ZyXEL Communications Network Router NOT AVAILABLE User's Manual
Contents
1. t 267 22 T Hardware WU TIMET ura pen cha as 267 erac cR ires MU 267 ase PSA tant P aan ea eed 268 42 3 1 Application Watchdog Commands Example ccccccceseeeceeeeeeeeeeeaeeeeeeeeeeeneeeeeaeeeeeaaeeesenes 269 Chapter 43 Managed AP O a a E a aE a aaa aaa a A n 271 43 1 Managed Series AP Commands OVOrViIpW ds 271 AI A UL TS 271 Aa CAPWAP Client COMMAS e ER 272 43311 CAPWAP Client Gommands Example spas 273 AS A DNS Semer commanda acia ii 274 43 4 1 ONS Server Commands Example corr cdseevadanvess se sauhedueeriteandieeaieadaees 274 43 4 2 ONS Server commands and DAR sii lare esten dabat dead Ya x d 275 Bike LT 277 NXC CLI Reference Guide
Command Line Interface
This chapter describes how to access and use the CLI (Command Line Interface).
1.1 Overview
If you have problems with your NXC, customer support may request that you issue some of these commands to assist them in troubleshooting.
Use of undocumented commands or misconfiguration can damage the NXC and possibly render it unusable.
1.1.1 The Configuration File
When you configure the NXC using either the CLI (Command Line Interface) or the web configurator, the settings are saved as a series of commands in a configuration file on the NXC. You can store more than one configuration file on the NXC. However, only one configuration file is used at a time. You can perform the following wit
2. 147 dp signature profile signature all details 2 uke ia dawn ee E OR RACER A dob 9 146 IUD Signatures CUSLON CSIGHSture SIL detalla dusk e OR MUR CK ORO CR RC REOR Iob 156 idp signatures custom signature custom sid details contents non contents 156 idp Signatures cusbtom siqnaturs nau NbDBEI cross mex Rue doe Edu A le 156 Toe Seater eine ESL LISCE ariba qe repo dox RU Be OR RD pe bap oe Re reple Re 162 NXC CLI Reference Guide List of Commands show idp statistics ranking signature name source destination i nn 162 Show idp statistics SUNAY Qua kta coe ERR EG ARE ACER a She Rod AL KHER AH RC ie dU REOR QE Co UR CR 151 show interface ethernet wlan SESTUS sincera TORRES RR Se OEC AAA RRA AR 50 show interface interface name ethernet vlan all oooooooooooooooooo 50 Snow interface send Statistics IDLGPUSD asar aria Oe de Sade eee ae eX ee 50 show u berlecH sunmeary ALL Q1onskbaxo kd RR AA AA AAA coheed shave de RA Re 20 Show interface Summa all G BLUE exe exo i be heed Shaws Her E dog X a p UR EG So OE Sees 50 pw Terie sie arias Rowe ve dux eae Acn weg eee arde da qe dol ans eg qudd 51 Shov ip dhon Sinding el taps 4 3e d RUE Ue ER dak ote AAA AA dnd ea dp e de 55 Sct xp Dueh HBOSeBDDOGOMEB ara ASE m ers d i ad ee We adem 53 shov ip dhep pool DPOSIIlG Dame pois der Ec xe a Gh cioe Ro ee eder dede de pe em ae 53 pl ap dd ere OU cin A d edes ie S du acad qiie dard EOM IE
3. H 177 pol Address CUI IEE Loo usse qarideciasepiaiu s td a a 177 25 2 POON SS Commands SUMMA scenes 178 292 ARETES DD SC Commande Losssu przestradoessivi spo aupra NANA R 178 258 DUES IU Command di 179 Chapter 26 A 181 261 DaN ees OVON TT 181 dd SeNi Dommage SUNY rusa AGRA AAA da Dac a Ra 181 26 2 1 Semice Object COMINGS ab 181 28022 Service Grup mi ANNI sai 182 Chapter 27 cl j B 185 27 1 ICA LE IB diia 185 27 2 eed Gommande SORIIBE AA A 185 27 2 1 Schedule Command EXSIpIGS ira EdaRER a D EE aai LU Reb as iaai 186 Chapter 28 AAA SO Y 187 NXC CLI Reference Guide Table of Contents PET BAS Server CEE ooo pee o sani and gat oaa aao oti aaah aont 187 29 2 Authentication Server Command GUTIBFV iussus caccia ida Eie Dia 187 28 21 Sa ACUSA COMAS dee 188 282 2 aaa Group Server kap COmImalitds acusa 189 20 2 9 aaa group server radius Commands Less te ccsteduseinneiacesescnavaaseercussieaandpoeaianenasmersascetenliaaees 190 282 4 Bae group server Command EXSImBle cosmos 192 Chapter 29 Authentication es Y 193 29 1 A hentication Objects Overview cc ti A Ra Ru aaa 193 29 2 rcEp rie iig eem MP 193 29 2 1 aaa authentication Gommand Example eccentric A 194 eu TORE aaa LOBTEHIIOEotuseaieotib dab bec ui mE
4. leere 43 session timeout tcp close lt 1 300 gt tcp closewait lt 1 300 gt tcp established 1 4320005 tep finwalit 1 300 tep lsstack 1 300 tep syaregsv lt 1 300 gt tep synsent lt 1 300 gt Ecp timeWate 15 3006 seins dd 255 session timeout udp connect lt 1 300 gt udp deliver lt 1 300 gt icmp lt 1 300 gt 255 e BDDSH sredis See Ea Ec od CERE O 125 session limit delete Fule HEADS sia eh he SSA ESSE SSR TORE ESA AUR CE OE LORE COR OE REE 1295 SES LLE AUS dudbgoaok CE eu kde QUEE d d ede nee od AC ao ROM ACC Ede GN RANA eor 125 sessrapelrmet insert Jule DNHDOY msi e ore Be o CK ER CR ORT RR KR wea Gm we 125 Bessiuchnslrmopr Jamie lt 0 A ngukd3Aw kk EX AR HE AUACRRE doo eR RR or COR alae 125 sessron limrt move rule number to cule numDeF i cdbidedeadule vat CR OR UR ed RO E RR 125 sessropelimrt cule PEST ohne coeds Bed Dance d EA AAA aa E XA A 125 e or dM E E E AAA AAA E AAA A A AAA AAA 32 NXC CLI Reference Guide List of Commands Bobgnv stastus StoDpoOon BELDOE GEL Leg deuce se eek dhe bei cee AD Read 228 SOM nthe ide oh Shea bee ae oue a NL eee a eo do e oak EC Qi cai dod AR D DEC ee E EOS eae IIS BUD DES NAAA SS AES Ko bd Wd bie dedit Spot d eic apo E aria ait dr dod ue ecd oe d RIS 130 Cipro ae EA ASA RAS ee 131 SHOW Gh koe ee eb oes CRE ECE NO E dE edendi iid A d euni 133 corn Me Pcr A AA AA A AAN A
5. 22.2 General IDP Commands
22.2.1 IDP Activation
You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See Chapter 5 on page 41.
NXC CLI Reference Guide Chapter 22 IDP Commands
This table shows the IDP signature, anomaly and system protect activation commands.
Table 79 IDP Activation
COMMAND | DESCRIPTION
no idp signature anomaly system protect activate | Enables IDP signatures, anomaly detection and/or system protect. IDP signatures use requires IDP service registration. If you don't have a standard license, you can register for a once-off trial one. Anomaly detection and the self-protect feature do not require registration. The no command disables the specified service.
idp system protect deactivate | Disables system protect.
show idp signature anomaly system protect activation | Displays IDP signature, anomaly detection or system protect service status.
idp reload | Recovers the IDP signatures. You should only need to do this if instructed to do so by a support technician.
22.2.1.1 Activate/Deactivate IDP Example
This example shows how to activate and deactivate signature-based IDP on the NXC.
Router# configure terminal
Router(config)# idp signature activate
Router(config)# show idp signature activation
idp signature activation yes
Router(config)# no idp signature activate
Router(config)# show idp signat
6. NXC CLI Reference Guide Chapter 5 Registration
5.2.1 Command Examples
The following commands allow you to register your device with an existing account, or create a new account and register the device at one time, and activate a trial service subscription.
Router# configure terminal
Router(config)# device-register username alexctsui password 123456
Router(config)# service-register service-type trial service idp
The following command displays the account information and whether the device is registered.
Router# configure terminal
Router(config)# show device-register status
username alexctsui
password 123456
device register status yes
expiration self check no
The following command displays the service registration status and type and how many days remain before the service expires.
Router# configure terminal
Router(config)# show service-register status all
Service | Status | Type | Count | Expiration
IDP Signature | Licensed | Standard | N/A | 698
Anti-Virus | Licensed | Standard | N/A | 698
MAPS | Licensed | Standard | 240 | N/A
5.3 Country Code
The following table displays the number for each country.
Table 11 Country Codes
COUNTRY CODE | COUNTRY NAME | COUNTRY CODE | COUNTRY NAME
001 | Afghanistan | 002 | Albania
003 | Algeria | 004 | American Samoa
005 | Andorra | 006 | Angola
007 | Anguilla | 008 | Antarctica
009 | Antigua & Barbuda | 010 | Argentina
011 Arm
7. Enter commands for the device that you are currently logged into here. If you are logged into the NXC, see the CLI Reference Guide for details on using the command line to configure it.
Device IP Address lO 152 168 1 1 22: This is the IP address of the device that you are currently logged into.
Logged In User admin: This displays the username of the account currently logged into the NXC through the Console Window. You can log into the Web Configurator with a different account than used to log into the NXC through the Console.
Connection Status Connected: This displays the connection status of the account currently logged in. If you are logged in and connected, then this displays Connected. If you lose the connection, get disconnected, or log out, then this displays Not Connected.
Tx/RX Activity Monitor: This displays the current upload / download activity. The faster and more frequently an LED flashes, the faster the data connection.
Before you use the Console, ensure that:
Your web browser of choice allows pop-up windows from the IP address assigned to your NXC.
Your web browser allows Java programs.
You are using the latest version of the Java program (http://www.java.com).
To log in through the Console:
1 Click the Console button on the Web Configurator title bar.
NXC CLI
8. service object rename object name object name | Renames the specified service from the first object name to the second object name.
26.2.1.1 Service Object Command Examples
The following commands create one service and display information about it.
Router# configure terminal
Router(config)# service-object FTP tcp range 20 21
Router(config)# show service-object FTP
Object name | Protocol | Minmum port | Maxmum port | Ref
FTP | TCP | 20 | 21 | 1
FTP References
Category | Rule Priority | Rule Name | Description
Captive Portal | 3 | N/A | N/A
Router(config)#
26.2.2 Service Group Commands
The first table lists the commands for service groups.
Table 107 object group Commands: Service Groups
COMMAND | DESCRIPTION
show object group service group name | Displays information about the specified service group.
no object group service group name | Creates the specified service group if necessary and enters sub-command mode. The no command removes the specified service group.
no service object object nam | Adds the specified service to the specified service group. The no command removes the specified service from the specified group.
NXC CLI Reference Guide Chapter 26 Services
Table 107 object group Commands: Service Groups (continued)
COMMAND | DESCRIPTION
no object group group name | Adds the specified service group seco
9. 120 toca detection Dilgek periag Ue AQUOS Lg edEdorbd REG Rn RO E dee bu E REX pus Pa du d EE rf 150 Pramsecapip te CON Ure abarca dd BOL eid ERE SOLE Ad AA AR 94 CESS SrO PRANS iaa aie ane qe o RRR Rae gr olde dq ace d doe Gok Fg ne dos pep a 104 ALA Sup AA Rupe iu Madras qa are Dh pd wd eh quee 104 qroummsme LENAMS GrouDmame grOoOHDIBH nr AA NAAA AAA A ROO CR ICI nogrd unmbervsal GA Stade shi de dS SE PAS RSLS Oe NAE d RA du A aed addu d d RES 80 hucdwareewatoudegerimer SEALE ake mare wd x DE gei dol Rot e dn de ic e eae aOR UR pq DR Bd pol vie dig 267 haste ipaddress profile name 99 ascii AAA PARAR AN C RUE ees 262 host bOorsk UI EL EAa 0s RR UAR URGERE Re oe CRESS de X GORGE CAS COE OE CAD ACA e RE 262 LEE nah ae eek AAA eh Pug qoa ee ee SH p eode dam ASA dodi OA DAA 32 Hetp inspection Ihttp xxw1 dog alert aerae x ne Rksdpdcudo e RO KORR Rhee A 150 icmp decoder truncated header truncated timestamp header truncated address header action drop reject sender reject receiver reject both i151 icmp decoder truncated header truncated timestamp header truncated address header Zen eU tsk eda er Edo QE een do Rd eee we eee eee eee ee wa ee a eee 151 idp fsxgnature systemepretsot update dally lt 0 299 rad yx Rex RR RR RR RR 160 idp signature system Protecti update BOUEIY iidaezdpds ex RUE doe OR UP ORO QR A AAA 160 idp signature system protect update sighHL UPS ense geo ox ii 160 idp s
10. no outbound dscp mark <0..63> class default dscp class | This is how the NXC handles the DSCP value of the outgoing packets from a connection's initiator that match this policy. Enter a DSCP value to have the NXC apply that DSCP value. Set this to the class default to have the NXC set the DSCP value to 0.
port 0 65535 | Specifies the destination port. 0 means any.
no schedule schedule nam | Adds the specified schedule to the rule.
show | Displays the rule's configuration.
no source address object | Adds the specified source address to the rule.
no to zone name | Specifies the destination zone.
no user username | Adds the specified user to the rule.
20.2.4 Other Application Commands
This table lists the commands for other applications in application patrol.
Table 67 app Commands: Other Applications
COMMAND | DESCRIPTION
app other del forward drop reject | Specifies the default action for other applications.
NXC CLI Reference Guide Chapter 20 Application Patrol
20.2.5 Rule Commands for Other Applications
This table lists the commands for rules in other applications.
Table 68 app Commands: Rules in Other Applications
COMMAND | DESCRIPTION
app other insert rule_number | Creates a new rule at the specified row and enters sub-command mode.
app other append | Creates a new rule, appends it to the end of the list, and ent
11. 28.2.1 aaa group server ad Commands
The following table lists the aaa group server ad commands you use to configure a group of AD servers.
Table 110 aaa group server ad Commands
COMMAND | DESCRIPTION
clear aaa group server ad group name | Deletes all AD server groups or the specified AD server group. Note: You can NOT delete a server group that is currently in use.
show aaa group server ad group name | Displays the specified AD server group settings.
no aaa group server ad group name | Sets a descriptive name for an AD server group. Use this command to enter the sub-command mode. The no command deletes the specified server group.
aaa group server ad rename group name group name | Changes the descriptive name for an AD server group.
aaa group server ad group name | Enter the sub-command mode to configure an AD server group.
no server alternative cn identifier uid | Sets the second type of identifier that the users can use to log in, if any. For example, name or e-mail address. The no command clears this setting.
no server basedn basedn | Sets a base distinguished name (DN) to point to the AD directory on the AD server group. The no command clears this setting.
no server binddn binddn | Sets the user name the NXC uses to log into the AD server group. The no command clears this setting.
no server cn identifier uid
no server description description
12. Type enable to go to privilege mode. No password is required. All commands can be run from here except those marked with an asterisk. Many of these commands are for troubleshooting purposes, for example the htm (hardware test module) and debug commands. Customer support may ask you to run some of these commands and send the results if you need assistance troubleshooting your device.
For admin logins, all commands are visible in user mode but not all can be run there. The following table displays which commands can be run in user mode. All commands can be run in privilege mode.
The htm and psm commands are for ZyXEL's internal manufacturing process.
Table 5 User (U) and Privilege (P) Mode Commands
COMMAND | MODE | DESCRIPTION
apply | P | Applies a configuration file.
atse | U/P | Displays the seed code.
clear | U/P | Clears system or debug logs or DHCP binding.
configure | U/P | Use configure terminal to enter configuration mode.
copy | P | Copies configuration files.
debug | U/P | For support personnel only. The device needs to have the debug flag enabled.
delete | P | Deletes configuration files.
details | P | Performs diagnostic commands.
diag | P | Provided for support personnel to collect internal system information. It is not recommended that you use these
NXC CLI Reference Guide Chapter 2 User and Privilege Modes
Table 5 User U and Privilege P
13. 1 The boot module performs a basic hardware test. You cannot restore the boot module if it is damaged. The boot module also checks and loads the recovery image. The NXC notifies you if the recovery image is damaged.
2 The recovery image checks and loads the firmware. The NXC notifies you if the firmware is damaged.
NXC CLI Reference Guide Chapter 35 File Manager
35.8 Notification of a Damaged Recovery Image or Firmware
The NXC's recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the NXC notifies you of a damaged recovery image or firmware file. Use this section if your device has stopped responding for an extended period of time and you cannot access or ping it. Note that the NXC does not respond while starting up. It takes less than five minutes to start up with the default configuration, but the start-up time increases with the complexity of your configuration.
1 Use a console cable and connect to the NXC via a terminal emulation program (such as HyperTerminal). Your console session displays the NXC's startup messages. If you cannot see any messages, check the terminal emulation program's settings (see Section 1.2.1 on page 16) and restart the NXC.
2 The system startup messages display followed by "Press any key to enter debug mode within 3 seconds."
Do not press any keys at this point. Wait to see what displays next.
Figure 21
14. but the first character cannot be a number. This value is case-sensitive.
ap_description | The AP description. This is strictly used for reference purposes and has no effect on any other settings. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
sta_mac | The MAC address of the wireless client. Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.
The following table describes the commands available for AP management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 29 Command Summary: AP Management
COMMAND | DESCRIPTION
capwap manual add enable disable | Allows the NXC to either automatically add new APs to the network (disable) or wait until you manually confirm them (enable).
show capwap manual add | Displays the current manual add option.
capwap ap add ap mac ap model | Adds the specified AP to the NXC for management. If manual add is disabled, this command can still be used; if you add an AP before it connects to the network, then this command simply preconfigures the management list with that AP's information.
capwap ap kick all ap mac | Removes the specified AP (ap mac) or all connected APs (all) from the management list. Doing this removes the AP(s) from the management list. If the NXC is s
15. client show auth server trusted | Displays all RADIUS client profile settings.
show auth server trusted client profile name | Displays the specified RADIUS client profile settings.
30.2.1 Authentication Server Command Examples
The following example shows you how to enable the authentication server feature on the NXC and sets a trusted RADIUS client profile. This example also shows you the authentication server and client profile settings.
Router# configure terminal
Router(config)# auth-server activate
Router(config)# auth-server trusted-client AP-1
Router(config-trusted-client-AP-1)# activate
Router(config-trusted-client-AP-1)# ip address 10.10.1.2 255.255.255.0
Router(config-trusted-client-AP-1)# secret 12345678
Router(config-trusted-client-AP-1)# exit
Router(config)# show auth-server status
activation yes
authentication method default
certificate default
Router(config)# show auth-server trusted-client AP-1
Client AP-1
Activation yes
Description
IP 10.10.1.2
Netmask 255.255.255.0
Secret VQEq907jWB8
Router(config)#
NXC CLI Reference Guide
ENC
This chapter shows you how to configure the NXC as an ENC agent and allow it to be managed by the ENC server or an ACS (Auto Configuration Server) via TR-069 over HTTP or HTTPs.
31.1 ENC Overview
ENC (Enterprise Network Center) is a bro
16. show ip telnet server status | Displays Telnet settings.
34.6.1 Telnet Commands Examples
This command sets a service control rule that allowed the computers with the IP addresses matching the specified address object to access the specified zone using Telnet service.
Router# configure terminal
Router(config)# ip telnet server rule 11 access-group RD zone LAN action accept
This command displays Telnet settings.
Router# configure terminal
Router(config)# show ip telnet server status
active yes
port 23
service control
No Zone Address Action
Router(config)#
NXC CLI Reference Guide Chapter 34 System Remote Management
34.7 Configuring FTP
You can upload and download the NXC's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.
34.7.1 FTP Commands
The following table describes the commands available for FTP. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 129 Command Summary: FTP
COMMAND | DESCRIPTION
no ip ftp server | Allows FTP access to the NXC. The no command disables FTP access to the NXC.
no ip ftp server cert certificate_name | Sets a certificate to be used to identify the NXC. The no command resets the certificate used by the FTP server to the factory default.
no ip ftp server port <1..65535> | Sets the FT
17. Figure 42 FTP Default System Database Transfer Complete
206 PORT command successful
158 Connecting to port 3789
226 248 5 Mbytes free disk space
226 File successfully transferred
226 B 008 seconds measured here > 13 31 Mbytes per second
ftp 112398 bytes sent in 02Seconds 7624 88Kbytes sec
ftp > m
11 The console session displays "done" after the default system database is recovered.
Figure 43 Default System Database Received and Recovery Complete
Default System Database received
Update Filesystem
Updating Database
done
12 The username prompt displays after the NXC starts up successfully. The default system database recovery process is now complete and the NXC IDP and anti-virus features are ready to use again.
NXC CLI Reference Guide Chapter 35 File Manager
Figure 44 Startup Complete
nothing was mounted
Hostname localhost
Setting the System Clock using the Hardware Clock as reference
System Clock set Local time Wed May 9 03 26 53 UTC 200
Cleaning tmp zvarz lock var run
Initializing random number generator done
Initializing Debug Account Authentication Seed DAAS
Lionic device init successfully
cavium nitrox device CN505 init complete
INIT Entering runlevel 3
Starting zylog daemon zylogd
zylog starts
Starting syslog ng
Starting uan daemon
Starting app patrol daemon
Starting periodic command scheduler cron
Start system daemon
Got LINK CHANGE
18. ip dns server zone forwarder 1 32 append insert <1..32> domain zone name user defined w x y z privat interface interface name auto | Sets a domain zone forwarder record that specifies a DNS server's IP address. private, interface: Use private if the NXC connects to the DNS server through a VPN tunnel. Otherwise, use the interface command to set the interface through which the NXC sends DNS queries to a DNS server. The auto means any interface that the NXC uses to send DNS queries to a DNS server according to the routing rule.
ip dns server zone forwarder move <1..32> to <1..32> | Changes the index number of a zone forwarder record.
no ip dns server rule <1..64> | Deletes a service control rule.
show ip dns server database | Displays all configured records.
show ip dns server status | Displays whether this service is enabled or not.
show ip dns server cache | Displays all DNS records.
show ip dns server tcp listen | Displays whether TCP listen is enabled to allow an application to accept incoming TCP connections.
33.6.2 DNS Command Example
This command sets an A record that specifies the mapping of a fully qualified domain name (www.abc.com) to an IP address (210.17.2.13).
Router# configure terminal
Router(config)# ip dns server a-record www.abc.com 210.17.2.13
NXC CLI Reference Guide
System Remote Management
19. 13.2.1 Wireless Load Balancing Examples
The following example shows you how to configure AP load balancing in "by station" mode. The maximum number of stations is set to 1.
Router(config)# load-balancing mode station
Router(config)# load-balancing max sta 1
Router(config)# show load-balancing config
load balancing config
Activate yes
Kickout no
Mode station
Max sta 1
Traffic level high
Alpha 5
Beta 10
Sigma 60
Timeout 20
LIInterval 10
KickoutInterval 20
The following example shows you how to configure AP load balancing in "by traffic" mode. The traffic level is set to low, and "disassociate station" is enabled.
Router(config)# load-balancing mode traffic
Router(config)# load-balancing traffic level low
Router(config)# load-balancing kickout
Router(config)# show load-balancing config
load balancing config
Activate yes
Kickout yes
Mode traffic
Max sta 1
Traffic level low
Alpha 5
Beta 10
Sigma 60
Timeout 20
LIInterval 10
KickoutInterval 20
NXC CLI Reference Guide Chapter 13 Wireless Load Balancing
Dynamic Guest
This chapter shows you how to configure dynamic guest accounts.
14.1 Dynamic Guest Overview
Dynamic guest accounts are guest accounts, but are created dynamically with the guest manager account and stored in the NXC's local user database. A dynamic guest account user can access the NX
20. Address HWtype HWaddress Flags Mask Iface
192.168.1.10 ether 01:02:03:04:05:06 CM ge1
172.23.19.254 ether 00:04:80:9B:78:00 C ge2
Router# no arp 192.168.1.10
Router# show arp-table
Address HWtype HWaddress Flags Mask Iface
192.168.1.10 (incomplete) ge1
172.23.19.254 ether 00:04:80:9B:78:00 C ge2
The following examples show how to configure packet capture settings and perform a packet capture. First you have to check whether a packet capture is running. This example shows no other packet capture is running. Then you can also check the current packet capture settings.
Router(config)# show packet-capture status
capture status off
Router(config)#
Router(config)# show packet-capture config
iface wan1 lan2 wan2
ip type any
host port 0
host ip any
file suffix Example
snaplen 1500
duration 150
file size 10000
NXC CLI Reference Guide Chapter 41 Maintenance Tools
Then configure the following settings to capture packets going through the NXC's WAN1 interface only (this means you have to remove LAN2 and WAN2 from the iface list).
IP address: any
Host IP: any
Host port: any (then you do not need to configure this setting)
File suffix: Example
File size: 10000 bytes
Duration: 150 seconds
Router(config)# packet-capture configure
Router(packet-capture)# iface add wan1
Router(packet-capture)# iface del lan2
Router
21. Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
You can create IP address objects based on an interface's IP address, subnet, or gateway. The NXC automatically updates these objects whenever the interface's IP address settings change. This way every rule or setting that uses the object uses the updated IP address settings. For example, if you change the LAN1 interface's IP address, the NXC automatically updates the corresponding interface-based LAN1 subnet address object. So any configuration that uses the LAN1 subnet address object is also updated.
Address objects and address groups are used in dynamic routes, firewall rules, application patrol, content filtering, and VPN connection policies. For example, addresses are used to specify where content restrictions apply in content filtering. Please see the respective sections for more information about how address objects and address groups are used in each one.
Address groups are composed of address objects and address groups. The sequence of members in the address group is not important.
NXC CLI Reference Guide Chapter 25 Addresses
25.2 Address Commands Summary
The following table describes the values required for many address object and address group commands. Other values are discussed with the corresponding commands.
Table 102 Input Values for Address Commands
LA
22. Exits configuration mode for this profile.
NXC CLI Reference Guide Chapter 9 Wireless LAN Profiles
9.2.1 AP & Monitor Profile Commands Example
The following example shows you how to set up the radio profile named RADIO01, activate it, and configure it to use the following settings: 2.4G band with channel 6; channel width of 20MHz; a DTIM period of 2; a beacon interval of 100ms; AMPDU frame aggregation enabled; an AMPDU buffer limit of 65535 bytes; an AMPDU subframe limit of 64 frames; AMSDU frame aggregation enabled; an AMSDU buffer limit of 4096; block acknowledgement enabled; a short guard interval; an output power of 100%.
It will also assign the SSID profile labeled default in order to create WLAN VAP (wlan 1 1) functionality within the radio profile RADIO01.
Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config profile radio Router config wlan radio profil activate band 2 4G 2g channel 6 ch width
23. NXC CLI Reference Guide Chapter 34 System Remote Management
34.6 Telnet Commands
The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 128 Command Summary: Telnet
COMMAND | DESCRIPTION
no ip telnet server | Allows Telnet access to the NXC CLI. The no command disables Telnet access to the NXC CLI.
no ip telnet server port <1..65535> | Sets the Telnet service port number. The no command resets the Telnet service port number back to the factory default (23).
ip telnet server rule rule number append insert rule number access group ALL address object zone ALL zone object action accept deny | Sets a service control rule for Telnet service.
address object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
zone object: The name of the zone. Use up to 31 characters (a-zA-Z0-9). The name cannot start with a number. This value is case-sensitive. You can also use pre-defined zone names like LAN and WLAN.
ip telnet server rule move rule number to rule number | Changes the index number of a service control rule.
no ip telnet server rule rule number | Deletes a service control rule for Telnet service.
24. Port 1 is up > Group 1 is up
Got LINK_CHANGE Port 0 is up > Group 0 is up
Applying system configuration file please wait
System is configured successfully with startup-config.conf
NXC CLI Reference Guide
Logs
This chapter provides information about the NXC's logs.
When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.
See the User's Guide for the maximum number of system log messages in the NXC.
36.1 Log Commands Summary
The following table describes the values required for many log commands. Other values are discussed with the corresponding commands.
Table 137 Input Values for Log Commands
LABEL | DESCRIPTION
module_name | The name of the category: kernel, syslog. The default category includes debugging messages generated by open source software. The all category includes all messages in all categories.
ap mac | The Ethernet MAC address for the specified Access Point.
pri | The log priority. Enter one of the following values: alert, crit, debug, emerg, error, info, notice, or warn.
ipv4 | The standard version 4 IP address (such as 192.168.1.1).
service | The service object name.
keyword | The keyword search string. You may use up to 63 alphanumeric characters.
log proto accept | The log protocol. Enter one of the following
25. Router(config)# show idp signatures custom-signature number
signatures: 1

22.5 Update IDP Signatures

Note: Use these commands to update new signatures. You register for IDP service before you can update IDP signatures, although you do not have to register in order to update system-protect signatures.

You must use the web configurator to import a custom signature file.

Table 90 Update Signatures

COMMAND / DESCRIPTION

idp {signature | system-protect} update signature
    Immediately downloads IDP or system protect signatures from an update server.

[no] idp {signature | system-protect} update auto
    Enables (disables) automatic signature downloads at regular times and days.

idp {signature | system-protect} update hourly
    Enables automatic signature download every hour.

idp {signature | system-protect} update daily <0..23>
    Enables automatic signature download every day at the time specified.

idp {signature | system-protect} update weekly {sun | mon | tue | wed | thu | fri | sat} <0..23>
    Enables automatic signature download once a week at the time and day specified.

show idp {signature | system-protect} update
    Displays signature update schedule.

show idp {signature | system-protect} update status
    Displays signature update status.

s
27. enc-agent username username
    Specifies the NXC's user name for authentication with the ENC server. You may use up to 254 alphanumeric characters, underscores, or dashes. This value is case-sensitive.

enc-agent password password
    Specifies the NXC's password for authentication with the ENC server. You may use up to 254 alphanumeric characters, underscores, or dashes. This value is case-sensitive.

enc-agent server-type {enc | tr069}
    Specifies the type of the management server.

enc-agent my-ip auto
    Sets the NXC to allow management sessions to connect to any of the NXC's IP addresses.

enc-agent my-ip custom ipv4_address
    Specify the NXC's IP address that allows management sessions.

enc-agent trigger-inform <0..8640>
    The NXC can connect to the server automatically by sending an Inform message. Specifies after how many seconds the NXC sends an Inform message to initiate a TR069 connection to the ENC or ACS server.

no enc-agent manager
    Disables the ENC agent feature on the NXC.

no enc-agent authentication
    Sets the NXC to not authenticate the ENC or ACS server's certificate when you are using HTTPS.

no enc-agent server certificate
    Removes the certificate of the ENC or ACS server.

no enc-agent acs username
    Removes the user name used to authenticate the ENC or ACS server when the server makes a connection request.

no enc-agent acs password

no enc-agent usern
28. [no] tcp-decoder {tcp-xxx} action {drop | reject-sender | reject-receiver | reject-both}
    Sets tcp-decoder action.

[no] udp-decoder {truncated-header | undersize-len | oversize-len} activate
    Activates or deactivates udp-decoder options.

Table 84 Editing/Creating Anomaly Profiles (continued)

COMMAND / DESCRIPTION

udp-decoder {truncated-header | undersize-len | oversize-len} log [alert]
    Sets udp-decoder log or alert options.

no udp-decoder {truncated-header | undersize-len | oversize-len} log
    Deactivates udp-decoder log options.

udp-decoder {truncated-header | undersize-len | oversize-len} action {drop | reject-sender | reject-receiver | reject-both}
    Sets udp-decoder action.

no udp-decoder {truncated-header | undersize-len | oversize-len} action
    Deactivates udp-decoder actions.

[no] icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} activate
    Activates or deactivates icmp-decoder options.

icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} log [alert]
    Sets icmp-decoder log or alert options.

no icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} log
    Deactivates icmp-decoder log options.

icmp decoder truncated header truncated timestamp header truncated address head
29. 1 Connect your computer to the NXC's port 1 (only port 1 can be used).
2 The NXC's FTP server IP address for firmware recovery is 192.168.1.1, so set your computer to use a static IP address from 192.168.1.2 to 192.168.1.254.
3 Use an FTP client on your computer to connect to the NXC. For example, in the Windows command prompt, type ftp 192.168.1.1. Keep the console session connected in order to see when the firmware recovery finishes.
4 Hit enter to log in anonymously.
5 Set the transfer mode to binary (type bin).
6 Transfer the firmware file from your computer to the NXC. Type put followed by the path and name of the firmware file. This example uses put e:\ftproot\ZLD FW\1.01(XL.0)C0.bin.

[Figure 30: FTP Firmware Transfer Command. Screenshot of the FTP session: connecting to 192.168.1.1 (PureFTPd 1.0.11, anonymous FTP only, disconnect after 15 minutes of inactivity), anonymous login, bin, then put of the firmware file.]

7 Wait for the file transfer to complete.

[Figure 31: FTP Firmware Transfer Complete]
30. 6500 limit lo 1400 max 6809 min 6783 avg 6795
FAN3 F02 rpm limit hi 6500 limit lo 1400 max 6683 min 6666 avg 6674
FAN4 F03 rpm limit hi 6500 limit lo 1400 max 6633 min 6617 avg 6627

Router(config)# show mac
MAC address: 28:61:32:89:37:61-28:61:32:89:37:67
Router(config)# show mem status
memory usage: 39
Router(config)# show ram-size
ram size: 1024MB
Router(config)# show serial-number
serial number: S132L06160030

Here is an example of the command that displays the listening ports.

Router(config)# show socket listen
No Proto Local_Address Foreign_Address State
1 tcp 0 0 0 0 2601 0 0 0 0 0 IS
2 tcp 0 0 0 0 2602 0 20740 0 50 IS
3 tcp 127 0 0 1 10443 0 0 0 0 0 IS
4 tcp 0 0 0 0 2604 0 0 0 0 0 IS
5 tcp 0 0 0 0 80 0 0 0 0 0 IS
6 tcp 127 0 0 1 8085 0 0 0 0 370 IS
7 tcp L 1 1 1 53 0 0 0 0 50 IS
8 tcp 172 164132205 53 0 0 0 0 0 IS
9 tcp 10 0 0 9 253 0 0 0 0 0 IS
10 tcp 172 16 13 240 53 0 0 0 0 0 IS
11 tcp 192 168 1 1 53 0 0 0 0 0 IS
12 tcp ALTOS 0 0 0 0 0 IS
13 tcp 0 0 0 0 21 0 0 0 0 0 IS
14 tcp 0 0 0 0 22 0 0 0 0 0 IS
15 tcp 1271 020 T72953 0 0 0 0 0 IS
16 tcp 0 0 0 0 443 0 0 0 0 0 IS
17 tcp 12720 0 121723 0 205 0 0 50 ISTE

Here is an example of the command that displays the open ports.

Router(config)# show socket open
No Proto Loc
31. Always copy the file into the same directory.

copy running-config startup-config
    Saves your configuration changes to the flash ("non-volatile" or "long term") memory. The NXC immediately uses configuration changes made via commands, but if you do not use this command or the write command, the changes will be lost when the NXC restarts.

copy running-config /conf/file_name.conf
    Saves a duplicate of the configuration file that the NXC is currently using. You specify the file name to which to copy.

delete {/cert | /conf | /idp | /packet_trace | /script | /tmp}/file_name
    Removes a file. Specify the directory and file name of the file that you want to delete.

dir {/cert | /conf | /idp | /packet_trace | /script | /tmp}
    Displays the list of files saved in the specified directory.

rename {/cert | /conf | /idp | /packet_trace | /script | /tmp}/old-file_name {/cert | /conf | /idp | /packet_trace | /script | /tmp}/new-file_name
    Changes the name of a file. Specify the directory and file name of the file that you want to rename. Then specify the directory again, followed by the new file name.

run /script/file_name.zysh
    Has the NXC execute a specific shell script file. You must still use the write command to save your configuration changes to the flash ("non-volatile" or "long term") memory.

