Nortel Networks 2300 Switch User Manual


 
440 Configuring and managing security ACLs
NN47250-500 (320657-F Version 02.01)
WSS# set security acl map SVP vlan v1 in
WSS# set security acl map SVP vlan v1 out
WSS# commit security acl SVP
The first ACE is needed only if the active-scan feature is enabled in the radio profile. The ACE ensures that active-scan
reduces its off-channel time in the presence of FTP traffic from the TFTP server, by setting the CoS of the server traffic
to 7. This ACE gives CoS 7 to UDP traffic from TFTP server 10.2.4.69 to any IP address, to or from any UDP port other
than 0. (For more information, see “RF detection scans” (page 629).)
The second ACE sets CoS to 7 for all SVP traffic.
The third ACE matches on all traffic that does not match on either of the previous ACEs.
Reason the ACL needs to be mapped to both traffic directions
If the ACL is not also mapped to the inbound direction on the voice VLAN, CoS will not be marked in the traffic if the
path to the SVP handset is over a tunnel. WSS Software does not support mapping an ACL to a tunneled VLAN.
When configured in a Mobility Domain, WSSs dynamically create tunnels to bridge clients to non-local VLANs. A
non-local VLAN is a VLAN that is not configured on the WSS that is forwarding the client's traffic. WSS Software does
not support mapping an ACL to a non-local VLAN. The CLI accepts the configuration command but the command is
not saved in the configuration.
Consider switch-1 with VLAN_A and switch-2 with VLAN_B. If a handset connected to switch-2 is placed in
VLAN_A, a tunnel is created between switch-1 and switch-2. If an ACL is mapped to VLAN_A-out on switch-1, it will
affect local clients but not clients using the same VLAN on switch-2. Also, if an ACL is mapped to VLAN_A-in on
switch-1, it will affect remote clients on switch-2, but not local clients. Nortel recommends mapping ACLs both vlan-in
and vlan-out to ensure proper CoS marking in both directions.
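The following check is an added example, not part of the Nortel manual. It audits a saved configuration for ACLs that are mapped in only one direction on a VLAN, or whose mapping is missing entirely, as happens when the CLI accepts a mapping to a non-local VLAN but does not save it. It assumes the saved configuration lists mappings in the same set security acl map form as the commands on this page; the sample configuration, the expected list, and the function names are constructed for illustration.

```python
import re

# Matches the mapping command form shown on this page, with or without a prompt:
#   set security acl map <acl> vlan <vlan> in|out
MAP_RE = re.compile(
    r"^\s*(?:\S+#\s*)?set\s+security\s+acl\s+map\s+(\S+)\s+vlan\s+(\S+)\s+(in|out)\s*$",
    re.IGNORECASE,
)

def parse_mappings(config_text):
    """Return {(acl, vlan): {"in", "out"}} for every ACL-to-VLAN mapping line."""
    mappings = {}
    for line in config_text.splitlines():
        m = MAP_RE.match(line)
        if m:
            acl, vlan, direction = m.group(1), m.group(2), m.group(3).lower()
            mappings.setdefault((acl, vlan), set()).add(direction)
    return mappings

def audit(config_text, expected):
    """List (acl, vlan, missing_directions) for each expected pair not mapped both ways."""
    found = parse_mappings(config_text)
    findings = []
    for acl, vlan in expected:
        missing = {"in", "out"} - found.get((acl, vlan), set())
        if missing:
            findings.append((acl, vlan, sorted(missing)))
    return findings

# Constructed sample of a saved configuration (assumption, not from the manual).
SAMPLE_CONFIG = """\
set security acl map SVP vlan v1 in
set security acl map SVP vlan v1 out
set security acl map SVP vlan v2 out
"""

# Constructed list of (ACL, VLAN) pairs the operator intended to map.
EXPECTED = [("SVP", "v1"), ("SVP", "v2"), ("SVP", "v3")]

if __name__ == "__main__":
    for acl, vlan, missing in audit(SAMPLE_CONFIG, EXPECTED):
        print(f"ACL {acl} on VLAN {vlan}: no mapping for {', '.join(missing)}")
```

A pair reported with both directions missing was never saved, which is the symptom described above for a mapping to a non-local VLAN.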
Setting 802.11b/g radios to 802.11b (for Siemens SpectraLink VoIP phones only)
If you plan to use Siemens SpectraLink Voice over IP (VoIP) phones, you must change the AP radios that will support
the phones to operate in 802.11b mode only. This type of phone expects the AP to operate at 802.11b rates only, not at
802.11g rates. To change a radio to support 802.11b mode only, use the radiotype 11b option with the set port type ap
or set ap command.
Disabling Auto-RF before upgrading a SpectraLink phone
If you plan to upgrade a SpectraLink phone using TFTP over an AP, Nortel recommends that you disable Auto-RF
before you begin the upgrade. This feature can increase the length of time required for the upgrade. You can disable
Auto-RF on a radio-profile basis. Use the following commands:
set radio-profile name auto-tune channel-config disable
set radio-profile name auto-tune power-config disable