Archive download-sw /force-reload /overwrite
Right now we use 2 WLCs for this. The main one is running all the APs and the other one is for testing and for the process to get the bridges autonomous. You can convert the access point from a lightweight unit back to an autonomous unit by loading a Cisco IOS release that supports autonomous mode.
If the access point is associated with a controller, you can use the controller to load the Cisco IOS release. Log on to the CLI of the controller to which the access point is associated.
Before uploading the image file, you might need to create an empty file on the TFTP server.
To create an empty file, enter the touch filename command, where filename is the name of the file you will use when uploading the image to the server. During upload operations, if you are overwriting an existing file (including an empty file, if you had to create one on the server), ensure that the permissions on the file are set correctly. Permissions on the file should be world-writable. That means any host that can reach the TFTP server can replace the file, so keep the server reachable only from the management network and remove the file once the upload has been verified.
Caution: For the download and upload algorithms to operate properly, do not rename image files.
When you copy an image file between the switch and a server by using FTP, the Cisco IOS software sends the first valid username in this list:
1. The username specified in the archive download-sw or archive upload-sw privileged EXEC command, if a username is specified.
2. The username set by the ip ftp username username global configuration command, if the command is configured.
The switch sends the first valid password in this list:
1. The password specified in the archive download-sw or archive upload-sw privileged EXEC command, if a password is specified.
2. The password set by the ip ftp password password global configuration command, if the command is configured.
3. A password that the switch creates in the form username@switchname.domain, where username is the username associated with the current session, switchname is the configured hostname, and domain is the domain of the switch.
Before you begin downloading or uploading an image file by using FTP, complete these tasks:
Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.
If you are accessing the switch through the console or a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new FTP username by using the ip ftp username username global configuration command. This new name is used during all archive operations. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username for that operation only.
When you upload an image file to the FTP server, the server must be properly configured to accept the write request from the user on the switch.
Step 1: configure terminal (optional). Enters global configuration mode on the switch. Example: Switch# configure terminal
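The following is an added example, not taken from the original page or from Cisco's documentation, of the FTP image download flow described above, followed by the removal of the old image directory that the delete command covers further down. The server address 192.0.2.50, the account imgadmin and its password, the image file and directory names, and the prompts are assumptions chosen for illustration.

```cisco
! Added example; addresses, credentials and image names are assumptions.
! 1. Stage credentials used by all archive operations. These take precedence
!    over anything derived from the current login session.
Switch# configure terminal
Switch(config)# ip ftp username imgadmin
Switch(config)# ip ftp password S3cretFtpPw
Switch(config)# end

! 2. Confirm the server is reachable before starting the transfer.
Switch# ping 192.0.2.50

! 3. Download the new image and keep the old one so the switch can fall back.
!    /leave-old-sw keeps the existing image directory; /overwrite would replace it.
Switch# archive download-sw /leave-old-sw ftp://192.0.2.50/c3750-ipservicesk9-tar.122-55.SE.tar

!    Alternative for a one-off account: a username and password in the URL win
!    over ip ftp username/password for this operation only and are not stored
!    in the running configuration.
Switch# archive download-sw /leave-old-sw ftp://imgadmin:S3cretFtpPw@192.0.2.50/c3750-ipservicesk9-tar.122-55.SE.tar

! 4. Check which image the switch will boot, then reload in a maintenance window.
Switch# show boot
Switch# reload

! 5. After confirming the new image with show version, remove the old image
!    directory. /force suppresses the confirmation prompt and /recursive removes
!    the directory with everything in it; without /force the file prompt setting
!    decides whether you are asked to confirm.
Switch# dir flash:
Switch# delete /force /recursive flash:c3750-ipservicesk9-mz.122-50.SE
Switch# dir flash:
```

Because ip ftp password is part of the running configuration (stored as a reversible type 7 string when service password-encryption is enabled, otherwise in clear text), treat it like any other stored credential: use an account that can only read the image directory on the server, remove it after the upgrade with no ip ftp password, or use the one-off URL form. FTP itself sends the credentials and the image in clear text, so the transfer should stay on a management network.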
When you copy an image between the switch and a server by using RCP, the Cisco IOS software sends the first valid username in this list:
1. The username specified in the archive download-sw or archive upload-sw privileged EXEC command, if a username is specified.
2. The username set by the ip rcmd remote-username username global configuration command, if the command is entered.
3. The remote username associated with the current TTY (terminal) process. For example, if the user is connected to the switch through Telnet and was authenticated through the username command, the switch software sends the Telnet username as the remote username.
4. The switch hostname.
Before you begin downloading or uploading an image file by using RCP, do these tasks:
Ensure that the workstation acting as the RCP server supports the remote shell (rsh). Ensure that the switch has a route to the RCP server. The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the RCP server by using the ping command.
If you are accessing the switch through the console or a Telnet session and you do not have a valid username, make sure that the current RCP username is the one that you want to use for the RCP download. If you do not want to use this username, create a new RCP username by using the ip rcmd remote-username username global configuration command; that name is then used during all archive operations. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and there is no need to set the RCP username.
When you upload an image to the RCP server, the server must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file of the remote user on the RCP server. For example, suppose the switch contains these configuration lines: hostname Switch1 and ip rcmd remote-username User0. If the switch IP address translates to Switch1. Keep in mind that rsh and RCP accept the client on the strength of its source address, its hostname and that .rhosts entry alone, and carry the image in clear text, so the RCP server should be reachable only from the management network.
The holdtime is typically set as a multiple of the heartbeat interval timer (cluster timer).
This example shows how to change the heartbeat interval timer and the duration on the cluster command switch.
Use the copy logging onboard privileged EXEC command on the switch stack or on a standalone switch to copy on-board failure logging (OBFL) data to the local network or a specific file system. Specify the stack member number. If the switch is a standalone switch, the switch number is 1. If the switch is in a stack, the range is 1 to 4, depending on the switch member numbers in the stack.
Specify the location on the local network or file system to which the system messages are copied. For destination, specify the destination on the local or network file system and the filename. Use the number parameter to specify the stack member number of the stack master. The range for number is 1 to 4. For information about OBFL, see the hw-module command.
Use the define interface-range global configuration command to create an interface-range macro.
Use the no form of this command to delete the defined macro. The macro name is the name of the interface-range macro, a character string of up to 32 characters. All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro. When entering the interface-range, use this format: type first-interface - last-interface.
VLAN interfaces not displayed by the show running-config command cannot be used in interface ranges. When you define a range, you must enter a space before the hyphen (-). You can also enter multiple ranges. When you define multiple ranges, you must enter a space after the first entry before the comma (,); the space after the comma is optional. This example shows how to create a multiple-interface macro. Executes a command on multiple ports at the same time.
Displays the current operating configuration, including defined macros.
Use the delete privileged EXEC command to delete a file or directory on the flash memory device. (Optional) Suppress the prompt that confirms the deletion. (Optional) Delete the named directory and all subdirectories and the files contained in it.
The syntax for the local flash file system on the stack member or the stack master is flash:. From the stack master, the syntax for the local flash file system on a stack member is flashmember-number: (for example, flash2:).
The prompting behavior depends on the setting of the file prompt global configuration command. By default, the switch prompts for confirmation on destructive file operations. This example shows how to remove the directory that contains the old software image after a successful download of a new image. You can verify that the directory was removed by entering the dir filesystem: privileged EXEC command. Downloads a new image to the switch and overwrites or keeps the existing image.
Use the deny ARP access-list configuration command to deny ARP packets that match the specified criteria, and use the no form of this command to remove the specified access control entry (ACE) from the access list. (Optional) Define a match for the ARP request. When request is not specified, matching is performed against all ARP packets.
Deny the specified range of sender MAC addresses. Deny the specified range of target MAC addresses. There are no default settings. However, at the end of the ARP access list, there is an implicit deny ip any mac any command. You can add deny clauses to drop ARP packets based on matching criteria.
Use the deny MAC access-list configuration command to prevent non-IP traffic from being forwarded if the conditions are matched.
Use the no form of this command to remove a deny condition from the named MAC access list. The any keyword denies any source or destination MAC address. The host keyword defines a single host MAC address; without it, you give a MAC address and a mask. If the source address for a packet matches the defined address, non-IP traffic from that address is denied. The destination form works the same way: if the destination address for a packet matches the defined address, non-IP traffic to that address is denied. The type is 0 to , specified in hexadecimal. (Optional) Select a class of service (CoS) number from 0 to 7 to set priority. Filtering on CoS can be performed only in hardware. A warning message reminds the user if the cos option is configured.
Note: Though visible in the command-line help strings, appletalk is not supported as a matching condition.
To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. This command has no defaults.
You enter MAC access-list configuration mode by using the mac access-list extended global configuration command. If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.
When an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets. For more information about named MAC extended access lists, see the software configuration guide for this release. Traffic matching this list is denied. This example shows how to remove the deny condition from the named MAC extended access list. This example denies all packets with Ethertype 0x. You can verify your settings by entering the show access-lists privileged EXEC command. Permits non-IP traffic to be forwarded if conditions are matched. Displays access control lists configured on a switch.
Use the diagnostic monitor global configuration command to configure the health-monitoring diagnostic testing. Use the no form of this command to disable testing and return to the default settings.
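As an added example that is not part of the original page, here is a named MAC extended access list that uses the deny forms described above and, importantly, ends with an explicit permit so that the implicit deny-any-any does not silently drop every other non-IP frame once the first ACE exists. The list name NONIP-FILTER, the interface and the MAC addresses are assumptions.

```cisco
! Added example; list name, addresses and port are assumptions.
Switch# configure terminal
Switch(config)# mac access-list extended NONIP-FILTER
! Drop IPX in Ethernet II encapsulation (Ethertype 0x8137; mask 0x0 means exact match).
Switch(config-ext-macl)# deny any any 0x8137 0x0
! Drop IPX in 802.2 encapsulation (LSAP 0xE0; mask 0x0 means exact match).
Switch(config-ext-macl)# deny any any lsap 0xE0 0x0
! Drop all non-IP frames from one station (host keyword, so no mask is given).
Switch(config-ext-macl)# deny host 0011.2233.4455 any
! Drop all non-IP frames from a whole OUI. The mask is wildcard style: 1 bits
! are ignored, so 0000.00ff.ffff compares only the first three bytes.
Switch(config-ext-macl)# deny 00aa.bb00.0000 0000.00ff.ffff any
! Without this line the implicit deny-any-any drops every remaining non-IP frame.
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
! MAC ACLs are applied inbound on Layer 2 interfaces.
Switch(config)# interface gigabitethernet1/0/5
Switch(config-if)# mac access-group NONIP-FILTER in
Switch(config-if)# end
Switch# show access-lists NONIP-FILTER

! Removing a single clause with the no form leaves the rest of the list intact.
Switch# configure terminal
Switch(config)# mac access-list extended NONIP-FILTER
Switch(config-ext-macl)# no deny host 0011.2233.4455 any
```

The list only ever sees non-IP traffic on this platform, so a missing permit any any does not break IP connectivity but does break everything else (ARP is handled separately, but legacy protocols, LLDP-style discovery traffic and anything carried in 802.2 or SNAP frames disappears). Add the permit and check show access-lists after each change rather than assuming the list is still in the state you expect.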
Specify the module number. Specify the time in milliseconds; valid values are 0 to . Enable the generation of a syslog message when a health-monitoring test fails.
Note: If you are running a diagnostic test that has the reload attribute on a switch in a stack, you could partition the stack, depending on your cabling configuration. To avoid partitioning your stack, enter the show switch detail privileged EXEC command to verify the stack configuration before running the test.
This example shows how to configure the specified test to run every 2 minutes. This example shows how to run the test on the specified switch if health monitoring has not previously been enabled. This example shows how to set the failure threshold for test monitoring on a switch. This example shows how to enable generating a syslog message when any health-monitoring test fails.
Use the diagnostic schedule global configuration command to configure the scheduling of diagnostic testing. Use the no form of this command to remove the scheduling and return to the default setting. Specify the switch number. This command has no default settings. This example shows how to schedule diagnostic testing on a specific date and time for a specific switch. This example shows how to schedule diagnostic testing to occur weekly at a certain time for a specific switch.
Use the diagnostic start user command to run the specified diagnostic test. Enter the show diagnostic content command to display the test ID list. Enter the test-id-range as integers separated by a comma and a hyphen (for example, 1,3-6 specifies test IDs 1, 3, 4, 5, and 6). This example shows how to start a diagnostic test on a specific switch. This example shows how to start diagnostic test 2 on a switch; that test disrupts normal system operation. This message appears if the test can cause the switch to lose stack connectivity. This message appears if the test will cause a stack partition.
Use the dot1x global configuration command to globally enable IEEE 802.1x authentication.
Note: Though visible in the command-line help strings, the credentials name keywords are not supported.
Configure the inaccessible authentication bypass parameters. For more information, see the dot1x critical global configuration command. Enable optional guest VLAN behavior globally on the switch. IEEE 802.1x authentication is disabled by default. You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list before globally enabling IEEE 802.1x authentication. A method list describes the sequence and authentication methods to be used to authenticate a user.
Before globally enabling IEEE 802.1x authentication. You can use the guest-vlan supplicant keywords to enable the optional IEEE 802.1x guest VLAN behavior globally on the switch. For more information, see the dot1x guest-vlan command.
This example shows how to globally enable IEEE 802.1x authentication. This example shows how to globally enable the optional guest VLAN behavior on a switch. You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command. Configures the parameters for the inaccessible authentication bypass feature on the switch.
Enables manual control of the authorization state of the port.
Use the dot1x auth-fail max-attempts interface configuration command to configure the maximum allowable authentication attempts before a port is moved to the restricted VLAN. Specify a maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. The range is 1 to 3; the default value is 3. If you reconfigure the maximum number of authentication attempts allowed by the VLAN, the change takes effect after the re-authentication timer expires.
This example shows how to set 2 as the maximum number of authentication attempts allowed before the port is moved to the restricted VLAN on a port. Sets the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state.
Use the dot1x auth-fail vlan interface configuration command to enable the restricted VLAN on a port. You can configure a restricted VLAN on ports configured as follows. You should enable re-authentication; the ports in restricted VLANs do not receive re-authentication requests if it is disabled.
If a host is connected through a hub, the port might never receive a link-down event when that host is disconnected, and, as a result, might not detect any new hosts until the next re-authentication attempt occurs. Because the supplicant is not notified of the actual authentication failure, there might be confusion about this restricted network access.
An EAP success message is sent for these reasons. A supplicant might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and reuse that information in every re-authentication. Until the supplicant sends the correct username and password combination, the port remains in the restricted VLAN. If you do this, a syslog message is generated. When a restricted VLAN port is moved to an unauthorized state, the authentication process restarts. If the supplicant fails the authentication process again, the authenticator waits in the held state. After the supplicant has correctly re-authenticated, all IEEE 802.1x ports. The authenticator does not wait in a held state because the restricted VLAN configuration still exists.
This example shows how to configure a restricted VLAN on a port. You can verify your configuration by entering the show dot1x [interface interface-id] privileged EXEC command. Configures the number of authentication attempts allowed before assigning a supplicant to the restricted VLAN.
Use the dot1x control-direction interface configuration command to set the IEEE 802.1x port control direction to unidirectional (in) or bidirectional (both). Use the both keyword or the no form of this command to return to the default setting, bidirectional mode. This example shows how to enable unidirectional control. This example shows how to enable bidirectional control. You can verify your settings by entering the show dot1x all privileged EXEC command. The show dot1x all privileged EXEC command output is the same for all switches except for the port names and the state of the port. If a host is attached to the port but is not yet authenticated, a display similar to this appears.
If you enter the dot1x control-direction in interface configuration command to enable unidirectional control, this appears in the show dot1x all command output. If you enter the dot1x control-direction in interface configuration command and the port cannot support this mode because of a configuration conflict, this appears in the show dot1x all command output.
Displays control-direction port setting status for the specified interface.
Use the dot1x credentials global configuration command to configure a profile on a supplicant switch. You must have another switch set up as the authenticator for this switch to be the supplicant. This example shows how to configure a switch as a supplicant.
Use the dot1x critical global configuration command to configure the parameters for the inaccessible authentication bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy.
To return to default settings, use the no form of this command. The eapol keyword specifies that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state. The recovery delay milliseconds keywords set the recovery delay period in milliseconds; the range is from 1 to milliseconds. By default, the switch does not send an EAPOL-Success message to the host when the switch successfully authenticates the critical port by putting it in the critical-authentication state, and the recovery delay period is 1000 milliseconds (1 second).
Use the eapol keyword to specify that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state. Use the recovery delay milliseconds keywords to set the recovery delay period during which the switch waits to re-initialize a critical port when a RADIUS server that was unavailable becomes available. The default recovery delay period is 1000 milliseconds; a port can be re-initialized every second. To enable inaccessible authentication bypass on a port, use the dot1x critical interface configuration command. To configure the access VLAN to which the switch assigns a critical port, use the dot1x critical vlan vlan-id interface configuration command. This example shows how to set the recovery delay period on the switch.
You can verify your configuration by entering the show dot1x privileged EXEC command. Enables the inaccessible authentication bypass feature, and configures the access VLAN for the feature.
Use the dot1x critical interface configuration command to enable the inaccessible-authentication-bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy. You can also configure the access VLAN to which the switch assigns the critical port when the port is in the critical-authentication state. To disable the feature or return to the default, use the no form of this command. The recovery option enables the inaccessible-authentication-bypass recovery feature and specifies that the recovery action is to authenticate the port when an authentication server is available. The vlan vlan-id keywords specify the access VLAN to which the switch can assign a critical port; the range is from 1 to . The inaccessible-authentication-bypass feature is disabled by default. To specify the access VLAN to which the switch assigns a critical port when the port is in the critical-authentication state, use the vlan vlan-id keywords. The specified type of VLAN must match the type of port.
If the client is running Windows XP and the critical port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated. You can configure the inaccessible bypass feature and port security on the same switch port. This example shows how to enable the inaccessible authentication bypass feature on a port.
Use the dot1x default interface configuration command to reset the IEEE 802.1x parameters to their default values. This example shows how to reset the IEEE 802.1x parameters on a port.
Use the dot1x fallback interface configuration command to configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. Specify a fallback profile for clients that do not support IEEE 802.1x authentication. You must enter the dot1x port-control auto interface configuration command on a switch port before entering this command.
This example shows how to specify a fallback profile on a switch port that has been configured for IEEE 802.1x authentication.
You can configure a guest VLAN on one of these switch ports. For each IEEE 802.1x port. These users might be upgrading their systems for IEEE 802.1x authentication. If the port is already in the guest VLAN state, the port returns to the unauthorized state, and authentication restarts. Any number of non-IEEE 802.1x-capable clients. If an IEEE 802.1x-capable client. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports. You can change the settings for restarting the IEEE 802.1x authentication process. Decrease the settings for the IEEE 802.1x authentication process. The amount to decrease the settings depends on the connected IEEE 802.1x client type.
The switch supports MAC authentication bypass. When it is enabled on an IEEE 802.1x port. After detecting a client on an IEEE 802.1x port. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is specified. Enables the optional guest VLAN supplicant feature.
Use the dot1x host-mode interface configuration command to allow a single host (client) or multiple hosts on an IEEE 802.1x-authorized port. The multi-domain keyword enables MDA on a switch port; this keyword is available only when the switch is running the LAN Base image. Use this command to limit an IEEE 802.1x-enabled port to a single client or to allow multiple clients. In multiple-hosts mode, only one of the attached hosts needs to be successfully authorized for all hosts to be granted network access, so any unauthenticated device behind the same hub or unmanaged switch rides on the authenticated host's session; treat that mode as a deliberate exception rather than a default.
Use the multi-domain keyword to enable MDA on a port. MDA divides the port into both a data domain and a voice domain. Before entering this command, make sure that the dot1x port-control interface configuration command is set to auto for the specified port. This example shows how to enable IEEE 802.1x authentication and to allow multiple hosts on a port.
Use this command to initialize the IEEE 802.1x state on the port; after you enter this command, the port status becomes unauthorized. There is no no form of this command. This example shows how to manually initialize a port. You can verify the unauthorized port status by entering the show dot1x [interface interface-id] privileged EXEC command.
Use the dot1x mac-auth-bypass interface configuration command to enable the MAC authentication bypass feature.
Use the no form of this command to disable the MAC authentication bypass feature. (Optional) Configure the number of seconds that a connected host can be inactive before it is placed in an unauthorized state. The timeout inactivity value keywords were added.
If you disable MAC authentication bypass on a port after the port has been authenticated with its MAC address, the port state is not affected. If the port is in the unauthorized state and the client MAC address is not in the authentication-server database, the port remains in the unauthorized state. However, if the client MAC address is added to the database, the switch can use MAC authentication bypass to re-authorize the port. If the port is in the authorized state, the port remains in this state until re-authorization occurs. Clients that were authorized with MAC authentication bypass can be re-authenticated. Because a MAC address can be set freely by the host, MAC authentication bypass identifies a device rather than authenticating it; reserve it for devices that cannot run a supplicant and limit what their VLAN can reach.
This example shows how to enable MAC authentication bypass and to configure the switch to use EAP for authentication. This example shows how to enable MAC authentication bypass and to configure the timeout if the connected host is inactive for 30 seconds.
Use the dot1x max-reauth-req interface configuration command to set the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state.
Sets the number of times that the switch retransmits EAPOL-Identity-Request frames to start the authentication process before the port changes to the unauthorized state. If a guest VLAN is configured on the port, after two re-authentication attempts the port is authorized on the guest VLAN by default. The default is 2. The count range was changed. You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. Sets the maximum number of times that the switch forwards an EAP frame (assuming that no response is received) to the authentication server before restarting the authentication process.
Use the dot1x max-req interface configuration command to set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP) frame from the authentication server (assuming that no response is received) to the client before restarting the authentication process. For example, if a supplicant is in the middle of the authentication process and a problem occurs, the authenticator retransmits the request twice before stopping the process. The range is 1 to 10; the default is 2. This example shows how to set 5 as the number of times that the switch sends an EAP frame from the authentication server to the client before restarting the authentication process.
Use the dot1x pae interface configuration command to configure the port as an IEEE 802.1x port access entity (PAE) authenticator. By default, the port is not an IEEE 802.1x PAE authenticator. Use the no dot1x pae interface configuration command to disable IEEE 802.1x authentication on the port. When you configure IEEE 802.1x authentication on a port. After the no dot1x pae interface configuration command is entered, the Authenticator PAE operation is disabled.
This example shows how to disable IEEE 802.1x authentication on a port. You can verify your settings by entering the show dot1x or show eap privileged EXEC command.
Use the dot1x port-control interface configuration command to enable manual control of the authorization state of the port. Deny all access through this port by forcing the port to change to the unauthorized state, ignoring all attempts by the client to authenticate. You must globally enable IEEE 802.1x authentication on the switch before this command takes effect. You can use the auto keyword only if the port is not configured as one of these. (Optional) Stack switch number, module, and port number of the interface to re-authenticate. You can use this command to re-authenticate a client without waiting for the configured number of seconds between re-authentication attempts (re-authperiod) and automatic re-authentication.
This example shows how to manually re-authenticate the device connected to a port. Enables periodic re-authentication of the client.
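The page's own dot1x examples did not survive extraction, so here is an added, complete example (not Cisco's text and not from the original page) that ties the commands above together: global enablement with AAA and RADIUS, the critical-authentication policy, and a per-port profile with restricted VLAN, guest VLAN, MAC authentication bypass, multidomain host mode and unidirectional control, applied through an interface-range macro. The RADIUS server address and key, the VLAN numbers (10 data, 97 critical, 98 guest, 99 restricted), the macro name USER-PORTS and the port range are assumptions.

```cisco
! Added example; server, key, VLAN numbers and ports are assumptions.
Switch# configure terminal
! AAA and the dot1x method list must exist before 802.1x is enabled globally.
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key Radius!Key
Switch(config)# dot1x system-auth-control
! Critical authentication: send EAPOL-Success so Windows XP clients do not report
! "not authenticated", and wait 2 s before re-initializing once RADIUS returns.
Switch(config)# dot1x critical eapol
Switch(config)# dot1x critical recovery delay 2000

! Interface-range macro: same interface type, space before the hyphen.
Switch(config)# define interface-range USER-PORTS gigabitethernet1/0/1 - 24
Switch(config)# interface range macro USER-PORTS
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# dot1x pae authenticator
Switch(config-if-range)# dot1x port-control auto
! One data device plus one phone; multi-domain needs the LAN Base image.
Switch(config-if-range)# dot1x host-mode multi-domain
! Unidirectional control: the switch may send wake-up frames to an unauthorized host.
Switch(config-if-range)# dot1x control-direction in
! Periodic re-authentication is required for restricted-VLAN ports to be retried.
Switch(config-if-range)# dot1x reauthentication
Switch(config-if-range)# dot1x max-reauth-req 2
Switch(config-if-range)# dot1x max-req 2
! Clients with no supplicant land in the guest VLAN after the retries above.
Switch(config-if-range)# dot1x guest-vlan 98
! Clients that fail twice are parked in the restricted VLAN until they succeed.
Switch(config-if-range)# dot1x auth-fail vlan 99
Switch(config-if-range)# dot1x auth-fail max-attempts 2
! Let devices without a supplicant be identified by MAC address via RADIUS.
Switch(config-if-range)# dot1x mac-auth-bypass
! If every RADIUS server is unreachable, put the port in VLAN 97 and
! re-authenticate it when a server comes back.
Switch(config-if-range)# dot1x critical
Switch(config-if-range)# dot1x critical vlan 97
Switch(config-if-range)# dot1x critical recovery action reinitialize
Switch(config-if-range)# end

! Verify, then force a fresh exchange on one port.
Switch# show dot1x interface gigabitethernet1/0/1
Switch# show dot1x all
Switch# dot1x re-authenticate interface gigabitethernet1/0/1
```

Choose the guest, restricted and critical VLANs deliberately: a host in any of them has Layer 2 access without having authenticated (guest because it has no supplicant, restricted because it failed, critical because RADIUS was unreachable), so those VLANs should reach only what such hosts actually need. Using the production data VLAN as the critical VLAN turns a RADIUS outage into open access, which is why the example uses a separate VLAN 97.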