NXC Series
Wireless LAN Controller
Versions: 2.25, 4.00
Edition 1, 06/2013
Quick Start Guide
CLI Reference Guide
Default Login Details
IP Address https://192.168.1.1
User Name www.zyxel.
IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a Reference Guide for a series of products intended for people who want to configure the NXC via Command Line Interface (CLI). Some commands or command options in this guide may not be available in your product. See your product's User’s Guide for a list of supported features. Every effort has been made to ensure that the information in this guide is accurate.
Contents Overview

Command Line Interface
User and Privilege Modes
Object Reference
Status

Diagnostics
Packet Flow Explore
Maintenance Tools
Watchdog Timer
Table of Contents

Chapter 1 Command Line Interface
  1.1 Overview

Chapter 3 Object Reference
  3.1 Object Reference Commands
    3.1.1 Object Reference Command Example
Chapter 4 Status

  7.4 Static Route Commands
    7.4.1 Static Route Commands Example
  7.5 Learned Routing Information Commands
    7.5.1 show ip route Command Example

Chapter 13 Wireless Load Balancing
  13.1 Wireless Load Balancing Overview
  13.2 Wireless Load Balancing Commands
    13.2.1 Wireless Load Balancing Examples

Chapter 20 Application Patrol
  20.1 Application Patrol Overview
  20.2 Application Patrol Commands Summary
    20.2.1 Pre-defined Application Commands

Chapter 23 Device HA
  23.1 Device HA Overview
    23.1.1 Before You Begin
  23.2 General Device HA Commands

  28.1 AAA Server Overview
  28.2 Authentication Server Command Summary
    28.2.1 aaa group server ad Commands
    28.2.2 aaa group server ldap Commands

  33.6 DNS Overview
    33.6.1 DNS Commands
    33.6.2 DNS Command Example
Chapter 34 System Remote Management

    35.6.2 Command Line FTP Configuration File Upload Example
    35.6.3 Command Line FTP File Download
    35.6.4 Command Line FTP Configuration File Download Example
  35.7 NXC File Usage at Startup

Chapter 41 Maintenance Tools
  41.1 Maintenance Tools Commands
    41.1.1 Command Examples
Chapter 42 Watchdog Timer
CHAPTER 1 Command Line Interface

This chapter describes how to access and use the CLI (Command Line Interface).

1.1 Overview

If you have problems with your NXC, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the NXC and possibly render it unusable.

1.1.
The NXC might force you to log out of your session if reauthentication time, lease time, or idle timeout is reached. See Chapter 24 on page 169 for more information about these settings.

1.2.1 Console Port

The default settings for the console port are as follows.
Enter the user name and password at the prompts. The default login username is admin and password is 1234. The username and password are case-sensitive.

1.2.2 Web Configurator Console

The Console allows you to use CLI commands from directly within the Web Configurator rather than having to use a separate terminal program. In addition to logging in directly to the NXC’s CLI, you can also log into other devices on the network through this Console.
The following table describes the elements in this screen.

Table 2 Console
LABEL    DESCRIPTION
Command Line
    Enter commands for the device that you are currently logged into here. If you are logged into the NXC, see the CLI Reference Guide for details on using the command line to configure it.
Device IP Address
    This is the IP address of the device that you are currently logged into.
2 Enter the IP address of the NXC and click OK.
3 Next, enter the user name of the account being used to log into your target device and then click OK.
4 You may be prompted to authenticate your account password, depending on the type of device that you are logging into. Enter the password and click OK.
5 If your login is successful, the command line appears and the status bar at the bottom of the Console updates to reflect your connection state.

1.2.3 Telnet

Use the following steps to Telnet into your NXC.

1 If your computer is connected to the NXC over the Internet, skip to the next step. Make sure your computer IP address and the NXC IP address are on the same subnet.
2 In Windows, click Start (usually in the bottom left corner) and Run.
Figure 4 SSH Login Example
C:\>ssh2 admin@192.168.1.1
Host key not found from database.
Key fingerprint:
xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to C:/Documents and Settings/user/Application Data/SSH/ hostkeys/ ey_22_192.168.1.1.pub
host key for 192.168.1.
1.4.3 Command Summary

This section lists the commands for the feature in one or more tables.

1.4.4 Command Examples

This section contains any examples for the commands in this feature.

1.4.5 Command Syntax

The following conventions are used in this guide.

• A command or keyword in courier new must be entered literally as shown. Do not abbreviate.
• Values that you need to provide are in italics.
Table 3 CLI Modes (continued)

What LimitedAdmin users can do
    USER: Look at system information (like Status screen); run basic diagnostics
    PRIVILEGE: Look at system information (like Status screen); run basic diagnostics
    CONFIGURATION: Unable to access
    SUB-COMMAND: Unable to access

What Admin users can do
    USER: Look at system information (like Status screen); run basic diagnostics
    PRIVILEGE: Look at system information (like Status screen); run basic diagnostics
    • • • • •
Figure 5 Help: Available Commands Example 1
Router> ?
apply
atse
clear
configure
------------------[Snip]-------------------
shutdown
telnet
test
traceroute
write
Router>

Figure 6 Help: Available Command Example 2
Router> show ?
aaa
access-page
account
ad-server
address-object
------------------[Snip]-------------------
wlan
workspace
zone
Router> show

1.6.
1.6.3 Entering Partial Commands

The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the NXC automatically display the full command. For example, if you enter config and press [TAB], the full command of configure automatically displays. If you enter a partial command that is not unique and press [TAB], the NXC displays a list of commands that start with the partial command.
1.7 Input Values

You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen. In the following example, the next input value is a string called .
Table 4 Input-Value Formats for Strings in CLI Commands (continued)
TAG               # VALUES  LEGAL VALUES
e-mail            1-64      alphanumeric or .@_-
encryption key    16-64     “0x” or “0X” + 16-64 hexadecimal values
                  8-32      alphanumeric or ;\|`~!@#$%^&*()_+\\{}':,./<>=-
file name         0-31      alphanumeric or _-
filter extension  1-256     alphanumeric, spaces, or '()+,/:=?;!*#@$_%.-
fqdn              Used in ip dns server
                  1-253     alphanumeric or .
Table 4 Input-Value Formats for Strings in CLI Commands (continued)
TAG       # VALUES  LEGAL VALUES
password  Used in user and ip
          1-63      alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./
          Used in e-mail log profile SMTP authentication
          1-63      alphanumeric or `~!@#$%^&*()_-+={}|\;:'<>./
          Used in device HA synchronization
          1-63      alphanumeric or ~#%^*_-={}:,.
          Used in registration
          6-20      alphanumeric or .
Table 4 Input-Value Formats for Strings in CLI Commands (continued)
TAG # VALUES LEGAL VALUES
username 1-31 alphanumeric or _first character: alphanumeric or _domain authorization username 6-20 alphanumeric or .@_registration user name 1+ alphanumeric or -_. logging commands user@domainname 1-80 alphanumeric or .@_- vrrp group name: less than 15 chars 1-15 alphanumeric or _- week-day sequence, i.e.
CHAPTER 2 User and Privilege Modes

This chapter describes how to use these two modes.

2.1 User And Privilege Modes

This is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the NXC uses. See Chapter 24 on page 169 for more information about the user types. ‘User’ type accounts can only run ‘exit’ in this mode.
Table 5 User (U) and Privilege (P) Mode Commands (continued)
COMMAND    MODE  DESCRIPTION
diag-info  P     Has the NXC create a new diagnostic file.
dir        P     Lists files in a directory.
disable    U/P   Goes from privilege mode to user mode
enable     U/P   Goes from user mode to privilege mode
exit       U/P   Goes to a previous mode or logs out.
htm        U/P   Goes to htm (hardware test module) mode for testing hardware components.
2.1.1 Debug Commands

Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for ZyXEL service personnel use only. The debug commands follow a syntax that is Linux-based, so if there is a Linux equivalent, it is displayed in this chapter for your reference. You must know a command listed here well before you use it. Otherwise, it may cause undesired results.
CHAPTER 3 Object Reference

This chapter describes how to use object reference commands.

3.1 Object Reference Commands

The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
Table 7 show reference Commands (continued)
COMMAND    DESCRIPTION
show reference object-group aaa radius [group_name]
    Displays which configuration settings reference the specified AAA RADIUS group object.
show reference object [wlanradio-profile]
    Displays the specified radio profile object.
show reference object [wlanmonitor-profile]
    Displays the specified monitor profile object.
show reference object [wlanssid-profile]
    Displays the specified SSID profile object.
CHAPTER 4 Status

This chapter explains some commands you can use to display information about the NXC’s current operational state.

4.1 Status Show Commands

The following table describes the commands available for NXC system status.

Table 8 Status Show Commands
COMMAND    DESCRIPTION
show boot status
    Displays details about the NXC’s startup state.
show comport status
    Displays whether the console and auxiliary ports are on or off.
show cpu status
    Displays the CPU utilization.
Here are examples of the commands that display the CPU and disk utilization.

Router(config)# show cpu status
CPU utilization: 0 %
CPU utilization for 1 min: 0 %
CPU utilization for 5 min: 0 %
Router(config)# show disk
; |
Router(config)# show disk
No.
Here is an example of the command that displays the open ports.

Router(config)# show socket open
No. Proto Local_Address       Foreign_Address     State
===========================================================================
1   tcp   172.16.13.240:22    172.16.13.10:1179   ESTABLISHED
2   udp   127.0.0.1:64002     0.0.0.0:0
3   udp   0.0.0.0:520         0.0.0.0:0
4   udp   0.0.0.0:138         0.0.0.0:0
5   udp   0.0.0.0:138         0.0.0.0:0
6   udp   0.0.0.0:138         0.0.0.0:0
7   udp   0.0.0.0:138         0.0.0.0:0
8   udp   0.0.0.0:138         0.0.0.0:0
9   udp   0.0.0.0:138         0.0.
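Added example (not part of the ZyXEL guide): one way to review captured show socket open output for exposed services. Rows 1 to 5 of the sample repeat the output above; rows 6 and 7 and the LISTEN state label are constructed, and expected_ports and admin_hosts are hypothetical inputs supplied by the reviewer.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample in the column layout of "show socket open".
# Rows 1-5 mirror the guide's example; rows 6-7 (and "LISTEN") are constructed.
SAMPLE = """\
Router(config)# show socket open
No. Proto Local_Address       Foreign_Address     State
===========================================================================
1   tcp   172.16.13.240:22    172.16.13.10:1179   ESTABLISHED
2   udp   127.0.0.1:64002     0.0.0.0:0
3   udp   0.0.0.0:520         0.0.0.0:0
4   udp   0.0.0.0:138         0.0.0.0:0
5   udp   0.0.0.0:138         0.0.0.0:0
6   tcp   0.0.0.0:23          0.0.0.0:0           LISTEN
7   tcp   0.0.0.0:443         0.0.0.0:0           LISTEN
"""

# Well-known ports of management protocols that carry credentials unencrypted.
CLEARTEXT_MGMT = {21: "ftp", 23: "telnet", 80: "http"}

# One table row: index, protocol, local ip:port, foreign ip:port, optional state.
ROW = re.compile(
    r"^\s*\d+\s+(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)(?:\s+(\S+))?\s*$"
)


class Sock(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int
    state: str


def parse_socket_table(text):
    """Return one Sock per data row; prompts, headers and rulers are skipped."""
    socks = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue
        proto, lip, lport, pip, pport, state = m.groups()
        socks.append(Sock(proto, lip, int(lport), pip, int(pport), state or ""))
    return socks


def is_listener(sock):
    """A socket with no peer (0.0.0.0:0) is waiting for inbound traffic."""
    peer = ipaddress.ip_address(sock.peer_ip)
    return peer.is_unspecified and sock.peer_port == 0


def audit(text, expected_ports, admin_hosts):
    """Return findings as (kind, proto, local_port, address) tuples.

    expected_ports: set of (proto, port) the operator intends to expose.
    admin_hosts:    set of peer IPs allowed to hold established sessions.
    """
    findings = []
    seen = set()
    for s in parse_socket_table(text):
        if is_listener(s):
            if ipaddress.ip_address(s.local_ip).is_loopback:
                continue  # reachable only from the device itself
            key = (s.proto, s.local_port)
            if key in seen:
                continue  # the same port is often listed several times
            seen.add(key)
            if s.local_port in CLEARTEXT_MGMT:
                findings.append(
                    ("cleartext-management", s.proto, s.local_port, s.local_ip))
            elif key not in expected_ports:
                findings.append(
                    ("unexpected-listener", s.proto, s.local_port, s.local_ip))
        elif s.state == "ESTABLISHED" and s.peer_ip not in admin_hosts:
            findings.append(("unknown-peer", s.proto, s.local_port, s.peer_ip))
    return findings


if __name__ == "__main__":
    expected = {("udp", 520), ("tcp", 443)}
    for finding in audit(SAMPLE, expected, {"172.16.13.10"}):
        print(*finding)
```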
Here are examples of the commands that display the system uptime and model, firmware, and build information.

Router> show system uptime
system uptime: 04:18:00
Router> show version
ZyXEL Communications Corp.
model : NXC5200
firmware version: 2.20(AQQ.0)b3
BM version : 1.08
build date : 2009-11-21 01:18:06

This example shows the current LED states on the NXC. The SYS LED lights on and green.
CHAPTER 5 Registration

This chapter introduces myzyxel.com and shows you how to register the NXC for IDP/AppPatrol and anti-virus using commands.

5.1 myZyXEL.com overview

myZyXEL.com is ZyXEL’s online services center where you can register your NXC and manage subscription services available for the NXC. You need to create an account before you can register your device and activate the services at myZyXEL.com. You can directly create a myZyXEL.
When using the trial, you can switch from one engine to the other in the Registration screen. There is no limit on the number of times you can change the anti-virus engine selection during the trial, but you only get a total of one anti-virus trial period (not a separate trial period for each anti-virus engine). After the service is activated, the NXC can download the up-to-date signature files from the update server.
5.2 Registration Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 9 Input Values for General Registration Commands
LABEL    DESCRIPTION
user_name
    The user name of your myZyXEL.com account. You may use six to 20 alphanumeric characters (and the underscore). Spaces are not allowed.
password
    The password for the myZyXEL.com account.
5.2.1 Command Examples

The following commands allow you to register your device with an existing account or create a new account and register the device at one time, and activate a trial service subscription.

Router# configure terminal
Router(config)# device-register username alexctsui password 123456
Router(config)# service-register service-type trial service idp

The following command displays the account information and whether the device is registered.
Table 11 Country Codes (continued)
COUNTRY CODE  COUNTRY NAME
019  Bangladesh
020  Barbados
021  Belarus
022  Belgium
023  Belize
024  Benin
025  Bermuda
026  Bhutan
027  Bolivia
028  Bosnia and Herzegovina
029  Botswana
030  Bouvet Island
031  Brazil
032  British Indian Ocean Territory
033  Brunei Darussalam
034  Bulgaria
035  Burkina Faso
036  Burundi
037  Cambodia
038  Cameroon
039  Canada
040  Cape Verde
041  Cayman Islands
042
Table 11 Country Codes (continued)
COUNTRY CODE  COUNTRY NAME
095  Guyana
096  Haiti
097  Heard and McDonald Islands
098  Holy See (City Vatican State)
099  Honduras
100  Hong Kong
101  Hungary
102  Iceland
103  India
104  Indonesia
105  Ireland
106  Isle of Man
107  Italy
108  Jamaica
109  Japan
110  Jersey
111  Jordan
112  Kazakhstan
113  Kenya
114  Kiribati
115  Korea, Republic of
116  Kuwait
117  Kyrgyzstan
118  Lao People’s Dem
Table 11 Country Codes (continued)
COUNTRY CODE  COUNTRY NAME
171  Poland
172  Portugal
173  Puerto Rico
174  Qatar
175  Reunion Island
176  Romania
177  Russian Federation
178  Rwanda
179  Saint Kitts and Nevis
180  Saint Lucia
181  Saint Vincent and the Grenadines
182  San Marino
183  Sao Tome and Principe
184  Saudi Arabia
185  Senegal
186  Seychelles
187  Sierra Leone
188  Singapore
189  Slovak Republic
190  Slovenia
191  Solomon I
CHAPTER 6 Interfaces

This chapter shows you how to use interface-related commands.

6.1 Interface Overview

In general, an interface has the following characteristics.

• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
• Many interfaces can share the same physical port.
• An interface is bound to one zone at most.
• Many interfaces can belong to the same zone.
Table 12 Input Values for General Interface Commands (continued)
LABEL    DESCRIPTION
profile_name
    The name of the DHCP pool. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
domain_name
    Fully-qualified domain name. You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
Table 13 interface General Commands: Basic Properties and IP Address Assignment (continued)
COMMAND    DESCRIPTION
[no] mss <536..1460>
    Specifies the maximum segment size (MSS) the interface is to use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece. The no command has the interface use its default MSS.
[no] mtu <576..
This example shows how to modify the name of interface ge4 to “VIP”. First you have to check the interface system name (ge4 in this example) on the NXC. Then change the name and display the result.

Router> show interface-name
No.
6.2.2 DHCP Setting Commands

This table lists DHCP setting commands. DHCP is based on DHCP pools. Create a DHCP pool if you want to assign a static IP address to a MAC address or if you want to specify the starting IP address and pool size of a range of IP addresses that can be assigned to DHCP clients. There are different commands for each configuration. Afterwards, in either case, you have to bind the DHCP pool to the interface.
Table 14 interface Commands: DHCP Settings (continued)
COMMAND    DESCRIPTION
[no] client-identifier mac_address
    Specifies the MAC address that appears in the DHCP client list. The no command clears this field.
[no] client-name host_name
    Specifies the host name that appears in the DHCP client list. The no command clears this field.
    host_name: You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Table 14 interface Commands: DHCP Settings (continued)
COMMAND    DESCRIPTION
[no] starting-address ip pool-size <1..65535>
    Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask.
    Note: You must specify the network number first, and the start address must be in the same subnet.
    The no command clears the IP start address and maximum pool size.
6.2.2.1 DHCP Setting Command Examples

The following example uses these commands to configure DHCP pool DHCP_TEST.

Router# configure terminal
Router(config)# ip dhcp pool DHCP_TEST
Router(config-ip-dhcp-pool)# network 192.168.1.0 /24
Router(config-ip-dhcp-pool)# domain-name zyxel.com
Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1
Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns
Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.
6.2.3 Connectivity Check (Ping-check) Commands

Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the NXC stops routing to the gateway.
6.2.3.1 Connectivity Check Command Example

The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2.

Router# configure terminal
Router(config)# interface wan1
Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080
Router(config-if-wan1)# exit
Router(config)# show ping-check
Interface: wan1
Check Method: tcp
IP Address: 1.1.1.
Table 17 interface Commands: MAC Setting (continued)
COMMAND    DESCRIPTION
type {internal|external|general}
    Sets which type of network you will connect this interface. The NXC automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces; for example LAN to WAN traffic.
    internal: Set this to connect to a local network. Other corresponding configuration options: DHCP server and DHCP relay.
6.5 Port Role Commands

The following table describes the commands available for port role identification. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 19 Command Summary: Port Role
COMMAND    DESCRIPTION
show port type
    Displays the type of cable connection for each physical interface on the device.
show module type
    Display the type of module for each physical interface on the device.

6.5.
For an NXC that supports more than one USB port, these commands only apply to the USB storage device that is first attached to the NXC.

Table 20 USB Storage General Commands
COMMAND    DESCRIPTION
show usb-storage
    Displays the status of the connected USB storage device.
[no] usb-storage activate
    Enables or disables the connected USB storage service.
6.6.1 USB Storage General Commands Example

This example shows how to display the status of the connected USB storage device.

Router> show usb-storage
USBStorage Configuration:
Activation: enable
Criterion Number: 100
Criterion Unit: megabyte
USB Storage Status:
Device description: N/A
Usage: N/A
Filesystem: N/A
Speed: N/A
Status: none
Detail: none

6.7 VLAN Interface Specific Commands

A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks.
Table 21 Input Values for VLAN Interface Commands (continued)
LABEL    DESCRIPTION
description
    Sets the description of the interface. You may use 0 - 511 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
profile_name
    The DHCP pool name.

The following table describes the commands available for VLAN interface management.
Table 22 Command Summary: VLAN Interface Profile (continued)
COMMAND    DESCRIPTION
description description
    Sets the description of this interface. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
no description
    Removes the VLAN description.
[no] shutdown
    Exits this sub-command mode, saving all changes but without enabling the VLAN.
[no] ip dhcp-pool profile_name
    Sets the DHCP server pool.
CHAPTER 7 Route

This chapter shows you how to configure policies for IP routing and static routes on your NXC.

7.1 Policy Route

Traditionally, routing is based on the destination address only and the NXC takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
The following table describes the commands available for policy route. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 24 Command Summary: Policy Route
COMMAND    DESCRIPTION
[no] bwm activate
    Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes or application patrol policies apply bandwidth management. The no command globally disables bandwidth management.
Table 24 Command Summary: Policy Route (continued)
COMMAND    DESCRIPTION
no dscp-marking
    Use this command to have the NXC not modify the DSCP value of the route’s outgoing packets.
[no] interface {interface_name | EnterpriseWLAN}
    Sets the interface on which the incoming packets are received. The no command resets the incoming interface to the default (any). any means all interfaces.
    EnterpriseWLAN: the packets are coming from the NXC itself.
Table 24 Command Summary: Policy Route (continued)
COMMAND    DESCRIPTION
show policy-route begin policy_number end policy_number
    Displays the specified range of policy route settings.
show policy-route override-direct-route
    Displays whether or not the NXC forwards packets that match a policy route according to the policy route instead of sending the packets to a directly connected network.
7.2.2 Policy Route Command Example

The following commands create two address objects (TW_SUBNET and GW_1) and insert a policy that routes the packets (with the source IP address TW_SUBNET and any destination IP address) through the interface ge1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets’ source IP address.

Router(config)# address-object TW_SUBNET 192.168.2.0 255.255.255.0
Router(config)# address-object GW_1 192.168.2.
Figure 10 Example of Static Routing Topology

7.4 Static Route Commands

The following table describes the commands available for static route. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 26 Command Summary: Static Route
COMMAND    DESCRIPTION
[no] ip route {w.x.y.z} {w.x.y.z} {interface|w.x.y.z} [<0..127>]
    Sets a static route. The no command disables a static route.
ip route replace {w.x.y.z} {w.x.y.z} {interface|w.x.
7.5 Learned Routing Information Commands

This table lists the commands to look at learned routing information.

Table 27 ip route Commands: Learned Routing Information
COMMAND    DESCRIPTION
show ip route [kernel | connected | static]
    Displays learned routing and other routing information.

7.5.1 show ip route Command Example

The following example shows learned routing information on the NXC.
CHAPTER 8 AP Management

This chapter shows you how to configure wireless AP management options on your NXC.

8.1 AP Management Overview

The NXC allows you to remotely manage all of the wireless station Access Points (APs) on your network. You can manage a number of APs without having to configure them individually as the NXC automatically handles basic configuration for you. The commands in this chapter allow you to add, delete, and edit the APs managed by the NXC by means of the CAPWAP protocol.
8.2 AP Management Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 28 Input Values for General AP Management Commands
LABEL    DESCRIPTION
ap_mac
    The Ethernet MAC address of the managed AP. Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.
Table 29 Command Summary: AP Management (continued)
COMMAND    DESCRIPTION
slot_name monitor-profile profile_name
    Sets the specified radio (slot_name) to monitor mode and assigns a created profile to the radio. Monitor mode APs act as wireless monitors, which can detect rogue APs and help you in building a list of friendly ones. See also Section 9.2 on page 77.
no slot_name monitor-profile
    Removes the monitor mode profile assignment for the specified radio (slot_name).
8.2.1 AP Management Commands Example

The following example shows you how to add an AP to the management list, and then edit it.

Router# show capwap ap wait-list
index: 1
IP: 192.168.1.35, MAC: 00:11:11:11:11:FE
Model: NWA5160N, Description: AP-00:11:11:11:11:FE
index: 2
IP: 192.168.1.
Chapter 9 Wireless LAN Profiles
This chapter shows you how to configure wireless LAN profiles on your NXC.
9.1 Wireless LAN Profiles Overview
The NWA5160N Access Points designed to work explicitly with your NXC do not have onboard configuration files, so you must create “profiles” to manage them. Profiles are preset configurations that are uploaded to the APs and which manage them. They include: Radio and Monitor profiles, SSID profiles, Security profiles, and MAC Filter profiles.
Table 30 Input Values for General Radio and Monitor Profile Commands (continued)
LABEL DESCRIPTION
wlan_hctw
    Sets the HT channel width. Select either auto or 20m.
wlan_htgi
    Sets the HT guard interval. Select either long or short.
wlan_2g_basic_speed
    Sets the basic band rate for 2.4 GHz. The available band rates are 1.0, 2.0, 5.5, 11.0, 6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0.
wlan_2g_support_speed
    Sets the support rate for the 2.4 GHz band.
Table 31 Command Summary: Radio Profile (continued)
COMMAND DESCRIPTION
band {2.4G |5G} band-mode {11n | bg | a}
    Sets the radio band (2.4 GHz or 5 GHz) and band mode for this profile. Band mode details:
    For 2.4 GHz, 11n lets IEEE 802.11b, IEEE 802.11g, and IEEE 802.11n clients associate with the AP.
    For 2.4 GHz, bg lets IEEE 802.11b and IEEE 802.11g clients associate with the AP.
    For 5 GHz, 11n lets IEEE 802.11a and IEEE 802.11n clients associate with the AP.
Table 31 Command Summary: Radio Profile (continued)
COMMAND DESCRIPTION
beacon-interval <40..1000>
    Sets the beacon interval for this profile. When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power mode before waking up to handle the beacon.
Table 31 Command Summary: Radio Profile (continued)
COMMAND DESCRIPTION
2g-support-speed {disable | wlan_2g_support_speed}
    Disables or sets the 2.4 GHz support rate. The default is 1.0~54.0.
2g-mcs-speed {disable | wlan_mcs_speed}
    Disables or sets the 2.4 GHz HT MCS rate. The default is 0~15.
2g-multicast-speed wlan_2g_support_speed
    When you disable multicast to unicast, use this command to set the data rate { 1.0 | 2.0 | … } in Mbps for 2.4 GHz multicast traffic.
9.2.1 AP & Monitor Profile Commands Example
The following example shows you how to set up the radio profile named ‘RADIO01’, activate it, and configure it to use the following settings:
• • • • • • • • • • • • 2.
9.3 SSID Profile Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 32 Input Values for General SSID Profile Commands
LABEL DESCRIPTION
ssid_profile_name
    The SSID profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
ssid
    The SSID broadcast name.
Table 33 Command Summary: SSID Profile (continued)
COMMAND DESCRIPTION
[no] hide
    Prevents the SSID from being publicly broadcast. Use the no parameter to re-enable public broadcast of the SSID in this profile. By default this is disabled.
ssid
    Sets the SSID. This is the name visible on the network to wireless clients. Enter up to 32 characters; spaces and underscores are allowed. The default SSID is ‘ZyXEL’.
qos wlan_qos
    Sets the type of QoS used by this SSID.
Table 34 Input Values for General Security Profile Commands (continued)
LABEL DESCRIPTION
wpa_key
    Sets the WPA/WPA2 pre-shared key in ASCII. You may use 8~63 alphanumeric characters. This value is case-sensitive.
wpa_key_64
    Sets the WPA/WPA2 pre-shared key in HEX. You must use 64 alphanumeric characters.
secret
    Sets the shared secret used by your network’s RADIUS server.
auth_method
    The authentication method used by the security profile.
Table 35 Command Summary: Security Profile (continued)
COMMAND DESCRIPTION
mac-auth delimiter calling-station-id {colon | dash | none}
    Select the separator the external server uses for the pairs in MAC addresses in the Calling Station ID RADIUS attribute.
mode {none | wep | wpa | wpa2 | wpa2mix}
    Sets the security mode for this profile.
wep <64 | 128> default-key <1..4>
    Sets the WEP encryption strength (64 or 128) and the default key value (1 ~ 4).
Table 35 Command Summary: Security Profile (continued)
COMMAND DESCRIPTION
eap {external | internal auth_method}
    Sets the 802.1x authentication method.
[no] server-auth <1..2> activate
    Activates server authentication. Use the no parameter to deactivate.
server-auth <1..2> ip address ipv4_address port <1..65535> secret secret
    Sets the IPv4 address, port number and shared secret of the RADIUS server to be used for authentication.
[no] server-auth <1..
The following table describes the commands available for security profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 37 Command Summary: MAC Filter Profile
COMMAND DESCRIPTION
show wlan-macfilter-profile {all | macfilter_profile_name}
    Displays the security profile(s).
    all: Displays all profiles for the selected operating mode.
Chapter 10 Rogue AP
This chapter shows you how to set up Rogue Access Point (AP) detection and containment.
10.1 Rogue AP Detection Overview
Rogue APs are wireless access points operating in a network’s coverage area that are not under the control of the network’s administrators, and can potentially open holes in the network security.
Table 39 Command Summary: Rogue AP Detection (continued)
COMMAND DESCRIPTION
rogue-ap ap_mac description2
    Sets the device that owns the specified MAC address as a rogue AP. You can also assign a description to this entry on the rogue AP list.
no rogue-ap ap_mac
    Removes the device that owns the specified MAC address from the rogue AP list.
friendly-ap ap_mac description2
    Sets the device that owns the specified MAC address as a friendly AP.
This example shows the friendly AP detection list.
Router(config)# show rogue-ap detection list friendly
no. mac description
===========================================================================
1 11:11:11:11:11:11 third floor
2 00:13:49:11:22:33
3 00:13:49:00:00:05
4 00:13:49:00:00:01
5 00:0D:0B:CB:39:33 dept1
This example shows the combined rogue and friendly AP detection list.
Router(config)# show rogue-ap detection list all
no.
Containing a rogue AP means broadcasting unviable login data at it, preventing legitimate wireless clients from connecting to it. This is a kind of Denial of Service attack.
10.4 Rogue AP Containment Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Chapter 11 Wireless Frame Capture
This chapter shows you how to configure and use wireless frame capture on the NXC.
11.1 Wireless Frame Capture Overview
Troubleshooting wireless LAN issues has always been a challenge. Wireless sniffer tools like Ethereal can help capture and decode packets of information, which can then be analyzed for debugging.
The following table describes the commands available for wireless frame capture. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 43 Command Summary: Wireless Frame Capture
COMMAND DESCRIPTION
frame-capture configure
    Enters sub-command mode for wireless frame capture.
src-ip {add|del} {ipv4_address | local}
    Sets or removes the IPv4 address of an AP controlled by the NXC that you want to monitor.
Chapter 12 Dynamic Channel Selection
This chapter shows you how to configure and use dynamic channel selection on the NXC.
12.1 DCS Overview
Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by passively listening to the area around it and determining what channels are currently being broadcast on by other devices.
Table 45 Command Summary: DCS (continued)
COMMAND DESCRIPTION
dcs 5g-selected-channel 5g_channels
    Sets the channels that are available in the 5 GHz band when you manually configure the channels an AP can use.
dcs dcs-2g-method {auto|manual}
    Sets the AP to automatically search for available channels or manually configures the channels the AP uses in the 2.4 GHz band.
This example displays the DCS configuration created in the previous example.
Router(config)# show dcs config
dcs activate: no
dcs time interval: 720
dcs sensitivity level: high
dcs client-aware: enable
dcs 2.4-ghz selection method: auto
dcs 2.4-ghz selected channels: none
dcs 2.
Chapter 13 Wireless Load Balancing
This chapter shows you how to configure wireless load balancing.
13.1 Wireless Load Balancing Overview
Wireless load balancing is the process whereby you limit the number of connections allowed on a wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it. Because there is a hard upper limit on the AP’s wireless bandwidth, this can be a crucial function in areas crowded with wireless users.
Table 46 Command Summary: Load Balancing (continued)
COMMAND DESCRIPTION
load-balancing beta <1..255>
    Sets the load balancing beta value. When the AP is overloaded, then this setting delays a client’s association with it by this number of seconds.
    Note: This parameter has been optimized for the NXC and should not be changed unless you have been specifically directed to do so by ZyXEL support.
load-balancing sigma <51..100>
    Sets the load balancing sigma value.
13.2.1 Wireless Load Balancing Examples
The following example shows you how to configure AP load balancing in "by station" mode. The maximum number of stations is set to 1.
Chapter 14 Dynamic Guest
This chapter shows you how to configure dynamic guest accounts.
14.1 Dynamic Guest Overview
Dynamic guest accounts are guest accounts, but are created dynamically with the guest manager account and stored in the NXC’s local user database. A dynamic guest account user can access the NXC’s services only within a given period of time and will become invalid after the expiration date/time. A dynamic guest account has a dynamically-created user name and password.
Table 47 Command Summary: Dynamic Guest (continued)
COMMAND DESCRIPTION
[no] description description
    Sets the description for the specified user group. The no command clears the description for the specified user group.
dynamic-guest group
    Sets this group as a dynamic guest group.
dynamic-guest enable expired-account deleted
    Sets the NXC to remove the dynamic guest accounts from the NXC’s local database when they expire.
14.2.1 Dynamic Guest Examples
This example creates a guest-manager user account and a dynamic-guest user group, then sets the NXC to generate two dynamic-guest accounts automatically. This also shows the dynamic guest users information.
Chapter 15 Zones
Set up zones to configure network security and network policies in the NXC. Use the configure terminal command to enter Configuration mode in order to use the commands described in this chapter.
15.1 Zones Overview
A zone is a group of interfaces. The NXC uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management. Zones cannot overlap. Each Ethernet interface or VLAN interface can be assigned to at most one zone.
15.2 Zone Commands Summary
The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands.
Table 48 Input Values for Zone Commands
LABEL DESCRIPTION
profile_name
    The name of a zone. Use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive.
This table lists the zone commands.
15.2.1 Zone Command Examples
The following commands add Ethernet interfaces ge1 and ge2 to zone A and block intra-zone traffic.
Router# configure terminal
Router(config)# zone A
Router(zone)# interface ge1
Router(zone)# interface ge2
Router(zone)# block
Router(zone)# exit
Router(config)# show zone
No. Name Block Member
===========================================================================
1 A yes ge1,ge2
Router(config)# show zone A
blocking intra-zone traffic: yes
No.
Chapter 16 ALG
This chapter covers how to use the NXC’s ALG feature to allow certain applications to pass through the NXC.
16.1 ALG Introduction
The NXC can function as an Application Layer Gateway (ALG) to allow certain NAT unfriendly applications (such as SIP) to operate properly through the NXC’s NAT. Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’ data payload.
16.2 ALG Commands
The following table lists the alg commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 50 alg Commands
COMMAND DESCRIPTION
[no] alg sip [inactivity-timeout | signal-port <1025..65535> | signal-extra-port <1025..65535> | media-timeout <1..86400> | signal-timeout <1..86400> | transformation]
    Turns on or configures the ALG.
Chapter 17 Captive Portal
This chapter describes how to configure which HTTP-based network services default to the captive portal page when a client makes an initial network connection.
17.1 Captive Portal Overview
A captive portal can intercept all network traffic, regardless of address or port, until the user authenticates his or her connection, usually through a specifically designated login Web page.
17.1.
Table 51 Web Authentication Policy Commands (continued)
COMMAND DESCRIPTION
web-auth login setting
    Sets the login web page through which users authenticate their connections before connecting to the rest of the network or Internet. See Table 52 on page 114 for the sub-commands.
web-auth policy <1..1024>
    Creates the specified condition for forcing user authentication, if necessary, and enters sub-command mode. The NXC checks the conditions in sequence, starting at 1.
Table 52 web-auth login setting Sub-commands (continued)
COMMAND DESCRIPTION
[no] session-url
    Sets the session page’s URL; for example: http://192.168.1.1/session.cgi. 192.168.1.1 is the web server on which the web portal files are installed.
[no] welcome-url
    Sets the welcome page’s URL; for example: http://192.168.1.1/welcome.cgi. 192.168.1.1 is the web server on which the web portal files are installed.
17.1.1.
• Set web-auth policy 1 to use the SSID profile named SSIDprofile1
• Set web-auth policy 1 to require user authentication
• Have the NXC automatically display the login screen when unauthenticated users try to send HTTP traffic
• Turn on web-auth policy 1
Router(config)# web-auth activate
Router(config)# web-auth authentication AuthProfile1
Router(config)# web-auth login setting
Router(web-auth)# login-url http://www.login.
Chapter 18 RTLS
Use the RTLS commands to use the managed APs as part of an Ekahau RTLS to track the location of Ekahau Wi-Fi tags.
18.1 RTLS Introduction
Ekahau RTLS (Real Time Location Service) tracks battery-powered Wi-Fi tags attached to APs managed by the NXC to create maps, alerts, and reports. The Ekahau RTLS Controller is the centerpiece of the RTLS system. This server software runs on a Windows computer to track and locate Ekahau tags from Wi-Fi signal strength measurements.
Chapter 19 Firewall
This chapter introduces the NXC’s firewall and shows you how to configure your NXC’s firewall.
19.1 Firewall Overview
The NXC’s firewall is a stateful inspection firewall. The NXC restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first. A zone is a group of interfaces.
Your customized rules take precedence and override the NXC’s default settings. The NXC checks the schedule, user name (user’s login name on the NXC), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the NXC takes the action specified in the rule.
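Because rules are checked in list order and the first match decides, a rule placed after a broader one never takes effect. The following added example (not ZyXEL code and not part of the original guide) models such an ordered rule list and reports rules that can never fire; the Rule fields, service labels and sample addresses are constructed for illustration, and only zones, addresses and service are modelled, not schedule or user.

```python
"""Shadowed-rule check for an ordered, first-match firewall rule list.

Added illustration, not ZyXEL code. The Rule fields and SAMPLE_RULES are
constructed; only zones, addresses and service are modelled (no schedule/user).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    number: int       # priority in the global rule list (lowest checked first)
    from_zone: str
    to_zone: str
    source: str       # CIDR network or "any"
    destination: str  # CIDR network or "any"
    service: str      # constructed label such as "tcp/443", or "any"
    action: str       # allow | deny | reject


def _net_covers(outer, inner):
    """True if network `outer` contains every address of network `inner`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def _covers(earlier, later):
    """True if every packet that matches `later` also matches `earlier`."""
    return (earlier.from_zone in (ANY, later.from_zone)
            and earlier.to_zone in (ANY, later.to_zone)
            and _net_covers(earlier.source, later.source)
            and _net_covers(earlier.destination, later.destination)
            and earlier.service in (ANY, later.service))


def find_shadowed(rules):
    """Return (rule, shadowed_by, conflicting) for rules that can never fire.

    Only single-rule shadowing is detected; a rule hidden by the union of
    several earlier rules is not reported.
    """
    ordered = sorted(rules, key=lambda r: r.number)
    findings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if _covers(earlier, later):
                findings.append((later.number, earlier.number,
                                 earlier.action != later.action))
                break
    return findings


def evaluate(rules, from_zone, to_zone, src, dst, service):
    """First-match lookup: return (rule number, action), or None if no listed
    rule matches (the device's default rule would then decide)."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.from_zone in (ANY, from_zone)
                and r.to_zone in (ANY, to_zone)
                and (r.source == ANY or ip_address(src) in ip_network(r.source))
                and (r.destination == ANY
                     or ip_address(dst) in ip_network(r.destination))
                and r.service in (ANY, service)):
            return r.number, r.action
    return None


# Constructed sample rule list: rule 2 was meant to open HTTPS to one server,
# but the broader deny in rule 1 is checked first.
SAMPLE_RULES = [
    Rule(1, "WLAN", "LAN", ANY, "10.0.0.0/24", ANY, "deny"),
    Rule(2, "WLAN", "LAN", ANY, "10.0.0.5/32", "tcp/443", "allow"),
    Rule(3, "WLAN", "LAN", "192.168.1.0/24", "10.0.1.0/24", "tcp/22", "allow"),
    Rule(4, "WLAN", "LAN", "192.168.1.0/25", "10.0.1.0/24", "tcp/22", "allow"),
    Rule(5, ANY, ANY, ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for num, by, conflict in find_shadowed(SAMPLE_RULES):
        kind = "conflicting action" if conflict else "redundant"
        print(f"rule {num} is shadowed by rule {by} ({kind})")
    print(evaluate(SAMPLE_RULES, "WLAN", "LAN",
                   "192.168.1.20", "10.0.0.5", "tcp/443"))
```

A conflicting finding means the later rule's intended action is silently overridden, which is the case worth reviewing first; a redundant finding only indicates clutter.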
Table 57 Command Summary: Firewall (continued)
COMMAND DESCRIPTION
firewall zone_object {zone_object|EnterpriseWLAN} append
    Enters the firewall sub-command mode to add a direction specific through-EnterpriseWLAN rule or to-EnterpriseWLAN rule to the end of the global rule list.
firewall zone_object {zone_object|EnterpriseWLAN} delete rule_number
    Removes a direction specific through-EnterpriseWLAN rule or to-EnterpriseWLAN rule.
<1..
19.2.1 Firewall Sub-Commands
The following table describes the sub-commands for several firewall commands.
Table 58 firewall Sub-commands
COMMAND DESCRIPTION
action {allow|deny|reject}
    Sets the action the NXC takes when packets match this rule.
[no] activate
    Enables a firewall rule. The no command disables the firewall rule.
19.2.2 Firewall Command Examples
The following example shows you how to add a firewall rule to allow a MyService connection from the WLAN zone to the IP addresses Dest_1 in the LAN zone.
• Enter configuration command mode.
• Create an IP address object.
• Create a service object.
• Enter the firewall sub-command mode to add a firewall rule.
• Set the direction of travel of packets to which the rule applies.
• Set the destination IP address(es).
The following command displays the firewall rule(s) (including the default firewall rule) that applies to the packet direction from WAN to LAN. The firewall rule numbers in the menu are the firewall rules’ priority numbers in the global rule list.
The following table describes the session-limit commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 60 Command Summary: Session Limit
COMMAND DESCRIPTION
[no] session-limit activate
    Turns the session-limit feature on or off.
session-limit limit <0..8192>
    Sets the default number of concurrent NAT/firewall sessions per host.
Chapter 20 Application Patrol
This chapter describes how to set up application patrol for the NXC.
20.1 Application Patrol Overview
Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, http and ftp) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RSTP) applications.
20.2 Application Patrol Commands Summary
The following table describes the values required for many application patrol commands. Other values are discussed with the corresponding commands.
Table 61 Input Values for Application Patrol Commands
LABEL DESCRIPTION
protocol_name
    The name of a pre-defined application. These are listed by category.
Table 63 app Commands: Rules in Pre-Defined Applications (continued)
COMMAND DESCRIPTION
app protocol_name rule rule_number
or
app protocol_name rule modify rule_number
    Enters sub-command mode for editing the rule at the specified row.
app protocol_name rule default
or
app protocol_name rule modify default
    Enters sub-command mode for editing the default rule for the application.
no app protocol_name rule rule_number
    Deletes the specified rule.
20.2.2.
Table 64 app protocol rule Sub-commands (continued)
COMMAND DESCRIPTION
[no] outbound-dscp-mark {<0..63> | class {default | dscp_class}}
    This is how the NXC handles the DSCP value of the outgoing packets from a connection’s initiator that match this policy. Enter a DSCP value to have the NXC apply that DSCP value. Set this to the class default to have the NXC set the DSCP value to 0.
20.2.3.1 Exception Rule Sub-commands
The following table describes the sub-commands for several application patrol exception rule commands. Note that not all rule commands use all the sub-commands listed here.
Table 66 app patrol exception rule Sub-commands
COMMAND DESCRIPTION
access {forward | drop | reject}
    Specifies the action when traffic matches the rule.
[no] action-block {login|message|audio|video|file-transfer}
    Blocks use of a specific feature.
20.2.5 Rule Commands for Other Applications
This table lists the commands for rules in other applications.
Table 68 app Commands: Rules in Other Applications
COMMAND DESCRIPTION
app other insert rule_number
    Creates a new rule at the specified row and enters sub-command mode.
app other append
    Creates a new rule, appends it to the end of the list, and enters sub-command mode.
app other <1..64>
    Enters sub-command mode for editing the rule at the specified row.
Table 69 app patrol other rule Sub-commands (continued)
COMMAND DESCRIPTION
[no] inbound-dscp-mark {<0..63> | class {default | dscp_class}}
    This is how the NXC handles the DSCP value of the outgoing packets to a connection’s initiator that match this policy. Enter a DSCP value to have the NXC apply that DSCP value. Set this to the class default to have the NXC set the DSCP value to 0.
[no] log [alert]
    Creates log entries (and alerts) for traffic that matches the rule.
Table 70 app Commands: Pre-Defined Applications (continued)
COMMAND DESCRIPTION
show app all defaultport
    Displays the default port settings for all applications.
show app all statistics
    Displays statistics for all applications.
show app {general|im|p2p|stream}
    Displays protocols by category.
show app im support action
    Displays the supported actions of each Instant Messenger application.
Router# configure terminal
Router(config)# show app http config
application: http
active: yes
mode: portless
default access: forward
bandwidth graph: yes
Router# configure terminal
Router(config)# show app http defaultport
No.
Router# configure terminal
Router(config)# show app other rule all
index: 1
activate: yes
port: 5963
schedule: none
user: any
from zone: any
to zone: any
source address: any
destination address: any
protocol: tcp
access: forward
DSCP inbound marking: preserve
DSCP outbound marking: preserve
bandwidth excess-usage: no
bandwidth priority: 1
bandwidth inbound: 0
bandwidth outbound: 0
log: no
index: default
activate: yes
port: 0
schedule: none
user: any
from zone: any
to zone: any
Chapter 21 Anti-Virus
This chapter introduces and shows you how to configure the anti-virus scanner.
21.1 Anti-Virus Overview
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself.
21.2.1 General Anti-virus Commands
The following table describes general anti-virus commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. You must register for the anti-virus service before you can use it (see Chapter 5 on page 41).
Table 72 General Anti-virus Commands
COMMAND DESCRIPTION
[no] anti-virus activate
    Enables anti-virus service. Anti-virus service also depends on anti-virus service registration.
Table 73 Commands for Zone to Zone Anti-Virus Rules (continued)
COMMAND DESCRIPTION
anti-virus rule <1..64>
    Enters the anti-virus sub-command mode to edit the specified direction specific rule.
[no] activate
    Turns a direction specific anti-virus rule on or off.
[no] log [alert]
    Sets the NXC to create a log (and optionally an alert) when packets match this rule and are found to be virus-infected.
21.2.2.1 Zone to Zone Anti-virus Rule Example
This example shows how to configure (and display) a WAN to LAN antivirus rule to scan HTTP traffic and destroy infected files. The white and black lists are ignored and zipped files are decompressed. Any zipped files that cannot be decompressed are not destroyed.
Table 74 Commands for Anti-virus White and Black Lists (continued)
COMMAND DESCRIPTION
[no] anti-virus black-list activate
    Turn on the black list to log and delete files with names that match the black list patterns.
[no] anti-virus black-list file-pattern av_file_pattern {activate|deactivate}
    Adds or removes a black list file pattern. Turns a file pattern on or off.
21.2.4 Signature Search Anti-virus Command
The following table describes the command for searching for signatures. You must use the configure terminal command to enter the configuration mode before you can use this command.
Table 75 Command for Anti-virus Signature Search
COMMAND DESCRIPTION
anti-virus search signature {all | category category | id id | name name | severity severity [{from id to id}]
    Search for signatures by their ID, name, severity, or category.
21.3.1 Update Signature Examples
These examples show how to enable/disable automatic anti-virus downloading, schedule updates, display the schedule, display the update status, show the (new) updated signature version number, show the total number of signatures and show the date/time the signatures were created.
Router# configure terminal
Router(config)# anti-virus update signatures
ANTI-VIRUS signature update in progress.
Please check system log for future information.
21.4.1 Anti-virus Statistics Example
This example shows how to collect and display anti-virus statistics. It also shows how to sort the display by the most common destination IP addresses.
Chapter 22 IDP Commands
This chapter introduces IDP-related commands.
22.1 Overview
Commands mostly mirror web configurator features. It is recommended you use the web configurator for IDP features such as searching for web signatures, creating/editing an IDP profile or creating/editing a custom signature. Some web configurator terms may differ from the command-line equivalent. The “no” command negates the action or returns it to the default value.
This table shows the IDP signature, anomaly, and system-protect activation commands.
Table 79 IDP Activation
COMMAND DESCRIPTION
[no] idp {signature | anomaly | system-protect} activate
    Enables IDP signatures, anomaly detection, and/or system-protect. IDP signatures use requires IDP service registration. If you don’t have a standard license, you can register for a once-off trial one. Anomaly detection and the self-protect feature do not require registration.
Table 80 Global Profile Commands
COMMAND DESCRIPTION
show idp signature base profile {all|none|wan|lan|dmz} settings
    Lists the specified signature base profile’s settings. Use |more to display the settings page by page.
show idp profiles
    Displays all IDP signature profiles.
22.3.1.1 Example of Global Profile Commands
In this example we rename an IDP signature profile from “old_profile” to “new_profile”, delete the “bye_profile” and show all base profiles available.
22.3.2.1 Example of IDP Zone to Zone Rule Commands
The following example creates IDP zone to zone rule one. The rule applies the LAN_IDP profile to all traffic going to the LAN zone.
Table 83 Editing/Creating IDP Signature Profiles (continued)
COMMAND DESCRIPTION
signature sid action {drop | reject-sender | reject-receiver | reject-both}
    Sets an action for an IDP signature.
no signature sid action
    Deactivates an action for an IDP signature.
show idp profile signature sid details
    Shows signature ID details of the specified profile.
show idp profile signature {all | customsignature} details
    Shows the signature details of the specified profile.
22.3.
Table 84 Editing/Creating Anomaly Profiles (continued)
COMMAND DESCRIPTION
[no] scan-detection {ip-xxx} {activate | log [alert] | block}
    Activates or deactivates IP scan detection options where {ip-xxx} = {ip-protocol-scan | ip-decoy-protocol-scan | ip-protocol-sweep | ip-distributed-protocol-scan | ip-filtered-protocol-scan | ip-filtered-decoy-protocol-scan | ip-filtered-distributed-protocol-scan | ip-filtered-protocol-sweep}.
Table 84 Editing/Creating Anomaly Profiles (continued)
COMMAND DESCRIPTION
udp-decoder {truncated-header | undersize-len | oversize-len} log [alert]
    Sets udp decoder log or alert options.
no udp-decoder {truncated-header | undersize-
    Deactivates udp decoder log options.
Table 84 Editing/Creating Anomaly Profiles (continued)
COMMAND DESCRIPTION
show idp anomaly profile flood-detection [all details]
    Shows all flood-detection settings for the specified IDP profile.
show idp anomaly profile flood-detection {tcpflood | udp-flood | ip-flood | icmp-flood} details
    Shows flood-detection settings for the specified IDP profile.
show idp anomaly profile http-inspection all details
    Shows http-inspection settings for the specified IDP profile.
22.3.4.1 Creating an Anomaly Profile Example
In this example we create a profile named “test”, configure some settings, display them, and then return to global command mode.
It is recommended you use the web configurator to search for signatures.
Table 86 Signature Search Command
COMMAND DESCRIPTION
idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log-alert} action action_mask
    Searches for signature(s) in a profile by the parameters specified.
22.3.6.1 Search Parameter Tables
The following table displays the command line severity, platform and policy type equivalent values. If you want to combine platforms in a search, then add their respective numbers together. For example, to search for signatures for Windows NT, Windows XP and Windows 2000 computers, then type “12” as the platform parameter.
• Is a scan policy type, DNS service
• Is enabled
• Generates logs.
Router# configure terminal
Router(config)#
Router(config)# idp search signature LAN_IDP name “worm” sid 12345 severity -> 1 platform 4 policytype 4 service 1 activate yes log log action 2
22.4 IDP Custom Signatures
Use these commands to create a new signature or edit an existing one.
22.4.1 Custom Signature Examples
These examples show how to create a custom signature, edit one, display details of one, all and show the total number of custom signatures.
This example shows you how to display custom signature details.
This example shows you how to display custom signature contents.
This example shows you how to display all details of a custom signature.
Router(config)# show idp signatures custom-signature all details
sid: 9000000
message: test edit
policy type:
severity:
platform:
all: no
Win95/98: no
WinNT: no
WinXP/2000: no
Linux: no
FreeBSD: no
Solaris: no
SGI: no
other-Unix: no
network-device: no
service:
outbreak: no
This example shows you how to display the number of custom signatures on the NXC.
Chapter 22 IDP Commands Table 90 Update Signatures COMMAND DESCRIPTION show idp {signature | system-protect} update Displays signature update schedule. show idp {signature | system-protect} update status Displays signature update status. 22.5.
Table 91 Commands for IDP Statistics (continued) COMMAND DESCRIPTION show idp statistics collect Displays whether the collection of IDP statistics is turned on or off. show idp statistics ranking {signature-name | source | destination} Queries and sorts the IDP statistics entries by signature name, source IP address, or destination IP address. signature-name: lists the most commonly detected signatures.
Chapter 23 Device HA

Device HA lets a backup NXC automatically take over if the master NXC fails.

Figure 14 Device HA Backup Taking Over for the Master

In this example, device B is the backup for device A in the event something happens to it and prevents it from managing the wireless network.

23.1 Device HA Overview

Management Access

You can configure a separate management IP address for each interface. You can use it to access the NXC for management whether the NXC is the master or a backup.
Chapter 23 Device HA 23.1.1 Before You Begin • Configure a static IP address for each interface that you will have device HA monitor. Subscribe to services on the backup NXC before synchronizing it with the master NXC. • Synchronization includes updates for services to which the master and backup NXCs are both subscribed. For example, a backup subscribed to IDP/AppPatrol, but not anti-virus, gets IDP/AppPatrol updates from the master, but not anti-virus updates.
Virtual Router and Management IP Addresses

• If a backup takes over for the master, it uses the master’s IP addresses. These IP addresses are known as the virtual router IP addresses.
• Each interface can also have a management IP address. You can connect to this IP address to manage the NXC regardless of whether it is the master or the backup.

23.4 Active-Passive Mode Device HA Commands

The following table identifies the values required for many of these commands.
Chapter 23 Device HA Table 94 device-ha ap-mode Commands (continued) COMMAND DESCRIPTION [no] device-ha ap-mode authentication {string key | ah-md5 key} Sets the authentication method the virtual router uses. Every interface in a virtual router must use the same authentication method and password. The no command disables authentication. string: Use a plain text password for authentication.
Chapter 23 Device HA Table 94 device-ha ap-mode Commands (continued) COMMAND DESCRIPTION show device-ha ap-mode master sync Displays the master NXC’s synchronization settings. show device-ha ap-mode backup sync Displays the backup NXC’s synchronization settings. show device-ha ap-mode backup sync status Displays the backup NXC’s current synchronization status. show device-ha ap-mode backup sync summary Displays the backup NXC’s synchronization settings.
Chapter 24 User/Group

This chapter describes how to set up user accounts, user groups, and user settings for the NXC. You can also set up rules that control when users have to log in to the NXC before the NXC routes traffic for them.

24.1 User Account Overview

A user account defines the privileges of a user logged into the NXC. User accounts are used in firewall rules and application patrol, in addition to controlling access to configuration and services in the NXC. 24.1.
Chapter 24 User/Group 24.2 User/Group Commands Summary The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands. Table 96 username/groupname Command Input Values LABEL DESCRIPTION username The name of the user (account). You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. groupname The name of the user group.
Chapter 24 User/Group Table 97 username/groupname Commands Summary: Users (continued) COMMAND DESCRIPTION username username [no] logon-lease-time <0..1440> Sets the lease time for the specified user. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes (regardless of the current default setting for new users). username username [no] logon-re-auth-time <0..1440> Sets the reauthorization time for the specified user.
Chapter 24 User/Group Table 99 username/groupname Commands Summary: Settings (continued) COMMAND DESCRIPTION users default-setting [no] user-type Sets the default user type for each new user. The no command sets the default user type to user. show users retry-settings Displays the current retry limit settings for users. [no] users retry-limit Enables the retry limit for users. The no command disables the retry limit. [no] users retry-count <1..
24.2.4 MAC Auth Commands This table lists the commands for mapping MAC addresses to MAC address user accounts. Table 100 mac-auth Commands Summary COMMAND DESCRIPTION [no] mac-auth database mac mac address type ext-mac-address mac-role username description description Maps the specified MAC address authenticated by an external server to the specified MAC role (MAC address user account). The no command deletes the mapping between the MAC address and the MAC role.
Chapter 24 User/Group • Use upper case letters in the account MAC addresses Router(config)# username ZyXEL-mac user-type mac-address Router(config)# mac-auth database mac 00:13:49:11:a0:c4 type ext-mac-address mac-role ZyXEL-mac description zyxel mac 3.
Chapter 24 User/Group 24.2.5.1 Additional User Command Examples The following commands display the users that are currently logged in to the NXC and forces the logout of all logins from a specific IP address. Router# configure terminal Router(config)# show users all No. Name Role Type MAC Service From Session Time Idle Time Lease Timeout Re-Auth. Timeout Acct.
Chapter 24 User/Group The following commands display the users that are currently locked out and then unlocks the user who is displayed. Router# configure terminal Router(config)# show lockout-users No. Username Tried From Lockout Time Remaining =========================================================================== No. From Failed Login Attempt Record Expired Timer =========================================================================== 1 192.168.1.60 2 46 Router(config)# unlock lockout-users 192.
Chapter 25 Addresses

This chapter describes how to set up addresses and address groups for the NXC. Use the configure terminal command to enter Configuration mode in order to use the commands described in this chapter.

25.1 Address Overview

Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. You can create IP address objects based on an interface’s IP address, subnet, or gateway.
Chapter 25 Addresses 25.2 Address Commands Summary The following table describes the values required for many address object and address group commands. Other values are discussed with the corresponding commands. Table 102 Input Values for Address Commands LABEL DESCRIPTION object_name The name of the address. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. group_name The name of the address group.
Chapter 25 Addresses 25.2.1.1 Address Object Command Examples The following example creates three address objects and then deletes one. Router# configure terminal Router(config)# address-object A0 10.1.1.1 Router(config)# address-object A1 10.1.1.1-10.1.1.20 Router(config)# address-object A2 10.1.1.0/24 Router(config)# show address-object Object name Type Address Note Ref. =========================================================================== ==== LAN_SUBNET INTERFACE SUBNET 192.168.1.
Table 104 object-group Commands: Address Groups (continued)
COMMAND DESCRIPTION
[no] description description Sets the description to the specified value. The no command clears the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
object-group address rename group_name group_name Renames the specified address group from the first group_name to the second group_name.
25.2.2.
Chapter 26 Services

Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.

26.1 Services Overview

See the appendices in the web configurator’s User Guide for a list of commonly-used services.

26.2 Services Commands Summary

The following table describes the values required for many service object and service group commands. Other values are discussed with the corresponding commands.
Chapter 26 Services Table 106 service-object Commands: Service Objects (continued) COMMAND DESCRIPTION service-object object_name icmp icmp_value Creates the specified ICMP message using the specified parameters. icmp_value: <0..
Chapter 26 Services Table 107 object-group Commands: Service Groups (continued) COMMAND DESCRIPTION [no] object-group group_name Adds the specified service group (second group_name) to the specified service group (first group_name). The no command removes the specified service group from the specified service group. [no] description description Sets the description to the specified value. The no command removes the description.
Chapter 27 Schedules

Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering.

27.1 Schedule Overview

The NXC supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based on the current date and time in the NXC.
Chapter 27 Schedules The following table lists the schedule commands. Table 109 schedule Commands COMMAND DESCRIPTION show schedule-object Displays information about the schedules in the NXC. no schedule-object object_name Deletes the schedule object. schedule-object list Lists all schedules configured on the NXC. schedule-object object_name date time date time Creates or updates a one-time schedule. date: yyyy-mm-dd date format; yyyy-<01..12><01..
Chapter 28 AAA Server

This chapter introduces and shows you how to configure the NXC to use external authentication servers.

28.1 AAA Server Overview

You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the NXC supports.
28.2.1 aaa group server ad Commands The following table lists the aaa group server ad commands you use to configure a group of AD servers. Table 110 aaa group server ad Commands COMMAND DESCRIPTION clear aaa group server ad [groupname] Deletes all AD server groups or the specified AD server group. Note: You can NOT delete a server group that is currently in use. show aaa group server ad groupname Displays the specified AD server group settings.
Chapter 28 AAA Server Table 110 aaa group server ad Commands (continued) COMMAND DESCRIPTION [no] server domain-auth activate Activates server domain authentication. The no parameter deactivates it. server domain-auth domainname Adds the NetBIOS name of the AD server. The NXC uses it with the user name in the format NetBIOS\USERNAME to do authentication. The NXC uses the format USERNAME@realm if you do not configure the NetBIOS name.
Chapter 28 AAA Server Table 111 aaa group server ldap Commands (continued) COMMAND DESCRIPTION [no] server binddn binddn Sets the user name the NXC uses to log into the LDAP server group. The no command clears this setting. [no] server cn-identifier uid Sets the unique common name (cn) to identify a record. The no command clears this setting. [no] server description description Sets the descriptive information for the LDAP server group. You can use up to 60 printable ASCII characters.
Chapter 28 AAA Server Table 112 aaa group server radius Commands (continued) COMMAND DESCRIPTION [no] aaa group server radius group-name Sets a descriptive name for the RADIUS server group. The no command deletes the specified server group. aaa group server radius rename {group-name-old} group-name-new Changes the descriptive name for a RADIUS server group. aaa group server radius group-name Enter the sub-command mode.
Chapter 28 AAA Server Table 112 aaa group server radius Commands (continued) COMMAND DESCRIPTION [no] server nas-ip Specifies the Network Access Server IP address attribute value if the RADIUS server requires it. The no command clears this setting. [no] server acct-interim activate Enable this to have the NXC send subscriber status updates to the RADIUS server. The no command has the NXC not send subscriber status updates to the RADIUS server. 28.2.
Chapter 29 Authentication Objects

This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database.

29.1 Authentication Objects Overview

After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the NXC uses to authenticate users (such as managing through HTTP/HTTPS or Captive Portal). 29.
Chapter 29 Authentication Objects Table 113 aaa authentication Commands (continued) COMMAND DESCRIPTION [no] aaa authentication default member1 [member2] [member3] [member4] Sets the default profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius, or local. Note: You must specify at least one member for each profile. Each type of member can only be used once in a profile.
29.3 test aaa Command The following table lists the test aaa command you use to test a user account on an authentication server. Table 114 test aaa Command COMMAND DESCRIPTION test aaa {server|secureserver} {ad|ldap} host {hostname|ipv4-address} [host {hostname|ipv4-address}] port <1..
Chapter 30 Authentication Server

This chapter shows you how to configure the NXC as an authentication server for access points.

30.1 Authentication Server Overview

The NXC can also work as a RADIUS server to exchange messages with other APs for user authentication and authorization.

30.2 Authentication Server Commands

The following table lists the authentication server commands you use to configure the NXC’s built-in authentication server settings.
Table 115 Command Summary: Authentication Server (continued) COMMAND DESCRIPTION [no] description description Sets the description for the profile. The no command clears this setting. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. show auth-server status Displays the NXC’s authentication server settings. show auth-server trustedclient Displays all RADIUS client profile settings.
Chapter 31 ENC

This chapter shows you how to configure the NXC as an ENC agent and allow it to be managed by the ENC server or an ACS (Auto Configuration Server) via TR-069 over HTTP or HTTPs.

31.1 ENC Overview

ENC (Enterprise Network Center) is a browser-based network management system that allows network administrators from any location to manage and monitor multiple ZyXEL devices. See the ENC User's Guide for details.
Table 116 Command Summary: ENC-Agent (continued) COMMAND DESCRIPTION enc-agent periodic-inform interval <10..86400> Sets how often (in seconds) the NXC sends Inform messages to initiate connections to the ENC or ACS server. enc-agent authentication enable Sets the NXC to authenticate the ENC or ACS server’s certificate when you are using HTTPs. In order to do this you need to import the ENC or ACS server’s public key (certificate) into the NXC’s trusted certificates.
Table 116 Command Summary: ENC-Agent (continued) COMMAND DESCRIPTION no enc-agent periodic-inform Sets the NXC to not periodically send “Inform” messages to the ENC or ACS server. [no] debug enc-agent activate Enables ENC-agent debug logging. The no command disables ENC-agent debug logging. [no] debug enc-agent stderr Shows ENC-agent debug messages on the console. The no command sets the NXC to not show ENC-agent debug messages on the console.
Chapter 32 Certificates

This chapter explains how to use the Certificates.

32.1 Certificates Overview

The NXC can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication. A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner.
Chapter 32 Certificates Table 117 Certificates Commands Input Values (continued) LABEL DESCRIPTION organizational_unit Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. organization Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Chapter 32 Certificates Table 118 ca Commands Summary (continued) COMMAND DESCRIPTION ca generate pkcs10 name certificate_name cntype {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] [usr-def certificate_name] key-type {rsa|dsa} key-len key_length Generates a PKCS#10 certification request. ca generate pkcs12 name name password password Generates a PKCS#12 certificate.
Chapter 32 Certificates 32.5 Certificates Commands Examples The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512 bit key. Then it displays the list of local certificates. Finally it deletes the pkcs12request certification request. Router# configure terminal Router(config)# ca generate x509 name test_x509 cn-type ip cn 10.0.0.
Chapter 33 System

This chapter provides information on the commands that correspond to what you can configure in the system screens.

33.1 System Overview

Use these commands to configure general NXC information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services/protocols can access which NXC zones (if any) from which computers. 33.
Chapter 33 System Figure 16 Access Page Customization Logo Title Message Color (color of all text) Note Message (last line of text) Window Background You can specify colors in one of the following ways: • color-rgb: Enter red, green, and blue values in parenthesis and separate by commas. For example, use “rgb(0,0,0)” for black. • color-name: Enter the name of the desired color. • color-number: Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color.
Chapter 33 System Table 119 Command Summary: Customization (continued) COMMAND DESCRIPTION login-page title title Sets the title for the top of the login screen. Use up to 64 printable ASCII characters. Spaces are allowed. login-page title-color {color-rgb | color-name | color-number} Sets the title text color of the login page. logo background-color {color-rgb | color-name | color-number} Sets the color of the logo banner across the top of the login screen and access page.
Chapter 33 System 33.4.1 Date/Time Commands The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 121 Command Summary: Date/Time COMMAND DESCRIPTION clock date time Sets the new date in year, month and day format manually and the new time in hour, minute and second format. [no] clock daylight-saving Enables daylight saving.
Chapter 33 System 33.5 Console Port Speed This section shows you how to set the console port speed when you connect to the NXC via the console port using a terminal emulation program. The following table describes the console port commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 122 Command Summary: Console Port Speed COMMAND DESCRIPTION [no] console baud baud_rate Sets the speed of the console port.
Chapter 33 System Table 124 Command Summary: DNS (continued) COMMAND DESCRIPTION ip dns server rule {<1..64>|append|insert <1..64>} access-group {ALL|profile_name} zone {ALL|profile_name} action {accept|deny} Sets a service control rule for DNS requests. ip dns server rule move <1..64> to <1..64> Changes the number of a service control rule. ip dns server zone-forwarder {<1..32>|append|insert <1..32>} {domain_zone_name|*} user-defined w.x.y.
Chapter 34 System Remote Management

This chapter shows you how to determine which services/protocols can access which NXC zones (if any) from which computers. To allow the NXC to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-NXC rule to block that traffic. 34.
Chapter 34 System Remote Management 34.2 Common System Command Input Values The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 125 Input Values for General System Commands LABEL DESCRIPTION address_object The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 126 Command Summary: HTTP/HTTPS (continued) COMMAND DESCRIPTION [no] ip http secure-server force-redirect Redirects all HTTP connection requests to a HTTPS URL. The no command disables forwarding HTTP connection requests to a HTTPS URL. ip http secure-server table {admin|user} rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} Sets a service control rule for HTTPS service.
This command sets an authentication method used by the HTTP/HTTPS server to authenticate the client(s).

    Router# configure terminal
    Router(config)# ip http authentication Example

The following example sets a certificate named MyCert used by the HTTPS server to authenticate itself to the SSL client.

    Router# configure terminal
    Router(config)# ip http secure-server cert MyCert

34.
Chapter 34 System Remote Management Table 127 Command Summary: SSH (continued) COMMAND DESCRIPTION [no] ip ssh server port <1..65535> Sets the SSH service port number. The no command resets the SSH service port number to the factory default (22). ip ssh server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} Sets a service control rule for SSH service. address_object: The name of the IP address (group) object.
Chapter 34 System Remote Management 34.6 Telnet Commands The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 128 Command Summary: Telnet COMMAND DESCRIPTION [no] ip telnet server Allows Telnet access to the NXC CLI. The no command disables Telnet access to the NXC CLI. [no] ip telnet server port <1..65535> Sets the Telnet service port number.
Chapter 34 System Remote Management 34.7 Configuring FTP You can upload and download the NXC’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 34.7.1 FTP Commands The following table describes the commands available for FTP. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 129 Command Summary: FTP COMMAND DESCRIPTION [no] ip ftp server Allows FTP access to the NXC.
Chapter 34 System Remote Management This command displays FTP settings. Router# configure terminal Router(config)# show ip ftp server status active : yes port : 21 certificate: default TLS : no service control: No. Zone Address Action ======================================================================== 34.8 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
Chapter 34 System Remote Management 34.8.3 SNMP Commands The following table describes the commands available for SNMP. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 131 Command Summary: SNMP COMMAND DESCRIPTION [no] snmp-server Allows SNMP access to the NXC. The no command disables SNMP access to the NXC.
34.8.4 SNMP Commands Examples

The following command sets a service control rule that allows the computers with the IP addresses matching the specified address object to access the specified zone using SNMP service.

    Router# configure terminal
    Router(config)# snmp-server rule 11 access-group Example zone WAN action accept

The following command sets the password (secret) for read-write (rw) access.
Chapter 35 File Manager

This chapter covers how to work with the NXC’s firmware, certificates, configuration files, custom IDP signatures, packet trace results, shell scripts and temporary files.

35.1 File Directories

The NXC stores files in the following directories.
These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.

Figure 17 Configuration File / Shell Script: Example

    # enter configuration mode
    configure terminal
    # change administrator password
    username admin password 4321 user-type admin
    # configure ge3
    interface ge3
    ip address 172.16.37.240 255.255.255.0
    ip gateway 172.16.37.
“exit” or “!” must follow sub commands if it is to make the NXC exit sub command mode. Line 3 in the following example exits sub command mode.

    interface ge1
    ip address dhcp
    !

Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.

    !
    interface ge1
    # this interface is a DHCP client
    !

Lines 1 and 2 are comments. Line 5 exits sub command mode.

    ! this is from Joe
    # on 2006/06/05
    interface ge1
    ip address dhcp
    !

35.2.
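The comment and sub-command rules above can be checked offline before a file is applied. The following is an added example, not ZyXEL's code: a small Python reviewer that classifies each line of a configuration file or shell script and flags a few commands from this guide that deserve a second look. The SUBMODE_OPENERS tuple, the rule names, the handling of "! text" inside a sub-command block as a comment, and the sample script are assumptions of this example.

```python
import re

# Assumption: commands that open sub-command mode. The guide's examples only
# show "interface ge1" doing so; extend this tuple for other blocks.
SUBMODE_OPENERS = ("interface ",)

# Review rules keyed to commands that appear in this guide. The rule names
# and the choice of what to flag are this example's own.
RULES = [
    ("cleartext-password", re.compile(r"^username \S+ password \S+")),
    ("telnet-enabled", re.compile(r"^ip telnet server$")),
    ("ftp-enabled", re.compile(r"^ip ftp server$")),
    ("ha-plaintext-auth",
     re.compile(r"^device-ha ap-mode authentication string \S+")),
    ("startup-errors-ignored",
     re.compile(r"^setenv-startup stop-on-error off$")),
]


def classify(script):
    """Label each non-blank line and report whether a sub-command block
    is still open at the end of the file.

    Returns (rows, open_at_end); rows holds (line_no, kind, text) with kind
    one of 'comment', 'command', 'subcommand', 'exit-sub'.
    """
    rows, in_sub = [], False
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            kind = "comment"            # '#' is a comment in either mode
        elif in_sub and line in ("!", "exit"):
            kind, in_sub = "exit-sub", False
        elif line.startswith("!"):
            kind = "comment"            # '!' outside a block is a comment
        elif in_sub:
            kind = "subcommand"
        else:
            kind = "command"
            in_sub = line.startswith(SUBMODE_OPENERS)
        rows.append((no, kind, line))
    return rows, in_sub


def audit(script):
    """Return (line_no, rule_name) findings for one script."""
    rows, open_at_end = classify(script)
    findings = []
    for no, kind, line in rows:
        if kind in ("command", "subcommand"):
            findings += [(no, name) for name, rx in RULES if rx.search(line)]
    if open_at_end:
        # No "!" or "exit" closed the last block, so any command appended
        # later would be read as a sub command of that block.
        findings.append((rows[-1][0], "sub-mode-not-closed"))
    return findings


# Constructed sample, modelled on the guide's Figure 17 and ge1 examples.
SAMPLE = """\
! constructed sample for the reviewer
configure terminal
# change administrator password
username admin password 4321 user-type admin
interface ge1
# this interface is a DHCP client
ip address dhcp
!
no ip telnet server
ip ftp server
interface ge3
ip address 172.16.37.240 255.255.255.0
"""

if __name__ == "__main__":
    for line_no, rule in audit(SAMPLE):
        print(f"line {line_no}: {rule}")
```
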
Chapter 35 File Manager • When you change the configuration, the NXC creates a startup-config.conf file of the current configuration. • The NXC checks the startup-config.conf file for errors when it restarts. If there is an error in the startup-config.conf file, the NXC copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. • When the NXC reboots, if the startup-config.
Chapter 35 File Manager 35.4 File Manager Commands Summary The following table lists the commands that you can use for file management. Table 136 File Manager Commands Summary COMMAND DESCRIPTION apply /conf/file_name.conf [ignore-error] [rollback] Has the NXC use a specific configuration file. You must still use the write command to save your configuration changes to the flash (“non-volatile” or “long term”) memory.
Table 136 File Manager Commands Summary (continued) COMMAND DESCRIPTION show running-config Displays the settings of the configuration file that the system is using. setenv-startup stop-on-error off Has the NXC ignore any errors in the startup-config.conf file and apply all of the valid commands. show setenv-startup Displays whether or not the NXC is set to ignore any errors in the startup-config.conf file and apply all of the valid commands.
Chapter 35 File Manager The firmware update can take up to five minutes. Do not turn off or reset the NXC while the firmware update is in progress! If you lose power during the firmware upload, you may need to refer to Section 35.8 on page 231 to recover the firmware. 35.6.2 Command Line FTP Configuration File Upload Example The following example transfers a configuration file named tomorrow.conf from the computer and saves it on the NXC as next.conf.
Chapter 35 File Manager 35.6.4 Command Line FTP Configuration File Download Example The following example gets a configuration file named today.conf from the NXC and saves it on the computer as current.conf. Figure 19 FTP Configuration File Download Example C:\>ftp 192.168.1.1 Connected to 192.168.1.1. 220 FTP Server [192.168.1.1] User (192.168.1.1:(none)): admin 331 Password required for admin. Password: 230 User admin logged in.
Chapter 35 File Manager 35.8 Notification of a Damaged Recovery Image or Firmware The NXC’s recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the NXC notifies you of a damaged recovery image or firmware file. Use this section if your device has stopped responding for an extended period of time and you cannot access or ping it. Note that the NXC does not respond while starting up.
Chapter 35 File Manager Figure 23 Firmware Damaged 35.9 Restoring the Recovery Image (NXC5200 Only) This procedure requires the NXC’s recovery image. Download the firmware package from www.zyxel.com and unzip it. The recovery image uses a .ri extension, for example, "1.01(XL.0)C0.ri". Do the following after you have obtained the recovery image file. You only need to use this section if you need to restore the recovery image. 1 Restart the NXC.
Chapter 35 File Manager Figure 25 atuk Command for Restoring the Recovery Image 4 Enter Y and wait for the “Starting XMODEM upload” message before activating XMODEM upload on your terminal. Figure 26 Starting Xmodem Upload 5 This is an example Xmodem configuration upload using HyperTerminal. Click Transfer, then Send File to display the following screen. Figure 27 Example Xmodem Upload Type the firmware file's location, or click Browse to search for it. Choose the 1K Xmodem protocol. Then click Send.
Chapter 35 File Manager Figure 29 atgo Debug Command 35.10 Restoring the Firmware This procedure requires the NXC’s firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example, "1.01(XL.0)C0.bin". Do the following after you have obtained the firmware file. This section is not for normal firmware uploads. You only need to use this section if you need to recover the firmware.
Chapter 35 File Manager 8 After the transfer is complete, “Firmware received” or “ZLD-current received” displays. Wait (up to four minutes) while the NXC recovers the firmware. Figure 32 Firmware Received and Recovery Started 9 The console session displays “done” when the firmware recovery is complete. Then the NXC automatically restarts. Figure 33 Firmware Recovery Complete and Restart 10 The username prompt displays after the NXC starts up successfully.
Chapter 35 File Manager Figure 34 Restart Complete 35.11 Restoring the Default System Database The default system database stores information such as the default anti-virus or IDP signatures. The NXC can still operate if the default system database is damaged or missing, but related features (like anti-virus or IDP) may not function properly.
Figure 35 Default System Database Console Session Warning at Startup: Anti-virus

Figure 36 Default System Database Console Session Warning When Reloading IDP

Figure 37 Default System Database Missing Log: Anti-virus

This procedure requires the NXC’s default system database file. Download the firmware package from www.zyxel.com and unzip it. The default system database file uses a .db extension, for example, "1.01(XL.0)C0.db".
35.11.1 Using the atkz -u Debug Command (NXC5200 Only)

You only need to use the atkz -u command if the default system database is damaged.

1 Restart the NXC.

2 When “Press any key to enter debug mode within 3 seconds.” displays, press a key to enter debug mode.

Figure 38 Enter Debug Mode

3 Enter atkz -u to start the recovery process.

Figure 39 atkz -u Command for Restoring the Default System Database

4 “Connect a computer to port 1 and FTP to 192.168.1.
8 Set the transfer mode to binary (type bin).

9 Transfer the firmware file from your computer to the NXC. Type put followed by the path and name of the firmware file. This example uses put e:\ftproot\ZLD FW \1.01(XL.0)C0.db.

Figure 41 FTP Default System Database Transfer Command

10 Wait for the file transfer to complete.

Figure 42 FTP Default System Database Transfer Complete

11 The console session displays “done” after the default system database is recovered.
Figure 44 Startup Complete
Chapter 36 Logs

This chapter provides information about the NXC’s logs.

When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User’s Guide for the maximum number of system log messages in the NXC.

36.1 Log Commands Summary

The following table describes the values required for many log commands. Other values are discussed with the corresponding commands.
36.1.1 Log Entries Commands

This table lists the commands to look at log entries.

Table 138 logging Commands: Log Entries
COMMAND
    DESCRIPTION
show logging entries [priority pri] [category module_name] [srcip ip] [dstip ip] [service service_name] [begin <1..512> end <1..512>] [keyword keyword]
    Displays the selected entries in the system log.
36.1.2.1 System Log Command Examples

The following command displays the current status of the system log.

Router# configure terminal
Router(config)# show logging status system-log
512 events logged
suppression active : yes
suppression interval: 10
category settings :
content-filter : normal , forward-web-sites : no
blocked-web-sites : normal , user : normal
myZyXEL.
This table lists the commands for the remote syslog server settings.

Table 141 logging Commands: Remote Syslog Server Settings
COMMAND
    DESCRIPTION
show logging status syslog
    Displays the current settings for the remote servers.
[no] logging syslog <1..4>
    Enables the specified remote server. The no command disables the specified remote server.
[no] logging syslog <1..4> address {ip | hostname}
    Sets the URL or IP address of the specified remote server. The no command clears this field.
Table 142 logging Commands: E-mail Profile Settings (continued)
COMMAND
    DESCRIPTION
[no] logging mail <1..2> {send-log-to | sendalerts-to} e_mail
    Sets the e-mail address for logs or alerts. The no command clears the specified field.
    e_mail: You can use up to 63 alphanumeric characters, underscores (_), or dashes (-), and you must use the @ character.
[no] logging mail <1..2> subject subject
    Sets the subject line when the NXC mails to the specified e-mail profile.
36.1.5 Console Port Log Commands

This table lists the commands for the console port settings.

Table 143 logging Commands: Console Port Settings
COMMAND
    DESCRIPTION
show logging status console
    Displays the current settings for the console log. (This log is not discussed above.)
[no] logging console
    Enables the console log. The no command disables the console log.
Table 144 logging Commands: Access Point Settings (continued)
COMMAND
    DESCRIPTION
show wtp-logging status mail [ap_mac]
    Displays the logging status for the specified AP’s mail log.
show wtp-logging query-log ap_mac
    Displays the specified AP’s query log.
show wtp-logging query-dbg-log ap_mac
    Displays the specified AP’s query debug log.
show wtp-logging result-status
    Displays the AP logging result status.
Chapter 37 Reports and Reboot

This chapter provides information about the report associated commands and how to restart the NXC using commands. It also covers the daily report e-mail feature.

37.1 Report Commands Summary

The following sections list the report and session commands.

37.1.1 Report Commands

This table lists the commands for reports.

Table 145 report Commands
COMMAND
    DESCRIPTION
[no] report
    Begins data collection. The no command stops data collection.
37.1.2 Report Command Examples

The following commands start collecting data, display the traffic reports, and stop collecting data.

Router# configure terminal
Router(config)# show report ge1 ip
No. IP Address   User   Amount       Direction
===================================================================
1   192.168.1.4  admin  1273(bytes)  Outgoing
2   192.168.1.4  admin  711(bytes)   Incoming
Router(config)# show report ge1 service
No.
37.2 Email Daily Report Commands

The following table identifies the values used in some of these commands. Other input values are discussed with the corresponding commands.

Table 147 Input Values for Email Daily Report Commands
LABEL
    DESCRIPTION
e_mail
    An e-mail address. You can use up to 80 alphanumeric characters, underscores (_), periods (.), or dashes (-), and you must use the @ character.

Use these commands to have the NXC e-mail you system statistics every day.
Table 148 Email Daily Report Commands (continued)
COMMAND
    DESCRIPTION
smtp-port <1..65535>
    Sets the SMTP service port.
no smtp-port
    Resets the SMTP service port configuration.
daily-report [no] item station-count
    Determines whether or not the station statistics are included in the report e-mails.
daily-report [no] item wtp-tx
    Determines whether or not the NXC’s outgoing traffic statistics are included in the report e-mails.
37.2.1 Email Daily Report Example

This example sets the NXC to send a daily report e-mail.
This displays the email daily report settings and has the NXC send the report now.

Router(config)# show daily-report status
email daily report status
=========================
activate: yes
scheduled time: 13:57
reset counter: no
smtp address: example-SMTP-mail-server.com
smtp auth: yes
smtp username: 12345
smtp password: pass12345
mail subject: test subject
append system name: no
append date time: yes
mail from: my-email@example.com
mail-to-1: example-administrator@example.
Chapter 38 Session Timeout

Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands.

Table 149 Session Timeout Commands
COMMAND
    DESCRIPTION
session timeout {udp-connect <1..300> | udpdeliver <1..300> | icmp <1..300>}
    Sets the timeout for UDP sessions to connect or deliver and for ICMP sessions.
session timeout { tcp-close <1..300> | tcpclosewait <1..300> | tcp-established <1..432000> | tcp-finwait <1..
Chapter 39 Diagnostics

This chapter covers how to use the diagnostics feature.

39.1 Diagnostics

The diagnostics feature provides an easy way for you to generate a file containing the NXC’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.

39.2 Diagnosis Commands

The following table lists the commands that you can use to have the NXC collect diagnostics information.
Chapter 40 Packet Flow Explore

This chapter covers how to use the packet flow explore feature.

40.1 Packet Flow Explore

Use this to get a clear picture of how the NXC determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you with a summary of all your routing and SNAT settings and helps troubleshoot related problems.

40.
40.3 Packet Flow Explore Commands Example

The following example shows all routing related functions and their order.

Router> show route order
route order: Direct Route, Policy Route, 1-1 SNAT, Main Route

The following example shows all SNAT related functions and their order.

Router> show system snat order
snat order: Policy Route SNAT, 1-1 SNAT, Loopback SNAT, Default SNAT

The following example shows all activated policy routes.

Router> show system route policy-route
No.
Chapter 41 Maintenance Tools

Use the maintenance tool commands to check the conditions of other devices through the NXC. The maintenance tools can help you to troubleshoot network problems.

41.1 Maintenance Tools Commands

Here are maintenance tool commands that you can use in privilege mode.

Table 152 Maintenance Tools Commands in Privilege Mode
COMMAND
    DESCRIPTION
packet-trace [interface interface_name] [ip-proto {<0..
Here are maintenance tool commands that you can use in configure mode.

Table 153 Maintenance Tools Commands in Configuration Mode
COMMAND
    DESCRIPTION
[no] packet-capture activate
    Performs a packet capture that captures network traffic going through the NXC’s configured interface(s). Studying these packet captures may help you identify network problems. The no command stops the running packet capture on the NXC.
Table 153 Maintenance Tools Commands in Configuration Mode (continued)
COMMAND
    DESCRIPTION
snaplen <68..1512>
    Specifies the maximum number of bytes to capture per packet. The NXC automatically truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets may be larger than the size of captured packets.
arp ip_address mac_address
    Edits or creates an ARP table entry.
Router# packet-trace interface ge2 ip-proto icmp file extension-filter -> and src host 192.168.105.133 and dst host 192.168.105.40 -s 500 -n
tcpdump: listening on eth1
07:26:51.731558 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:26:52.742666 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:26:53.752774 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:26:54.762887 192.168.105.133 > 192.168.105.
Then configure the following settings to capture packets going through the NXC’s WAN1 interface only (this means you have to remove LAN2 and WAN2 from the iface list).
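The snaplen setting in Table 153 cuts each captured packet to a maximum size, so a capture file records both the captured length and the original length of every packet. The following is an added example, not code from the ZyXEL guide: it reads a capture and reports which packets were truncated and by how much. It assumes the capture is in the classic libpcap file format (the guide does not state the format), and the sample capture is constructed in the code.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same format, written with the opposite byte order
GLOBAL_HDR_LEN = 24              # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16              # ts_sec, ts_usec, captured length, original length


def build_pcap(snaplen, frames):
    """Constructed sample data: write frames to a little-endian pcap, cutting
    each frame to snaplen bytes as a capture with that snaplen would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # 1 = Ethernet
    for ts_sec, frame in frames:
        kept = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, 0, len(kept), len(frame)) + kept
    return out


def truncation_report(pcap_bytes):
    """Return the file's snaplen, its packet count and the truncated packets."""
    if len(pcap_bytes) < GLOBAL_HDR_LEN:
        raise ValueError("too short to hold a pcap global header")
    (magic,) = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        order = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    (snaplen,) = struct.unpack_from(order + "I", pcap_bytes, 16)

    truncated = []
    count = 0
    offset = GLOBAL_HDR_LEN
    while offset < len(pcap_bytes):
        if offset + RECORD_HDR_LEN > len(pcap_bytes):
            raise ValueError("file ends inside a record header")
        _sec, _usec, incl_len, orig_len = struct.unpack_from(
            order + "IIII", pcap_bytes, offset)
        offset += RECORD_HDR_LEN
        # A record can never hold more bytes than were on the wire, and its
        # data must fit in the file; anything else means a damaged capture.
        if incl_len > orig_len or offset + incl_len > len(pcap_bytes):
            raise ValueError("record %d has an inconsistent length" % (count + 1))
        offset += incl_len
        count += 1
        if incl_len < orig_len:
            truncated.append({"packet": count, "captured": incl_len,
                              "on_wire": orig_len, "missing": orig_len - incl_len})
    return {"snaplen": snaplen, "packets": count, "truncated": truncated,
            "missing_bytes": sum(t["missing"] for t in truncated)}


# Constructed frames: only the sizes matter here, so the contents are zero bytes.
SAMPLE_FRAMES = [(1, bytes(60)), (2, bytes(98)), (3, bytes(1514))]

if __name__ == "__main__":
    report = truncation_report(build_pcap(68, SAMPLE_FRAMES))
    print("snaplen %(snaplen)d: %(packets)d packets, %(missing_bytes)d bytes not captured" % report)
    for t in report["truncated"]:
        print("  packet %(packet)d: %(captured)d of %(on_wire)d bytes captured" % t)
```

A non-empty truncated list means payload-level analysis of those packets is incomplete, which matters when the capture is kept as evidence.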
Chapter 42 Watchdog Timer

This chapter provides information about the NXC’s watchdog timers.

42.1 Hardware Watchdog Timer

The hardware watchdog has the system restart if the hardware fails.

The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.

Table 154 hardware-watchdog-timer Commands
COMMAND
    DESCRIPTION
[no] hardware-watchdog-timer <4..
The software-watchdog-timer commands are for support engineers. It is recommended that you not modify the software watchdog timer settings.

Table 155 software-watchdog-timer Commands
COMMAND
    DESCRIPTION
[no] software-watchdog-timer timer
    Sets how long the system’s core firmware can be unresponsive before resetting. The no command turns the timer off.
    timer: 10 to 600 (NXC5200) or 10 to 60 (NXC2500).
Table 156 app-watchdog Commands
COMMAND
    DESCRIPTION
[no] app-watch-dog memthreshold min <1..100> max <1..100>
    Sets the percentage thresholds for sending a memory usage alert. The NXC starts sending alerts when memory usage exceeds the maximum (the second threshold you enter). The NXC stops sending alerts when the memory usage drops back below the minimum threshold (the first threshold you enter). The no command changes the setting back to the default.
The following example lists the processes that the application watchdog is monitoring.
Chapter 43 Managed AP Commands

Connect directly to a managed AP’s CLI (Command Line Interface) to configure the managed AP’s CAPWAP (Control And Provisioning of Wireless Access Points) client and DNS server settings.

43.1 Managed Series AP Commands Overview

Log into an AP’s CLI and use the commands in this chapter if the AP does not automatically connect to the NXC or you need to configure the AP’s DNS server. Use the CAPWAP client commands to configure settings to let the AP connect to the NXC.
43.3 CAPWAP Client Commands

Use the CAPWAP client commands to configure the AP’s IP address and other related management interface settings. Do not use the original interface commands to configure the IP address and related settings on the AP, because the AP does not save interface command settings after rebooting.

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
43.3.1 CAPWAP Client Commands Example

This example shows how to configure the AP’s management interface and how it connects to the AP controller (the NXC), and how to check the connection status. The following commands:

• Display how the AP finds the NXC
• Set the AP’s management IP address to 192.168.1.37 and netmask 255.255.255.0
• Set the AP’s default gateway IP address to 192.168.1.
43.4 DNS Server Commands

The following table describes commands for configuring the AP’s DNS server. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 159 Command Summary: DNS Server
COMMAND
    DESCRIPTION
ip dns server zone-forwarder {<1..32>|append|insert <1..
43.4.2 DNS Server Commands and DHCP

The AP in the example in Section 43.4.1 on page 274 uses a static IP address. If the AP uses DHCP instead, you do not need to configure the DNS server’s IP address on the AP when you configure DHCP option 6 on the DHCP server. For the example in Section 43.4.1 on page 274, you would just need to configure the management interface’s VLAN ID (capwap ap vlan vlan-id 3).
List of Commands

This section lists the root commands in alphabetical order.

[no] 2g-scan-channel wireless_channel_2g ... 81
[no] 5g-scan-channel wireless_channel_5g ...
[no] app-watch-dog auto-recover ... 268
[no] app-watch-dog console-print {always|once} ... 268
[no] app-watch-dog cpu-threshold min <1..
[no] destinationip address_object ... 122
[no] device-ha activate ...
[no] interface {interface_name | EnterpriseWLAN} ... 67
[no] interface interface_name ... 108
[no] interface interface_name ...
[no] logging mail <1..2> schedule {full | hourly} ... 245
[no] logging mail <1..2> subject subject ... 245
[no] logging syslog <1..4> ...
[no] second-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | EnterpriseWLAN} ... 55
[no] second-wins-server ip ... 55
[no] secret secret ... 197
[no] server acct-address radius_server acct-port port ... 191
[no] server acct-interim activate ...
[no] source {address_object|any} ... 67
[no] source address_object ... 115
[no] source address_object ...
[no] zone profile_name ... 108
{11n | bg | a} ... 79
{signature | anomaly | system-protect} activate ... 146
{signature | anomaly | system-protect} activation ... 146
| uint32 <0..
app other insert rule_number ... 132
app other move rule_number to rule_number ... 132
app protocol_name exception append ... 130
app protocol_name exception default or app protocol_name exception modify default ... 130
app protocol_name exception insert rule_number ... 130
app protocol_name exception modify rule_number ...
ch-width wlan_htcw ... 80
clear ... 31
clear aaa authentication profile-name ... 193
clear aaa group server ad [group-name] ... 188
clear aaa group server ldap [group-name] ... 189
clear aaa group server radius group-name ...
debug ip dns ... 33
debug ip virtual-server ... 33
debug logging ... 33
debug manufacture ... 33
debug network arpignore (*) ... 33
debug no registration server (*) ...
exit ... 114
exit ... 116
exit ... 125
exit ... 32
exit ... 50
exit ...
| yes | no} log {any | no | log | log-alert} action action_mask ... 154
idp search system-protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log-alert} action action_mask ... 154
idp signature newpro [base {all | lan | wan | dmz | none}] ... 148
idp statistics flush ...
load-balancing sigma <51..100> ... 100
load-balancing timeout <1..255> ... 100
load-balancing traffic level {high | low | medium} ... 99
logging console category module_name level {alert | crit | debug | emerg | error | info | notice | warn} ... 246
logging mail <1..2> schedule daily hour <0..23> minute <0..59> ...
no ip dns server rule <1..64> ... 212
no ip dns server zone-forwarder <1..4> ... 274
no ip ftp server rule rule_number ... 219
no ip http secure-server cipher-suite {cipher_algorithm} ... 215
no ip http secure-server table {admin|user} rule rule_number ... 215
no ip http server table {admin|user} rule rule_number ...
policy move policy_number to policy_number ... 67
port <0..65535> ... 130
port <0..65535> ... 131
port status Port<1..x> ... 59
proto-type {icmp | igmp | igrp | pim | ah | esp | vrrp | udp | tcp | any} ... 262
psm ...
setenv-startup stop-on-error off ... 228
show ... 115
show ... 130
show ... 131
show ... 133
show ...
show bwm activation ... 68
show bwm-usage < [policy-route policy_number] | [interface interface_name] ...
show groupname [groupname] ... 171
show hardware-watchdog-timer status ... 267
show idp ... 146
show idp {signature | anomaly} base profile ...
show idp statistics ranking {signature-name | source | destination} ... 162
show idp statistics summary ... 161
show interface {ethernet | vlan} status ...
show port setting ... 59
show port status ... 59
show port type ...
show username [username] ... 170
show users {username | all | current} ... 174
show users default-setting {all | user-type {admin|user|guest|limited-admin|ext-groupuser}} ... 171
show users idle-detection-settings ... 172
show users retry-settings ...
test aaa ... 32
test aaa {server|secure-server} {ad|ldap} host {hostname|ipv4-address} [host {hostname|ipv4-address}] port <1..65535> base-dn base-dn-string [bind-dn bind-dnstring password password] login-name-attribute attribute [alternative-login-nameattribute attribute] account account-name ... 195
traceroute ...
wlan-macfilter-profile rename macfilter_profile_name1 macfilter_profile_name2 ... 88
wlan-monitor-profile rename monitor_profile_name1 monitor_profile_name2 ... 81
wlan-radio-profile rename radio_profile_name1 radio_profile_name2 ... 78
wlan-security-profile rename security_profile_name1 security_profile_name2 ... 85
wlan-ssid-profile rename ssid_profile_name1 ssid_profile_name2 ... 83
write ...