Chapter 35 File Manager

Table 136 File Manager Commands Su
32. COMMAND / DESCRIPTION

idp anomaly newpro [base {all | none}]
    Creates a new IDP anomaly profile called newpro. newpro uses the base profile you specify. Enters sub-command mode. All the following commands relate to the new profile. Use exit to quit sub-command mode.

scan-detection sensitivity {low | medium | high}
    Sets scan-detection sensitivity.

no scan-detection sensitivity
    Clears scan-detection sensitivity. The default sensitivity is medium.

scan-detection block-period <1..3600>
    Sets for how many seconds the NXC blocks all packets from being sent to the victim (destination) of a detected anomaly attack.

[no] scan-detection {tcp-xxx} {activate | log [alert] | block}
    Activates TCP scan detection options, where {tcp-xxx} = {tcp-portscan | tcp-decoy-portscan | tcp-portsweep | tcp-distributed-portscan | tcp-filtered-portscan | tcp-filtered-decoy-portscan | tcp-filtered-distributed-portscan | tcp-filtered-portsweep}. Also sets TCP scan-detection logs or alerts and blocking. no deactivates TCP scan-detection, its logs, alerts or blocking.

[no] scan-detection {udp-xxx} {activate | log [alert] | block}
    Activates or deactivates UDP scan detection options, where {udp-xxx} = {udp-portscan | udp-decoy-portscan | udp-portsweep | udp-distributed-portscan | udp-filtered-portscan | udp-filtered-decoy-portscan | udp-filtered-distributed-portscan | udp-filtered-portsweep}. Also sets UDP scan-detection logs or alerts and blocki
33. Displays services that users can access without user authentication.

show web-auth policy {<1..1024> | all}
    Displays details about the policies for forcing user authentication.

show web-auth status
    Displays the web portal page settings.

17.1.1.1 web-auth login setting Sub-commands

The following table describes the sub-commands for the web-auth login setting command.

Table 52 web-auth login setting Sub-commands

COMMAND / DESCRIPTION

exit
    Leaves the sub-command mode.

type {external | internal}
    Sets which login page appears whenever the web portal intercepts network traffic, preventing unauthorized users from gaining access to the network.
    internal: Use the default login page built into the NXC.
    external: Use a custom login page from an external web portal. You can configure the look and feel of the web portal page.

[no] error-url url
    Sets the error page's URL; for example, http://192.168.1.1/error.cgi. 192.168.1.1 is the web server on which the web portal files are installed.

[no] login-url url
    Sets the login page's URL; for example, http://192.168.1.1/login.cgi. 192.168.1.1 is the web server on which the web portal files are installed.

[no] logout-url url
    Sets the logout page's URL; for example, http://192.168.1.1/logout.cgi. 192.168.1.1 is the web server on which the web portal files are installed.

Chapter 17 Captive Portal

T
34. Enables an overloaded AP to disconnect ("kick") idle clients or clients with noticeably weak connections.

load-balancing mode {station | traffic}
    Enables load balancing based on either number of stations (also known as wireless clients) or wireless traffic on an AP.

load-balancing max sta <1..127>
    If load balancing by the number of stations/wireless clients, this sets the maximum number of devices allowed to connect to a load-balanced AP.

load-balancing traffic level {high | medium | low}
    If load balancing by traffic threshold, this sets the traffic threshold level.

load-balancing alpha <1..255>
    Sets the load balancing alpha value. When the AP is balanced, then this setting delays a client's association with it by this number of seconds.
    Note: This parameter has been optimized for the NXC and should not be changed unless you have been specifically directed to do so by ZyXEL support.

Chapter 13 Wireless Load Balancing

Table 46 Command Summary: Load Balancing (continued)

COMMAND / DESCRIPTION

load-balancing beta <1..255>
    Sets the load balancing beta value. When the AP is overloaded, then this setting delays a client's association with it by this number of seconds.
    Note: This parameter has been optimized for the NXC and should not be changed unless you have been specifically directed to do so by ZyXE
35. adhoc 4 unclassified ap 0 total devices 0

10.3 Rogue AP Containment Overview

These commands enable rogue AP containment. You can use them to isolate a device that is flagged as a rogue AP. They are global in that they apply to all managed APs on the network (all APs utilize the same containment list), but only APs set to monitor mode can actively engage in containment of rogue APs. This means if we add a MAC address of a device to the containment list, then every AP on the network will respect it.

Note: Containing a rogue AP means broadcasting unviable login data at it, preventing legitimate wireless clients from connecting to it. This is a kind of Denial of Service attack.

10.4 Rogue AP Containment Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 40 Input Values for Rogue AP Containment Commands

LABEL / DESCRIPTION

ap_mac
    Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) of the AP to be contained. The no command removes the entry.

The following table describes the commands available for rogue AP containment. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 41 Command Summary: Rogue AP Containment

COMMAND / DESCRIPTION

rogue ap containme
36. (continued)

LABEL / DESCRIPTION

description
    Sets the description of the interface. You may use 0-511 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

profile_name
    The DHCP pool name.

The following table describes the commands available for VLAN interface management. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 22 Command Summary: VLAN Interface Profile

COMMAND / DESCRIPTION

[no] interface virtual interface
    Enters configuration mode for the specified interface. Use the no command to remove the specified VLAN interface.

vlanid <1..4094>
    Sets the interface's VLAN identification number.

[no] ip address ip_address netmask
    Sets the interface's IP address and netmask address. Use the no command to remove these values from this interface.

[no] ip address dhcp metric <0..15>
    Sets the interface to use the DHCP to acquire an IP address. Enter the metric (priority) of the gateway (if any) on this interface. The NXC decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the NXC uses the one that was configured first.

mtu <576..1500>
    Sets the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet
37. If restarting the NXC does not get anything to display, contact your local customer support.

Figure 1 Console Port Power-on Display

Flash: 8 MiB
BootModule Version: v0.9.1 2012-12-28 13:01:22
DRAM Size: 1024 Mbytes
DRAM POST: Testing: 262144K

After the initialization, the login screen displays.

Figure 2 Login Screen

Welcome to NXC
Username:

Enter the user name and password at the prompts.

Note: The default login username is admin and password is 1234. The username and password are case-sensitive.

1.2.2 Web Configurator Console

The Console allows you to use CLI commands from directly within the Web Configurator rather than having to use a separate terminal program. In addition to logging in directly to the NXC's CLI, you can also log into other devices on the network through this Console. It uses SSH to establish a connection.

Note: To view the functions in the Web Configurator user interface that correspond directly to specific NXC CLI commands, use the CLI Messages window (described in the User's Guide) in tandem with this one.

[Figure 3: Console]

The following table describes the elements in this screen.

Table 2 Console

LABEL / DESCRIPTION

Command Line
    Router> configure terminal
    Router(config)#
39. in percentage for storing system logs on the connected USB storage device.

[no] diag-info copy usb-storage
    Sets to have the NXC save or stop saving the current system diagnostics information to the connected USB storage device. You may need to send this file to customer support for troubleshooting.

[no] corefile copy usb-storage
    Sets to have the NXC save or not save a process's core dump to the connected USB storage device if the process terminates abnormally (crashes). You may need to send this file to customer support for troubleshooting.

show corefile copy usb-storage
    Displays whether (enable or disable) the NXC saves core dump files to the connected USB storage device.

show diag-info copy usb-storage
    Displays whether (enable or disable) the NXC saves the current system diagnostics information to the connected USB storage device.

show logging status usb-storage
    Displays the logging settings for the connected USB storage device.

Chapter 6 Interfaces

6.6.1 USB Storage General Commands Example

This example shows how to display the status of the connected USB storage device.

Router> show usb-storage
USBStorage Configuration:
  Activation: enable
  Criterion Number: 100
  Criterion Unit: megabyte
USB Storage Status:
  Device description: N/A
  Usage: N/A
  Filesystem: N/A
  Speed: N/A
  Status: none
  Detail: none

6.7 VLAN Interface Specific Command
40. no Solaris no SGI no other Unix no network device no service outbreak no

Chapter 22 IDP Commands

This example shows you how to display custom signature contents.

Router(config)# show idp signatures custom-signature 9000000 contents
sid: 9000000
Router(config)# show idp signatures custom-signature 9000000 non-contents
sid: 9000000
ack dport 0 dsize dsize rel flow direction flow state flow stream fragbits reserve fragbits dontfrag fragbits morefrag fragoffset fragoffset rel icmp id icmp seq icode icode rel id ipopt itype itype rel sameip seq sport O0 tcp flag ack tcp flag fin tcp flag push tcp flag r1 tcp flag r2 tcp flag rst tcp flag syn tcp flag urg threshold type threshold track threshold count threshold second tos tos rel transport tcp UL ttl rel window window rel

This example shows you how to display all details of a custom signature.

Router(config)# show idp signatures custom-signature all details
sid: 9000000
message: test
policy type severity platform all no Win95 98 WinNT no WinXP 2000 Linux no FreeBSD Solaris SGI no other Unix no network device service outbreak dit no no no no no

This example shows you how to display the number of custom signatures on the NXC.
41. or the details of a specified certificate.

show ca validation name name
    Displays the validation configuration for the specified remote (trusted) certificate.

show ca spaceusage
    Displays the storage space in use by certificates.

Chapter 32 Certificates

32.5 Certificates Commands Examples

The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512 bit key. Then it displays the list of local certificates. Finally it deletes the pkcs12request certification request.

Router# configure terminal
type rsa key len 512
Router(config)# show ca category local
certificate: default
  type: SELF
  subject: CN=nxc2500_BOB2DC6EA897
  issuer: CN=nxc2500_BOB2DC6EA897
  status: VALID
  ID: nxc2500_BOB2DC6EA897
  type: EMAIL
  valid from: 2012-12-07 10:49:31 GMT
  valid to: 2032-12-02 10:49:31 GMT
certificate: MyCertificate
  type: SELF
  subject: CN=Mydevice.example.com
  issuer: CN=Mydevice.example.com
  status: VALID
  ID: Mydevice.example.com
  type: EMAIL
  valid from: 2013-04-09 10:44:04 GMT
  valid to: 2016-04-08 10:44:04 GMT
certificate: pkcs12request
  type: REQ
  subject: CN=1.1.1.2
  issuer: none
  status: VALID
  ID: 1.1.1.2
  type: IP
  valid from: none
  valid to: none
certificate: test_x509
  type: SELF
  subject: CN=10.0.0.58
  issuer: CN=10.0.0.58
  status: VALID
  ID: 10.0.0.58
  type: IP
  valid from: 2013-06-07 15:52:52 GMT
  va
42. show ip dhcp dhcp-options
    Shows the DHCP extended option settings.

show ip dhcp pool [profile_name]
    Shows information about the specified DHCP pool or about all DHCP pools.

ip dhcp pool rename profile_name profile_name
    Renames the specified DHCP pool from the first profile_name to the second profile_name.

[no] ip dhcp pool profile_name
    Creates a DHCP pool if necessary and enters sub-command mode. You can use the DHCP pool to create a static entry or to set up a range of IP addresses to assign dynamically. About the sub-command settings:
    - If you use the host command, the NXC treats this DHCP pool as a static DHCP entry.
    - If you do not use the host command and use the network command, the NXC treats this DHCP pool as a pool of IP addresses.
    - If you do not use the host command or the network command, the DHCP pool is not properly configured and cannot be bound to any interface.
    The no command removes the specified DHCP pool.

show
    Shows information about the specified DHCP pool.

Use the following commands if you want to create a static DHCP entry. If you do not use the host command, the commands that are not in this section have no effect, but you can still set them.

[no] host ip
    Specifies the static IP address the NXC should assign. Use this command, along with hardware-address, to create a static DHCP entry.
    Note: The IP address must be in the same subnet as the interface to which you pla
43. show system snat order
snat order
1. Policy Route SNAT
2. 1-1 SNAT
3. Loopback SNAT
4. Default SNAT

The following example shows all activated policy routes.

Router> show system route policy-route
No. PR NO. Source Destination Incoming DSCP Service Source Port Nexthop Type Nexthop Info

The following example shows all activated 1-to-1 SNAT rules.

Router> show system route nat-1-1
No. VS Name Source Destination Outgoing Gateway

The following example shows all activated policy routes which use SNAT.

Router> show system snat policy-route
No. PR NO. Outgoing SNAT

The following example shows all activated 1-to-1 NAT rules.

Router> show system snat nat-1-1
No. VS Name Source Destination Outgoing SNAT

Maintenance Tools

Use the maintenance tool commands to check the conditions of other devices through the NXC. The maintenance tools can help you to troubleshoot network problems.

41.1 Maintenance Tools Commands

Here are maintenance tool commands that you can use in privilege mode.

Table 152 Maintenance Tools Commands in Privilege Mode

COMMAND / DESCRIPTION

packet trace interface interface name ip proto <0..255> protocol name any src host ip hostname any dst host ip hostname any port <1..65535> any file duration <1..3600> extension fi
45. tue wed thu fri sat

logging mail sending now
    Sends mail immediately, according to the current settings.

36.1.4.1 E-mail Profile Command Examples

The following commands set up e-mail log 1.

Router# configure terminal
Router(config)# logging mail 1 address mail.zyxel.com.tw
Router(config)# logging mail 1 subject AAA
Router(config)# logging mail 1 authentication username lachang.li password XXXXXX
Router(config)# logging mail 1 send-log-to lachang.li@zyxel.com.tw
Router(config)# logging mail 1 send-alerts-to lachang.li@zyxel.com.tw
Router(config)# logging mail 1 from lachang.li@zyxel.com.tw
Router(config)# logging mail 1 schedule weekly day mon hour 3 minute 3
Router(config)# logging mail 1

Chapter 36 Logs

36.1.5 Console Port Log Commands

This table lists the commands for the console port settings.

Table 143 logging Commands: Console Port Settings

COMMAND / DESCRIPTION

show logging status console
    Displays the current settings for the console log. (This log is not discussed above.)

[no] logging console
    Enables the console log. The no command disables the console log.

logging console category module_name level {alert | crit | debug | emerg | error | info | notice | warn}
    Controls whether or not debugging information for the specified priority is displayed in the console log, if logging for this category is enabled.
46. underscores, or dashes, but the first character cannot be a number. This value is case-sensitive.

zone_object
    The name of the zone. Use up to 31 characters (a-zA-Z0-9). The name cannot start with a number. This value is case-sensitive. You can also use pre-defined zone names like LAN and WLAN.

rule_number
    The priority number of a firewall rule. 1 - X, where X is the highest number of rules the NXC model supports. See the NXC's User's Guide for details.

schedule_object
    The name of the schedule. You may use 1-31 alphanumeric characters, underscores, or dashes, but the first character cannot be a number. This value is case-sensitive.

service_name
    The name of the service (group). You may use 1-31 alphanumeric characters, underscores, or dashes, but the first character cannot be a number. This value is case-sensitive.

The following table describes the commands available for the firewall. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 57 Command Summary: Firewall

COMMAND / DESCRIPTION

[no] connlimit max-per-host <1..8192>
    Sets the highest number of sessions that the NXC will permit a host to have at one time. The no command removes the settings.

firewall rule_number
    Enters the firewall sub-command mode to set a firewall rule.

firewall zone_object zone_object EnterpriseWLA
48. 1024 1536 2048 license key 25 S 6 upper case letters or numbers 16 upper case letters or numbers mac address aa bb cc dd ee ff hexadecimal mail server fqdn lower case letters numbers or name 1 31 alphanumeric or _ notification message 1 81 alphanumeric spaces or _ password less than 15 1 15 alphanumeric or GQ amp N t 2 V 5 chars password less than 8 1 8 alphanumeric or amp _ NXC CLI Reference Guide 27 Chapter 1 Command Line Interface Table 4 Input Value Formats for Strings in CLI Commands continued TAG VALUES LEGAL VALUES password Used in user and ip 1 63 alphanumeric or amp _ t lt gt Used in e mail log profile SMTP authentication 1 63 alphanumeric or amp _ 1 j 2 lt gt Used in device HA synchronization 1 63 alphanumeric or _ Used in registration 6 20 alphanumeric or _ phone number 1 20 numbers or preshared key 16 64 Ox or OX 16 64 hexadecimal values alphanumeric or G4 amp N profile name 1 31 alphanumeric or _ first character letters or proto name 1 16 lower case letters numbers or protocol name t 31 alphanumeric or first character letters or quoted string less 1 255 alphanumeric spaces or amp _ tha
49. AAA Server

This chapter introduces and shows you how to configure the NXC to use external authentication servers.

28.1 AAA Server Overview

You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the NXC supports.

Local user database
    The NXC uses the built-in local user database to authenticate administrative users logging into the NXC's web configurator or network access users logging into the network through the NXC. You can also use the local user database to authenticate VPN users.

Directory Service (LDAP/AD)
    LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.

RADIUS
    RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.

28.2 Authentication Server Command Summary

This section describes the commands for authentication server settings.
50. 2 250 Router config address objec Router config address objec Router config policy insert 1 Router policy route description example Router policy route destination any Router policy rout interface gel ct ct Router policy rout next hop gateway GW_1 Router policy route snat outgoing interface Router policy route source TW_SUBNET Router policy route exit Router config show policy route 1 index 1 active yes description example user any schedule none interface gel tunnel none sslvpn none source TW_SUBNET destination any DSCP code any service any nexthop type Gateway nexthop GW 1 nexthop state Not support auto destination no bandwidth 0 bandwidth priority 0 maximize bandwidth usage no SNAT outgoing interface DSCP marking preserve amount of port trigger 0 Router config 7 3 IP Static Route The NXC has no knowledge of the networks beyond the network that is directly connected to the NXC For instance the NXC knows about network N2 in the following figure through gateway R1 However the NXC is unable to route a packet to network N3 because it doesn t know that there is a route through the same gateway R1 via gateway R2 The static routes are for you to tell the NXC about the networks beyond the network connected to the NXC directly NXC CLI Reference Guide Chapter 7 Route Figure 10 Exam
51. 20m dtim period 2 beacon interval 100 ampdu limit ampdu 65535 subframe ampdu 64 amsdu limit amsdu 4096 block ack guard interval short tx mask 5 rx mask 7 output power 100 ssid profile 1 default NXC CLI Reference Guide Chapter 9 Wireless LAN Profiles 9 3 SSID Profile Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands Table 32 Input Values for General SSID Profile Commands LABEL DESCRIPTION ssid_profile_name The SSID profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive ssid The SSID broadcast name You may use 1 32 alphanumeric characters underscores _ or dashes This value is case sensitive wlan qos Sets the type of QoS the SSID should use disable Turns off QoS for this SSID wmm Turns on QoS for this SSID It automatically assigns Access Categories to packets as the device inspects them in transit wmm be Assigns the best effort Access Category to all traffic moving through the SSID regardless of origin wmm bk Assigns the background Access Category to all traffic moving through the SSID regardless of origin wmm vi Assigns the video Access Category to all traffic moving through the SSID regardless of origin wmm vo Assigns the voice Access Category to all
53. 37.240 255.255.255.0
ip gateway 172.16.37.254 metric 1
exit
# create address objects for remote management to NXC firewall rules
# use the address group in case we want to open up remote management later
address-object TW_SUBNET 172.16.37.0/24
object-group address TW_TEAM
address-object TW_SUBNE
exit
# enable Telnet access (not enabled by default, unlike other services)
ip telnet server
# open WLAN-to-NXC firewall for TW_TEAM for remote management
firewall WLAN NXC insert 4
sourceip TW_TEAM
service TELNET
action allow
exit
write

While configuration files and shell scripts have the same syntax, the NXC applies configuration files differently than it runs shell scripts. This is explained below.

Table 134 Configuration Files and Shell Scripts in the NXC

Configuration Files (.conf): Resets to default configuration. Goes into CLI Configuration mode. Runs the commands in the configuration file.

Shell Scripts (.zysh): Goes into CLI Privilege mode. Runs the commands in the shell script.

You have to run the example in Table 17 on page 224 as a shell script because the first command is run in Privilege mode. If you remove the first command, you have to run the example as a configuration file because the rest of the commands are executed in Configuration mode. See Section 1.5 on page 22 for more information about CLI modes.

35.2.1 Commen
54. 4 GHz frequency range The default is 6 5g channel wireless channel 5g Sets the broadcast band for this profile in the 5 GHz frequency range The default is 36 no disable dfs switch Makes the DFS switch active or inactive By default this is inactive no dotlin disable coexistenc Fixes the channel bandwidth as 40 MHz The no command has the AP automatically choose 40 MHz if all the clients support it or 20 MHz if some clients only support 20 MHz no ctsrts 0 2347 Sets or removes the RTS CTS value for this profile Use RTS CTS to reduce data collisions on the wireless network if you have wireless clients that are associated with the same AP but out of range of one another When enabled a wireless client sends an RTS Request To Send and then waits for a CTS Clear To Send before it transmits This stops wireless clients from transmitting packets at the same time and causing data collisions A wireless client sends an RTS for all packets larger than the number of bytes that you enter here Set the RTS CTS equal to or higher than the fragmentation threshold to turn RTS CTS off The default is 2347 no frag lt 256 2346 gt Sets or removes the fragmentation value for this profile The threshold number of bytes for the fragmentation boundary for directed messages It is the maximum data fragment size that can be sent The default is 2346 dtim period 1 255 Sets the DTIM period for this profile D
55. 50000 subframe ampdu 2 64 Sets the maximum number of frames to be aggregated each time By default this is 32 no amsdu Activates MPDU frame aggregation for this profile Use the no parameter to disable it Mac Service Data Unit MSDU aggregation collects Ethernet frames without any of their 802 11n headers and wraps the header less payload in a single 802 11n MAC header This method is useful for increasing bandwidth throughput It is also more efficient than A MPDU except in environments that are prone to high error rates By default this is enabled limit amsdu lt 2290 4096 gt Sets the maximum frame size to be aggregated The default is 4096 no multicast to unicast Multicast to unicast broadcasts wireless multicast traffic to all wireless clients as unicast traffic to provide more reliable transmission The data rate changes dynamically based on the application s bandwidth requirements Although unicast provides more reliable transmission of the multicast traffic it also produces duplicate packets The no command turns multicast to unicast off to send wireless multicast traffic at the rate you specify with the 2g multicast speed or 5g multicast speed command no block ack Makes block ack active or inactive Use the no parameter to disable it ch width wlan_htcw Sets the channel width for this profile guard interval wlan_htgi Sets the guard interval for this profil
57. Displays current packet capture settings.

Chapter 41 Maintenance Tools

Here are maintenance tool commands that you can use in configure mode.

Table 153 Maintenance Tools Commands in Configuration Mode

COMMAND: [no] packet-capture activate
DESCRIPTION: Performs a packet capture that captures network traffic going through the set NXC's interface(s). Studying these packet captures may help you identify network problems. The no command stops the running packet capture on the NXC. Note: Use the packet-capture configure command to configure the packet capture settings before using this command.

COMMAND: packet-capture configure
DESCRIPTION: Enters the sub-command mode.

COMMAND: duration <0..300>
DESCRIPTION: Sets a time limit in seconds for the capture. The NXC stops the capture and generates the capture file when either this period of time has passed or the file reaches the size specified using the files-size command below. 0 means there is no time limit.

COMMAND: file-suffix <profile_name>
DESCRIPTION: Specifies text to add to the end of the file name (before the dot and filename extension) to help you identify the packet capture files. Modifying the file suffix also avoids making new capture files that overwrite existing files of the same name. The file name format is interface_name-file_suffix.cap, for example vlan2-packet-capture.cap.

