
show auth
show certs
show ddns
show ip_pools
show session
show sessions
show wtls
show wvpn
Parameters
auth Display Auth general settings.
certs Display installed certificates.
ddns Display DDNS settings.
ip_pools Display pool information.
session Display VPN session details.
sessions Display VPN runtime summary.
wtls Display WTLS general settings.
wvpn Display WVPN general settings.
Example
WS5000.(Cfg).wvpn> show auth
Authentication Management:
Simple authentication: : Enabled

Simple user name: :
Simple domain: :
RADIUS authentication: : Disabled
Primary Host: : Unset
Primary Port: : 1645
Primary Retry: : 2
Primary Timeout: : 5 ms
Primary User Password: : Unset
Primary Secret: : Unset
Secondary Host: : Unset
Secondary Port: : 1645
Secondary Retry: : 2
Secondary Timeout: : 5 ms
Secondary User Password: : Unset
Secondary Secret: : Unset
LDAP authentication: : Unavailable
Local database authentication: : Unavailable
WS5000.(Cfg).wvpn>
8.67.11 wtls
WVPN Context
This command is used to configure system WTLS settings.This command changes the context to wtls. For
details of cert context see 8.72 wtls Instance on page 347
Syntax
wtls
Parameters
None
Example
WS5000.(Cfg).wvpn> wtls
WTLS Settings:
Server number: : 1
Cipher: : AES128
MAC: : SHA_160
WS5000.(Cfg).wvpn.wtls>
8.68 cert Instance

WVPN Context
This context is an instance of WVPN context.Table 8.73 summarizes the commands within this context.
Common commands between multiple contexts are described in further detail in the Common Commands
section.
Table 8.73 cert Instance Command Summary
directory Display the uploaded WVPN files from local repository. page 8-327
dump cert Dump contents of specified certificate file. page 8-328
import Import Certificates from local repository. page 8-328
purge Deletes a certificate file from the local repository. page 8-329
remove Remove installed Certificates. page 8-329
show Display installed certificate attributes. page 8-330
tftpImport Download & Import Certificates from remote location. page 8-330
8.68.1 directory
cert Instance
Display the uploaded WVPN files from local repository.
Syntax
directory
Parameters
None
Example
WS5000.(Cfg).wvpn.cert> dir
total 1
-rw-r--r-- 1 nobody root 429 Jan 18 13:55 CA_WVPN.cer
8.68.2 dump cert

cert Instance
This is used to view the contents of the certificate.
Syntax
dump cert <value>
Parameters
value The certificate filename that you want to view.
Example
WS5000.(Cfg).wvpn.cert> dump cert CA_WVPN.cer
Certificate Information:
Serial number: 1434020001

Issuer: OU=CA ; O=Symbol India - WID; C=IN; CN=WS5000; E=balasubk@symbol.com; SN
=1434020001
Subject: OU=CA ; O=Symbol India - WID; C=IN; CN=WS5000; E=balasubk@symbol.com; S
N=1434020001
Valid From: 20050405183000Z
Valid To: 20100406182959Z
Key length: 1024
8.68.3 import
cert Instance
This command is used to install certificates.
Syntax
import caCert <caCertFile>
import serverCert <serverPkcs12KeyFile> <passwd> [<serverCertFile>]
Parameters
caCert Used to install a CA certificate file.
CaCertFile The CA certificate file that you want import and install.
serverCert Used to install a server certificate file.
serverPkcs12KeyFile Pkcs12 format of server certificate file.
passwd password to decrypt the Pkcs12 format server certificate file (*.pl2 file).
serverCertFile The server certificate file (*.cer file) that you want to import.
Example
WS5000.(Cfg).wvpn.cert> import ca /image/CA_WVPN.cer
Importing Certificate ....

Status : Success.

------------------------------------------------------------------

------------------------------------------------------------------
8.68.4 purge
cert Instance
This command is used to delete a certificate file from the local repository.
Syntax
purge <file_name>
Parameters
filename The name of the certificate file that you want to purge or delete.
Example
WS5000.(Cfg).wvpn.cert> purge CA_WVPN.cer
Purging CA_WVPN.cer... done.
8.68.5 remove
cert Instance
This command is used to remove installed certificates.
Syntax
remove <cert_type> [<index>]
remove caCert <index> removes CA Certificate (index required)
remove serverCert removes Server Certificate (no index used)
Parameters
cert_type This can be either of the below two:

• caCert— Removes CA certificate. You need to pass index as value.
• serverCert— Removes server certificate. You do not need to pass a value.
index Pass a index value if the cert_type is caCert.
Example
WS5000.(Cfg).wvpn.cert> remove ca 1
Removing Certificate 1...

Status : Success.

------------------------------------------------------------------
8.68.6 show
cert Instance
This command is used to view all the installed certificates information.
Syntax
show certs to see all installed certificates.
show [index] to see a installed CA certificate.
show server to see the installed server certificate.
Parameters
index Optional, this is used to see a installed CA certificate.
server This is used to see the installed server certificate.
Example
WS5000.(Cfg).wvpn.cert> show

------------------------------------------------------------------

------------------------------------------------------------------
8.68.7 tftpImport
cert Instance
This command is used to download and import certificates from remote location.
Syntax
tftpImport caCert <ipAddr> <caCertFile>
tftpImport serverCert <ipAddr> <serverPkcs12KeyFile> <passwd> [<serverCertFile>]
Parameters
caCert Used to install a CA certificate file.
ipAdd IP address of the tftp server from where the CA certificate needs to be downloaded.
aCertFile The CA certificate file that you want to import/download.
serverCert Used to install a server certificate file.

ipAddr IP address of the tftp server from where the CA certificate needs to be downloaded.
serverPkcs12keyFile Pkcs12 format of server certificate file.
passwd password to decrypt the Pkcs12 format server certificate file (*.pl2 file).
serverCertFile The server certificate file that you want to download/import.
Example
WS5000.(Cfg).wvpn.cert> tftpI CA 192.168.1.1 CA_WVPN.cer
Downloading and Importing Certificate CA_WVPN.cer...

Status : Success.

------------------------------------------------------------------

------------------------------------------------------------------
8.69 ddns Instance

WVPN Context
This context is an instance of WVPN context and is used to configure the DDNS settings. Table 8.73
in further detail in the Common Commands
Table 8.74 ddns Instance Command Summary
add Add DNS Server attributes. page 8-332
clearClientDns Clear client DNS table. page 8-333
disable Disable DDNS. page 8-334
enable Enable DDNS. page 8-334
remove Delete DNS Server attributes. page 8-335
set Configure DDNS attributes page 8-336
updateClientDns Update client DNS table. page 8-337
8.69.1 add
ddns Instance
This command is used to add DNS Server attributes.
Syntax
add <add_parameter> <value>
Parameters
add_parameter This can be either of the two:

• dnsServerAddr— This command adds a DNS server IP address to the existing list of
addresses.
• dnsReverseZone— This command adds a DNS reverse zone.
value Takes IP address of DNS server to be added as the value.
Example
WS5000.(Cfg).wvpn.ddns> add dnsServerAddr 192.168.1.3
Adding dynamicDnsSettings.addDnsAddr....
Status : Success.
DDNS Settings:
DNS Enable : true

Cleanup Timeout : 5
Reverse Zones : 1. 1.168.192.in-addr.arpa.
DNS Servers : 1. 192.168.1.1
2. 192.168.1.3
WS5000.(Cfg).wvpn.ddns> add dnsReverseZone 2.168.192.in-addr.arpa
Adding dynamicDnsSettings.addReverseZone....
Status : Success.
DDNS Settings:
DNS Enable : true

Cleanup Timeout : 5
Reverse Zones :
1. 1.168.192.in-addr.arpa.
2. 2.168.192.in-addr.arpa.
DNS Servers :
1. 192.168.1.1
2. 192.168.1.3
8.69.2 clearClientDns
ddns Instance
Use clearClientDns to clear client DNS table at DNS server.
Syntax
clearClientDns
Parameters
None
Example
WS5000.(Cfg).wvpn.ddns> clearClientDns
Sending clear command to DNS serversdynamicDnsSettings.clearClientDns....

Status : Success.
DDNS Settings:
DNS Enable : true

Cleanup Timeout : 5
Reverse Zones :
1. 1.168.192.in-addr.arpa.
2. 2.168.192.in-addr.arpa.
DNS Servers :
1. 192.168.1.1
2. 192.168.1.3
8.69.3 disable
ddns Instance
This command disables the DDNS.
Syntax
disable
Parameters
None
Example
WS5000.(Cfg).wvpn.ddns> disable
Disabling DDNS dynamicDnsSettings.update....

Status : Success.
DDNS Settings:
DNS Enable : false

Cleanup Timeout : 5
Reverse Zones :
1. 1.168.192.in-addr.arpa.
2. 2.168.192.in-addr.arpa.
DNS Servers :
1. 192.168.1.1
2. 192.168.1.3
8.69.4 enable
ddns Instance
Enable DDNS.
Syntax
enable
Parameters
none
Example
WS5000.(Cfg).wvpn.ddns> enable
Disabling DDNS dynamicDnsSettings.update....

Status : Success.
DDNS Settings:
DNS Enable : true

Cleanup Timeout : 5
Reverse Zones :
1. 1.168.192.in-addr.arpa.
2. 2.168.192.in-addr.arpa.
DNS Servers :
1. 192.168.1.1
2. 192.168.1.3
8.69.5 remove
ddns Instance
Use remove to remove DNS specific attributes.
Syntax
remove <rem_parameter> <value>
rem_parameter:
dnsServerAddr This command removes a DNS Server IP Address from
existing list of addresses. Takes IP Address of DNS
Server to be removed as the value.
dnsReverseZone This command removes a DNS reverse zone.
Parameters
rem_parameter This can be either of the two:

• dnsServerAddr— This command removes the DNS server IP address to the existing
list of addresses.
• dnsReverseZone— This command removes the DNS reverse zone.
value Takes IP address of DNS server to be removed as the value.
Example
WS5000.(Cfg).wvpn.ddns> remove dnsServerAddr 192.168.1.3
Removing dynamicDnsSettings.deleteDnsAddr....
Status : Success.
DDNS Settings:
DNS Enable : false

Cleanup Timeout : 5
Reverse Zones :
1. 1.168.192.in-addr.arpa.
2. 2.168.192.in-addr.arpa.
DNS Servers :
1. 192.168.1.1
8.69.6 set
ddns Instance
This command is used to configure DDNS management attributes.
Syntax
set <cfg_parameter> <value>
Parameters
ttl Time-To-Live.A long value indicating ttl as a percentage of unused session

timeout (0-100).
forwardZone Text string containing the forward zone to be updated.
cleanupTimeout Duration of cleanup timeout (currently locked at 5).
value A long value indicating ttl as a percentage of unused session timeout (0-100).
Example
WS5000.(Cfg).wvpn.ddns> set ttl 39
Configuring DDNS dynamicDnsSettings.ttl....

Status : Success.
DDNS Settings:
DNS Enable : false

Cleanup Timeout : 5
Reverse Zones :
1. 1.168.192.in-addr.arpa.
2. 2.168.192.in-addr.arpa.
DNS Servers :
1. 192.168.1.1
8.69.7 show
ddns Instance
This command is used to view the DDNS setting.
Syntax
show
show ddns
Parameters
ddns This is used to display the DDNS settings.
Example
WS5000.(Cfg).wvpn.ddns> show ddns
DDNS Settings:
DNS Enable : true

Cleanup Timeout : 5
Reverse Zones :
1. 1.168.192.in-addr.arpa.
2. 2.168.192.in-addr.arpa.
DNS Servers :
1. 192.168.1.1
8.69.8 updateClientDns
ddns Instance
This command is used to update client DNS table.
Syntax
updateClientDns
Parameters
None
Example
WS5000.(Cfg).wvpn.ddns> updateClientDns
Sending update command to DNS serversdynamicDnsSettings.updateClientDns....

Status : Success.
DDNS Settings:
DNS Enable : true

Cleanup Timeout : 5
Reverse Zones :
1. 1.168.192.in-addr.arpa.
2. 2.168.192.in-addr.arpa.
DNS Servers :
1. 192.168.1.1
8.70 ip pools Instance

WVPN Context
Table 8.75 ip_pools Instance Command Summary
add Add IP Address pools. page 8-338
disable Disable DHCP WVPN Service. page 8-339
enable Enable DHCP WVPN Service. page 8-339
ip_pools Select a Pool to configure. page 8-340
remove Remove IP Address pool. page 8-341
set Configure WVPN DHCP. page 8-342
8.70.1 add
ip pools Instance
This command is used to add IP Address pools.
Syntax
add pool <pool_name> <begin IP> <end IP>
Parameters
pool_name The name of the IP pool that you want to add.
begin IP The starting/first IP address of the IP pool.
end IP The last/closing IP address of the IP pool.
Example
WS5000.(Cfg).wvpn.ip_pools> add pool TestPool 192.168.1.10 192.168.1.20
Adding ....
Status : Success.
WVPN IP Pools:
DHCP Enabled : no
Available Pools:
1. Default.
2. TestPool.
8.70.2 disable
ip pools Instance
This command disable DHCP WVPN service.
Syntax
disable
Parameters
None
Example
WS5000.(Cfg).wvpn.ip_pools> disable
Disabling...
Status : Success.
WVPN IP Pools:
DHCP Enabled : no
Available Pools:
1. Default.
2. TestPool.
8.70.3 enable
ip pools Instance
This command enables the DHCP WVPN service.
Syntax
enable
Parameters
None
Example
WS5000.(Cfg).wvpn.ip_pools> enable
Enabling...
Status : Success.
WVPN IP Pools:
DHCP Enabled : yes

Use DHCP Gateway : yes
Available Pools:
1. Default.
2. TestPool.
8.70.4 ip_pools
ip pools Instance
This command issued to select a Pool to configure.
Syntax
ip_pools <pool_name_or_number> [CR]
Parameters
pool_name The name of the IP pool that you want to configure.
Example
WS5000.(Cfg).wvpn.ip_pools> ip_pools TestPool
WVPN IP Pools:
Name : TestPool
Netmask : 255.255.255.0
DHCP Server Address : 0.0.0.0
Default Gateway : 0.0.0.0
DNS Address : 0.0.0.0
WINS Address : 0.0.0.0
Domain name :
NETBIOS Node type : H-node
Reuse Address Time : 0 seconds
Number of ranges : 1
IP Ranges:
0) 192.168.1.10-192.168.1.20
WS5000.(Cfg).wvpn.ip_pools.[TestPool]>
You need to further configure the ip_pools for setting the DHCP Server Addres,Default Gateway,DNS
Address,WINS Address and Domain name mentioned in the example above. For this you have to enter
the sub context level of ip_pools. You can enter this sub-context level by either entering the ip_pool name or
the index of the ip_pools. The following are the contents of the sub-context of ip_pools:
1. To enter the sub-context of ip_pools
WS5000.(Cfg).wvpn.ip_pools> ip_pools 1
WVPN IP Pools:
Name : TestPool
Netmask : 255.255.255.0
Domain name :
IP Ranges:
0) 198.162.1.10-198.162.1.20
WS5000.(Cfg).wvpn.ip_pools.[1]>
2. Configure the DHCP Server Addres,Default Gateway,DNS Address,WINS Address and

Domain name mentioned in the above example using the set command
Syntax
Parameters
netmask The IP address of the network mask.
dhcpServer The IP address of the DHCP server.
dns The IP address of the DNS server.
defaultGateway The IP address of the default gateway.
wins The IP address of Wins.
domainName Domain name for the IP pool.
nodeType NETBIOS node type.
reuseTime Idle timeout to reuse addresses when addresses are exhausted.
Example
WS5000.(Cfg).wvpn.ip_pools.[1]> set dhcpServer 192.168.1.2
Configuring pool[1] information....

Status : Success.
WVPN IP Pools:
Name : TestPool
Netmask : 255.255.255.0
Domain name :
IP Ranges:
0) 198.162.1.10-198.162.1.20
WS5000.(Cfg).wvpn.ip_pools.[1]>
8.70.5 remove
ip pools Instance
This command is used to delete IP pools.
Syntax
remove pool <pool_name>
Parameters
pool_name The name of the IP pool that you want to remove.

Example
WS5000.(Cfg).wvpn.ip_pools> remove pool TestPool
Removing pool TestPool....

Status : Success.
WVPN IP Pools:
DHCP Enabled : no
Available Pools:
1. Default.
8.70.6 set
ip pools Instance
This command issued to configure WVPN DHCP.
Syntax
set useDhcpGateway <yes/no> [CR]
Enable/disable the DHCP Gateway (Relay) function.

Also use "enable/disable" command to enable/disable
DHCP Gateway (Relay) functionality.
Parameters
None
Example
WS5000.(Cfg).wvpn.ip_pools> set useDhcpGateway yes
Configuring WVPN DHCP ....

Status : Success.
WVPN IP Pools:
DHCP Enabled : yes

Available Pools:
1. Default.
8.70.7 show
ip pools Instance
This command is used to display the pool information.
Syntax
show ip_pools Display pool information
Parameters
ip_pools Displays the pool information.
Example
WS5000.(Cfg).wvpn.ip_pools> show ip_pools
WVPN IP Pools:
DHCP Enabled : yes

Available Pools:
1. Default.
8.71 rt Instance
WVPN Context
This context is an instance of WVPN context and is used to view the VPN runtime session information. Table
8.76 summarizes the commands within this context. Common commands between multiple contexts are
described in further detail in the Common Commands
Table 8.76 rt Instance Command Summary
Kill Kill VPN sessions page 8-344
Show Display context specific attributes page 8-345
8.71.1 Kill
rt Instance
This command is used to kill VPN sessions.
Syntax
kill<session_id>
Parameters
Session_id It can be either one of the below three:

• nn— The VPN session number.
• ipaddr— The VPN session IP address (trusted/untrusted).
• macaddr— The VPN session MAC address.
Example
WS5000.(Cfg).wvpn.rt> kill 1
Session 1:
VPN Assigned IP: 192.168.1.15

Real Client IP: 10.1.1.50
MAC Address: 00:40:96:a8:4e:38
User Class:
Logged in at: Mon Mar 6 20:09:51 2006
Last roamed at: Mon Mar 6 20:09:51 2006
Last activity at: Mon Mar 6 20:22:22 2006
Session ID: 0x21000005
Really KILL this VPN session ? (Yes/No) yes

Killing session 1...
Succeeded - Session 1 was killed
8.71.2 Show
rt Instance
This command is used to view the VPN session and VPN runtime details.
Syntax
Syntax: show [display_parameter]

show session Display VPN session details.
show sessions Display VPN runtime summary.
Parameters
session Displays VPN session details. Provide one of the three values wile using this parameter:
• n— The session number. (show session n)
• ipaddr— The IP address of the session. (show session ipaddr)
• macaddr— The MAC address of the session. (show session mac)
sessions Displays VPN runtime summary.
Example
WS5000.(Cfg).wvpn.rt> show
1 VPN sessions

------- --------------- --------------- ----------------- ---------------
1 192.168.1.15 10.1.1.50 00:40:96:a8:4e:38
WS5000.(Cfg).wvpn.rt> show session 1
Session 1:
VPN Assigned IP : 192.168.1.15

Real Client IP : 10.1.1.50
MAC Address : 00:40:96:a8:4e:38
User Class :
Current Time : Mon Mar 6 20:24:11 2006
Logged in at : Mon Mar 6 20:09:51 2006
Last roamed at : Mon Mar 6 20:09:51 2006
Last activity at : Mon Mar 6 20:22:22 2006
Session ID : 0x21000005
Tunnel Status : Active
WS5000.(Cfg).wvpn.rt> show sessions
1 VPN sessions

------- --------------- --------------- ----------------- ---------------
1 192.168.1.15 10.1.1.50 00:40:96:a8:4e:38
8.72 wtls Instance

WVPN Context
Table 8.77 ip_pools Instance Command Summary
set Configure WTLS attributes page 8-347
8.72.1 set
wtls Instance
This command is used to configure the security attributes.
Syntax
Parameters
customCipher Set a custom cipher.

customMac Set a custom MAC.
handshakeTimeout Handshake timeout in seconds.
maxClientKey Maximum length RSA key for client.
minClientKey Minimum length RSA key for client.
maxRsaKey Maximum RSA key.
minRsaKey Minimum RSA key.
requireClientCert Set whether client certificates are required.
keyRefresh Key refresh- specified as 2 to the power of N packets.
securityMode Set security mode.
serverNumber Set server number.
Example
WS5000.(Cfg).wvpn.wtls> set customCipher AES256
Configuring WTLS....
Status : Success.
WTLS Settings:
Server number: : 1
Security mode: : customSecurity
Cipher: : AES256
MAC: : SHA_160
WS5000.(Cfg).wvpn.wtls> set customMAC MD5_128
Configuring WTLS....
Status : Success.
WTLS Settings:
Server number: : 1
Security mode: : customSecurity
Cipher: : AES256
MAC: : MD5_128
8.72.2 show
wtls Instance
This command issued to view the WTLS general settings.
Syntax
show
show wtls
Parameters
wtls Displays WTLS general setting.

