IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a Reference Guide for a series of products intended for people who want to configure the NXC via Command Line Interface (CLI). Some commands or command options in this guide may not be available in your product.
Contents Overview

Command Line Interface ...... 15
User and Privilege Modes ...... 31
Object Reference ...... 35
Status ...... 37
Registration ...... 41
Interfaces ...... 47
Route ...... 65
AP Management ...... 73
AP Group ...... 79
Wireless LAN Profiles ...... 87
Rogue AP ..........................
Packet Flow Explore ...... 237
Maintenance Tools ...... 239
Watchdog Timer ...... 245
Managed AP Commands ...... 249
List of Commands ...... 255

NXC CLI Reference Guide...
Table of Contents

Contents Overview ...... 3
Table of Contents ...... 5

Chapter 1 Command Line Interface ...... 15
1.1 Overview ...... 15
1.1.1 The Configuration File ...... 15
1.2 Accessing the CLI ...... 15
1.2.1 Console Port ...... 16
1.2.2 Web Configurator Console ...... 17
1.2.3 Telnet ...... 20
1.2.4 SSH (Secure SHell) ...... 20
1.3 How to Find Commands in this Guide ...... 21
...
Chapter 3 Object Reference ...... 35
3.1 Object Reference Commands ...... 35
3.1.1 Object Reference Command Example ...... 36

Chapter 4 Status ...... 37
4.1 Status Show Commands ...... 37

Chapter 5 Registration ...... 41
5.1 myZyXEL.com overview ...... 41
5.1.1 Subscription Services Available on the NXC ...... 41
5.2 Registration Commands ...... 42
5.2.1 Command Examples ...... 42
5.3 Country Code ...... 43
...
7.4.1 Static Route Commands Example ...... 70
7.5 Learned Routing Information Commands ...... 71
7.5.1 show ip route Command Example ...... 71

Chapter 8 AP Management ...... 73
8.1 AP Management Overview ...... 73
8.2 AP Management Commands ...... 74
8.2.1 AP Management Commands Example ...... 78

Chapter 9 AP Group ...... 79
9.1 Wireless Load Balancing Overview ...... 79
...
Chapter 25 Schedules ...... 159
25.1 Schedule Overview ...... 159
25.2 Schedule Commands Summary ...... 159
25.2.1 Schedule Command Examples ...... 160

Chapter 26 AAA Server ...... 161
26.1 AAA Server Overview ...... 161
26.2 Authentication Server Command Summary ...... 161
26.2.1 aaa group server ad Commands ...... 162
26.2.2 aaa group server ldap Commands ...... 163
26.2.3 aaa group server radius Commands ...... 164
26.2.4 aaa group server Command Example ...... 166
...
Chapter 31 System ...... 181
31.1 System Overview ...... 181
31.2 Customizing the WWW Login Page ...... 181
31.3 Host Name Commands ...... 183
31.4 Time and Date ...... 183
31.4.1 Date/Time Commands ...... 184
31.5 Console Port Speed ...... 185
31.6 DNS Overview ...... 185
31.6.1 DNS Commands ...... 185
31.6.2 DNS Command Example ...... 186

Chapter 32...
33.1 DHCPv6 Object Commands Summary ...... 199
33.1.1 DHCPv6 Object Commands ...... 199
33.1.2 DHCPv6 Object Command Examples ...... 200

Chapter 34 File Manager ...... 201
34.1 File Directories ...... 201
34.2 Configuration Files and Shell Scripts Overview ...... 201
34.2.1 Comments in Configuration Files or Shell Scripts ...... 202
34.2.2 Errors in Configuration Files or Shell Scripts ...... 203
34.2.3 NXC Configuration File Details ...... 203
34.2.4 Configuration File Flow at Restart ...... 204
...
Chapter 1 Command Line Interface

This chapter describes how to access and use the CLI (Command Line Interface).

1.1 Overview

If you have problems with your NXC, customer support may request that you issue some of these commands to assist them in troubleshooting. ...
The NXC might force you to log out of your session if reauthentication time, lease time, or idle timeout is reached. See Chapter 22 on page 143 for more information about these settings.

1.2.1 Console Port

The default settings for the console port are as follows.
Enter the user name and password at the prompts. The default login username is admin and password is 1234. The username and password are case-sensitive.

1.2.2 Web Configurator Console

The Console allows you to use CLI commands from directly within the Web Configurator rather than having to use a separate terminal program.
Chapter 1 Command Line Interface The following table describes the elements in this screen. Table 2 Console LABEL DESCRIPTION Command Line Enter commands for the device that you are currently logged into here. If you are logged into the NXC, see the CLI Reference Guide for details on using the command line to configure it.
2 Enter the IP address of the NXC and click OK.
3 Next, enter the user name of the account being used to log into your target device and then click OK.
4 You may be prompted to authenticate your account password, depending on the type of device that you are logging into.
5 If your login is successful, the command line appears and the status bar at the bottom of the Console updates to reflect your connection state.

1.2.3 Telnet

Use the following steps to Telnet into your NXC.

1 If your computer is connected to the NXC over the Internet, skip to the next step.
Figure 4 SSH Login Example

C:\>ssh2 [email protected]
Host key not found from database.
Key fingerprint:
xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to C:/Documents and Settings/user/Application Data/SSH/ hostkeys/ ey_22_192.168.1.1.pub...
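Added example, not part of the ZyXEL guide: the fingerprint in Figure 4 has eleven five-letter groups, which is the shape of a Bubble Babble encoding of a 20-byte digest. Assuming the client's fingerprint is Bubble Babble over the SHA-1 of the public key blob, and that the saved host key file is in RFC 4716 (SSH2) format, this Python code recomputes the fingerprint so it can be compared with one read over a trusted channel such as the console port before answering "yes". The sample key is constructed, not a real NXC key.

```python
import base64
import hashlib
import hmac
import struct

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Encode bytes with the Bubble Babble scheme."""
    seed = 1
    rounds = len(data) // 2 + 1
    out = ["x"]
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2:
            b0 = data[2 * i]
            out.append(VOWELS[(((b0 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b0 >> 2) & 15])
            out.append(VOWELS[((b0 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b1 = data[2 * i + 1]
                out.append(CONSONANTS[(b1 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b1 & 15])
                seed = (seed * 5 + b0 * 7 + b1) % 36
        else:
            # Even-length input: the final group only carries the checksum seed.
            out.append(VOWELS[seed % 6])
            out.append(CONSONANTS[16])
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def blob_from_rfc4716(text: str) -> bytes:
    """Extract the binary key blob from an RFC 4716 public key file."""
    body, in_key, continued = [], False, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
            in_key = True
            continue
        if line.startswith("---- END SSH2 PUBLIC KEY"):
            break
        if not in_key or not line:
            continue
        # Header lines look like "Tag: value"; a trailing backslash continues them.
        if continued or ":" in line:
            continued = line.endswith("\\")
            continue
        body.append(line)
    if not body:
        raise ValueError("no key data found")
    return base64.b64decode("".join(body), validate=True)


def host_key_fingerprint(blob: bytes) -> str:
    """Assumption: fingerprint = Bubble Babble of SHA-1 over the key blob."""
    return bubble_babble(hashlib.sha1(blob).digest())


def verify_host_key(key_file_text: str, trusted_fingerprint: str) -> bool:
    """Compare the presented key with a fingerprint obtained out of band."""
    presented = host_key_fingerprint(blob_from_rfc4716(key_file_text))
    trusted = "".join(trusted_fingerprint.split()).lower()
    return hmac.compare_digest(presented.encode(), trusted.encode())


def _ssh_string(value: bytes) -> bytes:
    return struct.pack(">I", len(value)) + value


def constructed_sample_key(modulus_byte: int = 0xC3) -> str:
    """Build a constructed ssh-rsa key file (sample data, not a device key)."""
    modulus = b"\x00" + bytes([modulus_byte]) * 128
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(modulus))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----",
                      'Comment: "constructed sample, not a real NXC key"',
                      *lines,
                      "---- END SSH2 PUBLIC KEY ----"])


if __name__ == "__main__":
    key_text = constructed_sample_key()
    trusted = host_key_fingerprint(blob_from_rfc4716(key_text))
    print("fingerprint:", trusted)
    print("same key accepted:", verify_host_key(key_text, trusted))
    print("different key accepted:",
          verify_host_key(constructed_sample_key(0xC4), trusted))
```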
1.4.3 Command Summary

This section lists the commands for the feature in one or more tables.

1.4.4 Command Examples

This section contains any examples for the commands in this feature.

1.4.5 Command Syntax

The following conventions are used in this guide.

•...
Chapter 1 Command Line Interface Table 3 CLI Modes (continued) USER PRIVILEGE CONFIGURATION SUB-COMMAND What Limited- • Look at system • Look at system Unable to access Unable to access information (like information (like Admin users can Status screen) Status screen) •...
1.6.3 Entering Partial Commands

The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the NXC automatically display the full command. For example, if you enter config and press [TAB], the full command of ...
1.7 Input Values

You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen.
Table 4 Input-Value Formats for Strings in CLI Commands (continued)

   # VALUES   LEGAL VALUES
e-mail   1-64   alphanumeric or .@_-
encryption key   16-64   “0x” or “0X” + 16-64 hexadecimal values
   8-32   alphanumeric or ;\|`~!@#$%^&*()_+\\{}':,./<>=-
file name   0-31   alphanumeric or _-
filter extension...
Table 4 Input-Value Formats for Strings in CLI Commands (continued)

   # VALUES   LEGAL VALUES
password
   Used in user and ip:   1-63   alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./
   Used in e-mail log profile SMTP authentication:   1-63   alphanumeric or `~!@#$%^&*()_-+={}|\;:'<>./
   Used in device HA synchronization:   1-63   alphanumeric or ~#%^*_-={}:,.
Chapter 1 Command Line Interface Table 4 Input-Value Formats for Strings in CLI Commands (continued) # VALUES LEGAL VALUES username 1-31 alphanumeric or _- first character: alphanumeric or _- domain authorization username 6-20 alphanumeric or .@_- registration user name alphanumeric or -_. logging commands user@domainname 1-80...
Chapter 2 User and Privilege Modes

This chapter describes how to use these two modes.

2.1 User And Privilege Modes

This is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the NXC uses.
Chapter 2 User and Privilege Modes Table 5 User (U) and Privilege (P) Mode Commands (continued) COMMAND MODE DESCRIPTION Has the NXC create a new diagnostic file. diag-info Lists files in a directory. Goes from privilege mode to user mode disable Goes from user mode to privilege mode enable...
2.1.1 Debug Commands

Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for ZyXEL service personnel use only. The debug commands follow a syntax that is Linux-based, so if there is a Linux equivalent, it is displayed in this chapter for your reference.
Chapter 3 Object Reference

This chapter describes how to use object reference commands.

3.1 Object Reference Commands

The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
Chapter 4 Status

This chapter explains some commands you can use to display information about the NXC’s current operational state.

4.1 Status Show Commands

The following table describes the commands available for NXC system status.

Table 8 Status Show Commands
COMMAND   DESCRIPTION
Displays details about the NXC’s startup state.
Here are examples of the commands that display the CPU and disk utilization.

Router(config)# show cpu status
CPU utilization: 0 %
CPU utilization for 1 min: 0 %
CPU utilization for 5 min: 0 %
Router(config)# show disk ...
Here is an example of the command that displays the open ports.

Router(config)# show socket open
Proto Local_Address Foreign_Address State
===========================================================================
172.16.13.240:22 172.16.13.10:1179 ESTABLISHED
127.0.0.1:64002 0.0.0.0:0
0.0.0.0:520 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0...
Here are examples of the commands that display the system uptime and model, firmware, and build information.

Router> show system uptime
system uptime: 04:18:00
Router> show version
ZyXEL Communications Corp.
model : NXC5200
firmware version: 2.20(AQQ.0)b3
BM version : 1.08...
Chapter 5 Registration

This chapter introduces myzyxel.com and shows you how to register the NXC for IDP/AppPatrol and anti-virus using commands.

5.1 myZyXEL.com overview

myZyXEL.com is ZyXEL’s online services center where you can register your NXC and manage subscription services available for the NXC. ...
To use a subscription service, you have to register the NXC and activate the corresponding service at myZyXEL.com (through the NXC).

5.2 Registration Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
The following command displays the account information and whether the device is registered.

Router# configure terminal
Router(config)# show device-register status
username : alexctsui
password : 123456
device register status : yes
expiration self check : no

The following command displays the service registration status and type and how many days remain before the service expires.
Chapter 5 Registration Table 11 Country Codes (continued) COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo, Democratic Republic of the Congo, Republic of Cook Islands Costa Rica...
Chapter 5 Registration Table 11 Country Codes (continued) COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME Jordan Kazakhstan Kenya Kiribati Korea, Republic of Kuwait Kyrgyzstan Lao People’s Democratic Republic Latvia Lebanon Lesotho Liberia Liechtenstein Lithuania Luxembourg Macau Macedonia, Former Yugoslav Madagascar Republic Malawi...
Chapter 5 Registration Table 11 Country Codes (continued) COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME Sierra Leone Singapore Slovak Republic Slovenia Solomon Islands Somalia South Africa South Georgia and the South Sandwich Islands Spain Sri Lanka St Pierre and Miquelon St.
Chapter 6 Interfaces

This chapter shows you how to use interface-related commands.

6.1 Interface Overview

In general, an interface has the following characteristics.

• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
•...
Table 12 Input Values for General Interface Commands (continued)
LABEL   DESCRIPTION
profile_name   The name of the DHCP pool. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 6 Interfaces Table 13 interface General Commands: Basic Properties and IP Address Assignment (continued) COMMAND DESCRIPTION Sets the IPv6 interface to be a DHCPv6 client. ipv6 dhcp6 [client] Shortens the DHCPv6 message exchange process [no] ipv6 dhcp6 rapid-commit from four to two steps to help reduce network traffic.
Chapter 6 Interfaces Table 13 interface General Commands: Basic Properties and IP Address Assignment (continued) COMMAND DESCRIPTION Specifies a name for an Ethernet interface. It can interface-name ethernet_interface use alphanumeric characters, hyphens, and user_defined_name underscores, and it can be up to 11 characters long.
Chapter 6 Interfaces This example shows how to modify the name of interface ge4 to “VIP”. First you have to check the interface system name (ge4 in this example) on the NXC. Then change the name and display the result. Router>...
6.2.2 DHCP Setting Commands

This table lists DHCP setting commands. DHCP is based on DHCP pools. Create a DHCP pool if you want to assign a static IP address to a MAC address or if you want to specify the starting IP address and pool size of a range of IP addresses that can be assigned to DHCP clients.
Chapter 6 Interfaces Table 14 interface Commands: DHCP Settings (continued) COMMAND DESCRIPTION Specifies the MAC address that appears in the [no] client-identifier mac_address DHCP client list. The command clears this field. Specifies the host name that appears in the DHCP [no] client-name host_name client list.
Chapter 6 Interfaces Table 14 interface Commands: DHCP Settings (continued) COMMAND DESCRIPTION Sets the IP start address and maximum pool size of [no] starting-address ip pool-size the specified DHCP pool. The final pool size is <1..65535> limited by the subnet mask. Note: You must specify the network first, and the start address...
6.2.2.1 DHCP Setting Command Examples

The following example uses these commands to configure DHCP pool DHCP_TEST.

Router# configure terminal
Router(config)# ip dhcp pool DHCP_TEST
Router(config-ip-dhcp-pool)# network 192.168.1.0 /24
Router(config-ip-dhcp-pool)# domain-name zyxel.com
Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1
Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns
Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.2
Router(config-ip-dhcp-pool)#...
6.2.3 Connectivity Check (Ping-check) Commands

Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the NXC stops routing to the gateway.
6.2.3.1 Connectivity Check Command Example

The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2.

Router# configure terminal
Router(config)# interface wan1
Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080
Router(config-if-wan1)# exit
Router(config)# show ping-check...
Chapter 6 Interfaces Table 17 interface Commands: MAC Setting (continued) COMMAND DESCRIPTION Sets which type of network you will connect this type {internal|external|general} interface. The NXC automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces; for example LAN to WAN traffic.
6.5 Port Role Commands

The following table describes the commands available for port role identification. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 19 Command Summary: Port Role
COMMAND   DESCRIPTION
Displays the type of cable connection for each physical...
For an NXC that supports more than one USB port, these commands only apply to the USB storage device that is first attached to the NXC.

Table 20 USB Storage General Commands
COMMAND   DESCRIPTION
show usb-storage   Displays the status of the connected USB storage device.
Enables or disables the connected USB storage service.
6.6.1 USB Storage General Commands Example

This example shows how to display the status of the connected USB storage device.

Router> show usb-storage
USBStorage Configuration:
Activation: enable
Criterion Number: 100
Criterion Unit: megabyte
USB Storage Status:
Device description: N/A
Usage: N/A
Filesystem: N/A
Speed: N/A...
Table 21 Input Values for VLAN Interface Commands (continued)
LABEL   DESCRIPTION
description   Sets the description of the interface. You may use 0 - 511 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Chapter 6 Interfaces Table 22 Command Summary: VLAN Interface Profile (continued) COMMAND DESCRIPTION Sets the description of this interface. It is not used description description elsewhere. You can use alphanumeric and ()+/ :=?!*#@$_%- characters, and it can be up to 60 characters long.
Chapter 7 Route

This chapter shows you how to configure policies for IP routing and static routes on your NXC.

7.1 Policy Route

Traditionally, routing is based on the destination address only and the NXC takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
The following table describes the commands available for policy route. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 24 Command Summary: Policy Route
COMMAND   DESCRIPTION
[no] bwm activate   Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes or application patrol...
Chapter 7 Route Table 24 Command Summary: Policy Route (continued) COMMAND DESCRIPTION Use this command to have the NXC not modify no dscp-marking the DSCP value of the route’s outgoing packets. Sets the interface on which the incoming packets [no] interface {interface_name | are received.
Chapter 7 Route Table 24 Command Summary: Policy Route (continued) COMMAND DESCRIPTION Displays the specified range of policy route show policy-route begin policy_number end settings. policy_number Displays whether or not the NXC forwards show policy-route override-direct-route packets that match a policy route according to the policy route instead of sending the packets to a directly connected network.
7.2.2 Policy Route Command Example

The following commands create two address objects (TW_SUBNET and GW_1) and insert a policy that routes the packets (with the source IP address TW_SUBNET and any destination IP address) through the interface ge1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets’...
Figure 10 Example of Static Routing Topology

7.4 Static Route Commands

The following table describes the commands available for static route. You must use the configure terminal command to enter the configuration mode before you can use these commands.
7.5 Learned Routing Information Commands

This table lists the commands to look at learned routing information.

Table 27 ip route Commands: Learned Routing Information
COMMAND   DESCRIPTION
show ip route [kernel | connected | static]   Displays learned routing and other routing information.

7.5.1 show ip route Command Example

The following example shows learned routing information on the NXC.
Chapter 8 AP Management

This chapter shows you how to configure wireless AP management options on your NXC.

8.1 AP Management Overview

The NXC allows you to remotely manage all of the Access Points (APs) on your network. You can manage a number of APs without having to configure them individually as the NXC automatically handles basic configuration for you.
8.2 AP Management Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 28 Input Values for General AP Management Commands
LABEL   DESCRIPTION
The Ethernet MAC address of the managed AP.
Chapter 8 AP Management Table 29 Command Summary: AP Management (continued) COMMAND DESCRIPTION Sets whether or not the NXC changes the AP’s [no] force vlan management VLAN to match the one you configure using the vlan sub-command. The management VLAN on the NXC and AP must match for the NXC to manage the AP.
Chapter 8 AP Management Table 29 Command Summary: AP Management (continued) COMMAND DESCRIPTION Removes the specified AP (ap_mac) or all connected capwap ap kick {all | ap_mac} APs (all) from the management list. Doing this removes the AP(s) from the management list. If the NXC is set to automatically add new APs to the AP management list, then any kicked APs are added back to the management list as soon as they reconnect.
Chapter 8 AP Management Table 29 Command Summary: AP Management (continued) COMMAND DESCRIPTION Displays whether the managed AP(s) will change back to show capwap ap fallback associate with the primary AP controller when the primary AP controller is available. Displays the interval for how often the managed AP(s) show capwap ap fallback interval check whether the primary AP controller is available.
8.2.1 AP Management Commands Example

The following example shows you how to add an AP to the management list, and then edit it.

Router# show capwap ap wait-list
index: 1
IP: 192.168.1.35, MAC: 00:11:11:11:11:FE
Model: NWA5160N, Description: AP-00:11:11:11:11:FE
index: 2
IP: 192.168.1.36, MAC: 00:19:CB:00:BB:03
Model: NWA5160N, Description: AP-00:19:CB:00:BB:03...
Chapter 9 AP Group

This chapter shows you how to configure AP groups, which define the radio, port, VLAN and load balancing settings and apply the settings to all APs in the group. An AP can belong to one AP group at a time.
Chapter 9 AP Group Table 31 Command Summary: AP Group (continued) COMMAND DESCRIPTION Specifies the MAC address of the AP that you want to ap-group-member ap_group_profile_name apply the specified AP group profile and add to the group. [no] member mac_address Use the no command to remove the specified AP from this group.
Chapter 9 AP Group Table 31 Command Summary: AP Group (continued) COMMAND DESCRIPTION Sets the model of the managed AP and disable the [no] lan-provision model {nwa5301-nj | model-specific LAN port and configure the port VLAN ID. wac6502d-e | wac6502d-s | wac6503d-s | Use the no command to remove the specified port and wac6553d-e} ap_lan_port inactivate VLAN settings.
Chapter 9 AP Group Table 31 Command Summary: AP Group (continued) COMMAND DESCRIPTION Sets the interval in seconds that each AP communicates load-balancing liInterval <1..255> with the other APs in its range for calculating the load balancing algorithm. Note: This parameter has been optimized for the NXC and should not be changed unless you have been specifically directed to do so by ZyXEL support.
Chapter 9 AP Group Table 31 Command Summary: AP Group (continued) COMMAND DESCRIPTION Displays the LAN port and/or VLAN settings on the show ap-group-profile managed AP which is in the specified AP group and of ap_group_profile_name model {nwa5301-nj | the specified model. wac6502d-e | wac6502d-s | wac6503d-s | vlan_interface: the name of the VLAN, such as wac6553d-e} interface {all | vlan |...
The following example shows you how to create an AP group profile (named GP1) and configure AP load balancing in "by station" mode. The maximum number of stations is set to 1.

Router(config)# ap-group-profile GP1
Router(config-ap-group GP1)# load-balancing mode station
Router(config-ap-group GP1)# load-balancing max sta 1
Router(config-ap-group GP1)# exit
Router(config)# show ap-group-profile GP1 load-balancing config...
The following example shows the settings and status of the VLAN(s) configured for the managed APs (NWA5301-NJ) in the default AP group.

Router(config)# show ap-group-profile default lan-provision model nwa5301-nj interface vlan
No. Name Active VID Member
===========================================================================
vlan0 lan1,lan2,lan3...
Chapter 10 Wireless LAN Profiles

This chapter shows you how to configure wireless LAN profiles on your NXC.

10.1 Wireless LAN Profiles Overview

The managed Access Points designed to work explicitly with your NXC do not have on-board configuration files, so you must create “profiles” to manage them. Profiles are preset configurations that are uploaded to the APs and which manage them.
Chapter 10 Wireless LAN Profiles Table 32 Input Values for General Radio and Monitor Profile Commands (continued) LABEL DESCRIPTION Sets the 5 GHz channel used by this radio profile. The channel range is wireless_channel_5g 36 ~ 165. Note: Your choice of channel may be restricted by regional regulations.
Chapter 10 Wireless LAN Profiles Table 33 Command Summary: Radio Profile (continued) COMMAND DESCRIPTION Sets the radio band (2.4 GHz or 5 GHz) and band mode band {2.4G |5G} band-mode for this profile. Band mode details: {bg | bgn | a | ac | an} For 2.4 GHz, bg lets IEEE 802.11b and IEEE 802.11g clients associate with the AP.
Chapter 10 Wireless LAN Profiles Table 33 Command Summary: Radio Profile (continued) COMMAND DESCRIPTION Enables this to allow an AP to avoid phase DFS channels dcs dfs-aware {enable|disable} below the 5 GHz spectrum. Sets how sensitive DCS is to radio channel changes in dcs sensitivity-level {high| medium the vicinity of the AP running the scan.
Chapter 10 Wireless LAN Profiles Table 33 Command Summary: Radio Profile (continued) COMMAND DESCRIPTION Activates MPDU frame aggregation for this profile. Use [no] amsdu the no parameter to disable it. Mac Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header.
Chapter 10 Wireless LAN Profiles Table 33 Command Summary: Radio Profile (continued) COMMAND DESCRIPTION Assigns an SSID profile to this radio profile. Requires an [no] ssid-profile existing SSID profile. Use the no parameter to disable it. wlan_interface_index ssid_profile Sets the outgoing chain mask rate. tx-mask chain_mask Sets the incoming chain mask rate.
• block acknowledgement enabled
• a short guard interval
• an output power of 100%

It will also assign the SSID profile labeled ‘default’ in order to create WLAN VAP (wlan-1-1) functionality within the radio profile.

Router(config)# wlan-radio-profile RADIO01
Router(config-profile-radio)# activate
Router(config-profile-radio)# band 2.4G band-mode bgn...
Table 34 Input Values for General SSID Profile Commands (continued)
LABEL   DESCRIPTION
securityprofile   Assigns an existing security profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Chapter 10 Wireless LAN Profiles Table 35 Command Summary: SSID Profile (continued) COMMAND DESCRIPTION Applies to each SSID profile that uses localbridge. If vlan-id <1..4094> the VLAN ID is equal to the AP’s native VLAN ID then traffic originating from the SSID is not tagged. The default VLAN ID is 1.
The following table describes the commands available for security profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 37 Command Summary: Security Profile
COMMAND   DESCRIPTION
Displays the security profile(s).
Chapter 10 Wireless LAN Profiles Table 37 Command Summary: Security Profile (continued) COMMAND DESCRIPTION MAC authentication has the AP use an external server to [no] mac-auth activate authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails.
Chapter 10 Wireless LAN Profiles Table 37 Command Summary: Security Profile (continued) COMMAND DESCRIPTION Sets the WPA/WPA2 encryption cipher type. wpa-encrypt {tkip | aes | auto} auto: This automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection.
10.5 MAC Filter Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 38 Input Values for General MAC Filter Profile Commands
LABEL   DESCRIPTION
The MAC filter profile name.
10.6 Layer-2 Isolation Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 40 Input Values for General Layer-2 Isolation Profile Commands
LABEL   DESCRIPTION
The layer-2 isolation profile name.
10.6.1 Layer-2 Isolation Profile Example

The following example creates a layer-2 isolation profile with the name ‘L2-Isolate-example’. In this profile, you allow the device with the MAC address of 00:a0:c5:01:23:45 to be accessed by other devices in the SSID to which the layer-2 isolation profile is applied. It also displays the profile settings.
Chapter 10 Wireless LAN Profiles The maximum number of hops (the repeaters between a wireless client and the root AP) you can have in a ZyMesh varies according to how many wireless clients a managed AP can support. A ZyMesh/WDS link with more hops has lower throughput. ...
Chapter 10 Wireless LAN Profiles
Table 43 Command Summary: ZyMesh Profile (continued)
COMMAND | DESCRIPTION
psk psk | Sets a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters. The key is used to encrypt the wireless traffic between the APs.
Chapter 11 Rogue AP This chapter shows you how to set up Rogue Access Point (AP) detection and containment. 11.1 Rogue AP Detection Overview Rogue APs are wireless access points operating in a network’s coverage area that are not under the control of the network’s administrators, and can potentially open holes in the network security.
Chapter 11 Rogue AP
Table 45 Command Summary: Rogue AP Detection (continued)
COMMAND | DESCRIPTION
rogue-ap ap_mac description2 | Sets the device that owns the specified MAC address as a rogue AP. You can also assign a description to this entry on the rogue AP list.
no rogue-ap ap_mac | Removes the device that owns the specified MAC address from the rogue AP list.
Chapter 11 Rogue AP
This example shows the friendly AP detection list.
Router(config)# show rogue-ap detection list friendly
description
===========================================================================
11:11:11:11:11:11 third floor
00:13:49:11:22:33
00:13:49:00:00:05
00:13:49:00:00:01
00:0D:0B:CB:39:33 dept1
This example shows the combined rogue and friendly AP detection list.
Router(config)# show rogue-ap detection list all
role description
===========================================================================...
Chapter 11 Rogue AP Containing a rogue AP means broadcasting unviable login data at it, preventing legitimate wireless clients from connecting to it. This is a kind of Denial of Service attack. 11.4 Rogue AP Containment Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Chapter 12 Wireless Frame Capture This chapter shows you how to configure and use wireless frame capture on the NXC. 12.1 Wireless Frame Capture Overview Troubleshooting wireless LAN issues has always been a challenge. Wireless sniffer tools like Ethereal can help capture and decode packets of information, which can then be analyzed for debugging.
Chapter 12 Wireless Frame Capture The following table describes the commands available for wireless frame capture. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 49 Command Summary: Wireless Frame Capture COMMAND DESCRIPTION Enters sub-command mode for wireless frame capture.
Chapter 13 Dynamic Channel Selection This chapter shows you how to configure and use dynamic channel selection on the NXC. 13.1 DCS Overview Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by passively listening to the area around it and determining what channels are currently being broadcast on by other devices.
Chapter 14 Auto-Healing This chapter shows you how to configure auto-healing settings. 14.1 Auto-Healing Overview Auto-healing allows you to extend the wireless service coverage area of the managed APs when one of the managed APs fails. 14.2 Auto-Healing Commands The following table identifies the values required for many of these commands.
Chapter 14 Auto-Healing
Table 52 Command Summary: Auto-Healing (continued)
COMMAND | DESCRIPTION
auto-healing margin | Enters a number from 0 to 9. This value is used to calculate the power level (power-threshold + margin) to which the neighbor APs of the failed AP increase their output power in order to extend their wireless service coverage areas.
Chapter 15 Dynamic Guest This chapter shows you how to configure dynamic guest accounts. 15.1 Dynamic Guest Overview Dynamic guest accounts are guest accounts, but are created dynamically with the guest manager account and stored in the NXC’s local user database. A dynamic guest account user can access the NXC’s services only within a given period of time and will become invalid after the expiration date/time.
Chapter 15 Dynamic Guest
Table 53 Command Summary: Dynamic Guest (continued)
COMMAND | DESCRIPTION
[no] description description | Sets the description for the specified user group. The no command clears the description for the specified user group.
dynamic-guest group | Sets this group as a dynamic guest group.
dynamic-guest enable expired-account... | Sets the NXC to remove the dynamic guest accounts
Chapter 15 Dynamic Guest
15.2.1 Dynamic Guest Examples
This example creates a guest-manager user account and a dynamic-guest user group, then sets the NXC to generate two dynamic-guest accounts automatically. This also shows the dynamic guest users information.
Router(config)# username GuestMaster password 4321 user-type guest-manager
Router(config)# groupname dynamic-guest
Router(group-user)# dynamic-guest group
Router(group-user)# exit...
Chapter 16 LEDs This chapter describes two features that control the LEDs of the managed APs connected to your NXC - Locator and Suppression. 16.1 LED Suppression Mode The LED Suppression feature allows you to control how the LEDs of the AP behave after it’s ready.
Chapter 16 LEDs
16.2.1 LED Suppression Commands Example
The following example activates LED suppression mode on the AP with the MAC address 00:a0:c5:01:23:45 and displays the settings.
Router(config)# led_suppress 00:a0:c5:01:23:45 enable
Router(config)# show led_suppress 00:a0:c5:01:23:45 status
Suppress Mode Status : Enable
Router(config)#
16.3 LED Locator
The LED locator feature identifies the location of the WAC AP among several devices in the...
Chapter 17 Zones Set up zones to configure network security and network policies in the NXC. Use the configure terminal command to enter Configuration mode in order to use the commands described in this chapter. 17.1 Zones Overview A zone is a group of interfaces.
Chapter 17 Zones
17.2 Zone Commands Summary
The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands.
Table 56 Input Values for Zone Commands
LABEL | DESCRIPTION
profile_name | The name of a zone. Use up to 31 characters (a-zA-Z0-9_-).
Chapter 17 Zones
17.2.1 Zone Command Examples
The following commands add Ethernet interfaces ge1 and ge2 to zone A and block intra-zone traffic.
Router# configure terminal
Router(config)# zone A
Router(zone)# interface ge1
Router(zone)# interface ge2
Router(zone)# block
Router(zone)# exit
Router(config)# show zone
No.
Chapter 18 ALG This chapter covers how to use the NXC’s ALG feature to allow certain applications to pass through the NXC. 18.1 ALG Introduction The NXC can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the NXC’s NAT.
Chapter 18 ALG
18.2 ALG Commands
The following table lists the commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 58 alg Commands
COMMAND | DESCRIPTION
[no] alg sip [inactivity-timeout | signal-port <1025..65535>... | Turns on or configures the ALG.
Chapter 19 Captive Portal This chapter describes how to configure which HTTP-based network services default to the captive portal page when a client makes an initial network connection. 19.1 Captive Portal Overview A captive portal can intercept all network traffic, regardless of address or port, until the user authenticates his or her connection, usually through a specifically designated login Web page.
Chapter 19 Captive Portal
Table 59 Web Authentication Policy Commands (continued)
COMMAND | DESCRIPTION
web-auth login setting | Sets the login web page through which users authenticate their connections before connecting to the rest of the network or Internet. See Table 60 on page 128 for the sub-commands.
Chapter 19 Captive Portal
Table 60 web-auth login setting Sub-commands (continued)
COMMAND | DESCRIPTION
[no] session-url | Sets the session page’s URL; for example: http://192.168.1.1/session.cgi. 192.168.1.1 is the web server on which the web portal files are installed.
[no] userlogout-url | Sets the URL of the page from which users can terminate their sessions; for example, http://192.168.1.1/userlogout.asp.
Chapter 19 Captive Portal
• Have the NXC use a custom login page from an external web portal instead of the default one built into the NXC
• Create web-auth policy 1
• Set web-auth policy 1 to use the SSID profile named SSIDprofile1
•...
Chapter 19 Captive Portal
Table 62 qrcode-auth-profile Commands (continued)
COMMAND | DESCRIPTION
[no] auth-assisted-vlan vlan_iface | Sets the VLAN interface on the NXC, through which the client is allowed to access the NXC. Use the no command to remove the specified VLAN interface.
[no] auth-type {all | auth- | Sets how the clients authenticate with a QR code to log into the web site.
Chapter 19 Captive Portal
Table 63 page-customization Commands (continued)
COMMAND | DESCRIPTION
exit | Goes to configuration mode.
show page-customization | Displays the custom login page settings.
19.1.4 Customizing the User Logout Page
Use these commands to customize the user logout screen. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Chapter 20 RTLS Use the RTLS commands to use the managed APs as part of an Ekahau RTLS to track the location of Ekahau Wi-Fi tags. 20.1 RTLS Introduction Ekahau RTLS (Real Time Location Service) tracks battery-powered Wi-Fi tags attached to APs managed by the NXC to create maps, alerts, and reports.
Chapter 21 Firewall This chapter introduces the NXC’s firewall and shows you how to configure your NXC’s firewall. 21.1 Firewall Overview The NXC’s firewall is a stateful inspection firewall. The NXC restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
Chapter 21 Firewall Your customized rules take precedence and override the NXC’s default settings. The NXC checks the schedule, user name (user’s login name on the NXC), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them).
Chapter 21 Firewall
Table 67 Command Summary: Firewall (continued)
COMMAND | DESCRIPTION
firewall zone_object {zone_object|EnterpriseWLAN} append | Enters the firewall sub-command mode to add a direction specific through-EnterpriseWLAN rule or to-EnterpriseWLAN rule to the end of the global rule list.
firewall zone_object {zone_object|EnterpriseWLAN} delete rule_number | Removes a direction specific through-EnterpriseWLAN rule or to-EnterpriseWLAN...
Chapter 21 Firewall
21.2.1 Firewall Sub-Commands
The following table describes the sub-commands for several firewall commands.
Table 68 firewall Sub-commands
COMMAND | DESCRIPTION
action {allow|deny|reject} | Sets the action the NXC takes when packets match this rule.
[no] activate | Enables a firewall rule. The no command disables the firewall rule.
Chapter 21 Firewall
21.2.2 Firewall Command Examples
The following example shows you how to add a firewall rule to allow a MyService connection from the WLAN zone to the IP addresses Dest_1 in the LAN zone.
• Enter configuration command mode.
•...
Chapter 21 Firewall
The following command displays the firewall rule(s) (including the default firewall rule) that apply to the packet direction from WAN to LAN. The firewall rule numbers in the menu are the firewall rules’ priority numbers in the global rule list.
Router# configure terminal
Router(config)# show firewall WAN LAN
firewall rule: 3...
Chapter 21 Firewall
The following table describes the session-limit commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 70 Command Summary: Session Limit
COMMAND | DESCRIPTION
[no] session-limit activate | Turns the session-limit feature on or off.
session-limit limit <0..8192> | Sets the default number of concurrent NAT/...
Chapter 22 User/Group This chapter describes how to set up user accounts, user groups, and user settings for the NXC. You can also set up rules that control when users have to log in to the NXC before the NXC routes traffic for them.
Chapter 22 User/Group
22.2 User/Group Commands Summary
The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands.
Table 72 username/groupname Command Input Values
LABEL | DESCRIPTION
username | The name of the user (account). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Chapter 22 User/Group
Table 73 username/groupname Commands Summary: Users (continued)
COMMAND | DESCRIPTION
username username [no] logon-lease-time <0..1440> | Sets the lease time for the specified user. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes (regardless of the current default setting for new users).
Chapter 22 User/Group Table 75 username/groupname Commands Summary: Settings (continued) COMMAND DESCRIPTION Sets the default user type for each new user. The users default-setting [no] user-type Displays the current retry limit settings for users. show users retry-settings Enables the retry limit for users.
Chapter 22 User/Group
22.2.4 MAC Auth Commands
This table lists the commands for mapping MAC addresses to MAC address user accounts.
Table 76 mac-auth Commands Summary
COMMAND | DESCRIPTION
[no] mac-auth database mac mac address type ext-mac-address mac-role username description | Maps the specified MAC address authenticated by an external server to the specified MAC role (MAC address user account).
Chapter 22 User/Group
• Use upper case letters in the account MAC addresses
Router(config)# username ZyXEL-mac user-type mac-address
Router(config)# mac-auth database mac 00:13:49:11:a0:c4 type ext-mac-address mac-role ZyXEL-mac description zyxel mac
3. Modify wlan-security-profile
Router(config)# wlan-security-profile secureWLAN1
Router(config-wlan-security default)# mac-auth activate
Router(config-wlan-security default)# mac-auth auth-method Auth1
Router(config-wlan-security default)# mac-auth delimiter account colon
Router(config-wlan-security default)# mac-auth case account upper...
Chapter 22 User/Group
22.2.5.1 Additional User Command Examples
The following commands display the users that are currently logged in to the NXC and force the logout of all logins from a specific IP address.
Router# configure terminal
Router(config)# show users all
Name Role Type...
Chapter 22 User/Group
The following commands display the users that are currently locked out and then unlock the user who is displayed.
Router# configure terminal
Router(config)# show lockout-users
Username Tried From Lockout Time Remaining
===========================================================================
From Failed Login Attempt Record Expired Timer
===========================================================================
192.168.1.60
Router(config)# unlock lockout-users 192.168.1.60...
Chapter 23 Addresses This chapter describes how to set up addresses and address groups for the NXC. Use the configure terminal command to enter Configuration mode in order to use the commands described in this chapter. 23.1 Address Overview Address objects can represent a single IP address or a range of IP addresses.
Chapter 23 Addresses
23.2 Address Commands Summary
The following table describes the values required for many address object and address group commands. Other values are discussed with the corresponding commands.
Table 78 Input Values for Address Commands
LABEL | DESCRIPTION
object_name | The name of the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Chapter 23 Addresses
23.2.1.1 Address Object Command Examples
The following example creates three address objects and then deletes one.
Router# configure terminal
Router(config)# address-object A0 10.1.1.1
Router(config)# address-object A1 10.1.1.1-10.1.1.20
Router(config)# address-object A2 10.1.1.0/24
Router(config)# show address-object
Object name Type Address Note Ref.
Chapter 23 Addresses
Table 80 object-group Commands: Address Groups (continued)
COMMAND | DESCRIPTION
[no] description description | Sets the description to the specified value. The no command clears the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
Chapter 24 Services Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 24.1 Services Overview See the appendices in the web configurator’s User Guide for a list of commonly-used services. 24.2 Services Commands Summary The following table describes the values required for many service object and service group commands.
Chapter 24 Services
Table 83 object-group Commands: Service Groups (continued)
COMMAND | DESCRIPTION
[no] object-group group_name | Adds the specified service group (second group_name) to the specified service group (first group_name). The no command removes the specified service group from the specified service group.
Chapter 25 Schedules Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. 25.1 Schedule Overview The NXC supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based on the current date and time in the NXC.
Chapter 25 Schedules
The following table lists the schedule commands.
Table 85 schedule Commands
COMMAND | DESCRIPTION
show schedule-object | Displays information about the schedules in the NXC.
no schedule-object object_name | Deletes the schedule object.
schedule-object list | Lists all schedules configured on the NXC.
Creates or updates a one-time schedule.
Chapter 26 AAA Server This chapter introduces and shows you how to configure the NXC to use external authentication servers. 26.1 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the NXC supports.
Chapter 26 AAA Server
26.2.1 aaa group server ad Commands
The following table lists the aaa group server ad commands you use to configure a group of AD servers.
Table 86 aaa group server ad Commands
COMMAND | DESCRIPTION
clear aaa group server ad [group- | Deletes all AD server groups or the specified AD server group.
Chapter 26 AAA Server
Table 86 aaa group server ad Commands (continued)
COMMAND | DESCRIPTION
[no] server domain-auth activate | Activates server domain authentication. The no parameter deactivates it.
server domain-auth domain-name ... | Adds the NetBIOS name of the AD server. The NXC uses it with the user name in the format
Chapter 26 AAA Server
Table 87 aaa group server ldap Commands (continued)
COMMAND | DESCRIPTION
[no] server binddn binddn | Sets the user name the NXC uses to log into the LDAP server group. The no command clears this setting.
[no] server cn-identifier uid | Sets the unique common name (cn) to identify a record.
Chapter 26 AAA Server
Table 88 aaa group server radius Commands (continued)
COMMAND | DESCRIPTION
[no] aaa group server radius group-name | Sets a descriptive name for the RADIUS server group. The no command deletes the specified server group.
aaa group server radius rename | Changes the descriptive name for a RADIUS server group.
Chapter 26 AAA Server
Table 88 aaa group server radius Commands (continued)
COMMAND | DESCRIPTION
[no] server nas-ip | Specifies the Network Access Server IP address attribute value if the RADIUS server requires it. The no command clears this setting.
[no] server acct-interim | Enable this to have the NXC send subscriber status updates to the RADIUS server.
Chapter 27 Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 27.1 Authentication Objects Overview After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the NXC uses to authenticate users (such as managing through HTTP/HTTPS or Captive Portal).
Chapter 27 Authentication Objects
Table 89 aaa authentication Commands (continued)
COMMAND | DESCRIPTION
[no] aaa authentication default member1 [member2] [member3] [member4] | Sets the default profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius, or local. Note: You must specify at least one member for each profile.
Chapter 27 Authentication Objects
27.3 test aaa Command
The following table lists the test aaa command you use to test a user account on an authentication server.
Table 90 test aaa Command
COMMAND | DESCRIPTION
test aaa {server|secure- | Tests whether a user account exists on the specified authentication server.
Chapter 28 Authentication Server This chapter shows you how to configure the NXC as an authentication server for access points. 28.1 Authentication Server Overview The NXC can also work as a RADIUS server to exchange messages with other APs for user authentication and authorization.
Chapter 28 Authentication Server
Table 91 Command Summary: Authentication Server (continued)
COMMAND | DESCRIPTION
[no] description description | Sets the description for the profile. The no command clears this setting. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
Chapter 29 ENC This chapter shows you how to configure the NXC as an ENC agent and allow it to be managed by the ENC server or an ACS (Auto Configuration Server) via TR-069 over HTTP or HTTPs. 29.1 ENC Overview ENC (Enterprise Network Center) is a browser-based network management system that allows network administrators from any location to manage and monitor multiple ZyXEL devices.
Chapter 29 ENC
Table 92 Command Summary: ENC-Agent (continued)
COMMAND | DESCRIPTION
enc-agent periodic-inform interval <10..86400> | Sets how often (in seconds) the NXC sends Inform messages to initiate connections to the ENC or ACS server.
enc-agent authentication | Sets the NXC to authenticate the ENC or ACS server’s certificate when you are using HTTPs.
Chapter 30 Certificates This chapter explains how to use the Certificates. 30.1 Certificates Overview The NXC can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key.
Chapter 30 Certificates
Table 93 Certificates Commands Input Values (continued)
LABEL | DESCRIPTION
organizational_unit | Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Identify the company or group to which the certificate owner belongs.
Chapter 30 Certificates
Table 94 ca Commands Summary (continued)
COMMAND | DESCRIPTION
ca generate pkcs10 name certificate_name cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] [usr-def certificate_name] key-type {rsa|dsa} key-len key_length | Generates a PKCS#10 certification request.
ca generate pkcs12 name name password password | Generates a PKCS#12 certificate.
Chapter 30 Certificates 30.5 Certificates Commands Examples The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512 bit key. Then it displays the list of local certificates.
Chapter 31 System This chapter provides information on the commands that correspond to what you can configure in the system screens. 31.1 System Overview Use these commands to configure general NXC information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services/protocols can access which NXC zones (if any) from which computers.
Chapter 31 System
Figure 15 Access Page Customization (figure labels: Logo, Title, Message Color (color of all text), Note Message (last line of text), Window Background)
You can specify colors in one of the following ways:
• color-rgb: Enter red, green, and blue values in parentheses and separate by commas. For example, use “rgb(0,0,0)”...
Chapter 31 System
Table 95 Command Summary: Customization (continued)
COMMAND | DESCRIPTION
login-page title title | Sets the title for the top of the login screen. Use up to 64 printable ASCII characters. Spaces are allowed.
login-page title-color {color-rgb | color-name | color-number} | Sets the title text color of the login page.
Sets the color of the logo banner across the top of the login...
Chapter 31 System 31.4.1 Date/Time Commands The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 97 Command Summary: Date/Time COMMAND DESCRIPTION Sets the new date in year, month and day format...
Chapter 31 System 31.5 Console Port Speed This section shows you how to set the console port speed when you connect to the NXC via the console port using a terminal emulation program. The following table describes the console port commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Chapter 31 System
Table 100 Command Summary: DNS (continued)
COMMAND | DESCRIPTION
ip dns server rule {<1..64>|append|insert <1..64>} access-group {ALL|profile_name} zone {ALL|profile_name} action {accept|deny} | Sets a service control rule for DNS requests.
ip dns server rule move <1..64> to <1..64> | Changes the number of a service control rule.
ip dns server zone-forwarder | Sets a domain zone forwarder record that specifies a DNS server’s IP address.
Chapter 32 System Remote Management This chapter shows you how to determine which services/protocols can access which NXC zones (if any) from which computers. To allow the NXC to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-NXC rule to block that traffic.
Chapter 32 System Remote Management 32.2 Common System Command Input Values The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 101 Input Values for General System Commands LABEL DESCRIPTION The name of the IP address (group) object.
Chapter 32 System Remote Management
Table 102 Command Summary: HTTP/HTTPS (continued)
COMMAND | DESCRIPTION
[no] ip http secure-server force-redirect | Redirects all HTTP connection requests to a HTTPS URL. The no command disables forwarding HTTP connection requests to a HTTPS URL.
ip http secure-server table {admin|user} rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone... | Sets a service control rule for HTTPS service.
Chapter 32 System Remote Management
This command sets an authentication method used by the HTTP/HTTPS server to authenticate the client(s).
Router# configure terminal
Router(config)# ip http authentication Example
The following example sets a certificate named MyCert used by the HTTPS server to authenticate itself to the SSL client.
Chapter 32 System Remote Management
Table 103 Command Summary: SSH (continued)
COMMAND | DESCRIPTION
[no] ip ssh server port <1..65535> | Sets the SSH service port number. The no command resets the SSH service port number to the factory default (22).
ip ssh server rule {rule_number|append|insert rule_number} access-group {ALL|address_object}... | Sets a service control rule for SSH service. address_object: The name of the IP address
Chapter 32 System Remote Management 32.6 Telnet Commands The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 104 Command Summary: Telnet COMMAND DESCRIPTION Allows Telnet access to the NXC CLI.
Chapter 32 System Remote Management 32.7 Configuring FTP You can upload and download the NXC’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 32.7.1 FTP Commands The following table describes the commands available for FTP. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Chapter 32 System Remote Management
This command displays FTP settings.
Router# configure terminal
Router(config)# show ip ftp server status
active : yes
port : 21
certificate: default : no
service control:
Zone Address Action
========================================================================
32.8 SNMP
Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
Chapter 32 System Remote Management 32.8.3 SNMP Commands The following table describes the commands available for SNMP. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 107 Command Summary: SNMP COMMAND DESCRIPTION Allows SNMP access to the NXC.
Chapter 32 System Remote Management
Table 107 Command Summary: SNMP (continued)
COMMAND | DESCRIPTION
show snmp status | Displays SNMP Settings.
show snmp-server v3user status | Displays SNMPv3 user status.
32.8.4 SNMP Commands Examples
The following command sets a service control rule that allows the computers with the IP addresses matching the specified address object to access the specified zone using SNMP service.
Chapter 32 System Remote Management 32.9.1 TR-069 Commands The following table describes the commands available for TR-069. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 108 Command Summary: TR-069 COMMAND DESCRIPTION Enters up to 255 characters to set the password...
Chapter 32 System Remote Management
Table 108 Command Summary: TR-069 (continued)
COMMAND | DESCRIPTION
[no] tr069-agent username username | Enters up to 255 characters to set the user name used to authenticate the management server when connecting to the NXC. The no command removes the password.
Chapter 33 DHCPv6 Objects This chapter describes how to configure and view DHCPv6 request objects. 33.1 DHCPv6 Object Commands Summary The following table identifies the values required for many DHCPv6 object commands. Other input values are discussed with the corresponding commands. Table 110 DHCPv6 Object Command Input Values LABEL DESCRIPTION...
Chapter 34 File Manager This chapter covers how to work with the NXC’s firmware, certificates, configuration files, custom IDP signatures, packet trace results, shell scripts and temporary files. 34.1 File Directories The NXC stores files in the following directories. Table 112 FTP File Transfer Notes FILE NAME DIRECTORY FILE TYPE...
Chapter 34 File Manager
These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
Figure 16 Configuration File / Shell Script: Example
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3...
Chapter 34 File Manager
“exit” or “!” must follow sub commands if it is to make the NXC exit sub command mode.
Line 3 in the following example exits sub command mode.
interface ge1
ip address dhcp
Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
interface ge1
# this interface is a DHCP client
Lines 1 and 2 are comments.
Chapter 34 File Manager
• When you change the configuration, the NXC creates a startup-config.conf file of the current configuration.
• The NXC checks the startup-config.conf file for errors when it restarts. If there is an error in the startup-config.conf file, the NXC copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file.
Chapter 34 File Manager
34.4 File Manager Commands Summary
The following table lists the commands that you can use for file management.
Table 115 File Manager Commands Summary
COMMAND
    DESCRIPTION
apply /conf/file_name.conf [ignore-error]
    Has the NXC use a specific configuration file. You must still use the command to save your...
Chapter 34 File Manager
Table 115 File Manager Commands Summary (continued)
COMMAND
    DESCRIPTION
show running-config
    Displays the settings of the configuration file that the system is using.
setenv-startup stop-on-error off
    Has the NXC ignore any errors in the startup-config.conf file and apply all of the valid commands.
show setenv-startup
    Displays whether or not the NXC is set to ignore any errors in the startup-config.conf file and apply all of the...
Chapter 34 File Manager The firmware update can take up to five minutes. Do not turn off or reset the NXC while the firmware update is in progress! If you lose power during the firmware upload, you may need to refer to Section 34.9 on page 209 to recover the firmware.
Chapter 34 File Manager
34.6.4 Command Line FTP Configuration File Download Example
The following example gets a configuration file named today.conf from the NXC and saves it on the computer as current.conf.
Figure 18 FTP Configuration File Download Example
C:\>ftp 192.168.1.1
Connected to 192.168.1.1.
Chapter 34 File Manager
Figure 19 NXC File Usage at Startup: 1. Boot Module, 2. Recovery Image, 3. Firmware
1 The boot module performs a basic hardware test. You cannot restore the boot module if it is damaged. The boot module also checks and loads the recovery image. The NXC notifies you if the recovery image is damaged.
Chapter 34 File Manager 3 If the console session displays “Invalid Firmware”, or “Invalid Recovery Image”, or the console freezes at "Press any key to enter debug mode within 3 seconds" for more than one minute, go to Section 34.10 on page 210 to restore the recovery image.
Page 211
Chapter 34 File Manager Figure 23 Enter Debug Mode 3 Enter atuk to initialize the recovery process. If the screen displays “ERROR”, enter atur to initialize the recovery process. You only need to use the atuk or atur command if the recovery image is damaged.
Chapter 34 File Manager Figure 26 Example Xmodem Upload Type the firmware file's location, or click Browse to search for it. Choose the 1K Xmodem protocol. Then click Send. 6 Wait for about three and a half minutes for the Xmodem upload to finish. Figure 27 Recovery Image Upload Complete 7 Enter atgo.
Page 213
Chapter 34 File Manager 3 Use an FTP client on your computer to connect to the NXC. For example, in the Windows command prompt, type ftp 192.168.1.1. Keep the console session connected in order to see when the firmware recovery finishes. 4 Hit enter to log in anonymously.
Page 214
Chapter 34 File Manager
Figure 32 Firmware Recovery Complete and Restart
10 The username prompt displays after the NXC starts up successfully. The firmware recovery process is now complete and the NXC is ready to use.
Figure 33 Restart Complete
Chapter 34 File Manager 34.12 Restoring the Default System Database The default system database stores information such as the default anti-virus or IDP signatures. The NXC can still operate if the default system database is damaged or missing, but related features (like anti-virus or IDP) may not function properly. If the default system database file is not valid, the NXC displays a warning message in your console session at startup or when reloading the anti-virus or IDP signatures.
Chapter 34 File Manager Figure 36 Default System Database Missing Log: Anti-virus This procedure requires the NXC’s default system database file. Download the firmware package from www.zyxel.com and unzip it. The default system database file uses a .db extension, for example, "1.01(XL.0)C0.db". Do the following after you have obtained the default system database file.
Page 217
Chapter 34 File Manager
Figure 38 atkz -u Command for Restoring the Default System Database
4 “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen. Connect your computer to the NXC’s port 1 (only port 1 can be used).
Figure 39 Use FTP with Port 1 and IP 192.168.1.1 to Upload File
5 The NXC’s FTP server IP address for firmware recovery is 192.168.1.1, so set your computer to use a static IP address from 192.168.1.2 ~ 192.168.1.254.
Page 218
Chapter 34 File Manager Figure 42 Default System Database Received and Recovery Complete 12 The username prompt displays after the NXC starts up successfully. The default system database recovery process is now complete and the NXC IDP and anti-virus features are ready to use again.
Chapter 35 Logs
This chapter provides information about the NXC’s logs.
When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User’s Guide for the maximum number of system log messages in the NXC.
Chapter 35 Logs
35.1.2.1 System Log Command Examples
The following command displays the current status of the system log.
Router# configure terminal
Router(config)# show logging status system-log
512 events logged
suppression active : yes
suppression interval: 10
category settings
content-filter : normal , forward-web-sites : no
blocked-web-sites : normal , user : normal ,...
Chapter 35 Logs
This table lists the commands for the remote syslog server settings.
Table 121 logging Commands: Remote Syslog Server Settings
COMMAND
    DESCRIPTION
show logging status syslog
    Displays the current settings for the remote syslog servers.
[no] logging syslog <1..4>
    Enables the specified remote server. The...
Page 223
Chapter 35 Logs
Table 122 logging Commands: E-mail Profile Settings (continued)
COMMAND
    DESCRIPTION
[no] logging mail <1..2> {send-log-to | send-alerts-to} e_mail
    Sets the e-mail address for logs or alerts. The no command clears the specified field.
    e_mail: You can use up to 63 alphanumeric characters, underscores (_), or dashes (-), and you must use the @ character.
Chapter 35 Logs
35.1.5 Console Port Log Commands
This table lists the commands for the console port settings.
Table 123 logging Commands: Console Port Settings
COMMAND
    DESCRIPTION
show logging status console
    Displays the current settings for the console log. (This log is not discussed above.)
Enables the console log....
Page 225
Chapter 35 Logs
Table 124 logging Commands: Access Point Settings (continued)
COMMAND
    DESCRIPTION
show wtp-logging status mail [ap_mac]
    Displays the logging status for the specified AP’s mail log.
show wtp-logging query-log ap_mac
    Displays the specified AP’s query log.
show wtp-logging query-dbg-log ap_mac
    Displays the specified AP’s query debug log.
Displays the AP logging result status....
Chapter 36 Reports and Reboot
This chapter provides information about the report associated commands and how to restart the NXC using commands. It also covers the daily report e-mail feature.
36.1 Report Commands Summary
The following sections list the report and session commands.
36.1.1 Report Commands
This table lists the commands for reports.
Chapter 36 Reports and Reboot
36.1.2 Report Command Examples
The following commands start collecting data, display the traffic reports, and stop collecting data.
Router# configure terminal
Router(config)# show report ge1 ip
No. IP Address User Amount Direction
===================================================================
192.168.1.4 admin 1273(bytes) Outgoing
192.168.1.4...
Chapter 36 Reports and Reboot 36.2 Email Daily Report Commands The following table identifies the values used in some of these commands. Other input values are discussed with the corresponding commands. Table 127 Input Values for Email Daily Report Commands LABEL DESCRIPTION An e-mail address.
Page 230
Chapter 36 Reports and Reboot Table 128 Email Daily Report Commands (continued) COMMAND DESCRIPTION Sets the SMTP service port. smtp-port <1..65535> Resets the SMTP service port configuration. no smtp-port Determines whether or not the station statistics daily-report [no] item station-count are included in the report e-mails.
Chapter 36 Reports and Reboot
36.2.1 Email Daily Report Example
This example sets the NXC to send a daily report e-mail.
Router(config)# daily-report
Router(config-daily-report)# smtp-address example-SMTP-mail-server.com
Router(config-daily-report)# mail-subject set test subject
Router(config-daily-report)# no mail-subject append system-name
Router(config-daily-report)# mail-subject append date-time
Router(config-daily-report)# mail-from [email protected]
Router(config-daily-report)# [email protected]
Router(config-daily-report)# no mail-to-2...
Chapter 36 Reports and Reboot
This displays the email daily report settings and has the NXC send the report now.
Router(config)# show daily-report status
email daily report status
=========================
activate: yes
scheduled time: 13:57
reset counter: no
smtp address: example-SMTP-mail-server.com
smtp auth: yes
smtp username: 12345
smtp password: pass12345...
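The status output above prints the SMTP password in clear text, and the configuration file example in Chapter 34 carries the administrator password the same way. The following added example (not part of the guide or of any ZyXEL tool) masks both forms before captured CLI text or a configuration file is stored or passed on; MASK, the two regular expressions and SAMPLE are assumptions built only from the lines quoted in this guide.

```python
import re

MASK = "<redacted>"  # hypothetical marker, not an NXC value

# CLI form, e.g. "username admin password 4321 user-type admin":
# the token that follows the keyword "password" is the secret.
CLI_SECRET = re.compile(
    r"^(?P<head>.*?\bpassword[ \t]+)(?P<secret>\S+)(?P<tail>.*)$", re.I)

# Status form, e.g. "smtp password: pass12345" from "show daily-report status".
STATUS_SECRET = re.compile(
    r"^(?P<head>.*?\bpassword[ \t]*:[ \t]*)(?P<secret>\S.*?)(?P<tail>[ \t]*)$", re.I)

# Constructed sample: lines copied from the examples in this guide.
SAMPLE = """\
# change administrator password
username admin password 4321 user-type admin
smtp auth: yes
smtp username: 12345
smtp password: pass12345
"""


def redact(text):
    """Return (redacted_text, findings); findings are (line_number, form) tuples."""
    out, findings = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        # Script comments start with "#" and carry no settings; keep them as-is
        # so a comment such as "# change administrator password" is not mangled.
        if line.lstrip().startswith("#"):
            out.append(line)
            continue
        for form, pattern in (("status", STATUS_SECRET), ("cli", CLI_SECRET)):
            match = pattern.match(line)
            if match:
                line = match.group("head") + MASK + match.group("tail")
                findings.append((number, form))
                break
        out.append(line)
    return "\n".join(out), findings


if __name__ == "__main__":
    cleaned, hits = redact(SAMPLE)
    print(cleaned)
    print("masked lines:", hits)
```

The findings list doubles as a gate: a non-empty result on a file that is about to leave the management network means it still held a clear-text credential.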
Chapter 37 Session Timeout
Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands.
Table 129 Session Timeout Commands
COMMAND DESCRIPTION Sets the timeout for UDP sessions to connect or session timeout {udp-connect <1..300>...
Chapter 38 Diagnostics
This chapter covers how to use the diagnostics feature.
38.1 Diagnostics
The diagnostics feature provides an easy way for you to generate a file containing the NXC’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
Chapter 39 Packet Flow Explore
This chapter covers how to use the packet flow explore feature.
39.1 Packet Flow Explore
Use this to get a clear picture of how the NXC determines where to forward a packet and how to change the source IP address of the packet according to your current settings.
Chapter 39 Packet Flow Explore
39.3 Packet Flow Explore Commands Example
The following example shows all routing related functions and their order.
Router> show route order
route order: Direct Route, Policy Route, 1-1 SNAT, Main Route
The following example shows all SNAT related functions and their order.
Router>...
Chapter 40 Maintenance Tools
Use the maintenance tool commands to check the conditions of other devices through the NXC. The maintenance tools can help you to troubleshoot network problems.
40.1 Maintenance Tools Commands
Here are maintenance tool commands that you can use in privilege mode.
Table 132 Maintenance Tools Commands in Privilege Mode
COMMAND DESCRIPTION...
Page 240
Chapter 40 Maintenance Tools
Here are maintenance tool commands that you can use in configure mode.
Table 133 Maintenance Tools Commands in Configuration Mode
COMMAND
    DESCRIPTION
[no] packet-capture activate
    Performs a packet capture that captures network traffic going through the set NXC’s interface(s). Studying these packet captures may help you identify network problems.
Chapter 40 Maintenance Tools
Table 133 Maintenance Tools Commands in Configuration Mode (continued)
COMMAND
    DESCRIPTION
snaplen <68..1512>
    Specifies the maximum number of bytes to capture per packet. The NXC automatically truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets may be larger than the size of captured packets.
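The snaplen behaviour described above can be checked on a capture file before it is relied on for analysis. The following added example (not part of the guide) lists the records whose original length exceeds the captured length. It assumes the capture is in the classic libpcap file format, which the guide does not state; build_capture and truncated_records are hypothetical helper names, and the capture bytes are constructed inline.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, microsecond timestamps


def build_capture(snaplen, packets):
    """Build a little-endian classic pcap byte string (constructed sample data).

    packets is a list of (timestamp_seconds, wire_bytes); each payload is cut
    to snaplen bytes the way a capture with that snaplen would store it.
    """
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type 1 (Ethernet)
    blob = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for seconds, wire in packets:
        kept = wire[:snaplen]
        blob += struct.pack("<IIII", seconds, 0, len(kept), len(wire)) + kept
    return blob


def truncated_records(blob):
    """Return (snaplen, [(index, captured_len, wire_len), ...]) for cut packets."""
    if len(blob) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    snaplen = struct.unpack_from(endian + "I", blob, 16)[0]

    offset, index, cut = 24, 0, []
    while offset + 16 <= len(blob):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", blob, offset)
        offset += 16
        if offset + incl_len > len(blob):
            raise ValueError("record %d runs past the end of the file" % index)
        if orig_len > incl_len:
            # The packet on the wire was longer than what was stored.
            cut.append((index, incl_len, orig_len))
        offset += incl_len
        index += 1
    return snaplen, cut


if __name__ == "__main__":
    # Constructed capture: snaplen 68 (the lowest value the command accepts),
    # one 60-byte packet that fits and one 1512-byte packet that does not.
    sample = build_capture(68, [(1, b"\x00" * 60), (2, b"\x00" * 1512)])
    print(truncated_records(sample))
```

A non-empty list means payload bytes beyond the snaplen were never recorded, so content-based inspection of those packets covers only their first bytes.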
Page 243
Chapter 40 Maintenance Tools
Then configure the following settings to capture packets going through the NXC’s WAN1 interface only (this means you have to remove LAN2 and WAN2 from the iface list).
• IP address: any
• Host IP: any
•...
Chapter 41 Watchdog Timer
This chapter provides information about the NXC’s watchdog timers.
41.1 Hardware Watchdog Timer
The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.
Table 134 hardware-watchdog-timer Commands
COMMAND DESCRIPTION...
Chapter 41 Watchdog Timer
The software-watchdog-timer commands are for support engineers. It is recommended that you not modify the software watchdog timer settings.
Table 135 software-watchdog-timer Commands
COMMAND
    DESCRIPTION
[no] software-watchdog-timer timer
    Sets how long the system’s core firmware can be unresponsive before resetting....
Chapter 41 Watchdog Timer
Table 136 app-watchdog Commands
COMMAND
    DESCRIPTION
[no] app-watch-dog mem-threshold min <1..100> max <1..100>
    Sets the percentage thresholds for sending a memory usage alert. The NXC starts sending alerts when memory usage exceeds the maximum (the second threshold you enter). The NXC stops sending alerts when...
Page 248
Chapter 41 Watchdog Timer
The following example lists the processes that the application watchdog is monitoring.
Router# configure terminal
Router(config)# show app-watch-dog monitor-list
#app_name min_process_count max_process_count(-1 unlimited) recover_enable recover_reboot recover_always recover_max_try_count recover_max_fail_count
uamd
firewalld
policyd
classify
resd
zyshd_wd
zyshd
httpd
httpd
dhcpd
zylogd...
Chapter 42 Managed AP Commands
Connect directly to a managed AP’s CLI (Command Line Interface) to configure the managed AP’s CAPWAP (Control And Provisioning of Wireless Access Points) client and DNS server settings.
42.1 Managed Series AP Commands Overview
Log into an AP’s CLI and use the commands in this chapter if the AP does not automatically connect to the NXC or you need to configure the AP’s DNS server.
Chapter 42 Managed AP Commands 42.3 CAPWAP Client Commands Use the CAPWAP client commands to configure the AP’s IP address and other related management interface settings. Do not use the original interface commands to configure the IP address and related settings on the AP, because the AP does not save interface command settings after rebooting.
Chapter 42 Managed AP Commands 42.3.1 CAPWAP Client Commands Example This example shows how to configure the AP’s management interface and how it connects to the AP controller (the NXC), and check the connecting status. The following commands: • Display how the AP finds the NXC •...
Chapter 42 Managed AP Commands
42.4 DNS Server Commands
The following table describes commands for configuring the AP’s DNS server. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 139 Command Summary: DNS Server
COMMAND DESCRIPTION Sets a domain zone forwarder record that specifies a fully...
Chapter 42 Managed AP Commands 42.4.2 DNS Server Commands and DHCP The AP in the example in Section 42.4.1 on page 252 uses a static IP address. If the AP uses DHCP instead, you do not need to configure the DNS server’s IP address on the AP when you configure DHCP option 6 on the DHCP server.
Page 266
List of Commands join ..........62 language ....198 lan_port {activate | inactivate} pvid <1..4094> ........76 lan-provision ap ap_mac ............76 lan-provision lan_port {activate | inactivate} pvid <1..4094> ....75 lan-provision vlan_interface {activate | inactivate} vid <1..4094> join lan_port {tag | untag} [lan_port {tag | untag}] [lan_port {tag | untag}] ....
Page 267
List of Commands
no dynamic-guest expired-account deleted ........116
no dynamic-guest username ............116
no enc-agent acs password ............174
no enc-agent acs username ............174
no enc-agent authentication ............. 174
no enc-agent manager ............174
no enc-agent password ............174
no enc-agent periodic-inform ............
Page 268
List of Commands
policy default-route ............. 67
policy delete policy_number ............67
policy flush ..............67
policy list table ..............67
policy move policy_number to policy_number ........67
port status Port<1..x> ............58
proto-type {icmp | igmp | igrp | pim | ah | esp | vrrp | udp | tcp | any} ..240
psk psk .................
Page 269
List of Commands
setenv-startup stop-on-error off ..........206
show ................129
show ................145
show ................32
show ................52
show aaa authentication {group-name|default} ........167
show aaa group server ad group-name ..........162
show aaa group server ldap group-name ........... 163
show aaa group server radius group-name .........
Page 270
List of Commands
show connlimit max-per-host ............. 137
show console ..............185
show corefile copy usb-storage ........... 60
show country-code list ............77
show cpu status ..............37
show daily-report status ............229
show default country-code ............77
show device-register status ............42
show dhcp6 interface ............
Page 271
List of Commands
show led status ..............37
show led_locator ap_mac_address status .......... 120
show led_suppress ap_mac_address status ......... 119
show lockout-users .............. 148
show logging debug entries [priority pri] [category module_name] [srcip ip] [dstip ip] [service service_name] [begin <1..1024> end <1..1024>] [keyword keyword] .
Page 272
List of Commands
show reference object-group username [username] ........35
show report [interface_name {ip | service | url}] ....... 227
show report status .............. 227
show rogue-ap containment config ..........108
show rogue-ap containment list ..........108
show rogue-ap detection info ............ 106
show rogue-ap detection list {rogue | friendly| all} ......
Page 273
List of Commands
show wlan-radio-profile {all | radio_profile_name} ....... 88
show wlan-security-profile {all | security_profile_name} ......96
show wlan-ssid-profile {all | ssid_profile_name} ......... 94
show wtp-logging dbg-result-status ..........225
show wtp-logging debug entries [priority pri] [category module_name] [srcip ipv4] [dstip ipv4] [service service] [srciface config_interface] [dstiface config_interface] [protocol log_proto_accept ] [begin <1..512>...
Page 274
List of Commands
trigger move <1..8> to <1..8> ............ 67
tx-mask chain_mask ............... 92
type {external | internal} ............128
type {internal|external|general} ..........58
unlock lockout-users ip | console ..........148
upstream <0..1048576> ............62
usb-storage mount ..............60
usb-storage umount ............... 60
usb-storage warn number ...