COMMAND: files-size <1..1000000000>
DESCRIPTION: Specify a maximum size limit in kilobyt
59. Gibraltar 085 Great Britain 086 Greece 087 Greenland 088 Grenada 089 Guadeloupe 090 Guam 091 Guatemala 092 Guernsey 093 Guinea 094 Guinea Bissau NXC CLI Reference Guide Chapter 5 Registration Table 11 Country Codes continued COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME 095 Guyana 096 Haiti 097 Heard and McDonald Islands 098 Holy See City Vatican State 099 Honduras 100 Hong Kong 101 Hungary 102 Iceland 103 India 104 Indonesia 105 Ireland 106 Isle of Man 107 Italy 108 Jamaica 109 Japan 110 Jersey 111 Jordan 112 Kazakhstan 113 Kenya 114 Kiribati 115 Korea Republic of 116 Kuwait 117 Kyrgyzstan 118 Lao People s Democratic Republic 119 Latvia 120 Lebanon 121 Lesotho 122 Liberia 123 Liechtenstein 124 Lithuania 125 Luxembourg 126 Macau 127 Macedonia Former Yugoslav 128 Madagascar Republic 129 Malawi 130 Malaysia 131 Maldives 132 Mali 133 Malta 134 Marshall Islands 135 Martinique 136 Mauritania 137 Mauritius 138 Mayotte 139 Mexico 140 Micronesia Federal State of 141 Moldova Republic of 142 Monaco 143 Mongolia 144 Montserrat 145 Morocco 146 Mozambique 147 Namibia 148 Nauru 149 Nepal 150 Netherlands 151 Netherlands Antilles 152 New Caledonia 153 New Zealand 154 Nicaragua 155 Niger 156 Nigeria 157 Niue 158 Norfolk Island 159 Norther
61. IDP Signature Profiles COMMAND DESCRIPTION idp signature newpro base all lan wan dmz Creates a new IDP signature profile called none newpro newpro Uses the base profile you specify Enters sub command mode All the following commands relate to the new profile Use exit to quit sub command mode no signature sid activate Activates or deactivates an IDP signature signature sid log alert Sets log or alert options for an IDP signature no signature sid log Deactivates log options for an IDP signature NXC CLI Reference Guide Chapter 22 IDP Commands Table 83 Editing Creating IDP Signature Profiles continued COMMAND DESCRIPTION signature sid action drop reject sender Sets an action for an IDP signature reject receiver reject both no signature sid action Deactivates an action for an IDP signature show idp profile signature sid details Shows signature ID details of the specified profile show idp profile signature all custom Shows the signature details of the specified signature details profile 22 3 4 Editing Creating Anomaly Profiles Use these commands to create a new anomaly profile or edit an existing one It is recommended you use the web configurator to create edit profiles If you do not specify a base profile the default base profile is none BS You CANNOT change the base profile later Table 84 Editing Creating Anomaly Profiles
62. Reference Guide Chapter 6 Interfaces Table 14 interface Commands DHCP Settings continued COMMAND DESCRIPTION no starting address ip pool size 1 65535 Sets the IP start address and maximum pool size of the specified DHCP pool The final pool size is limited by the subnet mask Note You must specify the network number first and the start address must be in the same subnet The no command clears the IP start address and maximum pool size no no 1st dns EnterpriseWLAN first dns server ip interface name 2nd dns 3rd dns second dns server ip Sets the first DNS server to the specified IP address the specified interface s first second or third DNS server or the NXC itself The no command resets the setting to its default value Sets the second DNS server to the specified IP interface name lst dns 2nd dns 3rd address the specified interface s first second or dns EnterpriseWLAN third DNS server or the NXC itself The no command resets the setting to its default value no third dns server ip interface_name Sets the third DNS server to the specified IP 1st dns 2nd dns 3rd dns address the specified interface s first second or EnterpriseWLAN third DNS server or the NXC itself The no command resets the setting to its default value no first wins server ip Specifies the first WINS server IP address to assi
66. Set the direction of travel of packets to which the rule applies Set the destination IP address es e Set the service to which this rule applies Set the action the NXC is to take on packets which match this rule Router configure terminal Router config f service object MyService tcp eq 1234 Router config address object Dest 1 10 0 0 10 10 0 0 15 Router config firewall insert 3 Router firewall from WLAN Router firewall to LAN Router firewall destinationip Dest 1 Router firewall service MyServic Router firewall action allow NXC CLI Reference Guide Chapter 19 Firewall The following command displays the firewall rule s including the default firewall rule that applies to the packet direction from WAN to LAN The firewall rule numbers in the menu are the firewall rules priority numbers in the global rule list firewall rule description firewall rule description firewall rule description Router configure terminal Router config show firewall WAN LAN 3 user any schedule none from WAN to LAN source IP any source port any destination IP Dest 1 service MyServic log no action allow status yes 4 user any schedule none from WAN to LAN source IP any source port any destination IP any service any log log action deny status yes Router config show firewall WAN LAN 2 4 user any schedul
67. Sets the unique common name cn to identify a record The no command clears this setting Sets the descriptive information for the AD server group You can use up to 60 printable ASCII characters The no command clears the setting no server group attribute group attribute Sets the name of the attribute that the NXC is to check to determine to which group a user belongs The value for this attribute is called a group identifier it determines to which group a user belongs You can add ext group user user objects to identify groups based on these group identifier values For example you could have an attribute named memberOf with values like sales RD and management Then you could also create an ext group user user object for each group One with sales as the group identifier another for RD and a third for management The no command clears the setting no server host ad_server no server password password Enter the IP address in dotted decimal notation or the domain name of an AD server to add to this group The no command clears this setting Sets the bind password up to 15 alphanumerical characters The no command clears this setting NXC CLI Reference Guide Chapter 28 AAA Server Table 110 aaa group server ad Commands continued COMMAND DESCRIPTION no server domain auth activate Activates server domain authentication The no paramet
68. Statistics Example This example shows how to collect and display anti virus statistics It also shows how to sort the display by the most common destination IP addresses Router config anti virus statistics collect Router config show anti virus statistics collect collect statistics yes Router config show anti virus statistics summary file scanned 0 virus detected 0 Router config show anti virus statistics ranking destination NXC CLI Reference Guide IDP Commands This chapter introduces IDP related commands 22 1 Overview Commands mostly mirror web configurator features It is recommended you use the web configurator for IDP features such as searching for web signatures creating editing an IDP profile or creating editing a custom signature Some web configurator terms may differ from the command line equivalent BS The no command negates the action or returns it to the default value The following table lists valid input for IDP commands Table 78 Input Values for IDP Commands LABEL DESCRIPTION zone_profile The name of a zone Use up to 31 characters a zA Z0 9 The name cannot start with a number This value is case sensitive You can also use pre defined zone names like LAN and WLAN idp profile The name of an IDP profile It can consist of alohanumeric characters the underscore and the dash and it is 1 31 characters long Spaces are not allowed
69. The range is 10 1440 minutes The following table describes the commands available for dynamic channel selection You must use the configure terminal command to enter the configuration mode before you can use these commands Table 45 Command Summary DCS COMMAND DESCRIPTION no des activate Starts dynamic channel selection Use the no parameter to turn it off dcs 2g selected channel 2 4g channels Sets the channels that are available in the 2 4 GHz band when you manually configure the channels an AP can use NXC CLI Reference Guide Chapter 12 Dynamic Channel Selection Table 45 Command Summary DCS continued COMMAND DESCRIPTION dcs 5g selected channel 5g channels Sets the channels that are available in the 5 GHz band when you manually configure the channels an AP can use dcs dcs 2g method auto manual Sets the AP to automatically search for available channels or manually configures the channels the AP uses in the 2 4 GHz band dcs dcs 5g method auto manual Sets the AP to automatically search for available channels or manually configures the channels the AP uses in the 5 GHz band dcs time interval interval Sets the interval that specifies how often DCS should run dcs sensitivity level high medium low Sets how sensitive DCS is to radio channel changes in the vicinity of the AP running the scan dcs client aware enable disable When
70. action destroy yes send windows message to zone LAN scan http infected action destroy bypass white list no bypass black list file decompression no file decompression unsupported exit Router config show anti virus rule 1 yes bypass white list yes bypass black list no file decompression yes destroy unsupported compressed file 21 2 3 White and Black Lists The following table describes the commands for configuring the white list and black list You must use the configure terminal command to enter the configuration mode before you can use these commands Table 74 Commands for Anti virus White and Black Lists COMMAND DESCRIPTION no anti virus white list activate Turn on the white list to have the NXC not perform the anti virus check on files with names that match the white list patterns no anti virus white list file pattern Adds or removes a white list file pattern Turns a file pattern av_file_pattern activate deactivate on or off anti virus white list replac old av file pattern new av file pattern pattern factivate deactivate Replaces the specified white list file pattern with a new file NXC CLI Reference Guide Chapter 21 Anti Virus Table 74 Commands for Anti virus White and Black Lists continued COMMAND DESCRIPTION no anti virus black list activate Turn on the black list to log and delete files with names
71. address or for all IP addresses Removes the DHCP bindings for the specified IP address or for all IP addresses NXC CLI Reference Guide Chapter 6 Interfaces 6 2 2 1 DHCP Setting Command Examples The following example uses these commands to configure DHCP pool DHCP_TEST Router configure terminal Router config ip dhcp pool Router config ip dhcp pool Router config ip dhcp pool Router config ip dhcp pool Router config ip dhcp pool Router config ip dhcp pool Router config ip dhcp pool Router config ip dhcp pool Router config ip dhcp pool Router config ip dhcp pool Router config ip dhcp pool Router config ip dhcp pool Router config interface gel Router config if exit binding interface gel binding pool DHCP_TEST Router config ip dhcp pool DHCP TEST network 192 168 1 0 24 domain name zyxel com first dns server 10 1 5 1 second dns server gel 1st dns third dns server 10 1 5 2 default router 192 168 1 1 lease 0 1 30 starting address 192 168 1 10 pool size 30 hardware address 00 0F 20 74 B8 18 client identifier 00 0F 20 74 B8 18 client name TWtesterl exit Router config if ip dhcp pool DHCP TEST Router config show ip dhcp server status NXC CLI Reference Guide Chapter 6 Interfaces 6 2 3 Connectivity Check Ping check Commands Use these commands to have an interface regularly check the conn
73. and application patrol in addition to controlling access to configuration and services in the NXC 24 1 1 User Types There are the types of user accounts the NXC uses Table 95 Types of User Accounts Perform basic diagnostics CLI TYPE ABILITIES LOGIN METHOD S Admin Users Admin Change NXC configuration web CLI WWW TELNET SSH FTP Limited Admin Look at NXC configuration web CLI WWW TELNET SSH Access Users User Access network services Captive Portal TELNET SSH Browse user mode commands CLI Guest Access network services Captive Portal Ext User External user account Captive Portal Ext User Group External group user account Captive Portal configuration guest manager Create dynamic guest accounts WWW dynamic guest Access network services Captive Portal mac address As permitted by the user aware feature MAC Authentication NXC CLI Reference Guide Chapter 24 User Group 24 2 User Group Commands Summary The following table identifies the values required for many username groupname commands Other input values are discussed with the corresponding commands Table 96 username groupname Command Input Values LABEL DESCRIPTION username value is case sensitive The name of the user account You may use 1 31 alphanumeric characters underscores or dashes but the first character cannot be a number This groupname The nam
74. any is logged in the system log and debugging log for the specified category nol logging system log suppression interval lt 10 600 gt Sets the log consolidation interval for the system log The no command sets the interval to ten no logging system log suppression Enables log consolidation in the system log The no command disables log consolidation in the system log no connectivity check continuous log activate Has the NXC generate a log for each connectivity check The no command has the NXC only log the first connectivity check show connectivity check continuous log status Displays whether or not the NXC generates a log for each connectivity check clear logging system log buffer Clears the system log NXC CLI Reference Guide Chapter 36 Logs 36 1 2 1 System Log Command Examples The following command displays the current status of the system log Router configure terminal Router config show logging status system log 512 events logged suppression active yes suppression interval 10 category settings content filter normal forward web sites no j blocked web sites normal user normal myZyXEL com normal zysh normal idp normal app patrol normal ike normal ipsec normal firewall normal sessions limit normal policy route normal built in service normal system normal connectivity check normal device ha normal
75. arrives the NXC divides it into smaller fragments no mtu Disables the mtu feature for this interface no ip gateway gateway metric lt 0 15 gt Enter the IP address of the gateway The NXC sends packets to the gateway when it does not know how to route the packet to its destination The gateway should be on the same network as the interface Also enter the metric priority of the gateway if any on this interface The NXC decides which gateway to use based on this priority The lower the number the higher the priority If two or more gateways have the same priority the NXC uses the one that was configured first join lt interface_name gt lt tag untag gt Links the VLAN to the specified physical interface and also sets this interface to send packets with or without a VLAN tag no join lt interface_name gt Disassociates the specified physical interface from the VLAN upstream lt 0 1048576 gt Sets the maximum amount of traffic in kilobits per second the NXC can send through the interface to the network no upstream Disables the upstream bandwidth limit downstream lt 0 1048576 gt Sets the maximum amount of traffic in kilobits per second the NXC can receive from the network through the interface no downstream Disables the downstream bandwidth limit NXC CLI Reference Guide Chapter 6 Interfaces Table 22 Command Summary VLAN Interfac
76. commands to configure settings that apply to the USB storage device connected to the NXC NXC CLI Reference Guide Chapter 6 Interfaces BS For the NXC which supports more than one USB ports these commands only apply to the USB storage device that is first attached to the NXC Table 20 USB Storage General Commands COMMAND DESCRIPTION show usb storage no usb storage activate Displays the status of the connected USB storage device Enables or disables the connected USB storage service usb storage warn number lt percentage megabyte gt Sets a number and the unit percentage or megabyte to have the NXC send a warning message when the remaining USB storage space is less than the set value percentage 10 to 99 megabyte 100 to 9999 usb storage mount Mounts the connected USB storage device usb storage umount Unmounts the connected USB storage device no logging usb storage Sets to have the NXC log or not log any information about the connected USB storage device s for the system log logging usb storage category category level all normal Configures the logging settings for the specified category for the connected USB storage device logging usb storage category category disable Stops logging for the specified category to the connected USB storage device logging usb storage flushThreshold 1 100 Configures the maximum storage space
77. config activate no time interval 720 sensitivity level high client awar nabl auto none 3 channel 2 4 ghz selection method 2 4 ghz selected channels 2 4 ghz channel deployment 5 ghz selection method auto 5 ghz selected channels none 5 ghz DFS awar nabl
Wireless Load Balancing. This chapter shows you how to configure wireless load balancing.
13.1 Wireless Load Balancing Overview. Wireless load balancing is the process whereby you limit the number of connections allowed on a wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it. Because there is a hard upper limit on the AP's wireless bandwidth, this can be a crucial function in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the available bandwidth to the point where each connecting device receives a meager trickle, the load balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity.
13.2 Wireless Load Balancing Commands. The following table describes the commands available for wireless load balancing. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 46 Command Summary: Load Balancing. COMMAND DESCRIPTION no load balancing kickout
78. connection NXC CLI Reference Guide Chapter 20 Application Patrol 20 2 Application Patrol Commands Summary The following table describes the values required for many application patrol commands Other values are discussed with the corresponding commands Table 61 Input Values for Application Patrol Commands LABEL DESCRIPTION protocol name The name of a pre defined application These are listed by category general ftp smtp pop3 irc http im msn aol icq yahoo qa p2p bittorrent eDonkey fasttrack gnutella napster h323 sip soulseek stream rtsp rule number The number of an application patrol rule 1 X where X is the highest number of rules the NXC model supports See the NXC s User s Guide for details zone name The name of a zone You may use 1 31 alphanumeric characters underscores or dashes but the first character cannot be a number This value is case sensitive schedule name The name of a schedule You may use 1 31 alphanumeric characters underscores or dashes but the first character cannot be a number This value is case sensitive The following sections list the application patrol commands 20 2 1 Pre defined Application Commands This table lists the commands for each pre defined application Table 62 app Commands Pre Defined Applications COMMAND DESCRIPTION no app protocol name activate Enables application patrol for the specified applicati
80. description Maps the specified OUI (Organizationally Unique Identifier) authenticated by the NXC's local user database to the specified MAC role (MAC address user account). The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device. The no command deletes the mapping between the OUI and the MAC role.
24.2.4.1 MAC Auth Example. This example uses an external server to authenticate wireless clients by MAC address. After authentication the NXC maps the wireless client to a mac address user account (MAC role). Configure user aware features to control MAC address user access to network services. The following commands: Create a MAC role (mac address user type user account) named ZyXEL mac. Map a wireless client's MAC address of 00 13 49 11 a0 c4 to the ZyXEL mac MAC role (MAC address user account). Modify the WLAN security profile named secureWLANI as follows: Turn on MAC authentication. Use the authentication method named Auth1. Use colons to separate the two character pairs within account MAC addresses. Use upper case letters in the account MAC addresses.
Router config username ZyXEL mac us Router config mac auth database mac 00 13 49 11 a0 c4 typ mac role ZyXEL mac description zyxel mac 3 Modify wlan security profil Router config wlan security profile Router conf
83. for access account yes maximum simultaneous logon per access account 3
24.2.4 MAC Auth Commands. This table lists the commands for mapping MAC addresses to MAC address user accounts.
Table 100 mac auth Commands Summary (COMMAND : DESCRIPTION)
no mac auth database mac mac address type ext mac address mac role username description description : Maps the specified MAC address authenticated by an external server to the specified MAC role (MAC address user account). The no command deletes the mapping between the MAC address and the MAC role.
no mac auth database mac mac address type int mac address mac role username description description : Maps the specified MAC address authenticated by the NXC's local user database to the specified MAC role (MAC address user account). The no command deletes the mapping between the MAC address and the MAC role.
no mac auth database mac oui type ext oui : Maps the specified OUI (Organizationally Unique Identifier) authenticated by an external server to the specified MAC role (MAC address user account). The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device. The no command deletes the mapping between the OUI and the MAC role.
no mac auth database mac oui type int oui mac role username description
84. hardware watchdog timer settings
Table 154 hardware watchdog timer Commands (COMMAND : DESCRIPTION)
no hardware watchdog timer <4 37> : Sets how long the system's hardware can be unresponsive before resetting. The no command turns the timer off.
hardware watchdog timer start : Enables the hardware watchdog timer.
show hardware watchdog timer status : Displays the settings of the hardware watchdog timer.
42.2 Software Watchdog Timer. The software watchdog has the system restart if the core firmware fails. The software watchdog timer commands are for support engineers. It is recommended that you not modify the software watchdog timer settings.
Table 155 software watchdog timer Commands (COMMAND : DESCRIPTION)
no software watchdog timer timer : Sets how long the system's core firmware can be unresponsive before resetting. The no command turns the timer off. timer: 10 to 600 (NXC5200) or 10 to 60 (NXC2500).
show software watchdog timer status : Displays the settings of the software watchdog timer.
show software watchdog timer log : Displays a log of when the software watchdog timer took effect.
42.3 Application Watchdog. The application watchdog has the system restart a process that fails. These are the app watchdog commands. Use the configure terminal command to enter the configuration mode to be ab
86. in minutes for each new user. Set it to zero to set unlimited reauthorization time. The no command sets the default reauthorization time to thirty.
Table 99 username groupname Commands Summary: Settings, continued (COMMAND : DESCRIPTION)
users default setting no user type admin ext user guest limited admin ext group user : Sets the default user type for each new user. The no command sets the default user type to user.
show users retry settings : Displays the current retry limit settings for users.
no users retry limit : Enables the retry limit for users. The no command disables the retry limit.
users retry count <1 99> : Sets the number of failed login attempts a user can have before the account or IP address is locked out for lockout period minutes. The no command sets the retry count to five.
users lockout period <1 65535> : Sets the amount of time in minutes a user or IP address is locked out after retry count number of failed login attempts. The no command sets the lockout period to thirty minutes.
show users simultaneous logon settings : Displays the current settings for simultaneous logins by users.
no users simultaneous logon administration access enforce : Enables the limit on the number of simultaneous logins by users of the specified account type. The no command disables the limit or allow
87. lists the schedule commands
Table 109 schedule Commands (COMMAND : DESCRIPTION)
show schedule object : Displays information about the schedules in the NXC.
no schedule object object_name : Deletes the schedule object.
schedule object list : Lists all schedules configured on the NXC.
schedule object object_name date time date time : Creates or updates a one time schedule. date: yyyy mm dd date format, yyyy <01 12> <01 31>.
schedule object object_name time time day day day day day day day : Creates or updates a recurring schedule. day: 3 character day of the week, sun mon tue wed thu fri sat.
27.2.1 Schedule Command Examples. The following commands create recurring schedule SCHEDULE1 and one time schedule SCHEDULE2 and then delete SCHEDULE1.
Router configure terminal
Router config schedule object SCHEDULE1 11 00 12 00 mon tue wed thu fri
Router config schedule object SCHEDULE2 2006 07 29 11 00 2006 07 31 12 00
Router config show schedule object
Object name Type Start End Ref
SCHEDULE1 Recurring 11 00 12 00 MonTueWedThuFri 0
SCHEDULE2 Once 2006 07 29 11 00 2006 07 31 12 00 0
Router config no schedule object SCHEDULE1
Router config show schedule object
Object name Type Start End Ref
SCHEDULE2 Once 2006 07 29 11 00 2006 07 31 12 00 0
89. log proto accept begin lt 1 512 gt end lt 1 512 gt keyword keyword gra A O dd esdq dud exa adu dd Rd du Me d aaa eae fos oo an 246 show wtp logging debug entries field srcif dstif proto time msg src dst note pri cat all begin lt 1 1024 gt end lt 1 1024 gt ap mac 246 show wtp lodglhg debug Stebtus Sp ch siriar rabo UR ROGA deed X AGE ACERO Re dS ae Sooke 246 show wtp logging entries priority pri category module name srcip ipv4 dstip ipv4 service service srciface config interface dstiface config interface proto col log proto accept begin lt 1 512 gt end lt 1 512 gt keyword keyword ap mac 246 show wtp logging entries field srcif dstif proto time msg src dst notel pril cat all Bedia Alo biker mne Si RPG udue4 4 ak RR ECR OR Sates Cares dee E RP d 246 show wtpelesgging guery dbg log Bp MUS dus 99 s CREER ER Cra Que x dE aO ev e A RUP d bee 247 chow wtp lesglnud Sudre loq ABS avisar Ee ERG dux Ru dd eed fub S Ed wad boa ea Re 247 Show wtp lesgrHg EESUIE SEALUS cit ctedaur ene che ee e cere pae oic ole Rap whee rw podeis 247 show wtpeloagging ststus Mail ag mec rss etka tata eekaeee Pdedoe S een eee ase 247 ahow wep l gging Status syslog ap mec 442i debate e Lemar eR bd REE i eR C 246 shov wep logging STATUS sy5sLten loqg lap MAG ted asee ce eh A oR Ss 246 show rone Brote nane aaa ea eras i aan ei keen dox RAR Dba eee hare eh eae eee es 108 shov so
90. mechanism you can disable it and then any newly connected AP is registered automatically.
Figure 11 Example AP Management. In this example the NXC (A) connects up to a number of Power over Ethernet switches such as the ES 2025 PWR (B). They connect to the NWA5160N Access Points (C), which in turn provide access to the network for the wireless clients within their broadcast radius. Let's say one AP (D) starts giving you trouble. You can log into the NXC via console or Telnet and troubleshoot, such as viewing its traffic statistics or reboot it, or even remove it altogether from the list of viable APs that stations can use.
8.2 AP Management Commands. The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 28 Input Values for General AP Management Commands (LABEL : DESCRIPTION)
ap_mac : The Ethernet MAC address of the managed AP. Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.
ap_model : The model name of the managed AP, such as NWA5160N, NWA5560 N, NWA5550 N, NWA5121 NI or NWA5123 NI.
slot_name : The slot name for the AP's on board wireless LAN card. Use either slot1 or slot2. The NWA5560 N supports up to 2 radio slots.
profile_name : The wireless LAN radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes
92. network. Use a different cluster ID to identify each virtual router.
Monitored Interfaces in Active Passive Mode Device HA. You can select which interfaces device HA monitors. If a monitored interface on the NXC loses its connection, device HA has the backup NXC take over. Enable monitoring for the same interfaces on the master and backup NXCs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master NXC.
Virtual Router and Management IP Addresses. If a backup takes over for the master, it uses the master's IP addresses. These IP addresses are known as the virtual router IP addresses. Each interface can also have a management IP address. You can connect to this IP address to manage the NXC regardless of whether it is the master or the backup.
23.4 Active Passive Mode Device HA Commands. The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 93 Input Values for device ha Commands (LABEL : DESCRIPTION)
interface name : The name of the interface. Ethernet interface: gex, x = 1-N, where N equals the highest numbered Ethernet interface for your NXC model. VLAN interface: vlanx, x = 0-511.
The following sections list the device ha commands. 23.4.1 Active Passive Mode Device HA C
93. no logging console category module_name Enables logging for the specified category in the console log The no command disables logging 36 1 6 Access Point Logging Commands This table lists the commands for the Access Point settings BES For the purposes of this device s CLI Access Points are referred to as WTPs Table 144 logging Commands Access Point Settings COMMAND DESCRIPTION show wtp logging status system log ap_mac show wtp logging entries category module_name ipv4 service service srciface config_interface dstiface config_interface protocol log_proto_accept begin lt 1 512 gt end lt 1 512 gt keyword keyword ap_mac priority pri srcip ipv4 dstip Displays the system log for the specified AP Displays only the specified log entries for the specified AP show wtp logging entries field srcif dstif proto time msg src dst note pril c at all begin lt 1 512 gt end lt 1 512 gt ap mac Displays only log entries for specified fields for the specified AP You can display a range of field entries from 1 512 show wtp logging debug status ap mac Displays the debug status of the specified AP show wtp logging debug entries category module name srcip ipv4 ipv4 service service srciface config interface dstiface config interface protocol log proto accept begin lt 1 512 gt end lt 1 512 gt keyword keyword priori
94. other rule rule_number Displays the rule s configuration show app other rule rule_number statistics Displays the rule s statistics show app other rule default show app other rule default statistics Displays the default rule s configuration Displays the default rule s statistics show app other rule all Displays the configurations of all the rules for other applications show app other rule all statistics Displays all the rule statistics for other applications show app highest sip bandwidth priority Displays whether or not the option to maximize the throughput of SIP traffic is enabled show bwm activation Displays whether or not the global setting for bandwidth management on the NXC is enabled 20 2 6 1 General Command Examples The following examples show the information that is displayed by some of the show commands Router gt configure terminal Router config show bwm activation bwm activation yes NXC CLI Reference Guide Chapter 20 Application Patrol Router configure terminal Router config show app http config application http active yes mode portless default access forward bandwidth graph yes Router configure terminal Router config show app http defaultport No Port 1 80 Router configure terminal Router config show app http rule all index default activate y
96. routes, firewall rules, application patrol and content filtering.
27.1 Schedule Overview. The NXC supports two types of schedules: one time and recurring. One time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based on the current date and time in the NXC.
Note: Schedules are based on the current date and time in the NXC.
One time schedules begin on a specific start date and time and end on a specific stop date and time. One time schedules are useful for long holidays and vacation periods. Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off work hours.
27.2 Schedule Commands Summary. The following table describes the values required for many schedule commands. Other values are discussed with the corresponding commands.
Table 108 Input Values for Schedule Commands (LABEL : DESCRIPTION)
object_name : The name of the schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes, but the first character cannot be a number. This value is case sensitive.
time : 24 hour time, hours and minutes, <0 23> <0 59>.
The following table
97. routing protocol normal nat normal pki normal interface normal interface statistics no A account normal port grouping normal force auth normal 12tp over ipsec normal anti virus normal white list normal black list normal ssl vpn normal S cnm normal traffic log no file manage normal dial in normal adp normal default all y 36 1 3 Debug Log Commands This table lists the commands for the debug log settings Table 140 logging Commands Debug Log Settings COMMAND DESCRIPTION show logging debug status show logging debug entries priority pri category module name srcip ip dstip ip service service name begin lt 1 1024 gt end lt 1 1024 gt keyword keyword Displays the current settings for the debug log Displays the selected entries in the debug log pri alert crit debug emerg error info notice warn keyword You can use alphanumeric and 4 0 characters and it can be up to 63 characters long This searches the message Source destination and notes fields show logging debug entries field field lt 1 1024 gt end lt 1 1024 gt begin Displays the selected fields in the debug log field time msg src dst note pri cat all no logging debug suppression Enables log consolidation in the debug log The no command disables log consolidation in the debug log no logging debug suppression
98. s CLI (Command Line Interface) to configure the managed AP's CAPWAP (Control And Provisioning of Wireless Access Points) client and DNS server settings.

43.1 Managed Series AP Commands Overview

Log into an AP's CLI and use the commands in this chapter if the AP does not automatically connect to the NXC or you need to configure the AP's DNS server. Use the CAPWAP client commands to configure settings to let the AP connect to the NXC. Use the DNS server commands to configure the DNS server address to which the AP connects. When the AP reboots, it only keeps the configuration from commands covered in this chapter.

43.2 Accessing the AP CLI

Connect to the AP's console port and use a terminal emulation program, or connect through the network using Telnet or SSH. The settings and steps for logging in are similar to connecting to the NXC. See Section 1.2 on page 15 for details.

Note: The AP's default login username is admin and password is 1234. The username and password are case sensitive. If the AP has connected to the NXC, the AP uses the same admin password as the NXC.

Use the write command to save the current configuration to the NXC.

Note: Always save the changes before you log out after each management session. All unsaved changes will be lost after the system restarts.

43.3 CAPWAP Client Commands

Use the CAPWAP client commands to configure the AP's IP
99. server ad host 172 16 50 1 port 389 base dn DC ZyXEL DC com bind dn zyxel engineerABC password abcdefg login name attribute sAMAccountName account userABC dn Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEOzlaeVhFTCxEQz1jb20 objectClass top objectClass person objectClass organizationalPerson objectClass user cn MTIzNzco546L5a0r5 6uRKQ sn User 1 2341100 SNIP

Authentication Server

This chapter shows you how to configure the NXC as an authentication server for access points.

30.1 Authentication Server Overview

The NXC can also work as a RADIUS server to exchange messages with other APs for user authentication and authorization.

30.2 Authentication Server Commands

The following table lists the authentication server commands you use to configure the NXC's built-in authentication server settings.

Table 115 Command Summary: Authentication Server
COMMAND                                   DESCRIPTION
[no] auth-server activate                 Sets the NXC to act as an authentication server for other RADIUS clients, such as APs. The no command sets the NXC to not act as an authentication server for other APs.
auth-server authentication auth_method    Specifies an authentication method used by the authentication server.
no auth-server authentication             Resets the authentication method used by the authentication server to the factory d
100. shows an example using a text-based SSH client program. Refer to the documentation that comes with your SSH program for information on using it.

The default login username is admin and password is 1234. The username and password are case sensitive.

Figure 4 SSH Login Example

C:\>ssh2 admin@192.168.1.1
Host key not found from database.
Key fingerprint:
xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex
You can get a public key's fingerprint by running ssh-keygen -F publickey.pub on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to C:/Documents and Settings/user/Application Data/SSH/hostkeys/ey_22_192.168.1.1.pub
host key for 192.168.1.1, accepted by user Tue Aug 09 2005 07:38:28
admin's password:
Authentication successful.

1.3 How to Find Commands in this Guide

You can simply look for the feature chapter to find commands. In addition, you can use the List of Commands at the end of the guide. This section lists the commands in alphabetical order that they appear in this guide.

If you are looking at the CLI Reference Guide electronically, you might have additional options (for example, bookmarks or Find) as well.

1.4 How Commands Are Explained

Each chapter explains the commands for one keyword. The chapters are divided into the following sections.

1.4.1 Background Infor
101. that match the black list patterns no anti virus black list file pattern Adds or removes a black list file pattern Turns a file pattern av_file_pattern activate deactivate on or off activate deactivate anti virus black list replace Replaces the specified black list file pattern with a new file old_av_file_pattern new_av_file_pattern pattern 21 2 3 1 White and Black Lists Example This example shows how to enable the white list and configure an active white list entry for files with a exe extension It also enables the black list and configure an inactive black list entry for files with a exe extension Router config Router config Router config Router config Router config Router config Router config No Status File Pattern anti virus white list status yes anti virus white list activate anti virus white list file pattern anti virus white list file pattern exe activate anti virus black list activate anti virus black list file pattern exe deactivate show anti virus white list status show anti virus white list 1 yes exe No Status File Pattern Router config show anti virus black list status anti virus black list status yes Router config show anti virus black list 1 no exe NXC CLI Reference Guide Chapter 21 Anti Virus 21 2 4 Signature Search Anti virus Command The following table describes the com
102. the NXC groupname rename groupname groupname no groupname groupname Creates the specified user group if necessary and enters sub command mode The no command deletes the specified user group no description description Sets the description for the specified user group The no command clears the description for the specified user group no groupname groupname Adds the specified user group second groupname to the specified user group first groupname no user username Adds the specified user to the specified user group show Displays information about the specified user group Renames the specified user group first groupname to the specified group name second groupname 24 2 3 User Setting Commands This table lists the commands for user settings except for forcing user authentication Table 99 username groupname Commands Summary Settings COMMAND DESCRIPTION show users default setting all user type admin user guest limited admin ext group user Displays the default lease and reauthentication times for the specified type of user accounts lt 0 1440 gt users default setting no logon lease time Sets the default lease time in minutes for each lt 0 1440 gt new user Set it to zero to set unlimited lease time The no command sets the default lease time to five users default setting no logon re auth time Sets the default reauthorization time
103. the rule s configuration 20 2 6 General Commands for Application Patrol Js You must register for the IDP AppPatrol signature service at least the trial before you can use it See Chapter 5 on page 41 This table lists the general commands for application patrol Table 70 app Commands Pre Defined Applications COMMAND DESCRIPTION no app activate Turns on application patrol The no command turns off application patrol no app highest sip bandwidth priority Turns the option to maximize the throughput of SIP traffic on or off no app protocol name bandwidth graph Sets the specified protocol to display on the bandwidth statistics graph The no command has it not display on the bandwidth statistics graph no app other protocol name bandwidth graph Sets traffic for unidentified applications to display on the bandwidth statistics graph The no command it not display on the bandwidth statistics graph no bwm activate Globally enables bandwidth management You must globally activate bandwidth management to have individual policy routes or application patrol policies apply bandwidth management The no command globally disables bandwidth management show app config Displays whether or not application patrol is active show app all Displays the settings for all applications NXC CLI Reference Guide E Chapter 20 Application Patrol Table 70 app Commands Pre Defined App
104. udp Displays ICMP, TCP and UDP session timeouts.

The following example sets the UDP session connect timeout to 10 seconds, the UDP deliver session timeout to 15 seconds, and the ICMP timeout to 15 seconds.

Router(config)# session timeout udp-connect 10
Router(config)# session timeout udp-deliver 15
Router(config)# session timeout icmp 15
Router(config)# show session timeout udp
UDP session connect timeout: 10 seconds
UDP session deliver timeout: 15 seconds
Router(config)# show session timeout icmp
ICMP session timeout: 15 seconds

Diagnostics

This chapter covers how to use the diagnostics feature.

39.1 Diagnostics

The diagnostics feature provides an easy way for you to generate a file containing the NXC's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.

39.2 Diagnosis Commands

The following table lists the commands that you can use to have the NXC collect diagnostics information. Use the configure terminal command to enter the configuration mode to be able to use these commands.

Table 150 diagnosis Commands
COMMAND              DESCRIPTION
diag-info collect    Has the NXC create a new diagnostic file.
diag-info copy       Sets the NXC to create an extra copy of the diagnostic file to a connected
105. usr def certificate name key type rsa dsa key len key length pass word Password a oca name Url Url seriste reret X Ee AAA ARA 204 ca generate pkcsl10 name certificate name cn type ip cn cn address fqgdn cn cn domain name mail cn cn email ou organizational unit o organization c country usr def certificate name key type rsa dsa key len key length 205 ca generate pkcslz name name password Password serios A 205 ca generate x509 name certificate_name cn type ip cn cn_address fqdn cn cn domain name mail cn cn email ou organizational unit o organization c country usr def certificate name key type rsa dsa key len key length 205 ca rename category local remote old name new name si dee eid x m caw et ee ee eee Seek as 205 En validation GSemobe COFLITIOHDE lige dd 69 S be EORR RUUR AAA SERA 205 capwap ap ac ip primary_ac_ip primary_ac_dns secondary ac ip secondary ac dns 272 SAP ap SORTIE DUES cuca edem Bre ad Wd qs RB Ru ede xu at vada need 212 CApwap ap add ap mac an model san bata e heh daw aS SETS HERE SEES ROR PRR Rb ANE S 74 CAPWAD Ap QE NEUE epicii FSS TOROS RECO d OE RUE Kd DOWER ANDA eH SO RS EE BER EP 74 DCSDNWED ap Kick DELI Be Tee ak uu Raoruckd E46 e X ene eee dew ea ew TQ eA CY ES ee RARAS 74 CAPWAD ap DEDOGE AD MES Uuiegdu4us deque pe SE SASS EDS SOR SORE ESSER EP EOE SS EEE REE e 74 gapwap ap Vien ip SOOPeSS GIO BOCUESE ia cheb ERE Re ee de wide eee ORO ECC CE OR OR COR Cede a dd 272 papap ap
106. value Set this to the class default to have the NXC set the DSCP value to 0 dscp_class default af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 wmm bk8 wmm bk16 wmm be0 wmm be24 wmm vi32 wmm vi40 wmm vo48 wmm vo56 User define no log alert Creates log entries and alerts for traffic that matches the rule The no command does not create any log entries NXC CLI Reference Guide Chapter 20 Application Patrol Table 64 app protocol rule Sub commands continued COMMAND DESCRIPTION no outbound dscp mark lt 0 63 gt class This is how the NXC handles the DSCP value of default dscp_class the outgoing packets from a connection s initiator that match this policy Enter a DSCP value to have the NXC apply that DSCP value Set this to the class default to have the NXC set the DSCP value to 0 dscp_class default af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 wmm bk8 wmm bk16 wmm be0 wmm be24 wmm vi32 wmm vi40 wmm vo48 wmm vo56 User define port 0 65535 Specifies the destination port 0 means any no schedule schedule nam Adds the specified schedule to the rule show Displays the rule s configuration no source address object Adds the specified source address to the rule no to zone name Specifies the destination zone no user username Add
107. xtension filter s 500 n tcpdump listening on ethl 07 24 07 898639 192 168 105 133 192 168 105 40 icmp echo request DF 07 24 07 900450 192 168 105 40 192 168 105 133 icmp echo reply 07 24 08 908749 192 168 105 133 192 168 105 40 icmp echo request DF 07 24 08 910606 192 168 105 40 192 168 105 133 icmp echo reply NXC CLI Reference Guide Chapter 41 Maintenance Tools Router packet trace interface ge2 ip proto icmp file extension filter and src host 192 168 105 133 and dst host 192 168 105 40 s 500 n tcpdump listening on ethl 07 26 51 731558 192 168 105 133 192 168 105 40 icmp echo request DF 07 26 52 742666 192 168 105 133 gt 192 168 105 40 icmp echo request DF 07 26 53 752774 192 168 105 133 gt 192 168 105 40 icmp echo request DF 07 26 54 762887 192 168 105 133 gt 192 168 105 40 icmp echo request DF 8 packets received by filter 0 packets dropped by kernel Router traceroute www zyxel com traceroute to www zyxel com 203 160 232 7 30 hops max 38 byte packets 1 172 16 13 254 3 049 ms 1 947 ms 1 979 ms 2 172 16 6 253 2 983 ms 2 961 ms 2 980 ms 3 172 16 6 1 5 991 ms 5 968 ms 6 984 ms 4 k The following example creates an ARP table entry for IP address 192 168 1 10 and MAC address 01 02 03 04 05 06 Then it shows the ARP table and finally removes the new entry Router arp 192 168 1 10 01 02 03 04 05 06 Router show arp table
108. 0 Use signal extra port With a listening port number 1025 to 65535 if you are also using SIP on an additional UDP port number enter it here Use media timeout and a number of seconds 1 786400 for how long to allow a voice session to remain idle without voice traffic before dropping it Use signal timeout and a number of seconds 1 786400 for how long to allow a SIP signaling session to remain idle without SIP packets before dropping it Use transformation to have the NXC modify IP addresses and port numbers embedded in the SIP data payload You do not need to use this if you have a SIP device or server that will modify IP addresses and port numbers embedded in the SIP data payload The no command turns off the SIP ALG or removes the settings that you specify no alg lt h323 ftp signal port lt 1025 65535 gt signal extra port lt 1025 65535 gt transformation Turns on or configures the H 323 or FTP ALG Use signal port with a listening port number 1025 to 65535 if you are using H 323 on a TCP port other than 1720 or FTP on a TCP port other than 21 Use signal extra port With a listening port number 1025 to 65535 if you are also using H 323 or FTP on an additional TCP port number enter it here Use transformation to have the NXC modify IP addresses and port numbers embedded in the H 323 or FTP data payload You do not need to use this if you have an H 323 or FTP device or server that will modify IP ad
109. 122 dogipeshs8 SGRIUEDS quad d kdo Ra qd RR AE e we Ee dde aq AA du XR 164 device ha ap mode authentication string key ah md5 key 166 device ha ap mode backup sync authentication password password 166 dewlcp ha amp apethode DROEBD Syne AUCO sexso ech Pu ERE Ru Hp Wb pd dH RE Ed d ead d 166 device ha ap mode backup sync from master address port lt 1 65535 gt 166 device hd apemode backup syne interval lt 5 lt 1440 gt lt 2 css48 e804 rra che ee ewe neue 166 devics no ap mode BACer eee Hae ACTIVA couse deus ecavas es AA Cae see eee 166 device ha ap mode interface name manage ip ip subnet mask 166 device ha ap mode master sync authentication password password 166 dbBwipe Ha dap mode PESCMPE 6 ened aon Soe eta de Ron o reed eA ERA Rema de Re qu m 165 diag into day usbebLoDadO 125 p 2 0 0 d eave d d grade Marc ker d qd meae e dara 61 isabl5BedIseswiteM higiseks XR ud ARANA adc eae Pads RR PPS 79 ASMALRARAmS TOMA DONE er pag An E VON RURERCRGYOOR OC AUORK WOR EC ak OR ICR CR ED AED SS ROR 209 domabnename Jondan SO 65460 0S ak CN EE AS OREL ACC C UE OR OCA CU OR ed d CC EES 54 HOLIInmedisshle coOSETS Enee 1 6 28h E rr eee oN Oe ee eae Ed ed d ade de ESSE T2 downstresm SD I0JSDIBO ra X ehebeete doe ee hen RE AAA A ADA AS he REC we 20 poen fany 40 2699 AI tee sete eee wen Ted eh ee AA nC CREE eee ROT 66 deseo glass default ASE class prer seks cede nee KEK ORER
110. 168 1 2 192 168 2 20 config address object A2 192 168 3 0 24 config 4 object group address RD group address address object Al group address address object A2 Router Router Router Router Router Router group address exit

Router(config)# show object-group address
Group name    Reference    Description
TW_TEAM       5
RD            0
Router(config)# show object-group address RD
Object/Group name    Type      Reference
A1                   Object    1
A2                   Object    1

Services

Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.

26.1 Services Overview

See the appendices in the web configurator's User Guide for a list of commonly used services.

26.2 Services Commands Summary

The following table describes the values required for many service object and service group commands. Other values are discussed with the corresponding commands.

Table 105 Input Values for Service Commands
LABEL          DESCRIPTION
group_name     The name of the service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case sensitive.
object_name    The name of the service. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value i
111. 192.168.1.1 to Upload File Done
Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file.

5 The NXC's FTP server IP address for firmware recovery is 192.168.1.1, so set your computer to use a static IP address from 192.168.1.2 to 192.168.1.254.

6 Use an FTP client on your computer to connect to the NXC. For example, in the Windows command prompt, type ftp 192.168.1.1. Keep the console session connected in order to see when the default system database recovery finishes.

7 Hit enter to log in anonymously.

8 Set the transfer mode to binary (type bin).

9 Transfer the firmware file from your computer to the NXC. Type put followed by the path and name of the firmware file. This example uses put e ftproot ZLD FW 1 01 XL 0 CO db

Figure 41 FTP Default System Database Transfer Command

C V gt ftp 192 168 1 1 Connected to 192 168 1 1 226 lt lt gt gt 2 lt Welcome to PureFTPd 1 0 11 gt gt lt x gt gt 226 You are user number 1 of 58 allowed 22 Local time is now 03 56 and the load is 0 00 Server port 21 226 Only anonymous FTP is allowed here 226 You will be disconnected after 15 minutes of inactivity User lt 192 168 1 1 none gt gt 238 Anonymous user logged in ftp gt bin 206 TYPE is now 8 bit binary ftp put E ftproot ZLD_FW 161XL 161XLGCOM1 B1 lt XL B gt CB db

10 Wait for the file transfer to complete
112. 20 2 1 Prede ned Application Commands cc andi sur das iade Decr a dual ndn abad 128 20 2 2 Rule Commands for Pre defined Applications esessseeeeeeennnn 128 20 2 3 Exception Commands for Pre defined Applications ssesseeseeees 130 20 8 4 Other BEIGE Commando cascade eoe da 131 20 2 5 Rule Commands tor Other ADDIGATIDIE ori aaaea 132 20 2 6 General Commands for Application Patrol soi ee mter ri 133 Chapter 21 l 137 ELT ARA USCIS aana 137 Cle AVS OMNIA NUS ia o 137 21 2 NASA VIFUS CONTA su o rs cs 138 21 2 2 ZO to Zone FUN RULES orsica aiaa i 138 1 23 Ye Dd DIES LRU a 140 21 2 4 Signature Search Anti virus Command 1 5 score ot S kae Res ea A eR ew iR Up RES 142 21 3 Update Ani Ev eec 142 213 01 Upda signatis EXAMPIOS asno o is 143 PIAA NS ae E f Tc M ET 143 Zikk Ap vis Salbe EXATIBIB b ee Pbi ea das A 144 Chapter 22 IDP GOMMAN t 145 ONE ior eM eM TM 145 222 GenerallOP Commande Me ER 145 nn D D DL D 145 22 RI Petia E EET dida 146 ecd d alebat Profile Om INNIS rra ea en amena debt ed a ta d epos C bcn aa 146 2o DP ZO TOO EUIS ao o ao bl 147 22 3 3 Editing renting IDF Signature Profiles eret ioni sett n trescientos cma uae ra teens 148 22 94 Editing Creating Anomaly Profiles in deci e trae br elec ERR DOG e PERRO a ERR 149 2 ENT Ver eM ru oe asa iia 153 22 545 SINAN
113. 4 config if vlan exit config

Route

This chapter shows you how to configure policies for IP routing and static routes on your NXC.

7.1 Policy Route

Traditionally, routing is based on the destination address only and the NXC takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.

7.2 Policy Route Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 23 Input Values for General Policy Route Commands
LABEL              DESCRIPTION
address_object     The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case sensitive.
interface_name     The name of the interface. Ethernet interface: gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your NXC model.
policy_number      The number of a policy route. 1 - x, where x is the highest number of policy routes the NXC model supports. See the NXC's User's Guide for details.
schedule_object    The name of the schedule. You may
114. 4 System Remote Management

This command displays FTP settings.

Router# configure terminal
Router(config)# show ip ftp server status
active: yes
port: 21
certificate: default
TLS: no
service control:
No. Zone Address Action

34.8 SNMP

Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your NXC supports SNMP agent functionality, which allows a manager station to manage and monitor the NXC through the network. The NXC supports SNMP version one (SNMPv1) and version two (SNMPv2c).