Example
WS5000.(Cfg).wvpn.wtls> show wtls
WTLS Settings:
Server number: : 1
Cipher: : AES128
MAC: : SHA_160
Service Mode CLI
9.1 CLI Service Mode Overview

The CLI Service Mode allows retrieval of system data that includes tables, log files, configuration, status, and
operation, for use in debugging and problem resolution while troubleshooting the WS5000 Series Switch
configuration.
Only Symbol Technologies trained and customer-authorized personnel should use the advanced commands
within the CLI Service Mode. Occasionally, the customer may be asked to retrieve system data and provide it
to a Symbol Support Engineer who uses this data to examine the system status.
To enter Service Mode Configuration context, invoke the service command within the System or Configuration
context (WS5000> or WS5000.(Cfg)> prompts, for example). The CLI user can either output the data to the
standard display, or capture the data in a file stored in the default system directory. The user can immediately
access the file, or transport it to another host.
The Service mode includes almost all of the commands that are provided in “normal” CLI mode. The same
commands from the “normal” CLI mode execute identically in the Service Mode CLI System context and
Configuration context.
9-2 WS5000 Series Switch System Reference
9.1.1 Logging into the Service Mode

Initially, to log into the Service mode, follow these steps:
1. Enter service at the WS5000> System Context prompt.
2. Enter the CLI Service Mode password. The default password is password.
WS5000> service
Enter CLI Service Mode password:********
SM-WS5000>
The customer can allow or deny access to the CLI Service Mode by maintaining the CLI Service Mode
password. The service mode password command is used to update/change the Service Mode password.
9.1.2 Basic Conventions

When working within Service Mode, consider the following basic conventions:
• Service Mode is clearly marked by its differentiated prompt. You know you are in “service mode” when
the prompt is:
SM-WS5000>
• All CLI commands are case insensitive but, all user data is case sensitive.
• Any time a name is assigned that contains two or more words separated by a space, use double quotes
around the words that make up the name. For example:
SM-WS5000>name "Wireless Switch"
• The Service Mode is password-protected and should only be used by customer-authorized personnel
such as Symbol support personnel.
9.2 SM-WS5000> Command Review

This section provides detailed command and syntax descriptions, as well as examples of the Service Mode
commands.
Table 9.1 Service Mode Command Summary
? or help To get the command information page 9-4
logout or bye Close this session page 9-5
exit Exit from the Service CLI mode. page 9-5
capture Capture the current system status to a file page 9-5
cleanapdbglog Cleanup AP300 debug log files page 9-6
clear Clears the screen page 9-6
configure Configure system attributes page 9-6
copy Copy files between the Switch and TFTP/FTP server page 9-8
debug Enable/disable debug information to the log file page 9-9

Service Mode CLI 9-3
Table 9.1 Service Mode Command Summary

delete Delete an image files from the memory page 9-10
diag Diagnostic utility page 9-12
directory Display the available image files in memory page 9-12
emergencymode Enable or disable Emergency Mode page 9-13
enablecclog Enable Switch log information to the log file page 9-13
execute CLI Service Mode command file execution page 9-13
export Exports log files from the Switch to TFTP server. page 9-14
ftpPasswd Changes password for FTP operations page 9-14
getcclogfile Upload Switch log file to TFTP Server page 9-15
install Install primary/standby/Kerberos config or CLI commands. page 9-15
launch Launches the specified program page 9-16
ledcolor Get or set the color of the LEDs page 9-17
name Set or change the name page 9-18
password Change the CLI Service Mode password page 9-18
remove Remove a log file shown by 'logdir' command. page 9-20
restore Restore system image or configuration page 9-20
rfping Send a WNMP ping to a Access Port page 9-21
save Save the running system configuration to a file page 9-21
setThresholds Enable/Disable/Set thresholds for periodic monitoring page 9-22
shell Enter into the embedded O.S. command prompt page 9-22
showAPFirmware Displays AP Firmware images available page 9-25
showBuildInfo Displays build version Information page 9-25
showDiskUsage Displays current disk usage page 9-26
showHardwareInfo Displays current hardware Information page 9-26
showMemUsage Displays current memory usage page 9-27
showThresholds Display current settings for various thresholds page 9-27
watchdogtimer Enable/disable watch dog timer page 9-28
wvpnctl Enable/disable wvpn logging page 9-28

9.2.1 ? or help
Displays a list of available commands. Identical to "help" command.
Syntax
?
Parameters
None
Example
SM-WS5000> ?
System Context.
----------------------------------------------
Commands Brief Description
----------------------------------------------
exit Exit from the Service CLI mode.
capture Capture the current system status to a file
cleanapdbglog Cleanup AP300 debug log files
configure Configure system attributes
copy Copy files between the Switch and TFTP/FTP server.
debug Enable/disable debug information to the log file
delete Delete an image files from the memory
diag Diagnostic utility.
directory Display the available image files in memory
enablecclog Enable Switch log information to the log file
execute CLI Service Mode command file execution
export Exports log files from the Switch to TFTP server.
ftpPasswd Changes password for FTP operations.
getcclogfile Upload Switch log file to TFTP Server
install Install primary/standby/Kerberos config or CLI
commands.
launch Launches the specified program
ledcolor Get or set the color of the LEDs
logdir Display the user saved log files
name Set or change the name.
password Change the CLI Service Mode password
ping Ping a network host/IP address
remove Remove a log file shown by 'logdir' command.
restore Restore system image or configuration.
rfping Send a WNMP ping to a Access Port
save Save the running system configuration to a file.
setThresholds Enable/Disable/Set thresholds for periodic monitoring.
shell Enter into the embedded O.S. command prompt
showAPFirmware Displays AP Firmware images available.
showBuildInfo Displays build version Information.
showDiskUsage Displays current disk usage.
showHardwareInfo Displays current hardware Information.
showMemUsage Displays current memory usage.
showThresholds Display current settings for various thresholds.
watchdogtimer Enable/disable watch dog timer
wvpnctl Enable/disable wvpn logging
SM-WS5000>
9.2.2 logout or bye

Exits service mode and logs the user out of the switch. Identical to the command "bye".
Syntax
bye
Parameters
None
Example
SM-WS5000> bye
Logging out...
user name:
9.2.3 exit
Exits the CLI Service Mode and returns to the switch command prompt (normal CLI).
Syntax
exit
Parameters
None
Example
SM-WS5000> exit
Disabling CLI Service Mode commands...... done.
WS5000>
9.2.4 capture
This command saves the current system status (and packets) of various tables, files and processes of the
switch to a file, for use by Symbol engineers during problem resolution. The file name, ssm_report, appears in
the WS5000/scripts/service/ directory. Any previous ssm_report file gets renamed to ssm_report.prev.
After capturing the system status, it can be displayed by using the show sysstat command. Use 'logdir' to list
the captured file names.Similarly, use 'remove' to delete the saved files and 'export' command to copy files to
remote TFTP server.
Syntax
capture <option>
Parameters
option It can be either of the below two:

• sysstat— Saves the system status to a file.
• packet— Captures packets in real time.
Example
SM-WS5000> capture sysstat
Capturing current system status....

Starting the SSM capture ...
Finished the SSM capture ...
SM-WS5000>
9.2.5 cleanapdbglog
This command is used to clean up AP300 debug log files.
Syntax
cleanapdbglog
Parameters
None
Example
This command does not generate any output.
9.2.6 clear
Clears the screen contents and returns to the service mode prompt.
Syntax
clear
Parameters
None
Example
SM-WS5000> clear
SM-WS5000>
9.2.7 configure
The command changes the Service Mode CLI to the Service Mode “Configuration” context, allowing the
administrator to configure system attributes within the Service Mode. The sub-contexts and related commands
available in the normal System Context (WS5000> prompt) are the same.
Syntax
configure
Parameters
None
Example
SM-WS5000> configure
SM-WS5000.(Cfg)> ?
Config Context.
----------------------------------------------
Commands Brief Description
----------------------------------------------

aaa Configure AAA setting.
accessport Configure an Access Port.
acl Configure ACL for the system.
appolicy Configure an Access Port policy.
banner Configure Banner for the system.
ce Configure a Classifier.
cg Configure a Classification Group.
chassis Configure Chassis settings.
copy Copy files between the Switch and TFTP/FTP server.
date Set or display system time and/or date
delete Delete an image files from the memory
diag Diagnostic utility.
directory Display the available image files in memory
encrypt Encrypt the passwd to be used in auto-install
ethernet Configure Ethernet Port.
etherpolicy Configure an EtherPolicy.
events Configure Event properties.
export Exports log files from the Switch to TFTP server.
ftp Configure system FTP settings.
ftpPasswd Changes password for FTP operations.
fw Configure LAN for the system.
host Configure Host properties.
install Install primary/standby/Kerberos config or CLI
commands.
kdc Configure KDC server.
launch Launches the specified program
ledcolor Get or set the color of the LEDs
logdir Display the user saved log files
name Set or change the name.
np Configure a Network Policy.
ping Ping a network host/IP address
po Configure a Policy Object.
purge Purge the specified contents.
radius Configure RADIUS setting.
remove Remove a log file shown by 'logdir' command.
reset Reset Switch
restore Restore system image or configuration.
rogueap Configure RogueAP Detection feature for the system.
route Configure system Route settings.
runacs Run ACS on all adopted Access Ports
save Save the running system configuration to a file.
securitypolicy Configure Security Policy for the system.
sensor Configure Sensor setting.
set Set Switch attributes
setThresholds Enable/Disable/Set thresholds for periodic monitoring.
showAPFirmware Displays AP Firmware images available.
showBcmcStats Displays BCMC statistics for PSD.
showBuildInfo Displays build version Information.
showDiskUsage Displays current disk usage.
showDriverStats Displays driver statistics for ethernet ports.
showEthernetStats Displays ethernet port statistics
showHardwareInfo Displays current hardware Information.
showMemUsage Displays current memory usage.
showStartupLog Displays system startup log.
showThresholds Display current settings for various thresholds.
showUpgradeLog Displays system restore log.
shutdown Shutdown the Switch
snmp Configure SNMP parameters.

ssh Configure SSH settings.
ssl Configure SSL settings.
standby Configure system Standby settings.
switchpolicy Configure Switch Policy.
telnet Configure system Telnet settings.
tunnel Configure tunnel information.
user Configure user information.
watchdogtimer Enable/disable watch dog timer
wlan Configure WLAN for the system.
wvpn Configure system WVPN settings.
wvpnctl Enable/disable wvpn logging
SM-WS5000.(Cfg)>
9.2.8 copy
Copies a file (system image (*.img) or configuration file (*.cfg) from the WS5000 to a (T)FTP server, or vice
versa. TFTP can be used to transfer *.sys.img, *.cfg, and *.sym files. FTP can be used to transfer .krb,
.sys.img, .cfg, and .sym files.
The following are the default modes:
• Default protocol is TFTP
• Default user for FTP: anonymous
• Default mode for FTP: binary.
If using FTP, and the user is not anonymous (using -u option), CLI prompts the user to enter password.
Syntax
copy <source> <destination> [-u user] [-m mode]
Parameters

• [protocol:]//<host_name or IP>/[file_name].For example,
ftp://<ipAddress/path/[file_name]. If a filename is not supplied, the system
will prompt for one, in addition to a password.
• tftp
• ftp
• system
• .
• [/]<file_name>

• tftp
• ftp
• system
• .
• /
user FTP username. Default is anonymous.
Example
SM-WS5000> copy tftp system
9.2.9 debug
Allows enabling or disabling logging of debug messages in the debug log file. User must execute the debug
command to see the log of the operating function. Entering a specific option displays the debug option that is
enabled.
Syntax
debug [<option> <enable/disable>]
Parameters
Option Parameters Descriptions.
errors enable/disable Error messages.

general enable/disable General messages.
threads enable/disable Process thread information.
sharedmem enable/disable Shared memory data.
accessport enable/disable Access Port information.
ess enable/disable ESS handling.
policy enable/disable policy handling.
ethernet enable/disable Ethernet data.
stats enable/disable Statistical data.
snmp enable/disable SNMP data.
driver enable/disable Driver messages.
standby enable/disable Standby information.
frames enable/disable Frame information.
events enable/disable Events information.

corba enable/disable Corba handling.
packets enable/disable Packets data.
apfirmware enable/disable AP firmware information.
mu enable/disable Mobile unit data.
xml enable/disable XML information.
qos enable/disable QOS handling.
vlan enable/disable VLAN handling.
database enable/disable Database information.
security enable/disable Security handling.
memory enable/disable Memory use information.
kdc enable/disable Kerboros messages.
acs enable/disable ACS information.
all enable/disable Select all the above options.
Example
SM-WS5000> debug sharedmem enable
Enabling SHARED MEMEORY data logging ...

Status: Success.
Debug flag value (Hex): 0000000000000100

Enabled options are:
-------------------
sharedmem - SHARED MEMEORY data
SM-WS5000>
9.2.10 delete
Deletes the specified image or config file from the WS5000. As a shortcut, “del” can be used instead of
“delete”. Use the directory command to list the files that can be deleted.
Syntax
delete <file_name>
Parameters
filename Name of the file to be deleted.

Example
SM-WS5000> directory
Mar 9 23:25 115219 WS5000Defaults_v2.1.0.0-017B.cfg

Mar 9 20:42 92004 WS5k_Auto_v2.1.0.0-015B_20060309.cfg
Mar 10 00:01 7531 cmd_template.sym
Mar 9 23:05 17020 kp.cfg
Mar 9 23:31 17023 pavan.cfg
Mar 10 00:01 17023 test1.cfg
Mar 9 20:50 34603 walmart_new.cfg
SM-WS5000> delete WS5000Defaults_v2.1.0.0-017B.cfg
Removing test1.cfg.... done.
SM-WS5000>
9.2.11 description
Sets the description to the policy or item in the selected context.
Syntax
Parameters
description_text Enter a brief description of the switch.
Example
SM-WS5000> description WS5000 Wireless Network
Status : Success.

Switch Location :
Serial Number : 00A0F853D9A9
Active Switch Policy : wm_stores
Use JumboSupport : enable
AP300 debugging : disable
1. 00:A0:F8:B8:10:96.
2. 00:A0:F8:B8:10:5A.
SM-WS5000>
9.2.12 diag
Use diag to create a text file for memory dump of different data structures. It dumps all the information related
to the object in /logfile which can be viewed using the root permission.This command is to be used by an admin
with a root permission (access to the shell).
The output file will be saved in logs dir which can be viewed using 'logdir' command.
Syntax
diag <obj_name> <file_name> <user_name>
Parameters
obj_name <obj_name>={inQ|outQ|muo|bfio|ALT|cgo|ceo|mco|po}
Name of object whose memory dump is required. It can be either of the following:
• inQ=Input Q.
• outQ=Output Q.
• muo=MU Object.
• bfio=Interface Object (both NIC and AP).
• ALT=Address Lookup Table.
• cgo=CG Object.
• ceo=CE Object.
• mco=MC Object.
• po=Policy Object.
file_name Name of file where the output needs to be saved.
user_name Name of user executing the command.
Example
SM-WS5000> diag ALT TestFile admin
SM-WS5000> logdir
========================================================
TestFile.ALT.diag 454 Sat Mar 11 18:20:26 2006
SM-WS5000>
9.2.13 directory
Lists the image and configuration files that are stored on a WS5000. As a shortcut, “dir” can be used instead
of “directory”.
Syntax
directory
Parameters
None
Example
SM-WS5000> directory
Mar 9 23:25 115219 WS5000Defaults_v2.1.0.0-017B.cfg

Mar 10 00:01 7531 cmd_template.sym
Mar 9 23:05 17020 kp.cfg
Mar 9 23:31 17023 pavan.cfg
Mar 9 20:50 34603 walmart_new.cfg
SM-WS5000>
9.2.14 emergencymode
Enables or disables the “Emergency” Switch Policy (ESP). This is a switch policy that can activated (enabled)
at any time in case of an emergency. When ESP is deactivated (disabled), the previous switch policy is
reactivated.
Define an Emergency switch Policy prior to enabling the Emergency Wireless Switch Policy. Create two or
more switch policies. An error message displays if less than two Switch Policies are available.
Syntax
emergencymode <enable/disable>
Parameters
enable/disable Indicates whether to enable or disable the ESP.
Example
SM-WS5000> emergencyMode enable
9.2.15 enablecclog
This command is used to enable the CC log with dd.conf input file.
Syntax
enablecclog
Parameters
None
Example
9.2.16 execute
Executes the specified file. The command is used with specified optimization (patch file) files provided from
Symbol Technologies when a service upgrade is needed on the WS5000 Series Switch.
Syntax
execute
Parameters
None
Example
SM-WS5000> execute
Executing CLI Service Mode command file....
Enter the command file name:
9.2.17 export
This command is used to copy the log files from the switch to the remote TFTP server. use ‘logdir’ to view the
list of user log files that can be exported.
Syntax
export
Parameters
This is an interactive command and you will be asked for the following:
• destination — This is the remote TFTP host.
• filename — The name of the log file that has to be exported to the remote TFTP server.
• username — Enter the user name which you mentioned at the time of log file creation when using the
‘diag’ command. The default user name would is admin.
Example
SM-WS5000> logdir
========================================================
TestFile.ALT.diag 454 Sat Mar 11 18:20:26 2006

TestBfio.bfio.diag 41560 Sat Mar 11 18:35:33
2006
SM-WS5000> export
Enter the log file name : TestBfio.bfio.diag
Enter the user name : admin
IP address of the remote TFTP server : 192.168.168.10
Optional storage path in the TFTP server (press ENTER if none) :
Copying log file TestBfio.bfio.diag to remote TFTP Server 192.168.168.10 ...
File: TestBfio.bfio.diag copied successfully to 192.168.168.10
SM-WS5000>
9.2.18 ftpPasswd
This command is used to reset the FTP password for the switch.
This command is used to change the password of the standard user for FTP operations. The default user name
is — ftpuser. You have to use the default user name to FTP to the switch along with the password that you
provide using ftpPasswd.
Syntax
ftpPasswd
Parameters
None
Example
SM-WS5000> ftpPasswd
Enter new UNIX password:

Retype new UNIX password:
passwd: password updated successfully
Password for FTP operations updated
SM-WS5000>
9.2.19 getcclogfile
This command is used to upload the CC log file to the TFTP server.
Syntax
getcclogfile
Parameters
None
Example
SM-WS5000> getcclogfile
Enter IP Address of TFTP Server where log file to be copied:192.168.168.10

File: CCErrors.txt copied successfully to 192.168.168.10
Do you want to disable Switch debug logging (yes/no) : y

Disabled Switch Debug Logging successfully.
SM-WS5000>
9.2.20 install
Configures the switch as primary or standby, installs Kerberos settings, or runs a CLI command file, depending
on the value of the first parameter.
Syntax
install <install_option> [file_name]
Parameters
install_option Specify Primary or Standby to configure the switch as the primary or standby
Switch.Specify which command (.sym) file to install. Omitting a specific
command file, forces the system to install the default command *.sym file. If no
default command file exits, omitting the file name results in no changes to the
current configuration.
file_name The optional command file name extensions are (.sym) or Kerberos file (.krb) to
install. Specifying a valid command file (*.sym) causes the switch to shutdown
and reset. Specifying a valid Kerberos file to update (*.krb) does not require the
Kerberos enabled switches to reset.
Example
SM-WS5000> install primary test.sym

/WS5000/scripts/cmd_process: tr: command not found
/WS5000/scripts/cmd_process: tr: command not found...
Shutting down running processes. This may take a while...
Shutting down running processes...
Resetting the Switch...
SM-WS5000>
9.2.21 launch
Use launch to specify the program or shell command to be executed. Observe the following constraints:
• For executing a Linux program, its path must be available in the environment variable $PATH.
• When executing a command, the command must be available in the /WS5000/scripts/engg directory
with executable permission.
Syntax
launch -p <key> <option> <program_name>
Parameters
<key> Secret key for password to access launch command.
Note Use encrypt command along with the root

password to generate the key for executing the launch
command.
<option> It can be either of the below mentioned two:

• -c for command
• -f for file
<program_name> It can be either of the below mentioned two:
• for -c option it is command name
• for -f option it is a file name to be executed
Example
SM-WS5000> cfg encrypt B20!FlyIn
Encrypting password 'B20!FlyIn'....

Actual Password B20!FlyIn
Encrypted Password 14c8bf727be6e37b3fbd25489b00b3b1
SM-WS5000.(Cfg)> launch -p 14c8bf727be6e37b3fbd25489b00b3b1 -c ps

PID TTY TIME CMD
20808 pts/0 00:00:00 CLI
25402 pts/0 00:00:00 ps
SM-WS5000.(Cfg)>
9.2.22 ledcolor
This command is not supported in WS5000 hardware platform.
Syntax
None
Parameters
None
Example
None
9.2.23 logdir
This command is used to lists available user log (history, syslog, pktlog, diag log, system status log) files. It
does not list image/config files. Use dir command to list image/config files.
Syntax
logdir
OR
logdir user <username>
Parameters
username This s the storage directory for the logs.
Example
WS5000.(Cfg)> ..
WS5000> service

SM-WS5000> cfg

========================================================
9.2.24 name
This command is used to change the systems name.
Syntax
name <name>
Parameters
name The name which you want to assign to the switch.
Example
SM-WS5000> name Bangalore_WS5000
WARNING: Changing the switch name will require

the KDC configuration to be recreated
Are you sure? (yes/no) : yes
Configuring name...
Status : Success.
9.2.25 password
This command is used to change the CLI Service Mode password.
Syntax
password
Parameters
None
Example
SM-WS5000> password
Changing CLI Service Mode password....
Enter the new password : *********

Re-Enter the new password : *********
SUCCESS: CLI Service Mode password update successful.
SM-WS5000>
9.2.26 ping
Syntax
Options:
ping [-Rdfnqrv] [-c count] [-i wait] [-l preload] [-p pattern]
[-s packetsize] host
Parameters

• -R — Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST
packet and displays the route buffer on returned packets. Note that the IP header is
only large enough for nine such routes. Many hosts ignore or discard this option.
• -d — Set the SO_DEBUG option on the socket being used. Essentially, this socket
option is not used by linux kernel.
• -f — Flood ping. For every ECHO_REQUEST sent a period ``.'' is printed, while for ever
• -n — Numeric output only. No attempt will be made to lookup symbolic names for host
addresses.
• -q — Quiet output. Nothing is displayed except the summary lines at startup time and
when finished.
• -r — Bypass the normal routing tables and send directly to a host on an attached
• -v — Verbose output.
-c count Stop after sending count ECHO_REQUEST packets. With deadline option, ping
waits for count ECHO_REPLY packets, until the timeout expires.
-i wait Wait interval of seconds between sending each packet. The default is to wait for
one second between each packet normally, or not to wait in flood mode. Only
super-user may set interval to values less 0.2 seconds.
-l preload If preload is specified, ping sends that many packets not waiting for reply. Only
the super-user may select preload more than 3.
-p pattern You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful
for diagnosing data-dependent problems in a network. For example, -p ff will
cause the sent packet to be filled with all ones.
-s packetsize Specifies the number of data bytes to be sent. The default is 56, which translates
into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
host/ip_address The name or IP address of the host to which the request packets are sent.
Example
SM-WS5000> ping WS5000
PING WS5000 (10.1.1.101) from 10.1.1.101 : 56(84) bytes of data.

