Config Commands

Config 802.11-a Commands

config 802.11-a

To enable or disable the 4.9-GHz and 5.8-GHz public safety channels on an access point, use the config 802.11-a command.

config { 802.11-a49 | 802.11-a58} { enable | disable} cisco_ap

Syntax Description

802.11-a49

Specifies the 4.9-GHz public safety channel.

802.11-a58

Specifies the 5.8-GHz public safety channel.

enable

Enables the use of this frequency on the designated access point.

disable

Disables the use of this frequency on the designated access point.

cisco_ap

Name of the access point to which the command applies.

Command Default

By default, the 4.9-GHz and 5.8-GHz public safety channels on an access point are disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the 4.9-GHz public safety channel on the ap_24 access point:

(Cisco Controller) > config 802.11-a49 enable ap_24

config 802.11-a antenna extAntGain

To configure the external antenna gain for the 4.9-GHz and 5.8-GHz public safety channels on an access point, use the config 802.11-a antenna extAntGain command.

config { 802.11-a49 | 802.11-a58} antenna extAntGain ant_gain cisco_ap { global | channel_no}

Syntax Description

802.11-a49

Specifies the 4.9-GHz public safety channel.

802.11-a58

Specifies the 5.8-GHz public safety channel.

ant_gain

Value in 0.5-dBi units (for instance, 2.5 dBi = 5).

cisco_ap

Name of the access point to which the command applies.

global

Applies the antenna gain value to all channels.

channel_no

Antenna gain value for a specific channel.

Command Default

Channel properties are disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Before you enter the config 802.11-a antenna extAntGain command, disable the 802.11 Cisco radio with the config 802.11-a disable command.

After you configure the external antenna gain, use the config 802.11-a enable command to reenable the 802.11 Cisco radio.

Examples

The following example shows how to configure an 802.11-a49 external antenna gain of 10 dBi for AP1:

(Cisco Controller) >config 802.11-a antenna extAntGain 10 AP1

config 802.11-a channel ap

To configure the channel properties for the 4.9-GHz and 5.8-GHz public safety channels on an access point, use the config 802.11-a channel ap command.

config { 802.11-a49 | 802.11-a58} channel ap cisco_ap { global | channel_no}

Syntax Description

802.11-a49

Specifies the 4.9-GHz public safety channel.

802.11-a58

Specifies the 5.8-GHz public safety channel.

cisco_ap

Name of the access point to which the command applies.

global

Enables the Dynamic Channel Assignment (DCA) on all 4.9-GHz and 5.8-GHz subband radios.

channel_no

Custom channel for a specific mesh access point. The range is 1 through 26, inclusive, for a 4.9-GHz band and 149 through 165, inclusive, for a 5.8-GHz band.

Command Default

Channel properties are disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the channel properties:

(Cisco Controller) >config 802.11-a channel ap

config 802.11-a txpower ap

To configure the transmission power properties for the 4.9-GHz and 5.8-GHz public safety channels on an access point, use the config 802.11-a txpower ap command.

config { 802.11-a49 | 802.11-a58} txpower ap cisco_ap { global | power_level}

Syntax Description

802.11-a49

Specifies the 4.9-GHz public safety channel.

802.11-a58

Specifies the 5.8-GHz public safety channel.

txpower

Configures transmission power properties.

ap

Configures access point channel settings.

cisco_ap

Name of the access point to which the command applies.

global

Applies the transmission power value to all channels.

power_level

Transmission power value for the designated mesh access point. The range is from 1 to 5.

Command Default

By default, the transmission power properties for the 4.9-GHz and 5.8-GHz public safety channels on an access point are disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an 802.11-a49 transmission power level of 4 for AP1:


(Cisco Controller) >config 802.11-a49 txpower ap AP1 4

Configure 802.11b Commands

Use the config 802.11b commands to configure settings specifically for an 802.11b/g network.

config 802.11b 11gSupport

To enable or disable the Cisco wireless LAN solution 802.11g network, use the config 802.11b 11gSupport command.

config 802.11b 11gSupport { enable | disable}

Syntax Description

enable

Enables the 802.11g network.

disable

Disables the 802.11g network.

Command Default

By default, the Cisco wireless LAN solution 802.11g network is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Before you enter the config 802.11b 11gSupport {enable | disable} command, disable the 802.11 Cisco radio with the config 802.11 disable command.

After you configure the support for the 802.11g network, use the config 802.11 enable command to enable the 802.11 radio.


Note


To disable an 802.11a, 802.11b and/or 802.11g network for an individual wireless LAN, use the config wlan radio command.


Examples

The following example shows how to enable the 802.11g network:


(Cisco Controller) > config 802.11b 11gSupport enable
Changing the 11gSupport will cause all the APs to reboot when you enable 802.11b network.
Are you sure you want to continue? (y/n) n
11gSupport not changed!

config 802.11b preamble

To change the 802.11b preamble as defined in subclause 18.2.2.2 to long (slower, but more reliable) or short (faster, but less reliable), use the config 802.11b preamble command.

config 802.11b preamble { long | short}

Syntax Description

long

Specifies the long 802.11b preamble.

short

Specifies the short 802.11b preamble.

Command Default

The default 802.11b preamble value is short.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines


Note


You must reboot the Cisco Wireless LAN Controller (reset system) with save to implement this command.


This parameter must be set to long to optimize this Cisco wireless LAN controller for some clients, including SpectraLink NetLink telephones.

This command can be used any time that the CLI interface is active.

Examples

The following example shows how to change the 802.11b preamble to short:

  (Cisco Controller) >config 802.11b preamble short
  (Cisco Controller) >(reset system with save)

Configure 802.11h Commands

Use the config 802.11h commands to configure settings specifically for an 802.11h network.

config 802.11h channelswitch

To configure an 802.11h channel switch announcement, use the config 802.11h channelswitch command.

config 802.11h channelswitch { enable { loud | quiet} | disable}

Syntax Description

enable

Enables the 802.11h channel switch announcement.

loud

Enables the 802.11h channel switch announcement in the loud mode. The 802.11h-enabled clients can send packets while switching channel.

quiet

Enables 802.11h-enabled clients to stop transmitting packets immediately because the AP has detected radar and client devices should also quit transmitting to reduce interference.

disable

Disables the 802.11h channel switch announcement.

Command Default

None

Command History

Release Modification

7.6

  • This command was introduced in a release earlier than Release 7.6.
  • The loud and quiet parameters were introduced.

Examples

The following example shows how to disable an 802.11h switch announcement:


(Cisco Controller) >config 802.11h channelswitch disable

config 802.11h powerconstraint

To configure the 802.11h power constraint value, use the config 802.11h powerconstraint command.

config 802.11h powerconstraint value

Syntax Description

value

802.11h power constraint value.

Command Default

None

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the 802.11h power constraint to 5:


(Cisco Controller) >config 802.11h powerconstraint 5

config 802.11h setchannel

To configure a new channel using 802.11h channel announcement, use the config 802.11h setchannel command.

config 802.11h setchannel cisco_ap

Syntax Description

cisco_ap

Cisco lightweight access point name.

Command Default

None

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a new channel using the 802.11h channel:


(Cisco Controller) >config 802.11h setchannel ap02

Configure 802.11 11n Support Commands

Use the config 802.11 11nsupport commands to configure settings for an 802.11n network.

config 802.11 11nsupport

To enable 802.11n support on the network, use the config 802.11 11nsupport command.

config 802.11{ a | b} 11nsupport { enable | disable}

Syntax Description

a

Specifies the 802.11a network settings.

b

Specifies the 802.11b/g network settings.

enable

Enables the 802.11n support.

disable

Disables the 802.11n support.

Command Default

None

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the 802.11n support on an 802.11a network:


(Cisco Controller) >config 802.11a 11nsupport enable

config 802.11 11nsupport a-mpdu tx priority

To specify the aggregation method used for 802.11n packets, use the config 802.11 11nsupport a-mpdu tx priority command.

config 802.11{ a | b} 11nsupport a-mpdu tx priority { 0-7 | all} { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

0-7

Specifies the aggregated MAC protocol data unit priority level, from 0 through 7.

all

Configures all of the priority levels at once.

enable

Specifies that the traffic associated with the priority level uses A-MPDU transmission.

disable

Specifies that the traffic associated with the priority level uses A-MSDU transmission.

Command Default

Priority 0 is enabled.

Usage Guidelines

Aggregation is the process of grouping packet data frames together rather than transmitting them separately. Two aggregation methods are available: Aggregated MAC Protocol Data Unit (A-MPDU) and Aggregated MAC Service Data Unit (A-MSDU). A-MPDU is performed in the software whereas A-MSDU is performed in the hardware.

Aggregated MAC Protocol Data Unit priority levels assigned per traffic type are as follows:

  • 1—Background

  • 2—Spare

  • 0—Best effort

  • 3—Excellent effort

  • 4—Controlled load

  • 5—Video, less than 100-ms latency and jitter

  • 6—Voice, less than 10-ms latency and jitter

  • 7—Network control

  • all—Configure all of the priority levels at once.


    Note


    Configure the priority levels to match the aggregation method used by the clients.


Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure all the priority levels at once so that the traffic associated with the priority level uses A-MSDU transmission:


(Cisco Controller) >config 802.11a 11nsupport a-mpdu tx priority all disable

config 802.11 11nsupport a-mpdu tx scheduler

To configure the 802.11n-5 GHz A-MPDU transmit aggregation scheduler, use the config 802.11 11nsupport a-mpdu tx scheduler command.

config 802.11{ a | b} 11nsupport a-mpdu tx scheduler { enable | disable | timeout rt timeout-value}

Syntax Description

enable

Enables the 802.11n-5 GHz A-MPDU transmit aggregation scheduler.

disable

Disables the 802.11n-5 GHz A-MPDU transmit aggregation scheduler.

timeout rt

Configures the A-MPDU transmit aggregation scheduler realtime traffic timeout.

timeout-value

Timeout value in milliseconds. The valid range is from 1 millisecond to 1000 milliseconds.

Command Default

None

Usage Guidelines

Ensure that the 802.11 network is disabled before you enter this command.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the A-MPDU transmit aggregation scheduler realtime traffic timeout of 100 milliseconds:


(Cisco Controller) >config 802.11 11nsupport a-mpdu tx scheduler timeout rt 100

config 802.11 11nsupport antenna

To configure an access point to use a specific antenna, use the config 802.11 11nsupport antenna command.

config 802.11{ a | b} 11nsupport antenna cisco_ap { A | B | C | D} { enable | disable}

Syntax Description

a

Specifies the 802.11a/n network.

b

Specifies the 802.11b/g/n network.

cisco_ap

Access point.

A/B/C/D

Specifies an antenna port.

enable

Enables the configuration.

disable

Disables the configuration.

Command Default

None

Usage Guidelines

Cisco Catalyst 9120AXE, 9120AXP, and Cisco Catalyst 9130AXE access points should have at least two antennas configured if you want to disable this configuration.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure transmission to a single antenna for legacy orthogonal frequency-division multiplexing:


(Cisco Controller) >config 802.11 11nsupport antenna AP1 C enable

config 802.11 11nsupport guard-interval

To configure the guard interval, use the config 802.11 11nsupport guard-interval command.

config 802.11 { a | b} 11nsupport guard-interval { any | long}

Syntax Description

any

Enables either a short or a long guard interval.

long

Enables only a long guard interval.

Command Default

None

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a long guard interval:


(Cisco Controller) >config 802.11 11nsupport guard-interval long

config 802.11 11nsupport mcs tx

To specify the modulation and coding scheme (MCS) rates at which data can be transmitted between the access point and the client, use the config 802.11 11nsupport mcs tx command.

config 802.11{ a | b} 11nsupport mcs tx { 0-15} { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

11nsupport

Specifies support for 802.11n devices.

mcs tx

Specifies the modulation and coding scheme data rates as follows:

  • 0 (7 Mbps)

  • 1 (14 Mbps)

  • 2 (21 Mbps)

  • 3 (29 Mbps)

  • 4 (43 Mbps)

  • 5 (58 Mbps)

  • 6 (65 Mbps)

  • 7 (72 Mbps)

  • 8 (14 Mbps)

  • 9 (29 Mbps)

  • 10 (43 Mbps)

  • 11 (58 Mbps)

  • 12 (87 Mbps)

  • 13 (116 Mbps)

  • 14 (130 Mbps)

  • 15 (144 Mbps)

enable

Enables this configuration.

disable

Disables this configuration.

Command Default

None

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify MCS rates:


(Cisco Controller) >config 802.11a 11nsupport mcs tx 5 enable

config 802.11 11nsupport rifs

To configure the Reduced Interframe Space (RIFS) between data frames and their acknowledgments, use the config 802.11 11nsupport rifs command.

config 802.11{ a | b} 11nsupport rifs { enable | disable}

Syntax Description

enable

Enables RIFS for the 802.11 network.

disable

Disables RIFS for the 802.11 network.

Command Default

None

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to enable RIFS:


(Cisco Controller) >config 802.11a 11nsupport rifs enable

Configure 802.11 Antenna Commands

Use the config 802.11 antenna commands to configure radio antenna settings for Cisco lightweight access points on different 802.11 networks.

config 802.11 antenna diversity

To configure the diversity option for 802.11 antennas, use the config 802.11 antenna diversity command.

config 802.11{ a | b} antenna diversity { enable | sideA | sideB} cisco_ap

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables the diversity.

sideA

Specifies the diversity between the internal antennas and an external antenna connected to the Cisco lightweight access point left port.

sideB

Specifies the diversity between the internal antennas and an external antenna connected to the Cisco lightweight access point right port.

cisco_ap

Cisco lightweight access point name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable antenna diversity for AP01 on an 802.11b network:

(Cisco Controller) >config 802.11b antenna diversity enable AP01

The following example shows how to enable diversity for AP01 on an 802.11a network, using an external antenna connected to the Cisco lightweight access point left port (sideA):

(Cisco Controller) >config 802.11a antenna diversity sideA AP01

config 802.11 antenna extAntGain

To configure external antenna gain for an 802.11 network, use the config 802.11 antenna extAntGain command.

config 802.11{ a | b} antenna extAntGain antenna_gain cisco_ap

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

antenna_gain

Antenna gain in 0.5 dBm units (for example, 2.5 dBm = 5).

cisco_ap

Cisco lightweight access point name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Before you enter the config 802.11 antenna extAntGain command, disable the 802.11 Cisco radio with the config 802.11 disable command.

After you configure the external antenna gain, use the config 802.11 enable command to enable the 802.11 Cisco radio.

Examples

The following example shows how to configure an 802.11a external antenna gain of 0.5 dBm for AP1:

(Cisco Controller) >config 802.11a antenna extAntGain 1 AP1

config 802.11 antenna mode

To configure the Cisco lightweight access point to use one internal antenna for an 802.11 sectorized 180-degree coverage pattern or both internal antennas for an 802.11 360-degree omnidirectional pattern, use the config 802.11 antenna mode command.

config 802.11{ a | b} antenna mode { omni | sectorA | sectorB} cisco_ap

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

omni

Specifies to use both internal antennas.

sectorA

Specifies to use only the side A internal antenna.

sectorB

Specifies to use only the side B internal antenna.

cisco_ap

Cisco lightweight access point name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure access point AP01 antennas for a 360-degree omnidirectional pattern on an 802.11b network:

(Cisco Controller) >config 802.11b antenna mode omni AP01

config 802.11 antenna selection

To select the internal or external antenna for a Cisco lightweight access point on an 802.11 network, use the config 802.11 antenna selection command.

config 802.11{ a | b} antenna selection { internal | external} cisco_ap

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

internal

Specifies the internal antenna.

external

Specifies the external antenna.

cisco_ap

Cisco lightweight access point name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure access point AP02 on an 802.11b network to use the internal antenna:

(Cisco Controller) >config 802.11b antenna selection internal AP02

Configure 802.11 CleanAir Commands

Use the config 802.11 cleanair commands to configure CleanAir settings on different 802.11 networks.

config 802.11 chan_width

To configure the channel width for a particular access point, use the config 802.11 chan_width command.

config 802.11{ a | b} chan_width cisco_ap { 20 | 40 | 80 | 160 | best}

Syntax Description

a

Configures the 802.11a radio on slot 1 and 802.11ac/ax radio on slot 2.

b

Specifies the 802.11b/g radio.

cisco_ap

Access point.

20

Allows the radio to communicate using only 20-MHz channels.

Choose this option for legacy 802.11a radios, 20-MHz 802.11n radios, or 40-MHz 802.11n radios that you want to operate using only 20-MHz channels.

40

Allows 40-MHz 802.11n radios to communicate using two adjacent 20-MHz channels bonded together.

80

Allows 80-MHz 802.11ac/ax radios to communicate using two adjacent 40-MHz channels bonded together.

160

Allows 160-MHz 802.11ac/ax radios to communicate.

best

In this mode, the device selects the optimum bandwidth channel.

Command Default

The default channel width is 20.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.3 This command was enhanced in this release with the inclusion of 160 MHz and best channel bandwidth modes.
8.9 This command was enhanced to support 802.11ax.

Usage Guidelines

This parameter can be configured only if the primary channel is statically assigned.


Caution


We recommend that you do not configure 40-MHz channels in the 2.4-GHz radio band because severe co-channel interference can occur.


Statically configuring an access point’s radio for 20-MHz or 40-MHz mode overrides the globally configured DCA channel width setting (configured by using the config advanced 802.11 channel dca chan-width command). If you change the static configuration back to global on the access point radio, the global DCA configuration overrides the channel width configuration that the access point was previously using.

Examples

The following example shows how to configure the channel width for access point AP01 on an 802.11 network using 40-MHz channels:


(Cisco Controller) >config 802.11a chan_width AP01 40

config 802.11 cleanair device

To configure CleanAir interference device types, use the config 802.11 cleanair device command.

config 802.11{ a | b} cleanair device { enable | disable | reporting { enable | disable}} device_type

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables the CleanAir reporting for the interference device type.

disable

Disables the CleanAir reporting for the interference device type.

reporting

Configures CleanAir interference device reporting.

enable

Enables the 5-GHz CleanAir interference devices reporting.

disable

Disables the 5-GHz CleanAir interference devices reporting.

device_type

Interference device type. The device types are as follows:

  • 802.11-nonstd—Devices using nonstandard Wi-Fi channels.

  • 802.11-inv—Devices using spectrally inverted Wi-Fi signals.

  • superag—802.11 SuperAG devices.

  • all—All interference device types.

  • cont-tx—Continuous Transmitter.

  • dect-like—Digital Enhanced Cordless Communication (DECT) like phone.

  • tdd-tx—TDD Transmitter.

  • jammer—Jammer.

  • canopy—Canopy devices.

  • video—Video cameras.

  • wimax-mobile—WiMax Mobile.

  • wimax-fixed—WiMax Fixed.

Command Default

By default, CleanAir reporting for the interference device type is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the CleanAir reporting for the device type jammer:


(Cisco Controller) > config 802.11a cleanair device enable jammer

The following example shows how to disable the CleanAir reporting for the device type video:


(Cisco Controller) > config 802.11a cleanair device disable video

The following example shows how to enable the CleanAir interference device reporting:


(Cisco Controller) > config 802.11a cleanair device reporting enable

config 802.11 cleanair alarm

To configure the triggering of the air quality alarms, use the config 802.11 cleanair alarm command.

config 802.11{ a | b} cleanair alarm { air-quality { disable | enable | threshold alarm_threshold } | device { disable device_type | enable device_type | reporting { disable | enable }} | unclassified { disable | enable | threshold alarm_threshold }}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

air-quality

Configures the 5-GHz air quality alarm.

disable

Disables the 5-GHz air quality alarm.

enable

Enables the 5-GHz air quality alarm.

threshold

Configures the 5-GHz air quality alarm threshold.

alarm_threshold

Air quality alarm threshold (1 is bad air quality, and 100 is good air quality).

device

Configures the 5-GHz CleanAir interference devices alarm.

all

Configures all the device types at once.

reporting

Configures the 5-GHz CleanAir interference devices alarm reporting.

unclassified

Configures the 5-GHz air quality alarm on exceeding unclassified category severity.

device_type

Device types. The device types are as follows:

  • 802.11-nonstd—Devices using nonstandard Wi-Fi channels.

  • 802.11-inv—Devices using spectrally inverted Wi-Fi signals.

  • superag—802.11 SuperAG devices.

  • all—All interference device types.

  • cont-tx—Continuous Transmitter.

  • dect-like—Digital Enhanced Cordless Communication (DECT) like phone.

  • tdd-tx—TDD Transmitter.

  • jammer—Jammer.

  • canopy—Canopy devices.

  • video—Video cameras.

  • wimax-mobile—WiMax Mobile.

  • wimax-fixed—WiMax Fixed.

Command Default

The default setting for 5-GHz air quality alarm is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the CleanAir alarm to monitor the air quality:


(Cisco Controller) > config 802.11a cleanair alarm air-quality enable

The following example shows how to enable the CleanAir alarm for the device type video:


(Cisco Controller) > config 802.11a cleanair alarm device enable video

The following example shows how to enable alarm reporting for the CleanAir interference devices:


(Cisco Controller) > config 802.11a cleanair alarm device reporting enable
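
The following added example (not part of the Cisco documentation) checks a batch of config 802.11 cleanair device and config 802.11 cleanair alarm commands against the syntax and device types listed above before the batch is sent to a controller, and reports which required interference device types, such as jammer, the batch does not leave enabled for both reporting and alarms. The batch contents, the function names, and the treatment of the reporting keyword as a prerequisite switch are assumptions made for illustration.

```python
import re

# Interference device types listed on this page for the cleanair commands.
DEVICE_TYPES = frozenset({
    "802.11-nonstd", "802.11-inv", "superag", "cont-tx", "dect-like", "tdd-tx",
    "jammer", "canopy", "video", "wimax-mobile", "wimax-fixed",
})
LINE = re.compile(r"^config 802\.11([ab]) cleanair (device|alarm)\s+(.+)$")
SWITCH = ("enable", "disable")


def _switch_or_threshold(args, line):
    """Parse the tail of 'alarm air-quality' or 'alarm unclassified'."""
    if len(args) == 1 and args[0] in SWITCH:
        return (args[0], None)
    if len(args) == 2 and args[0] == "threshold" and args[1].isdigit():
        value = int(args[1])
        if 1 <= value <= 100:  # page: 1 is bad air quality, 100 is good
            return ("threshold", value)
    raise ValueError(f"bad arguments: {line!r}")


def parse(line):
    """Return (band, feature, target, action, value) for one command.

    feature is 'report' for 'cleanair device ...' and 'alarm' for
    'cleanair alarm ...'. Raises ValueError for anything outside the
    syntax shown on this page.
    """
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a cleanair device/alarm command: {line!r}")
    band, kind, args = m.group(1), m.group(2), m.group(3).split()
    feature = "report" if kind == "device" else "alarm"
    if kind == "alarm":
        head, args = args[0], args[1:]
        if head in ("air-quality", "unclassified"):
            return (band, feature, head) + _switch_or_threshold(args, line)
        if head != "device":
            raise ValueError(f"unknown alarm keyword {head!r}")
    # Remaining forms: reporting {enable|disable}, {enable|disable} device_type
    if len(args) == 2 and args[0] == "reporting" and args[1] in SWITCH:
        return (band, feature, "reporting", args[1], None)
    if len(args) == 2 and args[0] in SWITCH:
        if args[1] != "all" and args[1] not in DEVICE_TYPES:
            raise ValueError(f"unknown device_type {args[1]!r}")
        return (band, feature, args[1], args[0], None)
    raise ValueError(f"bad arguments: {line!r}")


def uncovered(lines, band, required):
    """Replay a batch in order and return {device_type: [missing features]}.

    A type counts as covered for a feature only if the batch itself enables
    it and also enables the matching 'reporting' switch (assumption: that
    switch is a prerequisite). Controller defaults are not assumed.
    """
    enabled = {"report": set(), "alarm": set()}
    switch = {"report": None, "alarm": None}
    for line in lines:
        b, feature, target, action, _ = parse(line)
        if b != band or target in ("air-quality", "unclassified"):
            continue
        if target == "reporting":
            switch[feature] = action
            continue
        types = DEVICE_TYPES if target == "all" else {target}
        if action == "enable":
            enabled[feature] |= types
        else:
            enabled[feature] -= types
    gaps = {}
    for dev in required:
        missing = [f for f in ("report", "alarm")
                   if dev not in enabled[f] or switch[f] != "enable"]
        if missing:
            gaps[dev] = missing
    return gaps


# Constructed sample batch, not taken from a real controller.
BATCH = [
    "config 802.11a cleanair device reporting enable",
    "config 802.11a cleanair device enable jammer",
    "config 802.11a cleanair device enable cont-tx",
    "config 802.11a cleanair alarm device reporting enable",
    "config 802.11a cleanair alarm device enable jammer",
    "config 802.11a cleanair alarm air-quality threshold 35",
    "config 802.11b cleanair device enable jammer",
]

if __name__ == "__main__":
    print("5 GHz gaps:", uncovered(BATCH, "a", ["jammer", "cont-tx"]))
    print("2.4 GHz gaps:", uncovered(BATCH, "b", ["jammer"]))
```
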

Configure 802.11 CAC Commands

Use the config 802.11 cac commands to configure Call Admission Control (CAC) protocol settings.

config 802.11 cac defaults

To configure the default Call Admission Control (CAC) parameters for the 802.11a and 802.11b/g network, use the config 802.11 cac defaults command.

config 802.11 { a | b} cac defaults

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

Usage Guidelines

CAC commands for video applications on the 802.11a or 802.11b/g network require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Gold.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to configure the default CAC parameters for the 802.11a network:

(Cisco Controller) > config 802.11a cac defaults

config 802.11 cac video acm

To enable or disable video Call Admission Control (CAC) for the 802.11a or 802.11b/g network, use the config 802.11 cac video acm command.

config 802.11{ a | b} cac video acm { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables video CAC settings.

disable

Disables video CAC settings.

Command Default

The default video CAC setting for the 802.11a or 802.11b/g network is disabled.

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b} disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the video CAC for the 802.11a network:


(Cisco Controller) > config 802.11a cac video acm enable

The following example shows how to disable the video CAC for the 802.11b network:


(Cisco Controller) > config 802.11b cac video acm disable

config 802.11 cac video cac-method

To configure the Call Admission Control (CAC) method for video applications on the 802.11a or 802.11b/g network, use the config 802.11 cac video cac-method command.

config 802.11 { a | b} cac video cac-method { static | load-based}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

static

Enables the static CAC method for video applications on the 802.11a or 802.11b/g network.

Static or bandwidth-based CAC enables the client to specify how much bandwidth or shared medium time is required to accept a new video request and in turn enables the access point to determine whether it is capable of accommodating the request.

load-based

Enables the load-based CAC method for video applications on the 802.11a or 802.11b/g network.

Load-based or dynamic CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by collocated channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment. The access point admits a new call only if the channel has enough unused bandwidth to support that call.

Load-based CAC is not supported if SIP-CAC is enabled.

Command Default

Static.

Usage Guidelines

CAC commands for video applications on the 802.11a or 802.11b/g network require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Gold.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Video CAC consists of two parts: Unicast Video-CAC and MC2UC CAC. If you need only Unicast Video-CAC, you must configure only static mode. If you need only MC2UC CAC, you must configure Static or Load-based CAC. Load-based CAC is not supported if SIP-CAC is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to enable the static CAC method for video applications on the 802.11a network:

(Cisco Controller) > config 802.11a cac video cac-method static

config 802.11 cac video load-based

To enable or disable load-based Call Admission Control (CAC) for video applications on the 802.11a or 802.11b/g network, use the config 802.11 cac video load-based command.

config 802.11 { a | b} cac video load-based { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables load-based CAC for video applications on the 802.11a or 802.11b/g network.

Load-based or dynamic CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by collocated channel interference. Load-based CAC also covers the additional bandwidth consumption results from PHY and channel impairment. The access point admits a new call only if the channel has enough unused bandwidth to support that call.

disable

Disables load-based CAC method for video applications on the 802.11a or 802.11b/g network.

Command Default

Disabled.

Usage Guidelines

CAC commands for video applications on the 802.11a or 802.11b/g network require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Gold.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Video CAC consists of two parts: Unicast Video-CAC and MC2UC CAC. If you need only Unicast Video-CAC, you must configure only static mode. If you need only MC2UC CAC, you must configure Static or Load-based CAC. Load-based CAC is not supported if SIP-CAC is enabled.


Note


Load-based CAC is not supported if SIP-CAC is enabled.


Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to enable load-based CAC method for video applications on the 802.11a network:

(Cisco Controller) > config 802.11a cac video load-based enable

config 802.11 cac video max-bandwidth

To set the percentage of the maximum bandwidth allocated to clients for video applications on the 802.11a or 802.11b/g network, use the config 802.11 cac video max-bandwidth command.

config 802.11{ a | b} cac video max-bandwidth bandwidth

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

bandwidth

Bandwidth percentage value from 5 to 85%.

Command Default

The default maximum bandwidth allocated to clients for video applications on the 802.11a or 802.11b/g network is 0%.

Usage Guidelines

The maximum radio frequency (RF) bandwidth cannot exceed 85% for voice and video. Once the client reaches the value specified, the access point rejects new calls on this network.


Note


If this parameter is set to zero (0), the controller assumes that you do not want to allocate any bandwidth and allows all bandwidth requests.


Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the percentage of the maximum allocated bandwidth for video applications on the selected radio band:


(Cisco Controller) > config 802.11 cac video max-bandwidth 50

config 802.11 cac media-stream

To configure media stream Call Admission Control (CAC) voice and video quality parameters for 802.11a and 802.11b networks, use the config 802.11 cac media-stream command.

config 802.11 { a | b} cac media-stream multicast-direct { max-retry-percent retry-percentage | min-client-rate dot11-rate}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

multicast-direct

Configures CAC parameters for multicast-direct media streams.

max-retry-percent

Configures the percentage of maximum retries that are allowed for multicast-direct media streams.

retry-percentage

Percentage of maximum retries that are allowed for multicast-direct media streams.

min-client-rate

Configures the minimum transmission data rate to the client for multicast-direct media streams.

dot11-rate

Minimum transmission data rate to the client for multicast-direct media streams. Rate in kbps at which the client can operate.

If the transmission data rate is below this rate, either the video will not start or the client may be classified as a bad client. The bad client's video can be demoted to best-effort QoS or be subject to denial. The available data rates are 6000, 9000, 12000, 18000, 24000, 36000, 48000, 54000, and 11n rates.

Command Default

The default value for the maximum retry percent is 80. If it exceeds 80, either the video will not start or the client might be classified as a bad client. The bad client's video will be demoted to best-effort QoS or be subject to denial.

Usage Guidelines

CAC commands for video applications on the 802.11a or 802.11b/g network require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Gold.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the maximum retry percent for multicast-direct media streams as 90 on an 802.11a network:

(Cisco Controller) > config 802.11a cac media-stream multicast-direct max-retry-percent 90

config 802.11 cac multimedia

To configure the CAC media voice and video quality parameters for 802.11a and 802.11b networks, use the config 802.11 cac multimedia command.

config 802.11 { a | b} cac multimedia max-bandwidth bandwidth

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

max-bandwidth

Configures the percentage of maximum bandwidth allocated to Wi-Fi Multimedia (WMM) clients for voice and video applications on the 802.11a or 802.11b/g network.

bandwidth

Percentage of the maximum bandwidth allocated to WMM clients for voice and video applications on the 802.11a or 802.11b/g network. Once the client reaches the specified value, the access point rejects new calls on this radio band. The range is from 5 to 85%.

Command Default

The default maximum bandwidth allocated to Wi-Fi Multimedia (WMM) clients for voice and video applications on the 802.11a or 802.11b/g network is 85%.

Usage Guidelines

Call Admission Control (CAC) commands for video applications on the 802.11a or 802.11b/g network require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Gold.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the percentage of the maximum bandwidth allocated to WMM clients for voice and video applications on the 802.11a network:

(Cisco Controller) > config 802.11a cac multimedia max-bandwidth 80

config 802.11 cac voice roam-bandwidth

To configure the percentage of the Call Admission Control (CAC) maximum allocated bandwidth reserved for roaming voice clients on the 802.11a or 802.11b/g network, use the config 802.11 cac voice roam-bandwidth command.

config 802.11{ a | b} cac voice roam-bandwidth bandwidth

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

bandwidth

Bandwidth percentage value from 0 to 85%.

Command Default

The default CAC maximum allocated bandwidth reserved for roaming voice clients on the 802.11a or 802.11b/g network is 85%.

Usage Guidelines

The maximum radio frequency (RF) bandwidth cannot exceed 85% for voice and video. The controller reserves the specified bandwidth from the maximum allocated bandwidth for roaming voice clients.


Note


If this parameter is set to zero (0), the controller assumes you do not want to allocate any bandwidth and therefore allows all bandwidth requests.


CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the percentage of the maximum allocated bandwidth reserved for roaming voice clients on the selected radio band:


(Cisco Controller) > config 802.11 cac voice roam-bandwidth 10

config 802.11 cac video sip

To enable or disable video Call Admission Control (CAC) for non-traffic specification (non-TSPEC) SIP clients using video applications on the 802.11a or 802.11b/g network, use the config 802.11 cac video sip command.

config 802.11 { a | b} cac video sip { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables video CAC for non-TSPEC SIP clients using video applications on the 802.11a or 802.11b/g network.

When you enable video CAC for non-TSPEC SIP clients, you can use applications like FaceTime and Cius video calls.

disable

Disables video CAC for non-TSPEC SIP clients using video applications on the 802.11a or 802.11b/g network.

Command Default

None

Usage Guidelines

CAC commands for video applications on the 802.11a or 802.11b/g network require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Gold.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11 {a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable command.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

  • Enable call snooping on the WLAN on which the SIP client is present by entering the config wlan call-snoop enable wlan_id command.

Examples

The following example shows how to enable video CAC for non-TSPEC SIP clients using video applications on the 802.11a network:


(Cisco Controller) > config 802.11a cac video sip enable

config 802.11 cac video tspec-inactivity-timeout

To process or ignore the Call Admission Control (CAC) Wi-Fi Multimedia (WMM) traffic specifications (TSPEC) inactivity timeout received from an access point, use the config 802.11 cac video tspec-inactivity-timeout command.

config 802.11{ a | b} cac video tspec-inactivity-timeout { enable | ignore}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Processes the TSPEC inactivity timeout messages.

ignore

Ignores the TSPEC inactivity timeout messages.

Command Default

The default CAC WMM TSPEC inactivity timeout received from an access point is disabled (ignore).

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Examples

This example shows how to process the response to TSPEC inactivity timeout messages received from an access point:


(Cisco Controller) > config 802.11a cac video tspec-inactivity-timeout enable

This example shows how to ignore the response to TSPEC inactivity timeout messages received from an access point:


(Cisco Controller) > config 802.11a cac video tspec-inactivity-timeout ignore

config 802.11 cac voice acm

To enable or disable bandwidth-based voice Call Admission Control (CAC) for the 802.11a or 802.11b/g network, use the config 802.11 cac voice acm command.

config 802.11{ a | b} cac voice acm { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables the bandwidth-based CAC.

disable

Disables the bandwidth-based CAC.

Command Default

The default bandwidth-based voice CAC for the 802.11a or 802.11b/g network is disabled.

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Examples

This example shows how to enable the bandwidth-based CAC:


(Cisco Controller) > config 802.11a cac voice acm enable

This example shows how to disable the bandwidth-based CAC:


(Cisco Controller) > config 802.11b cac voice acm disable

config 802.11 cac voice max-bandwidth

To set the percentage of the maximum bandwidth allocated to clients for voice applications on the 802.11a or 802.11b/g network, use the config 802.11 cac voice max-bandwidth command.

config 802.11{ a | b} cac voice max-bandwidth bandwidth

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

bandwidth

Bandwidth percentage value from 5 to 85%.

Command Default

The default maximum bandwidth allocated to clients for voice applications on the 802.11a or 802.11b/g network is 0%.

Usage Guidelines

The maximum radio frequency (RF) bandwidth cannot exceed 85% for voice and video. Once the client reaches the value specified, the access point rejects new calls on this network.

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the percentage of the maximum allocated bandwidth for voice applications on the selected radio band:


(Cisco Controller) > config 802.11a cac voice max-bandwidth 50
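The constraints stated in the video and voice CAC entries above (band selector a or b, percentage ranges, the load-based/SIP-CAC exclusion, the 85% RF ceiling, and a video max-bandwidth of 0 allowing all requests) can be checked on a change script before it reaches the controller. The following Python linter is an added example, not Cisco code: the name audit_cac, the finding codes and the sample command list are constructed here, and it assumes the 85% ceiling applies to voice and video combined.

```python
import re
from collections import defaultdict

# Percentage ranges from the syntax descriptions on this page.
RANGES = {
    ("video", "max-bandwidth"): (5, 85),
    ("voice", "max-bandwidth"): (5, 85),
    ("multimedia", "max-bandwidth"): (5, 85),
    ("voice", "roam-bandwidth"): (0, 85),
}
# Assumption: the 85% RF ceiling is read as voice + video combined.
COMBINED_CEILING = 85

PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")
CMD = re.compile(r"^config\s+802\.11(?P<band>\S*)\s+cac\s+(?P<rest>.+)$")


def audit_cac(lines):
    """Return (where, code, message) findings for a list of CAC commands."""
    state = defaultdict(dict)  # band -> {(traffic class, setting): value}
    findings = []

    for number, raw in enumerate(lines, 1):
        match = CMD.match(PROMPT.sub("", raw.strip()))
        if not match:
            continue  # not a CAC command; out of scope for this check
        where = f"line {number}"
        band, words = match.group("band"), match.group("rest").split()
        if band not in ("a", "b"):
            findings.append((where, "band", f"band must be a or b, got {band!r}"))
            continue
        if len(words) < 3:
            continue
        cls, key, arg = words[0], words[1], words[2]

        if (cls, key) in RANGES:
            low, high = RANGES[(cls, key)]
            if not arg.isdigit() or not low <= int(arg) <= high:
                findings.append(
                    (where, "range", f"{cls} {key} {arg}: allowed {low}-{high}%"))
            else:
                state[band][(cls, key)] = int(arg)
        elif key == "cac-method":
            # cac-method load-based selects load-based CAC, static clears it.
            state[band][(cls, "load-based")] = arg == "load-based"
        elif key in ("acm", "load-based", "sip") and arg in ("enable", "disable"):
            state[band][(cls, key)] = arg == "enable"

    # Cross-command checks, evaluated per radio band.
    for band in sorted(state):
        s, where = state[band], f"802.11{band}"
        if s.get(("video", "load-based")) and s.get(("video", "sip")):
            findings.append((where, "sip-conflict",
                             "load-based video CAC is not supported with SIP-CAC enabled"))
        total = (s.get(("voice", "max-bandwidth"), 0)
                 + s.get(("video", "max-bandwidth"), 0))
        if total > COMBINED_CEILING:
            findings.append((where, "ceiling",
                             f"voice + video = {total}%, above {COMBINED_CEILING}%"))
        if s.get(("video", "acm")) and not s.get(("video", "max-bandwidth")):
            findings.append((where, "uncapped",
                             "video ACM on with max-bandwidth at 0: all requests are allowed"))
    return findings


# Constructed sample change script (not taken from a real controller).
SAMPLE = [
    "(Cisco Controller) > config 802.11 cac video acm enable",  # no band selector
    "config 802.11a cac video acm enable",
    "config 802.11a cac video cac-method load-based",
    "config 802.11a cac video sip enable",
    "config 802.11a cac video max-bandwidth 50",
    "config 802.11a cac voice max-bandwidth 50",
    "config 802.11b cac video acm enable",
    "config 802.11b cac voice roam-bandwidth 90",
]

if __name__ == "__main__":
    for where, code, message in audit_cac(SAMPLE):
        print(f"{where:8} {code:13} {message}")
```
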

config 802.11 cac voice tspec-inactivity-timeout

To process or ignore the Wi-Fi Multimedia (WMM) traffic specifications (TSPEC) inactivity timeout received from an access point, use the config 802.11 cac voice tspec-inactivity-timeout command.

config 802.11{ a | b} cac voice tspec-inactivity-timeout { enable | ignore}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Processes the TSPEC inactivity timeout messages.

ignore

Ignores the TSPEC inactivity timeout messages.

Command Default

The default WMM TSPEC inactivity timeout received from an access point is disabled (ignore).

Usage Guidelines

Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the voice TSPEC inactivity timeout messages received from an access point:



(Cisco Controller) > config 802.11 cac voice tspec-inactivity-timeout enable

config 802.11 cac voice load-based

To enable or disable load-based Call Admission Control (CAC) for the 802.11a or 802.11b/g network, use the config 802.11 cac voice load-based command.

config 802.11{ a | b} cac voice load-based { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables load-based CAC.

disable

Disables load-based CAC.

Command Default

The default load-based CAC for the 802.11a or 802.11b/g network is disabled.

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the voice load-based CAC parameters:


(Cisco Controller) > config 802.11a cac voice load-based enable

The following example shows how to disable the voice load-based CAC parameters:


(Cisco Controller) > config 802.11a cac voice load-based disable

config 802.11 cac voice max-calls


Note


Do not use the config 802.11 cac voice max-calls command if the SIP call snooping feature is disabled and if the SIP based Call Admission Control (CAC) requirements are not met.


To configure the maximum number of voice calls supported by the radio, use the config 802.11 cac voice max-calls command.

config 802.11{ a | b} cac voice max-calls number

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

number

Number of calls to be allowed per radio.

Command Default

The default maximum number of voice calls supported by the radio is 0, which means that there is no maximum limit check for the number of calls.

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the maximum number of voice calls supported by the radio:


(Cisco Controller) > config 802.11 cac voice max-calls 10

config 802.11 cac voice sip bandwidth


Note


SIP bandwidth and sample intervals are used to compute per call bandwidth for the SIP-based Call Admission Control (CAC).


To configure the bandwidth that is required per call for the 802.11a or 802.11b/g network, use the config 802.11 cac voice sip bandwidth command.

config 802.11{ a | b} cac voice sip bandwidth bw_kbps sample-interval number_msecs

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

bw_kbps

Bandwidth in kbps.

sample-interval

Specifies the packetization interval for SIP codec.

number_msecs

Packetization sample interval in msecs. The sample interval for SIP codec is 20 seconds.

Command Default

None

Usage Guidelines

CAC commands require that the WLAN you are planning to modify is configured for the Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the bandwidth and voice packetization interval for a SIP codec:


(Cisco Controller) > config 802.11 cac voice sip bandwidth 10 sample-interval 40

config 802.11 cac voice sip codec

To configure the Call Admission Control (CAC) codec name and sample interval as parameters and to calculate the required bandwidth per call for the 802.11a or 802.11b/g network, use the config 802.11 cac voice sip codec command.

config 802.11{ a | b} cac voice sip codec { g711 | g729} sample-interval number_msecs

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

g711

Specifies CAC parameters for the SIP G711 codec.

g729

Specifies CAC parameters for the SIP G729 codec.

sample-interval

Specifies the packetization interval for SIP codec.

number_msecs

Packetization interval in msecs. The sample interval value for the SIP codec is 20 seconds.

Command Default

The default CAC codec parameter is g711.

Usage Guidelines

CAC commands require that the WLAN you are planning to modify be configured for the Wi-Fi Multimedia (WMM) protocol and that the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the codec name and sample interval as parameters for SIP G711 codec:


(Cisco Controller) >  config 802.11a cac voice sip codec g711 sample-interval 40

This example shows how to configure the codec name and sample interval as parameters for SIP G729 codec:


(Cisco Controller) > config 802.11a cac voice sip codec g729 sample-interval 40

config 802.11 cac voice stream-size

To configure the number of aggregated voice Wi-Fi Multimedia (WMM) traffic specification (TSPEC) streams at a specified data rate for the 802.11a or 802.11b/g network, use the config 802.11 cac voice stream-size command.

config 802.11{ a | b} cac voice stream-size stream_size number mean_datarate max-streams mean_datarate

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

stream-size

Configures the maximum data rate for the stream.

stream_size

Range of stream size is between 84000 and 92100.

number

Number (1 to 5) of voice streams.

mean_datarate

Configures the mean data rate.

max-streams

Configures the mean data rate of a voice stream.

mean_datarate

Mean data rate (84 to 91.2 kbps) of a voice stream.

Command Default

The default number of streams is 2 and the mean data rate of a stream is 84 kbps.

Usage Guidelines

Call Admission Control (CAC) commands require that the WLAN you are planning to modify be configured for the Wi-Fi Multimedia (WMM) protocol and that the quality of service (QoS) level be set to Platinum.

Before you can configure CAC parameters on a network, you must complete the following prerequisites:

  • Disable all WLANs with WMM enabled by entering the config wlan disable wlan_id command.

  • Disable the radio network you want to configure by entering the config 802.11{a | b}  disable network command.

  • Save the new configuration by entering the save config command.

  • Enable voice or video CAC for the network you want to configure by entering the config 802.11{a | b} cac voice acm enable or config 802.11{a | b} cac video acm enable commands.

    For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco Wireless LAN Controller Configuration Guide for your release.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the number of aggregated voice traffic specification streams with the stream size 5 and the mean data rate of 85000 kbps:


(Cisco Controller) > config 802.11 cac voice stream-size 5 max-streams size 85

Config 802.11 Commands

Use the config 802.11 commands to configure settings for an 802.11 network.

config 802.11 beacon period

To change the beacon period globally for an 802.11a, 802.11b, or other supported 802.11 network, use the config 802.11 beacon period command.

config 802.11{ a | b} beacon period time_units


Note


Disable the 802.11 network before using this command. See the “Usage Guidelines” section.


Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

time_units

Beacon interval in time units (TU). One TU is 1024 microseconds.

Command Default

None

Usage Guidelines

In Cisco wireless LAN solution 802.11 networks, all Cisco lightweight access point wireless LANs broadcast a beacon at regular intervals. This beacon notifies clients that the 802.11a service is available and allows the clients to synchronize with the lightweight access point.

Before you change the beacon period, make sure that you have disabled the 802.11 network by using the config 802.11 disable command. After changing the beacon period, enable the 802.11 network by using the config 802.11 enable command.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to configure an 802.11a network for a beacon period of 120 time units:


(Cisco Controller) > config 802.11a beacon period 120

config 802.11 beamforming

To enable or disable Beamforming (ClientLink) on the network or on individual radios, enter the config 802.11 beamforming command.

config 802.11{ a | b} beamforming { global | ap ap_name} { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

global

Specifies all lightweight access points.

ap ap_name

Specifies the Cisco access point name.

enable

Enables beamforming.

disable

Disables beamforming.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable Beamforming on the network, it is automatically enabled for all the radios applicable to that network type.

Follow these guidelines for using Beamforming:

  • Beamforming is supported only for legacy orthogonal frequency-division multiplexing (OFDM) data rates (6, 9, 12, 18, 24, 36, 48, and 54 Mbps).


    Note


    Beamforming is not supported for complementary-code keying (CCK) data rates (1, 2, 5.5, and 11 Mbps).


  • Beamforming is supported only on access points that support 802.11n (AP1250 and AP1140).

  • Two or more antennas must be enabled for transmission.

  • All three antennas must be enabled for reception.

  • OFDM rates must be enabled.

    If the antenna configuration restricts operation to a single transmit antenna, or if OFDM rates are disabled, Beamforming is not used.

Examples

The following example shows how to enable Beamforming on the 802.11a network:

(Cisco Controller) >config 802.11a beamforming global enable

config 802.11 channel

To configure an 802.11 network or a single access point for automatic or manual channel selection, use the config 802.11 channel command.

config 802.11{ a | b} channel { global [ auto | once | off | restart]} | ap { ap_name [ global | channel]}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

global

Specifies the 802.11a operating channel that is automatically set by RRM and overrides the existing configuration setting.

auto

(Optional) Specifies that the channel is automatically set by Radio Resource Management (RRM) for the 802.11a radio.

once

(Optional) Specifies that the channel is automatically set once by RRM.

off

(Optional) Specifies that the automatic channel selection by RRM is disabled.

restart

(Optional) Restarts the aggressive DCA cycle.

ap_name

Access point name.

channel

Manual channel number to be used by the access point. The supported channels depend on the specific access point used and the regulatory region.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When configuring 802.11 channels for a single lightweight access point, enter the config 802.11 disable command to disable the 802.11 network. Enter the config 802.11 channel command to set automatic channel selection by Radio Resource Management (RRM) or manually set the channel for the 802.11 radio, and enter the config 802.11 enable command to enable the 802.11 network.


Note


See the Channels and Maximum Power Settings for Cisco Aironet Lightweight Access Points document for the channels supported by your access point. The power levels and available channels are defined by the country code setting and are regulated on a country-by-country basis.


Examples

The following example shows how to have RRM automatically configure the 802.11a channels based on availability and interference:

(Cisco Controller) >config 802.11a channel global auto

The following example shows how to configure the 802.11b channels one time based on the availability and interference:

(Cisco Controller) >config 802.11b channel global once

The following example shows how to turn 802.11a automatic channel configuration off:

(Cisco Controller) >config 802.11a channel global off

The following example shows how to configure the 802.11b channels in access point AP01 for automatic channel configuration:

(Cisco Controller) >config 802.11b channel ap AP01 global

The following example shows how to configure the 802.11a channel 36 in access point AP01 as the default channel:

(Cisco Controller) >config 802.11a channel ap AP01 36

config 802.11 channel ap

To set the operating radio channel for an access point, use the config 802.11 channel ap command.

config 802.11{ a | b} channel ap cisco_ap { global | channel_no}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

cisco_ap

Name of the Cisco access point.

global

Enables auto-RF on the designated access point.

channel_no

Default channel from 1 to 26, inclusive.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable auto-RF for access point AP01 on an 802.11b network:

(Cisco Controller) >config 802.11b channel ap AP01 global

config 802.11 chan_width

To configure the channel width for a particular access point, use the config 802.11 chan_width command.

config 802.11{ a | b} chan_width cisco_ap { 20 | 40 | 80 | 160 | best}

Syntax Description

a

Configures the 802.11a radio on slot 1 and 802.11ac/ax radio on slot 2.

b

Specifies the 802.11b/g radio.

cisco_ap

Access point.

20

Allows the radio to communicate using only 20-MHz channels.

Choose this option for legacy 802.11a radios, 20-MHz 802.11n radios, or 40-MHz 802.11n radios that you want to operate using only 20-MHz channels.

40

Allows 40-MHz 802.11n radios to communicate using two adjacent 20-MHz channels bonded together.

80

Allows 80-MHz 802.11ac/ax radios to communicate using two adjacent 40-MHz channels bonded together.

160

Allows 160-MHz 802.11ac/ax radios to communicate.

best

In this mode, the device selects the optimum bandwidth channel.

Command Default

The default channel width is 20.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.3 This command was enhanced in this release with the inclusion of 160 MHz and best channel bandwidth modes.
8.9 This command was enhanced to support 802.11ax.

Usage Guidelines

This parameter can be configured only if the primary channel is statically assigned.


Caution


We recommend that you do not configure 40-MHz channels in the 2.4-GHz radio band because severe co-channel interference can occur.


Statically configuring an access point’s radio for 20-MHz or 40-MHz mode overrides the globally configured DCA channel width setting (configured by using the config advanced 802.11 channel dca chan-width command). If you change the static configuration back to global on the access point radio, the global DCA configuration overrides the channel width configuration that the access point was previously using.

Examples

The following example shows how to configure the channel width for access point AP01 on an 802.11 network using 40-MHz channels:


(Cisco Controller) >config 802.11a chan_width AP01 40

config 802.11 disable

To disable radio transmission for an entire 802.11 network or for an individual Cisco radio, use the config 802.11 disable command.

config 802.11{ a | b} disable { network | cisco_ap}

Syntax Description

a

Configures the 802.11a radio on slot 1 and the 802.11ac/ax radio on slot 2.

b

Specifies the 802.11b/g network.

network

Disables transmission for the entire 802.11a network.

cisco_ap

Individual Cisco lightweight access point radio.

Command Default

The transmission is enabled for the entire network by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

  • You must use this command to disable the network before using many config 802.11 commands.
  • This command can be used any time that the CLI interface is active.

Examples

The following example shows how to disable the entire 802.11a network:

(Cisco Controller) >config 802.11a disable network

The following example shows how to disable access point AP01 802.11b transmissions:

(Cisco Controller) >config 802.11b disable AP01

config 802.11 dtpc

To enable or disable the Dynamic Transmit Power Control (DTPC) setting for an 802.11 network, use the config 802.11 dtpc command.

config 802.11{ a | b} dtpc { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables the support for this command.

disable

Disables the support for this command.

Command Default

The default DTPC setting for an 802.11 network is enabled.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable DTPC for an 802.11a network:


(Cisco Controller) > config 802.11a dtpc disable

config 802.11 enable

To enable radio transmission for an entire 802.11 network or for an individual Cisco radio, use the config 802.11 enable command.

config 802.11{ a | b} enable { network | cisco_ap}

Syntax Description

a

Configures the 802.11a radio on slot 1 and the 802.11ac/ax radio on slot 2.

b

Specifies the 802.11b/g network.

network

Enables transmission for the entire 802.11a network.

cisco_ap

Individual Cisco lightweight access point radio.

Command Default

The transmission is enabled for the entire network by default.

Usage Guidelines

Use this command with the config 802.11 disable command when configuring 802.11 settings.

This command can be used any time that the CLI interface is active.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable radio transmission for the entire 802.11a network:


(Cisco Controller) > config 802.11a enable network

The following example shows how to enable radio transmission for AP1 on an 802.11b network:


(Cisco Controller) > config 802.11b enable AP1

config 802.11 exp-bwreq

To enable or disable the Cisco Client eXtension (CCX) version 5 expedited bandwidth request feature for an 802.11 radio, use the config 802.11 exp-bwreq command.

config 802.11{ a | b} exp-bwreq { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables the expedited bandwidth request feature.

disable

Disables the expedited bandwidth request feature.

Command Default

The expedited bandwidth request feature is disabled by default.

Usage Guidelines

When this command is enabled, the controller configures all joining access points for this feature.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the CCX expedited bandwidth settings:


(Cisco Controller) > config 802.11a exp-bwreq enable
Cannot change Exp Bw Req mode while 802.11a network is operational.

The following example shows how to disable the CCX expedited bandwidth settings:


(Cisco Controller) > config 802.11a exp-bwreq disable

config 802.11 fragmentation

To configure the fragmentation threshold on an 802.11 network, use the config 802.11 fragmentation command.

config 802.11{ a | b} fragmentation threshold


Note


This command can only be used when the network is disabled using the config 802.11 disable command.


Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

threshold

Number between 256 and 2346 bytes (inclusive).

Command Default

None.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to configure the fragmentation threshold on an 802.11a network with the threshold number of 6500 bytes:


(Cisco Controller) > config 802.11a fragmentation 6500

config 802.11 l2roam rf-params

To configure 802.11a or 802.11b/g Layer 2 client roaming parameters, use the config 802.11 l2roam rf-params command.

config 802.11{ a | b} l2roam rf-params { default | custom min_rssi roam_hyst scan_thresh trans_time}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

default

Restores Layer 2 client roaming RF parameters to default values.

custom

Configures custom Layer 2 client roaming RF parameters.

min_rssi

Minimum received signal strength indicator (RSSI) that is required for the client to associate to the access point. If the client’s average received signal power dips below this threshold, reliable communication is usually impossible. Clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached. The valid range is –80 to –90 dBm, and the default value is –85 dBm.

roam_hyst

How much greater the signal strength of a neighboring access point must be in order for the client to roam to it. This parameter is intended to reduce the amount of roaming between access points if the client is physically located on or near the border between the two access points. The valid range is 2 to 4 dB, and the default value is 2 dB.

scan_thresh

Minimum RSSI that is allowed before the client should roam to a better access point. When the RSSI drops below the specified value, the client must be able to roam to a better access point within the specified transition time. This parameter also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when the RSSI is below the threshold. The valid range is –70 to –77 dBm, and the default value is –72 dBm.

trans_time

Maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client’s associated access point is below the scan threshold. The valid range is 1 to 10 seconds, and the default value is 5 seconds.

Note

For high-speed client roaming applications in outdoor mesh environments, we recommend that you set the transition time to 1 second.

Command Default

The default minimum RSSI is -85 dBm. The default signal strength of a neighboring access point is 2 dB. The default scan threshold value is -72 dBm. The default time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam is 5 seconds.

Usage Guidelines

For high-speed client roaming applications in outdoor mesh environments, we recommend that you set the trans_time to 1 second.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure custom Layer 2 client roaming parameters on an 802.11a network:


(Cisco Controller) > config 802.11a l2roam rf-params custom -80 2 -70 7

config 802.11 max-clients

To configure the maximum number of clients per access point, use the config 802.11 max-clients command.

config 802.11{ a | b} max-clients max-clients

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

max-clients

Configures the maximum number of client connections per access point.

max-clients

Maximum number of client connections per access point. The range is from 1 to 200.

Command Default

None

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the maximum number of clients at 22:


(Cisco Controller) > config 802.11 max-clients 22
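
A pre-change check for the argument ranges documented above for config 802.11 fragmentation, l2roam rf-params, and max-clients, given here as an added example (it is not Cisco code and not part of the original reference). The function names, finding messages, and sample lines are constructed for illustration; the check also catches two copy-paste problems, a missing a/b band suffix and typographic dashes used as minus signs.

```python
import re

PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")
BAND = re.compile(r"^802\.11[ab]$")
# En dash, em dash and Unicode minus: formatted documents often substitute
# these for the ASCII hyphen-minus that a CLI parser expects.
DASHES = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2212": "-"})

# (argument, minimum, maximum, unit) in the order "l2roam rf-params custom"
# takes them; the ranges are the ones given in the Syntax Description.
L2ROAM_CUSTOM = [
    ("min_rssi", -90, -80, " dBm"),
    ("roam_hyst", 2, 4, " dB"),
    ("scan_thresh", -77, -70, " dBm"),
    ("trans_time", 1, 10, " s"),
]


def _check_int(name, token, low, high, unit=""):
    """Return a one-item finding list if token is not an int in [low, high]."""
    try:
        value = int(token)
    except ValueError:
        return [f"{name}: {token!r} is not an integer"]
    if not low <= value <= high:
        return [f"{name}: {value} outside {low}..{high}{unit}"]
    return []


def lint(line):
    """Check one CLI line; return a list of findings (empty means none found).

    Only fragmentation, max-clients and l2roam rf-params are range-checked;
    other config 802.11 subcommands get the band and dash checks only.
    """
    findings = []
    text = PROMPT.sub("", line.strip())
    ascii_text = text.translate(DASHES)
    if ascii_text != text:
        findings.append("typographic dash in place of ASCII '-'")
    tokens = ascii_text.split()
    if len(tokens) < 3 or tokens[0] != "config" or not tokens[1].startswith("802.11"):
        return findings + ["not a config 802.11 command"]
    if not BAND.match(tokens[1]):
        findings.append(f"band: {tokens[1]!r} must be 802.11a or 802.11b")
    command, args = tokens[2], tokens[3:]

    if command == "fragmentation":
        if len(args) == 1:
            findings += _check_int("threshold", args[0], 256, 2346, " bytes")
        else:
            findings.append("fragmentation: expected exactly one threshold")
    elif command == "max-clients":
        if len(args) == 1:
            findings += _check_int("max-clients", args[0], 1, 200)
        else:
            findings.append("max-clients: expected exactly one value")
    elif command == "l2roam" and args[:1] == ["rf-params"]:
        if args[1:] == ["default"]:
            pass  # restores the defaults, nothing to range-check
        elif args[1:2] == ["custom"] and len(args) == 6:
            for (name, low, high, unit), token in zip(L2ROAM_CUSTOM, args[2:]):
                findings += _check_int(name, token, low, high, unit)
        else:
            findings.append(
                "l2roam rf-params: expected 'default' or 'custom' plus four values")
    return findings


# Constructed sample lines (not captured from a controller).
SAMPLE = [
    "(Cisco Controller) > config 802.11a fragmentation 4000",
    "(Cisco Controller) > config 802.11 l2roam rf-params custom \u201380 2 \u201370 7",
    "(Cisco Controller) > config 802.11a l2roam rf-params custom -80 2 -70 7",
    "(Cisco Controller) > config 802.11b max-clients 250",
    "config 802.11a l2roam rf-params custom -75 5 -72 5",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        result = lint(sample_line)
        print(sample_line)
        for finding in result or ["ok"]:
            print("    " + finding)
```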

config 802.11 multicast data-rate

To configure the minimum multicast data rate, use the config 802.11 multicast data-rate command.

config 802.11{ a | b} multicast data-rate data_rate [ ap ap_name | default]

Syntax Description

data_rate

Minimum multicast data rates. The options are 6, 9, 12, 18, 24, 36, 48, 54. Enter 0 to specify that APs will dynamically adjust the number of buffers allocated for multicast.

ap_name

Specific AP radio to configure at this data rate.

default

Configures all AP radios at this data rate.

Command Default

The default is 0 where the configuration is disabled and the multicast rate is the lowest mandatory data rate and unicast client data rate.

Usage Guidelines

When you configure the data rate without the AP name or default keyword, you globally reset all the APs to the new value and update the controller global default with this new data rate value. If you configure the data rate with the default keyword, you only update the controller global default value and do not reset the value of the APs that are already joined to the controller. The APs that join the controller after the new data rate value is set receive the new data rate value.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure minimum multicast data rate settings:


(Cisco Controller) > config 802.11 multicast data-rate 12

config 802.11 rate

To set mandatory and supported operational data rates for an 802.11 network, use the config 802.11 rate command.

config 802.11{ a | b} rate { disabled | mandatory | supported} rate

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

disabled

Disables a specific data rate.

mandatory

Specifies that a client must support the data rate in order to use the network.

supported

Specifies to allow any associated client that supports the data rate to use the network.

rate

Rate value of 6, 9, 12, 18, 24, 36, 48, or 54 Mbps.

Command Default

None

Usage Guidelines

The data rates set with this command are negotiated between the client and the Cisco wireless LAN controller. If the data rate is set to mandatory, the client must support it in order to use the network. If a data rate is set as supported by the Cisco wireless LAN controller, any associated client that also supports that rate may communicate with the Cisco lightweight access point using that rate. A client is not required to be able to use all the rates marked supported in order to associate.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set 12 Mbps as a mandatory rate on the 802.11b network:


(Cisco Controller) > config 802.11b rate mandatory 12

config 802.11 tsm

To enable or disable the video Traffic Stream Metric (TSM) option for the 802.11a or 802.11b/g network, use the config 802.11 tsm command.

config 802.11{ a | b} tsm { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables the video TSM settings.

disable

Disables the video TSM settings.

Command Default

By default, the TSM for the 802.11a or 802.11b/g network is disabled.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the video TSM option for the 802.11b/g network:


(Cisco Controller) > config 802.11b tsm enable

The following example shows how to disable the video TSM option for the 802.11b/g network:


(Cisco Controller) > config 802.11b tsm disable

config 802.11 txPower

To configure the transmit power level for all access points or a single access point in an 802.11 network, use the config 802.11 txPower command.

config 802.11{ a | b} txPower { global { power_level | auto | max | min | once } | ap cisco_ap}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

global

Configures the 802.11 transmit power level for all lightweight access points.

auto

(Optional) Specifies the power level is automatically set by Radio Resource Management (RRM) for the 802.11 Cisco radio.

once

(Optional) Specifies the power level is automatically set once by RRM.

power_level

(Optional) Manual Transmit power level number for the access point.

ap

Configures the 802.11 transmit power level for a specified lightweight access point.

ap_name

Access point name.

Command Default

The command default (global, auto) is for automatic configuration by RRM.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The supported power levels depend on the specific access point used and the regulatory region. For example, the 1240 series access point supports eight levels and the 1200 series access point supports six levels. See the Channels and Maximum Power Settings for Cisco Aironet Lightweight Access Points document for the maximum transmit power limits for your access point. The power levels and available channels are defined by the country code setting and are regulated on a country-by-country basis.

Examples

The following example shows how to automatically set the 802.11a radio transmit power level in all lightweight access points:


(Cisco Controller) > config 802.11a txPower auto

The following example shows how to manually set the 802.11b radio transmit power to level 5 for all lightweight access points:


(Cisco Controller) > config 802.11b txPower global 5

The following example shows how to automatically set the 802.11b radio transmit power for access point AP1:


(Cisco Controller) > config 802.11b txPower AP1 global

The following example shows how to manually set the 802.11a radio transmit power to power level 2 for access point AP1:


(Cisco Controller) > config 802.11b txPower AP1 2

Configure Advanced 802.11 Commands

Use the config advanced 802.11 commands to configure advanced settings and devices on 802.11a, 802.11b/g, or other supported 802.11 networks.

config advanced 802.11 7920VSIEConfig

To configure the Cisco unified wireless IP phone 7920 VSIE parameters, use the config advanced 802.11 7920VSIEConfig command.

config advanced 802.11{ a | b} 7920VSIEConfig { call-admission-limit limit | G711-CU-Quantum quantum}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

call-admission-limit

Configures the call admission limit for the 7920s.

G711-CU-Quantum

Configures the value supplied by the infrastructure indicating the current number of channel utilization units that would be used by a single G.711-20ms call.

limit

Call admission limit (from 0 to 255). The default value is 105.

quantum

G711 quantum value. The default value is 15.

Command Default

None

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to configure the call admission limit for 7920 VSIE parameters:


(Cisco Controller) >config advanced 802.11 7920VSIEConfig call-admission-limit 4

config advanced 802.11 channel add

To add a channel to the 802.11 network's auto RF channel list, use the config advanced 802.11 channel add command.

config advanced 802.11{ a | b} channel add channel_number

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

add

Adds a channel to the 802.11 network auto RF channel list.

channel_number

Channel number to add to the 802.11 network auto RF channel list.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a channel to the 802.11a network auto RF channel list:

(Cisco Controller) >config advanced 802.11a channel add 132

config advanced 802.11 channel cleanair-event

To configure CleanAir event driven Radio Resource Management (RRM) parameters for all 802.11 Cisco lightweight access points, use the config advanced 802.11 channel cleanair-event command.

config advanced 802.11{ a | b} channel cleanair-event { enable | disable | sensitivity [ low | medium | high] | custom threshold threshold_value}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables the CleanAir event-driven RRM parameters.

disable

Disables the CleanAir event-driven RRM parameters.

sensitivity

Sets the sensitivity for CleanAir event-driven RRM.

low

(Optional) Specifies low sensitivity.

medium

(Optional) Specifies medium sensitivity.

high

(Optional) Specifies high sensitivity.

custom

Specifies custom sensitivity.

threshold

Specifies the EDRRM AQ threshold value.

threshold_value

Number of custom threshold.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the CleanAir event-driven RRM parameters:

(Cisco Controller) > config advanced 802.11 channel cleanair-event enable

The following example shows how to configure high sensitivity for CleanAir event-driven RRM:

(Cisco Controller) > config advanced 802.11 channel cleanair-event sensitivity high

config advanced 802.11 channel dca anchor-time

To specify the time of day when the Dynamic Channel Assignment (DCA) algorithm is to start, use the config advanced 802.11 channel dca anchor-time command.

config advanced 802.11{ a | b} channel dca anchor-time value

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

value

Hour of the day, from 0 to 23. These values represent the hours from 12:00 a.m. to 11:00 p.m.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the time of day at which the DCA algorithm starts:


(Cisco Controller) > config advanced 802.11 channel dca anchor-time 17

config advanced 802.11 channel dca chan-width-11n

To configure the Dynamic Channel Assignment (DCA) channel width for all 802.11n radios in the 5-GHz band, use the config advanced 802.11 channel dca chan-width-11n command.

config advanced 802.11{ a | b} channel dca chan-width-11n { 20 | 40 | 80}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

20

Sets the channel width for 802.11n radios to 20 MHz.

40

Sets the channel width for 802.11n radios to 40 MHz.

80

Sets the channel width for 802.11ac/ax radios to 80 MHz.

Command Default

The default channel width is 20.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you choose 40, be sure to set at least two adjacent channels in the config advanced 802.11 channel {add | delete} channel_number command (for example, a primary channel of 36 and an extension channel of 40). If you set only one channel, that channel is not used for the 40-MHz channel width.

To override the globally configured DCA channel width setting, you can statically configure an access point’s radio for 20- or 40-MHz mode using the config 802.11 chan_width command. If you then change the static configuration to global on the access point radio, the global DCA configuration overrides the channel width configuration that the access point was previously using.

Examples

The following example shows how to set the DCA channel width for 802.11n radios on the 802.11a network to 40 MHz:


(Cisco Controller) > config advanced 802.11a channel dca chan-width-11n 40

The following example shows how to set the channel width for the 802.11ac radio to 80 MHz:


(Cisco Controller) > config advanced 802.11a channel dca chan-width-11n 80

config advanced 802.11 channel dca interval

To specify how often the Dynamic Channel Assignment (DCA) is allowed to run, use the config advanced 802.11 channel dca interval command.

config advanced 802.11{ a | b} channel dca interval value

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

value

Valid values are 0, 1, 2, 3, 4, 6, 8, 12, or 24 hours. 0 is 10 minutes (600 seconds).

Command Default

The default DCA channel interval is 10 (10 minutes).

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If your controller supports only OfficeExtend access points, we recommend that you set the DCA interval to 6 hours for optimal performance. For deployments with a combination of OfficeExtend access points and local access points, the range of 10 minutes to 24 hours can be used.

Examples

The following example shows how to configure how often the DCA algorithm is allowed to run:


(Cisco Controller) > config advanced 802.11 channel dca interval 8

config advanced 802.11 channel dca min-metric

To configure the 5-GHz minimum RSSI energy metric for DCA, use the config advanced 802.11 channel dca min-metric command.

config advanced 802.11{ a | b} channel dca min-metric RSSI_value

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

RSSI_value

Minimum received signal strength indicator (RSSI) that is required for the DCA to trigger a channel change. The range is from –100 to –60 dBm.

Command Default

The default minimum RSSI energy metric for DCA is –95 dBm.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the minimum 5-GHz RSSI energy metric for DCA:

(Cisco Controller) > config advanced 802.11a channel dca min-metric -80

In the above example, the RRM must detect an interference energy of at least -80 dBm in RSSI for the DCA to trigger a channel change.

config advanced 802.11 channel dca sensitivity

To specify how sensitive the Dynamic Channel Assignment (DCA) algorithm is to environmental changes (for example, signal, load, noise, and interference) when determining whether or not to change channels, use the config advanced 802.11 channel dca sensitivity command.

config advanced 802.11{ a | b} channel dca sensitivity { low | medium | high}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

low

Specifies the DCA algorithm is not particularly sensitive to environmental changes. See the “Usage Guidelines” section for more information.

medium

Specifies the DCA algorithm is moderately sensitive to environmental changes. See the “Usage Guidelines” section for more information.

high

Specifies the DCA algorithm is highly sensitive to environmental changes. See the “Usage Guidelines” section for more information.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The DCA sensitivity thresholds vary by radio band as shown in the table below.

To aid in troubleshooting, the output of this command shows an error code for any failed calls. This table explains the possible error codes for failed calls.

Table 1. DCA Sensitivity Thresholds

Sensitivity | 2.4-GHz DCA Sensitivity Threshold | 5-GHz DCA Sensitivity Threshold
High | 5 dB | 5 dB
Medium | 15 dB | 20 dB
Low | 30 dB | 35 dB

Examples

The following example shows how to configure the value of DCA algorithm’s sensitivity to low:


(Cisco Controller) > config advanced 802.11 channel dca sensitivity low

config advanced 802.11 channel foreign

To have Radio Resource Management (RRM) consider or ignore foreign 802.11a interference avoidance in making channel selection updates for all 802.11a Cisco lightweight access points, use the config advanced 802.11 channel foreign command.

config advanced 802.11{ a | b} channel foreign { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables the foreign access point 802.11a interference avoidance in the channel assignment.

disable

Disables the foreign access point 802.11a interference avoidance in the channel assignment.

Command Default

The default value for the foreign access point 802.11a interference avoidance in the channel assignment is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to have RRM consider foreign 802.11a interference when making channel selection updates for all 802.11a Cisco lightweight access points:


(Cisco Controller) > config advanced 802.11a channel foreign enable

config advanced 802.11 channel load

To have Radio Resource Management (RRM) consider or ignore the traffic load in making channel selection updates for all 802.11a Cisco lightweight access points, use the config advanced 802.11 channel load command.

config advanced 802.11{ a | b} channel load { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables the Cisco lightweight access point 802.11a load avoidance in the channel assignment.

disable

Disables the Cisco lightweight access point 802.11a load avoidance in the channel assignment.

Command Default

The default value for Cisco lightweight access point 802.11a load avoidance in the channel assignment is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to have RRM consider the traffic load when making channel selection updates for all 802.11a Cisco lightweight access points:


(Cisco Controller) > config advanced 802.11a channel load enable

config advanced 802.11 channel noise

To have Radio Resource Management (RRM) consider or ignore non-802.11a noise in making channel selection updates for all 802.11a Cisco lightweight access points, use the config advanced 802.11 channel noise command.

config advanced 802.11{ a | b} channel noise { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables non-802.11a noise avoidance in the channel assignment.

disable

Disables the non-802.11a noise avoidance in the channel assignment.

Command Default

The default value for non-802.11a noise avoidance in the channel assignment is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to have RRM consider non-802.11a noise when making channel selection updates for all 802.11a Cisco lightweight access points:


(Cisco Controller) > config advanced 802.11a channel noise enable

config advanced 802.11 channel outdoor-ap-dca

To enable or disable the controller to avoid checking the non-Dynamic Frequency Selection (DFS) channels, use the config advanced 802.11 channel outdoor-ap-dca command.

config advanced 802.11{ a | b} channel outdoor-ap-dca { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables 802.11 network DCA list option for outdoor access point.

disable

Disables 802.11 network DCA list option for outdoor access point.

Command Default

The default value for 802.11 network DCA list option for outdoor access point is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The config advanced 802.11{a | b} channel outdoor-ap-dca {enable | disable} command is applicable only for deployments having outdoor access points such as 1522 and 1524.

Examples

The following example shows how to enable the 802.11a DCA list option for outdoor access point:

(Cisco Controller) > config advanced 802.11a channel outdoor-ap-dca enable

config advanced 802.11 channel pda-prop

To enable or disable propagation of persistent devices, use the config advanced 802.11 channel pda-prop command.

config advanced 802.11{ a | b} channel pda-prop { enable | disable}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables the 802.11 network DCA list option for the outdoor access point.

disable

Disables the 802.11 network DCA list option for the outdoor access point.

Command Default

The default 802.11 network DCA list option for the outdoor access point is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable propagation of persistent devices:


(Cisco Controller) > config advanced 802.11 channel pda-prop enable

config advanced 802.11 channel update

To have Radio Resource Management (RRM) initiate a channel selection update for all 802.11a Cisco lightweight access points, use the config advanced 802.11 channel update command.

config advanced 802.11{ a | b} channel update

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to initiate a channel selection update for all 802.11a network access points:


(Cisco Controller) > config advanced 802.11a channel update

config advanced 802.11 coverage

To enable or disable coverage hole detection, use the config advanced 802.11 coverage command.

config advanced 802.11 { a | b } coverage { enable | disable }

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

enable

Enables the coverage hole detection.

disable

Disables the coverage hole detection.

Command Default

The default coverage hole detection value is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you enable coverage hole detection, the controller automatically determines, based on data that is received from the access points, whether any access points have clients that are potentially located in areas with poor coverage.

If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.

Examples

The following example shows how to enable coverage hole detection on an 802.11a network:

(Cisco Controller) > config advanced 802.11a coverage enable

config advanced 802.11 coverage fail-rate

To specify the failure rate threshold for uplink data or voice packets, use the config advanced 802.11 coverage fail-rate command.

config advanced 802.11{ a | b} coverage { data | voice} fail-rate percent

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

data

Specifies the threshold for data packets.

voice

Specifies the threshold for voice packets.

percent

Failure rate as a percentage. Valid values are from 1 to 100 percent.

Command Default

The default uplink coverage fail-rate threshold is 20%.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.

Examples

The following example shows how to configure the failure rate threshold for uplink data packets:


(Cisco Controller) > config advanced 802.11a coverage data fail-rate 80

config advanced 802.11 coverage exception global

To specify the percentage of clients on an access point that are experiencing a low signal level but cannot roam to another access point, use the config advanced 802.11 coverage exception global command.

config advanced 802.11{ a | b} coverage exception global percent

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

percent

Percentage of clients. Valid values are from 0 to 100%.

Command Default

The default percentage value for clients on an access point is 25%.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.

Examples

The following example shows how to specify the percentage of clients for all 802.11a access points that are experiencing a low signal level:


(Cisco Controller) > config advanced 802.11a coverage exception global 50

config advanced 802.11 coverage level global

To specify the minimum number of clients on an access point with a received signal strength indication (RSSI) value at or below the data or voice RSSI threshold, use the config advanced 802.11 coverage level global command.

config advanced 802.11{ a | b} coverage level global clients

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

clients

Minimum number of clients. Valid values are from 1 to 75.

Command Default

The default minimum number of clients on an access point is 3.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.

Examples

The following example shows how to specify the minimum number of clients on all 802.11a access points with an RSSI value at or below the RSSI threshold:


(Cisco Controller) > config advanced 802.11a coverage level global 60

config advanced 802.11 coverage packet-count

To specify the minimum failure count threshold for uplink data or voice packets, use the config advanced 802.11 coverage packet-count command.

config advanced 802.11{ a | b} coverage { data | voice} packet-count packets

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

data

Specifies the threshold for data packets.

voice

Specifies the threshold for voice packets.

packets

Minimum number of packets. Valid values are from 1 to 255 packets.

Command Default

The default failure count threshold for uplink data or voice packets is 10.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.

Examples

The following example shows how to configure the failure count threshold for uplink data packets:

(Cisco Controller) > config advanced 802.11a coverage data packet-count 100

config advanced 802.11 coverage rssi-threshold

To specify the minimum receive signal strength indication (RSSI) value for packets that are received by an access point, use the config advanced 802.11 coverage rssi-threshold command.

config advanced 802.11{ a | b} coverage { data | voice} rssi-threshold rssi

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

data

Specifies the threshold for data packets.

voice

Specifies the threshold for voice packets.

rssi

Valid values are from –60 to –90 dBm.

Command Default

  • The default RSSI value for data packets is –80 dBm.

  • The default RSSI value for voice packets is –75 dBm.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The rssi value that you enter is used to identify coverage holes (or areas of poor coverage) within your network. If the access point receives a packet in the data or voice queue with an RSSI value that is below the value that you enter, a potential coverage hole has been detected.

The access point takes RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.

If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.

Examples

The following example shows how to configure the minimum receive signal strength indication threshold value for data packets that are received by an 802.11a access point:


(Cisco Controller) > config advanced 802.11a coverage data rssi-threshold -60
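
The two-stage decision described in the Usage Guidelines of the coverage commands above (pre-alarm per 5-second window, then coverage hole per 90-second period) is modelled below in Python. This is an added example, not Cisco's code; the class and function names are hypothetical, the client data is constructed, and the model assumes that a client counts as failed when any of its 5-second windows was in pre-alarm.

```python
from dataclasses import dataclass

WINDOWS_PER_PERIOD = 90 // 5  # 5-second windows in one 90-second period


@dataclass(frozen=True)
class CoverageThresholds:
    """Defaults are the Command Default values stated on this page."""
    packet_count: int = 10              # coverage {data|voice} packet-count
    fail_rate_pct: float = 20.0         # coverage {data|voice} fail-rate
    level_global: int = 3               # coverage level global (clients)
    exception_global_pct: float = 25.0  # coverage exception global


def pre_alarm(failed, total, t):
    """Stage 1: one client, one 5-second window.

    Both the failed-packet count and the failure percentage must EXCEED
    their thresholds; reaching a threshold exactly is not enough.
    """
    if total <= 0 or failed < 0 or failed > total:
        return False
    return failed > t.packet_count and 100.0 * failed / total > t.fail_rate_pct


def coverage_hole(windows_by_client, t):
    """Stage 2: one access point, one 90-second period.

    windows_by_client maps a client name to its (failed, total) packet
    counts per 5-second window. Model assumption: a client counts as
    failed if any of its windows was in pre-alarm.
    Both the failed-client count and percentage must MEET OR EXCEED
    their thresholds. Returns (detected, failed_clients).
    """
    failed_clients = sorted(
        name for name, windows in windows_by_client.items()
        if any(pre_alarm(f, n, t) for f, n in windows[:WINDOWS_PER_PERIOD])
    )
    total_clients = len(windows_by_client)
    if total_clients == 0:
        return False, []
    failed_pct = 100.0 * len(failed_clients) / total_clients
    detected = (len(failed_clients) >= t.level_global
                and failed_pct >= t.exception_global_pct)
    return detected, failed_clients


def constructed_ap(n_clients, n_bad):
    """Constructed sample data: n_bad clients have one window at 30/100 failed."""
    healthy = [(1, 200)] * WINDOWS_PER_PERIOD
    bad = [(1, 200)] * (WINDOWS_PER_PERIOD - 1) + [(30, 100)]
    return {f"client{i:02d}": (bad if i < n_bad else healthy)
            for i in range(n_clients)}


if __name__ == "__main__":
    t = CoverageThresholds()
    # High failure rate on too few packets, and many failures at a low rate,
    # both stay out of pre-alarm because only one of the two conditions holds.
    for failed, total in [(8, 10), (50, 400), (10, 40), (11, 40)]:
        print(f"{failed}/{total} failed -> pre-alarm: {pre_alarm(failed, total, t)}")
    # Same three failed clients, different AP populations.
    for n_clients in (2, 10, 12, 20):
        ap = constructed_ap(n_clients, min(3, n_clients))
        print(f"{n_clients} clients -> {coverage_hole(ap, t)}")
```

Three failed clients trigger detection on an access point with 10 or 12 clients but not with 20, because the percentage condition set by coverage exception global fails; two failed clients out of two never trigger it, because the count set by coverage level global is not met.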

config advanced 802.11 logging channel

To turn the channel change logging mode on or off, use the config advanced 802.11 logging channel command.

config advanced 802.11{ a | b} logging channel { on | off}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

logging channel

Logs channel changes.

on

Enables the 802.11 channel logging.

off

Disables 802.11 channel logging.

Command Default

The default channel change logging mode is Off (disabled).

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a logging channel selection mode on:


(Cisco Controller) > config advanced 802.11a logging channel on

config advanced 802.11 logging coverage

To turn the coverage profile logging mode on or off, use the config advanced 802.11 logging coverage command.

config advanced 802.11{ a | b} logging coverage { on | off}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

on

Enables the 802.11 coverage profile violation logging.

off

Disables the 802.11 coverage profile violation logging.

Command Default

The default coverage profile logging mode is Off (disabled).

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a coverage profile violation logging selection mode on:


(Cisco Controller) > config advanced 802.11a logging coverage on

config advanced 802.11 logging foreign

To turn the foreign interference profile logging mode on or off, use the config advanced 802.11 logging foreign command.

config advanced 802.11{ a | b} logging foreign { on | off}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

on

Enables the 802.11 foreign interference profile violation logging.

off

Disables the 802.11 foreign interference profile violation logging.

Command Default

The default foreign interference profile logging mode is Off (disabled).

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a foreign interference profile violation logging selection mode on:


(Cisco Controller) > config advanced 802.11a logging foreign on

config advanced 802.11 logging load

To turn the 802.11a load profile logging mode on or off, use the config advanced 802.11 logging load command.

config advanced 802.11{ a | b} logging load { on | off}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

on

Enables the 802.11 load profile violation logging.

off

Disables the 802.11 load profile violation logging.

Command Default

The default 802.11a load profile logging mode is Off (disabled).

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a load profile logging mode on:


(Cisco Controller) > config advanced 802.11a logging load on

config advanced 802.11 logging noise

To turn the 802.11a noise profile logging mode on or off, use the config advanced 802.11 logging noise command.

config advanced 802.11{ a | b} logging noise { on | off}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

on

Enables the 802.11 noise profile violation logging.

off

Disables the 802.11 noise profile violation logging.

Command Default

The default 802.11a noise profile logging mode is off (disabled).

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a noise profile logging mode on:


(Cisco Controller) > config advanced 802.11a logging noise on

config advanced 802.11 logging performance

To turn the 802.11a performance profile logging mode on or off, use the config advanced 802.11 logging performance command.

config advanced 802.11{ a | b} logging performance { on | off}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

on

Enables the 802.11 performance profile violation logging.

off

Disables the 802.11 performance profile violation logging.

Command Default

The default 802.11a performance profile logging mode is off (disabled).

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a performance profile logging mode on:


(Cisco Controller) > config advanced 802.11a logging performance on

config advanced 802.11 logging txpower

To turn the 802.11a transmit power change logging mode on or off, use the config advanced 802.11 logging txpower command.

config advanced 802.11{ a | b} logging txpower { on | off}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

on

Enables the 802.11 transmit power change logging.

off

Disables the 802.11 transmit power change logging.

Command Default

The default 802.11a transmit power change logging mode is off (disabled).

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn the 802.11a transmit power change mode on:


(Cisco Controller) > config advanced 802.11a logging txpower on

config advanced 802.11 monitor channel-list

To set the 802.11a noise, interference, and rogue monitoring channel list, use the config advanced 802.11 monitor channel-list command.

config advanced 802.11{ a | b} monitor channel-list { all | country | dca}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

all

Monitors all channels.

country

Monitors the channels used in the configured country code.

dca

Monitors the channels used by the automatic channel assignment.

Command Default

The default 802.11a noise, interference, and rogue monitoring channel list is country.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to monitor the channels used in the configured country:


(Cisco Controller) > config advanced 802.11 monitor channel-list country

config advanced 802.11 monitor coverage

To set the coverage measurement interval between 60 and 3600 seconds, use the config advanced 802.11 monitor coverage command.

config advanced 802.11{ a | b} monitor coverage seconds

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

seconds

Coverage measurement interval between 60 and 3600 seconds.

Command Default

The default coverage measurement interval is 180 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the coverage measurement interval to 60 seconds:


(Cisco Controller) > config advanced 802.11 monitor coverage 60

config advanced 802.11 monitor load

To set the load measurement interval between 60 and 3600 seconds, use the config advanced 802.11 monitor load command.

config advanced 802.11{ a | b} monitor load seconds

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

seconds

Load measurement interval between 60 and 3600 seconds.

Command Default

The default load measurement interval is 60 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the load measurement interval to 60 seconds:

(Cisco Controller) > config advanced 802.11 monitor load 60

config advanced 802.11 monitor ndp-type

To configure the 802.11 access point radio resource management (RRM) Neighbor Discovery Protocol (NDP) type, use the config advanced 802.11 monitor ndp-type command.

config advanced 802.11{ a | b} monitor ndp-type { protected | transparent}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

protected

Specifies the Tx RRM protected NDP.

transparent

Specifies the Tx RRM transparent NDP.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Before you configure the 802.11 access point RRM NDP type, ensure that you have disabled the network by entering the config 802.11 disable network command.

Examples

The following example shows how to enable the 802.11a access point RRM NDP type as protected:


(Cisco Controller) > config advanced 802.11a monitor ndp-type protected

config advanced 802.11 monitor noise

To set the 802.11a noise measurement interval between 60 and 3600 seconds, use the config advanced 802.11 monitor noise command.

config advanced 802.11{ a | b} monitor noise seconds

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

seconds

Noise measurement interval between 60 and 3600 seconds.

Command Default

The default 802.11a noise measurement interval is 80 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the noise measurement interval to 120 seconds:


(Cisco Controller) > config advanced 802.11 monitor noise 120

config advanced 802.11 monitor signal

To set the signal measurement interval between 60 and 3600 seconds, use the config advanced 802.11 monitor signal command.

config advanced 802.11{ a | b} monitor signal seconds

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

seconds

Signal measurement interval between 60 and 3600 seconds.

Command Default

The default signal measurement interval is 60 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the signal measurement interval to 120 seconds:


(Cisco Controller) > config advanced 802.11 monitor signal 120

config advanced 802.11 profile clients

To set the Cisco lightweight access point clients threshold between 1 and 75 clients, use the config advanced 802.11 profile clients command.

config advanced 802.11{ a | b} profile clients { global | cisco_ap} clients

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

global

Configures all 802.11a Cisco lightweight access points.

cisco_ap

Cisco lightweight access point name.

clients

802.11a Cisco lightweight access point client threshold between 1 and 75 clients.

Command Default

The default Cisco lightweight access point clients threshold is 12 clients.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set all Cisco lightweight access point clients thresholds to 25 clients:

(Cisco Controller) >config advanced 802.11 profile clients global 25
Global client count profile set.

The following example shows how to set the AP1 clients threshold to 75 clients:

(Cisco Controller) >config advanced 802.11 profile clients AP1 75
Global client count profile set.

config advanced 802.11 profile customize

To turn customizing on or off for an 802.11a Cisco lightweight access point performance profile, use the config advanced 802.11 profile customize command.

config advanced 802.11{ a | b} profile customize cisco_ap { on | off}

Syntax Description

a

Specifies the 802.11a/n network.

b

Specifies the 802.11b/g/n network.

cisco_ap

Cisco lightweight access point.

on

Customizes performance profiles for this Cisco lightweight access point.

off

Uses global default performance profiles for this Cisco lightweight access point.

Command Default

The default state of performance profile customization is Off.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn performance profile customization on for 802.11a Cisco lightweight access point AP1:

(Cisco Controller) >config advanced 802.11a profile customize AP1 on

config advanced 802.11 profile foreign

To set the foreign 802.11a transmitter interference threshold between 0 and 100 percent, use the config advanced 802.11 profile foreign command.

config advanced 802.11{ a | b} profile foreign { global | cisco_ap} percent

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

global

Configures all 802.11a Cisco lightweight access points.

cisco_ap

Cisco lightweight access point name.

percent

Foreign 802.11a interference threshold between 0 and 100 percent.

Command Default

The default foreign 802.11a transmitter interference threshold value is 10.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the foreign 802.11a transmitter interference threshold for all Cisco lightweight access points to 50 percent:

(Cisco Controller) >config advanced 802.11a profile foreign global 50

The following example shows how to set the foreign 802.11a transmitter interference threshold for AP1 to 0 percent:

(Cisco Controller) >config advanced 802.11a profile foreign AP1 0

config advanced 802.11 profile noise

To set the 802.11a foreign noise threshold between –127 and 0 dBm, use the config advanced 802.11 profile noise command.

config advanced 802.11{ a | b} profile noise { global | cisco_ap} dBm

Syntax Description

a

Specifies the 802.11a/n network.

b

Specifies the 802.11b/g/n network.

global

Configures all 802.11a Cisco lightweight access point specific profiles.

cisco_ap

Cisco lightweight access point name.

dBm

802.11a foreign noise threshold between –127 and 0 dBm.

Command Default

The default foreign noise threshold value is –70 dBm.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the 802.11a foreign noise threshold for all Cisco lightweight access points to –127 dBm:

(Cisco Controller) >config advanced 802.11a profile noise global -127

The following example shows how to set the 802.11a foreign noise threshold for AP1 to 0 dBm:

(Cisco Controller) >config advanced 802.11a profile noise AP1 0

config advanced 802.11 profile throughput

To set the Cisco lightweight access point data-rate throughput threshold between 1000 and 10000000 bytes per second, use the config advanced 802.11 profile throughput command.

config advanced 802.11{ a | b} profile throughput { global | cisco_ap} value

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

global

Configures all 802.11a Cisco lightweight access point specific profiles.

cisco_ap

Cisco lightweight access point name.

value

802.11a Cisco lightweight access point throughput threshold between 1000 and 10000000 bytes per second.

Command Default

The default Cisco lightweight access point data-rate throughput threshold value is 1,000,000 bytes per second.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set all Cisco lightweight access point data-rate thresholds to 1000 bytes per second:

(Cisco Controller) >config advanced 802.11 profile throughput global 1000

The following example shows how to set the AP1 data-rate threshold to 10000000 bytes per second:

(Cisco Controller) >config advanced 802.11 profile throughput AP1 10000000

config advanced 802.11 profile utilization

To set the RF utilization threshold between 0 and 100 percent, use the config advanced 802.11 profile utilization command. The operating system generates a trap when this threshold is exceeded.

config advanced 802.11{ a | b} profile utilization { global | cisco_ap} percent

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

global

Configures a global Cisco lightweight access point specific profile.

cisco_ap

Cisco lightweight access point name.

percent

802.11a RF utilization threshold between 0 and 100 percent.

Command Default

The default RF utilization threshold value is 80 percent.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the RF utilization threshold for all Cisco lightweight access points to 0 percent:

(Cisco Controller) >config advanced 802.11 profile utilization global 0

The following example shows how to set the RF utilization threshold for AP1 to 100 percent:

(Cisco Controller) >config advanced 802.11 profile utilization AP1 100

config advanced 802.11 receiver

To set the advanced receiver configuration settings, use the config advanced 802.11 receiver command.

config advanced 802.11{ a | b} receiver { default | rxstart jumpThreshold value}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

receiver

Specifies the receiver configuration.

default

Specifies the default advanced receiver configuration.

rxstart jumpThreshold

Specifies the receiver start signal.

Note

We recommend that you do not use this option as it is for Cisco internal use only.

value

Jump threshold configuration value between 0 and 127.

Command Default

None

Usage Guidelines

  • Before you change the 802.11 receiver configuration, you must disable the 802.11 network.

  • We recommend that you do not use the rxstart jumpThreshold value option as it is for Cisco internal use only.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to prevent changes to receiver parameters while the network is enabled:


(Cisco Controller) > config advanced 802.11 receiver default

config advanced 802.11 edca-parameters

To enable a specific Enhanced Distributed Channel Access (EDCA) profile on an 802.11a network, use the config advanced 802.11 edca-parameters command.

config advanced 802.11{ a | b} edca-parameters { wmm-default | svp-voice | optimized-voice | optimized-video-voice | custom-voice | fastlane | custom-set { QoS Profile Name } { aifs AP-value (0-16) Client value (0-16) | ecwmax AP-Value (0-10) Client value (0-10) | ecwmin AP-Value (0-10) Client value (0-10) | txop AP-Value (0-255) Client value (0-255) } }

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

wmm-default

Enables the Wi-Fi Multimedia (WMM) default parameters. Choose this option if voice or video services are not deployed on your network.

svp-voice

Enables Spectralink voice-priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.

optimized-voice

Enables EDCA voice-optimized profile parameters. Choose this option if voice services other than Spectralink are deployed on your network.

optimized-video-voice

Enables EDCA voice-optimized and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network.

Note

If you deploy video services, admission control must be disabled.

custom-voice

Enables custom voice EDCA parameters for 802.11a. The EDCA parameters under this option also match the 6.0 WMM EDCA parameters when this profile is applied.

fastlane

Enables fastlane on compatible devices.

custom-set

Enables customization of EDCA parameters:

  • aifs—Configures the Arbitration Inter-Frame Space.

    AP Value (0-16) Client Value (0-16)

  • ecwmax—Configures the maximum Contention Window.

    AP Value (0-10) Client Value (0-10)

  • ecwmin—Configures the minimum Contention Window.

    AP Value (0-10) Client Value (0-10)

  • txop—Configures the Arbitration Transmission Opportunity Limit.

    AP Value (0-255) Client Value (0-255)

QoS Profile Name - Enter the QoS profile name:

  • bronze

  • silver

  • gold

  • platinum

Command Default

The default EDCA parameter is wmm-default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.2.110.0 In this release, the custom-set keyword was added to the edca-parameters command.
8.3 This command was modified and the fastlane keyword was added.

Examples

The following example shows how to enable Spectralink voice-priority parameters:


(Cisco Controller) > config advanced 802.11 edca-parameters svp-voice

config advanced 802.11 factory

To reset 802.11a advanced settings back to the factory defaults, use the config advanced 802.11 factory command.

config advanced 802.11{ a | b} factory

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to return all the 802.11a advanced settings to their factory defaults:


(Cisco Controller) > config advanced 802.11a factory

config advanced 802.11 group-member

To configure members in an 802.11 static RF group, use the config advanced 802.11 group-member command.

config advanced 802.11{ a | b} group-member { add | remove} controller controller-ip-address

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

add

Adds a controller to the static RF group.

remove

Removes a controller from the static RF group.

controller

Name of the controller to be added.

controller-ip-address

IP address of the controller to be added.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a controller in the 802.11a automatic RF group:

(Cisco Controller) > config advanced 802.11a group-member add cisco-controller 209.165.200.225

config advanced 802.11 tpc-version

To configure the Transmit Power Control (TPC) version for a radio, use the config advanced 802.11 tpc-version command.

config advanced 802.11{ a | b} tpc-version { 1 | 2}

Syntax Description

1

Specifies the TPC version 1 that offers strong signal coverage and stability.

2

Specifies TPC version 2, which is for scenarios where voice calls are extensively used. The Tx power is dynamically adjusted with the goal of minimum interference. It is suitable for dense networks. In this mode, there could be higher roaming delays and coverage hole incidents.

Command Default

The default TPC version for a radio is 1.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the TPC version as 1 for the 802.11a radio:


(Cisco Controller) > config advanced 802.11a tpc-version 1

config advanced 802.11 tpcv1-thresh

To configure the threshold for Transmit Power Control (TPC) version 1 of a radio, use the config advanced 802.11 tpcv1-thresh command.

config advanced 802.11{ a | b} tpcv1-thresh threshold

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g/n network.

threshold

Threshold value between –50 dBm and –80 dBm.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the threshold as –60 dBm for TPC version 1 of the 802.11a radio:


(Cisco Controller) > config advanced 802.11a tpcv1-thresh -60

config advanced 802.11 tpcv2-intense

To configure the computational intensity for Transmit Power Control (TPC) version 2 of a radio, use the config advanced 802.11 tpcv2-intense command.

config advanced 802.11{ a | b} tpcv2-intense intensity

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g/n network.

intensity

Computational intensity value between 1 and 100.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the computational intensity as 50 for TPC version 2 of the 802.11a radio:


(Cisco Controller) > config advanced 802.11a tpcv2-intense 50

config advanced 802.11 tpcv2-per-chan

To configure the Transmit Power Control Version 2 on a per-channel basis, use the config advanced 802.11 tpcv2-per-chan command.

config advanced 802.11{ a | b} tpcv2-per-chan { enable | disable}

Syntax Description

enable

Enables the configuration of TPC version 2 on a per-channel basis.

disable

Disables the configuration of TPC version 2 on a per-channel basis.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable TPC version 2 on a per-channel basis for the 802.11a radio:


(Cisco Controller) > config advanced 802.11a tpcv2-per-chan enable

config advanced 802.11 tpcv2-thresh

To configure the threshold for Transmit Power Control (TPC) version 2 of a radio, use the config advanced 802.11 tpcv2-thresh command.

config advanced 802.11{ a | b} tpcv2-thresh threshold

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

threshold

Threshold value between –50 dBm and –80 dBm.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the threshold as –60 dBm for TPC version 2 of the 802.11a radio:


(Cisco Controller) > config advanced 802.11a tpcv2-thresh -60

config advanced 802.11 txpower-update

To initiate updates of the 802.11a transmit power for every Cisco lightweight access point, use the config advanced 802.11 txpower-update command.

config advanced 802.11{ a | b} txpower-update

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to initiate updates of 802.11a transmit power for an 802.11a access point:


(Cisco Controller) > config advanced 802.11a txpower-update

config advanced backup-controller primary

To configure a primary backup controller, use the config advanced backup-controller primary command.

config advanced backup-controller primary system name IP addr

Syntax Description

system name

Configures primary|secondary backup controller.

IP addr

IP address of the backup controller.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

To delete a primary backup controller entry (IPv6 or IPv4), enter 0.0.0.0 for the controller IP address.

Examples

The following example shows how to configure the IPv4 primary backup controller:

(Cisco Controller) >config advanced backup-controller primary Controller_1 10.10.10.10

The following example shows how to configure the IPv6 primary backup controller:

(Cisco Controller) >config advanced backup-controller primary systemname 2001:9:6:40::623

The following example shows how to remove the IPv4 primary backup controller:

(Cisco Controller) >config advanced backup-controller primary Controller_1 0.0.0.0

The following example shows how to remove the IPv6 primary backup controller:

(Cisco Controller) >config advanced backup-controller primary Controller_1 0.0.0.0

config advanced backup-controller secondary

To configure a secondary backup controller, use the config advanced backup-controller secondary command.

config advanced backup-controller secondary system name IP addr

Syntax Description

system name

Configures primary|secondary backup controller.

IP addr

IP address of the backup controller.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

To delete a secondary backup controller entry (IPv4 or IPv6), enter 0.0.0.0 for the controller IP address.

Examples

The following example shows how to configure an IPv4 secondary backup controller:

(Cisco Controller) >config advanced backup-controller secondary Controller_2 10.10.10.10

The following example shows how to configure an IPv6 secondary backup controller:

(Cisco Controller) >config advanced backup-controller secondary Controller_2 2001:9:6:40::623

The following example shows how to remove an IPv4 secondary backup controller:

(Cisco Controller) >config advanced backup-controller secondary Controller_2 0.0.0.0

The following example shows how to remove an IPv6 secondary backup controller:

(Cisco Controller) >config advanced backup-controller secondary Controller_2 0.0.0.0

config advanced client-handoff

To set the client handoff to occur after a selected number of 802.11 data packet excessive retries, use the config advanced client-handoff command.

config advanced client-handoff num_of_retries

Syntax Description

num_of_retries

Number of excessive retries before client handoff (from 0 to 255).

Command Default

The default value for the number of 802.11 data packet excessive retries is 0.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command is supported only for the 1000/1510 series access points.

Examples

This example shows how to set the client handoff to 100 excessive retries:

(Cisco Controller) >config advanced client-handoff 100

config advanced dot11-padding

To enable or disable over-the-air frame padding, use the config advanced dot11-padding command.

config advanced dot11-padding { enable | disable}

Syntax Description

enable

Enables the over-the-air frame padding.

disable

Disables the over-the-air frame padding.

Command Default

The default over-the-air frame padding is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable over-the-air frame padding:


(Cisco Controller) > config advanced dot11-padding enable

config advanced assoc-limit

To configure the rate at which access point radios send association and authentication requests to the controller, use the config advanced assoc-limit command.

config advanced assoc-limit { enable [ number of associations per interval | interval ] | disable}

Syntax Description

enable

Enables the configuration of the association requests per access point.

disable

Disables the configuration of the association requests per access point.

number of associations per interval

(Optional) Number of association requests per access point slot in a given interval. The range is from 1 to 100.

interval

(Optional) Association request limit interval. The range is from 100 to 10000 milliseconds.

Command Default

The default state of the command is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When 200 or more wireless clients try to associate to a controller at the same time, the clients no longer become stuck in the DHCP_REQD state when you use the config advanced assoc-limit command to limit association requests from access points.

Examples

The following example shows how to limit association requests to 20 per access point slot per interval, with the association request limit interval set to 250 milliseconds:

(Cisco Controller) >config advanced assoc-limit enable 20 250

config advanced eap

To configure advanced Extensible Authentication Protocol (EAP) settings, use the config advanced eap command.

config advanced eap { bcast-key-interval seconds | eapol-key-timeout timeout | eapol-key-retries retries | identity-request-timeout timeout | identity-request-retries retries | key-index index | max-login-ignore-identity-response { enable | disable} | request-timeout timeout | request-retries retries | rsn-capability-validation { enable | disable}}

Syntax Description

bcast-key-interval seconds

Specifies the EAP-broadcast key renew interval time in seconds.

The range is from 120 to 86400 seconds.

eapol-key-timeout timeout

Specifies the amount of time (200 to 5000 milliseconds) that the controller waits before retransmitting an EAPOL (WPA) key message to a wireless client using EAP or WPA/WPA-2 PSK.

The default value is 1000 milliseconds.

eapol-key-retries retries

Specifies the maximum number of times (0 to 4 retries) that the controller retransmits an EAPOL (WPA) key message to a wireless client.

The default value is 2.

identity-request-timeout timeout

Specifies the amount of time (1 to 120 seconds) that the controller waits before retransmitting an EAP Identity Request message to a wireless client.

The default value is 30 seconds.

identity-request-retries retries

Specifies the maximum number of times (0 to 4 retries) that the controller retransmits an EAPOL (WPA) key message to a wireless client.

The default value is 2.

key-index index

Specifies the key index (0 or 3) used for dynamic wired equivalent privacy (WEP).

max-login-ignore-identity-response

When enabled, this command ignores the limit set for the number of devices that can be connected to the controller with the same username using 802.1X authentication. When disabled, this command limits the number of devices that can be connected to the controller with the same username. This option is not applicable for Web auth users.

Use the config netuser maxUserLogin command to set the maximum number of devices per username.

enable

Ignores the same username reaching the maximum EAP identity response.

disable

Checks the same username reaching the maximum EAP identity response.

request-timeout

For EAP messages other than Identity Requests or EAPOL (WPA) key messages, specifies the amount of time (1 to 120 seconds) that the controller waits before retransmitting the message to a wireless client.

The default value is 30 seconds.

request-retries

(Optional) For EAP messages other than Identity Requests or EAPOL (WPA) key messages, specifies the maximum number of times (0 to 20 retries) that the controller retransmits the message to a wireless client.

The default value is 2.

rsn-capability-validation {enable | disable}

Allows you to enable or disable RSN-capability (2-Byte in EAPOL-M2 frame) validation with respect to association request.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.5.151.0, 8.10 The rsn-capability-validation parameter was added.

Examples

The following example shows how to configure the key index used for dynamic wired equivalent privacy (WEP):


(Cisco Controller) > config advanced eap key-index 0
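
A range check for config advanced eap lines before they are pushed to a controller, as an added example (not Cisco code). The ranges come from the Syntax Description above; the function names, finding levels and sample lines are constructed for illustration.

```python
import re

PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")

# Integer keywords and their inclusive ranges, from the Syntax Description.
INT_RANGES = {
    "bcast-key-interval": (120, 86400),       # seconds
    "eapol-key-timeout": (200, 5000),         # milliseconds
    "eapol-key-retries": (0, 4),
    "identity-request-timeout": (1, 120),     # seconds
    "identity-request-retries": (0, 4),
    "request-timeout": (1, 120),              # seconds
    "request-retries": (0, 20),
}

# Toggle values that are valid but relax a check the page describes.
TOGGLE_NOTES = {
    ("max-login-ignore-identity-response", "enable"):
        "per-username device limit (config netuser maxUserLogin) "
        "is ignored for 802.1X clients",
    ("rsn-capability-validation", "disable"):
        "RSN capability in EAPOL-M2 is not validated against "
        "the association request",
}
TOGGLES = {keyword for keyword, _ in TOGGLE_NOTES}


def lint_eap_command(line):
    """Return a list of (level, message) findings for one CLI line.

    level is "error" (the controller range is violated) or "review"
    (accepted by the documented syntax, but worth a second look).
    """
    tokens = PROMPT.sub("", line.strip()).split()
    if tokens[:3] != ["config", "advanced", "eap"]:
        return []  # not an EAP command; nothing to check here
    args = tokens[3:]
    if len(args) != 2:
        return [("error", "expected: config advanced eap <keyword> <value>")]
    keyword, value = args

    if keyword in INT_RANGES:
        low, high = INT_RANGES[keyword]
        if not re.fullmatch(r"\d+", value) or not low <= int(value) <= high:
            return [("error",
                     f"{keyword} {value}: outside documented range {low}-{high}")]
        return []

    if keyword == "key-index":
        if value not in ("0", "3"):
            return [("error", f"key-index {value}: documented values are 0 or 3")]
        return [("review",
                 "key-index only applies to dynamic WEP; confirm WEP is still needed")]

    if keyword in TOGGLES:
        if value not in ("enable", "disable"):
            return [("error", f"{keyword} {value}: expected enable or disable")]
        note = TOGGLE_NOTES.get((keyword, value))
        return [("review", note)] if note else []

    return [("error", f"unknown keyword: {keyword}")]


def lint_config(text):
    """Lint every line of a change script; return (line_no, level, message)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for level, message in lint_eap_command(line):
            findings.append((line_no, level, message))
    return findings


# Constructed sample change script (not taken from a real controller).
SAMPLE = """\
(Cisco Controller) > config advanced eap key-index 0
config advanced eap eapol-key-timeout 100
config advanced eap eapol-key-retries 4
config advanced eap request-retries 25
config advanced eap max-login-ignore-identity-response enable
config advanced eap rsn-capability-validation enable
config advanced assoc-limit enable 20 250
"""

if __name__ == "__main__":
    for line_no, level, message in lint_config(SAMPLE):
        print(f"line {line_no}: {level}: {message}")
```
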

config advanced fastpath fastcache

To configure the fastpath fast cache control, use the config advanced fastpath fastcache command.

config advanced fastpath fastcache { enable | disable}

Syntax Description

enable

Enables the fastpath fast cache control.

disable

Disables the fastpath fast cache control.

Command Default

None

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the fastpath fast cache control:


(Cisco Controller) > config advanced fastpath fastcache enable

config advanced fastpath pkt-capture

To configure the fastpath packet capture, use the config advanced fastpath pkt-capture command.

config advanced fastpath pkt-capture { enable | disable}

Syntax Description

enable

Enables the fastpath packet capture.

disable

Disables the fastpath packet capture.

Command Default

None

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the fastpath packet capture:


(Cisco Controller) > config advanced fastpath pkt-capture enable

config advanced hotspot

To configure advanced hotspot configurations, use the config advanced hotspot command.

config advanced hotspot { anqp-4way { disable | enable | threshold value } | cmbk-delay value | garp { disable | enable } | gas-limit { disable | enable } }

Syntax Description

anqp-4way

Enables, disables, or configures the Access Network Query Protocol (ANQP) four way fragment threshold.

disable

Disables the ANQP four way message.

enable

Enables the ANQP four way message.

threshold

Configures the ANQP four way fragment threshold.

value

ANQP four way fragment threshold value in bytes. The range is from 10 to 1500. The default value is 1500.

cmbk-delay

Configures the ANQP comeback delay in Time Units (TUs).

value

ANQP comeback delay in Time Units (TUs). 1 TU is defined by 802.11 as 1024 usec. The range is from 1 millisecond to 30 seconds.

garp

Disables or enables the Gratuitous ARP (GARP) forwarding to wireless network.

disable

Disables the Gratuitous ARP (GARP) forwarding to wireless network.

enable

Enables the Gratuitous ARP (GARP) forwarding to wireless network.

gas-limit

Limits the number of Generic Advertisement Service (GAS) request action frames sent to the switch by an access point in a given interval.

disable

Disables the GAS request action frame limit on access points.

enable

Enables the GAS request action frame limit on access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the ANQP four way fragment threshold value:

(Cisco Controller) >config advanced hotspot anqp-4way threshold 200

config advanced max-1x-sessions

To configure the maximum number of simultaneous 802.1X sessions allowed per access point, use the config advanced max-1x-sessions command.

config advanced max-1x-sessions no_of_sessions

Syntax Description

no_of_sessions

Maximum number of 802.1X session initiations per AP at a time. The range is from 0 to 255, where 0 indicates unlimited.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the maximum number of simultaneous 802.1X sessions:

(Cisco Controller) >config advanced max-1x-sessions 200

config advanced rate

To configure switch control path rate limiting, use the config advanced rate command.

config advanced rate { enable | disable}

Syntax Description

enable

Enables the switch control path rate limiting feature.

disable

Disables the switch control path rate limiting feature.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable switch control path rate limiting:

(Cisco Controller) >config advanced rate enable

config advanced sip-preferred-call-no

To configure voice prioritization, use the config advanced sip-preferred-call-no command.

config advanced sip-preferred-call-no call_index { call_number | none}

Syntax Description

call_index

Call index with valid values between 1 and 6.

call_number

Preferred call number that can contain up to 27 characters.

none

Deletes the preferred call set for the specified index.

Command Default

None

Usage Guidelines

Before you configure voice prioritization, you must complete the following prerequisites:

  • Set the voice to the platinum QoS level by entering the config wlan qos wlan-id platinum command.

  • Enable the admission control (ACM) to this radio by entering the config 802.11 {a | b} cac {voice | video} acm enable command.

  • Enable the call-snooping feature for a particular WLAN by entering the config wlan call-snoop enable wlan-id command.

    To view statistics about preferred calls, enter the show ap stats {802.11{a | b} | wlan} cisco_ap command.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a new preferred call for index 2:


(Cisco Controller) > config advanced sip-preferred-call-no 2 0123456789

config advanced sip-snooping-ports

To configure call snooping ports, use the config advanced sip-snooping-ports command.

config advanced sip-snooping-ports start_port end_port

Syntax Description

start_port

Starting port for call snooping. The range is from 0 to 65535.

end_port

Ending port for call snooping. The range is from 0 to 65535.

Usage Guidelines

If you need only a single port for call snooping, configure the start and end port with the same number.

The port used by the CIUS tablet is 5060 and the port range used by Facetime is from 16384 to 16402.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the call snooping ports:


(Cisco Controller) > config advanced sip-snooping-ports 4000 4500

config advanced statistics

To enable or disable the Cisco wireless LAN controller port statistics collection, use the config advanced statistics command.

config advanced statistics { enable | disable}

Syntax Description

enable

Enables the switch port statistics collection.

disable

Disables the switch port statistics collection.

Command Default

The default switch port statistics collection value is enable.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the switch port statistics collection settings:


(Cisco Controller) > config advanced statistics disable

config advanced probe limit

To limit the number of probes sent to the WLAN controller per access point per client in a given interval, use the config advanced probe limit command.

config advanced probe limit num_probes interval

Syntax Description

num_probes

Number of probe requests (from 1 to 100) forwarded to the controller per client per access point radio in a given interval.

interval

Probe limit interval (from 100 to 10000 milliseconds).

Command Default

The default number of probe requests is 2.
The default interval is 500 milliseconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to set the number of probes per access point per client to 5 and the probe interval to 800 milliseconds:

(Cisco Controller) >config advanced probe limit 5 800

config advanced timers

To configure an advanced system timer, use the config advanced timers command.

config advanced timers { ap-coverage-report seconds | ap-discovery-timeout discovery-timeout | ap-fast-heartbeat { local | flexconnect | all } { enable | disable } fast_heartbeat_seconds | ap-heartbeat-timeout heartbeat_seconds | ap-primary-discovery-timeout primary_discovery_timeout | ap-primed-join-timeout primed_join_timeout | auth-timeout auth_timeout | pkt-fwd-watchdog { enable | disable } { watchdog_timer | default } | eap-identity-request-delay eap_identity_request_delay | eap-timeout eap_timeout }

Syntax Description

ap-coverage-report

Configures RRM coverage report interval for all APs.

seconds

Configures the AP coverage report interval in seconds. The range is between 60 and 90 seconds. Default is 90 seconds.

ap-discovery-timeout

Configures the Cisco lightweight access point discovery timeout value.

discovery-timeout

Cisco lightweight access point discovery timeout value, in seconds. The range is from 1 to 10.

ap-fast-heartbeat

Configures the fast heartbeat timer, which reduces the amount of time it takes to detect a controller failure in access points.

local

Configures the fast heartbeat interval for access points in local mode.

flexconnect

Configures the fast heartbeat interval for access points in FlexConnect mode.

all

Configures the fast heartbeat interval for all the access points.

enable

Enables the fast heartbeat interval.

disable

Disables the fast heartbeat interval.

fast_heartbeat_seconds

Small heartbeat interval, which reduces the amount of time it takes to detect a controller failure, in seconds. The range is from 1 to 10.

ap-heartbeat-timeout

Configures Cisco lightweight access point heartbeat timeout value.

heartbeat_seconds

Cisco lightweight access point heartbeat timeout value, in seconds. The range is from 1 to 30. This value should be at least three times larger than the fast heartbeat timer.

ap-primary-discovery-timeout

Configures the access point primary discovery request timer.

primary_discovery_timeout

Access point primary discovery request time, in seconds. The range is from 30 to 3600.

ap-primed-join-timeout

Configures the access point primed discovery timeout value.

primed_join_timeout

Access point primed discovery timeout value, in seconds. The range is from 120 to 43200.

auth-timeout

Configures the authentication timeout.

auth_timeout

Authentication response timeout value, in seconds. The range is from 10 to 600.

pkt-fwd-watchdog

Configures the packet forwarding watchdog timer to protect from fastpath deadlock.

watchdog_timer

Packet forwarding watchdog timer, in seconds. The range is from 60 to 300.

default

Configures the watchdog timer to the default value of 240 seconds.

eap-identity-request-delay

Configures the advanced Extensible Authentication Protocol (EAP) identity request delay, in seconds.

eap_identity_request_delay

Advanced EAP identity request delay, in seconds. The range is from 0 to 10.

eap-timeout

Configures the EAP expiration timeout.

eap_timeout

EAP timeout value, in seconds. The range is from 8 to 120.

Command Default

  • The default access point discovery timeout is 10 seconds.

  • The default access point heartbeat timeout is 30 seconds.

  • The default access point primary discovery request timer is 120 seconds.

  • The default authentication timeout is 10 seconds.

  • The default packet forwarding watchdog timer is 240 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.3 This command was enhanced.
8.6 This command was enhanced with a new keyword in Release 8.6. The new keyword added is ap-coverage-report.

Usage Guidelines

The Cisco lightweight access point discovery timeout indicates how often a controller attempts to discover unconnected Cisco lightweight access points.

The Cisco lightweight access point heartbeat timeout controls how often the Cisco lightweight access point sends a heartbeat keepalive signal to the Cisco Wireless Controller.

Examples

The following example shows how to configure an access point discovery timeout with a timeout value of 20:

(Cisco Controller) >config advanced timers ap-discovery-timeout 20 

The following example shows how to enable the fast heartbeat interval for an access point in FlexConnect mode:

(Cisco Controller) >config advanced timers ap-fast-heartbeat flexconnect enable 8 

The following example shows how to configure the authentication timeout to 20 seconds:

(Cisco Controller) >config advanced timers auth-timeout 20 
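The ranges in the Syntax Description and the rule that the heartbeat timeout should be at least three times the fast heartbeat timer can be checked before a change is pushed. The following is an added example, not Cisco code: lint_timers and the sample command lines are constructed for illustration, and the handling of the all keyword is a simplification.

```python
import re

# Ranges in seconds, copied from the Syntax Description above.
RANGES = {
    "ap-coverage-report": (60, 90),
    "ap-discovery-timeout": (1, 10),
    "ap-heartbeat-timeout": (1, 30),
    "ap-primary-discovery-timeout": (30, 3600),
    "ap-primed-join-timeout": (120, 43200),
    "auth-timeout": (10, 600),
    "eap-identity-request-delay": (0, 10),
    "eap-timeout": (8, 120),
}
FAST_HEARTBEAT_RANGE = (1, 10)
WATCHDOG_RANGE = (60, 300)
DEFAULT_HEARTBEAT_TIMEOUT = 30  # documented default, used until a line overrides it
PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")
PREFIX = "config advanced timers "


def _in_range(value, bounds):
    """True when value is a non-negative integer string inside bounds (inclusive)."""
    return value.isdigit() and bounds[0] <= int(value) <= bounds[1]


def lint_timers(text):
    """Return sorted (line_number, keyword, problem) tuples for timer commands."""
    findings = []
    heartbeat = DEFAULT_HEARTBEAT_TIMEOUT
    fast = {}  # AP mode -> (line_number, seconds) for enabled fast heartbeats

    for n, raw in enumerate(text.splitlines(), 1):
        line = PROMPT.sub("", raw.strip())
        if not line.startswith(PREFIX):
            continue
        args = line[len(PREFIX):].split()
        if not args:
            continue
        key, rest = args[0], args[1:]
        value = rest[0] if rest else ""

        if key == "ap-fast-heartbeat":
            state = rest[1] if len(rest) > 1 else ""
            secs = rest[2] if len(rest) > 2 else ""
            if value not in ("local", "flexconnect", "all") or state not in ("enable", "disable"):
                findings.append((n, key, "malformed command"))
            elif state == "disable":
                # Simplification: "all" clears every mode, otherwise only the named one.
                fast = {} if value == "all" else {m: v for m, v in fast.items() if m != value}
            elif not _in_range(secs, FAST_HEARTBEAT_RANGE):
                findings.append((n, key, f"interval {secs!r} outside 1-10 seconds"))
            else:
                if value == "all":
                    fast = {}
                fast[value] = (n, int(secs))
        elif key == "pkt-fwd-watchdog":
            timer = rest[1] if len(rest) > 1 else ""
            if value not in ("enable", "disable"):
                findings.append((n, key, "malformed command"))
            elif value == "enable" and timer != "default" and not _in_range(timer, WATCHDOG_RANGE):
                findings.append((n, key, f"timer {timer!r} outside 60-300 seconds"))
        elif key in RANGES:
            low, high = RANGES[key]
            if not _in_range(value, (low, high)):
                findings.append((n, key, f"value {value!r} outside {low}-{high} seconds"))
            elif key == "ap-heartbeat-timeout":
                heartbeat = int(value)
        else:
            findings.append((n, key, "keyword not in the documented syntax"))

    # Cross-check: the heartbeat timeout should be at least three times
    # the fast heartbeat timer.
    for mode, (n, secs) in fast.items():
        if heartbeat < 3 * secs:
            findings.append((n, "ap-fast-heartbeat",
                             f"heartbeat timeout {heartbeat}s is less than 3 x "
                             f"fast heartbeat {secs}s ({mode})"))
    return sorted(findings)


# Constructed change set; line 1 uses a value outside the documented 1-10 range.
SAMPLE_TIMERS = """\
(Cisco Controller) >config advanced timers ap-discovery-timeout 20
(Cisco Controller) >config advanced timers ap-fast-heartbeat flexconnect enable 8
(Cisco Controller) >config advanced timers ap-heartbeat-timeout 20
(Cisco Controller) >config advanced timers auth-timeout 20
(Cisco Controller) >config advanced timers pkt-fwd-watchdog enable default
(Cisco Controller) >config advanced timers eap-timeout 5
"""

if __name__ == "__main__":
    for line_number, keyword, problem in lint_timers(SAMPLE_TIMERS):
        print(f"line {line_number}: {keyword}: {problem}")
```
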

config advanced timers ap-fast-heartbeat

To configure the fast heartbeat timer, which reduces the amount of time it takes to detect a controller failure for local, FlexConnect, or all access points, use the config advanced timers ap-fast-heartbeat command.

config advanced timers ap-fast-heartbeat { local | flexconnect | all} { enable | disable } interval

Syntax Description

local

Configures the fast heartbeat interval for access points in local mode only.

flexconnect

Configures the fast heartbeat interval for access points in FlexConnect mode only.

all

Configures the fast heartbeat interval for all access points.

enable

Enables the fast heartbeat interval.

disable

Disables the fast heartbeat interval.

interval

Small heartbeat interval (between 1 and 10 seconds, inclusive), which reduces the amount of time it takes to detect a controller failure.

Command Default

The default state of the command is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the fast heartbeat interval for access points in local mode:

(Cisco Controller) >config advanced timers ap-fast-heartbeat local enable 5

The following example shows how to enable the fast heartbeat interval for access points in FlexConnect mode:

(Cisco Controller) >config advanced timers ap-fast-heartbeat flexconnect enable 8

The following example shows how to enable the fast heartbeat interval for all access points:

(Cisco Controller) >config advanced timers ap-fast-heartbeat all enable 6

The following example shows how to disable the fast heartbeat interval for all access points:

(Cisco Controller) >config advanced timers ap-fast-heartbeat all disable

config advanced timers ap-heartbeat-timeout

To configure the Cisco lightweight access point heartbeat timeout, use the config advanced timers ap-heartbeat-timeout command.

config advanced timers ap-heartbeat-timeout seconds

Syntax Description

seconds

Cisco lightweight access point heartbeat timeout value between 1 and 30 seconds.

Command Default

The default Cisco lightweight access point heartbeat timeout value is 30 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The Cisco lightweight access point heartbeat timeout controls how often the Cisco lightweight access point sends a heartbeat keep-alive signal to the Cisco wireless LAN controller.

This seconds value should be at least three times larger than the fast heartbeat timer.

Examples

The following example shows how to configure an access point heartbeat timeout to 20:

(Cisco Controller) >config advanced timers ap-heartbeat-timeout 20

config advanced timers ap-primary-discovery-timeout

To configure the access point primary discovery request timer, use the config advanced timers ap-primary-discovery-timeout command.

config advanced timers ap-primary-discovery-timeout interval

Syntax Description

interval

Access point primary discovery request timer between 30 and 3600 seconds.

Command Default

The default access point primary discovery request timer value is 120 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to configure the access point primary discovery request timer to 1200 seconds:

(Cisco Controller) >config advanced timers ap-primary-discovery-timeout 1200

config advanced timers auth-timeout

To configure the authentication timeout, use the config advanced timers auth-timeout command.

config advanced timers auth-timeout seconds

Syntax Description

seconds

Authentication response timeout value in seconds between 10 and 600.

Command Default

The default authentication timeout value is 10 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the authentication timeout to 20 seconds:

(Cisco Controller) >config advanced timers auth-timeout 20

config advanced timers eap-timeout

To configure the Extensible Authentication Protocol (EAP) expiration timeout, use the config advanced timers eap-timeout command.

config advanced timers eap-timeout seconds

Syntax Description

seconds

EAP timeout value in seconds between 8 and 120.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the EAP expiration timeout to 10 seconds:

(Cisco Controller) >config advanced timers eap-timeout 10

config advanced timers eap-identity-request-delay

To configure the advanced Extensible Authentication Protocol (EAP) identity request delay in seconds, use the config advanced timers eap-identity-request-delay command.

config advanced timers eap-identity-request-delay seconds

Syntax Description

seconds

Advanced EAP identity request delay in number of seconds between 0 and 10.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the advanced EAP identity request delay to 8 seconds:

(Cisco Controller) >config advanced timers eap-identity-request-delay 8

Configure Access Point Commands

Use the config ap commands to configure access point settings.

config ap

To configure a Cisco lightweight access point or to add or delete a third-party (foreign) access point, use the config ap command.

config ap {{ enable | disable} cisco_ap | { add | delete} MAC port { enable | disable} IP_address}

Syntax Description

enable

Enables the Cisco lightweight access point.

disable

Disables the Cisco lightweight access point.

cisco_ap

Name of the Cisco lightweight access point.

add

Adds foreign access points.

delete

Deletes foreign access points.

MAC

MAC address of a foreign access point.

port

Port number through which the foreign access point can be reached.

IP_address

IP address of the foreign access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6.

Examples

The following example shows how to disable lightweight access point AP1:

(Cisco Controller) >config ap disable AP1

The following example shows how to add a foreign access point with MAC address 12:12:12:12:12:12 and IP address 192.12.12.1 from port 2033:

(Cisco Controller) >config ap add 12:12:12:12:12:12 2033 enable 192.12.12.1

config ap bhrate

To configure the Cisco bridge backhaul Tx rate, use the config ap bhrate command.

config ap bhrate { rate | auto} cisco_ap

Syntax Description

rate

Cisco bridge backhaul Tx rate in kbps. The valid values are 6000, 12000, 18000, 24000, 36000, 48000, and 54000.

auto

Configures the auto data rate.

cisco_ap

Name of a Cisco lightweight access point.

Command Default

The default status of the command is set to Auto.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

In previous software releases, the default value for the bridge data rate was 24000 (24 Mbps). In Cisco WLC Release 6.0, the default value for the bridge data rate is auto. If you configured the default bridge data rate value (24000) in a previous Cisco WLC release, the bridge data rate is configured with the new default value (auto) when you upgrade to Cisco WLC Release 6.0. However, if you configured a non-default value (for example, 18000) in a previous Cisco WLC software release, that configuration setting is preserved when you upgrade to software release 6.0.

When the bridge data rate is set to auto, the mesh backhaul chooses the highest rate where the next higher rate cannot be used due to unsuitable conditions for that specific rate (and not because of conditions that affect all rates).

Examples

The following example shows how to configure the Cisco bridge backhaul Tx rate to 54000 kbps:

(Cisco Controller) >config ap bhrate 54000 AP1

config ap autoconvert

To automatically convert all access points to FlexConnect mode or Monitor mode upon associating with the controller, use the config ap autoconvert command.

config ap autoconvert { flexconnect | monitor | disable}

Syntax Description

flexconnect

Configures all the access points automatically to FlexConnect mode.

monitor

Configures all the access points automatically to monitor mode.

disable

Disables the autoconvert option on the access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When access points in local mode connect to a Cisco 7500 Series Wireless Controller, they do not serve clients. The access point details are available in the controller. To enable access points to serve clients or perform monitoring related tasks when connected to the Cisco 7500 Series Wireless Controller, the access points must be in FlexConnect mode or Monitor mode.

The command can also be used for conversion of AP modes in Cisco 5520, 8540, and 8510 Series Wireless Controller platforms.

Examples

The following example shows how to automatically convert all access points to the FlexConnect mode:

(Cisco Controller) >config ap autoconvert flexconnect

The following example shows how to disable the autoconvert option on the APs:

(Cisco Controller) >config ap autoconvert disable

config ap bridgegroupname

To set or delete a bridge group name on a Cisco lightweight access point, use the config ap bridgegroupname command.

config ap bridgegroupname { set groupname | delete | { strict-matching { enable | disable}}} cisco_ap

Syntax Description

set

Sets a Cisco lightweight access point’s bridge group name.

groupname

Bridge group name.

delete

Deletes a Cisco lightweight access point’s bridge group name.

cisco_ap

Name of a Cisco lightweight access point.

strict-matching

Restricts the possible parent list if the MAP has a non-default BGN and the potential parent has a different BGN.

enable

Enables a Cisco lightweight access point's group name.

disable

Disables a Cisco lightweight access point's group name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 The strict-matching parameter was added.

Usage Guidelines

Only access points with the same bridge group name can connect to each other. Changing the AP bridgegroupname may strand the bridge AP.

Examples

The following example shows how to delete the bridge group name on Cisco access point AP02:

(Cisco Controller) >config ap bridgegroupname delete AP02
Changing the AP's bridgegroupname may strand the bridge AP. Please continue with caution.
Changing the AP's bridgegroupname will also cause the AP to reboot.
Are you sure you want to continue? (y/n)

config ap bridging

To configure Ethernet-to-Ethernet bridging on a Cisco lightweight access point, use the config ap bridging command.

config ap bridging { enable | disable} cisco_ap

Syntax Description

enable

Enables the Ethernet-to-Ethernet bridging on a Cisco lightweight access point.

disable

Disables Ethernet-to-Ethernet bridging.

cisco_ap

Name of a Cisco lightweight access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable bridging on an access point:

(Cisco Controller) >config ap bridging enable nyc04-44-1240

The following example shows how to disable bridging on an access point:

(Cisco Controller) >config ap bridging disable nyc04-44-1240

config ap cdp

To configure the Cisco Discovery Protocol (CDP) on a Cisco lightweight access point, use the config ap cdp command.

config ap cdp { enable | disable | interface { ethernet interface_number | slot slot_id}} { cisco_ap | all}

Syntax Description

enable

Enables CDP on an access point.

disable

Disables CDP on an access point.

interface

Configures CDP in a specific interface.

ethernet

Configures CDP for an ethernet interface.

interface_number

Ethernet interface number between 0 and 3.

slot

Configures CDP for a radio interface.

slot_id

Slot number between 0 and 3.

cisco_ap

Name of a Cisco lightweight access point.

all

Specifies all access points.


Note


If an AP itself is configured with the name all, the all access points case takes precedence over the AP that is named all.


Command Default

Enabled on radio interfaces of mesh APs and disabled on radio interfaces of non-mesh APs. Enabled on Ethernet interfaces of all APs.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The config ap cdp disable all command disables CDP on all access points that are joined to the controller and all access points that join in the future. CDP remains disabled on both current and future access points even after the controller or access point reboots. To enable CDP, enter the config ap cdp enable all command.


Note


CDP over Ethernet/radio interfaces is available only when CDP is enabled. After you enable CDP on all access points joined to the controller, you may disable and then reenable CDP on individual access points using the config ap cdp {enable | disable} cisco_ap command. After you disable CDP on all access points joined to the controller, you may not enable and then disable CDP on individual access points.


Examples

The following example shows how to enable CDP on all access points:

(Cisco Controller) >config ap cdp enable all

The following example shows how to disable CDP on ap02 access point:

(Cisco Controller) >config ap cdp disable ap02

The following example shows how to enable CDP for Ethernet interface number 2 on all access points:

(Cisco Controller) >config ap cdp ethernet 2 enable all

config ap core-dump

To configure a Cisco lightweight access point’s memory core dump, use the config ap core-dump command.

config ap core-dump { disable | enable tftp_server_ipaddress filename { compress | uncompress}} { cisco_ap | all}

Syntax Description

enable

Enables the Cisco lightweight access point’s memory core dump setting.

disable

Disables the Cisco lightweight access point’s memory core dump setting.

tftp_server_ipaddress

IP address of the TFTP server to which the access point sends core dump files.

filename

Name that the access point uses to label the core file.

compress

Compresses the core dump file.

uncompress

Uncompresses the core dump file.

cisco_ap

Name of a Cisco lightweight access point.

all

Specifies all access points.


Note


If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.


Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6.

Usage Guidelines

The access point must be able to reach the TFTP server. This command is applicable for both IPv4 and IPv6 addresses.

Examples

The following example shows how to configure and compress the core dump file:

(Cisco Controller) >config ap core-dump enable 209.165.200.225 log compress AP02

config ap crash-file clear-all

To delete all crash and radio core dump files, use the config ap crash-file clear-all command.

config ap crash-file clear-all

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete all crash files:

(Cisco Controller) >config ap crash-file clear-all

config ap crash-file delete

To delete a single crash or radio core dump file, use the config ap crash-file delete command.

config ap crash-file delete filename

Syntax Description

filename

Name of the file to delete.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete crash file 1:

(Cisco Controller) >config ap crash-file delete crash_file_1

config ap crash-file get-crash-file

To collect the latest crash data for a Cisco lightweight access point, use the config ap crash-file get-crash-file command.

config ap crash-file get-crash-file cisco_ap

Syntax Description

cisco_ap

Name of the Cisco lightweight access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the transfer upload datatype command to transfer the collected data to the Cisco wireless LAN controller.

Examples

The following example shows how to collect the latest crash data for access point AP3:

(Cisco Controller) >config ap crash-file get-crash-file AP3

config ap crash-file get-radio-core-dump

To get a Cisco lightweight access point’s radio core dump, use the config ap crash-file get-radio-core-dump command.

config ap crash-file get-radio-core-dump slot_id cisco_ap

Syntax Description

slot_id

Slot ID (either 0 or 1).

cisco_ap

Name of a Cisco lightweight access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to collect the radio core dump for access point AP02 and slot 0:

(Cisco Controller) >config ap crash-file get-radio-core-dump 0 AP02

config ap 802.1Xuser

To configure the global authentication username and password for all access points currently associated with the controller as well as any access points that associate with the controller in the future, use the config ap 802.1Xuser command.

config ap 802.1Xuser add username ap-username password ap-password { all | cisco_ap}

Syntax Description

add username

Specifies to add a username.

ap-username

Username on the Cisco AP.

password

Specifies to add a password.

ap-password

Password.

cisco_ap

Specific access point.

all

Specifies all access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must enter a strong password. Strong passwords have the following characteristics:

  • They are at least eight characters long.

  • They contain a combination of uppercase and lowercase letters, numbers, and symbols.

  • They are not a word in any language.

You can set the values for a specific access point.

Examples

This example shows how to configure the global authentication username and password for all access points:

(Cisco Controller) >config ap 802.1Xuser add username cisco123 password cisco2020 all
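The strong-password characteristics in the Usage Guidelines can be checked over config ap 802.1Xuser add lines in a saved command set without echoing the secret. This is an added example, not Cisco code: the sample lines are constructed (the first reuses the credentials from the example above), and WORDLIST is a hypothetical stand-in for a real multi-language dictionary.

```python
import re
import string

# Assumption: a tiny stand-in for a real dictionary, used for the
# "not a word in any language" characteristic.
WORDLIST = {"password", "controller", "wireless", "bonjour", "passwort"}

# config ap 802.1Xuser add username ap-username password ap-password { all | cisco_ap}
ADD_CMD = re.compile(
    r"config ap 802\.1Xuser add username (\S+) password (\S+) (\S+)\s*$"
)


def password_problems(password, wordlist=WORDLIST):
    """Return the documented characteristics that the password does not meet."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    classes = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]
    if password.lower() in wordlist:
        problems.append("dictionary word")
    return problems


def audit_ap_credentials(text):
    """Return (line_number, username, target, problems) for weak AP credentials.

    The password itself is never included in the result, so the report can be
    shared without leaking the secret.
    """
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        match = ADD_CMD.search(line)
        if not match:
            continue
        username, password, target = match.groups()
        problems = password_problems(password)
        if problems:
            results.append((n, username, target, problems))
    return results


# Constructed sample input.
SAMPLE_AP_CREDENTIALS = """\
(Cisco Controller) >config ap 802.1Xuser add username cisco123 password cisco2020 all
(Cisco Controller) >config ap 802.1Xuser add username apuser password Tr7!vq#Lm2 AP01
(Cisco Controller) >config ap 802.1Xuser add username lab password Bonjour AP02
"""

if __name__ == "__main__":
    for line_number, username, target, problems in audit_ap_credentials(SAMPLE_AP_CREDENTIALS):
        print(f"line {line_number}: user {username} on {target}: {', '.join(problems)}")
```
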

config ap 802.1Xuser delete

To force a specific access point to use the controller’s global authentication settings, use the config ap 802.1Xuser delete command.

config ap 802.1Xuser delete cisco_ap

Syntax Description

cisco_ap

Access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to force access point AP01 to use the controller’s global authentication settings:

(Cisco Controller) >config ap 802.1Xuser delete AP01

config ap 802.1Xuser disable

To disable authentication for all access points or for a specific access point, use the config ap 802.1Xuser disable command.

config ap 802.1Xuser disable { all | cisco_ap}

Syntax Description

disable

Disables authentication.

all

Specifies all access points.

cisco_ap

Access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can disable 802.1X authentication for a specific access point only if global 802.1X authentication is not enabled. If global 802.1X authentication is enabled, you can disable 802.1X for all access points only.

Examples

The following example shows how to disable the authentication for access point cisco_ap1:

(Cisco Controller) >config ap 802.1Xuser disable cisco_ap1

config ap ethernet duplex

To configure the Ethernet port duplex and speed settings of the lightweight access points, use the config ap ethernet duplex command.

config ap ethernet duplex [ auto | half | full] speed [ auto | 10 | 100 | 1000] { all | cisco_ap}

Syntax Description

auto

(Optional) Specifies the Ethernet port duplex auto settings.

half

(Optional) Specifies the Ethernet port duplex half settings.

full

(Optional) Specifies the Ethernet port duplex full settings.

speed

Specifies the Ethernet port speed settings.

auto

(Optional) Specifies the Ethernet port speed to auto.

10

(Optional) Specifies the Ethernet port speed to 10 Mbps.

100

(Optional) Specifies the Ethernet port speed to 100 Mbps.

1000

(Optional) Specifies the Ethernet port speed to 1000 Mbps.

all

Specifies the Ethernet port setting for all connected access points.

cisco_ap

Cisco access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the Ethernet port duplex half settings as 10 Mbps for all access points:

(Cisco Controller) >config ap ethernet duplex half speed 10 all

config ap ethernet tag

To configure VLAN tagging of the Control and Provisioning of Wireless Access Points protocol (CAPWAP) packets, use the config ap ethernet tag command.

config ap ethernet tag { id vlan_id | disable} { cisco_ap | all}

Syntax Description

id

Specifies the VLAN ID.

vlan_id

ID of the trunk VLAN.

disable

Disables the VLAN tag feature. When you disable VLAN tagging, the access point untags the CAPWAP packets.

cisco_ap

Name of the Cisco AP.

all

Configures VLAN tagging on all the Cisco access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

After you configure VLAN tagging, the configuration comes into effect only after the access point reboots.

You cannot configure VLAN tagging on mesh access points.

If the access point is unable to route traffic or reach the controller using the specified trunk VLAN, it falls back to the untagged configuration. If the access point joins the controller using this fallback configuration, the controller sends a trap to a trap server such as the Cisco Prime Infrastructure, which indicates the failure of the trunk VLAN. In this scenario, the "Failover to untagged" message appears in show command output.

Examples

The following example shows how to configure VLAN tagging on a trunk VLAN:

(Cisco Controller) >config ap ethernet tag id 6 AP1

config ap group-name

To specify a descriptive group name for a Cisco lightweight access point, use the config ap group-name command.

config ap group-name groupname cisco_ap

Syntax Description

groupname

Descriptive name for the access point group.

cisco_ap

Name of the Cisco lightweight access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The Cisco lightweight access point must be disabled before changing this parameter.

Examples

The following example shows how to configure a descriptive name for access point AP01:

(Cisco Controller) >config ap group-name superusers AP01

config ap flexconnect central-dhcp

To enable central-DHCP on a FlexConnect access point in a WLAN, use the config ap flexconnect central-dhcp command.

config ap flexconnect central-dhcp wlan_id cisco_ap [ add | delete] { enable | disable} override dns { enable | disable} nat-pat { enable | disable}

Syntax Description

wlan_id

Wireless LAN identifier from 1 to 512.

cisco_ap

Name of the Cisco lightweight access point.

add

(Optional) Adds a new WLAN DHCP mapping.

delete

(Optional) Deletes a WLAN DHCP mapping.

enable

Enables central-DHCP on a FlexConnect access point. When you enable this feature, the DHCP packets received from the access point are centrally switched to the controller and then forwarded to the corresponding VLAN based on the AP and the SSID.

disable

Disables central-DHCP on a FlexConnect access point.

override dns

Overrides the DNS server address on the interface assigned by the controller. When you override DNS in centrally switched WLANs, the clients get their DNS server IP address from the AP and not from the controller.

enable

Enables the Override DNS feature on a FlexConnect access point.

disable

Disables the Override DNS feature on a FlexConnect access point.

nat-pat

Network Address Translation (NAT) and Port Address Translation (PAT) that you can enable or disable.

enable

Enables NAT-PAT on a FlexConnect access point.

disable

Deletes NAT-PAT on a FlexConnect access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable central-DHCP, Override DNS, and NAT-PAT on a FlexConnect access point:

(Cisco Controller) >config ap flexconnect central-dhcp 1 ap1250 enable override dns enable nat-pat enable

config ap flexconnect local-split

To configure a local-split tunnel on a FlexConnect access point, use the config ap flexconnect local-split command.

config ap flexconnect local-split wlan_id cisco_ap { enable | disable} acl acl_name

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

cisco_ap

Name of the FlexConnect access point.

enable

Enables local-split tunnel on a FlexConnect access point.

disable

Disables local-split tunnel feature on a FlexConnect access point.

acl

Configures a FlexConnect local-split access control list.

acl_name

Name of the FlexConnect access control list.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command allows you to configure a local-split tunnel in a centrally switched WLAN using a FlexConnect ACL. A local-split tunnel supports only unicast Layer 4 IP traffic because NAT/PAT does not support multicast IP traffic.

Examples

The following example shows how to configure a local-split tunnel using a FlexConnect ACL:

(Cisco Controller) >config ap flexconnect local-split 6 AP2 enable acl flex6
 

config ap flexconnect radius auth set

To configure a primary or secondary RADIUS server for a specific FlexConnect access point, use the config ap flexconnect radius auth set command.

config ap flexconnect radius auth set { primary | secondary} ip_address auth_port secret

Syntax Description

primary

Specifies the primary RADIUS server for a specific FlexConnect access point

secondary

Specifies the secondary RADIUS server for a specific FlexConnect AP

ip_address

IP address of the RADIUS server

auth_port

Name of the port

secret

RADIUS server secret

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a primary RADIUS server for a specific access point:

(Cisco Controller) >config ap flexconnect radius auth set primary 192.12.12.1

config ap flexconnect vlan

To enable or disable VLAN tagging for a FlexConnect access point, use the config ap flexconnect vlan command.

config ap flexconnect vlan { enable | disable } cisco_ap

Syntax Description

enable

Enables the access point’s VLAN tagging.

disable

Disables the access point’s VLAN tagging.

cisco_ap

Name of the Cisco lightweight access point.

Command Default

Disabled. Once enabled, WLANs enabled for local switching inherit the VLAN assigned at the controller.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to enable the access point’s VLAN tagging for a FlexConnect access point:

(Cisco Controller) >config ap flexconnect vlan enable AP02 

config ap flexconnect vlan add

To add a VLAN to a FlexConnect access point, use the config ap flexconnect vlan add command.

config ap flexconnect vlan add vlan-id acl in-acl out-acl cisco_ap

Syntax Description

vlan-id

VLAN identifier.

acl

ACL name that contains up to 32 alphanumeric characters.

in-acl

Inbound ACL name that contains up to 32 alphanumeric characters.

out-acl

Outbound ACL name that contains up to 32 alphanumeric characters.

cisco_ap

Name of the Cisco lightweight access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the FlexConnect access point:

(Cisco Controller) >config ap flexconnect vlan add 21 acl inacl1 outacl1 ap1

config ap flexconnect vlan native

To configure a native VLAN for a FlexConnect access point, use the config ap flexconnect vlan native command.

config ap flexconnect vlan native vlan-id cisco_ap

Syntax Description

vlan-id

VLAN identifier.

cisco_ap

Name of the Cisco lightweight access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a native VLAN for a FlexConnect access point:

(Cisco Controller) >config ap flexconnect vlan native 6 AP02

config ap flexconnect web-auth

To configure a FlexConnect ACL for external web authentication in locally switched WLANs, use the config ap flexconnect web-auth command.

config ap flexconnect web-auth wlan wlan_id cisco_ap acl_name { enable | disable }

Syntax Description

wlan

Specifies the wireless LAN to be configured with a FlexConnect ACL.

wlan_id

Wireless LAN identifier between 1 and 512 (inclusive).

cisco_ap

Name of the FlexConnect access point.

acl_name

Name of the FlexConnect ACL.

enable

Enables the FlexConnect ACL on the locally switched wireless LAN.

disable

Disables the FlexConnect ACL on the locally switched wireless LAN.

Command Default

FlexConnect ACL for external web authentication in locally switched WLANs is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The FlexConnect ACLs that are specific to an AP have the highest priority. The FlexConnect ACLs that are specific to WLANs have the lowest priority.

Examples

The following example shows how to enable FlexConnect ACL for external web authentication on WLAN 6:

(Cisco Controller) >config ap flexconnect web-auth wlan 6 AP2 flexacl2 enable

config ap flexconnect vlan wlan

To assign a VLAN ID to a FlexConnect access point, use the config ap flexconnect vlan wlan command.

config ap flexconnect vlan wlan wlan-id vlan-id cisco_ap

Syntax Description

wlan-id

WLAN identifier

vlan-id

VLAN identifier (1 - 4094).

cisco_ap

Name of the Cisco lightweight access point.

Command Default

VLAN ID associated to the WLAN.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to assign a VLAN ID to a FlexConnect access point:

(Cisco Controller) >config ap flexconnect vlan wlan 192.12.12.1 6 AP02 

config ap flexconnect web-policy acl

To configure a Web Policy FlexConnect ACL on an access point, use the config ap flexconnect web-policy acl command.

config ap flexconnect web-policy acl { add | delete} acl_name

Syntax Description

add

Adds a Web Policy FlexConnect ACL on an access point.

delete

Deletes Web Policy FlexConnect ACL on an access point.

acl_name

Name of the Web Policy FlexConnect ACL.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a Web Policy FlexConnect ACL on an access point:

(Cisco Controller) >config ap flexconnect web-policy acl add flexacl2

config ap hotspot

To configure hotspot parameters on an access point, use the config ap hotspot command.

config ap hotspot venue { type group_code type_code | name { add language_code venue_name | delete}} cisco_ap


Syntax Description

venue

Configures venue information for given AP group.

type

Configures the type of venue for given AP group.

group_code

Venue group information for given AP group.

The following options are available:

  • 0—UNSPECIFIED

  • 1—ASSEMBLY

  • 2—BUSINESS

  • 3—EDUCATIONAL

  • 4—FACTORY-INDUSTRIAL

  • 5—INSTITUTIONAL

  • 6—MERCANTILE

  • 7—RESIDENTIAL

  • 8—STORAGE

  • 9—UTILITY-MISC

  • 10—VEHICULAR

  • 11—OUTDOOR

type_code

Venue type information for the AP group.

For venue group 1 (ASSEMBLY), the following options are available:

  • 0—UNSPECIFIED ASSEMBLY

  • 1—ARENA

  • 2—STADIUM

  • 3—PASSENGER TERMINAL

  • 4—AMPHITHEATER

  • 5—AMUSEMENT PARK

  • 6—PLACE OF WORSHIP

  • 7—CONVENTION CENTER

  • 8—LIBRARY

  • 9—MUSEUM

  • 10—RESTAURANT

  • 11—THEATER

  • 12—BAR

  • 13—COFFEE SHOP

  • 14—ZOO OR AQUARIUM

  • 15—EMERGENCY COORDINATION CENTER

For venue group 2 (BUSINESS), the following options are available:

  • 0—UNSPECIFIED BUSINESS

  • 1—DOCTOR OR DENTIST OFFICE

  • 2—BANK

  • 3—FIRE STATION

  • 4—POLICE STATION

  • 6—POST OFFICE

  • 7—PROFESSIONAL OFFICE

  • 8—RESEARCH AND DEVELOPMENT FACILITY

  • 9—ATTORNEY OFFICE

For venue group 3 (EDUCATIONAL), the following options are available:

  • 0—UNSPECIFIED EDUCATIONAL

  • 1—PRIMARY SCHOOL

  • 2—SECONDARY SCHOOL

  • 3—UNIVERSITY OR COLLEGE

For venue group 4 (FACTORY-INDUSTRIAL), the following options are available:

  • 0—UNSPECIFIED FACTORY AND INDUSTRIAL

  • 1—FACTORY

For venue group 5 (INSTITUTIONAL), the following options are available:

  • 0—UNSPECIFIED INSTITUTIONAL

  • 1—HOSPITAL

  • 2—LONG-TERM CARE FACILITY

  • 3—ALCOHOL AND DRUG RE-HABILITATION CENTER

  • 4—GROUP HOME

  • 5—PRISON OR JAIL

For venue group 6 (MERCANTILE), the following options are available:

  • 0—UNSPECIFIED MERCANTILE

  • 1—RETAIL STORE

  • 2—GROCERY MARKET

  • 3—AUTOMOTIVE SERVICE STATION

  • 4—SHOPPING MALL

  • 5—GAS STATION

For venue group 7 (RESIDENTIAL), the following options are available:

  • 0—UNSPECIFIED RESIDENTIAL

  • 1—PRIVATE RESIDENCE

  • 2—HOTEL OR MOTEL

  • 3—DORMITORY

  • 4—BOARDING HOUSE

For venue group 8 (STORAGE), the option is:

  • 0—UNSPECIFIED STORAGE

For venue group 9 (UTILITY-MISC), the option is:

  • 0—UNSPECIFIED UTILITY AND MISCELLANEOUS

For venue group 10 (VEHICULAR), the following options are available:

  • 0—UNSPECIFIED VEHICULAR

  • 1—AUTOMOBILE OR TRUCK

  • 2—AIRPLANE

  • 3—BUS

  • 4—FERRY

  • 5—SHIP OR BOAT

  • 6—TRAIN

  • 7—MOTOR BIKE

For venue group 11 (OUTDOOR), the following options are available:

  • 0—UNSPECIFIED OUTDOOR

  • 1—MINI-MESH NETWORK

  • 2—CITY PARK

  • 3—REST AREA

  • 4—TRAFFIC CONTROL

  • 5—BUS STOP

  • 6—KIOSK

name

Configures the name of venue for this access point.

language_code

ISO-639 encoded string defining the language used at the venue. This string is a three-character language code. For example, you can enter ENG for English.

venue_name

Venue name for this access point. This name is associated with the basic service set (BSS) and is used in cases where the SSID does not provide enough information about the venue. The venue name is case sensitive and can be up to 252 alphanumeric characters.

add

Adds the HotSpot venue name for this access point.

delete

Deletes the HotSpot venue name for this access point.

cisco_ap

Name of the Cisco access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the venue group as educational and venue type as university:

(Cisco Controller) >config ap hotspot venue type 3 3

config ap image predownload

To configure an image on a specified access point, use the config ap image predownload command.

config ap image predownload { abort | primary | backup} { cisco_ap | all}

Syntax Description

abort

Terminates the predownload image process.

primary

Predownloads an image to a Cisco access point from the controller's primary image.

cisco_ap

Name of a Cisco lightweight access point.

all

Specifies all access points to predownload an image.


Note


If an access point is itself named all, the keyword all is still interpreted as all access points and takes precedence over the access point with that name.


Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to predownload an image to an access point from the primary image:

(Cisco Controller) >config ap image predownload primary all

config ap image swap

To swap an access point’s primary and backup images, use the config ap image swap command.

config ap image swap { cisco_ap | all}

Syntax Description

cisco_ap

Name of a Cisco lightweight access point.

all

Specifies all access points to interchange the boot images.


Note


If an access point is itself named all, the keyword all is still interpreted as all access points and takes precedence over the access point with that name.


Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to swap an access point’s primary and secondary images:

(Cisco Controller) >config ap image swap all

config ap led-state

To configure the LED state of an access point or to configure the flashing of LEDs, use the config ap led-state command.

config ap led-state { enable | disable} { cisco_ap | all}

config ap led-state flash { seconds | indefinite | disable} { cisco_ap | dual-band}

Syntax Description

enable

Enables the LED state of an access point.

disable

Disables the LED state of an access point.

cisco_ap

Name of a Cisco lightweight access point.

flash

Configures the flashing of LEDs for an access point.

seconds

Duration that the LEDs have to flash. The range is from 1 to 3600 seconds.

indefinite

Configures indefinite flashing of the access point’s LED.

dual-band

Configures the LED state for all dual-band access points.

Usage Guidelines


Note


If an access point is itself named all, the keyword all is still interpreted as all access points and takes precedence over the access point with that name.


LEDs on access points with a dual-band radio module flash green and blue when you execute the config ap led-state flash command.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the LED state for an access point:

(Cisco Controller) >config ap led-state enable AP02

The following example shows how to enable the flashing of LEDs for dual-band access points:

(Cisco Controller) >config ap led-state flash 20 dual-band

config ap link-encryption

To configure the Datagram Transport Layer Security (DTLS) data encryption for access points on the 5500 series controller, use the config ap link-encryption command.


Note


If an access point is itself named all, the keyword all is still interpreted as all access points and takes precedence over the access point with that name.


config ap link-encryption { enable | disable} { cisco_ap | all}

Syntax Description

enable

Enables the DTLS data encryption for access points.

disable

Disables the DTLS data encryption for access points.

cisco_ap

Name of a Cisco lightweight access point.

all

Specifies all access points.

Command Default

DTLS data encryption is enabled automatically for OfficeExtend access points but disabled by default for all other access points.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Only Cisco 5500 Series Controllers support DTLS data encryption. This feature is not available on other controller platforms. If an access point with data encryption enabled tries to join any other controller, the access point joins the controller, but data packets are sent unencrypted.

Only Cisco 1130, 1140, 1240, and 1250 series access points support DTLS data encryption, and data-encrypted access points can join a Cisco 5500 Series Controller only if the wplus license is installed on the controller. If the wplus license is not installed, the access points cannot join the controller.

Examples

The following example shows how to enable the data encryption for an access point:

(Cisco Controller) >config ap link-encryption enable AP02

config ap link-latency

To configure link latency for a specific access point or for all access points currently associated to the controller, use the config ap link-latency command:


Note


If an access point is itself named all, the keyword all is still interpreted as all access points and takes precedence over the access point with that name.


config ap link-latency { enable | disable | reset} { cisco_ap | all}

Syntax Description

enable

Enables the link latency for an access point.

disable

Disables the link latency for an access point.

reset

Resets all link latency for all access points.

cisco_ap

Name of the Cisco lightweight access point.

all

Specifies all access points.

Command Default

Link latency is disabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command enables or disables link latency only for access points that are currently joined to the controller. It does not apply to access points that join in the future.

Examples

The following example shows how to enable the link latency for all access points:

(Cisco Controller) >config ap link-latency enable all

config ap location

To modify the descriptive location of a Cisco lightweight access point, use the config ap location command.

config ap location location cisco_ap

Syntax Description

location

Location name of the access point (enclosed by double quotation marks).

cisco_ap

Name of the Cisco lightweight access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The Cisco lightweight access point must be disabled before changing this parameter.

Examples

The following example shows how to configure the descriptive location for access point AP1:

(Cisco Controller) >config ap location "Building 1" AP1

config ap logging syslog level

To set the severity level for filtering syslog messages for a particular access point or for all access points, use the config ap logging syslog level command.

config ap logging syslog level severity_level { cisco_ap | all}

Syntax Description

severity_level

Severity levels are as follows:

  • emergencies—Severity level 0

  • alerts—Severity level 1

  • critical—Severity level 2

  • errors—Severity level 3

  • warnings—Severity level 4

  • notifications—Severity level 5

  • informational—Severity level 6

  • debugging—Severity level 7

cisco_ap

Cisco access point.

all

Specifies all access points.


Note


If an access point is itself named all, the keyword all is still interpreted as all access points and takes precedence over the access point with that name.


Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the access point. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are sent to the access point.

Examples

This example shows how to set the severity for filtering syslog messages to 3:

(Cisco Controller) >config ap logging syslog level 3

config ap mgmtuser add

To configure username, password, and secret password for AP management, use the config ap mgmtuser add command.

config ap mgmtuser add username AP_username password AP_password secret secret { all | cisco_ap}

Syntax Description

username

Configures the username for AP management.

AP_username

Management username.

password

Configures the password for AP management.

AP_password

AP management password.

secret

Configures the secret password for privileged AP management.

secret

AP management secret password.

all

Applies configuration to every AP that does not have a specific username.

cisco_ap

Cisco access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The following requirements are enforced on the password:

  • The password should contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters.

  • No character in the password can be repeated more than three times consecutively.

  • The password should not contain the management username or the reverse of the username.

  • The password should not contain words like Cisco, oscic, admin, nimda, or any variant obtained by changing the capitalization of letters, by substituting 1, |, or !, or by substituting 0 for o or $ for s.

The following requirement is enforced on the secret password:

  • The secret password should contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, or special characters.

Examples

The following example shows how to add a username, password, and secret password for AP management:

(Cisco Controller) > config ap mgmtuser add username acd password Arc_1234 secret Mid_45 all
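
The password and secret rules under Usage Guidelines, written as an offline pre-check for credentials before they are pushed with config ap mgmtuser add. This is an added example, not Cisco code: the function names are hypothetical, and it assumes case-insensitive matching of the username, treats 1, |, and ! as stand-ins for the letter i, and rejects a run of four or more identical characters.

```python
"""Offline pre-check of AP management credentials against the documented rules."""

# Assumption: 1, | and ! are treated as substitutes for the letter i.
SUBSTITUTIONS = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"})
FORBIDDEN_WORDS = ("cisco", "oscic", "admin", "nimda")  # words named in the guidelines
COMMAND_PREFIX = ["config", "ap", "mgmtuser", "add"]


def char_classes(value):
    """Return the set of character classes (lower, upper, digit, special) in value."""
    classes = set()
    for ch in value:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def longest_run(value):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in value:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(password, username):
    """Return the list of violated password rules (empty list means accepted)."""
    problems = []
    if len(char_classes(password)) < 3:
        problems.append("fewer than three character classes")
    # Assumption: "more than three times consecutively" means a run longer than 3.
    if longest_run(password) > 3:
        problems.append("character repeated more than three times consecutively")
    lowered = password.lower()
    user = username.lower()  # assumption: username match is case-insensitive
    if user and (user in lowered or user[::-1] in lowered):
        problems.append("contains the username or its reverse")
    # Undo capitalization changes and the listed character substitutions.
    folded = lowered.translate(SUBSTITUTIONS)
    hits = [word for word in FORBIDDEN_WORDS if word in folded]
    if hits:
        problems.append("contains a forbidden word or variant: " + ", ".join(hits))
    return problems


def check_secret(secret):
    """Return the list of violated secret-password rules (only the class rule applies)."""
    if len(char_classes(secret)) < 3:
        return ["fewer than three character classes"]
    return []


def check_command(line):
    """Parse one 'config ap mgmtuser add' line and check both credentials.

    Accepts the line with or without the '(Cisco Controller) >' prompt.
    """
    tokens = [t.lstrip(">") for t in line.split()]
    tokens = [t for t in tokens if t]
    start = tokens.index("config")  # raises ValueError if the command is absent
    if tokens[start:start + 4] != COMMAND_PREFIX:
        raise ValueError("not a config ap mgmtuser add command")
    args = tokens[start + 4:]
    # Positional layout: username U password P secret S { all | cisco_ap }
    if len(args) != 7 or args[0::2][:3] != ["username", "password", "secret"]:
        raise ValueError("unexpected argument layout")
    username, password, secret = args[1], args[3], args[5]
    return {
        "password": check_password(password, username),
        "secret": check_secret(secret),
    }


if __name__ == "__main__":
    # The first line is the example from this page; the second is constructed.
    samples = [
        "(Cisco Controller) > config ap mgmtuser add username acd password Arc_1234 secret Mid_45 all",
        "(Cisco Controller) >config ap mgmtuser add username acd password C1sc0_Wlan9 secret mid45 AP02",
    ]
    for sample in samples:
        print(sample)
        print("  ", check_command(sample))
```
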

config ap mgmtuser delete

To force a specific access point to use the controller’s global credentials, use the config ap mgmtuser delete command.

config ap mgmtuser delete cisco_ap

Syntax Description

cisco_ap

Access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete the credentials of an access point:


(Cisco Controller) > config ap mgmtuser delete cisco_ap1

config ap mode

To change a controller communication option for an individual Cisco lightweight access point, use the config ap mode command.

config ap mode { bridge | flexconnect sensor submode { none | wips | pppoe-only | pppoe-wips} | local submode { none | wips} | reap | rogue | sniffer | se-connect | monitor submode { none | wips} | flex+bridge submode{ none | wips | pppoe-only | pppoe-wips} } cisco_ap

Syntax Description

bridge

Converts from a lightweight access point to a mesh access point (bridge mode).

flexconnect

Enables FlexConnect mode on an access point.

local

Converts from an indoor mesh access point (MAP or RAP) to a nonmesh lightweight access point (local mode).

reap

Enables remote edge access point mode on an access point.

rogue

Enables wired rogue detector mode on an access point.

sniffer

Enables wireless sniffer mode on an access point.

se-connect

Enables flex+bridge mode on an access point.

flex+bridge

Enables spectrum expert mode on an access point.

submode

(Optional) Configures wIPS submode on an access point.

none

Disables the wIPS on an access point.

wips

Enables the wIPS submode on an access point.

pppoe-only

Enables the PPPoE submode on an access point.

pppoe-wips

Enables the PPPoE-wIPS submode on an access point.

sensor

Enables sensor mode for the Cisco AP

cisco_ap

Name of the Cisco lightweight access point.

Command Default

Local

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 The flex+bridge keyword was added.
8.3 This command was modified. The sensor keyword was added.

Usage Guidelines

The sniffer mode captures and forwards all the packets from the clients on that channel to a remote machine that runs AiroPeek or other supported packet analyzer software. It includes information on the timestamp, signal strength, packet size and so on.

Examples

The following example shows how to set the controller to communicate with access point AP91 in bridge mode:


(Cisco Controller) > config ap mode bridge AP91

The following example shows how to set the controller to communicate with access point AP01 in local mode:


(Cisco Controller) > config ap mode local AP01

The following example shows how to set the controller to communicate with access point AP91 in remote office (REAP) mode:


(Cisco Controller) > config ap mode flexconnect AP91

The following example shows how to set the controller to communicate with access point AP91 in a wired rogue access point detector mode:


(Cisco Controller) > config ap mode rogue AP91

The following example shows how to set the controller to communicate with access point AP02 in wireless sniffer mode:

(Cisco Controller) > config ap mode sniffer AP02

config ap monitor-mode

To configure Cisco lightweight access point channel optimization, use the config ap monitor-mode command.

config ap monitor-mode { 802.11b fast-channel | no-optimization | tracking-opt | wips-optimized} cisco_ap

Syntax Description

802.11b fast-channel

Configures 802.11b scanning channels for a monitor-mode access point.

no-optimization

Specifies no channel scanning optimization for the access point.

tracking-opt

Enables tracking optimized channel scanning for the access point.

wips-optimized

Enables wIPS optimized channel scanning for the access point.

cisco_ap

Name of the Cisco lightweight access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a Cisco wireless intrusion prevention system (wIPS) monitor mode on access point AP01:

(Cisco Controller) > config ap monitor-mode wips-optimized AP01

config ap packet-dump

To configure the Packet Capture parameters on access points, use the config ap packet-dump command.

config ap packet-dump { buffer-size Size_in_KB | capture-time Time_in_Min | ftp serverip IP_addr path path username username password password | start MAC_address Cisco_AP | stop | truncate Length_in_Bytes}

config ap packet-dump classifier {{ arp | broadcast | control | data | dot1x | iapp | ip | management | multicast } { enable | disable} | tcp { enable | disable | port TCP_Port { enable | disable} } | udp { enable | disable | port UDP_Port { enable | disable} } }

Syntax Description

buffer-size

Configures the buffer size for Packet Capture in the access point.

Size_in_KB

Size of the buffer. The range is from 1024 to 4096 KB.

capture-time

Configures the timer value for Packet Capture.

Time_in_Min

Timer value for Packet Capture. The range is from 1 to 60 minutes.

ftp

Configures FTP parameters for Packet Capture.

serverip

Configures the FTP server.

IP_addr

IP address of the FTP server.

path path

Configures FTP server path.

username user_ID

Configures the username for the FTP server.

password password

Configures the password for the FTP server.

start

Starts Packet Capture from the access point.

MAC_address

Client MAC Address for Packet Capture.

Cisco_AP

Name of the Cisco access point.

stop

Stops Packet Capture from the access point.

truncate

Truncates the packet to the specified length during Packet Capture.

Length_in_Bytes

Length of the packet after truncation. The range is from 20 to 1500.

classifier

Configures the classifier information for Packet Capture. You can specify the type of packets that needs to be captured.

arp

Captures ARP packets.

enable

Enables capture of ARP, broadcast, 802.11 control, 802.11 data, dot1x, Inter Access Point Protocol (IAPP), IP, 802.11 management, or multicast packets.

disable

Disables capture of ARP, broadcast, 802.11 control, 802.11 data, dot1x, IAPP, IP, 802.11 management, or multicast packets.

broadcast

Captures broadcast packets.

control

Captures 802.11 control packets.

data

Captures 802.11 data packets.

dot1x

Captures dot1x packets.

iapp

Captures IAPP packets.

ip

Captures IP packets.

management

Captures 802.11 management packets.

multicast

Captures multicast packets.

tcp

Captures TCP packets.

TCP_Port

TCP port number. The range is from 1 to 65535.

udp

Captures UDP packets.

UDP_Port

UDP port number. The range is from 1 to 65535.

ftp

Configures FTP parameters for Packet Capture.

server_ip

FTP server IP address.

Command Default

The default buffer size is 2 MB. The default capture time is 10 minutes.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

8.8 This command is not supported for Cisco Wave 2 APs. For more information, see CSCvj19314.

Usage Guidelines

Packet Capture does not work during intercontroller roaming.

The controller does not capture packets created in the radio firmware and sent out of the access point, such as a beacon or probe response. Only packets that flow through the Radio driver in the Tx path will be captured.

Use the command config ap packet-dump start to start the Packet Capture from the access point. When you start Packet Capture, the controller sends a Control and Provisioning of Wireless Access Points protocol (CAPWAP) message to the access point to which the client is associated and captures packets. You must configure the FTP server and ensure that the client is associated to the access point before you start Packet Capture. If the client is not associated to the access point, you must specify the name of the access point.

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to start Packet Capture from an access point:


(Cisco Controller) >config ap packet-dump start 00:0d:28:f4:c0:45 AP1

The following example shows how to capture 802.11 control packets from an access point:


(Cisco Controller) >config ap packet-dump classifier control enable

config ap port

To configure the port for a foreign access point, use the config ap port command.

config ap port MAC port

Syntax Description

MAC

Foreign access point MAC address.

port

Port number for accessing the foreign access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the port for a foreign access point MAC address:

(Cisco Controller) > config ap port 12:12:12:12:12:12 20

config ap power injector

To configure the power injector state for an access point, use the config ap power injector command.

config ap power injector { enable | disable} { cisco_ap | all} { installed | override | switch_MAC}

Syntax Description

enable

Enables the power injector state for an access point.

disable

Disables the power injector state for an access point.

cisco_ap

Name of the Cisco lightweight access point.

all

Specifies all Cisco lightweight access points connected to the controller.

installed

Detects the MAC address of the current switch port that has a power injector.

override

Overrides the safety checks and assumes a power injector is always installed.

switch_MAC

MAC address of the switch port with an installed power injector.


Note


If an access point is itself named all, the keyword all is still interpreted as all access points and takes precedence over the access point with that name.


Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the power injector state for all access points:

(Cisco Controller) > config ap power injector enable all 12:12:12:12:12:12

config ap power pre-standard

To enable or disable the inline power Cisco pre-standard switch state for an access point, use the config ap power pre-standard command.

config ap power pre-standard { enable | disable} cisco_ap

Syntax Description

enable

Enables the inline power Cisco pre-standard switch state for an access point.

disable

Disables the inline power Cisco pre-standard switch state for an access point.

cisco_ap

Name of the Cisco lightweight access point.

Command Default

Disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the inline power Cisco pre-standard switch state for access point AP02:


(Cisco Controller) > config ap power pre-standard enable AP02

config ap primary-base

To set the Cisco lightweight access point primary controller, use the config ap primary-base command.

config ap primary-base controller_name Cisco_AP [ controller_ip_address ]

Syntax Description

controller_name

Name of the controller.

Cisco_AP

Cisco lightweight access point name.

controller_ip_address

(Optional) If the backup controller is outside the mobility group to which the access point is connected, then you need to provide the IP address of the primary, secondary, or tertiary controller.

Note

 

For OfficeExtend access points, you must enter both the name and IP address of the controller. Otherwise, the access point cannot join this controller.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

The Cisco lightweight access point associates with this controller for all network operations and in the event of a hardware reset.

OfficeExtend access points do not use the generic broadcast or over-the-air (OTAP) discovery process to find a controller. You must configure one or more controllers because OfficeExtend access points try to connect only to their configured controllers.

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to set an access point primary controller IPv4 address for a Cisco AP:

 (Cisco Controller) > config ap primary-base SW_1 AP2 10.0.0.0 

The following example shows how to set an access point primary controller IPv6 address for a Cisco AP:

 (Cisco Controller) > config ap primary-base SW_1 AP2 2001:DB8:0:1::1 

config ap priority

To assign a priority designation to an access point that allows it to reauthenticate after a controller failure by priority rather than on a first-come-until-full basis, use the config ap priority command.

config ap priority { 1 | 2 | 3 | 4} cisco_ap

Syntax Description

1

Specifies low priority.

2

Specifies medium priority.

3

Specifies high priority.

4

Specifies the highest (critical) priority.

cisco_ap

Cisco lightweight access point name.

Command Default

1 - Low priority.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

In a failover situation, if the backup controller does not have enough ports to allow all the access points in the affected area to reauthenticate, it gives priority to higher-priority access points over lower-priority ones, even if it means replacing lower-priority access points.

Examples

The following example shows how to assign a priority designation to access point AP02 that allows it to reauthenticate after a controller failure by assigning a reauthentication priority 3:


(Cisco Controller) > config ap priority 3 AP02

config ap reset

To reset a Cisco lightweight access point, use the config ap reset command.

config ap reset cisco_ap

Syntax Description

cisco_ap

Cisco lightweight access point name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to reset an access point:


(Cisco Controller) > config ap reset AP2

config ap reporting-period

To reset a Cisco lightweight access point reporting period, use the config ap reporting-period command.

config ap reporting-period period

Syntax Description

period

Time period in seconds between 10 and 120.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to reset an access point reporting period to 120 seconds:


> config ap reporting-period 120

config ap retransmit count

To configure the access point control packet retransmission count, use the config ap retransmit count command.

config ap retransmit count count { all | cisco_ap}

Syntax Description

count

Number of times control packet will be retransmitted. The range is from 3 to 8.

all

Specifies all access points.

cisco_ap

Cisco lightweight access point name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the retransmission retry count for a specific access point:


(Cisco Controller) > config ap retransmit count 6 cisco_ap

config ap retransmit interval

To configure the access point control packet retransmission interval, use the config ap retransmit interval command.

config ap retransmit interval seconds { all | cisco_ap}

Syntax Description

seconds

AP control packet retransmission timeout between 2 and 5 seconds.

all

Specifies all access points.

cisco_ap

Cisco lightweight access point name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the retransmission interval for all access points globally:


(Cisco Controller) > config ap retransmit interval 4 all

config ap role

To specify the role of an access point in a mesh network, use the config ap role command.

config ap role { rootAP | meshAP} cisco_ap

Syntax Description

rootAP

Designates the mesh access point as a root access point (RAP).

meshAP

Designates the mesh access point as a mesh access point (MAP).

cisco_ap

Name of the Cisco lightweight access point.

Command Default

meshAP.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the meshAP keyword if the access point has a wireless connection to the controller, or use the rootAP keyword if the access point has a wired connection to the controller. If you change the role of the AP, the AP will be rebooted.

Examples

The following example shows how to designate mesh access point AP02 as a root access point:


(Cisco Controller) > config ap role rootAP AP02
Changing the AP's role will cause the AP to reboot.
Are you sure you want to continue? (y/n)

config ap rst-button

To configure the Reset button for an access point, use the config ap rst-button command.

config ap rst-button { enable | disable} cisco_ap

Syntax Description

enable

Enables the Reset button for an access point.

disable

Disables the Reset button for an access point.

cisco_ap

Name of the Cisco lightweight access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the Reset button for access point AP03:


(Cisco Controller) > config ap rst-button enable AP03

config ap secondary-base

To set the Cisco lightweight access point secondary controller, use the config ap secondary-base command.

config ap secondary-base Controller_name Cisco_AP [ Controller_IP_address]

Syntax Description

controller_name

Name of the controller.

Cisco_AP

Cisco lightweight access point name.

Controller_IP_address

(Optional) If the backup controller is outside the mobility group to which the access point is connected, then you need to provide the IP address of the primary, secondary, or tertiary controller.

Note

 

For OfficeExtend access points, you must enter both the name and IP address of the controller. Otherwise, the access point cannot join this controller.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

The Cisco lightweight access point associates with this controller for all network operations and in the event of a hardware reset.

OfficeExtend access points do not use the generic broadcast or over-the-air (OTAP) discovery process to find a controller. You must configure one or more controllers because OfficeExtend access points try to connect only to their configured controllers.

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to set an access point secondary controller:


(Cisco Controller) > config ap secondary-base SW_1 AP2 10.0.0.0
			

The following example shows how to set an access point secondary controller IPv6 address for a Cisco AP:


(Cisco Controller) > config ap secondary-base SW_1 AP2 2001:DB8:0:1::1

config ap sniff

To enable or disable sniffing on an access point, use the config ap sniff command.

config ap sniff { 802.11a | 802.11b } { enable channel server_ip | disable } cisco_ap

Syntax Description

802.11a

Specifies the 802.11a network.

802.11b

Specifies the 802.11b network.

enable

Enables sniffing on an access point.

channel

Channel to be sniffed.

server_ip

IP address of the remote machine running Omnipeek, Airopeek, AirMagnet, or Wireshark software.

disable

Disables sniffing on an access point.

cisco_ap

Access point configured as the sniffer.

Command Default

Channel 36.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When the sniffer feature is enabled on an access point, it starts sniffing the signal on the given channel. It captures and forwards all the packets to the remote computer that runs Omnipeek, Airopeek, AirMagnet, or Wireshark software. It includes information on the timestamp, signal strength, packet size and so on.

Before an access point can act as a sniffer, a remote computer that runs one of the listed packet analyzers must be set up so that it can receive packets sent by the access point. After the Airopeek installation, copy the following .dll files to the location where Airopeek is installed:

  • socket.dll file to the Plug-ins folder (for example, C:\Program Files\WildPackets\AiroPeek\Plugins)

  • socketres.dll file to the PluginRes folder (for example, C:\Program Files\WildPackets\AiroPeek\1033\PluginRes)

Examples

The following example shows how to enable sniffing on the 802.11a network of an access point from the primary controller:

 (Cisco Controller) > config ap sniff 802.11a enable 23 11.22.44.55 AP01 

config ap ssh

To enable Secure Shell (SSH) connectivity on an access point, use the config ap ssh command.

config ap ssh { enable | disable | default} cisco_ap | all

Syntax Description

enable

Enables the SSH connectivity on an access point.

disable

Disables the SSH connectivity on an access point.

default

Replaces the specific SSH configuration of an access point with the global SSH configuration.

cisco_ap

Cisco access point name.

all

All access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The Cisco lightweight access point associates with this Cisco wireless LAN controller for all network operation and in the event of a hardware reset.

Examples

The following example shows how to enable SSH connectivity on access point Cisco_ap2:


> config ap ssh enable cisco_ap2

config ap static-ip

To configure static IP address settings on a Cisco lightweight access point, use the config ap static-ip command.

config ap static-ip { enable Cisco_AP AP_IP_addr IP_netmask/prefix_length gateway | disable Cisco_AP | add { domain { Cisco_AP | all} domain_name | nameserver { Cisco_AP | all} nameserver-ip} | delete { domain | nameserver} { Cisco_AP | all}}

Syntax Description

enable

Enables the Cisco lightweight access point static IP address.

disable

Disables the Cisco lightweight access point static IP address. The access point uses DHCP to get the IP address.

Cisco_AP

Cisco lightweight access point name.

AP_IP_addr

Cisco lightweight access point IP address

IP_netmask/prefix_length

Cisco lightweight access point network mask.

gateway

IP address of the Cisco lightweight access point gateway.

add

Adds a domain or DNS server.

domain

Specifies the domain to which a specific access point or all access points belong.

all

Specifies all access points.

domain_name

Specifies a domain name.

nameserver

Specifies a DNS server so that a specific access point or all access points can discover the controller using DNS resolution.

nameserver-ip

DNS server IP address.

delete

Deletes a domain or DNS server.


Note


If an access point is itself configured with the name all, the keyword all is interpreted as all access points, and that case takes precedence over the access point named all.


Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

An access point cannot discover the controller using Domain Name System (DNS) resolution if a static IP address is configured for the access point, unless you specify a DNS server and the domain to which the access point belongs.

After you enter the IPv6 address, prefix length, and IPv6 gateway address, the CAPWAP tunnel restarts for the access point. Changing the AP's IP address will cause the AP to disjoin. After the access point rejoins the controller, you can enter the domain and IPv6 DNS server information.

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure a static IP address on an access point:


(Cisco Controller) >config ap static-ip enable AP2 209.165.200.225 255.255.255.0 209.165.200.254

The following example shows how to configure a static IPv6 address on an access point:


(Cisco Controller) > config ap static-ip enable AP2 2001:DB8:0:1::1

config ap stats-timer

To set the time in seconds that the Cisco lightweight access point sends its DOT11 statistics to the Cisco wireless LAN controller, use the config ap stats-timer command.

config ap stats-timer period cisco_ap

Syntax Description

period

Time in seconds from 0 to 65535. A zero value disables the timer.

cisco_ap

Cisco lightweight access point name.

Command Default

The default value is 0 (disabled state).

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

A value of 0 (zero) means that the Cisco lightweight access point does not send any DOT11 statistics. The acceptable range for the timer is from 0 to 65535 seconds, and the Cisco lightweight access point must be disabled to set this value.

Examples

The following example shows how to set the stats timer to 600 seconds for access point AP2:


(Cisco Controller) > config ap stats-timer 600 AP2

config ap syslog host global

To configure a global syslog server for all access points that join the controller, use the config ap syslog host global command.

config ap syslog host global ip_address

Syntax Description

ip_address

IPv4/IPv6 address of the syslog server.

Command Default

The default value of the IPv4 address of the syslog server is 255.255.255.255.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

By default, the global syslog server IP address for all access points is 255.255.255.255. Make sure that the access points can reach the subnet on which the syslog server resides before configuring the syslog server on the controller. If the access points cannot reach this subnet, the access points are unable to send out syslog messages.

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure a global syslog server, using IPv4 address, for all access points:


(Cisco Controller) > config ap syslog host global 255.255.255.255

The following example shows how to configure a global syslog server, using IPv6 address, for all access points:


(Cisco Controller) > config ap syslog host global  2001:9:10:56::100

config ap syslog host specific

To configure a syslog server for a specific access point, use the config ap syslog host specific command.

config ap syslog host specific ap_name ip_address

Syntax Description

ap_name

Cisco lightweight access point.

ip_address

IPv4/IPv6 address of the syslog server.

Command Default

The default value of the syslog server IP address is 0.0.0.0.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

By default, the syslog server IP address for each access point is 0.0.0.0, indicating that it is not yet set. When the default value is used, the global access point syslog server IP address is pushed to the access point.

This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure a syslog server:


(Cisco Controller) >config ap syslog host specific 0.0.0.0

The following example shows how to configure a syslog server for a specific AP, using IPv6 address:


(Cisco Controller) > config ap syslog host specific AP3600 2001:9:10:56::100

config ap tcp-mss-adjust

To enable or disable the TCP maximum segment size (MSS) on a particular access point or on all access points, use the config ap tcp-mss-adjust command.

config ap tcp-mss-adjust { enable | disable} { cisco_ap | all} size

Syntax Description

enable

Enables the TCP maximum segment size on an access point.

disable

Disables the TCP maximum segment size on an access point.

cisco_ap

Cisco access point name.

all

Specifies all access points.

size

Maximum segment size.

  • IPv4—Specify a value between 536 and 1363.
  • IPv6—Specify a value between 1220 and 1331.

    Note

     
    Any TCP MSS value that is below 1220 or above 1331 will not be effective for a CAPWAP v6 AP.

Note


If an access point is itself configured with the name all, the keyword all is interpreted as all access points, and that case takes precedence over the access point named all.


Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv6.

Usage Guidelines

When you enable this feature, the access point checks for TCP packets to and from wireless clients in its data path. If the MSS of these packets is greater than the value that you configured or greater than the default value for the CAPWAP tunnel, the access point changes the MSS to the new configured value.

Examples

This example shows how to enable the TCP MSS on access point cisco_ap1 with a segment size of 1200 bytes:


(Cisco Controller) > config ap tcp-mss-adjust enable cisco_ap1 1200
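
The behavior described in the usage guidelines above is generally known as MSS clamping. The code below is an added illustration of that general technique on an IPv4 TCP SYN, not Cisco's access point code; the function names, addresses, and ports are constructed for the example. It relies on the fact that the MSS option is only carried in SYN segments, so every other segment passes through unchanged.

```python
import ipaddress
import struct


def _fold(total):
    """Fold carries back in until the one's-complement sum fits in 16 bits."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src, dst, segment):
    """IPv4 TCP checksum over pseudo-header + segment.

    With the checksum field zeroed this returns the value to store;
    over a segment whose checksum is already correct it returns 0.
    """
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment + b"\x00" * (len(segment) % 2)
    return ~_fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF


def build_syn(src, dst, mss):
    """Constructed sample: a 24-byte SYN whose only option is MSS (kind 2, len 4)."""
    hdr = struct.pack("!HHIIBBHHH", 49152, 443, 1000, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = hdr + struct.pack("!BBH", 2, 4, mss)
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


def _rewrite(seg, pos, new):
    """Overwrite bytes at pos and patch the TCP checksum incrementally (RFC 1624)."""
    start, end = pos & ~1, (pos + len(new) + 1) & ~1   # 16-bit words touched
    count = (end - start) // 2
    old_words = struct.unpack_from(f"!{count}H", seg, start)
    seg[pos:pos + len(new)] = new
    new_words = struct.unpack_from(f"!{count}H", seg, start)
    (csum,) = struct.unpack_from("!H", seg, 16)
    total = ~csum & 0xFFFF
    for old, cur in zip(old_words, new_words):
        total += (~old & 0xFFFF) + cur
    struct.pack_into("!H", seg, 16, ~_fold(total) & 0xFFFF)


def clamp_mss(segment, limit):
    """Lower the MSS option of a TCP SYN to `limit` if it is larger."""
    if len(segment) < 20:
        return segment
    hdr_len = (segment[12] >> 4) * 4
    if not segment[13] & 0x02 or hdr_len < 20 or hdr_len > len(segment):
        return segment                       # not a SYN, or a bad data offset
    seg = bytearray(segment)
    i = 20
    while i < hdr_len:
        kind = seg[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP padding, one byte
            i += 1
            continue
        if i + 1 >= hdr_len or seg[i + 1] < 2 or i + seg[i + 1] > hdr_len:
            break                            # truncated or malformed option
        if kind == 2 and seg[i + 1] == 4:
            (mss,) = struct.unpack_from("!H", seg, i + 2)
            if mss > limit:
                _rewrite(seg, i + 2, struct.pack("!H", limit))
        i += seg[i + 1]
    return bytes(seg)


if __name__ == "__main__":
    src, dst = "192.0.2.10", "198.51.100.20"   # constructed documentation addresses
    syn = build_syn(src, dst, 1460)
    out = clamp_mss(syn, 1363)                 # 1363 is the IPv4 upper bound above
    print("MSS", struct.unpack_from("!H", syn, 22)[0], "->",
          struct.unpack_from("!H", out, 22)[0],
          "checksum valid:", tcp_checksum(src, dst, out) == 0)
```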

config ap telnet

To enable Telnet connectivity on an access point, use the config ap telnet command.

config ap telnet { enable | disable | default } cisco_ap | all

Syntax Description

enable

Enables the Telnet connectivity on an access point.

disable

Disables the Telnet connectivity on an access point.

default

Replaces the specific Telnet configuration of an access point with the global Telnet configuration.

cisco_ap

Cisco access point name.

all

All access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

  • The Cisco lightweight access point associates with this controller for all network operation and in the event of a hardware reset.

  • Telnet is not supported on Cisco Aironet 1810 OEAP, 1810W, 1830, 1850, 2800, and 3800 Series APs.

Examples

The following example shows how to enable Telnet connectivity on access point cisco_ap1:

 (Cisco Controller) >config ap telnet enable cisco_ap1 

The following example shows how to disable Telnet connectivity on access point cisco_ap1:

 (Cisco Controller) > config ap telnet disable cisco_ap1 
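
The ranges and defaults documented for the config ap commands above can be checked mechanically before a change script is applied to a controller. The following is an added example, not Cisco code: the function names, severity labels, and sample lines are assumptions made for illustration, and the Telnet warning reflects the fact that Telnet is unencrypted rather than anything the controller itself reports.

```python
import ipaddress

# Limits exactly as this command reference states them.
RANGES = {
    ("retransmit", "count"): (3, 8),
    ("retransmit", "interval"): (2, 5),
    ("reporting-period",): (10, 120),
    ("stats-timer",): (0, 65535),
    ("priority",): (1, 4),
}
MSS_V4 = (536, 1363)    # tcp-mss-adjust size, IPv4
MSS_V6 = (1220, 1331)   # tcp-mss-adjust size, IPv6 (CAPWAP v6 APs)


def _within(raw, bounds):
    """True if raw is a decimal integer inside the inclusive bounds."""
    return raw.isascii() and raw.isdigit() and bounds[0] <= int(raw) <= bounds[1]


def audit_line(line):
    """Return [(severity, message), ...] for one controller CLI line."""
    cmd = line.split(">", 1)[-1].split()   # drop a "(Cisco Controller) >" prompt
    if cmd[:2] != ["config", "ap"]:
        return []
    args, out = cmd[2:], []

    # Simple numeric parameters: the value follows the keyword(s).
    for key, bounds in RANGES.items():
        if tuple(args[:len(key)]) == key:
            raw = args[len(key)] if len(args) > len(key) else ""
            if not _within(raw, bounds):
                out.append(("error", f"{' '.join(key)} value {raw!r} is outside "
                                     f"{bounds[0]}-{bounds[1]}"))

    if args[:2] == ["telnet", "enable"]:
        out.append(("warn", "Telnet enabled on " + " ".join(args[2:]) +
                            "; Telnet is unencrypted, prefer config ap ssh"))

    if args[:2] == ["tcp-mss-adjust", "enable"]:
        raw = args[3] if len(args) > 3 else ""
        if not _within(raw, MSS_V4):
            out.append(("error", f"MSS {raw!r} is outside 536-1363"))
        elif not _within(raw, MSS_V6):
            out.append(("info", f"MSS {raw} is accepted for IPv4 but is not "
                                "effective on a CAPWAP v6 AP (1220-1331)"))

    if args[:2] == ["syslog", "host"] and len(args) > 3:
        scope, host = args[2], args[-1]
        try:
            ipaddress.ip_address(host)
        except ValueError:
            out.append(("error", f"{host!r} is not an IPv4/IPv6 address"))
        else:
            if scope == "global" and host == "255.255.255.255":
                out.append(("warn", "global syslog host is still the default "
                                    "255.255.255.255"))
            if scope == "specific" and host == "0.0.0.0":
                out.append(("info", "AP syslog host not set; the global syslog "
                                    "host is pushed to the AP"))
    return out


def audit(lines):
    """Audit many lines; return [(line_number, severity, message), ...]."""
    return [(n, sev, msg) for n, line in enumerate(lines, 1)
            for sev, msg in audit_line(line)]


# Constructed sample change script (not taken from a real controller).
SAMPLE = [
    "(Cisco Controller) > config ap telnet enable cisco_ap1",
    "(Cisco Controller) > config ap ssh enable cisco_ap1",
    "(Cisco Controller) > config ap tcp-mss-adjust enable cisco_ap1 1200",
    "(Cisco Controller) > config ap tcp-mss-adjust enable all 1400",
    "(Cisco Controller) > config ap retransmit count 9 all",
    "(Cisco Controller) > config ap retransmit interval 4 all",
    "(Cisco Controller) > config ap syslog host global 255.255.255.255",
    "(Cisco Controller) > config ap syslog host specific AP3600 2001:9:10:56::100",
    "(Cisco Controller) > config ap priority 3 AP02",
]

if __name__ == "__main__":
    for number, severity, message in audit(SAMPLE):
        print(f"line {number}: {severity}: {message}")
```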

config ap tertiary-base

To set the Cisco lightweight access point tertiary controller, use the config ap tertiary-base command.

config ap tertiary-base controller_name Cisco_AP [ controller_ip_address]

Syntax Description

controller_name

Name of the controller.

Cisco_AP

Cisco lightweight access point name.

controller_ip_address

(Optional) If the backup controller is outside the mobility group to which the access point is connected, then you need to provide the IP address of the primary, secondary, or tertiary controller.

Note

 

For OfficeExtend access points, you must enter both the name and IP address of the controller. Otherwise, the access point cannot join this controller.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

OfficeExtend access points do not use the generic broadcast or over-the-air (OTAP) discovery process to find a controller. You must configure one or more controllers because OfficeExtend access points try to connect only to their configured controllers.

The Cisco lightweight access point associates with this controller for all network operations and in the event of a hardware reset.

This command supports both IPv4 and IPv6 address formats.

Examples

This example shows how to set the access point tertiary controller:


(Cisco Controller) > config ap tertiary-base SW_1 AP02 10.0.0.0

The following example shows how to set an access point tertiary controller IPv6 address for a Cisco AP:


(Cisco Controller) > config ap tertiary-base SW_1 AP2 2001:DB8:0:1::1

config ap tftp-downgrade

To configure the settings used for downgrading a lightweight access point to an autonomous access point, use the config ap tftp-downgrade command.

config ap tftp-downgrade tftp_ip_address filename Cisco_AP

Syntax Description

tftp_ip_address

IP address of the TFTP server.

filename

Filename of the access point image file on the TFTP server.

Cisco_AP

Access point name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure the settings for downgrading access point ap1240_102301:


(Cisco Controller) >config ap tftp-downgrade 209.165.200.224 1238.tar ap1240_102301

config ap username

To assign a username and password to access either a specific access point or all access points, use the config ap username command.

config ap username user_id password passwd [ all | ap_name]

Syntax Description

user_id

Administrator username.

passwd

Administrator password.

all

(Optional) Specifies all access points.

ap_name

Name of a specific access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to assign a username and password to a specific access point:


(Cisco Controller) > config ap username jack password blue la204

The following example shows how to assign the same username and password to all access points:


(Cisco Controller) > config ap username jack password blue all

config ap venue

To configure the venue information for 802.11u network on an access point, use the config ap venue command.

config ap venue { add venue_name venue_group venue_type lang_code cisco_ap | delete}

Syntax Description

add

Adds venue information.

venue_name

Venue name.

venue_group

Venue group category. See the table below for details on venue group mappings.

venue_type

Venue type. This value depends on the venue-group specified. See the table below for venue group mappings.

lang_code

Language used. An ISO-14962-1997 encoded string that defines the language. This string is a three character language code. Enter the first three letters of the language in English (for example, eng for English).

cisco_ap

Name of the access point.

delete

Deletes venue information.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the venue details for an access point named cisco-ap1:

(Cisco Controller) > config ap venue add test 11 34 eng cisco-ap1

This table lists the different venue types for each venue group.

Table 2. Venue Group Mapping

Venue Group Name | Value | Venue Type for Group
UNSPECIFIED | 0 |
ASSEMBLY | 1 | 0—UNSPECIFIED ASSEMBLY; 1—ARENA; 2—STADIUM; 3—PASSENGER TERMINAL (E.G., AIRPORT, BUS, FERRY, TRAIN STATION); 4—AMPHITHEATER; 5—AMUSEMENT PARK; 6—PLACE OF WORSHIP; 7—CONVENTION CENTER; 8—LIBRARY; 9—MUSEUM; 10—RESTAURANT; 11—THEATER; 12—BAR; 13—COFFEE SHOP; 14—ZOO OR AQUARIUM; 15—EMERGENCY COORDINATION CENTER
BUSINESS | 2 | 0—UNSPECIFIED BUSINESS; 1—DOCTOR OR DENTIST OFFICE; 2—BANK; 3—FIRE STATION; 4—POLICE STATION; 6—POST OFFICE; 7—PROFESSIONAL OFFICE; 8—RESEARCH AND DEVELOPMENT FACILITY; 9—ATTORNEY OFFICE
EDUCATIONAL | 3 | 0—UNSPECIFIED EDUCATIONAL; 1—SCHOOL, PRIMARY; 2—SCHOOL, SECONDARY; 3—UNIVERSITY OR COLLEGE
FACTORY-INDUSTRIAL | 4 | 0—UNSPECIFIED FACTORY AND INDUSTRIAL; 1—FACTORY
INSTITUTIONAL | 5 | 0—UNSPECIFIED INSTITUTIONAL; 1—HOSPITAL; 2—LONG-TERM CARE FACILITY (E.G., NURSING HOME, HOSPICE, ETC.); 3—ALCOHOL AND DRUG RE-HABILITATION CENTER; 4—GROUP HOME; 5—PRISON OR JAIL
MERCANTILE | 6 | 0—UNSPECIFIED MERCANTILE; 1—RETAIL STORE; 2—GROCERY MARKET; 3—AUTOMOTIVE SERVICE STATION; 4—SHOPPING MALL; 5—GAS STATION
RESIDENTIAL | 7 | 0—UNSPECIFIED RESIDENTIAL; 1—PRIVATE RESIDENCE; 2—HOTEL OR MOTEL; 3—DORMITORY; 4—BOARDING HOUSE
STORAGE | 8 | UNSPECIFIED STORAGE
UTILITY-MISC | 9 | 0—UNSPECIFIED UTILITY AND MISCELLANEOUS
VEHICULAR | 10 | 0—UNSPECIFIED VEHICULAR; 1—AUTOMOBILE OR TRUCK; 2—AIRPLANE; 3—BUS; 4—FERRY; 5—SHIP OR BOAT; 6—TRAIN; 7—MOTOR BIKE
OUTDOOR | 11 | 0—UNSPECIFIED OUTDOOR; 1—MUNI-MESH NETWORK; 2—CITY PARK; 3—REST AREA; 4—TRAFFIC CONTROL; 5—BUS STOP; 6—KIOSK

config ap wlan

To enable or disable wireless LAN override for a Cisco lightweight access point radio, use the config ap wlan command.

config ap wlan { enable | disable} { 802.11a | 802.11b} wlan_id cisco_ap

Syntax Description

enable

Enables the wireless LAN override on an access point.

disable

Disables the wireless LAN override on an access point.

802.11a

Specifies the 802.11a network.

802.11b

Specifies the 802.11b network.

wlan_id

Cisco wireless LAN controller ID assigned to a wireless LAN.

cisco_ap

Cisco lightweight access point name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable wireless LAN override on the AP03 802.11a radio:


(Cisco Controller) > config ap wlan 802.11a AP03

Configure Band-Select Commands

Use the config band-select command to configure the band selection feature on the controller.

config band-select cycle-count

To set the band select probe cycle count, use the config band-select cycle-count command.

config band-select cycle-count count

Syntax Description

count

Value for the cycle count between 1 and 10.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the probe cycle count for band select to 8:


(Cisco Controller) > config band-select cycle-count 8

config band-select cycle-threshold

To set the time threshold for a new scanning cycle, use the config band-select cycle-threshold command.

config band-select cycle-threshold threshold

Syntax Description

threshold

Value for the cycle threshold between 1 and 1000 milliseconds.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the time threshold for a new scanning cycle with threshold value of 700 milliseconds:


(Cisco Controller) > config band-select cycle-threshold 700

config band-select expire

To set the entry expiration time for band select, use the config band-select expire command.

config band-select expire { suppression | dual-band} seconds

Syntax Description

suppression

Sets the suppression expiration time for band select.

dual-band

Sets the dual-band expiration time for band select.

seconds

  • Value for suppression between 10 and 200 seconds.

  • Value for dual-band between 10 and 300 seconds.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the suppression expire to 70 seconds:


(Cisco Controller) > config band-select expire suppression 70

config band-select client-rssi

To set the client received signal strength indicator (RSSI) threshold for band select, use the config band-select client-rssi command.

config band-select client-rssi rssi

Syntax Description

rssi

Minimum client RSSI, in dBm, required to respond to a probe, between 20 and 90.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the RSSI threshold for band select to 70:


(Cisco Controller) > config band-select client-rssi 70

Configure Client Commands

Use the config client commands to configure client settings.

config client ccx clear-reports

To clear the client reporting information, use the config client ccx clear-reports command.

config client ccx clear-reports client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the reporting information of the client MAC address 00:1f:ca:cf:b6:60:

(Cisco Controller) >config client ccx clear-reports 00:1f:ca:cf:b6:60

config client ccx clear-results

To clear the test results on the controller, use the config client ccx clear-results command.

config client ccx clear-results client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the test results of the client MAC address 00:1f:ca:cf:b6:60:

(Cisco Controller) >config client ccx clear-results 00:1f:ca:cf:b6:60

config client ccx default-gw-ping

To send a request to the client to perform the default gateway ping test, use the config client ccx default-gw-ping command.

config client ccx default-gw-ping client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This test does not require the client to use the diagnostic channel.

Examples

The following example shows how to send a request to the client 00:0b:85:02:0d:20 to perform the default gateway ping test:

(Cisco Controller) >config client ccx default-gw-ping 00:0b:85:02:0d:20

config client ccx dhcp-test

To send a request to the client to perform the DHCP test, use the config client ccx dhcp-test command.

config client ccx dhcp-test client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

 This test does not require the client to use the diagnostic channel.

Examples

The following example shows how to send a request to the client 00:E0:77:31:A3:55 to perform the DHCP test:

(Cisco Controller) >config client ccx dhcp-test 00:E0:77:31:A3:55

config client ccx dns-ping

To send a request to the client to perform the Domain Name System (DNS) server IP address ping test, use the config client ccx dns-ping command.

config client ccx dns-ping client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This test does not require the client to use the diagnostic channel.

Examples

The following example shows how to send a request to a client to perform the DNS server IP address ping test:

(Cisco Controller) >config client ccx dns-ping 00:E0:77:31:A3:55

config client ccx dns-resolve

To send a request to the client to perform the Domain Name System (DNS) resolution test to the specified hostname, use the config client ccx dns-resolve command.

config client ccx dns-resolve client_mac_address host_name

Syntax Description

client_mac_address

MAC address of the client.

host_name

Hostname of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This test does not require the client to use the diagnostic channel.

Examples

The following example shows how to send a request to the client 00:E0:77:31:A3:55 to perform the DNS name resolution test to the specified hostname:

(Cisco Controller) >config client ccx dns-resolve 00:E0:77:31:A3:55 host_name

config client ccx get-client-capability

To send a request to the client to send its capability information, use the config client ccx get-client-capability command.

config client ccx get-client-capability client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client 172.19.28.40 to send its capability information:

(Cisco Controller) >config client ccx get-client-capability 172.19.28.40

config client ccx get-manufacturer-info

To send a request to the client to send the manufacturer’s information, use the config client ccx get-manufacturer-info command.

config client ccx get-manufacturer-info client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client 172.19.28.40 to send the manufacturer’s information:

(Cisco Controller) >config client ccx get-manufacturer-info 172.19.28.40

config client ccx get-operating-parameters

To send a request to the client to send its current operating parameters, use the config client ccx get-operating-parameters command.

config client ccx get-operating-parameters client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client 172.19.28.40 to send its current operating parameters:

(Cisco Controller) >config client ccx get-operating-parameters 172.19.28.40

config client ccx get-profiles

To send a request to the client to send its profiles, use the config client ccx get-profiles command.

config client ccx get-profiles client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client 172.19.28.40 to send its profile details:

(Cisco Controller) >config client ccx get-profiles 172.19.28.40

config client ccx log-request

To configure a Cisco client eXtension (CCX) log request for a specified client device, use the config client ccx log-request command.

config client ccx log-request { roam | rsna | syslog} client_mac_address

Syntax Description

roam

(Optional) Requests the client CCX roaming log.

rsna

(Optional) Requests the client CCX RSNA log.

syslog

(Optional) Requests the client CCX system log.

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to request the client CCX system log:

(Cisco Controller) >config client ccx log-request syslog 00:40:96:a8:f7:98
Tue Oct 05 13:05:21 2006
SysLog Response LogID=1: Status=Successful
Event Timestamp=121212121212
Client SysLog = 'This is a test syslog 2'
Event Timestamp=121212121212
Client SysLog = 'This is a test syslog 1'
Tue Oct 05 13:04:04 2006
SysLog Request LogID=1

The following example shows how to specify the client CCX roaming log:

(Cisco Controller) >config client ccx log-request roam 00:40:96:a8:f7:98
Thu Jun 22 11:55:14 2006
Roaming Response LogID=20: Status=Successful
Event Timestamp=121212121212
Source BSSID=00:40:96:a8:f7:98, Target BSSID=00:0b:85:23:26:70,
Transition Time=100(ms)
Transition Reason: Unspecified Transition Result: Success
Thu Jun 22 11:55:04 2006
Roaming Request LogID=20
Thu Jun 22 11:54:54 2006
Roaming Response LogID=19: Status=Successful
Event Timestamp=121212121212
Source BSSID=00:40:96:a8:f7:98, Target BSSID=00:0b:85:23:26:70,
Transition Time=100(ms)
Transition Reason: Unspecified Transition Result: Success
Thu Jun 22 11:54:33 2006  Roaming Request LogID=19

The following example shows how to specify the client CCX RSNA log:

(Cisco Controller) >config client ccx log-request rsna 00:40:96:a8:f7:98
Tue Oct 05 11:06:48 2006
RSNA Response LogID=2: Status=Successful
Event Timestamp=242424242424
Target BSSID=00:0b:85:23:26:70
RSNA Version=1
Group Cipher Suite=00-x0f-ac-01
Pairwise Cipher Suite Count = 2
Pairwise Cipher Suite 0 = 00-0f-ac-02
Pairwise Cipher Suite 1 = 00-0f-ac-04
AKM Suite Count = 2
KM Suite 0 = 00-0f-ac-01
KM Suite 1 = 00-0f-ac-02
SN Capability = 0x1
PMKID Count = 2
PMKID 0 = 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16
PMKID 1 = 0a 0b 0c 0d 0e 0f 17 18 19 20 1a 1b 1c 1d 1e 1f
802.11i Auth Type: EAP_FAST
RSNA Result: Success
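
The RSNA response above reports cipher and AKM suites as raw selectors. The following added example (not part of the Cisco reference) decodes them and flags deprecated ciphers; the suite-type names come from IEEE 802.11, the function names are illustrative, and the sample is the page's own output as printed.

```python
import re

# Suite types under the IEEE 802.11 OUI 00-0f-ac (from the standard, not from this page).
CIPHERS = {0x00: "use-group-cipher", 0x01: "WEP-40", 0x02: "TKIP",
           0x04: "CCMP-128", 0x05: "WEP-104"}
AKMS = {0x01: "802.1X", 0x02: "PSK"}
WEAK_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}

# The RSNA response from the example above, copied as printed,
# including the stray "x" in the group selector and the "KM Suite" labels.
SAMPLE = """\
Tue Oct 05 11:06:48 2006
RSNA Response LogID=2: Status=Successful
Event Timestamp=242424242424
Target BSSID=00:0b:85:23:26:70
RSNA Version=1
Group Cipher Suite=00-x0f-ac-01
Pairwise Cipher Suite Count = 2
Pairwise Cipher Suite 0 = 00-0f-ac-02
Pairwise Cipher Suite 1 = 00-0f-ac-04
AKM Suite Count = 2
KM Suite 0 = 00-0f-ac-01
KM Suite 1 = 00-0f-ac-02
SN Capability = 0x1
PMKID Count = 2
PMKID 0 = 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16
PMKID 1 = 0a 0b 0c 0d 0e 0f 17 18 19 20 1a 1b 1c 1d 1e 1f
802.11i Auth Type: EAP_FAST
RSNA Result: Success
"""

# Four hex octets separated by dashes; tolerate the stray "x" seen in the sample.
SELECTOR = re.compile(
    r"^([0-9a-f]{2})-x?([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$", re.I)


def decode_selector(text, table):
    """Map an OUI-type selector such as 00-0f-ac-04 to a readable name."""
    text = text.strip()
    m = SELECTOR.match(text)
    if not m:
        return f"unparsed({text})"
    oui = "-".join(m.group(1, 2, 3)).lower()
    suite_type = int(m.group(4), 16)
    if oui != "00-0f-ac":
        return f"vendor({oui}:{suite_type:02x})"
    return table.get(suite_type, f"unknown({suite_type:02x})")


def parse_rsna_log(text):
    """Extract the security-relevant fields from one RSNA response."""
    report = {"bssid": None, "group": None, "pairwise": [], "akm": [],
              "auth_type": None, "result": None}
    for line in text.splitlines():
        # Most fields use "=", the last two use ":"; try "=" first so that
        # the colons inside a BSSID are not mistaken for a separator.
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Target BSSID":
            report["bssid"] = value
        elif key == "Group Cipher Suite":
            report["group"] = decode_selector(value, CIPHERS)
        elif re.fullmatch(r"Pairwise Cipher Suite \d+", key):
            report["pairwise"].append(decode_selector(value, CIPHERS))
        elif re.fullmatch(r"A?KM Suite \d+", key):
            report["akm"].append(decode_selector(value, AKMS))
        elif key == "802.11i Auth Type":
            report["auth_type"] = value
        elif key == "RSNA Result":
            report["result"] = value
    return report


def findings(report):
    """List deprecated or undecodable suites a reviewer should follow up on."""
    notes = []
    suites = [("group", report["group"])]
    suites += [("pairwise", c) for c in report["pairwise"]]
    for role, name in suites:
        if name in WEAK_CIPHERS:
            notes.append(f"{role} cipher {name} is deprecated")
        elif name and name.startswith(("unparsed", "unknown")):
            notes.append(f"{role} cipher could not be decoded: {name}")
    return notes


if __name__ == "__main__":
    parsed = parse_rsna_log(SAMPLE)
    print(parsed)
    for note in findings(parsed):
        print("FINDING:", note)
```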

config client ccx send-message

To send a message to the client, use the config client ccx send-message command.

config client ccx send-message client_mac_address message_id

Syntax Description

client_mac_address

MAC address of the client.

message_id

Message type that involves one of the following:

  • 1—The SSID is invalid.

  • 2—The network settings are invalid.

  • 3—There is a WLAN credibility mismatch.

  • 4—The user credentials are incorrect.

  • 5—Please call support.

  • 6—The problem is resolved.

  • 7—The problem has not been resolved.

  • 8—Please try again later.

  • 9—Please correct the indicated problem.

  • 10—Troubleshooting is refused by the network.

  • 11—Retrieving client reports.

  • 12—Retrieving client logs.

  • 13—Retrieval complete.

  • 14—Beginning association test.

  • 15—Beginning DHCP test.

  • 16—Beginning network connectivity test.

  • 17—Beginning DNS ping test.

  • 18—Beginning name resolution test.

  • 19—Beginning 802.1X authentication test.

  • 20—Redirecting client to a specific profile.

  • 21—Test complete.

  • 22—Test passed.

  • 23—Test failed.

  • 24—Cancel diagnostic channel operation or select a WLAN profile to resume normal operation.

  • 25—Log retrieval refused by the client.

  • 26—Client report retrieval refused by the client.

  • 27—Test request refused by the client.

  • 28—Invalid network (IP) setting.

  • 29—There is a known outage or problem with the network.

  • 30—Scheduled maintenance period.

  • 31—The WLAN security method is not correct.

  • 32—The WLAN encryption method is not correct.

  • 33—The WLAN authentication method is not correct.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a message to the client MAC address 172.19.28.40 with the message user-action-required:

(Cisco Controller) >config client ccx send-message 172.19.28.40 user-action-required

config client ccx stats-request

To send a request for statistics, use the config client ccx stats-request command.

config client ccx stats-request measurement_duration { dot11 | security} client_mac_address

Syntax Description

measurement_duration

Measurement duration in seconds.

dot11

(Optional) Specifies dot11 counters.

security

(Optional) Specifies security counters.

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify dot11 counter settings:

(Cisco Controller) >config client ccx stats-request 1 dot11 00:40:96:a8:f7:98
Measurement duration = 1
dot11TransmittedFragmentCount       = 1
dot11MulticastTransmittedFrameCount = 2
dot11FailedCount                    = 3
dot11RetryCount                     = 4
dot11MultipleRetryCount             = 5
dot11FrameDuplicateCount            = 6
dot11RTSSuccessCount                = 7
dot11RTSFailureCount                = 8
dot11ACKFailureCount                = 9
dot11ReceivedFragmentCount          = 10
dot11MulticastReceivedFrameCount    = 11
dot11FCSErrorCount                  = 12
dot11TransmittedFrameCount          = 13

config client ccx test-abort

To send a request to the client to terminate the current test, use the config client ccx test-abort command.

config client ccx test-abort client_mac_address

Syntax Description

client_mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Only one test can be pending at a time.

Examples

The following example shows how to send a request to a client to terminate the current test:

(Cisco Controller) >config client ccx test-abort 11:11:11:11:11:11

config client ccx test-association

To send a request to the client to perform the association test, use the config client ccx test-association command.

config client ccx test-association client_mac_address ssid bssid 802.11{ a | b | g} channel

Syntax Description

client_mac_address

MAC address of the client.

ssid

Network name.

bssid

Basic SSID.

802.11a

Specifies the 802.11a network.

802.11b

Specifies the 802.11b network.

802.11g

Specifies the 802.11g network.

channel

Channel number.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client MAC address 00:E0:77:31:A3:55 to perform the basic SSID association test:

(Cisco Controller) >config client ccx test-association 00:E0:77:31:A3:55 ssid bssid 802.11a

config client ccx test-dot1x

To send a request to the client to perform the 802.1x test, use the config client ccx test-dot1x command.

config client ccx test-dot1x client_mac_address profile_id bssid 802.11 { a | b | g} channel

Syntax Description

client_mac_address

MAC address of the client.

profile_id

Test profile name.

bssid

Basic SSID.

802.11a

Specifies the 802.11a network.

802.11b

Specifies the 802.11b network.

802.11g

Specifies the 802.11g network.

channel

Channel number.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client to perform the 802.11b test with the profile name profile_01:

(Cisco Controller) >config client ccx test-dot1x 172.19.28.40 profile_01 bssid 802.11b

config client ccx test-profile

To send a request to the client to perform the profile redirect test, use the config client ccx test-profile command.

config client ccx test-profile client_mac_address profile_id

Syntax Description

client_mac_address

MAC address of the client.

profile_id

Test profile name.

Note

The profile_id should be from one of the client profiles for which client reporting is enabled.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send a request to the client to perform the profile redirect test with the profile name profile_01:

(Cisco Controller) >config client ccx test-profile 11:11:11:11:11:11 profile_01

config client deauthenticate

To disconnect a client, use the config client deauthenticate command.

config client deauthenticate { MAC | IPv4/v6_address | user_name}

Syntax Description

MAC

Client MAC address.

IPv4/v6_address

IPv4 or IPv6 address.

user_name

Client user name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to deauthenticate a client using its MAC address:


(Cisco Controller) >config client deauthenticate 11:11:11:11:11:11

config client location-calibration

To configure client location calibration, use the config client location-calibration command.

config client location-calibration { enable mac_address interval | disable mac_address}

Syntax Description

enable

(Optional) Specifies that client location calibration is enabled.

mac_address

MAC address of the client.

interval

Measurement interval in seconds.

disable

(Optional) Specifies that client location calibration is disabled.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the client location calibration for the client 37:15:86:2a:Bc:cf with a measurement interval of 45 seconds:

(Cisco Controller) >config client location-calibration enable 37:15:86:2a:Bc:cf 45

Configure Guest-LAN Commands

Use the config guest-lan commands to create, delete, enable, and disable wireless LANs.

config guest-lan

To create, delete, enable or disable a wireless LAN, use the config guest-lan command.

config guest-lan { create | delete} guest_lan_id interface_name | { enable | disable} guest_lan_id

Syntax Description

create

Creates wired LAN settings.

delete

Deletes wired LAN settings.

guest_lan_id

LAN identifier between 1 and 5 (inclusive).

interface_name

Interface name up to 32 alphanumeric characters.

enable

Enables a wireless LAN.

disable

Disables a wireless LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a wireless LAN with the LAN ID 16:


(Cisco Controller) > config guest-lan enable 16

config guest-lan custom-web ext-webauth-url

To redirect guest users to an external server before accessing the web login page, use the config guest-lan custom-web ext-webauth-url command.

config guest-lan custom-web ext-webauth-url ext_web_url guest_lan_id

Syntax Description

ext_web_url

URL for the external server.

guest_lan_id

Guest LAN identifier between 1 and 5 (inclusive).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to redirect guest users on guest LAN ID 1 to the external server http://www.AuthorizationURL.com/:


(Cisco Controller) > config guest-lan custom-web ext-webauth-url http://www.AuthorizationURL.com/ 1

config guest-lan custom-web global disable

To use a guest-LAN specific custom web configuration rather than a global custom web configuration, use the config guest-lan custom-web global disable command.

config guest-lan custom-web global disable guest_lan_id

Syntax Description

guest_lan_id

Guest LAN identifier between 1 and 5 (inclusive).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you enter the config guest-lan custom-web global enable guest_lan_id command, the custom web authentication configuration at the global level is used.

Examples

The following example shows how to disable the global web configuration for guest LAN ID 1:


(Cisco Controller) > config guest-lan custom-web global disable 1

config guest-lan custom-web login_page

To enable wired guest users to log into a customized web login page, use the config guest-lan custom-web login_page command.

config guest-lan custom-web login_page page_name guest_lan_id

Syntax Description

page_name

Name of the customized web login page.

guest_lan_id

Guest LAN identifier between 1 and 5 (inclusive).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to customize a web login page custompage1 for guest LAN ID 1:


(Cisco Controller) > config guest-lan custom-web login_page custompage1 1

config guest-lan custom-web webauth-type

To define the web login page for wired guest users, use the config guest-lan custom-web webauth-type command.

config guest-lan custom-web webauth-type { internal | customized | external} guest_lan_id

Syntax Description

internal

Displays the default web login page for the controller. This is the default value.

customized

Displays the custom web login page that was previously configured.

external

Redirects users to the URL that was previously configured.

guest_lan_id

Guest LAN identifier between 1 and 5 (inclusive).

Command Default

The default web login page for the controller is internal.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the guest LAN with the webauth-type as internal for guest LAN ID 1:


(Cisco Controller) > config guest-lan custom-web webauth-type internal 1

config guest-lan ingress-interface

To configure the wired guest VLAN’s ingress interface that provides a path between the wired guest client and the controller through the Layer 2 access switch, use the config guest-lan ingress-interface command.

config guest-lan ingress-interface guest_lan_id interface_name

Syntax Description

guest_lan_id

Guest LAN identifier from 1 to 5 (inclusive).

interface_name

Interface name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to provide a path between the wired guest client and the controller with guest LAN ID 1 and the interface name guest01:


(Cisco Controller) > config guest-lan ingress-interface 1 guest01

config guest-lan interface

To configure an egress interface to transmit wired guest traffic out of the controller, use the config guest-lan interface command.

config guest-lan interface guest_lan_id interface_name

Syntax Description

guest_lan_id

Guest LAN identifier between 1 and 5 (inclusive).

interface_name

Interface name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an egress interface to transmit guest traffic out of the controller for guest LAN ID 1 and interface name guest01:


(Cisco Controller) > config guest-lan interface 1 guest01

config guest-lan mobility anchor

To add or delete a mobility anchor, use the config guest-lan mobility anchor command.

config guest-lan mobility anchor { add | delete} Guest LAN Id IP addr

Syntax Description

add

Adds a mobility anchor to a WLAN.

delete

Deletes a mobility anchor from a WLAN.

Guest LAN Id

Guest LAN identifier between 1 and 5.

IP addr

Member switch IPv4 or IPv6 address to anchor WLAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to delete a mobility anchor for guest LAN ID 4 and the anchor IP 192.168.0.14:


(Cisco Controller) > config guest-lan mobility anchor delete 4 192.168.0.14

config guest-lan nac

To enable or disable Network Admission Control (NAC) out-of-band support for a guest LAN, use the config guest-lan nac command.

config guest-lan nac { enable | disable} guest_lan_id

Syntax Description

enable

Enables the NAC out-of-band support.

disable

Disables the NAC out-of-band support.

guest_lan_id

Guest LAN identifier between 1 and 5 (inclusive).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the NAC out-of-band support for guest LAN ID 3:


(Cisco Controller) > config guest-lan nac enable 3

config guest-lan security

To configure the security policy for the wired guest LAN, use the config guest-lan security command.

config guest-lan security { web-auth { enable | disable | acl | server-precedence} guest_lan_id | web-passthrough { acl | email-input | disable | enable} guest_lan_id}

Syntax Description

web-auth

Specifies web authentication.

enable

Enables the web authentication settings.

disable

Disables the web authentication settings.

acl

Configures an access control list.

server-precedence

Configures the authentication server precedence order for web authentication users.

guest_lan_id

LAN identifier between 1 and 5 (inclusive).

web-passthrough

Specifies the web captive portal with no authentication required.

email-input

Configures the web captive portal using an e-mail address.

Command Default

The default security policy for the wired guest LAN is web authentication.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the security web authentication policy for guest LAN ID 1:


(Cisco Controller) > config guest-lan security web-auth enable 1

Configure IPv6 Commands

Use the config ipv6 commands to configure IPv6 settings.

config ipv6 disable

To disable IPv6 globally on the controller, use the config ipv6 disable command.

config ipv6 disable

Syntax Description

This command has no arguments or keywords.

Command Default

By default, the IPv6 configuration is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you use this command, the controller drops all IPv6 packets and the clients will not receive any IPv6 address.

Examples

The following example shows how to disable IPv6 on the controller:

(Cisco Controller) >config ipv6 disable

config ipv6 enable

To enable IPv6 globally on the controller, use the config ipv6 enable command.

config ipv6 enable

Syntax Description

This command has no arguments or keywords.

Command Default

By default, the IPv6 configuration is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable IPv6 on the controller:

(Cisco Controller) >config ipv6 enable

config ipv6 acl

To create or delete an IPv6 ACL on the Cisco wireless LAN controller, apply the ACL to the data path, and configure rules in the IPv6 ACL, use the config ipv6 acl command.

config ipv6 acl [ apply | cpu | create | delete | rule]

config ipv6 acl apply name

config ipv6 acl cpu { name | none}

config ipv6 acl create name

config ipv6 acl delete name

config ipv6 acl rule [ action | add | change | delete | destination | direction | dscp | protocol | source | swap ]

config ipv6 acl rule action name index { permit | deny}

config ipv6 acl rule add name index

config ipv6 acl rule change index name old_index new_index

config ipv6 acl rule delete name index

config ipv6 acl rule destination { address name index ip_address prefix-len | port range name index }

config ipv6 acl rule direction name index { in | out | any}

config ipv6 acl rule dscp name dscp

config ipv6 acl rule protocol name index protocol

config ipv6 acl rule source { address name index ip_address prefix-len | port range name index start_port end_port}

config ipv6 acl rule swap index name index_1 index_2

Syntax Description

apply name

Applies an IPv6 ACL. An IPv6 ACL can contain up to 32 alphanumeric characters.

cpu name

Applies the IPv6 ACL to the CPU.

cpu none

Configure none if you do not want an IPv6 ACL.

create

Creates an IPv6 ACL.

delete

Deletes an IPv6 ACL.

rule ( action) ( name) ( index)

Configures rules in the IPv6 ACL to either permit or deny access. An IPv6 ACL name can contain up to 32 alphanumeric characters, and an IPv6 ACL rule index can be between 1 and 32.

{ permit| deny}

Permit or deny the IPv6 rule action.

add name index

Adds a new rule and rule index.

change name old_index new_index

Changes a rule’s index.

delete name index

Deletes a rule and rule index.

destination address name index ip_addr prefix-len

Configures a rule’s destination IP address and prefix length (between 0 and 128).

destination port name index

Configures a rule's destination port range. Enter the IPv6 ACL name and set a rule index for it.

direction name index { in| out| any}

Configures a rule’s direction to in, out, or any.

dscp name index dscp

Configures a rule’s DSCP. For rule index of DSCP, select a number between 0 and 63, or any.

protocol name index protocol

Configures a rule’s protocol. Enter a name and set an index between 0 and 255 or any.

source address name index ip_address prefix-len

Configures a rule’s source IP address and netmask.

source port range name index start_port end_port

Configures a rule’s source port range.

swap index name index_1 index_2

Swaps two rules’ indices.

Command Default

After adding an ACL, the config ipv6 acl cpu is by default configured as enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command was updated by adding cpu and none keywords and the ipv6_acl_name variable.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to configure an IPv6 ACL to permit access:

(Cisco Controller) >config ipv6 acl rule action lab1 4 permit

Examples

The following example shows how to configure an interface ACL:

(Cisco Controller) > config ipv6 interface acl management IPv6-Acl

config ipv6 neighbor-binding

To configure the Neighbor Binding table on the Cisco wireless LAN controller, use the config ipv6 neighbor-binding command.

config ipv6 neighbor-binding { timers { down-lifetime down_time | reachable-lifetime reachable_time | stale-lifetime stale_time } | { ra-throttle { allow at-least at_least_value} | enable | disable | interval-option { ignore | passthrough | throttle } | max-through { no_mcast_RA | no-limit} | throttle-period throttle_period}}

Syntax Description

timers

Configures the neighbor binding table timeout timers.

down-lifetime

Configures the down lifetime.

down_time

Down lifetime in seconds. The range is from 0 to 86400. The default is 30 seconds.

reachable-lifetime

Configures the reachable lifetime.

reachable_time

Reachable lifetime in seconds. The range is from 0 to 86400. The default is 300 seconds.

stale-lifetime

Configures the stale lifetime.

stale_time

Stale lifetime in seconds. The range is from 0 to 86400. The default is 86400 seconds.

ra-throttle

Configures IPv6 RA throttling options.

allow

Specifies the number of multicast RAs per router per throttle period.

at_least_value

Number of multicast RAs from router before throttling. The range is from 0 to 32. The default is 1.

enable

Enables IPv6 RA throttling.

disable

Disables IPv6 RA throttling.

interval-option

Adjusts the behavior on RA with RFC3775 interval option.

ignore

Indicates interval option has no influence on throttling.

passthrough

Indicates all RAs with RFC3775 interval option will be forwarded (default).

throttle

Indicates all RAs with RFC3775 interval option will be throttled.

max-through

Specifies unthrottled multicast RAs per VLAN per throttle period.

no_mcast_RA

Number of multicast RAs on VLAN by which throttling is enforced. The default multicast RAs on VLAN is 10.

no-limit

Configures no upper bound at the VLAN level.

throttle-period

Configures the throttle period.

throttle_period

Duration of the throttle period in seconds. The range is from 10 to 86400 seconds. The default is 600 seconds.

Command Default

This command is disabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the Neighbor Binding table:

(Cisco Controller) >config ipv6 neighbor-binding ra-throttle enable

config ipv6 ns-mcast-fwd

To configure the nonstop multicast cache miss forwarding, use the config ipv6 ns-mcast-fwd command.

config ipv6 ns-mcast-fwd { enable | disable}

Syntax Description

enable

Enables nonstop multicast forwarding on a cache miss.

disable

Disables nonstop multicast forwarding on a cache miss.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure nonstop multicast forwarding:

(Cisco Controller) >config ipv6 ns-mcast-fwd enable

config ipv6 ra-guard

To configure the filter for Router Advertisement (RA) packets that originate from a client on an AP, use the config ipv6 ra-guard command.

config ipv6 ra-guard ap { enable | disable}

Syntax Description

enable

Enables RA guard on an AP.

disable

Disables RA guard on an AP.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable IPv6 RA guard:


(Cisco Controller) >config ipv6 ra-guard ap enable

Configure Interface Group Commands

Use the config interface group commands to create and delete an interface group.

config interface group

To add an interface to the existing interface group, use the config interface group command.

config interface group { create interface-group-name interface-group-description} | { delete interface-group-name} | { interface { add | delete} interface-group-name interface-name} | { description interface-group-name interface-group-description}

Syntax Description

create

Adds a new interface group.

interface-group-name

Interface group’s name.

interface-group-description

Interface group’s description to be entered within double quotation marks. You can enter up to 32 characters.

delete

Deletes an interface group.

interface

Edits the list of interfaces represented by the interface group.

add

Adds a new interface to the interface group.

delete

Deletes an interface from the interface group.

description

Configures the description for an interface group.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a new interface group with the name int-grp-10:

(Cisco Controller) > config interface group create int-grp-10 "for wlan1"

Configure Macfilter Commands

Use the config macfilter commands to configure macfilter settings.

config macfilter

To create or delete a MAC filter entry on the Cisco wireless LAN controller, use the config macfilter { add | delete} command.

config macfilter { add client_MAC wlan_id [ interface_name] [ description] [ macfilter_IP] | delete client_MAC}

Syntax Description

add

Adds a MAC filter entry on the controller.

delete

Deletes a MAC filter entry on the controller.

client_MAC

Client MAC address.

wlan_id

Wireless LAN identifier with which the MAC filter entry should associate. A zero value associates the entry with any wireless LAN.

interface_name

(Optional) Name of the interface. Enter 0 to specify no interface.

description

(Optional) Short description of the interface (up to 32 characters) in double quotes.

Note

A description is mandatory if macfilter_IP is specified.

macfilter_IP

(Optional) IPv4 address of the local MAC filter database.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the config macfilter add command to add a client locally to a wireless LAN on the Cisco wireless LAN controller. This filter bypasses the RADIUS authentication process.

As of Release 7.6, the optional macfilter_IP supports only IPv4 addresses.

Examples

The following example shows how to add a MAC filter entry 00:E0:77:31:A3:55 with the wireless LAN ID 1, interface name lab02, description labconnect, and MAC filter IP 10.92.125.51 on the controller:

(Cisco Controller) > config macfilter add 00:E0:77:31:A3:55 1 lab02 "labconnect" 10.92.125.51

config macfilter description

To add a description to a MAC filter, use the config macfilter description command.

config macfilter description MAC_addr description

Syntax Description

MAC_addr

Client MAC address.

description

(Optional) Description within double quotes (up to 32 characters).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add the description MAC Filter 01 to the MAC filter for MAC address 11:11:11:11:11:11:

(Cisco Controller) > config macfilter description 11:11:11:11:11:11 "MAC Filter 01"

config macfilter interface

To create a MAC filter client interface, use the config macfilter interface command.

config macfilter interface MAC_addr interface

Syntax Description

MAC_addr

Client MAC address.

interface

Interface name. A value of zero is equivalent to no name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a MAC filter interface Lab01 on client 11:11:11:11:11:11:

(Cisco Controller) > config macfilter interface 11:11:11:11:11:11 Lab01

config macfilter ip-address

To assign an IP address to an existing MAC filter entry if one was not assigned using the config macfilter add command, use the config macfilter ip-address command.

config macfilter ip-address MAC_address IP_address

Syntax Description

MAC_address

Client MAC address.

IP_address

IPv4 address for a specific MAC address in the local MAC filter database.

Command Default

None

Usage Guidelines

As of Release 7.6, IP_address supports only IPv4 addresses.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv4 address format.

Examples

The following example shows how to configure IP address 10.92.125.51 for a MAC 00:E0:77:31:A3:55 in the local MAC filter database:

(Cisco Controller) > config macfilter ip-address 00:E0:77:31:A3:55 10.92.125.51

config macfilter mac-delimiter

To set the MAC delimiter (colon, hyphen, none, or single-hyphen) for MAC addresses sent to RADIUS servers, use the config macfilter mac-delimiter command.

config macfilter mac-delimiter { none | colon | hyphen | single-hyphen}

Syntax Description

none

Disables the delimiters (for example, xxxxxxxxxxxx).

colon

Sets the delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).

hyphen

Sets the delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).

single-hyphen

Sets the delimiter to a single hyphen (for example, xxxxxx-xxxxxx).

Command Default

The default delimiter is hyphen.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to have the operating system send MAC addresses to the RADIUS server in the form aa:bb:cc:dd:ee:ff:

(Cisco Controller) > config macfilter mac-delimiter colon

The following example shows how to have the operating system send MAC addresses to the RADIUS server in the form aa-bb-cc-dd-ee-ff:

(Cisco Controller) > config macfilter mac-delimiter hyphen

The following example shows how to have the operating system send MAC addresses to the RADIUS server in the form aabbccddeeff:

(Cisco Controller) > config macfilter mac-delimiter none
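The RADIUS server only matches a client if its user database stores the MAC in the same layout the controller sends. The following added example (not Cisco code) renders a MAC in each of the four delimiter layouts above and converts a mixed-notation inventory to the chosen layout; the function names, the lowercase output (taken from the aa:bb:cc:dd:ee:ff examples above) and the inventory entries are assumptions of this example.

```python
import re

# Output layout for each `config macfilter mac-delimiter` keyword:
# (hex digits per group, separator between groups).
DELIMITER_LAYOUTS = {
    "none": (12, ""),
    "colon": (2, ":"),
    "hyphen": (2, "-"),          # controller default per this page
    "single-hyphen": (6, "-"),
}

# Input notations accepted: exactly the four layouts described above.
_INPUT_FORMS = [
    re.compile(r"[0-9a-f]{12}"),
    re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}"),
    re.compile(r"[0-9a-f]{2}(-[0-9a-f]{2}){5}"),
    re.compile(r"[0-9a-f]{6}-[0-9a-f]{6}"),
]


def canonical_mac(raw):
    """Return the 12 lowercase hex digits of a MAC, or raise ValueError."""
    text = raw.strip().lower()
    if not any(form.fullmatch(text) for form in _INPUT_FORMS):
        raise ValueError(f"not a MAC address in a supported notation: {raw!r}")
    return text.replace(":", "").replace("-", "")


def format_mac(raw, delimiter="hyphen"):
    """Render a MAC the way the chosen mac-delimiter setting lays it out."""
    if delimiter not in DELIMITER_LAYOUTS:
        raise ValueError(f"unknown delimiter keyword: {delimiter!r}")
    size, sep = DELIMITER_LAYOUTS[delimiter]
    digits = canonical_mac(raw)
    return sep.join(digits[i:i + size] for i in range(0, 12, size))


def radius_usernames(inventory, delimiter="hyphen"):
    """Convert (label, mac) pairs to the layout the RADIUS server will see.

    Returns (usernames, rejected). usernames maps each formatted MAC to the
    labels that share it; more than one label means the same client was
    recorded twice in different notations. rejected lists malformed entries.
    """
    usernames, rejected = {}, []
    for label, raw in inventory:
        try:
            key = format_mac(raw, delimiter)
        except ValueError:
            rejected.append((label, raw))
            continue
        usernames.setdefault(key, []).append(label)
    return usernames, rejected


# Constructed sample inventory (not real devices).
INVENTORY = [
    ("lab-printer", "00:E0:77:31:A3:55"),
    ("lab-printer-dup", "00e077-31a355"),
    ("badge-reader", "11-11-11-11-11-11"),
    ("typo", "00:E0:77:31:A3"),
]

if __name__ == "__main__":
    names, bad = radius_usernames(INVENTORY, "colon")
    for mac, labels in names.items():
        print(mac, labels)
    print("rejected:", bad)
```

Whether a given RADIUS server compares the MAC string case-sensitively is not stated on this page, so confirm it before loading the converted list.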

config macfilter radius-compat

To configure the Cisco wireless LAN controller for compatibility with selected RADIUS servers, use the config macfilter radius-compat command.

config macfilter radius-compat { cisco | free | other}

Syntax Description

cisco

Configures the Cisco ACS compatibility mode (password is the MAC address of the server).

free

Configures the Free RADIUS server compatibility mode (password is secret).

other

Configures for other server behaviors (no password is necessary).

Command Default

Other

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv4.

Examples

The following example shows how to set the RADIUS server compatibility mode to other:


(Cisco Controller) > config macfilter radius-compat other

config macfilter wlan-id

To modify a wireless LAN ID for a MAC filter, use the config macfilter wlan-id command.

config macfilter wlan-id MAC_addr WLAN_id

Syntax Description

MAC_addr

Client MAC address.

WLAN_id

Wireless LAN identifier to associate with. A value of zero is not allowed.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the wireless LAN ID to 2 for the MAC filter 11:11:11:11:11:11:


(Cisco Controller) > config macfilter wlan-id 11:11:11:11:11:11 2

Config Remote LAN Commands

Use the config remote-lan commands to configure remote LANs.

config remote-lan

To configure a remote LAN, use the config remote-lan command.

config remote-lan { enable | disable} { remote-lan-id | all}

Syntax Description

enable

Enables a remote LAN.

disable

Disables a remote LAN.

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

all

Configures all wireless LANs.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a remote LAN with ID 2:

(Cisco Controller) >config remote-lan enable 2

config remote-lan aaa-override

To configure user policy override through AAA on a remote LAN, use the config remote-lan aaa-override command.

config remote-lan aaa-override { enable | disable} remote-lan-id

Syntax Description

enable

Enables user policy override through AAA on a remote LAN.

disable

Disables user policy override through AAA on a remote LAN.

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable user policy override through AAA on a remote LAN where the remote LAN ID is 2:

(Cisco Controller) >config remote-lan aaa-override enable 2

config remote-lan acl

To specify an access control list (ACL) for a remote LAN, use the config remote-lan acl command.

config remote-lan acl remote-lan-id acl_name

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

acl_name

ACL name.

Note

Use the show acl summary command to view the available ACLs.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify ACL1 for a remote LAN whose ID is 2:

(Cisco Controller) >config remote-lan acl 2 ACL1

config remote-lan create

To configure a new remote LAN connection, use the config remote-lan create command.

config remote-lan create remote-lan-id name

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

name

Remote LAN name. Valid values are up to 32 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a new remote LAN, MyRemoteLAN, with the LAN ID as 3:

(Cisco Controller) >config remote-lan create 3 MyRemoteLAN

config remote-lan custom-web

To configure web authentication for a remote LAN, use the config remote-lan custom-web command.

config remote-lan custom-web { ext-webauth-url URL | global { enable | disable} | login-page page-name | loginfailure-page { page-name | none} | logout-page { page-name | none} | webauth-type { internal | customized | external}} remote-lan-id

Syntax Description

ext-webauth-url

Configures an external web authentication URL.

URL

Web authentication URL for the Login page.

global

Configures the global status for the remote LAN.

enable

Enables the global status for the remote LAN.

disable

Disables the global status for the remote LAN.

login-page

Configures a login page.

page-name

Login page name.

none

Configures no login page.

logout-page

Configures a logout page.

none

Configures no logout page.

webauth-type

Configures the web authentication type for the remote LAN.

internal

Displays the default login page.

customized

Displays a downloaded login page.

external

Displays a login page that is on an external server.

name

Remote LAN name. Valid values are up to 32 alphanumeric characters.

remote-lan-id

Remote LAN identifier. Valid values are from 1 to 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Follow these guidelines when you use the config remote-lan custom-web command:

  • When you configure the external Web-Auth URL, do the following:

    • Ensure that Web-Auth or Web-Passthrough security is enabled. To enable Web-Auth, use the config remote-lan security web-auth enable command. To enable Web-Passthrough, use the config remote-lan security web-passthrough enable command.

    • Ensure that the global status of the remote LAN is disabled. To disable the global status of the remote LAN, use the config remote-lan custom-web global disable command.

    • Ensure that the remote LAN is in disabled state. To disable a remote LAN, use the config remote-lan disable command.

  • When you configure the Web-Auth type for the remote LAN, do the following:

    • When you configure a customized login page, ensure that you have a login page configured. To configure a login page, use the config remote-lan custom-web login-page command.

    • When you configure an external login page, ensure that you have configured a preauthentication ACL for external web authentication to function.

Examples

The following example shows how to configure an external web authentication URL for a remote LAN with ID 3:


(Cisco Controller) >config remote-lan custom-web ext-webauth-url http://www.AuthorizationURL.com/ 3

The following example shows how to enable the global status of a remote LAN with ID 3:


(Cisco Controller) >config remote-lan custom-web global enable 3

The following example shows how to configure the login page for a remote LAN with ID 3:


(Cisco Controller) >config remote-lan custom-web login-page custompage1 3

The following example shows how to configure a web authentication type with the default login page for a remote LAN with ID 3:


(Cisco Controller) >config remote-lan custom-web webauth-type internal 3

config remote-lan delete

To delete a remote LAN connection, use the config remote-lan delete command.

config remote-lan delete remote-lan-id

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a remote LAN with ID 3:

(Cisco Controller) >config remote-lan delete 3

config remote-lan dhcp_server

To configure a dynamic host configuration protocol (DHCP) server for a remote LAN, use the config remote-lan dhcp_server command.

config remote-lan dhcp_server remote-lan-id ip_address

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

ip_address

IPv4 address of the override DHCP server.

Command Default

0.0.0.0 is set as the default interface value.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv4 address format.

Examples

The following example shows how to configure a DHCP server for a remote LAN with ID 3:

(Cisco Controller) >config remote-lan dhcp_server 3 209.165.200.225

config remote-lan exclusionlist

To configure the exclusion list timeout on a remote LAN, use the config remote-lan exclusionlist command.

config remote-lan exclusionlist remote-lan-id { seconds | disabled | enabled}

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

seconds

Exclusion list timeout in seconds. A value of 0 requires an administrator override.

disabled

Disables exclusion listing.

enabled

Enables exclusion listing.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the exclusion list timeout to 20 seconds on a remote LAN with ID 3:

(Cisco Controller) >config remote-lan exclusionlist 3 20

config remote-lan interface

To configure an interface for a remote LAN, use the config remote-lan interface command.

config remote-lan interface remote-lan-id interface_name

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

interface_name

Interface name.

Note

The interface name should not contain uppercase characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an interface myinterface for a remote LAN with ID 3:

(Cisco Controller) >config remote-lan interface 3 myinterface

config remote-lan ldap

To configure a remote LAN’s LDAP servers, use the config remote-lan ldap command.

config remote-lan ldap { add | delete} remote-lan-id index

Syntax Description

add

Adds a link to a configured LDAP server (maximum of three).

delete

Deletes a link to a configured LDAP server.

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

index

LDAP server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add an LDAP server with the index number 10 for a remote LAN with ID 3:


(Cisco Controller) >config remote-lan ldap add 3 10

config remote-lan mac-filtering

To configure MAC filtering on a remote LAN, use the config remote-lan mac-filtering command.

config remote-lan mac-filtering { enable | disable} remote-lan-id

Syntax Description

enable

Enables MAC filtering on a remote LAN.

disable

Disables MAC filtering on a remote LAN.

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

Command Default

MAC filtering on a remote LAN is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable MAC filtering on a remote LAN with ID 3:

(Cisco Controller) >config remote-lan mac-filtering disable 3

config remote-lan max-associated-clients

To configure the maximum number of client connections on a remote LAN, use the config remote-lan max-associated-clients command.

config remote-lan max-associated-clients remote-lan-id max-clients

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

max-clients

Configures the maximum number of client connections on a remote LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure 10 client connections on a remote LAN with ID 3:

(Cisco Controller) >config remote-lan max-associated-clients 3 10

config remote-lan radius_server

To configure the RADIUS servers on a remote LAN, use the config remote-lan radius_server command.

config remote-lan radius_server { acct {{ add | delete} server-index | { enable | disable} | interim-update { interval | enable | disable}} | auth {{ add | delete} server-index | { enable | disable } } | overwrite-interface { enable | disable} } remote-lan-id

Syntax Description

acct

Configures a RADIUS accounting server.

add

Adds a link to a configured RADIUS server.

delete

Deletes a link to a configured RADIUS server.

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

server-index

RADIUS server index.

enable

Enables RADIUS accounting for this remote LAN.

disable

Disables RADIUS accounting for this remote LAN.

interim-update

Configures the RADIUS accounting interim update for this remote LAN.

interval

Accounting interim interval. The range is from 180 to 3600 seconds.

enable

Enables accounting interim update.

disable

Disables accounting interim update.

auth

Configures a RADIUS authentication server.

enable

Enables RADIUS authentication for this remote LAN.

disable

Disables RADIUS authentication for this remote LAN.

overwrite-interface

Configures a RADIUS dynamic interface for the remote LAN.

enable

Enables a RADIUS dynamic interface for the remote LAN.

disable

Disables a RADIUS dynamic interface for the remote LAN.

Command Default

The interim update interval is set to 600 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable RADIUS accounting for a remote LAN with ID 3:

(Cisco Controller) >config remote-lan radius_server acct enable 3

config remote-lan security

To configure security policy for a remote LAN, use the config remote-lan security command.

config remote-lan security { sgt | 802.1X | { web-auth { enable | disable | acl | server-precedence} remote-lan-id} | { web-passthrough { enable | disable | acl | email-input} remote-lan-id}}

Syntax Description

sgt

Configures Secure Group Tag for the WLAN.

802.1X

Configures 802.1X.

web-auth

Specifies web authentication.

enable

Enables the web authentication settings.

disable

Disables the web authentication settings.

acl

Configures an access control list.

server-precedence

Configures the authentication server precedence order for web authentication users.

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

email-input

Configures the web captive portal using an e-mail address.

web-passthrough

Specifies the web captive portal with no authentication required.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.4 The 802.1X keyword was added.

Examples

The following example shows how to configure the security web authentication policy for remote LAN ID 1:

(Cisco Controller) >config remote-lan security web-auth enable 1

config remote-lan session-timeout

To configure client session timeout, use the config remote-lan session-timeout command.

config remote-lan session-timeout remote-lan-id seconds

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

seconds

Timeout or session duration in seconds. A value of zero is equivalent to no timeout.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the client session timeout to 6000 seconds for a remote LAN with ID 1:

(Cisco Controller) >config remote-lan session-timeout 1 6000

config remote-lan webauth-exclude

To configure web authentication exclusion on a remote LAN, use the config remote-lan webauth-exclude command.

config remote-lan webauth-exclude remote-lan-id { enable | disable}

Syntax Description

remote-lan-id

Remote LAN identifier. Valid values are between 1 and 512.

enable

Enables web authentication exclusion on the remote LAN.

disable

Disables web authentication exclusion on the remote LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable web authentication exclusion on a remote LAN with ID 1:


(Cisco Controller) >config remote-lan webauth-exclude 1 enable
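A pre-change check for config remote-lan lines, as an added example (not Cisco code): it validates the value ranges documented in this section and flags settings that loosen access control on a remote LAN. The function names, severity labels, the choice of which settings count as review items, and the sample lines are assumptions of this example.

```python
import shlex

PROMPT = "(Cisco Controller) >"
# Position of remote-lan-id for each subcommand, per the syntax lines above.
ID_FIRST = {"acl", "create", "delete", "dhcp_server", "exclusionlist",
            "interface", "max-associated-clients", "session-timeout",
            "webauth-exclude"}
ID_LAST = {"enable", "disable", "aaa-override", "custom-web",
           "mac-filtering", "radius_server", "security"}


def _remote_lan_id(sub, args):
    if sub in ID_FIRST:
        return args[0]
    if sub in ID_LAST:
        return args[-1]
    if sub == "ldap":  # config remote-lan ldap {add | delete} id index
        return args[1]
    raise KeyError(sub)


def lint(line):
    """Return a list of (severity, message) findings for one CLI line."""
    text = line.strip()
    if text.startswith(PROMPT):
        text = text[len(PROMPT):]
    try:
        tokens = shlex.split(text)
    except ValueError:
        return [("error", "unbalanced quotes")]
    if tokens[:2] != ["config", "remote-lan"] or len(tokens) < 4:
        return [("error", "not a complete config remote-lan command")]
    sub, args = tokens[2], tokens[3:]
    try:
        rid = _remote_lan_id(sub, args)
    except (KeyError, IndexError):
        return [("error", f"unknown or incomplete subcommand {sub!r}")]

    findings = []
    id_ok = rid.isascii() and rid.isdigit() and 1 <= int(rid) <= 512
    if not id_ok and not (rid == "all" and sub in ("enable", "disable")):
        findings.append(("error", f"remote-lan-id {rid!r} is not in 1-512"))

    second = args[1] if len(args) > 1 else ""
    if sub == "create":
        if not (second.isascii() and second.isalnum() and len(second) <= 32):
            findings.append(("error", "name must be up to 32 alphanumeric characters"))
    elif sub == "interface":
        if second != second.lower():
            findings.append(("error", "interface name contains uppercase characters"))
    elif sub == "radius_server" and args[:2] == ["acct", "interim-update"]:
        if len(args) >= 4 and args[2].isdigit() and not 180 <= int(args[2]) <= 3600:
            findings.append(("error", "interim interval is outside 180-3600 seconds"))
    elif sub == "session-timeout" and second == "0":
        findings.append(("review", "timeout 0 means client sessions never expire"))
    elif sub == "exclusionlist" and second == "disabled":
        findings.append(("review", "exclusion listing is turned off"))
    elif sub == "mac-filtering" and args[0] == "disable":
        findings.append(("review", "MAC filtering (enabled by default) is turned off"))
    elif sub == "security" and args[:2] == ["web-passthrough", "enable"]:
        findings.append(("review", "captive portal with no authentication required"))
    elif sub == "custom-web" and args[0] == "ext-webauth-url":
        if second.lower().startswith("http://"):
            findings.append(("review", "external login page URL is plain HTTP"))
    return findings


def audit(lines):
    """Map each line that produced findings to its findings."""
    return {line: found for line in lines if (found := lint(line))}


# Constructed change script for the demonstration.
SAMPLE = [
    "(Cisco Controller) >config remote-lan create 3 MyRemoteLAN",
    "(Cisco Controller) >config remote-lan mac-filtering disable 3",
    "(Cisco Controller) >config remote-lan session-timeout 1 0",
    "(Cisco Controller) >config remote-lan radius_server acct interim-update 60 3",
    "(Cisco Controller) >config remote-lan interface 600 MyInterface",
    "(Cisco Controller) >config remote-lan security web-auth enable 1",
]

if __name__ == "__main__":
    for line, found in audit(SAMPLE).items():
        for severity, message in found:
            print(f"{severity:6} {message}: {line}")
```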

Configure Memory Monitor Commands

To troubleshoot hard-to-solve or hard-to-reproduce memory problems, use the config memory monitor commands.


Note


The commands in this section can be disruptive to your system and should be run only when you are advised to do so by the Cisco Technical Assistance Center (TAC).


config memory monitor errors

To enable or disable monitoring for memory errors and leaks, use the config memory monitor errors command.

config memory monitor errors { enable | disable}


Caution


The config memory monitor commands can be disruptive to your system and should be run only when you are advised to do so by the Cisco TAC.


Syntax Description

enable

Enables the monitoring for memory settings.

disable

Disables the monitoring for memory settings.

Command Default

Monitoring for memory errors and leaks is disabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Be cautious about changing the defaults for the config memory monitor command unless you know what you are doing, you have detected a problem, or you are collecting troubleshooting information.

Examples

The following example shows how to enable monitoring for memory errors and leaks for a controller:


(Cisco Controller) > config memory monitor errors enable

config memory monitor leaks

To configure the controller to perform an auto-leak analysis between two memory thresholds, use the config memory monitor leaks command.

config memory monitor leaks low_thresh high_thresh


Caution


The config memory monitor commands can be disruptive to your system and should be run only when you are advised to do so by the Cisco TAC.


Syntax Description

low_thresh

Value below which free memory cannot fall without crashing. This value cannot be set lower than 10000 KB.

high_thresh

Value below which the controller enters auto-leak-analysis mode. See the “Usage Guidelines” section.

Command Default

The default value for low_thresh is 10000 KB; the default value for high_thresh is 30000 KB.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines


Note


Be cautious about changing the defaults for the config memory monitor command unless you know what you are doing, you have detected a problem, or you are collecting troubleshooting information.


Use this command if you suspect that a memory leak has occurred.

If the free memory is lower than the low_thresh threshold, the system crashes, generating a crash file. The default value for this parameter is 10000 KB, and you cannot set it below this value.

Set the high_thresh threshold to the current free memory level or higher so that the system enters auto-leak-analysis mode. After the free memory reaches a level lower than the specified high_thresh threshold, the process of tracking and freeing memory allocation begins. As a result, the debug memory events enable command shows all allocations and frees, and the show memory monitor detail command starts to detect any suspected memory leaks.

Examples

The following example shows how to set the threshold values for auto-leak-analysis mode to 12000 KB for the low threshold and 35000 KB for the high threshold:


(Cisco Controller) > config memory monitor leaks 12000 35000

Configure Mesh Commands

Use the config mesh commands to set mesh access point settings.

config mesh alarm

To configure alarm settings for outdoor mesh access points, use the config mesh alarm command.

config mesh alarm { max-hop | max-children | low-snr | high-snr | association | parent-change count} value

Syntax Description

max-hop

Sets the maximum number of hops before triggering an alarm for traffic over the mesh network. The valid values are 1 to 16 (inclusive).

max-children

Sets the maximum number of mesh access points (MAPs) that can be assigned to a mesh router access point (RAP) before triggering an alarm. The valid values are 1 to 16 (inclusive).

low-snr

Sets the low-end signal-to-noise ratio (SNR) value before triggering an alarm. The valid values are 1 to 30 (inclusive).

high-snr

Sets the high-end SNR value before triggering an alarm. The valid values are 1 to 30 (inclusive).

association

Sets the mesh alarm association count value before triggering an alarm. The valid values are 1 to 30 (inclusive).

parent-change count

Sets the number of times a MAP can change its RAP association before triggering an alarm. The valid values are 1 to 30 (inclusive).

value

Value above or below which an alarm is generated. The valid values vary for each command.

Command Default

See the “Syntax Description” section for command and argument value ranges.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the maximum hops threshold to 8:

(Cisco Controller) >config mesh alarm max-hop 8

The following example shows how to set the upper SNR threshold to 25:

(Cisco Controller) >config mesh alarm high-snr 25 

config mesh astools

To globally enable or disable the anti-stranding feature for outdoor mesh access points, use the config mesh astools command.

config mesh astools { enable | disable}

Syntax Description

enable

Enables this feature for all outdoor mesh access points.

disable

Disables this feature for all outdoor mesh access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable anti-stranding on all outdoor mesh access points:

(Cisco Controller) >config mesh astools enable

config mesh backhaul rate-adapt

To globally configure the backhaul Tx rate adaptation (universal access) settings for indoor and outdoor mesh access points, use the config mesh backhaul rate-adapt command.

config mesh backhaul rate-adapt [ all | bronze | silver | gold | platinum] { enable | disable}

Syntax Description

all

(Optional) Grants universal access privileges on mesh access points.

bronze

(Optional) Grants background-level client access privileges on mesh access points.

silver

(Optional) Grants best effort-level client access privileges on mesh access points.

gold

(Optional) Grants video-level client access privileges on mesh access points.

platinum

(Optional) Grants voice-level client access privileges on mesh access points.

enable

Enables this backhaul access level for mesh access points.

disable

Disables this backhaul access level for mesh access points.

Command Default

Backhaul access level for mesh access points is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To use this command, mesh backhaul with client access must be enabled by using the config mesh client-access command.


Note


After this feature is enabled, all mesh access points reboot.


Examples

The following example shows how to set the backhaul client access to the best-effort level:

(Cisco Controller) >config mesh backhaul rate-adapt silver enable

config mesh backhaul slot

To configure the slot radio as a downlink backhaul, use the config mesh backhaul slot command.

config mesh backhaul slot slot_id { enable | disable} cisco_ap

Syntax Description

slot_id

Slot number between 0 and 2.

enable

Enables the entered slot radio as a downlink backhaul.

disable

Disables the entered slot radio as a downlink backhaul.

cisco_ap

Name of the Root AP of the sector on which the backhaul needs to be enabled or disabled.

Command Default

The entered slot radio as a downlink backhaul is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For 2.4 GHz, only slots 0 and 1 are valid. If slot 0 is enabled, slot 1 is automatically disabled. If slot 0 is disabled, slot 1 is automatically enabled.

Examples

The following example shows how to enable slot 1 as the preferred backhaul for the root AP myrootap1:

(Cisco Controller) >config mesh backhaul slot 1 enable myrootap1

config mesh battery-state

To configure the battery state for Cisco mesh access points, use the config mesh battery-state command.

config mesh battery-state disable { all | cisco_ap}

Syntax Description

disable

Disables the battery-state for mesh access points.

all

Applies this command to all mesh access points.

cisco_ap

Specific mesh access point.

Command Default

Battery state is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable battery state for all mesh APs:

(Cisco Controller) >config mesh battery-state disable all

config mesh client-access

To enable or disable client access to the mesh backhaul on indoor and outdoor mesh access points, use the config mesh client-access command.

config mesh client-access { enable [ extended] | disable}

Syntax Description

enable

Allows wireless client association over the mesh access point backhaul 802.11a radio.

extended

(Optional) Enables client access over both the backhaul radios for backhaul access points.

disable

Restricts the 802.11a radio to backhaul traffic, and allows client association only over the 802.11b/g radio.

Command Default

Client access is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Backhaul interfaces (802.11a radios) act as primary Ethernet interfaces. Backhauls function as trunks in the network and carry all VLAN traffic between the wireless and wired network. No configuration of primary Ethernet interfaces is required.

When this feature is enabled, the mesh access points allow wireless client association over the 802.11a radio, which implies that a 152x mesh access point can carry both backhaul traffic and 802.11a client traffic over the same 802.11a radio.

When this feature is disabled, the mesh access points carry backhaul traffic over the 802.11a radio and allow client association only over the 802.11b/g radio.

Examples

The following example shows how to enable client access extended to allow a wireless client association over the 802.11a radio:

(Cisco Controller) >config mesh client-access enable extended
Enabling client access on both backhaul slots
 Same BSSIDs will be used on both slots
 All Mesh AP will be rebooted
 Are you sure you want to start? (y/N)Y


The following example shows how to restrict a wireless client association to the 802.11b/g radio:

(Cisco Controller) >config mesh client-access disable
All Mesh AP will be rebooted
Are you sure you want to start? (Y/N) Y
Backhaul with client access is canceled.

config mesh ethernet-bridging vlan-transparent

To configure how a mesh access point handles VLAN tags for Ethernet bridged traffic, use the config mesh ethernet-bridging vlan-transparent command.

config mesh ethernet-bridging vlan-transparent { enable | disable}

Syntax Description

enable

Bridges packets as if they are untagged.

disable

Drops all tagged packets.

Command Default

Bridges packets as if they are untagged.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure Ethernet packets as untagged:

(Cisco Controller) >config mesh ethernet-bridging vlan-transparent enable

The following example shows how to drop tagged Ethernet packets:

(Cisco Controller) >config mesh ethernet-bridging vlan-transparent disable

config mesh full-sector-dfs

To globally enable or disable full-sector Dynamic Frequency Selection (DFS) on mesh access points, use the config mesh full-sector-dfs command.

config mesh full-sector-dfs { enable | disable}

Syntax Description

enable

Enables DFS for mesh access points.

disable

Disables DFS for mesh access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command instructs the mesh sector to make a coordinated channel change on the detection of a radar signal. For example, if a mesh access point (MAP) detects a radar signal, the MAP will notify the root access point (RAP), and the RAP will initiate a sector change.

All MAPs and the RAP that belong to that sector go to a new channel, which lowers the probability of MAPs stranding when radar is detected on the current backhaul channel, and no other valid parent is available as backup.

Each sector change causes the network to be silent for 60 seconds (as dictated by the DFS standard).

It is expected that after a half hour, the RAP will go back to the previously configured channel, which means that if radar is frequently observed on a RAP's channel, it is important that you configure a different channel for that RAP to exclude the radar affected channel at the controller.

Examples

This example shows how to enable full-sector DFS on mesh access points:

(Cisco Controller) >config mesh full-sector-dfs enable

config mesh linkdata

To enable external MAC filtering of access points, use the config mesh linkdata command.

config mesh linkdata destination_ap_name

Syntax Description

destination_ap_name

Destination access point name for MAC address filtering.

Command Default

External MAC filtering is disabled.

Usage Guidelines


Note


The config mesh linktest and config mesh linkdata commands are designed to be used together to verify information between a source and a destination access point. To get this information, first execute the config mesh linktest command with the access point that you want link data from in the dest_ap argument. When the command completes, enter the config mesh linkdata command and list the same destination access point to display the link data (see example).


MAC filtering uses the local MAC filter on the controller by default.

When external MAC filter authorization is enabled, if the MAC address is not found in the local MAC filter, then the MAC address in the external RADIUS server is used.

MAC filtering protects your network against rogue mesh access points by preventing access points that are not defined on the external server from joining.

Before employing external authentication within the mesh network, the following configuration is required:

  • The RADIUS server to be used as an AAA server must be configured on the controller.

  • The controller must also be configured on the RADIUS server.

  • The mesh access point configured for external authorization and authentication must be added to the user list of the RADIUS server.

Examples

The following example shows how to enable external MAC address filtering on access point AP001d.710d.e300:

(Cisco Controller) >config mesh linkdata MAP2-1-1522.7400 AP001d.710d.e300 18 100 1000 30
LinkTest started on source AP, test ID: 0
[00:1D:71:0E:74:00]->[00:1D:71:0D:E3:0F]
Test config:  1000 byte packets at 100  pps for 30 seconds, a-link rate 18 Mb/s
In progress: | || || || || || || || || || || || || |
LinkTest complete
Results
=======
txPkts:             2977
txBuffAllocErr:        0
txQFullErrs:           0
Total rx pkts heard at destination:      2977
rx pkts decoded correctly:               2977
  err pkts: Total         0 (PHY 0 + CRC 0 + Unknown 0), TooBig 0, TooSmall 0
  rx lost packets:        0 (incr for each pkt seq missed or out of order)
  rx dup pkts:            0
  rx out of order:        0
avgSNR:    30, high:   33, low:    3
SNR profile         [0dB...60dB]
          0            6            0            0            0
          0            0            1            2           77
       2888            3            0            0            0
          0            0            0            0            0
    (>60dB)            0
avgNf:    -95, high:  -67, low:  -97
Noise Floor profile [-100dB...-40dB]
          0         2948           19            3            1
          0            0            0            0            0
          3            3            0            0            0
          0            0            0            0            0
    (>-40dB)           0
avgRssi:   64, high:   68, low:   63
RSSI profile        [-100dB...-40dB]
          0            0            0            0            0
          0            0            0            0            0
          0            0            0            0            0
          0            0            0            0            0
    (>-40dB)        2977
Summary PktFailedRate (Total pkts sent/recvd):                       0.000%
Physical layer Error rate (Total pkts with errors/Total pkts heard): 0.000%

This example shows how to enable external MAC filtering on access point AP001d.710d.e300:

(Cisco Controller) >config mesh linkdata AP001d.710d.e300
[SD:0,0,0(0,0,0), 0,0, 0,0]
[SD:1,105,0(0,0,0),30,704,95,707]
[SD:2,103,0(0,0,0),30,46,95,25]
[SD:3,105,0(0,0,0),30,73,95,29]
[SD:4,82,0(0,0,0),30,39,95,24]
[SD:5,82,0(0,0,0),30,60,95,26]
[SD:6,105,0(0,0,0),30,47,95,23]
[SD:7,103,0(0,0,0),30,51,95,24]
[SD:8,105,0(0,0,0),30,55,95,24]
[SD:9,103,0(0,0,0),30,740,95,749]
[SD:10,105,0(0,0,0),30,39,95,20]
[SD:11,104,0(0,0,0),30,58,95,23]
[SD:12,105,0(0,0,0),30,53,95,24]
[SD:13,103,0(0,0,0),30,64,95,43]
[SD:14,105,0(0,0,0),30,54,95,27]
[SD:15,103,0(0,0,0),31,51,95,24]
[SD:16,105,0(0,0,0),30,59,95,23]
[SD:17,104,0(0,0,0),30,53,95,25]
[SD:18,105,0(0,0,0),30,773,95,777]
[SD:19,103,0(0,0,0),30,745,95,736]
[SD:20,105,0(0,0,0),30,64,95,54]
[SD:21,103,0(0,0,0),30,747,95,751]
[SD:22,105,0(0,0,0),30,55,95,25]
[SD:23,104,0(0,0,0),30,52,95,35]
[SD:24,105,0(0,0,0),30,134,95,23]
[SD:25,103,0(0,0,0),30,110,95,76]
[SD:26,105,0(0,0,0),30,791,95,788]
[SD:27,103,0(0,0,0),30,53,95,23]
[SD:28,105,0(0,0,0),30,128,95,25]
[SD:29,104,0(0,0,0),30,49,95,24]
[SD:30,0,0(0,0,0), 0,0, 0,0]

config mesh linktest

To verify client access between mesh access points, use the config mesh linktest command.

config mesh linktest source_ap { dest_ap | MAC addr} datarate packet_rate packet_size duration

Syntax Description

source_ap

Source access point.

dest_ap

Destination access point.

MAC addr

MAC address.

datarate

  • Data rate for 802.11a radios. Valid values are 6, 9, 11, 12, 18, 24, 36, 48 and 54 Mbps.

  • Data rate for 802.11b radios. Valid values are 6, 12, 18, 24, 36, 54, or 100 Mbps.

  • Data rate for 802.11n radios. Valid values are MCS rates between m0 to m15.

packet_rate

Number of packets per second. Valid range is 1 through 3000, but the recommended default is 100.

packet_size

(Optional) Packet size in bytes. If not specified, packet size defaults to 1500 bytes.

duration

(Optional) Duration of the test in seconds. Valid values are 10-300 seconds, inclusive. If not specified, duration defaults to 30 seconds.

Command Default

100 packets per second, 1500 bytes, 30-second duration.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The config mesh linktest and config mesh linkdata commands are designed to be used together to verify information between a source and a destination access point. To get this information, first enter the config mesh linktest command with the access point that you want link data from in the dest_ap argument. When the command completes, enter the config mesh linkdata command and list the same destination access point, to display the link data.

The following warning message appears when you run a linktest that might oversubscribe the link:

Warning! Data Rate (100 Mbps) is not enough to perform this link test on packet size (2000bytes) and (1000) packets per second. This may cause AP to disconnect or reboot. Are you sure you want to continue?

Examples

The following example shows how to verify client access between mesh access points SB_MAP1 and SB_RAP2 at 36 Mbps, 20 fps, 100 frame size, and 15-second duration:

(Cisco Controller) >config mesh linktest SB_MAP1 SB_RAP1 36 20 100 15
LinkTest started on source AP, test ID: 0
[00:1D:71:0E:85:00]->[00:1D:71:0E:D0:0F]
Test config:  100 byte packets at 20  pps for 15 seconds, a-link rate 36 Mb/s
In progress: | || || || || || |
LinkTest complete
Results
=======
txPkts:              290
txBuffAllocErr:        0
txQFullErrs:           0
Total rx pkts heard at destination:       290
rx pkts decoded correctly:
  err pkts: Total         0 (PHY 0 + CRC 0 + Unknown 0), TooBig 0, TooSmall 0
  rx lost packets:        0 (incr for each pkt seq missed or out of order)
  rx dup pkts:            0
  rx out of order:        0
avgSNR:    37, high:   40, low:    5
SNR profile         [0dB...60dB]
          0            1            0            0            1
          3            0            1            0            2
          8           27          243            4            0
          0            0            0            0            0
    (>60dB)            0
avgNf:    -89, high:  -58, low:  -90
Noise Floor profile [-100dB...-40dB]
          0            0            0          145          126
         11            2            0            1            0
          3            0            1            0            1
          0            0            0            0            0
    (>-40dB)           0
avgRssi:   51, high:   53, low:   50
RSSI profile        [-100dB...-40dB]
          0            0            0            0            0
          0            0            0            0            0
          0            0            0            0            0
          0            7          283            0            0
    (>-40dB)           0
Summary PktFailedRate (Total pkts sent/recvd):                       0.000%
Physical layer Error rate (Total pkts with errors/Total pkts heard): 0.000%


The following table lists the output flags displayed for the config mesh linktest command.

Table 3. Output Flags for the Config Mesh Linktest Command

Output Flag

Description

txPkts

Number of packets sent by the source.

txBuffAllocErr

Number of linktest buffer allocation errors at the source (expected to be zero).

txQFullErrs

Number of linktest queue full errors at the source (expected to be zero).

Total rx pkts heard at destination

Number of linktest packets received at the destination (expected to be same as or close to the txPkts).

rx pkts decoded correctly

Number of linktest packets received and decoded correctly at the destination (expected to be same as or close to txPkts).

err pkts: Total

Packet error statistics for linktest packets with errors.

rx lost packets

Total number of linktest packets not received at the destination.

rx dup pkts

Total number of duplicate linktest packets received at the destination.

rx out of order

Total number of linktest packets received out of order at the destination.

avgNF

Average noise floor.

Noise Floor profile

Noise floor profile in dB. The values are negative numbers.

avgSNR

Average SNR values.

SNR profile [0dB...60dB]

Histogram of samples received between 0 and 60 dB. The columns in the SNR profile are the number of packets falling into the buckets 0-3, 3-6, 6-9, up to 57-60.

avgRSSI

Average RSSI values. The average high and low RSSI values are positive numbers.

RSSI profile [-100dB...-40dB]

The RSSI profile in dB. The values are negative numbers.
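Added example (not part of the Cisco reference): a Python parser for the linktest counters and SNR profile that applies the expectations listed in Table 3. The function names and the 1 percent loss tolerance (max_loss) are assumptions of this example; the sample text is copied from the first linktest output shown earlier on this page.

```python
import re

# Counters and SNR profile copied from the first linktest output on this page.
SAMPLE = """\
txPkts:             2977
txBuffAllocErr:        0
txQFullErrs:           0
Total rx pkts heard at destination:      2977
rx pkts decoded correctly:               2977
  err pkts: Total         0 (PHY 0 + CRC 0 + Unknown 0), TooBig 0, TooSmall 0
  rx lost packets:        0 (incr for each pkt seq missed or out of order)
  rx dup pkts:            0
  rx out of order:        0
avgSNR:    30, high:   33, low:    3
SNR profile         [0dB...60dB]
          0            6            0            0            0
          0            0            1            2           77
       2888            3            0            0            0
          0            0            0            0            0
    (>60dB)            0
"""

COUNTERS = (
    "txPkts", "txBuffAllocErr", "txQFullErrs",
    "Total rx pkts heard at destination", "rx pkts decoded correctly",
    "err pkts: Total", "rx lost packets", "rx dup pkts", "rx out of order",
)


def parse_counters(text):
    """Return {label: int or None}. None means the label is absent or has no
    value printed (the second linktest example on this page prints
    'rx pkts decoded correctly:' with nothing after it)."""
    out = {}
    for label in COUNTERS:
        # [ \t]* keeps the match on one line, so an empty value never
        # swallows the number from the following line.
        m = re.search(rf"^[ \t]*{re.escape(label)}:?[ \t]*(\d+)?", text, re.M)
        out[label] = int(m.group(1)) if m and m.group(1) else None
    return out


def parse_snr_profile(text):
    """Return (buckets, overflow): 20 counts for 0-3, 3-6, ... 57-60 dB,
    plus the count of samples above 60 dB."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("SNR profile")), None)
    if start is None:
        raise ValueError("no SNR profile in linktest output")
    buckets = []
    for line in lines[start + 1:]:
        m = re.match(r"\s*\(>60dB\)\s+(\d+)", line)
        if m:
            if len(buckets) != 20:
                raise ValueError(f"expected 20 SNR buckets, got {len(buckets)}")
            return buckets, int(m.group(1))
        buckets.extend(int(tok) for tok in line.split())
    raise ValueError("SNR profile has no (>60dB) row")


def samples_below(buckets, snr_db, width=3):
    """Count samples in the 3-dB buckets that lie entirely below snr_db."""
    return sum(buckets[: snr_db // width])


def check_link(text, max_loss=0.01):
    """Compare the counters with Table 3: error counters must be zero and the
    receive counters must be close to txPkts (max_loss is an assumed bound)."""
    c = parse_counters(text)
    findings = []
    for label in ("txBuffAllocErr", "txQFullErrs"):
        if c[label] is None:
            findings.append(f"{label}: value missing")
        elif c[label] != 0:
            findings.append(f"{label}: expected 0, got {c[label]}")
    tx = c["txPkts"]
    for label in ("Total rx pkts heard at destination", "rx pkts decoded correctly"):
        rx = c[label]
        if tx is None or rx is None:
            findings.append(f"{label}: value missing")
        elif tx and (tx - rx) / tx > max_loss:
            findings.append(f"{label}: {rx} of {tx} packets ({(tx - rx) / tx:.1%} lost)")
    return findings


if __name__ == "__main__":
    buckets, overflow = parse_snr_profile(SAMPLE)
    print("findings:", check_link(SAMPLE) or "none")
    print("samples below 12 dB:", samples_below(buckets, 12), "of", sum(buckets) + overflow)
```

An empty list from check_link means the run met the Table 3 expectations; a "value missing" finding points at truncated output rather than at packet loss.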

config mesh lsc

To configure a locally significant certificate (LSC) on mesh access points, use the config mesh lsc command.

config mesh lsc { enable | disable}

Syntax Description

enable

Enables an LSC on mesh access points.

disable

Disables an LSC on mesh access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable LSC on mesh access points:

(Cisco Controller) >config mesh lsc enable

config mesh multicast

To configure multicast mode settings to manage multicast transmissions within the mesh network, use the config mesh multicast command.

config mesh multicast { regular | in | in-out}

Syntax Description

regular

Multicasts the video across the entire mesh network and all its segments by bridging-enabled root access points (RAPs) and mesh access points (MAPs).

in

Forwards the multicast video received from the Ethernet by a MAP to the RAP’s Ethernet network. No additional forwarding occurs, which ensures that non-LWAPP multicasts received by the RAP are not sent back to the MAP Ethernet networks within the mesh network (their point of origin), and MAP-to-MAP multicasts do not occur because they are filtered out.

in-out

Configures the RAP and MAP to multicast, but each in a different manner:

If multicast packets are received at a MAP over Ethernet, they are sent to the RAP; however, they are not sent to other MAP Ethernets, and the MAP-to-MAP packets are filtered out of the multicast.

If multicast packets are received at a RAP over Ethernet, they are sent to all the MAPs and their respective Ethernet networks. See the Usage Guidelines section for more information.

Command Default

In-out mode

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Multicast for mesh networks cannot be enabled using the controller GUI.

Mesh multicast modes determine how bridging-enabled access points, both mesh access points (MAPs) and root access points (RAPs), send multicasts among Ethernet LANs within a mesh network. Mesh multicast modes manage non-LWAPP multicast traffic only. LWAPP multicast traffic is governed by a different mechanism.

You can use the controller CLI to configure three mesh multicast modes to manage video camera broadcasts on all mesh access points. When enabled, these modes reduce unnecessary multicast transmissions within the mesh network and conserve backhaul bandwidth.

When using in-out mode, it is important to properly partition your network to ensure that a multicast sent by one RAP is not received by another RAP on the same Ethernet segment and then sent back into the network.


Note


If 802.11b clients need to receive CAPWAP multicasts, then multicast must be enabled globally on the controller as well as on the mesh network (by using the config network multicast global command). If multicast does not need to extend to 802.11b clients beyond the mesh network, you should disable the global multicast parameter.


Examples

The following example shows how to multicast video across the entire mesh network and all its segments by bridging-enabled RAPs and MAPs:

(Cisco Controller) >config mesh multicast regular

config mesh parent preferred

To configure a preferred parent for a mesh access point, use the config mesh parent preferred command.

config mesh parent preferred cisco_ap { mac_address | none}

Syntax Description

cisco_ap

Name of the child access point.

mac_address

MAC address of the preferred parent.

none

Clears the configured parent.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

A child AP selects the preferred parent based on the following conditions:

  • The preferred parent is the best parent.

  • The preferred parent has a link SNR of at least 20 dB (other parents, however good, are ignored).

  • The preferred parent has a link SNR in the range of 12 dB and 20 dB, but no other parent is significantly better (that is, the SNR is more than 20 percent better). For an SNR lower than 12 dB, the configuration is ignored.

  • The preferred parent is not in a blocked list.

  • The preferred parent is not in silent mode because of dynamic frequency selection (DFS).

  • The preferred parent is in the same bridge group name (BGN). If the configured preferred parent is not in the same BGN and no other parent is available, the child joins the parent AP using the default BGN.
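Added example (not part of the Cisco reference): the conditions above written as a decision function in Python, useful for predicting whether a configured preferred parent will be honored. The Parent class, choose_parent, ranking the "best" parent by highest SNR, and reading "20 percent better" as an SNR more than 1.2 times the preferred parent's SNR are assumptions of this example; the preferred MAC address is the one used in the examples for this command and the other address is constructed.

```python
from dataclasses import dataclass

PREF = "00:21:1b:ea:36:60"    # preferred parent MAC from this page's example
OTHER = "00:00:5e:00:53:01"   # constructed neighbor MAC (documentation range)


@dataclass
class Parent:
    mac: str
    snr_db: float
    bgn: str                  # bridge group name advertised by the parent
    blocked: bool = False     # parent is in the blocked list
    dfs_silent: bool = False  # parent is in silent mode because of DFS


def choose_parent(preferred_mac, child_bgn, candidates):
    """Return (mac, reason) for the parent a child AP would pick.

    Assumption: where the page says "best parent" or "better", parents are
    compared by link SNR alone.
    """
    usable = [p for p in candidates if not p.blocked and not p.dfs_silent]
    same_bgn = [p for p in usable if p.bgn == child_bgn]
    best = max(same_bgn, key=lambda p: p.snr_db, default=None)
    pref = next((p for p in usable if p.mac == preferred_mac), None)

    if pref is None:
        # Blocked, DFS-silent, or simply not heard: fall back to the best parent.
        return (best.mac if best else None,
                "preferred parent blocked, DFS-silent or not heard")
    if pref.bgn != child_bgn:
        if best is None:
            return pref.mac, "no other parent available: join using default BGN"
        return best.mac, "preferred parent is in another BGN"
    if pref is best:
        return pref.mac, "preferred parent is the best parent"
    if pref.snr_db >= 20:
        return pref.mac, "preferred SNR >= 20 dB: other parents ignored"
    if pref.snr_db >= 12:
        # Only the strongest alternative needs checking against the 20 percent rule.
        if best.snr_db > pref.snr_db * 1.2:
            return best.mac, "another parent is more than 20 percent better"
        return pref.mac, "preferred SNR 12-20 dB, no significantly better parent"
    return best.mac, "preferred SNR < 12 dB: configuration ignored"


if __name__ == "__main__":
    for pref_snr, other_snr in ((22, 35), (15, 17), (15, 19), (10, 14)):
        mac, reason = choose_parent(
            PREF, "bgn1",
            [Parent(PREF, pref_snr, "bgn1"), Parent(OTHER, other_snr, "bgn1")],
        )
        print(f"preferred {pref_snr} dB, other {other_snr} dB -> {mac} ({reason})")
```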

Examples

The following example shows how to configure a preferred parent with the MAC address 00:21:1b:ea:36:60 for a mesh access point myap1:

(Cisco Controller) >config mesh parent preferred myap1 00:21:1b:ea:36:60

The following example shows how to clear a preferred parent with the MAC address 00:21:1b:ea:36:60 for a mesh access point myap1, by using the keyword none:

(Cisco Controller) >config mesh parent preferred myap1 00:21:1b:ea:36:60 none

config mesh public-safety

To enable or disable the 4.9-GHz public safety band for mesh access points, use the config mesh public-safety command.

config mesh public-safety { enable | disable} { all | cisco_ap}

Syntax Description

enable

Enables the 4.9-GHz public safety band.

disable

Disables the 4.9-GHz public safety band.

all

Applies the command to all mesh access points.

cisco_ap

Specific mesh access point.

Command Default

The 4.9-GHz public safety band is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

4.9 GHz is a licensed frequency band restricted to public-safety personnel.

Examples

The following example shows how to enable the 4.9-GHz public safety band for all mesh access points:

(Cisco Controller) >config mesh public-safety enable all
4.9GHz is a licensed frequency band in -A domain for public-safety usage
 Are you sure you want to continue? (y/N) y

config mesh radius-server

To enable or disable external authentication for mesh access points, use the config mesh radius-server command.

config mesh radius-server index { enable | disable}

Syntax Description

index

RADIUS authentication method. Options are as follows:

  • Enter eap to designate Extensible Authentication Protocol (EAP) for the mesh RADIUS server setting.

  • Enter psk to designate Preshared Keys (PSKs) for the mesh RADIUS server setting.

enable

Enables the external authentication for mesh access points.

disable

Disables the external authentication for mesh access points.

Command Default

EAP is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable external authentication for mesh access points:

(Cisco Controller) >config mesh radius-server eap enable

config mesh range

To globally set the maximum range between outdoor root access points (RAPs) and mesh access points (MAPs), use the config mesh range command.

config mesh range [ distance]

Syntax Description

distance

(Optional) Maximum operating range (150 to 132000 ft) of the mesh access point.

Command Default

12,000 feet.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

After this command is enabled, all outdoor mesh access points reboot. This command does not affect indoor access points.

Examples

The following example shows how to set the range between an outdoor mesh RAP and a MAP:

(Cisco Controller) >config mesh range 300
Command not applicable for indoor mesh. All outdoor Mesh APs will be rebooted
Are you sure you want to start? (y/N) y

config mesh secondary-backhaul

To configure a secondary backhaul on the mesh network, use the config mesh secondary-backhaul command.

config mesh secondary-backhaul { enable [ force-same-secondary-channel] | disable [ rll-retransmit | rll-transmit]}

Syntax Description

enable

Enables the secondary backhaul configuration.

force-same-secondary-channel

(Optional) Enables secondary-backhaul mesh capability. Forces all access points rooted at the first hop node to have the same secondary channel and ignores the automatic or manual channel assignments for the mesh access points (MAPs) at the second hop and beyond.

disable

Specifies the secondary backhaul configuration is disabled.

rll-transmit

(Optional) Uses reliable link layer (RLL) at the second hop and beyond.

rll-retransmit

(Optional) Extends the number of RLL retry attempts in an effort to improve reliability.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command uses a secondary backhaul radio as a temporary path for traffic that cannot be sent on the primary backhaul due to intermittent interference.

Examples

The following example shows how to enable a secondary backhaul radio and force all access points rooted at the first hop node to have the same secondary channel:

(Cisco Controller) >config mesh secondary-backhaul enable force-same-secondary-channel

config mesh security

To configure the security settings for mesh networks, use the config mesh security command.

config mesh security {{rad-mac-filter | force-ext-auth | lsc-only-auth} {enable | disable}} | {{eap | psk provisioning | provisioning window} | {enable | disable}} | {delete_psk | key}

Syntax Description

rad-mac-filter

Enables a Remote Authentication Dial-In User Service (RADIUS) MAC address filter for the mesh security setting.

force-ext-auth

Disables forced external authentication for the mesh security setting.

lsc-only-auth

Enables Locally Significant Certificate only authentication for the mesh security setting.

enable

Enables the mesh security setting.

disable

Disables the mesh security setting.

eap

Designates the Extensible Authentication Protocol (EAP) for the mesh security setting by default.

psk

Designates a preshared key (PSK) for the mesh security setting.

provisioning

Encrypts provisioning for the PSK in the controller.

provisioning window

Encrypts provisioning window for the PSK in the controller.

enable

Enables provisioning of the PSK.

disable

Disables provisioning of the PSK.

key

Specifies the key for the PSK.

Command Default

The EAP is designated as default for the mesh security.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.2 This command was modified. The psk provisioning and psk provisioning keywords were added.

Examples

The following example shows how to configure EAP as the security option for all mesh access points:

(Cisco Controller) >config mesh security eap

The following example shows how to configure PSK as the security option for all mesh access points:

(Cisco Controller) >config mesh security psk

The following example shows how to enable PSK provisioning as the security option for all mesh access points:

(Cisco Controller)> config mesh security psk provisioning enable

The following example shows how to configure a PSK provisioning key as the security option for all mesh access points:

(Cisco Controller)> config mesh security psk provisioning key 5

The following example shows how to enable a PSK provisioning window as the security option for all mesh access points:

(Cisco Controller)> config mesh security psk provisioning window enable

The following example shows how to delete the PSK provisioning for the controller:

(Cisco Controller)> config mesh security psk provisioning delete_psk wlc 

The following example shows how to delete the PSK provisioning for all mesh access points:

(Cisco Controller)> config mesh security psk provisioning delete_psk ap 

The following example shows how to delete PSK provisioning for all configurations in the controller:

(Cisco Controller)> config mesh security psk provisioning delete_psk wlc all

config mesh slot-bias

To enable or disable slot bias for serial backhaul mesh access points, use the config mesh slot-bias command.

config mesh slot-bias { enable | disable}

Syntax Description

enable

Enables slot bias for serial backhaul mesh APs.

disable

Disables slot bias for serial backhaul mesh APs.

Command Default

By default, slot bias is in enabled state.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Follow these guidelines when using this command:

  • The config mesh slot-bias command is a global command and therefore applicable to all 1524SB APs associated with the same controller.

  • Slot bias is applicable only when both slot 1 and slot 2 are available. If a slot radio does not have a channel that is available because of dynamic frequency selection (DFS), the other slot takes up both the uplink and downlink roles.

  • If slot 2 is not available because of hardware issues, slot bias functions normally. Corrective action should be taken by disabling the slot bias or fixing the antenna.

Examples

The following example shows how to disable slot bias for serial backhaul mesh APs:

(Cisco Controller) >config mesh slot-bias disable

Configure Management-User Commands

Use the config mgmtuser commands to configure management user settings.

config mgmtuser add

To add a local management user to the controller, use the config mgmtuser add command.

config mgmtuser add username password { lobby-admin | read-write | read-only} [ description]

Syntax Description

username

Account username. The username can be up to 24 alphanumeric characters.

password

Account password. The password can be up to 24 alphanumeric characters.

lobby-admin

Creates a management user with lobby ambassador privileges.

read-write

Creates a management user with read-write access.

read-only

Creates a management user with read-only access.

description

(Optional) Description of the account. The description can be up to 32 alphanumeric characters within double quotes.

Command Default

None

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

8.4

This command creates a lobby-admin user.

Examples

The following example shows how to create a management user account with read-write access.


(Cisco Controller) > config mgmtuser add admin admin read-write "Main account"

config mgmtuser delete

To delete a management user from the controller, use the config mgmtuser delete command.

config mgmtuser delete username

Syntax Description

username

Account username. The username can be up to 24 alphanumeric characters.

Command Default

The management user is not deleted by default.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a management user account admin from the controller.


(Cisco Controller) > config mgmtuser delete admin

Deleted user admin

config mgmtuser description

To add a description to an existing management user login to the controller, use the config mgmtuser description command.

config mgmtuser description username description

Syntax Description

username

Account username. The username can be up to 24 alphanumeric characters.

description

Description of the account. The description can be up to 32 alphanumeric characters within double quotes.

Command Default

No description is added to the management user.

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a description “primary-user” to the management user “admin”:


(Cisco Controller) > config mgmtuser description admin "primary-user"

config mgmtuser password

To configure a management user password, use the config mgmtuser password command.

config mgmtuser password username password

Syntax Description

username

Account username. The username can be up to 24 alphanumeric characters.

password

Account password. The password can be up to 24 alphanumeric characters.

Command Default

None

Command History

Release Modification

7.6

This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to change the password of the management user “admin” with the new password 5rTfm:


(Cisco Controller) > config mgmtuser password admin 5rTfm

config mgmtuser termination-interval

To configure the user re-authentication terminal interval in seconds, use the config mgmtuser termination-interval command.

config mgmtuser termination-interval { seconds }

Syntax Description

seconds

Re-authentication terminal interval in seconds for a user before being logged out. Default value is 0, the valid range is 0 to 300 seconds.

Command History

Release Modification
8.2 This command was introduced in this release.

Examples

The following example shows how to set the interval in seconds before the user is logged out:


 (Cisco Controller) > config mgmtuser termination-interval 180

Configure Mobility Commands

Use the config mobility commands to configure mobility (roaming) settings.

config mobility dscp

To configure the mobility intercontroller DSCP value, use the config mobility dscp command.

config mobility dscp dscp_value

Syntax Description

dscp_value

DSCP value ranging from 0 to 63.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the mobility intercontroller DSCP value to 40:

(Cisco Controller) >config mobility dscp 40

config mobility group anchor

To create a new mobility anchor for the WLAN or wired guest LAN, use the config mobility group anchor command.

config mobility group anchor { add | delete} { wlan wlan_id | guest-lan guest_lan_id} anchor_ip

Syntax Description

add

Adds or changes a mobility anchor to a wireless LAN.

delete

Deletes a mobility anchor from a wireless LAN.

wlan

Specifies the wireless LAN anchor settings.

wlan_id

Wireless LAN identifier between 1 and 512 (inclusive).

guest-lan

Specifies the guest LAN anchor settings.

guest_lan_id

Guest LAN identifier between 1 and 5 (inclusive).

anchor_ip

IP address of the anchor controller.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The wlan_id or guest_lan_id must exist and be disabled.

Auto-anchor mobility is enabled for the WLAN or wired guest LAN when you configure the first mobility anchor. Deleting the last anchor disables the auto-anchor mobility feature and resumes normal mobility for new associations.

Examples

The following example shows how to add a mobility anchor with the IP address 192.12.1.5 to a wireless LAN ID 2:

(Cisco Controller) >config mobility group anchor add wlan 2 192.12.1.5

The following example shows how to delete a mobility anchor with the IP address 193.13.1.5 from wireless LAN ID 5:

(Cisco Controller) >config mobility group anchor delete wlan 5 193.13.1.5

config mobility group domain

To configure the mobility domain name, use the config mobility group domain command.

config mobility group domain domain_name

Syntax Description

domain_name

Domain name. The domain name can be up to 31 case-sensitive characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a mobility domain name lab1:

(Cisco Controller) >config mobility group domain lab1

config mobility group keepalive count

To configure the controller to detect failed mobility group members (including anchor controllers), use the config mobility group keepalive count command.

config mobility group keepalive count count

Syntax Description

count

Number of times that a ping request is sent to a mobility group member before the member is considered unreachable. The range is from 3 to 20. The default is 3.

Command Default

The default number of times that a ping request is sent to a mobility group member is 3.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the number of times a ping request is sent to a mobility group member before the member is considered unreachable to three counts:

(Cisco Controller) >config mobility group keepalive count 3

config mobility group keepalive interval

To configure the controller to detect failed mobility group members (including anchor controllers), use the config mobility group keepalive interval command.

config mobility group keepalive interval interval

Syntax Description

interval

Interval of time between each ping request sent to a mobility group member. The range is from 1 to 30 seconds. The default value is 10 seconds.

Command Default

The default interval of time between each ping request is 10 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the amount of time between each ping request sent to a mobility group member to 10 seconds:

(Cisco Controller) >config mobility group keepalive interval 10

config mobility group member

To add or delete users from the mobility group member list, use the config mobility group member command.

config mobility group member { add MAC-addr IP-addr [ group_name] [ encrypt { enable | disable}] | data-dtls mac-addr { enable | disable} | delete MAC-addr | hash IP-addr { key | none}}

Syntax Description

add

Adds or changes a mobility group member to the list.

MAC-addr

Member switch MAC address.

IP-addr

Member switch IP address.

group_name

(Optional) Member switch group name (if different from the default group name).

encrypt

(Optional) Secure communication to peer. Default value is disabled.

data-dtls

(Optional) Configure data-dtls for mobility peer. Default value is enabled.

delete

(Optional) Deletes a mobility group member from the list.

hash

Configures the hash key for authorization. You can configure the hash key only if the member is a virtual controller in the same domain.

key

Hash key of the virtual controller. For example, a819d479dcfeb3e0974421b6e8335582263d9169

none

Clears the previous hash key of the virtual controller.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

8.8.111.0 This command was updated by adding the encrypt and data-dtls keywords to support IRCM functionality.

Examples

The following example shows how to add a mobility group member with an IPv4 address to the list:

(Cisco Controller) >config mobility group member add 11:11:11:11:11:11 209.165.200.225

The following example shows how to add a mobility group member with an IPv6 address to the list:

(Cisco Controller) >config mobility group member add 11:11:11:11:11:11 2001:DB8::1

The following example shows how to configure the hash key of a virtual controller in the same domain:


Note

The IP address in this example can be in either IPv4 or IPv6 format.

(Cisco Controller) >config mobility group member hash 209.165.201.1 a819d479dcfeb3e0974421b6e8335582263d9169

config mobility group multicast-address

To configure the multicast group IP address for nonlocal groups within the mobility list, use the config mobility group multicast-address command.

config mobility group multicast-address group_name ip_address

Syntax Description

group_name

Member switch group name (if different from the default group name).

ip_address

Member switch IP address.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure the multicast group IP address 10.10.10.1 for a group named test:

(Cisco Controller) >config mobility group multicast-address test 10.10.10.1

The following example shows how to configure the multicast group IP address 2001:DB8::1 for a group named test:

(Cisco Controller) >config mobility group multicast-address test 2001:DB8::1

config mobility multicast-mode

To enable or disable mobility multicast mode, use the config mobility multicast-mode command.

config mobility multicast-mode { enable | disable} local_group_multicast_address

Syntax Description

enable

Enables the multicast mode; the controller uses multicast mode to send Mobile Announce messages to the local group.

disable

Disables the multicast mode; the controller uses unicast mode to send the Mobile Announce messages to the local group.

local_group_multicast_address

IP address for the local mobility group.

Command Default

The mobility multicast mode is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the multicast mobility mode for the local mobility group IP address 157.168.20.0:

(Cisco Controller) >config mobility multicast-mode enable 157.168.20.0

config mobility secure-mode

To configure the secure mode for mobility messages between controllers, use the config mobility secure-mode command.

config mobility secure-mode { enable | disable}

Syntax Description

enable

Enables the mobility group message security.

disable

Disables mobility group message security.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the secure mode for mobility messages:

(Cisco Controller) >config mobility secure-mode enable
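
The following Python audit is an added example, not Cisco code. It reads a list of config mobility commands and reports what this reference documents as weak or out of range: peers added without encrypt enable (the keyword defaults to disabled), peers with data-dtls disabled, secure-mode not enabled, and DSCP or keepalive values outside the stated ranges. The sample commands, the function names, and the assumption that optional keywords on member add appear in the order of the syntax line are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: commands in the forms documented in this reference.
SAMPLE_CONFIG = """\
config mobility group domain lab1
config mobility dscp 40
config mobility group keepalive count 2
config mobility group keepalive interval 10
config mobility group member add 11:11:11:11:11:11 209.165.200.225
config mobility group member add 22:22:22:22:22:22 2001:DB8::1 lab1 encrypt enable
config mobility group member data-dtls 22:22:22:22:22:22 disable
config mobility secure-mode disable
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

# Ranges taken from the syntax descriptions in this reference.
RANGES = {
    ("dscp",): (0, 63),
    ("group", "keepalive", "count"): (3, 20),
    ("group", "keepalive", "interval"): (1, 30),
}


def parse_member_add(args):
    """Parse 'MAC-addr IP-addr [group_name] [encrypt {enable|disable}]'.

    Returns (mac, peer_dict); raises ValueError on malformed input.
    Keyword order is assumed to follow the syntax line (assumption).
    """
    if len(args) < 2 or not MAC_RE.match(args[0]):
        raise ValueError("member add needs MAC-addr IP-addr")
    ipaddress.ip_address(args[1])  # IPv4 or IPv6; raises ValueError otherwise
    rest = args[2:]
    encrypt = "disable"  # documented default for the encrypt keyword
    if "encrypt" in rest:
        idx = rest.index("encrypt")
        if idx + 1 >= len(rest) or rest[idx + 1] not in ("enable", "disable"):
            raise ValueError("encrypt needs enable or disable")
        encrypt = rest[idx + 1]
        rest = rest[:idx]
    group = rest[0] if rest else None
    return args[0].lower(), {"ip": args[1], "group": group, "encrypt": encrypt}


def audit_mobility(config_text):
    """Return sorted (line_no, kind, detail) findings for mobility commands."""
    findings, peers, dtls_off = [], {}, {}
    secure_mode = (0, None)  # (line_no, last value seen); None = never set
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        words = raw.split()
        if words[:2] != ["config", "mobility"]:
            continue
        words = words[2:]
        for keys, (low, high) in RANGES.items():
            if tuple(words[:len(keys)]) == keys:
                arg = words[len(keys):]
                if len(arg) != 1 or not arg[0].isdecimal() or not low <= int(arg[0]) <= high:
                    findings.append((line_no, "range", f"{' '.join(keys)}: expected {low}-{high}"))
        if words[:3] == ["group", "member", "add"]:
            try:
                mac, peer = parse_member_add(words[3:])
            except ValueError as err:
                findings.append((line_no, "syntax", str(err)))
                continue
            peers[mac] = (line_no, peer)
        elif words[:3] == ["group", "member", "data-dtls"] and len(words) == 5:
            if words[4] == "disable":
                dtls_off[words[3].lower()] = line_no
            else:
                dtls_off.pop(words[3].lower(), None)
        elif words[:3] == ["group", "member", "delete"] and len(words) == 4:
            peers.pop(words[3].lower(), None)
            dtls_off.pop(words[3].lower(), None)
        elif words[:1] == ["secure-mode"] and len(words) == 2:
            secure_mode = (line_no, words[1])

    # Evaluate the final state once all commands have been applied.
    for mac, (line_no, peer) in peers.items():
        if peer["encrypt"] != "enable":
            findings.append((line_no, "peer-encrypt", f"{mac} ({peer['ip']}) added without encrypt enable"))
    for mac, line_no in dtls_off.items():
        findings.append((line_no, "peer-data-dtls", f"{mac} has data-dtls disabled"))
    if secure_mode[1] != "enable":
        detail = "secure-mode disabled" if secure_mode[1] == "disable" else "secure-mode never set"
        findings.append((secure_mode[0], "secure-mode", detail))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_mobility(SAMPLE_CONFIG):
        print(finding)
```
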

config mobility statistics reset

To reset the mobility statistics, use the config mobility statistics reset command.

config mobility statistics reset

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to reset the mobility group statistics:

(Cisco Controller) >config mobility statistics reset

Configure Message Log Level Commands

Use the config msglog commands to configure msglog level settings.

config msglog level critical

To reset the message log so that it collects and displays only critical (highest-level) messages, use the config msglog level critical command.

config msglog level critical

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The message log always collects and displays critical messages, regardless of the message log level setting.

Examples

The following example shows how to configure the message log severity level and display critical messages:


(Cisco Controller) > config msglog level critical

config msglog level error

To reset the message log so that it collects and displays both critical (highest-level) and error (second-highest) messages, use the config msglog level error command.

config msglog level error

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to reset the message log to collect and display critical and noncritical error messages:

 (Cisco Controller) > config msglog level error 

config msglog level security

To reset the message log so that it collects and displays critical (highest-level), error (second-highest), and security (third-highest) messages, use the config msglog level security command.

config msglog level security

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to reset the message log so that it collects and displays critical, noncritical, and authentication or security-related errors:


(Cisco Controller) > config msglog level security

config msglog level verbose

To reset the message log so that it collects and displays all messages, use the config msglog level verbose command.

config msglog level verbose

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to reset the message log so that it collects and displays all messages:


(Cisco Controller) > config msglog level verbose

config msglog level warning

To reset the message log so that it collects and displays critical (highest-level), error (second-highest), security (third-highest), and warning (fourth-highest) messages, use the config msglog level warning command.

config msglog level warning

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to reset the message log so that it collects and displays warning messages in addition to critical, noncritical, and authentication or security-related errors:


(Cisco Controller) > config msglog level warning

Configure Media-Stream Commands

Use the config media-stream commands to configure media stream settings.

config 802.11 media-stream multicast-direct

To configure the media stream multicast-direct parameters for the 802.11 networks, use the config 802.11 media-stream multicast-direct command.

config 802.11{ a | b} media-stream multicast-direct { admission-besteffort { enable | disable} | { client-maximum | radio-maximum} { value | no-limit } | enable | disable}

Syntax Description

802.11a

Specifies the 802.11a network.

802.11b

Specifies the 802.11b/g network.

admission-besteffort

Admits media stream to best-effort queue.

enable

Enables multicast-direct on a 2.4-GHz or a 5-GHz band.

disable

Disables multicast-direct on a 2.4-GHz or a 5-GHz band.

client-maximum

Specifies the maximum number of streams allowed on a client.

radio-maximum

Specifies the maximum number of streams allowed on a 2.4-GHz or a 5-GHz band.

value

Number of streams allowed on a client or on a 2.4-GHz or a 5-GHz band, from 1 to 20.

no-limit

Specifies the unlimited number of streams allowed on a client or on a 2.4-GHz or a 5-GHz band.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Before you configure the media stream multicast-direct parameters on an 802.11 network, ensure that the network is nonoperational.

Examples

This example shows how to enable media stream multicast-direct settings on an 802.11a network:


> config 802.11a media-stream multicast-direct enable

This example shows how to admit the media stream to the best-effort queue:


> config 802.11a media-stream multicast-direct admission-besteffort enable

This example shows how to set the maximum number of streams allowed on a client:


> config 802.11a media-stream multicast-direct client-maximum 10

config 802.11 media-stream video-redirect

To configure the media stream video-redirect for the 802.11 networks, use the config 802.11 media-stream video-redirect command.

config 802.11{ a | b} media-stream video-redirect { enable | disable}

Syntax Description

802.11a

Specifies the 802.11a network.

802.11b

Specifies the 802.11b/g network.

enable

Enables traffic redirection.

disable

Disables traffic redirection.

Command Default

None.

Usage Guidelines

Before you configure the media stream video-redirect on an 802.11 network, ensure that the network is nonoperational.

Examples

This example shows how to enable media stream traffic redirection on an 802.11a network:


> config 802.11a media-stream video-redirect enable

config media-stream multicast-direct

To configure the media-stream multicast-direct, use the config media-stream multicast-direct command.

config media-stream multicast-direct { enable | disable}

Syntax Description

enable

Enables a media stream.

disable

Disables a media stream.

Command Default

None.

Usage Guidelines

Media-stream multicast-direct requires load-based Call Admission Control (CAC) to run.

Examples

This example shows how to enable media-stream multicast-direct settings:


> config media-stream multicast-direct enable

This example shows how to disable media-stream multicast-direct settings:


> config media-stream multicast-direct disable

config media-stream message

To configure various parameters of message configuration, use the config media-stream message command.

config media-stream message { state [ enable | disable] | url url | email email | phone phone_number | note note}

Syntax Description

state

Specifies the media stream message state.

enable

(Optional) Enables the session announcement message state.

disable

(Optional) Disables the session announcement message state.

url

Configures the URL.

url

Session announcement URL.

email

Configures the email ID.

email

Specifies the session announcement e-mail.

phone

Configures the phone number.

phone_number

Session announcement phone number.

note

Configures the notes.

note

Session announcement notes.

Command Default

Disabled.

Usage Guidelines

Media-stream multicast-direct requires load-based Call Admission Control (CAC) to run.

Examples

This example shows how to enable the session announcement message state:


> config media-stream message state enable 

This example shows how to configure the session announcement e-mail address:


> config media-stream message email abc@co.com

config media-stream add

To configure the various global media-stream configurations, use the config media-stream add command.

config media-stream add multicast-direct media_stream_name start-IP end-IP [ template { very coarse | coarse | ordinary | low-resolution | med-resolution | high-resolution} | detail { bandwidth packet-size { periodic | initial}} qos priority { drop | fallback}]

Syntax Description

multicast-direct

Specifies the media stream for the multicast-direct setting.

media_stream_name

Media-stream name.

start-IP

IP multicast destination start address.

end-IP

IP multicast destination end address.

template

(Optional) Configures the media stream from templates.

very coarse

Applies a very-coarse template.

coarse

Applies a coarse template.

ordinary

Applies an ordinary template.

low-resolution

Applies a low-resolution template.

med-resolution

Applies a medium-resolution template.

high-resolution

Applies a high-resolution template.

detail

Configures the media stream with specific parameters.

bandwidth

Maximum expected stream bandwidth.

packet-size

Average packet size.

periodic

Specifies the periodic admission evaluation.

initial

Specifies the initial admission evaluation.

qos

AIR QoS class (video only).

priority

Media-stream priority.

drop

Specifies that the stream is dropped on a periodic reevaluation.

fallback

Specifies if the stream is demoted to the best-effort class on a periodic reevaluation.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Media-stream multicast-direct requires load-based Call Admission Control (CAC) to run.

Examples

This example shows how to configure a new media stream:

> config media-stream add multicast-direct abc 227.8.8.8 227.9.9.9 detail 2 150 periodic video 1 drop

config media-stream admit

To allow traffic for a media stream group, use the config media-stream admit command.

config media-stream admit media_stream_name

Syntax Description

media_stream_name

Media-stream group name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you try to allow traffic for the media stream group, you will be prompted that IGMP snooping will be disabled and enabled again, and all clients might observe a glitch on the multicast traffic.

Examples

This example shows how to allow traffic for a media stream group:


(Cisco Controller) > config media-stream admit MymediaStream

config media-stream deny

To block traffic for a media stream group, use the config media-stream deny command.

config media-stream deny media_stream_name

Syntax Description

media_stream_name

Media-stream group name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you try to block traffic for the media stream group, you will be prompted that IGMP snooping will be disabled and enabled again, and all clients might observe a glitch on the multicast traffic.

Examples

This example shows how to block traffic for a media stream group:


(Cisco Controller) > config media-stream deny MymediaStream

config media-stream delete

To configure the various global media-stream configurations, use the config media-stream delete command.

config media-stream delete media_stream_name

Syntax Description

media_stream_name

Media-stream name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Media-stream multicast-direct requires load-based Call Admission Control (CAC) to run.

Examples

This example shows how to delete the media stream named abc:


(Cisco Controller) > config media-stream delete abc

Configure Net User Commands

Use the config netuser commands to configure netuser settings.

config netuser add

To add a guest user on a WLAN or wired guest LAN to the local user database on the controller, use the config netuser add command.

config netuser add username password { wlan wlan_id | guestlan guestlan_id} userType guest lifetime lifetime description description

Syntax Description

username

Guest username. The username can be up to 50 alphanumeric characters.

password

User password. The password can be up to 24 alphanumeric characters.

wlan

Specifies the wireless LAN identifier to associate with or zero for any wireless LAN.

wlan_id

Wireless LAN identifier assigned to the user. A zero value associates the user with any wireless LAN.

guestlan

Specifies the guest LAN identifier to associate with or zero for any wireless LAN.

guestlan_id

Guest LAN ID.

userType

Specifies the user type.

guest

Specifies the guest for the guest user.

lifetime

Specifies the lifetime.

lifetime

Lifetime value (60 to 259200 or 0) in seconds for the guest user.

Note

A value of 0 indicates an unlimited lifetime.

description

Short description of user. The description can be up to 32 characters enclosed in double-quotes.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Local network usernames must be unique because they are stored in the same database.

Examples

The following example shows how to add a permanent username Jane to the wireless network for 1 hour:


(Cisco Controller) > config netuser add jane able2 wlan 1 userType permanent

The following example shows how to add a guest username George to the wireless network for 1 hour:


(Cisco Controller) > config netuser add george able1 guestlan 1 userType guest lifetime 3600

config netuser delete

To delete an existing user from the local network, use the config netuser delete command.

config netuser delete { username username | wlan-id wlan-id}

Syntax Description

username

Network username. The username can be up to 24 alphanumeric characters.

wlan-id

WLAN identification number.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Local network usernames must be unique because they are stored in the same database.

Note


When a WLAN associated with network users is deleted, the system prompts to delete all network users associated with the WLAN first. After deleting the network users, you can delete the WLAN.


Examples

The following example shows how to delete an existing username named able1 from the network:


(Cisco Controller) > config netuser delete username able1
Deleted user able1

config netuser guest-lan-id

To configure a wired guest LAN ID for a network user, use the config netuser guest-lan-id command.

config netuser guest-lan-id username lan_id

Syntax Description

username

Network username. The username can be up to 24 alphanumeric characters.

lan_id

Wired guest LAN identifier to associate with the user. A zero value associates the user with any wired LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a wired LAN ID 2 to associate with the user named aire1:


(Cisco Controller) > config netuser guest-lan-id aire1 2

config netuser description

To add a description to an existing net user, use the config netuser description command.

config netuser description username description

Syntax Description

username

Network username. The username can contain up to 24 alphanumeric characters.

description

(Optional) User description. The description can be up to 32 alphanumeric characters enclosed in double quotes.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a user description “HQ1 Contact” to an existing network user named able1:


(Cisco Controller) > config netuser description able1 "HQ1 Contact"

config netuser guest-role apply

To apply a quality of service (QoS) role to a guest user, use the config netuser guest-role apply command.

config netuser guest-role apply username role_name

Syntax Description

username

Name of the user.

role_name

QoS guest role name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you do not assign a QoS role to a guest user, the Role field in the User Details shows the role as default. The bandwidth contracts for this user are defined in the QoS profile for the WLAN.

If you want to unassign a QoS role from a guest user, use the config netuser guest-role apply username default command. This user now uses the bandwidth contracts defined in the QoS profile for the WLAN.

Examples

The following example shows how to apply a QoS role to a guest user jsmith with the QoS guest role named Contractor:


(Cisco Controller) > config netuser guest-role apply jsmith Contractor

config netuser guest-role create

To create a quality of service (QoS) role for a guest user, use the config netuser guest-role create command.

config netuser guest-role create role_name

Syntax Description

role_name

QoS guest role name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To delete a QoS role, use the config netuser guest-role delete role_name command.

Examples

The following example shows how to create a QoS role for the guest user named guestuser1:


(Cisco Controller) > config netuser guest-role create guestuser1

config netuser guest-role delete

To delete a quality of service (QoS) role for a guest user, use the config netuser guest-role delete command.

config netuser guest-role delete role_name

Syntax Description

role_name

Quality of service (QoS) guest role name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a quality of service (QoS) role for guestuser1:


(Cisco Controller) > config netuser guest-role delete guestuser1

config netuser guest-role qos data-rate average-data-rate

To configure the average data rate for TCP traffic on a per user basis, use the config netuser guest-role qos data-rate average-data-rate command.

config netuser guest-role qos data-rate average-data-rate role_name rate

Syntax Description

role_name

Quality of service (QoS) guest role name.

rate

Rate for TCP traffic on a per user basis.

Command Default

None

Usage Guidelines

For the role_name parameter in each of these commands, enter a name for the new QoS role. The name uniquely identifies the role of the QoS user (such as contractor, vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Examples

The following example shows how to configure an average rate for the QoS guest named guestuser1:


(Cisco Controller) > config netuser guest-role qos data-rate average-data-rate guestuser1 0

config netuser guest-role qos data-rate average-realtime-rate

To configure the average data rate for TCP traffic on a per user basis, use the config netuser guest-role qos data-rate average-realtime-rate command.

config netuser guest-role qos data-rate average-realtime-rate role_name rate

Syntax Description

role_name

Quality of service (QoS) guest role name.

rate

Rate for TCP traffic on a per user basis.

Command Default

None

Usage Guidelines

For the role_name parameter in each of these commands, enter a name for the new QoS role. The name uniquely identifies the role of the QoS user (such as contractor, vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Examples

The following example shows how to configure an average data rate for the QoS guest user named guestuser1 with the rate for TCP traffic of 0 Kbps:


(Cisco Controller) > config netuser guest-role qos data-rate average-realtime-rate guestuser1 0

config netuser guest-role qos data-rate burst-data-rate

To configure the peak data rate for TCP traffic on a per user basis, use the config netuser guest-role qos data-rate burst-data-rate command.

config netuser guest-role qos data-rate burst-data-rate role_name rate

Syntax Description

role_name

Quality of service (QoS) guest role name.

rate

Rate for TCP traffic on a per user basis.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The burst data rate should be greater than or equal to the average data rate. Otherwise, the QoS policy may block traffic to and from the wireless client.

For the role_name parameter in each of these commands, enter a name for the new QoS role. The name uniquely identifies the role of the QoS user (such as contractor, vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Examples

The following example shows how to configure the peak data rate for the QoS guest named guestuser1 with the rate for TCP traffic of 0 Kbps:


(Cisco Controller) > config netuser guest-role qos data-rate burst-data-rate guestuser1 0

config netuser guest-role qos data-rate burst-realtime-rate

To configure the burst real-time data rate for UDP traffic on a per user basis, use the config netuser guest-role qos data-rate burst-realtime-rate command.

config netuser guest-role qos data-rate burst-realtime-rate role_name rate

Syntax Description

role_name

Quality of service (QoS) guest role name.

rate

Rate for TCP traffic on a per user basis.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The burst real-time rate should be greater than or equal to the average real-time rate. Otherwise, the quality of service (QoS) policy may block traffic to and from the wireless client.

For the role_name parameter in each of these commands, enter a name for the new QoS role. The name uniquely identifies the role of the QoS user (such as contractor, vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Examples

The following example shows how to configure a burst real-time rate for the QoS guest user named guestuser1 with the rate for TCP traffic of 0 Kbps:


(Cisco Controller) > config netuser guest-role qos data-rate burst-realtime-rate guestuser1 0

config netuser lifetime

To configure the lifetime for a guest network user, use the config netuser lifetime command.

config netuser lifetime username time

Syntax Description

username

Network username. The username can be up to 50 alphanumeric characters.

time

Lifetime from 60 to 31536000 seconds or 0 for no limit.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure lifetime for a guest network user:


(Cisco Controller) > config netuser lifetime guestuser1 22450

config netuser maxUserLogin

To configure the maximum number of login sessions allowed for a network user, use the config netuser maxUserLogin command.

config netuser maxUserLogin count

Syntax Description

count

Maximum number of login sessions for a single user. The allowed values are from 0 (unlimited) to 8.

Command Default

By default, the maximum number of login sessions for a single user is 0 (unlimited).

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the maximum number of login sessions for a single user to 8:


(Cisco Controller) > config netuser maxUserLogin 8

config netuser password

To change a local network user password, use the config netuser password command.

config netuser password username password

Syntax Description

username

Network username. The username can be up to 24 alphanumeric characters.

password

Network user password. The password can contain up to 24 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to change the password of the network user aire1 to aire2:


(Cisco Controller) > config netuser password aire1 aire2

config netuser wlan-id

To configure a wireless LAN ID for a network user, use the config netuser wlan-id command.

config netuser wlan-id username wlan_id

Syntax Description

username

Network username. The username can be up to 24 alphanumeric characters.

wlan_id

Wireless LAN identifier to associate with the user. A zero value associates the user with any wireless LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a wireless LAN ID 2 to associate with the user named aire1:


(Cisco Controller) > config netuser wlan-id aire1 2

Configure Network Commands

Use the config network commands to configure network settings.

config network 802.3-bridging

To enable or disable 802.3 bridging on a controller, use the config network 802.3-bridging command.

config network 802.3-bridging { enable | disable}

Syntax Description

enable

Enables the 802.3 bridging.

disable

Disables the 802.3 bridging.

Command Default

By default, 802.3 bridging on the controller is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

In controller software release 5.2, the software-based forwarding architecture for Cisco 2100 Series Controllers is being replaced with a new forwarding plane architecture. As a result, Cisco 2100 Series Controllers and the Cisco wireless LAN controller Network Module for Cisco Integrated Services Routers bridge 802.3 packets by default. Therefore, 802.3 bridging can now be disabled only on Cisco 4400 Series Controllers, the Cisco WiSM, and the Catalyst 3750G Wireless LAN Controller Switch.

To determine the status of 802.3 bridging, enter the show netuser guest-roles command.

Examples

The following example shows how to enable the 802.3 bridging:


(Cisco Controller) > config network 802.3-bridging enable

config network allow-old-bridge-aps

To configure an old bridge access point’s ability to associate with a switch, use the config network allow-old-bridge-aps command.

config network allow-old-bridge-aps { enable | disable}

Syntax Description

enable

Enables the switch association.

disable

Disables the switch association.

Command Default

Switch association is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an old bridge access point to associate with the switch:


(Cisco Controller) > config network allow-old-bridge-aps enable

config network ap-discovery

To enable or disable NAT IP in an AP discovery response, use the config network ap-discovery command.

config network ap-discovery nat-ip-only { enable | disable}

Syntax Description

enable

Enables use of NAT IP only in discovery response.

disable

Enables use of both NAT IP and non-NAT IP in discovery response.

Command Default

The use of NAT IP only in discovery response is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

  • If the config interface nat-address management command is set, this command controls which address(es) are sent in the CAPWAP discovery responses.

  • If all APs are on the outside of the NAT gateway of the controller, enter the config network ap-discovery nat-ip-only enable command, and only the management NAT address is sent.

  • If the controller has both APs on the outside and the inside of its NAT gateway, enter the config network ap-discovery nat-ip-only disable command, and both the management NAT address and the management inside address are sent. Ensure that you have entered the config ap link-latency disable all command to avoid stranding APs.

  • If you disable nat-ip-only, the controller sends all active AP-Manager interfaces with their non-NAT IP in discovery response to APs.

    If you enable nat-ip-only, the controller sends all active AP-Manager interfaces with NAT IP if configured for the interface, else non-NAT IP.

    We recommend that you configure the interface as AP-Manager interface with NAT IP or non-NAT IP keeping these scenarios in mind because the AP chooses the least loaded AP-Manager interface received in the discovery response.

Examples

The following example shows how to enable NAT IP in an AP discovery response:


(Cisco Controller) > config network ap-discovery nat-ip-only enable

config network ap-fallback

To configure Cisco lightweight access point fallback, use the config network ap-fallback command.

config network ap-fallback { enable | disable}

Syntax Description

enable

Enables the Cisco lightweight access point fallback.

disable

Disables the Cisco lightweight access point fallback.

Command Default

The Cisco lightweight access point fallback is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the Cisco lightweight access point fallback:


(Cisco Controller) > config network ap-fallback enable

config network ap-priority

To enable or disable the option to prioritize lightweight access points so that after a controller failure they reauthenticate by priority rather than on a first-come-until-full basis, use the config network ap-priority command.

config network ap-priority { enable | disable}

Syntax Description

enable

Enables the lightweight access point priority reauthentication.

disable

Disables the lightweight access point priority reauthentication.

Command Default

The lightweight access point priority reauthentication is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the lightweight access point priority reauthentication:


(Cisco Controller) > config network ap-priority enable

config network apple-talk

To configure AppleTalk bridging, use the config network apple-talk command.

config network apple-talk { enable | disable}

Syntax Description

enable

Enables the AppleTalk bridging.

disable

Disables the AppleTalk bridging.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure AppleTalk bridging:


(Cisco Controller) > config network apple-talk enable

config network bridging-shared-secret

To configure the bridging shared secret, use the config network bridging-shared-secret command.

config network bridging-shared-secret shared_secret

Syntax Description

shared_secret

Bridging shared secret string. The string can contain up to 10 bytes.

Command Default

The bridging shared secret is enabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command creates a secret that encrypts backhaul user data for the mesh access points that connect to the switch.

The zero-touch configuration must be enabled for this command to work.

Examples

The following example shows how to configure the bridging shared secret string “shhh1”:


(Cisco Controller) > config network bridging-shared-secret shhh1

config network arptimeout

To set the Address Resolution Protocol (ARP) entry timeout value, use the config network arptimeout command.

config network arptimeout seconds

Syntax Description

seconds

Timeout in seconds. The minimum value is 10 seconds. The default value is 300 seconds.

Command Default

The default ARP entry timeout value is 300 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to set the ARP entry timeout value to 240 seconds:


(Cisco Controller) > config network arptimeout 240

config network broadcast

To enable or disable broadcast packet forwarding, use the config network broadcast command.

config network broadcast { enable | disable}

Syntax Description

enable

Enables the broadcast packet forwarding.

disable

Disables the broadcast packet forwarding.

Command Default

The broadcast packet forwarding is disabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command allows you to enable or disable broadcasting. You must enable multicast mode before enabling broadcast forwarding. Use the config network multicast mode command to configure multicast mode on the controller.


Note


The default multicast mode is unicast for all controllers except Cisco 2106 Controllers.

The broadcast packets and multicast packets can be independently controlled. If multicast is off and broadcast is on, broadcast packets still reach the access points, based on the configured multicast mode.


Examples

The following example shows how to enable broadcast packet forwarding:


(Cisco Controller) > config network broadcast enable

config network fast-ssid-change

To enable or disable fast Service Set Identifier (SSID) changing for mobile stations, use the config network fast-ssid-change command.

config network fast-ssid-change { enable | disable}

Syntax Description

enable

Enables the fast SSID changing for mobile stations.

disable

Disables the fast SSID changing for mobile stations.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable the Fast SSID Change feature, the controller allows clients to move between SSIDs. When the client sends a new association for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID.

When you disable the Fast SSID Change feature, the controller enforces a delay before clients are allowed to move to a new SSID.

Examples

The following example shows how to enable the fast SSID changing for mobile stations:


(Cisco Controller) > config network fast-ssid-change enable

config network ip-mac-binding

To validate the source IP address and MAC address binding within client packets, use the config network ip-mac-binding command.

config network ip-mac-binding { enable | disable}

Syntax Description

enable

Enables the validation of the source IP address to MAC address binding in client packets.

disable

Disables the validation of the source IP address to MAC address binding in client packets.

Command Default

The validation of the source IP address to MAC address binding in client packets is enabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

In controller software release 5.2, the controller enforces strict IP address-to-MAC address binding in client packets. The controller checks the IP address and MAC address in a packet, compares them to the addresses that are registered with the controller, and forwards the packet only if they both match. In previous releases, the controller checks only the MAC address of the client and ignores the IP address.


Note


You might want to disable this binding check if you have a routed network behind a workgroup bridge (WGB).


Examples

The following example shows how to validate the source IP and MAC address within client packets:


(Cisco Controller) > config network ip-mac-binding enable
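
The check described in the usage guidelines above, modelled as an added example (not Cisco code). The registration table, packets and the router-behind-a-WGB topology are constructed, and dropping an unregistered MAC in both modes is an assumption of this model. binding_impact lists the source IPs that the MAC-only check forwards but the strict check drops, which is both the spoofed-source case the binding stops and the routed-network case the Note refers to.

```python
from collections import defaultdict

# Constructed registrations: client MAC -> IP address registered with the controller.
REGISTERED = {
    "00:11:22:33:44:55": "10.0.0.21",  # ordinary wireless client
    "00:aa:bb:cc:dd:01": "10.0.0.50",  # router wired behind a WGB (assumed topology)
}

# Constructed packets as (source MAC, source IP).
PACKETS = [
    ("00:11:22:33:44:55", "10.0.0.21"),     # registered pair
    ("00:11:22:33:44:55", "10.0.0.99"),     # registered MAC, different source IP
    ("00:aa:bb:cc:dd:01", "10.0.0.50"),     # the router itself
    ("00:aa:bb:cc:dd:01", "192.168.7.14"),  # host routed through that router
    ("00:aa:bb:cc:dd:01", "192.168.7.15"),  # second routed host
    ("de:ad:be:ef:00:01", "10.0.0.21"),     # MAC not registered at all
]


def forwards(mac, ip, ip_mac_binding=True):
    """Forwarding decision for one packet.

    ip_mac_binding=True  : release 5.2 behaviour, IP and MAC must both match.
    ip_mac_binding=False : earlier behaviour, only the MAC is checked.
    """
    registered_ip = REGISTERED.get(mac.lower())
    if registered_ip is None:
        return False  # assumption: unknown MACs are dropped in both modes
    if not ip_mac_binding:
        return True
    return ip == registered_ip


def binding_impact(packets):
    """Per MAC, the source IPs that pass the MAC-only check but fail the strict one."""
    impact = defaultdict(set)
    for mac, ip in packets:
        if forwards(mac, ip, False) and not forwards(mac, ip, True):
            impact[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in impact.items()}


if __name__ == "__main__":
    for mac, ips in binding_impact(PACKETS).items():
        print(f"{mac}: dropped only when ip-mac-binding is enabled -> {ips}")
```
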

config network master-base

To enable or disable the Cisco wireless LAN controller as an access point default primary, use the config network master-base command.

config network master-base { enable | disable}

Syntax Description

enable

Enables the Cisco wireless LAN controller acting as a Cisco lightweight access point default primary.

disable

Disables the Cisco wireless LAN controller acting as a Cisco lightweight access point default primary.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This setting is only used upon network installation and should be disabled after the initial network configuration. Because the primary Cisco wireless LAN controller is normally not used in a deployed network, the primary Cisco wireless LAN controller setting can be saved from 6.0.199.0 or later releases.

Examples

The following example shows how to enable the Cisco wireless LAN controller as a default primary:


(Cisco Controller) > config network master-base enable

config network mgmt-via-wireless

To enable Cisco wireless LAN controller management from an associated wireless client, use the config network mgmt-via-wireless command.

config network mgmt-via-wireless { enable | disable}

Syntax Description

enable

Enables the switch management from a wireless interface.

disable

Disables the switch management from a wireless interface.

Command Default

The switch management from a wireless interface is disabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This feature allows wireless clients to manage only the Cisco wireless LAN controller associated with the client and the associated Cisco lightweight access point. That is, clients cannot manage another Cisco wireless LAN controller with which they are not associated.

Examples

This example shows how to configure switch management from a wireless interface:


(Cisco Controller) > config network mgmt-via-wireless enable

config network multicast global

To enable or disable multicasting on the controller, use the config network multicast global command.

config network multicast global { enable | disable}

Syntax Description

enable

Enables the multicast global support.

disable

Disables the multicast global support.

Command Default

Multicasting on the controller is disabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The config network broadcast {enable | disable} command allows you to enable or disable broadcasting without enabling or disabling multicasting as well. This command uses the multicast mode configured on the controller (by using the config network multicast mode command) to operate.

Examples

The following example shows how to enable the global multicast support:


(Cisco Controller) > config network multicast global enable

config network multicast igmp query interval

To configure the IGMP query interval, use the config network multicast igmp query interval command.

config network multicast igmp query interval value

Syntax Description

value

Frequency at which controller sends IGMP query messages. The range is from 15 to 2400 seconds.

Command Default

The default IGMP query interval is 20 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To configure IGMP query interval, ensure that you do the following:

  • Enable the global multicast by entering the config network multicast global enable command.

  • Enable IGMP snooping by entering the config network multicast igmp snooping enable command.

Examples

The following example shows how to configure the IGMP query interval at 20 seconds:


(Cisco Controller) > config network multicast igmp query interval 20

config network multicast igmp snooping

To enable or disable IGMP snooping, use the config network multicast igmp snooping command.

config network multicast igmp snooping { enable | disable}

Syntax Description

enable

Enables IGMP snooping.

disable

Disables IGMP snooping.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable IGMP snooping:


(Cisco Controller) > config network multicast igmp snooping enable

config network multicast igmp timeout

To set the IGMP timeout value, use the config network multicast igmp timeout command.

config network multicast igmp timeout value

Syntax Description

value

Timeout range from 30 to 7200 seconds.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can enter a timeout value between 30 and 7200 seconds. The controller sends three queries in one timeout value at an interval of timeout/3 to see if any clients exist for a particular multicast group. If the controller does not receive a response through an IGMP report from the client, the controller times out the client entry from the MGID table. When no clients are left for a particular multicast group, the controller waits for the IGMP timeout value to expire and then deletes the MGID entry from the controller. The controller always generates a general IGMP query (to destination address 224.0.0.1) and sends it on all WLANs with an MGID value of 1.

Examples

The following example shows how to set the IGMP timeout value to 50 seconds:


(Cisco Controller) > config network multicast igmp timeout 50

config network multicast l2mcast

To configure the Layer 2 multicast on an interface or all interfaces, use the config network multicast l2mcast command.

config network multicast l2mcast { enable | disable} { all | interface-name}

Syntax Description

enable

Enables Layer 2 multicast.

disable

Disables Layer 2 multicast.

all

Applies to all interfaces.

interface-name

Interface name for which the Layer 2 multicast is to be enabled or disabled.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable Layer 2 multicast for all interfaces:


(Cisco Controller) > config network multicast l2mcast enable all

config network multicast mld

To configure the Multicast Listener Discovery (MLD) parameters, use the config network multicast mld command.

config network multicast mld { query interval interval-value | snooping { enable | disable} | timeout timeout-value}

Syntax Description

query interval

Configures query interval to send MLD query messages.

interval-value

Query interval in seconds. The range is from 15 to 2400 seconds.

snooping

Configures MLD snooping.

enable

Enables MLD snooping.

disable

Disables MLD snooping.

timeout

Configures MLD timeout.

timeout-value

Timeout value in seconds. The range is from 30 seconds to 7200 seconds.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set a query interval of 20 seconds for MLD query messages:


(Cisco Controller) > config network multicast mld query interval 20

config network multicast mode multicast

To configure the controller to use the multicast method to send broadcast or multicast packets to an access point, use the config network multicast mode multicast command.

config network multicast mode multicast

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the multicast mode to send a single copy of data to multiple receivers:


(Cisco Controller) > config network multicast mode multicast 

config network multicast mode unicast

To configure the controller to use the unicast method to send broadcast or multicast packets to an access point, use the config network multicast mode unicast command.

config network multicast mode unicast

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the controller to use the unicast mode:


(Cisco Controller) > config network multicast mode unicast 

config network oeap-600 dual-rlan-ports

To configure the Ethernet port 3 of Cisco OfficeExtend 600 Series access points to operate as a remote LAN port in addition to port 4, use the config network oeap-600 dual-rlan-ports command.

config network oeap-600 dual-rlan-ports { enable | disable}

Syntax Description

enable

Enables Ethernet port 3 of Cisco OfficeExtend 600 Series access points to operate as a remote LAN port in addition to port 4.

disable

Resets the Ethernet port 3 of Cisco OfficeExtend 600 Series access points to function as a local LAN port.

Command Default

The Ethernet port 3 of the Cisco 600 Series OEAP is reset.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the Ethernet port 3 of Cisco OfficeExtend 600 Series access points to operate as a remote LAN port:


(Cisco Controller) > config network oeap-600 dual-rlan-ports enable

config network oeap-600 local-network

To configure access to the local network for the Cisco 600 Series OfficeExtend access points, use the config network oeap-600 local-network command.

config network oeap-600 local-network { enable | disable}

Syntax Description

enable

Enables access to the local network for the Cisco 600 Series OfficeExtend access points.

disable

Disables access to the local network for the Cisco 600 Series OfficeExtend access points.

Command Default

Access to the local network for the Cisco 600 Series OEAPs is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable access to the local network for the Cisco 600 Series OfficeExtend access points:


(Cisco Controller) > config network oeap-600 local-network enable

config network otap-mode

To enable or disable over-the-air provisioning (OTAP) of Cisco lightweight access points, use the config network otap-mode command.

config network otap-mode { enable | disable}

Syntax Description

enable

Enables the OTAP provisioning.

disable

Disables the OTAP provisioning.

Command Default

The OTAP provisioning is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the OTAP provisioning:


(Cisco Controller) > config network otap-mode disable

config network profiling

To profile the HTTP port for a specific port, use the config network profiling http-port command.

config network profiling http-port port number

Syntax Description

port number

Interface port number. Default value is 80.

Command History

Release Modification
8.2 This command was introduced

Examples

The following example shows how to configure the http port in a network:


(Cisco Controller) > config network profiling http-port 80

config network rf-network-name

To set the RF-Network name, use the config network rf-network-name command.

config network rf-network-name name

Syntax Description

name

RF-Network name. The name can contain up to 19 characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the RF-network name to travelers:


(Cisco Controller) > config network rf-network-name travelers

config network secureweb

To change the state of the secure web (https, that is, http over SSL) interface for management users, use the config network secureweb command.

config network secureweb { enable | disable}

Syntax Description

enable

Enables the secure web interface for management users.

disable

Disables the secure web interface for management users.

Command Default

The secure web interface for management users is enabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command allows management users to access the controller GUI using an http://ip-address. Web mode is not a secure connection.

Examples

The following example shows how to enable the secure web interface settings for management users:


(Cisco Controller) > config network secureweb enable
You must reboot for the change to take effect.

config network secureweb cipher-option

To enable or disable secure web mode with increased security, or to enable or disable Secure Sockets Layer (SSL v2) for web administration and web authentication, use the config network secureweb cipher-option command.

config network secureweb cipher-option { high | sslv2 | rc4-preference} { enable | disable}

Syntax Description

high

Configures whether or not 128-bit ciphers are required for web administration and web authentication.

sslv2

Configures SSLv2 for both web administration and web authentication.

rc4-preference

Configures preference for RC4-SHA (Rivest Cipher 4-Secure Hash Algorithm) cipher suites (over CBC cipher suites) for web authentication and web administration.

enable

Enables the secure web interface.

disable

Disables the secure web interface.

Command Default

The default is disable for secure web mode with increased security and enable for SSL v2.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines


Note


The config network secureweb cipher-option command allows users to access the controller GUI using an http://ip-address but only from browsers that support 128-bit (or larger) ciphers.


When cipher-option sslv2 is disabled, users cannot connect using a browser configured with SSLv2 only. They must use a browser that is configured to use a more secure protocol such as SSLv3 or later.

In RC4-SHA based cipher suites, RC4 is used for encryption and SHA is used for message authentication.

Examples

The following example shows how to enable secure web mode with increased security:


(Cisco Controller) > config network secureweb cipher-option high enable

The following example shows how to disable SSL v2:


(Cisco Controller) > config network secureweb cipher-option sslv2 disable

config network ssh

To allow or disallow new Secure Shell (SSH) sessions, use the config network ssh command.

config network ssh { enable | disable}

Syntax Description

enable

Allows the new SSH sessions.

disable

Disallows the new SSH sessions.

Command Default

The default value for the new SSH session is disable.

Examples

The following example shows how to enable the new SSH session:


(Cisco Controller) > config network ssh enable

config network telnet

To allow or disallow new Telnet sessions, use the config network telnet command.

config network telnet { enable | disable}

Syntax Description

enable

Allows new Telnet sessions.

disable

Disallows new Telnet sessions.

Command Default

By default, the new Telnet session is disallowed and the value is disable.

Usage Guidelines

Telnet is not supported on Cisco Aironet 1830 and 1850 Series Access Points.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the new Telnet sessions:


(Cisco Controller) > config network telnet enable

config network usertimeout

To change the timeout for idle client sessions, use the config network usertimeout command.

config network usertimeout seconds

Syntax Description

seconds

Timeout duration in seconds. The minimum value is 90 seconds. The default value is 300 seconds.

Command Default

The default timeout value for idle client session is 300 seconds.

Usage Guidelines

Use this command to set the idle client session duration on the Cisco wireless LAN controller. The minimum duration is 90 seconds.

Examples

The following example shows how to configure the idle session timeout to 1200 seconds:


(Cisco Controller) > config network usertimeout 1200

config network web-auth captive-bypass

To configure the controller to support bypass of captive portals at the network level, use the config network web-auth captive-bypass command.

config network web-auth captive-bypass { enable | disable}

Syntax Description

enable

Allows the controller to support bypass of captive portals.

disable

Prevents the controller from supporting bypass of captive portals.

Command Default

None

Examples

The following example shows how to configure the controller to support bypass of captive portals:


(Cisco Controller) > config network web-auth captive-bypass enable

config network web-auth cmcc-support

To configure eWalk on the controller, use the config network web-auth cmcc-support command.

config network web-auth cmcc-support { enable | disable}

Syntax Description

enable

Enables eWalk on the controller.

disable

Disables eWalk on the controller.

Command Default

None

Examples

The following example shows how to enable eWalk on the controller:


(Cisco Controller) > config network web-auth cmcc-support enable

config network web-auth port

To configure an additional port to be redirected for web authentication at the network level, use the config network web-auth port command.

config network web-auth port port

Syntax Description

port

Port number. The valid range is from 0 to 65535.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an additional port number 1200 to be redirected for web authentication:


(Cisco Controller) > config network web-auth port 1200

config network web-auth proxy-redirect

To configure proxy redirect support for web authentication clients, use the config network web-auth proxy-redirect command.

config network web-auth proxy-redirect { enable | disable}

Syntax Description

enable

Allows proxy redirect support for web authentication clients.

disable

Disallows proxy redirect support for web authentication clients.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable proxy redirect support for web authentication clients:


(Cisco Controller) > config network web-auth proxy-redirect enable

config network web-auth secureweb

To configure the secure web (https) authentication for clients, use the config network web-auth secureweb command.

config network web-auth secureweb { enable | disable }

Syntax Description

enable

Allows secure web (https) authentication for clients.

disable

Disallows secure web (https) authentication for clients. Enables http web authentication for clients.

Command Default

The default secure web (https) authentication for clients is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you configure the secure web (https) authentication for clients using the config network web-auth secureweb disable command, then you must reboot the controller to implement the change.

Examples

The following example shows how to enable the secure web (https) authentication for clients:

(Cisco Controller) > config network web-auth secureweb enable

config network webmode

To enable or disable the web mode, use the config network webmode command.

config network webmode { enable | disable}

Syntax Description

enable

Enables the web interface.

disable

Disables the web interface.

Command Default

The default value for the web mode is enable.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the web interface mode:


(Cisco Controller) > config network webmode disable

config network web-auth

To configure the network-level web authentication options, use the config network web-auth command.

config network web-auth { port port-number} | { proxy-redirect { enable | disable}}

Syntax Description

port

Configures additional ports for web authentication redirection.

port-number

Port number (between 0 and 65535).

proxy-redirect

Configures proxy redirect support for web authentication clients.

enable

Enables proxy redirect support for web authentication clients.

Note

Web-auth proxy redirection will be enabled for ports 80, 8080, and 3128, along with user-defined port 345.

disable

Disables proxy redirect support for web authentication clients.

Command Default

The default network-level web authentication value is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must reset the system for the configuration to take effect.

Examples

The following example shows how to enable proxy redirect support for web authentication clients:


(Cisco Controller) > config network web-auth proxy-redirect enable
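The web-auth settings documented above can be checked offline against an exported list of commands. The following Python sketch is an added example, not Cisco code: the function audit_web_auth, the finding format, and the sample lines are constructed here, and it assumes that a later command overrides an earlier one and that only one additional port is kept.

```python
import re

# Defaults as stated in this reference: secureweb is enabled by default and
# network-level web-auth (proxy redirect) is disabled by default.
DEFAULTS = {"secureweb": "enable", "proxy-redirect": "disable", "port": None}
PROXY_PORTS = [80, 8080, 3128]  # ports named in the proxy-redirect note

# Accepts a bare command or one pasted together with the controller prompt.
CMD = re.compile(
    r"^(?:\(Cisco Controller\)\s*>\s*)?config network web-auth\s+(\S+)\s+(\S+)\s*$"
)


def audit_web_auth(lines):
    """Replay web-auth commands in order and return (state, findings).

    Each finding is a (line_number, severity, message) tuple; line_number is 0
    for findings about the resulting state rather than about a single line.
    """
    state = dict(DEFAULTS)
    findings = []
    for number, raw in enumerate(lines, start=1):
        match = CMD.match(raw.strip())
        if not match:
            continue  # not a two-argument web-auth command
        option, value = match.groups()
        if option in ("secureweb", "proxy-redirect"):
            if value not in ("enable", "disable"):
                findings.append(
                    (number, "error", f"{option} takes enable or disable, got {value!r}")
                )
                continue
            state[option] = value  # assumption: last command wins
        elif option == "port":
            # Documented range is 0 to 65535.
            if not re.fullmatch(r"[0-9]+", value) or int(value) > 65535:
                findings.append((number, "error", f"port {value!r} is outside 0-65535"))
                continue
            state["port"] = int(value)  # assumption: one additional port is kept
        # other web-auth options (for example cmcc-support) are not audited here

    if state["secureweb"] == "disable":
        findings.append(
            (0, "high",
             "web authentication runs over HTTP, so client logins are sent "
             "unencrypted; the change applies after a controller reboot")
        )
    if state["proxy-redirect"] == "enable":
        ports = list(PROXY_PORTS)
        if state["port"] is not None and state["port"] not in ports:
            ports.append(state["port"])
        findings.append(
            (0, "info", "proxy redirect active for ports " + ", ".join(map(str, ports)))
        )
    return state, findings


# Constructed sample input, not taken from a real controller.
SAMPLE = [
    "(Cisco Controller) > config network web-auth port 1200",
    "(Cisco Controller) > config network web-auth proxy-redirect enable",
    "(Cisco Controller) > config network web-auth secureweb disable",
    "(Cisco Controller) > config network web-auth port 70000",
    "(Cisco Controller) > config network webmode disable",
]

if __name__ == "__main__":
    final_state, results = audit_web_auth(SAMPLE)
    print(final_state)
    for item in results:
        print(item)
```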

config network zero-config

To configure bridge access point ZeroConfig support, use the config network zero-config command.

config network zero-config { enable | disable}

Syntax Description

enable

Enables the bridge access point ZeroConfig support.

disable

Disables the bridge access point ZeroConfig support.

Command Default

The bridge access point ZeroConfig support is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the bridge access point ZeroConfig support:


(Cisco Controller) > config network zero-config enable

Configure Port Commands

Use the config port commands to configure port settings.

config port adminmode

To enable or disable the administrative mode for a specific controller port or for all ports, use the config port adminmode command.

config port adminmode { all | port} { enable | disable}

Syntax Description

all

Configures all ports.

port

Number of the port.

enable

Enables the specified ports.

disable

Disables the specified ports.

Command Default

Enabled

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable port 8:


(Cisco Controller) > config port adminmode 8 disable

The following example shows how to enable all ports:


(Cisco Controller) > config port adminmode all enable

config port autoneg

To configure 10/100BASE-T Ethernet ports for physical port autonegotiation, use the config port autoneg command.

config port autoneg { all | port} { enable | disable}

Syntax Description

all

Configures all ports.

port

Number of the port.

enable

Enables the specified ports.

disable

Disables the specified ports.

Command Default

The default for all ports is that auto-negotiation is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to turn on physical port autonegotiation for all front-panel Ethernet ports:


(Cisco Controller) > config port autoneg all enable

The following example shows how to disable physical port autonegotiation for front-panel Ethernet port 19:


(Cisco Controller) > config port autoneg 19 disable

config port linktrap

To enable or disable the up and down link traps for a specific controller port or for all ports, use the config port linktrap command.

config port linktrap { all | port} { enable | disable}

Syntax Description

all

Configures all ports.

port

Number of the port.

enable

Enables the specified ports.

disable

Disables the specified ports.

Command Default

The default value for down link traps for a specific controller port or for all ports is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable port 8 traps:


(Cisco Controller) > config port linktrap 8 disable

The following example shows how to enable all port traps:


(Cisco Controller) > config port linktrap all enable

config port multicast appliance

To enable or disable the multicast appliance service for a specific controller port or for all ports, use the config port multicast appliance commands.

config port multicast appliance { all | port} { enable | disable}

Syntax Description

all

Configures all ports.

port

Number of the port.

enable

Enables the specified ports.

disable

Disables the specified ports.

Command Default

The default multicast appliance service for a specific controller port or for all ports is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable multicast appliance service on all ports:


(Cisco Controller) > config port multicast appliance all enable

The following example shows how to disable multicast appliance service on port 8:


(Cisco Controller) > config port multicast appliance 8 disable

config port power

To enable or disable Power over Ethernet (PoE) for a specific controller port or for all ports, use the config port power command.

config port power { all | port} { enable | disable}

Syntax Description

all

Configures all ports.

port

Port number.

enable

Enables the specified ports.

disable

Disables the specified ports.

Command Default

Enabled

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable PoE on all ports:


(Cisco Controller) > config port power all enable

The following example shows how to disable PoE on port 8:


(Cisco Controller) > config port power 8 disable

Configure PMIPv6 Commands

Use the config pmipv6 commands to configure PMIPv6 parameters on the Mobile Access Gateway (MAG) module of the controller. To enable the MAG module on the controller and to configure the PMIPv6 commands, you must configure the following prerequisite commands:

  • config pmipv6 domain —Enables MAG functionality on the controller and configures a PMIPv6 domain.
  • config pmipv6 mag lma —Configures a Local Mobility Anchor (LMA) with the MAG.
  • config pmipv6 add profile —Creates a PMIPv6 profile. This command is a prerequisite only when open authentication is used.

config pmipv6 domain

To configure PMIPv6 and to enable Mobile Access Gateway (MAG) functionality on the controller, use the config pmipv6 domain command.

config pmipv6 domain domain_name

Syntax Description

domain_name

Name of the PMIPv6 domain. The domain name can be up to 127 case-sensitive, alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a domain name for a PMIPv6 WLAN:

(Cisco Controller) > config pmipv6 domain floor1

config pmipv6 add profile

To create a Proxy Mobility IPv6 (PMIPv6) profile for the WLAN, use the config pmipv6 add profile command. You can configure PMIPv6 profiles based on a realm or a service set identifier (SSID).

config pmipv6 add profile profile_name nai { user@realm | @realm | *} lma lma_name apn apn_name

Syntax Description

profile_name

Name of the profile. The profile name is case sensitive and can be up to 127 alphanumeric characters.

nai

Specifies the Network Access Identifier of the client.

user@realm

Network Access Identifier of the client in the format user@realm. The NAI name is case sensitive and can be up to 127 alphanumeric characters.

@realm

Network Access Identifier of the client in the format @realm.

*

All Network Access Identifiers. You can have profiles based on an SSID for all users.

lma

Specifies the Local Mobility Anchor (LMA).

lma_name

Name of LMA. The LMA name is case sensitive and can be up to 127 alphanumeric characters.

apn

Specifies the access point.

apn_name

Name of the access point. The access point name is case sensitive and can be up to 127 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command is a prerequisite for using PMIPv6 configuration commands if the controller uses open authentication.

Examples

The following example shows how to create a PMIPv6 profile:

(Cisco Controller) > config pmipv6 add profile profile1 nai @vodfone.com lma vodfonelma apn vodafoneapn

config pmipv6 delete

To delete a Proxy Mobility IPv6 (PMIPv6) profile, domain, or Local Mobility Anchor (LMA), use the config pmipv6 delete command.

config pmipv6 delete { profile profile_name nai { nai_id | all } | domain domain_name | lma lma_name}

Syntax Description

profile

Specifies the PMIPv6 profile.

profile_name

Name of the PMIPv6 profile. The profile name is case sensitive and can be up to 127 alphanumeric characters.

nai

Specifies the Network Access Identifier (NAI) of a mobile client.

nai_id

Network Access Identifier of a mobile client. The NAI is case sensitive and can be up to 127 alphanumeric characters.

all

Specifies all NAIs. When you delete all NAIs, the profile is deleted.

domain

Specifies the PMIPv6 domain.

domain_name

Name of the PMIPv6 domain. The domain name is case sensitive and can be up to 127 alphanumeric characters.

lma

Specifies the LMA.

lma_name

Name of the LMA. The LMA name is case sensitive and can be up to 127 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a domain:

(Cisco Controller) > config pmipv6 delete domain lab1

config pmipv6 mag binding init-retx-time

To configure the initial timeout between the proxy binding updates (PBUs) when the Mobile Access Gateway (MAG) does not receive the proxy binding acknowledgements (PBAs), use the config pmipv6 mag binding init-retx-time command.

config pmipv6 mag binding init-retx-time units

Syntax Description

units

Initial timeout between the PBUs when the MAG does not receive the PBAs. The range is from 100 to 65535 seconds.

Command Default

The default initial timeout is 1000 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the initial timeout between the PBUs when the MAG does not receive the PBAs:

(Cisco Controller) > config pmipv6 mag binding init-retx-time 500

config pmipv6 mag binding lifetime

To configure the lifetime of the binding entries in the Mobile Access Gateway (MAG), use the config pmipv6 mag binding lifetime command.

config pmipv6 mag binding lifetime units

Syntax Description

units

Lifetime of the binding entries in the MAG. The binding lifetime must be a multiple of 4 seconds. The range is from 10 to 65535 seconds.

Command Default

The default lifetime of the binding entries is 65535 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must configure a Proxy Mobility IPv6 (PMIPv6) domain before you configure the lifetime of the binding entries in the controller.

Examples

The following example shows how to configure the lifetime of the binding entries in the controller:


(Cisco Controller) > config pmipv6 mag binding lifetime 5000

config pmipv6 mag binding max-retx-time

To configure the maximum timeout between the proxy binding updates (PBUs) when the Mobile Access Gateway (MAG) does not receive the proxy binding acknowledgments (PBAs), use the config pmipv6 mag binding max-retx-time command.

config pmipv6 mag binding max-retx-time units

Syntax Description

units

Maximum timeout between the PBUs when the MAG does not receive the PBAs. The range is from 100 to 65535 seconds.

Command Default

The default maximum timeout is 32000 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the maximum timeout between the PBUs when the MAG does not receive the PBAs:


(Cisco Controller) > config pmipv6 mag binding max-retx-time 50

config pmipv6 mag binding maximum

To configure the maximum number of binding entries in the Mobile Access Gateway (MAG), use the config pmipv6 mag binding maximum command.

config pmipv6 mag binding maximum units

Syntax Description

units

Maximum number of binding entries in the MAG. This number indicates the maximum number of users connected to the MAG. The range is from 0 to 40000.

Command Default

The default maximum number of binding entries in the MAG is 10000.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must configure a Proxy Mobility IPv6 (PMIPv6) domain before you configure the maximum number of binding entries in the MAG.

Examples

The following example shows how to configure the maximum number of binding entries in the MAG:


(Cisco Controller) > config pmipv6 mag binding maximum 20000

config pmipv6 mag binding refresh-time

To configure the refresh time of the binding entries in the MAG, use the config pmipv6 mag binding refresh-time command.

config pmipv6 mag binding refresh-time units

Syntax Description

units

Refresh time of the binding entries in the MAG. The binding refresh time must be a multiple of 4. The range is from 4 to 65535 seconds.

Command Default

The default refresh time of the binding entries in the MAG is 300 seconds.

Usage Guidelines

You must configure a PMIPv6 domain before you configure the refresh time of the binding entries in the MAG.

Examples

The following example shows how to configure the refresh time of the binding entries in the MAG:

(Cisco Controller) > config pmipv6 mag binding refresh-time 500

config pmipv6 mag bri delay

To configure the maximum or minimum amount of time that the MAG waits before retransmitting a Binding Revocation Indication (BRI) message, use the config pmipv6 mag bri delay command.

config pmipv6 mag bri delay { min | max} time

Syntax Description

min

Specifies the minimum amount of time that the MAG waits before retransmitting a BRI message.

max

Specifies the maximum amount of time that the MAG waits before retransmitting a BRI message.

time

Maximum or minimum amount of time that the controller waits before retransmitting a BRI message. The range is from 500 to 65535 milliseconds.

Command Default

The default value of the maximum amount of time that the MAG waits before retransmitting a BRI message is 2 seconds.

The default value of the minimum amount of time that the MAG waits before retransmitting a BRI message is 1 second.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the minimum amount of time that the MAG waits before retransmitting a BRI message:

(Cisco Controller) > config pmipv6 mag bri delay min 500

config pmipv6 mag bri retries

To configure the maximum number of times that the MAG retransmits the Binding Revocation Indication (BRI) message before receiving the Binding Revocation Acknowledgment (BRA) message, use the config pmipv6 mag bri retries command.

config pmipv6 mag bri retries retries

Syntax Description

retries

Maximum number of times that the MAG retransmits the BRI message before receiving the BRA message. The range is from 1 to 10 retries.

Command Default

The default is 1 retry.

Examples

The following example shows how to configure the maximum number of times that the MAG retries:

(Cisco Controller) > config pmipv6 mag bri retries 5
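The ranges and multiple-of-4 rules given above for the config pmipv6 mag binding and config pmipv6 mag bri commands can be checked before a change is pushed to a controller. This Python check is an added example, not Cisco code: check_mag_command and check_config are hypothetical helper names, and the rule table is copied from the Syntax Description entries in this reference.

```python
import re

# (low, high, multiple_of) per command, copied from the ranges in this reference.
RULES = {
    "binding init-retx-time": (100, 65535, 1),
    "binding lifetime": (10, 65535, 4),
    "binding max-retx-time": (100, 65535, 1),
    "binding maximum": (0, 40000, 1),
    "binding refresh-time": (4, 65535, 4),
    "bri delay min": (500, 65535, 1),
    "bri delay max": (500, 65535, 1),
    "bri retries": (1, 10, 1),
}

# Accepts a bare command or one pasted together with the controller prompt.
MAG = re.compile(
    r"^(?:\(Cisco Controller\)\s*>\s*)?config pmipv6 mag\s+(.+?)\s+(\S+)\s*$"
)


def check_mag_command(line):
    """Return a list of problems for one line, or None if no rule applies to it."""
    match = MAG.match(line.strip())
    if not match:
        return None
    name = " ".join(match.group(1).split())
    if name not in RULES:
        return None  # for example 'config pmipv6 mag lma ...'
    low, high, step = RULES[name]
    value = match.group(2)
    if not re.fullmatch(r"[0-9]+", value):
        return [f"{name}: {value!r} is not an unsigned integer"]
    number = int(value)
    problems = []
    if not low <= number <= high:
        problems.append(f"{name}: {number} is outside {low}-{high}")
    if number % step:
        problems.append(f"{name}: {number} is not a multiple of {step}")
    return problems


def check_config(lines):
    """Map 1-based line number to problems for every line that breaks a rule."""
    report = {}
    for number, line in enumerate(lines, start=1):
        problems = check_mag_command(line)
        if problems:
            report[number] = problems
    return report


# The example commands printed in this reference.
PAGE_EXAMPLES = [
    "(Cisco Controller) >config pmipv6 mag binding init-retx-time 500",
    "(Cisco Controller) >config pmipv6 mag binding lifetime 5000",
    "(Cisco Controller) >config pmipv6 mag binding max-retx-time 50",
    "(Cisco Controller) >config pmipv6 mag binding maximum 20000",
    "(Cisco Controller) >config pmipv6 mag binding refresh-time 500",
    "(Cisco Controller) >config pmipv6 mag bri delay min 500",
    "(Cisco Controller) >config pmipv6 mag bri retries 5",
]

# Constructed inputs that break the documented rules.
CONSTRUCTED = [
    "config pmipv6 mag binding lifetime 5002",   # in range, not a multiple of 4
    "config pmipv6 mag binding refresh-time 2",  # below range and not a multiple of 4
    "config pmipv6 mag bri retries 11",          # above range
]

if __name__ == "__main__":
    print(check_config(PAGE_EXAMPLES))
    print(check_config(CONSTRUCTED))
```

Run over the example commands printed above, the check flags only the max-retx-time example, whose value of 50 is below the documented minimum of 100.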

config pmipv6 mag lma

To configure a local mobility anchor (LMA) with the mobile access gateway (MAG), use the config pmipv6 mag lma command.

config pmipv6 mag lma lma_name ipv4-address address

Syntax Description

lma_name

Name of the LMA. The LMA name can be a NAI or a string that uniquely identifies the LMA.

ipv4-address

Specifies the IP address of the LMA.

address

IP address of the LMA.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command is a prerequisite to configure PMIPv6 parameters on the MAG.

Examples

The following example shows how to configure an LMA with the MAG:

(Cisco Controller) > config pmipv6 mag lma vodafonelma ipv4-address 209.165.200.254

config pmipv6 mag replay-protection

To configure the maximum amount of time difference between the timestamp in the received proxy binding acknowledgment (PBA) and the current time of the day for replay protection, use the config pmipv6 mag replay-protection command.

config pmipv6 mag replay-protection { timestamp window time | sequence-no sequence | mobile-node-timestamp mobile_node_timestamp }

Syntax Description

timestamp

Specifies the time stamp of the PBA message.

window

Specifies the maximum time difference between the time stamp in the received PBA message and the current time of day.

time

Maximum time difference between the time stamp in the received PBA message and the current time of day. The range is from 1 to 300 milliseconds.

sequence-no

(Optional) Specifies the sequence number in a Proxy Binding Update message.

sequence

(Optional) Sequence number in the Proxy Binding Update message.

mobile-node-timestamp

(Optional) Specifies the time stamp of the mobile node.

mobile_node_timestamp

(Optional) Time stamp of the mobile node.

Command Default

The default maximum time difference is 300 milliseconds.

Usage Guidelines

Only the timestamp option is supported.

Examples

The following example shows how to configure the maximum amount of time difference in milliseconds between the time stamp in the received PBA message and the current time of day:

(Cisco Controller) > config pmipv6 mag replay-protection timestamp window 200
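The window set by config pmipv6 mag replay-protection timestamp window bounds how far a PBA timestamp may differ from the receiver's clock. This Python illustration is an added example, not the controller's implementation: it assumes the 64-bit Timestamp option layout of RFC 5213 (48 bits of seconds since 1970 followed by 16 bits of 1/65536-second fractions), and the function names and sample values are constructed.

```python
import struct

WINDOW_RANGE_MS = (1, 300)  # range this reference gives for "timestamp window"


def encode_timestamp(ms):
    """Build the 8-byte Timestamp field (assumed RFC 5213 layout) from Unix ms."""
    seconds, rem = divmod(ms, 1000)
    fraction = -(-rem * 65536 // 1000)  # round up so decoding returns the same ms
    return struct.pack("!Q", (seconds << 16) | fraction)


def decode_timestamp(field):
    """Return the milliseconds since the Unix epoch carried in the field."""
    if len(field) != 8:
        raise ValueError("Timestamp field must be exactly 8 bytes")
    (raw,) = struct.unpack("!Q", field)
    seconds, fraction = raw >> 16, raw & 0xFFFF
    return seconds * 1000 + fraction * 1000 // 65536


def accept_pba(timestamp_field, now_ms, window_ms=300):
    """True when the PBA timestamp is within window_ms of the receiver clock.

    The default of 300 ms is the command default stated in this reference.
    """
    low, high = WINDOW_RANGE_MS
    if not low <= window_ms <= high:
        raise ValueError(f"window must be {low}-{high} ms, got {window_ms}")
    return abs(now_ms - decode_timestamp(timestamp_field)) <= window_ms


def scenarios():
    """Constructed cases: a fresh PBA, a replayed PBA, and a skewed but genuine LMA."""
    now = 1_700_000_000_000                 # receiver clock, Unix ms
    fresh = encode_timestamp(now - 40)      # stamped 40 ms before arrival
    skewed = encode_timestamp(now + 250)    # sender clock runs 250 ms ahead
    return {
        "fresh_200": accept_pba(fresh, now, 200),
        # Same bytes presented again five seconds later fall outside the window.
        "replayed_200": accept_pba(fresh, now + 5_000, 200),
        # A genuine message is also dropped when clock skew exceeds the window.
        "skewed_200": accept_pba(skewed, now, 200),
        "skewed_300": accept_pba(skewed, now, 300),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(name, "accepted" if accepted else "rejected")
```

The skewed cases show why a narrow window depends on the controller and the LMA keeping their clocks synchronized.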

Configure QoS Commands

Use the config qos commands to configure Quality of Service (QoS) settings.

config qos average-realtime-rate

To define the average real-time data rate in Kbps for UDP traffic per user or per service set identifier (SSID), use the config qos average-realtime-rate command.

config qos average-realtime-rate { bronze | silver | gold | platinum} { per-ssid | per-client} { downstream | upstream} rate

Syntax Description

bronze

Specifies the average real-time data rate for the queue bronze.

silver

Specifies the average real-time data rate for the queue silver.

gold

Specifies the average real-time data rate for the queue gold.

platinum

Specifies the average real-time data rate for the queue platinum.

per-ssid

Configures the rate limit for an SSID per radio. The combined traffic of all clients will not exceed this limit.

per-client

Configures the rate limit for each client associated with the SSID.

downstream

Configures the rate limit for downstream traffic.

upstream

Configures the rate limit for upstream traffic.

rate

Average real-time data rate for UDP traffic per user. A value between 0 and 512,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the average real-time actual rate for queue gold:


(Cisco Controller) > config qos average-realtime-rate gold per-ssid downstream 10

config qos average-data-rate

To define the average data rate in Kbps for TCP traffic per user or per service set identifier (SSID), use the config qos average-data-rate command.

config qos average-data-rate { bronze | silver | gold | platinum} { per-ssid | per-client} { downstream | upstream} rate

Syntax Description

bronze

Specifies the average data rate for the queue bronze.

silver

Specifies the average data rate for the queue silver.

gold

Specifies the average data rate for the queue gold.

platinum

Specifies the average data rate for the queue platinum.

per-ssid

Configures the rate limit for an SSID per radio. The combined traffic of all clients will not exceed this limit.

per-client

Configures the rate limit for each client associated with the SSID.

downstream

Configures the rate limit for downstream traffic.

upstream

Configures the rate limit for upstream traffic.

rate

Average data rate for TCP traffic per user. A value between 0 and 512,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the average data rate 0 Kbps for the queue gold per SSID:


(Cisco Controller) > config qos average-data-rate gold per-ssid downstream 0

config qos burst-data-rate

To define the peak data rate in Kbps for TCP traffic per user or per service set identifier (SSID), use the config qos burst-data-rate command.

config qos burst-data-rate { bronze | silver | gold | platinum} { per-ssid | per-client} { downstream | upstream} rate

Syntax Description

bronze

Specifies the peak data rate for the queue bronze.

silver

Specifies the peak data rate for the queue silver.

gold

Specifies the peak data rate for the queue gold.

platinum

Specifies the peak data rate for the queue platinum.

per-ssid

Configures the rate limit for an SSID per radio. The combined traffic of all clients will not exceed this limit.

per-client

Configures the rate limit for each client associated with the SSID.

downstream

Configures the rate limit for downstream traffic.

upstream

Configures the rate limit for upstream traffic.

rate

Peak data rate for TCP traffic per user. A value between 0 and 512,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the peak rate 30000 Kbps for the queue gold:


(Cisco Controller) > config qos burst-data-rate gold per-ssid downstream 30000

config qos burst-realtime-rate

To define the burst real-time data rate in Kbps for UDP traffic per user or per service set identifier (SSID), use the config qos burst-realtime-rate command.

config qos burst-realtime-rate { bronze | silver | gold | platinum} { per-ssid | per-client } { downstream | upstream } rate

Syntax Description

bronze

Specifies the burst real-time data rate for the queue bronze.

silver

Specifies the burst real-time data rate for the queue silver.

gold

Specifies the burst real-time data rate for the queue gold.

platinum

Specifies the burst real-time data rate for the queue platinum.

per-ssid

Configures the rate limit for an SSID per radio. The combined traffic of all clients will not exceed this limit.

per-client

Configures the rate limit for each client associated with the SSID.

downstream

Configures the rate limit for downstream traffic.

upstream

Configures the rate limit for upstream traffic.

rate

Burst real-time data rate for UDP traffic per user. A value between 0 and 512,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the burst real-time actual rate 2000 Kbps for the queue gold:


(Cisco Controller) > config qos burst-realtime-rate gold per-ssid downstream 2000

config qos description

To change the profile description, use the config qos description command.

config qos description { bronze | silver | gold | platinum} description

Syntax Description

bronze

Specifies the QoS profile description for the queue bronze.

silver

Specifies the QoS profile description for the queue silver.

gold

Specifies the QoS profile description for the queue gold.

platinum

Specifies the QoS profile description for the queue platinum.

description

QoS profile description.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the QoS profile description “description” for the queue gold:


(Cisco Controller) > config qos description gold abc

config qos max-rf-usage

To specify the maximum percentage of RF usage per access point, use the config qos max-rf-usage command.

config qos max-rf-usage { bronze | silver | gold | platinum} usage_percentage

Syntax Description

bronze

Specifies the maximum percentage of RF usage for the queue bronze.

silver

Specifies the maximum percentage of RF usage for the queue silver.

gold

Specifies the maximum percentage of RF usage for the queue gold.

platinum

Specifies the maximum percentage of RF usage for the queue platinum.

usage_percentage

Maximum percentage of RF usage.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the maximum percentage of RF usage for the queue gold:


(Cisco Controller) > config qos max-rf-usage gold 20

config qos dot1p-tag

To define the maximum value (0 to 7) for the priority tag associated with packets that fall within the profile, use the config qos dot1p-tag command.

config qos dot1p-tag { bronze | silver | gold | platinum} dot1p_tag

Syntax Description

bronze

Specifies the QoS 802.1p tag for the queue bronze.

silver

Specifies the QoS 802.1p tag for the queue silver.

gold

Specifies the QoS 802.1p tag for the queue gold.

platinum

Specifies the QoS 802.1p tag for the queue platinum.

dot1p_tag

Dot1p tag value between 1 and 7.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a QoS 802.1p tag for the queue gold with the dot1p tag value of 5:


(Cisco Controller) > config qos dot1p-tag gold 5

config qos priority

To define the maximum and default QoS levels for unicast and multicast traffic when you assign a QoS profile to a WLAN, use the config qos priority command.

config qos priority { bronze | silver | gold | platinum} maximum-priority default-unicast-priority default-multicast-priority

Syntax Description

bronze

Specifies a Bronze profile of the WLAN.

silver

Specifies a Silver profile of the WLAN.

gold

Specifies a Gold profile of the WLAN.

platinum

Specifies a Platinum profile of the WLAN.

maximum-priority

Maximum QoS priority as one of the following:

  • besteffort

  • background

  • video

  • voice

default-unicast-priority

Default unicast priority as one of the following:

  • besteffort

  • background

  • video

  • voice

default-multicast-priority

Default multicast priority as one of the following:

  • besteffort

  • background

  • video

  • voice

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The maximum priority level should not be lower than the default unicast and multicast priority levels.

Examples

The following example shows how to configure the QoS priority for a gold profile of the WLAN with voice as the maximum priority, video as the default unicast priority, and besteffort as the default multicast priority.


(Cisco Controller) > config qos priority gold voice video besteffort

config qos protocol-type

To define the maximum value (0 to 7) for the priority tag associated with packets that fall within the profile, use the config qos protocol-type command.

config qos protocol-type { bronze | silver | gold | platinum} { none | dot1p}

Syntax Description

bronze

Specifies the QoS 802.1p tag for the queue bronze.

silver

Specifies the QoS 802.1p tag for the queue silver.

gold

Specifies the QoS 802.1p tag for the queue gold.

platinum

Specifies the QoS 802.1p tag for the queue platinum.

none

Specifies when no specific protocol is assigned.

dot1p

Specifies when dot1p type protocol is assigned.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the QoS protocol type silver:


(Cisco Controller) > config qos protocol-type silver dot1p

config qos queue_length

To specify the maximum number of packets that access points keep in their queues, use the config qos queue_length command.

config qos queue_length { bronze | silver | gold | platinum} queue_length

Syntax Description

bronze

Specifies the QoS length for the queue bronze.

silver

Specifies the QoS length for the queue silver.

gold

Specifies the QoS length for the queue gold.

platinum

Specifies the QoS length for the queue platinum.

queue_length

Maximum queue length values (10 to 255).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the QoS length for the queue “gold” with the maximum queue length value as 12:


(Cisco Controller) > config qos queue_length gold 12

Configure RADIUS Account Commands

Use the config radius acct commands to configure RADIUS account server settings.

config radius acct

To configure settings for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct command.

config radius acct { { add index IP addr port { ascii | hex} secret} | delete index | disable index | enable index | disable index | enable index | { mac-delimiter { colon | hyphen | none | single-hyphen} } | { network index { disable | enable} } | { region { group | none | provincial} } | retransmit-timeout index seconds | realm { add | delete} index realm-string}

Syntax Description

add

Adds a RADIUS accounting server (IPv4 or IPv6).

index

RADIUS server index (1 to 17).

IP addr

RADIUS server IP address (IPv4 or IPv6).

port

RADIUS server’s UDP port number for the interface protocols.

ascii

Specifies the RADIUS server’s secret type: ascii.

hex

Specifies the RADIUS server’s secret type: hex.

secret

RADIUS server’s secret.

enable

Enables a RADIUS accounting server.

disable

Disables a RADIUS accounting server.

delete

Deletes a RADIUS accounting server.

disable

Disables IPSec support for an accounting server.

enable

Enables IPSec support for an accounting server.

mac-delimiter

Configures MAC delimiter for caller station ID and calling station ID.

colon

Sets the delimiter to colon (For example: xx:xx:xx:xx:xx:xx).

hyphen

Sets the delimiter to hyphen (For example: xx-xx-xx-xx-xx-xx).

none

Disables delimiters (For example: xxxxxxxxxxxx).

single-hyphen

Sets the delimiters to single hyphen (For example: xxxxxx-xxxxxx).

network

Configures a default RADIUS server for network users.

group

Specifies RADIUS server type group.

none

Specifies RADIUS server type none.

provincial

Specifies RADIUS server type provincial.

retransmit-timeout

Changes the default retransmit timeout for the server.

seconds

The number of seconds between retransmissions.

realm

Specifies radius acct realm.

add

Adds radius acct realm.

delete

Deletes radius acct realm.

Command Default

When adding a RADIUS server, the port number defaults to 1813 and the state is enabled.

Usage Guidelines

IPSec is not supported for IPv6.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure a priority 1 RADIUS accounting server at 10.10.10.10 using port 1813 with a login password of admin:


(Cisco Controller) > config radius acct add 1 10.10.10.10 1813 ascii admin

The following example shows how to configure a priority 1 RADIUS accounting server at 2001:9:6:40::623 using port 1813 with a login password of admin:


(Cisco Controller) > config radius acct add 1 2001:9:6:40::623 1813 ascii admin

config radius acct ipsec authentication

To configure IPsec authentication for the Cisco wireless LAN controller, use the config radius acct ipsec authentication command.

config radius acct ipsec authentication { hmac-md5 | hmac-sha1} index

Syntax Description

hmac-md5

Enables IPsec HMAC-MD5 authentication.

hmac-sha1

Enables IPsec HMAC-SHA1 authentication.

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IPsec hmac-md5 authentication service on the RADIUS accounting server index 1:


(Cisco Controller) > config radius acct ipsec authentication hmac-md5 1

config radius acct ipsec enable

To enable IPsec support for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec enable command.

config radius acct ipsec enable index

Syntax Description

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the IPsec support for RADIUS accounting server index 1:


(Cisco Controller) > config radius acct ipsec enable 1

config radius acct ipsec disable

To disable IPsec support for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec disable command.

config radius acct ipsec disable index

Syntax Description

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the IPsec support for RADIUS accounting server index 1:


(Cisco Controller) > config radius acct ipsec disable 1

config radius acct ipsec encryption

To configure IPsec encryption for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec encryption command.

config radius acct ipsec encryption { 3des | aes | des} index

Syntax Description

256-aes

Enables IPSec AES-256 encryption.

3des

Enables IPsec 3DES encryption.

aes

Enables IPsec AES encryption.

des

Enables IPsec DES encryption.

index

RADIUS server index value between 1 and 17.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IPsec 3DES encryption for RADIUS server index value 3:


(Cisco Controller) > config radius acct ipsec encryption 3des 3

config radius acct ipsec ike

To configure Internet Key Exchange (IKE) for the controller, use the config radius acct ipsec ike command.

config radius acct ipsec ike { dh-group { group-1 | group-2 | group-5 | group-14} | lifetime seconds | phase1 { aggressive | main}} index

Syntax Description

dh-group

Specifies the Diffie-Hellman (DH) group.

group-1

Configures the DH Group 1 (768 bits).

group-2

Configures the DH Group 2 (1024 bits).

group-5

Configures the DH Group 5 (1024 bits).

group-14

Configures the DH Group 14 (2048 bits).

lifetime

Configures the IKE lifetime.

seconds

IKE lifetime in seconds.

phase1

Configures the IKE phase1 mode.

aggressive

Enables the aggressive mode.

main

Enables the main mode.

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an IKE lifetime of 23 seconds for RADIUS server index 1:


(Cisco Controller) > config radius acct ipsec ike lifetime 23 1

config radius acct mac-delimiter

To specify the delimiter to be used in the MAC addresses that are sent to the RADIUS accounting server, use the config radius acct mac-delimiter command.

config radius acct mac-delimiter { colon | hyphen | single-hyphen | none}

Syntax Description

colon

Sets the delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).

hyphen

Sets the delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).

single-hyphen

Sets the delimiter to a single hyphen (for example, xxxxxx-xxxxxx).

none

Disables the delimiter (for example, xxxxxxxxxxxx).

Command Default

The default delimiter is a hyphen.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the delimiter hyphen to be used in the MAC addresses that are sent to the RADIUS accounting server for the network users:


(Cisco Controller) > config radius acct mac-delimiter hyphen

config radius acct network

To configure a default RADIUS server for network users, use the config radius acct network command.

config radius acct network index { enable | disable}

Syntax Description

index

RADIUS server index.

enable

Enables the server as a network user’s default RADIUS server.

disable

Disables the server as a network user’s default RADIUS server.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default RADIUS accounting server for the network users with RADIUS server index 1:


(Cisco Controller) > config radius acct network 1 enable

config radius acct retransmit-timeout

To change the default retransmission timeout for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct retransmit-timeout command.

config radius acct retransmit-timeout index timeout

Syntax Description

index

RADIUS server index.

timeout

Number of seconds (from 2 to 30) between retransmissions.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a retransmission timeout of 5 seconds:


(Cisco Controller) > config radius acct retransmit-timeout 5

Configure RADIUS Authentication Server Commands

Use the config radius auth commands to configure RADIUS authentication server settings.

config radius auth

To configure settings for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth command.

config radius auth { add index IP addr port ascii/hex secret} | delete index | disable index | enable index | framed-mtu mtu | { ipsec { authentication { hmac-md5 index | hmac-sha1 index } | disable index | enable index | encryption { 256-aes | 3des | aes | des} index | ike { auth-mode { pre-shared-key index ascii/hex shared_secret | certificate index } | dh-group { 2048bit-group-14 | group-1 | group-2 | group-5} index | lifetime seconds index | phase1 { aggressive | main} index } } } | { { keywrap { add ascii/hex kek mack index } | delete index | disable | enable} } | { mac-delimiter { colon | hyphen | none | single-hyphen} } | { { management index { enable | disable} } | { mgmt-retransmit-timeout index Retransmit Timeout } | { network index { enable | disable} } | { realm { add | delete} radius-index realm-string} } | { region { group | none | provincial} } | { retransmit-timeout index Retransmit Timeout} | { rfc3576 { enable | disable} index }

Syntax Description

enable

Enables a RADIUS authentication server.

disable

Disables a RADIUS authentication server.

delete

Deletes a RADIUS authentication server.

index

RADIUS server index. The controller begins the search with 1. The server index range is from 1 to 17.

add

Adds a RADIUS authentication server. See the “Defaults” section.

IP addr

IP address (IPv4 or IPv6) of the RADIUS server.

port

RADIUS server’s UDP port number for the interface protocols.

ascii/hex

Specifies RADIUS server’s secret type: ascii or hex.

secret

RADIUS server’s secret.

callStationIdType

Configures Called Station Id information sent in RADIUS authentication messages.

framed-mtu

Configures the Framed-MTU for all the RADIUS servers. The framed-mtu range is from 64 to 1300 bytes.

ipsec

Enables or disables IPSEC support for an authentication server.

Note: IPSec is not supported for IPv6.

keywrap

Configures RADIUS keywrap.

ascii/hex

Specifies the input format of the keywrap keys.

kek

Enters the 16-byte key-encryption-key.

mack

Enters the 20-byte message-authenticator-code-key.

mac-delimiter

Configures MAC delimiter for caller station ID and calling station ID.

management

Configures a RADIUS Server for management users.

mgmt-retransmit-timeout

Changes the default management login retransmission timeout for the server.

network

Configures a default RADIUS server for network users.

realm

Configures radius auth realm.

region

Configures RADIUS region property.

retransmit-timeout

Changes the default network login retransmission timeout for the server.

rfc3576

Enables or disables RFC-3576 support for an authentication server.

Command Default

When adding a RADIUS server, the port number defaults to 1812 and the state is enabled.

Usage Guidelines

IPSec is not supported for IPv6.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure a priority 3 RADIUS authentication server at 10.10.10.10 using port 1812 with a login password of admin:


(Cisco Controller) > config radius auth add 3 10.10.10.10 1812 ascii admin

The following example shows how to configure a priority 3 RADIUS authentication server at 2001:9:6:40::623 using port 1812 with a login password of admin:


(Cisco Controller) > config radius auth add 3 2001:9:6:40::623 1812 ascii admin

config radius auth callStationIdType

To configure the Called Station ID information sent in RADIUS authentication messages, use the config radius auth callStationIdType command.

config radius auth callStationIdType { ap-ethmac-only | ap-ethmac-ssid | ap-group-name | ap-label-address | ap-label-address-ssid | ap-location | ap-mac-ssid-ap-group | ap-macaddr-only | ap-macaddr-ssid | ap-name | ap-name-ssid | flex-group-name | ipaddr | macaddr | vlan-id}

Syntax Description

ipaddr

Configures the Call Station ID type to use the IP address (only Layer 3).

macaddr

Configures the Call Station ID type to use the system’s MAC address (Layers 2 and 3).

ap-macaddr-only

Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3).

ap-macaddr-ssid

Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3) in the format AP MAC address:SSID.

ap-ethmac-only

Configures the Called Station ID type to use the access point’s Ethernet MAC address.

ap-ethmac-ssid

Configures the Called Station ID type to use the access point’s Ethernet MAC address in the format AP Ethernet MAC address:SSID.

ap-group-name

Configures the Call Station ID type to use the AP group name. If the AP is not part of any AP group, default-group is taken as the AP group name.

flex-group-name

Configures the Call Station ID type to use the FlexConnect group name. If the FlexConnect AP is not part of any FlexConnect group, the system MAC address is taken as the Call Station ID.

ap-name

Configures the Call Station ID type to use the access point’s name.

ap-name-ssid

Configures the Call Station ID type to use the access point’s name in the format AP name:SSID.

ap-location

Configures the Call Station ID type to use the access point’s location.

ap-mac-ssid-ap-group

Sets Called Station ID type to the format <AP MAC address>:<SSID>:<AP Group>.

vlan-id

Configures the Call Station ID type to use the system’s VLAN-ID.

ap-label-address

Configures the Call Station ID type to the AP MAC address that is printed on the AP label, for the accounting messages.

ap-label-address-ssid

Configures the Call Station ID type to the AP MAC address:SSID format.

Command Default

The MAC address of the system.

Usage Guidelines

The controller sends the Called Station ID attribute to the RADIUS server in all authentication and accounting packets. The Called Station ID attribute can be used to classify users to different groups based on the attribute value. The command is applicable only for the Called Station and not for the Calling Station.

You cannot send only the SSID as the Called-Station-ID; you can only combine the SSID with either the access point MAC address or the access point name.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
7.6 The ap-ethmac-only and ap-ethmac-ssid keywords were added to support the access point’s Ethernet MAC address. The ap-label-address and ap-label-address-ssid keywords were added.
8.0 This command supports both IPv4 and IPv6 address formats.
8.3 The ap-mac-ssid-ap-group keyword was added.

Examples

The following example shows how to configure the call station ID type to use the IP address:


(Cisco Controller) > config radius auth callStationIdType ipAddr

The following example shows how to configure the call station ID type to use the system’s MAC address:


(Cisco Controller) > config radius auth callStationIdType macAddr 

The following example shows how to configure the call station ID type to use the access point’s MAC address:


(Cisco Controller) > config radius auth callStationIdType ap-macAddr 

config radius auth IPsec authentication

To configure IPsec support for an authentication server for the Cisco wireless LAN controller, use the config radius auth IPsec authentication command.

config radius auth IPsec authentication { hmac-md5 | hmac-sha1} index

Syntax Description

hmac-md5

Enables IPsec HMAC-MD5 authentication.

hmac-sha1

Enables IPsec HMAC-SHA1 authentication.

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IPsec hmac-md5 support for RADIUS authentication server index 1:


(Cisco Controller) > config radius auth IPsec authentication hmac-md5 1

config radius auth ipsec disable

To enable or disable IPsec support for an authentication server for the Cisco wireless LAN controller, use the config radius auth ipsec enable or config radius auth ipsec disable command.

config radius auth ipsec { enable | disable} index

Syntax Description

enable

Enables the IPsec support for an authentication server.

disable

Disables the IPsec support for an authentication server.

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to enable the IPsec support for RADIUS authentication server index 1:


(Cisco Controller) > config radius auth ipsec enable 1

This example shows how to disable the IPsec support for RADIUS authentication server index 1:


(Cisco Controller) > config radius auth ipsec disable 1

config radius auth ipsec encryption

To configure IPsec encryption support for an authentication server for the Cisco wireless LAN controller, use the config radius auth ipsec encryption command.

config radius auth IPsec encryption { 256-aes | 3des | aes | des} index

Syntax Description

256-aes

Enables the IPsec 256 AES encryption.

3des

Enables the IPsec 3DES encryption.

aes

Enables the IPsec AES encryption.

des

Enables the IPsec DES encryption.

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 The keyword 256-aes was added.

Examples

The following example shows how to configure IPsec 3DES encryption for RADIUS authentication server index 3:


(Cisco Controller) > config radius auth ipsec encryption 3des 3

config radius auth ipsec ike

To configure Internet Key Exchange (IKE) for the Cisco wireless LAN controller, use the config radius auth IPsec ike command.

config radius auth ipsec ike { auth-mode { pre-shared-key index { ascii | hex} shared-secret | certificate index } | dh-group { 2048bit-group-14 | group-1 | group-2 | group-5} | lifetime seconds | phase1 { aggressive | main}} index

Syntax Description

auth-mode

Configures the IKE authentication method.

pre-shared-key

Configures the preshared key for IKE authentication method.

index

RADIUS server index between 1 and 17.

ascii

Configures RADIUS IPsec IKE secret in an ASCII format.

hex

Configures RADIUS IPsec IKE secret in a hexadecimal format.

shared-secret

Configures the shared RADIUS IPsec secret.

certificate

Configures the certificate for IKE authentication.

dh-group

Configures the IKE Diffie-Hellman group.

2048bit-group-14

Configures the DH Group 14 (2048 bits).

group-1

Configures the DH Group 1 (768 bits).

group-2

Configures the DH Group 2 (1024 bits).

group-5

Configures the DH Group 5 (1024 bits).

lifetime

Configures the IKE lifetime.

seconds

IKE lifetime in seconds. The range is from 1800 to 57600 seconds.

phase1

Configures the IKE phase1 mode.

aggressive

Enables the aggressive mode.

main

Enables the main mode.

index

RADIUS server index.

Command Default

By default, preshared key is used for IPsec sessions and IKE lifetime is 28800 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an IKE lifetime of 23 seconds for RADIUS authentication server index 1:


(Cisco Controller) > config radius auth ipsec ike lifetime 23 1

config radius auth keywrap

To enable and configure Advanced Encryption Standard (AES) key wrap, which makes the shared secret between the controller and the RADIUS server more secure, use the config radius auth keywrap command.

config radius auth keywrap { enable | disable | add { ascii | hex} kek mack | delete} index

Syntax Description

enable

Enables AES key wrap.

disable

Disables AES key wrap.

add

Configures AES key wrap attributes.

ascii

Configures key wrap in an ASCII format.

hex

Configures key wrap in a hexadecimal format.

kek

16-byte Key Encryption Key (KEK).

mack

20-byte Message Authentication Code Key (MACK).

delete

Deletes AES key wrap attributes.

index

Index of the RADIUS authentication server on which to configure the AES key wrap.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the AES key wrap for a RADIUS authentication server:


(Cisco Controller) > config radius auth keywrap enable
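
The IPsec, IKE and key wrap options documented above differ widely in strength, so a saved command list is worth reviewing before it is applied. The following check is an added example, not Cisco code: it flags the weaker documented choices, an IKE lifetime outside the documented range, and key wrap keys of the wrong size. The function names and the MIN_SECRET_BYTES policy value are assumptions, and the sample lines are constructed from the syntax in this reference.

```python
import re

PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")
WEAK_INTEGRITY = {"hmac-md5"}
WEAK_CIPHERS = {"des", "3des"}
STRONG_DH = {"group-14", "2048bit-group-14"}  # both spellings appear in this reference
IKE_LIFETIME_RANGE = (1800, 57600)  # stated for config radius auth; assumed for acct
KEK_BYTES, MACK_BYTES = 16, 20      # key wrap key sizes stated in this reference
MIN_SECRET_BYTES = 16               # assumption: local policy, not a controller limit


def value_bytes(fmt, value):
    """Length in bytes of a key or secret entered in ascii or hex format."""
    return len(value) // 2 if fmt == "hex" else len(value)


def audit_ike(args):
    """Findings for the tokens that follow 'ipsec ike'."""
    if len(args) < 3:
        return []
    opt, value = args[0], args[1]
    if opt == "dh-group" and value not in STRONG_DH:
        return ["IKE DH %s is weaker than 2048-bit group 14" % value]
    if opt == "phase1" and value == "aggressive":
        return ["IKE aggressive mode does not protect peer identities; use main"]
    if opt == "lifetime" and value.isdigit():
        low, high = IKE_LIFETIME_RANGE
        if not low <= int(value) <= high:
            return ["IKE lifetime %s s is outside %d-%d s" % (value, low, high)]
    if args[:2] == ["auth-mode", "pre-shared-key"] and len(args) >= 5:
        if value_bytes(args[3], args[4]) < MIN_SECRET_BYTES:
            return ["IKE pre-shared key shorter than %d bytes" % MIN_SECRET_BYTES]
    return []


def audit_line(line):
    """Return [(auth|acct, server_index, finding), ...] for one CLI line."""
    low = PROMPT.sub("", line.strip()).lower().split()
    if len(low) < 5 or low[:2] != ["config", "radius"] or low[2] not in ("auth", "acct"):
        return []
    kind, verb, args = low[2], low[3], low[4:]
    index, notes = args[-1], []
    if verb == "add" and len(args) == 5:
        index = args[0]
        if value_bytes(args[3], args[4]) < MIN_SECRET_BYTES:
            notes.append("shared secret shorter than %d bytes" % MIN_SECRET_BYTES)
    elif verb == "keywrap" and args[0] == "add" and len(args) == 5:
        fmt, kek, mack = args[1:4]
        for name, key, want in (("KEK", kek, KEK_BYTES), ("MACK", mack, MACK_BYTES)):
            if value_bytes(fmt, key) != want:
                notes.append("%s is %d bytes, expected %d" % (name, value_bytes(fmt, key), want))
    elif verb == "ipsec" and len(args) >= 2:
        if args[0] == "disable":
            notes.append("IPsec protection is turned off for this server")
        elif args[0] == "authentication" and args[1] in WEAK_INTEGRITY:
            notes.append("IPsec integrity %s; prefer hmac-sha1" % args[1])
        elif args[0] == "encryption" and args[1] in WEAK_CIPHERS:
            notes.append("IPsec encryption %s; prefer aes or 256-aes" % args[1])
        elif args[0] == "ike":
            if args[1:3] == ["auth-mode", "pre-shared-key"] and len(args) >= 4:
                index = args[3]  # the index follows pre-shared-key, not the secret
            notes += audit_ike(args[1:])
    return [(kind, index, note) for note in notes]


def audit(text):
    """Audit every line of a saved CLI transcript or command list."""
    return [finding for line in text.splitlines() for finding in audit_line(line)]


# Constructed sample: some lines are this reference's own examples, the rest are
# built from the syntax it documents. The hex keys are made-up values.
SAMPLE = """\
(Cisco Controller) > config radius auth add 3 10.10.10.10 1812 ascii admin
(Cisco Controller) > config radius auth IPsec authentication hmac-md5 1
(Cisco Controller) > config radius acct ipsec encryption 3des 3
(Cisco Controller) > config radius auth ipsec encryption 256-aes 3
(Cisco Controller) > config radius auth ipsec ike dh-group group-2 1
(Cisco Controller) > config radius auth ipsec ike dh-group 2048bit-group-14 2
(Cisco Controller) > config radius auth ipsec ike phase1 aggressive 1
(Cisco Controller) > config radius acct ipsec ike lifetime 23 1
(Cisco Controller) > config radius acct ipsec disable 1
config radius auth keywrap add hex 00112233445566778899aabbccddeeff 00112233445566778899aabbccddeeff 2
"""

if __name__ == "__main__":
    for kind, index, note in audit(SAMPLE):
        print("radius %s server %s: %s" % (kind, index, note))
```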

config radius auth mac-delimiter

To specify a delimiter to be used in the MAC addresses that are sent to the RADIUS authentication server, use the config radius auth mac-delimiter command.

config radius auth mac-delimiter { colon | hyphen | single-hyphen | none}

Syntax Description

colon

Sets a delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).

hyphen

Sets a delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).

single-hyphen

Sets a delimiter to a single hyphen (for example, xxxxxx-xxxxxx).

none

Disables the delimiter (for example, xxxxxxxxxxxx).

Command Default

The default delimiter is a hyphen.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify a delimiter hyphen to be used for a RADIUS authentication server:


(Cisco Controller) > config radius auth mac-delimiter hyphen
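
Because the delimiter is set separately for accounting and authentication, and the Called Station ID can carry the "AP MAC address:SSID" form, the same device can appear in RADIUS logs under several spellings. The following normalizer is an added example, not Cisco code: it accepts all four documented delimiter styles in either case, keeps any SSID suffix, and reports a controller that sends more than one style. The function names and the wlc1/wlc2 records are constructed for illustration.

```python
import re
from collections import defaultdict

# The four formats selectable with mac-delimiter, each optionally followed by
# ":<suffix>" as in the "AP MAC address:SSID" Called Station ID formats.
STATION_ID = re.compile(r"""^(?:
      (?P<colon>[0-9a-f]{2}(?::[0-9a-f]{2}){5})
    | (?P<hyphen>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})
    | (?P<single_hyphen>[0-9a-f]{6}-[0-9a-f]{6})
    | (?P<none>[0-9a-f]{12})
    )(?::(?P<suffix>.*))?$""", re.IGNORECASE | re.VERBOSE)


def parse_station_id(value):
    """Return (canonical_mac, delimiter_style, suffix) or raise ValueError."""
    match = STATION_ID.match(value.strip())
    if not match:
        raise ValueError("not a MAC-based station ID: %r" % value)
    style = next(k for k in ("colon", "hyphen", "single_hyphen", "none") if match.group(k))
    digits = re.sub(r"[^0-9a-f]", "", match.group(style).lower())
    mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return mac, style.replace("_", "-"), match.group("suffix")


def correlate(records):
    """Group (source, station_id) records by MAC and report per-controller format drift.

    source is "<controller>/<auth|acct>"; drift lists controllers whose messages
    use more than one delimiter style, which breaks exact-match log joins.
    """
    by_mac, styles = defaultdict(list), defaultdict(set)
    for source, station_id in records:
        mac, style, _suffix = parse_station_id(station_id)
        by_mac[mac].append(source)
        styles[source.split("/")[0]].add(style)
    drift = {ctrl: sorted(seen) for ctrl, seen in styles.items() if len(seen) > 1}
    return dict(by_mac), drift


# Constructed records: one client seen through two controllers, plus a second client.
RECORDS = [
    ("wlc1/auth", "00-1A-2B-3C-4D-5E"),
    ("wlc1/acct", "00:1a:2b:3c:4d:5e"),
    ("wlc2/auth", "001a2b-3c4d5e"),
    ("wlc2/acct", "a4b1c2-d3e4f5"),
]

if __name__ == "__main__":
    sessions, drift = correlate(RECORDS)
    for mac, sources in sessions.items():
        print(mac, sources)
    print("delimiter drift:", drift)
```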

config radius auth management

To configure a default RADIUS server for management users, use the config radius auth management command.

config radius auth management index { enable | disable}

Syntax Description

index

RADIUS server index.

enable

Enables the server as a management user’s default RADIUS server.

disable

Disables the server as a management user’s default RADIUS server.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a RADIUS server for management users:


(Cisco Controller) > config radius auth management 1 enable

config radius auth mgmt-retransmit-timeout

To configure a default RADIUS server retransmission timeout for management users, use the config radius auth mgmt-retransmit-timeout command.

config radius auth mgmt-retransmit-timeout index retransmit-timeout

Syntax Description

index

RADIUS server index.

retransmit-timeout

Timeout value. The range is from 1 to 30 seconds.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default RADIUS server retransmission timeout for management users:


(Cisco Controller) > config radius auth mgmt-retransmit-timeout 1 10

config radius auth network

To configure a default RADIUS server for network users, use the config radius auth network command.

config radius auth network index { enable | disable}

Syntax Description

index

RADIUS server index.

enable

Enables the server as a network user default RADIUS server.

disable

Disables the server as a network user default RADIUS server.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default RADIUS server for network users:


(Cisco Controller) > config radius auth network 1 enable

config radius auth rfc3576

To configure RADIUS RFC-3576 support for the authentication server for the controller, use the config radius auth rfc3576 command.

config radius auth rfc3576 { enable | disable } index

Syntax Description

enable

Enables RFC-3576 support for an authentication server.

disable

Disables RFC-3576 support for an authentication server.

index

RADIUS server index.

Command Default

Disabled

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

RFC 3576, which is an extension to the RADIUS protocol, allows dynamic changes to a user session. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session. Disconnect messages cause a user session to be terminated immediately; CoA messages modify session authorization attributes such as data filters.

Examples

The following example shows how to enable the RADIUS RFC-3576 support for a RADIUS authentication server:

 (Cisco Controller) > config radius auth rfc3576 enable 2 
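
Disconnect and CoA requests arrive unsolicited, so the receiving side has to check who sent them and that they are intact before acting on them. The following is an added example, not Cisco code, of those receiver-side checks: source restricted to servers enabled for RFC 3576, packet code and length, and the Request Authenticator, which RFC 3576 computes the same way as for an Accounting-Request. The function names, the server table and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43  # RFC 3576 request codes
HEADER_LEN = 20                           # code, identifier, length, 16-byte authenticator


def request_authenticator(packet, secret):
    """MD5(code + id + length + 16 zero octets + attributes + shared secret)."""
    return hashlib.md5(packet[:4] + b"\x00" * 16 + packet[HEADER_LEN:] + secret).digest()


def build_request(code, ident, attrs, secret):
    """Build a signed request from [(attr_type, value_bytes), ...] for the sample data."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    unsigned = struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + b"\x00" * 16 + body
    return unsigned[:4] + request_authenticator(unsigned, secret) + body


def parse_attributes(body):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        a_type, a_len = body[pos], body[pos + 1]
        if a_len < 2 or pos + a_len > len(body):
            raise ValueError("bad attribute length")
        attrs.append((a_type, body[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def accept_request(packet, src_ip, servers):
    """Return (code, attrs) for an acceptable request, else raise ValueError.

    servers maps the address of each server enabled for RFC 3576 to its shared secret.
    """
    secret = servers.get(src_ip)
    if secret is None:
        raise ValueError("source is not an RFC 3576-enabled server")
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("not a Disconnect or CoA request")
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match packet")
    packet = packet[:length]  # octets past Length are padding and are ignored
    if not hmac.compare_digest(packet[4:HEADER_LEN], request_authenticator(packet, secret)):
        raise ValueError("bad Request Authenticator")
    return code, parse_attributes(packet[HEADER_LEN:])


def verdict(packet, src_ip, servers):
    """Log-friendly wrapper: 'accepted' or 'dropped: <reason>'."""
    try:
        accept_request(packet, src_ip, servers)
        return "accepted"
    except ValueError as err:
        return "dropped: %s" % err


# Constructed sample: one enabled server and a Disconnect-Request carrying
# User-Name (type 1) and Calling-Station-Id (type 31).
SERVERS = {"10.10.10.10": b"constructed-shared-secret"}
SAMPLE = build_request(DISCONNECT_REQUEST, 7,
                       [(1, b"alice"), (31, b"00-1a-2b-3c-4d-5e")],
                       SERVERS["10.10.10.10"])

if __name__ == "__main__":
    print(verdict(SAMPLE, "10.10.10.10", SERVERS))
    print(verdict(SAMPLE.replace(b"alice", b"admin"), "10.10.10.10", SERVERS))
    print(verdict(SAMPLE, "192.0.2.9", SERVERS))
```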

config radius aggressive-failover disabled

To configure the controller to mark a RADIUS server as down (not responding) after the server does not reply to three consecutive clients, use the config radius aggressive-failover disabled command.

config radius aggressive-failover disabled

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the controller to mark a RADIUS server as down:


(Cisco Controller) > config radius aggressive-failover disabled

config radius backward compatibility

To configure RADIUS backward compatibility for the controller, use the config radius backward compatibility command.

config radius backward compatibility { enable | disable}

Syntax Description

enable

Enables RADIUS vendor ID backward compatibility.

disable

Disables RADIUS vendor ID backward compatibility.

Command Default

Enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the RADIUS backward compatibility settings:


(Cisco Controller) > config radius backward compatibility disable

config radius callStationIdCase

To configure callStationIdCase information sent in RADIUS messages for the controller, use the config radius callStationIdCase command.

config radius callStationIdCase { legacy | lower | upper }

Syntax Description

legacy

Configures Call Station IDs for Layer 2 authentication to RADIUS in uppercase.

lower

Configures all Call Station IDs to RADIUS in lowercase.

upper

Configures all Call Station IDs to RADIUS in uppercase.

Command Default

Enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to send the call station ID in lowercase:

 (Cisco Controller) > config radius callStationIdCase lower 

config radius auth callStationIdType

To configure the RADIUS authentication server, use the config radius auth callStationIdType command.

config radius auth callStationIdType { ap-ethmac-only | ap-ethmac-ssid | ap-group-name | ap-label-address | ap-label-address-ssid | ap-location | ap-mac-ssid-ap-group | ap-macaddr-only | ap-macaddr-ssid | ap-name | ap-name-ssid | flex-group-name | ipaddr | macaddr | vlan-id}

Syntax Description

ipaddr

Configures the Call Station ID type to use the IP address (only Layer 3).

macaddr

Configures the Call Station ID type to use the system’s MAC address (Layers 2 and 3).

ap-macaddr-only

Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3).

ap-macaddr-ssid

Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3) in the format AP MAC address:SSID.

ap-ethmac-only

Configures the Called Station ID type to use the access point’s Ethernet MAC address.

ap-ethmac-ssid

Configures the Called Station ID type to use the access point’s Ethernet MAC address in the format AP Ethernet MAC address:SSID.

ap-group-name

Configures the Call Station ID type to use the AP group name. If the AP is not part of any AP group, default-group is taken as the AP group name.

flex-group-name

Configures the Call Station ID type to use the FlexConnect group name. If the FlexConnect AP is not part of any FlexConnect group, the system MAC address is taken as the Call Station ID.

ap-name

Configures the Call Station ID type to use the access point’s name.

ap-name-ssid

Configures the Call Station ID type to use the access point’s name in the format AP name:SSID.

ap-location

Configures the Call Station ID type to use the access point’s location.

ap-mac-ssid-ap-group

Sets the Called Station ID type to the format <AP MAC address>:<SSID>:<AP Group>.

vlan-id

Configures the Call Station ID type to use the system’s VLAN-ID.

ap-label-address

Configures the Call Station ID type to the AP MAC address that is printed on the AP label, for the accounting messages.

ap-label-address-ssid

Configures the Call Station ID type to the AP MAC address:SSID format.

Command Default

The MAC address of the system.

Usage Guidelines

The controller sends the Called Station ID attribute to the RADIUS server in all authentication and accounting packets. The Called Station ID attribute can be used to classify users to different groups based on the attribute value. The command is applicable only for the Called Station and not for the Calling Station.

You cannot send only the SSID as the Called-Station-ID; you can only combine the SSID with either the access point MAC address or the access point name.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
7.6 The ap-ethmac-only and ap-ethmac-ssid keywords were added to support the access point’s Ethernet MAC address. The ap-label-address and ap-label-address-ssid keywords were added.
8.0 This command supports both IPv4 and IPv6 address formats.
8.3 The ap-mac-ssid-ap-group keyword was added.

Examples

The following example shows how to configure the call station ID type to use the IP address:


(Cisco Controller) > config radius auth callStationIdType ipaddr

The following example shows how to configure the call station ID type to use the system’s MAC address:


(Cisco Controller) > config radius auth callStationIdType macaddr

The following example shows how to configure the call station ID type to use the access point’s MAC address:


(Cisco Controller) > config radius auth callStationIdType ap-macaddr-only

config radius fallback-test

To configure the RADIUS server fallback behavior, use the config radius fallback-test command.

config radius fallback-test { mode { off | passive | active} | username username | interval interval}

Syntax Description

mode

Specifies the mode.

off

Disables RADIUS server fallback.

passive

Causes the controller to revert to a preferable server (with a lower server index) from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.

active

Causes the controller to revert to a preferable server (with a lower server index) from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller ignores all inactive servers for all active RADIUS requests.

username

Specifies the username.

username

Username. The username can be up to 16 alphanumeric characters.

interval

Specifies the probe interval value.

interval

Probe interval. The range is 180 to 3600.

Command Default

The default probe interval is 300.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the RADIUS accounting server fallback behavior:


(Cisco Controller) > config radius fallback-test mode off

The following example shows how to configure the controller to revert to a preferable server from the available backup servers without using the extraneous probe messages:


(Cisco Controller) > config radius fallback-test mode passive

The following example shows how to configure the controller to revert to a preferable server from the available backup servers by using RADIUS probe messages:


(Cisco Controller) > config radius fallback-test mode active

Configure Redundancy Commands

Use the config redundancy commands to configure High Availability parameters on the Active and Standby controllers.

config redundancy interface address peer-service-port

To configure the service port IP and netmask of the peer or standby controller, use the config redundancy interface address peer-service-port command.

config redundancy interface address peer-service-port ip_address netmask

Syntax Description

ip_address

IP address of the peer service port.

netmask

Netmask of the peer service port.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can configure this command only from the Active controller. For the HA feature, the service port configurations are made per controller. You will lose these configurations if you change the mode from HA to non-HA and vice versa.

Examples

The following example shows how to configure the service port IP and netmask of the peer or standby controller:

(Cisco Controller) >config redundancy interface address peer-service-port 11.22.44.55

config redundancy mobilitymac

To configure the High Availability mobility MAC address to be used as an identifier, use the config redundancy mobilitymac command.

config redundancy mobilitymac mac_address

Syntax Description

mac_address

MAC address that is an identifier for the active and standby controller pair.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

From Release 8.0.132.0 onwards, mobility MAC configuration is no longer present in the uploaded configuration. Therefore, if you download this configuration file back to the controller, you must add the config redundancy mobilitymac mac_address command in the config file before download.

Examples

The following example shows how to configure the High Availability mobility MAC address:

(Cisco Controller) >config redundancy mobilitymac ff:ff:ff:ff:ff:ff

config redundancy mode

To enable or disable redundancy or High Availability (HA), use the config redundancy mode command.

config redundancy mode { sso | none}

Syntax Description

sso

Enables a stateful switch over (SSO) or hot standby redundancy mode.

none

Disables redundancy mode.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must configure local and peer redundancy management IP addresses before you configure redundancy.

Examples

The following example shows how to enable redundancy:

(Cisco Controller) >config redundancy mode sso

config redundancy peer-route

To configure the route configurations of the peer or standby controller, use the config redundancy peer-route command.

config redundancy peer-route { add | delete} network_ip_address netmask gateway

Syntax Description

add

Adds a network route.

delete

Deletes a network route specific to standby controller.

network_ip_address

Network IP address.

netmask

Subnet mask of the network.

gateway

IP address of the gateway for the route network.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can configure this command only from the Active controller. For the HA feature, the service port configurations are made per controller. You will lose these configurations if you change the mode from HA to non-HA and vice versa.

Examples

The following example shows how to configure route configurations of a peer or standby controller:

(Cisco Controller) >config redundancy peer-route add 10.1.1.0 255.255.255.0 10.1.1.1

config redundancy timer peer-search-timer

To configure the peer search timer, use the config redundancy timer peer-search-timer command.

config redundancy timer peer-search-timer seconds

Syntax Description

seconds

Value of the peer search timer in seconds. The range is from 60 to 180 seconds.

Command Default

The default value of the peer search timer is 120 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use this command to configure the boot up role negotiation timeout value in seconds.

Examples

The following example shows how to configure the redundancy peer search timer:

(Cisco Controller) >config redundancy timer peer-search-timer 100

config redundancy timer keep-alive-timer

To configure the keep-alive timeout value, use the config redundancy timer keep-alive-timer command.

config redundancy timer keep-alive-timer milliseconds

Syntax Description

milliseconds

Keep-alive timeout value in milliseconds. The range is from 100 to 400 milliseconds.

Command Default

The default keep-alive timeout value is 100 milliseconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the keep-alive timeout value:

(Cisco Controller) >config redundancy timer keep-alive-timer 200

config redundancy unit

To configure a controller as a primary or secondary controller, use the config redundancy unit command.

config redundancy unit { primary | secondary }

Syntax Description

primary

Configures the controller as the primary controller.

secondary

Configures the controller as the secondary controller.

Command Default

The default state is as the primary controller.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you configure a controller as the secondary controller, it becomes the High Availability Stackable Unit (SKU) without any valid AP licenses.

Examples

The following example shows how to configure a controller as the primary controller:

(Cisco Controller) >config redundancy unit primary

redundancy force-switchover

To trigger a manual switch over on the active Cisco WLC, use the redundancy force-switchover command.

redundancy force-switchover

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When a manual switchover occurs, the active Cisco WLC reboots and the standby Cisco WLC takes over the network. A stateful switchover of access points (AP SSO) is supported. AP SSO ensures that the AP sessions are maintained after the standby Cisco WLC takes over and the APs switch over to the standby Cisco WLC. The clients on the active Cisco WLC deauthenticate and join the new active Cisco WLC.

Examples

The following example shows how to trigger a forceful switchover on the Cisco WLC:

(Cisco Controller) >redundancy force-switchover

config interface address redundancy-management

To configure the management interface IP address, subnet and gateway of the controller, use the config interface address redundancy-management command.

config interface address redundancy-management IP_address netmask gateway

Syntax Description

IP_address

Management interface IP address of the active controller.

netmask

Network mask.

gateway

IP address of the gateway.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use this command to check the Active-Standby reachability when the keep-alive fails.

Examples

The following example shows how to configure the management IP addresses of the controller:

 
(Cisco Controller) > config interface address redundancy-management 209.165.201.31 255.255.0.0 209.165.201.30

Configure RF-Profile commands

Use the configure rf-profile commands to configure RF profiles.

config rf-profile band-select

To configure the RF profile band selection parameters, use the config rf-profile band-select command.

config rf-profile band-select { client-rssi rssi | cycle-count cycles | cycle-threshold value | expire { dual-band value | suppression value} | probe-response { enable | disable}} profile_name

Syntax Description

client-rssi

Configures the client Received Signal Strength Indicator (RSSI) threshold for the RF profile.

rssi

Minimum RSSI for a client to respond to a probe. The range is from -20 to -90 dBm.

cycle-count

Configures the probe cycle count for the RF profile. The cycle count sets the number of suppression cycles for a new client.

cycles

Value of the cycle count. The range is from 1 to 10.

cycle-threshold

Configures the time threshold for a new scanning RF Profile band select cycle period. This setting determines the time threshold during which new probe requests from a client come in a new scanning cycle.

value

Value of the cycle threshold for the RF profile. The range is from 1 to 1000 milliseconds.

expire

Configures the expiration time of clients for band select.

dual-band

Configures the expiration time for pruning previously known dual-band clients. After this time elapses, clients become new and are subject to probe response suppression.

value

Value for a dual band. The range is from 10 to 300 seconds.

suppression

Configures the expiration time for pruning previously known 802.11b/g clients. After this time elapses, clients become new and are subject to probe response suppression.

value

Value for suppression. The range is from 10 to 200 seconds.

probe-response

Configures the probe response for an RF profile.

enable

Enables probe response suppression on clients operating in the 2.4-GHz band for an RF profile.

disable

Disables probe response suppression on clients operating in the 2.4-GHz band for an RF profile.

profile_name

Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

The default value for client RSSI is –80 dBm.

The default cycle count is 2.

The default cycle threshold is 200 milliseconds.

The default value for dual-band expiration is 60 seconds.

The default value for suppression expiration is 20 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable band select on a WLAN, the access point suppresses client probes on 2.4-GHz and moves the dual-band clients to the 5-GHz spectrum. The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running. Band selection can be used only with Cisco Aironet 1040, 1140, and 1250 Series and the 3500 series access points.

Examples

The following example shows how to configure the client RSSI:

(Cisco Controller) >config rf-profile band-select client-rssi -70

config rf-profile client-trap-threshold

To configure the threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller, use the config rf-profile client-trap-threshold command.

config rf-profile client-trap-threshold threshold profile_name

Syntax Description

threshold

Threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller. The range is from 0 to 200. Traps are disabled if the threshold value is configured as zero.

profile_name

Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the threshold value of the number of clients that associate with an access point:

(Cisco Controller) >config rf-profile client-trap-threshold 150

config rf-profile create

To create an RF profile, use the config rf-profile create command.

config rf-profile create { 802.11a | 802.11b/g} profile-name

Syntax Description

802.11a

Configures the RF profile for the 5GHz band.

802.11b/g

Configures the RF profile for the 2.4GHz band.

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create a new RF profile:

(Cisco Controller) >config rf-profile create 802.11a RFtestgroup1

config rf-profile fra client-aware

To configure the RF profile client-aware FRA feature, use the config rf-profile fra client-aware command.

config rf-profile fra client-aware { client-reset percent rf-profile-name | client-select percent rf-profile-name | disable rf-profile-name | enable rf-profile-name}

Syntax Description

client-reset

Configures the RF profile AP utilization threshold for radio to switch back to Monitor mode.

percent

Utilization percentage value ranges from 0 to 100. The default is 5%.

rf-profile-name

Name of the RF Profile.

client-select

Configures the RF profile utilization threshold for radio to switch to 5GHz.

percent

Utilization percentage value ranges from 0 to 100. The default is 50%.

disable

Disables the RF profile client-aware FRA feature.

enable

Enables the RF profile client-aware FRA feature.

Command Default

The default percent value for client-select and client-reset is 50% and 5% respectively.

Command History

Release Modification
8.5 This command was introduced.

Examples

The following example shows how to configure the RF profile utilization threshold for redundant dual-band radios to switch back from 5GHz client-serving role to Monitor mode:

(Cisco Controller) >config rf-profile fra client-aware client-reset 15 profile1

The following example shows how to configure the RF profile utilization threshold for redundant dual-band radios to switch from Monitor mode to 5GHz client-serving role:

(Cisco Controller) >config rf-profile fra client-aware client-select 20 profile1

The following example shows how to disable the RF profile client-aware FRA feature:

(Cisco Controller) >config rf-profile fra client-aware disable profile1

The following example shows how to enable the RF profile client-aware FRA feature:

(Cisco Controller) >config rf-profile fra client-aware enable profile1

config rf-profile data-rates

To configure the data rate on an RF profile, use the config rf-profile data-rates command.

config rf-profile data-rates { 802.11a | 802.11b } { disabled | mandatory | supported} data-rate profile-name

Syntax Description

802.11a

Specifies 802.11a as the radio policy of the RF profile.

802.11b

Specifies 802.11b as the radio policy of the RF profile.

disabled

Disables a rate.

mandatory

Sets a rate to mandatory.

supported

Sets a rate to supported.

data-rate

802.11 operational rates, which are 1*, 2*, 5.5*, 6, 9, 11*, 12, 18, 24, 36, 48 and 54, where * denotes 802.11b only rates.

profile-name

Name of the RF profile.

Command Default

Default data rates for RF profiles are derived from the controller system defaults, the global data rate configurations. For example, if the RF profile's radio policy is mapped to 802.11a then the global 802.11a data rates are copied into the RF profiles at the time of creation.

The data rates set with this command are negotiated between the client and the Cisco wireless LAN controller. If the data rate is set to mandatory, the client must support it in order to use the network. If a data rate is set as supported by the Cisco wireless LAN controller, any associated client that also supports that rate may communicate with the Cisco lightweight access point using that rate. It is not required that a client is able to use all the rates marked supported in order to associate.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the 802.11b transmission of an RF profile at a mandatory rate at 12 Mbps:

(Cisco Controller) >config rf-profile data-rates 802.11b mandatory 12 RFGroup1

config rf-profile delete

To delete an RF profile, use the config rf-profile delete command.

config rf-profile delete profile-name

Syntax Description

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete an RF profile:


(Cisco Controller) >config rf-profile delete RFGroup1 

config rf-profile description

To provide a description for an RF profile, use the config rf-profile description command.

config rf-profile description description profile-name

Syntax Description

description

Description of the RF profile.

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a description to an RF profile:

(Cisco Controller) >config rf-profile description This is a demo description RFGroup1

config rf-profile load-balancing

To configure load balancing on an RF profile, use the config rf-profile load-balancing command.

config rf-profile load-balancing { window clients | denial value} profile_name

Syntax Description

window

Configures the client window for load balancing of an RF profile.

clients

Client window size that limits the number of client associations with an access point. The range is from 0 to 20. The default value is 5.

The window size is part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations:

load-balancing window + client associations on AP with lightest load = load-balancing threshold

Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold. This window also helps to disassociate sticky clients.

denial

Configures the client denial count for load balancing of an RF profile.

value

Maximum number of association denials during load balancing. The range is from 1 to 10. The default value is 3.

When a client tries to associate on a wireless network, it sends an association request to the access point. If the access point is overloaded and load balancing is enabled on the controller, the access point sends a denial to the association request. If there are no other access points in the range of the client, the client tries to associate with the same access point again. After the maximum denial count is reached, the client is able to associate. The association attempts that a client makes on an access point before it associates with any access point are called a sequence of association. The default is 3.

profile_name

Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the client window size for an RF profile:

(Cisco Controller) >config rf-profile load-balancing window 15
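The window formula and denial count from the syntax description above can be traced with a small model. This Python code is an added example, not Cisco's algorithm; the AP names and client counts are constructed, an access point exactly at the threshold is assumed not to be busy, and denials are assumed to be counted across one client's whole sequence of association.

```python
WINDOW_RANGE = range(0, 21)  # page: window is 0 to 20, default 5
DENIAL_RANGE = range(1, 11)  # page: denial is 1 to 10, default 3


def load_balancing_threshold(window, client_counts):
    """window + client associations on the AP with the lightest load."""
    if window not in WINDOW_RANGE:
        raise ValueError("window must be from 0 to 20")
    if not client_counts:
        raise ValueError("at least one access point is required")
    return window + min(client_counts.values())


def is_busy(ap, window, client_counts):
    """An AP with more client associations than the threshold is busy."""
    return client_counts[ap] > load_balancing_threshold(window, client_counts)


def busy_aps(window, client_counts):
    """Names of all APs that would deny a new association, sorted."""
    return sorted(ap for ap in client_counts if is_busy(ap, window, client_counts))


def associate(attempts, client_counts, window=5, denial=3):
    """Replay one client's association attempts, in order.

    attempts is the list of AP names the client tries. A busy AP denies the
    request until the client has collected `denial` denials; after that the
    next attempt is accepted even on a busy AP.
    Returns (ap_joined_or_None, denials_sent).
    """
    if denial not in DENIAL_RANGE:
        raise ValueError("denial must be from 1 to 10")
    denials = 0
    for ap in attempts:
        if is_busy(ap, window, client_counts) and denials < denial:
            denials += 1
            continue
        return ap, denials
    return None, denials


# Constructed sample: current client associations per access point.
SAMPLE_COUNTS = {"ap1": 12, "ap2": 3, "ap3": 9}

if __name__ == "__main__":
    print("threshold:", load_balancing_threshold(5, SAMPLE_COUNTS))
    print("busy:", busy_aps(5, SAMPLE_COUNTS))
    # Client that can reach a lightly loaded AP is steered there.
    print(associate(["ap1", "ap2"], SAMPLE_COUNTS))
    # Client that can only hear ap1 gets in after the denial count is used up.
    print(associate(["ap1"] * 4, SAMPLE_COUNTS))
```

A larger window raises the threshold and makes denials rarer; a larger denial count delays a client that has only one access point in range.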

config rf-profile max-clients

To configure the maximum number of client connections per access point of an RF profile, use the config rf-profile max-clients commands.

config rf-profile max-clients clients

Syntax Description

clients

Maximum number of client connections per access point of an RF profile. The range is from 1 to 200.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use this command to configure the maximum number of clients on access points that are in client dense areas, or serving high bandwidth video or mission critical voice applications.

Examples

The following example shows how to set the maximum number of clients at 50:

(Cisco Controller) >config rf-profile max-clients 50

config rf-profile multicast data-rate

To configure the minimum RF profile multicast data rate, use the config rf-profile multicast data-rate command.

config rf-profile multicast data-rate value profile_name

Syntax Description

value

Minimum RF profile multicast data rate. The options are 6, 9, 12, 18, 24, 36, 48, 54. Enter 0 to specify that access points will dynamically adjust the data rate.

profile_name

Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

The minimum RF profile multicast data rate is 0.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the multicast data rate for an RF profile:

(Cisco Controller) >config rf-profile multicast data-rate 24

config rf-profile out-of-box

To create an out-of-box AP group consisting of newly installed access points, use the config rf-profile out-of-box command.

config rf-profile out-of-box { enable | disable}

Syntax Description

enable

Enables the creation of an out-of-box AP group. When you enable this command, the following occurs:

  • Newly installed access points that are part of the default AP group will be part of the out-of-box AP group and their radios will be switched off, which eliminates any RF instability caused by the new access points.
  • All access points that do not have a group name become part of the out-of-box AP group.
  • Special RF profiles are created per 802.11 band. These RF profiles have default settings for all the existing RF parameters and additional new configurations.

disable

Disables the out-of-box AP group. When you disable this feature, only the subscription of new APs to the out-of-box AP group stops. All APs that are subscribed to the out-of-box AP group remain in this AP group. You can move APs to the default group or a custom AP group upon network convergence.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When an out-of-box AP associates with the controller for the first time, it will be redirected to a special AP group and the RF profiles applicable to this AP Group will control the radio admin state configuration of the AP. You can move APs to the default group or a custom group upon network convergence.

Examples

The following example shows how to enable the creation of an out-of-box AP group:

(Cisco Controller) >config rf-profile out-of-box enable

config rf-profile trap-threshold

To configure the RF profile trap threshold, use the config rf-profile trap-threshold command.

config rf-profile trap-threshold { clients clients profile_name | interference percent profile_name | noise dBm profile_name | utilization percent profile_name}

Syntax Description

clients

Configures the RF profile trap threshold for clients.

clients

The number of clients on an access point's radio for the trap is between 1 and 200. The default is 12 clients.

profile_name

Specifies the name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

interference

Configures the RF profile trap threshold for interference.

percent

The percentage of interference threshold for the trap is from 0 to 100 %. The default is 10 %.

noise

Configures the RF profile trap threshold for noise.

dBm

The level of noise threshold for the trap is from -127 to 0 dBm. The default is -17 dBm.

utilization

Configures the RF profile trap threshold for utilization.

percent

The percentage of bandwidth being used by an access point threshold for the trap is from 0 to 100 %. The default is 80 %.

Command Default

None

Command History

Release Modification
8.0 This command was introduced.

Examples

The following example shows how to configure the RF profile trap threshold for clients:

(Cisco Controller) >config rf-profile trap-threshold clients 50 admin1

config rf-profile tx-power-control-thresh-v1

To configure Transmit Power Control version 1 (TPCv1) to an RF profile, use the config rf-profile tx-power-control-thresh-v1 command.

config rf-profile tx-power-control-thresh-v1 tpc-threshold profile-name

Syntax Description

tpc-threshold

TPC threshold.

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure TPCv1 on an RF profile:

(Cisco Controller) >config rf-profile tx-power-control-thresh-v1 RFGroup1 

config rf-profile tx-power-control-thresh-v2

To configure Transmit Power Control version 2 (TPCv2) to an RF profile, use the config rf-profile tx-power-control-thresh-v2 command.

config rf-profile tx-power-control-thresh-v2 tpc-threshold profile-name

Syntax Description

tpc-threshold

TPC threshold.

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure TPCv2 on an RF profile:

(Cisco Controller) >config rf-profile tx-power-control-thresh-v2 RFGroup1 

config rf-profile tx-power-max

To configure the maximum auto-rf tx power for an RF profile, use the config rf-profile tx-power-max command.

config rf-profile tx-power-max tx-power-max profile-name

Syntax Description

tx-power-max

Maximum auto-rf tx power.

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure tx-power-max on an RF profile:

(Cisco Controller) >config rf-profile tx-power-max RFGroup1 

config rf-profile tx-power-min

To configure the minimum auto-rf tx power for an RF profile, use the config rf-profile tx-power-min command.

config rf-profile tx-power-min tx-power-min profile-name

Syntax Description

tx-power-min

Minimum auto-rf tx power.

profile-name

Name of the RF profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure tx-power-min on an RF profile:


(Cisco Controller) >config rf-profile tx-power-min RFGroup1 

Configure Rogue Commands

Use the configure rogue commands to configure policy settings for unidentified (rogue) clients.

config rogue adhoc

To globally or individually configure the status of an Independent Basic Service Set (IBSS or ad-hoc) rogue access point, use the config rogue adhoc command.

config rogue adhoc { enable | disable | external rogue_MAC | alert { rogue_MAC | all} | auto-contain [ monitor_ap] | contain rogue_MAC 1234_aps}

config rogue adhoc { delete { all | mac-address mac-address} | classify { friendly state { external | internal} mac-address | malicious state { alert | contain} mac-address | unclassified state { alert | contain} mac-address}}

Syntax Description

enable

Globally enables detection and reporting of ad-hoc rogues.

disable

Globally disables detection and reporting of ad-hoc rogues.

external

Configure external state on the rogue access point that is outside the network and poses no threat to WLAN security. The controller acknowledges the presence of this rogue access point.

rogue_MAC

MAC address of the ad-hoc rogue access point.

alert

Generates an SNMP trap upon detection of the ad-hoc rogue, and generates an immediate alert to the system administrator for further action.

all

Enables alerts for all ad-hoc rogue access points.

auto-contain

Contains all wired ad-hoc rogues detected by the controller.

monitor_ap

(Optional) IP address of the ad-hoc rogue access point.

contain

Contains the offending device so that its signals no longer interfere with authorized clients.

1234_aps

Maximum number of Cisco access points assigned to actively contain the ad-hoc rogue access point (1 through 4, inclusive).

delete

Deletes ad-hoc rogue access points.

all

Deletes all ad-hoc rogue access points.

mac-address

Deletes ad-hoc rogue access point with the specified MAC address.

mac-address

MAC address of the ad-hoc rogue access point.

classify

Configures ad-hoc rogue access point classification.

friendly state

Classifies ad-hoc rogue access points as friendly.

internal

Configures alert state on rogue access point that is inside the network and poses no threat to WLAN security. The controller trusts this rogue access point.

malicious state

Classifies ad-hoc rogue access points as malicious.

alert

Configures alert state on the rogue access point that is not in the neighbor list or in the user configured friendly MAC list. The controller forwards an immediate alert to the system administrator for further action.

contain

Configures contain state on the rogue access point. Controller contains the offending device so that its signals no longer interfere with authorized clients.

unclassified state

Classifies ad-hoc rogue access points as unclassified.

Command Default

The default for this command is enabled and is set to alert. The default for auto-containment is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The controller continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses RLDP to determine if the rogue is attached to your wired network.


Note


RLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection (DFS).


When you enter any of the containment commands, the following warning appears:


Using this feature may have legal consequences. Do you want to continue? (y/n) :

The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Enter the auto-contain command with the monitor_ap argument to monitor the rogue access point without containing it. Enter the auto-contain command without the optional monitor_ap to automatically contain all wired ad-hoc rogues detected by the controller.

Examples

The following example shows how to enable the detection and reporting of ad-hoc rogues:


(Cisco Controller) > config rogue adhoc enable

The following example shows how to enable alerts for all ad-hoc rogue access points:


(Cisco Controller) > config rogue adhoc alert all

The following example shows how to classify an ad-hoc rogue access point as friendly and configure internal state on it:


(Cisco Controller) > config rogue adhoc classify friendly state internal 11:11:11:11:11:11

config rogue ap classify

To classify the status of a rogue access point, use the config rogue ap classify command.

config rogue ap classify { friendly state { internal | external} ap_mac}

config rogue ap classify { malicious | unclassified} state { alert | contain} ap_mac

Syntax Description

friendly

Classifies a rogue access point as friendly.

state

Specifies a response to classification.

internal

Configures the controller to trust this rogue access point.

external

Configures the controller to acknowledge the presence of this access point.

ap_mac

MAC address of the rogue access point.

malicious

Classifies a rogue access point as potentially malicious.

unclassified

Classifies a rogue access point as unknown.

alert

Configures the controller to forward an immediate alert to the system administrator for further action.

contain

Configures the controller to contain the offending device so that its signals no longer interfere with authorized clients.

Command Default

These commands are disabled by default. Therefore, all unknown access points are categorized as unclassified by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

A rogue access point cannot be moved to the unclassified class if its current state is contain.

When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to classify a rogue access point as friendly so that the controller trusts it:


(Cisco Controller) > config rogue ap classify friendly state internal 11:11:11:11:11:11

The following example shows how to classify a rogue access point as malicious and to send an alert:


(Cisco Controller) > config rogue ap classify malicious state alert 11:11:11:11:11:11

The following example shows how to classify a rogue access point as unclassified and to contain it:


(Cisco Controller) > config rogue ap classify unclassified state contain 11:11:11:11:11:11

config rogue ap friendly

To add a new friendly access point entry to the friendly MAC address list, or delete an existing friendly access point entry from the list, use the config rogue ap friendly command.

config rogue ap friendly { add | delete} ap_mac

Syntax Description

add

Adds this rogue access point to the friendly MAC address list.

delete

Deletes this rogue access point from the friendly MAC address list.

ap_mac

MAC address of the rogue access point that you want to add or delete.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a new friendly access point with MAC address 11:11:11:11:11:11 to the friendly MAC address list.


(Cisco Controller) > config rogue ap friendly add 11:11:11:11:11:11

config rogue ap rldp

To enable, disable, or initiate the Rogue Location Discovery Protocol (RLDP), use the config rogue ap rldp command.

config rogue ap rldp enable { alarm-only | auto-contain} [ monitor_ap_only]

config rogue ap rldp initiate rogue_mac_address


config rogue ap rldp disable

Syntax Description

alarm-only

When entered without the optional argument monitor_ap_only , enables RLDP on all access points.

auto-contain

When entered without the optional argument monitor_ap_only , automatically contains all rogue access points.

monitor_ap_only

(Optional) Enables RLDP (when used with the alarm-only keyword) or automatic containment (when used with the auto-contain keyword) only on the designated monitor access point.

initiate

Initiates RLDP on a specific rogue access point.

rogue_mac_address

MAC address of specific rogue access point.

disable

Disables RLDP on all access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to enable RLDP on all access points:


(Cisco Controller) > config rogue ap rldp enable alarm-only 

The following example shows how to enable RLDP on monitor-mode access point ap_1:


(Cisco Controller) > config rogue ap rldp enable alarm-only ap_1

The following example shows how to start RLDP on the rogue access point with MAC address 123.456.789.000:


(Cisco Controller) > config rogue ap rldp initiate 123.456.789.000

The following example shows how to disable RLDP on all access points:


(Cisco Controller) > config rogue ap rldp disable

config rogue ap ssid

To generate an alarm only, or to automatically contain a rogue access point that is advertising your network’s service set identifier (SSID), use the config rogue ap ssid command.

config rogue ap ssid { alarm | auto-contain}

Syntax Description

alarm

Generates only an alarm when a rogue access point is discovered to be advertising your network’s SSID.

auto-contain

Automatically contains the rogue access point that is advertising your network’s SSID.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to automatically contain a rogue access point that is advertising your network’s SSID:


(Cisco Controller) > config rogue ap ssid auto-contain

config rogue ap timeout

To specify the number of seconds after which the rogue access point and client entries expire and are removed from the list, use the config rogue ap timeout command.

config rogue ap timeout seconds

Syntax Description

seconds

Value of 240 to 3600 seconds (inclusive), with a default value of 1200 seconds.

Command Default

The default number of seconds after which the rogue access point and client entries expire is 1200 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set an expiration time for entries in the rogue access point and client list to 2400 seconds:


(Cisco Controller) > config rogue ap timeout 2400

config rogue auto-contain level

To configure the rogue auto-containment level, use the config rogue auto-contain level command.

config rogue auto-contain level level [ monitor_ap_only]

Syntax Description

level

Rogue auto-containment level in the range of 1 to 4. You can enter a value of 0 to enable the controller to automatically select the number of APs used for auto containment. The controller chooses the required number of APs based on the RSSI for effective containment.

Note

Up to four APs can be used to auto-contain when a rogue AP is moved to contained state through any of the auto-containment policies.

monitor_ap_only

(Optional) Configures auto-containment using only monitor AP mode.

Command Default

The default auto-containment level is 1.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The controller continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses any of the configured auto-containment policies to start autocontainment. The policies for initiating autocontainment are rogue on wire (detected through RLDP or rogue detector AP), rogue using managed SSID, Valid client on Rogue AP, and AdHoc Rogue.

This table lists the RSSI value associated with each containment level.

Table 4. RSSI Associated with Each Containment Level
Auto-containment Level RSSI
1 0 to –55 dBm
2 –75 to –55 dBm
3 –85 to –75 dBm
4 Less than –85 dBm

Note


RLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection (DFS).


When you enter any of the containment commands, the following warning appears:


Using this feature may have legal consequences. Do you want to continue? (y/n) :

The 2.4-GHz and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to configure the auto-contain level to 3:


(Cisco Controller) > config rogue auto-contain level 3

config rogue ap valid-client

To generate an alarm only, or to automatically contain a rogue access point to which a trusted client is associated, use the config rogue ap valid-client command.

config rogue ap valid-client { alarm | auto-contain}

Syntax Description

alarm

Generates only an alarm when a rogue access point is discovered to be associated with a valid client.

auto-contain

Automatically contains a rogue access point to which a trusted client is associated.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to automatically contain a rogue access point that is associated with a valid client:


(Cisco Controller) > config rogue ap valid-client auto-contain

config rogue client

To configure rogue clients, use the config rogue client command.

config rogue client { aaa { enable | disable} | alert ap_mac | contain client_mac | delete { state { alert | any | contained | contained-pending} | all | mac-address client_mac} | mse { enable | disable}}

Syntax Description

aaa

Configures AAA server or local database to validate whether rogue clients are valid clients. The default is disabled.

enable

Enables the AAA server or local database to check rogue client MAC addresses for validity.

disable

Disables the AAA server or local database to check rogue client MAC addresses for validity.

alert

Configures the controller to forward an immediate alert to the system administrator for further action.

ap_mac

Access point MAC address.

contain

Configures the controller to contain the offending device so that its signals no longer interfere with authorized clients.

client_mac

MAC address of the rogue client.

delete

Deletes the rogue client.

state

Deletes the rogue clients according to their state.

alert

Deletes the rogue clients in alert state.

any

Deletes the rogue clients in any state.

contained

Deletes all rogue clients that are in contained state.

contained-pending

Deletes all rogue clients that are in contained pending state.

all

Deletes all rogue clients.

mac-address

Deletes a rogue client with the configured MAC address.

mse

Validates if the rogue clients are valid clients using MSE. The default is disabled.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You cannot validate rogue clients against MSE and AAA at the same time.

Examples

The following example shows how to enable the AAA server or local database to check MAC addresses:


(Cisco Controller) > config rogue client aaa enable 

The following example shows how to disable the AAA server or local database from checking MAC addresses:


(Cisco Controller) > config rogue client aaa disable 

config rogue detection

To enable or disable rogue detection, use the config rogue detection command.


Note


If an AP is itself configured with the name all, the all access points case takes precedence over the AP named all.


config rogue detection { enable | disable} { cisco_ap | all}

Syntax Description

enable

Enables rogue detection on this access point.

disable

Disables rogue detection on this access point.

cisco_ap

Cisco access point.

all

Specifies all access points.

Command Default

The default rogue detection value is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Rogue detection is enabled by default for all access points joined to the controller except for OfficeExtend access points. OfficeExtend access points are deployed in a home environment and are likely to detect a large number of rogue devices.

Examples

The following example shows how to enable rogue detection on the access point Cisco_AP:


(Cisco Controller) > config rogue detection enable Cisco_AP 

config rogue detection min-rssi

To configure the minimum Received Signal Strength Indicator (RSSI) value at which APs can detect rogues and create a rogue entry in the controller, use the config rogue detection min-rssi command.

config rogue detection min-rssi rssi-in-dBm

Syntax Description

rssi-in-dBm

Minimum RSSI value. The valid range is from –70 dBm to –128 dBm, and the default value is –128 dBm.

Command Default

The default RSSI value to detect rogues in APs is -128 dBm.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This feature is applicable to all the AP modes.

There can be many rogues with very weak RSSI values that do not provide any valuable information in rogue analysis. Therefore, you can use this option to filter rogues by specifying the minimum RSSI value at which APs should detect rogues.

Examples

The following example shows how to configure the minimum RSSI value:


(Cisco Controller) > config rogue detection min-rssi -80

config rogue detection monitor-ap

To configure the rogue report interval for all monitor mode Cisco APs, use the config rogue detection monitor-ap command.

config rogue detection monitor-ap { report-interval | transient-rogue-interval} time-in-seconds

Syntax Description

report-interval

Specifies the interval at which rogue reports are sent.

transient-rogue-interval

Specifies the interval at which rogues are consistently scanned for by APs after the first time the rogues are scanned.

time-in-seconds

Time in seconds. The valid range is as follows:

  • 10 to 300 for report-interval

  • 120 to 1800 for transient-rogue-interval

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This feature is applicable to APs that are in monitor mode only.

Using the transient interval values, you can control the time interval at which APs should scan for rogues. APs can also filter the rogues based on their transient interval values.

This feature has the following advantages:

  • Rogue reports from APs to the controller are shorter.

  • Transient rogue entries are avoided in the controller.

  • Unnecessary memory allocation for transient rogues is avoided.

Examples

The following example shows how to configure the rogue report interval to 60 seconds:


(Cisco Controller) > config rogue detection monitor-ap report-interval 60

The following example shows how to configure the transient rogue interval to 300 seconds:


(Cisco Controller) > config rogue detection monitor-ap transient-rogue-interval 300

config rogue rule

To add and configure rogue classification rules, use the config rogue rule command.

config rogue rule { add ap priority priority classify { custom severity-score classification-name | friendly | malicious} notify { all | global | none | local} state { alert | contain | delete | internal | external} rule_name | 
 classify { custom severity-score classification-name | friendly | malicious} rule_name | 
 condition ap { set | delete} condition_type condition_value rule_name | 
{ enable | delete | disable} { all | rule_name} | 
 match { all | any} | 
 priority priority| notify { all | global | none | local} rule_name | state { alert | contain | internal | external} rule_name}

Syntax Description

add ap priority

Adds a rule with match any criteria and the priority that you specify.

priority

Priority of this rule within the list of rules.

classify

Specifies the classification of a rule.

custom

Classifies devices matching the rule as custom.

severity-score

Custom classification severity score of the rule. The range is from 1 to 100.

classification-name

Custom classification name. The name can be up to 32 case-sensitive, alphanumeric characters.

friendly

Classifies a rule as friendly.

malicious

Classifies a rule as malicious.

notify

Configures type of notification upon rule match.

all

Notifies the controller and a trap receiver such as Cisco Prime Infrastructure.

global

Notifies only a trap receiver such as Cisco Prime Infrastructure.

local

Notifies only the controller.

none

Notifies neither the controller nor a trap receiver such as Cisco Prime Infrastructure.

state

Configures state of the rogue access point after a rule match.

alert

Configures alert state on the rogue access point that is not in the neighbor list or in the user configured friendly MAC list. The controller forwards an immediate alert to the system administrator for further action.

contain

Configures contain state on the rogue access point. Controller contains the offending device so that its signals no longer interfere with authorized clients.

delete

Configures delete state on the rogue access point.

external

Configures external state on the rogue access point that is outside the network and poses no threat to WLAN security. The controller acknowledges the presence of this rogue access point.

internal

Configures alert state on rogue access point that is inside the network and poses no threat to WLAN security. The controller trusts this rogue access point.

rule_name

Rule to which the command applies, or the name of a new rule.

condition ap

Specifies the conditions for a rule that the rogue access point must meet.

set

Adds conditions to a rule that the rogue access point must meet.

delete

Removes conditions from a rule that the rogue access point must meet.

condition_type

Type of the condition to be configured. The condition types are listed below:

  • client-count—Requires that a minimum number of clients be associated to a rogue access point. The valid range is 1 to 10 (inclusive).

  • duration—Requires that a rogue access point be detected for a minimum period of time. The valid range is 0 to 3600 seconds (inclusive).

  • managed-ssid—Requires that a rogue access point’s SSID be known to the controller.

  • no-encryption—Requires that a rogue access point’s advertised WLAN does not have encryption enabled.

  • rssi—Requires that a rogue access point have a minimum RSSI value. The range is from –95 to –50 dBm (inclusive).

  • ssid—Requires that a rogue access point have a specific SSID.

  • substring-ssid—Requires that a rogue access point have a substring of a user-configured SSID.

condition_value

Value of the condition. This value is dependent upon the condition_type. For instance, if the condition type is ssid, then the condition value is either the SSID name or all.

enable

Enables all rules or a single specific rule.

delete

Deletes all rules or a single specific rule.

disable

Disables all rules or a single specific rule.

match

Specifies whether a detected rogue access point must meet all or any of the conditions specified by the rule in order for the rule to be matched and the rogue access point to adopt the classification type of the rule.

all

Specifies all rules defined.

any

Specifies any rule meeting certain criteria.

priority

Changes the priority of a specific rule and shifts others in the list accordingly.

Command Default

No rogue rules are configured.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For your changes to be effective, you must enable the rule. You can configure up to 64 rules.

Reclassification of rogue APs according to the RSSI condition of the rogue rule occurs only when the RSSI changes more than +/- 2 dBm of the configured RSSI value. Manual and automatic classification override custom rogue rules. Rules are applied to manually changed rogues if their class type changes to unclassified and state changes to alert. Adhoc rogues are classified and do not go to the pending state. You can have up to 50 classification types.

Examples

The following example shows how to create a rule called rule_1 with a priority of 1 and a classification as friendly.


(Cisco Controller) > config rogue rule add ap priority 1 classify friendly rule_1

The following example shows how to enable rule_1.


(Cisco Controller) > config rogue rule enable rule_1

The following example shows how to change the priority of rule_1.


(Cisco Controller) > config rogue rule priority 2 rule_1

The following example shows how to change the classification of rule_1.


(Cisco Controller) > config rogue rule classify malicious rule_1

The following example shows how to disable rule_1.


(Cisco Controller) > config rogue rule disable rule_1

The following example shows how to delete SSID_2 from the user-configured SSID list in rule-5.


(Cisco Controller) > config rogue rule condition ap delete ssid ssid_2 rule-5

The following example shows how to create a custom rogue rule.


(Cisco Controller) > config rogue rule classify custom 1 VeryMalicious rule6
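The argument ranges documented above for the config rogue commands can be checked before a change script is pasted into a controller session. The following is an added example, not Cisco code: a small linter that validates those ranges, catches typographic dashes in numeric arguments, and flags any containment command for sign-off because of the legal-consequences warning. The function names and the sample script are constructed for illustration.

```python
import re

PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")
UNICODE_DASHES = "\u2010\u2011\u2012\u2013\u2014\u2212"  # look-alikes of ASCII '-'

# (command prefix, (min, max), unit): ranges as stated in this reference.
NUMERIC_ARGS = [
    (("config", "rogue", "ap", "timeout"), (240, 3600), "seconds"),
    (("config", "rogue", "auto-contain", "level"), (0, 4), "level"),
    (("config", "rogue", "detection", "min-rssi"), (-128, -70), "dBm"),
    (("config", "rogue", "detection", "monitor-ap", "report-interval"), (10, 300), "seconds"),
    (("config", "rogue", "detection", "monitor-ap", "transient-rogue-interval"), (120, 1800), "seconds"),
    (("config", "rogue", "rule", "condition", "ap", "set", "client-count"), (1, 10), "clients"),
    (("config", "rogue", "rule", "condition", "ap", "set", "duration"), (0, 3600), "seconds"),
    (("config", "rogue", "rule", "condition", "ap", "set", "rssi"), (-95, -50), "dBm"),
]
CLASSIFICATION_NAME = re.compile(r"[A-Za-z0-9]{1,32}")


def to_int(token):
    try:
        return int(token)
    except (TypeError, ValueError):
        return None


def lint_line(line):
    """Return findings for one CLI line; an empty list means nothing to report."""
    findings = []
    cmd = PROMPT.sub("", line.strip())
    if any(d in cmd for d in UNICODE_DASHES):
        findings.append("ERROR non-ASCII dash in command; use ASCII '-'")
        cmd = cmd.translate({ord(d): "-" for d in UNICODE_DASHES})
    tokens = cmd.split()
    if tokens[:2] != ["config", "rogue"]:
        return findings

    for prefix, (lo, hi), unit in NUMERIC_ARGS:
        n = len(prefix)
        if tuple(tokens[:n]) != prefix:
            continue
        label = " ".join(prefix[2:])
        value = to_int(tokens[n]) if len(tokens) > n else None
        if value is None:
            findings.append(f"ERROR {label}: missing or non-numeric value")
        elif not lo <= value <= hi:
            findings.append(f"ERROR {label}: {value} outside {lo}..{hi} {unit}")

    # "classify custom severity-score classification-name" inside a rogue rule.
    if tokens[2:3] == ["rule"]:
        for i, tok in enumerate(tokens[:-1]):
            if tok == "classify" and tokens[i + 1] == "custom":
                score = to_int(tokens[i + 2]) if len(tokens) > i + 2 else None
                name = tokens[i + 3] if len(tokens) > i + 3 else ""
                if score is None or not 1 <= score <= 100:
                    findings.append("ERROR rule custom: severity-score must be 1..100")
                if not CLASSIFICATION_NAME.fullmatch(name):
                    findings.append("ERROR rule custom: classification-name must be 1-32 alphanumerics")

    # Containment triggers the legal-consequences prompt: route it to a human.
    if "contain" in tokens or "auto-contain" in tokens:
        findings.append("REVIEW containment requested; needs explicit sign-off")
    return findings


def lint_script(text):
    """Lint a multi-line change script; returns (line_number, finding) pairs."""
    return [(no, f) for no, line in enumerate(text.splitlines(), 1)
            for f in lint_line(line)]


# Constructed sample change script (not taken from a real controller).
SAMPLE = """\
(Cisco Controller) > config rogue ap timeout 2400
(Cisco Controller) > config rogue ap timeout 120
(Cisco Controller) > config rogue detection min-rssi \u201380
config rogue detection monitor-ap transient-rogue-interval 60
config rogue rule condition ap set rssi -40 rule_1
config rogue rule classify custom 1 VeryMalicious rule6
config rogue rule classify custom 150 Very_Malicious rule6
config rogue ap ssid auto-contain
config rogue auto-contain level 5
"""

if __name__ == "__main__":
    for line_no, finding in lint_script(SAMPLE):
        print(f"line {line_no}: {finding}")
```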

Configure SNMP Commands

Use the config snmp commands to configure Simple Network Management Protocol (SNMP) settings.

config snmp community accessmode

To modify the access mode (read only or read/write) of an SNMP community, use the config snmp community accessmode command.

config snmp community accessmode { ro | rw} name

Syntax Description

ro

Specifies a read-only mode.

rw

Specifies a read/write mode.

name

SNMP community name.

Command Default

Two communities are provided by default with the following settings:


SNMP Community Name Client IP Address Client IP Mask   Access Mode Status
------------------- ----------------- ---------------- ----------- ------
public              0.0.0.0           0.0.0.0          Read Only   Enable
private             0.0.0.0           0.0.0.0          Read/Write  Enable

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure read/write access mode for the SNMP community named private:


(Cisco Controller) > config snmp community accessmode rw private

config snmp community create

To create a new SNMP community, use the config snmp community create command.

config snmp community create name

Syntax Description

name

SNMP community name of up to 16 characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use this command to create a new community with the default configuration.

Examples

The following example shows how to create a new SNMP community named test:


(Cisco Controller) > config snmp community create test

config snmp community delete

To delete an SNMP community, use the config snmp community delete command.

config snmp community delete name

Syntax Description

name

SNMP community name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete an SNMP community named test:


(Cisco Controller) > config snmp community delete test

config snmp community ipaddr

To configure the IPv4 or IPv6 address of an SNMP community, use the config snmp community ipaddr command.

config snmp community ipaddr IP addr IPv4 mask/IPv6 Prefix length name

Syntax Description

IP addr

SNMP community IPv4 or IPv6 address.

IPv4 mask/IPv6 Prefix length

SNMP community IP mask (IPv4 mask or IPv6 Prefix length). The IPv6 prefix length is from 0 to 128.

name

SNMP community name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

  • This command is applicable for both IPv4 and IPv6 addresses.

  • This command is not applicable for default SNMP community (public, private).

Examples

The following example shows how to configure an SNMP community with the IPv4 address 10.10.10.10, IPv4 mask 255.255.255.0, and SNMP community named comaccess:


(Cisco Controller) > config snmp community ipaddr 10.10.10.10 255.255.255.0 comaccess

The following example shows how to configure an SNMP community with the IPv6 address 2001:9:2:16::1, IPv6 prefix length 64, and SNMP community named comaccess:


(Cisco Controller) > config snmp community ipaddr 2001:9:2:16::1 64 comaccess

config snmp community mode

To enable or disable an SNMP community, use the config snmp community mode command.

config snmp community mode { enable | disable} name

Syntax Description

enable

Enables the community.

disable

Disables the community.

name

SNMP community name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the SNMP community named public:


(Cisco Controller) > config snmp community mode enable public

config snmp engineID

To configure the SNMP engine ID, use the config snmp engineID command.

config snmp engineID { engine_id | default}

Syntax Description

engine_id

Engine ID in hexadecimal characters (a minimum of 10 and a maximum of 24 characters are allowed).

default

Restores the default engine ID.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The SNMP engine ID is a unique string used to identify the device for administration purposes. You do not need to specify an engine ID for the device because a default string is automatically generated using Cisco’s enterprise number and the MAC address of the first interface on the device.

If you change the engine ID, then a reboot is required for the change to take effect.

Caution If you change the value of the SNMP engine ID, then the password of the user entered on the command line is converted to an MD5 (Message-Digest algorithm 5) or SHA (Secure Hash Algorithm) security digest. This digest is based on both the password and the local engine ID. The command line password is then deleted. Because of this deletion, if the local value of the engine ID changes, the security digests of the SNMP users will become invalid, and the users will have to be reconfigured.

Examples

The following example shows how to configure the SNMP engine ID with the value fffffffffff:


(Cisco Controller) > config snmp engineID fffffffffff
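
The Caution above states that the stored digest depends on both the password and the local engine ID. As an added example (not Cisco code), the following Python code implements the standard SNMPv3 key localization from RFC 3414 Appendix A.2 and shows that a digest derived for one engine ID no longer matches once the engine ID changes. It assumes the controller follows that RFC; the password and first engine ID are the RFC test vector, and NEW_ENGINE_ID is a constructed value.

```python
"""SNMPv3 USM key localization (RFC 3414, Appendix A.2), standard library only."""
import hashlib
import hmac

STRETCH_LEN = 1_048_576  # RFC 3414: hash exactly 1,048,576 bytes of repeated password


def password_to_key(password: str, hash_name: str) -> bytes:
    """Step 1: stretch the password into the engine-independent user key Ku."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(STRETCH_LEN, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Step 2: bind Ku to one engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_digest(password: str, engine_id_hex: str, hash_name: str) -> bytes:
    """The value an agent can keep once the command-line password is deleted."""
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_key(password, hash_name)
    return localize_key(ku, engine_id, hash_name)


def digest_still_valid(stored: bytes, password: str, engine_id_hex: str,
                       hash_name: str) -> bool:
    """Does a key derived from the current engine ID still match `stored`?"""
    candidate = localized_digest(password, engine_id_hex, hash_name)
    return hmac.compare_digest(stored, candidate)


# RFC 3414 A.3 test vector: password and engine ID are taken from the RFC.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"
# Constructed value standing in for an engine ID changed with config snmp engineID.
NEW_ENGINE_ID = "0000000000000000000000ff"

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        stored = localized_digest(RFC_PASSWORD, RFC_ENGINE_ID, algo)
        print(algo, stored.hex())
        print("  valid with original engine ID:",
              digest_still_valid(stored, RFC_PASSWORD, RFC_ENGINE_ID, algo))
        print("  valid after engine ID change: ",
              digest_still_valid(stored, RFC_PASSWORD, NEW_ENGINE_ID, algo))
```

Because only the localized digest is kept, the original password cannot be re-localized on the device after the engine ID changes, which is why the users have to be reconfigured.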

config snmp syscontact

To set the SNMP system contact name, use the config snmp syscontact command.

config snmp syscontact contact

Syntax Description

contact

SNMP system contact name. Valid value can be up to 255 printable characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the SNMP system contact named Cisco WLAN Solution_administrator:


(Cisco Controller) > config snmp syscontact Cisco WLAN Solution_administrator

config snmp syslocation

To configure the SNMP system location name, use the config snmp syslocation command.

config snmp syslocation location

Syntax Description

location

SNMP system location name. Valid value can be up to 255 printable characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the SNMP system location name to Building_2a:


(Cisco Controller) > config snmp syslocation Building_2a

config snmp trapreceiver create

To configure a server to receive SNMP traps, use the config snmp trapreceiver create command.

config snmp trapreceiver create name IP addr

Syntax Description

name

SNMP community name. The name can contain up to 31 characters.

IP addr

Configure the IPv4 or IPv6 address of where to send SNMP traps.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

The IPv4 or IPv6 address must be valid for the command to add the new server.

Examples

The following example shows how to add a new SNMP trap receiver with the SNMP trap receiver named test and IP address 10.1.1.1:


(Cisco Controller) > config snmp trapreceiver create test 10.1.1.1

The following example shows how to add a new SNMP trap receiver with the SNMP trap receiver named test and IP address 2001:10:1:1::1:


(Cisco Controller) > config snmp trapreceiver create test 2001:10:1:1::1

config snmp trapreceiver delete

To delete a server from the trap receiver list, use the config snmp trapreceiver delete command.

config snmp trapreceiver delete name

Syntax Description

name

SNMP community name. The name can contain up to 16 characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a server named test from the SNMP trap receiver list:


(Cisco Controller) > config snmp trapreceiver delete test

config snmp trapreceiver mode

To send or disable sending traps to a selected server, use the config snmp trapreceiver mode command.

config snmp trapreceiver mode { enable | disable} name

Syntax Description

enable

Enables an SNMP trap receiver.

disable

Disables an SNMP trap receiver.

name

SNMP community name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command enables or disables the Cisco wireless LAN controller from sending the traps to the selected server.

Examples

The following example shows how to disable an SNMP trap receiver from sending traps to a server named server1:


(Cisco Controller) > config snmp trapreceiver mode disable server1

config snmp v3user create

To create a version 3 SNMP user, use the config snmp v3user create command.

config snmp v3user create username { ro | rw} { none | hmacmd5 | hmacsha} { none | des | aescfb128} [ auth_key] [ encrypt_key]

Syntax Description

username

Version 3 SNMP username.

ro

Specifies a read-only user privilege.

rw

Specifies a read-write user privilege.

none

Specifies if no authentication is required.

hmacmd5

Specifies Hashed Message Authentication Coding Message Digest 5 (HMAC-MD5) for authentication.

hmacsha

Specifies Hashed Message Authentication Coding-Secure Hashing Algorithm (HMAC-SHA) for authentication.

none

Specifies if no encryption is required.

des

Specifies to use Cipher Block Chaining-Digital Encryption Standard (CBC-DES) encryption.

aescfb128

Specifies to use Cipher Feedback Mode-Advanced Encryption Standard-128 (CFB-AES-128) encryption.

auth_key

(Optional) Authentication key for the HMAC-MD5 or HMAC-SHA authentication protocol.

encrypt_key

(Optional) Encryption key for the CBC-DES or CFB-AES-128 encryption protocol.

Command Default

SNMP v3 username     AccessMode    Authentication Encryption
-------------------- ------------- -------------- -----------
default              Read/Write    HMAC-SHA       CFB-AES

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add an SNMP username named test with read-only privileges and no encryption or authentication:


(Cisco Controller) > config snmp v3user create test ro none none

config snmp v3user delete

To delete a version 3 SNMP user, use the config snmp v3user delete command.

config snmp v3user delete username

Syntax Description

username

Username to delete.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to remove an SNMP user named test:


(Cisco Controller) > config snmp v3user delete test

config snmp version

To enable or disable selected SNMP versions, use the config snmp version command.

config snmp version { v1 | v2 | v3} { enable | disable}

Syntax Description

v1

Specifies an SNMP version to enable or disable.

v2

Specifies an SNMP version to enable or disable.

v3

Specifies an SNMP version to enable or disable.

enable

Enables a specified version.

disable

Disables a specified version.

Command Default

By default, all the SNMP versions are enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable SNMP version v1:


(Cisco Controller) > config snmp version v1 enable
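
A set of the config snmp commands documented above can be reviewed offline before it is applied. As an added example (not part of the Cisco documentation), this Python audit reads commands written in this page's syntax and flags cleartext SNMP versions, enabled well-known communities, read/write communities, source masks that match any client, and v3 users without strong authentication or encryption. The sample commands, the names wideopen, legacy and nms, the key placeholders and the rule names are constructed for illustration.

```python
import ipaddress
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample: commands written in the syntax documented on this page.
SAMPLE_CONFIG = """\
config snmp version v1 enable
config snmp version v3 enable
config snmp community mode enable public
config snmp community accessmode rw private
config snmp community create comaccess
config snmp community ipaddr 10.10.10.10 255.255.255.0 comaccess
config snmp community ipaddr 0.0.0.0 0.0.0.0 wideopen
config snmp v3user create test ro none none
config snmp v3user create legacy ro hmacmd5 des AUTH_KEY_PLACEHOLDER ENC_KEY_PLACEHOLDER
config snmp v3user create nms ro hmacsha aescfb128 AUTH_KEY_PLACEHOLDER ENC_KEY_PLACEHOLDER
"""


def _matches_any(mask):
    """True for an IPv4 mask of 0.0.0.0 or a prefix length of 0."""
    if mask.isdigit():
        return int(mask) == 0
    try:
        return int(ipaddress.IPv4Address(mask)) == 0
    except ipaddress.AddressValueError:
        return False


def _community(args):
    out = []
    sub = args[0]
    if sub == "mode" and len(args) == 3 and args[1] == "enable" \
            and args[2] in DEFAULT_COMMUNITIES:
        out.append(("default-community", f"well-known community '{args[2]}' is enabled"))
    elif sub == "accessmode" and len(args) == 3 and args[1] == "rw":
        out.append(("community-write", f"community '{args[2]}' grants read/write access"))
    elif sub == "ipaddr" and len(args) == 4 and _matches_any(args[2]):
        out.append(("any-source", f"community '{args[3]}' accepts any client address"))
    return out


def _v3user(args):
    out = []
    if args[0] != "create" or len(args) < 5:
        return out
    user, auth, priv = args[1], args[3], args[4]
    if auth == "none":
        out.append(("v3-no-auth", f"user '{user}' has no authentication"))
    elif auth == "hmacmd5":
        out.append(("v3-weak-auth", f"user '{user}' uses HMAC-MD5; prefer hmacsha"))
    if priv == "none":
        out.append(("v3-no-priv", f"user '{user}' has no encryption"))
    elif priv == "des":
        out.append(("v3-weak-priv", f"user '{user}' uses CBC-DES; prefer aescfb128"))
    return out


def audit(config_text):
    """Return (line number, rule id, message) for each weak setting found."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = shlex.split(raw)
        if len(tok) < 4 or tok[:2] != ["config", "snmp"]:
            continue
        area, args = tok[2], tok[3:]
        hits = []
        if area == "version" and args == [args[0], "enable"] and args[0] in ("v1", "v2"):
            hits.append(("cleartext-version",
                         f"SNMP {args[0]} sends the community string unencrypted"))
        elif area == "community":
            hits = _community(args)
        elif area == "v3user":
            hits = _v3user(args)
        findings.extend((lineno, rule, msg) for rule, msg in hits)
    return findings


if __name__ == "__main__":
    for lineno, rule, msg in audit(SAMPLE_CONFIG):
        print(f"line {lineno:2}: [{rule}] {msg}")
```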

Configure Spanning Tree Protocol Commands

Use the config spanningtree commands to configure Spanning Tree Protocol settings.

config spanningtree port mode

To turn fast or 802.1D Spanning Tree Protocol (STP) on or off for one or all Cisco wireless LAN controller ports, use the config spanningtree port mode command.

config spanningtree port mode { off | 802.1d | fast} { port | all}

Syntax Description

off

Disables STP for the specified ports.

802.1d

Specifies a supported port mode as 802.1D.

fast

Specifies a supported port mode as fast.

port

Port number (1 through 12 or 1 through 24).

all

Configures all ports.

Command Default

The default is that port STP is off.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When the Cisco 4400 Series Wireless LAN Controller is configured for port redundancy, STP must be disabled for all ports on the controller. STP can remain enabled on the switch connected to the controller.

Entering this command allows the controller to set up STP, detect logical network loops, place redundant ports on standby, and build a network with the most efficient pathways.

Examples

The following example shows how to disable STP for all Ethernet ports:


(Cisco Controller) > config spanningtree port mode off all

The following example shows how to turn on STP 802.1D mode for Ethernet port 24:


(Cisco Controller) > config spanningtree port mode 802.1d 24

The following example shows how to turn on fast STP mode for Ethernet port 2:


(Cisco Controller) > config spanningtree port mode fast 2

config spanningtree port pathcost

To set the Spanning Tree Protocol (STP) path cost for an Ethernet port, use the config spanningtree port pathcost command.

config spanningtree port pathcost { cost | auto} { port | all}

Syntax Description

cost

Cost in decimal as determined by the network planner.

auto

Specifies the default cost.

port

Port number (1 through 12 or 1 through 24), or all to configure all ports.

all

Specifies to configure all ports.

Command Default

The default STP path cost for an Ethernet port is auto.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When the Cisco 4400 Series Wireless LAN Controller is configured for port redundancy, STP must be disabled for all ports on the controller. STP can remain enabled on the switch that is connected to the controller.

Examples

The following example shows how to have the STP algorithm automatically assign a path cost for all ports:


(Cisco Controller) > config spanningtree port pathcost auto all

The following example shows how to have the STP algorithm use a port cost of 200 for port 22:


(Cisco Controller) > config spanningtree port pathcost 200 22

config spanningtree port priority

To configure the Spanning Tree Protocol (STP) port priority, use the config spanningtree port priority command.

config spanningtree port priority priority_num port

Syntax Description

priority_num

Priority number from 0 to 255.

port

Port number (1 through 12 or 1 through 24).

Command Default

The default STP priority value is 128.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When the Cisco 4400 Series Wireless LAN Controller is configured for port redundancy, STP must be disabled for all ports on the controller. STP can remain enabled on the switch connected to the controller.

Examples

The following example shows how to set Ethernet port 2 to STP priority 100:


(Cisco Controller) > config spanningtree port priority 100 2

config spanningtree switch bridgepriority

To set the bridge ID, use the config spanningtree switch bridgepriority command.

config spanningtree switch bridgepriority priority_num

Syntax Description

priority_num

Priority number between 0 and 65535.

Command Default

The default priority number value to set the bridge ID is 32768.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines


Note


When the Cisco 4400 Series Wireless LAN Controller is configured for port redundancy, STP must be disabled for all ports on the controller. STP can remain enabled on the switch connected to the controller.


This command sets the writable portion of the Bridge ID, that is, the first two octets of the 8-octet Bridge ID. The last 6 octets of the Bridge ID are given by the Bridge MAC address. The value may be specified as a number between 0 and 65535.

Examples

The following example shows how to configure spanning tree values on a per switch basis with the bridge priority 40230:


(Cisco Controller) > config spanningtree switch bridgepriority 40230

config spanningtree switch forwarddelay

To set the bridge timeout, use the config spanningtree switch forwarddelay command.

config spanningtree switch forwarddelay seconds

Syntax Description

seconds

Timeout in seconds (between 4 and 30).

Command Default

The default value to set a bridge timeout is 15 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This is the value that all bridges use for forward delay when this bridge is acting as the root. 802.1D-1990 specifies that the range for this setting is related to the value of the STP bridge maximum age. The granularity of this timer is specified by 802.1D-1990 to be 1 second. An agent may return a badValue error if a set is attempted to a value that is not a whole number of seconds. The default is 15. Valid values are 4 through 30 seconds.

Examples

The following example shows how to configure spanning tree values on a per switch basis with the bridge timeout as 20 seconds:


(Cisco Controller) > config spanningtree switch forwarddelay 20

config spanningtree switch hellotime

To set the hello time, use the config spanningtree switch hellotime command.

config spanningtree switch hellotime seconds

Syntax Description

seconds

STP hello time in seconds.

Command Default

The default hello time value is 15.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

All bridges use this value for HelloTime when this bridge is acting as the root. The granularity of this timer is specified by 802.1D-1990 to be 1 second. Valid values are 1 through 10 seconds.

Examples

The following example shows how to configure the STP hello time to 4 seconds:


(Cisco Controller) > config spanningtree switch hellotime 4

config spanningtree switch maxage

To set the maximum age, use the config spanningtree switch maxage command.

config spanningtree switch maxage seconds

Syntax Description

seconds

STP bridge maximum age in seconds.

Command Default

The default value for maximum age is 20.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

All bridges use this value for MaxAge when this bridge is acting as the root. 802.1D-1990 specifies that the range for this parameter is related to the value of Stp Bridge Hello Time. The granularity of this timer is specified by 802.1D-1990 to be 1 second. Valid values are 6 through 40 seconds.

Examples

The following example shows how to configure the STP bridge maximum age to 30 seconds:


(Cisco Controller) > config spanningtree switch maxage 30
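
The forwarddelay, hellotime and maxage guidelines above say the timers are related but do not give the relationship. As an added example (not part of the Cisco documentation), this Python check applies the ranges documented on this page together with the IEEE 802.1D constraints 2 x (forward delay - 1) >= max age and max age >= 2 x (hello time + 1); the second command set is constructed, and whether the controller itself enforces these constraints is not stated on this page.

```python
import shlex

# Valid ranges in seconds, as documented on this page.
RANGES = {"forwarddelay": (4, 30), "hellotime": (1, 10), "maxage": (6, 40)}

# The three example commands shown on this page.
PAGE_EXAMPLES = """\
config spanningtree switch forwarddelay 20
config spanningtree switch hellotime 4
config spanningtree switch maxage 30
"""

# Constructed input: each value is inside its range, but the set is inconsistent.
CONSTRUCTED_BAD = """\
config spanningtree switch forwarddelay 4
config spanningtree switch hellotime 10
config spanningtree switch maxage 20
"""


def parse_timers(text):
    """Collect the last value given for each switch timer command."""
    timers = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if (len(tok) == 5 and tok[:3] == ["config", "spanningtree", "switch"]
                and tok[3] in RANGES):
            timers[tok[3]] = tok[4]
    return timers


def check_timers(timers):
    """Return a list of problems; an empty list means the set is consistent."""
    problems, values = [], {}
    for name, raw in timers.items():
        low, high = RANGES[name]
        if not raw.isdigit():
            problems.append(f"{name}: '{raw}' is not a whole number of seconds")
        elif not low <= int(raw) <= high:
            problems.append(f"{name}: {raw} is outside {low} through {high} seconds")
        else:
            values[name] = int(raw)
    fwd, hello, age = (values.get(k) for k in ("forwarddelay", "hellotime", "maxage"))
    # 802.1D: 2 x (Bridge_Forward_Delay - 1 s) >= Bridge_Max_Age
    if fwd is not None and age is not None and 2 * (fwd - 1) < age:
        problems.append(f"maxage {age} exceeds 2 x (forwarddelay {fwd} - 1) = {2 * (fwd - 1)}")
    # 802.1D: Bridge_Max_Age >= 2 x (Bridge_Hello_Time + 1 s)
    if hello is not None and age is not None and age < 2 * (hello + 1):
        problems.append(f"maxage {age} is below 2 x (hellotime {hello} + 1) = {2 * (hello + 1)}")
    return problems


if __name__ == "__main__":
    for label, text in (("page examples", PAGE_EXAMPLES), ("constructed", CONSTRUCTED_BAD)):
        issues = check_timers(parse_timers(text))
        print(label, "->", issues or "consistent")
```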

config spanningtree switch mode

To turn the Cisco wireless LAN controller Spanning Tree Protocol (STP) on or off, use the config spanningtree switch mode command.

config spanningtree switch mode { enable | disable}

Syntax Description

enable

Enables STP on the switch.

disable

Disables STP on the switch.

Command Default

The default is that STP is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Using this command allows the controller to set up STP, detect logical network loops, place redundant ports on standby, and build a network with the most efficient pathways.

Examples

The following example shows how to support STP on all Cisco wireless LAN controller ports:


(Cisco Controller) > config spanningtree switch mode enable

Configure TACACS Commands

Use the config tacacs commands to configure TACACS+ settings.

config tacacs acct

To configure TACACS+ accounting server settings, use the config tacacs acct command.

config tacacs acct { add 1-3 IP addr port ascii/hex secret | delete 1-3 | disable 1-3 | enable 1-3 | server-timeout 1-3 seconds}

Syntax Description

add

Adds a new TACACS+ accounting server.

1-3

Specifies TACACS+ accounting server index from 1 to 3.

IP addr

Specifies IPv4 or IPv6 address of the TACACS+ accounting server.

port

Specifies TACACS+ Server's TCP port.

ascii/hex

Specifies type of TACACS+ server's secret being used (ASCII or HEX).

secret

Specifies secret key in ASCII or hexadecimal characters.

delete

Deletes a TACACS+ server.

disable

Disables a TACACS+ server.

enable

Enables a TACACS+ server.

server-timeout

Changes the default server timeout for the TACACS+ server.

seconds

Specifies the number of seconds before the TACACS+ server times out. The server timeout range is from 5 to 30 seconds.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to add a new TACACS+ accounting server index 1 with the IPv4 address 10.0.0.0, port number 49, and secret key 12345678 in ASCII:


(Cisco Controller) > config tacacs acct add 1 10.0.0.0 49 ascii 12345678

The following example shows how to add a new TACACS+ accounting server index 1 with the IPv6 address 2001:9:6:40::623, port number 49, and secret key 12345678 in ASCII:


(Cisco Controller) > config tacacs acct add 1 2001:9:6:40::623 49 ascii 12345678

The following example shows how to configure the server timeout of 5 seconds for the TACACS+ accounting server:


(Cisco Controller) > config tacacs acct server-timeout 1 5

config tacacs athr

To configure TACACS+ authorization server settings, use the config tacacs athr command.

config tacacs athr { add 1-3 IP addr port ascii/hex secret | delete 1-3 | disable 1-3 | enable 1-3 | mgmt-server-timeout 1-3 seconds | server-timeout 1-3 seconds}

Syntax Description

add

Adds a new TACACS+ authorization server (IPv4 or IPv6).

1-3

TACACS+ server index from 1 to 3.

IP addr

TACACS+ authorization server IP address (IPv4 or IPv6).

port

TACACS+ server TCP port.

ascii/hex

Type of secret key being used (ASCII or HEX).

secret

Secret key in ASCII or hexadecimal characters.

delete

Deletes a TACACS+ server.

disable

Disables a TACACS+ server.

enable

Enables a TACACS+ server.

mgmt-server-timeout 1-3 seconds

Changes the default management login server timeout for the server. The number of seconds before server times out is from 1 to 30 seconds.

server-timeout 1-3 seconds

Changes the default network login server timeout for the server. The number of seconds before server times out is from 5 to 30 seconds.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to add a new TACACS+ authorization server index 1 with the IPv4 address 10.0.0.0, port number 49, and secret key 12345678 in ASCII:


(Cisco Controller) > config tacacs athr add 1 10.0.0.0 49 ascii 12345678

The following example shows how to add a new TACACS+ authorization server index 1 with the IPv6 address 2001:9:6:40::623, port number 49, and secret key 12345678 in ASCII:


(Cisco Controller) > config tacacs athr add 1 2001:9:6:40::623 49 ascii 12345678

The following example shows how to configure the retransmit timeout of 5 seconds for the TACACS+ authorization server:


(Cisco Controller) > config tacacs athr server-timeout 1 5

config tacacs athr mgmt-server-timeout

To configure a default TACACS+ authorization server timeout for management users, use the config tacacs athr mgmt-server-timeout command.

config tacacs athr mgmt-server-timeout index timeout

Syntax Description

index

TACACS+ authorization server index.

timeout

Timeout value. The range is 1 to 30 seconds.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default TACACS+ authorization server timeout for management users:


(Cisco Controller) > config tacacs athr mgmt-server-timeout 1 10

config tacacs auth mgmt-server-timeout

To configure a default TACACS+ authentication server timeout for management users, use the config tacacs auth mgmt-server-timeout command.

config tacacs auth mgmt-server-timeout index timeout

Syntax Description

index

TACACS+ authentication server index.

timeout

Timeout value. The range is 1 to 30 seconds.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default TACACS+ authentication server timeout for management users:


(Cisco Controller) > config tacacs auth mgmt-server-timeout 1 10

config tacacs auth

To configure TACACS+ authentication server settings, use the config tacacs auth command.

config tacacs auth { add 1-3 IP addr port ascii/hex secret | delete 1-3 | disable 1-3 | enable 1-3 | mgmt-server-timeout 1-3 seconds | server-timeout 1-3 seconds}

Syntax Description

add

Adds a new TACACS+ authentication server.

1-3

TACACS+ authentication server index from 1 to 3.

IP addr

IP address for the TACACS+ authentication server.

port

Controller port used for the TACACS+ authentication server.

ascii/hex

Type of secret key being used (ASCII or HEX).

secret

Secret key in ASCII or hexadecimal characters.

delete

Deletes a TACACS+ server.

disable

Disables a TACACS+ server.

enable

Enables a TACACS+ server.

mgmt-server-timeout 1-3 seconds

Changes the default management login server timeout for the server. The number of seconds before server times out is from 1 to 30 seconds.

server-timeout 1-3 seconds

Changes the default network login server timeout for the server. The number of seconds before server times out is from 5 to 30 seconds.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to add a new TACACS+ authentication server index 1 with the IPv4 address 10.0.0.3, port number 49, and secret key 12345678 in ASCII:


(Cisco Controller) > config tacacs auth add 1 10.0.0.3 49 ascii 12345678

The following example shows how to add a new TACACS+ authentication server index 1 with the IPv6 address 2001:9:6:40::623, port number 49, and secret key 12345678 in ASCII:


(Cisco Controller) > config tacacs auth add 1 2001:9:6:40::623 49 ascii 12345678

The following example shows how to configure the server timeout for TACACS+ authentication server:


(Cisco Controller) > config tacacs auth server-timeout 1 5

config tacacs dns

To retrieve the TACACS IP information from a DNS server, use the config tacacs dns command.

config tacacs dns { global port { ascii | hex } secret | query url timeout | serverip ip_address | disable | enable }

Syntax Description

global

Configures the global port and secret to retrieve the TACACS IP information from a DNS server.

port

Port number for authentication. The range is from 1 to 65535. All the DNS servers should use the same authentication port.

ascii

Format of the shared secret that you should set to ASCII.

hex

Format of the shared secret that you should set to hexadecimal.

secret

TACACS server login secret.

query

Configures the fully qualified domain name (FQDN) of the TACACS server and DNS timeout.

url

FQDN of the TACACS server. The FQDN can be up to 63 case-sensitive, alphanumeric characters.

timeout

Maximum time that the controller waits for, in days, before timing out a request and resending it. The range is from 1 to 180.

serverip

Configures the DNS server IP address.

ip_address

DNS server IP address.

disable

Disables the TACACS DNS feature. The default is disabled.

enable

Enables the controller to retrieve the TACACS IP information from a DNS server.

Command Default

You cannot retrieve the TACACS IP information from a DNS server.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The accounting port is derived from the authentication port. All the DNS servers should use the same secret. When you enable a DNS query, the static configurations will be overridden. The DNS list overrides the static AAA list.

Examples

The following example shows how to enable the TACACS DNS feature on the controller:

(Cisco Controller) > config tacacs dns enable

Configure Trap Flag Commands

Use the config trapflags commands to configure trap flags settings.

config trapflags 802.11-Security

To enable or disable sending 802.11 security-related traps, use the config trapflags 802.11-Security command.

config trapflags 802.11-Security wepDecryptError { enable | disable }

Syntax Description

enable

Enables sending 802.11 security-related traps.

disable

Disables sending 802.11 security-related traps.

Command Default

By default, sending the 802.11 security-related traps is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the 802.11 security related traps:


(Cisco Controller) > config trapflags 802.11-Security wepDecryptError disable

config trapflags aaa

To enable or disable the sending of AAA server-related traps, use the config trapflags aaa command.

config trapflags aaa { auth | servers} { enable | disable}

Syntax Description

auth

Enables trap sending when an AAA authentication failure occurs for management user, net user, or MAC filter.

servers

Enables trap sending when no RADIUS servers are responding.

enable

Enables the sending of AAA server-related traps.

disable

Disables the sending of AAA server-related traps.

Command Default

By default, the sending of AAA server-related traps is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the sending of AAA server-related traps:


(Cisco Controller) > config trapflags aaa auth enable 

config trapflags ap

To enable or disable the sending of Cisco lightweight access point traps, use the config trapflags ap command.

config trapflags ap { register | interfaceUp} { enable | disable}

Syntax Description

register

Enables sending a trap when a Cisco lightweight access point registers with Cisco switch.

interfaceUp

Enables sending a trap when a Cisco lightweight access point interface (A or B) comes up.

enable

Enables sending access point-related traps.

disable

Disables sending access point-related traps.

Command Default

By default, the sending of Cisco lightweight access point traps is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to prevent the sending of access point-related traps:


(Cisco Controller) > config trapflags ap register disable

config trapflags authentication

To enable or disable sending traps with invalid SNMP access, use the config trapflags authentication command.

config trapflags authentication { enable | disable}

Syntax Description

enable

Enables sending traps with invalid SNMP access.

disable

Disables sending traps with invalid SNMP access.

Command Default

By default, sending traps with invalid SNMP access is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to prevent sending traps on invalid SNMP access:


(Cisco Controller) > config trapflags authentication disable

config trapflags client

To enable or disable the sending of client-related DOT11 traps, use the config trapflags client command.

config trapflags client { 802.11-associate | 802.11-disassociate | 802.11-deauthenticate | 802.11-authfail | 802.11-assocfail | authentication | excluded} { enable | disable}

Syntax Description

802.11-associate

Enables the sending of Dot11 association traps to clients.

802.11-disassociate

Enables the sending of Dot11 disassociation traps to clients.

802.11-deauthenticate

Enables the sending of Dot11 deauthentication traps to clients.

802.11-authfail

Enables the sending of Dot11 authentication fail traps to clients.

802.11-assocfail

Enables the sending of Dot11 association fail traps to clients.

authentication

Enables the sending of authentication success traps to clients.

excluded

Enables the sending of excluded trap to clients.

enable

Enables sending of client-related DOT11 traps.

disable

Disables sending of client-related DOT11 traps.

Command Default

By default, the sending of client-related DOT11 traps is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the sending of Dot11 disassociation trap to clients:


(Cisco Controller) > config trapflags client 802.11-disassociate enable

config trapflags configsave

To enable or disable the sending of configuration-saved traps, use the config trapflags configsave command.

config trapflags configsave { enable | disable}

Syntax Description

enable

Enables sending of configuration-saved traps.

disable

Disables the sending of configuration-saved traps.

Command Default

By default, the sending of configuration-saved traps is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the sending of configuration-saved traps:


(Cisco Controller) > config trapflags configsave enable

config trapflags IPsec

To enable or disable the sending of IPsec traps, use the config trapflags IPsec command.

config trapflags IPsec { esp-auth | esp-reply | invalidSPI | ike-neg | suite-neg | invalid-cookie} { enable | disable}

Syntax Description

esp-auth

Enables the sending of IPsec traps when an ESP authentication failure occurs.

esp-reply

Enables the sending of IPsec traps when an ESP replay failure occurs.

invalidSPI

Enables the sending of IPsec traps when an ESP invalid SPI is detected.

ike-neg

Enables the sending of IPsec traps when an IKE negotiation failure occurs.

suite-neg

Enables the sending of IPsec traps when a suite negotiation failure occurs.

invalid-cookie

Enables the sending of IPsec traps when an ISAKMP invalid cookie is detected.

enable

Enables sending of IPsec traps.

disable

Disables sending of IPsec traps.

Command Default

By default, the sending of IPsec traps is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the sending of IPsec traps when ESP authentication failure occurs:


(Cisco Controller) > config trapflags IPsec esp-auth enable

config trapflags linkmode

To enable or disable the controller level link up/down trap flags, use the config trapflags linkmode command.

config trapflags linkmode { enable | disable}

Syntax Description

enable

Enables the controller level link up/down trap flags.

disable

Disables Cisco wireless LAN controller level link up/down trap flags.

Command Default

By default, the controller level link up/down trap flags are enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the Cisco wireless LAN controller level link up/down trap:


(Cisco Controller) > config trapflags linkmode disable

config trapflags multiusers

To enable or disable the sending of traps when multiple logins are active, use the config trapflags multiusers command.

config trapflags multiusers { enable | disable}

Syntax Description

enable

Enables the sending of traps when multiple logins are active.

disable

Disables the sending of traps when multiple logins are active.

Command Default

By default, the sending of traps when multiple logins are active is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the sending of traps when multiple logins are active:


(Cisco Controller) > config trapflags multiusers disable

config trapflags rogueap

To enable or disable sending rogue access point detection traps, use the config trapflags rogueap command.

config trapflags rogueap { enable | disable}

Syntax Description

enable

Enables the sending of rogue access point detection traps.

disable

Disables the sending of rogue access point detection traps.

Command Default

By default, the sending of rogue access point detection traps is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the sending of rogue access point detection traps:


(Cisco Controller) > config trapflags rogueap disable

config trapflags rrm-params

To enable or disable the sending of Radio Resource Management (RRM) parameters traps, use the config trapflags rrm-params command.

config trapflags rrm-params { tx-power | channel | antenna} { enable | disable}

Syntax Description

tx-power

Enables trap sending when the RF manager automatically changes the tx-power level for the Cisco lightweight access point interface.

channel

Enables trap sending when the RF manager automatically changes the channel for the Cisco lightweight access point interface.

antenna

Enables trap sending when the RF manager automatically changes the antenna for the Cisco lightweight access point interface.

enable

Enables the sending of RRM parameter-related traps.

disable

Disables the sending of RRM parameter-related traps.

Command Default

By default, the sending of RRM parameters traps is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the sending of RRM parameter-related traps:


(Cisco Controller) > config trapflags rrm-params tx-power enable

config trapflags rrm-profile

To enable or disable the sending of Radio Resource Management (RRM) profile-related traps, use the config trapflags rrm-profile command.

config trapflags rrm-profile { load | noise | interference | coverage} { enable | disable}

Syntax Description

load

Enables trap sending when the load profile maintained by the RF manager fails.

noise

Enables trap sending when the noise profile maintained by the RF manager fails.

interference

Enables trap sending when the interference profile maintained by the RF manager fails.

coverage

Enables trap sending when the coverage profile maintained by the RF manager fails.

enable

Enables the sending of RRM profile-related traps.

disable

Disables the sending of RRM profile-related traps.

Command Default

By default, the sending of RRM profile-related traps is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the sending of RRM profile-related traps:


(Cisco Controller) > config trapflags rrm-profile load disable

config trapflags stpmode

To enable or disable the sending of spanning tree traps, use the config trapflags stpmode command.

config trapflags stpmode { enable | disable}

Syntax Description

enable

Enables the sending of spanning tree traps.

disable

Disables the sending of spanning tree traps.

Command Default

By default, the sending of spanning tree traps is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the sending of spanning tree traps:


(Cisco Controller) > config trapflags stpmode disable

config trapflags wps

To enable or disable Wireless Protection System (WPS) trap sending, use the config trapflags wps command.

config trapflags wps { enable | disable}

Syntax Description

enable

Enables WPS trap sending.

disable

Disables WPS trap sending.

Command Default

By default, the WPS trap sending is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable WPS trap sending:


(Cisco Controller) > config trapflags wps disable
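The trap flags above have different defaults (client traps start disabled, the others start enabled), so the effective state depends on replaying a configuration in order. The following added example, which is not Cisco code, replays `config trapflags` lines against those documented defaults and lists the monitored traps that end up disabled. The `WATCHED` policy set, the function names, and the sample lines are assumptions constructed for illustration.

```python
import re

# Per command: (sub-flags, or None for a single on/off switch; documented default).
# Taken from the Syntax Description and Command Default sections above.
TRAPFLAGS = {
    "client": (("802.11-associate", "802.11-disassociate", "802.11-deauthenticate",
                "802.11-authfail", "802.11-assocfail", "authentication",
                "excluded"), False),
    "configsave": (None, True),
    "IPsec": (("esp-auth", "esp-reply", "invalidSPI", "ike-neg", "suite-neg",
               "invalid-cookie"), True),
    "linkmode": (None, True),
    "multiusers": (None, True),
    "rogueap": (None, True),
    "rrm-params": (("tx-power", "channel", "antenna"), True),
    "rrm-profile": (("load", "noise", "interference", "coverage"), True),
    "stpmode": (None, True),
    "wps": (None, True),
}

# Assumption: the traps a monitoring team wants enabled. This is local policy,
# not something the command reference prescribes.
WATCHED = {
    ("client", "802.11-authfail"), ("client", "excluded"),
    ("configsave", None), ("multiusers", None), ("rogueap", None), ("wps", None),
} | {("IPsec", flag) for flag in TRAPFLAGS["IPsec"][0]}

PROMPT = re.compile(r"^\(Cisco Controller\)\s*>\s*")

# Constructed sample input, not taken from a real controller.
SAMPLE_CONFIG = [
    "(Cisco Controller) > config trapflags rogueap disable",
    "config trapflags client 802.11-authfail enable",
    "config trapflags IPsec esp-auth disable",
    "config trapflags IPsec esp-auth enable",      # later line wins
    "config trapflags rrm-params tx-power disable",  # valid, but not watched
    "config trapflags wps off",                    # invalid keyword
    "config wlan enable 16",                       # unrelated command
]


def default_state():
    """Return {(command, flag): enabled} seeded with the documented defaults."""
    return {(cmd, flag): default
            for cmd, (flags, default) in TRAPFLAGS.items()
            for flag in (flags or (None,))}


def apply_commands(lines):
    """Replay lines in order; return (state, lines this example could not parse)."""
    state, rejected = default_state(), []
    for raw in lines:
        tokens = PROMPT.sub("", raw.strip()).split()
        if tokens[:2] != ["config", "trapflags"]:
            continue  # some other command; not our concern
        args = tokens[2:]
        cmd = args[0] if args else None
        if cmd not in TRAPFLAGS or args[-1] not in ("enable", "disable"):
            rejected.append(raw)
            continue
        flags, _ = TRAPFLAGS[cmd]
        middle = args[1:-1]
        if flags is None and not middle:
            key = (cmd, None)
        elif flags is not None and len(middle) == 1 and middle[0] in flags:
            key = (cmd, middle[0])
        else:
            rejected.append(raw)
            continue
        state[key] = args[-1] == "enable"
    return state, rejected


def audit(lines):
    """Return the watched traps that are disabled after replaying the lines."""
    state, _ = apply_commands(lines)
    return sorted(" ".join(filter(None, key)) for key in WATCHED if not state[key])


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("disabled:", finding)
```

Commands outside the ten covered here, including other `config trapflags` commands, are returned in the rejected list rather than guessed at.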

Configure Watchlist Commands

Use the config watchlist commands to configure watchlist settings.

config watchlist add

To add a watchlist entry for a wireless LAN, use the config watchlist add command.

config watchlist add { mac MAC | username username}

Syntax Description

mac MAC

Specifies the MAC address of the wireless LAN.

username username

Specifies the name of the user to watch.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a watchlist entry for the MAC address a5:6b:ac:10:01:6b:


(Cisco Controller) >config watchlist add mac a5:6b:ac:10:01:6b

config watchlist delete

To delete a watchlist entry for a wireless LAN, use the config watchlist delete command.

config watchlist delete { mac MAC | username username}

Syntax Description

mac MAC

Specifies the MAC address of the wireless LAN to delete from the list.

username username

Specifies the name of the user to delete from the list.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a watchlist entry for the MAC address a5:6b:ac:10:01:6b:


(Cisco Controller) >config watchlist delete mac a5:6b:ac:10:01:6b

config watchlist enable

To enable a watchlist entry for a wireless LAN, use the config watchlist enable command.

config watchlist enable

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a watchlist entry:


(Cisco Controller) >config watchlist enable

config watchlist disable

To disable the client watchlist, use the config watchlist disable command.

config watchlist disable

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the client watchlist:


(Cisco Controller) >config watchlist disable

Configure Wireless LAN Commands

Use the config wlan commands to configure wireless LAN command settings.

config wlan

To create, delete, enable, or disable a wireless LAN, use the config wlan command.

config wlan { enable | disable | create | delete} wlan_id [ name | foreignAp name ssid | all]

Syntax Description

enable

Enables a wireless LAN.

disable

Disables a wireless LAN.

create

Creates a wireless LAN.

delete

Deletes a wireless LAN.

wlan_id

Wireless LAN identifier between 1 and 512.

name

(Optional) WLAN profile name up to 32 alphanumeric characters.

foreignAp

(Optional) Specifies the third-party access point settings.

ssid

SSID (network name) up to 32 alphanumeric characters.

all

(Optional) Specifies all wireless LANs.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you create a new WLAN using the config wlan create command, it is created in disabled mode. Leave it disabled until you have finished configuring it.

If you do not specify an SSID, the profile name parameter is used for both the profile name and the SSID.

If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.

An error message appears if you try to delete a WLAN that is assigned to an access point group. If you proceed, the WLAN is removed from the access point group and from the access point’s radio.

Examples

The following example shows how to enable wireless LAN identifier 16:

(Cisco Controller) >config wlan enable 16

config wlan 7920-support

To configure support for phones, use the config wlan 7920-support command.

config wlan 7920-support { client-cac-limit | ap-cac-limit} { enable | disable} wlan_id

Syntax Description

ap-cac-limit

Supports phones that require client-controlled Call Admission Control (CAC) that expect the Cisco vendor-specific information element (IE).

client-cac-limit

Supports phones that require access point-controlled CAC that expect the IEEE 802.11e Draft 6 QBSS-load.

enable

Enables phone support.

disable

Disables phone support.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You cannot enable both WMM mode and client-controlled CAC mode on the same WLAN.

Examples

The following example shows how to enable the phone support that requires client-controlled CAC with wireless LAN ID 8:

(Cisco Controller) >config wlan 7920-support ap-cac-limit enable 8

config wlan 802.11e

To configure 802.11e support on a wireless LAN, use the config wlan 802.11e command.

config wlan 802.11e { allow | disable | require} wlan_id

Syntax Description

allow

Allows 802.11e-enabled clients on the wireless LAN.

disable

Disables 802.11e on the wireless LAN.

require

Requires 802.11e-enabled clients on the wireless LAN.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

802.11e provides quality of service (QoS) support for LAN applications, which is critical for delay-sensitive applications such as Voice over Wireless IP (VoWIP).

802.11e enhances the 802.11 Media Access Control layer (MAC layer) with a coordinated time division multiple access (TDMA) construct, and adds error-correcting mechanisms for delay sensitive applications such as voice and video. The 802.11e specification provides seamless interoperability and is especially well suited for use in networks that include a multimedia capability.

Examples

The following example shows how to allow 802.11e on the wireless LAN with LAN ID 1:

(Cisco Controller) >config wlan 802.11e allow 1

config wlan aaa-override

To configure a user policy override via AAA on a wireless LAN, use the config wlan aaa-override command.

config wlan aaa-override { enable | disable} { wlan_id | foreignAp}

Syntax Description

enable

Enables a policy override.

disable

Disables a policy override.

wlan_id

Wireless LAN identifier between 1 and 512.

foreignAp

Specifies third-party access points.

Command Default

AAA is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When AAA override is enabled and a client has conflicting AAA and Cisco wireless LAN controller wireless LAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the operating system will move clients from the default Cisco wireless LAN VLAN to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system will also use QoS, DSCP, 802.1p priority tag values, and ACLs provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as Identity Networking.)

If the corporate wireless LAN uses a management interface assigned to VLAN 2, and if AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.

When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is performed by the AAA server if the controller wireless LAN does not contain any client-specific authentication parameters.

The AAA override values might come from a RADIUS server.

Examples

The following example shows how to configure user policy override via AAA on WLAN ID 1:


(Cisco Controller) >config wlan aaa-override enable 1

config wlan acl

To configure a wireless LAN access control list (ACL), use the config wlan acl command.

config wlan acl wlan_id [ acl_name | none]

Syntax Description

wlan_id

Wireless LAN identifier (1 to 512).

acl_name

(Optional) ACL name.

none

(Optional) Clears the ACL settings for the specified wireless LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a WLAN access control list with WLAN ID 1 and ACL named office_1:

(Cisco Controller) >config wlan acl 1 office_1

config wlan apgroup

To manage access point group VLAN features, use the config wlan apgroup command.

config wlan apgroup { add apgroup_name [ description] | 
 delete apgroup_name | 
 description apgroup_name description | 
 interface-mapping { add | delete} apgroup_name wlan_id interface_name |
 nac-snmp { enable | disable} apgroup_name wlan_id |
 nasid NAS-ID apgroup_name |
 profile-mapping { add | delete} apgroup_name profile_name |
 wlan-radio-policy apgroup_name wlan-id { 802.11a-only | 802.11bg | 802.11g-only | all} |
 hotspot { venue { type apgroup_name group_code type_code | name apgroup_name language_code venue_name} |
 operating-class { add | delete} apgroup_name operating_class_value}}

Syntax Description

add

Creates a new access point group (AP group).

apgroup_name

Access point group name.

wlan_id

Wireless LAN identifier from 1 to 512.

delete

Removes a wireless LAN from an AP group.

description

Describes an AP group.

description

Description of the AP group.

interface-mapping

(Optional) Assigns or removes a Wireless LAN from an AP group.

interface_name

(Optional) Interface to which you want to map an AP group.

nac-snmp

Configures NAC SNMP functionality on given AP group. Enables or disables Network Admission Control (NAC) out-of-band support on an access point group.

enable

Enables NAC out-of-band support on an AP group.

disable

Disables NAC out-of-band support on an AP group.

NAS-ID

Network Access Server identifier (NAS-ID) for the AP group. The NAS-ID is sent to the RADIUS server by the controller (as a RADIUS client) using the authentication request, which is used to classify users to different groups. You can enter up to 32 alphanumeric characters. Beginning in Release 7.4 and later releases, you can configure the NAS-ID on the interface, WLAN, or an access point group. The order of priority is AP group NAS-ID > WLAN NAS-ID > Interface NAS-ID.

none

Configures the controller system name as the NAS-ID.

profile-mapping

Configures RF profile mapping on an AP group.

profile_name

RF profile name for a specified AP group.

wlan-radio-policy

Configures WLAN radio policy on an AP group.

802.11a-only

Configures WLAN radio policy on an AP group.

802.11bg

Configures WLAN radio policy on an AP group.

802.11g-only

Configures WLAN radio policy on an AP group.

all

Configures WLAN radio policy on an AP group.

hotspot

Configures a HotSpot on an AP group.

venue

Configures venue information for an AP group.

type

Configures the type of venue for an AP group.

group_code

Venue group information for an AP group.

The following options are available:
  • 0 : UNSPECIFIED

  • 1 : ASSEMBLY

  • 2 : BUSINESS

  • 3 : EDUCATIONAL

  • 4 : FACTORY-INDUSTRIAL

  • 5 : INSTITUTIONAL

  • 6 : MERCANTILE

  • 7 : RESIDENTIAL

  • 8 : STORAGE

  • 9 : UTILITY-MISC

  • 10 : VEHICULAR

  • 11 : OUTDOOR

type_code

Venue type information for an AP group.

For venue group 1 (ASSEMBLY), the following options are available:
  • 0 : UNSPECIFIED ASSEMBLY

  • 1 : ARENA

  • 2 : STADIUM

  • 3 : PASSENGER TERMINAL

  • 4 : AMPHITHEATER

  • 5 : AMUSEMENT PARK

  • 6 : PLACE OF WORSHIP

  • 7 : CONVENTION CENTER

  • 8 : LIBRARY

  • 9 : MUSEUM

  • 10 : RESTAURANT

  • 11 : THEATER

  • 12 : BAR

  • 13 : COFFEE SHOP

  • 14 : ZOO OR AQUARIUM

  • 15 : EMERGENCY COORDINATION CENTER

For venue group 2 (BUSINESS), the following options are available:
  • 0 : UNSPECIFIED BUSINESS

  • 1 : DOCTOR OR DENTIST OFFICE

  • 2 : BANK

  • 3 : FIRE STATION

  • 4 : POLICE STATION

  • 6 : POST OFFICE

  • 7 : PROFESSIONAL OFFICE

  • 8 : RESEARCH AND DEVELOPMENT FACILITY

  • 9 : ATTORNEY OFFICE

For venue group 3 (EDUCATIONAL), the following options are available:
  • 0 : UNSPECIFIED EDUCATIONAL

  • 1 : PRIMARY SCHOOL

  • 2 : SECONDARY SCHOOL

  • 3 : UNIVERSITY OR COLLEGE

For venue group 4 (FACTORY-INDUSTRIAL), the following options are available:
  • 0 : UNSPECIFIED FACTORY AND INDUSTRIAL

  • 1 : FACTORY

For venue group 5 (INSTITUTIONAL), the following options are available:
  • 0 : UNSPECIFIED INSTITUTIONAL

  • 1 : HOSPITAL

  • 2 : LONG-TERM CARE FACILITY

  • 3 : ALCOHOL AND DRUG RE-HABILITATION CENTER

  • 4 : GROUP HOME

  • 5 : PRISON OR JAIL

For venue group 6 (MERCANTILE), the following options are available:
  • 0 : UNSPECIFIED MERCANTILE

  • 1 : RETAIL STORE

  • 2 : GROCERY MARKET

  • 3 : AUTOMOTIVE SERVICE STATION

  • 4 : SHOPPING MALL

  • 5 : GAS STATION

For venue group 7 (RESIDENTIAL), the following options are available:
  • 0 : UNSPECIFIED RESIDENTIAL

  • 1 : PRIVATE RESIDENCE

  • 2 : HOTEL OR MOTEL

  • 3 : DORMITORY

  • 4 : BOARDING HOUSE

For venue group 8 (STORAGE), the following options are available:
  • 0 : UNSPECIFIED STORAGE

For venue group 9 (UTILITY-MISC), the following options are available:
  • 0 : UNSPECIFIED UTILITY AND MISCELLANEOUS

For venue group 10 (VEHICULAR), the following options are available:
  • 0 : UNSPECIFIED VEHICULAR

  • 1 : AUTOMOBILE OR TRUCK

  • 2 : AIRPLANE

  • 3 : BUS

  • 4 : FERRY

  • 5 : SHIP OR BOAT

  • 6 : TRAIN

  • 7 : MOTOR BIKE

For venue group 11 (OUTDOOR), the following options are available:
  • 0 : UNSPECIFIED OUTDOOR

  • 1 : MINI-MESH NETWORK

  • 2 : CITY PARK

  • 3 : REST AREA

  • 4 : TRAFFIC CONTROL

  • 5 : BUS STOP

  • 6 : KIOSK

name

Configures the name of venue for an AP group.

language_code

An ISO-639 encoded string defining the language used at the venue. This string is a three character language code. For example, you can enter ENG for English.

venue_name

Venue name for this AP group. This name is associated with the basic service set (BSS) and is used in cases where the SSID does not provide enough information about the venue. The venue name is case-sensitive and can be up to 252 alphanumeric characters.

add

Adds an operating class for an AP group.

delete

Deletes an operating class for an AP group.

operating_class_value

Operating class for an AP group. The available operating classes are 81, 83, 84, 112, 113, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127.

Command Default

AP Group VLAN is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

An error message appears if you try to delete an access point group that is used by at least one access point. Before you can delete an AP group in controller software release 6.0, move all APs in this group to another group. The access points are not moved to the default-group access point group as in previous releases. To see the APs, enter the show wlan apgroups command. To move APs, enter the config ap group-name groupname cisco_ap command.

The NAS-ID configured on the controller for AP group or WLAN or interface is used for authentication. The NAS-ID is not propagated across controllers.

Examples

The following example shows how to enable NAC out-of-band support for WLAN ID 4 on the access point group named apgroup:

(Cisco Controller) >config wlan apgroup nac-snmp enable apgroup 4

config wlan band-select allow

To configure band selection on a WLAN, use the config wlan band-select allow command.

config wlan band-select allow { enable | disable} wlan_id

Syntax Description

enable

Enables band selection on a WLAN.

disable

Disables band selection on a WLAN.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable band select on a WLAN, the access point suppresses client probes on 2.4 GHz and moves the dual-band clients to the 5-GHz spectrum. The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running. Band selection can be used only with Cisco Aironet 1040, 1140, and 1250 Series and the 3500 series access points.

Examples

The following example shows how to enable band selection on a WLAN:

(Cisco Controller) >config wlan band-select allow enable 6

config wlan broadcast-ssid

To configure a Service Set Identifier (SSID) broadcast on a wireless LAN, use the config wlan broadcast-ssid command.

config wlan broadcast-ssid { enable | disable} wlan_id

Syntax Description

enable

Enables SSID broadcasts on a wireless LAN.

disable

Disables SSID broadcasts on a wireless LAN.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

Broadcasting of SSID is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an SSID broadcast on wireless LAN ID 1:

(Cisco Controller) >config wlan broadcast-ssid enable 1

config wlan call-snoop

To enable or disable Voice-over-IP (VoIP) snooping for a particular WLAN, use the config wlan call-snoop command.

config wlan call-snoop { enable | disable} wlan_id

Syntax Description

enable

Enables VoIP snooping on a wireless LAN.

disable

Disables VoIP snooping on a wireless LAN.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The WLAN should be configured with Platinum QoS, and it needs to be disabled when you invoke this command.

Examples

The following example shows how to enable VoIP snooping for WLAN 3:

(Cisco Controller) >config wlan call-snoop enable 3

config wlan chd

To enable or disable Coverage Hole Detection (CHD) for a wireless LAN, use the config wlan chd command.

config wlan chd wlan_id { enable | disable}

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

enable

Enables Coverage Hole Detection on a wireless LAN.

disable

Disables Coverage Hole Detection on a wireless LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable CHD for WLAN 3:


(Cisco Controller) >config wlan chd 3 enable

config wlan ccx aironet-ie

To enable or disable Aironet information elements (IEs) for a WLAN, use the config wlan ccx aironet-ie command.

config wlan ccx aironet-ie { enable | disable}

Syntax Description

enable

Enables the Aironet information elements.

disable

Disables the Aironet information elements.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable Aironet information elements for a WLAN:

(Cisco Controller) >config wlan ccx aironet-ie enable

config wlan channel-scan defer-priority

To configure the controller to defer priority markings for packets that can defer off channel scanning, use the config wlan channel-scan defer-priority command.

config wlan channel-scan defer-priority priority [ enable | disable] wlan_id

Syntax Description

priority

User priority value (0 to 7).

enable

(Optional) Enables packets at the given priority to defer off-channel scanning.

disable

(Optional) Disables packets at the given priority from deferring off-channel scanning.

wlan_id

Wireless LAN identifier (1 to 512).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The priority value should be set to 6 on the client and on the WLAN.

Examples

The following example shows how to enable the controller to defer priority markings that can defer off channel scanning with user priority value 6 and WLAN id 30:

(Cisco Controller) >config wlan channel-scan defer-priority 6 enable 30

config wlan channel-scan defer-time

To assign the channel scan defer time in milliseconds, use the config wlan channel-scan defer-time command.

config wlan channel-scan defer-time msecs wlan_id

Syntax Description

msecs

Deferral time in milliseconds (0 to 60000 milliseconds).

wlan_id

Wireless LAN identifier from 1 to 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The time value in milliseconds should match the requirements of the equipment on your WLAN.

Examples

The following example shows how to assign the scan defer time to 40 milliseconds for WLAN with ID 50:


(Cisco Controller) >config wlan channel-scan defer-time 40 50

config wlan dhcp_server

To configure the internal DHCP server for a wireless LAN, use the config wlan dhcp_server command.

config wlan dhcp_server { wlan_id | foreignAp} ip_address [ required]

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

foreignAp

Specifies third-party access points.

ip_address

IP address of the internal DHCP server (this parameter is required).

required

(Optional) Specifies whether DHCP address assignment is required.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The preferred method for configuring DHCP is to use the primary DHCP address assigned to a particular interface instead of the DHCP server override. If you enable the override, you can use the show wlan command to verify that the DHCP server has been assigned to the WLAN.

Examples

The following example shows how to configure an IP address 10.10.2.1 of the internal DHCP server for wireless LAN ID 16:


(Cisco Controller) >config wlan dhcp_server 16 10.10.2.1

config wlan diag-channel

To enable the diagnostic channel troubleshooting on a particular WLAN, use the config wlan diag-channel command.

config wlan diag-channel [ enable | disable] wlan_id

Syntax Description

enable

(Optional) Enables the wireless LAN diagnostic channel.

disable

(Optional) Disables the wireless LAN diagnostic channel.

wlan_id

Wireless LAN identifier (1 to 512).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the wireless LAN diagnostic channel for WLAN ID 1:


(Cisco Controller) >config wlan diag-channel enable 1

config wlan dtim

To configure a Delivery Traffic Indicator Message (DTIM) for an 802.11 radio network, use the config wlan dtim command.

config wlan dtim { 802.11a | 802.11b} dtim wlan_id

Syntax Description

802.11a

Configures DTIM for the 802.11a radio network.

802.11b

Configures DTIM for the 802.11b radio network.

dtim

Value for DTIM (between 1 and 255, inclusive).

wlan_id

Number of the WLAN to be configured.

Command Default

The default is DTIM 1.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure DTIM for 802.11a radio network with DTIM value 128 and WLAN ID 1:


(Cisco Controller) >config wlan dtim 802.11a 128 1

config wlan exclusionlist

To configure the wireless LAN exclusion list, use the config wlan exclusionlist command.

config wlan exclusionlist { wlan_id [ enabled | disabled | time] |
 foreignAp [ enabled | disabled | time]}

Syntax Description

wlan_id

Wireless LAN identifier (1 to 512).

enabled

(Optional) Enables the exclusion list for the specified wireless LAN or foreign access point.

disabled

(Optional) Disables the exclusion list for the specified wireless LAN or a foreign access point.

time

(Optional) Exclusion list timeout in seconds. A value of zero (0) specifies infinite time.

foreignAp

Specifies a third-party access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command replaces the config wlan blacklist command.

Examples

The following example shows how to enable the exclusion list for WLAN ID 1:


(Cisco Controller) >config wlan exclusionlist 1 enabled

config wlan flexconnect ap-auth

To configure local authentication of clients associated with FlexConnect on a locally switched WLAN, use the config wlan flexconnect ap-auth command.

config wlan flexconnect ap-auth wlan_id { enable | disable}

Syntax Description

ap-auth

Configures local authentication of clients associated with a FlexConnect on a locally switched WLAN.

wlan_id

Wireless LAN identifier between 1 and 512.

enable

Enables AP authentication on a WLAN.

disable

Disables AP authentication on a WLAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Local switching must be enabled on the WLAN where you want to configure local authentication of clients associated with FlexConnect.

Examples

The following example shows how to enable authentication of clients associated with FlexConnect on a specified WLAN:


(Cisco Controller) >config wlan flexconnect ap-auth 6 enable

config wlan flexconnect learn-ipaddr

To enable or disable client IP address learning for the Cisco WLAN controller, use the config wlan flexconnect learn-ipaddr command.

config wlan flexconnect learn-ipaddr wlan_id { enable | disable}

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

enable

Enables client IPv4 address learning on a wireless LAN.

disable

Disables client IPv4 address learning on a wireless LAN.

Command Default

Disabled when the config wlan flexconnect local-switching command is disabled. 
Enabled when the config wlan flexconnect local-switching command is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv4 address format.

Usage Guidelines

If the client is configured with Layer 2 encryption, the controller cannot learn the client IP address, and the controller will periodically drop the client. Disable this option to keep the client connection without waiting to learn the client IP address.


Note


This command is valid only for IPv4.

Note


The ability to disable IP address learning is not supported with FlexConnect central switching.

Examples

The following example shows how to disable client IP address learning for WLAN 6:


(Cisco Controller) >config wlan flexconnect learn-ipaddr 6 disable

config wlan flexconnect vlan-central-switching

To configure central switching on a locally switched WLAN, use the config wlan flexconnect vlan-central-switching command.

config wlan flexconnect vlan-central-switching wlan_id { enable | disable }

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

enable

Enables central switching on a locally switched wireless LAN.

disable

Disables central switching on a locally switched wireless LAN.

Command Default

Central switching is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must enable FlexConnect local switching to enable VLAN central switching. When you enable WLAN central switching, the access point bridges the traffic locally if the WLAN is configured on the local IEEE 802.1Q link. If the VLAN is not configured on the access point, the AP tunnels the traffic back to the controller and the controller bridges the traffic to the corresponding VLAN.

WLAN central switching does not support:

  • FlexConnect local authentication.

  • Layer 3 roaming of local switching client.

Examples

The following example shows how to enable WLAN 6 for central switching:

(Cisco Controller) >config wlan flexconnect vlan-central-switching 6 enable

config wlan flexconnect local-switching

To configure local switching, central DHCP, NAT-PAT, or the override DNS option on a FlexConnect WLAN, use the config wlan flexconnect local-switching command.

config wlan flexconnect local-switching wlan_id { enable | disable} { { central-dhcp { enable | disable} nat-pat { enable | disable} } | { override option dns { enable | disable} } }

Syntax Description

wlan_id

Wireless LAN identifier from 1 to 512.

enable

Enables local switching on a FlexConnect WLAN.

disable

Disables local switching on a FlexConnect WLAN.

central-dhcp

Configures central switching of DHCP packets on the local switching FlexConnect WLAN. When you enable this feature, the DHCP packets received from the AP are centrally switched to the controller and forwarded to the corresponding VLAN based on the AP and the SSID.

enable

Enables central DHCP on a FlexConnect WLAN.

disable

Disables central DHCP on a FlexConnect WLAN.

nat-pat

Configures Network Address Translation (NAT) and Port Address Translation (PAT) on the local switching FlexConnect WLAN.

enable

Enables NAT-PAT on the FlexConnect WLAN.

disable

Disables NAT-PAT on the FlexConnect WLAN.

override

Specifies the DHCP override options on the FlexConnect WLAN.

option dns

Specifies the override DNS option on the FlexConnect WLAN. When you override this option, the clients get their DNS server IP address from the AP, not from the controller.

enable

Enables the override DNS option on the FlexConnect WLAN.

disable

Disables the override DNS option on the FlexConnect WLAN.

Command Default

This feature is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv4 address format.

Usage Guidelines

When you enable the config wlan flexconnect local-switching command, the config wlan flexconnect learn-ipaddr command is enabled by default.


Note


This command is valid only for IPv4.



Note


The ability to disable IP address learning is not supported with FlexConnect central switching.


Examples

The following example shows how to enable WLAN 6 for local switching and enable central DHCP and NAT-PAT:


(Cisco Controller) >config wlan flexconnect local-switching 6 enable central-dhcp enable nat-pat enable

The following example shows how to enable the override DNS option on WLAN 6:


(Cisco Controller) >config wlan flexconnect local-switching 6 override option dns enable

config wlan override-rate-limit

To override the bandwidth limits for upstream and downstream traffic per user and per service set identifier (SSID) defined in the QoS profile, use the config wlan override-rate-limit command.

config wlan override-rate-limit wlan_id { average-data-rate | average-realtime-rate | burst-data-rate | burst-realtime-rate } { per-ssid | per-client } { downstream | upstream } rate

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

average-data-rate

Specifies the average data rate for TCP traffic per user or per SSID. The range is from 0 to 512,000 Kbps.

average-realtime-rate

Specifies the average real-time data rate for UDP traffic per user or per SSID. The range is from 0 to 512,000 Kbps.

burst-data-rate

Specifies the peak data rate for TCP traffic per user or per SSID. The range is from 0 to 512,000 Kbps.

burst-realtime-rate

Specifies the peak real-time data rate for UDP traffic per user or per SSID. The range is from 0 to 512,000 Kbps.

per-ssid

Configures the rate limit for an SSID per radio. The combined traffic of all clients will not exceed this limit.

per-client

Configures the rate limit for each client associated with the SSID.

downstream

Configures the rate limit for downstream traffic.

upstream

Configures the rate limit for upstream traffic.

rate

Data rate for TCP or UDP traffic per user or per SSID. The range is from 0 to 512,000 Kbps. A value of 0 imposes no bandwidth restriction on the QoS profile.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The rate limits are enforced by the controller and the AP. For central switching, the controller handles the downstream enforcement of the per-client rate limit, and the AP handles the enforcement of the upstream traffic and the per-SSID rate limit for downstream traffic. When the AP enters standalone mode, it handles the downstream enforcement of per-client rate limits too.

In FlexConnect local switching and standalone modes, per-client and per-SSID rate limiting is done by the AP for downstream and upstream traffic. However, in FlexConnect standalone mode, the configuration is not saved on the AP, so when the AP reloads, the configuration is lost and rate limiting does not happen after reboot.

For roaming clients, if the client roams between the APs on the same controller, the same rate limit parameters are applied to the client. However, if the client roams from an anchor to a foreign controller, the per-client downstream rate limiting uses the parameters configured on the anchor controller while upstream rate limiting uses the parameters of the foreign controller.

Examples

The following example shows how to configure a burst real-time rate of 2000 Kbps for the upstream traffic per SSID:

(Cisco Controller) >config wlan override-rate-limit 2 burst-realtime-rate per-ssid upstream 2000

config wlan interface

To configure a wireless LAN interface or an interface group, use the config wlan interface command.

config wlan interface { wlan_id | foreignAp} { interface-name | interface-group-name}

Syntax Description

wlan_id

(Optional) Wireless LAN identifier (1 to 512).

foreignAp

Specifies third-party access points.

interface-name

Interface name.

interface-group-name

Interface group name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an interface named VLAN901:


(Cisco Controller) >config wlan interface 16 VLAN901

config wlan ipv6 acl

To configure IPv6 access control list (ACL) on a wireless LAN, use the config wlan ipv6 acl command.

config wlan ipv6 acl wlan_id acl_name

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

acl_name

IPv6 ACL name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an IPv6 ACL for local switching:


(Cisco Controller) >config wlan ipv6 acl 22 acl_sample

config wlan kts-cac

To configure the Key Telephone System-based CAC policy for a WLAN, use the config wlan kts-cac command.

config wlan kts-cac { enable | disable} wlan_id

Syntax Description

enable

Enables the KTS-based CAC policy.

disable

Disables the KTS-based CAC policy.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To enable the KTS-based CAC policy for a WLAN, ensure that you do the following:

  • Configure the QoS profile for the WLAN to Platinum by entering the following command:

    config wlan qos wlan-id platinum

  • Disable the WLAN by entering the following command:

    config wlan disable wlan-id

  • Disable FlexConnect local switching for the WLAN by entering the following command:

    config wlan flexconnect local-switching wlan-id disable

Examples

The following example shows how to enable the KTS-based CAC policy for a WLAN with the ID 4:


(Cisco Controller) >config wlan kts-cac enable 4

config wlan ldap

To add or delete a link to a configured Lightweight Directory Access Protocol (LDAP) server, use the config wlan ldap command.

config wlan ldap { add wlan_id server_id | delete wlan_id { all | server_id}}

Syntax Description

add

Adds a link to a configured LDAP server.

wlan_id

Wireless LAN identifier between 1 and 512.

server_id

LDAP server index.

delete

Removes the link to a configured LDAP server.

all

Specifies all LDAP servers.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use this command to specify the LDAP server priority for the WLAN.

To specify the LDAP server priority, one of the following must be configured and enabled:

  • 802.1X authentication and Local EAP

  • Web authentication and LDAP


    Note


    Local EAP was introduced in controller software release 4.1; LDAP support on Web authentication was introduced in controller software release 4.2.


Examples

The following example shows how to add a link to a configured LDAP server with the WLAN ID 100 and server ID 4:


(Cisco Controller) >config wlan ldap add 100 4 

config wlan load-balance

To override the global load balance configuration and enable or disable load balancing on a particular WLAN, use the config wlan load-balance command.

config wlan load-balance allow { enable | disable} wlan_id

Syntax Description

enable

Enables band selection on a wireless LAN.

disable

Disables band selection on a wireless LAN.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

Load balancing is enabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable band selection on a wireless LAN with WLAN ID 3:


(Cisco Controller) >config wlan load-balance allow enable 3

config wlan mac-filtering

To change the state of MAC filtering on a wireless LAN, use the config wlan mac-filtering command.

config wlan mac-filtering { enable | disable} { wlan_id | foreignAp}

Syntax Description

enable

Enables MAC filtering on a wireless LAN.

disable

Disables MAC filtering on a wireless LAN.

wlan_id

Wireless LAN identifier from 1 to 512.

foreignAp

Specifies third-party access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the MAC filtering on WLAN ID 1:


(Cisco Controller) >config wlan mac-filtering enable 1

config wlan max-associated-clients

To configure the maximum number of client connections on a wireless LAN, guest LAN, or remote LAN, use the config wlan max-associated-clients command.

config wlan max-associated-clients max_clients wlan_id

Syntax Description

max_clients

Maximum number of client connections to be accepted.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the maximum number of client connections on WLAN ID 2:


(Cisco Controller) >config wlan max-associated-clients 25 2

config wlan max-radio-clients

To configure the maximum number of WLAN clients per access point, use the config wlan max-radio-clients command.

config wlan max-radio-clients max_radio_clients wlan_id

Syntax Description

max_radio_clients

Maximum number of client connections to be accepted per access point radio. The valid range is from 1 to 200.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the maximum number of client connections per access point radio on WLAN ID 2:


(Cisco Controller) >config wlan max-radio-clients 25 2

config wlan media-stream

To configure multicast-direct for a wireless LAN media stream, use the config wlan media-stream command.

config wlan media-stream multicast-direct { wlan_id | all} { enable | disable}

Syntax Description

multicast-direct

Configures multicast-direct for a wireless LAN media stream.

wlan_id

Wireless LAN identifier between 1 and 512.

all

Configures the wireless LAN on all media streams.

enable

Enables global multicast to unicast conversion.

disable

Disables global multicast to unicast conversion.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Media stream multicast-direct requires load-based Call Admission Control (CAC) to run. WLAN quality of service (QoS) needs to be set to either gold or platinum.

Examples

The following example shows how to enable the global multicast-direct media stream with WLAN ID 2:


(Cisco Controller) >config wlan media-stream multicast-direct 2 enable

config wlan mfp

To configure management frame protection (MFP) options for the wireless LAN, use the config wlan mfp command.

config wlan mfp { client [ enable | disable] wlan_id | infrastructure protection [ enable | disable] wlan_id}

Syntax Description

client

Configures client MFP for the wireless LAN.

enable

(Optional) Enables the feature.

disable

(Optional) Disables the feature.

wlan_id

Wireless LAN identifier (1 to 512).

infrastructure protection

(Optional) Configures the infrastructure MFP for the wireless LAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure client management frame protection for WLAN ID 1:


(Cisco Controller) >config wlan mfp client enable 1

config wlan mobility anchor

To change the state of MAC filtering on a wireless LAN, use the config wlan mobility anchor command.

config wlan mobility anchor { add | delete} wlan_id ip_addr priority priority-number

Syntax Description

add

Enables MAC filtering on a wireless LAN.

delete

Disables MAC filtering on a wireless LAN.

wlan_id

Wireless LAN identifier between 1 and 512.

ip_addr

Member switch IPv4 address for anchoring the wireless LAN.

priority

Sets priority to the anchored wireless LAN IP address.

priority-number

Range is from 1 to 3.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv4 address format.
8.1 The priority priority-number parameter was introduced.

Examples

The following example shows how to configure and set priority to the mobility wireless LAN anchor list with WLAN ID 4 and IPv4 address 192.168.0.14:


(Cisco Controller) >config wlan mobility anchor add 4 192.168.0.14 priority 1

config wlan mobility foreign-map

To configure interfaces or interface groups for foreign controllers, use the config wlan mobility foreign-map command.

config wlan mobility foreign-map { add | delete} wlan_id foreign_mac_address { interface_name | interface_group_name}

Syntax Description

add

Adds an interface or interface group to the map of foreign controllers.

delete

Deletes an interface or interface group from the map of foreign controllers.

wlan_id

Wireless LAN identifier from 1 to 512.

foreign_mac_address

Foreign switch MAC address on a WLAN.

interface_name

Interface name up to 32 alphanumeric characters.

interface_group_name

Interface group name up to 32 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add an interface group for foreign controllers with WLAN ID 4 and a foreign switch MAC address on WLAN 00:21:1b:ea:36:60:


(Cisco Controller) >config wlan mobility foreign-map add 4 00:21:1b:ea:36:60 mygroup1

config wlan multicast buffer

To configure the radio multicast packet buffer size, use the config wlan multicast buffer command.

config wlan multicast buffer { enable | disable} buffer-size

Syntax Description

enable

Enables the multicast interface feature for a wireless LAN.

disable

Disables the multicast interface feature on a wireless LAN.

buffer-size

Radio multicast packet buffer size. The range is from 30 to 60. Enter 0 to indicate APs will dynamically adjust the number of buffers allocated for multicast.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

The default buffer size is 30.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure radio multicast buffer settings:


(Cisco Controller) >config wlan multicast buffer enable 45 222

config wlan multicast interface

To configure a multicast interface for a wireless LAN, use the config wlan multicast interface command.

config wlan multicast interface wlan_id { enable | disable} interface_name

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

enable

Enables multicast interface feature for a wireless LAN.

disable

Disables multicast interface feature on a wireless LAN.

interface_name

Interface name.

Note

 

The interface name can only be specified in lower case characters.

Command Default

Multicast is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the multicast interface feature for a wireless LAN with WLAN ID 4 and interface name myinterface1:


(Cisco Controller) >config wlan multicast interface 4 enable myinterface1

config wlan nac

To enable or disable Network Admission Control (NAC) out-of-band support for a WLAN, use the config wlan nac command.

config wlan nac { snmp | radius} { enable | disable} wlan_id

Syntax Description

snmp

Configures SNMP NAC support.

radius

Configures RADIUS NAC support.

enable

Enables NAC for the WLAN.

disable

Disables NAC for the WLAN.

wlan_id

WLAN identifier from 1 to 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You should enable AAA override before you enable the RADIUS NAC state. You also should disable FlexConnect local switching before you enable the RADIUS NAC state.

Examples

The following example shows how to configure SNMP NAC support for WLAN 13:

(Cisco Controller) >config wlan nac snmp enable 13

The following example shows how to configure RADIUS NAC support for WLAN 34:


(Cisco Controller) >config wlan nac radius enable 20
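Several Usage Guidelines in this reference make one command depend on state left by another (kts-cac, flexconnect ap-auth, flexconnect vlan-central-switching, media-stream multicast-direct and nac radius). The following added example, which is not Cisco code, replays a change script and reports the lines that break those documented prerequisites. The sample script is constructed, the WLAN is assumed to be enabled unless the script disables it, and AAA override and load-based CAC are not checked because their commands are not part of this section.

```python
from dataclasses import dataclass


@dataclass
class WlanState:
    qos: str = "silver"            # page: the default QoS policy is silver
    local_switching: bool = False  # page: FlexConnect local switching is off by default
    admin_up: bool = True          # assumption: WLAN is up unless the script disables it


# Constructed change script (not from the page); the CLI prompt prefix is tolerated.
SAMPLE = """\
(Cisco Controller) >config wlan qos 4 platinum
(Cisco Controller) >config wlan disable 4
config wlan flexconnect local-switching 4 disable
config wlan kts-cac enable 4
config wlan kts-cac enable 5
config wlan flexconnect vlan-central-switching 6 enable
config wlan flexconnect local-switching 7 enable central-dhcp enable nat-pat enable
config wlan flexconnect ap-auth 7 enable
config wlan nac radius enable 7
config wlan media-stream multicast-direct 2 enable
"""


def lint(script):
    """Return [(line_no, message), ...] for prerequisite violations in CLI lines."""
    wlans, findings = {}, []

    def st(wid):
        # Per-WLAN state, created with the documented defaults on first use.
        return wlans.setdefault(wid, WlanState())

    for no, raw in enumerate(script.splitlines(), 1):
        tok = raw.split(">", 1)[-1].split()   # drop "(Cisco Controller) >"
        if tok[:2] != ["config", "wlan"]:
            continue
        a = tok[2:]
        try:
            if a[0] in ("enable", "disable"):
                # config wlan disable wlan-id (and its enable counterpart)
                st(a[1]).admin_up = a[0] == "enable"
            elif a[0] == "qos":
                st(a[1]).qos = a[2]
            elif a[0] == "flexconnect" and a[1] == "local-switching":
                if a[3] in ("enable", "disable"):
                    st(a[2]).local_switching = a[3] == "enable"
            elif a[0] == "flexconnect" and a[1] in ("vlan-central-switching", "ap-auth"):
                if a[3] == "enable" and not st(a[2]).local_switching:
                    findings.append((no, f"{a[1]} on WLAN {a[2]} needs local switching enabled"))
            elif a[0] == "kts-cac" and a[1] == "enable":
                w = st(a[2])
                if w.qos != "platinum":
                    findings.append((no, f"kts-cac on WLAN {a[2]} needs QoS platinum, found {w.qos}"))
                if w.admin_up:
                    findings.append((no, f"kts-cac on WLAN {a[2]} needs the WLAN disabled first"))
                if w.local_switching:
                    findings.append((no, f"kts-cac on WLAN {a[2]} needs local switching disabled"))
            elif a[0] == "nac" and a[1:3] == ["radius", "enable"]:
                if st(a[3]).local_switching:
                    findings.append((no, f"RADIUS NAC on WLAN {a[3]} needs local switching disabled"))
            elif a[0] == "media-stream" and a[1] == "multicast-direct":
                if a[3] == "enable" and a[2] != "all" and st(a[2]).qos not in ("gold", "platinum"):
                    findings.append((no, f"multicast-direct on WLAN {a[2]} needs QoS gold or platinum"))
        except IndexError:
            findings.append((no, "incomplete command"))
    return findings


if __name__ == "__main__":
    for line_no, message in lint(SAMPLE):
        print(f"line {line_no}: {message}")
```

Run against a planned change before it is pasted into the controller; a clean result only covers the prerequisites listed in the lead-in.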

config wlan passive-client

To configure passive-client feature on a wireless LAN, use the config wlan passive-client command.

config wlan passive-client { enable | disable} wlan_id

Syntax Description

enable

Enables the passive-client feature on a WLAN.

disable

Disables the passive-client feature on a WLAN.

wlan_id

WLAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You need to enable the global multicast mode and multicast-multicast mode by using the config network multicast global and config network multicast mode commands before entering this command.


Note


You should configure the multicast in multicast-multicast mode only, not in unicast mode. The passive client feature does not work with multicast-unicast mode in this release.


Examples

The following example shows how to configure the passive client on wireless LAN ID 2:


(Cisco Controller) >config wlan passive-client enable 2

config wlan peer-blocking

To configure peer-to-peer blocking on a WLAN, use the config wlan peer-blocking command.

config wlan peer-blocking { disable | drop | forward-upstream} wlan_id

Syntax Description

disable

Disables peer-to-peer blocking and bridge traffic locally within the controller whenever possible.

drop

Causes the controller to discard the packets.

forward-upstream

Causes the packets to be forwarded on the upstream VLAN. The device above the controller decides what action to take regarding the packets.

wlan_id

WLAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the peer-to-peer blocking for WLAN ID 1:


(Cisco Controller) >config wlan peer-blocking disable 1

config wlan profiling

To configure client profiling on a WLAN, use the config wlan profiling command.

config wlan profiling { local | radius } { all | dhcp | http } { enable | disable } wlan_id

Syntax Description

local

Configures client profiling in Local mode for a WLAN.

radius

Configures client profiling in RADIUS mode on a WLAN.

all

Configures DHCP and HTTP client profiling in a WLAN.

dhcp

Configures DHCP client profiling alone in a WLAN.

http

Configures HTTP client profiling in a WLAN.

enable

Enables the specific type of client profiling in a WLAN.

When you enable HTTP profiling, the controller collects the HTTP attributes of clients for profiling.

When you enable DHCP profiling, the controller collects the DHCP attributes of clients for profiling.

disable

Disables the specific type of client profiling in a WLAN.

wlan_id

Wireless LAN identifier from 1 to 512.

Usage Guidelines

Ensure that you have disabled the WLAN before configuring client profiling on the WLAN.

Command Default

Client profiling is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Only clients connected to port 80 for HTTP can be profiled. IPv6-only clients are not profiled.

If a session timeout is configured for a WLAN, clients must send the HTTP traffic before the configured timeout to get profiled.

This feature is not supported on the following:

  • FlexConnect Standalone mode

  • FlexConnect Local Authentication

Examples

The following example shows how to enable both DHCP and HTTP profiling on a WLAN:

(Cisco Controller) >config wlan profiling radius all enable 6
HTTP Profiling successfully enabled.
DHCP Profiling successfully enabled.

config wlan qos

To change the quality of service (QoS) for a wireless LAN, use the config wlan qos command.

config wlan qos wlan_id { bronze | silver | gold | platinum}

config wlan qos foreignAp { bronze | silver | gold | platinum}

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

bronze

Specifies the bronze QoS policy.

silver

Specifies the silver QoS policy.

gold

Specifies the gold QoS policy.

platinum

Specifies the platinum QoS policy.

foreignAp

Specifies third-party access points.

Command Default

The default QoS policy is silver.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the highest level of service on wireless LAN 1:


(Cisco Controller) >config wlan qos 1 gold

config wlan radio

To set the Cisco radio policy on a wireless LAN, use the config wlan radio command.

config wlan radio wlan_id { all | 802.11a | 802.11bg | 802.11g | 802.11ag}

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

all

Configures the wireless LAN on all radio bands.

802.11a

Configures the wireless LAN on only 802.11a.

802.11bg

Configures the wireless LAN on only 802.11b/g (only 802.11b if 802.11g is disabled).

802.11g

Configures the wireless LAN on 802.11g only.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the wireless LAN on all radio bands:


(Cisco Controller) >config wlan radio 1 all

config wlan radius_server acct

To configure RADIUS accounting servers of a WLAN, use the config wlan radius_server acct command.

config wlan radius_server acct { { enable | disable} wlan_id | add wlan_id server_id | delete wlan_id { all | server_id} | framed-ipv6 { address | both | prefix } wlan_id}

Syntax Description

enable

Enables RADIUS accounting for the WLAN.

disable

Disables RADIUS accounting for the WLAN.

wlan_id

Wireless LAN identifier from 1 to 512.

add

Adds a link to a configured RADIUS accounting server.

server_id

RADIUS server index.

delete

Deletes a link to a configured RADIUS accounting server.

address

Configures an accounting framed IPv6 attribute to an IPv6 address.

both

Configures the accounting framed IPv6 attribute to an IPv6 address and prefix.

prefix

Configures the accounting framed IPv6 attribute to an IPv6 prefix.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable RADIUS accounting for the WLAN 2:


(Cisco Controller) >config wlan radius_server acct enable 2

The following example shows how to add a link to a configured RADIUS accounting server:


(Cisco Controller) > config wlan radius_server acct add 2 5

config wlan radius_server acct interim-update

To configure the interim update of a RADIUS accounting server of a WLAN, use the config wlan radius_server acct interim-update command.

config wlan radius_server acct interim-update { enable | disable | interval } wlan_id

Syntax Description

interim-update

Configures the interim update of the RADIUS accounting server.

enable

Enables interim update of the RADIUS accounting server for the WLAN.

disable

Disables interim update of the RADIUS accounting server for the WLAN.

interval

Interim update interval that you specify. The valid range is 60 to 3600 seconds.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

Interim update of a RADIUS accounting server is set at 600 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify an interim update of 200 seconds to a RADIUS accounting server of WLAN 2:


(Cisco Controller) >config wlan radius_server acct interim-update 200 2

config wlan radius_server auth

To configure RADIUS authentication servers of a WLAN, use the config wlan radius_server auth command.

config wlan radius_server auth { enable wlan_id | disable wlan_id} { add wlan_id server_id | delete wlan_id { all | server_id}}

Syntax Description

auth

Configures a RADIUS authentication

enable

Enables RADIUS authentication for this WLAN.

wlan_id

Wireless LAN identifier from 1 to 512.

disable

Disables RADIUS authentication for this WLAN.

add

Adds a link to a configured RADIUS server.

server_id

RADIUS server index.

delete

Deletes a link to a configured RADIUS server.

all

Deletes all links to configured RADIUS servers.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a link to a configured RADIUS authentication server with WLAN ID 1 and Server ID 1:


(Cisco Controller) >config wlan radius_server auth add 1 1

config wlan radius_server overwrite-interface

To configure a wireless LAN’s RADIUS dynamic interface, use the config wlan radius_server overwrite-interface command.

config wlan radius_server overwrite-interface { apgroup | enable | disable | wlan} wlan_id

Syntax Description

apgroup

Enables AP group's interface for all RADIUS traffic on the WLAN.

enable

Enables RADIUS dynamic interface for this WLAN.

disable

Disables RADIUS dynamic interface for this WLAN.

wlan

Enables WLAN's interface for all RADIUS traffic on the WLAN.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The controller uses the management interface as identity. If the RADIUS server is on a directly connected dynamic interface, the traffic is sourced from the dynamic interface. Otherwise, the management IP address is used.

If the feature is enabled, the controller uses the interface specified on the WLAN configuration as identity and source for all RADIUS-related traffic on the WLAN.

Examples

The following example shows how to enable RADIUS dynamic interface for a WLAN with an ID 1:


(Cisco Controller) >config wlan radius_server overwrite-interface enable 1

config wlan roamed-voice-client re-anchor

To configure a roamed voice client’s reanchor policy, use the config wlan roamed-voice-client re-anchor command.

config wlan roamed-voice-client re-anchor { enable | disable} wlan_id

Syntax Description

enable

Enables the roamed client’s reanchor policy.

disable

Disables the roamed client’s reanchor policy.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

The roamed client reanchor policy is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a roamed voice client’s reanchor policy where WLAN ID is 1:


(Cisco Controller) >config wlan roamed-voice-client re-anchor enable 1

config wlan sip-cac disassoc-client

To enable client disassociation in case of session initiation protocol (SIP) call admission control (CAC) failure, use the config wlan sip-cac disassoc-client command.

config wlan sip-cac disassoc-client { enable | disable} wlan_id

Syntax Description

enable

Enables a client disassociation on a SIP CAC failure.

disable

Disables a client disassociation on a SIP CAC failure.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

Client disassociation for SIP CAC is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable a client disassociation on a SIP CAC failure where the WLAN ID is 1:


(Cisco Controller) >config wlan sip-cac disassoc-client enable 1

config wlan sip-cac send-486busy

To configure sending of a Session Initiation Protocol (SIP) 486 busy message if a SIP call admission control (CAC) failure occurs, use the config wlan sip-cac send-486busy command.

config wlan sip-cac send-486busy { enable | disable} wlan_id

Syntax Description

enable

Enables sending a SIP 486 busy message upon a SIP CAC failure.

disable

Disables sending a SIP 486 busy message upon a SIP CAC failure.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

Session initiation protocol is enabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable sending a SIP 486 busy message upon a SIP CAC failure where the WLAN ID is 1:

(Cisco Controller) >config wlan sip-cac send-486busy enable 1

config wlan security wpa3

To configure WPA3 on a WLAN, use the config wlan security wpa wpa3 command.

config wlan security wpa wpa3 {enable | disable} wlan-id

Syntax Description

enable

Enables WPA3 on a WLAN.

disable

Disables WPA3 on a WLAN.

wlan-id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
8.10 This command was introduced.

Examples

The following example shows you how to enable WPA3 on a WLAN whose ID is 4:


(Cisco Controller) > config wlan security wpa wpa3 enable 4

config wlan session-timeout

To change the timeout of wireless LAN clients, use the config wlan session-timeout command.

config wlan session-timeout { wlan_id | foreignAp} seconds

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

foreignAp

Specifies third-party access points.

seconds

Timeout or session duration in seconds. A value of zero is equivalent to no timeout.

Note

The range of session timeout depends on the security type:
  • Open system: 0-65535 (sec)

  • 802.1x: 300-86400 (sec)

  • static wep: 0-65535 (sec)

  • cranite: 0-65535 (sec)

  • fortress: 0-65535 (sec)

  • CKIP: 0-65535 (sec)

  • open+web auth: 0-65535 (sec)

  • web pass-thru: 0-65535 (sec)

  • wpa-psk: 0-65535 (sec)

  • disable: To disable reauth/session-timeout timers.

Command Default

None

Usage Guidelines

For 802.1X client security type, which creates the PMK cache, the maximum session timeout that can be set is 86400 seconds when the session timeout is disabled. For other client security such as open, WebAuth, and PSK for which the PMK cache is not created, the session timeout value is shown as infinite when session timeout is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the client timeout to 6000 seconds for WLAN ID 1:


(Cisco Controller) >config wlan session-timeout 1 6000
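The following added example (not Cisco code) audits `config wlan session-timeout` lines against the per-security-type ranges in the Note above and reports values that are out of range or that disable the timeout. The security type of each WLAN is not part of the command, so the `security_by_wlan` mapping, its key labels, and the sample lines are assumptions constructed for this example.

```python
import re

# (low, high) in seconds per security type, transcribed from the Note above.
# The dictionary keys are labels chosen for this example, not controller keywords.
SESSION_TIMEOUT_RANGES = {
    "open": (0, 65535),
    "802.1x": (300, 86400),
    "static-wep": (0, 65535),
    "cranite": (0, 65535),
    "fortress": (0, 65535),
    "ckip": (0, 65535),
    "open+webauth": (0, 65535),
    "web-passthru": (0, 65535),
    "wpa-psk": (0, 65535),
}

# Optional copied prompt, then: config wlan session-timeout {wlan_id | foreignAp} seconds
COMMAND = re.compile(
    r"^(?:\(Cisco Controller\)\s*>)?\s*config\s+wlan\s+session-timeout\s+"
    r"(foreignAp|[0-9]+)\s+([0-9]+)$"
)


def check_session_timeout(line, security_by_wlan):
    """Return (status, detail) for one `config wlan session-timeout` line.

    security_by_wlan maps a WLAN ID (int) or the string "foreignAp" to one of
    the SESSION_TIMEOUT_RANGES keys; it is an input assumed by this example.
    """
    match = COMMAND.match(line.strip())
    if match is None:
        return ("syntax", "not a valid session-timeout command")
    target, seconds = match.group(1), int(match.group(2))
    if target != "foreignAp":
        target = int(target)
        if not 1 <= target <= 512:
            return ("syntax", f"wlan_id must be between 1 and 512, got {target}")
    security = security_by_wlan.get(target)
    if security not in SESSION_TIMEOUT_RANGES:
        return ("unknown-security", f"no security type recorded for {target}")
    low, high = SESSION_TIMEOUT_RANGES[security]
    if not low <= seconds <= high:
        return ("out-of-range", f"{security} accepts {low}-{high} s, got {seconds}")
    if seconds == 0:
        # A value of zero is equivalent to no timeout.
        return ("no-timeout", f"{security} session on {target} never times out")
    return ("ok", f"{security} session on {target} ends after {seconds} s")


def audit(lines, security_by_wlan):
    """Return (line, status, detail) for every line that is not 'ok'."""
    findings = []
    for line in lines:
        status, detail = check_session_timeout(line, security_by_wlan)
        if status != "ok":
            findings.append((line.strip(), status, detail))
    return findings


# Constructed sample data: WLAN inventory and candidate configuration lines.
SAMPLE_SECURITY = {1: "802.1x", 2: "wpa-psk", 3: "802.1x", "foreignAp": "open"}
SAMPLE_COMMANDS = [
    "(Cisco Controller) >config wlan session-timeout 1 6000",  # example from this page
    "config wlan session-timeout 2 0",
    "config wlan session-timeout 3 120",
    "config wlan session-timeout 3 0",
    "config wlan session-timeout 600 1800",
    "config wlan session-timeout foreignAp 70000",
]

if __name__ == "__main__":
    for line, status, detail in audit(SAMPLE_COMMANDS, SAMPLE_SECURITY):
        print(f"{status:16} {line}  ({detail})")
```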

config wlan user-idle-threshold

To configure the threshold data sent by the client during the idle timeout for client sessions for a WLAN, use the config wlan user-idle-threshold command.

config wlan user-idle-threshold bytes wlan_id

Syntax Description

bytes

Threshold data sent by the client during the idle timeout for the client session for a WLAN. If the client sends less traffic than the defined threshold, the client is removed on timeout. The range is from 0 to 10000000 bytes.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

The default threshold for data sent by the client during the idle timeout is 0 bytes.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the threshold data sent by the client during the idle timeout for client sessions for a WLAN:

(Cisco Controller) >config wlan user-idle-threshold 100 1

config wlan usertimeout

To configure the timeout for idle client sessions for a WLAN, use the config wlan usertimeout command.

config wlan usertimeout timeout wlan_id

Syntax Description

timeout

Timeout for idle client sessions for a WLAN. If the client sends traffic less than the threshold, the client is removed on timeout. The range is from 15 to 100000 seconds.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

The default client session idle timeout is 300 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The timeout value that you configure here overrides the global timeout that you define using the command config network usertimeout.

Examples

The following example shows how to configure the idle client sessions for a WLAN:

(Cisco Controller) >config wlan usertimeout 100 1

config wlan webauth-exclude

To release the guest user IP address when the web authentication policy time expires and exclude the guest user from acquiring an IP address for three minutes, use the config wlan webauth-exclude command.

config wlan webauth-exclude wlan_id { enable | disable}

Syntax Description

wlan_id

Wireless LAN identifier (1 to 512).

enable

Enables web authentication exclusion.

disable

Disables web authentication exclusion.

Command Default

Disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use this command for guest WLANs that are configured with web authentication.

This command is applicable when you configure the internal DHCP scope on the controller.

By default, when the web authentication timer expires for a guest user, the guest user can immediately reassociate with the same IP address before another guest user can acquire the IP address. If there are many guest users or a limited number of IP addresses in the DHCP pool, some guest users might not be able to acquire an IP address.

When you enable this feature on the guest WLAN, the guest user’s IP address is released when the web authentication policy time expires and the guest user is excluded from acquiring an IP address for three minutes. The IP address is available for another guest user to use. After three minutes, the excluded guest user can reassociate and acquire an IP address, if available.

Examples

The following example shows how to enable the web authentication exclusion for WLAN ID 5:


(Cisco Controller) >config wlan webauth-exclude 5 enable

config wlan wmm

To configure Wi-Fi Multimedia (WMM) mode on a wireless LAN, use the config wlan wmm command.

config wlan wmm { allow | disable | require} wlan_id

Syntax Description

allow

Allows WMM on the wireless LAN.

disable

Disables WMM on the wireless LAN.

require

Specifies that clients use WMM on the specified wireless LAN.

wlan_id

Wireless LAN identifier (1 to 512).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When the controller is in Layer 2 mode and WMM is enabled, you must put the access points on a trunk port in order to allow them to join the controller.

Examples

The following example shows how to configure wireless LAN ID 1 to allow WMM:


(Cisco Controller) >config wlan wmm allow 1

The following example shows how to configure wireless LAN ID 1 to specify that clients use WMM:


(Cisco Controller) >config wlan wmm require 1

Configure Wireless LAN HotSpot Commands

Use the config wlan hotspot commands to configure HotSpot and 802.11u parameters on a WLAN.

config wlan hotspot

To configure a HotSpot on a WLAN, use the config wlan hotspot command.

config wlan hotspot { clear-all wlan_id | dot11u | hs2 | msap}

Syntax Description

clear-all

Clears the HotSpot configurations on a WLAN.

wlan_id

Wireless LAN identifier from 1 to 512.

dot11u

Configures an 802.11u HotSpot on a WLAN.

hs2

Configures HotSpot2 on a WLAN.

msap

Configures the Mobility Services Advertisement Protocol (MSAP) on a WLAN.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can configure up to 32 HotSpot WLANs.

Examples

The following example shows how to configure HotSpot2 for a WLAN:

(Cisco Controller) >config wlan hotspot hs2 enable 2

config wlan hotspot dot11u

To configure an 802.11u HotSpot on a WLAN, use the config wlan hotspot dot11u command.

config wlan hotspot dot11u { 3gpp-info | auth-type | enable | disable | domain | hessid | ipaddr-type | nai-realm | network-type | roam-oi}

Syntax Description

3gpp-info

Configures 3GPP cellular network information.

auth-type

Configures the network authentication type.

disable

Disables 802.11u on the HotSpot profile.

domain

Configures a domain.

enable

Enables 802.11u on the HotSpot profile. IEEE 802.11u enables automatic WLAN offload for 802.1X devices at the HotSpot of mobile or roaming partners.

hessid

Configures the Homogeneous Extended Service Set Identifier (HESSID). The HESSID is a 6-octet MAC address that uniquely identifies the network.

ipaddr-type

Configures the IPv4 address availability type.

nai-realm

Configures a realm for 802.11u enabled WLANs.

network-type

Configures the 802.11u network type and Internet access.

roam-oi

Configures the roaming consortium Organizational Identifier (OI) list.

Command Default

None.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv4 address format.

Examples

The following example shows how to enable 802.11u on a HotSpot profile:

(Cisco Controller) >config wlan hotspot dot11u enable 6

config wlan hotspot dot11u ipaddr-type

To configure the type of IP address available on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u ipaddr-type command.

config wlan hotspot dot11u ipaddr-type IPv4Type { 0 - 7} IPv6Type { 0 - 2} wlan_id

Syntax Description

IPv4Type

IPv4 type address. Enter one of the following values:

0—IPv4 address not available.

1—Public IPv4 address available.

2—Port restricted IPv4 address available.

3—Single NAT enabled private IPv4 address available.

4—Double NAT enabled private IPv4 address available.

5—Port restricted IPv4 address and single NAT enabled IPv4 address available.

6—Port restricted IPv4 address and double NAT enabled IPv4 address available.

7—Availability of the IPv4 address is not known.

IPv6Type

IPv6 type address. Enter one of the following values:

0—IPv6 address not available.

1—IPv6 address available.

2—Availability of the IPv6 address is not known.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

The default value for the IPv4 type address is 1.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

8.0 This command supports only IPv4 address format.

Examples

The following example shows how to configure the IP address availability type on an 802.11u HotSpot WLAN:

(Cisco Controller) >config wlan hotspot dot11u ipaddr-type 6 2 6 

config wlan hotspot dot11u 3gpp-info

To configure 3GPP cellular network information on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u 3gpp-info command.

config wlan hotspot dot11u 3gpp-info { add | delete} index country_code network_code wlan_id

Syntax Description

add

Adds mobile cellular network information.

delete

Deletes mobile cellular network information.

index

Cellular index. The range is from 1 to 32.

country_code

Mobile Country Code (MCC) in Binary Coded Decimal (BCD) format. The country code can be up to 3 characters. For example, the MCC for USA is 310.

network_code

Mobile Network Code (MNC) in BCD format. An MNC is used in combination with a Mobile Country Code (MCC) to uniquely identify a mobile phone operator or carrier. The network code can be up to 3 characters. For example, the MNC for T-Mobile is 026.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Number of mobile network codes supported is 32 per WLAN.

Examples

The following example shows how to configure 3GPP cellular network information on a WLAN:

(Cisco Controller) >config wlan hotspot dot11u 3gpp-info add 

config wlan hotspot dot11u auth-type

To configure the network authentication type on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u auth-type command.

config wlan hotspot dot11u auth-type network-auth wlan_id

Syntax Description

network-auth
Network authentication that you would like to configure on the WLAN. The available values are as follows:
  • 0—Acceptance of terms and conditions

  • 1—On-line enrollment

  • 2—HTTP/HTTPS redirection

  • 3—DNS Redirection

  • 4—Not Applicable

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The DNS redirection option is not supported in Release 7.3.

Examples

The following example shows how to configure HTTP/HTTPS redirection as the network authentication type on an 802.11u HotSpot WLAN:

(Cisco Controller) >config wlan hotspot dot11u auth-type 2 1

config wlan hotspot dot11u disable

To disable an 802.11u HotSpot on a WLAN, use the config wlan hotspot dot11u disable command.

config wlan hotspot dot11u disable wlan_id

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable an 802.11u HotSpot on a WLAN:

(Cisco Controller) >config wlan hotspot dot11u disable 6

config wlan hotspot dot11u domain

To configure a domain operating in the 802.11 access network, use the config wlan hotspot dot11u domain command.

config wlan hotspot dot11u domain { add wlan_id domain-index domain_name | delete wlan_id domain-index | modify wlan_id domain-index domain_name}

Syntax Description

add

Adds a domain.

wlan_id

Wireless LAN identifier between 1 and 512.

domain-index

Domain index in the range 1 to 32.

domain_name

Domain name. The domain name is case sensitive and can be up to 255 alphanumeric characters.

delete

Deletes a domain.

modify

Modifies a domain.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a domain in the 802.11 access network:

(Cisco Controller) >config wlan hotspot dot11u domain add 6 30 domain1

config wlan hotspot dot11u enable

To enable an 802.11u HotSpot on a WLAN, use the config wlan hotspot dot11u enable command.

config wlan hotspot dot11u enable wlan_id

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable an 802.11u HotSpot on a WLAN:

(Cisco Controller) >config wlan hotspot dot11u enable 6

config wlan hotspot dot11u hessid

To configure a Homogeneous Extended Service Set Identifier (HESSID) on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u hessid command.

config wlan hotspot dot11u hessid hessid wlan_id

Syntax Description

hessid

MAC address that can be configured as an HESSID. The HESSID is a 6-octet MAC address that uniquely identifies the network. For example, Basic Service Set Identification (BSSID) of the WLAN can be used as the HESSID.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an HESSID on an 802.11u HotSpot WLAN:

(Cisco Controller) >config wlan hotspot dot11u hessid 00:21:1b:ea:36:60 6

config wlan hotspot dot11u nai-realm

To configure realms for 802.11u HotSpot WLANs, use the config wlan hotspot dot11u nai-realm command.

config wlan hotspot dot11u nai-realm { add | delete | modify} { auth-method wlan_id realm-index eap-index auth-index auth-method auth-parameter | eap-method wlan_id realm-index eap-index eap-method | realm-name wlan_id realm-index realm}

Syntax Description

add

Adds a realm.

delete

Deletes a realm.

modify

Modifies a realm.

auth-method

Specifies the authentication method used.

wlan_id

Wireless LAN identifier from 1 to 512.

realm-index

Realm index. The range is from 1 to 32.

eap-index

EAP index. The range is from 1 to 4.

auth-index

Authentication index value. The range is from 1 to 10.

auth-method
Authentication method to be used. The range is from 1 to 4. The following options are available:
  • 1—Non-EAP Inner Auth Method

  • 2—Inner Auth Type

  • 3—Credential Type

  • 4—Tunneled EAP Method Credential Type

auth-parameter

Authentication parameter to use. This value depends on the authentication method used. See the following table for more details.

eap-method

Specifies the Extensible Authentication Protocol (EAP) method used.

eap-method
EAP Method. The range is from 0 to 7. The following options are available:
  • 0—Not Applicable

  • 1—Lightweight Extensible Authentication Protocol (LEAP)

  • 2—Protected EAP (PEAP)

  • 3—EAP-Transport Layer Security (EAP-TLS)

  • 4—EAP-FAST (Flexible Authentication via Secure Tunneling)

  • 5—EAP for GSM Subscriber Identity Module (EAP-SIM)

  • 6—EAP-Tunneled Transport Layer Security (EAP-TTLS)

  • 7—EAP for UMTS Authentication and Key Agreement (EAP-AKA)

realm-name

Specifies the name of the realm.

realm

Name of the realm. The realm name should be RFC 4282 compliant. For example, Cisco. The realm name is case-sensitive and can be up to 255 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This table lists the authentication parameters.

Table 5. Authentication Parameters

Non-EAP Inner Method (1)
  • 0—Reserved
  • 1—Password authentication protocol (PAP)
  • 2—Challenge-Handshake Authentication Protocol (CHAP)
  • 3—Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  • 4—MSCHAPV2

Inner Authentication EAP Method Type (2)
  • 1—LEAP
  • 2—PEAP
  • 3—EAP-TLS
  • 4—EAP-FAST
  • 5—EAP-SIM
  • 6—EAP-TTLS
  • 7—EAP-AKA

Credential Type (3)/Tunneled EAP Credential Type (4)
  • 1—SIM
  • 2—USIM
  • 3—NFC Secure Element
  • 4—Hardware Token
  • 5—Soft Token
  • 6—Certificate
  • 7—Username/Password
  • 8—Reserved
  • 9—Anonymous
  • 10—Vendor Specific

Examples

The following example shows how to add the Tunneled EAP Method Credential authentication method on WLAN 4:

(Cisco Controller) >config wlan hotspot dot11u nai-realm add auth-method 4 10 3 5 4 6 
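The positional arguments of this command are easy to misread when reviewing a configuration, so the following added example (not Cisco code) decodes and range-checks a nai-realm line using the values in the Syntax Description and Table 5. The function, exception, and table names are this example's own, and it applies the same argument list to add, delete, and modify because that is what the syntax line on this page shows.

```python
"""Decode `config wlan hotspot dot11u nai-realm` commands (added example)."""

# Value tables transcribed from the Syntax Description and Table 5 on this page.
AUTH_METHODS = {
    1: "Non-EAP Inner Auth Method",
    2: "Inner Auth Type",
    3: "Credential Type",
    4: "Tunneled EAP Method Credential Type",
}
EAP_METHODS = {
    0: "Not Applicable", 1: "LEAP", 2: "PEAP", 3: "EAP-TLS", 4: "EAP-FAST",
    5: "EAP-SIM", 6: "EAP-TTLS", 7: "EAP-AKA",
}
NON_EAP_INNER = {0: "Reserved", 1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MSCHAPV2"}
CREDENTIALS = {
    1: "SIM", 2: "USIM", 3: "NFC Secure Element", 4: "Hardware Token",
    5: "Soft Token", 6: "Certificate", 7: "Username/Password", 8: "Reserved",
    9: "Anonymous", 10: "Vendor Specific",
}
# auth-method value -> table that gives auth-parameter its meaning (Table 5).
AUTH_PARAMETERS = {
    1: NON_EAP_INNER,
    2: {k: v for k, v in EAP_METHODS.items() if k != 0},
    3: CREDENTIALS,
    4: CREDENTIALS,
}

PREFIX = ["config", "wlan", "hotspot", "dot11u", "nai-realm"]
ACTIONS = {"add", "delete", "modify"}
# Numeric arguments of each sub-form, in order, with the ranges given on this page.
FORMS = {
    "auth-method": [("wlan_id", 1, 512), ("realm-index", 1, 32),
                    ("eap-index", 1, 4), ("auth-index", 1, 10),
                    ("auth-method", 1, 4)],
    "eap-method": [("wlan_id", 1, 512), ("realm-index", 1, 32),
                   ("eap-index", 1, 4), ("eap-method", 0, 7)],
    "realm-name": [("wlan_id", 1, 512), ("realm-index", 1, 32)],
}


class RealmCommandError(ValueError):
    """Raised when a line does not fit the syntax documented on this page."""


def _ranged_int(token, name, low, high):
    if not (token.isascii() and token.isdigit() and low <= int(token) <= high):
        raise RealmCommandError(f"{name} must be {low} to {high}, got {token!r}")
    return int(token)


def parse_nai_realm(line):
    """Return a dict describing one nai-realm command or raise RealmCommandError."""
    text = line.strip()
    if text.startswith("("):  # drop a copied "(Cisco Controller) >" prompt
        text = text.partition(">")[2]
    tokens = text.split()
    if tokens[:5] != PREFIX or len(tokens) < 7:
        raise RealmCommandError("not a nai-realm command")
    action, form, args = tokens[5], tokens[6], tokens[7:]
    if action not in ACTIONS or form not in FORMS:
        raise RealmCommandError(f"unknown keywords: {action!r} {form!r}")
    fields = FORMS[form]
    trailing = 0 if form == "eap-method" else 1  # auth-parameter or realm
    if len(args) != len(fields) + trailing:
        raise RealmCommandError(f"{form} takes {len(fields) + trailing} arguments")
    result = {"action": action, "form": form}
    for (name, low, high), token in zip(fields, args):
        result[name] = _ranged_int(token, name, low, high)
    if form == "auth-method":
        method = result["auth-method"]
        table = AUTH_PARAMETERS[method]  # valid values depend on the method
        param = _ranged_int(args[-1], "auth-parameter", min(table), max(table))
        result["auth-parameter"] = param
        result["meaning"] = f"{AUTH_METHODS[method]}: {table[param]}"
    elif form == "eap-method":
        result["meaning"] = EAP_METHODS[result["eap-method"]]
    else:
        if len(args[-1]) > 255:
            raise RealmCommandError("realm name can be up to 255 characters")
        result["realm"] = args[-1]
    return result


if __name__ == "__main__":
    # The example command from this page, including its prompt.
    page_example = ("(Cisco Controller) >config wlan hotspot dot11u nai-realm "
                    "add auth-method 4 10 3 5 4 6 ")
    print(parse_nai_realm(page_example))
```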

config wlan hotspot dot11u network-type

To configure the network type and internet availability on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u network-type command.

config wlan hotspot dot11u network-type wlan_id network-type internet-access

Syntax Description

wlan_id

Wireless LAN identifier from 1 to 512.

network-type
Network type. The available options are as follows:
  • 0—Private Network

  • 1—Private Network with Guest Access

  • 2—Chargeable Public Network

  • 3—Free Public Network

  • 4—Personal Device Network

  • 5—Emergency Services Only Network

  • 14—Test or Experimental

  • 15—Wildcard

internet-access

Internet availability status. A value of zero indicates no Internet availability and 1 indicates Internet availability.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the network type and Internet availability on an 802.11u HotSpot WLAN:

(Cisco Controller) >config wlan hotspot dot11u network-type 2 1

config wlan hotspot dot11u roam-oi

To configure a roaming consortium Organizational Identifier (OI) list on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u roam-oi command.

config wlan hotspot dot11u roam-oi { add wlan_id oi-index oi is-beacon | modify wlan_id oi-index oi is-beacon | delete wlan_id oi-index}

Syntax Description

add

Adds an OI.

wlan-id

Wireless LAN identifier from 1 to 512.

oi-index

Index in the range 1 to 32.

oi

Number that must be a valid 6 digit hexadecimal number and 6 bytes in length. For example, 004096 or AABBDF.

is-beacon

Beacon flag used to add an OI to the beacon. 0 indicates disable and 1 indicates enable. You can add a maximum of 3 OIs for a WLAN with this flag set.

modify

Modifies an OI.

delete

Deletes an OI.

Command Default

None.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the roaming consortium OI list:

(Cisco Controller) >config wlan hotspot dot11u roam-oi add 4 10 004096 1

config wlan hotspot hs2

To configure the HotSpot2 parameters, use the config wlan hotspot hs2 command.

config wlan hotspot hs2 { disable wlan_id |
 enable wlan_id |
 operator-name { add wlan_id index operator_name language-code | delete wlan_id index | modify wlan_id index operator-name language-code} |
 port-config { add wlan_id port_config_index ip-protocol port-number status | delete wlan_id port-config-index | modify wlan_id port-config-index ip-protocol port-number status} |
 wan-metrics wlan_id link-status symet-link downlink-speed uplink-speed }

Syntax Description

disable

Disables HotSpot2.

wlan-id

Wireless LAN identifier from 1 to 512.

enable

Enables HotSpot2.

operator-name

Specifies the name of the 802.11 operator.

add

Adds the operator name, port configuration, or WAN metrics parameters to the WLAN configuration.

index

Index of the operator. The range is from 1 to 32.

operator-name

Name of the operator.

language-code

Language used. An ISO-14962-1997 encoded string that defines the language. This string is a three character language code. Enter the first three letters of the language in English. For example, eng for English.

delete

Deletes the operator name, port configuration, or WAN metrics parameters from the WLAN.

modify

Modifies the operator name, port configuration, or WAN metrics parameters of the WLAN.

port-config

Configures the port configuration values.

port_config_index

Port configuration index. The range is from 1 to 32. The default value is 1.

ip-protocol

Protocol to use. This parameter provides information on the connection status of the most commonly used communication protocols and ports. The following options are available:

1—ICMP

6—FTP/SSH/TLS/PPTP-VPN/VoIP

17—IKEv2 (IPSec-VPN/VoIP/ESP)

50—ESP (IPSec-VPN)

port-number

Port number. The following options are available:

0—ICMP/ESP (IPSec-VPN)

20—FTP

22—SSH

443—TLS-VPN

500—IKEv2

1723—PPTP-VPN

4500—IKEv2

5060—VoIP

status

Status of the IP port. The following options are available:

0—Closed

1—Open

2—Unknown

wan-metrics

Configures the WAN metrics.

link-status

Link status. The following options are available:

  • 0—Unknown

  • 1—Link up

  • 2—Link down

  • 3—Link in test state

symet-link

Symmetric link status. The following options are available:

  • 0—Link speed is different for uplink and downlink. For example: ADSL

  • 1—Link speed is the same for uplink and downlink. For example: DS1

downlink-speed

Downlink speed of the WAN backhaul link in kbps. Maximum value is 4,194,304 kbps.

uplink-speed

Uplink speed of the WAN backhaul link in kbps. The maximum value is 4,194,304 kbps.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the WAN metrics parameters:

(Cisco Controller) >config wlan hotspot hs2 wan-metrics add 345 1 0 3333

config wlan hotspot msap

To configure the Mobility Service Advertisement Protocol (MSAP) parameters on a WLAN, use the config wlan hotspot msap command.

config wlan hotspot msap { enable | disable | server-id server_id} wlan_id

Syntax Description

enable

Enables MSAP on the WLAN.

disable

Disables MSAP on the WLAN.

server-id

Specifies the MSAP server id.

server_id

MSAP server ID. The range is from 1 to 10.

wlan_id

Wireless LAN identifier from 1 to 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable MSAP on a WLAN:

(Cisco Controller) >config wlan hotspot msap enable 4 

Configure Wireless LAN Mobile Concierge Commands

Use the config wlan mobile-concierge commands to enable 802.11u on a WLAN and configure the 802.11u parameters.

config wlan mobile-concierge dot11u

To enable or disable 802.11u on a WLAN, use the config wlan mobile-concierge dot11u command.

config wlan mobile-concierge dot11u
{ 3gpp-info { add index country_code network_code wlan_id | delete index wlan_id} | disable wlan_id
domain { add wlan_id domain-index domain-name | delete wlan_id | modify wlan_id domain-index domain-name} 
enable wlan_id 
hessid 
ip-addr-type { add ipv4_type ipv6_type wlan_id | delete wlan_id | net-auth-type network_auth_type_value wlan_id
oui { add wlan_id | delete wlan_id | modify wlan_id oui-index oui-name is-beacon | params wlan_id network-type internet-bit 
realm { add | delete | modify}}

Syntax Description

3gpp-info

Configures 3GPP cellular information on the network.

add

Adds mobile cellular network information.

index

3GPP index in the range 1 to 32.

country_code

Mobile country code (BCD format).

network_code

Mobile network code (BCD format).

wlan_id

WLAN id.

delete

Deletes mobile cellular network information.

disable

Disables 802.11u.

domain

Configures a domain.

add

Adds a domain.

delete

Deletes a domain.

modify

Modifies a domain.

domain-index

Domain index in the range 1 to 32.

domain-name

Domain name.

enable

Enables 802.11u.

hessid

Configures the HESSID.

ip-addr-type

Configures IP address availability type.

add

Adds IP address available type information.

ipv4_type

IPv4 type address. Enter one of the following values:

0—IPv4 address not available

1—Public IPv4 address available

2—Port-restricted IPv4 address available

3—Single NAT enabled private IPv4 address available

4—Double NAT enabled private IPv4 address available

5—Port-restricted IPv4 address and single NAT enabled IPv4 address available

6—Port-restricted IPv4 address and double NAT enabled IPv4 address available

7—Availability of the IPv4 address is not known

ipv6_type

IPv6 type address. Enter one of the following values:

0—IPv6 address not available

1—IPv6 address available

2—Availability of the IPv6 address is not known

delete

Deletes the IP address available type information.

net-auth-type

Configures the Network authentication type.

network-auth-type-value

Network authentication that you would like to configure for this WLAN. Enter one of the following values:

0—Acceptance of terms and conditions

1—On-line enrollment

2—HTTP/HTTPS redirection

oui

Configures the Organizational Unique Identifier (OUI).

add

Adds an OUI.

delete

Deletes an OUI.

modify

Modifies an OUI.

oui-index

OUI index in the range 1–32.

oui-name

OUI name. The OUI must be a valid 6 digit number.

is-beacon

OUI presence that should contain the beacon. Valid values are 0 (disable) and 1 (enable).

params

Configures 802.11u parameters.

network-type

Network type. Enter one of the following values:

0—Private Network

1—Private Network with Guest Access

2—Chargeable Public Network

3—Free Public Network

4—Personal Device Network

5—Emergency Services Only Network

14—Test or Experimental

15—Wildcard

internet-bit

Whether Internet access is available. Valid values are 0 (no) and 1 (yes).

realm

Configures the realm.

Command Default

None.

Examples

This example shows how to enable 802.11u on WLAN ID 1:


> config wlan mobile-concierge dot11u enable 1 

config wlan mobile-concierge dot11u realm

To configure realms for your 802.11u enabled WLANs, use the config wlan mobile-concierge dot11u realm command.

config wlan mobile-concierge dot11u realm { add | delete | modify} { auth-method wlan_id realm-index eap-index auth-index auth-method auth-parameter | eap-method wlan_id realm-index eap-index eap-method | realm-name wlan_id realm-index realm}

Syntax Description

add

Adds a realm.

delete

Deletes a realm.

modify

Modifies a realm.

auth-method

Specifies the authentication method used.

eap-method

Specifies the EAP method used.

realm-name

Specifies the name of the realm to add, delete, or modify.

wlan_id

WLAN ID.

realm-index

Realm index. The range is 1-32.

eap-index

EAP index. The range is 1-4.

auth-index

Authentication index value. The range is 1-10.

auth-method

Authentication method to be used. The range is 1-4. The following options are available:

1—Non-EAP Inner Auth Method

2—Inner Auth Type

3—Credential Type

4—Tunneled EAP Method Credential Type

auth-parameter

Authentication parameter to use. This value depends on the auth-method used.

Command Default

None.

Examples

This example shows how to add a new realm with EAP-Method and inner authentication type as EAP-TLS for WLAN ID 3:


> config wlan mobile-concierge dot11u realm add eap-method 3 22 2 3

config wlan mobile-concierge hotspot2

To configure the hotspot2 parameters, use the config wlan mobile-concierge hotspot2 command.

config wlan mobile-concierge hotspot2 
 { disable |
 enable |
 operator-name { add wlan_id index operator_name language-code| delete wlan_id index-name | modify wlan_id index operator-name language-code} |
 port-config { add wlan_id index ip-protocol port-number status | delete wlan_id port-config-index | modify wlan_id port-config-index ip-protocol port-number status} |
 wan-metrics { add wlan_id link-status symet-link downlink-speed uplink-speed | delete wlan_id}}

Syntax Description

disable

Disables HotSpot2.

enable

Enables HotSpot2.

operator-name

Specifies the name of the 802.11an operator.

add

Adds the operator-name, port-config, or wan-metrics parameters on the WLAN.

wlan-id

WLAN identifier.

index

Index of the operator. The range is 1-32.

operator-name

Name of the operator.

language-code

Language used. An ISO-14962-1997 encoded string that defines the language. This string is a three-character language code. Enter the first three letters of the language in English (for example, eng for English).

delete

Deletes the operator-name, port-config, or wan-metrics parameters on the WLAN.

modify

Modifies the operator-name, port-config, or wan-metrics parameters on the WLAN.

port-config

Configures the port configuration values.

ip-protocol

Protocol to use. The following options are available:

1—ICMP

6—FTP/SSH/TLS/PPTP-VPN/VoIP

17—IKEv2 (IPSec-VPN/VoIP/ESP)

50—ESP (IPSec-VPN)

port-number

Port number. The following options are available:

0—ICMP/ESP (IPSec-VPN)

20—FTP

22—SSH

443—TLS-VPN

500—IKEv2

1723—PPTP-VPN

4500—IKEv2

5060—VoIP

status

Sets the status. The following options are available:

0—Closed

1—Open

2—Unknown

port-config-index

Port config index. The range is 1–10.

wan-metrics

Configures the WAN metrics.

link-status

Link status. The following options are available:

  • Link up

  • Link down

  • Link in test state

symet-link

Specifies the symmetric link status. The following options are available:

  • 0—link speed is different for the uplink and downlink. For example: ADSL

  • 1—link speed is the same for the uplink and downlink. For example: DS1

downlink-speed

Downlink speed of the WAN backhaul link in kbps. The maximum value is 4,194,304 kbps.

uplink-speed

Uplink speed of the WAN backhaul link in kbps. The maximum value is 4,194,304 kbps.

Examples

This example shows how to configure the WAN metrics parameters:


> config wlan mobile-concierge hotspot2 wan-metrics add 345 1 0 3333

config wlan mobile-concierge msap

To configure the Mobility Service Advertisement Protocol (MSAP) parameters on a WLAN, use the config wlan mobile-concierge msap command.

config wlan mobile-concierge msap { enable | disable | server-id server-id} wlan-id

Syntax Description

enable

Enables MSAP on the WLAN.

disable

Disables MSAP on the WLAN.

server-id

Server ID to assign.

wlan-id

WLAN identifier.

Command Default

None.

Examples

This example shows how to configure an MSAP server ID for WLAN 331:


> config wlan mobile-concierge msap server-id 32 331

Configure Wireless LAN Proxy Mobility IPv6 (PMIPv6) Commands

Use the config wlan pmipv6 commands to configure PMIPv6 on WLANs.

config wlan pmipv6 default-realm

To configure a default realm for a PMIPv6 WLAN, use the config wlan pmipv6 default-realm command.

config wlan pmipv6 default-realm { default-realm-name | none } wlan_id

Syntax Description

default-realm-name

Default realm name for the WLAN.

none

Clears the realm name for the WLAN.

wlan_id

Wireless LAN identifier between 1 and 512.

Command Default

None.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a default realm name on a PMIPv6 WLAN:

(Cisco Controller) >config wlan pmipv6 default-realm XYZ 6

config wlan pmipv6 mobility-type

To configure the mobility type on a WLAN, use the config wlan pmipv6 mobility-type command.

config wlan pmipv6 mobility-type { none | pmipv6 } { wlan_id | all }

Syntax Description

none

Configures a WLAN with Simple IP mobility.

pmipv6

Configures a WLAN with PMIPv6 mobility.

all

Enables the specified type of mobility for all WLANs.

wlan_id

WLAN identifier between 1 and 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must disable the WLAN when you configure the mobility type.

Examples

The following example shows how to configure the mobility type as PMIPv6 on a WLAN:

(Cisco Controller) >config wlan pmipv6 mobility-type pmipv6 16

config wlan pmipv6 profile_name

To configure a profile name for the PMIPv6 WLAN, use the config wlan pmipv6 profile_name command.

config wlan pmipv6 profile_name profile_name wlan_id

Syntax Description

profile_name

Profile name for the PMIPv6 WLAN.

wlan_id

Wireless LAN identifier from 1 to 512.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command binds a profile name to the PMIPv6 WLAN or SSID. Each time that a mobile node associates with the controller, it uses the profile name and NAI in the trigger to the PMIPv6 module. The PMIPv6 module extracts all the profile-specific parameters such as LMA IP, APN, and NAI and sends the PBU to the ASR5K.

Examples

The following example shows how to create a profile named ABC01 on a PMIPv6 WLAN:

(Cisco Controller) >config wlan pmipv6 profile_name ABC01 16

Configure WPS Commands

Use the config wps commands to configure Wireless Protection System (WPS) settings.

config wps ap-authentication

To configure access point neighbor authentication, use the config wps ap-authentication command.

config wps ap-authentication [ enable | disable threshold threshold_value]

Syntax Description

enable

(Optional) Enables WMM on the wireless LAN.

disable

(Optional) Disables WMM on the wireless LAN.

threshold

(Optional) Specifies that WMM-enabled clients are on the wireless LAN.

threshold_value

Threshold value (1 to 255).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the access point neighbor authentication:


(Cisco Controller) > config wps ap-authentication threshold 25

config wps auto-immune

To enable or disable protection from Denial of Service (DoS) attacks, use the config wps auto-immune command.

config wps auto-immune { enable | disable | stop}

Syntax Description

enable

Enables the auto-immune feature.

disable

Disables the auto-immune feature.

stop

Stops dynamic auto-immune feature.

Command Default

Disabled

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

A potential attacker can use specially crafted packets to mislead the Intrusion Detection System (IDS) into treating a legitimate client as an attacker. This causes the controller to disconnect the legitimate client, which launches a DoS attack against that client. The auto-immune feature, when enabled, is designed to protect against such attacks. However, conversations using Cisco 792x phones might be interrupted intermittently when the auto-immune feature is enabled. If you experience frequent disruptions when using 792x phones, you might want to disable this feature.

Examples

The following example shows how to configure the auto-immune mode:


(Cisco Controller) > config wps auto-immune enable 

The following example shows how to stop the auto-immune mode:


(Cisco Controller) > config wps auto-immune stop 
Dynamic Auto Immune by WIPS is stopped

config wps cids-sensor

To configure Intrusion Detection System (IDS) sensors for the Wireless Protection System (WPS), use the config wps cids-sensor command.

config wps cids-sensor { [ add index ip_address username password] | [ delete index] | [ enable index] | [ disable index] | [ port index port] | [ interval index query_interval] | [ fingerprint sha1 fingerprint] }

Syntax Description

add

(Optional) Configures a new IDS sensor.

index

IDS sensor internal index.

ip_address

IDS sensor IP address.

username

IDS sensor username.

password

IDS sensor password.

delete

(Optional) Deletes an IDS sensor.

enable

(Optional) Enables an IDS sensor.

disable

(Optional) Disables an IDS sensor.

port

(Optional) Configures the IDS sensor’s port number.

port

Port number.

interval

(Optional) Specifies the IDS sensor’s query interval.

query_interval

Query interval setting.

fingerprint

(Optional) Specifies the IDS sensor’s TLS fingerprint.

sha1

(Optional) Specifies the TLS fingerprint.

fingerprint

TLS fingerprint.

Command Default

Command defaults are as follows:

Setting Default
Port 443
Query interval 60
Certification fingerprint 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Query state Disabled

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the intrusion detection system with the IDS index 1, IDS sensor IP address 10.0.0.51, IDS username Sensor_user0doc1, and IDS password password01:


(Cisco Controller) > config wps cids-sensor add 1 10.0.0.51 Sensor_user0doc1 password01

config wps client-exclusion

To configure client exclusion policies, use the config wps client-exclusion command.

config wps client-exclusion { 802.11-assoc | 802.11-auth | 802.1x-auth | ip-theft | web-auth | all} { enable | disable}

Syntax Description

802.11-assoc

Specifies that the controller excludes clients on the sixth 802.11 association attempt, after five consecutive failures.

802.11-auth

Specifies that the controller excludes clients on the sixth 802.11 authentication attempt, after five consecutive failures.

802.1x-auth

Specifies that the controller excludes clients on the sixth 802.1X authentication attempt, after five consecutive failures.

ip-theft

Specifies that the controller excludes clients if the IP address is already assigned to another device.

web-auth

Specifies that the controller excludes clients on the fourth web authentication attempt, after three consecutive failures.

all

Specifies that the controller excludes clients for all of the above reasons.

enable

Enables client exclusion policies.

disable

Disables client exclusion policies.

Command Default

All policies are enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the exclusion of clients on the sixth 802.11 association attempt, after five consecutive failures:


(Cisco Controller) > config wps client-exclusion 802.11-assoc disable

config wps client-exclusion 802.1x-auth

To configure client exclusion policies, use the config wps client-exclusion 802.1x-auth command.

config wps client-exclusion 802.1x-auth { enable | disable | max-1x-aaa-fail-attempts}

Syntax Description

802.1x-auth

Specifies that the controller excludes clients on the fourth 802.1X authentication attempt, after three failures.

enable

Enables client exclusion policies.

disable

Disables client exclusion policies.

max-1x-aaa-fail-attempts

Specifies that the controller excludes clients that reach the maximum number of failed 802.1X authentication attempts with the RADIUS server.

The maximum number of failed 802.1X authentication attempts ranges from 1 to 3; the default value is 3.

Command Default

All policies are enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the maximum number of failed 802.1X authentication attempts with the RADIUS server to 2:


(Cisco Controller) > config wps client-exclusion 802.1x-auth max-1x-aaa-fail-attempts 2

config wps mfp

To configure Management Frame Protection (MFP), use the config wps mfp command.

config wps mfp { infrastructure | ap-impersonation} { enable | disable}

Syntax Description

infrastructure

Configures the MFP infrastructure.

ap-impersonation

Configures AP impersonation detection by MFP.

enable

Enables the MFP feature.

disable

Disables the MFP feature.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the infrastructure MFP:


(Cisco Controller) > config wps mfp infrastructure enable

config wps shun-list re-sync

To force the controller to synchronize with other controllers in the mobility group for the shun list, use the config wps shun-list re-sync command.

config wps shun-list re-sync

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the controller to synchronize with other controllers for the shun list:


(Cisco Controller) > config wps shun-list re-sync

config wps signature

To enable or disable Intrusion Detection System (IDS) signature processing, or to enable or disable a specific IDS signature, use the config wps signature command.

config wps signature { standard | custom} state signature_id { enable | disable}

Syntax Description

standard

Configures a standard IDS signature.

custom

Configures a custom IDS signature.

state

Specifies the state of the IDS signature.

signature_id

Identifier for the signature to be enabled or disabled.

enable

Enables the IDS signature processing or a specific IDS signature.

disable

Disables IDS signature processing or a specific IDS signature.

Command Default

IDS signature processing is enabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.

Examples

The following example shows how to enable IDS signature processing, which enables the processing of all IDS signatures:


(Cisco Controller) >config wps signature enable

The following example shows how to disable a standard individual IDS signature:


(Cisco Controller) > config wps signature standard state 15 disable

config wps signature frequency

To specify the number of matching packets per interval that must be identified at the individual access point level before an attack is detected, use the config wps signature frequency command.

config wps signature frequency signature_id frequency

Syntax Description

signature_id

Identifier for the signature to be configured.

frequency

Number of matching packets per interval that must be identified at the individual access point level before an attack is detected. The range is 1 to 32,000 packets per interval.

Command Default

The frequency default value varies per signature.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.

Examples

The following example shows how to set the number of matching packets per interval per access point before an attack is detected to 1800 for signature ID 4:


(Cisco Controller) > config wps signature frequency 4 1800

config wps signature interval

To specify the number of seconds that must elapse before the signature frequency threshold is reached within the configured interval, use the config wps signature interval command.

config wps signature interval signature_id interval

Syntax Description

signature_id

Identifier for the signature to be configured.

interval

Number of seconds that must elapse before the signature frequency threshold is reached. The range is 1 to 3,600 seconds.

Command Default

The default value of interval varies per signature.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.

Examples

The following example shows how to set the number of seconds to elapse before reaching the signature frequency threshold to 200 for signature ID 1:


(Cisco Controller) > config wps signature interval 1 200

config wps signature mac-frequency

To specify the number of matching packets per interval that must be identified per client per access point before an attack is detected, use the config wps signature mac-frequency command.

config wps signature mac-frequency signature_id mac_frequency

Syntax Description

signature_id

Identifier for the signature to be configured.

mac_frequency

Number of matching packets per interval that must be identified per client per access point before an attack is detected. The range is 1 to 32,000 packets per interval.

Command Default

The mac_frequency default value varies per signature.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.

Examples

The following example shows how to set the number of matching packets per interval per client before an attack is detected to 50 for signature ID 3:


(Cisco Controller) > config wps signature mac-frequency 3 50

config wps signature quiet-time

To specify the length of time after which no attacks have been detected at the individual access point level and the alarm can stop, use the config wps signature quiet-time command.

config wps signature quiet-time signature_id quiet_time

Syntax Description

signature_id

Identifier for the signature to be configured.

quiet_time

Length of time after which no attacks have been detected at the individual access point level and the alarm can stop. The range is 60 to 32,000 seconds.

Command Default

The default value of quiet_time varies per signature.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.

Examples

The following example shows how to set the number of seconds after which no attacks have been detected per access point to 60 for signature ID 1:


(Cisco Controller) > config wps signature quiet-time 1 60
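How the four per-signature settings above (frequency, mac-frequency, interval, and quiet-time) combine is easiest to see on data. The following Python model is an added example, not Cisco code and not the controller's algorithm: it assumes fixed, non-overlapping windows of interval seconds, treats a threshold as met when the count is greater than or equal to it, and uses hypothetical names (SignatureConfig, classify, evaluate) with constructed AP names and packet events.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignatureConfig:
    """Per-signature tuning values; the ranges are the ones documented above."""
    signature_id: int
    frequency: int      # matching packets per interval, per AP (1-32000)
    mac_frequency: int  # matching packets per interval, per client per AP (1-32000)
    interval: int       # window length in seconds (1-3600)
    quiet_time: int     # seconds without a detection before the alarm stops (60-32000)

    def __post_init__(self):
        limits = {"frequency": (1, 32000), "mac_frequency": (1, 32000),
                  "interval": (1, 3600), "quiet_time": (60, 32000)}
        for field, (lo, hi) in limits.items():
            value = getattr(self, field)
            if not lo <= value <= hi:
                raise ValueError(f"{field}={value} outside documented range {lo}-{hi}")


def classify(cfg, per_client):
    """Return why one AP window counts as a detection, or None if it does not."""
    total = sum(per_client.values())
    if total >= cfg.frequency:            # AP-level threshold
        return "frequency"
    mac, count = per_client.most_common(1)[0]
    if count >= cfg.mac_frequency:        # per-client threshold
        return f"mac-frequency {mac}"
    return None


def evaluate(cfg, events, now):
    """events: (timestamp_s, ap_name, client_mac) for packets that already matched
    the signature. Returns sorted transitions (time_s, ap, 'raise'|'clear', detail)."""
    windows = defaultdict(lambda: defaultdict(Counter))  # ap -> window index -> MAC counts
    for ts, ap, mac in events:
        windows[ap][ts // cfg.interval][mac.lower()] += 1

    transitions = []
    for ap, by_index in windows.items():
        last_hit = None  # end of the latest detecting window while the alarm is up
        for index in sorted(by_index):
            window_end = (index + 1) * cfg.interval
            if window_end > now:
                break  # window still open; nothing to decide yet
            reason = classify(cfg, by_index[index])
            if reason is None:
                continue
            # A gap of quiet_time or more since the last detection ended the old alarm.
            if last_hit is not None and window_end - last_hit >= cfg.quiet_time:
                transitions.append((last_hit + cfg.quiet_time, ap, "clear", "quiet-time"))
                last_hit = None
            if last_hit is None:
                transitions.append((window_end, ap, "raise", reason))
            last_hit = window_end
        if last_hit is not None and now >= last_hit + cfg.quiet_time:
            transitions.append((last_hit + cfg.quiet_time, ap, "clear", "quiet-time"))
    return sorted(transitions)


def sample_events():
    """Constructed traffic for two constructed APs (not captured data)."""
    ev = [(i % 10, "ap-lab-1", "aa:aa:aa:00:00:01") for i in range(35)]       # window 0: one client, 35 pkts
    ev += [(10 + i % 10, "ap-lab-1", f"cc:cc:cc:00:00:{i % 20:02x}")          # window 1: 20 clients x 3 pkts
           for i in range(60)]
    ev += [(25, "ap-lab-1", "aa:aa:aa:00:00:01")] * 10                        # window 2: below both thresholds
    ev += [(120 + i % 10, "ap-lab-1", "bb:bb:bb:00:00:02") for i in range(31)]  # window 12: one client, 31 pkts
    ev += [(i % 10, "ap-lab-2", f"dd:dd:dd:00:00:{i % 8:02x}")                # 8 clients x 5 pkts: never alarms
           for i in range(40)]
    return ev


# Constructed tuning values, all inside the documented ranges.
SAMPLE_CFG = SignatureConfig(signature_id=1, frequency=50, mac_frequency=30,
                             interval=10, quiet_time=60)

if __name__ == "__main__":
    for row in evaluate(SAMPLE_CFG, sample_events(), now=150):
        print(row)
```

In the sample, the window-1 burst only meets the AP-level frequency threshold, yet it pushes the clear time from 70 to 80 seconds, which is the kind of interaction to check before lowering quiet-time on a noisy signature.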

config wps signature reset

To reset a specific Intrusion Detection System (IDS) signature or all IDS signatures to default values, use the config wps signature reset command.

config wps signature reset { signature_id | all}

Syntax Description

signature_id

Identifier for the specific IDS signature to be reset.

all

Resets all IDS signatures.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.

Examples

The following example shows how to reset the IDS signature 1 to default values:


(Cisco Controller) > config wps signature reset 1

Other Config Commands

This section lists the other config commands to configure the controller settings.

config aaa auth

To configure the AAA authentication search order for management users, use the config aaa auth command.

config aaa auth mgmt [ aaa_server_type1 | aaa_server_type2]

Syntax Description

mgmt

Configures the AAA authentication search order for controller management users by specifying up to three AAA authentication server types. The order that the server types are entered specifies the AAA authentication search order.

aaa_server_type

(Optional) AAA authentication server type (local, radius, or tacacs). The local setting specifies the local database, the radius setting specifies the RADIUS server, and the tacacs setting specifies the TACACS+ server.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can enter two AAA server types as long as one of the server types is local. You cannot enter radius and tacacs together.

Examples

The following example shows how to configure the AAA authentication search order for controller management users by the authentication server type local:

(Cisco Controller) > config aaa auth radius local

config aaa auth mgmt

To configure the order of authentication when multiple databases are configured, use the config aaa auth mgmt command.

config aaa auth mgmt [ radius | tacacs]

Syntax Description

radius

(Optional) Configures the order of authentication for RADIUS servers.

tacacs

(Optional) Configures the order of authentication for TACACS servers.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the order of authentication for the RADIUS server:

(Cisco Controller) > config aaa auth mgmt radius

The following example shows how to configure the order of authentication for the TACACS server:

(Cisco Controller) > config aaa auth mgmt tacacs

config acl apply

To apply an access control list (ACL) to the data path, use the config acl apply command.

config acl apply rule_name

Syntax Description

rule_name

ACL name that contains up to 32 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to apply an ACL to the data path:


(Cisco Controller) > config acl apply acl01

config acl counter

To see if packets are hitting any of the access control lists (ACLs) configured on your controller, use the config acl counter command.

config acl counter { start | stop}

Syntax Description

start

Enables ACL counters on your controller.

stop

Disables ACL counters on your controller.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

ACL counters are available only on the following controllers: 4400 series, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch.

Examples

The following example shows how to enable ACL counters on your controller:


(Cisco Controller) > config acl counter start

config acl cpu

To create a new access control list (ACL) rule that restricts the traffic reaching the CPU, use the config acl cpu command.

config acl cpu rule_name { wired | wireless | both}

Syntax Description

rule_name

Specifies the ACL name.

wired

Specifies an ACL on wired traffic.

wireless

Specifies an ACL on wireless traffic.

both

Specifies an ACL on both wired and wireless traffic.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command allows you to control the type of packets reaching the CPU.

Examples

The following example shows how to create an ACL named acl01 on the CPU and apply it to wired traffic:

(Cisco Controller) > config acl cpu acl01 wired

config acl create

To create a new access control list (ACL), use the config acl create command.

config acl create rule_name

Syntax Description

rule_name

ACL name that contains up to 32 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to create a new ACL:


(Cisco Controller) > config acl create acl01

config acl delete

To delete an access control list (ACL), use the config acl delete command.

config acl delete rule_name

Syntax Description

rule_name

ACL name that contains up to 32 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to delete an ACL named acl01 on the CPU:

(Cisco Controller) > config acl delete acl01

config acl rule

To configure ACL rules, use the config acl rule command.

config acl rule { action rule_name rule_index { permit | deny} | 
 add rule_name rule_index | 
 change index rule_name old_index new_index | 
 delete rule_name rule_index | 
 destination address rule_name rule_index ip_address netmask | 
 destination port range rule_name rule_index start_port end_port |
 direction rule_name rule_index { in | out | any} | 
 dscp rule_name rule_index dscp | 
 protocol rule_name rule_index protocol | 
 source address rule_name rule_index ip_address netmask | 
 source port range rule_name rule_index start_port end_port |
 swap index rule_name index_1 index_2}

Syntax Description

action

Configures whether to permit or deny access.

rule_name

ACL name that contains up to 32 alphanumeric characters.

rule_index

Rule index between 1 and 32.

permit

Permits the rule action.

deny

Denies the rule action.

add

Adds a new rule.

change

Changes a rule’s index.

index

Specifies a rule index.

delete

Deletes a rule.

destination address

Configures a rule’s destination IP address and netmask.

destination port range

Configures a rule’s destination port range.

ip_address

IP address of the rule.

netmask

Netmask of the rule.

start_port

Start port number (between 0 and 65535).

end_port

End port number (between 0 and 65535).

direction

Configures a rule’s direction to in, out, or any.

in

Configures a rule’s direction to in.

out

Configures a rule’s direction to out.

any

Configures a rule’s direction to any.

dscp

Configures a rule’s DSCP.

dscp

Number between 0 and 63, or any.

protocol

Configures a rule’s protocol.

protocol

Number between 0 and 255, or any.

source address

Configures a rule’s source IP address and netmask.

source port range

Configures a rule’s source port range.

swap

Swaps two rules’ indices.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to configure an ACL to permit access:

(Cisco Controller) > config acl rule action lab1 4 permit
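A change script can be checked against the argument ranges documented above before it is pasted into the CLI. The following Python linter is an added example, not Cisco code; it assumes dotted-decimal IPv4 values for ip_address and netmask, adds its own start_port/end_port ordering check, and all function names and the sample script are constructed for illustration.

```python
import ipaddress


def in_range(tok, lo, hi, allow_any=False):
    """True if tok is a decimal integer in [lo, hi], or the keyword 'any' when allowed."""
    if allow_any and tok == "any":
        return True
    return tok.isascii() and tok.isdigit() and lo <= int(tok) <= hi


def is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def one_of(*words):
    return lambda tok: tok in words


RULE_INDEX = ("rule index 1-32", lambda t: in_range(t, 1, 32))
PORT = ("port 0-65535", lambda t: in_range(t, 0, 65535))
ADDR = ("dotted IPv4 value", is_ipv4)  # assumption: ip_address and netmask are IPv4

# Subcommand keywords -> validators for the arguments that follow rule_name.
GRAMMAR = {
    ("action",): [RULE_INDEX, ("permit|deny", one_of("permit", "deny"))],
    ("add",): [RULE_INDEX],
    ("change", "index"): [RULE_INDEX, RULE_INDEX],
    ("delete",): [RULE_INDEX],
    ("destination", "address"): [RULE_INDEX, ADDR, ADDR],
    ("destination", "port", "range"): [RULE_INDEX, PORT, PORT],
    ("direction",): [RULE_INDEX, ("in|out|any", one_of("in", "out", "any"))],
    ("dscp",): [RULE_INDEX, ("dscp 0-63 or any", lambda t: in_range(t, 0, 63, True))],
    ("protocol",): [RULE_INDEX, ("protocol 0-255 or any", lambda t: in_range(t, 0, 255, True))],
    ("source", "address"): [RULE_INDEX, ADDR, ADDR],
    ("source", "port", "range"): [RULE_INDEX, PORT, PORT],
    ("swap", "index"): [RULE_INDEX, RULE_INDEX],
}


def lint(script):
    """Return [(line_number, message)] for every 'config acl rule' line that breaks the syntax."""
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        toks = raw.split()
        if toks[:3] != ["config", "acl", "rule"]:
            continue  # other commands are out of scope for this check
        rest = toks[3:]
        key = next((k for k in sorted(GRAMMAR, key=len, reverse=True)
                    if tuple(rest[:len(k)]) == k), None)
        if key is None:
            findings.append((lineno, "unknown subcommand"))
            continue
        args, spec = rest[len(key):], GRAMMAR[key]
        if len(args) != len(spec) + 1:
            findings.append((lineno, f"expected rule_name plus {len(spec)} argument(s)"))
            continue
        name, values = args[0], args[1:]
        if len(name) > 32:
            findings.append((lineno, "rule_name longer than 32 characters"))
        for (label, check), value in zip(spec, values):
            if not check(value):
                findings.append((lineno, f"{value!r} is not a valid {label}"))
        # Extra sanity check (not stated in the reference): start_port <= end_port.
        if key[-2:] == ("port", "range") and all(v.isdigit() for v in values[1:]) \
                and int(values[1]) > int(values[2]):
            findings.append((lineno, "start_port is greater than end_port"))
    return findings


# Constructed change script: lines 6-10 each contain one deliberate mistake.
SAMPLE = """\
config acl create acl01
config acl rule add acl01 1
config acl rule protocol acl01 1 6
config acl rule destination port range acl01 1 443 443
config acl rule action acl01 1 permit
config acl rule add acl01 33
config acl rule dscp acl01 1 64
config acl rule source port range acl01 1 2000 1000
config acl rule direction acl01 1 inbound
config acl rule protcol acl01 1 6
config acl apply acl01
"""

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```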

config auth-list add

To create an authorized access point entry, use the config auth-list add command.

config auth-list add { mic | ssc} AP_MAC [ AP_key]

Syntax Description

mic

Specifies that the access point has a manufacturer-installed certificate.

ssc

Specifies that the access point has a self-signed certificate.

AP_MAC

MAC address of a Cisco lightweight access point.

AP_key

(Optional) Key hash value that is equal to 20 bytes or 40 digits.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create an authorized access point entry with a manufacturer-installed certificate on MAC address 00:0b:85:02:0d:20:


(Cisco Controller) > config auth-list add mic 00:0b:85:02:0d:20

config auth-list delete

To delete an access point entry, use the config auth-list delete command.

config auth-list delete AP_MAC

Syntax Description

AP_MAC

MAC address of a Cisco lightweight access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete an access point entry for MAC address 00:1f:ca:cf:b6:60:


(Cisco Controller) > config auth-list delete 00:1f:ca:cf:b6:60

config auth-list ap-policy

To configure an access point authorization policy, use the config auth-list ap-policy command.

config auth-list ap-policy { authorize-ap { enable | disable} | ssc { enable | disable}}

Syntax Description

authorize-ap enable

Enables the authorization policy.

authorize-ap disable

Disables the AP authorization policy.

ssc enable

Allows APs with self-signed certificates to connect.

ssc disable

Prevents APs with self-signed certificates from connecting.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable an access point authorization policy:


(Cisco Controller) > config auth-list ap-policy authorize-ap enable

The following example shows how to enable an access point with a self-signed certificate to connect:


(Cisco Controller) > config auth-list ap-policy ssc enable

config boot

To change a Cisco wireless LAN controller boot option, use the config boot command.

config boot { primary | backup}

Syntax Description

primary

Sets the primary image as active.

backup

Sets the backup image as active.

Command Default

The default boot option is primary.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Each Cisco wireless LAN controller can boot off the primary, last-loaded operating system image (OS) or boot off the backup, earlier-loaded OS image.

Examples

The following example shows how to set the primary image as active so that the LAN controller can boot off the primary, last-loaded image:


(Cisco Controller) > config boot primary

The following example shows how to set the backup image as active so that the LAN controller can boot off the backup, earlier-loaded OS image:


(Cisco Controller) > config boot backup

config cdp

To configure the Cisco Discovery Protocol (CDP) on the controller, use the config cdp command.

config cdp { enable | disable | advertise-v2 { enable | disable} | timer seconds | holdtime holdtime_interval}

Syntax Description

enable

Enables CDP on the controller.

disable

Disables CDP on the controller.

advertise-v2

Configures CDP version 2 advertisements.

timer

Configures the interval at which CDP messages are to be generated.

seconds

Time interval at which CDP messages are to be generated. The range is from 5 to 254 seconds.

holdtime

Configures the amount of time to be advertised as the time-to-live value in generated CDP packets.

holdtime_interval

Maximum hold timer value. The range is from 10 to 255 seconds.

Command Default

The default value for CDP timer is 60 seconds.

The default value for CDP holdtime is 180 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the CDP maximum hold timer to 150 seconds:


(Cisco Controller) > config cdp holdtime 150

config certificate

To configure Secure Sockets Layer (SSL) certificates, use the config certificate command.

config certificate { generate { webadmin | webauth} | compatibility { on | off}}

Syntax Description

generate

Specifies authentication certificate generation settings.

webadmin

Generates a new web administration certificate.

webauth

Generates a new web authentication certificate.

compatibility

Specifies the compatibility mode for inter-Cisco wireless LAN controller IPsec settings.

on

Enables the compatibility mode.

off

Disables the compatibility mode.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to generate a new web administration SSL certificate:


(Cisco Controller) > config certificate generate webadmin
Creating a certificate may take some time. Do you wish to continue? (y/n)

The following example shows how to configure the compatibility mode for inter-Cisco wireless LAN controller IPsec settings:


(Cisco Controller) > config certificate compatibility

config certificate lsc

To configure Locally Significant Certificates (LSCs), use the config certificate lsc command.

config certificate lsc { enable | disable | ca-server http://url:port/path | ca-cert { add | delete} | 
 subject-params country state city orgn dept email | other-params keysize |
 ap-provision { auth-list { add | delete} ap_mac | revert-cert retries}}

Syntax Description

enable

Enables LSC certificates on the controller.

disable

Disables LSC certificates on the controller.

ca-server

Specifies the Certificate Authority (CA) server settings.

http://url:port/path

Domain name or IP address of the CA server.

ca-cert

Specifies CA certificate database settings.

add

Obtains a CA certificate from the CA server and adds it to the controller’s certificate database.

delete

Deletes a CA certificate from the controller’s certificate database.

subject-params

Specifies the device certificate settings.

country state city orgn dept email

Country, state, city, organization, department, and email of the certificate authority.

Note

The common name (CN) is generated automatically on the access point using the current MIC/SSC format Cxxxx-MacAddr, where xxxx is the product number.

other-params

Specifies the device certificate key size settings.

keysize

Value from 384 to 2048 (in bits); the default value is 2048.

ap-provision

Specifies the access point provision list settings.

auth-list

Specifies the provision list authorization settings.

ap_mac

MAC address of the access point to be added to or deleted from the provision list.

revert-cert

Specifies the number of times the access point attempts to join the controller using an LSC before reverting to the default certificate.

retries

Value from 0 to 255; the default value is 3.

Note

If you set the number of retries to 0 and the access point fails to join the controller using an LSC, the access point does not attempt to join the controller using the default certificate. If you are configuring LSC for the first time, we recommend that you configure a nonzero value.

Command Default

The default value of keysize is 2048 bits. 
The default value of retries is 3.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can configure only one CA server. To configure a different CA server, delete the configured CA server by using the config certificate lsc ca-server delete command, and then configure a different CA server.

If you configure an access point provision list, only the access points in the provision list are provisioned when you enable AP provisioning (in Step 8). If you do not configure an access point provision list, all access points with an MIC or SSC certificate that join the controller are LSC provisioned.

Examples

The following example shows how to enable the LSC settings:

(Cisco Controller) >config certificate lsc enable

The following example shows how to configure the Certificate Authority (CA) server settings for LSC:

(Cisco Controller) >config certificate lsc ca-server http://10.0.0.1:8080/caserver

The following example shows how to obtain a CA certificate from the CA server and add it to the controller’s certificate database:

(Cisco Controller) >config certificate lsc ca-cert add

The following example shows how to configure an LSC certificate with the keysize of 2048 bits:

(Cisco Controller) >config certificate lsc keysize 2048

config certificate ssc

To configure Self-Signed Certificates (SSCs), use the config certificate ssc command.

config certificate ssc hash validation { enable | disable}

Syntax Description

hash

Configures the SSC hash key.

validation

Configures hash validation of the SSC certificate.

enable

Enables hash validation of the SSC certificate.

disable

Disables hash validation of the SSC certificate.

Command Default

The SSC certificate is enabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable the SSC hash validation, an AP validates the SSC certificate of the virtual controller. When an AP validates the SSC certificate, it checks if the hash key of the virtual controller matches the hash key stored in its flash. If a match is found, the validation passes and the AP moves to the Run state. If a match is not found, the validation fails and the AP disconnects from the controller and restarts the discovery process. By default, hash validation is enabled. Hence, an AP must have the virtual controller hash key in its flash before associating with the virtual controller. If you disable hash validation of the SSC certificate, the AP bypasses the hash validation and directly moves to the Run state.

APs can associate with a physical controller, download the hash keys and then associate with a virtual controller. If the AP is associated to a physical controller and if hash validation is disabled, it joins any virtual controller without hash validation.

Examples

The following example shows how to enable hash validation of the SSC certificate:


(Cisco Controller) > config certificate ssc hash validation enable
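The LSC and SSC settings above include a few values that quietly weaken or break AP provisioning (a second CA server, an out-of-range key size, zero revert-cert retries, disabled hash validation). The following is an added example, not part of the Cisco reference: a Python lint pass over a controller command script that flags those cases. The function names, severity labels, and the sample script (including the address 10.0.0.2) are constructed for illustration.

```python
# Ranges and default taken from the config certificate lsc syntax description.
KEYSIZE_MIN, KEYSIZE_MAX, KEYSIZE_DEFAULT = 384, 2048, 2048
RETRIES_MIN, RETRIES_MAX = 0, 255
PROMPT = "(Cisco Controller)"

# Constructed sample script, not captured from a real controller.
SAMPLE = [
    "(Cisco Controller) >config certificate lsc ca-server http://10.0.0.1:8080/caserver",
    "(Cisco Controller) >config certificate lsc ca-server http://10.0.0.2:8080/caserver",
    "(Cisco Controller) >config certificate lsc other-params 1024",
    "(Cisco Controller) >config certificate lsc other-params 4096",
    "(Cisco Controller) >config certificate lsc ap-provision revert-cert 0",
    "(Cisco Controller) > config certificate ssc hash validation disable",
    "(Cisco Controller) > config certificate ssc hash validation enable",
]


def _tokens(line):
    """Strip an optional CLI prompt and split the command into words."""
    line = line.strip()
    if line.startswith(PROMPT):
        line = line[len(PROMPT):].lstrip().lstrip(">")
    return line.split()


def _in_range(value, low, high):
    return value.isdigit() and low <= int(value) <= high


def lint_certificate_config(lines):
    """Return (line_no, severity, message) tuples for config certificate lines."""
    findings = []
    ca_server = None  # the controller holds only one CA server at a time
    for no, raw in enumerate(lines, start=1):
        tok = _tokens(raw)
        if tok[:2] != ["config", "certificate"]:
            continue
        args = tok[2:]
        if args[:2] == ["lsc", "ca-server"] and len(args) == 3:
            if args[2] == "delete":
                ca_server = None
            elif ca_server is not None:
                findings.append((no, "error",
                                 f"CA server {ca_server} is already configured; "
                                 "delete it before configuring another"))
            else:
                ca_server = args[2]
        # Accept both the syntax-line form (other-params) and the form used
        # in the page's example (keysize).
        elif (args[:1] == ["lsc"] and len(args) == 3
              and args[1] in ("other-params", "keysize")):
            if not _in_range(args[2], KEYSIZE_MIN, KEYSIZE_MAX):
                findings.append((no, "error",
                                 f"keysize {args[2]} is outside "
                                 f"{KEYSIZE_MIN}-{KEYSIZE_MAX} bits"))
            elif int(args[2]) < KEYSIZE_DEFAULT:
                findings.append((no, "warning",
                                 f"keysize {args[2]} is below the documented "
                                 f"default of {KEYSIZE_DEFAULT} bits"))
        elif args[:3] == ["lsc", "ap-provision", "revert-cert"] and len(args) == 4:
            if not _in_range(args[3], RETRIES_MIN, RETRIES_MAX):
                findings.append((no, "error",
                                 f"retries {args[3]} is outside "
                                 f"{RETRIES_MIN}-{RETRIES_MAX}"))
            elif int(args[3]) == 0:
                findings.append((no, "warning",
                                 "retries 0: an AP that fails its LSC join does "
                                 "not fall back to the default certificate"))
        elif args == ["ssc", "hash", "validation", "disable"]:
            findings.append((no, "warning",
                             "hash validation disabled: APs move to the Run "
                             "state without checking the virtual controller's "
                             "hash key"))
    return findings


if __name__ == "__main__":
    for no, severity, message in lint_certificate_config(SAMPLE):
        print(f"line {no}: {severity}: {message}")
```
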

config certificate use-device-certificate webadmin

To use a device certificate for web administration, use the config certificate use-device-certificate webadmin command.

config certificate use-device-certificate webadmin

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to use a device certificate for web administration:


(Cisco Controller) > config certificate use-device-certificate webadmin
Use device certificate for web administration. Do you wish to continue? (y/n) y
Using device certificate for web administration.
Save configuration and restart controller to use new certificate.

config coredump

To enable or disable the generation of a core dump file by the controller following a crash, use the config coredump command.

config coredump { enable | disable}

Syntax Description

enable

Enables the controller to generate a core dump file.

disable

Prevents the controller from generating a core dump file.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the controller to generate a core dump file following a crash:


(Cisco Controller) > config coredump enable

config coredump ftp

To automatically upload a controller core dump file to an FTP server after experiencing a crash, use the config coredump ftp command.

config coredump ftp server_ip_address filename

Syntax Description

server_ip_address

IP address of the FTP server to which the controller sends its core dump file.

filename

Name given to the controller core dump file.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv4 address format.

Usage Guidelines

The controller must be able to reach the FTP server to use this command.

Examples

The following example shows how to configure the controller to upload a core dump file named core_dump_controller to an FTP server at network address 192.168.0.13 :


(Cisco Controller) > config coredump ftp 192.168.0.13 core_dump_controller

config coredump username

To specify the FTP server username and password when uploading a controller core dump file after experiencing a crash, use the config coredump username command.

config coredump username ftp_username password ftp_password

Syntax Description

ftp_username

FTP server login username.

ftp_password

FTP server login password.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The controller must be able to reach the FTP server to use this command.

Examples

The following example shows how to specify an FTP server username of admin and password adminpassword for the core dump file upload:


(Cisco Controller) > config coredump username admin password adminpassword

config country

To configure the controller’s country code, use the config country command.

config country country_code

Syntax Description

country_code

Two-letter or three-letter country code.

Command Default

us (country code of the United States of America).

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Controllers must be installed by a network administrator or qualified IT professional and the installer must select the proper country code. Following installation, access to the unit should be password-protected by the installer to maintain compliance with regulatory requirements and ensure proper unit functionality. See the related product guide for the most recent country codes and regulatory domains.

You can use the show country command to display a list of supported countries.

Examples

The following example shows how to configure the controller’s country code to DE:

(Cisco Controller) >config country DE 

config cts sxp

To configure Cisco TrustSec SXP (CTS) connections on the controller, use the config cts sxp command.

config cts sxp { enable | disable | connection { delete | peer} ip-address | default password password | retry period time-in-seconds}

Syntax Description

enable

Enables CTS connections on the controller.

disable

Disables CTS connections on the controller.

connection

Configures CTS connection on the controller.

delete

Deletes the CTS connection on the controller.

peer

Configures the next hop switch with which the controller is connected.

ip-address

IP address of the peer. Only IPv4 addresses are supported.

default password

Configures the default password for MD5 authentication of SXP messages.

password

Default password for MD5 Authentication of SXP messages. The password should contain a minimum of six characters.

retry period

Configures the SXP retry period.

time-in-seconds

Time after which a CTS connection is attempted again following a failure to connect.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For release 8.0, only IPv4 is supported for TrustSec SXP configuration.

Examples

The following example shows how to enable CTS on the controller:


(Cisco Controller) > config cts sxp enable

The following example shows how to configure a peer for a CTS connection:

(Cisco Controller) > config cts sxp connection peer 209.165.200.224

config cts sxp connection

To configure the CTS SXP connection on the controller, use the config cts sxp connection command.

config cts sxp connection { delete | peer} ipv4-addr

Syntax Description

delete

Deletes the SXP connection.

peer

Configures the next hop switch with which the controller is connected.

ipv4-addr

IPv4 address of the SXP connection.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

config cts sxp default password

To configure the default password for CTS SXP, use the config cts sxp default password command.

config cts sxp default password password

Syntax Description

password

Default password for MD5 Authentication of SXP messages. The password should contain a minimum of six characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

config cts sxp retry period

To configure the interval between CTS SXP connection reattempts, use the config cts sxp retry period command.

config cts sxp retry period time-in-seconds

Syntax Description

time-in-seconds

Time after which a CTS SXP connection is attempted again following a failure to connect. Valid range is between 0 and 64000 seconds.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

config custom-web ext-webauth-mode

To configure external URL web-based client authorization for the custom-web authentication page, use the config custom-web ext-webauth-mode command.

config custom-web ext-webauth-mode { enable | disable}

Syntax Description

enable

Enables the external URL web-based client authorization.

disable

Disables the external URL web-based client authentication.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the external URL web-based client authorization:


(Cisco Controller) > config custom-web ext-webauth-mode enable

config custom-web ext-webauth-url

To configure the complete external web authentication URL for the custom-web authentication page, use the config custom-web ext-webauth-url command.

config custom-web ext-webauth-url URL

Syntax Description

URL

URL used for web-based client authorization.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the complete external web authentication URL http://www.AuthorizationURL.com/ for the web-based client authorization:


(Cisco Controller) > config custom-web ext-webauth-url http://www.AuthorizationURL.com/

config custom-web ext-webserver

To configure an external web server, use the config custom-web ext-webserver command.

config custom-web ext-webserver { add index IP_address | delete index}

Syntax Description

add

Adds an external web server.

index

Index of the external web server in the list of external web servers. The index must be a number between 1 and 20.

IP_address

IP address of the external web server.

delete

Deletes an external web server.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv4 address format.

Examples

The following example shows how to add an external web server with index 2 and IP address 192.23.32.19:


(Cisco Controller) > config custom-web ext-webserver add 2 192.23.32.19

config custom-web logout-popup

To enable or disable the custom web authentication logout popup, use the config custom-web logout-popup command.

config custom-web logout-popup { enable | disable}

Syntax Description

enable

Enables the custom web authentication logout popup. This page appears after a successful login or a redirect of the custom web authentication page.

disable

Disables the custom web authentication logout popup.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the custom web authentication logout popup:


(Cisco Controller) > config custom-web logout-popup disable

config custom-web radiusauth

To configure the RADIUS web authentication method, use the config custom-web radiusauth command.

config custom-web radiusauth { chap | md5chap | pap}

Syntax Description

chap

Configures the RADIUS web authentication method as Challenge Handshake Authentication Protocol (CHAP).

md5chap

Configures the RADIUS web authentication method as Message Digest 5 CHAP (MD5-CHAP).

pap

Configures the RADIUS web authentication method as Password Authentication Protocol (PAP).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the RADIUS web authentication method as MD5-CHAP:


(Cisco Controller) > config custom-web radiusauth md5chap

config custom-web redirectUrl

To configure the redirect URL for the custom-web authentication page, use the config custom-web redirectUrl command.

config custom-web redirectUrl URL

Syntax Description

URL

Redirect URL for the custom-web authentication page.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the redirect URL to abc.com:


(Cisco Controller) > config custom-web redirectUrl abc.com

config custom-web sleep-client

To delete a web-authenticated sleeping client, use the config custom-web sleep-client command.

config custom-web sleep-client delete mac_address

Syntax Description

delete

Deletes a web-authenticated sleeping client with the help of the client MAC address.

mac_address

MAC address of the sleeping client.

Command Default

The web-authenticated sleeping client is not deleted.

Command History

Release Modification
7.5 This command was introduced.

Examples

The following example shows how to delete a web-authenticated sleeping client:


(Cisco Controller) > config custom-web sleep-client delete 0:18:74:c7:c0:90

config custom-web webauth-type

To configure the type of web authentication, use the config custom-web webauth-type command.

config custom-web webauth-type { internal | customized | external}

Syntax Description

internal

Configures the web authentication type to internal.

customized

Configures the web authentication type to customized.

external

Configures the web authentication type to external.

Command Default

The default web authentication type is internal.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the web authentication type as internal:


(Cisco Controller) > config custom-web webauth-type internal

config custom-web weblogo

To configure the web authentication logo for the custom-web authentication page, use the config custom-web weblogo command.

config custom-web weblogo { enable | disable}

Syntax Description

enable

Enables the web authentication logo settings.

disable

Disables the web authentication logo settings.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the web authentication logo:


(Cisco Controller) > config custom-web weblogo enable

config custom-web webmessage

To configure the custom web authentication message text for the custom-web authentication page, use the config custom-web webmessage command.

config custom-web webmessage message

Syntax Description

message

Message text for web authentication.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the message text Thisistheplace for web authentication:


(Cisco Controller) > config custom-web webmessage Thisistheplace

config custom-web webtitle

To configure the web authentication title text for the custom-web authentication page, use the config custom-web webtitle command.

config custom-web webtitle title

Syntax Description

title

Custom title text for web authentication.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the custom title text Helpdesk for web authentication:


(Cisco Controller) > config custom-web webtitle Helpdesk

config database size

To configure the size of the local database, use the config database size command.

config database size count

Syntax Description

count

Database size value between 512 and 2040.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the show database command to display local database configuration.

Examples

The following example shows how to configure the size of the local database:


(Cisco Controller) > config database size 1024

config dhcp

To configure the internal DHCP, use the config dhcp command.

config dhcp { address-pool scope start end | create-scope scope | 
 default-router scope router_1 [ router_2] [ router_3] | delete-scope scope | disable scope | 
 dns-servers scope dns1 [ dns2] [ dns3] | domain scope domain | 
 enable scope | lease scope lease_duration | 
 netbios-name-server scope wins1 [ wins2] [ wins3] | 
 network scope network netmask}

config dhcp opt-82 remote-id { ap_mac | ap_mac:ssid | ap-ethmac | apname:ssid | ap-group-name | flex-group-name | ap-location | apmac-vlan_id | apname-vlan_id | ap-ethmac-ssid }

Syntax Description

address-pool scope start end

Configures an address range to allocate. You must specify the scope name and the first and last addresses of the address range.

create-scope name

Creates a new DHCP scope. You must specify the scope name.

default-router scope router_1 [router_2] [router_3]

Configures the default routers for the specified scope. You must specify the scope name and the IP address of a router. Optionally, you can specify the IP addresses of secondary and tertiary routers.

delete-scope scope

Deletes the specified DHCP scope.

disable scope

Disables the specified DHCP scope.

dns-servers scope dns1 [dns2] [dns3]

Configures the name servers for the given scope. You must also specify at least one name server. Optionally, you can specify secondary and tertiary name servers.

domain scope domain

Configures the DNS domain name. You must specify the scope and domain names.

enable scope

Enables the specified DHCP scope.

lease scope lease_duration

Configures the lease duration (in seconds) for the specified scope.

netbios-name-server scope wins1 [wins2] [wins3]

Configures the NetBIOS name servers. You must specify the scope name and the IP address of a name server. Optionally, you can specify the IP addresses of secondary and tertiary name servers.

network scope network netmask

Configures the network and netmask. You must specify the scope name, the network address, and the network mask.

opt-82 remote-id

Configures the DHCP option 82 remote ID field format.

DHCP option 82 provides additional security when DHCP is used to allocate network addresses. The controller acts as a DHCP relay agent to prevent DHCP client requests from untrusted sources. The controller adds option 82 information to DHCP requests from clients before forwarding the requests to the DHCP server.

ap_mac

Adds the MAC address of the access point to the DHCP option 82 payload.

ap_mac:ssid

Adds the MAC address and SSID of the access point to the DHCP option 82 payload.

ap-ethmac

Remote ID format as AP Ethernet MAC address.

apname:ssid

Remote ID format as AP name:SSID.

ap-group-name

Remote ID format as AP group name.

flex-group-name

Remote ID format as FlexConnect group name.

ap-location

Remote ID format as AP location.

apmac-vlan_id

Remote ID format as AP radio MAC address:VLAN_ID.

apname-vlan_id

Remote ID format as AP Name:VLAN_ID.

ap-ethmac-ssid

Remote ID format as AP Ethernet MAC:SSID address.

Command Default

The default value for ap-group-name is default-group, and for ap-location, the default value is default location.

If ap-group-name and flex-group-name are null, the system MAC is sent as the remote ID field.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the show dhcp command to display the internal DHCP configuration.

Examples

The following example shows how to configure the DHCP lease for the scope 003:


(Cisco Controller) >config dhcp lease 003

config dhcp proxy

To specify the level at which DHCP packets are modified, use the config dhcp proxy command.

config dhcp proxy { enable | disable { bootp-broadcast [ enable | disable]}}

Syntax Description

enable

Allows the controller to modify the DHCP packets without a limit.

disable

Reduces the DHCP packet modification to the level of a relay.

bootp-broadcast

Configures DHCP BootP broadcast option.

Command Default

DHCP is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the show dhcp proxy command to display the status of DHCP proxy handling.

To enable third-party WGB support, you must enable the passive-client feature on the wireless LAN by entering the config wlan passive-client enable command.

Examples

The following example shows how to disable the DHCP packet modification:


(Cisco Controller) >config dhcp proxy disable

The following example shows how to enable the DHCP BootP broadcast option:

(Cisco Controller) >config dhcp proxy disable bootp-broadcast enable

config dhcp timeout

To configure a DHCP timeout value, use the config dhcp timeout command. If you have configured a WLAN to be in DHCP required state, this timer controls how long the controller will wait for a client to get a DHCP lease through DHCP.

config dhcp timeout timeout-value

Syntax Description

timeout-value

Timeout value in the range of 5 to 120 seconds.

Command Default

The default timeout value is 120 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the DHCP timeout to 10 seconds:

(Cisco Controller) >config dhcp timeout 10

config exclusionlist

To create or delete an exclusion list entry, use the config exclusionlist command.

config exclusionlist { add MAC [ description] | delete MAC | description MAC [ description]}

Syntax Description

config exclusionlist

Configures the exclusion list.

add

Creates a local exclusion-list entry.

delete

Deletes a local exclusion-list entry.

description

Specifies the description for an exclusion-list entry.

MAC

MAC address of the local excluded entry.

description

(Optional) Description, up to 32 characters, for an excluded entry.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:

(Cisco Controller) > config exclusionlist add xx:xx:xx:xx:xx:xx lab

The following example shows how to delete a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:

(Cisco Controller) > config exclusionlist delete xx:xx:xx:xx:xx:xx

config flexconnect [ipv6] acl

To apply access control lists that are configured on a FlexConnect access point, use the config flexconnect [ipv6] acl command. Use the ipv6 keyword to configure IPv6 FlexConnect ACLs.

config flexconnect [ ipv6] acl { apply | create | delete} acl_name

Syntax Description

ipv6

Use this option to configure IPv6 FlexConnect ACLs. If you don't use this option, then IPv4 FlexConnect ACLs will be configured.

apply

Applies an ACL to the data path.

create

Creates an ACL.

delete

Deletes an ACL.

acl_name

ACL name that contains up to 32 alphanumeric characters.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.8 IPv6 ACL option was introduced.

Examples

The following example shows how to apply the IPv4 ACL configured on a FlexConnect access point:

(Cisco Controller) >config flexconnect acl apply acl1

config flexconnect [ipv6] acl rule

To configure access control list (ACL) rules on a FlexConnect access point, use the config flexconnect [ipv6] acl rule command.

config flexconnect [ ipv6] acl rule { action rule_name rule_index { permit | deny} | 
 add rule_name rule_index | 
 change index rule_name old_index new_index | 
 delete rule_name rule_index | 
 destination address rule_name rule_index ip_address netmask | 
 destination port range rule_name rule_index start_port end_port |
 direction rule_name rule_index { in | out | any} | 
 dscp rule_name rule_index dscp | 
 protocol rule_name rule_index protocol | 
 source address rule_name rule_index ip_address netmask | 
 source port range rule_name rule_index start_port end_port |
 swap index rule_name index_1 index_2}

Syntax Description

ipv6

Use this option to configure IPv6 FlexConnect ACL rules. If you don't use this option, then IPv4 FlexConnect ACL rules will be configured.

action

Configures whether to permit or deny access.

rule_name

ACL name that contains up to 32 alphanumeric characters.

rule_index

Rule index between 1 and 32.

permit

Permits the rule action.

deny

Denies the rule action.

add

Adds a new rule.

change

Changes a rule’s index.

index

Specifies a rule index.

delete

Deletes a rule.

destination address

Configures a rule’s destination IP address and netmask.

ip_address

IP address of the rule.

netmask

Netmask of the rule.

start_port

Start port number (between 0 and 65535).

end_port

End port number (between 0 and 65535).

direction

Configures a rule’s direction to in, out, or any.

in

Configures a rule’s direction to in.

out

Configures a rule’s direction to out.

any

Configures a rule’s direction to any.

dscp

Configures a rule’s DSCP.

dscp

Number between 0 and 63, or any.

protocol

Configures a rule’s protocol.

protocol

Number between 0 and 255, or any.

source address

Configures a rule’s source IP address and netmask.

source port range

Configures a rule’s source port range.

swap

Swaps two rules’ indices.

index_1

The first rule index to swap.

index_2

The rule index to swap the first index with.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.8 IPv6 ACL option was introduced.

Examples

This example shows how to configure an ACL to permit access:

(Cisco Controller) >config flexconnect acl rule action lab1 4 permit
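Because each rule field is set by a separate sub-command, a rule can be left half-configured or given an out-of-range value. The following added example (not part of the Cisco reference) is a Python generator that validates the documented ranges and emits the full IPv4 command sequence for an ACL. The function names, the CIDR input form, the order in which the sub-commands are emitted, the extra characters allowed in ACL names, and the sample rules are assumptions.

```python
import ipaddress
import re

# Assumption: '-' and '_' are accepted in ACL names (the page's own examples use '-').
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
RULE = "config flexconnect acl rule"


def _num_or_any(label, value, high):
    """Render a 0..high integer field, or the literal keyword 'any'."""
    if value == "any":
        return "any"
    if isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= high:
        return str(value)
    raise ValueError(f"{label} must be 0-{high} or 'any', got {value!r}")


def _port_range(label, ports):
    start, end = ports
    if not 0 <= start <= end <= 65535:
        raise ValueError(f"{label} port range {start}-{end} is not within 0-65535")
    return f"{start} {end}"


def _address(cidr):
    """Turn '10.20.0.0/16' into 'ip_address netmask'; host bits set is an error."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def rule_commands(acl, index, action, direction="any", protocol="any",
                  dscp="any", src=None, dst=None, src_ports=None, dst_ports=None):
    """Return the CLI lines that fully define one IPv4 FlexConnect ACL rule."""
    if not NAME_RE.match(acl):
        raise ValueError(f"ACL name {acl!r} must be 1-32 characters")
    if not 1 <= index <= 32:
        raise ValueError(f"rule index {index} must be between 1 and 32")
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {action!r}")
    if direction not in ("in", "out", "any"):
        raise ValueError(f"direction must be in, out or any, got {direction!r}")
    target = f"{acl} {index}"
    cmds = [
        f"{RULE} add {target}",
        f"{RULE} action {target} {action}",
        f"{RULE} direction {target} {direction}",
        f"{RULE} protocol {target} {_num_or_any('protocol', protocol, 255)}",
        f"{RULE} dscp {target} {_num_or_any('dscp', dscp, 63)}",
    ]
    if src is not None:
        cmds.append(f"{RULE} source address {target} {_address(src)}")
    if dst is not None:
        cmds.append(f"{RULE} destination address {target} {_address(dst)}")
    if src_ports is not None:
        cmds.append(f"{RULE} source port range {target} {_port_range('source', src_ports)}")
    if dst_ports is not None:
        cmds.append(
            f"{RULE} destination port range {target} {_port_range('destination', dst_ports)}")
    return cmds


def acl_commands(acl, rules):
    """Create the ACL, define every rule, then apply the ACL to the data path."""
    cmds = [f"config flexconnect acl create {acl}"]
    seen = set()
    for rule in rules:
        if rule["index"] in seen:
            raise ValueError(f"duplicate rule index {rule['index']}")
        seen.add(rule["index"])
        cmds += rule_commands(acl, **rule)
    cmds.append(f"config flexconnect acl apply {acl}")
    return cmds


# Constructed sample: permit inbound TCP (protocol 6) to 10.20.0.0/16 port 443,
# then an explicit deny for everything else.
SAMPLE_RULES = [
    dict(index=1, action="permit", direction="in", protocol=6,
         dst="10.20.0.0/16", dst_ports=(443, 443)),
    dict(index=2, action="deny"),
]

if __name__ == "__main__":
    print("\n".join(acl_commands("lab1", SAMPLE_RULES)))
```
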

config flexconnect [ipv6] acl url-domain

To configure a URL domain-based rule for a FlexConnect ACL, use the config flexconnect [ipv6] acl url-domain command.

config flexconnect [ ipv6] acl url-domain { action acl-name index action | add acl-name index | delete acl-name index | url acl-name index url-name}

Syntax Description

ipv6

Use this option to configure URL domain-based rules for IPv6 FlexConnect ACLs. If you don't use this option, then IPv4 FlexConnect ACL rules will be configured.

action acl-name index action

Configures the action for the FlexConnect ACL rule, whether to permit or deny access.

add acl-name index

Adds URL domain to the FlexConnect ACL.

delete acl-name index

Deletes the URL domain from the FlexConnect ACL.

url acl-name index url-name

Configures the URL name in the FlexConnect ACL.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.8 IPv6 ACL option was introduced.

Examples

This example shows how to configure a URL-based rule for an IPv6 FlexConnect ACL:

(Cisco Controller) >config flexconnect ipv6 acl url-domain action acls-to-allow 2 permit

config flexconnect group vlan

To configure a VLAN for a FlexConnect group, use the config flexconnect group vlan command.

config flexconnect group group_name vlan { add vlan-id acl in-aclname out-aclname | delete vlan-id}

Syntax Description

group_name

FlexConnect group name.

add

Adds a VLAN for the FlexConnect group.

vlan-id

VLAN ID.

acl

Specifies an access control list.

in-aclname

In-bound ACL name.

out-aclname

Out-bound ACL name.

delete

Deletes a VLAN from the FlexConnect group.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add VLAN ID 1 for the FlexConnect group myflexacl where the in-bound ACL name is in-acl and the out-bound ACL is out-acl:

(Cisco Controller) >config flexconnect group myflexacl vlan add 1 acl in-acl out-acl

config flexconnect group web-auth

To configure Web-Auth ACL for a FlexConnect group, use the config flexconnect group web-auth command.

config flexconnect group group_name web-auth wlan wlan-id acl acl-name { enable | disable}

Syntax Description

group_name

FlexConnect group name.

wlan-id

WLAN ID.

acl-name

ACL name.

enable

Enables the Web-Auth ACL for a FlexConnect group.

disable

Disables the Web-Auth ACL for a FlexConnect group.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable Web-Auth ACL webauthacl for the FlexConnect group myflexacl on WLAN ID 1:

(Cisco Controller) >config flexconnect group myflexacl web-auth wlan 1 acl webauthacl enable

config flexconnect group web-policy

To configure Web Policy ACL for a FlexConnect group, use the config flexconnect group web-policy command.

config flexconnect group group_name web-policy acl { add | delete} acl-name

Syntax Description

group_name

FlexConnect group name.

add

Adds the Web Policy ACL.

delete

Deletes the Web Policy ACL.

acl-name

Name of the Web Policy ACL.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add the Web Policy ACL mywebpolicyacl to the FlexConnect group myflexacl:

(Cisco Controller) >config flexconnect group myflexacl web-policy acl add mywebpolicyacl

config flexconnect join min-latency

To enable or disable the access point to choose the controller with the least latency when joining, use the config flexconnect join min-latency command.

config flexconnect join min-latency { enable | disable} cisco_ap

Syntax Description

enable

Enables the access point to choose the controller with the least latency when joining.

disable

Prevents the access point from choosing the controller with the least latency when joining.

cisco_ap

Cisco lightweight access point.

Command Default

The access point cannot choose the controller with the least latency when joining.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

When you enable this feature, the access point calculates the time between the discovery request and discovery response and joins the controller that responds first. This command is supported only on the following controller releases:
  • Cisco 2500 Series Controller
  • Cisco 5500 Series Controller
  • Cisco Flex 7500 Series Controllers
  • Cisco 8500 Series Controllers
  • Cisco Wireless Services Module 2

This configuration overrides the HA setting on the controller, and is applicable only for OEAP access points.

Examples

The following example shows how to enable the access point to choose the controller with the least latency when joining:

(Cisco Controller) >config flexconnect join min-latency enable CISCO_AP

config flexconnect office-extend

To configure FlexConnect mode for an OfficeExtend access point, use the config flexconnect office-extend command.

config flexconnect office-extend {{ enable | disable} cisco_ap | clear-personalssid-config cisco_ap}

Syntax Description

enable

Enables the OfficeExtend mode for an access point.

disable

Disables the OfficeExtend mode for an access point.

clear-personalssid-config

Clears only the access point’s personal SSID.

cisco_ap

Cisco lightweight access point.

Command Default

OfficeExtend mode is enabled automatically when you enable FlexConnect mode on the access point.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Currently, only Cisco Aironet 1130 series and 1140 series access points that are joined to a Cisco 5500 Series Controller with a WPlus license can be configured to operate as OfficeExtend access points.

Rogue detection is disabled automatically when you enable the OfficeExtend mode for an access point. OfficeExtend access points, which are deployed in a home environment, are likely to detect a large number of rogue devices. You can enable or disable rogue detection for a specific access point or for all access points by using the config rogue detection command.

DTLS data encryption is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable DTLS data encryption for a specific access point or for all access points by using the config ap link-encryption command.

Telnet and SSH access are disabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable Telnet or SSH access for a specific access point by using the config ap telnet or config ap ssh command.

Link latency is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable link latency for a specific access point or for all access points currently associated to the controller by using the config ap link-latency command.

Examples

The following example shows how to enable the office-extend mode for the access point Cisco_ap:

(Cisco Controller) >config flexconnect office-extend enable Cisco_ap

The following example shows how to clear only the access point’s personal SSID for the access point Cisco_ap:

(Cisco Controller) >config flexconnect office-extend clear-personalssid-config Cisco_ap

config interface acl

To configure the access control list of an interface, use the config interface acl command.

config interface acl { ap-manager | management | interface_name} { ACL | none}

Syntax Description

ap-manager

Configures the access point manager interface.

management

Configures the management interface.

interface_name

Interface name.

ACL

ACL name up to 32 alphanumeric characters.

none

Specifies none.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to configure an access control list with a value None:


(Cisco Controller) > config interface acl management none

config interface create

To create a dynamic interface (VLAN) for wired guest user access, use the config interface create command.

config interface create interface_name vlan-id

Syntax Description

interface_name

Interface name.

vlan-id

VLAN identifier.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create a dynamic interface with the interface named lab2 and VLAN ID 6:


(Cisco Controller) > config interface create lab2 6

config interface delete

To delete a dynamic interface, use the config interface delete command.

config interface delete interface-name

Syntax Description

interface-name

Interface name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete a dynamic interface named VLAN501:


(Cisco Controller) > config interface delete VLAN501

config interface address

To configure interface addresses, use the config interface address command.

config interface address { dynamic-interface dynamic_interface netmask gateway | management | redundancy-management IP_address peer-redundancy-management | service-port netmask | virtual} IP_address

Syntax Description

dynamic-interface

Configures the dynamic interface of the controller.

dynamic_interface

Dynamic interface of the controller.

IP_address

IP address of the interface.

netmask

Netmask of the interface.

gateway

Gateway of the interface.

management

Configures the management interface IP address.

redundancy-management

Configures redundancy management interface IP address.

peer-redundancy-management

Configures the peer redundancy management interface IP address.

service-port

Configures the out-of-band service port.

virtual

Configures the virtual gateway interface.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Ensure that the management interfaces of both controllers are in the same subnet. Ensure that the redundant management IP address for both controllers is the same and that the peer redundant management IP address for both the controllers is the same.

Examples

The following example shows how to configure a redundancy management interface on the controller:

(Cisco Controller) >config interface address redundancy-management 209.4.120.5 peer-redundancy-management 209.4.120.6

The following example shows how to configure a virtual interface:

(Cisco Controller) > config interface address virtual 10.10.10.1

config interface ap-manager

To enable or disable access point manager features on the management or dynamic interface, use the config interface ap-manager command.

config interface ap-manager { management | interface_name} { enable | disable}

Syntax Description

management

Specifies the management interface.

interface_name

Dynamic interface name.

enable

Enables access point manager features on a dynamic interface.

disable

Disables access point manager features on a dynamic interface.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the management option to enable or disable dynamic AP management for the management interface. For Cisco 5500 Series Controllers, the management interface acts like an AP-manager interface by default. If desired, you can disable the management interface as an AP-manager interface and create another dynamic interface as an AP manager.

When you enable this feature for a dynamic interface, the dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.

Examples

The following example shows how to disable access point manager features on the interface myinterface:


(Cisco Controller) > config interface ap-manager myinterface disable

config interface group

To add an interface to the existing interface group, use the config interface group command.

config interface group {{ create interface-group-name interface-group-description} | { delete interface-group-name} | { interface { add | delete} interface-group-name interface-name} | { description interface-group-name interface-group-description}}

Syntax Description

create

Adds a new interface group.

interface-group-name

Interface group’s name.

interface-group-description

Interface group’s description to be entered within double quotation marks. You can enter up to 32 characters.

delete

Deletes an interface group.

interface

Edits the list of interfaces represented by the interface group.

add

Adds a new interface to the interface group.

delete

Deletes an interface from the interface group.

description

Configures the description for an interface group.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a new interface group with the name int-grp-10:

(Cisco Controller) > config interface group create int-grp-10 "for wlan1"

config interface hostname

To configure the Domain Name System (DNS) hostname of the virtual gateway interface, use the config interface hostname command.

config interface hostname virtual DNS_host

Syntax Description

virtual

Specifies the virtual gateway interface to use the specified virtual address of the fully qualified DNS name.

The virtual gateway IP address is any fictitious, unassigned IP address, such as 192.0.2.1, to be used by Layer 3 security and mobility managers.

DNS_host

DNS hostname.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the virtual gateway interface to use the specified virtual address of the fully qualified DNS hostname DNS_Host:


(Cisco Controller) > config interface hostname virtual DNS_Host

config interface nat-address

To deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT), use the config interface nat-address command.

config interface nat-address { management | dynamic-interface interface_name} {{ enable | disable} | { set public_IP_address}}

Syntax Description

management

Specifies the management interface.

dynamic-interface interface_name

Specifies the dynamic interface name.

enable

Enables one-to-one mapping NAT on the interface.

disable

Disables one-to-one mapping NAT on the interface.

public_IP_address

External NAT IP address.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

These NAT commands can be used only on Cisco 5500 Series Controllers and only if the management interface is configured for dynamic AP management.

These commands are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. They do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.

Examples

The following example shows how to enable one-to-one mapping NAT on the management interface:


(Cisco Controller) > config interface nat-address management enable

The following example shows how to set the external NAT IP address 10.10.10.10 on the management interface:


(Cisco Controller) > config interface nat-address management set 10.10.10.10

config interface port

To map a physical port to the interface (if a link aggregation trunk is not configured), use the config interface port command.

config interface port { management | interface_name | redundancy-management} primary_port [ secondary_port]

Syntax Description

management

Specifies the management interface.

interface_name

Interface name.

redundancy-management

Specifies the redundancy management interface.

primary_port

Primary physical port number.

secondary_port

(Optional) Secondary physical port number.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can use the management option for all controllers except the Cisco 5500 Series Controllers.

Examples

The following example shows how to configure the primary port number of the lab02 interface to 3:


(Cisco Controller) > config interface port lab02 3

config interface quarantine vlan

To configure a quarantine VLAN on any dynamic interface, use the config interface quarantine vlan command.

config interface quarantine vlan interface-name vlan_id

Syntax Description

interface-name

Interface’s name.

vlan_id

VLAN identifier.

Note

Enter 0 to disable quarantine processing.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a quarantine VLAN on the quarantine interface with the VLAN ID 10:


(Cisco Controller) > config interface quarantine vlan quarantine 10

config interface vlan

To configure an interface VLAN identifier, use the config interface vlan command.

config interface vlan { ap-manager | management | interface-name | redundancy-management} vlan

Syntax Description

ap-manager

Configures the access point manager interface.

management

Configures the management interface.

interface-name

Interface name.

vlan

VLAN identifier.

redundancy-management

Specifies the redundancy management interface.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You cannot change the redundancy management VLAN when the system redundancy management interface is mapped to the redundancy port. You must configure the redundancy management port first.

Examples

The following example shows how to configure VLAN ID 10 on the management interface:


(Cisco Controller) > config interface vlan management 10

config known ap

To configure a known Cisco lightweight access point, use the config known ap command.

config known ap { add | alert | delete} MAC

Syntax Description

add

Adds a new known access point entry.

alert

Generates a trap upon detection of the access point.

delete

Deletes an existing known access point entry.

MAC

MAC address of the known Cisco lightweight access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a new access point entry ac:10:02:72:2f:bf on a known access point:

(Cisco Controller) >config known ap add ac:10:02:72:2f:bf 12

config lag

To enable or disable link aggregation (LAG), use the config lag command.

config lag { enable | disable}

Syntax Description

enable

Enables the link aggregation (LAG) settings.

disable

Disables the link aggregation (LAG) settings.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable LAG settings:


(Cisco Controller) > config lag enable
Enabling LAG will map your current interfaces setting to LAG interface,
All dynamic AP Manager interfaces and Untagged interfaces will be deleted
All WLANs will be disabled and mapped to Mgmt interface
Are you sure you want to continue? (y/n)
You must now reboot for the settings to take effect.


The following example shows how to disable LAG settings:


(Cisco Controller) > config lag disable
Disabling LAG will map all existing interfaces to port 1.
Are you sure you want to continue? (y/n)
You must now reboot for the settings to take effect.

config ldap

To configure the Lightweight Directory Access Protocol (LDAP) server settings, use the config ldap command.

config ldap { add | delete | enable | disable | retransmit-timeout | retry | user | security-mode | simple-bind} index

config ldap add index server_ip_address port user_base user_attr user_type [ secure]

config ldap retransmit-timeout index retransmit-timeout

config ldap retry attempts

config ldap user { attr index user-attr | base index user-base | type index user-type}

config ldap security-mode { enable | disable} index

config ldap simple-bind { anonymous index | authenticated index username password}

Syntax Description

add

Specifies that an LDAP server is being added.

delete

Specifies that an LDAP server is being deleted.

enable

Specifies that an LDAP server is enabled.

disable

Specifies that an LDAP server is disabled.

retransmit-timeout

Changes the default retransmit timeout for an LDAP server.

retry

Configures the retry attempts for an LDAP server.

user

Configures the user search parameters.

security-mode

Configures the security mode.

simple-bind

Configures the local authentication bind method.

anonymous

Allows anonymous access to the LDAP server.

authenticated

Specifies that a username and password be entered to secure access to the LDAP server.

index

LDAP server index. The range is from 1 to 17.

server_ip_address

IP address of the LDAP server.

port

Port number.

user_base

Distinguished name for the subtree that contains all of the users.

user_attr

Attribute that contains the username.

user_type

ObjectType that identifies the user.

secure

(Optional) Specifies that Transport Layer Security (TLS) is used.

retransmit-timeout

Retransmit timeout for an LDAP server. The range is from 2 to 30.

attempts

Number of attempts that each LDAP server is retried.

attr

Configures the attribute that contains the username.

base

Configures the distinguished name of the subtree that contains all the users.

type

Configures the user type.

username

Username for the authenticated bind method.

password

Password for the authenticated bind method.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
7.6 The secure keyword was added to support secure LDAP.

Usage Guidelines

When you enable secure LDAP, the controller does not validate the server certificate.

Examples

The following example shows how to enable LDAP server index 10:


(Cisco Controller) > config ldap enable 10

config ldap add

To configure a Lightweight Directory Access Protocol (LDAP) server, use the config ldap add command.

config ldap add index server_ip_address port user_base user_attr user_type secure

Syntax Description

index

LDAP server index.

server_ip_address

IP address of the LDAP server.

port

Port number.

user_base

Distinguished name for the subtree that contains all of the users.

user_attr

Attribute that contains the username.

user_type

ObjectType that identifies the user.

secure

Secure mode.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
7.6 The secure keyword was added to support secure LDAP.

Examples

The following example shows how to configure an LDAP server with the index 10, server IP address 209.165.201.30, port number 2:


(Cisco Controller) > config ldap add 10 209.165.201.30 2 base_name attr_name type_name 

The following example shows how to configure an LDAP server with the index 10, server IP address 209.165.201.30, port number 2 with secure mode:


(Cisco Controller) > config ldap add 10 209.165.201.30 2 base_name attr_name type_name secure 

config ldap simple-bind

To configure the local authentication bind method for the Lightweight Directory Access Protocol (LDAP) server, use the config ldap simple-bind command.

config ldap simple-bind { anonymous index | authenticated index username password}

Syntax Description

anonymous

Allows anonymous access to the LDAP server.

index

LDAP server index.

authenticated

Specifies that a username and password be entered to secure access to the LDAP server.

username

Username for the authenticated bind method.

password

Password for the authenticated bind method.

Command Default

The default bind method is anonymous.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the local authentication bind method that allows anonymous access to the LDAP server:


(Cisco Controller) > config ldap simple-bind anonymous
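
The config ldap add and config ldap simple-bind settings described above interact: a server added without secure uses no TLS, secure does not validate the server certificate, and a server with no simple-bind line keeps the anonymous default. The following audit sketch is an added example, not part of the Cisco command reference; it assumes the configuration is available as CLI lines in the syntax documented here, the sample lines are constructed, and the names parse_ldap, audit and the finding codes are hypothetical.

```python
"""Audit 'config ldap' lines, written in the syntax documented on this page."""
import shlex
from dataclasses import dataclass

# Constructed sample input (not captured from a real controller). Addresses
# other than 209.165.201.30, the DNs, bind users and passwords are made up.
SAMPLE_CONFIG = """\
config ldap add 1 209.165.201.30 389 ou=people,dc=example,dc=com uid Person
config ldap add 2 209.165.201.31 636 ou=people,dc=example,dc=com uid Person secure
config ldap simple-bind authenticated 2 wlc-bind ExamplePass1
config ldap add 3 209.165.201.32 636 ou=staff,dc=example,dc=com uid Person secure
config ldap simple-bind anonymous 3
config ldap add 4 209.165.201.33 389 ou=lab,dc=example,dc=com uid Person
config ldap simple-bind authenticated 4 lab-bind ExamplePass2
config ldap add 5 209.165.201.34 389 ou=old,dc=example,dc=com uid Person
config ldap delete 5
"""


@dataclass
class LdapServer:
    index: int
    address: str
    port: int
    secure: bool                 # 'secure' keyword given on 'config ldap add'
    bind: str = "anonymous"      # documented default bind method
    bind_user: str = ""


def _tokens(line):
    """Split one CLI line; fall back to whitespace splitting on bad quoting."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def parse_ldap(config_text):
    """Replay add / delete / simple-bind lines in order; return {index: LdapServer}."""
    servers = {}
    for line in config_text.splitlines():
        tok = _tokens(line)
        if tok[:2] != ["config", "ldap"] or len(tok) < 4:
            continue
        verb, args = tok[2], tok[3:]
        if verb == "add" and len(args) >= 6 and args[0].isdigit() and args[2].isdigit():
            servers[int(args[0])] = LdapServer(
                int(args[0]), args[1], int(args[2]), secure=args[6:7] == ["secure"])
        elif verb == "delete" and args[0].isdigit():
            servers.pop(int(args[0]), None)
        elif verb == "simple-bind" and len(args) >= 2 and args[1].isdigit():
            server = servers.get(int(args[1]))
            if server and args[0] in ("anonymous", "authenticated"):
                server.bind = args[0]
                server.bind_user = args[2] if args[0] == "authenticated" and len(args) > 2 else ""
    return servers


def audit(servers):
    """Return (index, code, message) findings, ordered by server index."""
    findings = []
    for idx, s in sorted(servers.items()):
        if not 1 <= idx <= 17:
            findings.append((idx, "BAD_INDEX", "index outside the documented range 1 to 17"))
        if s.secure:
            findings.append((idx, "TLS_UNVERIFIED",
                             "TLS is used, but the controller does not validate the server certificate"))
        else:
            findings.append((idx, "NO_TLS", "server added without the secure keyword"))
        if s.bind == "anonymous":
            findings.append((idx, "ANON_BIND", "anonymous bind (explicit or by default)"))
        elif not s.secure:
            findings.append((idx, "CLEARTEXT_PASSWORD",
                             f"simple-bind password for {s.bind_user} is sent without TLS"))
    return findings


if __name__ == "__main__":
    for idx, code, message in audit(parse_ldap(SAMPLE_CONFIG)):
        print(f"ldap server {idx}: {code}: {message}")
```

Server 1 is reported for anonymous bind even though no simple-bind line names it, because the documented default applies.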

config license agent

To configure the license agent on the Cisco 5500 Series Controller, use the config license agent command.

config license agent { default { disable | authenticate [ none]}} { listener http { disable | { plaintext | encrypt} url authenticate [ acl acl_name] { max-message size [ none]}} { max-session sessions} { notify { disable | url} username password}

Syntax Description

default

Specifies the default license agent.

disable

Disables the feature.

authenticate

Enables authentication.

none

(Optional) Disables authentication.

listener http

Configures the license agent to receive license requests from the Cisco License Manager (CLM).

plaintext

Disables encryption (HTTP).

encrypt

Enables encryption (HTTPS).

url

URL where the license agent receives the requests.

acl

(Optional) Specifies the access control list.

acl_name

Specifies the access control list for license requests.

max-message

Specifies the maximum message size for license requests.

size

Maximum message size for license request is from 0 to 65535.

max-session

Specifies the maximum number of sessions allowed.

sessions

Maximum number of sessions allowed for the license agent is from 1 to 25.

notify

Configures the license agent to send license notifications to the CLM.

username

Username used in license agent notification.

password

Password used in license agent notification.

Command Default

The license agent is disabled by default.

The listener is disabled by default.

Notify is disabled by default.

The default maximum number of sessions is 9.

The default maximum message size is 0.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If your network contains various Cisco licensed devices, you might consider using the CLM to manage all of the licenses using a single application. CLM is a secure client/server application that manages Cisco software licenses network wide.

The license agent is an interface module that runs on the controller and mediates between CLM and the controller’s licensing infrastructure. CLM can communicate with the controller using various channels, such as HTTP, Telnet, and so on. If you want to use HTTP as the communication method, you must enable the license agent on the controller.

The license agent receives requests from the CLM and translates them into license commands. It also sends notifications to the CLM. It uses XML messages over HTTP or HTTPS to receive the requests and send the notifications. For example, if the CLM sends a license clear command, the agent notifies the CLM after the license expires.


Note


You can download the CLM software and access user documentation at this URL: http://www.cisco.com/c/en/us/products/cloud-systems-management/license-manager/index.html


Examples

The following example shows how to authenticate the default license agent settings:


(Cisco Controller) > config license agent default authenticate

The following example shows how to configure the license agent with the number of maximum sessions allowed as 5:


(Cisco Controller) > config license agent max-session 5

config license boot

To specify the license level to be used on the next reboot of the Cisco 5500 Series Controller, use the config license boot command.

config license boot { base | wplus | auto}

Syntax Description

base

Specifies the base boot level.

wplus

Specifies the wplus boot level.

auto

Specifies the auto boot level.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you enter auto, the licensing software automatically chooses the license level to use on the next reboot. It generally chooses permanent licenses over evaluation licenses and wplus licenses over base licenses.


Note


If you are considering upgrading from a base license to a wplus license, you can try an evaluation wplus license before upgrading to a permanent wplus license. To activate the evaluation license, you need to set the image level to wplus in order for the controller to use the wplus evaluation license instead of the base permanent license.



Note


To prevent disruptions in operation, the controller does not switch licenses when an evaluation license expires. You must reboot the controller in order to return to a permanent license. Following a reboot, the controller defaults to the same feature set level as the expired evaluation license. If no permanent license at the same feature set level is installed, the controller uses a permanent license at another level or an unexpired evaluation license.


Examples

The following example shows how to set the license boot settings to wplus:


(Cisco Controller) > config license boot wplus

config load-balancing

To globally configure aggressive load balancing on the controller, use the config load-balancing command.

config load-balancing { window client_count | status { enable | disable} | denial denial_count}

config load-balancing uplink-threshold traffic_threshold

Syntax Description

window

Specifies the aggressive load balancing client window.

client_count

Aggressive load balancing client window with the number of clients from 1 to 20.

status

Sets the load balancing status.

enable

Enables load balancing feature.

disable

Disables load balancing feature.

denial

Specifies the number of association denials during load balancing.

denial_count

Maximum number of association denials during load balancing, from 0 to 10.

uplink-threshold

Specifies the threshold traffic for an access point to deny new associations.

traffic_threshold

Threshold traffic for an access point to deny new associations. This value is a percentage of the WAN utilization measured over a 90-second interval. For example, the default threshold value of 50 triggers the load balancing upon detecting a utilization of 50% or more on an access point WAN interface.

Command Default

By default, the aggressive load balancing is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Load-balancing-enabled WLANs do not support time-sensitive applications like voice and video because of roaming delays.

When you use Cisco 7921 and 7920 Wireless IP Phones with controllers, make sure that aggressive load balancing is disabled on the voice WLANs for each controller. Otherwise, the initial roam attempt by the phone might fail, causing a disruption in the audio path.

Clients can only be load balanced across access points joined to the same controller. The WAN utilization is calculated as a percentage using the following formula:

(Transmitted Data Rate (per second) + Received Data Rate (per second)) / (1000 Mbps TX + 1000 Mbps RX) * 100

Examples

The following example shows how to enable the aggressive load-balancing settings:


(Cisco Controller) > config load-balancing aggressive enable

config local-auth active-timeout

To specify the amount of time in which the controller attempts to authenticate wireless clients using local Extensible Authentication Protocol (EAP) after any pair of configured RADIUS servers fails, use the config local-auth active-timeout command.

config local-auth active-timeout timeout

Syntax Description

timeout

Timeout measured in seconds. The range is from 1 to 3600.

Command Default

The default timeout value is 100 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the active timeout to authenticate wireless clients using EAP to 500 seconds:


(Cisco Controller) > config local-auth active-timeout 500

config local-auth eap-profile

To configure local Extensible Authentication Protocol (EAP) authentication profiles, use the config local-auth eap-profile command.

config local-auth eap-profile {[ add | delete] profile_name | cert-issuer { cisco | vendor} | method method local-cert { enable | disable} profile_name | method method client-cert { enable | disable} profile_name | method method peer-verify ca-issuer { enable | disable} | method method peer-verify cn-verify { enable | disable} | method method peer-verify date-valid { enable | disable}}

Syntax Description

add

(Optional) Specifies that an EAP profile or method is being added.

delete

(Optional) Specifies that an EAP profile or method is being deleted.

profile_name

EAP profile name (up to 63 alphanumeric characters). Do not include spaces within a profile name.

cert-issuer

(For use with EAP-TLS, PEAP, or EAP-FAST with certificates) Specifies the issuer of the certificates that will be sent to the client. The supported certificate issuers are Cisco or a third-party vendor.

cisco

Specifies the Cisco certificate issuer.

vendor

Specifies the third-party vendor.

method

Configures an EAP profile method.

method

EAP profile method name. The supported methods are leap, fast, tls, and peap.

local-cert

(For use with EAP-FAST) Specifies whether the device certificate on the controller is required for authentication.

enable

Specifies that the parameter is enabled.

disable

Specifies that the parameter is disabled.

client-cert

(For use with EAP-FAST) Specifies whether wireless clients are required to send their device certificates to the controller in order to authenticate.

peer-verify

Configures the peer certificate verification options.

ca-issuer

(For use with EAP-TLS or EAP-FAST with certificates) Specifies whether the incoming certificate from the client is to be validated against the Certificate Authority (CA) certificates on the controller.

cn-verify

(For use with EAP-TLS or EAP-FAST with certificates) Specifies whether the common name (CN) in the incoming certificate is to be validated against the CA certificates’ CN on the controller.

date-valid

(For use with EAP-TLS or EAP-FAST with certificates) Specifies whether the controller is to verify that the incoming device certificate is still valid and has not expired.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create a local EAP profile named FAST01:


(Cisco Controller) > config local-auth eap-profile add FAST01

The following example shows how to add the EAP-FAST method to a local EAP profile:

(Cisco Controller) > config local-auth eap-profile method add fast FAST01

The following example shows how to specify Cisco as the issuer of the certificates that will be sent to the client for an EAP-FAST profile:

(Cisco Controller) > config local-auth eap-profile method fast cert-issuer cisco

The following example shows how to specify that the incoming certificate from the client be validated against the CA certificates on the controller:

(Cisco Controller) > config local-auth eap-profile method fast peer-verify ca-issuer enable

config local-auth method fast

To configure an EAP-FAST profile, use the config local-auth method fast command.

config local-auth method fast { anon-prov [ enable | disable] | authority-id auth_id pac-ttl days | server-key key_value}

Syntax Description

anon-prov

Configures the controller to allow anonymous provisioning, which allows PACs to be sent automatically to clients that do not have one during Protected Access Credentials (PAC) provisioning.

enable

(Optional) Specifies that the parameter is enabled.

disable

(Optional) Specifies that the parameter is disabled.

authority-id

Configures the authority identifier of the local EAP-FAST server.

auth_id

Authority identifier of the local EAP-FAST server (2 to 32 hexadecimal digits).

pac-ttl

Configures the number of days for the Protected Access Credentials (PAC) to remain viable (also known as the time-to-live [TTL] value).

days

Time-to-live (TTL) value (1 to 1000 days).

server-key

Configures the server key to encrypt or decrypt PACs.

key_value

Encryption key value (2 to 32 hexadecimal digits).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to prevent the controller from allowing anonymous provisioning:

(Cisco Controller) > config local-auth method fast anon-prov disable

The following example shows how to configure the authority identifier 0125631177 of the local EAP-FAST server:

(Cisco Controller) > config local-auth method fast authority-id 0125631177

The following example shows how to configure the number of days to 10 for the PAC to remain viable:

(Cisco Controller) > config local-auth method fast pac-ttl 10

config local-auth user-credentials

To configure the local Extensible Authentication Protocol (EAP) authentication database search order for user credentials, use the config local-auth user-credentials command.

config local-auth user-credentials { local [ ldap] | ldap [ local] }

Syntax Description

local

Specifies that the local database is searched for the user credentials.

ldap

(Optional) Specifies that the Lightweight Directory Access Protocol (LDAP) database is searched for the user credentials.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The order of the specified database parameters indicates the database search order.

Examples

The following example shows how to specify the order in which the local EAP authentication database is searched:

(Cisco Controller) > config local-auth user-credentials local ldap

In the above example, the local database is searched first and then the LDAP database.

config location

To configure a location-based system, use the config location command.

config location { algorithm { simple | rssi-average} |
{ rssi-half-life | expiry} [ client | calibrating-client | tags | rogue-aps] seconds |
 notify-threshold [ client | tags | rogue-aps] threshold | 
 interface-mapping { add | delete} location wlan_id interface_name | 
 plm { client { enable | disable} burst_interval | calibrating { enable | disable} { uniband | multiband}}}

Syntax Description

algorithm

Note

We recommend that you do not use or modify the config location algorithm command. It is set to optimal default values.

Configures the algorithm used to average RSSI and SNR values.

simple

Specifies a faster algorithm that requires low CPU overhead but provides less accuracy.

rssi-average

Specifies a more accurate algorithm but requires more CPU overhead.

rssi-half-life

Note

We recommend that you do not use or modify the config location rssi-half-life command. It is set to optimal default values.

Configures the half-life when averaging two RSSI readings.

expiry

Note

We recommend that you do not use or modify the config location expiry command. It is set to optimal default values.

Configures the timeout for RSSI values.

client

(Optional) Specifies the parameter applies to client devices.

calibrating-client

(Optional) Specifies the parameter is used for calibrating client devices.

tags

(Optional) Specifies the parameter applies to radio frequency identification (RFID) tags.

rogue-aps

(Optional) Specifies the parameter applies to rogue access points.

seconds

Time value (0, 1, 2, 5, 10, 20, 30, 60, 90, 120, 180, 300 seconds).

notify-threshold

Note

We recommend that you do not use or modify the config location notify-threshold command. It is set to optimal default values.

Specifies the NMSP notification threshold for RSSI measurements.

threshold

Threshold parameter. The range is 0 to 10 dB, and the default value is 0 dB.

interface-mapping

Adds or deletes a new location, wireless LAN, or interface mapping element.

wlan_id

WLAN identification name.

interface_name

Name of interface to which mapping element applies.

plm

Specifies the path loss measurement (S60) request for normal clients or calibrating clients.

client

Specifies normal, noncalibrating clients.

burst_interval

Burst interval. The range is from 1 to 3600 seconds, and the default value is 60 seconds.

calibrating

Specifies calibrating clients.

uniband

Specifies the associated 802.11a or 802.11b/g radio (uniband).

multiband

Specifies the associated 802.11a/b/g radio (multiband).

Command Default

See the “Syntax Description” section for default values of individual arguments and keywords.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify the simple algorithm for averaging RSSI and SNR values on a location-based controller:


(Cisco Controller) > config location algorithm simple

config logging buffered

To set the severity level for logging messages to the controller buffer, use the config logging buffered command.

config logging buffered security_level

Syntax Description

security_level

Severity level. Choose one of the following:

  • emergencies—Severity level 0

  • alerts—Severity level 1

  • critical—Severity level 2

  • errors—Severity level 3

  • warnings—Severity level 4

  • notifications—Severity level 5

  • informational—Severity level 6

  • debugging—Severity level 7

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the controller buffer severity level for logging messages to 4:


(Cisco Controller) > config logging buffered 4

config logging console

To set the severity level for logging messages to the controller console, use the config logging console command.

config logging console security_level

Syntax Description

security_level

Severity level. Choose one of the following:

  • emergencies—Severity level 0

  • alerts—Severity level 1

  • critical—Severity level 2

  • errors—Severity level 3

  • warnings—Severity level 4

  • notifications—Severity level 5

  • informational—Severity level 6

  • debugging—Severity level 7

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the controller console severity level for logging messages to 3:


(Cisco Controller) > config logging console 3

config logging debug

To save debug messages to the controller buffer, the controller console, or a syslog server, use the config logging debug command.

config logging debug { buffered | console | syslog} { enable | disable}

Syntax Description

buffered

Saves debug messages to the controller buffer.

console

Saves debug messages to the controller console.

syslog

Saves debug messages to the syslog server.

enable

Enables logging of debug messages.

disable

Disables logging of debug messages.

Command Default

The console command is enabled and the buffered and syslog commands are disabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to save the debug messages to the controller console:


(Cisco Controller) > config logging debug console enable

config logging fileinfo

To cause the controller to include information about the source file in the message logs or to prevent the controller from displaying this information, use the config logging fileinfo command.

config logging fileinfo { enable | disable}

Syntax Description

enable

Includes information about the source file in the message logs.

disable

Prevents the controller from displaying information about the source file in the message logs.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the controller to include information about the source file in the message logs:


(Cisco Controller) > config logging fileinfo enable

config logging procinfo

To cause the controller to include process information in the message logs or to prevent the controller from displaying this information, use the config logging procinfo command.

config logging procinfo { enable | disable}

Syntax Description

enable

Includes process information in the message logs.

disable

Prevents the controller from displaying process information in the message logs.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the controller to include the process information in the message logs:


(Cisco Controller) > config logging procinfo enable

config logging syslog facility ap

To configure the syslog facility to AP, use the config logging syslog facility ap { associate | disassociate} { enable | disable} command.

config logging syslog facility AP

Syntax Description

AP

Facility AP. Has the following functions:

  • associate—Association syslog for AP

  • disassociate—Disassociation syslog for AP

Command Default

None

Command History

Release Modification
7.5 This command was introduced in a release earlier than Release 7.5.

Examples

The following example shows how to configure syslog facility for AP:


(Cisco Controller) > config logging syslog facility ap

config logging syslog host

To configure a remote host for sending syslog messages, use the config logging syslog host command.

config logging syslog host ip_addr

Syntax Description

ip_addr

IP address for the remote host.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.

Usage Guidelines

  • To configure a remote host for sending syslog messages, use the config logging syslog host ip_addr command.

  • To remove a remote host that was configured for sending syslog messages, use the config logging syslog host ip_addr delete command.

  • To display the configured syslog servers on the controller, use the show logging command.

Examples

The following example shows how to configure two remote hosts, 10.92.125.52 and 2001:9:6:40::623, for sending syslog messages and how to display the configured syslog servers on the controller:


(Cisco Controller) > config logging syslog host 10.92.125.52
System logs will be sent to 10.92.125.52 from now on

(Cisco Controller) > config logging syslog host 2001:9:6:40::623
System logs will be sent to 2001:9:6:40::623 from now on

(Cisco Controller) > show logging
Logging to buffer :
- Logging of system messages to buffer :
 - Logging filter level.......................... errors
 - Number of system messages logged.............. 1316
 - Number of system messages dropped............. 6892
- Logging of debug messages to buffer ........... Disabled
 - Number of debug messages logged............... 0
 - Number of debug messages dropped.............. 0
- Cache of logging  ............................. Disabled
- Cache of logging time(mins) ................... 10080
- Number of over cache time log dropped  ........ 0
Logging to console :
- Logging of system messages to console :
 - Logging filter level.......................... disabled
 - Number of system messages logged.............. 0
 - Number of system messages dropped............. 8243
- Logging of debug messages to console .......... Enabled
 - Number of debug messages logged............... 0
 - Number of debug messages dropped.............. 0
Logging to syslog :
- Syslog facility................................ local0
- Logging of system messages to console :
 - Logging filter level.......................... disabled
 - Number of system messages logged.............. 0
 - Number of system messages dropped............. 8208
- Logging of debug messages to console .......... Enabled
 - Number of debug messages logged............... 0
 - Number of debug messages dropped.............. 0
- Logging of system messages to syslog :
 - Logging filter level.......................... errors
 - Number of system messages logged.............. 1316
 - Number of system messages dropped............. 6892
- Logging of debug messages to syslog ........... Disabled
 - Number of debug messages logged............... 0
 - Number of debug messages dropped.............. 0
- Number of remote syslog hosts.................. 2
- syslog over tls................................ Disabled
  - Host 0....................................... 10.92.125.52
  - Host 1....................................... 2001:9:6:40::623
  - Host 2.......................................
Logging of RFC 5424.............................. Disabled
Logging of Debug messages to file :
- Logging of Debug messages to file.............. Disabled
- Number of debug messages logged................ 0
- Number of debug messages dropped............... 0
Logging of traceback............................. Enabled

The following example shows how to remove the two remote hosts, 10.92.125.52 and 2001:9:6:40::623, that were configured for sending syslog messages and how to verify that the configured syslog servers were removed from the controller:


(Cisco Controller) > config logging syslog host 10.92.125.52 delete
System logs will not be sent to 10.92.125.52 anymore

(Cisco Controller) > config logging syslog host 2001:9:6:40::623 delete
System logs will not be sent to 2001:9:6:40::623 anymore

(Cisco Controller) > show logging

Logging to buffer :
- Logging of system messages to buffer :
 - Logging filter level.......................... errors
 - Number of system messages logged.............. 1316
 - Number of system messages dropped............. 6895
- Logging of debug messages to buffer ........... Disabled
 - Number of debug messages logged............... 0
 - Number of debug messages dropped.............. 0
- Cache of logging  ............................. Disabled
- Cache of logging time(mins) ................... 10080
- Number of over cache time log dropped  ........ 0
Logging to console :
- Logging of system messages to console :
 - Logging filter level.......................... disabled
 - Number of system messages logged.............. 0
 - Number of system messages dropped............. 8211
- Logging of debug messages to console .......... Enabled
 - Number of debug messages logged............... 0
 - Number of debug messages dropped.............. 0
Logging to syslog :
- Syslog facility................................ local0
- Logging of system messages to syslog :
 - Logging filter level.......................... errors
 - Number of system messages logged.............. 1316
 - Number of system messages dropped............. 6895
- Logging of debug messages to syslog ........... Disabled
 - Number of debug messages logged............... 0
 - Number of debug messages dropped.............. 0
- Number of remote syslog hosts.................. 0
- syslog over tls................................ Disabled
  - Host 0.......................................
  - Host 1.......................................
  - Host 2.......................................
Logging of RFC 5424.............................. Disabled
Logging of Debug messages to file :
- Logging of Debug messages to file.............. Disabled
- Number of debug messages logged................ 0
- Number of debug messages dropped............... 0
Logging of traceback............................. Enabled
- Traceback logging level........................ errors
Logging of source file informational............. Enabled
Timestamping of messages.........................
- Timestamping of system messages................ Enabled
 - Timestamp format.............................. Date and Time
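The following check is an added example, not part of the Cisco reference: it parses the show logging output format shown above and reports remote-logging gaps (no syslog host, syslog over TLS not enabled, timestamps not confirmed). The function names and finding codes are assumptions of the example; the embedded sample is an excerpt of the first output above.

```python
import re

# Excerpt of the first "show logging" output above (syslog section and tail).
SAMPLE = """\
Logging to syslog :
- Syslog facility................................ local0
- Logging of system messages to syslog :
 - Logging filter level.......................... errors
 - Number of system messages logged.............. 1316
 - Number of system messages dropped............. 6892
- Logging of debug messages to syslog ........... Disabled
 - Number of debug messages logged............... 0
 - Number of debug messages dropped.............. 0
- Number of remote syslog hosts.................. 2
- syslog over tls................................ Disabled
  - Host 0....................................... 10.92.125.52
  - Host 1....................................... 2001:9:6:40::623
  - Host 2.......................................
Logging of RFC 5424.............................. Disabled
Logging of traceback............................. Enabled
"""

# "key......... value" lines; the value may be empty (unused host slot).
KV = re.compile(r"^(\s*)(-\s*)?(.*?)\s*\.{3,}\s*(.*?)\s*$")
# "key :" lines that only open a block.
HEADER = re.compile(r"^(\s*)(-\s*)?(.*?)\s*:\s*$")


def parse_show_logging(text):
    """Return [(path, value)], where path is the tuple of enclosing keys.

    Nesting follows the layout of the output: no dash is level 0,
    "- " in column 0 is level 1, an indented "- " is level 2.
    """
    records, path = [], []
    for line in text.splitlines():
        m = KV.match(line)
        is_kv = m is not None
        if not is_kv:
            m = HEADER.match(line)
            if m is None:
                continue  # prompts, blank lines, confirmation messages
        indent, dash, key = m.group(1), m.group(2), m.group(3)
        level = 0 if not dash else (1 if not indent else 2)
        path = path[:level] + [key]
        if is_kv:
            records.append((tuple(path), m.group(4)))
    return records


def lookup(records, *suffix):
    """First value whose path ends with the given keys, or None."""
    for path, value in records:
        if path[-len(suffix):] == suffix:
            return value
    return None


def audit_remote_logging(records):
    """Return [(code, detail)] describing gaps in remote logging."""
    findings = []
    hosts = [v for p, v in records
             if p[0] == "Logging to syslog" and p[-1].startswith("Host ") and v]
    declared = lookup(records, "Logging to syslog", "Number of remote syslog hosts")
    if declared is not None and declared.isdigit() and int(declared) != len(hosts):
        findings.append(("HOST_COUNT_MISMATCH",
                         f"{declared} declared, {len(hosts)} listed"))
    if not hosts:
        findings.append(("NO_REMOTE_HOST", "messages are kept only on the controller"))
    elif lookup(records, "Logging to syslog", "syslog over tls") != "Enabled":
        findings.append(("SYSLOG_NOT_OVER_TLS", ", ".join(hosts)))
    stamps = lookup(records, "Timestamping of system messages")
    if stamps is None:
        findings.append(("TIMESTAMPS_UNKNOWN", "line absent from this output"))
    elif stamps != "Enabled":
        findings.append(("TIMESTAMPS_OFF", "see config service timestamps"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_remote_logging(parse_show_logging(SAMPLE)):
        print(f"{code}: {detail}")
```
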

config logging syslog level

To set the severity level for filtering syslog messages to the remote host, use the config logging syslog level command.

config logging syslog level severity_level

Syntax Description

severity_level

Severity level. Choose one of the following:

  • emergencies—Severity level 0

  • alerts—Severity level 1

  • critical—Severity level 2

  • errors—Severity level 3

  • warnings—Severity level 4

  • notifications—Severity level 5

  • informational—Severity level 6

  • debugging—Severity level 7

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the severity level for syslog messages to 3:


(Cisco Controller) > config logging syslog level 3

config loginsession close

To close all active Telnet sessions, use the config loginsession close command.

config loginsession close { session_id | all}

Syntax Description

session_id

ID of the session to close.

all

Closes all Telnet sessions.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to close all active Telnet sessions:


(Cisco Controller) > config loginsession close all

config lsc mesh

To enable the locally significant certificate (LSC) on mesh access points, use the config lsc mesh command.

config lsc mesh { enable | disable}

Syntax Description

enable

Enables LSC on mesh access points.

disable

Disables LSC on mesh access points.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable LSC on mesh access points:

(Cisco Controller) > config lsc mesh enable

config nmsp notify-interval measurement

To modify the Network Mobility Services Protocol (NMSP) notification interval value on the controller to address latency in the network, use the config nmsp notify-interval measurement command.

config nmsp notify-interval measurement { client | rfid | rogue} interval

Syntax Description

client

Modifies the interval for clients.

rfid

Modifies the interval for active radio frequency identification (RFID) tags.

rogue

Modifies the interval for rogue access points and rogue clients.

interval

Time interval. The range is from 1 to 30 seconds.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The TCP port (16113) that the controller and location appliance communicate over must be open (not blocked) on any firewall that exists between the controller and the location appliance for NMSP to function.

Examples

The following example shows how to modify the NMSP notification interval for the active RFID tags to 25 seconds:


(Cisco Controller) > config nmsp notify-interval measurement rfid 25

config paging

To enable or disable scrolling of the page, use the config paging command.

config paging { enable | disable}

Syntax Description

enable

Enables the scrolling of the page.

disable

Disables the scrolling of the page.

Command Default

By default, scrolling of the page is enabled.

Usage Guidelines

Commands that produce a huge number of lines of output with the scrolling of the page disabled might result in the termination of SSH/Telnet connection or user session on the console.

Examples

The following example shows how to enable scrolling of the page:


(Cisco Controller) > config paging enable

config passwd-cleartext

To enable or disable temporary display of passwords in plain text, use the config passwd-cleartext command.

config passwd-cleartext { enable | disable}

Syntax Description

enable

Enables the display of passwords in plain text.

disable

Disables the display of passwords in plain text.

Command Default

By default, temporary display of passwords in plain text is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command must be enabled if you want to see user-assigned passwords displayed in clear text when using the show run-config command.

To execute this command, you must enter an admin password. This command is valid only for this particular session. It is not saved following a reboot.

Examples

The following example shows how to enable display of passwords in plain text:


(Cisco Controller) > config passwd-cleartext enable
The way you see your passwds will be changed
You are being warned.
Enter admin password:

config prompt

To change the CLI system prompt, use the config prompt command.

config prompt prompt

Syntax Description

prompt

New CLI system prompt enclosed in double quotes. The prompt can be up to 31 alphanumeric characters and is case sensitive.

Command Default

The system prompt is configured using the startup wizard.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Because the system prompt is a user-defined variable, it is omitted from the rest of this documentation.

Examples

The following example shows how to change the CLI system prompt to Cisco 4400:


(Cisco Controller) > config prompt "Cisco 4400"

config rfid auto-timeout

To configure an automatic timeout of radio frequency identification (RFID) tags, use the config rfid auto-timeout command.

config rfid auto-timeout { enable | disable}

Syntax Description

enable

Enables an automatic timeout.

disable

Disables an automatic timeout.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable an automatic timeout of RFID tags:


(Cisco Controller) > config rfid auto-timeout enable

config rfid status

To configure radio frequency identification (RFID) tag data tracking, use the config rfid status command.

config rfid status { enable | disable}

Syntax Description

enable

Enables RFID tag tracking.

disable

Disables RFID tag tracking.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure RFID tag tracking settings:


(Cisco Controller) > config rfid status enable

config rfid timeout

To configure a static radio frequency identification (RFID) tag data timeout, use the config rfid timeout command.

config rfid timeout seconds

Syntax Description

seconds

Timeout in seconds (from 60 to 7200).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a static RFID tag data timeout of 60 seconds:


(Cisco Controller) > config rfid timeout 60

config route add

To configure a network route from the service port to a dedicated workstation IP address range, use the config route add command.

config route add ip_address netmask gateway

Syntax Description

ip_address

Network IP address.

netmask

Subnet mask for the network.

gateway

IP address of the gateway for the route network.

Command Default

None

Usage Guidelines

As of Release 7.6, the ip_address argument supports only IPv4 addresses.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

This command supports only IPv4 address format.

Examples

The following example shows how to configure a network route to a dedicated workstation IP address 10.1.1.0, subnet mask 255.255.255.0, and gateway 10.1.1.1:


(Cisco Controller) > config route add 10.1.1.0 255.255.255.0 10.1.1.1

config route delete

To remove a network route from the service port, use the config route delete command.

config route delete ip_address

Syntax Description

ip_address

Network IP address.

Command Default

None

Usage Guidelines

As of Release 7.6, the ip_address argument supports only IPv4 addresses.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports only IPv6 address format.

Examples

The following example shows how to delete a route from the network IP address 10.1.1.0:


(Cisco Controller) > config route delete 10.1.1.0

config serial baudrate

To set the serial port baud rate, use the config serial baudrate command.

config serial baudrate { 1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600}

Syntax Description

1200

Specifies the supported connection speeds to 1200.

2400

Specifies the supported connection speeds to 2400.

4800

Specifies the supported connection speeds to 4800.

9600

Specifies the supported connection speeds to 9600.

19200

Specifies the supported connection speeds to 19200.

38400

Specifies the supported connection speeds to 38400.

57600

Specifies the supported connection speeds to 57600.

Command Default

The default serial port baud rate is 9600.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a serial baud rate with the default connection speed of 9600:


(Cisco Controller) > config serial baudrate 9600

config serial timeout

To set the timeout of a serial port session, use the config serial timeout command.

config serial timeout minutes

Syntax Description

minutes

Timeout in minutes from 0 to 160. A value of 0 indicates no timeout.

Command Default

0 (no timeout)

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use this command to set the timeout for a serial connection to the front of the Cisco wireless LAN controller from 0 to 160 minutes where 0 is no timeout.

Examples

The following example shows how to configure the timeout of a serial port session to 10 minutes:


(Cisco Controller) > config serial timeout 10

config service timestamps

To enable or disable time stamps in message logs, use the config service timestamps command.

config service timestamps { debug | log} { datetime | disable}

Syntax Description

debug

Configures time stamps in debug messages.

log

Configures time stamps in log messages.

datetime

Time-stamps message logs with the standard date and time.

disable

Prevents message logs from being time-stamped.

Command Default

By default, the time stamps in message logs are disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure time-stamp message logs with the standard date and time:


(Cisco Controller) > config service timestamps log datetime

The following example shows how to prevent message logs being time-stamped:


(Cisco Controller) > config service timestamps debug disable

config sessions maxsessions

To configure the number of Telnet CLI sessions allowed by the controller, use the config sessions maxsessions command.

config sessions maxsessions session_num

Syntax Description

session_num

Number of sessions from 0 to 5.

Command Default

The default number of Telnet CLI sessions allowed by the controller is 5.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Up to five sessions are possible while a setting of zero prohibits any Telnet CLI sessions.

Examples

The following example shows how to configure the number of allowed CLI sessions to 2:

 (Cisco Controller) > config sessions maxsessions 2 

config slot

To configure various slot parameters, use the config slot command.

config slot slot_id { enable | disable | channel ap | chan_width | txpower ap | antenna extAntGain antenna_gain | rts} cisco_ap

Syntax Description

slot_id

Slot downlink radio to which the channel is assigned. Beginning in Release 7.5 and later releases, you can configure 802.11a on slot 1 and 802.11ac/ax on slot 2.

enable

Enables the slot.

disable

Disables the slot.

channel

Configures the channel for the slot.

ap

Configures one 802.11a Cisco access point.

chan_width

Configures channel width for the slot.

txpower

Configures Tx power for the slot.

antenna

Configures the 802.11a antenna.

extAntGain

Configures the 802.11a external antenna gain.

antenna_gain

External antenna gain value in .5 dBi units (such as 2.5 dBi = 5).

rts

Configures RTS/CTS for an access point.

cisco_ap

Name of the Cisco access point on which the channel is configured.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable slot 3 for the access point abc:

(Cisco Controller) >config slot 3 enable abc

The following example shows how to configure RTS for the access point abc:

(Cisco Controller) >config slot 2 rts abc

config switchconfig boot-break

To enable or disable the breaking into boot prompt by pressing the Esc key at system startup, use the config switchconfig boot-break command.

config switchconfig boot-break { enable | disable}

Syntax Description

enable

Enables the breaking into boot prompt by pressing the Esc key at system startup.

disable

Disables the breaking into boot prompt by pressing the Esc key at system startup.

Command Default

By default, the breaking into boot prompt by pressing the Esc key at system startup is disabled.

Usage Guidelines

You must enable the features that are prerequisites for the Federal Information Processing Standard (FIPS) mode before enabling or disabling the breaking into boot prompt.

Examples

The following example shows how to enable the breaking into boot prompt by pressing the Esc key at system startup:


(Cisco Controller) > config switchconfig boot-break enable

config switchconfig fips-prerequisite

To configure Federal Information Processing Standard (FIPS) on the controller, use the config switchconfig fips-prerequisite command.

config switchconfig fips-prerequisite { enable | disable}

Syntax Description

enable

Enables FIPS on the controller.

disable

Disables FIPS on the controller.

Command Default

None

Command History

Release Modification
8.0 This command was introduced.

Examples

The following example shows how to enable FIPS on the controller:


(Cisco Controller) > config switchconfig fips-prerequisite enable

config switchconfig flowcontrol

To enable or disable 802.3x flow control, use the config switchconfig flowcontrol command.

config switchconfig flowcontrol { enable | disable}

Syntax Description

enable

Enables 802.3x flow control.

disable

Disables 802.3x flow control.

Command Default

By default, 802.3x flow control is disabled.

Examples

The following example shows how to enable 802.3x flow control on the Cisco wireless LAN controller:


(Cisco Controller) > config switchconfig flowcontrol enable

config switchconfig mode

To configure Lightweight Access Point Protocol (LWAPP) transport mode for Layer 2 or Layer 3, use the config switchconfig mode command.

config switchconfig mode { L2 | L3}

Syntax Description

L2

Specifies Layer 2 as the transport mode.

L3

Specifies Layer 3 as the transport mode.

Command Default

The default transport mode is L3.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure LWAPP transport mode to Layer 3:


(Cisco Controller) > config switchconfig mode L3

config switchconfig secret-obfuscation

To enable or disable secret obfuscation, use the config switchconfig secret-obfuscation command.

config switchconfig secret-obfuscation { enable | disable}

Syntax Description

enable

Enables secret obfuscation.

disable

Disables secret obfuscation.

Command Default

Secrets and user passwords are obfuscated in the exported XML configuration file.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

To keep the secret contents of your configuration file secure, do not disable secret obfuscation. To further enhance the security of the configuration file, enable configuration file encryption.

Examples

The following example shows how to enable secret obfuscation:


(Cisco Controller) > config switchconfig secret-obfuscation enable

config switchconfig ucapl

To configure US Department of Defense (DoD) Unified Capabilities Approved Product List (APL) certification on the controller, use the config switchconfig ucapl command.

config switchconfig ucapl { enable | disable}

Syntax Description

enable

Enables UCAPL on the controller.

disable

Disables UCAPL on the controller.

Command Default

None

Command History

Release Modification
8.0 This command was introduced.

Examples

The following example shows how to enable UCAPL on the controller:


(Cisco Controller) > config switchconfig ucapl enable

config switchconfig wlancc

To configure WLAN Common Criteria (CC) on the controller, use the config switchconfig wlancc command.

config switchconfig wlancc { enable | disable}

Syntax Description

enable

Enables WLAN CC on the controller.

disable

Disables WLAN CC on the controller.

Command Default

None

Command History

Release Modification
8.0 This command was introduced.

Examples

The following example shows how to enable WLAN CC on the controller:


(Cisco Controller) > config switchconfig wlancc enable

config switchconfig password-encryption

To configure type-6 password encryption with a master key, use the config switchconfig password-encryption command.

config switchconfig password-encryption { enable | disable}

Syntax Description

enable

Enables type-6 password encryption with a master key.

disable

Disables type-6 password encryption with a master key.

Command Default

Disabled

Usage Guidelines

Ensure that you have configured a master key before you enable password encryption.

Command History

Release Modification
8.10 This command was introduced.

Examples

The following example shows how to enable type-6 password encryption with a master key:


(Cisco Controller) > config switchconfig password-encryption enable

config switchconfig password-encryption key

To configure the master key that is used to encrypt all secrets, use the config switchconfig password-encryption key command.

config switchconfig password-encryption key master-key-value

Syntax Description

master-key-value

Enables type-6 password encryption with a master key.

Use at least three of the following four classes in the password: letters, uppercase letters, digits, or special characters. The master key length should be between 16 and 127 alphanumeric characters.

Command Default

None

Command History

Release Modification
8.10 This command was introduced.

Examples

The following example shows how to configure the master key that is used to encrypt all secrets:


(Cisco Controller) > config switchconfig password-encryption key Te5tPa$$w0rd123456

config switchconfig strong-pwd

To enable or disable your controller to check the strength of newly created passwords, use the config switchconfig strong-pwd command.

config switchconfig strong-pwd { case-check | consecutive-check | default-check | username-check | position-check | case-digit-check | minimum { upper-case | lower-case | digits | special-chars } no._of_characters | min-length | password_length | lockout { mgmtuser | snmpv3user | time | attempts } | lifetime { mgmtuser | snmpv3user } lifetime | all-checks } { enable | disable }

Syntax Description

case-check

Checks at least three combinations: lowercase characters, uppercase characters, digits, or special characters.

consecutive-check

Checks the occurrence of the same character three times.

default-check

Checks for default values or use of their variants.

username-check

Checks whether the username is specified or not.

position-check

Checks whether the password has a four-character change from the old password.

case-digit-check

Checks whether the password has all the four combinations: lower, upper, digits, or special characters.

minimum

Checks whether the password has a minimum number of upper case and lower case characters, digits, or special characters.

upper-case

Checks whether the password has a minimum number of upper case characters.

lower-case

Checks whether the password has a minimum number of lower case characters.

digits

Checks whether the password has a minimum number of digits.

special-chars

Checks whether the password has a minimum number of special characters.

min-length

Configures the minimum length for the password.

password_length

Minimum length for the password. The range is from 3 to 24 case-sensitive characters.

lockout

Configures the lockout feature for a management user or Simple Network Management Protocol version 3 (SNMPv3) user.

mgmtuser

Locks out a management user when the number of successive failed attempts exceeds the management user lockout attempts.

snmpv3user

Locks out an SNMPv3 user when the number of successive failed attempts exceeds the SNMPv3 user lockout attempts.

time

Configures the time duration after the lockout attempts when the management user or SNMPv3 user is locked.

attempts

Configures the number of successive incorrect password attempts after which the management user or SNMPv3 user is locked.

lifetime

Configures the number of days before the management user or SNMPv3 user requires a change of password due to the age of the password.

mgmtuser

Configures the number of days before the management user requires a change of password due to the password age.

snmpv3user

Configures the number of days before the SNMPv3 user requires a change of password due to the age of the password.

lifetime

Number of days before the management user or SNMPv3 user requires a change of password due to the age of the password.

all-checks

Checks all the cases.

enable

Enables a strong password check for the access point and controller.

disable

Disables a strong password check for the access point and controller.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the Strong Password Check feature:

 (Cisco Controller) > config switchconfig strong-pwd case-check enable 
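The master-key rule under config switchconfig password-encryption key and the strong-pwd checks above can be applied to a candidate string before it is typed into the controller. The following Python sketch is an added example, not Cisco code; the function names, the default min_length of 8, and the readings of consecutive-check, username-check and position-check marked in the comments are assumptions, and default-check is left out because the page does not list the default values.

```python
import string

LOWER, UPPER = set(string.ascii_lowercase), set(string.ascii_uppercase)
DIGITS, SPECIAL = set(string.digits), set(string.punctuation)


def char_classes(text):
    """Return which of the four character classes appear in text."""
    present = set()
    for name, members in (("lower", LOWER), ("upper", UPPER),
                          ("digit", DIGITS), ("special", SPECIAL)):
        if any(ch in members for ch in text):
            present.add(name)
    return present


def positions_changed(new, old):
    """Count positions that differ, treating any length difference as changes."""
    differing = sum(1 for a, b in zip(new, old) if a != b)
    return differing + abs(len(new) - len(old))


def failed_checks(new, old="", username="", min_length=8):
    """Return the names of the strong-pwd checks that `new` would fail."""
    if not 3 <= min_length <= 24:  # range documented for password_length
        raise ValueError("min_length must be between 3 and 24")
    classes = char_classes(new)
    failed = []
    if len(classes) < 3:
        failed.append("case-check")
    if len(classes) < 4:
        failed.append("case-digit-check")
    # Assumption: "the same character three times" means three in a row.
    if any(new[i] == new[i + 1] == new[i + 2] for i in range(len(new) - 2)):
        failed.append("consecutive-check")
    # Assumption: the check rejects a password that contains the username.
    if username and username.lower() in new.lower():
        failed.append("username-check")
    # Assumption: "four-character change" means at least four differing positions.
    if old and positions_changed(new, old) < 4:
        failed.append("position-check")
    if len(new) < min_length:
        failed.append("min-length")
    return failed


def master_key_ok(key):
    """Apply the documented master-key rule: 16 to 127 characters, 3 of 4 classes."""
    return 16 <= len(key) <= 127 and len(char_classes(key)) >= 3


if __name__ == "__main__":
    # Constructed sample inputs; the master key is the one from the page's example.
    print(master_key_ok("Te5tPa$$w0rd123456"))
    print(failed_checks("Admin#2024x", old="Admin#2023x", username="admin"))
```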

config switchconfig restore-password

To configure the restore password option for management users, use the config switchconfig restore-password command.

config switchconfig restore-password { enable | disable }

Syntax Description

enable

Enables the passwords of management users to be restored.

disable

Prevents the passwords of management users from being restored.

Command Default

By default, this feature is enabled.

Usage Guidelines

Before Release 8.10, this feature was enabled by default and was nonconfigurable. In 8.10 and later releases, you are given the option to enable or disable it.

Command History

Release Modification
8.10 This command was introduced.

Examples

The following example shows how to prevent the passwords of management users from being restored:


(Cisco Controller) > config switchconfig restore-password disable

Warning! By disabling this option, there would be no way to 
restore the access to the box without clearing the configuration. 
Are you sure you want to continue? (y/n)

config sysname

To set the Cisco wireless LAN controller system name, use the config sysname command.

config sysname name

Syntax Description

name

System name. The name can contain up to 24 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the system named Ent_01:


(Cisco Controller) > config sysname Ent_01

config time manual

To set the system time, use the config time manual command.

config time manual MM/DD/YY HH:MM:SS

Syntax Description

MM/DD/YY

Date.

HH:MM:SS

Time.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the system date to 04/04/2010 and time to 15:29:00:


(Cisco Controller) > config time manual 04/04/2010 15:29:00

config time ntp

To set the Network Time Protocol (NTP), use the config time ntp command.

config time ntp { auth { enable server-index key-index | disable server-index} | interval interval | key-auth { add key-index md5 { ascii | hex} key | delete key-index} | pollinterval maxpoll minpoll server-index | server index IP Address}

Syntax Description

auth

Configures the NTP authentication.

enable

Enables the NTP authentication.

server-index

NTP server index.

key-index

Key index between 1 and 4294967295.

disable

Disables the NTP authentication.

interval

Configures the NTP version 3 polling interval.

interval

NTP polling interval in seconds. The range is from 3600 to 604800 seconds.

key-auth

Configures the NTP authentication key.

add

Adds an NTP authentication key.

md5

Specifies the authentication protocol.

ascii

Specifies the ASCII key type.

hex

Specifies the hexadecimal key type.

key

Specifies the ASCII key format with a maximum of 16 characters or the hexadecimal key format with a maximum of 32 digits.

delete

Deletes an NTP server.

pollinterval

Configures the Network Time Protocol version 4 Polling Interval.

maxpoll | minpoll

Enter maximum and minimum NTP polling interval in (power of 2) seconds.

server-index

Enter the NTP server index number.

server

Configures the NTP servers.

IP Address

NTP server's IP address. Use 0.0.0.0 or :: to delete entry.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command supports both IPv4 and IPv6 address formats.
8.6 This command was enhanced in this release. The new keywords added are pollinterval, maxpoll, minpoll.
8.6 The NTP server delete option is available with the config time ntp delete server-index command.

Usage Guidelines

  • To add the NTP server to the controller, use the config time ntp server index IP Address command.

  • To display configured NTP server on the controller, use the show time command.

Examples

The following example shows how to configure the NTP polling interval to 7000 seconds:


(Cisco Controller) > config time ntp interval 7000

The following example shows how to enable NTP authentication where the server index is 4 and the key index is 1:


(Cisco Controller) > config time ntp auth enable 4 1

The following example shows how to add an NTP authentication key of value ff where the key format is in hexadecimal characters and the key index is 1:


(Cisco Controller) > config time ntp key-auth add 1 md5 hex ff

The following example shows how to add an NTP authentication key of value ciscokey where the key format is in ASCII characters and the key index is 1:


(Cisco Controller) > config time ntp key-auth add 1 md5 ascii ciscokey

The following example shows how to add NTP servers and display the servers configured to controllers:


(Cisco Controller) > config time ntp server  1 10.92.125.52
(Cisco Controller) > config time ntp server  2 2001:9:6:40::623
(Cisco Controller) > show time
Time............................................. Fri May 23 12:04:18 2014

Timezone delta................................... 0:0
Timezone location................................ (GMT +5:30) Colombo, New Delhi, Chennai, Kolkata

NTP Servers
NTP Polling Interval......................... 3600

Index NTP Key Index  NTP Server NTP    Msg Auth Status
------- -------------------------------------------------- 
1            1      10.92.125.52       AUTH SUCCESS
2            1      2001:9:6:40::623   AUTH SUCCESS


The following example shows how to delete an NTP server:


(Cisco Controller) > config time ntp delete 1
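How the key-auth options above fit together on the wire, as an added Python example that is not Cisco code: in classic NTP symmetric-key authentication the sender appends a 4-byte key ID and MD5(key || header) to the 48-byte NTP header, and the receiver recomputes the digest with the key stored under that key index. The function names and the sample header are constructed, and the even-digit rule for hex keys is an assumption; the example also shows how much key material the sample values ff and ciscokey actually carry.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # fixed NTP header length in bytes


def parse_key(key_format, value):
    """Turn a key-auth value into key bytes, enforcing the documented limits."""
    if key_format == "ascii":
        if not 1 <= len(value) <= 16:
            raise ValueError("ASCII key must be 1 to 16 characters")
        return value.encode("ascii")
    if key_format == "hex":
        # Assumption: hex digits are taken in pairs, one byte per pair.
        if not 1 <= len(value) <= 32 or len(value) % 2:
            raise ValueError("hex key must be an even number of digits, at most 32")
        return bytes.fromhex(value)
    raise ValueError("key format must be 'ascii' or 'hex'")


def key_bits(key):
    """Upper bound on key strength: the number of bits of key material."""
    return len(key) * 8


def sign(header, key_index, key):
    """Append the key ID and MD5(key || header) to an NTP header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be 48 bytes")
    if not 1 <= key_index <= 4294967295:  # documented key-index range
        raise ValueError("key index out of range")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_index) + digest


def verify(packet, keys):
    """Check the MAC on a signed packet against a {key_index: key} table."""
    if len(packet) != NTP_HEADER_LEN + 4 + 16:
        return False
    header = packet[:NTP_HEADER_LEN]
    (key_index,) = struct.unpack("!I", packet[48:52])
    key = keys.get(key_index)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[52:])


# Constructed header: LI=0, VN=4, Mode=3 (client); remaining fields zeroed.
SAMPLE_HEADER = bytes([0x23]) + bytes(47)

if __name__ == "__main__":
    for fmt, value in (("hex", "ff"), ("ascii", "ciscokey")):
        key = parse_key(fmt, value)
        packet = sign(SAMPLE_HEADER, 1, key)
        print(fmt, value, key_bits(key), "bits", verify(packet, {1: key}))
```

The hex value ff is a single byte, so it gives 8 bits of key material; a hex key that uses all 32 digits gives 128.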

config time timezone

To configure the system time zone, use the config time timezone command.

config time timezone { enable | disable} delta_hours delta_mins

Syntax Description

enable

Enables daylight saving time.

disable

Disables daylight saving time.

delta_hours

Local hour difference from the Universal Coordinated Time (UCT).

delta_mins

Local minute difference from UCT.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the daylight saving time:


(Cisco Controller) > config time timezone enable 2 0

config time timezone location

To set the location of the time zone in order to have daylight saving time set automatically when it occurs, use the config time timezone location command.

config time timezone location location_index

Syntax Description

location_index

Number representing the time zone required. The time zones are as follows:

  • (GMT-12:00) International Date Line West

  • (GMT-11:00) Samoa

  • (GMT-10:00) Hawaii

  • (GMT-9:00) Alaska

  • (GMT-8:00) Pacific Time (US and Canada)

  • (GMT-7:00) Mountain Time (US and Canada)

  • (GMT-6:00) Central Time (US and Canada)

  • (GMT-5:00) Eastern Time (US and Canada)

  • (GMT-4:00) Atlantic Time (Canada)

  • (GMT-3:00) Buenos Aires (Argentina)

  • (GMT-2:00) Mid-Atlantic

  • (GMT-1:00) Azores

  • (GMT) London, Lisbon, Dublin, Edinburgh (default value)

  • (GMT +1:00) Amsterdam, Berlin, Rome, Vienna

  • (GMT +2:00) Jerusalem

  • (GMT +3:00) Baghdad

  • (GMT +4:00) Muscat, Abu Dhabi

  • (GMT +4:30) Kabul

  • (GMT +5:00) Karachi, Islamabad, Tashkent

  • (GMT +5:30) Colombo, Kolkata, Mumbai, New Delhi

  • (GMT +5:45) Katmandu

  • (GMT +6:00) Almaty, Novosibirsk

  • (GMT +6:30) Rangoon

  • (GMT +7:00) Saigon, Hanoi, Bangkok, Jakarta

  • (GMT +8:00) Hong Kong, Beijing, Chongqing

  • (GMT +9:00) Tokyo, Osaka, Sapporo

  • (GMT +9:30) Darwin

  • (GMT+10:00) Sydney, Melbourne, Canberra

  • (GMT+11:00) Magadan, Solomon Is., New Caledonia

  • (GMT+12:00) Kamchatka, Marshall Is., Fiji

  • (GMT+12:00) Auckland (New Zealand)

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the location of the time zone in order to set the daylight saving time to location index 10 automatically:


(Cisco Controller) > config time timezone location 10

config wgb vlan

To configure the Workgroup Bridge (WGB) VLAN client support, use the config wgb vlan command.

config wgb vlan { enable | disable}

Syntax Description

enable

Enables wired clients behind a WGB to connect to an anchor controller in a Data Management Zone (DMZ).

disable

Disables wired clients behind a WGB from connecting to an anchor controller in a DMZ.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable WGB VLAN client support:

(Cisco Controller) >config wgb vlan enable