34.8.1 Supported MIBs

The NXC supports MIB II that is defined in RFC 1213 and RFC 1215. The NXC also supports private MIBs AAT private lol mib to collect information about CPU and memory usage. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the NXC's MIBs from www.zyxel.com.

34.8.2 SNMP Traps

The NXC will send traps to the SNMP manager when any one of the following events occurs.

Table 130 SNMP Traps
OBJECT LABEL             OBJECT ID              DESCRIPTION
Cold Start               1.3.6.1.6.3.1.1.5.1    This trap is sent when the NXC is turned on or an agent restarts.
linkDown                 1.3.6.1.6.3.1.1.5.3    This trap is sent when the Ethernet link is down.
linkUp                   1.3.6.1.6.3.1.1.5.4    This trap is sent when the Ethernet link is up.
authenticationFailure    1.3.6.1.6.3.1.1.5.5    This trap is sent when an SNM
115. 40 500 0 0 0 0 0 46 udp T27 O00 12500 0 0 0 0 0

Here are examples of the commands that display the system uptime and model, firmware, and build information.

Router> show system uptime
system uptime: 04:18:00
Router> show version
ZyXEL Communications Corp.
model: NXC5200
firmware version: 2.20(AQQ.0)b3
BM version: 1408
build date: 2009-11-21 01:18:06

This example shows the current LED states on the NXC. The SYS LED lights on and green.

Router> show led status
sys: green
Router>

Registration

This chapter introduces myzyxel.com and shows you how to register the NXC for IDP/AppPatrol and anti-virus using commands.

5.1 myZyXEL.com overview

myZyXEL.com is ZyXEL's online services center where you can register your NXC and manage subscription services available for the NXC.

You need to create an account before you can register your device and activate the services at myZyXEL.com.

You can directly create a myZyXEL.com account, register your NXC and activate a service using the Licensing > Registration screens. Alternatively, go to http://www.myZyXEL.com with the NXC's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details.

To activate a service on a NXC, you need to access myZyXEL.com via that NXC.

5.1.1 Subscripti
116. 5 15 9 TIS oO ETE orsa one tcl pntat aet oa agn ta 25 DEAE AAA A O AA A AT T 26 AS Camarillo Changes o a o 29 E On 29 Chapter 2 User and PO 3 o 31 URANO Privilege ues TE ica 31 a ee SU ONIS A A 33 NXC CLI Reference Guide EN Table of Contents Chapter 3 A CI 35 3 1 Object Reference Commande uuu er a Kok aaa up fab ada Kat d Rada 35 3 1 1 Object Reference Command Example cinc a 36 Chapter 4 AAPP PA 37 AS SO COME S rra daas cia a dd n Ka EUR aai tre Fo da da s 37 Chapter 5 i jii O A O A OO 41 mE WAY ZY AL SOM OSI cir 41 5 1 1 Subscription Services Available on the NXC seessssssssssseseeeeee eene 41 5 La Mamut Number ol Mana mice me 42 Sa PSO Strata CARMINA rra AAA 43 ce COIN EXI NEST ida 44 53 COLITA M A desea E 44 Chapter 6 Liar o 49 AAA INN a A m 49 mE X1 cR UU 49 B 2 Intemace General Commands SUMINA 155 2 en Gib endian a 49 6 2 1 Basic Interface Properties and IP Address Commands sss 50 62 2 DHCP Sei COMINGS soci 53 6 2 3 Connectivity Check Ping check Commands sse ennt 57 8 3 Ethernet Interface Specie Commands scsi 58 MM ew nic einstellen 58 Poids MEET OT T DT 59 Ds PT ole Comandancia 60 ets Pan POCE MOS rd aa eia
118. 5200 is initially configured to support up to 48 managed APs (such as the NWA5160N). You can increase this by subscribing to additional licenses. As of this writing, each license upgrade allows an additional 48 managed APs, while the maximum number of APs a single NXC5200 can support is 240.

Note: To update the signature file or use a subscription service, you have to register the NXC and activate the corresponding service at myZyXEL.com (through the NXC).

5.2 Registration Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 9 Input Values for General Registration Commands
LABEL        DESCRIPTION
user_name    The user name of your myZyXEL.com account. You may use six to 20 alphanumeric characters and the underscore. Spaces are not allowed.
password     The password for the myZyXEL.com account. You may use six to 20 alphanumeric characters and the underscore. Spaces are not allowed.

The following table describes the commands available for registration. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 10 Command Summary: Registration
password e mail user domainname country code country code reseller nam reseller name reseller mail user domainname reseller phone r
119. 8 5 BAG Filer Prol COMME vis iia eas 87 SSA Filler Profle ER ii ONG aieri ianea 88 Chapter 10 ROGNE AP 89 10 1 Roque AP Detection DIST oisssiirienieion kae ta tv En eaaa aai i a aaa Ni kaaa E aI aa 89 10 2 Rogue AP Dereeton CONTENUS ai 89 102 1 Rogue AP Detecion Examples sara 90 10 5 Rogue AP Comainment Overview aa 91 10 4 Ragua AP Containment Commande escrit 92 10 4 1 Rogue AP Containment Example unico aule ce sceau track aen Laban es 92 Chapter 11 Wireless Frame Capi coin 93 11 1 Wireless Frame Capture OVER is 93 11 2 Wireless Frame Capture Commands 12e oec rati code da Rd CERA X 93 11 2 1 Wireless Frame Capture Examples siria aiii 94 Chapter 12 curte cc ea ne aiiin ai 95 MEE A ERA EIE D D S 95 poer cde A D QE T 95 laa T DCE EXMOS airiai 96 NXC CLI Reference Guide Table of Contents Chapter 13 Wireless Load ERIN INS 9 99 19 1 Wireless Load Balancing OVervipw cnica ld o O aed enu ER Ga rA a ERE d 99 13 2 Wireless Load Balancing Me M sac 99 13 2 1 Wireless Load Balancing Examples secos idco crsocenssatiesd danmmoneeessansouce da e E 101 Chapter 14 ur QUES cri laisia iiaei ddi isad ian isicha isiriisi riposi iiiueidisii 103 NEC DECUIT ARAS p oc e ao 103 14 2 Dynamit Guest COMMEN srt Feet Da abo Ga bL op daga a 103 122 1 Dynamo Guest EXAITIDIBS enc Visa v best Qoo Sepa
120. 865000 K0 ese eee dats bo CR CN bee x 263 OLG Sree eck oe Cat Cee ree eR ee Moscou a He seh OR ee RS kee b ee ew EX COCO aug qxG rx dex va dew o de oU D d ee i Ug dot deo Rt UA ddp Re RR Nee o e do fe 197 subphestwe Utt TACI N ai AR AAA eee A AA AA eee 197 band 2 419 1561 Dand mole Liilix saesacekECdR BOEG RRESGOREG XAR AA A T9 Bandwidth inbound outbound 0 10485 76 gt arrat RR ECKE SOR ORCACRO ON AAA CR ae LA napdwridth Iunsensdbeutbaumd XQ 100853055 cerrar A a e Bee d 129 bandwidth inbsundloutboeund lt 0 LOTBS 5 si A A oun 132 DONN CA pruebe Slos ad aia Rei AAA A 129 tonswidgoh PELOLICY LI a be qox doe xe Rode EREDAR CR CU ROR eRe eee ale 131 DINNER priority Slos Ta AAA SAFC CP d REP P Pu QE Wade Se eee ded qb 132 hongwWigo hebes LG Gd A ac NR ERE SERRA do erac Rd A A aha PRG Eque dba de EA 128 bacon interval 20 1D0009 irte Foes SS ESHER SORES ESE AAA EERE ORE I RR AC Ra e 80 LED PESTE AAA DREN AS AU RC EC dea dee Ro e Qe e Skye oae CN 147 ca enroll cmp name certificate name cn type ip cn cn address fqdn cn cn domain name mail cn cn email ou organizational unit o organization c country usr def certificate name key type rsa dsa key len key length num 0 99999999 pass WORE Dacor cox masse MEL EIS ira A Base ene d diei raras 204 ca enroll scep name certificate name cn type ip cn cn address fqdn cn cn domain name mail cn cn email ou organizational unit o organization c country
121. 9 pore ENDE 2046404 cee os ed SOROS AAA AAA AAA ASA BARA do de ec OR wes 60 o AN BY tererenoe object wlan macrilter protile 144540246 ew ia Re op ease aes 36 reference object wlsn mondftor profilee 24448 NR AS ONES SR OE OS ORS 36 terterence object rlan radio pro LIS uaeisdesrke4o kn e ORCX AA REOR NOR AAA 36 reference object wlanm soeebrlibty b orfrile as debe mod dene s SNe A AA 36 reference object wlanssidg prefile sepia RCRYU Rp ACC a nex ce eos RR RR RH 36 reference object aaa authentication default auth method 35 referente object address DOLLIE cesen oe m a gre qox ee noe E 35 reference object ca category local remote cert name 35 reference object schedul Ifl 24h ehvar Oat ed pxqeadek4d AA 35 tererence object Service profile 22485 s hese 34d sub ak COTES Oe EES Sees eee 35 reference object username username 4ise9aRREOEA X RGRAC EEA rki AA AD teereencee object zone profile agrarias RA d Edo WC bee es 35 reference object group aaa ad group name 2 4 62 06 ecb mache wo SOS a 33 tererence ob ject qroup a a ldap Grou name 264465 bee kitki tekt Enia Re 35 reference object group aaa radius group name ie ddd veka we Rho eR eS 36 reference object group address profile iles corde xxm Rua ares Re ex Rm d wr dads 359 reference object group interface profile iiio xe oko RR GREAT RO RU ab RR x OX RR S e 3D Fererende object group service profzle icsece eem mc x AAA ee ee ease
122. 9 m ks 122 Be PERS AILS a ERU da A UE ELO fe DR AAA AAA UR res Mawes o M dd dim 59 RO Shi profile Isid Peer tie aia eee dede xa Era e x dre dom me Rd d eig Rd ETA no sssd prefile vian Interfacs Index Seid POTES Leste race 81 po stertinmg address I5 pogslesize Elo OSOS at duck h avast hake toad ade eGed gene awe are 55 no tcp decoder tcp xxx action drop reject sender reject receiver reject both 150 nel LepedbBOUBE LECCEN AICLTVADE desd ced ee CARTERS E RUF EU dU Pot ee eee 150 no third dns server ip interface name lst dns 2nd dns 3rd dns EnterpriseW BN ab seb Seed ER dad iub di d dx den ee eee xod side pP de Ped e xPe ES 55 ho to 20ne obgect ERterpfTSeNLAM P arica Rd 0 coe Se eee a Oe ew do dba 122 HO ES GONE HABE pretesne AG E AAA AAA AAA A ARA eS GS T130 ROL Co eS da AAA AE RRA AAA AA ARA AR ASA A OOM 131 nel ES SORE Mane ulus d9 94k RO Rad Fu dad V EXER AGRAR ARTS o AC deu XU X e Row e ded dre 132 Bol QsesocnB Sere erect 2h bs cheeses Lo 46s SoG SARS hese eek SROs adul aam dd ERE 139 no teespnsB BES DIQESIBS parir ARA Ro XR ROR RC UPU REAPS ESGRAREDET RETR SOR ER ROSS OR 147 no trigger lt 1 8 gt incoming service name trigger service name nn 67 no udp decoder truncated header undersize len oversize len activate 150 nO ostessam US IDO POS arcano AA a a Ai AAA A 51 ho usb storage etd E errar miniet que ded odo Aca de d a eee eee C 61 pol User Veer DOSE uas qe EG C RR S Pd sex bd
123. Router(config)# enc agent authentication enable
Router(config)# show enc agent configuration
Activate: YES
ACS URL: https://172.16.1.10:8443/enc/TR069
ACS Username:
ACS Password:
Username:
Password:
Provisioning Code:
Server Type: TR069 ACS
Keepalive: ENABLE
Keepalive Interval: 20
Periodic Inform: DISABLE
Periodic Inform Interval: 3600
Custom IP: NO
HTTPS Authentication: YES
Server Certificate: enc.cer
Router(config)#

Chapter 32 Certificates

This chapter explains how to use the Certificates.

32.1 Certificates Overview

The NXC can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication. A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the NXC to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.

32.2 Certificate Commands

This section describes the commands for configuring certificates.

32.3 Certi
124. AA AA Leh BUD gad Fok ES ASS Robot dos ee AI Re Vd pal AE ung ae AS AAA 32 BEEN uta quee dw d EA AA AA A AA AAA wb AR A do Modo dr RARA AR AA 53 show SLL 242244 acRasgc Sete ORE A a COE OR E ceeded oben AAA A UR m AR e dde 139 show aaa authentication igroup sanme dsfaUlLt soria x RR RORSCE i e ROSE bore ad A 193 show asd Group Server ad GEOP NANE gerea doe eee de ee CR Fold Robo ee ae UR dol 188 shov ada Group server Leap GEOSDODMUE parra AAN Gee Oh UR qc BU ed wee eee 189 show aas group Server radius QFSOUD HImE 2 44 sen Ck EUR chee tied RC REOR ERA a 190 Shov SECAS pad DELCLEASS 1245 34 mque xu ees wae ede e SAA Eq kei new eed e Iesus 209 show address abJect Lobrsoct name aca wukXG AAA AAA AAA dae eed RC od e ode A Rd 1728 show ally 52p B323 TED sao A ed ewe aed dex ede EDEN sid Ee a PE du d he ee 112 SOM Spy Pus SODI1ASE IO id d RAE eee tebe AH RR AC Eoi cea VE AA 138 BOW onti virus AGE activa Lio oue uoeseddope pees RO OR ERS dk Cea eR SS 138 show anti virus SIOSDUPGS HESTUS daw RE ER doe koe Reis Cox eek Re REOR RR ea Oe Red Rod 142 show anti virus skxlp unknown tfile type ACGLIVALIOR estrias xo OR ACRIOR CA RUP RUN dede 138 Shov abla Bieter ee GOLES essa cda AAA E ES we 143 show anti virus statistics ranking destination source virus name 143 chew dDbLeu bu BUHLISLIUS DUMMIES ue dd erede bag uad inca ad wee eee 143 show apbseunbum MBRATE denise rd AA a Mak OA I E RR ned dg eR ds eo oes 142 chow Ghai
125. AA DA ARA AI A 221 Socket MATT a EIA x apu duces oe dat ta pde ee See eae eee ea ee oF pU PSU 229 mde Rd os tee canadien E eA SR a tud qme as bee A 94 SoPLwarpewatoHdogetimer LS an oda eee ena s ode o por Roi wee d 268 SOL EWare Wiscuidoa Elmer RESCUE asirios 268 system debLxult sUdb ai ok dns ce ER X 3 RO ROCA ORE SSE CR CHESS DEERE ROLE RAE EROS SE 259 Syston Boule MaC l l restar E EC WX a RR RR UR ESE AS EER RO SR EERE Sea 259 SY sb toute DOG EQUOS pee Peek ae d Rank dex a C ACE CAU E RO A KC Meo a ed o CN 259 SYSTEM Ssnat SOIGULLeSRAL lt script T Ege wa od Fev Poe d Re P wq d emo P dp A Ed E ed 259 system snt nat l l ere OON EROR AAA RRA NR ARA A RRA CR COUR C 239 SYS TG sat net looDpdOR auguockRXX RO OEUE Oe RC GE HONOR OR CR ES RAS LER OOH Se ee RUE RC SRS 259 SYSTEM onat GODUQE guck okine honeran GR ex T RATE RACK oe RRA CADRE KEENER ES CR 259 SEO BHL Palle Pours garderi RR Y A Ead ER ud EN RR Ra Je m NR E d eee 209 Secon Meee iria CARAS GIC DOES EN GRE SR ARA xaxd Sd TAS SUIS RRA AAA a a a ee a ake aL Ee MELEE wipe a ele Ae Sore ee 61 NXC CLI Reference Guide List of Commands snow username LUSOIDENS ricerca OR OE ROROR RCA CHASES AAA EORON ACE CODERS RC a 170 show users username Ald CULESE xeakadoes koekoke RR Nee ELEC eee Shas OR RON wee eS COR 174 show users default setting all user type admin user guest limited admin ext group USER P 171 sh
126. ALG debug commands debug app Application patrol debug command debug app show l7protocol Shows app patrol protocol list cat etc 17 protocols protocol list responses for interfaces which don t own the IP address debug ca Certificate debug commands debug device ha Device HA debug commands debug force auth Authentication policy debug commands debug gui Web Configurator related debug commands debug hardware Hardware debug commands debug idp IDP debug commands debug idp av IDP and Anti Virus debug commands debug interface Interface debug commands debug interface ifconfig Shows system interfaces detail ifconfig interface interface debug ip dns DNS debug commands debug ip virtual server Virtual Server NAT debug commands debug logging System logging debug commands debug manufacture Manufacturing related debug commands debug network arpignore Enable Display the ignoring of ARP cat proc sys net ipv4 conf arp ignore debug no registration server Set the myZyXEL com registration update server to the official site debug policy route Policy route debug command debug service register Service registration debug command debug show ipset Lists the NXC s received cards debug show registration server status myZyXEL com debug commands debug cmdexec corefilelip kernel mac id rewrite observer switch system zyi
127. AN ID 3. Set the AP's default gateway IP address to 192.168.1.1. Add a domain zone forwarder record that specifies a DNS server's IP address of 10.1.1.1 and uses the bridge 0 interface to send queries to that DNS server. Set the AP controller's primary domain name as capwap server zyxel com and secondary domain name as capwap test com.

Router(config)# capwap ap vlan ip address 192.168.1.100 255.255.255.0
Router(config)# capwap ap vlan vlan id 3
Router(config)# capwap ap vlan ip gateway 192.168.1.1
Router(config)# ip dns server zone forwarder append user defined 10.1.1.1 interface br0
Router(config)# capwap ap ac ip capwap server zyxel com capwap test com

43.4.2 DNS Server Commands and DHCP

The AP in the example in Section 43.4.1 on page 274 uses a static IP address. If the AP uses DHCP instead, you do not need to configure the DNS server's IP address on the AP when you configure DHCP option 6 on the DHCP server. For the example in Section 43.4.1 on page 274, you would just need to configure the management interface's VLAN ID:

capwap ap vlan vlan id 3

List of Commands

This section lists the root commands in alphabetical order.
128. AS Wace S02 TIS ir 70 ip ssh server rule rule number append insert rule number access group ALL address object zone ALL zone object action accept deny 217 ip ssh server rule move rule number to Sule HUMES cies deed nue aca wee Boe Al ip telnet server rule rule number append insert rule number access group ALL address object zone ALL zone object action accept deny 218 ip telnet server rule move rule number to rule number eere 218 koevenn on Vere aioe WEBS A ea iR cS dr wade d uid gru cce de ewes ede a cR DER o Ue dedind 262 join fmbperfsce name gt Lteg UDESH rss AR ac GERE RURA eR ACE GUN KREISE RODEO Nd AER 63 language English Simplified Chinese Traditional Chinese 222 Lani heaped LODOS pirita kg qeXa d d kd AO ACE e Ro e RR eee OR CX AAA AGAR Dea 80 ihe A cer 4 DQE osque eque he oe Pee eee ORE Re aed Oe IPIE dud eed ee eee 80 iont balencing alpha xI 2027 id eA RE ARUM dob A ACQUA ALES Obs CASE RR Ree RA we 99 daa baloncino beta LORA A AA DNA AAA 100 lead balancing kickintetial 1 255 uera AAA A 100 load balseeunsg Jrlgbervsl 1 290 AA A A A A A A RR 100 isat ba lencia mee Sta lea Lere asar arial a Aa oo load balancing mode eration ESH TIQ emmm ee eee See Skene det eR Rom Oh Re RR Reed 99 NXC CLI Reference Guide List of Commands bosn balancing Siga Olea DE Ji cb ee c
129. BEL DESCRIPTION object_name value is case sensitive The name of the address You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This group_name value is case sensitive The name of the address group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This interface_name The name of the interface Use gex x 1 N for Ethernet interfaces where N equals the highest numbered Ethernet interface for your NXC model Use vlanx x 1 N for VLAN interfaces where N equals the highest numbered Ethernet interface for your NXC model The following sections list the address object and address group commands 25 2 1 Address Object Commands This table lists the commands for address objects Table 103 address object Commands Address Objects COMMAND DESCRIPTION show address object object name Displays information about the specified address or all the addresses ip ip range interface subnet address object object nam ip subnet interface ip interface gateway interface Creates the specified address object using the specified parameters ip range lt 1 255 gt lt 0 255 gt lt 0 255 gt lt 1 255 gt lt 1 255 gt lt 0 255 gt lt 0 255 gt lt 1 255 gt ip_subnet lt 1 255 gt lt 0 255 gt lt 0 255 gt lt 0 255 gt lt 1 32
130. C
show clock status | Displays your time zone and daylight saving settings.
show clock time | Displays the current time of your NXC.
show ntp server | Displays time server settings.

33.5 Console Port Speed

This section shows you how to set the console port speed when you connect to the NXC via the console port using a terminal emulation program. The following table describes the console port commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 122 Command Summary: Console Port Speed
COMMAND | DESCRIPTION
[no] console baud baud_rate | Sets the speed of the console port. The no command resets the console port speed to the default (115200). baud_rate: 9600, 19200, 38400, 57600 or 115200.
show console | Displays console port speed.

33.6 DNS Overview

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.

33.6.1 DNS Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 123 Input Values for General DNS Commands
LABEL | DESCRIPTION
address object | The name of the IP addres
131. C's services only within a given period of time and will become invalid after the expiration date/time. A dynamic guest account has a dynamically created user name and password. You cannot modify or edit a dynamic guest account.

14.2 Dynamic Guest Commands

The following table describes the commands available for creating dynamic guest accounts. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 47 Command Summary: Dynamic Guest
COMMAND | DESCRIPTION
username username password password user type guest manager | Creates a guest manager user account to generate dynamic guest accounts.
users default setting [no] user type dynamic guest logon lease time <0..1440> | Sets the default lease time for the dynamic guests. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes.
users default setting [no] user type dynamic guest logon re auth time <0..1440> | Sets the default reauthorization time for the dynamic guests. Set it to zero to set unlimited reauthorization time. The no command sets the reauthorization time to thirty minutes.
users default setting user type guest manager logon lease time <0..1440> | Sets the default lease time for the guest manager user. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes.
users default setting
132. E Peet rae L3 BaniqdA Qu xS KD TAM Ex ERE E Rud Oa inea EUER d RE Ox 170 Lg Eu o eon o MTC TL 25i no marl supiect append Syo tE NAE arrasar enr Ed doe eee Eee ud 291 PEI anpeckes de HR B ke RES RC Y d ede OG w QR dd qe DEN e A EA AE d Aen e dea ovde 32 Peeve EN Sedet mede E eq SP dus sS quaa Ee Rond Marmi a Sates Ed qid Ma SA oe 219 object group address rename group name group Heg coelaaesoe cx echo m 8 eed ee de OR RR n 180 object qroup Service rename group name grOoUD Name ls eee eee LEA RO OR y UE RS 183 GLhers HESCELPELOO Harina 4 tae C Re qe dci aub e ede RC ip dC ac RR Ade e e Red eee be 104 SENSE TESEO AA AAA A AER O AE AA AO A AAA AS 104 outbut power Vlan POVERE dar ARS A ARA AR AAA RARA MAA AS 81 psockerecoptoOPe OOHLIGUED acc hk es Eq M b PP d REGO EE SORE eS bed ew des d Ed y Xd 262 ls a gadar EASE RE UE OR KU EORR KU EC ARMED CHESS EERE RES KORE CO Ue GU UE OE CN 32 packet trace interface interface name ip proto lt 0 255 gt protocol name any src host ip hostname any dst host ip hostname any port lt 1 65535 gt any file duration 1 3600 xtension filter filter extension Ver DL phones ocu pee a RR uu EX RR ROS EEG EROS OES ER m FE BA AR AAA 104 rho PTT E 32 prog gneck dorain seme zn Betauloc qHSUCBWHE ed dk cee doc RARUS RA og ping check domain name ip
133. EE NUN ERS RRA ARAS 66 pies Seah Hake dope aEoea 4d ee rki A ake he ee ie SOURCE ee al de we Oe 59 duyndmiccquast IuEEEESE CLBXL POCE Lbs hes sei es bbe CS tee eed Ado S BAUS EUR Ra See WS 104 enc agsnt eoObiwsbe agenacedg xke EO TED CHET EEROSTHEDSEOATEORASTBE SD OREM ROBO SEEM 199 ELSE MEL ux dau iode eu duras Ne Ed pudo eq hae da qe ERI EE S dx I hones bl 114 file decompression unsupported destroy ss 4 40 s6abs8bed ce uero RERO aa OR v ds 1339 frirewall DOEDE saosin Shi 5o dd AAA qu ac edd bee m tad ENS 121 first dns server ip interface name lst dns 2nd dns 3rd dns EnterpriseW LAN adc bep3 doen md Mu yeu eee Se doe KECK d eet dup hee dq xd ed eu pi ei 55 aci be me IV ON GE aane madi3d ee A Ecke bed RO RE SERS SRE ES CEN ee ea o ERS 55 flood detection tcp flood udp flood ip flood icmp flood activate log Faro lee Queqarba 652 d Eno 8 4 9 ARCA RC D e NH EATR 150 LOGS cs seh de kittet do AAN ERE Pu dede db IER Edd PExdup do edi ede 115 Prot ARA 52105 fades metas gd COLES das ADAN Ta fran cspLure ALELLA LTE arakaketa e HE od AA RNA a ae soe 94 Errom Zone Tane uL6bsw4 AAA ANA u EEK OR AR AE A CES Box OES AS Ce ue 8 129 fro SORE Name agg GG A d EGO RW KR ACE AAA A WR Ke DO A CARCER CARCER ORAE OO RC E 131 from Gone Hame sins a SORES CHESS einer S RU AAA AAA AAA OR AUR AUR ACE Ro X ROS 132 Erom EOHB HDUSUU 2 6 Se ad oe wae oe A a e wade Ba le a E ay b aoe Be 122 IbPOn rone mone O0 COL sawed xu b eu Castes YER RE RUE
134. EL ig 3344 9E Qe uoRCS dr Bakes A CAE rro 261 Show pescket capt ure SEALS ia NS A SE EOCENE ROE PERL OR Ra RC 261 Show paceccnsbdhnd DO LION gs Sees Caeser Sade bdo eek LEE GREE HS oe eee Sd 116 Show PACGS CUSEOINZALION lt a RIA A ASA A RRA AA DA Rd a ees ae 209 show pang check interface nane SUACUS LREace roc e teeta ee baa es ou esd ehasdee eee es 57 show pingecheck I2sBerlIscE Dame undue ke eben ead ba be ke e AL ACE E Ke Sena OR OR OCEAN Ro ee 57 show poligyebonbe polilor AUMDEr ses AAA naa AA DEC a a AA 67 show policy route begin policy number end policy number i i ek Rr neyd titiraa 68 show paoligy rcoube guerride QdPrect rOUDLO sarrak 9 P hae denen a 68 sio Polipy ute Bulls COIE 54054 26556 065 00468 BR AA Shes NES S SE 68 Shaw pelrcy roube nnderlayer PUleES errada e i HCl Ree EORR OR eae RC Rm ed ode 68 NXC CLI Reference Guide List of Commands show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show show Pers CeCe ab eanip3 RE Redde db diede ons Ceo Roue Qs ard e duc ob xc db dosi wha 59 DOGS SQQ NE sarakit EX NER ARA a ARR e Y a X RAN GE RAPES SERRE SEATS BSR de 5
135. ER ECC dede e Eo RR A dede Rea ee ee a 210 clock saving interval begin apr aug dec feb jan jul jun mar may nov oct sep 1 213 4 1ast frilmon sat sun thu tue wed hh mm end aprlaug dec feb jan jul jun mar may nov oct sep 1121 314 1ast fIri mon ssc sun thultus wed Bam O TSOUt sexag xd OR OX oe eas Dada ewe wale 210 plock timneetane P BNBNHR irc kr Pack v ERA REQUE NOE CE e SC OC Ge de OR E CORAN 210 gonnegbpivitv dhack continusus Lod mOCINMLe iasgairean mur dA EUR Ru dos e and Wo Sr RO NUR 242 con ectivity checl contin ugu selog activate essere aoro cee pori opm eo dpa acia od Conlin quexcpEr HoNL les cee bey bse qx ee howe eee wed wares wee dar 120 console baud Daud Fete cick ad ed ee HESS Y RR XE WR Kg C3 EG AERA AA RUE A AUR NO A EE EC dg all poretibe or UBDSEDGENES aas ded X369 es hear XU Ed e du BR Duces meds Ede E 61 Creme to one SEE sad seeds edad Roa BORA HOHE Ode Oe AAA ere Dc m CE NICK 122 DLSULA HO EE RO Pea eee Wed e ue Ee Da Eee Hee qu a Bek awa Ed eee eee ee vede 73 d s ACCAVALE doa ka ed CE NES PEALE UE Ke A OUR A NCC LAC Ro OR RE EU EE OY D uc eL s D eS ARA OSE HSER REESE OWE Kee eRe Oe eS 66 debug PREIS DOTES aad xu Rey d dex e ed de RE A dene EUR MG awe ed A DR 201 debug E c agent STAGED artike seb d d ewe ESET ORDER OEE Hh dq a ke ded ye e 201 is e e AN 4 ix Mio ACRAS WC Re Ade di E TUE RESUS PURI OR OR QR D eb ROS 54 HESCEIPCLON SOBEPTIBEIOR senride hirer epo AA E e oed on de tee lobe e Ro aan eek de
136. File Details casis bcd aet aia 225 35 24 Congdon Pile Flow altea scan 226 35 3 File Manager Commands Input Vales csi DA rai 226 23544 File Manager Commands SUMMA secunda On iiaia 227 25 5 Fle Manager Command Example asi A 228 ld dy PU t ario ctu cnp e oe ap iau Erbe E cubic Rd Ea da wists ion oM SUD t FN uU bp 228 25 6 1 S o rt Line FTP FIS UDDAN eer 228 12 NXC CLI Reference Guide Table of Contents 35 6 2 Command Line FTP Configuration File Upload Example esseseeeee 229 25 5 3 Command Line FTP File DOWNDOD sur denise 229 35 6 4 Command Line FTP Configuration File Download Example ssseseess 230 ET NAC IB C E imr iir UP 230 35 8 Notification of a Damaged Recovery Image or Firmware cscccecesssccceceeeeseeeeeeeeeneeeeeeneeneeees 231 35 9 Restoring the Recovery Image NXC5200 ONIY ar is 232 3210 Ea STING the FI siecia auina aaO a a EEANN ENEA 234 35 11 Restoring the Default System Database sx sisccisciascecsceiedsnecsaraccetaceiccecueasdvicdnnnadenananieeavagesnranieneanese 236 35 11 1 Using the atkz u Debug Command NXC5200 Only ssssseseee 238 Chapter 36 RO U 241 ab Log Commands SUMMA hirano rie sessed costae ui dub bet Medo rcs DUaR tam d ado gbr ete iadaeb Food eed 241 commen VeL sr 242 812 LC LOG TORTI RAINS T E TD 242 JE 1o DeDig Log Commande ET E ind 243 36 14 E mall
137. I aded sa Qus ope E cerei E dud dcl qo ario tes AMARA ACERA 153 Bo Smcp eUpi A LIESS gucci doy PAG der XU bod edi dedu RE AAA A ERA 251 nol sneak subGorng interiace pool address ODJIBOELY isso NA A ESE 67 o LOMO SSEVSO skidka SSK SOKA RNA RA AAA UE ELAR ORC CR SRE eR Rae 221 no snmp seruvef community Comment SERING POPU 2 45 bebe ee a AAA 221 ho Andp server contact JeOSCPIDEIONM ian teichvade eeu AA E CS I E aA 221 nol snmp server enable lato ms ICESPS seh kek eee XR EC UE a eee ARA eo no s mp server host fodn ipv4 address community string i29 wo 221 nol suupesBIwer LacstigH QOBEILDLION Reg Gi Xu EUR ad ad Re Rp d 221 Heo onip Server perc El SIA sani cet narra 486560650 H AAA E MEA X RUE wA HE 221 RO SOrtwace watoHdosekimer CIS egauqonedo RUP Ree Syke pe bak does die p CC e RUN ae Ane eS ew 268 NXC CLI Reference Guide List of Commands nol susto Leto tana Coco anal adi AA qb sass ARA 67 Bo Source addresse ODJECE LAS A A be AG AU TIRAR DA ATA a e CR op 18 115 hol Source addien ODIUM da A p Ee qeu dpa EN AAA lU Ho couros SATA DERI uaque don X EA e e doa AR OOM Oe KOREA CR ERN A RCM Ree ae 131 nol SCS Prori le MON ei EIA 9 bd peu edede dd y P e RE eder SH SORE edd E RES 132 ho sourccin adreso OO ISCO fonts back e3 E KC RE RE KERALA ERG Ro CR ROE DUE QC dod TS 122 no sourceport tep udp ed 1 65535 range 1 65535 1 6553595 s9
138. ION
wpa_key | Sets the WPA/WPA2 pre-shared key in ASCII. You may use 8-63 alphanumeric characters. This value is case-sensitive.
wpa_key_64 | Sets the WPA/WPA2 pre-shared key in HEX. You must use 64 alphanumeric characters.
secret | Sets the shared secret used by your network's RADIUS server.
auth_method | The authentication method used by the security profile.

The following table describes the commands available for security profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 35 Command Summary: Security Profile
COMMAND | DESCRIPTION
show wlan security profile {all | security_profile_name} | Displays the security profile(s). all: Displays all profiles for the selected operating mode. security_profile_name: Displays the specified profile for the selected operating mode.
wlan security profile rename security_profile_name1 security_profile_name2 | Gives existing security profile (security_profile_name1) a new name (security_profile_name2).
[no] wlan security profile security_profile_name | Enters configuration mode for the specified security profile. Use the no parameter to remove the specified profile.
[no] mac auth activate | MAC authentication has the AP use an external server to authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails. The no parameter t
139. KCS 12 certificates | .cer
conf | Configuration files | .conf
idp | IDP custom signatures | .rules
packet trace | Packet trace results (download only)
script | Shell scripts | .zysh
tmp | Temporary system maintenance files and crash dumps for technical support use (download only)

After you log in through FTP, you do not need to change directories in order to upload the firmware.

35.2 Configuration Files and Shell Scripts Overview

You can store multiple configuration files and shell script files on the NXC. When you apply a configuration file, the NXC uses the factory default settings for any features that the configuration file does not include. Shell scripts are files of commands that you can store on the NXC and run when you need them. When you run a shell script, the NXC only applies the commands that it contains. Other settings do not change.

You can edit configuration files or shell scripts in a text editor and upload them to the NXC. Configuration files use a .conf extension and shell scripts use a .zysh extension.

These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.