SM-WS5000>
9.2.27 remove
This command is used to remove specified log (history, packet, diag log, sysstatus) file. It does not remove
image/config or local syslog files.To remove image/config files use 'delete'. To remove local syslog files use
‘remlocal’.
Syntax
remove <file_name> [username-optional]
Parameters
file_name The log file that you want to remove.

username This field is optional and is the storage directory for the logs.
Example
WS5000.cfg>logdir

========================================================
SM-WS5000> remove Log1.history
9.2.28 restore
This command is used to restore system images and configuration. This command will reset the system and
boot up with the new restored image/config.
Syntax
restore <restore_option> <file_name>
Parameters
restore_option It can be one of the following three:

• system — Restore the system image and configurations from file_name.
• configuration — Restore the configuration from the specified file name.
• standby — Restore the configuration from the specified file name.
file_name The system image file name to be restored.
Example
SM-WS5000> restore configuration kp.cfg
Restoring configuration from kp.cfg
9.2.29 rfping
This command is used to ping to the Access Port. You need to enter the Access Port MAC address to ping.
Syntax
rfping <mac address> [<count>]
Parameters
mac_address The MAC address of the Access Port to which you want to ping.
count The number of ping attempts to be made
Example
SM-WS5000> rfping 00:A0:F8:B5:59:1E 4
Sending (4) WNMP Ping to 00:A0:F8:B5:59:1E

SM-WS5000>
9.2.30 save
This command is used to save the running system configuration to a file.
Syntax
save <save_option> [nocertificate] <file_name>
Parameters
save_option It ca nbe one of the following three:

• configuration — Save the present configuration in file_name.
• history — Save global command history in <file_name>.
• packets — Save captured packets in <file_name> (last packet first).
nocertificate Use nocertificate option to save configuration without RADIUS certificates.
file_name The name you assign to the file.
Example
SM-WS5000> save config TestConfig
Saving running configuration in: TestConfig.cfg

SM-WS5000>
9.2.31 setThresholds
This command is used to set/clear thresholds for monitoring.Whenever any of the cpu/mem/disk usage goes
above the specified threshold percent value, an alert is sent. As long as the usage remains above this
threshold, no more alerts are sent. When the usage goes down and subsequently, this threshold is crossed, an
alert will be sent again, and so on.
Please enable monitoring using 'set monitor' command before using this command.
Specify zero value to disable corresponding threshold monitoring.
Syntax
setThresholds [-c <nn>] [-m <nn>] [-d <nn>]
Parameters
-c <nn> Add syslog when cpu usage percent goes above <nn>.
-d <nn> Add syslog when disk usage percent goes above <nn>.
-m <nn> Add syslog when memory usage percent goes above <nn>.
Example
SM-WS5000> setThresholds -c 95
Various thresholds are now:
CPU Usage : 95% Alert Sent: No

Memory Usage : Monitoring disabled
Disk Usage : Monitoring disabled
SM-WS5000>
9.2.32 shell
This command is used to enter into the embedded OS Command prompt and environment.
Syntax
shell
Parameters
None
Example
SM-WS5000> shell
Entering into O.S.Command shell....

password:
WS5000#
WS5000# exit
SM-WS5000>
9.2.33 show
Displays a list of details about the WS5000 system related to the chosen display_parameter.
Syntax
show <display_parameter>
Parameters
show aaa-server Display AAA information

show accessports Display details of all access ports or all available access ports
show allconfig Display all config details
show autoinstalllog Display autoinstall log
show ce Display Classifiers
show cfghistory Display configuration change history
show cg Display Classification Group
show chassis Display Chassis details
show configaccess Display configured system access restrictions
show cpuUsage Displays CPU Usage
show ddnsupdatealllog Display the current system restore log
show debuglog Display the current dynamic debug log
show events Show Syslog event details
show ftp Display FTP status
show host Display the Hosts defined in the system
show https Display the Applet access type (http/https).
show kdc Display KDC details
show knownap Display known APs in the neighborhood.
show lan Display LAN details
show logfolder Display the current Log folder contents
show mu Display MU details (list)

show musummary Display MU summary
show np Display Network Policy information
show po Display Policy Object information
show radius-server Display RADIUS information
show restorelog Display the current system restore log
show routes Display configured routes
show sensor Display Sensor's and AP 300's / Sensor details
show snmpclients Display the SNMP Client/community details
show snmpstatus Display SNMP status
show ssh Display SSH configuration
show standby Display Standby configuration
show sysalerts Display system alert logs (events)
show syslog Display Syslog details
show sysstat Display the current system status
show telnet Display Telnet status
show time Display date and time information
show traphosts Display the SNMP trap-host details
show tunnels Display Tunnel details
show users Display user information
show version Display the system version details
show vlan Display VLAN details
show vpnsupportstatus Display vpn support status
show watchdog Display the watch dog status
show wlan Display WLAN details
Example
SM-WS5000> show accessports
Access Ports Radio MAC Device MAC Type

Status
------------ --------- ---------- ---- -----
-
1 00:A0:F8:BC:E8:F2 [G] 00:A0:F8:BC:97:48 00:A0:F8:BC:E8:F2 G
Unavailable
2 00:A0:F8:BC:E8:F2 [A] 00:A0:F8:BF:99:00 00:A0:F8:BC:E8:F2 A
Unavailable
3 00:A0:F8:BF:8A:9F [G] 00:A0:F8:BF:E0:EC 00:A0:F8:BF:8A:9F G Active
4 00:A0:F8:BF:8A:9F [A] 00:A0:F8:BF:ED:00 00:A0:F8:BF:8A:9F A Active
SM-WS5000>
9.2.34 showAPFirmware
This command is used to show Access Port image information.
Syntax
showAPFirmware
Parameters
None
Example
SM-WS5000> showAPFirmware
AP Firmware is loaded with following image

------------------------------------------
ap-302x-revert.bin.img root 329596 Mar 9
ap-302x.bin.img root 169664 Mar 9
ap-413x-revert.bin.img root 665704 Mar 9
ap-413x.bin.img root 191440 Mar 9
ap-41xx-revert.bin.img root 391688 Mar 9
ap-41xx.bin.img root 158924 Mar 9
ccrf-5020.bin.img root 31034 Mar 9
wsap-5030.bin.img root 257860 Mar 9
wsap-51x0-sensor.bin.img root 295196 Mar 9
wsap-51x0.bin.img root 293320 Mar 9
------------------------------------------
SM-WS5000>
9.2.35 showBuildInfo
This command is used to show current build information.
Syntax
showBuildInfo
Parameters
None
Example
SM-WS5000> showBuildInfo
WVPND ver= 126

RFIMG ver= ap-302x-revert.bin.img root 329596 Mar 9
RFIMG ver= ap-302x.bin.img root 169664 Mar 9
RFIMG ver= ap-413x-revert.bin.img root 665704 Mar 9
RFIMG ver= ap-413x.bin.img root 191440 Mar 9
RFIMG ver= ap-41xx-revert.bin.img root 391688 Mar 9
RFIMG ver= ap-41xx.bin.img root 158924 Mar 9
RFIMG ver= ccrf-5020.bin.img root 31034 Mar 9
RFIMG ver= wsap-5030.bin.img root 257860 Mar 9
RFIMG ver= wsap-51x0-sensor.bin.img root 295196 Mar 9
RFIMG ver= wsap-51x0.bin.img root 293320 Mar 9
CC root 5384312 Mar 9

CLI root 2974924 Mar 9
SNMPD root 2708330 Mar 13
DHCP SERVER root 559164 Mar 9
SYSLOG DAEMON root 27808 Jan 24
Patches Installed: None.
SM-WS5000>
9.2.36 showDiskUsage
This command is used to show current disk usage.
Syntax
showDiskUsage
Parameters
None
Example
SM-WS5000> showDiskUsage
Disk Space: In Use: 95% Free: 5%
SM-WS5000>
9.2.37 showHardwareInfo
This command is used to view the hardware information of the switch.
Syntax
showHardwareInfo
Parameters
None
Example
SM-WS5000> showHardwareInfo
Hardware Type : 5000

Ethernet Port Type : 10/100
DOM Size : 121M
RAM Size : 376 M
SM-WS5000>
9.2.38 showMemUsage
This command is used to view the current memory usage.
Syntax
showMemUsage
Parameters
None
Example
SM-WS5000> showMemUsage
total: used: free: shared: buffers: cached:
Mem: 395223040 135512064 259710976 0 8073216 55934976
Swap: 0 0 0
MemTotal: 385960 kB
MemFree: 253624 kB
MemShared: 0 kB
Buffers: 7884 kB
Cached: 54624 kB
SwapCached: 0 kB
Active: 27048 kB
Inactive: 48424 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 385960 kB
LowFree: 253624 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Committed_AS: 63244 kB
VmallocTotal: 647148 kB
VmallocUsed: 44596 kB
VmallocChunk: 602552 kB
SM-WS5000>
9.2.39 showThresholds
This command is used to view current values of various thresholds for monitoring.
Syntax
showThresholds
Parameters
None
Example
SM-WS5000> showThresholds
Various thresholds are now:
CPU Usage : Monitoring disabled

Memory Usage : Monitoring disabled
Disk Usage : Monitoring disabled
SM-WS5000>
9.2.40 watchdogtimer
This command is used t oeither enable or disable the watch dog timer.
Syntax
watchdogtimer <enable/disable>
Parameters
enable/disable Either enable or disable the watch dog timer.
Example
SM-WS5000> watchdogtimer enable
Watch Dog Timer status: Enabled
SM-WS5000>
9.2.41 wvpnctl
This command is used to configure wvpn server logging.
Syntax
wvpnctl enable [flags=<flags>] [size=<size>] [filename=<name>]
or
wvpnctl disable
Parameters
enable Enable wvpn logging.

disable Disable wvpn logging.
flags WVPN logging filter flags.
size Maximum file size of WVPN log.
filename WVPN log file name (complete path).
Example
SM-WS5000> wvpnctl enable size=1024 filename=/image/Testwvpn
WVPN debugging is now enabled with filename="/image/Testwvpn" size="1024"

flags="All"
SM-WS5000>
9.3 Diagnosing problems in WS5000/WS5100 Switch

The WS5000/WS5100 generates logs for various features in /log folder which cannot be seen using CLI,
Applet or SNMP.
9.3.1 Diagnose User

1. To view the log files in the /log folder, use the new diagnose login created in the switch with the
following details
Diagnose Username : diagnose
Diagnose Password : bf20jbin
2. Once logged in, the diagnose user can go to logs folder using the following command
cd /log
3. To view the list of log files the user can use the following command
ls -l
4. You can view the contents of any specific log file using cat command as follows
cat <filename>
5. If the file is longer than one screen of display, you can see the contents of the file one screen at a time
using the following command.
cat <filename> | more
For example, to find out when the switch was last started or rebooted, you can view the file
shutdownhistory.log using the following command
cat shutdownhistory.log
Use the cat command as mentioned baove to view:

• The CC logs (if enabled in the file /CC/dd.conf) in the file /CC/CCErrors.txt.
• The logs of the CC during the previous boot can be seen in the file /CC/CCErrors.txt.save.
If the switch has crashed for some reason, then a file called Fault.dmp will be generated in /CC folder. This
contains the trace of the stack at the time the switch was crashed.
The switch administrator can send the logs/Fault.dmp to the engineering team using the standard ftp/tftp
command.
9.3.2 Finding whether a particular process is running or not

1. Login to the switch as diagnose user and execute any of the following command
ps -amx | grep <process_name>
2. If the process is running then this displays the process name together with its process id, else
3. Use the following command to view the process ID of the process, if it is running
pidof <process_name>
9.3.3 Encrypt, Launch and Execute commands of Service mode CLI

launch command is modified in WS5000 2.1, to take an additional argument which indicates the encrypted
version of root password for security reasons. It is a mandatory requirement for launch command to take this
encrypted version of root password as argument.
9.3.3.1 encrypt Command

The encrypt command is available under config context of service mode CLI. This command takes a string as
an argument and returns its equivalent encrypted version.
This is used primarily to create the encrypted version of the root password which is then passed as the
argument to launch command.
The encrypted version of the root password is "14c8bf727be6e37b3fbd25489b00b3b1".
9.3.3.2 launch Command

The launch command is available under both "system" and "config" context of Service mode CLI. This
command can be used to execute any linux command or any script (or any executable program) placed in
/scripts/engg folder. Its syntax is
Syntax
launch -p <key> <option> <program_name>
Parameters
key Is the secret key for password to access launch command.

option It can one of the following:
• {-c|-f}— c for command and -f for file.
program_name • For -c option it is command name.
• For -f option it is a file name to be executed.
9.3.4 execute Command

This command is available under "system" context of Service mode CLI. This command is used to install
patches provided by the engineering team. Its syntax is
SM-WS5000> Execute
This command will prompt for the patch file name which should be present in the /image folder of the switch.
Antennas and Power
Use this table to determine the correct power settings for International use when using external antennas with
the AP 100 802.11b Access Port, Model CCRF-5020-10-WW.
Note For US (FCC), all Symbol Technologies, certified antennas can be used on the
maximum power level setting.
Table 10.1 International Antenna and Power Settings for AP 100 802.11b Access Port
Antenna Model Max Power Setting Antenna Type Comments
ML-2499-APA2-01 1 Dipole
ML-2499-HPA3-01 2 Indoor/Outdoor Omni

Directional
Table 10.1 International Antenna and Power Settings for AP 100 802.11b Access Port (Continued)
Antenna Model Max Power Setting Antenna Type Comments
ML-2499-PNAHD-01 3 Heavy-duty Indoor/Outdoor

65° H-Plane Directional
Panel
ML-2499-7PNA2-01 4 Indoor/Outdoor 65° H-Plane

Diversity Directional Panel
ML-2499-BMMA1-01 3 Heavy Duty, High Gain Also valid at Power setting:

Outdoor Mast Mount 2 with 25ft cable ML-1499-25JK-01
1 with 100ft cable ML-1499-100JK-01
ML-2499-SD3-01 1 Low Profile Ceiling Mount

Omni Directional
ML-2499-SDD1-01 1 Low Profile Dual Integrated

Diversity Omni Directional
ML-2499-12PNA2-01 3 High gain Indoor/Outdoor

Panel
ML-2499-11PNA2-01 3 High gain Indoor/Outdoor

Panel
ML-2499-BYGA2-01 4 Heavy-duty Outdoor 35° Also valid at Power setting:

High-gain Directional Yagi 3 with 50 ft cable ML-1499-50JK-01
2 with 100 ft cable ML-1499-100JK-01
ML-2499-BPNA3-01 4 Heavy-duty Indoor/Outdoor Also valid at Power setting:

35° High-gain Directional 3 with 50 ft cable,
Panel 2 with 100 ft cable
ML-2499-BPDA1-01 5 Heavy Duty 10° Directional Use with 100ft cable ML-1499-100JK-01
High Gain Parabolic Dish
Use this table to determine the correct European Union power settings for the AP 200 802.11a/b Access Port,
Model CCRF-5030-100-WW (external antenna 802.11a radio only), CCRF-5030-200-WW (external antenna
802.11a/b radio), CCRF-5030-210-WW.
Use this table to determine the correct Japanese power settings for the AP 200 802.11a/b Access Port, Model
Table 10.2 European Union and Japanese Antenna and Power Settings for The AP 200 802.11a/b Access Port
Additional Cable Length in Feet
Antenna Model Antenna Type/Pattern Max Authorized Power Settings
2.4 GHz 0 6 10 25 50 100
ML-2499-APA2-01 Flexible Rubber Dipole Omni-Directional Any Any Any Any Any Any
ML-2499-HPA3-01 Hi-gain Dipole Omni-directional Any Any Any Any Any Any
ML-2499-PNAHD-01 Hi-gain in/outdoor Panel Directional Any Any Any Any Any Any
Antennas and Power 10-3
Table 10.2 European Union and Japanese Antenna and Power Settings for The AP 200 802.11a/b Access Port (Con-
ML-2499-7PNA2-01 Panel Directional Any Any Any Any Any Any
ML-2499-BMMA1-01 Hi-gain in/outdoor Dipole Omni- Any Any Any Any Any Any
Directional
ML-2499-SD3-01 Patch Omni-Directional Any Any Any Any Any Any
ML-2499-SDD1-01 Patch w/diversity Omni-Directional Any Any Any Any Any Any
ML-2499-12PNA2-01 Panel Directional 2, 3, Any 2, 3, Any Any Any

4, 5 4, 5
ML-2499-11PNA2-01 Panel Directional 2, 3, Any Any Any Any Any

4, 5
ML-2499-BYGA2-01 In/Outdoor Yagi Directional 3, 4, 2, 3, 3, 4, 3, 4, Any Any

5 4, 5 5 5
ML-2499-BPNA3-01 In/Outdoor Panel Directional 2, 3, Any 2, 3, 2, 3, Any Any

4, 5 4, 5 4, 5
ML-2499-BPDA1-01 Outdoor Parabolic Dish Directional 5 5 5 5 4, 5 4, 5
Internal Antenna Omni Directional Any Any Any Any Any Any
5 GHz
ML-5299-APA1-01 Omni-directional Any N/A Any Any Any Any
ML-5299-HPA1-01 Hi-gain Dipole 2, 3, N/A Any Any Any Any

4, 5
ML-5299-WPNA1-01 Panel Omni-directional Any N/A Any Any Any Any
Internal Omni-Directional Any N/A N/A N/A N/A N/A
Table 10.3 CCRF-5030-100-WW (external antenna 802.11a radio only), CCRF-5030-200-WW (external antenna
802.11a/b radio), CCRF-5030-210-WW
2.4 GHz 0 6 10 25 50 100
ML-2499-APA2-01 Flexible Rubber Dipole Omni-Directional Any Any Any Any Any Any
ML-2499-HPA3-01 Hi-gain Dipole Omni-directional Any Any Any Any Any Any
ML-2499-PNAHD-01 Hi-gain in/outdoor Panel Directional Any Any Any Any Any Any
ML-2499-BMMA1-01 Hi-gain in/outdoor Dipole Omni- None None 3, 4 2, 3, Any Any

Directional 4
Table 10.3 CCRF-5030-100-WW (external antenna 802.11a radio only), CCRF-5030-200-WW (external antenna
802.11a/b radio), CCRF-5030-210-WW (Continued)
ML-2499-SD3-01 Patch Omni-Directional 2, 3, Any Any Any Any Any

4
ML-2499-SDD1-01 Patch w/diversity Omni-Directional Any Any Any Any Any Any
ML-2499-BYGA2-01 In/Outdoor Yagi Directional 2, 3, 2, 3, Any Any Any Any

4 4
ML-2499-BPNA3-01 In/Outdoor Panel Directional 2, 3, 2, 3, Any Any Any Any

4 4
ML-2499-BPDA1-01 Outdoor Parabolic Dish Directional None None 4 4 3, 4 2, 3,

4
Internal Antenna Omni Directional Any N/A N/A N/A N/A N/A
5 GHz
ML-5299-HPA1-01 Hi-gain Dipole Any N/A Any Any Any Any
ML-5299-WPNA1-01 Panel Omni-directional None N/A None None None 1
Use this table to determine the correct United States power settings for the AP 200 802.11a/b Access Port,
Model CCRF-5030-100-WW (external antenna 802.11a radio only), CCRF-5030-200-WW (external antenna
802.11a/b radio), CCRF-5030-210-WW.
Note All Symbol Technologies certified antennas can be used on the maximum power
level setting.
Table 10.4 United States Antenna and Power Settings for the AP 200 802.11a/b Access Port
2.4 GHz 0 6 10 25 50 100
ML-2499-APA2-01 Flexible Rubber Dipole Omni-Directional 2, 3, 2, 3, 2, 3, 2, 3, Any Any

4, 5 4, 5 4, 5 4, 5
ML-2499-HPA3-01 Hi-gain Dipole Omni-directional 3, 4, 3, 4, 3, 4, 3, 4, 3, 4, 2, 3,

5 5 5 5 5 4, 5
Antennas and Power 10-5
Table 10.4 United States Antenna and Power Settings for the AP 200 802.11a/b Access Port (Continued)
ML-2499-PNAHD-01 Hi-gain in/outdoor Panel Directional 3, 4, 3, 4, 3, 4, 3, 4, 3, 4, 2, 3,

5 5 5 5 5 4, 5
ML-2499-7PNA2-01 Panel Directional 3, 4, 3, 4, 3, 4, 3, 4, 3, 4, 2, 3,

5 5 5 5 5 4, 5
ML-2499-BMMA1-01 Hi-gain in/outdoor Dipole Omni- 2, 3, Any Any Any Any Any
Directional 4, 5
ML-2499-SD3-01 Patch Omni-Directional Any Any Any Any Any Any
ML-2499-SDD1-01 Patch w/diversity Omni-Directional 2, 3, 2, 3, 2, 3, 2, 3, Any Any

4, 5 4, 5 4, 5 4, 5
ML-2499-12PNA2-01 Panel Directional 4, 5 4, 5 4, 5 4, 5 3, 4, 3, 4,

5 5
ML-2499-11PNA2-01 Panel Directional 4, 5 4, 5 4, 5 4, 5 3, 4, 3, 4,

5 5
ML-2499-BYGA2-01 In/Outdoor Yagi Directional None None None None None 5
ML-2499-BPNA3-01 In/Outdoor Panel Directional None None None None None 5
ML-2499-BPDA1-01 Outdoor Parabolic Dish Directional None None None None None None
Internal Antenna Omni Directional Any N/A N/A N/A N/A N/A
5 GHz
ML-5299-HPA1-01 Hi-gain Dipole Any N/A Any Any Any Any
ML-5299-WPNA1-01 Panel Omni-directional N/A N/A N/A N/A N/A N/A

Converting AP-4131 Access Points to RF
Ports
You can convert the Symbol AP-4131 model access point to RF Ports for use with the WS5000. The port
conversion enables existing customers to utilize an existing Symbol wireless infrastructure with the WS5000
Series Switch.
A converted AP-4131 is one of the many different types of AP's that can be adopted, configured and monitored
by WS5000. After the conversion, the AP-4131 becomes a thin AP responsible for receiving and transmitting
wireless data. All other functionality (such as 802.11 management, security, and packet switching) is
performed by the switch.
The WS5000 CDROM contains an installation package with new firmware image files for AP-4131:
• ap-4131.bin.img
• ap-4131-revert.bin.img
The WS5000 CDROM also includes the following file used for the initial AP-4131 port conversion:
• ap-4131.bin
11.1 AP-4131 Features in the WS5000 Series Switch

This section describes some of the AP-4131 features in the WS5000 Series Switch.
11.1.1 AP-4131 Port Adoption

A WS5000 Series Switch can adopt different types of Symbol RF ports. The switch supports
AP-100, AP-200, AP-300 and AP-3121 ports. It reuses the existing AP-4131’s implementation and supports AP-
4131 as well. The switch recognizes the AP-4131 model number and uploads the appropriate firmware to the
port.
Note SNMP traps or Syslog messages are not defined for AP-4131 port conversion
support.
11.1.2 AP-4131 Radio Configuration

