
Wireless Switch

WS 5000 Series: WS 5100


System Reference

WS 5000 Series System Reference

Table of Contents

Wireless Switch Overview
  Wireless Switch Feature List
  Hardware Overview
  Software Overview

Installing the Software System Image
  Update Requirements
  Preparing the Wireless Switch System Image
  Uploading Files to the Local TFTP Server
  Upgrading the System Image File

Automatic Installation
  Command File Options
  Command File Description
  Command File Example

System Configuration Using the GUI
  Key Distribution Center
  Ethernet Port Policies
  Access Port Policies
  WLANs
  Network Policies
  Access Control Lists
  Security Policies
  Classifiers
  Classification Groups

CLI Commands
  Common Commands
  System Context
  Configuration (Cfg) Context
  Access Control List (ACL) Context
  Access Port (APort) Context
  Access Port Policy (APPolicy) Context
  Chassis Context
  Classification Group (CG) Context
  Classifier Context (CE)
  Ethernet Port Context
  Ethernet Policy (EtherPolicy) Context
  Event Context
  FTP Context
  Host Context
  KDC Context
  Network Policy Context
  Policy Object Context
  RADIUS Context
  Security Policy Context
  SNMP Context
  SSH (Secure Shell) Context
  SSL (Secure Sockets Layer) Context
  Standby (Failover) Context
  Switch Policy Context
  Telnet Context
  User Context
  WLAN Context

Antennas and Power
MU Disassociation Error Codes
Network Events

Wireless Switch Overview

The Wireless Switch provides a centralized management solution for wireless networking components across the wired network infrastructure. Unlike traditional wireless network infrastructures that reside at the edge of a network, the Wireless Switch uses centralized, policy-based management for all devices on the wireless network.

The Wireless Switch connects to the network via Ethernet through a Layer 2 Switch or Hub. The Access Ports are connected to a POE-enabled hub which is connected to a Layer 2 Switch or Hub on the network. The Wireless Switch functions as the center of the wireless network. The Access Ports function as radio antennas at the edge of the network transmitting 802.11 packets to the Wireless Switch for management and routing. All of the system configuration and intelligence for the wireless network resides in the Wireless Switch.

The Wireless Switch uses Access Ports to bridge data from the associated wireless devices to the Wireless Switch. The Wireless Switch applies appropriate policies to the data packets before routing them to their destinations. Data packets destined for devices on the wired network are processed by the Wireless Switch where appropriate policies are applied before they are encapsulated and sent to their destination.

Access Port configuration is managed by the Wireless Switch through the Graphical User Interface (GUI) or the Command Line Interface (CLI). The WLAN Switch applies changes to a single Access Port, a group of Access Ports or all Access Ports on the system. This model streamlines management of a large wireless system and allows for network management features such as Quality of Service (QoS), Virtual WLANs and packet forwarding.

Wireless Switch Feature List


Installation Features
• Single File Upgrade
• Automatic Installation and Configuration of Local or remote Wireless Switches using a Command File.
• Automatic Discovery and Adoption of Access Ports

Management Features
• Policy-based Centralized Management.
• Secure Browser Based Management Console
• Command Line Interface (CLI) accessible through Telnet, through the Serial Port, or through a Secure Shell (SSH) application (refer to the CLI Command Reference for more information).
• CLI Service Mode lets you capture system status information and send it to Symbol personnel for use in problem resolution.
• Emergency Override lets you define an Emergency Switch Policy, and activate it when required without system interruption.
• A Kerberos Principal File can update the Wireless Switch Internal KDC.
• SNMP v2 support.
• TFTP Upload and Download of Access Port Firmware and Configuration Files.
• Each Access Port can support Multiple WLANs.
• Access Point (AP 3020/21 and AP4021) conversion to Access Ports.
• System Redundancy with Auto Revert.
• CPU Temperature and Fan Monitoring

Security Features
• Remote administrator login Authentication via external RADIUS server
• Central MAC Address based Access Control List
• WEP 40/128
• KeyGuard Mobile Computing Mode (MCM)
• Wi-Fi Protected Access (WPA) with Temporal Key Integrity Protocol (TKIP)
• Optional Broadcast Key Rotation improves the security of Broadcast traffic
• On Board (KDC) Kerberos v5 on WNMP
• EAP/TLS on 802.1x
• VLAN Segregation
• No Serial Interface on the Access Ports prevents tampering
• Multiple ESSID/BSSID supported on AP 100, 200, and AP 4121 Access Point conversions
• Secure Beacon
• MU-to-MU disallow or drop

Networking Features
• Quality of Service (QoS) support
  - 802.1p
  - DiffServ (Advanced TOS)
  - Tx Opportunity
  - Bandwidth Allocation
  - Congestion Management
• Customizable Classifiers and Classification Groups (packet filters)
• Support for VLANs and Virtual WLANs
• IP Redirection
• Ethernet Load Balancing
• Automatic Channel Selection (ACS): the Wireless Switch determines the best radio frequency or channel for Access Port performance
• DHCP Option 60 support

Access Port Support


• AP 100 802.11b, AP 200 802.11a/b, AP 300 802.11a/b/g Access Ports
• Access Points converted to Access Ports
  - AP 4121
  - AP 3020/3021
• Access Ports work on any VLAN with connectivity to the Wireless Switch

Hardware Overview
Symbol's Wireless Switch 5000 Series comprises two types of hardware, a Wireless Switch and a set of Access Ports.

A Wireless Switch is a rack mountable device that manages all inbound and outbound traffic on the wireless network, and provides security, network services, and system management applications. Unlike traditional wireless infrastructure devices that reside at the edge of a network, the Wireless Switch uses centralized, Policy-based management to apply sets of rules or actions to all devices on the wireless network. This is done by collecting the management "intelligence" from individual access points and moving the collected intelligence into the centralized Wireless Switch. The access points are then replaced by "dumb" radio antennas known as Access Ports.

Access Ports (APs) are 48V Power-over-Ethernet devices that are connected (by Ethernet cable) to the Wireless Switch. An Access Port receives 802.11x data from Mobile Units; it then forwards this data to the Wireless Switch, which applies the appropriate policies and then routes the packets to their destinations. Depending on the model, an AP supports as many as four WLANs.

Access Ports do not have software/firmware at factory-delivery. Once the Access Port is powered on and cleared for the network, the Wireless Switch passes the Access Port a small firmware file, making installation and upgrades of firmware automatic and transparent.

Physical Specifications
Width: 48.1 cm / 18.93 in. (with mounting brackets); 4.29 cm / 16.89 in. (without mounting brackets)
Height: 4.39 cm / 1.73 in.
Depth: 40.46 cm / 15.93 in.
Weight: 6.25 kg / 13.75 lbs.
Max Power Consumption: 100 VAC, 50/60 Hz, 3A; 240 VAC, 50/60 Hz, 1.5A
Operating Temperature: 10°C - 35°C / 50°F - 95°F
Operating Humidity: 5% - 85% without condensation

Power Cord Specifications
A power cord is not supplied with the device. Use only a correctly rated power cord that's certified, as appropriate, for the country of operation.

Power Protection
• If possible, use a circuit that is dedicated to data processing equipment. Commercial electrical contractors are familiar with wiring for data processing equipment and can help with the load balancing of these circuits.
• Install surge protection. Be sure to use a surge protection device between the electricity source and the WS 5100.
• Install an Uninterruptible Power Supply (UPS). A UPS provides continuous power during a power outage. Some UPS devices have integral surge protection. UPS equipment requires periodic maintenance to ensure reliability. A UPS of the proper capacity for the data processing equipment must be purchased.

Cable Requirements
To connect the WS 5100 to the LAN and the WLAN, you'll need two Category 6 Ethernet cables (not supplied), one for each of the two Ethernet ports on the front panel of the device. To connect the WS 5100 to a computer that's running a serial terminal emulator program (the "configuration computer"), you need the console cable that's supplied with the device. You'll use the terminal emulator program to access the switch's Command Line Interface (CLI) through which you'll perform initial configuration as described in the WS 5100 Installation Guide.

LED Codes: System Status


The WS 5100 has two vertically-stacked LEDs on its front panel. The LEDs display three colors (blue, amber, and red), and three lit states (solid, blinking, and off). The following tables decode the combinations of LED colors and states.

Start Up

Event | Top LED | Bottom LED
Power off | Off | Off
Power On Self Test (POST) running | All colors in rotation | All colors in rotation
POST succeeded | Blue solid | Blue solid
Software initializing | Blue solid | Off
Software initialized | Blue blinking | Off

Configured as a Primary Switch


Event | Top LED | Bottom LED
Active | Blue blinking | Blue solid
Monitoring | Blue blinking | Amber solid
Standby missing or not enabled | Blue blinking | Off
Inactive | Amber blinking | Blue blinking

Configured as a Standby Switch


Event | Top LED | Bottom LED
Active (acting as primary) | Blue blinking | Blue blinking
Monitoring | Blue blinking | Amber solid
Standby not enabled | Blue blinking | Off
Inactive | Amber blinking | Amber blinking

Error Codes
Event | Top LED | Bottom LED
POST failed (critical error) | Red blinking | Red blinking
Software initialization failed | Amber solid | Off
Country code not configured. Note: During first time setup, the LEDs will remain in this state until the country code is configured. | Amber solid | Amber blinking
No access ports have been adopted | Blue blinking | Amber blinking
Primary inactive or failed | Amber blinking | Blue blinking

10/100/1000 Port Status

There are two indicators for the RJ-45 ports: upper left (amber/green) for link rate and upper right (green) for link activity.
LED | State | Meaning
Upper left | Off | 10 Mbps link rate
Upper left | Green steady | 100 Mbps link rate
Upper left | Amber steady | 1 Gigabit link rate
Upper right | Off | The port isn't linked
Upper right | Green steady | The port is linked
Upper right | Green blinking | The port is linked and active

Access Point Conversion Overview


Some of the features available after converting an Access Point (AP 3020 or 3021) or an Access Point (AP 4121) are:
• A central point of management for all Access Port conversions from the Wireless Switch
• Automatic updates of firmware files, when applicable, through the Wireless Switch
• Operation of legacy hardware
• A more centralized and consistent interface to manage all devices through the same SNMP, GUI, or CLI interface
• Improved QoS capabilities because the Wireless Switch can apply QoS on a per-packet basis to all Access Port conversions universally, based upon a global view of the WLAN network utilization
• More types of encryption; the AP 4121 supports WPA and EAP authentication types
• Management of QoS through bandwidth allocation for AP 4121
• Diffserv, an architecture for providing different types or levels of service for network traffic
• Support of multiple ESSIDs
• Support of multiple VLANs
• Disabling of serial port access
• Mobile IP functionality, although the use of VLAN mapping can substitute for this functionality
• Wireless bridging and wireless repeater mode
• FH units supporting 40-bit WEP encryption only
• Automatic Channel Select for FH Access Port Conversions

Conversion to Access Ports makes unavailable the following Access Point features:


Software Overview
[Figure: Switch Policy, Ethernet Port Policy, Access Port Policy, Wireless LANs (WLANs), Security Policy, Network Policy]

The WS 5100 uses sets of rules, or policies, to configure itself, the Wireless LAN (WLAN), the Access Ports that it adopts, and to integrate the wired LANs and VLANs. The Policy-based management architecture lets a network administrator create a Class Of Service (CoS) by defining network access, type of WLAN security, and Quality Of Service (QoS) for a group of users. The principal policies are displayed above and described below:
• A Switch Policy acts as a container for all the other policies, and contains an adoption list that controls the types of Access Ports (APs) that can be adopted.
• The Ethernet Port Policy configures the WS 5100's Ethernet ports, and associates multiple WLANs with multiple LANs or VLANs. There are two Ethernet ports on WS 5000 Series switches. By convention, port 1 (the left port on the front of the switch) connects to the wireless LAN, and port 2 connects to the wired LAN.
• An Access Port Policy defines Access Port configuration details such as the AP's beacon interval, RTS threshold, its set of supported data rates, and so on. The APPolicy is also responsible for adding WLANs to the AP and for attaching a Security Policy, Access Control List, and Network Policy (or packet filter) to each AP.
• A WLAN Policy defines attributes that are applied to Mobile Units on a portion of the wireless LAN, attributes such as ESSID, beacon rate, DTIM interval, and so on.
• A Security Policy defines the authentication and encryption methods that are used to secure communication between the WS 5100, through its Access Ports, and on to the Mobile Units. Each WLAN can have a different Security Policy associated with it.
• A Network Policy is a packet filter. It prioritizes packets as they're sent across the wireless network, and can reject packets altogether. Use the Network Policy to implement Quality of Service and Types of Service protocols.

Access Port Adoption Process


Adoption is the process of adopting and configuring 802.11 Access Ports by the WS 5100. The process includes configuring the adoption lists, loading the correct firmware image to the Access Port, and configuring Access Port radios according to the policy. To begin the adoption process, the Access Port sends a packet to the Wireless Switch to provide a way for the switch to declare its intention to adopt. If the switch can adopt the Access Port, it replies with a message indicating its intention to adopt. Once the Access Port receives that message, the Access Port requests a firmware image download.


Following the firmware image download, the Access Port sends a configuration request packet from the MAC address of each of its radios. The configuration request informs the switch of the radio capabilities, including the radio MAC address, radio type, radio serial number, and whether the radio is equipped with an internal or external antenna. The switch then checks the Adoption List for policies and configures the radios accordingly. The power, channel (or, if Automatic Channel Selection is enabled, a set of legal channels), BSSID and ESSIDs, and data rates are configured.

WLAN to VLAN Mapping


Virtual LANs (VLANs) segment large subnets of a network, which enables network administrators to control broadcasts and increase network security. A Wireless Switch connects to the wired network through one of two Ethernet ports, typically, through NIC 2. Each Access Port of the Wireless Switch can be connected to either a trunked or non-trunked Ethernet port of the Wireless Switch. Wireless Switch administrators configure an Ethernet policy so that it maps each WLAN to a non-trunked Ethernet port or to one of the VLANs that are visible to the trunked Ethernet port. Wireless Switch administrators enable WLANs to communicate with a VLAN by configuring each WLAN so that the rest of the network connects through a common router or Layer 2 switch.

Access Ports within a VLAN are able to broadcast and multicast only within that VLAN. Using VLANs, Wireless Switch administrators limit the general traffic within the wireless network, including broadcast packets. Large numbers of broadcast packets can affect network performance. By segmenting a network into virtual LANs, Wireless Switch administrators limit the spread of broadcast packets.

Using VLANs on the Wireless Switch:
• Limits broadcast and multicast traffic
• Increases security by limiting communication between groups
• Allocates network resources, such as servers, to specific groups

Map WLANs on a one-to-one basis, configuring Wireless Switch policies such as:
• An Ethernet Policy mapping one WLAN to a VLAN
• An Access Port Policy mapping one or more WLANs to a BSSID
• A Security Policy mapping one security policy to a WLAN policy.

Multi-BSSID and ESSID Access Ports


In a networked wireless environment, multiple Access Ports are connected to a Wireless Switch to provide RF connectivity to MUs. Each Access Port radio sends and receives RF signals over a range of space, the Basic Service Set (BSS). The BSS coverage area is identified by a Basic Service Set Identifier (BSSID). The Access Port beacon contains its BSSID, which enables the MU to recognize the Access Port and associate with it. Extended Service Sets (ESSs) are a logical group of BSSs. ESSs virtualize or increase the number of BSS radio signals. The beacon contains information about the Access Port and the network, which enables the MU to rank Access Ports based on the received signal strength. The beacon can optionally include the Extended Service Set Identifier (ESSID). MUs associate with the most preferable Access Port in the coverage area. After association, the MU continues to scan for other beacons to ensure that it is receiving the best, continuous signal strength, in case the signal from the currently associated Access Port becomes too weak to maintain communications as the MU moves throughout the area.

Most Access Ports support multiple BSSs (see Access Port Features on page 1-19). MUs sense each unique BSS as a separate radio signal. Access Ports with multiple BSSs solve performance and security issues by isolating broadcast traffic on a specific BSS rather than sending broadcasts to all BSSs. This enables MUs to save battery power by sensing only for their specific BSS rather than all traffic. An Access Port with multiple BSSs provides the same functionality as four single-BSS Access Points and requires less time for installation and configuration. Network administrators add WLANs to BSSs. The BSSIDs are mapped to ESSIDs by default. However, the network administrator can optionally change default settings. The network administrator can map each BSSID to multiple ESSIDs, so that the radios on Access Ports support multiple WLANs. As the RF traffic changes over time or the MU roams the location, the MU searches for Access Ports that have a matching ESSID. The MU associates with an Access Port with the same ESSID to synchronize communication. As the MU roams from coverage area to coverage area, it switches Access Ports. The MU switches between Access Ports when the MU analyzes the reception quality at a location and decides to communicate with another Access Port based on the best signal strength and lowest MU load distribution.

The AP 100, AP 200, AP 300 and AP 4121 Access Ports support multiple ESSIDs.

On-Board KDC
The WLAN Switch has an on-board Key Distribution Center (KDC) or Kerberos authentication server. Properly configured, the Wireless Switch provides a secure means for authenticating users/clients associated to a WLAN or ESS with the Kerberos security policy applied. The on-board KDC can be configured to use up to three Network Time Protocol servers (NTPs). A separate WLAN Switch with an on-board KDC can be configured as a Slave KDC to support the Master KDC in case of a Master KDC failure.

Standby Management
Failover or Standby Management enables the Network Administrator to significantly reduce the chance of a disruption in service to WLANs and associated MUs by placing one or more additional Wireless Switches as backup to a Primary Wireless Switch if it fails. After configuring a Primary and Standby Wireless Switch, the Primary Wireless Switch issues a Discovery packet on each configured interface. Assuming there is a properly configured Standby Wireless Switch, the Standby receives the Discover packet and starts sending heartbeats to the Primary. This establishes connectivity between the Primary and the Standby. The Primary Wireless Switch executes various internal monitors, in addition to any necessary to communicate with the Standby Wireless Switch. If heartbeats fail after being properly established, then this is considered a failover event by the Standby Wireless Switch, and the Standby Wireless Switch assumes the duties of the Primary Wireless Switch and adopts all the Access Ports. The Standby Wireless Switch sends an administrative alert (SNMP trap, etc.) to the administrator that a failover event has taken place.

Event Manager
An event notification system monitors an administrator-configured set of events in network performance. The Wireless Switch uses the Event Notification manager to log and collect application and system events on remote or local system log (Syslog) collectors or servers.


Events are conditions that the network administrator wants to be notified about. The network administrator can configure the Wireless Switch to send Event Notifications using SNMP to an SNMP trap server, to the Wireless Switch local log, or to a Syslog server. The network administrator chooses which events to be notified about and the appropriate severity level.

Automatic Channel Select


The Automatic Channel Selection (ACS) feature enables the Wireless Switch to determine the best radio frequency or channel for Access Port performance. The Wireless Switch determines the best channel for each Access Port through a set of algorithms that analyze the channels permitted by country regulations and the relative signal strength of each Access Port in the wireless coverage area. Using ACS optimizes channel selection which is helpful in areas where coverage is dynamic because either the site itself changes or coverage needs change. As conditions change, ACS is used to adapt and obtain the best coverage.

Quality of Service
QoS is used to give a user or an application relative precedence or priority over another. QoS applies in the case of congestion that may occur from excessive traffic or different data rates and link speeds (10 Mbps Ethernet, 100 Mbps Ethernet, 11 Mbps Wireless, and so on) that exist in the same network. If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a very high cost), then applying QoS has very little value. When total bandwidth is shared by different users and applications, QoS is required to provide policy enforcement for mission-critical applications and/or users that have critical bandwidth requirements.
Different Dimensions of QoS

Different methods of QoS are applied for distinction between users and applications. The two main categories are:

QoS via Queuing. A network shared by different users such as in a revenue-based, shared office building or a public hotspot is implemented with Service Level Agreements (SLA) based on how much each group of users pay for bandwidth. In this case, one or all points of aggregation, such as the Wireless Switch and some high-end Routers or policy managers, can allocate different percentages of the total bandwidth to different groups of users through the use of Queues. Bandwidth Allocation can also be further divided and applied to different applications again using Queues.

Application QoS via Packet Marking. A network or a portion of the allocated bandwidth can be shared by different applications, and one application (for example, voice communication) can be more latency sensitive or more mission-critical than others. In this case, a priority is assigned to the traffic type by adding the appropriate QoS marking or tags to network traffic to provide higher precedence while the data is passed through points of aggregation (Routers, Wireless Switch, and Gateways) and the medium of transfer.

Packet Filtering
Packet filtering is a decision to allow or discard packets matching certain criteria defined by Classification Groups (CG) on an output packet port. Classification Groups on an output port are defined with allow decisions, discard decisions or a combination of both. A CG defined with allow decision is associated with a priority number in the range of 0-7, seven being the highest priority.

Weighted Fair Queuing (WFQ)
Weighted Fair Queuing (WFQ) enables a mechanism on the Wireless Switch that uses up to eight queues to store data (network packets) and prioritize RF transmission to and from MUs depending on the data type. Once data is classified as voice or data, WFQ stores the packets, assuming the network traffic demands that the data be queued, by data type, then transmits the packets at a rate specified by the WFQ allocation percentage setting. WFQ uses one queue for each classification group, up to eight queues total, and one queue for all other data. For example, if the network has only one classification group for VoIP and no others, then WFQ automatically uses 2 queues: one for VoIP and the other for all other data (data not defined in a classification group). Each additional classification group uses another queue and keeps one queue open for all other data.

The allocation setting determines the percentage of available network bandwidth for data from a classification group. For example, if the WFQ allocation for VoIP data is set to 80%, then four packets of VoIP data are sent for every one packet of other data during periods of network congestion. WFQ is implemented for the different types of traffic on the same ESSID and Access Port (AP) as well as between different ESSIDs on the same AP. This implementation shares voice and non-voice traffic across different network paths, thereby balancing the traffic load. A large volume of non-voice traffic on one ESSID doesn't starve voice traffic on another ESSID on the same AP. WFQ is enabled and disabled in a network output policy.
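The allow/discard decision and the 80% VoIP allocation described above, modelled as an added example (not Symbol's code and not the switch's actual scheduler). A smooth weighted round-robin stands in for WFQ; the packet fields, group names, port numbers, first-match evaluation order, and counting the catch-all queue toward the eight-queue ceiling are all assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Optional

MAX_QUEUES = 8           # queue ceiling given in the text
DEFAULT_QUEUE = "other"  # catch-all queue for data outside every group


@dataclass
class ClassificationGroup:
    name: str
    match: Callable[[dict], bool]  # predicate over a packet dict (assumed shape)
    decision: str = "allow"        # "allow" or "discard"
    priority: int = 0              # 0-7, seven highest; used by allow groups
    share: int = 0                 # WFQ allocation percentage for this group

    def __post_init__(self):
        if self.decision not in ("allow", "discard"):
            raise ValueError(f"{self.name}: decision must be allow or discard")
        if not 0 <= self.priority <= 7:
            raise ValueError(f"{self.name}: priority must be in 0-7")


class OutputPolicy:
    """Packet filter plus weighted queues for one output port (simplified)."""

    def __init__(self, groups):
        self.groups = list(groups)  # evaluated in order, first match wins (assumption)
        allow = [g for g in self.groups if g.decision == "allow"]
        if len(allow) + 1 > MAX_QUEUES:  # catch-all counted in the eight (assumption)
            raise ValueError("more classification groups than queues")
        used = sum(g.share for g in allow)
        if any(g.share <= 0 for g in allow) or used >= 100:
            raise ValueError("shares must be positive and leave room for other data")
        self.weights = {g.name: g.share for g in allow}
        self.weights[DEFAULT_QUEUE] = 100 - used
        self.queues = {name: deque() for name in self.weights}
        self.credit = dict.fromkeys(self.weights, 0)
        self.dropped = 0

    def enqueue(self, packet: dict) -> Optional[str]:
        """Filter and classify; return the queue name, or None if discarded."""
        for group in self.groups:
            if group.match(packet):
                if group.decision == "discard":
                    self.dropped += 1
                    return None
                self.queues[group.name].append(packet)
                return group.name
        self.queues[DEFAULT_QUEUE].append(packet)
        return DEFAULT_QUEUE

    def dequeue(self):
        """Send one packet; only backlogged queues compete for the slot."""
        backlogged = [n for n, q in self.queues.items() if q]
        if not backlogged:
            return None
        total = sum(self.weights[n] for n in backlogged)
        for name in self.credit:
            # An idle queue gives up its credit so it cannot burst later.
            if name in backlogged:
                self.credit[name] += self.weights[name]
            else:
                self.credit[name] = 0
        pick = max(backlogged, key=self.credit.__getitem__)
        self.credit[pick] -= total
        return pick, self.queues[pick].popleft()


def demo():
    """Congested port: ten VoIP and ten other packets queued, one Telnet packet filtered."""
    groups = [
        ClassificationGroup("telnet-discard", lambda p: p["dport"] == 23, decision="discard"),
        ClassificationGroup("voip", lambda p: p["dport"] == 5060, priority=7, share=80),
    ]
    policy = OutputPolicy(groups)
    for i in range(10):  # constructed sample traffic
        policy.enqueue({"id": f"v{i}", "dport": 5060})
        policy.enqueue({"id": f"w{i}", "dport": 80})
    policy.enqueue({"id": "t0", "dport": 23})
    order = []
    while (sent := policy.dequeue()) is not None:
        order.append(sent[0])
    return policy.dropped, order


if __name__ == "__main__":
    dropped, order = demo()
    print("dropped:", dropped)
    print("first five slots:", order[:5])
    print("voip in first ten slots:", order[:10].count("voip"))
```

While both queues are backlogged the model sends VoIP in four of every five slots; once the VoIP queue drains, the remaining data takes every slot, so the allocation only constrains traffic under congestion.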

Simple Network Management Protocol (SNMP) Overview


SNMP defines the method for obtaining information about network operating characteristics as well as router and gateway behaviors. This application-layer protocol initiates the exchange of configuration and management information between network devices. The SNMP architecture allows a variety of relationships among network entities. The Wireless Switch GUI and CLI permit enabling and disabling of certain SNMP features. Disabling these features (hardening of the Wireless Switch) helps manage security. Hardening of the KDC only is also permitted. SNMP is also managed by the SNMP manager through a third-party SNMP client, software permitting the manipulation and configuration of SNMP components. There are three elements in this process:
• Management Stations: software managing SNMP protocol parameters and communicating with SNMP Agents. The SNMP manager is responsible for this element.
• SNMP Agent: local to the Wireless Switch, this SNMP server provides the network device information. It processes information requests from the SNMP manager via the management station using SNMP.
• Management Information Base (MIB): the storage area for network-management information. It consists of collections of managed objects, such as SNMP parameters and events. These objects describe the state of a particular network device.

Accessing and Configuring the Switch Software


Command Line Interface (CLI)

The system features a powerful command line interface (CLI) that is accessible via Telnet, through the console port on the front of the Wireless Switch, or through a Secure Shell (SSH) application which enables protected access to the switch over the CLI. All configuration and management functions can be performed through the CLI. The command line interface also contains a Service Mode that allows customers to capture system status information and send it to Symbol engineers if required for problem resolution.

Graphical User Interface (GUI)

The Wireless Switch also provides a graphical user interface (GUI) that can be accessed securely from any web browser on the network. The GUI provides tools that configure and maintain the wireless system. It also provides real-time graphs displaying system load and traffic on the wireless network.


Installing the Software System Image

This software update procedure ensures the WS 5100 Wireless Switch is updated to the latest software version 1.4.0.0-0xxR.sys.img. To restore the Wireless Switch to the current running configuration, save the running configuration that supports the image to be loaded on the Wireless Switch. With the following current versions, perform the indicated actions:
Current Wireless Switch Software Version    To Update to 1.4.0.xx
1.4.0.0-0xxR.sys.img                        Do nothing; the Wireless Switch software version is up to date.
1.3.0.0-0xxR.sys.img                        Proceed to upgrading to software version 1.4.0.xx0xxR.sys.img
1.2.0.39.sys.img                            Proceed to upgrading to software version 1.4.0.xx0xxR.sys.img
1.1.4.30.sys.img                            Proceed to upgrading to software version 1.4.0.xx0xxR.sys.img
1.1.3.20.sys.img                            Proceed to upgrading from 1.1.1.16 and above. Refer to documentation included with version 1.1.1.16 Wireless Switch.
1.1.1.16.sys.img                            Proceed to upgrading from 1.1.1.16 and above. Refer to documentation included with version 1.1.1.16 Wireless Switch.
1.0.0.15.sys.img                            Upgrade first to 1.1.1.16
Another version of software not listed      Contact your Symbol Support representative

Log in to the Wireless Switch with administrator rights and use the CLI command show system to display the current Wireless Switch software version.

    WS5000>show system
    System Name                   : WS5000
    Descriptions                  : WS 5000 Wireless Network
    Software Ver.                 : 1.4.xx.xx
    Licensed to                   : Symbol Technologies
    Copyright                     : Copyright (c) 2000-2004. All rights reserved.
    Serial Number                 : 00A0F854042A
    Number of Licenses            : 0
    Max Access Port               : 0
    Max Mobile Clients            : 4096
    Active Switch Policy          : Default Wireless Switch Policy
    Emergency Switch Policy       : Not defined
    Switch Uptime                 : 00d:00h:03m
    # of Unassigned Access Ports  : 0

Update Requirements
Before beginning the update process, verify that the updated image file has been downloaded and is available on the local file system of a TFTP server. The required upgrade file is:

WS5000_1.4.0.0-0xxR.sys.img

A default configuration file is also included on the system CD but is not necessary for the upgrade. The default configuration file contains the Wireless Switch factory configuration. Save a copy of the current running configuration file. It is not necessary to delete the current running configuration file. If the upgrade file is not on the TFTP server, then copy the file from the software directory on the WS 5000 Wireless Switch system CD. Refer to Uploading Files to the Local TFTP Server on page 1-17 for directions on copying the WS 5000 Wireless Switch configuration and system upgrade file to the TFTP server.

Preparing the Wireless Switch System Image


The upgrade process uses the command line interface and is not supported in the Graphical User Interface (GUI).

Saving and Copying the Current Running Configuration


Although the Wireless Switch is restored to the factory default configuration during the update procedure, the settings for the Ethernet Ports don't change. This allows users to update their Wireless Switch remotely through Telnet or Secure Shell (SSH).
1. At the system prompt, create a backup of the system configuration file (this is the site-specific configuration).

    WS5000> save configuration siteconfig

2. Verify the site-specific configuration file was saved. In the example, siteconfig.cfg is the file name.

    WS5000> directory
    Date & Time     Bytes      File Name
    Feb 12 08:33    14982      WS5000Defaults_v1.4.0.xx.cfg
    Feb 14 10:13    13535582   WS5000_v1.4.0.xx.sys.img
    Feb 12 01:40    6452       cmd_template.sym
    Feb 15 14:55    15462      siteconfig.cfg

3. Copy the site-specific configuration file from the Wireless Switch to the TFTP server.

    WS5000>copy system tftp

4. The system prompts for the file name to download from the Wireless Switch.

    Enter File Name to be copied to TFTP : siteconfig.cfg
    IP address of the TFTP server : xxx.xxx.xx.xx
    Copying from system to tftp...
    File: siteconfig.cfg copied successfully to xxx.xxx.xx.xx

5. Confirm that the file is on the host computer.

Deleting all Previous System Image and Default Configuration Files


The next step in updating the Wireless Switch to software version 1.3.0.0-0xxR is ensuring that the previous system image file is removed from the system. The customer site configuration file contains all the site specific settings for the Wireless Switch.


1. Log in to the Wireless Switch using a Telnet application or through the console port.

2. At the system prompt, remove the configuration file WS5000_v1.3.0.xx.cfg, if present. If the file is not present, then proceed to Saving and Copying the Current Running Configuration.

    WS5000> delete WS5000Defaults_v1.3.0.xx.cfg
    Removing WS5000Defaults_v1.3.0.xx.cfg.... done.
    WS5000>

3. At the system prompt, remove the system image file WS5000_v1.3.0.xx.sys.img or WS5000_v1.2.0.39.sys.img.

    WS5000> delete WS5000_v1.3.0.xx.30.sys.img
    Removing WS5000_v1.1.4.30.sys.img.... done.
    WS5000>

Uploading Files to the Local TFTP Server


This procedure requires the CD that ships with the Wireless Switch, a computer with a TFTP server, and access to the switch through the Command Line Interface. There is no Graphical User Interface for this process. After restoring the new system image, do not restore any default configuration files below software version v1.3.0.0-0.xxR. Restoring default configuration images below version v1.3.0.0-0.xxR can render the Wireless Switch model number WS-5100- inoperable and require service by Symbol support representatives.
1. Insert the CD into the computer's CD-ROM drive. If the CD does not launch automatically, use Windows Explorer and double click on ws_5000.exe. The update system image and configuration files are located in the software directory on the WS 5000 Wireless Switch system CD.

2. When the program launches, click Configuration and Image Files on the menu.

3. Copy the file WS5000_v1.3.0.0-0xxR.sys.img to the TFTP server's local file system.

Upgrading the System Image File


1. Log in to the Wireless Switch with the default login user name and password.

    userid: admin
    password:
    Retrieving user and system information...
    Setting user permissions flags..
    Checking KDC access permissions...
    Welcome...
    System information...
    System Name                   : WS5000
    Descriptions                  : WS 5000 Wireless Network
    Software Ver.                 : 1.1.4.30f
    Licensed to                   : Symbol Technologies
    Copyright                     : Copyright (c) 2000-2004. All rights reserved.
    Serial Number                 : xxxxxxxxxxxx
    Number of Licenses            : 0
    Max Access Port               : 0
    Max Mobile Clients            : 4096
    Active Switch Policy          : Default Switch Policy
    Switch Uptime                 : 00d:00h:00m
    # of Unassigned Access Ports  : 0
    WS5000>

2. At the system prompt, copy the system image file that was downloaded from the WS 5000 Wireless Switch system CD to a TFTP server.

    WS5000>copy tftp system

3. The system prompts for the file name to download from the TFTP server. Enter the new system image file name:

    Enter the File Name to be copied from TFTP server : WS5000_v1.3.0.0-0xxR.sys.img
    IP address of the TFTP server : xxx.xxx.xx.xx
    Copying from tftp to system...
    File: WS5000_v1.3.0.0-0xxR.sys.img copied successfully from xxx.xxx.xx.xx
    Verifying imagefile
    Valid imagefile, completing verification.
    WS5000>

4. Confirm that the system image file is on the Wireless Switch.

    WS5000> directory
    Date & Time     Bytes      File Name
    May 9 11:59     13548085   WS5000_v1.3.0.0-0xxR.sys.img

    WS5000> restore system WS5000_v1.3.0.0-0xxR.sys.img

5. Type yes or y when asked to continue, and press Enter.

    This command will reset the system and boot up with the new restored image.
    Do you want to continue (yes/no) : yes

6. The new system image is updated and the system reboots. This reboot may take several minutes; all connections to the Wireless Switch are terminated.

    Restoring system image and configuration from WS5000_v1.3.0.0-0xxR.sys.img
    It might take a few minutes.......
    Cleaning up system files... Done!
    Saving Wireless Network Management Configuration ... Done.
    Restoring Wireless Network Management System...
    Resetting the Wireless System...
    Shutting down running processes ...
    Resetting the Switch ...
    Starting Wireless Switch 5000 ...
    Configuring ethernet ports ...
    Verifying database entries...
    Database verification complete.
    Launching auto-configuration procedure...
    Waiting for DHCP lease file to be created...
    DHCP lease file found.
    Begin parsing DHCP lease file...
    Results:
    --------------------------
    TFTP Server :
    Command File:
    --------------------------
    TFTP server option not found.
    Exiting auto-configuration...

7. Log in to the Wireless Switch and verify the upgrade was successful.

    user name:cli
    WS-5000 Wireless Switch...
    userid:admin
    password:
    Setting user permissions flags..
    Checking KDC access permissions...
    Welcome...
    System information...
    System Name                   : WS5000
    Descriptions                  : WS 5000 Wireless Network
    Switch Location               :
    Software Ver.                 : 1.3.0.0-0xxR
    Licensed to                   : Symbol Technologies
    Copyright                     : Copyright (c) 2000-2004. All rights reserved.
    Serial Number                 : xxxxxxxxxxxx
    Number of Licenses            : 0
    Max Access Port               : 0
    Max Mobile Clients            : 4096
    Active Switch Policy          : Default Wireless Switch Policy
    Emergency Switch Policy       : Not defined
    Switch Uptime                 : 00d:00h:12m
    # of Unassigned Access Ports  : 0
    WS5000>

8. Verify the file names on the system.

    WS5000> dir
    Date & Time     Bytes      File Name
    May 20 14:43    2108       CmdProcErrors.txt
    May 19 19:49    16604      WS5000Def_v1.3.0.0-0xxR.cfg
    May 20 11:59    15305453   WS5000_v1.3.0.0-0xxR.sys.img
    May 19 19:24    6452       cmd_template.sym


Restore the Customer Site Configuration


1. Open an SSH or Telnet connection to the Wireless Switch or use the console port, and log in to the Command Line Interface (CLI). After logging in, the screen displays the upgraded system software version number.

2. Use the copy command to copy the saved running site configuration file to the Wireless Switch.

    WS5000>copy tftp system

3. Restore the saved customer configuration file. In the example, siteconfig.cfg is the saved customer configuration file.

    WS5000> restore configuration siteconfig.cfg

4. Type yes or y when asked to continue, and press Enter.

    This command will reset the system and boot up with the new configuration.
    Do you want to continue (yes/no) : y
    Restoring configuration from siteconfig.cfg
    Restoring Wireless Network Management Configuration ...
    This may take a few mins ...
    Done.
    Done.
    Starting the Wireless Switch 5000 ...
    Configuring ethernet ports ...
    No TFTP server is present.
    Exiting auto install script...
    Starting system database ... Done.
    Starting switch processes ...
    CLI enabled
    UI enabled.
    SNMP agent started.
    The IP address of this switch is xxx.xxx.xxx.xxx
    WS-5000 Wireless Switch...
    userid: admin
    Checking KDC access permissions...
    Welcome...
    System information...
    System Name                   : Wireless Switch
    Descriptions                  : WS 5000 Wireless Network
    Software Ver.                 : 1.3.0.0-0xxR
    Licensed to                   : Symbol Technologies
    Copyright                     : Copyright (c) 2000-2004. All rights reserved.
    Serial Number                 : xxxxxxxxxxxx
    Number of Licenses            : 0
    Max Access Port               : 0
    Max Mobile Clients            : 4096
    Active Switch Policy          : Default Wireless Switch Policy
    Emergency Switch Policy       : Not defined
    Switch Uptime                 : 00d:00h:02m
    Unassigned Access Ports       :
    # of Unassigned Access Ports  : 2
    1. xx:xx:xx:xx:xx:xx.
    2. xx:xx:xx:xx:xx:xx.
    Wireless Switch>

5. After several minutes the system resets and loads the saved customer site configuration file.

6. Verify the customer site-specific file is present on the switch.

    Date & Time     Bytes      File Name
    May 12 08:33    14982      WS5000Defaults_v1.3.0.0-0xxR.cfg
    May 14 10:13    13535582   WS5000_v1.3.0.0-0xxR.sys.img
    May 12 01:40    6452       cmd_template.sym
    May 15 14:55    15462      siteconfig.cfg


Automatic Installation

To perform an automatic configuration, the Wireless Switch requires these components:

- An external TFTP server.
- When a Kerberos authentication database is installed on the Wireless Switch, an external system that can generate a Wireless Switch-compatible Kerberos database file.
- A command file: an ASCII text format file that contains site-specific settings for the Wireless Switch. The name of the file is obtained via DHCP and stored in the returned DHCP lease file. Once extracted from the lease file, the configuration file is downloaded and parsed, and the Wireless Switch is configured accordingly. The file name must end with a .sym suffix, or the file is not accepted and parsed. This command file can also contain the CLI commands to configure the switch.

The command-file option specifies a valid file name for an ASCII text format file that exists on the TFTP server and contains site-specific settings for the wireless switch. The command file (see Command File Example on page 1-24) directs the switch to perform the following types of remote configuration options:

- Load a new wireless switch configuration file
- Reconfigure the Ethernet IP, DNS, Gateway, and DHCP settings on the switch
- Set SNMP community strings
- Reconfigure the master and slave Kerberos settings
- Manually or automatically update Kerberos user database entries, with automatic propagation to the slave KDC, if present
- Enable or disable Hot Standby mode on the switch
- Optionally provide status and error logging of the automatic configuration operations
- Reconfiguration of Primary and Standby settings
- Reconfiguration of Master and Slave Kerberos settings
- Manual or automated update of Kerberos user database entries, with automatic propagation to the slave KDC if present

Command File Options


Several sections of site-specific settings are available in the command file, which is the text file that the Wireless Switch downloads and uses to configure itself during a remote or automatic installation. The categories of settings available in the command file include:

- Automatic Installation Command Event Logging
- Automatic Installation Command File TFTP Server
- Automatic Installation Command File Network

Command File Description


The command file is an ASCII text file that contains case sensitive letters, digits, and the underscore (_) character. The command file name uses the .sym extension. The command file contains all options necessary to perform a limited switch configuration or reconfiguration.

Syntax
    Option      Value      Description
    <option>    <value>    #comment

When the system parses this file, it ignores any option that it does not understand. The Wireless Switch keeps the current configuration for that specific option unchanged. The following lines are considered equivalent.

    #<option>   <value>
    <option>    #<value>
    <option>    #some comment

All values of the command file are case insensitive except for SNMP community strings, domain names, realms, and filenames. The system converts the hostname value into lowercase even when specified using a combination of lower/upper case. The command file option items do not have to be in any sequential order. A template of the command file, called cmd_template.sym, is located on the WS 5000 Wireless Switch system CD included with the Wireless Switch. Copy this file to a local host computer, then edit, save and rename it to serve as a command file (the .sym extension is required for the command file to be recognized by the Wireless Switch). Save the file to the system used to configure the Wireless Switch. Use the CLI copy tftp command (from the Wireless Switch CLI prompt; see WS5000> copy tftp in the CLI Command Reference) to copy the command file from the host computer to the Wireless Switch. The command file example shows the configuration of most options.

Command File Example


This example configuration file illustrates the configuration of most options available via the command file and supported by the Wireless Switch. The same command file can configure both a Primary Wireless Switch and an associated Standby Wireless Switch.

Example:
    #############################################################################
    #
    # Copyright (c) 2003, Symbol Technologies, Inc.
    # All rights reserved.
    #
    # cmd_template.sym file
    #
    # This is a template file to illustrate the format of auto configuration command files.
    # The command file must end with the .sym extension and contain options to
    # perform switch configuration. The format of the file is as follows:
    #
    #    <option>    <value>    #comment
    #
    # Each line is composed of an option name and its value. All options are
    # case sensitive.
    #
    # When this file is parsed, any option that is not found or has no value is ignored,
    # which means that the switch will keep the current configuration for this option
    # unchanged. The following lines are considered equivalent.
    #
    #    #<option>   <value>
    #    <option>    #<value>
    #    <option>    #some comment
    #
    #############################################################################

    #############################################################################
    # SECTION: Special Options
    #
    #############################################################################
    AutoConfigLog           #on/off: Log errors and events to CmdProcErrors.txt
                            #Default is 'on'.

    #############################################################################
    # SECTION: Files to download
    #
    #############################################################################
    TFTPServer              #tftp server where files are located
    ImageFile               #image file (.sys.img)
    ConfigFile              #configuration file (.cfg)
    KerberosFile            #kerberos username/passwd (.krb)

    #############################################################################
    # SECTION: General Network Configuration and Standby Management
    #
    #############################################################################
    #
    # DNS configuration
    #
    Eth1DNSServer1          #dns server
    Eth1DNSServer2          #dns server
    Eth2DNSServer1          #dns server
    Eth2DNSServer2          #dns server
    #
    # Switch configuration
    #
    Eth1SubnetMask          #subnet mask
    Eth2SubnetMask          #subnet mask
    Eth1Domain              #domain name
    Eth2Domain              #domain name
    Eth1DHCP                #on/off
    Eth2DHCP                #on/off
    Gateway                 #default gateway
    #
    # Primary IP configuration
    #
    HostnamePrimary         #Hostname of primary CC
    Eth1PrimaryIP           #ip address of primary CC
    Eth2PrimaryIP           #ip address of primary CC
    #
    # Standby IP configuration
    #
    HostnameStandby         #Hostname of standby CC
    Eth1StandbyIP           #ip address of standby CC
    Eth2StandbyIP           #ip address of standby CC
    #
    # Enable or disable the standby management
    #
    StandbyMgt              #on/off
    #
    #############################################################################
    # SECTION: Kerberos Configuration
    #
    #############################################################################
    #
    # NTP server configuration
    #
    NTPServer1              #NTP server 1
    NTPServer2              #NTP server 2
    NTPServer3              #NTP server 3
    #
    # Kerberos Master and Slave configuration
    #
    KDCRealm                #kerberos realm
    KDCInterface            #Interface on which KDC is configured (1 or 2)
    #
    # Add a remote backup master
    # (excluding the main Master/Primary & Slave/Standby from above)
    #
    KDCBackupHostname       #Hostname of the backup slave
    KDCBackupDomain         #Domain of the backup slave
    KDCBackupIP             #IP address of backup slave
    #
    # NOTE: All Security Policies which are configured for Kerberos Authentication
    #       will automatically be populated with the Master/Slave/Remote servers
    #       IP addresses if present in this file.
    #
    #############################################################################
    # SECTION: SNMP Configuration
    #
    #############################################################################
    #
    # SNMP community attributes
    #
    SNMPCommunity1          #SNMP community name
    SNMPCommunity1IP        #IP address for the community
    SNMPCommunity1Perm      #RO/RW: Access permissions
    SNMPCommunity2          #SNMP community name
    SNMPCommunity2IP        #IP address for the community
    SNMPCommunity2Perm      #RO/RW: Access permissions
    SNMPCommunity3          #SNMP community name
    SNMPCommunity3IP        #IP address for the community
    SNMPCommunity3Perm      #RO/RW: Access permissions
    SNMPCommunity4          #SNMP community name
    SNMPCommunity4IP        #IP address for the community
    SNMPCommunity4Perm      #RO/RW: Access permissions
    #
    # SNMP Traps
    #
    SNMPCommunity1Trap      #SNMP community trap
    SNMPCommunity1TrapIP    #SNMP community trap IP
    SNMPCommunity2Trap      #SNMP community trap
    SNMPCommunity2TrapIP    #SNMP community trap IP
    SNMPCommunity3Trap      #SNMP community trap
    SNMPCommunity3TrapIP    #SNMP community trap IP
    SNMPCommunity4Trap      #SNMP community trap
    SNMPCommunity4TrapIP    #SNMP community trap IP
    #
    #############################################################################
    # SECTION: SYSLOG Configuration
    #
    #############################################################################
    #
    # Syslog severities
    #
    # Name        Number
    #----------   --------
    # Emergency   1
    # Alert       2
    # Critical    3
    # Error       4
    # Warning     5
    # Notice      6
    # Info        7
    # Debug       8
    #
    # Syslog host 1
    #
    SysLogHostname1         #Hostname of syslog collector
    SysLogIP1               #IP address of syslog collector
    SysLogSev1              #Enter a list of severity numbers
                            #separated by white spaces EX: 2 3 6 8
    #
    # Syslog host 2
    #
    SysLogHostname2         #Hostname of syslog collector
    SysLogIP2               #IP address of syslog collector
    SysLogSev2              #Enter a list of severity numbers
                            #separated by white spaces EX: 2 3 6 8
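The parsing rules under Command File Description and the option names in the template are enough to check a command file before it is placed on the TFTP server. The following Python example is added here and is not Symbol's parser or part of the original manual: the function names, finding codes, sample file and the check for the well-known community names public and private are assumptions made for illustration.

```python
import re

# Option names as listed in the cmd_template.sym example and option tables.
KNOWN = re.compile(
    r"^(AutoConfigLog|TFTPServer|ImageFile|ConfigFile|KerberosFile|Gateway|StandbyMgt"
    r"|Eth[12](DNSServer[12]|SubnetMask|Domain|DHCP|PrimaryIP|StandbyIP)"
    r"|Hostname(Primary|Standby)|NTPServer[1-3]"
    r"|KDC(Realm|Domain|Interface|(Master|Slave)(IP|Hostname)|Backup(Hostname|Domain|IP))"
    r"|SNMPCommunity[1-4](IP|Perm|Action|Trap|TrapIP)?"
    r"|SysLog(Hostname|IP|Sev)[12])$")
# Values whose case is significant: SNMP community strings, domain names,
# realms and file names. Every other value is compared in lowercase.
KEEP_CASE = re.compile(
    r"^(SNMPCommunity[1-4]|Eth[12]Domain|KDC(Realm|Domain|BackupDomain)"
    r"|ImageFile|ConfigFile|KerberosFile)$")
# Added check, not from the manual: community names that are common defaults.
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def parse_command_file(text):
    """Return (options, unknown). options maps option name -> value for lines
    that carry a value; unknown lists (line_no, name) the switch would ignore."""
    options, unknown = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # '#' starts a comment
        if len(parts) < 2:
            continue   # blank, commented out, or option without a value
        name, value = parts[0], " ".join(parts[1:])
        if not KNOWN.match(name):              # option names are case sensitive
            unknown.append((line_no, name))
            continue
        options[name] = value if KEEP_CASE.match(name) else value.lower()
    return options, unknown


def audit(filename, text):
    """Return a list of (code, detail) findings for one command file."""
    options, unknown = parse_command_file(text)
    findings = []
    if not filename.endswith(".sym"):
        findings.append(("BAD-SUFFIX", "name must end in .sym to be accepted"))
    for line_no, name in unknown:
        findings.append(("UNKNOWN-OPT", f"line {line_no}: {name} is ignored, old setting kept"))
    for n in "1234":
        community = options.get(f"SNMPCommunity{n}")
        if community is None:
            continue
        if options.get(f"SNMPCommunity{n}Perm") == "rw":
            findings.append(("SNMP-RW", f"community {n} grants read-write access"))
        if community.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("SNMP-DEFAULT", f"community {n} uses a well-known name"))
    if options.get("AutoConfigLog") == "off":
        findings.append(("LOG-OFF", "auto-install events are not written to CmdProcErrors.txt"))
    if "KerberosFile" in options:
        findings.append(("KRB-FLUSH", "KDC database is flushed and replaced, no automatic backup"))
    if options.get("Eth1DHCP") == "on" and options.get("Eth2DHCP") == "on":
        findings.append(("DHCP-BOTH", "DHCP can be enabled on one interface only"))
    for i in "12":
        has_ip = any(f"Eth{i}{role}IP" in options for role in ("Primary", "Standby"))
        if has_ip and options.get(f"Eth{i}DHCP") == "on":
            findings.append(("DHCP-IGNORES-IP", f"Eth{i} static IP settings are ignored"))
        elif has_ip and f"Eth{i}SubnetMask" not in options:
            findings.append(("IP-NO-MASK", f"Eth{i} has an IP but no subnet mask"))
    return findings


# Constructed sample, not a real site file (addresses are documentation ranges).
SAMPLE = """\
# constructed sample command file
AutoConfigLog      off
TFTPServer         192.0.2.10          #documentation address
KerberosFile       Users.krb
Eth1DHCP           ON
Eth1PrimaryIP      192.0.2.20
Eth2PrimaryIP      198.51.100.20       #no Eth2SubnetMask given
SNMPCommunity1     public
SNMPCommunity1Perm RW
SNMPCommunity2     S1te-Ro             #case is kept
SNMPCommunity2Perm RO
snmpcommunity3     typo                #wrong case: unknown option
#SNMPCommunity4    disabled
StandbyMgt         #on
"""

if __name__ == "__main__":
    for code, detail in audit("site.sym", SAMPLE):
        print(f"{code:16} {detail}")
```

Because the switch silently keeps the old setting for any option it does not recognise, the UNKNOWN-OPT finding is the one that catches a mistyped SNMP or Kerberos option before deployment.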

Event Logging
The service option is a setting to turn on or off the logging feature, which pushes auto-installation event messages to a log file named CmdProcErrors.txt. This error log file is automatically generated in the same directory as the system image/configuration/command files if logging is turned on. These log messages are generated when events such as firmware/configuration upgrades/downgrades occur, and/or the command file contains errors such as improper syntax, files that are not present on specified TFTP server, etc.
Section: Service
Option:  AutoConfig Logging
Value:   <on|off>
Notes:   This selection allows the user to enable or disable the use of the logging facility. The default is on.

TFTP Server Settings


This section specifies the location of the TFTP server used for downloads and the names of the system image, configuration and Kerberos files that need to be downloaded. These settings are used when upgrading/downgrading firmware, changing configuration files or updating the user database of the Wireless Switch's built-in Kerberos KDC.

Section: Files to Download
Option:  TFTP Server
Value:   <xxx.xxx.xxx.xxx>
Notes:   This is the TFTP server from where the configuration file, the image file, and the Kerberos file are downloaded. If the TFTP server is not specified, it is assumed that the user downloaded these files manually via the CLI copy command, or the auto install will look for them in the Wireless Switch.

Section: Files to Download
Option:  ImageFile
Value:   <image Name (.sys.img)>
Notes:   When the installation software executes, it will also consider the current image file revision level (filename) and the installing image file revision level (from file name) to see if they are the same. If the names are equal, the new image will not be installed since image files are considered identical. If the revision levels are different, then the image file will be downloaded from the TFTP server. After this step has completed successfully, the switch will perform a reset and continue to reboot with the most recent (and valid) system image available. If any error occurred during the file processing, the firmware will not be upgraded and an error message will be logged. The file name is case sensitive.

Section: Files to Download
Option:  ConfigFile
Value:   <config_name (.cfg)>
Notes:   This is the name of a Wireless Switch configuration. This file is downloaded automatically from a specified TFTP server or through the CLI copy command. If the file is not found, or if there were errors during the TFTP download, the installation software will abort the configuration immediately and exit. This is considered a fatal error and any locally specific configurations should not be applied as well since they can be interrelated to the general configuration settings. The IP address of the WS will also remain unchanged. The file name is case sensitive.

Section: Files to Download
Option:  KerberosFile
Value:   <kerberos_name (.krb)>
Notes:   This is the name of a Kerberos username/password (Kerberos MIT DB file format) file and it is used to configure the primary Kerberos database of the on-board KDC server. The database is completely flushed before the new principals are added. If an error occurs during the file downloading or processing, the installation software logs an error message and skips the Kerberos configuration. The installation software tries to find the file in the Wireless Switch. If it is not there, it logs an error message and continues. Once a Kerberos DB .krb file is provided for download and installation, this new file replaces the current database file. There is no automatic attempt to save the previous copy of this file on the master KDC. The file name is case sensitive.

Kerberos Configuration Section


The Wireless Switch features a built-in Kerberos KDC (Key Distribution Center) for authentication services, so a site may require settings for configuring Kerberos functionality. The settings in the command file for configuring the KDC include Primary or Slave status, hostname, IP address, realm and domain. When applicable, up to three NTP (Network Time Protocol) servers can be specified. A list of all available Kerberos actions is included in the command file (see Command File Example on page 1-24).

Option: NTPServer1
Value:  <NTP xxx.xxx.xxx>
Notes:  NTP server IP address (for the on-board KDC server). The primary and standby switches need to be defined with the same NTP service host to ensure that the time source is consistent.

Option: NTPServer2
Value:  <NTP server IP xxx.xxx.xxx>
Notes:  Second alternate NTP server IP address.

Option: NTPServer3
Value:  <NTP server IP Ixxx.xxx.xxx>
Notes:  Third alternate NTP server IP address or name.

Option: KDCMasterIP
Value:  <xxx.xxx.xxx>
Notes:  Key Distribution Center (KDC) IP address for the Kerberos master. If this IP address belongs to any of the Ethernet ports and the switch name matches KDCMasterHostname, the switch is configured as a master KDC. Otherwise, it attempts to configure itself.

Option: KDCSlaveIP
Value:  <xxx.xxx.xxx>
Notes:  Slave KDC IP address for the Kerberos slave. If this IP address belongs to any of the Ethernet ports and the hostnames match, the switch is configured as a slave KDC. Otherwise, the switch is configured to use an external KDC database file.

Option: KDCMasterHostname
Value:  <server name>
Notes:  Kerberos Master Hostname where the KDC resides.

Option: KDCSlaveHostname
Value:  <Slave KDC server name>
Notes:  Kerberos Slave Hostname where the KDC resides.

Option: KDCRealm
Value:  <KDC realm name>
Notes:  Kerberos realm name

Option: KDCDomain
Value:  <KDC domain name>
Notes:  KDC domain name

Value:  {CREATEMASTER: Creates a master Kerberos}
        {REMOVEMASTER: Removes the master Kerberos}
Notes:  These 2 actions require the definition of the Kerberos realm, domain, master hostname, and master IP options named KDCRealm, KDCDomain, KDCMasterHostname, KDCMasterIP.

Value:  {CREATEMASTERSLAVE: Creates a master Kerberos and adds a slave Kerberos}
Notes:  This action requires the definition of the Kerberos realm, domain, master hostname, master IP, slave hostname, slave IP options named KDCRealm, KDCDomain, KDCMasterHostname, KDCMasterIP, KDCSlaveHostname, KDCSlaveIP.

Value:  {ADDSLAVE: Adds a slave to the master}
        {DELETESLAVE: Delete a slave from the master}
Notes:  These 2 actions require the definition of the Kerberos realm, slave hostname, slave IP options named KDCRealm, KDCSlaveHostname, KDCSlaveIP.

Value:  {NOACTION: Default action. Nothing will be done}

SNMP Configuration Section


The SNMP section of the command file contains settings for community attributes and trap actions that are used by SNMP-based network management tools to get/set MIB variables in order to configure the Wireless Switch along with gathering and monitoring device status.

Section: SNMP Configuration

Option: SNMPCommunity[1-4]
Value:  <string>
Notes:  This is the SNMP community for the designated group selection of [1..4]

Option: SNMPCommunity[1-4]IP
Value:  <ip_address>
Notes:  SNMP community IP address.

Option: SNMPCommunity[1-4]Perm
Value:  <RO | RW permissions>

Option: SNMPCommunity[1-4]Action
Value:  <Add | Delete>
Notes:  {ADD: Add the SNMP community} {DELETE: Remove the SNMP community}

General Network Configuration and Standby Management


Configure the network settings in this section such as; enabling/disabling DHCP, setting subnet masks, DNS servers and gateway settings. When the Wireless Switchs Standby Management capability is used, configure the settings for enabling/disabling Standby Management, and assigning hostnames and IP addresses to the Ethernet interfaces of the Primary and Standby Wireless Switches. Utilizing the Standby Management feature requires a pair of Wireless Switches, settings for both types (Primary and Standby) are in the command file so that a single file can be used at a site to install both the Primary and Standby Wireless Switch. When a Wireless Switch begins Standby configuration, pings the Primary Wireless Switchs IP address, as specified in the command file. If it does not receive a response, it assumes the role of Primary as long as it does not have a zero-port license key. The second Wireless Switch will subsequently configure itself as the Standby Wireless Switch.
Section Network Settings Option Value <ip_address> <ip_address> <ip_address> <ip_address> Notes DNS server configuration for each interface. Users can configure up to two DNS servers per interface. If it is not supplied, the DHCP configuration will be kept.

Eth1DNSServer1 Eth1DNSServer2 Eth2DNSServer1 Eth2DNSServer2

Eth1SubnetMask <ip_subnet_mask> Eth2SubnetMask <ip_subnet_mask>

These are the subnet masks for both interfaces. If the user specifies the IP address for the interface without specifying the subnet mask, an error is logged and the install of the selected interface network configuration does not completed.


Option: Eth1DHCP, Eth2DHCP
Value: <on | off>
Notes: Indicates whether the switch should use DHCP on any one of the interfaces. If DHCP is ON for an interface, all IP settings provided in the command file will be ignored and the interface will be configured to run the DHCP client. The DHCP can only be enabled on a single interface at this time. In requests to the DHCP server, the switch sends option 60 and the octets for the string WS5000. To use this feature, configure the DHCP server to handle the option, namely, either to ignore the octets or to allocate an address in a scope of addresses and offer the address. In accordance with the standard for DHCP Option 60, servers that respond should only use DHCP Option 43 to return vendor-specific information to the client.

Option: Gateway
Value: <ip_address>
Notes: This is the default gateway for the box. There should be only one value since the Wireless Switch currently does not allow gateway settings per interface. If this option is not specified, the DHCP settings will be kept.

Option: HostnamePrimary, HostnameStandby
Value: <string>
Notes: Host names defined for the primary and Standby switches. The host name is case sensitive.

Option: Eth1PrimaryIP, Eth2PrimaryIP, Eth1StandbyIP, Eth2StandbyIP
Value: <ip_address>
Notes: These are the IP addresses of the primary and the standby switch respectively. If they are not specified in the command file, the DHCP settings will be kept. When an image upgrade is performed, it will not change the existing Ethernet configuration. The Ethernet configuration in this command file is the last to be performed and should override the existing configuration.

Option: StandbyMgt
Value: <on | off>
Notes: Indicates whether Standby management is enabled. If it is enabled, then installation software queries the database for the number of licenses. If the switch is able to acquire a license, it may become a primary. If no license is available, it can only be considered as a standby unit.
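The rules in the Network Settings notes above can be checked before a command file is rolled out to a site. The following is an added example, not part of the original manual or the switch software: it takes the options as an already parsed dictionary (the on-disk command file syntax is not reproduced here), and the function names, severity labels and sample values are assumptions made for illustration.

```python
import ipaddress

INTERFACES = ("Eth1", "Eth2")

# Constructed sample: option names come from the table above, values are made up.
SAMPLE_OPTIONS = {
    "Eth1DHCP": "on",
    "Eth2DHCP": "off",
    "Eth1PrimaryIP": "192.0.2.10",     # ignored, because Eth1 runs the DHCP client
    "Eth2PrimaryIP": "198.51.100.10",
    "Eth2StandbyIP": "198.51.100.11",  # Eth2SubnetMask is missing on purpose
    "Gateway": "198.51.100.1",
    "StandbyMgt": "on",
}


def is_on(options, name):
    """True when an <on | off> option is present and set to on."""
    return str(options.get(name, "")).strip().lower() == "on"


def valid_ip(value):
    """True for a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def valid_mask(value):
    """Accept only contiguous dotted-quad masks such as 255.255.255.0."""
    if not valid_ip(value):
        return False
    mask = int(ipaddress.IPv4Address(value))
    host_bits = ~mask & 0xFFFFFFFF
    return mask != 0 and (host_bits & (host_bits + 1)) == 0


def lint_network_options(options):
    """Return a list of (severity, option, message) findings."""
    findings = []

    def add(severity, option, message):
        findings.append((severity, option, message))

    # "The DHCP can only be enabled on a single interface at this time."
    dhcp_on = [i for i in INTERFACES if is_on(options, i + "DHCP")]
    if len(dhcp_on) > 1:
        add("error", "Eth2DHCP", "DHCP can be enabled on a single interface only")

    for iface in INTERFACES:
        ip_keys = [iface + "PrimaryIP", iface + "StandbyIP"]
        dns_keys = [iface + "DNSServer1", iface + "DNSServer2"]
        mask_key = iface + "SubnetMask"

        if iface in dhcp_on:
            # With DHCP on, static IP settings for the interface are ignored.
            for key in ip_keys + dns_keys + [mask_key]:
                if key in options:
                    add("warning", key, "ignored: DHCP is on for " + iface)
            continue

        for key in ip_keys + dns_keys:
            if key in options and not valid_ip(options[key]):
                add("error", key, "not a valid IP address")

        has_ip = any(key in options for key in ip_keys)
        if has_ip and mask_key not in options:
            # An IP address without a mask aborts the interface configuration.
            add("error", mask_key, "IP address given without a subnet mask")
        elif mask_key in options and not valid_mask(options[mask_key]):
            add("error", mask_key, "not a valid subnet mask")
        if not has_ip:
            add("info", iface, "no IP address given; DHCP settings are kept")

    gateway = options.get("Gateway")
    if gateway is None:
        add("info", "Gateway", "not specified; DHCP settings are kept")
    elif not valid_ip(gateway):
        add("error", "Gateway", "not a valid IP address")
    return findings


if __name__ == "__main__":
    for severity, option, message in lint_network_options(SAMPLE_OPTIONS):
        print(severity.upper(), option, message)
```
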


System Configuration Using the GUI

This guide is intended for use by the administrator responsible for the initial configuration of the system. It also serves as a reference for configuring and modifying most common system settings. Most Wireless Switch and Access Port configurations are accomplished through the use of a Graphical User Interface via a Web browser, through SNMP commands or the Command Line Interface (CLI) from a telnet connection, through the Wireless Switch console port, or a secure shell (SSH) application.

System configuration sections are broken down by Graphical User Interface (GUI), Command Line Interface (CLI), and Simple Network Management Protocol (SNMP) system configuration. Not all areas of the system can be configured solely by the GUI, CLI, or SNMP. Where a specific system configuration is only accomplished through a specific interface, that information is clearly pointed out at the beginning of the configuration process. For information on advanced system settings, refer to the CLI Command Reference.

To log in to the WS 5000 standard graphical user interface, follow these steps:
1. Open a compatible browser.
2. Connect to the WS 5000 switch by typing http:// or https:// and the switch's IP address.
3. Type the User Id and Password and click the Login button.

Key Distribution Center


The Wireless Switch has an on-board Key Distribution Center (KDC) or Kerberos authentication server. Properly configured, the Wireless Switch provides a secure means for authenticating users/clients associated to a WLAN or ESS with the Kerberos security policy applied. A separate Wireless Switch with an on-board KDC can be configured as a Slave KDC to support the Master KDC in case of a Master KDC failure. The KDC can use the system time or up to three Network Time Protocol servers (NTPs) when available. Configuration of NTP in the KDC is optional, except in a Master/Slave configuration. When an NTP server is configured for use, the KDC contacts the NTP server every 30 minutes to synchronize the system time. When a Slave KDC is present, use of an NTP server is recommended so the Master and Slave KDC times are synchronized. Not using an NTP server in a Master/Slave configuration requires periodic, manual time synchronization to propagate the Master database to the Slave KDC. This time synchronization step is not necessary if the Master and Slave KDC times are within 5 minutes. Use the Wireless Switch Graphical User Interface (GUI), the command line interface or SNMP to configure the onboard KDC. The following steps are necessary for initial configuration:
1. Set Master KDC information (see Setting Master KDC Information on page 34).
2. Set the Kerberos Time Synchronization. Use of an NTP server is optional (see Setting Kerberos Time Synchronization on page 34).
3. Create a Kerberos WLAN (see Creating a Kerberos WLAN on page 35).
4. Create Kerberos User Accounts, including user name, password, and ticket life (in minutes) (see Creating Kerberos User Accounts on page 36).
5. Set Slave KDC information (optional) (see Setting Slave KDC Information on page 37).

Setting Master KDC Information


This procedure configures the WLAN Switch to act as the Master KDC authentication server for all Kerberos enabled WLANs.
1. At the Graphical User Interface main window, click System Settings > Kerberos > Configuration, then click KDC. The Kerberos Configuration dialog box appears.
2. Select Master from the drop-down list. By default, ethernet1 is selected as the interface of the Wireless Switch that connects to the wireless traffic.
3. Enter the Kerberos Realm where the KDC resides. A Domain Name (the Domain and Realm name are the same) must be assigned to the Ethernet port prior to assigning a realm name to the KDC.
4. Click Save to complete the Master KDC setup.

Setting Kerberos Time Synchronization


This procedure synchronizes the Network Time Protocol (NTP) server with the Wireless Switch on-board KDC. The KDC can use the system time or an NTP server (when available). KDC NTP time configuration is optional (except in a Master/Slave configuration). When an NTP server is configured for use, the KDC contacts the NTP server every 30 minutes to synchronize the system time and propagate the Master KDC database to the Slave KDC.
1. At the Graphical User Interface main window, click System Settings > Kerberos > Configuration, then click NTP. The KDC Time Configuration dialog box appears.
2. Enter the IP addresses for the Preferred Time Server, the First Alternate Time Server, and the Second Alternate Time Server (if available).
3. Click Save to apply settings.

Creating a Kerberos WLAN


1. At the Graphical User Interface main window, highlight System Settings > Kerberos > Administration, then click WLAN. The Kerberos WLAN Administration dialog box appears.
2. Select Create to create a new Kerberos WLAN.
3. When the WLAN Wizard, Create a New WLAN window appears, enter the information needed to create a WLAN (at a minimum enter the WLAN name), then follow the instructions on the subsequent screens to create your WLAN. Click the Help button for more information.
4. When the WLAN Wizard WLAN Created Successfully window appears, select Finish to complete the Kerberos WLAN creation process.

Creating Kerberos User Accounts


This procedure creates a Kerberos user account for authentication on the WLAN.
1. At the Graphical User Interface main window, click System Settings > Kerberos > Administration, then click Users. The Kerberos User Administration dialog box appears.
2. Enter the user name, realm, ticket life (in minutes), and password.
3. Re-enter the password in the Confirm field and click Save to save the Kerberos user account information.

Setting Slave KDC Information


To use the Wireless Switch on-board KDC in a Master/Slave KDC configuration, the network requires at least two Wireless Switches, one for the Master KDC and the other for the Slave KDC. Setting Slave KDC information is a two-step process:
1. At the Graphical User Interface main window, click System Settings > Kerberos > Configuration, then click Slave. The Kerberos Configuration dialog box appears.
2. Enter the Hostname, IP Address, and Domain for Kerberos authentication.
3. Click Add to set the Slave KDC information.

The next part configures the Master KDC to recognize the Slave KDC.
1. At the Graphical User Interface main window, click System Settings > Kerberos > Configuration, then click Slave. The Kerberos Configuration dialog box, already shown, appears.
2. Select the Slave KDC from the list on the left side of the dialog box.
3. Enter the hostname, IP address, and domain of the Master KDC server.
4. Click Add to complete adding the Slave to the Master KDC.

Ethernet Port Policies


Creating an Ethernet Port Policy
The default recommended Ethernet port configuration in the Wireless Switch has Ethernet ports one and two on different subnets. Ethernet port one supports the WLAN infrastructure (Access Ports and associated MUs) and Ethernet port two provides connectivity to the Wired LAN infrastructure. Always map the primary VLAN ID to Ethernet port two in this configuration. Configure the Wireless Switch for Multi-ESSID Access Ports and assign WLANs.
1. At the Graphical User Interface main window, click Create.
2. Select Ethernet.
3. Click New Policy. The system launches the Ethernet Port Policy Wizard.
4. Enter a name for the new Ethernet Port Policy and complete the applicable fields. Click Next to continue and follow the instructions on the subsequent screens.
5. On the final screen, click Finish to complete creating the Ethernet Port policy.

Modifying an Ethernet Port Policy


1. At the Graphical User Interface main window, click Modify.
2. Select Ethernet.
3. Click Existing Policy. The system launches the Ethernet Policy Manager.
4. Select an Ethernet Policy from the list and click Edit. The system will launch the Ethernet Policy Wizard. Follow the Wizard's instructions.
5. On the final screen, click Finish to save the modified Ethernet Port policy.

Configuring VLANs
A WLAN to VLAN association is created in the Ethernet Port Policy. Create a new Ethernet Port Policy or modify an existing Ethernet Port Policy. Configure the Ethernet ports on the Wireless Switch to support one or more of the available VLANs for WLAN to VLAN association.
1. Create a new Ethernet Port Policy to support VLAN to WLAN association.

   The recommended Ethernet port configuration in the Wireless Switch has Ethernet Ports one and two on different subnets with Ethernet Port one supporting the WLAN infrastructure (Access Ports and associated MUs). Always map the primary VLAN ID to Ethernet Port two in this configuration.
2. Enter a name for the new Ethernet Port Policy and complete the applicable fields.
3. Follow the Wizard's instructions on the subsequent screens. On the final screen, click Finish to save the Ethernet Policy just created.

Access Port Policies


Creating an Access Port Policy
Configure the Wireless Switch for Multi-ESSID Access Ports and assign WLANs.
1. At the Graphical User Interface main window, click Create.
2. Select Access Port and click New Policy. The system launches Create a New Access Port Policy Wizard.
3. Select Use an existing Access Port Policy as a template if desired.
4. Enter a name for the new Access Port Policy, complete the applicable fields, and click Next.
5. Follow the instructions on the Wizard's subsequent screens.
6. On the final screen, click Finish to save the policy and exit the wizard.

Modifying an Access Port Policy


1. At the Graphical User Interface main window, click Modify.
2. Select Access Port.
3. Click Existing Policy. The system launches the Access Port Policy Manager.
4. Select an Access Port Policy from the list and click Edit. The system launches the Access Port Policy Wizard, already shown.
5. In the final screen, click Finish to complete creating the Access Port policy. The system returns to the Access Port Policy Manager window and displays the modified Access Port Policy and WLAN.

WLANs
Creating a WLAN
1. At the Graphical User Interface main window, click Create.
2. Select Access Port.
3. Click WLAN. The system launches the WLAN Wizard.
4. Select Use an existing WLAN as a template if desired.
5. Enter a name for the new WLAN, complete the applicable fields, and click Next.
6. Follow the instructions on the Wizard's subsequent screens.
7. On the final screen, click Finish to save the new WLAN and exit the wizard.

Modifying a WLAN
1. At the Graphical User Interface main window, click Modify.
2. Select Access Port, then click WLAN. The system launches the WLAN Manager.
3. Select a WLAN from the list and click Edit. The system launches the WLAN Wizard.
4. Click Next to modify the selected WLAN and follow the instructions on the Wizard's screens.
5. On the final screen, click Finish to complete updating the WLAN. The system returns to the WLAN Manager window and displays the modified WLAN properties.

Network Policies
Creating a Network Policy
1. At the Graphical User Interface main window, click Create.
2. Select Network.
3. Click New Policy. The system launches Create a New Network Policy Wizard.
4. Select Use an existing Network Policy as a template if desired, supply a Name, click Next and follow the instructions on the subsequent screens.
5. On the final screen, click Finish.

Creating a Network Output Policy


1. At the Graphical User Interface main window, click Create.
2. Select Network, then click Output Policy. The system launches Create a New Output Policy Wizard.
3. Select Use an existing Output Policy as a template if desired.
4. Enter a name for the new Output policy and, if desired, a description.
5. Click Next to continue and follow the instructions on the subsequent screens.
6. In the final screen, click Finish to return to the system main window.

Creating a Network Input Policy


1. At the Graphical User Interface main window, click Create.
2. Select Network, then click Input Policy. The system launches Create a New Input Policy Wizard.
3. Select Use an existing Input Policy as a template if desired.
4. Enter a name for the new Input Policy and, if desired, a description.
5. Click Next to continue and follow the instructions on the subsequent screens.
6. In the final screen, click Finish to return to the system main window.

1.0.1 Modifying a Network Policy


1. At the Graphical User Interface main window, click Modify.
2. Select Network.
3. Click Existing Policy. The system launches the Network Policy Manager.
4. Select a Network Policy from the list and click Edit. The system launches the Network Policy Wizard, already described.
5. Follow the Wizard's instructions.

Access Control Lists


Creating an Access Control List
1. At the Graphical User Interface main window, click Create.
2. Select Access Port.
3. Click Access Control List.
4. Select the default action for ACL rule, and then click Next to continue. Follow the instructions on the subsequent screens and click Finish on the final screen.

Security Policies
Creating a Security Policy
1. At the Graphical User Interface main window, click Create.
2. Select Access Port.
3. Click Security Policy. The Security Policy Wizard appears. Follow the instructions in the Wizard's screens.

Modifying a Security Policy


1. At the Graphical User Interface main window, click Modify.
2. Select Access Port.
3. Click Security Policy. The system launches the Security Policy Manager.
4. Select a Security Policy from the list and click Edit. The system launches the Security Policy Wizard. Follow the instructions on the subsequent screens and click Finish on the final screen.

Classifiers
Creating a Classifier
1. At the Graphical User Interface main window, click Create.
2. Select Network.
3. Select Classifier. The system launches the Classifier Wizard.
4. Type a Name and, optionally, a Description. If needed, click Use an existing Classifier as a template and select a classifier from the list to create a new Classifier. Click Next. Follow the instructions on the subsequent screens and click Finish on the final screen.

1.0.2 Modifying a Classifier


1. At the Graphical User Interface main window, click Modify.
2. Select Network.
3. Click Classifier. The system launches the Classifier Manager.
4. Select a Classifier from the list and click Edit. The system launches the Classifier Wizard.
5. Follow the instructions on the subsequent screens and click Finish on the final screen.

Classification Groups
Creating a Classification Group
1. At the Graphical User Interface main window, click Create.
2. Select Network.
3. Click Classification Group. The system launches the Classification Group Manager.
4. Select a Classification Group from the list and click Edit. The system launches the Classification Group Wizard.
5. Supply a Name, Description, Templates, click Next, and follow the instructions on the subsequent screen. Click Finish on the final screen.

Modifying a Classification Group


1. At the Graphical User Interface main window, click Modify.
2. Select Network.
3. Click Classification Group. The system launches the Classification Group Manager.
4. Select from the list of available Classification Groups (displayed on the left side of the window) and click Edit. The system launches the Classification Group Wizard. Follow the Wizard's instructions.

1.1 Wireless Switch Policies


1.1.1 Setting the Country
The Wireless Switch is preconfigured from the factory with the Default Wireless Switch Policy, Country selection set to None. This prevents the Wireless Switch from being enabled with a default country setting (United States, for example) that conflicts with the actual location of the Wireless Switch. As long as the Country selection remains set to None, the Wireless Switch cannot adopt any Access Ports. Modify the Default Wireless Switch Policy, or create one, then apply a new Wireless Switch Policy and select the appropriate country for the Wireless location. To set the Country for the WS 5000 switch:
1. From the WS 5000 Wireless Switch main window, click the Properties button.
2. From the Wireless Switch Policy Manager screen select the proper Country for the location of this Wireless Switch. Once a country is specified, the None option is no longer available.
3. Select the Channel and Power settings as desired.

The default Auto (once) Channel selection configures Access Ports upon start up to select the best channel as determined by the Automatic Channel Selection (ACS) engine. The ACS engine automatically determines the optimum channel based on available channels. Administrators can customize the ACS process by clicking Automatic Channel Selection Settings and reserving those channels that the ACS engine will not consider available when assigning automatic channel settings to Access Ports. Because the ACS engine evaluates every channel defined for the country selected, process times can be improved by reserving channels not likely to be used. For example, if a WS 5000 should only use 802.11b channels 1, 6, and 11, administrators can reserve channels 2-5, 7-10, and 12-14. The ACS process then only has to evaluate three channels instead of 14.

The Channel settings Auto (once) and Auto differ in that Auto (once) forces Access Ports to request channel assignments from ACS only at initial start up and adoption. Specifying Auto forces Access Ports to request channel assignments every time they need to reestablish a connection. Use Auto (once) in relatively stable environments where radio reception is not likely to change significantly. Use Auto in dynamically changing environments where radio reception is likely to vary significantly over time.

The following table with the available Countries and their country codes is useful when setting the country code from the CLI.
Country               Code
Argentina             AR
Asia Pacific          AP
Australia             AU
Austria               AT
Bahrain               BH
Belarus               BL
Belgium               BE
Brazil                BR
Bulgaria              BG
Canada                CA
Chile                 CL
China                 CN
Colombia              CO
Costa Rica            CR
Croatia               HR
Czech Rep.            CZ
Denmark               DK
Ecuador               EC
Estonia               EE
Finland               FI
France                FR
Germany               DE
Greece                GR
Guatemala             GT
Hong Kong             HK
Hungary               HU
Iceland               IS
India                 IN
Indonesia             ID
Ireland               IE
Israel                IL
Italy                 IT
Japan                 JP
Jordan                JO
Kuwait                KW
Latvia                LV
Liechtenstein         LI
Lithuania             LT
Luxembourg            LU
Malaysia              MY
Mexico                MX
Morocco               MA
Netherlands           NL
New Zealand           NZ
Norway                NO
Oman                  OM
Panama                PA
Peru                  PE
Philippines           PH
Poland                PL
Portugal              PT
Qatar                 QA
R&TTE                 RO
Romania               RO
Russian Federation    RU
Saudi Arabia          SA
Singapore             SG
Slovak Republic       SK
Slovenia              SI
South Africa          ZA
South Korea           KR
Spain                 ES
Sweden                SE
Switzerland           CH
Taiwan                TW
Thailand              TH
Turkey                TR
UAE                   AE
Ukraine               UA
United Kingdom        UK
USA                   US
Uruguay               UY
Venezuela             VE

1.1.2 Creating a Wireless Switch Policy


1. At the Graphical User Interface main window, click Create.
2. Select Wireless Switch.
3. Click New Policy. The system launches the Wireless Switch Policy Wizard.
4. Select Use an existing Wireless Switch Policy as a template if desired.
5. Enter a name for the new Wireless Switch Policy and complete the applicable fields. Click Next.
6. Follow the instructions on the Wizard's subsequent screens.

Defining an Emergency Switch Policy


When creating or modifying a switch policy, select that policy as the Emergency Switch Policy by selecting Emergency Policy. To define a new switch policy as the Emergency Switch Policy:
1. At the Graphical User Interface main window, click Create.
2. Select Wireless Switch.
3. Click New Policy. The system launches the Wireless Switch Policy Wizard.
4. Enter the name and, optionally, the description of the policy.
5. Select Use an existing Wireless Switch Policy as a template. Click Next.
6. Select Country, Channel, Power Level for Access Ports, and the Ethernet Port Policy. Create a New Ethernet Port Policy if desired.
7. Select Emergency to configure the policy as the Emergency Switch Policy. Click Next and follow the instructions on the subsequent screens.

Activating the Emergency Switch Policy


When the Emergency Switch Policy is active, the Switch Policy icon on the Device Tree Panel turns red, indicating that the switch is operating under the emergency policy. The emergency switch policy icon in the bottom right panel functions as a toggle. While the switch is operating under the emergency switch policy, clicking the icon and confirming the dialog box reverts the switch to the last active switch policy. After defining an Emergency Switch Policy, the icon in the bottom right panel (labeled E) turns red.
1. Select the Emergency icon (located at the bottom of the main window) to activate the Emergency Switch Policy.
2. After clicking the icon, a dialog window prompts for confirmation; click OK.

To revert the switch to the last active switch policy, click the emergency switch policy icon at the bottom of the main window.

CLI Commands

This chapter describes the commands that are defined by the WS 5100 Command Line Interface (CLI). You can access the CLI by running a terminal emulation program on a computer that's connected to the serial port at the front of the switch, or by using telnet to access the switch over the network.

Navigating in the CLI


Before jumping into the CLI commands, we'll look at its architecture, show how to navigate, and provide some shortcuts.

Contexts
You invoke CLI commands within particular contexts. Contexts are hierarchical in a manner similar to directories in a traditional hierarchical file system: contexts contain other contexts. When you log into the switch, you're placed at the System context; this is the top of the context hierarchy. To enter a subcontext, you type its name. The only subcontext of the Service context is the Configure context. To get there from Service, you could type configure at the CLI prompt, but, as a convenience, the Configure context can also be accessed by typing cfg:
WS5000> cfg
WS5000.(Cfg)>

As shown above, the CLI prompt changes to indicate the current context. Ignore the parentheses in the prompt; they don't mean anything. Most of the switch configuration is performed in subcontexts of the Configuration context. For example, to drop into the WLAN subcontext you type wlan from the Configuration context:
WS5000.(Cfg)> wlan
WS5000.(Cfg).wlan>

To bump up a context level, type ..:
WS5000.(Cfg).wlan> ..
ws5000.(Cfg)>

To jump to the system context use exit:
WS5000.(Cfg).wlan> exit
ws5000>

NOTE You can't go up and over when navigating the CLI; constructions such as .. context or ../context don't work.

Instances
Most contexts contain instances of themselves. An instance is a set of configuration values that's identified by name. Some contexts have pre-defined instances, but, in general, you have to create the instances yourself. To create an instance, you use the add command and supply a name. For example, here we create a WLAN instance:
WS5000.(Cfg)> wlan
WS5000.(Cfg).wlan> add myWLAN
WS5000.(Cfg).wlan.[myWLAN]>

When you create an instance, you drop into that instance's context. As shown here, the prompt places the name of the instance context in brackets. Once you're in the instance context, you can use the commands that are defined there to configure the instance.

Typography and Shortcuts


Typographical odds and ends:

All pre-defined CLI commands and keywords are case-insensitive: cfg = Cfg = CFG.

For clarity, CLI commands and keywords are displayed, in this document, in mixed case: apPolicy, trapHosts, channelInfo.

The names of all context instances, whether predefined or invented by you, are case-sensitive.

CLI commands can be concatenated. For example, to jump from the System context to the myWLAN instance, you can type this:
WS5000> cfg wlan myWLAN
WS5000.(Cfg).wlan.[myWLAN]>

If an instance name (or other parameter) contains whitespace, you must enclose the name in quotes:
WS5000.(Cfg)> spol "Default Switch Policy"
WS5000.(Cfg).SPolicy.[Default Switch Policy]>

To abort an unresponsive command, type <ctrl>-c (i.e. hold down the control key and type c).
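Because the prompt encodes the current context and instance, a captured CLI session can be reviewed by parsing each prompt line. The following is an added example, not part of the original manual: it applies the rules described above (parentheses carry no meaning, keywords are case-insensitive, instance names are case-sensitive and may be quoted), and it assumes that system and context names contain no dots, brackets or spaces. The function names and the transcript are constructed for illustration.

```python
import re
import shlex

# system name, then zero or more ".(Ctx)", ".ctx" or ".[instance]" segments, then ">"
PROMPT_RE = re.compile(
    r"^(?P<system>[^.>\s]+)"
    r"(?P<path>(?:\.(?:\([^)]*\)|\[[^\]]*\]|[^.\[\](>]+))*)"
    r">\s?(?P<command>.*)$"
)
SEGMENT_RE = re.compile(r"\.(\([^)]*\)|\[[^\]]*\]|[^.\[\](>]+)")

# Constructed transcript built from the prompt forms shown in this chapter.
SAMPLE_TRANSCRIPT = '''WS5000> cfg
WS5000.(Cfg)> spol "Default Switch Policy"
WS5000.(Cfg).SPolicy.[Default Switch Policy]> exit
ws5000> CFG wlan myWLAN
WS5000.(Cfg).wlan.[myWLAN]> description "guest network"
WS5000.(Cfg).wlan.[myWLAN]> ..
WS5000.(Cfg).APPolicy> show
Available Access Port Policies:
1. Default Access Port Policy.
WS5000.(Cfg).APPolicy>
'''


def parse_prompt_line(line):
    """Split one 'prompt> command' line; return None for non-prompt output."""
    match = PROMPT_RE.match(line.rstrip("\r\n"))
    if match is None:
        return None
    contexts, instance = [], None
    for segment in SEGMENT_RE.findall(match.group("path")):
        if segment.startswith("["):
            instance = segment[1:-1]          # instance names are case-sensitive
        else:
            contexts.append(segment.strip("()").lower())  # keywords are not
    command = match.group("command").strip()
    try:
        argv = shlex.split(command)           # honours "quoted names"
    except ValueError:
        argv = command.split()                # unbalanced quote: best effort
    return {
        "system": match.group("system"),
        "contexts": contexts,
        "instance": instance,
        "argv": argv,
    }


def commands_by_context(transcript):
    """Return (context, keyword, arguments) for every command in a transcript."""
    rows = []
    for line in transcript.splitlines():
        parsed = parse_prompt_line(line)
        if parsed is None or not parsed["argv"]:
            continue
        where = ".".join(parsed["contexts"]) or "system"
        if parsed["instance"] is not None:
            where += "[" + parsed["instance"] + "]"
        rows.append((where, parsed["argv"][0].lower(), parsed["argv"][1:]))
    return rows


if __name__ == "__main__":
    for row in commands_by_context(SAMPLE_TRANSCRIPT):
        print(row)
```
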

1 Common Commands
The following commands are defined in all (or most) contexts.

?
Displays a list of available commands. Same as help. You can also pass ? as the last argument to any command to see an expanded help description. For example, to list all of the arguments that a context's set command recognizes, type set ?.

..
Changes the current context to the next higher level. Same as end.

bye
Exits the command line interface and returns to the login screen. Same as logout.

clear
Clears the screen.


description
Adds a descriptive string to the switch (for the System and Configuration contexts), or to a specific context instance. The description string is displayed when you invoke the show command.
Syntax:
description <text>

Parameters:
text

The descriptive text that you want to add to the switch or context instance.

emergencyMode
Enables or disables the Emergency Switch Policy (ESP). This is a Switch Policy that you can activate (enable) at any time in case of an emergency. When you deactivate (disable) the ESP, the previous Switch Policy is reactivated. To set the emergency policy, use the set emergencyPolicy command; see WS5000.(Cfg)> set emergencyPolicy on page 67.
Syntax:
emergencyMode <enable | disable>

end
Changes the current context to the next higher level. Same as ...

exit
Returns you to the System context.

help
Displays a list of available commands. Same as ?.

history
Displays the last 100 commands that were executed in the current context. Each context keeps its own list.


<instance_name>
When called from a context that contains instances, a reference to an existing instance name drops you into the context for that instance. To get a list of instances, invoke show.
Syntax:
<instance_name>

Example:
WS5000.(Cfg).APPolicy> show
Available Access Port Policies:
1. Default Access Port Policy.
2. myAPPolicy.
WS5000.(Cfg).APPolicy> myAPPolicy
WS5000.(Cfg).APPolicy.[myAPPolicy]>

logout
Exits the command line interface and returns to the login screen. Same as bye.

name
In the System and Configuration contexts, name sets the name of the system. The system name is used as the CLI prompt. In an instance context, name sets the name of the instance.
Syntax:
name <name>

Parameters:
name

The name that you want to give to the system or to a context instance.

policy
Most policy contexts that contain instances define the policy command. policy drops you into the named instance. This is the same as typing the instance name by itself, as described in <instance_name>, above.
Syntax:
policy <instance_name>

show
There are a number of ways to invoke the show command:

Invoked without any arguments, show displays information about the current context. If the current context contains instances, then show (usually) displays a list of these instances.

Invoked with the component argument, it displays information about that component.

Invoked with both the component and the instance_name argument, it displays information about the named instance within the component. This only applies to components that are contexts that contain instances. For example:
WS5000> show appolicy "myAPPolicy"

Invoked with just the instance_name argument, the component argument defaults to the current context. Again, this only works when the current context contains instances. For example:
WS5000.(Cfg).APPolicy> show "myAPPolicy"

Syntax:
show [component] [instance_name]

Parameters:
component

Valid component arguments vary from one context to the next. However, all contexts support some number of context components. See the table, below.

instance_name

The name of an instance of component, or of the current context when component is omitted.

Context Components
The gamut of context components is listed below. Not all contexts implement all of the component arguments listed here.

Component        Context
aPort            Access Port (APort) Context on page 70
acl              Access Control List (ACL) Context on page 69
apPolicy         Access Port Policy (APPolicy) Context on page 74
ce               Classifier Context (CE) on page 82
cg               Classification Group (CG) Context on page 80
chassis          Chassis Context on page 79
ethernet         Ethernet Port Context on page 85
etherPolicy      Ethernet Policy (EtherPolicy) Context on page 87
event            Event Context on page 90
ftp              FTP Context on page 93
host             Host Context on page 93
kdc              KDC Context on page 95
np               Network Policy Context on page 98
po               Policy Object Context on page 100
radius           RADIUS Context on page 103
securityPolicy   Security Policy Context on page 104
service          Service Mode on page 117
snmpstatus       SNMP Context on page 106
ssh              SSH (Secure Shell) Context on page 108
standby          Standby (Failover) Context on page 110
switchPolicy     Switch Policy Context on page 112
syslog           Syslog Context on page 91
telnet           Telnet Context on page 116
users            User Context on page 117
vlan             VLAN Context on page 116
wlan             WLAN Context on page 119

show system
Displays system information: system name, description, maximum number of concurrent AP adoptions, active Switch Policy name, and so on. The same information is displayed regardless of your context. Most, but not all, contexts support the show system command.

2 System Context
WS5000> cfg
Synonym of configure.

WS5000> configure
Drops into the Configuration context. See Configuration (Cfg) Context on page 65.

WS5000> copy
Copies a file from the WS 5100 to a (T)FTP server, or from a (T)FTP server to the WS 5100. You're prompted to supply the name of the file that you want to copy and the IP address of the (T)FTP server. The TFTP and FTP versions of the command are described separately, below.
IMPORTANT: DO NOT USE THIS COMMAND FOR FILES LARGER THAN 32MB.

For TFTP: TFTP can be used to transfer *.sys.img, *.cfg, and *.sym files.
Syntax:
copy <source> <destination>

Parameters:
source

The source of the file. Must be either system (i.e., the WS 5100) or tftp.
destination

The destination of the file. Must be either tftp or system.


Example:
WS5000> copy tftp system
Enter the file name to be copied from TFTP server : backup.sys.img
IP address of the TFTP server : 10.1.1.1
Copying 'backup.sys.img' from tftp://10.1.1.1 to Switch...


For FTP: FTP can be used to transfer .krb, .sys.img, .cfg, and .sym files.
Syntax:
copy <source> <destination> [ -u <ftp_user> ] [ -m <ftp_mode> ]

Parameters:
source

The source of the file. Must be either system (i.e., the WS 5100) or the address and pathname of the FTP server (e.g. ftp://<ipAddress>/path/[file_name]). If you don't supply a filename, you'll be prompted for one. You'll be prompted to supply a password, as well.
destination

The destination of the file.


ftp_user

The FTP username. The default is anonymous.


ftp_mode

The FTP transfer mode, either ascii or binary. The default is binary.

WS5000> delete
Deletes the specified image or config file from the WS 5100. Use directory to list the files that can be deleted.
Syntax:
delete <filename>

Parameters:
filename

The name of the file that's to be deleted.

WS5000> directory
Lists the image and configuration files that are stored on the WS 5100.
Example:
WS5000> directory
Date & Time          Bytes    File Name
Jan 2                14657    WS5000Defaults_v1.4.0.0-0xxx.cfg
Dec 27 16:43 2004    6453     cmd_template.sym

WS5000> install
Configures the switch's failover role as Primary or Standby, or installs Kerberos settings.
Syntax:
install <option> <filename>

Parameters:
option

One of:
primary. Configures the switch to act as Primary, and applies all settings specified in the filename command file (.sym). If the command file is not specified, install uses the default command.sym file. If the default command file is missing, the current configuration isn't changed.
standby. Configures the switch to act as Standby, and applies all settings as described for the primary parameter value.
kerberos. Updates the Kerberos principals from the settings in the filename file (.krb).
filename

File that contains the system or Kerberos configuration.

WS5000> ping
Sends ICMP ECHO_REQUEST packets to a network host.
Syntax:
ping <switches> <host>

Parameters:
switches

Standard ping switches: -Rdfnqrv


host

The name or IP address of the host to which the request packets are sent.

WS5000> restore
Restores the specified system image and/or configuration, and then resets and reboots the system.
Syntax:
restore <type> <filename>

Parameters:
type

The image or configuration that you want to restore. One of:
system. Restores the system image and configuration from filename.
configuration. Restores the system configuration from filename.
standby. Restores the standby configuration from filename.
filename

The file that supplies the new image and/or configuration.

WS5000> save configuration


Saves the current system configuration to the specified file. Use directory to list the saved configuration files.
Syntax:
save configuration <filename>

Parameters:
filename

The filename to which the configuration is saved. The .cfg extension is automatically appended.

WS5000> service
Drops into Service Mode. You're prompted to supply the Service Mode password; the default is password. See Service Mode on page 117.


WS5000> show
Shows the settings for the specified system component. show supports all of the context components listed in the table in show on page 60. Other components are listed in the table below.
Syntax:
show [<component> [name]]

Parameters:
component       Meaning
allConfig       Displays all configuration details.
channelInfo     Displays a list of country codes and the channels each country supports.
configAccess    Tells you if you can use telnet and/or SNMP to configure the system and the KDC.
https           Displays WS 5000 applet protocol, one of http (nonsecure), https (secure), or none (no access).
interfaces      Displays adopted Access Port info and lists the switch's Ethernet ports.
mu              Displays MU details.
ntpServers      Displays NTP server information.
snmpClients     Displays SNMP client and community list.
sysAlerts       Displays the contents of the local system event log. See Event Context on page 90.
sysLog          Displays the contents of the remote system event log, as maintained by the Syslog server. See Event Context on page 90.
system          Displays general system information.
time            Displays the current date and time.
trapHosts       Displays the SNMP trap-host list.

3 Configuration (Cfg) Context


The Configuration context, the only context that's directly below the System context, is the hoop through which you must jump in order to get to the more meaningful contexts. The Configuration context does have some important commands (shutdown, for example), but as you're working, you mostly pass through the Configuration context to get to the policies that you apply to the switch, all of which are in contexts below Configuration. As a convenience, the Configuration context is represented by cfg. To go from the System context to the Access Port Policy context (APort), you can type this:
WS5000> cfg aport

The commands that drop you into a policy context are listed in the table under show on page 60. You can drop into an instance context by supplying, as an additional argument, the name of the instance. The rest of this section describes the Configuration context's other commands.

WS5000.(Cfg)> copy

Same as WS5000> copy on page 62.


WS5000.(Cfg)> date
Sets the time and date.
Syntax:
date <time> <timezone> <daylight_savings>

Parameters:
time

Expressed as [yyyy][mm][dd]hhmm[.ss]
timezone

Expressed as [-12.00, +13.00] where 0.00 is Greenwich Mean Time. Note that the + must be included for positive timezone values.
daylight_savings

A value in the range [0, 5] that represents a specific daylight savings type:
Value   Meaning
0       Disabled
1       USA
2       Australia
3       Eastern Europe
4       Central Europe
5       Western Europe

WS5000.(Cfg)> delete
Same as WS5000> delete on page 63.

WS5000.(Cfg)> description
Same as description on page 59.

WS5000.(Cfg)> directory
Same as WS5000> directory on page 63.

WS5000.(Cfg)> install
Same as WS5000> install on page 63.

WS5000.(Cfg)> name
Same as WS5000> ping on page 64.

WS5000.(Cfg)> ping
Same as WS5000> ping on page 64.

WS5000.(Cfg)> remove
Same as ws5000> remove on page 60.

WS5000.(Cfg)> reset
Resets the WS 5100.

WS5000.(Cfg)> restore

Same as WS5000> restore on page 64.

WS5000.(Cfg)> runACS
Runs Automatic Channel Selection on all adopted Access Ports.

WS5000.(Cfg)> save

Same as WS5000> save configuration on page 64.


WS5000.(Cfg)> set daylight


Sets the daylight savings type.
Syntax:
set daylight <0 | 1 | 2 | 3 | 4 | 5>

Parameters:
Value   Meaning
0       Disabled
1       USA
2       Australia
3       Eastern Europe
4       Central Europe
5       Western Europe

WS5000.(Cfg)> set emergencyPolicy


Sets the Switch Policy that will assume the role of Emergency Switch Policy (ESP). The ESP is provided as a means to quickly return to a known, safe configuration. To activate and deactivate the ESP, use the emergencyMode command. See emergencyMode on page 59.
Syntax:
set emergencyPolicy <name>

Parameters:
name

The name of the Switch Policy that will assume the ESP role.

WS5000.(Cfg)> set licenseKey


Sets the license key for the WS 5100. The license key, issued by Symbol, is used to determine the number of APs and MUs that the switch is able to support.
NOTE

In order to update the license key, the WS 5100 must be configured as a primary switch. See WS5000.(Cfg).standby> set mode on page 111.

Syntax:
set licenseKey <key>

Parameters:
key

The license key.


WS5000.(Cfg)> set location


Sets the switch's informational, human-readable location string.
Syntax:
set location <string>

Parameters:
string

The location string.

WS5000.(Cfg)> set logout


Sets the CLI's auto-logout time, in integral minutes. Valid values are in the range [0, 1440]. Use 0 to disable auto-logout.
Syntax:
set logout <0 - 1440>

WS5000.(Cfg)> set snmpTrap


Enables or disables SNMP traps.
Syntax:
set snmpTrap <enable | disable>

WS5000.(Cfg)> set time
Same as WS5000.(Cfg)> date on page 66.

WS5000.(Cfg)> set zone


Sets the timezone.
Syntax:
set zone <timezone>

Parameters:
timezone

A value in the range [-12.00, +13.00] where 0.00 is Greenwich Mean Time. Note that the + must be included for positive timezone values.

WS5000.(Cfg)> show
Same as WS5000> show on page 65.

WS5000.(Cfg)> shutdown
Gracefully shuts down the WS 5100. You're prompted to confirm the action. After you've shut down the switch, wait for the CLI to tell you when it's safe to power down.
NOTE

After you shut down your WS 5100, the only way to bring it back up is to power cycle (power it down and then power it back up).


4 Access Control List (ACL) Context


An Access Control List (ACL) is a set of rules that governs the adoption of Mobile Units. Each rule contains a MAC address or MAC address range, and an allow or deny declaration. When a device attempts to associate with an Access Port, the switch looks for the device (by MAC address) in the port's ACL. If the device is in an allow rule, it's allowed to associate; if it's in a deny rule, it's not allowed to associate. If the device isn't governed by a rule, the ACL's default action (again, either allow or deny) is enforced.

The ACL's rules must be non-overlapping with regard to MAC addresses. If you try to create a rule that includes an address that already appears in the ACL (whether it appears as an individual address or as part of an address range), the creation attempt is denied.

You apply an ACL to a WLAN through the WLAN context's set acl command.

WS5000.(Cfg).ACL> add
Adds a new ACL, gives it a name, and drops into its instance context.
Syntax:
add <name>

Parameters:
name

Name assigned to the ACL.

WS5000.(Cfg).ACL> remove
Removes the named ACL.
Syntax:
remove <name>

Parameters:
name

Removes the ACL with the given name.


4.1 ACL Instance


WS5000.(Cfg).ACL.[Name]> set
Configures an ACL attribute.
Syntax:
set <operation> <arguments>

Parameters:
operation       arguments                                            Description
name            name                                                 Changes the name assigned to the ACL.
addItem         startMAC [endMAC] <allow | deny>                     Adds a device (or range of devices) to the allow or deny adoption list.
editItem        oldStartMac newStartMac <<allow | deny> | newEndMAC> Redefines an existing ACL entry. You can switch between allow and deny, or reset the address range. You can't do both at the same time.
remItem         MAC                                                  Removes a device from the ACL. If the MAC address identifies the beginning of a device range, the entire range is removed from the ACL.
defaultAction   allow | deny                                         Sets the default adoption action for this ACL. This is the action that's taken if a candidate device doesn't appear in any of the ACL's adoption lists.
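The adoption logic this ACL section describes (non-overlapping rules, removal of a range by its starting MAC, and the default action), modeled in Python as an added example; it is not the switch's own code. The class, method names and sample addresses are hypothetical, and the model assumes MAC addresses are compared by numeric value.

```python
from dataclasses import dataclass, field


def mac_to_int(mac: str) -> int:
    """Parse 'xx:xx:xx:xx:xx:xx' into an integer so ranges can be compared.

    Assumption of this model: hex digits are accepted in either case.
    """
    octets = mac.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(octets), 16)


@dataclass
class Rule:
    start: int
    end: int
    action: str  # "allow" or "deny"


@dataclass
class Acl:
    """Hypothetical in-memory model of one ACL instance (not switch code)."""
    default_action: str
    rules: list = field(default_factory=list)

    def add_item(self, start_mac: str, end_mac: str = None, action: str = "allow") -> None:
        """Model of 'set addItem': refuse a rule that overlaps an existing one."""
        if action not in ("allow", "deny"):
            raise ValueError("action must be allow or deny")
        start = mac_to_int(start_mac)
        end = mac_to_int(end_mac) if end_mac else start
        if end < start:
            raise ValueError("endMAC is below startMAC")
        for rule in self.rules:
            # Two closed ranges overlap when each starts before the other ends.
            if start <= rule.end and rule.start <= end:
                raise ValueError("address already covered by an existing rule")
        self.rules.append(Rule(start, end, action))

    def rem_item(self, mac: str) -> bool:
        """Model of 'set remItem': a range is removed by its starting MAC."""
        key = mac_to_int(mac)
        for rule in self.rules:
            if rule.start == key:
                self.rules.remove(rule)
                return True
        return False  # assumption: any other address leaves the ACL unchanged

    def decide(self, mac: str) -> str:
        """Return the adoption decision for a device MAC."""
        key = mac_to_int(mac)
        for rule in self.rules:
            if rule.start <= key <= rule.end:
                return rule.action
        return self.default_action


def unlisted_devices_admitted(acl: Acl) -> bool:
    """Audit check: True when every MAC not named in a rule is adopted."""
    return acl.default_action == "allow"


def build_sample_acl() -> Acl:
    # Constructed sample data; the addresses are made up for the example.
    acl = Acl(default_action="deny")
    acl.add_item("00:A0:B0:C0:D0:00", "00:A0:B0:C0:D0:7F", "allow")
    acl.add_item("00:A0:B0:C0:D0:80", action="deny")
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for mac in ("00:a0:b0:c0:d0:10", "00:A0:B0:C0:D0:80", "00:11:22:33:44:55"):
        print(mac, "->", acl.decide(mac))
    try:
        acl.add_item("00:A0:B0:C0:D0:40", action="deny")  # inside the allow range
    except ValueError as err:
        print("rejected:", err)
```

With defaultAction set to allow the ACL works as a deny list, so every address that no rule names is adopted; the audit helper flags that configuration.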

5 Access Port (APort) Context


The Access Port context lets you name the RF devices (the radios in the Access Ports and converted Access Points) that exist on your WLAN. You can create Access Port instances by hand through the add command, or allow them to be created as Access Ports are discovered and adopted by the switch.
NOTE

For brevity, converted Access Points are referred to as Access Ports throughout this documentation.


WS5000.(Cfg).APort> add
Creates a new Access Port instance (or two, for dual-radio APs). The first argument is the AP type. The rest of the arguments depend on the AP type.
Syntax:
add AP100 <MAC> <name> [location]
add AP200 <MAC> <a_name> <a_MAC> [b_name] [b_MAC] [location]
add AP300 <MAC> <g_name> <g_MAC> [a_name] [a_MAC] [location]
add AP3020-3021 <MAC> <name> [location]
add AP4121 <MAC> <name> [location]

Parameters:
MAC

The Access Port's (unique) MAC address.


a_MAC, b_MAC, g_MAC

For dual-radio APs, you must supply the MAC of (at least) the AP's first radio. The MAC of the second radio is optional. The a_name, b_name, and g_name arguments refer to the 802.11x radio types.
name, a_name, b_name, g_name

Unique names that you give to the Access Port and/or its radios. The a_name, b_name, and g_name arguments refer to the 802.11x radio types. For single-radio APs, you only need to supply one name. For dual-radio APs, the name for the second radio is optional.
location

Optional, arbitrary string that identifies the Access Port's location.

WS5000.(Cfg).APort> port
Drops into the named Access Port instance.
Syntax:
port <name>

Parameters:
name

Selects the Access Port instance by name. Until you give an Access Port a name, it's known by the space-separated concatenation of its device MAC address and its 802.11 type (A or B), all enclosed in quotes:
"xx:xx:xx:xx:xx:xx [A | B]"

For example:
"00:A0:B0:C0:D0:E0 [A]"
NOTE

The system never needs to automatically assign a name to an 802.11g or a frequency-hopping (FH) radio since you're compelled to supply names for these radios when you add their Access Port instances.

For a list of Access Port names, invoke the show accessPorts command.


WS5000.(Cfg).APort> remove
Removes the named Access Port. For a list of Access Port names, invoke the show accessPorts command.
Syntax:
remove <name>

Parameters:
name

Removes the port with the given name.

WS5000.(Cfg).APort> show
Shows the Access Port configuration values.
Syntax:
show [component]

Parameters:
component     Meaning
none          Displays a list of Access Port instances.
channelInfo   Displays a list of country codes and the channels each country supports.
interfaces    Display a list of Access Port instances and lists the available Ethernet ports.

context components: accessports, acl, appolicy, ethernet, etherPolicy, mu, np, po, standby, switchPolicy, wlan

5.1 Access Port Instance


To drop into an Access Port instance, use the port <name> command from within the APort context; see WS5000.(Cfg).APort> port on page 71.

WS5000.(Cfg).APort.[name]> reset
Resets the Access Port or its radio, depending on the value of the argument.
Syntax:
reset <ap | radio>

Parameters:
ap

Resets the Access Port that contains the radio that's represented by this instance.
radio

Resets the radio that's represented by this instance.


WS5000.(Cfg).APort.[name]> set
Configures an Access Port device attribute. The set of attributes depends on the AP model, as shown in the table, below.
Syntax:
set <attribute> <value>

Parameters:
attribute       value                                              Description

All AP Models
clearVLanTags   none                                               Clears the VLAN tag register.
description     text                                               Access Port description string.
diversity       full | primary | secondary                         Access Port diversity antenna setting:
                                                                   full: The AP dynamically chooses the antenna with the strongest signal.
                                                                   primary: Use this AP as a Primary antenna.
                                                                   secondary: Use this AP as a Secondary antenna.
ccaMode         0 | 1 | 2 | 3                                      Sets the Access Port's CCA mode.
ccaThreshold    0 to 31                                            Sets the Clear Channel Assessment threshold. This is the maximum level of traffic that the AP will accept and still consider the channel to be clear. 0 means no traffic; 31 means jam-packed.
location        text                                               Access Port location description.
name            name                                               Access Port name.
policy          name                                               Access Port policy that's applied to this Access Port. See Access Port Policy (APPolicy) Context on page 74.
statistics      enable | disable                                   Enable/disable Access Port information gathering. When enabled, the Access Port reports its throughput in packets-per-second, and the amount of time it's been adopted by the switch. You can view the statistics by invoking the show command with no argument.
vLanId          1 - 4095 | none                                    The ID of the VLAN that this Access Port is to be part of.

AP 3020-3021 only
dwellTime       true | false                                       Frequency-hopping maximum dwell time.
hopSeq          1 - maxChannels                                    Frequency-hopping hop sequence. maxChannels is the maximum number of channels (as allowed by the country setting) divided by three.
hopSet          1 | 2 | 3                                          Frequency-hopping hop set.

All models except AP 3020-3021
channel         channelNumber | auto-once | auto-always | random   Access Port transmit channel. This can be a specific channel number, or one of the following:
                                                                   auto-once: The AP uses Automatic Channel Selection (ACS) the first time it's adopted by the switch, and then sticks to that channel thereafter.
                                                                   auto-always: The AP uses ACS every time it's adopted.
                                                                   random: The AP chooses a random channel every time it's adopted.
muPower         offset                                             The amount by which associated Mobile Units are told to adjust (increase) their power. Although this is a drain on MU batteries, it can help improve signal fidelity. The adjustment is in positive, integral dB.
power           4 - 20 (dBm)                                       Access Port transmission power in milliWatts.

AP 300 only
antCorrection   integer                                            The power correction (increase) due to the AP's (isotropic) antenna; in dB (dBi).
indoor          true | false                                       Tells the AP that it's being used indoors (true) or outdoors (false).
simulateRadar   none                                               Tells the Access Port to pretend that radar has been discovered.
user-802.1x     name                                               Assigns a username to this AP. The name is for information only.

WS5000.(Cfg).APort.[MAC]> show

Same as WS5000.(Cfg).APort> show on page 72

6 Access Port Policy (APPolicy) Context


An Access Port Policy configures a physical Access Port by defining attributes such as beacon interval, RTS threshold, the set of supported data rates, and so on. The APPolicy is also responsible for adding WLANs to the Access Port, and for attaching a Security Policy, Access Control List, and Network Policy (or packet filter) to each AP.

WS5000.(Cfg).APPolicy> add
Creates and names a new Access Port policy instance. To drop into an Access Port policy instance context, use the policy command.
Syntax:
add <name>

Parameters:
name

The name that's given to the new policy.


WS5000.(Cfg).APPolicy> policy
Drops into the named Access Port policy instance.
Syntax:
policy <name>

Parameters:
name

The name of the Access Port policy instance.

WS5000.(Cfg).APPolicy> remove
Removes the named Access Port policy.
Syntax:
remove <name>

Parameters:
name

The name of the Access Port policy that's to be removed.

6.1 Access Port Policy Instance


WS5000.(Cfg).APPolicy.[Name]> map
Drops you into the WLAN-to-BSS/ESS mapping subcontext. Some explanation is necessary: There are six Access Port device/radio types: AP 100, AP 200a, AP 200b, AP 300(a/g), AP 302x, and AP 4121. These hardware types are grouped by the number of BSSs and ESSs they support. Each BSS/ESS combination is represented by a pre-defined Map subcontext (there are four Maps). When you invoke the map command, you supply an AP hardware type argument that automatically selects and drops you into the correct Map subcontext. From the Map subcontext, you assign (or map) the WLAN(s) that will support the BSS/ESS combination. For more information see Access Port Map Context on page 77.
Syntax:
map <apType>

Parameters:
apType   BSS/ESS combination
AP100    4 BSS to 4 ESS
AP200a   1 BSS to 16 ESS
AP200b   4 BSS to 16 ESS
AP300    4 BSS to 16 ESS
AP4121   4 BSS to 16 ESS
FH       1 BSS to 1 ESS

NOTE

The AP 300 802.11a radio uses the same mapping as the AP 300 802.11g. Thus, there's only one entry for the two AP 300 radios.


WS5000.(Cfg).APPolicy.[Name]> set basicRates


Sets the basic frequency rates for a given 802.11 radio type.
Syntax:
set basicRates <radioType> <rates ...>

Parameters:
radioType

One of A, B, G, or FH (frequency hopping).


rates

A list of frequency values, in Mbps. The list of candidate frequencies depends on the radio type, as shown in the following table. You can set multiple basic rates by passing a list of frequencies, e.g.:
set basicRates B 1 2 11

The valid frequencies are:

Radio   Frequencies
A       6, 9, 12, 18, 24, 36, 48, 54
B       1, 2, 5.5, 11
G       1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54
FH      1, 2

WS5000.(Cfg).APPolicy.[Name]> set beacon


Sets the Access Port's radio beacon interval, in milliseconds. Valid intervals are in the range [20, 1000].
Syntax:
set beacon <20 - 1000>

WS5000.(Cfg).APPolicy.[Name]> set dTim


Sets the Access Port's DTIM interval as a multiple of the beacon interval. Valid DTIM values are in the range [1, 20].
Syntax:
set dTim <1 - 20>

WS5000.(Cfg).APPolicy.[Name]> set nonSpectrumMgmt


Tells the Access Port to allow (true) or deny (false) association for mobile devices that don't have spectrum management capabilities. This is only significant when the AP has DFS or TPC enabled.
Syntax:
set nonSpectrumMgmt <true | false>


WS5000.(Cfg).APPolicy.[Name]> set np
Assigns the Network Policy that's associated with the combination of this Access Port Policy and WLAN.
Syntax:
set np <np_name> <wlan_name>

Parameters:
np_name

The name of the Network Policy.


wlan_name

The name of the WLAN.

WS5000.(Cfg).APPolicy.[Name]> set preamble


Sets the length of the preamble (either short or long) that's added to the packets that are sent by Access Ports that adopt this policy.
Syntax:
set preamble <short | long>

WS5000.(Cfg).APPolicy.[Name]> set rtsThreshold


Sets the Request to Send (RTS) threshold. This is the maximum size of packets (in bytes) that use the four-way handshake, a technique that allows nearby Access Ports to sense the wireless conversation and improve throughput. The RTS threshold is set, by default, to 2347 (the largest packet size). This effectively turns off the four-way handshake.
Syntax:
set rtsThreshold <0 - 2347>

WS5000.(Cfg).APPolicy.[Name]> set supportedRates


Sets the radio frequencies that are supported by the device.
Syntax:
set supportedRates <radioType> <rates ...>

Parameters:
radioType, rates

Same as WS5000.(Cfg).APPolicy.[Name]> set basicRates on page 76

6.2 Access Port Map Context


See the explanation of the WS5000.(Cfg).APPolicy.[Name]> map command on page 75 for an introduction to the Map (sub)context. The point of the context is for you to configure the mapping of WLANs to different radio types. The four pre-defined Map contexts provide commands that let you do the following:
Set the BSSID for each WLAN.
Set the Primary WLAN for the Map.
Set the percentage of bandwidth that's reserved for each WLAN.

Not all Map contexts support all of these attributes. For example, it doesn't make sense to set the Primary WLAN for an AP radio that only supports one WLAN (such as is the case with frequency-hopping radios). The four Map contexts and the radios that use each mapping are listed below.

Map               Radio
4 BSS to 4 ESS    AP100
1 BSS to 16 ESS   AP200a
4 BSS to 16 ESS   AP200b, AP300(a/g), AP4121
1 BSS to 1 ESS    AP302x (frequency hopping radio)

When you drop into a Map context, the CLI prompt changes to reflect which context you're in:
WS5000.(Cfg).APPolicy.[AP0].Map.[4BSS-4ESS]
WS5000.(Cfg).APPolicy.[AP0].Map.[1BSS-16ESS]
WS5000.(Cfg).APPolicy.[AP0].Map.[4BSS-16ESS]
WS5000.(Cfg).APPolicy.[AP0].Map.[1BSS-1ESS]

WS5000.(Cfg).APPolicy.[Name].Map.[map]> select
Assigns a WLAN to the Map.
Syntax:
select <wlan_name>

Parameters:
wlan_name

The name of the WLAN that's taking on the BSSID assignment.


Applies to:

4BSS-to-4ESS (AP100), 1BSS-to-1ESS (AP302x)

WS5000.(Cfg).APPolicy.[Name].Map.[map]> set bss


Assigns a BSSID to a WLAN. The WLAN must already be part of the Access Port Policy that owns this Map.
Syntax:
set bss <bssid> <wlan_name>

Parameters:
bssid

The BSSID that you're assigning to the WLAN.


wlan_name

The name of the WLAN that's taking on the BSSID assignment.


Applies to:

4BSS-to-16ESS (AP200b, AP300, AP4121)


WS5000.(Cfg).APPolicy.[Name].Map.[map]> set bw
Sets the guaranteed bandwidth that's assigned to a WLAN.
Syntax:
set bw <bandwidth> <wlan_name>

Parameters:
bandwidth

The percentage of bandwidth assigned to the WLAN. Valid percentages are in the range [5, 100].
wlan_name

The name of the WLAN.


Applies to:

1BSS-to-16ESS (AP200a), 4BSS-to-16ESS (AP200b, AP300, AP4121)


NOTE

The total bandwidth for all WLANs within a Map must equal 100.

WS5000.(Cfg).APPolicy.[Name].Map.[map]> set primaryWLAN


Sets the Primary WLAN for this Map.
Syntax:
set primaryWLAN <wlan_name>

Parameters:
wlan_name

The name of the WLAN.


Applies to:

1BSS-to-16ESS (AP200a), 4BSS-to-16ESS (AP200b, AP300, AP4121)

7 Chassis Context
The Chassis context displays and manages CPU and system temperature.

WS5000.(Cfg).Chassis> set notify


Tells the switch to send a notification if the temperature of the CPU or of the system in general rises above a given threshold. Notifications are sent to the local system log, the Syslog, and cause an SNMP trap to be thrown.
Syntax:
set notify <cpu-temperature | system-temperature> <threshold>

Parameters:
threshold

The temperature threshold is expressed in degrees centigrade and must fall in the range [0, 105]. The notification is only sent when the temperature rises from below to above the threshold temperature; it isn't sent when the temperature drops from above to below the threshold.
IMPORTANT THE SYSTEM AUTOMATICALLY SHUTS DOWN IF THE CPU OR SYSTEM TEMPERATURE RISES ABOVE 105 DEGREES.


WS5000.(Cfg).Chassis> show
Displays a table of temperature and fan speed statistics.
Example:
WS5000.(Cfg).Chassis> show
Description          Curr Value   Max Value   Min Value   Notify Value
-----------          ----------   ---------   ---------   ------------
CPU Temperature      34 C         36 C        33 C        45 C
System Temperature   36 C         38 C        32 C        45 C
System Fan (rpm)     OFF                                  None
CPU Fan (rpm)        21093        675000      9782        None

Under normal circumstances, both the system and the CPU should hover around 36 degrees. The Max Value and Min Value readings are the maximum and minimum temperature since the WS 5100 was last booted. Currently, you can't install a notification for fan speed.

8 Classification Group (CG) Context


Classification Groups are part of the switch's packet filtering mechanism. This mechanism also involves Classifiers (page 82), Policy Objects (page 100), and Network Policies (page 98).

A Classification Group (CG) is a collection of Classifiers that evaluate network packets as they are sent to or arrive from wireless devices. In addition to collecting Classifiers, the CG declares the action that's to be taken after a packet is evaluated by a Classifier. Specifically, the CG declares whether a packet that passes the Classifier evaluation is accepted (allowed to proceed along the network) or denied (thrown away).

See the Network Policy context (page 98) for an overview of the objects that are involved in the packet filtering mechanism.

WS5000.(Cfg).CG> add
Creates and names a new Classification Group instance, and drops into the instance's context.
Syntax:
add <name>

Parameters:
name

The name that's given to the new Classification Group.

WS5000.(Cfg).CG> cg
Drops into the context for a Classification Group instance.
Syntax:
cg <name>

Parameters:
name

The selected Classification Group.


WS5000.(Cfg).CG> remove
Removes a Classification Group instance.
Syntax:
remove <name>

Parameters:
name

The name of the Classification Group that's to be removed.

WS5000.(Cfg).CG> show
Displays information about a system component or named context instance.
Syntax:
show [component]

Parameters:
component   Meaning
none        Displays a list of Classification Group instances.

context components: ce, cg, np, po

8.1 Classification Group Instance


When you drop into a Classification Group instance, the CG's set of Classifiers and associated actions are displayed.

WS5000.(Cfg).CG.[Name]> set
Performs an operation on the Classification Group instance.
Syntax:
set <op> <value>

Parameters:
op         value                              Meaning
name       cg_name                            Sets the name of the Classification Group.
addCE      ce_name                            Adds the named Classifier instance to the CG.
removeCE   ce_name                            Removes the named Classifier instance from the CG.
action     <allow ce_name> | <deny ce_name>   Associates an action with a Classifier (ce_name) that's been added to the CG. See below.

Action Values:
If you set action to allow, packets that pass the Classifier are allowed to continue and they're marked as being part of this Classification Group instance (this will be important when we bump up a level to Input and Output Policies). Packets that don't pass the evaluation are not immediately thrown away; they're allowed or denied according to the default action defined in the Input or Output Policy that uses this CG.
If you set action to deny, packets that pass the Classifier are thrown away. Packets that don't pass are allowed to continue (again, with no CG marking).

WS5000.(Cfg).CG.[Name]> show
Displays information about this Classification Group instance.
Syntax:
show [component]

Parameters:
component   Meaning
none        Displays information about this Classification Group instance.

context components: ce, cg, np, po

9 Classifier Context (CE)


Classifiers are part of the switch's packet filtering mechanism. This mechanism also involves Classification Groups (page 80), Policy Objects (page 100), and Network Policies (page 98).

A Classifier is a predicate that tests various aspects of a network packet: source and destination IP, transport protocol, and so on. A packet will either pass or fail the predicate. The action that's taken when a packet passes or fails a Classifier isn't included in the Classifier definition; that's the job (primarily) of a Classification Group.

See the Network Policy context (page 98) for an overview of the objects that are involved in the packet filtering mechanism.

WS5000.(Cfg).CE> add
Creates and names a Classifier instance, and drops into the instance's context.
Syntax:
add <name>

Parameters:
name

The name that's given to the new Classifier.

WS5000.(Cfg).CE> ce
Drops into the context for the named Classifier instance.
Syntax:
ce <name>

Parameters:
name

Selects the Classifier by name.


WS5000.(Cfg).CE> remove
Removes a Classifier instance.
Syntax:
remove <name>

Parameters:
name

The name of the Classifier that's to be removed.

WS5000.(Cfg).CE> show
Shows Classifier details.
Syntax:
show [component]

Parameters:
none

Displays a list of Classifier instances.

context components: ce, cg, np, po

9.1 Classifier Instance


A Classifier instance contains a collection of matching criteria (MC). Each MC consists of a network packet attribute and the value to which the attribute is compared. As packets arrive from or are sent to the wireless network, they're evaluated by the Classifier. If the packet attribute matches the value, then the packet passes the MC; if the attribute doesn't match, the packet fails. The action that's taken when a packet passes or fails a Classifier isn't defined by the Classifier itself; it's defined by the higher-level Classification Group object. A Classifier's collection of MCs is evaluated and conjoined consecutively, in the order they were added. If successive criteria identify the same packet attribute, the criteria are OR'd; otherwise they're AND'd. You don't have any control over the grouping of the criteria other than savvy ordering. In general, you should stick to simple Classifier MCs and build more complicated tests by combining Classifiers in a Classification Group.
IMPORTANT: THE MATCHING CRITERIA ARE EVALUATED USING A CASE-SENSITIVE STRING COMPARISON.


WS5000.(Cfg).CE.[Name]> addMC
Adds a new matching criterion to the Classifier.
Syntax:
addMC <criterion> <value> <subnet_mask> [end_port]

Parameters:
criterion and value

The packet attribute name (case-sensitive!) and the value to which it's compared. Valid attributes and associated values are listed in the table, below.

subnet_mask

A subnet mask is required if attribute is IPsource or IPdestination.

end_port

Optional port range end if attribute is sourceport or destinationport.

Attributes and values:

MACsource

The MAC address of the device that sent the packet. The value is a MAC address in the usual form.

MACdestination

The MAC address of the device to which the packet is being sent. The value is a MAC address in the usual form.

ethertype

Ethernet type values, as defined by RFC 1700. Values are hex numbers in the range [0, FFFF].

vlanid

The ID of the VLAN to/from which the packet is being sent/has been received. The value is a number.

userpriority

Relative priority value. The value is a number in the range [0, 7].

protocol

Ethernet protocol. The value is a (decimal) number in the range [0, 254].

tos

Type of Service identifier. The value is a number in the range [0, 63].

IPsource

The IP address and subnet mask of the device whence the packet emerged. The subnet mask is passed as a second argument (subnet_mask). Both arguments are dot-separated IP addresses.

IPdestination

The IP address and subnet mask of the device to which the packet is being sent. The subnet mask is passed as a second argument (subnet_mask). Both arguments are dot-separated IP addresses.

sourceport

The Ethernet port number, on the originating device, through which the packet was sent. You can declare a specific port (as a decimal number), or a range of ports by supplying a second port number as the end_port argument. Valid port numbers are in the range [0, 65535].

destinationport

The Ethernet port number, on the recipient device, to which the packet is being sent. You can declare a specific port (as a decimal number), or a range of ports by supplying a second port number as the end_port argument. Valid port numbers are in the range [0, 65535].

MCMask

Multicast mask. The value is a MAC address that's used to mask the range of recipients of a broadcast packet.


WS5100_VPN.(Cfg).CE.[Name]> removeMC
Removes the matching criterion for the named attribute.
Syntax:
removeMC <criterion>

Parameters:
criterion

See the table in WS5000.(Cfg).CE.[Name]> addMC on page 84.

WS5100_VPN.(Cfg).CE.[Name]> setMC
Sets the value of an existing matching criterion.
Syntax:
setMC <attribute> <value> [subnet_mask] [end_port]

Parameters:
attribute, value, subnet_mask, end_port

See the parameters for WS5000.(Cfg).CE.[Name]> addMC on page 84.

WS5000.(Cfg).CE.[Name]> show
Shows details for this Classifier instance.
Syntax:
show [component]

Parameters:
none

Displays details of this Classifier instance.

mc

Displays the Classifier's matching criteria.

context components: ce, cg, np, po
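
The ordering rule for matching criteria, and the allow/deny outcomes of a Classification Group, modelled in Python. This is an added example, not code from the manual or the switch. It assumes a strict left-to-right fold (OR with the running result when the attribute repeats, AND otherwise), that the subnet mask is applied to both addresses, and that an empty Classifier fails; the packet values, outcome labels and the constant names are constructed for illustration.

```python
import ipaddress


def mc_matches(mc, pkt):
    """True if the packet passes a single matching criterion (MC)."""
    field = pkt.get(mc["attr"])
    if field is None:
        return False
    if mc["attr"] in ("IPsource", "IPdestination"):
        # Assumption: the subnet mask is applied to both sides before comparing.
        mask = int(ipaddress.IPv4Address(mc["mask"]))
        want = int(ipaddress.IPv4Address(mc["value"])) & mask
        return (int(ipaddress.IPv4Address(field)) & mask) == want
    if mc["attr"] in ("sourceport", "destinationport"):
        low = int(mc["value"])
        high = int(mc.get("end_port", low))  # optional end of the port range
        return low <= int(field) <= high
    # Everything else: case-sensitive string comparison, as the manual warns.
    return field == mc["value"]


def classifier_passes(mcs, pkt):
    """Fold the MCs in the order they were added.

    A criterion on the same attribute as the previous one is OR'd into the
    running result; a criterion on a different attribute is AND'd.
    """
    result, prev_attr = None, None
    for mc in mcs:
        hit = mc_matches(mc, pkt)
        if result is None:
            result = hit
        elif mc["attr"] == prev_attr:
            result = result or hit
        else:
            result = result and hit
        prev_attr = mc["attr"]
    return bool(result)  # assumption: a Classifier with no MCs fails


def cg_outcome(action, passed, policy_default):
    """What happens to a packet given the CG action set for the Classifier."""
    if action == "allow":
        # Pass: allowed and marked with the CG. Fail: the policy default decides.
        return "allow-marked" if passed else "policy-default:" + policy_default
    if action == "deny":
        # Pass: thrown away. Fail: continues, with no CG marking.
        return "drop" if passed else "continue-unmarked"
    raise ValueError("action must be allow or deny")


# Constructed criteria: source network 10.1.0.0/255.255.0.0, ports 80 and 443.
NET = {"attr": "IPsource", "value": "10.1.0.0", "mask": "255.255.0.0"}
WEB = {"attr": "destinationport", "value": "80"}
TLS = {"attr": "destinationport", "value": "443"}

PORTS_THEN_SOURCE = [WEB, TLS, NET]  # (80 OR 443) AND source in 10.1.0.0/16
SOURCE_THEN_PORTS = [NET, WEB, TLS]  # (source AND 80) OR 443
INTERLEAVED = [WEB, NET, TLS]        # (80 AND source) AND 443: never passes

if __name__ == "__main__":
    outsider = {"IPsource": "192.168.5.9", "destinationport": "443"}
    for name, mcs in (("ports, then source", PORTS_THEN_SOURCE),
                      ("source, then ports", SOURCE_THEN_PORTS),
                      ("interleaved", INTERLEAVED)):
        passed = classifier_passes(mcs, outsider)
        print(name, passed, cg_outcome("allow", passed, "deny"))
```

With the same three criteria, only the first ordering restricts port 443 to the intended source network; the second passes any packet sent to port 443.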

10 Ethernet Port Context


There are two Ethernet ports on WS 5000 Series switches. Port 1 connects (by convention) to the wired LAN. Port 2 connects to the wireless LAN.

WS5000.(Cfg).Ethernet> ping
Sends ICMP ECHO_REQUEST packets to a host.
Syntax:
ping <hostIP>

Parameters:
hostIP

The name or IP address of the host to which the request packets are sent.


WS5000.(Cfg).Ethernet> port
Drops into an Ethernet port instance.
Syntax:
port <port_number>

Parameters:
port_number

The index of the Ethernet port. Either 1 or 2.

WS5000.(Cfg).Ethernet> show
Displays Ethernet port details.
Syntax:
show [component]

Parameters:
none

Displays a list of Ethernet port instances.

interfaces

Shows adopted Access Port info and lists the switch's Ethernet ports.

context components: ethernet, etherPolicy, vlan, wlan

10.1 Ethernet Port Instance


There are two Ethernet Port instances, one for each of the WS 5100's NICs. The instances are identified by number: 1 or 2. By convention, the WLAN is connected to the switch through NIC 1, and NIC 2 connects the switch to the wired network.

WS5000.(Cfg).Ethernet.[N]> ipAddress
Assigns an IP address to this Ethernet port instance.
Syntax:
ipAddress <IP_address> <net_mask>

Parameters:
IP_address

The IP address that's assigned to this Ethernet port.


net_mask

The network mask that's used by this Ethernet port.


WS5000.(Cfg).Ethernet.[N]> ping
Same as WS5000.(Cfg).Ethernet> ping on page 85.

WS5000.(Cfg).Ethernet.[N]> set
Sets an attribute of this Ethernet port instance.
Syntax:
set <attribute> [<value>]

Parameters:
cfgMode <Auto | 10_Half | 10_Full | 100_Half | 100_Full>

Sets the Ethernet port mode.

dhcp <enable | disable>

Enables/disables the DHCP client for this port.

gateway <IP_address>

Sets the IP address of the gateway.

nonTrunk (no value)

Sets the port to be non-trunked.

trunk (no value)

Sets the port to be trunked.

vLanId <1 - 4095>

Sets the primary VLAN ID. The port automatically becomes trunked.

clearVlanTags (no value)

Clears the VLAN tag register.

WS5000.(Cfg).Ethernet.[N]> show
Displays Ethernet port details.
Syntax:
show [component]

Parameters:
none

Displays information about this Ethernet port.

interfaces

Displays a list of Access Port instances and lists the available Ethernet ports.

context components: accessports, ethernet, etherPolicy, vlan, wlan

11 Ethernet Policy (EtherPolicy) Context


WS5000.(Cfg).EtherPolicy> add
Creates and names an Ethernet Policy instance, and drops into the instance's context.
Syntax:
add <name>

Parameters:
name

The name that's given to the new Ethernet policy.


WS5000.(Cfg).EtherPolicy> policy
Drops into the context for the named Ethernet Policy instance.
Syntax:
policy <name>

Parameters:
name

Selects the Ethernet policy.

WS5000.(Cfg).EtherPolicy> remove
Removes an Ethernet Policy instance.
Syntax:
remove <name>

Parameters:
name

The name of the Ethernet Policy that's to be removed.

WS5000.(Cfg).EtherPolicy> show
Displays Ethernet Policy information.
Syntax:
show [component]

Parameters:
none

Displays a list of Ethernet Policy instances.

context components: ethernet, etherPolicy, vlan, wlan

11.1 Ethernet Policy Instance


An Ethernet Policy instance configures the two Ethernet ports to support the LAN and the WLAN, and creates and maps VLANs to the two ports.

WS5000.(Cfg).EtherPolicy.[Name]> add
Creates and adds a VLAN to this Ethernet Policy instance.
Syntax:
add <vlan_ID> <NIC>

Parameters:
vlan_ID

The number that's assigned to this VLAN. Valid VLAN ID numbers are in the range [1, 4095].
NIC

The NIC that will support this VLAN.


WS5000.(Cfg).EtherPolicy.[Name]> remove
Removes a VLAN from this Ethernet Policy instance.
Syntax:
remove <vlan_id>

Parameters:
vlan_id

The ID number of the VLAN that's to be removed. For a list of VLAN IDs, invoke show vlan.

WS5000.(Cfg).EtherPolicy.[Name]> set
Sets an attribute of this Ethernet Policy instance.
Syntax:
set <attribute> <value>

Parameters:
ronnic <1 | 2>

Sets the rest of the network NIC. This is the NIC that connects WS 5100 to the wired network.

description <string>

Adds a description string to the Ethernet Policy instance.

WS5000.(Cfg).EtherPolicy.[Name]> show
Shows Ethernet Policy details.
Syntax:
show [component]

Parameters:
none

Displays a list of Ethernet Policy instances.

context components: ethernet, etherPolicy, vlan, wlan

WS5000.(Cfg).EtherPolicy.[Name]> vlan
Drops into the context of the VLAN identified by VLAN ID.
Syntax:
vlan <vlan_ID>

Parameters:
vlan_ID

The ID of the VLAN. For a list of VLAN IDs, invoke show vlan.


12 Event Context
The Event context lets you register for notification of specific system events. To see a list of the system events that you can monitor, go to the Event context and type show:
WS5000.(Cfg).Event> show
Num  Events                              Local Log  SNMP Trap  Syslog Severity
---  ------                              ---------  ---------  ---------------
1    License number change               Enabled    Disabled   Disabled
2    Clock change                        Enabled    Disabled   Disabled
3    Packet discard [wrong NIC]          Enabled    Disabled   Disabled
4    Packet discard [wrong VLAN]         Enabled    Disabled   Disabled
5    AP adopt failure [general]          Enabled    Enabled    Disabled
6    AP adopt failure [policy disallow]  Enabled    Enabled    Disabled
etc...

The notification systems that you can use are:


Local log. Events are recorded in a local log file. You can dump the log file to the screen through show sysAlerts in the System or Configuration context.

Syslog. The Syslog is a remote event-recording server. You have to set up the server yourself and identify the server's host. You can't view the Syslog's file directly; you have to go to the server itself for that.

SNMP Traps. You can ask to have an SNMP trap thrown when a specific event occurs.

WS5000.(Cfg).Event> ping
Sends ICMP ECHO_REQUEST packets to a network host.
Syntax:
ping <switches> <host>

Parameters:
switches

Standard ping switches: -Rdfnqrv


host

The name or IP address of the host to which the request packets are sent.


WS5000.(Cfg).Event> set
Lets you ask for event notifications, and sets the severity of events that are sent to the Syslog.
Syntax:
set <event> <target> <<enable | severity> | disable>
set all <localLog | snmpTrap | syslog> <<enable | severity> | disable>
set all default

Parameters:
event

Describes the event that you're interested in. Either all or a number in the range [1, 69]. Use the show command for a list of available events.
target

The recipient of the events. One of localLog, snmpTrap, syslog, or all.


enable, disable

Enables and disables recording of the event. If your target is syslog, then you can pass a severity value rather than simply enabling the event.
severity

Events that are sent to the Syslog are tagged with a severity, one of emerg(ency), alert, crit(ical), err(or), info, notice, and warning. If you enable an event without a severity, it assumes a default severity setting.
all <localLog | snmpTrap | syslog>

The first set all form of the command lets you send or repress all events to/from the specified target.

all default

This form of the command resets all events to their factory defaults.

WS5000.(Cfg).Event> show
Displays Event information.
Parameters:
none

Displays a list of event codes.

context components: host, syslog

WS5000.(Cfg).Event> syslog
Drops into the Syslog subcontext, described below.

12.1 Syslog Context
The Syslog context is a subcontext of Event. The commands in the Syslog context let you configure and control the remote event logging service. The remote service sends system logging information to a remote host, which must have a message logging daemon running. The remote host is set through the add command. To tailor the types of messages that are sent to the Syslog, use the set command. All syslog messages are in RFC 3164 message format.


WS5000.(Cfg).Event.Syslog> add
Adds a Syslog host.
Syntax:
add <host_name> <IP_address> [domain]

Parameters:
host_name

Gives a (local) name to the host.


IP_address

IP address of the remote host.


domain

Optional domain name of the remote host.

WS5000.(Cfg).Syslog> remove
Removes a Syslog host.
Syntax:
remove <name>

Parameters:
name

The name of the Syslog host, as assigned in the add command.

WS5000.(Cfg).Syslog> set
Sets the types of messages that are sent to the Syslog.
Syntax:
set <host> <severity> <enable | disable>

Parameters:
host

The name of the Syslog host.


severity

Specifies a type of message. The value is one of emerg(ency), alert, crit(ical), err(or), info, notice, warning, or all. If the final argument is enable, messages of the specified type are sent to the Syslog; if it's disable, the messages aren't sent.

WS5000.(Cfg).Syslog> show
Displays information about the Syslog service.
Syntax:
show <component>

Parameters:
none

Displays the list of Syslog hosts.

context components: events, host


WS5000.(Cfg).Event.Syslog> start
Starts the Syslog service.

WS5000.(Cfg).Event.Syslog> stop
Stops the Syslog service.
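
On the receiving host, the RFC 3164 format named above can be parsed and filtered by the same severity names the set command uses. The following Python sketch is an added example, not part of the manual; the host name ws5100, the tag wsevent, the facility values and the sample lines are constructed, with event texts borrowed from the Event table.

```python
import re

# RFC 3164 severity names, indexed by their numeric value (0 = most severe).
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG   (the day is space-padded, e.g. "Jan  5")
_LINE = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)"
)
# MSG is TAG (up to 32 alphanumerics), an optional [pid], then the content.
_TAG = re.compile(r"(?P<tag>[A-Za-z0-9]{1,32})(?:\[\d+\])?: ?(?P<content>.*)")


def parse_rfc3164(line):
    """Return a dict for a well-formed RFC 3164 line, or None if malformed."""
    m = _LINE.fullmatch(line.rstrip("\r\n"))
    if m is None or int(m["pri"]) > 191:  # 23 facilities * 8 + 7 is the maximum
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    t = _TAG.fullmatch(m["msg"])
    return {
        "facility": facility,
        "severity": SEVERITY[severity],
        "timestamp": m["timestamp"],
        "host": m["host"],
        "tag": t["tag"] if t else None,
        "content": t["content"] if t else m["msg"],
    }


def triage(lines, floor="warning"):
    """Split lines into records at or above `floor` and unparseable lines.

    Malformed lines are returned rather than dropped, so that a sender
    that does not follow the format shows up in review.
    """
    limit = SEVERITY.index(floor)
    kept, rejected = [], []
    for line in lines:
        record = parse_rfc3164(line)
        if record is None:
            rejected.append(line)
        elif SEVERITY.index(record["severity"]) <= limit:
            kept.append(record)
    return kept, rejected


# Constructed sample input (not captured from a switch).
SAMPLE = [
    "<131>Jan  5 14:02:11 ws5100 wsevent: AP adopt failure [policy disallow]",
    "<134>Jan  5 14:02:15 ws5100 wsevent: Clock change",
    "<132>Jan 12 09:30:00 ws5100 wsevent: Packet discard [wrong VLAN]",
    "no priority field on this line",
]

if __name__ == "__main__":
    kept, rejected = triage(SAMPLE, floor="warning")
    for record in kept:
        print(record["severity"], record["host"], record["content"])
    print("malformed:", len(rejected))
```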

13 FTP Context
WS5000.(Cfg).FTP> enable
Enables the FTP server.

WS5000.(Cfg).FTP> disable
Disables the FTP server.

WS5000.(Cfg).FTP> show
Displays the state of the FTP server.

14 Host Context
The Host context collects the various hosts that are declared in other contexts.

WS5000.(Cfg).Host> add
Adds a new host to the system.
Syntax:
add host <name> <IP_address> [domain]

Parameters:
name

Name given to the host.


IP_address

IP address of the host.


domain

Optional domain of the host.


WS5000.(Cfg).Host> edit
Drops into a Host instance context.
Syntax:
edit <host>

Parameters:
host

The name of the host that you want to edit.

WS5000.(Cfg).Host> ping
Sends ICMP ECHO_REQUEST packets to a network host.
Syntax:
ping <switches> <host>

Parameters:
switches

Standard ping switches: -Rdfnqrv


host

The name or IP address of the host to which the request packets are sent.

WS5000.(Cfg).Host> remove
Removes a host from the host list.
Syntax:
remove <host>

Parameters:
host

The name of the host that you want to remove.

WS5000.(Cfg).Syslog> show
Displays host information.
Syntax:
show <component>

Parameters:
none

Displays a list of hosts.

context components: syslog

14.1 Host Instance


The Host instance context lets you modify an entry in the host list.


WS5000.(Cfg).Host.[host]> ping
Sends ICMP ECHO_REQUEST packets to a network host.
Syntax:
ping <switches> <host>

Parameters:
switches

Standard ping switches: -Rdfnqrv


host

WS5000.(Cfg).Host.[host]> set
Configures a host.
Syntax:
set <attribute> <value>

Parameters:
domain <name>

The host's domain name.

ip <address>

The host's IP address.

WS5000.(Cfg).Host.[host]> show
Shows host configuration details.

15 KDC Context
The WS 5100 contains a Kerberos Key Distribution Center. The KDC context lets you configure the local KDC as a Master or Slave.

WS5000.(Cfg).KDC> add slaveKDC
WS5000.(Cfg).KDC> remove slaveKDC


Adds or removes a Slave KDC to/from the Master KDC. This command can only be invoked if the switch is configured to be the Master KDC.
Syntax:
add slaveKDC <name> <IP_address> <domain>
remove slaveKDC <name> <IP_address> <domain>

Parameters:
name

Name given to the Slave KDC.


IP_address

IP address of the Slave KDC.


domain

Domain of the Slave KDC.


WS5000.(Cfg).KDC> add mu
WS5000.(Cfg).KDC> remove mu


Adds or removes, to/from the Master KDC, a reference to a Mobile Unit. This command can only be invoked if the switch is configured to be the Master KDC.
Syntax:
add mu <name> <ticket_life>
remove mu <name>

Parameters:
mu

Name of the MU.


ticket_life

Ticket life duration, in minutes.

WS5000.(Cfg).KDC> dump
Writes the KDC database to a file.
Syntax:
dump <filename>

Parameters:
filename

Name of the file to which the database is written. The .krb extension is automatically appended.

WS5000.(Cfg).KDC> remove ntpServer


Removes, from the on-board KDC, a reference to an NTP server. This command can only be invoked if the switch is configured to be the Master KDC. To add a reference to an NTP server, use set ntpServer.
Syntax:
remove ntpserver <1 | 2 | 3>

WS5000.(Cfg).KDC> set access


Permits or denies configuration of the on-board KDC through the CLI (via telnet) and SNMP.
Syntax:
set access <CLI | SNMP> <enable | disable>

WS5000.(Cfg).KDC> set clear


Clears all KDC settings on the switch.


WS5000.(Cfg).KDC> set master


Sets the WS 5100 to be the Master KDC.
Syntax:
set master <realm> [master_name] [domain]

Parameters:
realm

KDC realm name


master_name

Name assigned to the Master KDC.


domain

Optional domain over which the KDC has dominion.

WS5000.(Cfg).KDC> set ntpServer


Sets one of the three NTP servers for this switch.
Syntax:
set ntpServer <ntp_number> <ntp_ip>

Parameters:
ntp_number

The index of the NTP server that you're setting. Either 1, 2, or 3.


ntp_ip

IP address of the NTP server that's assigned as server #ntp_number.

WS5000.(Cfg).KDC> set slave


Sets the WS 5100 to be the Slave KDC.
Syntax:
set slave <realm> <master_name> <master_ip> <NIC>

Parameters:
realm

KDC realm name


master_name

Name of the Master KDC.


master_ip

IP address of the Master KDC.


NIC

The Ethernet port (1 or 2) through which the Slave will communicate with the Master.


WS5000.(Cfg).KDC> show
Shows KDC details.
Syntax:
show [attribute]

Parameters:
none

Displays all KDC information.

configAccess

Displays KDC communication access permissions.

ntpServers

Displays the IP addresses of the three NTP servers.

users

Displays a list of active KDC users (MUs).

WS5000.(Cfg).KDC> synchronize
Copies the Master KDC database to the Slave KDC.
Syntax:
synchronize <slave_name> <slave_ip> <slave_domain>

Parameters:
slave_name

Name of the KDC slave.


slave_ip

IP address of the KDC slave.


slave_domain

Domain of the KDC slave.

16 Network Policy Context


A Network Policy is a collection of packet filters that you can use to implement various Quality of Service requirements. Each Network Policy contains an inbound Policy Object and an outbound Policy Object. The inbound policy filters packets that are sent from wireless devices to the WS 5100; the outbound policy filters packets that are sent from the switch to the wireless devices. A Policy Object contains some number of Classification Groups, which contain Classifiers. It's at the Classifier and Classification Group levels that the filtering rules are defined.

WS5000.(Cfg).NP> add
Creates and adds a Network Policy instance.
Syntax:
add <name>

Parameters:
name

The name that's given to the new Network Policy.


WS5000.(Cfg).NP> np
Drops into the context for a specific Network Policy instance.
Syntax:
np <name>

Parameters:
name

Selects the Network Policy by name.

WS5000.(Cfg).NP> remove
Removes a Network Policy instance.
Syntax:
remove <name>

Parameters:
name

The name of the Network Policy that's to be removed.

WS5000.(Cfg).NP> show
Shows Network Policy details.
Syntax:
show [component]

Parameters:
none

Displays a list of all Network Policy instances.

context components: ce, cg, po

16.1 Network Policy Instance


WS5000.(Cfg).NP.[Name]> set
Sets an attribute of this Network Policy instance.
Syntax:
set <attribute> <value>

Parameters:
name <name>

Sets the name of the Network Policy.

inboundPolicy <name | remove>

Adds the named Policy Object as the inbound policy. If the value is remove, the policy is removed.

outboundPolicy <name | remove>

Adds the named Policy Object as the outbound policy. If the value is remove, the policy is removed.

WS5000.(Cfg).NP.[Name]> show
See WS5000.(Cfg).NP> show on page 99.

17 Policy Object Context


WS5000.(Cfg).PO> add
Creates and adds a Policy Object instance.
Syntax:
add <name> <type>

Parameters:
name

The name that's given to the new Policy Object.


type

The direction of the policy: 1 = outbound; 2 = inbound.

WS5000.(Cfg).PO> po
Drops into the context for a specific Policy Object instance.
Syntax:
po <name>

Parameters:
name

Selects the Policy Object by name.

WS5000.(Cfg).PO> remove
Removes a Policy Object instance.
Syntax:
remove <name>

Parameters:
name

The name of the Policy Object that's to be removed.


WS5000.(Cfg).PO> show
Shows Policy Object details.
Syntax:
show [component]

Parameters:
none

Displays a list of all Policy Object instances.

context components: ce, cg, np

17.1 Policy Object Instance


WS5000.(Cfg).PO.[Name]> set
Sets an attribute of this Policy Object instance.
Syntax:
set <attribute> <value>

Parameters:
addCG <name>

Adds the named Classification Group to the Policy Object.

defaultAction <allow | deny>

Sets the default action for this Policy Object.

name <name>

Sets the name of this Policy Object instance.

removeCG <name>

Removes the named Classification Group from the Policy Object.

WS5000.(Cfg).PO.[Name]> set cgPktMod disable


Disables packet prioritization for all packets that are marked with the named Classification Group. To re-enable packet prioritization, remove and then re-add the Classification Group.
Syntax:
set cgPktMod disable <cg_name>

Parameters:
cg_name

The name of the Classification Group.


WS5000.(Cfg).PO.[Name]> set cgPktMod tos


Enables or disables Type of Service modification for all packets that are marked with the named Classification Group.
Syntax:
set cgPktMod tos <enable | disable> <cg_name>

Parameters:
cg_name

The name of the Classification Group.

WS5000.(Cfg).PO.[Name]> set cgTxProfile


Sets the data transmission type for packets marked with the named Classification Group.
Syntax:
set cgTxProfile <type> <cg_name>

Parameters:
type

Either voice or data.


cg_name

The name of the Classification Group.

WS5000.(Cfg).PO.[Name]> set cgWFq


Reserves a maximum amount of bandwidth for packets marked with the named Classification Group.
Syntax:
set cgWFq <bandwidth> <cg_name>

Parameters:
bandwidth

The allowable bandwidth as a percentage of total bandwidth.


cg_name

The name of the Classification Group.

WS5000.(Cfg).PO.[Name]> set tos


Sets the ToS packet marking bits for packets marked with the named Classification Group.
Syntax:
set tos <bits> <cg_name>

Parameters:
bits

The packet marking/ToS given as a 6-bit bit-field. For example: 101101.


cg_name

The name of the Classification Group.

WS5000.(Cfg).PO.[Name]> show
Same as WS5000.(Cfg).PO> show on page 101.


18 RADIUS Context
The RADIUS context lets you identify your RADIUS server and set the switch-side parameters that are used during RADIUS authentication. The RADIUS server is always remote; the wireless switch doesn't provide an on-board instance. You can't configure the RADIUS server through the tools provided by the wireless switch. Most importantly, while you can identify the RADIUS server that you want the switch to use, this will be for naught unless the RADIUS server has added the switch to itself as a client.

WS5000.(Cfg).RADIUS> set authentication


Sets the type of connection for which logins must be authenticated by the RADIUS server.
Syntax:
set authentication <connection>

Parameters:
connection

The type of connection. One of serial, network, or localDB.

WS5000.(Cfg).RADIUS> set primary
WS5000.(Cfg).RADIUS> set secondary


Sets the identity or parameter value of the primary or secondary RADIUS server.
Syntax:
set <primary | secondary> <attribute> <value>

Parameters:
host <name | IP> [port] [timeout] [retry]

Identifies the RADIUS server by name or IP address. The other three attributes can be set here, as well.

port <0 - 65535>

Sets the port number of the RADIUS server.

retry <1 - 10>

Specifies the number of times a Mobile Unit can try to authenticate itself during the reauthentication phase. The default is 5 attempts.

timeout

Specifies the time interval, in seconds, after which Mobile Units are forced to reauthenticate with the RADIUS server. Valid values are in the range [30, 65535] seconds; the default is 3600 seconds (1 hour).

WS5000.(Cfg).FTP> show
Displays the WS 5100's RADIUS settings.


19 Security Policy Context


WS5000.(Cfg).securityPolicy> add
Creates and adds a new Security Policy instance.
Syntax:
add <name>

Parameters:
name

The name of the new Security Policy.

WS5000.(Cfg).securityPolicy> policy
Drops into the context for the named Security Policy instance.
Syntax:
policy <name>

Parameters:
name

The name of the new Security Policy.

WS5000.(Cfg).securityPolicy> remove
Removes the named Security Policy instance.
Syntax:
remove <name>

Parameters:
name

The name of the new Security Policy.

WS5000.(Cfg).securityPolicy> show
Lists the available Security Policy instances.

19.1 Security Policy Instance


A Security Policy instance declares the types of encryption and authentication that can be used to create secure login and data communication on the WLAN. There are five encryption methods...

Open. No encryption; any unsecured Mobile Unit is allowed to associate with the system unless the adoption list specifically excludes it.

KeyGuard encryption for TKIP (Temporal Key Integrity Protocol). This mode is only supported by Symbol mobile devices. KeyGuard requires a 128-bit WEP key.

Wired Equivalent Privacy (WEP). WEP comes in a choice of 40- or 128-bit encryption, and lets you define and choose from four different keys.

Wi-Fi Protected Access with Temporal Key Integrity Protocol (WPA/TKIP).

WPA with Counter-mode/CBC-MAC Protocol (WPA2/CCMP).

...and four authentication methods:

None. If encryption is set to open, then there's no authentication.

Pre-Shared Key (PSK). In PSK, the same key is used for authentication and encryption.

Kerberos. Uses a Kerberos server for mobile unit authentication. You can specify an external server or use the switch's on-board server. To use the on-board server, you must first configure the switch to be a Kerberos Master (see WS5000.(Cfg).KDC> set master on page 97). Kerberos only supports KeyGuard and WEP encryption.

802.1x EAP. Authentication is performed by an external Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS server must be accessible to the switch.

A single Security Policy can accept more than one method (of each), thus providing wider support for MUs that expect different security methods. However, the Security Policy is only as strong as its weakest method.

WS5000.(Cfg).securityPolicy.[Name]> set
Sets an attribute of the Security policy instance. The tables, below, divide the settings into topical groups.
Syntax:
set <attribute> <value>

Parameters:

General Settings
description <string>

Adds a description string to the Security policy instance.

name <name>

Sets the name of the Security policy instance.

Encryption and Authentication Type
encryption <open | wep40 | wep128 | keyguard | tkip | ccmp> <enable | disable>

Enables or disables a data encryption type.

authentication <preshared | kerberos | eap> <enable | disable>

Enables or disables an authentication type.

Pre-Shared Key Settings
presharedKey <ascii key> | <hex key>

Sets the PSK key. An ASCII key must be between 8 and 63 characters long. A hex key must be 64 characters.

WEP Settings
activeWepKey <key_index>

Sets the active WEP key string, identified by key index. Valid key_index values are [0, 3].

wepKey <key_index> <key_string>

Sets the WEP key string for the given key index. Valid key_index values are [1, 4]. The key_string argument must be enclosed in quotes (*********).

Kerberos Settings
kerberos

Sets the active WEP key string, identified by key index. Valid key_index values are [0, 3].

wepKey <key_index> <key_string>

Sets the WEP key string for the given key index. Valid key_index values are [1, 4]. The key_string argument must be enclosed in quotes (*********).

WS5000.(Cfg).securityPolicy.[Name]> show
Displays the attributes of this Security policy instance.
Syntax:
show
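
Because a Security Policy is only as strong as its weakest enabled method, it helps to review the set commands planned for a policy before applying them. The Python check below is an added example, not a tool from the manual: it reads set lines in the syntax shown above and applies the stated rules (PSK length, Kerberos limited to KeyGuard and WEP, open meaning no authentication). The weakest-to-strongest ordering in STRENGTH is this example's assumption, and the sample command lists are constructed.

```python
import shlex
import string

# Assumption of this example: encryption types ordered weakest to strongest.
STRENGTH = ["open", "wep40", "wep128", "keyguard", "tkip", "ccmp"]
AUTH_TYPES = {"preshared", "kerberos", "eap"}
KERBEROS_ENCRYPTION = {"wep40", "wep128", "keyguard"}  # per the Kerberos note


def psk_ok(key):
    """ASCII key of 8 to 63 characters, or a hex key of exactly 64 characters."""
    if len(key) == 64:
        return all(c in string.hexdigits for c in key)
    return 8 <= len(key) <= 63 and key.isascii()


def audit_security_policy(commands):
    """Replay set commands and report the weakest enabled encryption."""
    enc, auth, psk = set(), set(), None
    for line in commands:
        words = shlex.split(line)
        if len(words) < 3 or words[0] != "set":
            raise ValueError("not a set command: " + line)
        attr = words[1]
        if attr in ("encryption", "authentication"):
            valid = STRENGTH if attr == "encryption" else AUTH_TYPES
            if len(words) != 4 or words[2] not in valid \
                    or words[3] not in ("enable", "disable"):
                raise ValueError("bad arguments: " + line)
            target = enc if attr == "encryption" else auth
            if words[3] == "enable":
                target.add(words[2])
            else:
                target.discard(words[2])
        elif attr == "presharedKey":
            psk = words[2]
        # Other attributes (name, description, WEP keys) are not checked here.

    weakest = min(enc, key=STRENGTH.index) if enc else None
    findings = []
    if len(enc) > 1:
        findings.append("several encryption types enabled; weakest is " + weakest)
    if "open" in enc:
        findings.append("open is enabled: no encryption and no authentication")
    if "kerberos" in auth and not (enc & KERBEROS_ENCRYPTION):
        findings.append("Kerberos enabled without KeyGuard or WEP encryption")
    if "preshared" in auth:
        if psk is None:
            findings.append("preshared enabled but no presharedKey set")
        elif not psk_ok(psk):
            findings.append("presharedKey is not 8-63 ASCII or 64 hex characters")
    return {"weakest": weakest, "findings": findings}


# Constructed command lists (policy contents are illustrative).
MIXED = [
    "set encryption ccmp enable",
    "set encryption wep40 enable",
    "set authentication preshared enable",
    "set presharedKey short",
]
KERBEROS_CCMP = ["set encryption ccmp enable", "set authentication kerberos enable"]
SINGLE_METHOD = [
    "set encryption wep40 disable",
    "set encryption ccmp enable",
    "set authentication eap enable",
]

if __name__ == "__main__":
    for name, cmds in (("mixed", MIXED), ("kerberos+ccmp", KERBEROS_CCMP),
                       ("single method", SINGLE_METHOD)):
        print(name, audit_security_policy(cmds))
```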

20 SNMP Context
The SNMP context provides commands that configure the SNMP system and that control the activity of the SNMP daemon.

WS5000.(Cfg).SNMP> enable
WS5000.(Cfg).SNMP> disable


Starts and stops the SNMP daemon.


WS5000.(Cfg).SNMP> remove ro
WS5000.(Cfg).SNMP> remove rw


Removes an SNMP client.
Syntax:
remove <permission> <client_ip> <community_name> [port_no]

Parameters:
permission

The access permission of the SNMP community. Either ro for read-only, or rw for read-write.
client_ip

IP address of the SNMP client.


community_name

Name of the community the client is a member of.


port_no

Optional port number. The default is 161.

WS5000.(Cfg).SNMP> remove trapHost


Removes an SNMP trap host.
Syntax:
remove trapHost <host_ip> <community_name>

Parameters:
host_ip

IP address of the trap host.


community_name

The name of the SNMP community the trap host belongs to.

WS5000.(Cfg).SNMP> set kdcConfig


Allows (enable) or disallows (disable) the configuration of the on-board Kerberos KDC through SNMP.
Syntax:
set kdcConfig <enable | disable>

WS5000.(Cfg).SNMP> set snmpTrap


Allows (enable) or disallows (disable) SNMP traps.
Syntax:
set snmpTrap <enable | disable>


WS5000.(Cfg).SNMP> set trapHost


Identifies a remote host to which this switch will send SNMP traps.
Syntax:
set trapHost <host_ip> <community_name> [port_no]

Parameters:
host_ip

IP address of the trap host.


community_name

The SNMP community the trap host belongs to.


port_no

Optional port number to which traps are sent. The default is 162.

WS5000.(Cfg).SNMP> show
Shows SNMP details.
Syntax:
show [attribute]

Parameters:
(none)

Displays SNMP status information. (Same as show snmpstatus.)

configAccess

Displays the permissibility of configuring the system and the KDC through SNMP and telnet. See WS5000.(Cfg).Telnet> show on page 117 for an example.

snmpClients

Lists the SNMP v2 clients.

snmpStatus

Displays SNMP status information.

trapHosts

Lists the hosts to which this switch sends traps.

21 SSH (Secure Shell) Context


The SSH context lets you configure the WS 5100's Secure Shell daemon.

WS5000.(Cfg).SSH> set
Configures the SSH daemon.
Syntax:
set <attribute> <value>

Parameters:
attribute: ssh
value: enable | disable
Meaning: Enables or disables the SSH daemon.

attribute: version
value: V1/V2 | V2
Meaning: Configures the daemon to accept SSH V1 and SSH V2 client connections (V1/V2), or to only accept SSH V2 (V2). SSH V2 is more secure than SSH V1.

attribute: port
value: 22 | 1025 - 65535
Meaning: Sets the port through which SSH connections are accepted. By default, the SSH port is set to 22.

WS5000.(Cfg).SSH> show
Displays connection configuration and session information.
Syntax:
show [attribute]

Parameters:
none

Displays SSH configuration and session information.

telnet

Displays telnet configuration and session information. See Telnet Context on page 116.

22 SSL (Secure Sockets Layer) Context


The SSL context defines the protocol (http or https) that a client needs to use in order to access the WS 5100's Web server (and, concomitantly, the WS 5000 Series applet). With SSL enabled, the applet can only be accessed through the (secure) https protocol; if it's disabled, the applet can only be accessed through (non-secure) http.

WS5000.(Cfg).SSL> enable
WS5000.(Cfg).SSL> disable


enable turns on SSL client authentication. To access the applet, a client must use https. For example:
https://192.0.0.1

disable turns off SSL client authentication. To access the applet, a client must use http. For example:
http://192.0.0.1

WS5000.(Cfg).SSL> revert certificate


Tells the Web server to read and use the currently installed authentication certificate. You use this command after uploading a new certificate. Until the certificate is reverted, clients will not be able to establish new connections to the applet. Reverting the certificate causes the Web server to restart.

WS5000.(Cfg).SSL> show
Displays the Web server's accessibility setting:
WS5000.(Cfg).SSL> show
Web based configuration (Applet) access by : https.


23 Standby (Failover) Context


The Standby context lets you configure the failover system (aka Standby or warm Standby). You need two WS 5100 switches to implement the failover system: The Primary switch handles all network traffic; the Standby switch takes over if the Primary switch goes down. After the Primary comes back up, it can automatically take over active duty, or you can configure the switch so that it waits to be re-activated manually.

Except for the declarations of their roles in the failover system, the configurations of the two WS 5100s must be exactly the same. If you modify one of them, you must modify the other in the same way.

The failover system must be disabled (disable) before you're allowed to call most of the commands defined in the Standby context. Moreover, it's a good idea to disable the failover system before making any significant changes to the WS 5100. Re-configuring the Primary switch while the Standby system is enabled could cause the switch to fail.

WS5000.(Cfg).standby> enable
WS5000.(Cfg).standby> disable


Adds the switch to and removes it from the Standby system.

WS5000.(Cfg).standby> set autorevert


Enables or disables the automatic reversion feature. When auto-revert is enabled, a Standby switch that has become active due to a failover automatically reverts to its monitoring role after the Primary switch comes back up. If you disable auto-revert, you can manually revert the Standby switch through set mode revert.
NOTE

You must call disable before calling this command.

Syntax:
set autorevert <enable | disable>

WS5000.(Cfg).standby> set arDelay


Auto-revert delay. If auto-revert is enabled, this is the amount of time to wait, in minutes, before the Primary switch becomes active after it has come back up.
NOTE

You must call disable before calling this command.

Syntax:
set arDelay <delay>

Parameters:
delay

The delay time, in minutes. An integer in the range [0, 9999].

WS5000.(Cfg).standby> set heartbeat


Enables or disables the (sending of the) heartbeat on a particular NIC. S


NOTE

You must call disable before calling this command.

Syntax:
set heartbeat <enable | disable> <NIC>

Parameters:
NIC

The NIC through which the heartbeat is sent.

WS5000.(Cfg).standby> set mac


Sets the Ethernet port on the other WS 5100 to which this WS 5100 sends its heartbeat (per NIC). You can set the port by its MAC address, or you can ask the switch to discover the port automatically.
NOTE

You must call disable before calling this command.

Syntax:
set mac <port> <NIC>

Parameters:
port

Either the MAC address of the port, or auto for automatic discovery.
NIC

The local NIC through which the heartbeat is sent. Either 1 or 2.

WS5000.(Cfg).standby> set mode


The mode command is used for three things: It can set the switch to be the Primary or the Standby. It can manually revert the switch to its original role after a failover. It can enable and disable the switch's participation in the standby system.

Syntax:
set mode <option>

Parameters:
primary

Sets the switch to be the Primary.
NOTE

You must call disable before setting the switch's failover role.

standby

Sets the switch to be secondary.
NOTE

You must call disable before setting the switch's failover role.

revert

Reverts the switch to its original role.

enable

Adds the switch to the standby system. Same as the enable command.

disable

Removes the switch from the standby system. Same as the disable command.

WS5000.(Cfg).standby> show
Displays Standby details for this switch.


24 Switch Policy Context


A Switch Policy acts as a container for all the other policies. Although you can define any number of Switch Policies, only one of them can be active at a time. The WS 5100 lets you designate an Emergency Switch Policy (ESP). The ESP, which you can quickly activate from any of the WS 5100 access venues (CLI, SNMP, and GUI), is meant to serve as a known, safe, and conservative policy that you use in the case of an emergency, such as a security breach. To designate the ESP, see WS5000.(Cfg)> set emergencyPolicy on page 67. To activate the ESP, you call emergencyMode enable from any context; see emergencyMode on page 59. In addition to containing all the other policies, the Switch Policy defines an adoption list that defines the types of Access Ports that can be adopted.

WS5000.(Cfg).SPolicy> add
Creates and adds a new Switch Policy instance.
Syntax:
add <name>

Parameters:
name

The name of the new Switch policy.

WS5000.(Cfg).SPolicy> policy
Drops into the context for the named Switch policy instance.
Syntax:
policy <name>

Parameters:
name

The name of the Switch Policy.

WS5000.(Cfg).SPolicy> remove
Removes the named Switch Policy instance.
Syntax:
remove <name>

Parameters:
name

The name of the Switch Policy.


WS5000.(Cfg).SPolicy> show
Displays Switch Policy details.
Syntax:
show [component]

Parameters:
none

Displays a list of Switch Policy instances.

channelInfo

Displays a list of country codes and the channels each country supports.

interfaces

Displays a list of Access Port instances and lists the available Ethernet ports.

context components: accessports, acl, appolicy, ethernet, etherPolicy

24.1 Switch Policy Instance


WS5000.(Cfg).SPolicy.[Name]> restrictedChannel
Drops into the Restricted Channel subcontext, where you can specify the channels that can't be chosen by Automatic Channel Selection. The argument specifies the 802.11x radio type.
Syntax:
restrictedChannel < A | B | G >


WS5000.(Cfg).SPolicy.[Name]> set adoptionList


Adds/removes an entry to/from the Access Port adoption-inclusion and adoption-exclusion lists. APs that are in the inclusion list are adopted through a specified Access Port policy; APs in the exclusion list are never adopted. You also use this command to set the default action (adopt or not) for APs that are in neither list. APs are identified by MAC address; each entry in either list is a single MAC address or a range of MAC addresses. The adoption lists are based on radio type; there's a different list for each of 802.11a, 802.11b, 802.11g, and frequency hopping radios. In addition, the Switch Policy contains a master adoption list that's applied to all radios.
Syntax:
set adoptionList <radio> include <start_MAC> [<end_MAC>] <app_name | remove>
set adoptionList <radio> exclude <start_MAC> [<end_MAC>] [remove]
set adoptionList <radio> default allow <app_name>
set adoptionList <radio> default deny [traps <enable | disable>]

Parameters:
radio

The radio type that this list applies to. One of A, B, G, or FH (case-insensitive).
start_MAC, end_MAC

Identifies the Access Ports that are part of this list entry. If end_MAC is excluded, the entry consists of the AP identified by start_MAC; otherwise, the entry contains all APs between start_MAC and end_MAC.
app_name

The Access Port Policy that will be used when an AP is adopted.


remove

Removes the entry from the list. To remove an address range, you need only supply the starting address.
traps <enable | disable>

If the default action is deny, you can ask to have the apAdoptFail SNMP trap sent when an unknown AP asks to be adopted. Pass enable to ask for the trap, and disable to ask that the trap not be sent. By default the trap is sent.
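The adoption-list rules above, modelled as an added Python example (not code from this manual or the switch): it replays set adoptionList lines for one radio type, reports whether a given MAC would be adopted, and flags settings that weaken control over adoption. It assumes an exclude entry wins over an include entry (the manual says excluded APs are never adopted), does not model the master list, and uses made-up MAC addresses and policy names.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Parse xx:xx:xx:xx:xx:xx into a 48-bit integer so ranges can be compared."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(parts), 16)


@dataclass
class AdoptionList:
    """Adoption list for one radio type. The master list is not modelled."""
    radio: str
    include: List[tuple] = field(default_factory=list)  # (start, end, policy)
    exclude: List[tuple] = field(default_factory=list)  # (start, end, None)
    default_allow: bool = False        # assumption: start from deny
    default_app: Optional[str] = None
    deny_traps: bool = True            # page: the trap is sent by default

    def apply(self, command: str) -> None:
        """Apply one 'set adoptionList ...' line written in the page's syntax."""
        tok = command.split()
        if (len(tok) < 5 or tok[:2] != ["set", "adoptionList"]
                or tok[2].upper() != self.radio.upper()):  # radio: any case
            raise ValueError(f"not a 'set adoptionList {self.radio}' line: {command!r}")
        kind, args = tok[3], tok[4:]
        if kind == "default":
            self._set_default(args)
        elif kind in ("include", "exclude"):
            self._edit_list(kind, args)
        else:
            raise ValueError(f"unknown list {kind!r}")

    def _edit_list(self, kind: str, args: List[str]) -> None:
        entries = self.include if kind == "include" else self.exclude
        start = mac_to_int(args[0])
        if args[-1] == "remove":  # the start address alone identifies an entry
            entries[:] = [e for e in entries if e[0] != start]
            return
        rest = args[1:]
        app = rest.pop() if kind == "include" and rest else None
        if (kind == "include" and app is None) or len(rest) > 1:
            raise ValueError(f"bad {kind} arguments: {args!r}")
        end = mac_to_int(rest[0]) if rest else start
        if end < start:
            raise ValueError("end_MAC is below start_MAC")
        entries.append((start, end, app))

    def _set_default(self, args: List[str]) -> None:
        if args[0] == "allow" and len(args) == 2:
            self.default_allow, self.default_app = True, args[1]
        elif args == ["deny"] or (args[:2] == ["deny", "traps"]
                                  and args[2:] in (["enable"], ["disable"])):
            self.default_allow, self.default_app = False, None
            self.deny_traps = args[2] == "enable" if len(args) == 3 else self.deny_traps
        else:
            raise ValueError(f"bad default action: {args!r}")

    def decide(self, mac: str) -> Tuple[str, Optional[str], bool]:
        """Return (action, Access Port policy, apAdoptFail trap sent)."""
        m = mac_to_int(mac)
        if any(s <= m <= e for s, e, _ in self.exclude):
            return ("deny", None, False)  # excluded APs are never adopted
        for s, e, app in self.include:
            if s <= m <= e:
                return ("adopt", app, False)
        if self.default_allow:
            return ("adopt", self.default_app, False)
        return ("deny", None, self.deny_traps)  # unknown AP, default deny

    def audit(self) -> List[str]:
        """List settings that weaken control over which APs get adopted."""
        findings = []
        if self.default_allow:
            findings.append("default allow: APs in neither list are adopted")
        elif not self.deny_traps:
            findings.append("default deny, traps disabled: no apAdoptFail alert")
        for s, e, _ in self.include:
            if any(xs <= s and e <= xe for xs, xe, _ in self.exclude):
                findings.append(f"include entry {s:012x} is fully excluded")
        return findings


# Constructed sample: the MAC addresses and the policy name are made up.
SAMPLE_COMMANDS = [
    "set adoptionList B include 00:A0:F8:10:00:00 00:A0:F8:10:00:FF ap_floor1",
    "set adoptionList B exclude 00:A0:F8:10:00:40 00:A0:F8:10:00:4F",
    "set adoptionList B default deny traps enable",
]


def build_sample() -> AdoptionList:
    lst = AdoptionList("B")
    for line in SAMPLE_COMMANDS:
        lst.apply(line)
    return lst
```

With the sample list, an unknown AP is denied and raises the apAdoptFail trap; switching the default to allow makes audit() report that any AP in neither list is adopted.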

WS5000.(Cfg).SPolicy.[Name]> set
Configures the Switch Policy. Adds or removes an Access Port policy to or from the Switch Policy.
Syntax:
set <attribute> <value> [remove]

Parameters:
attribute: adoptionList
Meaning: See WS5000.(Cfg).SPolicy.[Name]> set adoptionList on page 114

attribute: apPolicy
value: name [remove]
Meaning: Adds or removes the named Access Port Policy to/from the Switch Policy's list of AP Policies.

attribute: channel
value: integer
Meaning: Sets the default channel. The set of candidate channel numbers depends on the country code setting.

attribute: countryCode
value: ISO_3166_code
Meaning: Sets the country code. The switch won't adopt Access Ports until the country is set.
IMPORTANT IT'S THE RESPONSIBILITY OF THE SWITCH OWNER TO CORRECTLY SET THE COUNTRY CODE; AN INCORRECT COUNTRY SETTING CAN CAUSE THE SWITCH TO USE ILLEGAL BROADCAST SETTINGS.

attribute: dsCoexistence
value: enable | disable
Meaning: FH/DS coexistence. With coexistence enabled, you let the Access Port divide the frequency spectrum such that Frequency-Hopping (FH) devices use one portion, and Direct-Sequence (DS) devices use the other.
NOTE FH/DS co-existence isn't legal in all countries. The dsCoexistence attribute is always turned off in these countries.

attribute: description
value: string
Meaning: Arbitrary descriptive string.

attribute: etherPolicy
value: string
Meaning: Sets the Switch Policy's active Ethernet Policy.

attribute: name
value: string
Meaning: Sets the Switch Policy's name.

attribute: power
value: <4-20> <A | B | G>
Meaning: Sets the power, in milliWatts, for the specified 802.11x radio type. Valid power settings are in the range [4, 20].

WS5000.(Cfg).SPolicy.[Name]> show
Displays Switch Policy details.
Syntax:
show [component]

Parameters:
none

Displays information about this Switch Policy instance.

channelInfo

Displays a list of country codes and the channels each country supports.

interfaces

Displays a list of Access Port instances and lists the available Ethernet ports.

context components: accessports, acl, appolicy, ethernet, etherPolicy, switchPolicy

24.2 Restricted Channel Instance


There are three Restricted Channel instances, one for each of the three 802.11x radio types. You drop into an instance by invoking restrictedChannel radio from a Switch Policy instance (see WS5000.(Cfg).SPolicy.[Name]> restrictedChannel on page 113). Restricted channels are removed from the set of channels that can be chosen during Automatic Channel Selection (ACS). Restricted Channel is a subcontext of a Switch Policy instance.


WS5000.(Cfg).SPolicy.[Name].Restricted.[Radio]> add
Adds a channel to the list of restricted channels.
Syntax:
add channel [ description ]

Parameters:
channel

The channel that you want to restrict. The set of valid channel numbers depends on the country setting and radio type.
description

Optional description that explains why the channel is restricted.

WS5000.(Cfg).SPolicy.[Name].Restricted.[Radio]> remove
Removes a channel from the list of restricted channels, thus making it available for use during Automatic Channel Selection.
Syntax:
remove channel

Parameters:
channel

The channel that you want to unrestrict. The set of valid channel numbers depends on the country setting and radio type.

WS5000.(Cfg).[Name].Restricted.[Radio]> show
Displays restricted channel details.
Syntax:
show [component]

Parameters:
none

Displays the list of restricted channels.

channelInfo

Displays a list of country codes and the channels each country supports.

context components: switchPolicy

25 Telnet Context
You can use telnet to access the CLI and to configure the on-board KDC. The Telnet context provides commands that let you allow and disallow telnet access.

WS5000.(Cfg).Telnet> enable
WS5000.(Cfg).Telnet> disable


Enables and disables telnet access of the CLI.


WS5000.(Cfg).Telnet> set kdcConfig


Enables or disables on-board KDC configuration through telnet.
Syntax:
set kdcConfig <enable | disable>

WS5000.(Cfg).Telnet> show
Displays telnet details.
Syntax:
show <attribute>

Parameters:
none

Displays statistics about the current telnet session.

configAccess

Displays the permissibility of configuring the system and the KDC through telnet and SNMP:
WS5000.(Cfg).Telnet> show configAccess
Configuration Access restriction details:
Telnet access (CLI) : Disable.
System access via SNMP : Enable.
KDC configuration over telnet console : Enable.
KDC configuration through SNMP : Enable.

ssh

Displays information about the ssh configuration. See SSH (Secure Shell) Context on page 108.
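An added Python example (not part of this manual) that audits a captured show configAccess listing and names the command from this reference that closes each enabled management path. The sample capture is constructed, its one-setting-per-line layout is assumed, and pairing "System access via SNMP" with the SNMP context's disable command is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the assumed layout of the 'show configAccess' output.
SAMPLE_OUTPUT = """\
WS5000.(Cfg).Telnet> show configAccess
Configuration Access restriction details:
Telnet access (CLI)                     : Disable.
System access via SNMP                  : Enable.
KDC configuration over telnet console   : Enable.
KDC configuration through SNMP          : Enable.
"""

# Setting label -> (why 'Enable' matters, command on this page that turns it off).
# Assumption: 'SNMP> disable' is what clears "System access via SNMP".
CHECKS: Dict[str, Tuple[str, str]] = {
    "Telnet access (CLI)": (
        "telnet carries CLI logins and commands in cleartext",
        "WS5000.(Cfg).Telnet> disable"),
    "System access via SNMP": (
        "SNMP v2 community strings travel in cleartext",
        "WS5000.(Cfg).SNMP> disable"),
    "KDC configuration over telnet console": (
        "the Kerberos KDC can be reconfigured over a cleartext session",
        "WS5000.(Cfg).Telnet> set kdcConfig disable"),
    "KDC configuration through SNMP": (
        "the Kerberos KDC can be reconfigured by an SNMP client",
        "WS5000.(Cfg).SNMP> set kdcConfig disable"),
}

# "<label> : Enable." or "<label> : Disable."; the prompt and header lines do not match.
LINE_RE = re.compile(r"^\s*(?P<label>[^:]+?)\s*:\s*(?P<state>Enable|Disable)\.?\s*$")


def parse_config_access(text: str) -> Dict[str, bool]:
    """Return {setting label: True if enabled} for every recognised line."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group("label")] = m.group("state") == "Enable"
    return settings


def audit_config_access(text: str) -> List[str]:
    """Report every management path that is enabled or could not be confirmed."""
    settings = parse_config_access(text)
    findings = []
    for label, (reason, fix) in CHECKS.items():
        if label not in settings:
            # Fail closed: a setting missing from the capture is not assumed safe.
            findings.append(f"UNKNOWN {label}: not found in output, verify manually")
        elif settings[label]:
            findings.append(f"ENABLED {label}: {reason}; fix: {fix}")
    return findings


if __name__ == "__main__":
    for finding in audit_config_access(SAMPLE_OUTPUT):
        print(finding)
```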

26 User Context
WS5000.(Cfg).User> add
Adds a new user to the switch. You're prompted to provide and then confirm the new user's password.
Syntax:
add <user_name>

Parameters:
user_name

The name (login) of the new user. The name can be 6 to 20 characters long.

WS5000.(Cfg).User> remove
Removes an existing user from the switch.
Syntax:
remove <user_name>

Parameters:
user_name

The name of the user.


WS5000.(Cfg).User> show
Displays a list of the current users, or info for a particular user.
Syntax:
show user [<user_name>]

Parameters:
user_name

If supplied, shows info about the designated user. If not supplied, displays a list of the current users.

WS5000.(Cfg).User> user
Drops into the context for the specified user instance.
Syntax:
user <user_name>

Parameters:
user_name

The user.

26.1 User Instance


WS5000.(Cfg).User.[Name]> allow
Sets the list of subsystems that the user is allowed to configure.
Syntax:
allow <subsystem1> [<subsystem2>] [...]

Parameters:
subsystemN

The subsystem that the user is allowed to configure. One or more of all, default, system, policy, security, and SNMP.

WS5000.(Cfg).User.[Name]> deny
Sets the list of subsystems that the user is not allowed to configure.
Syntax:
deny <subsystem1> [<subsystem2>] [...]

Parameters:
subsystemN

The subsystem that the user is not allowed to configure. One or more of all, default, system, policy, security, and SNMP.

WS5000.(Cfg).User.[Name]> password
Sets the user's password. You're prompted to provide and then confirm the user's new password.
Syntax:
password


WS5000.(Cfg).User.[Name]> show
Same as WS5000.(Cfg).User> show on page 118.

27 WLAN Context
WS5000.(Cfg).WLAN> add
Creates and adds a new WLAN instance.
Syntax:
add <name> <essid>

Parameters:
name

The name that's given to the WLAN.


essid

The ESSID that's used by the WLAN.

WS5000.(Cfg).WLAN> remove
Removes an existing WLAN instance.
Syntax:
remove <name>

Parameters:
name

The name of the WLAN instance that's to be removed.

WS5000.(Cfg).WLAN> show
Displays information that's pertinent to the WLAN context.
Syntax:
show [<component>]

Parameters:
none

Displays a list of the existing WLAN instances.

context components: acl, securityPolicy, wlan

WS5000.(Cfg).WLAN> wlan
Drops into the context of an existing WLAN instance.
Syntax:
wlan <name | index>

Parameters:
name

The name of the WLAN instance.


index

The index (starting with 1) of the WLAN instance in the list of all instances.

27.1 WLAN Instance


WS5000.(Cfg).WLAN.[Name]> name
Changes the name of the WLAN instance.
Syntax:
name <new_name>

Parameters:
new_name

The new name of the WLAN instance.

WS5000.(Cfg).WLAN.[Name]> set
Sets the value of an attribute of this WLAN instance.
Syntax:
set <attribute> <value>

Parameters:
attribute: acl
value: name
Meaning: Sets the WLAN's Access Control List. See Access Control List (ACL) Context on page 69

attribute: anonESS
value: enable | disable
Meaning: Enable or disable anonymous ESSID association.

attribute: basicRates
value: <1 | 2 | 5.5 | 11 [, ...]> | <none>
Meaning: Sets the WLAN's BSS basic rate set; values are in Mbps. You can set multiple basic rates by passing more than one setting separated by whitespace or commas, e.g.:
set basicrates 1 2 11
To clear the basic rate set, pass none:
set basicrates none

attribute: beacon
value: 20 - 1000
Meaning: Sets the beacon interval, in milliseconds.

attribute: defaultRoute
value: IP_address
Meaning: Sets the IP address of the WLAN's default route.

attribute: description
value: description
Meaning: Sets the WLAN instance's informational description.

attribute: dtim
value: 1 - 20
Meaning: Sets the DTIM interval, as a multiple of the beacon interval (the beacon attribute).

attribute: essID
value: essid
Meaning: Sets the ESSID.

attribute: kerberosName
value: name
Meaning: Sets the Kerberos authentication name.

attribute: maxMus
value: 1 - 4096
Meaning: Sets the maximum number of Mobile Units that may be associated through this WLAN.

attribute: muACL
value: enable | disable
Meaning: Enable or disable the WLAN's Access Control List.

attribute: muToMuDisallow
value: enable | disable
Meaning: Enable or disable mu-to-mu (ad hoc) communication. enable means that ad hoc communication is not allowed; disable means that it is.

attribute: name
value: name
Meaning: Sets the name of the WLAN instance.

attribute: netMask
value: IP_mask
Meaning: Sets the netmask for this WLAN.

attribute: preamble
value: short | long
Meaning: Sets the type of RF preamble.

attribute: rtsThreshold
value: 1 - 2047
Meaning: The RTS threshold packet size, in octets.

attribute: security
value: security_policy_name
Meaning: Sets the Security policy that's applied to this WLAN.

attribute: supportedRates
value: <1 | 2 | 5.5 | 11 [, ...]> | <none>
Meaning: Sets the transmission rates that are supported on this WLAN, in Mbps. You can set multiple rates by passing more than one setting separated by whitespace or commas, e.g.:
set supportedrates 1 2 11
To clear the supported rate set, pass none:
set supportedrates none

WS5000.(Cfg).WLAN.[Name]> show
Same as WS5000.(Cfg).WLAN> show on page 119.


Antennas and Power

Use this table to determine the correct power settings for International use when using external antennas with the AP 100 802.11b Access Port, Model CCRF-5020-10-WW. For US (FCC), all Symbol Technologies certified antennas can be used on the maximum power level setting.
Max Power Setting Antenna Type 1 2 3 4 3 Dipole Indoor/Outdoor Omni Directional Heavy-duty Indoor/Outdoor 65 H-Plane Directional Panel Indoor/Outdoor 65 H-Plane Diversity Directional Panel Heavy Duty, High Gain Outdoor Mast Mount Also valid at Power setting: 2 with 25ft cable ML-1499-25JK-01 1 with 100ft cable ML-1499-100JK-01

Antenna Model ML-2499-APA2-01 ML-2499-HPA3-01 ML-2499-PNAHD-01 ML-2499-7PNA2-01 ML-2499-BMMA1-01

Comments

ML-2499-SD3-01 ML-2499-SDD1-01 ML-2499-12PNA2-01 ML-2499-11PNA2-01 ML-2499-BYGA2-01

1 1 3 3 4

Low Profile Ceiling Mount Omni Directional Low Profile Dual Integrated Diversity Omni Directional High gain Indoor/Outdoor 60 H-Plane Directional Panel High gain Indoor/Outdoor 120 H-Plane Directional Panel Heavy-duty Outdoor 35 High-gain Directional Yagi Also valid at Power setting: 3 with 50 ft cable ML-1499-50JK-01 2 with 100 ft cable ML-1499-100JK-01 Also valid at Power setting: 3 with 50 ft cable, 2 with 100 ft cable Use with 100ft cable ML-1499-100JK-01

ML-2499-BPNA3-01

Heavy-duty Indoor/Outdoor 35 High-gain Directional Panel Heavy Duty 10 Directional High Gain Parabolic Dish

ML-2499-BPDA1-01

Use this table to determine the correct European Union power settings for the AP 200 802.11a/b Access Port, Model CCRF-5030-100-WW (external antenna 802.11a radio only), CCRF-5030-200-WW (external antenna 802.11a/b radio), CCRF-5030-210-WW.
Additional Cable Length in Feet Max Authorized Power Settings 0 Any Any 6 Any Any 10 Any Any 25 Any Any 50 Any Any 100 Any Any

Antenna Model

Antenna Type/Pattern 2.4 GHz

ML-2499-APA2-01 ML-2499-HPA3-01

Flexible Rubber Dipole Omni-Directional Hi-gain Dipole Omni-directional


Antenna Model ML-2499-PNAHD-01 ML-2499-7PNA2-01 ML-2499-BMMA1-01 ML-2499-SD3-01 ML-2499-SDD1-01 ML-2499-12PNA2-01 ML-2499-11PNA2-01 ML-2499-BYGA2-01 ML-2499-BPNA3-01 ML-2499-BPDA1-01 Internal Antenna

Antenna Type/Pattern Hi-gain in/outdoor Panel Directional Panel Directional Hi-gain in/outdoor Dipole Omni-Directional Patch Omni-Directional Patch w/diversity Omni-Directional Panel Directional Panel Directional In/Outdoor Yagi Directional In/Outdoor Panel Directional Outdoor Parabolic Dish Directional Omni Directional

Additional Cable Length in Feet Max Authorized Power Settings Any Any Any Any Any 2, 3, 4, 5 2, 3, 4, 5 3, 4, 5 2, 3, 4, 5 5 Any 5 GHz Any Any Any Any Any Any Any 2, 3, 4, 5 Any 5 Any Any Any Any Any Any 2, 3, 4, 5 Any 3, 4, 5 2, 3, 4, 5 5 Any Any Any Any Any Any Any Any 3, 4, 5 2, 3, 4, 5 5 Any Any Any Any Any Any Any Any Any Any 4, 5 Any Any Any Any Any Any Any Any Any Any 4, 5 Any

ML-5299-APA1-01 ML-5299-HPA1-01 ML-5299-WPNA1-01 Internal

Omni-directional Hi-gain Dipole Panel Omni-directional Omni-Directional

Any 2, 3, 4, 5 Any Any

N/A N/A N/A N/A

Any Any Any N/A

Any Any Any N/A

Any Any Any N/A

Any Any Any N/A

Use this table to determine the correct Japanese power settings for the AP 200 802.11a/b Access Port, Model CCRF-5030-100-WW (external antenna 802.11a radio only), CCRF-5030-200-WW (external antenna 802.11a/b radio), CCRF-5030-210-WW.
Additional Cable Length in Feet Max Authorized Power Settings 0 Any Any Any Any None 2, 3, 4 Any Any Any 2, 3, 4 2, 3, 4 None Any 5 GHz ML-5299-APA1-01 Omni-directional Any N/A Any Any Any Any 6 Any Any Any Any None Any Any Any Any 2, 3, 4 2, 3, 4 None N/A 10 Any Any Any Any 3, 4 Any Any Any Any Any Any 4 N/A 25 Any Any Any Any 2, 3, 4 Any Any Any Any Any Any 4 N/A 50 Any Any Any Any Any Any Any Any Any Any Any 3, 4 N/A 100 Any Any Any Any Any Any Any Any Any Any Any 2, 3, 4 N/A

Antenna Model

Antenna Type/Pattern 2.4 GHz

ML-2499-APA2-01 ML-2499-HPA3-01 ML-2499-PNAHD-01 ML-2499-7PNA2-01 ML-2499-BMMA1-01 ML-2499-SD3-01 ML-2499-SDD1-01 ML-2499-12PNA2-01 ML-2499-11PNA2-01 ML-2499-BYGA2-01 ML-2499-BPNA3-01 ML-2499-BPDA1-01 Internal Antenna

Flexible Rubber Dipole Omni-Directional Hi-gain Dipole Omni-directional Hi-gain in/outdoor Panel Directional Panel Directional Hi-gain in/outdoor Dipole Omni-Directional Patch Omni-Directional Patch w/diversity Omni-Directional Panel Directional Panel Directional In/Outdoor Yagi Directional In/Outdoor Panel Directional Outdoor Parabolic Dish Directional Omni Directional


Antenna Model ML-5299-HPA1-01 ML-5299-WPNA1-01 Internal

Antenna Type/Pattern Hi-gain Dipole Panel Omni-directional Omni-Directional

Additional Cable Length in Feet Max Authorized Power Settings Any None Any N/A N/A N/A Any None N/A Any None N/A Any None N/A Any 1 N/A

Use this table to determine the correct United States power settings for the AP 200 802.11a/b Access Port, Model CCRF-5030-100-WW (external antenna 802.11a radio only), CCRF-5030-200-WW (external antenna 802.11a/b radio), CCRF-5030-210-WW. (All Symbol Technologies certified antennas can be used on the maximum power level setting.)
Additional Cable Length in Feet Max Authorized Power Settings 0 2, 3, 4, 5 3, 4, 5 3, 4, 5 3, 4, 5 6 2, 3, 4, 5 3, 4, 5 3, 4, 5 3, 4, 5 Any Any 2, 3, 4, 5 4, 5 4, 5 None None None N/A 5 GHz ML-5299-APA1-01 ML-5299-HPA1-01 ML-5299-WPNA1-01 Internal Omni-directional Hi-gain Dipole Panel Omni-directional Omni-Directional Any Any N/A Any N/A N/A N/A N/A Any Any N/A N/A Any Any N/A N/A Any Any N/A N/A Any Any N/A N/A 10 2, 3, 4, 5 3, 4, 5 3, 4, 5 3, 4, 5 Any Any 2, 3, 4, 5 4, 5 4, 5 None None None N/A 25 2, 3, 4, 5 3, 4, 5 3, 4, 5 3, 4, 5 Any Any 2, 3, 4, 5 4, 5 4, 5 None None None N/A 50 Any 3, 4, 5 3, 4, 5 3, 4, 5 Any Any Any 3, 4, 5 3, 4, 5 None None None N/A 100 Any 2, 3, 4, 5 2, 3, 4, 5 2, 3, 4, 5 Any Any Any 3, 4, 5 3, 4, 5 5 5 None N/A

Antenna Model

Antenna Type/Pattern 2.4 GHz

ML-2499-APA2-01 ML-2499-HPA3-01 ML-2499-PNAHD-01 ML-2499-7PNA2-01 ML-2499-BMMA1-01 ML-2499-SD3-01 ML-2499-SDD1-01 ML-2499-12PNA2-01 ML-2499-11PNA2-01 ML-2499-BYGA2-01 ML-2499-BPNA3-01 ML-2499-BPDA1-01 Internal Antenna

Flexible Rubber Dipole Omni-Directional Hi-gain Dipole Omni-directional Hi-gain in/outdoor Panel Directional Panel Directional

Hi-gain in/outdoor Dipole Omni-Directional 2, 3, 4, 5 Patch Omni-Directional Patch w/diversity Omni-Directional Panel Directional Panel Directional In/Outdoor Yagi Directional In/Outdoor Panel Directional Outdoor Parabolic Dish Directional Omni Directional Any 2, 3, 4, 5 4, 5 4, 5 None None None Any


MU Disassociation Error Codes

Value. 802.11 or Symbol/WPA Reason Code: Description

0. REASON_CODE_80211_SUCCESS: Reserved internally to indicate success
1. REASON_CODE_80211_UNSPECIFIED_ERROR: Unspecified Reason
3. DISASSOCIATION_REASON_CODE_STATION_LEAVING_ESS: Deauthenticated because sending station has left or is leaving IBSS or ESS
4. DISASSOCIATION_REASON_CODE_INACTIVITY: Disassociated due to inactivity
5. DISASSOCIATION_REASON_CODE_STATION_LIMIT_EXCEEDED: Disassociated because AP is unable to handle all currently associated stations
6. DISASSOCIATION_REASON_CODE_CLASS_2_PKT_FROM_NON_AUTH: Class 2 frame received from non-authenticated station
7. DISASSOCIATION_REASON_CODE_CLASS_3_PKT_FROM_NON_ASSOC: Class 3 frame received from non-associated station
8. DISASSOCIATION_REASON_CODE_STATION_LEAVING_BSS: Disassociated because sending station has left or is leaving BSS
9. DISASSOCIATION_REASON_CODE_STATION_NOT_AUTHENTICATED: Station requesting re-association is not authenticated with responding station
13. DISASSOCIATION_REASON_CODE_INVALID_INFORMATION_ELEMENT: Invalid Information Element
14. DISASSOCIATION_REASON_CODE_MIC_FAILURE: Michael MIC failure
15. DISASSOCIATION_REASON_CODE_4WAY_HANDSHAKE_TIMEOUT: 4-Way Handshake timeout
16. DISASSOCIATION_REASON_CODE_GROUP_KEY_UPDATE_TIMEOUT: Group key update timeout
17. DISASSOCIATION_REASON_CODE_4WAY_IE_DIFFERENCE: Information element in 4-Way Handshake different from Re-associated request/Probe response/Beacon
18. DISASSOCIATION_REASON_CODE_MULTICAST_CIPHER_INVALID: Multicast Cipher is not valid
19. DISASSOCIATION_REASON_CODE_UNICAST_CIPHER_INVALID: Unicast Cipher is not valid
20. DISASSOCIATION_REASON_CODE_AKMP_NOT_VALID: AKMP is not valid
21. DISASSOCIATION_REASON_CODE_UNSUPPORTED_RSNE_VERSION: Unsupported RSN IE version
22. DISASSOCIATION_REASON_CODE_INVALID_RSNE_CAPABILITIES: Invalid RSN IE Capabilities
23. DISASSOCIATION_REASON_CODE_8021X_AUTHENTICATION_FAILED: IEEE 802.1X Authentication failed
44. DISASSOCIATION_REASON_CODE_PSP_TX_PKT_BUFFER_EXCEEDED: Symbol defined (non 802.11 standard) code. The Wireless Switch has exceeded its time limit in attempting to deliver buffered PSP frames to the Mobile Unit without receiving a single 802.11 PS Poll or NULL data frame. The Wireless Switch begins the timer when it sets the Mobile Unit's bit in the TIM section of the 802.11 beacon frame for the BSS. The time limit is at least 15 seconds. The Mobile Unit is probably gone (or may be faulty).
77. DISASSOCIATION_REASON_CODE_TRANSMIT_RETRIES_EXCEEDED: Symbol defined (non 802.11 standard) codes. The Wireless Switch has exceeded its retry limit in attempting to deliver a 802.1x EAP message to the Mobile Unit without receiving a single 802.11 ACK. The retry limit varies according to traffic type but is at least 64 times. The Mobile Unit is either gone or has incorrect 802.1x EAP authentication settings.


Network Events

ID 0. 1. 2.

Event License number change Clock change Packet discard [wrong NIC]

Message Changed license level from <XX> license number Access Ports to <YY> number Access Ports. \n The Wireless Switch clock was changed <XX>/ <YY> seconds.\n Discarded Packet: Wrong NIC <XX> <XX> vs <YY> from Access Port ZZ.

Parameters XX = previous license number (an integer) YY = new license number (an integer) XX = + or YY = offset in seconds (an integer) XX = Ethernet Port that received the packet = 1 or 2 YY = Ethernet Port the Access Port was adopted from = 1 or 2 ZZ = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port

3.

Packet discard [wrong VLAN]

Message: Discarded Packet: Wrong VLAN <XX> <XX> vs <YY> from Access Port <ZZ>.
Parameters: XX = VLAN that received the packet (an integer); YY = VLAN the Access Port was adopted from (an integer); ZZ = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port.

ID 4. AP adopt failure [general]
Message: Adoption <XX> failed. The MAC address has been used by an existing Access Port.\n
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the radio or Access Port.

ID 5. AP adopt failure [policy disallow]
Message: Access Port Policy prevented Port with MAC <XX> from being adopted.\n
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port.

ID 6. AP adopt failure [acl disallow]
Message: This event and message is currently not configured. It will be configured in the next service release.
Parameters: Not Applicable

ID 7. AP adopt failure [limit exceeded]
Message: Access Port <XX> was not adopted because maximum limit has been reached.
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port.

ID 8. AP adopt failure [license disallow]
Message: License denied Access Port <XX> adoption. Maximum Access Ports allowed with current license = <YY>.\n
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port; YY = License Level (integer)

ID 9. AP adopt failure [no image]
Message: Access Port with MAC <XX> can not be adopted because no valid Firmware Image file can be found.\n
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port

ID 10. AP status [offline]
Message: Access Port <XX> with MAC address <YY> is unavailable.
Parameters: XX = Name (string) of the Access Port; YY = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port
Message: Taking Access Port <XX> with MAC address <YY> offline.
Parameters: XX = Name (string) of the Access Port; YY = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port

ID 11. AP status [alert]
Message: Access Port <XX> with MAC address <YY> is in Alert status due to country not set.
Parameters: XX = Access Port name (string); YY = Access Port MAC (xx:xx:xx:xx:xx:xx) Address
Message: Access Port <XX> with MAC address <YY> is in Alert status.
Parameters: XX = Access Port name (string); YY = Access Port MAC (xx:xx:xx:xx:xx:xx) Address

ID 12. AP status [adopted]
Message: Adopted an Access Port <XX>.
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port
Message: Radio <XX> with Mac <YY> is adopted.\n
Parameters: XX = Access Port name (string); YY = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port

Network Events


ID 13. AP status [reset]
Message: Radio <XX> with MAC <YY> was reset.
Parameters: XX = Name (string) of the radio; YY = MAC (xx:xx:xx:xx:xx:xx) address of the radio
Message: Reset the Access Port <XX>.
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port

ID 14. AP config failed [wrong ESS]
Message: Radio <XX> <YY> no ESS - configuration FAIL.\n
Parameters: XX = Name (string) of the Radio; YY = MAC (xx:xx:xx:xx:xx:xx) address of the Radio

ID 15. AP max MU count reached
Message: MUs for this RF Port are over margin: <XX>.
Parameters: XX (integer) = Number of Mobile Units associated to this Access Port

ID 16. AP detected
Message: Detected a new Access Port <XX>.
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port

ID 17. Device msg dropped [info] debug
Message: Dropping DeviceInfo message from <XX> whose parent is <YY>.\n
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port; YY = MAC (xx:xx:xx:xx:xx:xx) address of the Wireless Switch this Access Port is adopted to

ID 18. Device msg dropped [loadme]
Message: Dropping Loadme message from <XX> whose parent is <YY>.\n
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the Access Port; YY = MAC (xx:xx:xx:xx:xx:xx) address of the Wireless Switch this Access Port is adopted to

ID 19. Ether port connected
Message: Ethernet Port <XX> is connected.
Parameters: XX = Ethernet Port number 1 or 2

ID 20. Ether port disconnected
Message: Ethernet port <XX> disconnected.\n
Parameters: XX = Ethernet Port number 1 or 2

ID 21. MU assoc failed [ACL violation]
Message: ACL denied MU (XX) association.
Parameters: XX = Mobile Unit MAC (xx:xx:xx:xx:xx:xx) address

ID 22. MU assoc failed
Message: Access port refused MU <XX> association. Error <YY>.
Parameters: XX = Wireless Client MAC (xx:xx:xx:xx:xx:xx) address; YY = Reason Code number (integer)

ID 23. MU status [associated]
Message: Mobile Unit <XX> was associated to Access Port <YY>.
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the mobile unit; YY = Name (string) of the Access Port

ID 24. MU status [roamed]
Message: Mobile Unit <XX> with MAC <YY> roamed from Access Port <ZZ> to (Name of the Access Port the Mobile Unit roamed to).
Parameters: XX = Name (string) of the mobile unit; YY = MAC (xx:xx:xx:xx:xx:xx) address of the mobile unit; ZZ = Name (string) of the Access Port the Mobile Unit roamed from

ID 25. MU status [disassociated]
Message: Mobile Unit <XX> with MAC address <YY> was disassociated. Reason Code <ZZ>
Parameters: XX = Name (string) of the mobile unit; YY = MAC (xx:xx:xx:xx:xx:xx) address of the mobile unit; ZZ = Reason (integer) Code number

ID 26. MU EAP auth failed
Message: MU <XX> failed to authenticate with RADIUS Server.
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the Mobile Unit

ID 27. MU EAP auth success
Message: Mobile Unit <XX> successfully authenticated with EAP Type <YY>, authentication valid for <ZZ> minutes
Parameters: XX = MAC (xx:xx:xx:xx:xx:xx) address of the Mobile Unit; YY = EAP (integer) Type (see Appendix C, 802.11 Mobile Unit Disassociation Reason Codes); ZZ = number (integer) of minutes

ID 28. MU Kerberos auth failed
Message: "MU %s failed to authenticate with the KDC at %d.%d.%d.%d:%d : %s (Error code %d)."
Parameters: [MAC address of MU][MAC xx:xx:xx:xx:xx of Radius server][port on Radius server][radius error code]
Message: "MU at (%s) failed authentication via Kerberos. [Error code %d]"
Parameters: [MAC address of MU][ radius error code]

ID 29. MU Kerberos auth success
Message: "Mobile Unit with MAC \"%s\" successfully authenticated via Kerberos - authentication expires in %d minutes."
Parameters: [MAC address of MU][ ][# of minutes this authentication is valid for]

ID 30. MU TKIP [decrypt failure]
Message: "MU %02x:%02x:%02x:%02x:%02x:%02x has high decrypt failure rate"
Parameters: [MAC address of MU (in 6 octets)]

ID 31. MU TKIP [replay failure]
Message: "MU %02x:%02x:%02x:%02x:%02x:%02x has high replay failure rate"
Parameters: [MAC address of MU (in 6 octets)]

ID 32. MU TKIP [MIC error]
Message: "MIC validation failed for MU %s on ESS '%s'."
Parameters: [MAC address of MU][ESS-ID this MU is associated with]

ID 33. WLAN auth success
Message: "WLAN %s (ESS %s) successfully authenticated with KDC at %d.%d.%d.%d:%d"
Parameters: [WLAN name][ESSID] ][MAC xx:xx:xx:xx:xx of KDC server][port on KDC server]


ID 34. WLAN auth failed
Message: "WLAN %s (ESS %s) could not be authenticated with KDC at %d.%d.%d.%d:%d after %d attempts - still trying..."
Parameters: [WLAN name][ESSID] ][MAC xx:xx:xx:xx:xx of KDC server][port on KDC server][number of attempts]

ID 35. WLAN max MU count reached
Message: "ACL denied MU (%s) association."
Parameters: [MAC address of MU]

ID 36. Mgt user auth failed [radius]
Message: GUI/CLI User userid Authentication Failure:
Message: "User userid rejected by Radius server RADIUS server hostname/IP address.\n"
Parameters: userid = string; RADIUS server hostname/IP address = string

ID 37. Mgt user auth rejected
Message: NOT USED

ID 38. Mgt user auth success [radius]
Message: User userid authenticated locally.\n
Message: "User userid successfully authenticated by Radius server RADIUS server hostname/IP address.\n"
Parameters: userid = string; RADIUS server hostname/IP address = string

ID 39. Radius server timeout
Message: "Radius server %s is unreachable.\n"
Parameters: [radius server name]

ID 40. KDC user [added]
Message: "Adding KDC User:[%s] time:[%ld]"
Parameters: [user name][timestamp]

ID 41. KDC user [changed]
Message: "Changed KDC User:[%s] time:[%ld]"
Parameters: [user name][timestamp]

ID 42. KDC user [deleted]
Message: "Removed KDC USER:[%s] Time:[%ld]"
Parameters: [user name][timestamp]

ID 43. KDC DB replaced
Message: "Replaced KDC DB:Modified Locally"
Message: "Replaced KDC DB:Modified by SEMM"

ID 44. KDC propagation failure
Message: "KDC Propgation fails on host (%s)."
Parameters: [host-name]
Message: "KDC Propgation fails !"

ID 45. WPA counter-measures [active]
Message: "Began WPA counter-measures for WLAN %s (ESS %s)"
Parameters: [name of WLAN][ESSID]

ID 46. Primary lost heartbeat
Message: Primary lost heartbeat(s)

ID 47. Standby active
Message: Fail-over took place, Standby machine is now in Active state

ID 48. Primary internal failure [reset]
Message: "Primary internal failure, Resetting"

ID 49. Standby internal failure [reset]
Message: "Standby internal failure, Resetting"

ID 50. Standby auto-revert
Message: Standby Auto Reverting

ID 51. Primary auto-revert
Message: Primary Auto Reverting

ID 52. Auto channel select error
Message: "ACS failed to find a valid channel, err %d.\n"
Message: "ACS failed to find a valid channel. Reusing existing channel %d.\n"
Message: ACS success. Setting Radio MAC address of the AP to channel.\n
Parameters: [Channel#]; MAC address of the Access Port = xx:xx:xx:xx:xx:xx; Channel = integer

ID 53. Emergency Policy [active]
Message: Emergency Switch Policy Emergency Switch Policy is activated.\n
Parameters: Emergency Switch Policy = string

ID 54. Emergency Policy [deactivated]
Message: Emergency Switch Policy Emergency Switch Policy is deactivated,.\n
Parameters: Emergency Switch Policy = string
Message: "Emergency Switch Policy %s is deactivated.\n"
Parameters: [previous de-activated policy name]

ID 55. Low flash space on switch-alert
Message: Found disk=percent disk spaced used USED disk-space - VACUUMing Database in 5 secs to free-up space
Parameters: percent disk spaced used = decimal (xx.xx)


ID 56. Miscellaneous debug events
KerberosWlanAuthOperation::OnStart(); RADIO_TYPE_FH != pRadio->GetType(); NULL == pCountry->GetFHInfo(); CWlan::KerberosClientAuth()

Message: "Internal Failure, out of ethernet buffers"

Message: "The license key on a WS-Lite cannot be upgraded."

Message: "WSLiteValidation:FAILURE:%s is invalid %d-port license for WS-Lite\n"
Parameters: [XML error string(if any)][number of radios (APs) in-use]

Message: "EtherPortManager::EnsureNoCollisions(FOUND PROBLEM: %s)\n"
Parameters: [string containing explanation of collision in policy]

Message: "Etherport policies \"%s\" and \"%s\" are on the same subnet(%d). "
Parameters: [policy name] [policy name]

Message: "Began authentication process for WLAN %s (ESS %s) with KDC %lu.%lu.%lu.%lu..."
Parameters: [WLAN name][ESSID string][KDC MAC]

Message: "Mobile Unit \"%s\" successfully authenticated with %s" (+) ", authentication valid for %d minutes" (or) ", no re-authentication period set"
Parameters: [MAC of MU][EAP type][# of minutes]

Message: "No valid channel for 802.11%s radio. Adoption is denied.\n"
Parameters: [type of radio (A or B or FH)]

Message: "No valid country info for 802.11%s radio. Adoption is denied.\n"
Parameters: [type of radio (A or B or FH)]

Message: "Began authentication process for WLAN %s (ESS %s) with KDC '%s'...
Parameters: [name of WLAN][ESSID][KDC Server Hostname]

Message: "End WPA counter-measures for WLAN %s (ESS %s)"
Parameters: [name of WLAN][ESSID]

ID 0. License number change
Description: A license key was entered changing the number of Access Ports this wireless switch can adopt.
Possible Course of Action: This event can only occur by entering a license key.

ID 1. Clock change
Description: The date/time setting was changed on the Wireless Switch.
Possible Course of Action: This event can only occur by changing the date/time.

ID 2. Packet discard [wrong NIC]
Description: When an Access Port is adopted, the Wireless Switch remembers which Ethernet Port the Access Port was adopted from. The Wireless Switch will only accept data from that Access Port through the Ethernet Port which it was adopted from. If the Wireless Switch receives data from that Access Port on another Ethernet Port, it will be discarded.
Possible Course of Action: The Access Port may have been removed and reconnected to another part of the network that is connected to the other Ethernet port of the Wireless Switch. Or, the Access Port's logical connection to the network has changed, causing it to be connected to the other Ethernet port of the Wireless Switch. If this is intentional, the Access Port must first be removed from the Wireless Switch and readopted through the new Ethernet port. If this is unintentional, reconnect the Access Port to the Ethernet port that it was adopted through.

ID 3. Packet discard [wrong VLAN]
Description: If an Ethernet Port is configured for 802.1q trunking, when an Access Port is adopted, the Wireless Switch remembers which VLAN the Access Port was adopted from. The Wireless Switch will only accept data from that Access Port through the VLAN which it was adopted from. If the Wireless Switch receives data from that Access Port on another VLAN, it will be discarded.
Possible Course of Action: The Access Port may have been removed and reconnected to another part of the network that is connected to the other Ethernet port of the Wireless Switch. Or, the Access Port's logical connection to the network has changed, causing it to be connected to the other Ethernet port of the Wireless Switch. If this is intentional, the Access Port must first be removed from the Wireless Switch and readopted through the new Ethernet port. If this is unintentional, reconnect the Access Port to the Ethernet port that it was adopted through.

ID 4. AP adopt failure [general]
Description: An Access Port's request to be adopted has been rejected because there is already another Access Port with the same MAC address currently active on the Wireless Switch.
Possible Course of Action: Confirm that there are actually two Access Ports with the same MAC address and contact Symbol customer support.


ID 5. AP adopt failure [policy disallow]
Description: An Access Port's request to be adopted has been rejected because the Wireless Switch Policy is configured to deny adoption of Access Ports.
Possible Course of Action: If the Wireless Switch is to adopt this Access Port, either manually adopt it by including it in the Include List of the Adoption List or by configuring the Wireless Switch Policy to Allow Adoption of Access Ports.

ID 6. AP adopt failure [acl disallow]
Description: The Access Port's request for adoption was rejected because the Access Port is in the Exclude List of the Adoption List.
Possible Course of Action: If the Wireless Switch is to adopt this Access Port, remove the Access Port from the Exclude List of the Adoption List.

ID 7. AP adopt failure [limit exceeded]
Description: We ran out of licenses or (unlikely) we ran out of memory to create a Radio-object.
Possible Course of Action: You have more AP devices than you have licenses for. Either remove the APs or purchase more licenses.

ID 8. AP adopt failure [license disallow]
Description: We ran out of licenses and could not adopt this AP.
Possible Course of Action: You have more AP devices than you have licenses for. Either remove the APs or purchase more licenses.

ID 9. AP adopt failure [no image]
Description: It appears the switch does not have a valid AP image firmware file to download onto the AP.
Possible Course of Action: From your Symbol WS500 Applet interface go to System Settings > Firmware Management > Available Images and make sure you have an image for that model of AP.

ID 10. AP status [offline]
Description: This Access Port has been unavailable for a long time. The status of this Access Port has changed to Unavailable.
Possible Course of Action: Unavailable means that the Wireless Switch has not been able to communicate with this Access Port for more than 10 seconds.

ID 11. AP status [alert]
Description: The status of this Access Port has changed to Alert.
Possible Course of Action: The country setting for the Wireless Switch Policy has to be set to something other than None before an Access Port can be adopted. Until then, all Access Ports will be at Alert status.
Description: The status of this Access Port has changed to Alert.
Possible Course of Action: The Access Port needs attention. Look for other Event Notification messages for details.

ID 12. AP status [adopted]

ID 13. AP status [reset]

ID 14. AP config failed [wrong ESS]
Description: There are no in-use WLANs configured on this switch.
Possible Course of Action: This Access Port will be Alert status until it is configured with an Access Port Policy with a valid WLAN. If the WLAN is using Kerberos security, check that the WLAN is authenticated by the KDC.

ID 15. AP max MU count reached
Description: An Access Port has reached the maximum limit of 128 Mobile Units which can associate to a single Access Port.
Possible Course of Action: When the limit has been reached, the Access Port will not allow any additional Mobile Units to associate.

ID 16. AP detected
Description: A new Access Port was detected.

ID 17. Device msg dropped [info]
Description: We received a DEVICEINFO message from an AP (telling us about the AP's configuration) but the AP claims to have another switch as a Parent.
Possible Course of Action: You may have multiple Primary and Active WS5000s on the same physical subnet. Either remove the extra WS5000s or configure them for Hot Standby operation.

ID 18. Device msg dropped [loadme]
Description: We received a LOADME request from an AP (a WSAP-50xx) but the AP claims to have another switch as a Parent.
Possible Course of Action: You may have multiple Primary and Active WS 5000s on the same physical subnet. Either remove the extra WS 5000s or configure them for Hot Standby operation.

ID 19. Ether port connected
Description: A previously disconnected Ethernet port was re-connected.

ID 20. Ether port disconnected
Description: A previously connected Ethernet port was disconnected.
Possible Course of Action: If you see excessive amounts of this message you may have a cable or switch hardware problem. See above.

ID 21. MU assoc failed [ACL violation]
Description: This Mobile Unit was rejected as it requested to associate to the WLAN with an Access Control List.
Possible Course of Action: If this is not intentional check your Access Control List and make sure this MAC address is not rejected by policy.

ID 22. MU assoc failed
Description: The error codes are listed in the table below 802.11 reason codes. This message cannot be due to REASON CODE 80211 STATION LIMIT EXCEEDED

ID 23. MU status [associated]
Description: A Mobile Unit associated to an Access Port.
Possible Course of Action: None

ID 24. MU status [roamed]
Description: A Mobile Unit roamed from to another Access Port.
Possible Course of Action: None

ID 25. MU status [disassociated]
Description: A Mobile Unit disassociated from an Access Port.
Possible Course of Action: Refer to Reason Codes table for an explanation.


ID 26. MU EAP auth failed
Description: A Mobile Unit EAP authentication request failed.

ID 27. MU EAP auth success
Description: A Mobile Unit EAP authentication request succeeded.

ID 28. MU Kerberos auth failed
Description: A Mobile Unit Kerberos authentication request failed

ID 29. MU Kerberos auth success
Description: A Mobile Unit Kerberos authentication request succeeded.

ID 30. MU TKIP [decrypt failure]
Description: The switch has encountered high levels of sequential decrypt failures with this MU.

ID 31. MU TKIP [replay failure]
Description: The switch has encountered high levels of sequential decrypt failures with this MU.

Possible Course of Action

This could be suspicious; if this is a known MU, it should be re-associated.

ID 32. MU TKIP [MIC error]
Description: This MU has failed a MIC encryption; this could potentially be an attempt to break security. If this is detected twice within 60 seconds, the switch will implement the WPA countermeasures.

ID 33. WLAN auth success

ID 34. WLAN auth failed

ID 35. WLAN max MU count reached
Description: This is an incorrect message; it was not really the ACL that denied association, it was that we exceeded the 802.11 limit (REASON CODE 80211 STATION LIMIT EXCEEDED)

ID 36. Mgt user auth failed [radius]
Description: Management user not authenticated on the Wireless Switch local user database. Management user not authenticated on the remote RADIUS server database.

ID 37. Mgt user auth rejected
Description: [UNUSED]

ID 38. Mgt user auth success [radius]
Description: Management user successfully authenticates on the wireless switch local user database. Management user successfully authenticates on the remote RADIUS user database.

Check your Radius Server configuration on the WS 5000.

ID 39. Radius server timeout

ID 40. KDC user [added]

ID 41. KDC user [changed]

ID 42. KDC user [deleted]

ID 43. KDC DB replaced

ID 44. KDC propagation failure
Description: Host name is unknown

ID 45. WPA counter-measures [active]
Possible Course of Action: The WS5000 will be down for a short length of time and then come back and re-associate MUs

ID 46. Primary lost heartbeat
Description: The Primary Wireless Switch in Standby mode did not receive monitoring heartbeats from the Standby Wireless Switch.
Possible Course of Action: If this event occurs but failover does not occur, then there is possible congestion on the network causing the heartbeats to be lost. Also, look for other events prior to the lost heartbeats that might indicate a problem, such as Ethernet port disconnected.

ID 47. Standby active
Description: The Standby Wireless Switch has changed its state from Monitoring to Active.
Possible Course of Action: A failover has occurred.


ID 48. Primary internal failure [reset]

ID 49. Standby internal failure [reset]

ID 50. Standby auto-revert
Description: The Standby Wireless Switch is auto-reverted from Active to Monitoring. This event is reported by the Standby Wireless Switch.

ID 51. Primary auto-revert
Description: The Primary wireless switch is auto-reverted from Halted to Connected. This event is reported by the Primary wireless switch.

ID 52. Auto channel select error
Description: Misleading text; it's the Channel#, not an error, that is in the string

ID 53. Emergency Policy [active]
Description: The Emergency Switch Policy is activated.

ID 54. Emergency Policy [deactivated]
Description: The Emergency Switch Policy is deactivated.

ID 55. Low flash space on switch-alert
Description: The used disk space exceeds 80%. This will be reported approximately every five hours.
Possible Course of Action: Remove any unused policies, ACLs, user names, files, etc.

ID 56. Miscellaneous debug events
Description: Case ASEVENT_EVENT_PSD_REBOOT_NOBDOS; KerberosWlanAuthOperation::OnStart(); RADIO_TYPE_FH != pRadio->GetType(); NULL == pCountry->GetFHInfo(); CWlan::KerberosClientAuth()
Possible Course of Action: Switch will need to re-boot and should do so within 120 seconds
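For monitoring the TKIP events (IDs 30 to 32), the following added example, which is not part of the original reference, scans collected event text for the documented message strings and flags two MIC failures on one ESS within the 60-second countermeasure window. The leading ISO-8601 timestamp on each line and the grouping of MIC failures per ESS are assumptions; the reference documents only the message text.

```python
import re
from datetime import datetime, timedelta

# Message formats are taken from the event table above. The timestamp prefix
# is an assumed log envelope, not something the reference specifies.
MIC_RE = re.compile(r"MIC validation failed for MU (\S+) on ESS '([^']*)'\.")
RATE_RE = re.compile(
    r"MU ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) has high (decrypt|replay) failure rate",
    re.IGNORECASE,
)
WINDOW = timedelta(seconds=60)  # "detected twice within 60 seconds"

# Constructed sample lines (not captured from a real switch).
SAMPLE_LOG = """\
2004-03-01T10:00:05 MIC validation failed for MU 00:a0:f8:11:22:33 on ESS 'corp'.
2004-03-01T10:00:40 MU 00:a0:f8:aa:bb:cc has high replay failure rate
2004-03-01T10:00:50 MIC validation failed for MU 00:a0:f8:44:55:66 on ESS 'corp'.
2004-03-01T10:05:00 MIC validation failed for MU 00:a0:f8:11:22:33 on ESS 'guest'.
2004-03-01T10:07:30 MIC validation failed for MU 00:a0:f8:11:22:33 on ESS 'guest'.
"""


def triage(log_text):
    """Return (timestamp, kind, detail) findings for TKIP-related events."""
    findings = []
    last_mic = {}  # ESS -> (time, MU) of the previous MIC failure on that ESS
    for line in log_text.splitlines():
        stamp, _, message = line.partition(" ")
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # line is not in the assumed envelope; skip, do not guess
        mic = MIC_RE.search(message)
        if mic:
            mu, ess = mic.groups()
            prev = last_mic.get(ess)
            if prev and when - prev[0] <= WINDOW:
                detail = f"ESS {ess}: {prev[1]} then {mu}"
                findings.append((when, "mic-countermeasure-threshold", detail))
            last_mic[ess] = (when, mu)
            continue
        rate = RATE_RE.search(message)
        if rate:
            kind = f"high-{rate.group(2).lower()}-failure"
            findings.append((when, kind, rate.group(1).lower()))
    return findings


if __name__ == "__main__":
    for when, kind, detail in triage(SAMPLE_LOG):
        print(when.isoformat(), kind, detail)
```

A threshold finding should coincide with a "Began WPA counter-measures" event (ID 45) from the switch; one without the other is worth investigating.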