Figure 17 Configuration File / Shell Script: Example

# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user type admin
# configure ge3
interface ge3
ip address 172.16
140. L support.
load balancing sigma <51..100> | Sets the load balancing sigma value. This value is an algorithm parameter used to calculate whether an AP is considered overloaded, balanced, or underloaded. It only applies to 'by traffic mode'. Note: This parameter has been optimized for the NXC and should not be changed unless you have been specifically directed to do so by ZyXEL support.
load balancing timeout <1..255> | Sets the length of time that an AP retains load balancing information it receives from other APs within its range.
load balancing liInterval <1..255> | Sets the interval in seconds that each AP communicates with the other APs in its range for calculating the load balancing algorithm. Note: This parameter has been optimized for the NXC and should not be changed unless you have been specifically directed to do so by ZyXEL support.
load balancing kickInterval <1..255> | Enables the kickout feature for load balancing and also sets the kickout interval in seconds. While load balancing is enabled, the AP periodically disconnects stations at intervals equal to this setting. This occurs until the load balancing threshold is no longer exceeded.
show load balancing config | Displays the load balancing configuration.
[no] load balancing activate | Enables load balancing. Use the no parameter to disable it.
141. Mode Commands continued
COMMAND | MODE | DESCRIPTION
diag info | P | Has the NXC create a new diagnostic file.
dir | P | Lists files in a directory.
disable | U/P | Goes from privilege mode to user mode.
enable | U/P | Goes from user mode to privilege mode.
exit | U/P | Goes to a previous mode or logs out.
htm | U/P | Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting. Note: These commands are for ZyXEL's internal manufacturing process.
interface | U/P | Dials or disconnects an interface.
no packet trace | U/P | Turns off packet tracing.
nslookup | U/P | Resolves an IP address to a host name and vice versa.
packet trace | U/P | Performs a packet trace.
ping | U/P | Pings an IP address or host name.
psm | U/P | Goes to psm (product support module) mode for setting product parameters. You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting. Note: These commands are for ZyXEL's internal manufacturing process.
reboot | P | Restarts the device.
release | P | Releases DHCP information from an interface.
rename | P | Renames a configuration file.
renew | P | Renews DHCP information for an interface.
run | P | Runs a script.
setenv | U/P | Turns stop on error on (terminates booting if an error is found in a configuration file) or off (ignores configur
142. N | Enters the firewall sub-command mode to set a direction-specific through EnterpriseWLAN rule or to EnterpriseWLAN rule.

Table 57 Command Summary: Firewall (continued)
COMMAND | DESCRIPTION
firewall zone object zone object EnterpriseWLAN append | Enters the firewall sub-command mode to add a direction-specific through EnterpriseWLAN rule or to EnterpriseWLAN rule to the end of the global rule list.
firewall zone object zone object EnterpriseWLAN delete rule number | Removes a direction-specific through EnterpriseWLAN rule or to EnterpriseWLAN rule. <1..5000>: the index number in a direction-specific firewall rule list.
firewall zone object zone object EnterpriseWLAN flush | Removes all direction-specific through EnterpriseWLAN rule or to EnterpriseWLAN rules.
firewall zone object zone object EnterpriseWLAN insert rule number | Enters the firewall sub-command mode to add a direction-specific through EnterpriseWLAN rule or to EnterpriseWLAN rule before the specified rule number.
firewall zone object zone object EnterpriseWLAN move rule number to rule number | Moves a direction-specific through EnterpriseWLAN rule or to EnterpriseWLAN rule to the number that you specified.
[no] firewall activate | Enables the firewall on the NXC. The no command disables the f
143. OO ee ACRIOR PA OE RRR A 269 anp vateh ooa Sy EROS Su esq dese ibedcRcE weg ir a duce mal ek o UI ce 259 arp TOply DESECLOTOESO e eu Sis DR oye ak dol a d E runi UE ea Rp d aded 263 guthencxcsbli H Lares Sequxved coctootkds eka eh barns Di A Ro RC 115 AUREA ACTUALES depre p ood Ego n a ae ear poke Gare dodge ae Abele Baayen a 197 authe sBrvEr Cort certi itate Mane oned caves SR AAA eee AGRO E E HN OR 197 auth ssBrver Lsusred olient profile nale ioosewedo oe d ue eked RO RORUR CRURA CX RC HS Rc op RE 197 guto OIT ASIS i1uqeckhucb wee 3 3 4 AAA SEWER EG AA A EN RR SS ERES 66 bandwidth 1 1048576 priority 1 1024 maximize bandwidth usage 66 Bananridth eXCOBSESUNREde sirena Pd RNC EERE OE e de mE EY PEE REA KE E edes 129 panditi GQNO OGSS HSOUE Li rx de Rb quake a WU AN AAA GA doe eol d RSEN a TAL bopgeggtE BXOBSSCDIMARQE UA NA AREA haw See AAA A 132 A eda pd Ox pad oa cac Ue Jede aal e de aeg Pe dea SED RNR ER IR RUE GE e eR EO Red eae 108 Rises ewadgeswaanpa e MD Ree ved dde vam dad daa dd dixe eid ipd m aded Oo 80 Dub AXES wide weak nes Kh P AS ELSE SOS ERAS fas duda BEE SES 133 DW utri MT 66 bypass wise ls Diaci lisk ansiada A de xs br A we ewes 139 elrenbteidentifqref Mee SOOFOBS Aba dk hes eae eee Re CER A AAA CORN AS E 54 Sli ete ane BORE HOA asii ay aries X eU Ro E ROC SU RU A rA ae aed bowed nua CR GR 54 clock dSeybrOHt ssBAg BU da parado SERRATE EES ELD
144. ORBI id 153 za DP Cusin SEDED A aaka Od De Fus a aO zai P 156 ec Custom Sianat re Examples adas 157 28 5 ponds IDF SRA apii S eret MM TER Ert DR aaa Ra NTI S Mad A PIE P nid 160 22 9 1 Update Ina E UIDI non as 161 CRINIBUS D LU LOST 161 22 PASES dcn M 162 NXC CLI Reference Guide 9 Table of Contents Chapter 23 p i 163 23 1 Device ABRI T TETTE QD TS 163 23 1 Boore VOU BEGIN e 164 23 General Device HA COMAS sic o o ideo teed 164 20 9 Active Fassive Mode Device Pi 164 23 4 Active Passive Mode Device HA Commands sess sententie 165 23 4 1 Active Passive Mode Device HA Commands ssssssssssssssseeeenen enne 165 23 4 2 Active Passive Mode Device HA Command Example seen 167 Chapter 24 User GrOU 169 24 1 User Account SS OO DOES 169 AUS TES c erm 169 24 2 User Group Commands SUITE rn sspe con oor Cada a cec Aa pc aede n o boc ard 170 OERD AE a T e E EEEE A EAA icd IEI EXE da o a OE dm cp a irf Kb n 170 2422 Weer Grop Gam al deu eec ipee ten uc ep Eco puer esee eee eee 171 24 23 User Simp OOImmmltlbie asco Euri ue tp da re cea absurda pere unde 171 24 24 MAL Auli Commands sia 173 24 2 5 eel irl gentia Ae 174 Chapter 25 lp
145. OS 134 show app protocol same rule all SUBLISEIQCR 2oaaucees enc Roco E e RUP IR RON GR eae coe aioe o 134 Show pp Brorocsol name Sule Metal bodossdGdese ae AR RA 134 show app protocol name rile gdefsult statistics serret 40x 3 ea Rex Roe EUR E ie Seed ae 134 Bhow app protocol name rule rue numbeN cove reas RERO RE aw UAR AA wu RUE wanes 134 show app protocol name role rule number SUSLISLUTOS 24144 G nore Kur ee ex UE Rogo e ee on 134 Show app BrOPLOQUSOI Sume BLA RISCIES Gg dd sub S ARA Bares BUE daa do Rud 134 SHOW dopeWalchedgog SORIG X4 RAG Re EX i M RR Saeed wie eee awed eee eas 269 show sppewscohedog HOHDLOFCLNSE xee aue bu qb h4Edi ee wed CERES OE E Rd a PM Pop SE 269 show app wateh dgg PEDOGE LOS aaa 9 seen bike RR XORCAGECROROA ACE RON KG RIA A ERA SEES RES 259 BOW rp teply SOSLIQSLOD 22 4c ese ha io dee RP SE S SR ee EXE PU Nae e Ed dq Edd 261 Show arp table cco kb ee bE GG XO E SLSR OUS E AUN EERE OOEES EGOS DE NES KERR ACRCN ER e ROCCO CERCA 261 Blow gen server NEED esa dh at icio cae awh ee ee ee OR AAA eek A Oe SS 198 SHOW auth server LeUStedg CLTeNE rip Ad dox e o d e ra Ros dene e Re eee ade De ede eS 198 show auth sBrwvar Lrusred plxent profile name ar A A e dae 198 SHOW DOGE SCIENS Dai AAA AS A E RN BE EIA AA AO dud RUE AN A 24 show DWN ACEP RAT a doen s gos AAA qood Re RN SA BH e EC cR diese ane ah ee d erit ad 134 NXC CLI Reference Guide List of Commands Q0 ooououoouoodoooooououoouooooocoocoonoouu uuu Q ooououooo
146. P protocol The no command resets Service settings to the default any any means all services no snat outgoing interface pool Sets the source IP address of the matched address object packets that use SNAT The no command removes source NAT settings from the rule no source address object any Sets the source IP address that the matched packets must have The no command resets the source IP address to the default any any means all IP addresses no trigger 1 8 incoming service name Sets a port triggering rule The no command trigger service nam removes port trigger settings from the rule trigger append incoming service name trigger service name Adds a new port triggering rule to the end of the list Lii gger delete 1 8 Removes a port triggering rule tri Eri gger insert 1 8 incoming service name gger service nam Adds a new port triggering rule before the specified number tri gger move lt 1 8 gt to lt 1 8 gt Moves a port triggering rule to the number that you specified Sets the user name The no command resets the show policy route no user user name user name to the default any any means all users policy default route Enters the policy route sub command mode to set a route with the name default route policy delete policy number Removes a routing policy policy flush Clears the policy routing table policy
147. P request comes from non-authenticated hosts.

34.8.3 SNMP Commands

The following table describes the commands available for SNMP. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 131 Command Summary: SNMP

COMMAND
    DESCRIPTION
no snmp server
    Allows SNMP access to the NXC. The no command disables SNMP access to the NXC.
no snmp server community community_string ro rw
    Enters up to 64 characters to set the password for read-only (ro) or read-write (rw) access. The no command resets the password for read-only (ro) or read-write (rw) access to the default.
no snmp server contact description
    Sets the contact information (of up to 60 characters) for the person in charge of the NXC. The no command removes the contact information for the person in charge of the NXC.
no snmp server enable informs traps
    Enables all SNMP notifications (informs or traps). The no command disables all SNMP notifications (informs or traps).
no snmp server host fqdn ipv4_address community_string
    Sets the IP address or domain name of the host that receives the SNMP notifications. The no command removes the host that receives the SNMP notifications.
no snmp server location description
    Sets the geographic location (of up to 60 characters) for the NXC. The no comman
148. P's management IP address to 192.168.1.37 and netmask 255.255.255.0.
Set the AP's default gateway IP address to 192.168.1.32.
Sets the AP's management interface to use VLAN ID 2 and send tagged packets.
Specifies the primary and secondary IP addresses of the NXC (192.168.1.1 and 192.168.1.2) to which the AP connects.
Displays the settings it configured.

Router configure terminal
Router config show capwap ap discovery type
Discovery type Broadcast
Router config capwap ap vlan ip address 192.168.1.37 255.255.255.0
Router config capwap ap vlan ip gateway 192.168.1.32
Router config capwap ap vlan vlan id 2 tag
Router config capwap ap ac ip 192.168.1.1 192.168.1.2
Router config show capwap ap discovery type
Discovery type Static AC IP
Router config show capwap ap ac ip
AC IP 192.168.1.1 192.168.1.2
Router config exit
Router show capwap ap info
AC IP 192.168.1.1
Discovery type Static AC IP
SM State RUN 8
msg buf usage 0 10 Usage Max
capwap version 10118
Radio Number 1 4 Usage Max
BSS Number 8 8 Usage Max
IANA ID 037a
Description AP 0013499999FF

43.4 DNS Server Commands

The following table describes commands for configuring the AP's DNS server. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 159 C
149. P service port number. The no command resets the FTP service port number to the factory default (21).

no ip ftp server tls required
    Allows FTP access over TLS. The no command disables FTP access over TLS.
ip ftp server rule rule number append insert rule number access group ALL address object zone ALL zone object action accept deny
    Sets a service control rule for FTP service.
    address object: The name of the IP address group object. You may use 1-31 alphanumeric characters, underscores (_) or dashes, but the first character cannot be a number. This value is case sensitive.
    zone_object: The name of the zone. Use up to 31 characters (a-zA-Z0-9). The name cannot start with a number. This value is case sensitive. You can also use pre-defined zone names like LAN and WLAN.
ip ftp server rule move rule number to rule number
    Changes the index number of a service control rule.
no ip ftp server rule rule number
    Deletes a service control rule for FTP service.
show ip ftp server status
    Displays FTP settings.

34.7.2 FTP Commands Examples

This command sets a service control rule that allows the computers with the IP addresses matching the specified address object to access the specified zone using FTP service.

Router configure terminal
Router config ip ftp server rule 4 access group Sales zone LAN action accept
151. Reference Guide, Chapter 1 Command Line Interface

2. Enter the IP address of the NXC and click OK.
3. Next, enter the user name of the account being used to log into your target device and then click OK.
4. You may be prompted to authenticate your account password, depending on the type of device that you are logging into. Enter the password and click OK.
5. If your login is successful, the command line appears and the status bar at the bottom of the Console updates to reflect your connection state.

1.2.3 Telnet

Use the following steps to Telnet into your NXC.

1. If your computer is connected to the NXC over the Internet, skip to the next step. Make sure your computer IP address and the NXC IP address are on the same subnet.
2. In Windows, click Start (usually in the bottom left corner) and Run. Then type telnet and the NXC's IP address. For example, enter telnet 192.168.1.1 (the default management IP address).
3. Click OK. A login screen displays. Enter the user name and password at the prompts. The default login username is admin and password is 1234. The username and password are case sensitive.

1.2.4 SSH (Secure SHell)

You can use an SSH client program to access the CLI. The following figure
152. Report syslog compatible format

36.1.4 E-mail Profile Log Commands

This table lists the commands for the e-mail profile settings.

Table 142 logging Commands: E-mail Profile Settings

COMMAND
    DESCRIPTION
show logging status mail
    Displays the current settings for the e-mail profiles.
no logging mail 1 2
    Enables the specified e-mail profile. The no command disables the specified e-mail profile.
no logging mail 1 2 address ip hostname
    Sets the URL or IP address of the mail server for the specified e-mail profile. The no command clears the mail server field.
    hostname: You may use up to 63 alphanumeric characters, dashes, or periods, but the first character cannot be a period.
no logging mail 1 2 authentication
    Enables SMTP authentication. The no command disables SMTP authentication.
no logging mail 1 2 authentication username username password password
    Sets the username and password required by the SMTP mail server. The no command clears the username and password fields.
    username: You can use alphanumeric characters, underscores, and dashes, and it can be up to 31 characters long.
    password: You can use most printable ASCII characters. You cannot use square brackets, double quotation marks, question marks, tabs or spaces. It can be up to 31 characters long.

Table 142 logging C
153. Sets the default gateway IP address for the AP's management interface.

capwap ap no ip gateway
    Clears the default gateway IP address setting for the AP's management interface.
capwap ap vlan id vid tag untag
    Sets the AP's management VLAN ID as well as whether the AP sends tagged or untagged packets. The management VLAN on the NXC and AP must match for the NXC to manage the AP. The NXC's force vlan command (see Table 29 on page 74) takes priority over this command.
capwap ap ac ip primary ac ip primary ac dns secondary ac ip secondary ac dns
    Specifies the primary and secondary IP address or domain name of the AP controller (the NXC) to which the AP connects.
capwap ap ac ip auto
    Sets the AP to use DHCP to get the address of the AP controller (the NXC).
show capwap ap info
    Displays the IP address of the NXC managing the AP and CAPWAP settings and status.
show capwap ap discovery type
    Displays how the AP finds the NXC.
show capwap ap ac ip
    Displays the address of the NXC or auto if the AP finds the NXC through broadcast packets.

43.3.1 CAPWAP Client Commands Example

This example shows how to configure the AP's management interface and how it connects to the AP controller (the NXC), and check the connecting status. The following commands:
Display how the AP finds the NXC.
Set the A
154. System Startup Stopped
BootModule Version V1 08 05 05 2006 11 42 55
DRAM Size 510 Mbytes
DRAM POST Testing 522240K OK
DRAM Test SUCCESS
Kernel Version V2 4 27 4HL 2006 05 29 2006 05 29 15 23 46
ZLD Version V7ZM1058 10 DailyBuild New 2006 05 29 15 18 32

3. If the console session displays "Invalid Firmware" or "Invalid Recovery Image", or the console freezes at "Press any key to enter debug mode within 3 seconds" for more than one minute, go to Section 35.9 on page 232 to restore the recovery image.

Figure 22 Recovery Image Damaged
Press any key to enter debug mode within 3 seconds
Invalid Recovery Image
ERROR
Enter Debug Mode >

4. If "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays on the screen, the firmware file is damaged. Use the procedure in Section 35.10 on page 234 to restore it. If the message does not display, the firmware is OK and you do not need to use the firmware recovery procedure.

Figure 23 Firmware Damaged
Building
Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file

35.9 Restoring the Recovery Image (NXC5200 Only)

This procedure requires the NXC's recovery image. Download the firmware package from www.zyxel.com and unzip it. The recovery image uses a ri extension, for example 1 01 XL 0 CO ri. Do the following after you have obtain
156. This chapter shows you how to determine which services/protocols can access which NXC zones (if any) from which computers.

To allow the NXC to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-NXC rule to block that traffic.

34.1 Remote Management Overview

You may manage your NXC from a remote location via:
Internet (WAN only)
ALL (LAN & WAN & DMZ)
LAN only
DMZ only

To disable remote management of a service, deselect Enable in the corresponding service screen.

34.1.1 Remote Management Limitations

Remote management will not work when:
1. You have disabled that service in the corresponding screen.
2. The accepted IP address in the Service Control table does not match the client IP address. If it does not match, the NXC will disconnect the session immediately.
3. There is a firewall rule that blocks it.

34.1.2 System Timeout

There is a lease timeout for administrators. The NXC automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. Each user is also forced to log in the NXC for authentication again when the reauthentication time expires.

34.2 Common System Command Input Values

The following table identifies the values required for many of these comma
157. USB storage usb storage device

show diag info
    Displays the name, size, and creation date (in yyyy mm dd hh mm ss format) of the diagnostic file.
show diag info copy usb storage
    Displays whether the NXC is set to create an extra copy of the diagnostic file to a connected USB storage device.

39.3 Diagnosis Commands Example

The following example creates a diagnostic file and displays its name, size, and creation date.

Router configure terminal
Router config diag info collect
Please wait collecting information
Router config show diag info
Filename diaginfo 20070423 tar bz2
File size 1259 KB
Date 2007 04 23 09 55 09

Packet Flow Explore

This chapter covers how to use the packet flow explore feature.

40.1 Packet Flow Explore

Use this to get a clear picture of how the NXC determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot the related problems.

40.2 Packet Flow Explore Commands

The following table lists the commands that you can use to have the NXC display routing and SNAT related settings.

Table 151 Packet Flow Explore Commands

COMMAND
    DESCRIPTION
show route order
    Displays the order of routing related f
159. ZyXEL NXC Series Wireless LAN Controller
Versions 2 25 4 00
Edition 1 06 2013
CLI Reference Guide

Default Login Details
IP Address: https://192.168.1.1
User Name: admin
Password: 1234

Copyright 2013 ZyXEL Communications Corporation

IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE.

This is a Reference Guide for a series of products intended for people who want to configure the NXC via Command Line Interface (CLI).

Some commands or command options in this guide may not be available in your product. See your product's User's Guide for a list of supported features. Every effort has been made to ensure that the information in this guide is accurate.

How To Use This Guide
1. Read Chapter 1 on page 15 for how to access and use the CLI (Command Line Interface).
2. Read Chapter 2 on page 31 to learn about the CLI user and privilege modes.

Do not use commands not documented in this guide.

Related Documentation
Quick Start Guide: The Quick Start Guide shows how to connect the NXC and access the Web Configurator.
User's Guide: The User's Guide explains how to use the Web Configurator to configure the NXC.

It is recommended you use the Web Configurator to configure the NXC.
161. able 52 web auth login setting Sub-commands (continued)

COMMAND
    DESCRIPTION
no session url url
    Sets the session page's URL, for example http://192.168.1.1/session.cgi. 192.168.1.1 is the web server on which the web portal files are installed.
no welcome url url
    Sets the welcome page's URL, for example http://192.168.1.1/welcome.cgi. 192.168.1.1 is the web server on which the web portal files are installed.

17.1.1.2 web auth policy Sub-commands

The following table describes the sub-commands for several web auth policy commands. Note that not all rule commands use all the sub-commands listed here.

Table 53 web auth policy Sub-commands

COMMAND
    DESCRIPTION
no activate
    Activates the specified condition. The no command deactivates the specified condition.
no authentication force required
    Selects the authentication requirement for users with traffic matching this policy. The no command requires no user authentication.
    force: Users need to be authenticated. The NXC automatically displays the login screen if unauthenticated users try to send HTTP traffic.
    required: Users need to be authenticated. They must manually go to the login screen. The NXC does not redirect them to the login screen.
no description description
    Sets the description for the specified condition. The no command clears the description.
    description: You can use alphanumeric and _ characters and it ca
162. ac description2
    Sets the device that owns the specified MAC address as a rogue AP. You can also assign a description to this entry on the rogue AP list.
no rogue ap ap_mac
    Removes the device that owns the specified MAC address from the rogue AP list.
friendly ap ap mac description2
    Sets the device that owns the specified MAC address as a friendly AP. You can also assign a description to this entry on the friendly AP list.
no friendly ap ap mac
    Removes the device that owns the specified MAC address from the friendly AP list.
exit
    Exits configuration mode for rogue AP detection.
show rogue ap detection monitoring
    Displays a table of detected APs and information about them, such as their MAC addresses, when they were last seen, and their SSIDs, to name a few.
show rogue ap detection list rogue friendly all
    Displays the specified rogue/friendly/all AP list.
show rogue ap detection status
    Displays whether rogue AP detection is on or off.
show rogue ap detection info
    Displays a summary of the number of detected devices from the following categories: rogue, friendly, ad-hoc, unclassified, and total.

10.2.1 Rogue AP Detection Examples

This example sets the device associated with MAC address 00:13:49:11:11:11 as a rogue AP, and the device associated with MAC address 00:13:49:11:11:22 as a friendly AP. It then removes MAC address from the rogue AP list with
163. activate
Router config idp anomaly profile test exit
Router config show idp anomaly test tcp decoder oversize offset details
message tcp_decoder OVERSIZE OFFSET ATTACK
keyword tcp decoder oversize offset
activate no
action drop
log log alert

22.3.5 Editing System Protect

Use these commands to edit the system protect profiles.

Table 85 Editing System Protect Profiles

COMMAND
    DESCRIPTION
idp system protect
    Configure the system protect profile. Enters sub-command mode. All the following commands relate to the new profile. Use exit to quit sub-command mode.
no signature sid activate
    Activates or deactivates an IDP signature.
signature sid log alert
    Sets log or alert options for an IDP signature.
no signature sid log
    Deactivates log options for an IDP signature.
signature sid action drop reject receiver reject both reject sender
    Sets an action for an IDP signature.
no signature SID action
    Deactivates an action for an IDP signature.

22.3.6 Signature Search

Use this command to search for signatures in the named profile.

It is recommended you use the web configurator to search for signatures.

Table 86 Signature Search Command

COMMAND
idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_ma
164. address and other related management interface settings. Do not use the original interface commands to configure the IP address and related settings on the AP, because the AP does not save interface command settings after rebooting.

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 157 Input Values for CAPWAP Client Commands

LABEL
    DESCRIPTION
ip
    IPv4 address.
netmask
    The network subnet mask. For example, 255.255.255.0.
gateway
    The default gateway IP address of the interface. Enter a standard IPv4 IP address (for example, 127.0.0.1).
primary_ac_ap
    The primary IPv4 address of the NXC.
secondary_ac_ap
    Optional IPv4 address of the NXC.
vid
    The VLAN ID (1-4094) of the managed AP.
primary_ac_dns
    The primary fully qualified domain name (FQDN) of the NXC.
secondary_ac_dns
    The secondary fully qualified domain name (FQDN) of the NXC.

The following table describes commands for configuring the AP's CAPWAP client parameters, which include the management interface. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 158 Command Summary: CAPWAP Client

COMMAND
    DESCRIPTION
capwap ap ip address ip netmask
    Sets the IP address and network mask of the AP's management interface.
capwap ap ip gateway gateway
166. al
Router config interface wanl
Router config if wanl ping check 1.1.1.2 method tcp port 8080
Router config if wanl exit
Router config show ping check
Interface Check Method IP Address 1.1.1.2 Period 30 Timeout Fail Tolerance Activate yes Port 8080

6.3 Ethernet Interface Specific Commands

This section covers commands that are specific to Ethernet interfaces. The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 16 Input Values for Ethernet Interface Commands

LABEL
    DESCRIPTION
interface_name
    The name of the interface.
    Ethernet interface: gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your NXC model.
    VLAN interface: vlanx, x = 0 - 4094.

6.3.1 MAC Address Setting Commands

This table lists the commands you can use to set the MAC address of an interface.

Table 17 interface Commands: MAC Setting

COMMAND
    DESCRIPTION
interface interface name
    Enters sub-command mode.
no mac
    Has the interface use its default MAC address.
mac mac
    Specifies the MAC address the interface is to use.

Table 17 interface Commands: MAC Setting (continued)

COMMAND
    DESCRIPTION
type internal external general
    Sets which type of network
168. am
    Removes the password used to authenticate the ENC or ACS server when the server makes a connection request.
    Removes the NXC's user name for authentication with the ENC or ACS server.
no enc agent password
    Removes the NXC's password for authentication with the ENC or ACS server.

Table 116 Command Summary: ENC Agent (continued)

COMMAND
    DESCRIPTION
no enc agent periodic inform
    Sets the NXC to not periodically send Inform messages to the ENC or ACS server.
no debug enc agent activate
    Enables ENC agent debug logging. The no command disables ENC agent debug logging.
no debug enc agent stderr
    Shows ENC agent debug messages on the console. The no command sets the NXC to not show ENC agent debug messages on the console.
show enc agent configuration
    Displays the NXC's ENC agent settings.

31.2.1 ENC Agent Command Examples

The following example shows you how to turn on the ENC agent feature on the NXC and set the ENC server's IP address. This example also enables HTTPS authentication and shows you the ENC agent settings.

Router configure terminal
Router config enc agent activate
Router config enc agent manager https 172.16.1.10 8443 enc TR069
Router config nc agent server certificate enc cer
Doing var zyxel cert https trusted nc cer pem gt 3eed352e 0
https my default cert pem 470d9
169. and rates are 6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0.

wlan 5g support speed
    Sets the support rate for the 5 GHz band. The available band rates are 6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0.
chain mask
    Sets the network traffic chain mask. The range is 1-7.
wlan power
    Sets the radio output power. Select 100, 50, 25 or 12.5.
scan method
    Sets the radio's scan method while in Monitor mode. Select manual or auto.
wlan interface index
    Sets the radio interface index number. The range is 1-8.
ssid profile
    Sets the associated SSID profile name. This name must be an existing SSID profile. You may use 1-31 alphanumeric characters, underscores (_) or dashes, but the first character cannot be a number. This value is case sensitive.

The following table describes the commands available for radio and monitor profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 31 Command Summary: Radio Profile

COMMAND
    DESCRIPTION
show wlan radio profile all radio profile name
    Displays the radio profile(s).
    all: Displays all profiles for the selected operating mode.
    radio profile name: Displays the specified profile for the selected operating mode.
wlan radio profile rename radio profile name1 radio profile name2
    a new name radio profile name2 Gives an existing radio profile radio prof
170. ary all
    Displays basic information about the interfaces.
show interface summary all status
    Displays the connection status of the interfaces.
no interface interface name
    Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface.
description description
    Specifies the description for the specified interface. The no command clears the description.
    description: You can use alphanumeric and S_ characters, and it can be up to 60 characters long.
downstream 0 1048576
    This is reserved for future use. Specifies the downstream bandwidth for the specified interface. The no command sets the downstream bandwidth to 1048576.

Leaves the sub-command mode.

ip address dhcp
    Makes the specified interface a DHCP client; the DHCP server gives the specified interface its IP address, subnet mask, and gateway. The no command makes the IP address static for the specified interface. (See the next command to set this IP address.)
ip address ip subnet mask
    Assigns the specified IP address and subnet mask to the specified interface. The no command clears the IP address and the subnet mask.
ip gateway ip
    Adds the specified gateway using the specified interface. The no command removes the gateway.
ip gateway ip metric <0..15>
    Sets the priority relative to every gateway on every in
172. ate status
current status: Anti Virus Current signature version 1.046 on device is latest at Tue Apr 17 10:18:00 2007
last update time: 2007-04-07 10:41:01
Router(config)# show anti virus signatures status
current version: 1.046
release date: 2007-04-06 10:41:29
signature number: 4124

21.4 Anti-virus Statistics

The following table describes the commands for collecting and displaying anti-virus statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 77 Commands for Anti-virus Statistics

COMMAND
    DESCRIPTION
[no] anti virus statistics collect
    Turn the collection of anti-virus statistics on or off.
anti virus statistics flush
    Clears the collected statistics.
show anti virus statistics summary
    Displays the collected statistics.
show anti virus statistics collect
    Displays whether the collection of anti-virus statistics is turned on or off.
show anti virus statistics ranking destination source virus name
    Query and sort the anti-virus statistics entries by destination IP address, source IP address or virus name. virus name: lists the most common viruses detected. source: lists the source IP addresses of the most virus-infected files. destination: lists the most common destination IP addresses for virus-infected files.

Chapter 21 Anti-Virus

21.4.1 Anti-virus
173. ation and four encryption methods (AES, 3DES, Arcfour and Blowfish). The SSH server is implemented on the NXC for remote management on port 22 (by default).

34.4.2 Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the NXC over SSH.

34.4.3 SSH Commands

The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 127 Command Summary: SSH

COMMAND
    DESCRIPTION
[no] ip ssh server
    Allows SSH access to the NXC CLI. The no command disables SSH access to the NXC CLI.
[no] ip ssh server cert certificate_name
    Sets a certificate whose corresponding private key is to be used to identify the NXC for SSH connections. The no command resets the certificate used by the SSH server to the factory default (default). certificate_name: The name of the certificate. You can use up to 31 alphanumeric and & _ characters.

Chapter 34 System Remote Management

[no] ip ssh server port <1..65535>
    Sets the SSH service port number. The no command resets the SSH service port number to the factory default (22).
ip ssh server rule rule_number append insert
    Sets a service control rule
174. ation file errors and continues booting.

show (U/P)
    Displays command statistics. See the associated command chapter in this guide.
shutdown (P)
    Writes all d data to disk and stops the system processes. It does not turn off the power.
telnet (U/P)
    Establishes a connection to the TCP port number 23 of the specified host name or IP address.
test aaa (U/P)
    Tests whether the specified user name can be successfully authenticated by an external authentication server.
traceroute
    Traces the route to the specified host name or IP address.
write
    Saves the current configuration to the NXC. All unsaved changes are lost after the NXC restarts.

Subsequent chapters in this guide describe the configuration commands. User/privilege mode commands that are also configuration commands (for example, show) are described in more detail in the related configuration command chapter.

Chapter 2 User and Privilege Modes

2.1.1 Debug Commands

Debug commands marked with an asterisk are not available when the debug flag is on and are for ZyXEL service personnel use only. The debug commands follow a syntax that is Linux-based, so if there is a Linux equivalent, it is displayed in this chapter for your reference. You must know a command listed here well before you use it. Otherwise, it may cause undesired results.

Table 6 Debug Commands

COMMAND SYNTAX | DESCRIPTION | LINUX COMMAND EQUIVALENT
debug alg FTP SIP
176. ber. The no command resets the HTTP service port number to the factory default (80).

[no] ip http secure port <1..65535>
    Sets the HTTPS service port number. The no command resets the HTTPS service port number to the factory default (443).
[no] ip http secure server
    Enables HTTPS access to the NXC web configurator. The no command disables HTTPS access to the NXC web configurator.
[no] ip http secure server auth client
    Sets the client to authenticate itself to the HTTPS server. The no command sets the client not to authenticate itself to the HTTPS server.
[no] ip http secure server cert certificate_name
    Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default (default). certificate_name: The name of the certificate. You can use up to 31 alphanumeric and & _ characters.

Table 126 Command Summary: HTTP/HTTPS (continued)

COMMAND
    DESCRIPTION
[no] ip http secure server force redirect
    Redirects all HTTP connection requests to a HTTPS URL. The no command disables forwarding HTTP connection requests to a HTTPS URL.
ip http secure server table admin user rule rule number append insert rule_number access group ALL address object zone ALL zone object a
177. ble it. By default this is disabled.

output power wlan power
    Sets the output power for the radio in this profile. The default is 100.
[no] ssid profile wlan interface index ssid profile
    Assigns an SSID profile to this radio profile. Requires an existing SSID profile. Use the no parameter to disable it.
exit
    Exits configuration mode for this profile.
show wlan monitor profile all monitor profile name
    Displays all monitor profiles or just the specified one.
wlan monitor profile rename monitor profile name1 monitor profile name2
    Gives an existing monitor profile (monitor profile name1) a new name (monitor profile name2).
[no] wlan monitor profile monitor profile name
    Enters configuration mode for the specified monitor profile. Use the no parameter to remove the specified profile.
[no] activate
    Makes this profile active or inactive. By default, this is enabled.
scan method scan method
    Sets the channel scanning method for this profile.
[no] 2g scan channel wireless channel 2g
    Sets the broadcast band for this profile in the 2.4 GHz frequency range. Use the no parameter to disable it.
[no] 5g scan channel wireless channel 5g
    Sets the broadcast band for this profile in the 5 GHz frequency range. Use the no parameter to disable it.
scan dwell <100..1000>
    Sets the duration in milliseconds that the device using this profile scans each channel.
exit
178. bute to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext group user user objects to identify groups based on these group identifier values. For example, you could have an attribute named "memberOf" with values like "sales", "RD" and "management". Then you could also create an ext group user user object for each group: one with "sales" as the group identifier, another for "RD" and a third for "management". The no command clears the setting.

[no] server host ldap server
    Enter the IP address (in dotted decimal notation) or the domain name of an LDAP server to add to this group. The no command clears this setting.
[no] server password password
    Sets the bind password (up to 15 characters). The no command clears this setting.
[no] server port port no
    Sets the LDAP port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
[no] server search time limit
    Sets the search timeout period (in seconds). Enter a time number between 1 and 300. The no command clears this setting and sets this to the default setting of 5 seconds.
[no] server ssl
    Enables the NXC to establish a secure connection to the LDAP server. The no command disables this feature.

28.2.3 aaa group server radius Commands

The following table lists the aaa group server radius commands you
179. c. The no command allows intra-zone traffic.

[no] interface interface name
    Adds the specified interface to the specified zone. The no command removes the specified interface from the specified zone.
exit
    Exits the sub-command mode for this zone.

Chapter 15 Zones

15.2.1 Zone Command Examples

The following commands add Ethernet interfaces ge1 and ge2 to zone A and block intra-zone traffic.

Router# configure terminal
Router(config)# zone A
Router(zone)# interface ge1
Router(zone)# interface ge2
Router(zone)# block
Router(zone)# exit
Router(config)# show zone
No.  Name  Block  Member
1    A     yes    ge1 ge2
Router(config)# show zone A
blocking intra-zone traffic: yes
No.  Type       Member
1    interface  ge1
2    interface  ge2

ALG

This chapter covers how to use the NXC's ALG feature to allow certain applications to pass through the NXC.

16.1 ALG Introduction

The NXC can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the NXC's NAT. Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets' data payload. The NXC examines and uses IP address and port number information embedded in the VoIP traffic's data strea
180. cation watchdog reboot log.

42.3.1 Application Watchdog Commands Example

The following example displays the application watchdog configuration.

Router# configure terminal
Router(config)# show app watch dog config
Application Watch Dog Setting:
activate: yes
alert: yes
console print: always
retry count: 3
auto recover: yes
system reboot: yes
interval: 60 seconds
mem threshold: 80 90
cpu threshold: 80 90
disk threshold: 80 90
Router(config)#

Chapter 42 Watchdog Timer

The following example lists the processes that the application watchdog is monitoring.