An AP-4131 contains one 802.11b radio. The AP-4131 radio supports the same set of configuration parameters
as other 802.11b radios supported by the switch (such as power, channel, rates, secure beacon, CCA, and
diversity).
An AP-4131 does not support antenna type detection (external vs. internal).It always displays the antenna type
as Unknown. You must enter a valid Antenna Correction Factor to prevent the radio from transmitting at
power levels illegal for the configured regulatory domain.
11.1.3 Multiple BSS and ESS Support

A converted AP-4131 supports 4 BSSIDs and 16 ESSIDs. It uses the same mapping as other APs with similar
features such as the AP3000 and the AP-200B.
11.1.4 Rate Scaling

The rate scaling algorithm is not impacted by the AP-4131 conversion. Rate information is stored and
communicated to AP-4131 as a bit mask with the rates sorted by their numeric value irrespective of the
AP-4131 modulation (1, 2, 5.5 and 11Mbps).
11.1.5 AP-4131 Features Unavailable after Conversion

When the AP-4131 operates as an access point, it supports Bluetooth Coexistence. Bluetooth Coexistence
allows the AP-4131 and MUs to share network resources with Bluetooth RF terminals during a user-specified
interval. Bluetooth Coexistence is not available after the AP-4131 is converted and adopted by a WS5000
Series Switch.
Converting AP-4131 Access Points to RF Ports 11-3
11.2 Converting AP-4131 to Access Ports

To convert AP-4131 to access ports:
1. Connect the AP4131 to a PC with serial cable.
2. Open the Hyper terminal select the COM port to which the serial cable is connect and set the following
parameters:
Baud Rate : 19200
Data: 8 bit
Parity : None
Stop : 1 bit
Flow Control : hardware
The Access Point Configuration Main Menu appears.
3. Enter the Admin mode. The default password is Symbol (it is case-sensitive).
4. Select the Special Functions --> Firmware Update menu.
5. Press the F3 button.
6. Update the access point firmware using the TFTP or XMODEM.
11.2.1 Updating the Access Point Firmware Using the TFTP Program
To update the access point using the TFTP program:
1. Change the firmware filename to ap-413X.bin in the Alter Filename(s)/HELP URL/TFTP Server
section.
2. Change the TFTP server IP address to point to your TFTP server.
3. Select Firmware from the Use TFTP to update Access Points: section and press the enter key.
You can also update the firmware using the TFTP program by configuring the AP4131 applet. The default login
and password (both case-sensitive) for the AP4131 applet are:
Username: admin
Password: Symbol
11.2.2 Updating the Access Point Firmware Using the XMODEM

To update the access point using the XMODEM:
1. Select Firmware from the Use XMODEM to update Access Points: section and press the enter key.
2. Select Transfer menu --> Send from the HyperTerminal. Select the file ap-4131.bin as the file to be
transferred and select the XMODEM protocol. Click Send.
This updates the access point firmware.
After the system updates the firmware, it displays the message: Downloading firmware using
WISP on the HyperTerminal. Now, the AP4131 is ready to get adopted by the switch.
11.2.3 Adding an Access Port

To add an AP-4131 to the WS5000, use the add AP4131 command:
Description
Adds new AP-4131 access port to the WS5000 Series Switch
Syntax
WS5000.(Cfg).APPort> add AP4131 <AP MAC> <Radio 1> <Radio 1 MAC> [location] [CR]
Parameters
Name of radio 1, MAC of radio 1 - B radio, mandatory location - optional
Example
WS5000.(Cfg).APPort> add AP4131 <00A0F8A0A89D> <Radio 1> <00A0F8A1A66E>
[location] [CR]
11.2.4 Mapping BSS and ESS IDs

To map up to four ESS IDs to four primary BSS IDs to a converted AP-4131, use the map ap4131 command.
Description
Enters four ESS IDs and four primary BSS IDs that are mapped and used for the AP-4131
Syntax
WS5000.(Cfg).APPolicy.[pol_name]> map ap4131 [CR]
Parameters
None
11.3 Reverting to Access Point Functionality

The WS5000 Series Switch can revert a converted AP-4131 to a traditional access point.
To revert an AP-4131 to a traditional access point, the switch must keep multiple versions of the firmware for
the same type of RF port. During adoption, the switch uses the version of the firmware with the highest version
number by default. You can specify a different version of the firmware for the RF port.
To revert an AP-4131 back to access point functionality, the switch includes an additional firmware file (ap-
4131-revert.bin.img). The firmware version is set to 0.0.0.0 to ensure the file can never be used as a default
adoption file. The file is created using the latest released version of AP-4131 firmware.
To revert the AP-4131:
Select the ap-4131-revert.bin.img for each AP-4131 requiring conversion
The switch sends the file to a converted AP-4131 using an existing WISP firmware download.
After the download completes, the AP-4131 becomes an independent access point again. You can apply any
custom releases or patches after the revert procedure completes.
Converting AP-4131 Access Points to RF Ports 11-5
11.4 WS5000 Switch Applet Behavior

The WS5000 Series Switch applet displays three new icons for an adopted AP-4131:
• normal
• alert
• offline
The applet adds ap4131 to 4BSS-16ESS tabs in the WLAN-BSS Mapping screen and the Bandwidth screen.
The applet also adds AP-4131 to the list of device types. AP-4131 has an 802.11b radio with the MAC address
the same as the device MAC address.
Configuring the WS5100 WTLS VPN
A Virtual Private Network or VPN is a protected network connection that tunnels through an unprotected
connection. The WS5100-VPN uses a VPN connection to protect wireless transmissions on the untrusted side
of the switch.
The VPN functionary includes the following:
• On Board VPN server
• Firewall
• Network Address Translation (NAT)
This chapter also includes
• VPN Session Setup
12.1 Onboard DHCP

Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to computers using TCP/IP. A
DHCP server assigns addresses to computers configured as DHCP clients.
WS5100 VPN consists of two DHCP servers:

1. Onboard DHCP server—This server is on the box and provides public IP address to the VPN client.
2. VPN DHCP server —This server resides inside the VPN server and provides private IP address to the VPN
client.The VPN server can relay DHCP requests to an external DHCP server or use its own DHCP server.
Note You can configure the internal DHCP server on the box to provide public IP
addresses to VPN clients. The server uses relay to transfer virtual IP addresses to VPN
clients.
A device on the untrusted side of the network receives a public IP address from the onboard DHCP server. After
the server authenticates the device, it retrieves a virtual IP address using DHCP relay from the external DHCP
server or from the VPN DHCP server. When the device sends and receives packets, the virtual IP address is
“wrapped around” the public address to enforce secure transmission.See Configuring DHCP Server using CLI
in Chapter 1, WS5000 Series Switch Overview.
12.2 On Board VPN server

The VPN functionary introduces the concept of trusted and untrusted networks. A trusted network is a
collection of devices authenticated and authorized to access network resources using a secure network
connection. To ensure that the network is completely secure, the connection should be fixed (wired) and the
network perimeter should be defined (in a secure building, for example).
An untrusted network is any network connection not secured (such as wireless, wired internet and dial-in) and
the identity of a connected device cannot be directly verified. Each device on the untrusted LAN segment
connects to the trusted network through a VPN tunnel.
Figure 12.1 shows a network with trusted and untrusted segments.
Configuring the WS5100 WTLS VPN 12-3
Figure 12.1 Network with Trusted and Untrusted Elements
WS 5100-V P N
Eth1 Eth2
Layer 2 S witch Layer 2 S witch

A B
P OE
AP 100
Internet
Wireles s
C lients
C omputer
LAN WL A N
Trusted Network
Untrusted Network
12.2.1 DHCP Relay and VPN

DHCP relay is a mechanism that enables an external DHCP server assign virtual IP addresses. The VPN server
relays DHCP request to an external DHCP server in the private side.
To configure the DHCP relay mechanism so that it relays the DHCP for getting private IP address to the external
DHCP server:
1. Enable the DHCP relay and configure the IP address, netmask etc., of the external DHCP server as
follows:
WS5000.(Cfg).wvpn.ip_pools> enable
Enabling...Status : Success.
WVPN IP Pools:
DHCP Enabled : yes
Available Pools:
1. default.
2. Set the DHCP IP address as the External DHCP server's IP (where you want to relay the DHCP req)
WS5000.(Cfg).wvpn.ip_pools.[default]> set dhcpServer 1.1.1.1
12.2.2 Dynamic DNS

Each time a VPN client connects to the VPN server, an IP-address is allocated for the client. The server then
sends a DNS Update to a pre-configured DNS server. Both the forward and reverse zone will be updated. The
master DNS server for the zone will be obtained through a DNS SQA query.
The following CLI commands are used to configure the Dynamic DNS settings:
1. Show dynamic DNS settings:
WS5000.(Cfg).WVPN.DDNS>show
The output of this CLI command will look like the following:
DNS Enable : boolean
Time to Live (ttl) : long
Forward Zone : string
Reverse Zone : string
Total DNS addresses : xx
1 : IP address
…
XX : IP address
2. Configure DNS Update Commands

WS5000>configure WVPN DDNS
WS5000.(Cfg).WVPN.DDNS>set updateClientDns
This CLI command sends an updateClientDns request to the AirBeam Safe VPN Server to send
new updates to the DNS server for all clients that are currently established to the AirBeam Safe
Server.
WS5000>configure WVPN DDNS
WS5000.(Cfg).WVPN.DDNS>set clearClientDns
This CLI command sends a clearClientDns request to the AirBeam Safe Server to send delete operation
for all clients that are currently established to the AirBeam Safe Server.
3. Add/Remove DNS Server address
• Add a DNS Server ip address
WS5000>Configure WVPN DDNS
WS5000.(Cfg).WVPN.DDNS>add DnsServerAddr < ip>
This CLI command adds a DNS Server address to the existing list of DNS Server addresses.
• Remove a DNS Server ip address
WS5000.(Cfg). WVPN. DDNS>remove DnsServerAddr <ip>
This CLI command removes an existing DNS Server address from current list of DNS Server
addresses.
4. Configure DNS Properties

• update
WS5000.(Cfg). WVPN. DDNS> set enable <Boolean value>
• ttl
WS5000.(Cfg). WVPN. DDNS> set ttl <Long value>
• entry (clientName)
WS5000.(Cfg). WVPN. DDNS>add entry <String value>
• forwardZone
WS5000.(Cfg). WVPN. DDNS> set forwardZone <String value>
• reverseZone
WS5000.(Cfg). WVPN. DDNS> set reverseZone <String value>
12.2.3 Certificates
Certificates are security credentials that allow network users to prove their identity. A certificate includes the
owner's public key, the expiration date of the certificate, the owner's name and other information about the
public key owner. The verification of these items is done through a Certificate Authority (CA). A CA is a
company that’s set up to generate individual certificates to requestors upon verification of proof of identity.
The WS5100-VPN requires the following types of certificates:
• A CA certificate that’s used to authenticate the certificate issuer.
• A PKCS12 server certificate, issued by a Certificate Authority.
Both certificates must be made available to the WS5100-VPN by copying them to a switch-accessible TFTP
server.
In addition, the Symbol AirBEAM VPN Client must be loaded on all Mobile Units requesting VPN services,
AirBEAM Client is used to download the certificate to the device.
12.2.3.1 PKI and PKCS12 Certificates

Public Key Infrastructure is a protocol that creates encrypted public keys using digital certificates from
Certificate Authorities. PKI ensures that each online party is who they claim to be.
PKCS12 is the Personal Information Exchange Syntax Standard and specifies a portable format for storing or
transporting a user's private keys, certificates and miscellaneous secrets. PKCS12 is for client certificates only,
and is used during SSL client authentication. For the WS5100-VPN, even low-end legacy devices (like DOS-
based terminals) can use PKCS12 certificates.
For more information on PKCS12, see:
http://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/index.htm
12.2.4 WVPN Authentication

A request for authentication made by a VPN client on the untrusted network can be forwarded to a VPN server
which proxies to the RADIUS server (internal or external). The trusted RADIUS server authenticates the client
and allows VPN client access from the untrusted network to the trusted network.
Note VPN server supports both, internal and external, RADIUS server authentication.
The RADIUS server database can be either Local or LDAP.
12.2.4.1 Simple Authentication

To configure simple authentication (non-RADIUS), set the simple username, password and domain by using the
following CLI command:
WS5100_VPN>conf wvpn auth simple
WS5000(Cfg) .wvpn.auth.simpleAuth>set simpleUser userName
WS5000(Cfg) .wvpn.auth.simpleAuth>set simplePassword ******
WS5000(Cfg) .wvpn.auth.simpleAuth>set simpleDomain domainName
Table 12.1 lists and describes the CLI commands used to configure simple authentication server settings:
Table 12.1 Simple Authentication Settings
To Use the CLI Command

Show Authentication Server WS5000>show WVPN AUTH
settings. (This command will show
all the Authentication Server
related configurable parameters)
Configure simpleAuthUserName WS5000(Cfg) .wvpn.auth.simpleAuth>set simpleUser
userName
Configure simpleAuthPassword WS5000(Cfg) .wvpn.auth.simpleAuth>set
simplePassword ******
Configure simpleAuthDomain WS5000(Cfg) .wvpn.auth.simpleAuth>set simpleDomain
domainName
12.2.4.2 RADIUS Authentication

A request for authentication made by a VPN client on the untrusted network can be forwarded to a VPN server
which proxies to the RADIUS server. The RADIUS server authenticates the client and allows VPN client access
from the untrusted network to the trusted network. RADIUS Proxy can be enabled by typing enable at the CLI
command prompt as shown below.
WS5000.(Cfg).wvpn.auth.wvpnradius> enable
Enabling...
Status : Success.
RADIUS authentication status :Enable
The primary and secondary RADIUS servers can be set using either of the following commands in CLI.
WS5000.(CFG).wvpn.auth.wvpnradius>set ?
set <primary/secondary> host <name/IP> [port] [timeout] [retry] [userpwd]
or
set <primary/secondary> <radius_parameter> <value>
Table 12.2 describes how to configure the server by settings the parameters for each RADIUS server. The VPN
server supports any number of servers:
Table 12.2 RADIUS Authentication Setting
To Parameter used CLI command used

set the RADIUS host name host WS5000.(Cfg).wvpn.auth.wvpnradius>set ?
set <primary/secondary> host <name/IP>
or IP address.
Note To use on-board RADIUS server to authenticate the VPN clients, set any of the
switch interface IP address as the RADIUS IP address (in the configuration above).
set the RADIUS port. Port WS5000.(Cfg).wvpn.auth.wvpnradius>set ?

set <primary/secondary> port <value>
Default is 1812
set RADIUS timeout. timeout WS5000.(Cfg).wvpn.auth.wvpnradius>set ?
set <primary/secondary> timeout <value>
Value range is 5-20
millisecs
set RADIUS retry. Valid retry WS5000.(Cfg).wvpn.auth.wvpnradius>set ?
set <primary/secondary> retry <value>
range 1- 10.
set RADIUS user userpwd WS5000.(Cfg).wvpn.auth.wvpnradius>set ?
set <primary/secondary> userpwd <value>
password. (Dummy
password).
Note Some servers require the password attribute to be a non empty string.If this value
is set, this string will be used as password. This password is usually left blank to ensure
that different RADIUS users are authenticated.
12.2.4.3 IP Pool configuration

Table 12.3 lists and describes the CLI commands used to configure the WVPN IP Pool settings:
Table 12.3 IP Pool Configuration
To CLI command used

enter WVPN Pool configuration Configure wvpn pool [enter]
WS5000.(Cfg).wvpn.pool>
add an IP Pool WS5000.(Cfg).wvpn.pool >add pool <pool name> <begin
IP> <end IP>
remove an IP Pool WS5000.(Cfg).wvpn.pool >remove pool <pool name>
Table 12.3 IP Pool Configuration
To CLI command used

get the index number WS5000.(Cfg).wvpn.pool >show pool <pool name>
Output of this command (Index is in bold)

IP Ranges:
0) 111.111.111.150-111.111.111.160
enable/disable use of DHCP WS5000.(Cfg).wvpn.pool >enable/disable

Gateway
set ip pool netmask WS5000.(Cfg).wvpn.pool[pool name] >set netmask
<netmask>
set IP Pool DHCP Server IP WS5000.(Cfg).wvpn.pool[pool name] >set dhcpServer
<ip address>
address
set IP Pool default gateway WS5000.(Cfg).wvpn.pool[pool name] >set
<defaultGateway <ip address>
set IP Pool DNS Address WS5000.(Cfg).wvpn.pool[pool name] >set dns
<ip address>
set IP Pool WINS Address WS5000.(Cfg).wvpn.pool[pool name] >set wins
<ip address>
set IP Pool domain name WS5000.(Cfg).wvpn.pool[pool name] >set domain
<domain name>
set IP Pool NETBIOS Node Type WS5000.(Cfg).wvpn.pool[pool name] >set nodeType
<node type>
Node type can be: H-node, B-node, P-node, & M-node. H-node is the
default
set IP Pool domain name WS5000.(Cfg).wvpn.pool[pool name] >set domain
<domain name>
set IP Pool DHCP Lease Time WS5000.(Cfg).wvpn.pool[pool name] >set dhcpLeaseTime
< duration in seconds>
add a range to an existing pool WS5000.(Cfg).wvpn.pool[pool name] >add range
<begin IP> <end IP>
remove a range from an existing WS5000.(Cfg).wvpn.pool[pool name] >remove range
<begin IP> <end IP>
pool
OR
WS5000.(Cfg).wvpn.pool[pool name] >remove rangeIndex
<index number>
set IP Pool Reuse timer WS5000.(Cfg).wvpn.pool[pool name] >set reuseTime <

duration in seconds>
This IP address reuse time is used only when all pool ranges are exhausted.
Once pool is depleted and a new request is made for an address, the current
list of active IP addresses are checked to see how long they are idle. Those
IP addresses that are greater than this reuse time are reallocated and
handed out to the new client.
12.2.4.4 Certificate configuration

Table 12.4 lists and describes the CLI commands used to configure the WVPN certificate loading, generation
and configuration in switch:
Table 12.4 Certificate Configuration
To CLI command used

enter certificate Configure wvpn
cert
configuration
show the server WS5000>show cert
certificates
Expected output
Certificate end user names:
----------------------------
server
CA Certificate Serial Numbers:
--------------------------------
781077985
show the properties of a WS5000.(Cfg).wvpn.cert >decode cert <Certificate number>

server certificate
Expected output
Certificate Information:
Serial number: 1
Issuer: C=ZA; S=Western Cape; localityName=Cape Town;
O=Thawte Consulting cc; OU=Certification Services
Division; CN=Thawte Server CA; E=server-certs@thawte.com
Subject: C=ZA; S=Western Cape; localityName=Cape Town;

O=Thawte Consulting cc; OU=Certification Services
Division; CN=Thawte Server CA; E=server-certs@thawte.com
Valid from 838854000 to 1609459199
import a CA certificate WS5000.(Cfg).wvpn.cert >import caCert <filename>
import Server certificate WS5000.(Cfg).wvpn.cert >import serverCert <PKCS file>

<password> [<CA Cert filename>]
TFTP a remote file and WS5000.(Cfg).wvpn.cert >tftpImport caCert <IP address>
<path/filename>
import a CA certificate
TFTP a remote server WS5000.(Cfg).wvpn.cert >import serverCert <TFTP Server IP
Address> <PKCS file> <password> [<CA Cert filename>]
certificate and import
remove a CA certificate WS5000.(Cfg).wvpn.cert > remove caCert <Certificate
number>
Table 12.4 Certificate Configuration
To CLI command used

show list of uploaded WS5000.(Cfg).wvpn.cert > directory certs
certificates
Expected output
anotherca.cer 582 Mar 16 07:39

ca-x509.cer 791 Mar 16 07:39
ca.cer 815 Mar 16 07:39
jiar.cer 578 Mar 16 07:39
jiar.p12 834 Mar 16 07:39
server-x509.cer 873 Mar 16 07:39
test(wtls).cer 390 Mar 16 07:39
test(wtls).p12 3642 Mar 16 07:39
testCA(wtls).cer 405 Mar 16 07:39
12.2.4.5 VPN Session License

A licensing mechanism ensures that the user provide a valid license key to access the VPN. The number of
simultaneous license sessions serverd by the VPN server is controlled by the license file—/etc/wvpn/
license.lk.This file is unique for every switch and is generated on the basis of the MAC based serial
number of the switch.
The switch,by default, does not support VPN. To enable the VPN you need to supply a valid license file.Table
12.5 lists and describes the CLI commands used to configure the VPN session license:
Table 12.5 Configuring VPN Session License
To CLI command used

supply a valid license file to enable the VPN cfg> set vpnsupport enable <license file>
session
pick the license file from /image cfg> copy tftp system
Note This CLI picks up the license file and places it

at /etc/wvpn/ license.lk, which is then
accepted by the VPN server.This CLI also reboots the
switch and on restart the WVPN server is allocated
the number of sessions as indicated by the license
file.
disable the VPN support cfg> set vpnsupport disable
Note This CLI reboots the switch and disables the

VPN on restart.
Table 12.5 Configuring VPN Session License
To CLI command used

enable the VPN support cfg> set vpnsupport enable
Note You don’t need to provide the name of the

license file as the switch will use the license.lk file
that was either disabled earlier or use the pre-
loaded file.
show the status of vpnsupport, whether its cfg> show vpnsupport

enabled or disabled.
show the MAC based serial number that is cfg> show vpnsupport
used to generate a license file
increase the number of sessions allowed in cfg> wvpn> set licensefile <license file>
license file
Note This CLI picks up the license file and places it
at /etc/wvpn, which is then accepted by the VPN
server. This CLI does not reboot the switch.
The license key is decrypted to yield two items-a MAC address, which must match the switch being configured
and the number of VPN sessions to allow.
Note A site license will have a customer-specific code embedded into the MAC
address field; in this case the MAC address value will not be a valid address for any
Ethernet device anywhere. This license entitlement will be meant for use by any and all
switches owned by the customer.
Note Both wired and non-wired VPN clients are supported.
12.2.5 AES versus 3DES

The Advanced Encryption Standard (AES) protocol is a block cipher that supports 128, 192 and 256-bit keys and
encryption blocks and is being implemented as a replacement for 3DES (Triple Data Encryption Standard).
The critical advantage of AES over 3DES is that 3DES has been defeated while AES has proven to be much
more difficult to defeat. A further advantage of AES is that it is faster than 3DES.
In addition to being stronger and faster, AES can also protect WS5100-VPN DOS-based clients.
12.2.6 Wireless Transport Layer Security (WTLS)

WTLS is a security level protocol specifically designed to provide authentication and data
integrity for wireless traffic where access devices can change dynamically (such as access port
change due to environmental changes or roaming).
12.2.6.1 WTLS versus IPSec

The WS5100-VPN supports WTLS and not IP security (IPSec) for the following reasons:
• IPSec is a wired security protocol and WTLS provides for wireless communication in a
roaming environment.
• IPSec does not support IP fragmentation which forces packet sizes to be smaller and more
numerous. This increases overhead (by approximately 50%).
• IPSec does not support DOS devices.
• IPSec does not support standard NAT.
IPSec requires a full session handshake when a connection is lost then restored.
12.2.6.2 WTLS configuration

Table 12.6 lists and describes the CLI commands that are used to configure the WVPN WTLS (Wireless
Transport layer Security):
Table 12.6 WTLS Configuratin
To CLI command used

enter WTLS submenu WS5000> Configure WVPN
WS5000.(Cfg).wvpn> wtls
configure the ClientRsaKeySize WS5000.(Cfg).wvpn.wtls> set maxClientKey <Integer

value>
maximum values
Key sizes available: 512, 768, 1024, 1536, 2048, 3072, 4096, 7680, 15360
configure the ClientRsaKeySize WS5000.(Cfg).wvpn.wtls > set minClientKey <Integer
value>
minimum value
Key sizes available:512, 768, 1024, 1536, 2048, 3072, 4096, 7680,
15360
configure the RsaKeySize WS5000.(Cfg).wvpn.wtls > set maxRsaKey <Integer

value>
maximum value
Key sizes available: 512, 768, 1024, 1536, 2048, 3072, 4096, 7680,
15360
Table 12.6 WTLS Configuratin
To CLI command used

configure the RsaKeySize WS5000.(Cfg).wvpn.wtls > set minRsaKey <Integer
value>
maximum and minimum values
Key sizes available: 512, 768, 1024, 1536, 2048, 3072, 4096, 7680,
15360
configure the customCipher WS5000.(Cfg).wvpn.wtls > set customCipher <Integer

value>
value
Ciphers available: AES256, AES192, AES128, 3DES, DES56, DES40
configure the customMac value WS5000.(Cfg).wvpn.wtls > set customMac <Integer

value>
MACs available: MD5_128, MD5_80, MD5_40, SHA_512, SHA_384,

SHA_256, SHA_160, SHA_80, SHA_40
configure WS5000.(Cfg).wvpn.wtls > set

requireClientCertificate <Boolean value>
requireClientCertificate
configure keyRefresh WS5000.(Cfg).wvpn.wtls > set keyRefresh <Integer
value>
configure securityMode WS5000.(Cfg).wvpn.wtls > set securityMode <string>
The modes are: customSecurity, defaultSecurity
configure serverNumber WS5000.(Cfg).wvpn.wtls > set serverNumber <Integer

value>
show WTLS settings WS5000>show WVPN WTLS
(This command will show all the

WTLS related configurable
parameters)
12.3 VPN Session Setup
Figure 12.2 VPN Network Setup
12.3.1 Switch Setup

Table 12.7 lists and describes the CLI commands used to configure the various switch parameters.
Table 12.7 Switch Setup
To Use
set VPN support status set vpnsupport enable <license file> [CR]
set vpnsupport disable [CR]
WS5000.(Cfg)> set vpnsupport enable
Are you sure (yes/no) : yes
set up a new WLAN WS5000.(Cfg)>wlan add SampleWlan SampleEssid
Where SampleEssid is the ESSID

setup Access Port Policy WS5000.(Cfg)>appolicy
WS5000.(Cfg).APPolicy> add SampleAPPolicy
WS5000.(Cfg).APPolicy.[SampleAPPolicy]> add SampleWlan
Table 12.7 Switch Setup
To Use
setup Security Policy Create a new security policy SampleSecurity and assign it to SampleWlan.
WS5000.(Cfg)>securitypol
WS5000.(Cfg).SecurityPolicy> add SampleSecurity
Go to Wlan context
WS5000.(Cfg).WLAN.[ SampleWlan]> set security
SampleSecurity
In the SampleSecurity Policyt context enable VPN authentication:

WS5000.(Cfg)>securitypol
WS5000.(Cfg).SecurityPolicy>SampleSecurity
WS5000.(Cfg).SecurityPolicy.[SampleSecurity]>set
vpn enable
Setup Ether Policy WS5000.(Cfg)> etherpolicy
WS5000.(Cfg).EtherPolicy> add SampleEtherPolicy
WS5000.(Cfg).EtherPolicy.[SampleEtherPolicy]>vlan LAN1
WS5000.(Cfg).EtherPolicy.[SampleEtherPolicy].Vlan.
[LAN1]>set wlan SampleWlan
WS5000.(Cfg).EtherPolicy.[SampleEtherPolicy].Vlan.
[LAN1]> ..
setup Switch Policy WS5000.(Cfg)> spolicy
WS5000.(Cfg).SPolicy> add SampleSwitchPolicy
WS5000.(Cfg).SPolicy.[SampleSwitchPolicy]> set
countrycode US
etherpolicy SampleEtherPolicy
WS5000.(Cfg).SPolicy.[SampleSwitchPolicy]> set appolicy
SampleAPPolicy
adoptionlist default allow SampleAPPolicy
activate the Switch WS5000.(Cfg)> set switchpolicy SampleSwitchPolicy
Policy
setup DHCP Server Ethernet interface 1 is configured by default to 10.1.1.101
WS5000.(Cfg) Ethernet 1
WS5000.(Cfg).Ethernet.[1]> set dhcp_IP_Range 10.1.1.102
10.1.1.110
WS5000.(Cfg).Ethernet.[1]> set dhcpsrv enable
12.3.2 WVPN Setup

Download the CA certificate, server certificate, and server certificate keys on the switch using FTP or TFTP. The
server certificate keys should be in pfx/p12 format.Ensure the date and time on the swiitch are correct by using
WS5000.(Cfg)> date
Wed Aug 24 09:09:37 PDT 2005
Use the following CLI commands to download the CA certificate, server certificate, and server certificate keys
on the switch
WS5000.(Cfg)> wvpn
WS5000.(Cfg).wvpn> cert
WS5000.(Cfg).wvpn.cert> import /image/caCert cacert.cer
WS5000.(Cfg).wvpn.cert> import serverCert ?
import serverCert <server_pkcs12_key_file> <password> [<server_cert_file>]
Note File names must always be accompanied by directory path. For example: /
certs/ca.cer
WS5000.(Cfg).wvpn.cert> import serverCert /image/server.p12 password

server.cer
Certificates can also be placed on the tftp server. The tftp server import can be done by issuing the following
CLI commands:
WS5000.(Cfg).wvpn.cert> tftpimport caCert 192.168.4.3 cacert.cer
WS5000.(Cfg).wvpn.cert> tftpimport serverCert 192.168.4.3 server.p12 <key-
password> server.cer
Where 192.168.4.3 is the address of the tftp server.
Table 12.8 lists and describes the CLI commands used to configure the various WVPN parameters.
Table 12.8 WVPN Setup
To Use
setup the Authentication WS5000.(Cfg)> wvpn auth
WS5000.(Cfg).wvpn.auth> simple
WS5000.(Cfg).wvpn.auth.simpleAuth> set
simpleUser test
simplePassword test
simpleDomain test
Configuring IP Pools and the DHCP WS5000.(Cfg)> wvpn ip_pools
WS5000.(Cfg).wvpn.ip_pools> add pool default
server for WVPN. 192.168.4.70 192.168.4.90
WS5000.(Cfg).wvpn.ip_pools> default
WS5000.(Cfg).wvpn.ip_pools.[default]> set
dhcpServer 10.1.1.101
WS5000.(Cfg).wvpn.ip_pools.[default]> set
defaultGateway 10.1.1.101
WS5000.(Cfg).wvpn.ip_pools.[default]> set dns
1.1.1.1
Make sure you have atleast one ip_pool with name default.
Note The above setup—Configuring IP Pools and the DHCP server for WVPN, is based
on an onboard VPN DHCP server. The configuration for using an extrernal/corporate
DHCP server is same except you need to provide the IP, defaultGateway and DNS of the
external DHCP server
12.3.3 Starting VPN Service

VPN serveice can be started once you download the CA certificate, server certificate, and server certificate
keys on the switch. To start the VPN service use
WS5000.(Cfg).wvpn> enable
The expected output of this command is
Enabling...
Status : Success.
WVPN Management:
WVPN License Type : Evaluation version,Total eval days 30,Eval days left
30
12.3.4 Client Setup

Open Mobile Companion on the client and create a new profile and enter a valid ESSID in the ESSID field.
Set the IP Config tab to DHCP and encryption to Open System to enable WEP encryption on the server side. Set
the Operating mode to infrastructure and the country code to USA.
12.3.4.1 Installing Certificates

Transfer the CA Certificate using ActiveSync (or any other program ) to a hand-held and import these
certificates in the VPN client. You can import the certificates by clicking on
AirBeam->Certificates>CA Certificates menu
Click Import and browse for the folder where the certificates were transferred during ActiveSync transfer.
Click on the Certificate to install the certificates on the hand-held. Repeat the process for all the certificates
that need to be imported.
12.3.5 Testing VPN Session Setup

Open the Mobile Companion and connect it to a switch (via the access port). This establishes a basic IP
connectivity via the WLAN and the client can obtain the outer IP address via DHCP (The range is between
10.1.1.102 to 10.1.1.110). You can now ping the public interface (In this case it is 10.1.1.101) of the switch from
the Mobile Companion in the hand-held.
To establish the VPN connection, open Air Beam and go to AirBeam->Profiles->Settings and set the VPN
server address in the Air Beam to point to the VPN Server. Change the Host to 10.1.1.101 and Port to
9102.Then establish the VPN connection using AirBeam->Connect option.
A successful authentication will create a virtual interface which will give access to the trusted network. This
provides access to the private interface/network of the switch.
Once the sessions are established use the config show sessions command to examine the established VPN
sessions. You should be able to see all VPN sessions established in the switch using following CLI command:
WS5000.(Cfg)> show sessions
12.3.6 TroubleShooting
Problem: 1 The Access Ports are not adopted
Possible Reasons:
1. You don't have a valid license key.
2. The country code in the switchpolicy is not set.
3. The MAC address corresponding to the Access Port is in the access port deny list of the switchpolicy.
4. Default action for the switchpolicy is deny.
Problem: 2 Show mu command does not show the hand-held in the list of mobile units although the
hand-held shows it is connected.
Possible Reasons:
1. Hand-held is not associated with the essid of the switch. It is associated with some other essid. In this
case make sure you associate with the essid of the switch
Problem: 3 Show mu command shows the hand-held in the list of mobile units but the ip address of the
hand-held is 0.0.0.0 or 169.x.x.x
Possible Reasons:
1. DHCP server is not running on the Ethernet interface 1 of the switch. Enable the DHCP server on the
switch.
2. IP Pool Range is not set for the DHCP server on Ethernet interface 1.
3. Etherpolicy is not configured properly on the switch. Make sure you have followed all the steps for
creating new etherpolicy and associating it with the active switch policy.
4. Hand-held is not configured properly. Make sure if encryption is used on the switch then the hand-held
has proper encryption settings. This can be done by editing the profile for current essid in Mobile
Companion and setting the correct encryption key.
Problem: 4 Hand-held gets a IP Address but Airbeam safe fails to connect to the VPN server
Possible Reasons:
1. VPN server address is not set properly in the Airbeam safe. This can be done by setting the Host value
in the Airbeam safe to the IP address of the Ethernet 1.
2. Default ip pool is not present in the switch. Make sure you create a "default" ip pool and set the DNS
and DefaultGetway entries for this pool.
3. ip_pool has dhcp server enabled.
4. Certificates are not properly installed on the switch. Install both client and server certificates on the
client.
5. CA Certificates are not installed on the hand-held. Install the proper certificates on the hand-held.
6. The date settings of the hand-held are not current. Change the date setting of the hand-held to the
current dates.
Problem: 5 Hand-held looses ip address after some time. It shows 0.0.0.0 as IP address on renewing
the ip address.
Possible Reasons:
1. Try warm-booting the hand-held. This may be because of the problem in the hand-helds.
12.4 Firewall
WS5000, with the introduction of VPN services, acts as a device at the boundary between a public and a
private network. As such it must act not only as an encryption/decryption point but also as a gateway and a
firewall between two networks.Hence Firewall and Port Filter functionality is required, which can filter the
traffic based on a configured list of hosts. It also provides selective enable/disable of web (http or https), telnet
and ftp on the management interface.
WS5000 acts as gateway and a firewall between public and a private network in the below pattern:
• Public: Un-Trusted LAN
• Private: Trusted LAN
WS5000 provides limited stateless firewall functionality for a configurable list of peers on private and public
networks. Firewall filtering is based on the existing packet classification engine. Part of the existing packet
classification functionality allows the traffic that matches classifiers to be allowed or denied. Same
functionality is used to implement firewall filtering.
Following are the different policies applied for the packets from different type of hosts:
1. LAN 1 - This LAN object refers to all the clients configured on Ethernet 1 (ep =1 by default).
2. LAN 2 - This LAN object refers to all the wired clients (Non VPN)configured on Ethernet 2 (ep =2 by
default).
3. LAN_VPN - This LAN object refers to wired VPN clients (ep = 3, refers to virtual interface for VPN
clients).IN policy is applied before the packets from the private LAN are forwarded from the Packet
Switch to the VPN server.OUT policy is applied to the packets as the VPN server sends them to the
private LAN.
The filters can applied in any of the LAN context by attaching a network policy to the LAN object.
Filters for MU with or without VPN are applied by attaching Network Policy to the WLAN object in the appolicy
context.
4. Wired hosts without VPN - Filtering uses IN and OUT policies that are associated with a LAN
configuration object.
Note You can create any number of LAN objects but at any given instance only LAN
object can be associated with a particular Ethernet port.
Table 12.9 lists and describes the CLI commands used to manage firewall in WS5000:
Table 12.9 Managing Firewall
To CLI command
enter firewall context WS5000.(Cfg)> fw
add a new LAN - lan3 WS5000.(Cfg).Fw> add lan3
add a network policy to the lan3 WS5000.(Cfg).Fw.[lan3]> set np testnppolicy
add port filter configuration to lan3 WS5000.(Cfg).Fw> addpf lan3 allow web
show lan3 configuration WS5000.(Cfg).Fw> lan3
remove lan3 WS5000.(Cfg).Fw> remove lan3
show details of all LAN WS5000.(Cfg).Fw> show
set Ethernet port to lan3 WS5000.(Cfg).Fw.[lan3]> set ep 1
set network policy for lan3 WS5000.(Cfg).Fw.[lan3]> set np testnppolicy
disable ftp on lan3 WS5000.(Cfg).Fw> addpf lan3 deny ftp
enable ftp on lan3 WS5000.(Cfg).Fw> addpf lan3 allow web
set description for lan3 WS5000.(Cfg).Fw.[lan3]> set desc "Lan 3"
12.5 Network Address Translation (NAT)

Twice NAT is used for non-VPN clients to establish communication with the trusted side network. When the
NAT feature is enabled, the switch can alter the source and destination IP addresses of packets so that hosts
on different subnets can communicate with each other.
For instance, when VPN is used, the real IP addresses of MUs are are allocated from a different subnet from
trusted wired hosts. A host cannot communicate with another host on a different subnet without an
intermediate router. This does not pose a problem for MUs that run the VPN client. They communicate with
trusted hosts, since the VPN server performs the IP address translation. However, MUs not running a VPN
session will be unable to do so. To get around this problem, the switch can translate the source and destination
IP address between the MU and wired host so that the MU can address the latter with an IP address on its
own subnet and vice versa.
Figure 12.2.1 displays the issues that need to be addressed to have an external device at address a.b.c.1
communicate with a device behind the firewall at address x.y.z.1:
Figure 12.3 Configuring NAT
12.5.1 Twice NAT Commands

To add the NAT entry pairs associating the local NAT address and the real IP address, go to the
conf.fw.eth2 context and use the set addnet command:
WS5100_VPN> config fw eth2
WS5100_VPN.(Cfg).Fw.[eth2]> set addnat ?
Syntax: set addnat <"remoteRealIp,localNatIp">
In this command, a NAT entry was added in the eth2 LAN.
To delete a NAT entry, use set delnat and specify the addresses to be deleted.
To add a range of NAT addresses, use set addrange:
WS5100_VPN.(Cfg).Fw.[eth2]> set addrange ?
Syntax: set addrange <"remoteRealIp,localNatIp,numEntries">
In this command, a range of NAT addresses was added in the eth2 LAN.
To delete a range of NAT addresses, use set delrange and specify the range to be deleted.
Neighboring APs
Access ports send out beacons at periodic intervals. By default, access ports send out one beacon frame every
100 milli-seconds. If more than one Access Port is connected to the WS5000 switch and all such Access Ports
are adopted, each Access Port will receive beacons from their neighboring access ports. These beacon frames
are passed to the WS5000 Switch.
The switch maintains a table, on a adopted AP - found AP basis, along with other information like the signal
strengths etc. Also, the switch maintains a similar table for the APs detected by an associated Mobile Unit.
(Only Symbol Mobile Units support this).
The following are the details of the two tables, accessible through SNMP:
13.1 ccPortalBeaconRptTable
This table describes the identification information and the signal values (in dBm) of beacons heard from
other Portals.
This table is indexed on
a. ccRapResultsRogueIndex
b. ccPortalBeaconRptPortalIndex
Table 13.1 ccPortalBeaconRptTable
Field Type Description

ccRapResultsRogueIndex Integer The index of the neighbor AP
that has been heard.
ccPortalBeaconRptPortalIndex Integer The index of the portal (adopted by
the switch), that has detected the
neighboring AP
ccPortalBeaconRptNumBeaconsHeard Counter32 Number of beacons reported in this
entry
ccPortalBeaconRptBest Integer32 The strongest beacon signal
strength heard
ccPortalBeaconRptWorst Integer32 The weakest beacon signal
strength heard
ccPortalBeaconRptSum Integer32 The sum of all signal values heard
ccPortalBeaconRptSumSquares Counter64 The sum of each signal value heard,
squared before summing
ccPortalBeaconRptMostRecent Integer32 The most-recent value of signal
heard for a beacon
ccPortalBeaconRptLastHeard DisplayString The time, at which the Finder AP
last heard from Found AP
ccPortalBeaconRpFinderMac DisplayString The MAC address of the finder AP
ccPortalBeaconRpFoundMac DisplayString The MAC address of the found AP
13.2 ccMuProbeRptTable
This table reports the AP’s detected by a Mobile Unit. It has information on the signal strength and when
the Mobile Unit last heard from the AP. It is indexed on
a. ccMuMac
b. ccPortalIndex
Table 13.2 ccMuProbeRptTable

ccMuProbeRptSignalMostRecent Integer32 The signal strength (in dBm), of the most-
recently heard beacon from the AP, as
reported by the MU.
ccMuProbeRptLastHeard DisplayString Snapshot of sysUpTime at the time the
prior item(s) in this entry were last
updated
ccMuProbeRptFinderMac DisplayString The MAC address of the MU, that
detected beacons from the Found AP
ccMuProbeRptFoundMac DisplayString The MAC address of the AP, that was
detected by the MU
Neighboring APs 13-3
13.3 Management Interface

The above tables, are populated when the the RogueAP/DetectorAP scan is enabled or the MU scan is enabled
in the RogueAP CLI context. You can also enable these using the RogueAP feature within the GUI.
Enhanced RF Statistics
Enhanced RF Stats is a feature to monitor the RF environment of the wireless switch system. RF stats includes
an extensive set of RF parameters which are maintained by the wireless switch which are sourced from the
data packets and the WISP packets that are transmitted to and from the switch. All the statistics are gathered
at runtime and none of these parameters are persistent. Hence on a reboot all these parameters are reset. The
system provides only an SNMP interface to query the parameters. All the parameters are read-only. The
parameters include AP, Radio and MU statistics. Each of Radio and MU in-turn have Static, Raw and Derived
parameters which are grouped based on type. For the AP, only the static parameters are supported. The
description of the SNMP tables and their contents is as below.
This chapter also describes how enhanced RF Statistics can be used to detect common wireless networking
problems in Explanation of Enhanced RF Statisitcs on page 14-32
14.1 ccApTable
DESCRIPTION: This table contains general information related to an AP. It holds details regarding the APs
connected to the switch and all their packet information. It identifies all access ports and their radios, (called
“Portals”) associated with the wireless switch.
INDEXED ON:ccApIndex

ccApIndex Integer32 Small, arbitrary integer index.
ccApNicMac PhysAddress MAC Address of Access Port.
ccApModelNumber DisplayString Model number of Access Port.
ccApSerialNumber DisplayString Serial number of this Access Port.
ccApPcbRevision DisplayString Revision of the printed circuit board for this
Access Port.
ccApBootLoaderRev DisplayString Revision of the boot loader code in this Access
Port.
ccApWispVersion DisplayString Version of the WISP (AP / Switch) protocol
implemented by this Access Port.
ccApRuntimeFwVersion DisplayString Version of run-time code on this Access Port.
ccApNumPortals Unsigned32 The number of portals implemented on this
Access Port.
ccApPointersToPortals MultiPointer255 If bit <n> of this value is set, this ApTable entry
'points' to entry <n> in the portal Table.
Such a reference conveys that the portal entry
pointed-to represents a portal contained in the
Access Port represented by this entry.
Note Since one