Router# configure terminal
Router(config)# show app watch dog monitor list

Output columns: app_name, min process count, max process count, recover_enable, recover reboot, recover always, recover max try count, recover_max_fail_count.
Processes listed in the output: uamd, firewalld, policyd, classify, resd, zyshd_wd, zyshd, httpd, dhcpd, zylogd, syslog ng, zylogger, ddns_had, zebra, link updown, fauthd, signal_wrapper, capwap srv, ipmonitord.

Managed AP Commands

Connect directly to a managed AP
181. ccessfully transferred
226 3.231 seconds (measured here), 10.83 Mbytes per second
36708858 bytes sent in 3.23Seconds 11350.91Kbytes/sec.

Chapter 35 File Manager

8 After the transfer is complete, "Firmware received" or "ZLD current received" displays. Wait (up to four minutes) while the NXC recovers the firmware.

Figure 32 Firmware Received and Recovery Started

Firmware received
Update Filesystem
Updating Code

9 The console session displays "done" when the firmware recovery is complete. Then the NXC automatically restarts.

Figure 33 Firmware Recovery Complete and Restart

Kernel
Extracting Kernel Image done
Writing Kernel Image done
BootModulel
Extracting BootModule Image done
Writing BootModule
Restarting system

10 The username prompt displays after the NXC starts up successfully. The firmware recovery process is now complete and the NXC is ready to use.

Figure 34 Restart Complete

Setting the System Clock using the Hardware Clock as reference
System Clock set. Local time: Sun Jan 26 21:40:24 UTC 2003
Cleaning: /tmp /var/lock /var/run
Initializing random number generator done
Initializing Debug Account Authentication Seed (DAAS) done
Lionic device init successfully
cavium nitrox device CN1005 init complete
INIT: Entering runlevel: 3
i zylog daemon zulogd zyl
183. ction accept

The following command sets the password (secret) for read-write (rw) access.

Router# configure terminal
Router(config)# snmp server community secret rw

The following command sets the IP address of the host that receives the SNMP notifications to 172.23.15.84 and the password (sent with each trap) to qwerty.

Router# configure terminal
Router(config)# snmp server host 172.23.15.84 qwerty

34.9 Language Commands

Use the Language commands to display what language the web configurator is using or change it. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 132 Command Summary: Language

COMMAND
    DESCRIPTION
language <English | Simplified_Chinese | Traditional_Chinese>
    Specifies the language used in the web configurator screens.
show language setting all
    setting: displays the current display language in the web configurator screens. all: displays the available languages.

File Manager

This chapter covers how to work with the NXC's firmware, certificates, configuration files, custom IDP signatures, packet trace results, shell scripts and temporary files.

35.1 File Directories

The NXC stores files in the following directories.

Table 133 FTP File Transfer Notes

DIRECTORY FILE TYPE NGN A Firmware upload only bin cert Non P
184. ction accept deny
    Sets a service control rule for HTTPS service.
ip http secure server table admin user rule move rule number to rule number
    Changes the index number of a HTTPS service control rule.
ip http secure server cipher suite cipher algorithm cipher algorithm cipher algorithm cipher algorithm
    Sets the encryption algorithms (up to four) that the NXC uses for the SSL in HTTPS connections and the sequence in which it uses them. The cipher algorithm can be any of the following.
    rc4: RC4 (RC4 may impact the NXC's CPU performance since the NXC's encryption accelerator does not support it).
    aes: AES
    des: DES
    3des: Triple DES
no ip http secure server cipher suite cipher algorithm
    Has the NXC not use the specified encryption algorithm for the SSL in HTTPS connections.
[no] ip http server
    Allows HTTP access to the NXC web configurator. The no command disables HTTP access to the NXC web configurator.
ip http server table admin user rule rule number append insert rule number access group ALL address object zone ALL zone object action accept deny
    Sets a service control rule for HTTP service.
ip http server table admin user rule move rule number to rule number
    Changes the number of a HTTP service control rule.
no ip http secure server table admin user rule rule number
    Deletes a service control rule for HTTPS service.
no ip h
185. d
    Shows the settings for a range of session limit rules.
show session limit rule number
    Shows the session limit rule's settings.
show session limit status
    Shows the general session limit settings.

Chapter 19 Firewall

Application Patrol

This chapter describes how to set up application patrol for the NXC.

20.1 Application Patrol Overview

Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, http and ftp) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP) and streaming (RTSP) applications. You can even control the use of a particular application's individual features (like text messaging, voice, video conferencing and file transfers). Application patrol also has powerful bandwidth management, including traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.

The NXC checks firewall rules before application patrol rules for traffic going through the NXC. To use a service, make sure both the firewall and application patrol allow the service's packets to go through the NXC.

Application patrol examines every TCP and UDP connection passing through the NXC and identifies what application is using the connection. Then you can specify, by application, whether or not the NXC continues to route the
186. d

show led status
    Displays the status of each LED on the NXC.
show mac
    Displays the NXC's MAC address.
show mem status
    Displays what percentage of the NXC's memory is currently being used.
show ram size
    Displays the size of the NXC's on-board RAM.
show serial number
    Displays the serial number of this NXC.
show socket listen
    Displays the NXC's listening ports.
show socket open
    Displays the ports that are open on the NXC.
show system uptime
    Displays how long the NXC has been running since it last restarted or was turned on.
show version
    Displays the NXC's model, firmware and build information.

Chapter 4 Status

Here are examples of the commands that display the CPU and disk utilization.

Router(config)# show cpu status
CPU utilization: 0
CPU utilization for 1 min: 0
CPU utilization for 5 min: 0
Router(config)# show disk <cr>
Router(config)# show disk
No.  Disk           Size(MB)  Usage
1    image          67        83
2    onboard flash  163       15

Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size and serial number.

Router(config)# show fan speed
FAN1 (F00) (rpm): limit hi 6500, limit lo 1400, max 6650, min 6642, avg 6644
FAN2 (F01) (rpm): limit hi
187. d removes the geographic location for the NXC.

[no] snmp server port <1..65535>
    Sets the SNMP service port number. The no command resets the SNMP service port number to the factory default (161).
snmp server rule rule number append insert rule number access group ALL address object zone ALL zone object action accept deny
    Sets a service control rule for SNMP service. address object: The name of the IP address (group) object. You may use 1 to 31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case sensitive. zone object: The name of the zone. Use up to 31 characters (a-zA-Z0-9). The name cannot start with a number. This value is case sensitive. You can also use pre-defined zone names like LAN and WLAN.
snmp server rule move rule number to rule number
    Changes the index number of a service control rule.
no snmp server rule rule number
    Deletes a service control rule for SNMP service.
show snmp status
    Displays SNMP settings.

34.8.4 SNMP Commands Examples

The following command sets a service control rule that allowed the computers with the IP addresses matching the specified address object to access the specified zone using SNMP service.

Router# configure terminal
Router(config)# snmp server rule 11 access group Example zone WAN a
190. d the file name would still match. A file named test.zipa, for example, would not match.

A * in the middle of a pattern has the NXC check the beginning and end of the file name and ignore the middle. For example, with abc*.zip, any file starting with abc and ending in .zip matches, no matter how many characters are in between.

The whole file name has to match if you do not use a question mark or asterisk.

If you do not use a wildcard, the NXC checks up to the first 80 characters of a file name.

21.2.1 General Anti-virus Commands

The following table describes general anti-virus commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.

You must register for the anti-virus service before you can use it (see Chapter 5 on page 41).

Table 72 General Anti-virus Commands

COMMAND
    DESCRIPTION
[no] anti virus activate
    Enables anti-virus service. Anti-virus service also depends on anti-virus service registration.
show anti virus activation
    Displays anti-virus service status.
[no] anti virus eicar activate
    Turns detection of the EICAR test file on or off.
show anti virus eicar activation
    Displays whether or not detection of the EICAR test file is turned on.
anti virus reload signatures
    Recovers the anti-virus signatures. You should only need to do this i
191. d you must use the character.

Use these commands to have the NXC e-mail you system statistics every day. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 148 Email Daily Report Commands

COMMAND
    DESCRIPTION
daily report [no] activate
    Turns daily e-mail reports on or off.
show daily report status
    Displays the e-mail daily report settings.
daily report
    Enter the daily report sub-command mode.
smtp address ip hostname
    Sets the SMTP mail server IP address or domain name.
[no] smtp auth activate
    Enables or disables SMTP authentication.
smtp auth username username password password
    Sets the username and password for SMTP authentication.
no smtp address
    Resets the SMTP mail server configuration.
no smtp auth username
    Resets the authentication configuration.
mail subject set subject
    Configures the subject of the report e-mails.
no mail subject set
    Clears the configured subject for the report e-mails.
[no] mail subject append system name
    Determines whether the system name will be appended to the subject of report mail.
[no] mail subject append date time
    Determine whether the sending date-time will be appended at subject of the report e-mails.
mail from e mail
    Sets the sender value of the report e-mails.
mail to 1 e mail
    Sets to whom the NXC send
193. ddress
    Specify the IP address of the Ekahau RTLS Controller.
rtls ekahau ip port <1..65535>
    Specify the server port number of the Ekahau RTLS Controller.
rtls ekahau flush
    Clear the saved RTLS information from the NXC.
show rtls ekahau config
    Displays the RTLS configuration.
show rtls ekahau cli
    Displays the RTLS information recorded on the NXC.

Chapter 18 RTLS

Firewall

This chapter introduces the NXC's firewall and shows you how to configure your NXC's firewall.

19.1 Firewall Overview

The NXC's firewall is a stateful inspection firewall. The NXC restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.

A zone is a group of interfaces. Group the NXC's interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones or even between interfaces in a zone.

The following figure shows the NXC's default firewall rules in action as well as demonstrates how stateful inspection works. User 1 can initiate a Telnet session from within the LAN zone and responses to this request are allowed. However, other Telnet traffic initiated from the WAN or DMZ zone and destined for the LAN zone is blocked. Communications between t
194. de to set a session limit rule.

[no] activate
    Enables the session limit rule. The no command disables the session limit rule.
[no] address address object
    Sets the source IP address. The no command sets this to any, which means all IP addresses.
[no] description description
    Sets a descriptive name (up to 64 printable ASCII characters) for a session limit rule. The no command removes the descriptive name from the rule.
exit
    Quits the firewall sub-command mode.
[no] limit <0..8192>
    Sets the limit for the number of concurrent NAT/firewall sessions this rule's users or addresses can have. 0 means any.
[no] user user_name
    Sets a session limit rule for the specified user. The no command resets the user name to the default (any). any means all users.
session limit append
    Enters the session limit sub-command mode to add a session limit rule to the end of the session limit rule list.
session limit delete rule number
    Removes a session limit rule.
session limit flush
    Removes all session limit rules.
session limit insert rule number
    Enters the session limit sub-command mode to add a session limit rule before the specified rule number.
session limit move rule number to rule number
    Moves a session limit to the number that you specified.
show session limit
    Shows the session limit configuration.
rule number show session limit begin rule number en
196. domain_name ip default gateway
    Specifies what the NXC pings for the ping check; you can specify a fully qualified domain name, IP address, or the default gateway for the interface.

ping check domain_name ip default gateway period <5..30>
    Specifies what the NXC pings for the ping check and sets the number of seconds between each ping check.

ping check domain_name ip default gateway timeout <1..10>
    Specifies what the NXC pings for the ping check and sets the number of seconds the NXC waits for a response.

ping check domain_name ip default gateway fail tolerance <1..10>
    Specifies what the NXC pings for the ping check and sets the number of times the NXC times out before it stops routing through the specified interface.

ping check domain_name ip default gateway method icmp tcp
    Sets how the NXC checks the connection to the gateway.
    icmp: ping the gateway you specify to make sure it is still available.
    tcp: perform a TCP handshake with the gateway you specify to make sure it is still available.

ping check domain_name ip default
    Specifies the port number to use for a TCP connectivity check.

6.2.3.1 Connectivity Check Command Example

The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2.

wan1 Router config Router configure termin
198. dresses and port numbers embedded in the H.323 or FTP data payload. The no command turns off the H.323 or FTP ALG or removes the settings that you specify.

[no] alg sip defaultport <1..65535>
    Adds or removes a custom UDP port number for SIP traffic.

show alg sip h323 ftp
    Displays the specified ALG's configuration.

16.3 ALG Commands Example

The following example turns on pass through for SIP and turns it off for H.323.

Router# configure terminal
Router(config)# alg sip
Router(config)# no alg h323

Captive Portal

This chapter describes how to configure which HTTP-based network services default to the captive portal page when a client makes an initial network connection.

17.1 Captive Portal Overview

A captive portal can intercept all network traffic, regardless of address or port, until the user authenticates his or her connection, usually through a specifically designated login Web page.

17.1.1 Web Authentication Policy Commands

Use these commands to use a custom login page from an external web portal instead of the default one built into the NXC. You can configure the look and feel of the web portal page.

Note: It is recommended to have the external web server on the same subnet as the login users.

Table 51 Web Authentication Policy Commands

COMMAND / DESCRIPTION

[no] web auth activate
    Turns on the captive portal feature. This blocks all net
199. e retry times the primary RADIUS server before attempting to use the secondary RADIUS server. This also sets how many times the NXC attempts to use the secondary RADIUS server. The no command clears this setting.

[no] server nas id <nas_identifier>
    Specifies the Network Access Server identifier attribute value if the RADIUS server requires it. The no command clears this setting.

Table 112 aaa group server radius Commands (continued)

COMMAND / DESCRIPTION

[no] server nas ip <nas_address>
    Specifies the Network Access Server IP address attribute value if the RADIUS server requires it. The no command clears this setting.

[no] server acct interim activate
    Enable this to have the NXC send subscriber status updates to the RADIUS server. The no command has the NXC not send subscriber status updates to the RADIUS server.

28.2.4 aaa group server Command Example

The following example creates a RADIUS server group with two members and sets the secret key to 12345678 and the timeout to 100 seconds. Then this example also shows how to view the RADIUS group settings.

Router configure terminal
Router config aaa group server radius RADIUSGroupl
Router group server radius
Router group server radius
Router group server radius
Router group server radius
Router group server radius
Router config show aaa grou
200. e The default for this is short 2g basic speed wlan 2g basic speed Sets the 2 4 GHz basic band rates The default is 1 0 2 0 5 5 11 0 NXC CLI Reference Guide Chapter 9 Wireless LAN Profiles Table 31 Command Summary Radio Profile continued COMMAND DESCRIPTION 2g support speed disable wlan 2g support speed Disables or sets the 2 4 GHz support rate The default is 1 0 54 0 2g mcs speed disable wlan mcs speed Disables or sets the 2 4 GHz HT MCS rate The default is 0 15 2g multicast speed wlan 2g support speed When you disable multicast to unicast use this command to set the data rate 1 0 2 0 Fin Mbps for 2 4 GHz multicast traffic 5g basic speed wlan 5g basic speed Sets the 5 GHz basic band rate The default is 6 0 12 0 24 0 5g support speed disable wlan 5g support speed Disables or sets the 5 GHz support rate The default is 6 0 54 0 5g mcs speed disable wlan mcs speed Disables or sets the 5 GHz HT MCS rate The default is 0 15 5g multicast speed wlan 5g basic speed When you disable multicast to unicast use this command to set the data rate 6 0 9 0 in Mbps for 5 GHz multicast traffic tx mask chain mask Sets the outgoing chain mask rate rx mask chain mask Sets the incoming chain mask rate no htprotection Activates HT protection for this profile Use the no parameter to disa
201. e configuration file or shell script and applies all of the valid commands. The NXC still generates a log for any errors.

35.2.3 NXC Configuration File Details

You can store multiple configuration files on the NXC. You can also have the NXC use a different configuration file without the NXC restarting.

When you first receive the NXC, it uses the system-default.conf configuration file of default settings.

When you change the configuration, the NXC creates a startup-config.conf file of the current configuration.

The NXC checks the startup-config.conf file for errors when it restarts. If there is an error in the startup-config.conf file, the NXC copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file.

When the NXC reboots, if the startup-config.conf file passes the error check, the NXC keeps a copy of the startup-config.conf file as the lastgood.conf configuration file for you as a back up file. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.

35.2.4 Configuration File Flow at Restart

If there is not a startup-config.conf when you restart the NXC (whether through a management interface or by physically turning the power off and back on), the NXC uses the system-default.conf configuration file with
202. e none from WAN to LAN source IP any source port any destination IP any service any log no action deny status yes Router config

19.3 Session Limit Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 59 Input Values for General Session Limit Commands

LABEL / DESCRIPTION

rule_number
    The priority number of a session limit rule, 1 - 1000.

address_object
    The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

user_name
    The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

The following table describes the session limit commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 60 Command Summary: Session Limit

COMMAND / DESCRIPTION

[no] session limit activate
    Turns the session limit feature on or off.

session limit limit <0..8192>
    Sets the default number of concurrent NAT/firewall sessions per host.

session limit rule_number
    Enters the session limit sub command mo
203. e 58 firewall Sub-commands

COMMAND / DESCRIPTION

action allow deny reject
    Sets the action the NXC takes when packets match this rule.

[no] activate
    Enables a firewall rule. The no command disables the firewall rule.

[no] ctmatch dnat snat
    Use dnat to block packets sent from a computer on the NXC's WAN network from being forwarded to an internal network according to a virtual server rule.
    Use snat to block packets sent from a computer on the NXC's internal network from being forwarded to the WAN network according to a 1:1 NAT or Many 1:1 NAT rule.
    The no command forwards the matched packets.

[no] description description
    Sets a descriptive name (up to 60 printable ASCII characters) for a firewall rule. The no command removes the descriptive name from the rule.

[no] destinationip address_object
    Sets the destination IP address. The no command resets the destination IP address(es) to the default (any). any means all IP addresses.

[no] from zone_object
    Sets the zone on which the packets are received. The no command removes the zone on which the packets are received and resets it to the default (any). any means all interfaces or VPN tunnels.

[no] log alert
    Sets the NXC to create a log (and optionally an alert) when packets match this rule. The no command sets the NXC not to create a log or alert when packets match this rule.

[no] schedule schedule_object
    Sets the sc
204. e Capture

COMMAND / DESCRIPTION

frame capture configure
    Enters sub-command mode for wireless frame capture.

src ip add del ipv4_address local
    Sets or removes the IPv4 address of an AP controlled by the NXC that you want to monitor. You can use this command multiple times to add additional IPs to the monitor list.

file prefix file_name
    Sets the file name prefix for each captured file. Enter up to 31 alphanumeric characters. Spaces and underscores are not allowed.

files size mon_dir_size
    Sets the total combined size (in kbytes) of all files to be captured.

exit
    Exits configuration mode for wireless frame capture.

[no] frame capture activate
    Starts wireless frame capture. Use the no parameter to turn it off.

show frame capture status
    Displays whether frame capture is running or not.

show frame capture config
    Displays the frame capture configuration.

11.2.1 Wireless Frame Capture Examples

This example configures the wireless frame capture parameters for an AP located at IP address 192.168.1.2.

Router config frame capture configure Router Router Router frame capture Router frame capture Router config frame capture src ip add 192.168.1.2 frame capture file prefix monitor files siz exit 1000

This example shows frame capture status and configuration.

capture status off file prefix mon
205. e Profile (continued)

COMMAND / DESCRIPTION

description description
    Sets the description of this interface. It is not used elsewhere. You can use alphanumeric and _ characters, and it can be up to 60 characters long.

no description
    Removes the VLAN description.

no shutdown
    Exits this sub command mode, saving all changes but without enabling the VLAN.

[no] ip dhcp pool profile_name
    Sets the DHCP server pool. The no command removes the specified DHCP pool.

[no] ip helper address ip_address
    Sets the IP helper address. The no command removes the IP address.

exit
    Exits configuration mode for this interface.

6.7.1 VLAN Interface Examples

This example creates a VLAN interface called vlan0.

Router(config)# interface vlan0
Router(config-if-vlan)# vlanid 100
Router(config-if-vlan)# join ge2 untag
Router(config-if-vlan)# ip address 1.2.3.4 255.255.255.0
Router(config-if-vlan)# ip gateway 2.2.2.2 metric 11
Router(config-if-vlan)# mtu 598
Router(config-if-vlan)# upstream 345
Router(config-if-vlan)# downstream 123
Router(config-if-vlan)# description I am vlan0
Router(config-if-vlan)# exit
Router(config)#

This example changes VLAN interface vlan0 to use DHCP.

Router(config)# interface vlan0
Router(config-if-vlan)# vlanid 100
Router(config-if-vlan)# join ge1 untag
Router(config-if-vlan)# ip address dhcp metric
208. e it. By default, no MAC filter is assigned.

exit
    Exits configuration mode for this profile.

9.3.1 SSID Profile Example

The following example creates an SSID profile with the name ZyXEL. It makes the assumption that both the security profile (SECURITY01) and the MAC filter profile (MACFILTER01) already exist.

Router config ssid radio Router config ssid radio Router config ssid radio Router config ssid radio Router config Router config wlan ssid profile SSID01 Router config ssid radio ssid ZyXEL Router config ssid radio qos wmm data forward localbridge security SECURITY01 macfilter MACFILTER01 exit

9.4 Security Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 34 Input Values for General Security Profile Commands

LABEL / DESCRIPTION

security_profile_name
    The security profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

wep_key
    Sets the WEP key encryption strength. Select either 64bit or 128bit.

Table 34 Input Values for General Security Profile Commands (continued)

LABEL / DESCRIPT
209. e model and firmware version can synchronize. Otherwise you must manually configure the master NXC's settings on the backup (by editing copies of the configuration files in a text editor, for example).

23.1.1 Before You Begin

Configure a static IP address for each interface that you will have device HA monitor.

Note: Subscribe to services on the backup NXC before synchronizing it with the master NXC.

Synchronization includes updates for services to which the master and backup NXCs are both subscribed. For example, a backup subscribed to IDP/AppPatrol but not anti-virus gets IDP/AppPatrol updates from the master, but not anti-virus updates. It is highly recommended to subscribe the master and backup NXCs to the same services.

23.2 General Device HA Commands

This table lists the general commands for device HA.

Table 92 device ha General Commands

COMMAND / DESCRIPTION

show device ha status
    Displays whether or not device HA is activated, the configured device HA mode, and the status of the monitored interfaces.

[no] device ha activate
    Turns device HA on or off.

device ha mode active passive
    Sets the NXC to use active-passive or legacy (VRRP group based) device HA.

23.3 Active-Passive Mode Device HA

Virtual Router
    The master and backup NXC form a single virtual router.

Cluster ID
    You can have multiple NXC virtual routers on your
210. e of the user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. It cannot be the same as the user name.

The following sections list the username/groupname commands.

24.2.1 User Commands

The first table lists the commands for users.

Table 97 username/groupname Commands Summary: Users

COMMAND / DESCRIPTION

show username username
    Displays information about the specified user or about all users set up in the NXC.

username username nopassword user type admin guest limited admin user
    Creates the specified user (if necessary), disables the password, and sets the user type for the specified user.

username username password password user type admin guest limited admin user
    Creates the specified user (if necessary), enables and sets the password, and sets the user type for the specified user.
    password: You can use 1-63 printable ASCII characters, except double quotation marks (") and question marks (?).

username username user type ext group user
    Creates the specified user (if necessary) and sets the user type to Ext User.

username username user type mac address
    Creates the specified user (if necessary) and sets the user type to mac address.

no username username
    Deletes the specified user.

username rename username username
    Renames the specified user (first username) to the sp
211. e write command to save your configuration changes to the flash (non-volatile or long-term) memory.

Use this command without specifying either ignore error or rollback: this is not recommended because it would leave the rest of the configuration blank. If the interfaces were not configured before the first error, the console port may be the only way to access the device.

Use ignore error without rollback: this applies the valid parts of the configuration file and generates error logs for all of the configuration file's errors. This lets the NXC apply most of your configuration, and you can refer to the logs for what to fix.

Use both ignore error and rollback: this applies the valid parts of the configuration file, generates error logs for all of the configuration file's errors, and starts the NXC with a fully valid configuration file.

Use rollback without ignore error: this gets the NXC started with a fully valid configuration file as quickly as possible.

You can use the apply /conf/system-default.conf command to reset the NXC to go back to its system defaults.

copy cert conf idp packet trace script tmp file name a conf cert conf idp packet trace script tmp file name b conf
    Saves a duplicate of a file on the NXC from the source file name to the target file name. Specify the directory and file name of the file that you want to copy and the directory and file name to use for the duplicate
214. ecified username (second username).

username username [no] description description
    Sets the description for the specified user. The no command clears the description.
    description: You can use alphanumeric and _ characters, and it can be up to 60 characters long.

username username logon time setting default manual
    Sets the account to use the factory default lease and reauthentication times or custom ones.

Table 97 username/groupname Commands Summary: Users (continued)

COMMAND / DESCRIPTION

username username [no] logon lease time <0..1440>
    Sets the lease time for the specified user. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes (regardless of the current default setting for new users).

username username [no] logon re auth time <0..1440>
    Sets the reauthorization time for the specified user. Set it to zero to set unlimited reauthorization time. The no command sets the reauthorization time to thirty minutes (regardless of the current default setting for new users).

24.2.2 User Group Commands

This table lists the commands for groups.

Table 98 username/groupname Commands Summary: Groups

COMMAND / DESCRIPTION

show groupname groupname
    Displays information about the specified user group or about all user groups set up in
215. ection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the NXC stops routing to the gateway. The NXC resumes routing to the gateway the first time the gateway passes the connectivity check.

This table lists the ping check commands.

Table 15 interface Commands: Ping Check

COMMAND / DESCRIPTION

show ping check interface_name status
    Displays information about ping check settings for the specified interface or for all interfaces.
    status: displays the current connectivity check status for any interfaces upon which it is activated.

show ping check interface_name
    Displays information about ping check settings for the specified interface or for all interfaces.

[no] connectivity check continuous log activate
    Use this command to have the NXC log connectivity check results continuously. The no command disables the setting.

show connectivity check continuous log status
    Displays the continuous log setting for the connectivity check.

interface interface_name
    Enters sub-command mode.

[no] ping check activate
    Enables ping check for the specified interface. The no command disables ping check for the specified interface.

gateway port <1..65535> ping check
216. ed the recovery image file. You only need to use this section if you need to restore the recovery image.

1 Restart the NXC.

2 When "Press any key to enter debug mode within 3 seconds." displays, press a key to enter debug mode.

Figure 24 Enter Debug Mode

BootModule Version U1 011 i 2007 03 30 12 22 57
DRAM Size 510 Mbytes
DRAM POST Testing 522240K OK
DRAM Test SUCCESS
Kernel Version V2 4 2 kernel 2006 08 21 i 2006 08 21 19 54 00
ZLD Version U1 01 XL 0 2006 09 11 17 41 56
Press any key to enter debug mode within 3 seconds
Enter Debug Mode

3 Enter atuk to initialize the recovery process. If the screen displays "ERROR", enter atur to initialize the recovery process.

Note: You only need to use the atuk or atur command if the recovery image is damaged.

Figure 25 atuk Command for Restoring the Recovery Image

> atuk
This command is for restoring the recovery image (xxx.ri).
Use this command only when
1) the console displays "Invalid Recovery Image" or
2) the console freezes at "Press any key to enter debug mode within 3 seconds" for more than one minute.
Note: Please exit this command immediately if you do not need to restore the recovery image.
Do you want to start the recovery process Y N default ME

4 Enter Y and wait for the "Starting XMODEM upload" message before activating XMODEM upload on your termi
217. edits a DHCP extended option for the specified DHCP pool.
    text: String of up to 250 characters.
    hex: String of up to 250 hexadecimal pairs.
    vivc: Vendor-Identifying Vendor Class option. A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs.
    enterprise_id: Number <0..4294967295>.
    hex_s: String of up to 120 hexadecimal pairs.
    vivs: Vendor-Identifying Vendor-Specific option. DHCP clients and servers may use this option to exchange vendor-specific information.

no dhcp option <1..254>
    Removes the DHCP extended option for the specified DHCP pool.

network IP/<1..32>
network ip mask
no network
    Specifies the IP address and subnet mask of the specified DHCP pool. The subnet mask can be written in w.x.y.z format or in /<1..32> format.
    Note: The DHCP pool must have the same subnet as the interface to which you plan to bind it.
    The no command clears these fields.

[no] default router ip
    Specifies the default gateway DHCP clients should use. The no command clears this field.

[no] description description
    Specifies a description for the DHCP pool for identification. The no command removes the description.

[no] domain name domain_name
    Specifies the domain name assigned to DHCP clients. The no command clears this field.
219. efault default

[no] auth server cert certificate_name
    Specifies a certificate used by the authentication server (NXC). The no command resets the certificate used by the authentication server to the factory default (default).
    certificate_name: The name of the certificate. You can use up to 31 alphanumeric and & _ characters.

[no] auth server trusted client profile_name
    Creates a trusted RADIUS client profile. The no command deletes the specified profile.
    profile_name: You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

[no] activate
    Enables the client profile. The no command disables the profile.

[no] ip address ip subnet mask
    Sets the client's IP address and subnet mask. The no command clears this setting.

[no] secret secret
    Sets a password as the key to be shared between the NXC and the client. The no command clears this setting.

Table 115 Command Summary: Authentication Server (continued)

COMMAND / DESCRIPTION

[no] description description
    Sets the description for the profile. The no command clears this setting.
    description: You can use alphanumeric and _ characters, and it can be up to 60 characters long.

show auth server status
    Displays the NXC's authentication server settings
221. elivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. This value can be set from 1 to 255. The default is 1.

NXC CLI Reference Guide, Chapter 9 Wireless LAN Profiles
Table 31 Command Summary: Radio Profile (continued)

beacon interval <40..1000>
    Sets the beacon interval for this profile. When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power mode before waking up to handle the beacon. This value can be set from 40ms to 1000ms. A high value helps save current consumption of the access point. The default is 100.
no ampdu
    Activates MPDU frame aggregation for this profile. Use the no parameter to disable it. Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates. By default this is enabled.
limit ampdu <100..65535>
    Sets the maximum frame size to be aggregated. By default this is
222. enabled this ensures that an AP will not change channels as long as a client is connected to it If disabled the AP may change channels regardless of whether it has clients connected to it or not dcs channel deployment 3 channel 4 channel Sets either a 3 channel deployment or a 4 channel deployment In a 3 channel deployment the AP running the scan alternates between the following channels 1 6 and 11 In a 4 channel deployment the AP running the scan alternates between the following channels 1 4 7 and 11 FCC or 1 5 9 and 13 ETSI Sets the option that is applicable to your region Channel deployment may be regulated differently between countries and locales dcs dfs aware enable disable Enables this to allow an AP to avoid phase DFS channels below the 5 GHz spectrum show dcs config Displays the current DCS configuration 12 2 1 DCS Examples This example creates a DCS configuration Router config Router config dcs dcs time interval 720 sensitivity level high client awar nabl Router config dcs Router config dcs Router config dcs channel deployment 3 channel dfs aware enable NXC CLI Reference Guide Chapter 12 Dynamic Channel Selection This example displays the DCS configuration created in the previous example dcs dcs dcs dcs dcs dcs dcs dcs dcs dcs Router config show dcs
223. enia

NXC CLI Reference Guide, Chapter 5 Registration
Table 11 Country Codes (continued)

COUNTRY CODE  COUNTRY NAME
012  Aruba
013  Ascension Island
014  Australia
015  Austria
016  Azerbaijan
017  Bahamas
018  Bahrain
019  Bangladesh
020  Barbados
021  Belarus
022  Belgium
023  Belize
024  Benin
025  Bermuda
026  Bhutan
027  Bolivia
028  Bosnia and Herzegovina
029  Botswana
030  Bouvet Island
031  Brazil
032  British Indian Ocean Territory
033  Brunei Darussalam
034  Bulgaria
035  Burkina Faso
036  Burundi
037  Cambodia
038  Cameroon
039  Canada
040  Cape Verde
041  Cayman Islands
042  Central African Republic
043  Chad
044  Chile
045  China
046  Christmas Island
047  Cocos (Keeling) Islands
048  Colombia
049  Comoros
050  Congo, Democratic Republic of the
051  Congo, Republic of
052  Cook Islands
053  Costa Rica
054  Cote d'Ivoire
055  Croatia (Hrvatska)
056  Cyprus
057  Czech Republic
058  Denmark
059  Djibouti
060  Dominica
061  Dominican Republic
062  East Timor
063  Ecuador
064  Egypt
065  El Salvador
066  Equatorial Guinea
067  Eritrea
068  Estonia
069  Ethiopia
070  Falkland Islands (Malvina)
071  Faroe Islands
072  Fiji
073  Finland
074  France
075  France, Metropolitan
076  French Guiana
077  French Polynesia
078  French Southern Territories
079  Gabon
080  Gambia
081  Georgia
082  Germany
083  Ghana
084
224. er action drop reject sender reject receiver reject both Sets icmp decoder action no icmp decoder truncated header truncated timestamp header truncated address header action Deactivates icmp decoder actions show idp anomaly profile scan detection all details Shows all scan detection settings of the specified IDP profile show idp anomaly profile scan detection tcp portscan tcp decoy portscan tcp portsweep tcp distributed portscan tcp filtered portscan tcp filtered decoy portscan tcp filtered distributed portscan tcp filtered portsweep details Shows selected TCP scan detection settings for the specified IDP profile show idp anomaly profile scan detection udp portscan udp decoy portscan udp portsweep udp distributed portscan udp filtered portscan udp filtered decoy portscan udp filtered distributed portscan filtered portsweep details udp Shows UDP scan detection settings for the specified IDP profile show idp anomaly profile scan detection ip protocol scan ip decoy protocol scan ip protocol sweep ip distributed protocol scan ip filtered protocol scan ip filtered decoy protocol scan ip filtered distributed protocol scan ip filtered protocol sweep details Shows IP scan detection settings for the specified IDP profile show idp anomaly profile scan detection icmp sweep icmp f
225. er deactivates it

server domain auth domain name netbios name
    Adds the NetBIOS name of the AD server. The NXC uses it with the user name in the format NetBIOS\USERNAME to do authentication. The NXC uses the format USERNAME@realm if you do not configure the NetBIOS name.
server domain auth username username password password
    Sets the user name and password for domain authentication.
server domain auth realm realm
    Sets the realm for domain authentication.
no server port port no
    Sets the AD port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
no server search time limit time
    Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no command clears this setting and sets this to the default setting of 5 seconds.
no server ssl
    Enables the NXC to establish a secure connection to the AD server. The no command disables this feature.

28.2.2 aaa group server ldap Commands
The following table lists the aaa group server ldap commands you use to configure a group of LDAP servers.