Access Port can
implement 1, 2, (and
in the future
possibly more) portals, this
'pointer' field is a bit-mask
14.2 ccPortal
14.2.1 ccPortalTable
DESCRIPTION: It contains all the general information related to each portal. It indentifies all access ports and
their radios (called “Portals”) associated with the wireless switch.
The ccPortalTable lists all radios (“Portals”) currently adopted by the wireless switch.
INDEXED ON:ccPortalIndex

ccPortalIndex INTEGER Small, arbitrary integer index
Enhanced RF Statistics 14-3

ccPortalPointerToAp SinglePointer This value is the index in the ApTable for the
entry representing the Access Port that
contains this portal.
Since each portal has one and only one Access
Port as 'Parent', this value is a simple integer,
not a bit-mask.
ccPortalPointersToWlans MultiPointer63 Reserved for future implementation.
ccPortalName DisplayString Name of this portal, as assigned by the web UI
or CLI.
ccPortalLocation DisplayString Location string for this portal, as assigned by
the Web UI or CLI.
ccPortalOptions BITS This value describes the presence/absence of
internal and/or external primary and/or
secondary antennas. It also indicates if the
portal supports DTIM per BSS and/or WME.
ccPortalMac PhysAddress MAC address of the portal.
ccPortalNumberofEss Integer32 The number of ESSs implemented by this
portal.
ccPortalNumberOfBss Integer32 The number of BSSs implemented by this
portal.
ccPortalAssociatedMus Integer32 The number of MUs currently associated to
this portal.
ccPortalRadioType RadioType Radio type of the portal.
ccPortalChannel INTEGER The value describes the channel the portal is
currently operating on.
ccPortalTxPowerLevel Integer32 Output power level for the portal.
ccPortalLastAdoption TimeTicks The number of time-ticks elapsed since this
portal got adopted.
ccPortalState INTEGER This indicates the current state of the portal. It
can be one of:
offline
active
alert
reset
ccPortalBackgroundNoise Counter32 The number of samples, used to compute the
NumSamples
background noise statistics.
ccPortalBackgroundNoise Integer32 The least value of the background noise heard
Best
till now expressed in dBm.
ccPortalBackgroundNoise Integer32 The maximum value of the background noise
Worst
heard till now expressed in dBm.

ccPortalBackgroundNoise Integer32 Sum of the noise values (in dBm)
Sum
Note This value is

normally a negative
value ranging from -
10dBm to -80dBm. It
is possible for this value to be
positive, but that would be rare,
and would signal an
exceptionally strong signal.
ccPortalBackgroundNoise Counter64 Sum of the squares of the noise values (in

SumSquares
dBm)
(This value can be used to calculate the
standard deviation for noise values)
14.2.2 ccPortalLast Mac

ccPortalLastMac PhysAddress This scalar records the MAC address of the
most recent portal to be Adopted, UnAdopted,
or Denied.
14.2.3 ccPortalLastReason
ccPortalLastReason Integer This value indicates the reason for the most-
recent portal UnAdoption or Denial.
14.2.4 ccPortalSystemStatsTable
DESCRIPTION: The table contains statistics related to the management packets sent/received by each portal
INDEXED ON: ccPortalIndex

ccPortalSystemStatsBeaconTx Integer32 The number of beacons sent.
ccPortalSystemStatsBeaconsTxO Unsigned32 The number of octets sent in beacons.
ctets
ccPortalSystemStatsProbeReqRx Unsigned32 The number of probe request packets
received.

ccPortalSystemStatsProbeReqRx Unsigned32 The number of octets received in probe
Octets
request packets.
ccPortalSystemStatsProbeRespR Unsigned32 The number of probe response packets
etriesNone
sent with no retries.
etries1
sent with 1 retry.
etries2
sent with 2 retries.
etries3OrMore
sent with 3 or more retries.
etriesFailed
that were never successfully
transmitted because the max retry
count was reached.
ccPortalSystemStatsProbeRespT Unsigned32 The number of octets successfully
xOctets
transmitted in probe response packets.
(For example, the octets in a probe
response that is transmitted twice - i.e.
one retry - only counts once in this sum.
14.2.5 ccPortalStatsTable
DESCRIPTION: This table describes general statistics about data packets sent/received through each portal on
the switch.

ccPortalTxPktsUcast Counter32 Count of unicast packets sent through
the portal.
ccPortalRxPktsUcast Counter32 Count of unicast packets received
through the portal.
ccPortalRxPktsNUcast Counter32 Count of non-unicast (broadcast &
multicast) packets received through
the portal.
ccPortalTxOctetsUcast Counter32 Count of unicast octets transmitted
through the portal.
ccPortalRxOctetsUcast Counter32 Count of unicast octets received
through the portal.
ccPortalRxOctetsNUcast Counter32 Count of non-unicast (broadcast &
multicast) octets received through the
portal.
ccPortalRxUndecryptablePkts Counter32 Count of packets received through the
portal that could not be decrypted.

ccPortalLastActivity TimeTicks The number of time ticks elapsed since
portal’s last activity.
14.2.6 ccPortalRxPktsTable
DESCRIPTION: This table gives the statistics of the packets received by a portal at various rates.

ccPortalRxPktsAt1Mb Counter32 Number of packets received through
this portal at 1 Mbps
this portal at 2 Mbps
ccPortalRxPktsAt5pt5Mb Counter32 Number of packets received through
this portal at 5.5 Mbps.
this portal at 6 Mbps.
14.2.7 ccPortalTxPktsTable
DESCRIPTION: This table gives the statistics of the packets transmitted by a portal at various rates.

ccPortalTxPktsAt1Mb Counter32 Number of packets transmitted
through this portal at 1 Mbps.
ccPortalTxPktsAt5pt5Mb Counter32 Number of packets transmitted
through this portal at 5.5 Mbps.
14.2.8 ccPortalRxOctetsTable
DESCRIPTION: This table gives the statistics of the number of octets received by a portal at various rates.

ccPortalRxOctetsAt1Mb Counter32 Number of octets received through this
portal at 1 Mbps.
portal at 2 Mbps.
ccPortalRxOctetsAt5pt5Mb Counter32 Number of octets received through this
portal at 5.5 Mbps.

portal at 6 Mbps.
portal at 9 Mbps.
portal at 11 Mbps.
portal at 12 Mbps.
portal at 18 Mbps.
portal at 22 Mbps.
portal at 24 Mbps.
portal at 36 Mbps.
portal at 48 Mbps.
portal at 54 Mbps.
14.2.9 ccPortalTxOctetsTable
DESCRIPTION: This table gives the statistics of the number of octes transmitted by a portal at various rates.

ccPortalTxOctetsAt1Mb Counter32 Number of octets transmitted through
ccPortalTxOctetsAt5pt5Mb Counter32 Number of octets transmitted through
this portal at 5.5 Mbps.

14.2.10 ccPortalTxRetriesPktsTable
DESCRIPTION: This table gives the statistics of the number of retries for the packets transmitted by a portal.

ccPortalTxRetriesPktsNone Counter32 Number of packets successfully
transmitted through this portal with no
retries.
ccPortalTxRetriesPkts01 Counter32 Number of packets successfully
transmitted through this portal with 1
retry.
retries.
retries.
retries.
retries.
retries.
retries.

retries.
retries.
retries.
retries.
retries.
retries.
retries.
retries. This counter is deprecated.
ccPortalTxRetriesPktsFailed Counter32 Number of packets that never were
successfully transmitted through this
portal because the maximum retry
count was exceeded.
14.2.11 ccPortalTxRetriesOctetsTable
DESCRIPTION: This table gives the statistics of the number of retries w.r.t the octets transmitted by the portal.

ccPortalTxRetriesOctetsNone Counter32 Number of octets successfully
transmitted through this portal with no
retries.
ccPortalTxRetriesOctets01 Counter32 Number of octets successfully
retry.

retries.
retries.
retries.
retries.
retries.
retries.
retries.
retries.
retries.
retries.
retries.
retries.
retries.
retries. This counter is deprecated.

ccPortalTxRetriesOctetsFailed Counter32 Number of octets that never were
successfully transmitted through this
portal because the maximum retry
count was exceeded.
14.2.12 ccPortalSigStatsTable
DESCRIPTION: This table gives statistics about RSSI, Signal, Noise, and SNR for packets received by a portal.

ccPortalSigStatsNumPkts Counter32 Total packets received by the portal.
ccPortalSigStatsSignalBest Integer32 The best signal value seen by the portal so
far. (-20dBm is better than -60dBm)
ccPortalSigStatsSignalWorst Integer32 The worst signal value seen by the portal so
far. (-80dBm is worse than -60dBm).
ccPortalSigStatsSignalSum Integer32 Sum of all signal values (in dBm) received by
the portal.
Note This
normally is a
negative value
ranging from -
10dBm to -80dBm. It is
possible for this value to be
positive, but that would be
rare, and would signal an
exceptionally strong signal.
ccPortalSigStatsSignalSumSquares Counter64 Sum of the squares of each signal value (in

dBm), calculated for the packets received by
this portal.
Unlike SignalSum, this value is never
negative, since the square of a negative
number is a positive.
ccPortalSigStatsSignalMostRecent Integer32 The signal value (in dBm) of the most recent
packet received by the portal. (-20dBm
signal is better than -60dBm).
This value is invalid, if the
ccPortalSigStatsNumPkts equals to 0.
ccPortalSigStatsNoiseBest Integer32 The best noise value seen by the portal so
far. (-80dBm noise is better than -70dBm).

ccPortalSigStatsNoiseWorst Integer32 The worst noise value seen by the portal so
far. (-50dBm noise is worse than -
60dBm).
ccPortalSigStatsNoiseSum Integer32 The sum of the noise values (in dBm)
received by the portal.
Like SignalSum, this value is normally a
negative value.
ccPortalSigStatsNoiseSumSquares Counter64 A sum of the squares of each noise value
calculated for packets received through this
portal.
As with SignalSumSquares, this value is
never negative.
ccPortalSigStatsNoiseMostRecent Integer32 The most recent noise value seen by the
portal so far. (-80dBm noise is better than
-70dBm).
This value is invalid when
ccPortalSigStatsSnrBest Integer32 The best SNR value seen by the portal so
far. (+30dBm SNR is better than +20dBm).
ccPortalSigStatsSnrWorst Integer32 The worst SNR value seen by the portal so
far. (+10dBm SNR is worse than +20dBm).
ccPortalSigStatsSnrSum Integer32 The sum of all the SNR values (in dBm)
calculated for this portal.
Unlike signal and noise, this value is never
negative.
ccPortalSigStatsSnrSumSquares Counter64 Sum of the squares of each SNR value (in
dBm) calculated for packets received
through this portal.
This value is never negative.
ccPortalSigStatsSnrMostRecent Integer32 The most recent SNR value seen by the
portal so far. (+30dBm SNR is better than
+20dBm).
This value is invalid if
14.2.13 ccPortalSumStatsShortTable
DESCRIPTION: This table contains the derived statistics calculated over 30 seconds window for each portal.

ccPortalSumStatsShortTimestamp TimeTicks The number of time ticks
elapsed since the beginning of
this window
ccPortalSumStatsShortNumPkts Unsigned32 The number of packets used to
calculate the statistics in this
window.
ccPortalSumStatsShortPktsPerSec100 ScaleBy100 Packets per second as
averaged over the 'window'.
Since SNMP does not convey
decimal values, the result is
multiplied by 100.
ccPortalSumStatsShortPktsPerSecTx100 ScaleBy100 Number of packets transmitted
per second as averaged over
the 'window'.
multiplied by 100.
ccPortalSumStatsShortPktsPerSecRx100 ScaleBy100 Number of packets received per
second as averaged over the
'window'.Since SNMP does not
convey decimal values, the
result is multiplied by 100.
ccPortalSumStatsShortThroughput Unsigned32 Actual number of bits sent and
received over the window,
divided by the number of
seconds in the window.
ccPortalSumStatsShortThroughputTx Unsigned32 Actual number of bits
transmitted over the window,
ccPortalSumStatsShortThroughputRx Unsigned32 Actual number of bits received
over the window, divided by the
number of seconds in the
window.
ccPortalSumStatsShortAvgBitSpeed Unsigned32 An average of the speeds of all
bits sent/received by the portal.
(For each possible speed,
multiply the number of octets
sent received by that speed;
divide the sum by the total
number of octets; multiply by
8).
ccPortalSumStatsShortAvgMuSignal Integer32 The average of all signal values
received over the window.

ccPortalSumStatsShortAvgMuNoise Integer32 The average of all noise values
over the window. (in dBm)
ccPortalSumStatsShortAvgMuSnr Integer32 The average of all SNR values
ccPortalSumStatsShortPp10kNUcastPkts PartsPer10k Ratio of packets that were not
unicast to the total number of
packets sent/received by the
portal. Expressed as parts-per-
10000.
ccPortalSumStatsShortPp10kTxWithRetries PartsPer10k Ratio of transmitted packets
that experienced one or more
retries to the total number of
transmission retries by this
portal.
Expressed as parts-per-10000.
ccPortalSumStatsShortPp10kTxMaxRetries PartsPer10k Ratio of transmitted packets
that were dropped due to
excessive retries to the total
number of packets transmitted
by this portal.
ccPortalSumStatsShortTxAvgRetries100 ScaleBy100 For all transmitted packets
(including those that
experienced some retries,
those that were successfully
transmitted in first attempt of
transmission, and those that
attempted maximum times and
gave-up), the average number
of re-transmission attempts.
multiplied by 100.
If there were no re-
transmissions, this value would
be 0. If every single packet
required exactly two
tranmissions, this value would
be 100, (representing 1.00).
ccPortalSumStatsShortPp10kRxUndecrypt PartsPer10k Ratio of received packets that
were undecryptable to the total
number of received packets.

ccPortalSumStatsShortTotalMus Unsigned32 The total number of Mobile
Units associated with the
portal.
ccPortalSumStatsShortPp10kRfUtil PartsPer10k The approximate utilization of
the portal's RF port. Calculated
as Throughput divided by
AvgBitSpeed. Expressed as
parts-per-10000.
ccPortalSumStatsShortPp10kDropped PartsPer10k The total number of packets
dropped divided by total
number of packets sent.
Dropped here means dropped
intentionally due to the
appropriate QoS queue being
full. Expressed as parts-per-
10000.
14.2.14 ccPortalSumStatsLongTable
DESCRIPTION: The derived statistics calculated over 1 hour window for each portal.

ccPortalSumStatsLongTimestamp TimeTicks The number of time ticks
the this window
ccPortalSumStatsLongNumPkts Unsigned32 The number of packets used to
window.
ccPortalSumStatsLongPktsPerSec100 ScaleBy100 Packets (both rx, tx) per second
as averaged over the 'window'.
multiplied by 100.
ccPortalSumStatsLongPktsPerSecTx100 ScaleBy100 Number of packets transmitted
per second as averaged over the
'window'.
multiplied by 100.

ccPortalSumStatsLongPktsPerSecRx100 ScaleBy100 Number of packets received per
'window'.Since SNMP does not
convey decimal values, the
result is multiplied by 100.
ccPortalSumStatsLongThroughput Unsigned32 Actual number of bits sent and
ccPortalSumStatsLongThroughputTx Unsigned32 Actual number of bits
ccPortalSumStatsLongThroughputRx Unsigned32 Actual number of bits received
window.
ccPortalSumStatsLongAvgBitSpeed Unsigned32 An average of the speeds of all
bits sent/received by the portal.
(For each possible speed,
multiply the number of octets
sent received by that speed;
divide the sum by the total
number of octets; multiply by 8).
ccPortalSumStatsLongAvgMuSignal Integer32 The average of all signal values
received over the window.
ccPortalSumStatsLongAvgMuNoise Integer32 The average of all noise values
ccPortalSumStatsLongAvgMuSnr Integer32 The average of all SNR values
ccPortalSumStatsLongPp10kNUcastPkts PartsPer10k Ratio of packets that were not
packets sent/received by the
portal. Expressed as parts-per-
10000.
ccPortalSumStatsLongPp10kTxWithRetries PartsPer10k Ratio of transmitted packets
transmission retries by this
portal.

ccPortalSumStatsLongPp10kTxMaxRetries PartsPer10k Ratio of transmitted packets
number of packets transmitted
by this portal.
ccPortalSumStatsLongTxAvgRetries100 ScaleBy100 For all transmitted packets
experienced some retries, those
that were successfully
gave-up), the average number of
re-transmission attempts.Since
SNMP does not convey decimal
values, the result above is
multiplied by 100.
be 0.If every single packet
ccPortalSumStatsLongPp10kRxUndecrypt PartsPer10k Ratio of received packets that
number of received packets.
ccPortalSumStatsLongTotalMus Unsigned32 The total number of Mobile
Units associated with given
portal.
ccPortalSumStatsLongPp10kRfUtil PartsPer10k The approximate utilization of
the portal's RF port. Calculated
as Throughput divided by
AvgBitSpeed. Expressed as
parts-per-10000.
ccPortalSumStatsLongPp10kDropped PartsPer10k The total number of packets
dropped divided by total number
of packets sent. Dropped here
means dropped intentionally
due to the appropriate QoS
queue being full. Expressed as
parts-per-10000.
14.3 ccMus
14.3.1 ccMuInfoTable
DESCRIPTION: This table describes general information about each MU associated to the switch/AP.
INDEXED ON: ccMuMac

ccMuMac PhysAddress MAC address of the MU.
ccMuWlanIndex Integer32 Reserved for future implementation.
ccMuWlanName DisplayString The name of the WLAN this MU is associated
to.
ccMuIsDataReady TruthValue This value is true if the WS5000 is ready to
forward/switch packets to/from this MU.
Otherwise this value is false.
ccMuPortalIndex Integer32 The index of the entry in the portal table to
which this MU is associated.
ccMuPortalMac PhysAddress The MAC address of the portal to which this
MU is associated.
ccMuSymbolRogueApEna TruthValue If true, this MU supports Symbol's Rogue AP
detection assist algorithm.
ccMuIpAddr IpAddress IP address of the MU.
ccMuType INTEGER Type of the MU.
ccMuRadioType RadioType Radio type of the MU.
ccMuSupportedRates BITS A bit-mask of rates supported by this MU.
ccMuPowerMode INTEGER Power-mode implemented by the MU.
ccMuAuthenticationMethod INTEGER Authentication method used by the MU.
ccMuEncryptionMethod INTEGER Encryption method used by the MU.
ccMuVlanId Unsigned32 The VLAN that this MU is assigned to.
14.3.2 ccMuStatsTable
DESCRIPTION: It contains the number of data packets received form/transmitted to a MU which includes
unicast, non unicast and undecryptable packets
INDEXED ON: ccMuMac

ccMuTxPktsUcast Counter32 The number of unicast packets transmitted to
the MU.
ccMuRxPktsUcast Counter32 The number of unicast packets received from
the MU.

ccMuRxPktsNUcast Counter32 The number of non-unicast packets received
from a MU.
ccMuTxOctetsUcast Counter32 The number of unicast bytes transmitted to
the MU.
ccMuRxOctetsUcast Counter32 The number of unicast bytes received from an
MU.
ccMuRxOctetsNUcast Counter32 The number of non-unicast bytes received
from an MU.
ccMuRxUndecryptablePkts Counter32 The number of undecryptable packets
received from an MU.
ccMuRxRssiNumPkts Counter32 The number of packets received from a MU.
ccMuRxRssiSum Counter32 The sum of signal strength values of all the
packets received from this MU.
ccMuRxRssiSumSquares Counter32 The sum of the squares of signal strength
values of all the packets received from this
MU.
ccMuRxRssiMostRecent INTEGER The most recent value of the signal strength
received from this MU.
ccMuLastActivity TimeTicks The number of time ticks elapsed since MU’s
last activity.
14.3.3 ccMuRxPktsTable
DESCRIPTION: The number of packets received at various rates from the MU.
INDEXED ON: ccMuMac

ccMuRxPktsAt1Mb Counter32 The number of packets received from the MU at
1 Mbps.
2 Mbps.
ccMuRxPktsAt5pt5Mb Counter32 The number of packets received from the MU at
5.5 Mbps.
ccMuRxPktsAt6Mb Counter32 The number of packets received from the MU
at 6 Mbps.
9 Mbps.
11 Mbps.
12 Mbps.

18 Mbps.
22 Mbps.
24 Mbps.
36 Mbps.
48 Mbps.
54 Mbps.
14.3.4 ccMuTxPktsTable
DESCRIPTION: The number of packets transmitted to the MU at various rates
INDEXED ON: ccMuMac

ccMuTxPktsAt1Mb Counter32 The number of packets transmitted to the MU
at 1 Mbps.
at 2 Mbps.
ccMuTxPktsAt5pt5Mb Counter32 The number of packets transmitted to the MU
at 5.5 Mbps.
at 6 Mbps.
at 9 Mbps.
at 11 Mbps.
at 12 Mbps.
at 18 Mbps.
at 22 Mbps.
at 24 Mbps.
at 36 Mbps.

at 48 Mbps.
at 54 Mbps.
14.3.5 ccMuRxOctetsTable
DESCRIPTION: The number of bytes received from the MU at various rates.
INDEXED ON: ccMuMac

ccMuRxOctetsAt1Mb Counter32 The number of bytes received from the MU at 1 Mbps.
ccMuRxOctetsAt5pt5Mb Counter32 The number of bytes received from the MU at 5.5 Mbps.
14.3.6 ccMuTxOctetsTable
DESCRIPTION: The number of bytes transmitted to the MU at various rates.
INDEXED ON: ccMuMac

ccMuTxOctetsAt1Mb Counter32 The number of bytes transmitted to the MU at 1 Mbps.
ccMuTxOctetsAt5pt5Mb Counter32 The number of bytes transmitted to the MU at 5.5 Mbps.

14.3.7 ccMuTxRetriesTable
DESCRIPTION: The number of packets transmitted to the MU at various retries
INDEXED ON: ccMuMac

ccMuTxRetriesNone Counter32 The number of packets transmitted to the MU
with 0 retries.
ccMuTxRetries01 Counter32 The number of packets transmitted to the MU
with 1 retry.
with 2 retries.
with 3 retries.
with 4 retries.
with 5 retries.
with 6 retries.
with 7 retries.
with 8 retries.
with 9 retries.
with 10 retries.
with 11 retries.
with 12 retries.
with 13 retries.

with 14 retries.
with 15 retries.
ccMuTxRetriesFailed Counter32 The number of failed packet transmissions to
the MU.
ccMuTxRetriesTotal Counter32 A total sum of all retries across all packets
sent to this MU.
For example, if 4 packets have been sent, with
the following number of retires: 2, 0, 5, gave-
up, this value would be 2+0+5+16 = 23
ccMuTxRetriesMostRecent Counter32 The number of retries of the packet most
recently transmitted to the MU.
14.4 ccMuRfSum
14.4.1 ccMuTxRetriesOctetsTable
DESCRIPTION: The number of retries experienced w.r.t the bytes transmitted to the MU
INDEXED ON: ccMuMac

ccMuTxRetriesOctetsNone Counter32 The number of octets transmitted to the MU
with 0 retries.
ccMuTxRetriesOctets01 Counter32 The number of octets transmitted to the MU
with 1 retry.
with 2 retries.
with 3 retries.
with 4 retries.
with 5 retries.
with 6 retries.
with 7 retries.
with 8 retries.
with 9 retries.

with 10 retries.
with 11 retries.
with 12 retries.
with 13 retries.
with 14 retries.
with 15 retries.
ccMuTxRetriesOctetsFailed Counter32 The number of octets in failed packet
transmissions.
14.4.2 ccMuSigStatsTable
DESCRIPTION: The various signal strength information for this MU
INDEXED ON: ccMuMac

ccMuSigStatsNumPkts Counter32 The number of packets received from the MU.
ccMuSigStatsSignalBest Integer32 The best value of the signal strength in dBm.
ccMuSigStatsSignalWorst Integer32 The worst value of signal strength in dBm.
ccMuSigStatsSignalSum Integer32 The sum of signal strength of all the packets
received from the MU in dBm.
ccMuSigStatsSignalSumSquares Counter64 The sum of the square of the signal strength
of all the packets received from the MU in
dBm.
ccMuSigStatsSignalMostRecent Integer32 The most recent signal strength value
received from the MU in dBm.
ccMuSigStatsNoiseBest Integer32 The best noise value in dBm heard by the
Radio to which this MU is associated.
Here best value of noise implies the the least
noise value.
ccMuSigStatsNoiseWorst Integer32 The worst value of the noise strength in dBm
as received by the radio to which the MU is
associated.
ccMuSigStatsNoiseSum Integer32 The sum of all noise samples in dBm received
from the Radio to which the MU is
associsated.

ccMuSigStatsNoiseSumSquares Counter64 The sum of the square of all the noise samples
in dBm received from the radio to which this
MU is associated.
ccMuSigStatsNoiseMostRecent Integer32 The strength of the most recent noise value
heard from the radio to which this MU is
associated.
ccMuSigStatsSnrBest Integer32 The best value of SNR in dBm calculated for
this MU.
ccMuSigStatsSnrWorst Integer32 The worst value of SNR in dBm calculated for
this MU.
ccMuSigStatsSnrSum Integer32 The sum of all the SNR values in dBm
calculated for this MU.
ccMuSigStatsSnrSumSquares Counter64 The sum of the square of all the SNR values in
dBm calculated for this MU.
ccMuSigStatsSnrMostRecent Integer32 The most recent value of the SNR calculated
for this MU.
14.4.3 ccMuSumStatsShortTable
DESCRIPTION: The table contains derived statistics calculated over a window of 30 seconds.
INDEXED ON: ccMuMac

ccMuSumStatsShortTimestamp TimeTicks The number of time ticks
this window.
ccMuSumStatsShortNumPkts Unsigned32 The number of packets used to
window.
ccMuSumStatsShortPktsPerSec100 ScaleBy100 Packets per second as averaged
over the 'window'. Since SNMP
does not convey decimal
values, the result is multiplied
by 100.
ccMuSumStatsShortPktsPerSecTx100 ScaleBy100 The number of transmitted
packets per second as
multiplied by 100.

ccMuSumStatsShortPktsPerSecRx100 ScaleBy100 Number of received packets per
'window'.
multiplied by 100.
ccMuSumStatsShortThroughput Unsigned32 Actual number of bits sent and
ccMuSumStatsShortThroughputTx Unsigned32 Actual number of bits
divided by the total number of
ccMuSumStatsShortThroughputRx Unsigned32 Actual number of bits received
window.
ccMuSumStatsShortAvgBitSpeed Unsigned32 The average of the speeds of all
packets sent/received. (For
each possible speed, multiply
the number of octets sent/
received by that speed; divide
the sum by the total number of
octets; multiply by 8).
i.e. the average bit-speed at
which packets were sent/
received.
ccMuSumStatsShortAvgMuSignal Integer32 The average of all signal values
over the window.
ccMuSumStatsShortAvgMuNoise Integer32 The average of all noise values
over the window.
ccMuSumStatsShortAvgMuSnr Integer32 The average of all SNR values
over the window.
ccMuSumStatsShortPp10kNUcastPkts PartsPer10k Ratio of packets that were not
packets sent/received.
ccMuSumStatsShortPp10kTxWithRetries PartsPer10k Ratio of transmitted packets
packets sent or received.

ccMuSumStatsShortPp10kDropped PartsPer10k Ratio of transmitted packets
number of transmitted pakets.
ccMuSumStatsShortTxAvgRetries100 ScaleBy100 For all transmitted packets
decimal values, the result
above is multiplied by 100.
be 0. If every single packet
ccMuSumStatsShortPp10kRxUndecrypt PartsPer10k Ratio of received packets that
number of packets received.
Expressed in parts per 10000.
14.4.4 ccMuSumStatsLongTable
DESCRIPTION: The table contains derived statistics calculated over a window of 1 hour.
INDEXED ON: ccMuMac

ccMuSumStatsLongTimestamp TimeTicks The number of time ticks
this window.
ccMuSumStatsLongNumPkts Unsigned32 The number of packets used to
window.
ccMuSumStatsLongPktsPerSec100 ScaleBy100 Packets per second as averaged
over the 'window'. Since SNMP
does not convey decimal
values, the result is multiplied
by 100.

ccMuSumStatsLongPktsPerSecTx100 ScaleBy100 The number of transmitted
packets per second as
multiplied by 100.
ccMuSumStatsLongPktsPerSecRx100 ScaleBy100 Number of received packets per
'window'.
multiplied by 100.
ccMuSumStatsLongThroughput Unsigned32 Actual number of bits sent and
ccMuSumStatsLongThroughputTx Unsigned32 Actual number of bits
ccMuSumStatsLongThroughputRx Unsigned32 Actual number of bits received
window.
ccMuSumStatsLongAvgBitSpeed Unsigned32 The average of the speeds of all
packets sent/received. (For
each possible speed, multiply
thenumber of octets sent/
received by that speed; divide
the sum by the total number of
octets; multiply by 8).
i.e. the average bit-speed at
which packets were sent/
received.
ccMuSumStatsLongAvgMuSignal Integer32 The average of all signal values
over the window.
ccMuSumStatsLongAvgMuNoise Integer32 The average of all noise values
over the window.
ccMuSumStatsLongAvgMuSnr Integer32 The average of all SNR values
over the window.

ccMuSumStatsLongPp10kNUcastPkts PartsPer10k Ratio of packets that were not
packets sent/received.
ccMuSumStatsLongPp10kTxWithRetries PartsPer10k Ratio of transmitted packets
packets sent or received.
ccMuSumStatsLongPp10kDropped PartsPer10k Ratio of transmitted packets
number of transmitted pakets.
ccMuSumStatsLongTxAvgRetries100 ScaleBy100 For all transmitted packets
decimal values, the result
above is multiplied by 100.
If there were no re -
be 0.If every single packet
ccMuSumStatsLongPp10kRxUndecrypt PartsPer10k Ratio of received packets that
number of packets received.
Expressed in parts per 10000.
14.5 RF-Traps
RF Traps are used to generate SNMP traps when some of the RF statistical values exceed a particular
threshold.The threshold values can be configured from the CLI. You can configure only the maximun value of
the threshold. The threshold values will always be compared with the most recent short window of the
corresponding RF statistical value.
A short window can be explained as :Time period over which the threshold values (of the derived statistics)
are computed (it has a value of 30 seconds).
To enable the RF Traps you have to set the snmp_trap for the corresponding event in events context. WS5000
v2.1 supports traps for AP, Switch and MU. Currently, traps for WLAN are not supported.
The following are the traps generated for AP, Switch and MU:
Table 14.1 RF Traps for APs
Trap Name Description
rfthreshold ap pps Packets per second as averaged over the 'window'.For transmitted packets,
each packet sucessfully sent counts as 1.
rfthreshold ap thrput Actual number of bits sent and received over the window, divided by the
number of seconds in the window.
rfthreshold ap avgbitspeed An octet-weighted average of the speeds of all packets sent/received. (For
each possible speed, multiply the number of octets sent received by that
speed; divide the sum by the total number of octets; multiply
by 8).
rfthreshold ap nonucast Ratio of packets that were non-unicast to the total number of packets sent/
received.
rfthreshold ap avgsig The average of all signal values over the window.
rfthreshold ap avgretries For all transmitted packets, the average number of re-transmission attempts.
rfthreshold ap percentdrop Packets dropped divided by packets sent. Dropped here means dropped
intentionally due to the appropriate QoS queue being full.
rfthreshold ap undecryptable Ratio of packets that were undecryptable to the total number of received
packets.
rfthreshold ap associatedmus The total number of MUs associated to the given AP.
rfthreshold ap minpkts Read the note below.
Note minpkts - Its the minimum number of packets required for the SNMP trap to
be fired.This should not be treated as a trap.
Table 14.2 RF Traps for MUs
rfthreshold mu pps Packets per second as averaged over the 'window'.
rfthreshold mu thrput Actual number of bits sent and received over the window, divided by the
Table 14.2 RF Traps for MUs
rfthreshold mu avgbitspeed An octet-weighted average of the speeds of all packets sent/received. (For each
possible speed, multiply the number of octets sent received by that speed;
divide the sum by the total number of octets; multiply
by 8).
rfthreshold mu nonucast Ratio of packets that were non-unicast to the total number of packets sent/
received.
rfthreshold mu avgsig The average of all signal values over the window.
rfthreshold mu avgretires For all transmitted packets, the average number of re-transmission attempts.
rfthreshold mu percentdrop Packets dropped divided by packets sent. Dropped here means dropped
intentionally due to the appropriate QoS queue being full.
rfthreshold mu undecryptable Ratio of packets that were undecryptable.
rfthreshold mu minpkts Read the note below.
Table 14.3 RF Traps for Switch
rfthreshold switch pps Packets per second as averaged over the 'window'.
rfthreshold switch thrput Actual number of bits sent and received over the window, divided by the
rfthreshold switch associatedmus The total number of MUs associated to the given Switch.
rfthreshold switch minpkts Read the note below.
14.6 Explanation of Enhanced RF Statisitcs

Symbol’s family of wireless products all share a rich set of monitoring variables, called enhanced RF
Statisitcs .This section describes those statistics, and how they can be used to detect common wireless
networking problems.
The information shown here is available both via SNMP and via the embedded Web UI. In mostcases, the
SNMP tables are shown for the sake of brevity.The statistics described here for a pyramid of information. The
specific details will be described from the bottom of this pyramid, working upwards.
Figure 14.1 Pyramid” of network infrastructure monitoring statistics.
Information is available to identify all Access Ports and their embedded radios, (called “Portals”), associated
with the wireless switch. Figure 14.2 and Figure 14.3 show the tables that give this general information.
Figure 14.2 The ccApTable lists all the Access Ports currently adopted by the wireless switch.
I
Figure 14.3 The ccPortalTable lists all radios (“Portals”) currently adopted by the wireless switch.
In a similar fashion, (see Figure 14.4 ), every MU currently associated with the device are shown in a table,
along with general information.
Figure 14.4 The ccMuInfoTable lists general information about every mobile unit currently associated.
Additional “raw” statistics are maintained for:

• Every MU currently associated to the device

• Every Portal currently adopted by the device
• The device in it’s entirety
For the remainder of this description, only the MU tables are shown, but there are nearly identical tables for
the Portals (the entire switch is represented by entry #1001 in the WLAN tables).
These stats are labeled “raw” as they count total occurrences since reboot. They are not timebased. To
determine the number of occurrences that have taken place over an interval of time, the counter is read at the
start of the interval and at the end of the interval, and the difference is calculated. These “raw” stats will form
the foundation of the “time-based” stats described below.
These stats are also “raw” in the sense that, (where possible), no resolution is lost. In most cases, every single
counter is offered in the form of an array that represents a histogram; (those histograms are summarized by
the “time-based” stats, described below).
Figure 14.5 shows tables that count the number of packets and octets that have been affected by each
possible number of retry attempts on transmission.
Figure 14.5 These tables show how many packets/octets have been affected by the given number of retries.
Figure 14.6 shows the tables that count the number of packets or octets, (bytes), that have been either
transmitted or received at every possible data rate.
Figure 14.6 These tables show counts of all packets/octets transmitted/received to/from the MU
Note In all cases, variables are named from the perspective of the network
infrastructure device. For example, a packet sent from an MU is, (for the MU), a
transmitted packet, but for the wireless switch, a received packet. Using this rule,
it would be counted as a received packet.
Figure 14.7 shows sums of signal, noise, and SNR readings for all packets received, in addition to the total
number of readings that have been taken, (“NumPkts”). Specifically, for each attribute, (signal, noise, SNR),
each of the following are maintained:
• sum — this can be used to calculate the average.
• sum of each value squared — this can be used to calculate the standard deviation.
• best, worst ever seen.
• most recent value observed — this is useful for determining the trend of the most recent values.
(It would have been prohibitive to provide a histogram of all signal/noise/SNR values observed).
Figure 14.7 The ccMuSigStatsTable shows statistics for signal, noise, and SNR.
All of the above “raw” statistics have no time interval – they count the number of occurrences
since the device booted-up. Those “raw” stats are summarized over selected time-intervals: the
“short” and “long” window.
The short window represents a summary of all the packets seen in the past 30 seconds. This 30 second
backwards view is recalculated every 30 seconds. The long window represents a summary of all the packets
seen in the past 1 hour, and is updated every 1 hour.
Note The intervals mentioned above are not configurable, and could possibly
change in the future. Their actual values can be determined from read-only SNMP
variables provided in each device.
Since the “raw” stats count all occurrences since reboot, these time-based stats avoid the need to read the
values, wait, read them again, and calculate the deltas.
When the network condition changes significantly, the values in the short window will vary significantly from
those in the long window, (see the detailed example below).
Figure 14.8 shows the short and long tables – they are identical, except for the time-interval represented.
Figure 14.8 The ccMuSumStats tables show the key history for the past 30 seconds and past 1hr.
The device can be programmed with thresholds for most of these time-based stats. Those thresholds can be
different for the entire switch than for the WLANs than for the APs than for the MUs. When a threshold is
crossed, an SNMP trap is generated. In order to avoid false-alarms, a trap is only generated if a sufficient
number of packets have been processed to be statistically significant.
14.6.1 A Sample Usage Example

The section below explains the appropriate way in which enhanced RF stats can be used to monitor the
wireless switch system’s RF environment. The Figure 14.9 shows a sample comparision of short stats and
long stats which are claculated over a period of 30 seconds and 1 hour respectively. As shown in the figure,
the short stats reflect sudden changes to the RF environment whereas the long stats reflect a long term
average of the RF environment.
Figure 14.9 Just minutes after the antenna was removed, the long-term (1hr) average bit speed continues to-
hover near 7Mb/s while short-term (30sec) value sinks quickly to less than 2Mb.
Figure 14.10 Only one minute after the antenna was removed, the short-term statistics reflect the new
[poor]wireless conditions, while the long-term stats show the (mostly good) prior hour.
The RF environment is also effected by the presence/absence of antennas in the APs. The Figure 14.11 and
Figure 14.12 below shows the received and transsmit speed are severly degraded without the antenna
installed. Figure 14.13 shows retries also increase significantly without the antennas.
Figure 14.11 Without the antenna, most packets were received (by the AP300) at 1Mb/s.
Figure 14.12 Without the antenna, most packets were transmitted (by the AP300) at 1 or 2 Mb/s.
Figure 14.13 Without the antenna, many packets had 1 to 4 retries.
The “raw” stats also accumulate the number of packets received, the sum of all signal values on those packets,
and the sum of all each signal value squared. Taking the delta of each of those values over both the interval
with the antenna present and absent, results in average signal readings with corresponding standard
deviations.
With the antenna absent, the average signal was –88.5 dB with a stddev of 3.4, (meaning that 67% of packets
had signal values of –91.9 to –85.1 dB).
Note The greater variance while the antenna is present can be explained by the
fact that the AP radio has a certain floor of receive sensitivity, probably around –
91 dB. This fact compresses the range of possible values.
With the antenna present, the average signal was –63.6 with a stddev of 10.2 dB. Assuming the signal
readings fit a normal distribution, those curves would look approximately as shown in Figure 14.14. Note that
these values match very close to the values, (–89 and –67 dB), shown in Figure 14.10.
Figure 14.14 Distributions of received signal strength, as predicted by the average and standard deviationcalculated
across the collection of packets received.
14.6.1.1 Watching min, max, or average is not enough

Suppose your SLA (Service Level Agreement) states to provide a wireless signal strength of –63dB (or better)
to your customers partners/colleagues. What variables would you need to monitor to assure all involved that
the agreed service level was being achieved?
SLA 1 — End stations will experience –63dB or better
Monitoring min/max would not suffice. In most wireless infrastructures, this would tell you nothing as at least
one end station would have experienced –20dB (or some such excellent signal), and at least one end station
would have experienced –90dB (or some such signal at the very threshold of being detected).
Monitoring the mean would also not suffice. Figure 14.15 shows three possible scenarios. In the red case, all
end stations are experiencing a very similar level of signal ranging from –53dB to –63dB. In the blue case,
some are experiencing very strong signal while an equal number are experiencing very weak signal. Note that
in all cases the mean is identical.
Process control theory has addressed many such problems for decades using standard deviation. For any
normal distribution, 68% of the population resides in the range of mean +/– one standard deviation. 95% of
the population resides in the range of mean +/– two standard deviations, and 99.7% within three standard
deviations.
Note Six standard deviations include all but two billionths of the sample. Due to
the quality control methodology called ‘Six Sigma’, the term has acquired a
commonplace meaning as containing 99.99966% of the sample. Many
corporations have adopted the Six Sigma methodology for Quality Control and try
to achieve a defect rate of 3.4 per million. The rate of 3.4 per million, however, actually
corresponds to 4.5 standard deviations, because the Six Sigma founders assumed a natural
offset of 1.5 sigma to account for drift in production quality over time.
Figure 14.15 Graph dispalying the 3 possible scenarios while monitoring the signal strenght
This begs the question: what percentage of end stations must be experiencing –63dB or better at any given
time? Depending on the situation, the requirement might be that 80% must have 63dB or better, (which the
red and green distributions achieve). Or, the requirement might be that 98% have better than –63dB, (which
only the red distribution achieves).
SLA 2 — 80% of end stations will experience –63dB or better
In any case, both the mean and the standard deviation must be monitored. If success was defined as having
80% of the end stations at –63dB or better, that would suggest that the mean of the measured signal strengths
needs to be at least one standard deviation better than –63dB; (since +/– one standard deviation accounts for
68% of a normally distributed population, that means one ‘tail’ would leave 32% / 2 = 16%, which is just
slightly better than the 20% we permit to be worse than –63dB).
So, to ensure that our threshold is met, we routinely fetch the mean and standard deviation from the wireless
infrastructure and check that mean + [one] standard deviation is less than or equal to – 63dB.10.
14.6.1.2 Who calculates Standard Deviation?

There are two possibilities: the network infrastructure devices themselves, or an external, server-based
network management application.
When a SLA is negotiated, it must specify not just the threshold, (–63dB in our example), and the percentage
of the population in compliance, (80% in our example), but also the monitoring interval. An environment that
has 80% of the end stations at –63dB or better as averaged over a 24 hour period may not have met that
standard each and every hour of that day.
SLA 3 — Within each 30 seconds interval, 80% of end stations will experience -63dB or
better
Whatever interval the SLA specifies is the minimum interval at which monitoring must take place. Since those
intervals are often relatively short, it would clearly be more efficient for the network infrastructure device to
perform this monitoring, rather than an external server. For the infrastructure to do this well, it would allow
the threshold (-63dB in our case) to be specified, as well as the number of standard deviations, (1 in our case),
which the current mean should be from the threshold. If standard deviation is relatively constant, solely the
mean could be monitored, (but for many installations that might be a big assumption).
Additionally, it’s important that the infrastructure device ignore any calculations that are performed on too few
packets to be statistically significant. A time-period that only represents 5 packets is meaningless, regardless
of the mean and/or standard deviation.
14.6.1.3 How is Standard Deviation calculated from running sums?