Table 111 aaa group server ldap Commands

clear aaa group server ldap group name
    Deletes all LDAP server groups or the specified LDAP server group.
    Note: You can NOT delete a server group that is currently in use.
group name group name show aaa group server ldap group
    Displa
227. ers sub command mode app other lt 1 64 gt Enters sub command mode for editing the rule at the specified row app other default Enters sub command mode for editing the default rule for traffic of an unidentified application app other move rule_number to rule_number Moves the specified rule first index to the specified location The process is 1 remove the specified rule from the table 2 re number 3 insert the rule at the specified location no app other rule_number Deletes the specified rule 20 2 5 1 Other Rule Sub commands The following table describes the sub commands for several application patrol other rule commands Note that not all rule commands use all the sub commands listed here Table 69 app patrol other rule Sub commands COMMAND DESCRIPTION no activate Turns on this rule The no command turns off this rule no port lt 0 65535 gt Specifies the destination port 0 means any no schedule profile_name Adds the specified schedule to the rule no user username Adds the specified user to the rule no from zone_name Specifies the source zone no to zone_name Specifies the destination zone no source profile_name Adds the specified source address to the rule no destination profile_name Adds the specified destination address to the rule no protocol tcp udp Adds the specified protocol to the rule access forward drop reject Specifies the action when traffic matche
228. es port 0 schedule none user any from zone any to zone any source address any destination address any access forward action login na action message na action audio na action video na action file transfer na DSCP inbound marking preserve DSCP outbound marking preserve bandwidth excess usage no bandwidth priority 1 bandwidth inbound 0 bandwidth outbound 0 log no Router configure terminal Router config f show app other config bandwidth graph yes NXC CLI Reference Guide Chapter 20 Application Patrol Router configure terminal Router config show app other rule all index 1 activate yes port 5963 schedule none user any from zone any to zone any source address any destination address any protocol tcp access forward DSCP inbound marking preserve DSCP outbound marking preserve bandwidth excess usage no bandwidth priority 1 bandwidth inbound 0 bandwidth outbound 0 log no index default activate yes port 0 Schedule none user any from zone any to zone any Source address any destination address any protocol any access forward DSCP inbound marking preserve DSCP outbound marking preserve bandwidth excess usage no bandwidth priority 1 bandwidth inbound 0 bandwidth outbound 0 log no NXC CLI Reference Guide Anti Virus This chapter introduces and shows you how to confi
229. es for the total combined size of all the capture files on the NXC including any existing capture files and any new capture files you generate The NXC stops the capture and generates the capture file when either the file reaches this size or the time period specified using the duration command above expires Note If you have existing capture files you may need to set this size larger or delete existing capture files host ip ip address any profile name Sets a host IP address or a host IP address object for which to capture packets any means to capture packets for all hosts host port 0 65535 If you set the IP Type to any tcp or udp using the ip type command below you can specify the port number of traffic to capture iface add del interface name virtual interface name Adds or deletes an interface or a virtual interface for which to capture packets to the capture interfaces list ip version any ip ip6 Sets the version of the Internet Protocol IP by which traffic is routed across the networks and Internet any means to capture packets for traffic sent by either IP version proto type icmp igmp igrp pim ah esp vrrp udp tcp any Sets the protocol of traffic for which to capture packets any means to capture packets for all types of traffic NXC CLI Reference Guide Chapter 41 Maintenance Tools Table 153 Maintenance Tools Comma
230. eseller phonenumber vat vat number COMMAND DESCRIPTION device register checkuser user nam Checks if the user name exists in the myZyXEL com database device register username user name password Registers the device with an existing account or creates a new account and registers the device at one time country code see Table 11 on page 44 vat number your seller s Value Added Tax number if you bought your NXC from Europe service register checkexpire Gets information of all service subscriptions from myZyXEL com and updates the status table service register standard license key key value service type Activates a standard service subscription with the license key service register service type trial service Activates the content filter or IDP trial service alllavlidp subscription service register service type trial service all Activates all of the trial service subscriptions kav zav including Kaspersky or ZyXEL anti virus service register trial service av kav zav service type Activates a Kaspersky or ZyXEL anti virus trial service subscription service register kav zav service type trial av engine Changes from one anti virus engine to the other show device register status Displays whether the device is registered and account information show service register status all idp av maps Displays service license information
231. et to automatically add new APs to the AP management list then any kicked APs are added back to the management list as soon as they reconnect capwap ap reboot ap mac Forces the specified AP ap mac to restart Doing this severs the connections of all associated stations capwap ap ap mac Enters the sub command mode for the specified AP slot name ap profile profile name Sets the radio slot_name to AP mode and assigns a created profile to the radio no slot name ap profile Removes the AP mode profile assignment for the specified radio s20t name NXC CLI Reference Guide Chapter 8 AP Management Table 29 Command Summary AP Management continued COMMAND DESCRIPTION slot name monitor profile profile name Sets the specified radio s1ot_name to monitor mode and assigns a created profile to the radio Monitor mode APs act as wireless monitors which can detect rogue APs and help you in building a list of friendly ones See also Section 9 2 on page 77 no slot name monitor profile Removes the monitor mode profile assignment for the specified radio s20t name description ap description Sets the description for the specified AP no force vlan Sets whether or not the NXC changes the AP s management VLAN to match the one you configure using the v1an sub command The management VLAN on the NXC and AP must match for the NXC to manage the AP This takes pri
232. ettings Lists the current logo background banner and floor line below the banner settings show page customization Lists whether the NXC is set to use custom login and access pages or the default ones 33 3 Host Name Commands The following table describes the commands available for the hostname and domain name You must use the configure terminal command to enter the configuration mode before you can use these commands Table 120 Command Summary Host Name COMMAND DESCRIPTION no domainname domain name Sets the domain name The no command removes the domain name domain name This name can be up to 254 alphanumeric characters long Spaces are not allowed but dashes and underscores are accepted no hostname hostname Sets a descriptive name to identify your NXC The no command removes the host name show fqdn 33 4 Time and Date Displays the fully qualified domain name For effective scheduling and logging the NXC system time must be accurate The NXC s Real Time Chip RTC keeps track of the time and date There is also a software mechanism to set the time manually or get the current time and date from an external server NXC CLI Reference Guide Chapter 33 System 33 4 1 Date Time Commands The following table describes the commands available for date and time setup You must use the configure terminal command to enter the configuration
233. ever, some commands allow you to input a "?", for example, as part of a string. Press CTRL+V on your keyboard to enter a "?" without the NXC treating it as a help query.

1.6.5 Command History
The NXC keeps a list of commands you have entered for the current CLI session. You can use any commands in the history again by pressing the up or down arrow key to scroll through the previously used commands and press ENTER.

1.6.6 Navigation
Press CTRL+A to move the cursor to the beginning of the line. Press CTRL+E to move the cursor to the end of the line.

1.6.7 Erase Current Command
Press CTRL+U to erase whatever you have currently typed at the prompt (before pressing ENTER).

1.6.8 The no Commands
When entering the no commands described in this document, you may not need to type the whole command. For example, with the "no mss <536..1452>" command, you use "mss 536" to specify the MSS value. But to disable the MSS setting, you only need to type "no mss" instead of "no mss 536".

NXC CLI Reference Guide, Chapter 1 Command Line Interface

1.7 Input Values
You can use the "?" or TAB to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen. For example, in the following example, the next input value is a string called <description>.

Router c
234. ext within the signature name in quotes for example idp search LAN IDP name WORM sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text worm within the signature name show idp search system protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask Service service mask activate any yes no log any no log log alert action action mask Searches for signature s in a system protect profile by the parameters specified The quoted string is any text within the signature name in quotes for example idp search LAN IDP name WORM sid O severity 0 platform O policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text worm within the signature name NXC CLI Reference Guide Chapter 22 IDP Commands 22 3 6 1 Search Parameter Tables The following table displays the command line severity platform and policy type equivalent values If you want to combine platforms in a search then add their respective numbers together For example to search for signatures for Windows NT Windows XP and Windows 2000 computers then type 12 as the platform parameter Table 87 Severity Platform and Policy Type Command Values SEVERITY PLATFORM POLICY TYPE 1 VeryLow 1 Al
235. f instructed to do so by a support technician no anti virus skip unknown file type activate Sets whether or not anti virus checks files for which the NXC cannot identify a type show anti virus skip unknown file type activation Displays whether or not anti virus checks files for which the NXC cannot identify a type 21 2 1 1 Activate Deactivate Anti Virus Example This example shows how to activate and deactivate anti virus on the NXC anti virus activation anti virus activation Router config Router configure terminal Router config anti virus activate Router config show anti virus activation yes Router config no anti virus activate Router config show anti virus activation no 21 2 2 Zone to Zone Anti virus Rules The following table describes the commands for configuring the zone to zone rules You must use the configure terminal command to enter the configuration mode before you can use these commands Table 73 Commands for Zone to Zone Anti Virus Rules COMMAND DESCRIPTION anti virus rule append Enters the anti virus sub command mode to add a direction specific rule anti virus rule insert lt 1 64 gt Enters the anti virus sub command mode to add a direction specific rule NXC CLI Reference Guide Chapter 21 Anti Virus Table 73 Commands for Zone to Zone Anti Virus Rules continued COMMAND DESCRIPTION anti vir
236. fic

enc agent periodic inform activate
    Allows the NXC to periodically send Inform messages to the ENC or ACS server.

NXC CLI Reference Guide, Chapter 31 ENC
Table 116 Command Summary: ENC Agent (continued)

enc agent periodic inform interval <10..86400>
    Sets how often (in seconds) the NXC sends Inform messages to initiate connections to the ENC or ACS server.
enc agent authentication enable
    Sets the NXC to authenticate the ENC or ACS server's certificate when you are using HTTPS. In order to do this, you need to import the ENC or ACS server's public key (certificate) into the NXC's trusted certificates.
enc agent server certificate certificate name
    Specifies the certificate of the ENC or ACS server.
    certificate name: The name of the certificate. You can use up to 31 alphanumeric and & _ characters.
enc agent acs username username
    Specifies the user name used to authenticate the ACS server when the server makes a connection request.
    username: You may use up to 254 alphanumeric characters, underscores or dashes. This value is case-sensitive.
enc agent acs password password
    Specifies the password used to authenticate the ACS server when the server makes a connection request.
    password: You may use up to 254 alphanumeric characters, underscores or dashes. This value is case-sensitive.
237. ficates Commands Input Values The following table explains the values you can input with the certificate commands Table 117 Certificates Commands Input Values LABEL DESCRIPTION certificate_name The name of a certificate You can use up to 31 alphanumeric and amp _ characters cn_address A common name IP address identifies the certificate s owner Type the IP address in dotted decimal notation cn domain name A common name domain name identifies the certificate s owner The domain name is for identification purposes only and can be any string The domain name can be up to 255 characters You can use alphanumeric characters the hyphen and periods cn email A common name e mail address identifies the certificate s owner The e mail address is for identification purposes only and can be any string The e mail address can be up to 63 characters You can use alphanumeric characters the hyphen the symbol periods and the underscore NXC CLI Reference Guide Chapter 32 Certificates Table 117 Certificates Commands Input Values continued LABEL DESCRIPTION organizational unit Identify the organizational unit or department to which the certificate owner belongs You can use up to 31 characters You can use alphanumeric characters the hyphen and the underscore organization Identify the company or group to which the certificate owner belongs You can
238. file decompression to have the NXC attempt to decompress zipped files for further scanning. You can also have it destroy the zipped files it cannot decompress due to encryption or system resource limitations.

show all
    Displays the details of the anti-virus rule you are configuring or all the rules.
anti virus rule move <1..64> to <1..64>
    Moves a specific anti-virus rule to the number that you specified.
anti virus rule delete <1..64>
    Removes a specific anti-virus rule.
anti virus rule flush
    Removes all anti-virus rules.

NXC CLI Reference Guide, Chapter 21 Anti Virus

21.2.2.1 Zone to Zone Anti-virus Rule Example
This example shows how to configure and display a WAN to LAN anti-virus rule to scan HTTP traffic and destroy infected files. The white and black lists are ignored and zipped files are decompressed. Any zipped files that cannot be decompressed are not destroyed.

Router config anti virus rule 1
Router config av rule 1
Router config av rule 1 activate from zone WAN
Router config av rul
Router config av rule 1
Router config av rule 1
Router config av rule 1
Router config av rule 1
Router config av rule 1
Router config av rule 1 destroy
Router config av rule 1
Anti Virus Rule 1
active yes
log log
from zone WAN
to zone LAN
scan protocols
http yes
ftp yes
smtp Yes
pop3 yes
imap4 yes
infected
239. for SSH service

rule number access group ALL address object zone ALL zone object action accept deny
    address object: The name of the IP address group object. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.
    zone object: The name of the zone. Use up to 31 characters (a-zA-Z0-9). The name cannot start with a number. This value is case-sensitive. You can also use pre-defined zone names like LAN and WLAN.
ip ssh server rule move rule number to rule number
    Changes the index number of a SSH service control rule.
no ip ssh server v1
    Enables remote management using SSH v1. The no command stops the NXC from using SSH v1.
no ip ssh server rule rule number
    Deletes a service control rule for SSH service.
show ip ssh server status
    Displays SSH settings.

34.4.4 SSH Command Examples
This command sets a service control rule that allows the computers with the IP addresses matching the specified address object to access the specified zone using SSH service.

Router configure terminal
Router config ip ssh server rule 2 access group Marketing zone LAN action accept

This command sets a certificate (Default) to be used to identify the NXC.

Router configure terminal
Router config ip ssh server cert Default

34.5 Telnet
You can configure your NXC for remote Telnet access
240. gn to the remote users The no command removes the setting no second wins server ip Specifies the second WINS server IP address to assign to the remote users The no command removes the setting no rfac lease lt 0 365 gt 0 23 lt 0 59 gt infinite interfac int gt nam Sets the lease time to the specified number of days hours and minutes or makes the lease time infinite The no command resets the first DNS server setting to its default value Enters sub command mode no ip dhcp pool profile_name Binds the specified interface to the specified DHCP pool You have to remove any DHCP relays first The no command removes the binding no ip helper address ip Creates the specified DHCP relay You have to remove the DHCP pool first if the DHCP pool is bound to the specified interface The no command removes the specified DHCP relay release dhcp interface name Releases the TCP IP configuration of the specified interface The interface must be a DHCP client This command is available in privilege mode not configuration mode renew dhcp interface name Renews the TCP IP configuration of the specified interface The interface must be a DHCP client This command is available in privilege mode not configuration mode show ip dhcp binding ip clear ip dhcp binding ip Displays information about DHCP bindings for the specified IP
241. gt interface You only need to specify an interface with you create an object based on an interface no address object object name Deletes the specified address address object list Displays all address objects on the NXC address object rename object name object name Renames the specified address first object name to the second object name NXC CLI Reference Guide Chapter 25 Addresses 25 2 1 1 Address Object Command Examples The following example creates three address objects and then deletes one Router configure terminal Router config Router config address object AO 10 1 1 1 Router config address object Al 10 1 1 1 10 1 1 20 Router config address object A2 10 1 1 0 24 Router config show address object Object name Type Address Note Ref LAN SUBNET INTERFACE SUBNET 192 168 1 0 24 vlan0 0 AO HOST LO et LT 0 Al RANGE LOG TAILS adel 20 0 A2 SUBNET 10 1 1 0 24 0 Router config no address object A2 Router config show address object Object name Type Address Note Ref LAN SUBNET INTERFACE SUBNET 192 168 1 0 24 vlan0 0 AO HOST TO TL L l 0 A1 RANGE l0O T T121 10 1 1 20 0 25 2 2 Address Group Commands This table lists the commands for address groups Table 104 object group Commands Address Groups COMMAND DESCRIPTION show object group address group name Disp
242. gure the anti-virus scanner

21.1 Anti-Virus Overview
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself. The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected, to wiping out the entire contents of a hard drive, to rendering your computer inoperable.

21.2 Anti-virus Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 71 Input Values for General Anti-Virus Commands

zone_object
    The name of the zone. Use up to 31 characters (a-zA-Z0-9_). The name cannot start with a number. This value is case-sensitive.
av file pattern
    Use up to 80 characters to specify a file pattern. Alphanumeric characters, underscores, dashes, question marks and asterisks are allowed. A question mark (?) lets a single character in the file name vary. For example, use "a?.zip" (without the quotation marks) to specify aa.zip, ab.zip and so on. Wildcards (*) let multiple files match the pattern. For example, use "*a.zip" (without the quotation marks) to specify any file that ends with "a.zip". A file named "testa.zip" would match. There could be any number of any type of characters in front of the "a.zip" at the end an
243. h a configuration file
- Back up NXC configuration once the NXC is set up to work in your network.
- Restore NXC configuration.
- Save and edit a configuration file and upload it to multiple NXCs in your network to have the same settings.

You may also edit a configuration file using a text editor.

1.2 Accessing the CLI
You can access the CLI using a terminal emulation program on a computer connected to the console port, from the web configurator, or access the NXC using Telnet or SSH (Secure SHell).

NXC CLI Reference Guide, Chapter 1 Command Line Interface

The NXC might force you to log out of your session if reauthentication time, lease time or idle timeout is reached. See Chapter 24 on page 169 for more information about these settings.

1.2.1 Console Port
The default settings for the console port are as follows.

Table 1 Managing the NXC: Console Port
SETTING        VALUE
Speed          115200 bps
Data Bits      8
Parity         None
Stop Bit       1
Flow Control   Off

When you turn on your NXC, it performs several internal tests as well as line initialization. You can view the initialization information using the console port.
- Garbled text displays if your terminal emulation program's speed is set lower than the NXC's.
- No text displays if the speed is set higher than the NXC's.
- If changing your terminal emulation program's speed does not get anything to display, restart the NXC.
244. he WAN and the DMZ zones are allowed.

Figure 13 Default Firewall Action

Your customized rules take precedence and override the NXC's default settings. The NXC checks the schedule, user name (user's login name on the NXC), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the NXC takes the action specified in the rule.

For example, if you want to allow a specific user from any computer to access one zone by logging in to the NXC, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the NXC and will be disabled after the user logs out of the NXC.

19.2 Firewall Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 56 Input Values for General Firewall Commands

LABEL            DESCRIPTION
address object   The name of the IP address group object. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.
user name        The name of a user group. You may use 1-31 alphanumeric characters
245. he description of the profile You may use up to 60 alphanumeric characters underscores or dashes This value is case sensitive NXC CLI Reference Guide Chapter 9 Wireless LAN Profiles The following table describes the commands available for security profile management You must use the configure terminal command to enter the configuration mode before you can use these commands Table 37 Command Summary MAC Filter Profile COMMAND DESCRIPTION show wlan macfilter profile all macfilter_profile_name Displays the security profile s a11 Displays all profiles for the selected operating mode macfilter_profile_name Displays the specified profile for the selected operating mode wlan macfilter profil macfilter profile _ namel macfilter profile name2 renarm Gives an existing security profile macfilter profile_namel a new name macfilter profile name2 no wlan macfilter profile macfilter profile name Enters configuration mode for the specified MAC filter profile Use the no parameter to remove the specified profile filter action allow deny Permits the wireless client with the MAC addresses in this profile to connect to the network through the associated SSID select deny to block the wireless clients with the specified MAC addresses The default is set to deny no MAC description description2 Sets the description of this profile Enter u
246. he name for the dynamic guest user phone phone number Sets the telephone number for the dynamic guest user others description Sets the additional information for the dynamic guest user dynamic guest generate 2 32 Creates multiple dynamic guest users at a time address address Sets the geographic address for the dynamic guest user company company Sets the company name for the dynamic guest user xpire time yyyy mm dd Sets the date when the dynamic guest user account becomes invalid group groupname Sets the name of the dynamic guest group with which the dynamic guest user is associated others description Sets the additional information for the dynamic guest user no dynamic guest message text not Sets the notes that display in the paper along with the account information you print out for dynamic guest users The no command removes the notes that you configure no dynamic guest usernam Deletes the specified guest manager user account no dynamic guest expired account deleted Sets the NXC to not remove the dynamic guest accounts when they expire show dynamic guest status Displays dynamic guest group settings show dynamic guest Displays information about the dynamic guests NXC CLI Reference Guide Chapter 14 Dynamic Guest 14 2 1 Dynamic Guest Examples This example creates a guest manager user accoun
247. hedule that the rule uses The no command removes the schedule settings from the rule no service service_nam Sets the service to which the rule applies The no command resets the service settings to the default any any means all services no sourceip address_object Sets the source IP address es The no command resets the source IP address es to the default any any means all IP addresses no sourceport tcpludp eq lt 1 65535 gt range lt 1 65535 gt lt 1 65535 gt Sets the source port for a firewall rule The no command removes the source port from the rule no to zone object EnterpriseWLAN Sets the zone to which the packets are sent The no command removes the zone to which the packets are sent and resets it to the default any any means all interfaces no user user name Sets a user aware firewall rule The rule is activated only when the specified user logs into the System The no command resets the user name to the default any any means all users NXC CLI Reference Guide Chapter 19 Firewall 19 2 2 Firewall Command Examples The following example shows you how to add a firewall rule to allow a MyService connection from the WLAN zone to the IP addresses Dest_1 in the LAN zone Enter configuration command mode Create an IP address object Create a service object Enter the firewall sub command mode to add a firewall rule
248. hese commands COMMAND DESCRIPTION no idp statistics collect Turn the collection of IDP statistics on or off idp statistics flush Clears the collected statistics show idp statistics summary Displays the collected statistics NXC CLI Reference Guide Chapter 22 IDP Commands Table 91 Commands for IDP Statistics continued COMMAND DESCRIPTION show idp statistics collect Displays whether the collection of IDP statistics is turned on or off show idp statistics ranking signature Query and sort the IDP statistics entries by signature name source destination name source IP address or destination IP address signature name lists the most commonly detected signatures source lists the source IP addresses from which the NXC has detected the most intrusion attempts destination lists the most common destination IP addresses for detected intrusion attempts 22 6 1 IDP Statistics Example This example shows how to collect and display IDP statistics It also shows how to sort the display by the most common signature name source IP address or destination IP address Router configure terminal Router config idp statistics collect Router config no idp statistics activate Router config idp statistics flush Router config show idp statistics collect status IDP collect statistics status yes Router config show idp statistics summary Scanned sess
249. ication Use the no parameter to deactivate server auth 1 2 ip address Sets the IPv4 address port number and shared secret of ipv4 address port 1 65535 secret the RADIUS server to be used for authentication secret no server auth 1 2 Clears the server authentication setting exit Exits configuration mode for this profile 9 4 1 Security Profile Example The following example creates a security profile with the name SECURITY01 Router config wlan security profile SECURITYO1 Router config curity profile mode wpa2 Router config Router config Router config Router config Router config Router config S S S Router config security S S S curity profile f wpa encrypt aes curity profile wpa psk 12345678 profile idle 3600 curity profile f reauth 1800 curity profile group key 1800 curity profile exit 9 5 MAC Filter Profile Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands Table 36 Input Values for General MAC Filter Profile Commands LABEL DESCRIPTION macfilter profile name The MAC filter profile name You may use 1 31 alphanumeric characters underscores or dashes but the first character cannot be a number This value is case sensitive description2 Sets t
250. ice 2013 06 11 14 21 28 notice 2013 06 11 14 21 18 2013 06 11 14 21 16 o your user documentation to rec This procedure requires the NXC s default system database file Download the firmware package from www zyxel com and unzip it The default system database file uses a db extension for example 1 01 XL 0 C0 db Do the following after you have obtained the default system database file 237 NXC CLI Reference Guide Chapter 35 File Manager 35 11 1 Using the atkz u Debug Command NXC5200 Only BS You only need to use the atkz u command if the default system database is damaged 1 Restart the NXC 2 When Press any key to enter debug mode within 3 seconds displays press a key to enter debug mode Figure 38 Enter Debug Mode BootModule Version U1 011 i 2007 03 30 12 22 57 DRAM Size 510 Mbytes DRAM POST Testing 522240K OK DRAM Test SUCCESS Kernel Version U2 4 27 kernel 2006 08 21 i 2006 08 21 19 54 00 ZLD Version U1 01 XL 0 2006 09 11 17 41 56 Press any key to enter debug mode within 3 seconds Enter Debug Mode gt E 3 Enteratkz u to start the recovery process Figure 39 atkz u Command for Restoring the Default System Database gt atkz u 4 Connect a computer to port 1 and FTP to 192 168 1 1 to upload the new file displays on the screen Connect your computer to the NXC s port 1 only port 1 can be used Figure 40 Use FTP with Port 1 and IP
251. icy lt 1 1024 gt Creates the specified condition for forcing user authentication if necessary and enters sub command mode The NXC checks the conditions in sequence starting at 1 See Table 53 on page 115 for the sub commands web auth policy append Creates a new condition for forcing user authentication at the end of the current list and enters sub command mode See Table 53 on page 115 for the sub commands web auth policy delete lt 1 1024 gt Deletes the specified condition web auth policy flush Deletes all the conditions for forcing user authentication web auth policy insert lt 1 1024 gt Creates a new condition for forcing user authentication at the specified location renumbers the other conditions accordingly and enters sub command mode See Table 53 on page 115 for the sub commands web auth policy move 1 1024 to Moves the specified condition to the specified location and lt 1 1024 gt renumbers the other conditions accordingly show web auth activation Displays whether forcing user authentication is enabled or not show web auth authentication Displays the name of authentication method used for the captive portal page show web auth default rul Displays the default captive portal authentication settings the NXC uses on traffic not matching any exceptional service or other authentication policy show web auth exceptional service
252. idth usage and bandwidth usage statistics

7 2 14 Assured Forwarding (AF) PHB for DiffServ

Assured Forwarding (AF) behavior is defined in RFC 2597. The AF behavior group defines four AF classes. Inside each class, packets are given a high, medium or low drop precedence. The drop precedence determines the probability that routers in the network will drop packets when congestion occurs. If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets.

Table 25 Assured Forwarding (AF) Behavior Group

                         CLASS 1     CLASS 2     CLASS 3     CLASS 4
Low Drop Precedence      AF11 (10)   AF21 (18)   AF31 (26)   AF41 (34)
Medium Drop Precedence   AF12 (12)   AF22 (20)   AF32 (28)   AF42 (36)
High Drop Precedence     AF13 (14)   AF23 (22)   AF33 (30)   AF43 (38)

7.2.2 Policy Route Command Example

The following commands create two address objects (TW_SUBNET and GW_1) and insert a policy that routes the packets (with the source IP address TW_SUBNET and any destination IP address) through the interface ge1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets' source IP address.

TW_SUBNET 192.168.2.0 255.255.255.0 GW_1 192.168
253. ig wlan security default Router config wlan security default Router config wlan security default Router config wlan security default Router config wlan security default r type mac address xt mac address secureWwWLAN1l mac auth activate mac auth auth method Authl mac auth delimiter account colon mac auth case account upper exit 24 2 5 Additional User Commands This table lists additional commands for users Table 101 username groupname Commands Summary Additional COMMAND DESCRIPTION show users username all current Displays information about the users logged onto the system show lockout users Displays users who are currently locked out unlock lockout users ip console Unlocks the specified IP address users force logout ip username Logs out the specified logins NXC CLI Reference Guide Chapter 24 User Group 24 2 5 1 Additional User Command Examples The following commands display the users that are currently logged in to the NXC and forces the logout of all logins from a specific IP address Router configure terminal Router config show users all No Name Role Type MAC Service From Session Time Idle Time Lease Timeout Re Auth Timeout Acct Status Profile Name d admin admin admin console console 00 35 36 unlimited 00 30 00 unlimited N A 2 admin admin admin http htt
254. ignature system protect update weekly sun mon tue wed thu fri sat SUDAN NM Corinto asa quad qut axeda beads dose sm ee uade qued 160 idp signature anomaly rule append lt 1 64 gt insert lt 1 64 gt L9 99 147 idp signature anomaly rule delete lt 1 64 gt move lt 1 64 gt to lt 1 64 gt 147 lp anomaly newpro bese all none Xuddeezdcesdozuk ku ROAD AOE CEU sone Ee Odo d SORA AUS 149 ip customize signatures sedit guoted SCOPING facade eee he Wide ewe ACE SERRE REE CLA OES 156 tdp Customs signature QUO SEEING 14d de be eee eee EHI AS 156 d BOWS 4s Mee eda he EORR CAE Mw ark dea db doa Ja Baek ae Me ee he dade ead de a 146 idp rename signature anomaly profilel proflieZ 2c ce eides 999 tket Ron deed ea ead 146 idp search signature my profile name quoted string sid SID severity severity mask plat form platform mask policytype policytype mask service service mask activate any 288 NXC CLI Reference Guide List of Commands yes no log lany so dog log alert action action mask 2 24 154 idp search system protect my profile name quoted string sid SID severity severity mask platform platform mask policytype policytype mask service service mask activate any yes no log any no log log alert action action mask 154 idp signature neworo base all lan wat dne nonel e esas 148 A Stacistrics IIBER podari eX mat
255. ile name1 no wlan radio profile radio profile name Enters configuration mode for the specified radio profile Use the no parameter to remove the specified profile no activate Makes this profile active or inactive role wlan_role Sets the role of this profile rssi dbm lt 20 76 gt When using the RSSI threshold set a minimum client signal strength for connecting to the AP 20 dBm is the strongest signal you can require and 76 is the weakest no rssi thres Sets whether or not to use the Received Signal Strength Indication RSSI threshold to ensure wireless clients receive good throughput This allows only wireless clients with a strong signal to connect to the AP NXC CLI Reference Guide Chapter 9 Wireless LAN Profiles Table 31 Command Summary Radio Profile continued COMMAND DESCRIPTION band 2 4G 5G band mode Sets the radio band 2 4 GHz or 5 GHz and band mode lln bg a for this profile Band mode details For 2 4 GHz 11n lets IEEE 802 11b IEEE 802 11g and IEEE 802 11n clients associate with the AP For 2 4 GHz bg lets IEEE 802 11b and IEEE 802 11g clients associate with the AP For 5 GHz 11n lets IEEE 802 11a and IEEE 802 11n clients associate with the AP For 5 GHz a lets only IEEE 802 11a clients associate with the AP 2g channel wireless channel 2g Sets the broadcast band for this profile in the 2
256. iltered sweep open port details Shows ICMP scan detection settings for the specified IDP profile NXC CLI Reference Guide Chapter 22 IDP Commands Table 84 Editing Creating Anomaly Profiles continued COMMAND DESCRIPTION how idp anomaly profile flood detection all etails an Shows all flood detection settings for the specified IDP profile show idp anomaly profile flood detection tcp flood udp flood ip flood icmp flood details Shows flood detection settings for the specified IDP profile show idp anomaly profile http inspection all details Shows http inspection settings for the specified IDP profile show idp anomaly profile http inspection ascii encoding u encoding bare byte unicode encoding base36 encoding utf 8 encoding iis unicode codepoint encoding multi slash encoding iis backslash evasion self directory traversal directory traversal apache whitespace non rfc http delimiter non rfc defined char oversize request uri directory oversize chunk encoding webroot directory traversal details Shows http inspection settings for the specified IDP profile show idp anomaly profile tcp decoder all details Shows tcp decoder settings for the specified IDP profile show idp anomaly profile tcp decoder undersiz Shows tcp decoder settings for the specified len undersize offset
257. imes and days anti virus update hourly Enables automatic signature download every hour anti virus update daily lt 0 23 gt Enables automatic signature download every day at the time specified anti virus update weekly sun mon tue Enables automatic signature download once a week wed thu fri sat 0 23 at the time and day specified show anti virus update Displays signature update schedule show anti virus update status Displays signature update status show anti virus signatures status Displays details about the current signature set 142 NXC CLI Reference Guide Chapter 21 Anti Virus 21 3 1 Update Signature Examples These examples show how to enable disable automatic anti virus downloading schedule updates display the schedule display the update status show the new updated signature version number show the total number of signatures and show the date time the signatures were created Router configure terminal Router config anti virus update signatures ANTI VIRUS signature update in progress Please check system log for future information Router config anti virus update auto Router config no anti virus update auto Router config anti virus update hourly Router config anti virus update daily 10 anti virus update weekly fri 13 show anti virus update Router config Router config auto yes schedule weekly at Friday 13 o clock Router config show anti virus upd
258. in 1 255 alphanumeric or first character alphanumeric or email 1 63 alphanumeric or Q8 NXC CLI Reference Guide Chapter 1 Command Line Interface Table 4 Input Value Formats for Strings in CLI Commands continued TAG VALUES LEGAL VALUES e mail 1 64 alphanumeric or _ encryption key 16 64 Ox or OX 16 64 hexadecimal values 8 32 alphanumeric or amp _4 lt gt file name 0 31 alphanumeric or filter extension 1 256 alphanumeric spaces or _ fqdn Used in ip dns server L 253 alphanumeric or first character alphanumeric or Used in ip tim interface ping check devic and server HA certificates 1 255 alphanumeric or first character alphanumeric or full file name 0 256 alphanumeric or _ hostname Used in hostname command 1 64 alphanumeric or first character alphanumeric or Used in other commands 1 253 alphanumeric or first character alphanumeric or import configuration file 26 cont lOs _ at the end alphanumeric or conf import shell script 26 zysh alphanumeric or 3 amp _t zysh at the end chars initial string 1 64 alphanumeric spaces or S_ amp key length E 512 768
259. ine FTP File Download 1 Connect to the NXC 2 Enter bin to set the transfer mode to binary 3 Use cd to change to the directory that contains the files you want to download 4 Use dir or Is if you need to display a list of the files in the directory 5 Use get to download files For example get vlan setup zysh vlan zysh transfers the vlan setup zysh configuration file on the NXC to your computer and renames it vlan zysh NXC CLI Reference Guide Chapter 35 File Manager 35 6 4 Command Line FTP Configuration File Download Example The following example gets a configuration file named today conf from the NXC and saves it on the computer as current conf Figure 19 FTP Configuration File Download Example C gt ftp 192 168 1 1 Connected to 192 168 1 1 220 FTP Server 192 168 1 1 User 192 168 1 1 none admin 331 Password required for admin Password 230 User admin logged in ftp bin 200 Type set to I ftp cd conf 250 CWD command successful ftp get today conf current conf 200 PORT command successful 150 Opening BINARY mode data connection for conf today conf 20220 bytes 226 Transfer complete ftp 20220 bytes received in 0 03Seconds 652 26Kbytes sec 35 7 NXC File Usage at Startup The NXC uses the following files at system startup Figure 20 NXC File Usage at Startup 1 Boot Module 2 Recovery Image Y 3 Firmware
260. ing to the interval you specify in device ha ap mod backup sync interval The first synchronization begins after the specified interval not immediately no device ha interval 5 1440 ap mode backup sync When you use automatic synchronization this sets how often in minutes the NXC synchronizes with the master no device ha from master address ap mode backup sync port lt 1 65535 gt Sets the address of the master NXC with which this backup NXC is to synchronize master_address The master NXC s IP address or fully qualified domain name FQDN port The master NXC s FTP port number device ha ap mode backup sync now show device ha ap mode interfaces Synchronize now Displays the device HA AP mode interface settings and status show device ha ap mode status Displays the NXC s key device HA settings NXC CLI Reference Guide Chapter 23 Device HA Table 94 device ha ap mode Commands continued COMMAND DESCRIPTION show device ha ap mode master sync Displays the master NXC s synchronization settings show device ha ap mode backup sync Displays the backup NXC s synchronization settings show device ha ap mode backup sync status Displays the backup NXC s current synchronization status show device ha ap mode backup sync summary Displays the backup NXC s synchronization settings show device ha ap m
261. interface Configure complex parts such as an interface in the NXC How you enter it Log in to the NXC Type enable in User mode Type configure terminal in User or Privilege mode Type the command used to create the specific part in Configuration mode What the prompt Router Router Router config varies by part looks like Router zone Router config if ge How you exit it Type exit Type disable Type exit Type exit See Chapter 24 on page 169 for more information about the user types User users can only log in look at but not run the available commands in User mode and log out Limited Admin users can look at the configuration in the web configurator and CLI and they can run basic diagnostics in the CLI Admin users can configure the NXC in the web configurator or CLI At the time of writing there is not much difference between User and Privilege mode for admin users This is reserved for future use 1 6 Shortcuts and Help 1 6 1 List of Available Commands A list of valid commands can be found by typing or TAB at the command prompt To view a list of available commands within a command group enter command or command TAB NXC CLI Reference Guide Chapter 1 Command Line Interface Figure 5 Help Available Commands Example 1 Router cr apply atse clear configure Snip shutdown telnet test
262. interval Sets the log consolidation interval for the debug lt 10 600 gt log The no command sets the interval to ten clear logging debug buffer Clears the debug log NXC CLI Reference Guide Chapter 36 Logs This table lists the commands for the remote syslog server settings Table 141 logging Commands Remote Syslog Server Settings COMMAND DESCRIPTION show logging status syslog Displays the current settings for the remote servers no logging syslog lt 1 4 gt Enables the specified remote server The no command disables the specified remote server no logging syslog 1 4 address ip Sets the URL or IP address of the specified remote hostname server The no command clears this field hostname You may up to 63 alphanumeric characters dashes or periods but the first character cannot be a period no level normal logging syslog lt 1 4 gt category disable level all no logging syslog lt 1 4 gt facility local 1 local_2 local_3 local_4 local_5 local_6 local_7 Specifies what kind of information if any is logged for the specified category Sets the log facility for the specified remote server The no command sets the facility to local_1 no logging syslog lt 1 4 gt format cef vrpt Sets the format of the log information cef Common Event Format syslog compatible format vrpt ZyXEL s Vantage
263. ion 268 packet dropped 0 packet reset 0
Router config show idp statistics ranking signature name
ranking 1 Signature id 8003796 signature name ICMP L3retriever Ping type Scan severity verylow occurence 22
ranking 2 Signature id 8003992 signature name ICMP Large ICMP Packet type DDOS severity verylow occurence 4
Router config show idp statistics ranking destination
ranking 1 destination ip 172.23.5.19 occurence 22
ranking 2 destination ip 172.23.5.1 occurence 4
Router config show idp statistics ranking source
ranking 1 Source ip 192.168.1.34 occurence 26

Device HA

Device HA lets a backup NXC automatically take over if the master NXC fails.