In order to calculate the mean, for efficiency reasons the network infrastructure device would typically
maintain a total sum of received signal strengths, and ‘n’, the number of readings/packets. Such running sums
are much more efficient to maintain than re-calculating the mean after each new reading/packet.
Note Re-calculating average and stddev after each new sample would require
several multiplication, division, and square-root calculations for each packet.
Keeping a running sum and sum-of-squares requires only two additions per
packet, and a lookup (in place of the squaring function).
Additionally, using sum and sum-of-squares allows the average and standard deviation to be calculated over
any arbitrary interval of time.
Note Note that this would not be possible if the device were maintaining a
‘running’ average and ‘running’ standard deviation. The delta calculation: end-
average – start-average does not yield the average over a given interval of time.
Likewise for standard deviation.
Mean (average) can be easily calculated at any time by dividing the sum of readings by ‘n’.
Standard deviation can be calculated from ‘n’, the sum of all readings, and the sum of each reading squared.
Or, in terms more suited to a programmer, rather than a math major:

// at start of the time interval
GET start-n, start-sum-of-values, start-sum-of-squares
:
// wait for the time interval to expire
:
// at end of the time interval
GET end-n, end-sum-of-values, end-sum-of-squares
// calculate the delta of readings over the interval
n = end-n - start-n
sum-of-values = end-sum-of-values – start-sum-of-values
sum-of-squares = end-sum-of-squares – start-sum-of-squares
// calculate average & stddev
mean = sum-of-values / n
std-dev = SQRT( (sum-of-squares – (n * mean * mean)) / (n – 1) )
AP-300 Sensor Conversion
15.1 Overview
WS5000 switch is capable of adopting different types of Access Ports. It is capable of using custom firmware
instead of default firmware images for specified APs. This functionality is used to perform the conversion from
an AP to an W-IPS sensor.
A new conversion firmware image is added to the WS5000 distribution. This image is similar to all other
firmware images that are used by the switch to adopt the variety of APs.This image contains standard WS5000
image header that identifies the image as AP300 firmware. The image version in the header is set to 0.0.0.0.
This prevents it from being used as a default image during AP300 adoption. The firmware is provided by
AirDefense and contains the code necessary for AP300 to operate in the W-IPS sensor mode.
15.1.1 Sensor Implementation

The switch can convert an AP300 to a W-IPS sensor and vice-versa. The conversion of an AP300 to a sensor is
possible only on the currently active AP’s.
15.2 Functionality
In addition to the basic AP to sensor conversion it is also desirable that the switch provide some minimal
management capabilities for the sensors. You should be able to view the list of sensors, read and send sensors'
configuration and revert selected sensors back to AP.
AirDefense defines Layer 2 communication protocol that can be used to discover sensors connected to the
switch and to send commands to the sensors. A broadcast ping packet is used for sensor discovery, which
implies that the sensors must stay in the same broadcast domain as the switch after the conversion. This is
not an unreasonable expectation because AP adoption and subsequent conversion to a sensor would not be
possible without it.
This extended sensor management functionality has minimal potential impact on the core WS5000
functionality.The switch maintains the list of known sensors in a separate list that does not interfere with an
existing list of AP's.
15.2.1 Sensor Discovery

The switch discovers sensors by sending PINGREQUEST packets on all VLAN's connected to the switch. The
switch dynamically obtains the list of all known VLAN's from the switch Ethernet configuration. All sensors
that are reachable by the switch respond with PINGRESPONSE packet. The switch then sends
REQ_CONFIG command to all discovered sensors. The switch maintains the list of all sensors and their
configuration.The list is refreshed on a regular basis. The content of the list is returned to UI/CLI via an XML
command
15.2.2 Sensor Configuration

Sensor configuration consists of:
• DHCP or Static IP address
• IP/mask/gateway for Static IP
• Primary and secondary IP address of AirDefense server
The configuration is sent to a sensor after the initial conversion and at any other time based on user's request.
The switch persistently stores a single default configuration that is sent to every sensor immediately after the
conversion. The switch does not store per-sensor configuration. You can also interactively request for
configuration of an individual sensor, modify it and send it back to the sensor.
After the conversion, the switch continuously ping newly converted sensor by sending unicast
PINGREQUEST packets to the MAC address on the VLAN in which the AP300 has been created. After the
switch receives PINGRESPONSE from the sensor it sends CONFIG_UPDATE command to the sensor and
waits for an acknowledgement. That completes the initial configuration after the conversion. If the switch fails
to receive PINGRESPONSE after 10 seconds of conversion or if the switch fails to receive an acknowledgement
after the switch logs an error.
You can select one of the sensors to change its configuration.The switch issues REQ_CONFIG command and
waits for a response. The response contains current sensor's configuration and you can make changes in it.
After the changes are made the switch sends CONFIG_UPDATE command to the sensor and waits for an
acknowledgement. If the switch fails to receive an acknowledgement it logs an error.
AP-300 Sensor Conversion 15-3
15.2.3 Sensor Revert

You can revert sensors back to AP's by selecting sensors from the list and issuing a revert command. The
switch sends a DOWNGRADE command to all selected sensors and waits for an acknowledgement from
every one of them. DOWNGRADE commands forces the sensor to reactivate WISP bootloader at which point
AP300 can be adopted as an access port. If the switch failed to receive and ACK it logs an error.
Note At any given time, you cannot send more than one configuration command to
a sensor. The sensor resets after receiving the first command and is unavailable for
45 seconds.
15.3 GUI and CLI Interface

The actions related to sensor configuration and revert are performed asynchronously and outside the normal
interaction between the switch and UI/CLI. Its because of this, the switch returns success for any command
that has valid syntax and parameters, i.e. valid MAC address of the sensor, valid IP/network mask/gateway,
etc. The command itself is executed after the initial result is returned to UI/CLI. For complete CLI reference
see 8.47 Sensor Context on page 252
The convert and revert command take some time for completion. When you issue a convert command using
CLI, you get a success. This means the command has been accepted and the syntax and MAC address is valid.
It will take anywhere between 45 seconds upto a minute to complete the conversion. Hence the newly
converted AP will get displayed in the sensor list only after about a minute.
A syslog/SNMP trap is generated whenever the sensor is disconnected anytime during the period when it was
discovered and the moment you attempt to issue a command to the sensor.
Note All the sensor conversion and management related functionality is disabled
by default. User is required to enable it through UI/CLI command before using any of
the described functionality. Configuration through SNMP is also supported.
15.3.1 Converting an AP300 into a Sensor

To convert an AP300 to a sensor, select AP300/Sensor from the left hand side tree menu of the main window.
This will open AP300/Sensor configuration window. By default the window displays the AP300 tab details.
Follow the steps mentioned below to convert an AP300 to a sensor:
1. The sensor conversion and management functionality is disabled by default. Select Enable from the
Enable Sensor drop-down box, this will enable you to convert the AP300 to a sensor.
Figure 15.1 AP300/Sensor window
2. Select an AP300 by clicking on the checkbox associated with each AP300. Click on the Default Config
button to view the default configuration of the sensor. This opens the WIPS Default Configuration
window. All the fields in this window are configurable and you can change the default configuration if
required and commit it by clicking on the Save button.
Figure 15.2 The WIPS Default configuration window
Note If you enable the DHCP, then you cannot edit Sensor IP, Subnet Mask and
Gateway fields.
3. Click on the Convert to Sensor button to convert the selected AP300 into a sensor. This opens the WIPS
Configuration window. Click on the Save button to commit the changes made.
Figure 15.3 The WIPS Configuration window
4. The switch opens a dialog box prompting you to confirm the changes made. Click OK to confirm the
changes made (if any) and save the configuration to start the conversion from an AP to W-IPS.
Note If you enable the DHCP server type in the WIPS Configuration window, the
Sensor IP, Subnet Mask, Gateway will be disabled. These values will now be
provided by the DHCP server.
5. To view the new sensor, click on the AP300/Sensor from the tree menu on the left hand side. Select the
Sensor tab and then click on the Refresh button in the main AP300/Sensor window. It generally takes
about a minute to convert the AP into a sensor.
Figure 15.4 Viewing the newly created sensor in the Sensor tab
15.3.2 Converting an Sensor into AP300

To convert an sensor to a AP300, select AP300/Sensor from the left hand side tree menu of the main window.
This will open AP300/Sensor configuration window. Click on the Sensor tab to view the list of sensors
available. Follow the steps mentioned below to convert an sensor to a AP300:
1. Select Enable from the Enable Sensor drop-down box, this will enable you to convert the sensor to a
AP300.
Figure 15.5 Sensor tab displaying the available sensor(s)
2. Select an sensor by clicking on the checkbox associated with the sensor that you want to convert to an
AP300. Click on the Modify button to view the current/default configuration of the sensor. This opens
the WIPS Configuration window.
Disable the DHCP, by clicking on the checkbox, to modify the values of Sensor IP and Subnet Mask . If
the DHCP server is enabled then these values (Sensor IP and Subnet Mask ) is provided by DHCP and
you cannot modify it. Click the Save button to commit the changes made, if any.
Figure 15.6 The default WIPS Configuration window displaying the default sensor configuration
3. The switch opens a dialog box prompting you to save the configuration. Click OK to confirm the changes
made (if any) and save the configuration.
Figure 15.7 Converting a Sensor to an AP300
4. To view the new AP300,click on the AP300/Sensor from the tree menu on the left hand side.Select the
AP300 tab and then click on the Refresh button in the main AP300/Sensor window. It generally takes
about a minute to convert the sensor into a AP300.
Syslog and Traps
The WS5000 switch supports raising of SNMP Traps and/or logging of Syslog messages, on certain events.
The list of events are listed in the table below.
The user can configure, for each event, if a SNMP Trap is to be sent, a syslog message is to be logged or both
16.1 List of Traps and Syslog Messages.

Table 16.1 Default Syslog and Traps Configuration
S.No Event Default Default Default

Local Log SNMP Syslog
Trap Severity

Whenever the number of access port licences that is supported by the
switch, has changed.

Trap Severity

Whenever the time changes.

Whenever the switch has received a packet from the access port via a NIC that
is different from the one through which the access port is/was adopted.

Whenever the switch has received a packet from the access port via a VLAN
that is different from the one through which the access port is/was adopted.

Whenever the switch fails to adopt an access port.

Whenever the switch fails to adopt an access port because the access port
policy dis-allowed it.

Whenever the switch fails to adopt an access port because the access port is
in the exclude list.

Whenever the switch fails to adopt an access port because the # of licenses for
access port has reached its maximum.

whenever the switch fails to adopt an access port because the license would
not allow it to do so.

Whenever the switch fails to adopt an access port because the switch did not
find an AP image corresponding to the information sent by the AP.

Whenever the communication with the AP is lost.

Whenever the communication with the AP is active but the ap is not adopted
(for various reasons).

Whenever the ap is adopted.

Whenever a reset has been issued to an AP.

Whenever the access policy used to adopt an AP does not have any ESS.

Whenever the maximum number of MU’s that can be associated with an AP is
reached.
Syslog and Traps 16-3

Trap Severity

Whenever an AP is detected by the switch.

Whenever the device info message from the AP is dropped (for various
reasons).

Whenever the load me info message from the AP is dropped (for various
reasons).

Whenever the ethernet port is connected.

Whenever the ethernet port is dis connected.

Whenever an MU association with an AP/switch fails because ACL (Access
Control List) does not allow this MU to be associated.

Whenever an MU association with an AP/switch fails (for various reasons).

Whenever an MU is successfully associated with an AP/Switch.

Whenever the MU has roamed form one AP to another AP.

Whenever an MU is disassociated (for various reasons).

Whenever an MU EAP authentication has failed for (var reasons).

Whenever the MUs EAP auth is completed successfully.

Whenever the MUs kerboros auth has failed.

Whenever the MUs kerboros auth has is completed successfully.

whenever an MU using TKIP encryption mechanicsm has encountered a
decryption failure.

Whenever an MU using TKIP encryption mechanicsm has encountered a replay
counter failure.

Trap Severity

Whenever an MU using TKIP encryption mechanism has encountered a micheal
intergrity check failure.

Whenever the MU (associating to an ESSID) is authenticated successfully
through Kerboros KDC.

Whenever the MU (associating to an ESSID) is not authenticated successfully
to a KerborosKDC.

Whenever the number of MU’s associated with this WLAN/ESSID has exceed
the permissible limit.

Whenever the given management user’s authentication request has been
rejected by the RADIUS server.

rejected locally.

sucessfully accepted by the RADIUS server (OR) locally.

Whenever the given management user’s authentication request to the RADIUS
server has timed out, at the RADIUS server end.

Whenever an KDC user is added.

Whenever a KDCuser is changed.

Whenever a KDC user is deleted.

Whenever a KDC user is replaced.

Whenever KDC propagation failed on the specified host.

Whenever the WPA counter measures has been started for the specified WLAN

Whenever no heart beat is received from standby.

Trap Severity

Whenever standby is taken over from primary.

Whenever primary interface is stopped.

Whenever standby interface is stopped.

Whenever the standby, which is currently active enters the non-active state
because primary switch has come up.

Whenever the primary, which is currently active enters the non-active state
because standby switch has come up.
53 Auto channel select success/error Enabled Enabled Disabled

Whenever the switch has successfully/unsuccessfully performed the ACS for
an Access Port.

Whenever the emergency switch policy is activated.

Whenever the emergency switch policy is de activated.

Whenever the freespace on the flash drive (DOM) has gone below a user
configurable threshold.

For various miscellaneous events:
• license key on a WS-Lite cannot be upgraded.
• Invalid License key for WS-Lite
• Watchdog timer could not be updated
• Ethernet port configuration issues.
• DFS radio channelscan results overdue.
• No valid country for 2.11 radio
• End of WPA counter measures.

Whenever the HSB feature is enabled.

Whenever the primary/standby switch gets connected.

Whenever the CPUs/ systems temp exceeds the user specified threshold.

Whenever the access mechanism to the system (telnet,ssh) are changed

Trap Severity

Whenever the radio power is reduced.

Whenever a radar is detected by a radio (in an adopted AP) in the current
operation channel.

Whenever the radio in am adopted AP moves the channel because a radar was
detected int eh current operating channel.

The radio in an AP switches to a new channel.

Whenever the radio in the AP moves back to the original channel (for various
reasons).

Whenever the radio is suspended.

Whenever the radio re starts / resumes.

Whenever the radio (in an adopted AP) moves from a user selected channel to
a random channel (for various reasons).

Whenever a new rougue AP is detected.

Whenever a new approved AP is detected, as determined by the rule list or
explicitly specified by the operator.

Whenever the certificates associated with the VPN are not valid.

Whenever an MU is associated or dis associated with an AP/Switch, a
corresponding start or stop log is generated.

Whenever the status (enable/disable) of the on board RADIUS server is
changed.

Whenever there is a change to the switch configuration.

Whenever the status of the tunnel has changed.

Trap Severity

Whenever a non IP (internet protocol) packet is received in the tunnel.
79 Statistics has crossed the prescribed threshold by a AP Enabled Disabled Disabled

Whenever the AP has exceeded the threshold for a one or more monitored
parameters.
80 Statistics has crossed the prescribed threshold by a MU Enabled Disabled Disabled

Whenever the MU has exceeded the threshold for a one or more monitored
parameters.
81 Statistics has crossed the prescribed threshold by a WLAN Enabled Disabled Disabled
Whenever the WLAN has exceeded the threshold for a one or more monitored
parameters.
82 Statistics has crossed the prescribed threshold by switch Enabled Disabled Disabled
Whenever the Switch has exceeded the threshold for one or more monitored
parameters.

Whenever an AP300 is converted to an Sensor.

Whenever a Sensor is re converted to an AP300.

Whenever the communication with the sensor is lost.

Whenever connectivity with the sensor is lost.
DDNS
DDNS is based on the current ISC DHCP server on WS5000. It implements the update all feature by parsing
the existing DHCP server lease database and sends an update for every valid lease. The user class option send
by the DHCP client must perform in accordance to RFC3004. To know about this the user must specify whether
the user class option must be interpreted as a multiple user option field or not.
17.1 Update Mechanism

The update mechanism followed by DDNS to parse the existing DHCP server lease is as follows:
1. On receipt of a DHCPREQUEST, the server send a DDNS update to add a DNS entry.
2. The DDNS update is send to the master server for the zone.
3. When a new lease is allocated, the DNS server creates a hash as specified in draft-ietf-dnsext-dhcid-
rr-06.
4. A DNS update adds an A record with the name and a TXT record with the hash, the prerequisite being
that the A record with the same name must not exist.
5. If this fails because the A entry already exists, an update is sent for the A record with the name, the
prerequisite being that the TXT record must have the same hash.
6. It next sends a PTR update.
When the lease expires or when the client sends a DHCPRELEASE, the A and PTR entries are deleted.
When an update all command is issued to a DHCP server, all leases issued by the DHCP server will be updated
on the DNS server. As this command may take considerable time to complete, it runs asynchronously. You may
view the status of the last update all command at any time.
If the update of a DDNS entry fails, it is recorded and the update all process continues with the next entry.The
status displayed will be as follows:
• If no update command has been issued since system bootup: No manual update initiated
• If an update is in progress: Update being performed: [x total, y completed, z failures]
• If an update completed with no failures: Completed x updates successfully
• If an update had failures: Update failed: [x total, y failed]
DOM Firmware Upgrade
Images Needed
1. For Upgrade on Mantis DOM's
domfix.patch.sys.img
2. For Upgrade on 1.4 DOM's

WS5k_domfix.cfg
Procedure to Upgrade On the Mantis DOM

1. FTP/TFTP the domfix.patch.sys.img on the switch using copy tftp/ftp command.
2. In the Cfg mode, run patch command to install the Firmware Upgrade Patch
ie: Cfg> patch domfix.patch.sys.img
3. This will check if the DOM firmware is up to date. If yes, it will just exit or else it will reboot the switch
and upgrade the DOM Firmware.
-2 WS5000 Series Switch System Reference Guide
Procedure to Upgrade On the WS5x00 Series Wireless Switch DOM

1. FTP/TFTP the WS5k_domfix.cfg on the switch using copy tftp/ftp command.
2. In the service mode CLI, run exec command to install the Firmware Upgrade Patch
ie: SM-WS5000> exec
Enter the command file: WS5k_domfix.cfg
3. This will check if the DOM firmware is up to date. If yes, it will just exit or else it will reboot the switch
and upgrade the DOM Firmware.
This is only supported for Kouwell DOM.

DTIM Interval per BSS
The WS5000 switch allows the user to modify the DTIM interval. This value, also called as DTIM Period, is set
on a per AP Policy basis.
The choice of this DTIM period depends on what is more important–power consumption, or WLAN
performance.
• A longer DTIM interval results in reduced power consumption for devices in PSP mode.
• A shorter DTIM period would be desirable for voice traffic to improve voice quality.
This creates a conflict when the customer has both–WLAN phones and battery operated mobile devices that
transfer data on the same infrastructure. These two sets of devices may be on different WLANs but share
access ports. So the DTIM interval is forced to be the same for both. To solve this conflict, the user is now
enabled to set the DTIM on a per BSS basis.
Overview
The AP policy CLI context is enhanced to enable the user to set 4 DTIM interval values number 1-4. DTIM value
1 is used for BSS1, DTIM value 2 for BSS2, and so on. The first DTIM interval value is also the default, and is
used when the AP does not support setting of DTIM per BSS, and will be indicated as such through the user
interface.
The AP indicates its ability to set the DTIM interval on a per BSS basis through the DeviceInfo message. If the
AP supports this feature, the switch will include an item with DTIM interval for each BSS the AP supports in
the configuration packet sent at adoption of the AP. If not, the switch will send the older configuration item
setting a per radio DTIM interval with the value indicated as the default DTIM interval in the AP Policy map.
If you modify the value of DTIM period for an AP Policy currently applied to any adopted APs, the switch will
send a configuration packet with the updated DTIM interval value to any such APs.
The AP sends a DTIM_POLL / QOS_DTIM_POLL for each BSS before DTIM time. The switch sends stored
broadcasts to the AP for that BSS on receipt of the message.
Currently only AP100 and AP300 support this feature.
AP300 LED Codes
The AP300 LED operates under the following circumstances:

• Quiet state.
• RF Transmit activity state.
• RF Receive activity state.
The maximum flash rate for each LED in the AP300 is ten times per second.
Table C.1 AP300 LED code
Current AP300 State LED Code
Quiet State Both LEDs flash together (on/off) every five

(AP300 is powered on with normal operation and no RF traffic) seconds
RF Transmit activity state Every non-beacon radio packet transmitted causes

(non-beacons) the corresponding LED to flash (followed by off)
• Amber for the 802.11a radio
• Green for the 802.11b/g radio
Table C.1 AP300 LED code

Current AP300 State LED Code
RF Receive activity state Each data packet received causes the

corresponding LED to flash.
Customer Support
Symbol Technologies provides its customers with prompt and accurate customer support. Use
the Symbol Support Center as the primary contact for any technical problem, question or support
issue involving Symbol products.
If the Symbol Customer Support specialists cannot solve a problem, access to all technical
disciplines within Symbol becomes available for further assistance and support. Symbol
Customer Support responds to calls by email, telephone or fax within the time limits set forth in
individual contractual agreements.
When contacting Symbol Customer Support, please provide the following information:
• serial number of unit
• model number or product name
• software type and version number.
A-2 WS5000 Series Switch System Reference
North American Contacts

Inside North America:
Symbol Technologies, Inc.
One Symbol Plaza Holtsville, New York 11742-1300
Telephone: 1-631-738-2400/1-800-SCAN 234
Fax: 1-631-738-5990
Symbol Support Center (for warranty and service information):
telephone: 1-800-653-5350
fax: (631) 738-5410
Email: support@symbol.com
International Contacts
Outside North America:
Symbol Technologies
Symbol Place
Winnersh Triangle, Berkshire, RG41 5TP
United Kingdom
0800-328-2424 (Inside UK)
+44 118 945 7529 (Outside UK)
A-3
Web Support Sites

MySymbolCare
http://www.symbol.com/services/msc
Symbol Services Homepage
http://symbol.com/services
Symbol Software Updates
http://symbol.com/services/downloads
Symbol Developer Program
http://software.symbol.com/devzone
Additional Information
Obtain additional information by contacting Symbol at:
1-800-722-6234, inside North America
+1-516-738-5200, in/outside North America
http://www.symbol.com/
A-4 WS5000 Series Switch System Reference
Symbol Technologies, Inc.
One Symbol Plaza
Holtsville, New York 11742-1300
http://www.symbol.com
72E-81435-01
Document Revision A March 2006

Ws-5000 User Manual

Uploaded by

Copyright:

Available Formats

Ws-5000 User Manual

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ws-5000 User Manual

Uploaded by

Copyright:

Available Formats

WS5000 Series Switch

System Reference Guide

Chapter 1. WS5000 Series Switch Overview

1.3 Software Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Chapter 2. Installing the System Image

Chapter 3. Configuring the WS5000 Series Switch Automatically

Chapter 4. Using the WS5000 Series Switch GUI

4.2.3 Creating Kerberos User Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

Chapter 5. Configuring User and Management Authentication

Chapter 6. Configuring Policies

Chapter 7. Configuring Rogue AP Detection

Chapter 8. CLI Command Reference

8.4.6 show arp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26

8.4.49 show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-42

8.5.35 purge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-65

8.8.1 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-96

8.16.4 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-124

8.21.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-154

8.30.5 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-183

8.37.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-212

8.45.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-245

8.54 Standby Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-273

8.62.3 password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-303

8.69.3 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-334

Chapter 9. Service Mode CLI

9.2.18 ftpPasswd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14

Chapter 10. Antennas and Power

Chapter 11. Converting AP-4131 Access Points to RF Ports

Chapter 12. Configuring the WS5100 WTLS VPN

Chapter 13. Neighboring APs

Chapter 14. Enhanced RF Statistics

Chapter 15. AP-300 Sensor Conversion

15.2.2 Sensor Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2

Chapter 16. Syslog and Traps

Chapter 17. DDNS

Appendix A. DOM Firmware Upgrade

Appendix B. DTIM Interval per BSS

Appendix C. AP300 LED Codes

Appendix D. Customer Support

Who Should Use this Guide

How to Use this Guide

Chapter 6, “Configuring Configure network policies and switch policies.

Chapter 12, “Configuring the Configure WS5100 WTLS VPN.

Chapter 13, “Neighboring Configure AP to AP beacon using SNMP.

Chapter 14, “Enhanced RF Learn about RF Stats configuration.

Table 1 Quick Reference on How This Guide Is Organized (Continued)

Chapter 17, “DDNS” Learn about the DDNS updateall mechanism.

Conventions Used in this Guide

Note This symbol signals recommended behavior or reference information that

IMPORTANT! THIS SYMBOL SIGNALS INFORMATION ABOUT A PROCESS OR CONDITION

! THAT COULD CAUSE DAMAGE TO EQUIPMENT, INTERRUPTION OF SERVICE, OR LOSS OF

Warning! This symbol indicated information about conditions that could

1.1 Key Features

1.1.1 Installation Features

1.1.2 Management Features

1.1.3 Security Features

• 802.1Q functionality and interoperability

1.1.4 Networking Features

1.1.5 Access Port Support

1.2 Hardware Overview