Figure 14 Device HA Backup Taking Over for the Master

In this example, device B is the backup for device A in the event something happens to it and prevents it from managing the wireless network.

23.1 Device HA Overview

Management Access

You can configure a separate management IP address for each interface. You can use it to access the NXC for management whether the NXC is the master or a backup. The management IP address should be in the same subnet as the interface IP address.

Synchronization

Use synchronization to have a backup NXC copy the master NXC's configuration, signatures (anti-virus, IDP, application patrol and system protect), and certificates.

Only NXCs of the sam
264. ion user name 1 alphanumeric or logging commands user domainname 80 alphanumeric or Q8 vrrp group name less 45 alphanumeric or _ than 15 chars week day sequence 1 4 i e 1 first 2 second xauth method Si alphanumeric or _ xauth password 1 31 alphanumeric or G4 amp N mac address 0 12 even hexadecimal number for example XX XX XX XX XX XX

1.8 Saving Configuration Changes

Use the write command to save the current configuration to the NXC.

Always save the changes before you log out after each management session. All unsaved changes will be lost after the system restarts.

1.9 Logging Out

Enter the exit or end command in configure mode to go to privilege mode. Enter the exit command in user mode or privilege mode to log out of the CLI.

User and Privilege Modes

This chapter describes how to use these two modes.

2.1 User And Privilege Modes

This is the mode you are in when you first log into the CLI. (Do not confuse 'user mode' with types of user accounts the NXC uses. See Chapter 24 on page 169 for more information about the user types. 'User' type accounts can only run 'exit' in this mode. However, they may need to log into the device in order to be authenticated for 'user-aware' policies, for example a firewall rule that a particular user is exempt from
265. irewall firewall append Enters the firewall sub command mode to add a global firewall rule to the end of the global rule list firewall default rule action allow deny Sets how the firewall handles packets that do reject no log log alert not match any other firewall rule firewall delete rule number Removes a firewall rule firewall flush Removes all firewall rules firewall insert rule number Enters the firewall sub command mode to add a firewall rule before the specified rule number firewall move rule number to rule number Moves a firewall rule to the number that you specified 0 how connlimit max per host Displays the highest number of sessions that the NXC will permit a host to have at one time how firewall 0 Displays all firewall settings how firewall rule number 0 Displays a firewall rule s settings 0 how firewall zone object zone object EnterpriseWLAN Displays all firewall rules settings for the specified packet direction 0 how firewall zone object zone object EnterpriseWLAN rule number Displays a specified firewall rule s settings for the specified packet direction show firewall status Displays whether the firewall is active or not NXC CLI Reference Guide Chapter 19 Firewall 19 2 1 Firewall Sub Commands The following table describes the sub commands for several firewall commands Tabl
266. is command to have the NXC automatically disable this policy route when the next hop s connection is down The no command disables the setting Sets the maximum bandwidth and priority for the policy The no command removes bandwidth settings from the rule You can also turn maximize bandwidth usage on or off no deactivate Disables the specified policy The no command enables the specified policy no description description Sets a descriptive name for the policy The no command removes the name for the policy no destination faddress_objectlany Sets the destination IP address the matched packets must have The no command resets the destination IP address to the default any any means all IP addresses no dscp any lt 0 63 gt Sets a custom DSCP code point 0 63 This is the DSCP value of incoming packets to which this policy route applies any means all DSCP value or no DSCP marker no dscp class default dscp class Sets a DSCP class Use default to apply this policy route to incoming packets that are marked with DSCP value 0 Use one of the pre defined AF classes including af11 af13 af21 af23 af31 af83 and af41 af43 to apply this policy route to incoming packets that are marked with the DSCP AF class The af entries stand for Assured Forwarding The number following the af identifies one of four classes and one of three drop preferences dscp marking 0 63 Se
267. isplays the total number of custom signatures NXC CLI Reference Guide Chapter 22 IDP Commands 22 4 1 Custom Signature Examples These examples show how to create a custom signature edit one display details of one all and show the total number of custom signatures Router configure terminal Router config idp customize signature msg test sid 9000000 sid 9000000 message test policy type severity platform all no Win95 98 WinNT no WinXP 2000 Linux no FreeBSD Solaris SGI no other Unix no network device service outbreak no no no no no no alert tcp any any lt gt any any This example shows you how to edit a custom signature msg sid test edit V 9000000 messag test policy type severity platform all no Win95 98 WinNT no WinXP 2000 Linux no FreeBSD Solaris SGI no other Unix no network device service outbreak sid 9000000 dit no no no no no no Router config idp customize signature edit alert tcp any any lt gt any any y NXC CLI Reference Guide Chapter 22 IDP Commands This example shows you how to display custom signature details Router config show idp signatures custom signature 9000000 details sid 9000000 message test edit policy type severity platform all no Win95 98 no WinNT no WinXP 2000 no Linux no FreeBSD
268. itish 229 Virgin Islands USA 230 Wallis And Futuna Islands 231 Western Sahara 232 Western Samoa 233 Yemen 234 Yugoslavia 235 Zambia 236 Zimbabwe

Interfaces

This chapter shows you how to use interface-related commands.

6.1 Interface Overview

In general, an interface has the following characteristics:

- An interface is a logical entity through which (layer-3) packets pass.
- An interface is bound to a physical port or another interface.
- Many interfaces can share the same physical port.
- An interface is bound to one zone at most.
- Many interfaces can belong to the same zone.
- Layer-3 virtualization (IP alias, for example) is a kind of interface.

Some characteristics do not apply to some types of interfaces.

6.1.1 Types of Interfaces

You can create several types of interfaces in the NXC.

- Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces.
- VLAN interfaces receive and send tagged frames. The NXC automatically adds or removes the tags as needed.

6.2 Interface General Commands Summary

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 12 Input Values for General Interface Commands

LABEL            DESCRIPTION
interface name   The name of
269. itor file size 1000 Router config show frame capture status Router config show frame capture config capture source 192 168 1 2 NXC CLI Reference Guide Dynamic Channel Selection This chapter shows you how to configure and use dynamic channel selection on the NXC 12 1 DCS Overview Dynamic Channel Selection DCS is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by passively listening to the area around it and determining what channels are currently being broadcast on by other devices When numerous APs broadcast within a given area they introduce the possibility of heightened radio interference especially if some or all of them are broadcasting on the same radio channel This can make accessing the network potentially rather difficult for the stations connected to them If the interference becomes too great then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using or at least a channel that has a lower level of interference in order to give the connected stations a minimum degree of channel interference 12 2 DCS Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands Table 44 Input Values for DCS Commands LABEL DESCRIPTION interval Enters the dynamic channel selection interval time
270. l 1 DoS 2 Low 2 Win95 98 2 Buffer Overflow 3 Medium 4 WinNT 3 Access Control 4 High 8 WinXP 2000 4 Scan 5 Severe 16 Linux 5 Backdoor Trojan 32 FreeBSD 6 Others 64 Solaris 7 P2P 128 SGI 8 IM 256 Other Unix 9 Virus Worm 512 Network Device 10 Porn 11 Web Attack 12 Spam The following table displays the command line service and action equivalent values If you want to combine services in a search then add their respective numbers together For example to search for signatures for DNS Finger and FTP services then type 7 as the service parameter Table 88 Service and Action Command Values SERVICE SERVICE ACTION 1 DNS 65536 SMTP 1 None 2 FINGER 131072 SNMP 2 Drop 4 FTP 262144 SQL 4 Reject sender 8 MYSQL 524288 TELNET 8 Reject receiver 16 ICMP 1048576 TFTP 16 Reject both 32 IM 2097152 n a 64 IMAP 4194304 WEB_ATTACKS 128 MISC 8388608 WEB_CGI 256 NETBIOS 16777216 WEB_FRONTPAGE 512 NNTP 33554432 WEB IS 1024 ORACLE 67108864 WEB MISC 2048 P2P 134217728 WEB PHP 4096 POP2 268435456 MISC BACKDOOR 8192 POP3 536870912 MISC_DDOS 16384 RPC 1073741824 MISC_EXPLOIT 32768 RSERVICES 22 3 6 2 Signature Search Example This example command searches for all signatures in the LAN_IDP profile Containing the text worm within the signature name With an ID of 12345 Has a very low severi
271. lays information about the specified address group or about all address groups no object group address group name Creates the specified address group if necessary and enters sub command mode The no command deletes the specified address group no address object object nam Adds the specified address to the specified address group The no command removes the specified address from the specified group no object group group name Adds the specified address group second group name to the specified address group first group name The no command removes the specified address group from the specified address NXC CLI Reference Guide group Chapter 25 Addresses Table 104 object group Commands Address Groups continued COMMAND DESCRIPTION no description description Sets the description to the specified value The no command clears the description description You can use alphanumeric and _ characters and it can be up to 60 characters long object group address rename group name Renames the specified address group from the first group name group name to the second group name 25 2 2 1 Address Group Command Examples The following commands create three address objects AO A1 and A2 and add Al and A2 to address group RD Router configure terminal Router config address object AO 192 168 1 1 config address object A1 192
272. le to use these commands Table 156 app watchdog Commands COMMAND DESCRIPTION no app watch dog activate no app watch dog alert Turns the application watchdog timer on or off Has the NXC send an alert the user when the system is out of memory or disk space no app watch dog auto recover If app watch dog detects a dead process app watch dog will try to auto recover The no command turns off auto recover no app watch dog console print always once Display debug messages on the console every time they occur or once The no command changes the setting back to the default no app watch dog cpu threshold min lt 1 100 gt max 1 100 Sets the percentage thresholds for sending a CPU usage alert The NXC starts sending alerts when CPU usage exceeds the maximum the second threshold you enter The NXC stops sending alerts when the CPU usage drops back below the minimum threshold the first threshold you enter The no command changes the setting back to the default no app watch dog disk threshold min lt 1 100 gt max 1 100 Sets the percentage thresholds for sending a disk usage alert The NXC starts sending alerts when disk usage exceeds the maximum the second threshold you enter The NXC stops sending alerts when the disk usage drops back below the minimum threshold the first threshold you enter The no command changes the setting back to the default n
273. les mail logging on APs for the specified module name level alert all category no wtp logging system log category Enables system logging on the APs for the module name level normal all specified category no wtp logging system log category Disables system logging on the APs for the module name disable specified category no wtp logging system log suppression Enables log consolidation in the system log on the APs The no command disables log consolidation in the debug log no wtp logging system log suppression Sets the log consolidation interval for the system interval lt 10 600 gt log on the APs The no command sets the interval to ten no wtp logging debug suppression Enables debug logging suppression Use the no parameter to disable no wtp logging debug suppression interval Enables debug logging suppression during the 10 600 specified interval Use the no parameter to disable no wtp logging console Enables logging of console activity Use the no parameter to disable no wtp logging console category module name Enables logging of the specified category at the specified priority level NXC CLI Re ference Guide 247 Chapter 36 Logs NXC CLI Reference Guide Reports and Reboot This chapter provides information about the report associated commands and how to restart the NXC using commands It also covers the daily report e mail feature 37 1 Report Commands Summary The following section
274. lications continued COMMAND DESCRIPTION show app all defaultport Displays the default port settings for all applications show app all statistics Displays statistics for all applications show app general im p2p stream Displays protocols by category show app im support action Displays the supported actions of each Instant Messenger application show app protocol_name config Displays the basic configuration of this application show app protocol_name defaultport Displays the default ports of this application show app protocol_name statistics Display the statistics of this application show app protocol_name rule rule_number Displays the rule configuration of this application show app protocol_name rule rule_number Displays the rule statistics of this application statistics show app protocol_name rule default Displays the default rule configuration of this application show app protocol_name rule default statistics Displays the default rule statistics of this application show app protocol_name rule all Displays the configurations of all the rules for this application show app protocol_name rule all statistics Displays all the rule statistics for this application show app other config Displays the basic configuration for other applications show app other statistics Displays statistics for other applications show app
275. lid to 2016 06 06 15 52 52 GMT Router config no ca category local pkcsl2request Router config ca generate x509 name test x509 cn type ip cn 10 0 0 58 key NXC CLI Reference Guide System This chapter provides information on the commands that correspond to what you can configure in the system screens 33 1 System Overview Use these commands to configure general NXC information the system time and the console port connection speed for a terminal emulation program They also allow you to configure DNS settings and determine which services protocols can access which NXC zones if any from which computers 33 2 Customizing the WWW Login Page Use these commands to customize the Web Configurator login screen You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet The following figures identify the parts you can customize in the login and access pages Figure 15 Login Page Customization Logo My Device Note 1 Turn on Javascript and Cookie setting in your web browser 2 Turn off Popup Window Blocking in your web browser inne i e RE in your web browser This is the note you can configure Message Color color of all text Background Note Message last line of text NXC CLI Reference Guide 207 Chapter 33 System Figure 16 Access Page Customizatio
276. list table Displays all policy route settings policy move policy number to policy number Moves a routing policy to the number that you specified no policy override direct route activate Use this command to have the NXC forward policy number packets that match a policy route according to the policy route instead of sending the packets to a directly connected network Use the no command to disable it Displays all or specified policy route settings NXC CLI Reference Guide Chapter 7 Route Table 24 Command Summary Policy Route continued COMMAND DESCRIPTION show policy route begin policy_number end policy_number Displays the specified range of policy route settings show policy route override direct rout Displays whether or not the NXC forwards packets that match a policy route according to the policy route instead of sending the packets to a directly connected network o how policy route rule count Displays the number of policy routes that have been configured on the NXC o how policy route underlayer rules Displays all policy route rule details for advanced debugging show bwm activation Displays whether or not the global setting for bandwidth management on the NXC is enabled show bwm usage policy route policy number interface interface name Displays the specified policy route or interface s bandwidth allotment current bandw
277. llection is arguably an arduous and perplexing process The wireless frame capture feature in the NXC can help This chapter describes the wireless frame capture commands which allow a network administrator to capture wireless traffic information and download it to an Ethereal Tcpdump compatible format packet file for analysis 11 2 Wireless Frame Capture Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands Table 42 Input Values for Wireless Frame Capture Commands LABEL DESCRIPTION ip address The IP address of the Access Point AP that you want to monitor Enter a standard IPv4 IP address for example 192 168 1 2 mon dir size The total combined size in kbytes of all files to be captured The maximum you can set is 50 megabytes 52428800 bytes file name The file name prefix for each captured file The default prefix is monitor while the default file name is monitor dump You can use 1 31 alphanumeric characters underscores or dashes but the first character cannot be a number This string is case sensitive NXC CLI Reference Guide Chapter 11 Wireless Frame Capture The following table describes the commands available for wireless frame capture You must use the configure terminal command to enter the configuration mode before you can use these commands Table 43 Command Summary Wireless Fram
278. lter filter extension Sends traffic through the specified interface with the specified protocol source address destination address and or port number If you specify ile the NXC dumps the traffic to packet trace packet trace interface Use FTP to retrieve the files see Section 35 6 on page 228 If you do not assign the duration the NXC keeps dumping traffic until you use Ctrl C Use the extension filter to extend the use of this command protocol name You can use the name instead of the number for some IP protocols such as tcp udp icmp and so on The names consist of 1 16 alphanumeric characters underscores or dashes The first character cannot be a number hostname You can use up to 252 alphanumeric characters dashes or periods The first character cannot be a period filter extension You can use 1 256 alphanumeric characters spaces or _ characters traceroute ip hostname Displays the route taken by packets to the specified destination Use Ctrl C when you want to return to the prompt show arp table Displays the current Address Resolution Protocol table show arp reply restricted Displays whether the NXC is set to only respond to ARP requests in which both the source and destination IP addresses are in different subnets show packet capture status Displays whether a packet capture is ongoing show packet capture config
279. m When a device behind the NXC uses an application for which the NXC has VoIP pass through enabled the NXC translates the device s private IP address inside the data stream to a public IP address It also records session port numbers and allows the related sessions to go through the firewall so the application s traffic can come in from the WAN to the LAN The NXC only needs to use the ALG feature for traffic that goes through the NXC s NAT The firewall allows related sessions for VoIP applications that register with a server The firewall allows or blocks peer to peer VoIP traffic based on the firewall rules You do not need to use a TURN Traversal Using Relay NAT server for VoIP devices behind the NXC when you enable the SIP ALG NXC CLI Reference Guide Chapter 16 ALG 16 2 ALG Commands The following table lists the alg commands You must use the configure terminal command to enter the configuration mode before you can use these commands Table 50 alg Commands COMMAND DESCRIPTION no alg sip inactivity timeout signal port lt 1025 65535 gt signal extra port lt 1025 65535 gt media timeout lt 1 86400 gt signal timeout lt 1 86400 gt transformation Turns on or configures the ALG Use inactivity timeout to have the NXC apply SIP media and signaling inactivity time out limits Use signal port with a listening port number 1025 to 65535 if you are using SIP on a port other than UDP 506
280. mand for searching for signatures You must use the configure terminal command to enter the configuration mode before you can use this command Table 75 Command for Anti virus Signature Search COMMAND DESCRIPTION anti virus search signature all Search for signatures by their ID name severity or category category id id name name category severity severity from id to id all displays all signatures category select whether you want to see virus signatures or spyware signatures id type the ID or part of the ID of the signature you want to find name type the name or part of the name of the signature s you want to find This search is not case sensitive severity type the severity level of the signatures you want to find high medium or low 21 2 4 1 Signature Search Example This example shows how to search for anti virus signatures with MSN in the name Router config anti virus search signature name MSN signature 1 virus id 41212 virus name MSN category virus severity Low 21 3 Update Anti virus Signatures Use these commands to update new signatures You should have already registered for anti virus service Table 76 Update Signatures COMMAND DESCRIPTION anti virus update signatures Immediately downloads signatures from an update server no anti virus update auto Enables disables automatic signature downloads at regular t
281. mation BS See the User s Guide for background information about most features This section provides background information about features that you cannot configure in the web configurator In addition this section identifies related commands in other chapters 1 4 2 Command Input Values This section lists common input values for the commands for the feature in one or more tables NXC CLI Reference Guide EN Chapter 1 Command Line Interface 1 4 3 Command Summary This section lists the commands for the feature in one or more tables 1 4 4 Command Examples This section contains any examples for the commands in this feature 1 4 5 Command Syntax The following conventions are used in this guide A command or keyword in courier new must be entered literally as shown Do not abbreviate Values that you need to provide are in italics Required fields that have multiple choices are enclosed in curly brackets A range of numbers is enclosed in angle brackets lt gt Optional fields are enclosed in square brackets The symbol means OR For example look at the following command to create a TCP UDP service object service object object name tcp udp eq lt 1 65535 gt range lt 1 65535 gt lt 1 65535 gt 1 Enter service object exactly as it appears 2 Enter the name of the object where you see object name 3 Enter tcp or udp depending on the service object you want to crea
282. me and display the result Router show interface name No System Name User Defined Nam 1 gel gel 2 ge2 ge2 3 ge3 ge3 4 ge4 ge4 5 ge5 ge5 Router gt configure terminal Router config interface name ge4 VIP Router config show interface name No System Name User Defined Nam 1 gel gel 2 ge2 ge2 3 ge3 ge3 4 ge4 VIP 5 ge5 ge5 Router config This example shows how to restart an interface You can check all interface names on the NXC Then use either the system name or user defined name of an interface ge4 or Customer in this example to restart it Router show interface name No System Name User Defined Nam 1 gel gel 2 ge2 ge2 3 ge3 ge3 4 ge4 Customer 5 ge5 ge5 Router gt configure terminal Router config interface reset ge4 Router config interface reset Customer Router config NXC CLI Reference Guide Chapter 6 Interfaces 6 2 2 DHCP Setting Commands This table lists DHCP setting commands DHCP is based on DHCP pools Create a DHCP pool if you want to assign a static IP address to a MAC address or if you want to specify the starting IP address and pool size of a range of IP addresses that can be assigned to DHCP clients There are different commands for each configuration Afterwards in either case you have to bind the DHCP pool to the interface Table 14 interface Commands DHCP Settings COMMAND DESCRIPTION
283. meric characters the underscore and some punctuation marks amp ah md5 Use an encrypted MD5 password for authentication key Use up to eight characters including alphanumeric characters the underscore and some punctuation marks amp no device ha ap mode interface_nam ip ip subnet_mask manag Sets the management IP address for an interface no device ha ap mode interface_name activate no device ha authentication ap mode master sync password password Has device HA monitor the status of an interface s connection This is for a master NXC It specifies the password to require from synchronizing backup NXCs Every router in the virtual router must use the same password The no command sets the password setting to blank which means no backups can synchronize with this master password Use 4 63 alphanumeric characters underscores _ dashes and 3 characters no device ha authentication ap mode backup sync password password no device ha ap mode backup sync auto Sets the password the backup NXC uses when synchronizing with the master The no command sets the password setting to blank which means this backup NXC cannot synchronize with the master password Use 4 63 alphanumeric characters underscores _ dashes and 3 characters Turns on automatic synchronization accord
284. mmary continued COMMAND DESCRIPTION show running config Displays the settings of the configuration file that the system is using setenv startup stop on error off Has the NXC ignore any errors in the startup config conf file and apply all of the valid commands show setenv startup Displays whether or not the NXC is set to ignore any errors in the startup config conf file and apply all of the valid commands write Saves your configuration changes to the flash non volatile or long term memory The NXC immediately uses configuration changes made via commands but if you do not use the write command the changes will be lost when the NXC restarts 35 5 File Manager Command Example This example saves a back up of the current configuration before applying a shell script file Router config copy running config conf backup conf Router config run script vpn setup zysh 35 6 FTP File Transfer You can use FTP to transfer files to and from the NXC for advanced maintenance and support 35 6 1 Command Line FTP File Upload 1 Connect to the NXC 2 Enter bin to set the transfer mode to binary 3 You can upload the firmware after you log in through FTP To upload other files use cd to change to the corresponding directory 4 Use put to transfer files from the computer to the NXC For example In the conf directory use put config conf today conf to upload the config
285. mode before you can use these commands Table 121 Command Summary Date Time COMMAND DESCRIPTION clock date lt yyyy mm dd gt time lt hh mm ss gt Sets the new date in year month and day format manually and the new time in hour minute and second format no clock daylight saving Enables daylight saving The no command disables daylight saving no clock saving interval begin Configures the day and time when Daylight apr aug dec eb jan jul jun mar may nov oct se Saving Time starts and ends The no command p 1 213 4 last frilmon sat sun thu tue wed removes the day and time when Daylight Saving A nmemnd Time starts and ends apr augldec eb jan julljun mar may nov oct se offset a number from 1 to 5 5 by 0 5 increments p 1 2 3 4 last fril mon sat sun thu tue wed hh mm offset clock time hh mm ss Sets the new time in hour minute and second format no clock time zone hh Sets your time zone The no command removes time zone settings no ntp Saves your date and time and time zone settings and updates the data and time every 24 hours The no command stops updating the data and time every 24 hours no ntp server fgdn w x y z Sets the IP address or URL of your NTP time server The no command removes time server information ntp sync Gets the time and date from a NTP time server how clock date 0 Displays the current date of your NX
287. n Logo i Title Message Color color of all text Note Message last line of text Window Background You can specify colors in one of the following ways color rgb Enter red green and blue values in parenthesis and separate by commas For example use rgb 0 0 0 for black color name Enter the name of the desired color color number Enter a pound sign followed by the six digit hexadecimal number that represents the desired color For example use 000000 for black The following table describes the commands available for customizing the Web Configurator login screen and the page that displays after an access user logs into the Web Configurator to access network services like the Internet You must use the configure terminal command to enter the configuration mode before you can use these commands Table 119 Command Summary Customization COMMAND DESCRIPTION no access page color window background Sets whether or not the access page uses a colored background access page message color color rgb color name color number Sets the color of the message text on the access page no access pag message message text Sets a note to display below the access page s title Use up to 64 printable ASCII characters Spaces are allowed title title access pag Sets the title for the top of the access page Use up to 64 printable ASCII cha
288. n 255 chars quoted string less 1 63 alphanumeric spaces or amp _ than 63 chars quoted string O alphanumeric spaces or punctuation marks enclosed in double quotation marks must put a backslash 1 before double quotation marks that are part of input value itself realm 1 253 alphanumeric or first character alphanumeric or used in domain authentication service name 0 63 alphanumeric or Q spi 2 8 hexadecimal string less than 15 I I15 alphanumeric or chars string less than 63 1 63 alphanumeric or Q amp t NV 5 chars string 1 alphanumeric or _ subject 1 61 alphanumeric spaces or S_ system type 0 2 hexadecimal timezone hh 12 through 12 with or without url 1 511 alphanumeric or 2 4Q0 url http alphanumeric or amp _ amp https starts with http or https may contain one pound sign user name 1 31 alphanumeric or _ first character letters or NXC CLI Reference Guide Chapter 1 Command Line Interface Table 4 Input Value Formats for Strings in CLI Commands continued TAG VALUES LEGAL VALUES username 1 31 alphanumeric or first character alphanumeric or domain authorization username 6 20 alphanumeric or _ registrat
289. n Mariana Islands 160 Norway 161 Not Determined 162 Oman 163 Pakistan 164 Palau 165 Panama 166 Papua New Guinea 167 Paraguay 168 Peru 169 Philippines 170 Pitcairn Island NXC CLI Reference Guide Chapter 5 Registration Table 11 Country Codes continued COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME 171 Poland 172 Portugal 173 Puerto Rico 174 Qatar 175 Reunion Island 176 Romania 177 Russian Federation 178 Rwanda 179 Saint Kitts and Nevis 180 Saint Lucia 181 Saint Vincent and the Grenadines 182 San Marino 183 Sao Tome and Principe 184 Saudi Arabia 185 Senegal 186 Seychelles 187 Sierra Leone 188 Singapore 189 Slovak Republic 190 Slovenia 191 Solomon Islands 192 Somalia 193 South Africa 194 South Georgia and the South Sandwich Islands 185 Spain 196 Sri Lanka 197 St Pierre and Miquelon 198 St Helena 199 Suriname 200 Svalbard and Jan Mayen Islands 201 Swaziland 202 Sweden 203 Switzerland 204 Taiwan 205 Tajikistan 206 Tanzania 207 Thailand 208 Togo 209 Tokelau 210 Tonga 211 Trinidad and Tobago 212 Tunisia 213 Turkey 214 Turkmenistan 215 Turks and Caicos Islands 216 Tuvalu 217 US Minor Outlying Islands 218 Uganda 219 Ukraine 220 United Arab Emirates 221 United Kingdom 222 United States 223 Uruguay 224 Uzbekistan 225 Vanuatu 226 Venezuela 227 Vietnam 228 Virgin Islands Br
290. n also create certificates or certification requests Use the configure terminal command to enter the configuration mode to be able to use these commands Table 118 ca Commands Summary COMMAND DESCRIPTION ca enroll cmp name certificate name cn typ Enrolls a certificate with a CA using Certificate ip cn cn address fqdn cn cn domain name mail Management Protocol CMP The certification cn cn email ou organizational unit o authority may want you to include a reference number and key password to identify your organization c country usr def suis certification request certificate name key type rsa dsa key len key length num lt 0 99999999 gt password password ca ca name url url ca enroll scep name certificate name cn type Enrolls a certificate with a CA using Simple ip cn cn address fqdn cn cn domain name mail Certificate Enrollment Protocol SCEP The cn cn email ou organizational unit o certification authority may want you to include a organization c country usr def key password to identify your certification request certificate name key type rsa dsa key len key length password password ca ca name url url 204 NXC CLI Reference Guide Chapter 32 Certificates Table 118 ca Commands Summary continued COMMAND DESCRIPTION ca generate pkcs10 name certificate name cn type ip cn cn address fqdn cn cn domain name mail cn cn emailj organizational unit co
291. n be up to 61 characters long no destination Sets the destination criteria for the specified condition The no address object command removes the destination criteria making the condition effective for all destinations no force Forces users that match the specified condition to log into the NXC The no command means users matching the specified condition do not have to log into the NXC no schedule schedule nam Sets the time criteria for the specified condition The no command removes the time criteria making the condition effective all the time no source address object Sets the source criteria for the specified condition The no command removes the source criteria so all sources match the condition no ssid profile Sets the SSID profile criteria for the specified condition The no ssid profile command removes the SSID profile criteria show Displays information about the specified condition 17 1 1 3 Web Authentication Policy Insert Command Example Here is an example of using a custom login page from an external web portal for web authentication The following commands Turn on web authentication e Set the NXC to use the authentication profile named AuthProfile1 Set www login com as the login web page through which users authenticate their connections Have the NXC use a custom login page from an external web portal instead of the default one built into the NXC Create web auth polic
293. n to bind the DHCP pool When this command is used the NXC treats this DHCP pool like a static entry regardless of the network setting The no command clears this field no hardware address mac_address Reserves the DHCP pool for the specified MAC address Use this command along with host to create a static DHCP entry The no command clears this field NXC CLI Reference Guide 53 Chapter 6 Interfaces Table 14 interface Commands DHCP Settings continued COMMAND DESCRIPTION no client identifier mac address Specifies the MAC address that appears in the DHCP client list The no command clears this field no client name host name Specifies the host name that appears in the DHCP client list The no command clears this field host name You may use 1 31 alphanumeric characters underscores or dashes but the first character cannot be a number This value is case sensitive Use the following commands if you want to create a pool of IP addresses These commands have no effect if you use the host command You can still set them however dhcp option 1 254 option name boolean lt 0 1 gt uint8 lt 0 255 gt uint16 lt 0 65535 gt uint32 lt 0 4294967295 gt ip ipv4 ipv4 ipv4 fqdn fgdn fqdn fgdn text text hex hex vive enterprise id hex s enterprise_id hex_s vivs nterprise_id hex_s enterprise_id hex_s Adds or
294. naged AP within range of the NXC's own wireless network that is allowed to operate without being contained. This can include APs from neighboring companies, for example, or even APs maintained by your company's employees that operate outside of the established network.

10.2 Rogue AP Detection Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 38 Input Values for Rogue AP Detection Commands

LABEL
    DESCRIPTION

ap_mac
    Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) of the AP to be added to either the rogue AP or friendly AP list. The no command removes the entry.

description2
    Sets the description of the AP. You may use 1-60 alphanumeric characters, underscores (_) or dashes. This value is case-sensitive.

The following table describes the commands available for rogue AP detection. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 39 Command Summary: Rogue AP Detection

COMMAND
    DESCRIPTION

rogue ap detection
    Enters sub-command mode for rogue AP detection.

[no] activate
    Activates rogue AP detection. Use the no parameter to deactivate rogue AP detection.

Chapter 10 Rogue AP
Table 39 Command Summary: Rogue AP Detection (continued)

rogue ap ap_m
295. nal

Figure 26 Starting Xmodem Upload
    Do you want to start the recovery process (Y/N)? (default N)
    Starting XMODEM upload (CRC mode)
    C

5. This is an example Xmodem configuration upload using HyperTerminal. Click Transfer, then Send File to display the following screen.

Figure 27 Example Xmodem Upload
    Type the firmware file's location or click Browse to search for it. Choose the 1K Xmodem protocol. Then click Send.

6. Wait for about three and a half minutes for the Xmodem upload to finish.

Figure 28 Recovery Image Upload Complete

7. Enter atgo. The NXC starts up. If "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays on the screen, the firmware file is damaged and you need to use the procedure in to recover the firmware.

Figure 29 atgo Debug Command

35.10 Restoring the Firmware

This procedure requires the NXC's firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example 1 01 XL 0 CO bin. Do the following after you have obtained the firmware file.

This section is not for normal firmware uploads. You only need to use this section if you need to recover the firmware.
296. name ssid profile name2

[no] wlan ssid profile ssid profile name
    Enters configuration mode for the specified SSID profile. Use the no parameter to remove the specified profile.

[no] block intra
    Enables intra-BSSID traffic blocking. Use the no parameter to disable it in this profile. By default this is disabled.

Chapter 9 Wireless LAN Profiles
Table 33 Command Summary: SSID Profile (continued)

COMMAND
    DESCRIPTION

[no] hide
    Prevents the SSID from being publicly broadcast. Use the no parameter to re-enable public broadcast of the SSID in this profile. By default this is disabled.

ssid
    Sets the SSID. This is the name visible on the network to wireless clients. Enter up to 32 characters; spaces and underscores are allowed. The default SSID is ZyXEL.

qos wlan qos
    Sets the type of QoS used by this SSID.

data forward localbridge tunnel vlan iface
    Sets the data forwarding mode used by this SSID. The default is localbridge.

vlan id <1..4094>
    Applies to each SSID profile that uses localbridge. If the VLAN ID is equal to the AP's native VLAN ID, then traffic originating from the SSID is not tagged. The default VLAN ID is 1.

security securityprofile
    Assigns the specified security profile to this SSID profile.

[no] macfilter macfilterprofile
    Assigns the specified MAC filtering profile to this SSID profile. Use the no parameter to remov
297. nce object wlan ssid profile
    Displays the specified SSID profile object.

show reference object wlan security profile
    Displays the specified security profile object.

show reference object wlan macfilter profile
    Displays the specified macfilter profile object.

This example shows how to check which configuration is using an address object named LAN1_SUBNET. For the command output, firewall rule 3 named LAN1 to NXC is using the address object.

    Router(config)# show reference object address LAN1_SUBNET
    LAN1_SUBNET References:
    Category
    Rule Priority   Rule Name   Description
    Firewall
    3               N/A         LAN1 to NXC
    Router(config)#

Status

This chapter explains some commands you can use to display information about the NXC's current operational state.

4.1 Status Show Commands

The following table describes the commands available for NXC system status.

Table 8 Status Show Commands

COMMAND
    DESCRIPTION

show boot status
    Displays details about the NXC's startup state.

show comport status
    Displays whether the console and auxiliary ports are on or off.

show cpu status
    Displays the CPU utilization.

show disk
    Displays the disk utilization.

show extension slot
    Displays the status of the extension card slot and the USB ports and the names of any connected devices.

show fan speed
    Displays the current fan spee
298. nd group name to the specified service group (first group name). The no command removes the specified service group from the specified service group.

[no] description description
    Sets the description to the specified value. The no command removes the description.
    description: You can use alphanumeric and S_ characters, and it can be up to 60 characters long.

object group service rename group name group name
    Renames the specified service group from the first group name to the second group name.

26.2.2.1 Service Group Command Examples

The following commands create service ICMP_ECHO, create service group SG1, and add ICMP_ECHO to SG1.

    Router# configure terminal
    Router(config)# service object ICMP_ECHO icmp echo
    Router(config)# object group service SG1
    Router(group-service)# service object ICMP_ECHO
    Router(group-service)# exit
    Router(config)# show service object ICMP_ECHO
    Object name   Protocol   Minmum port   Maxmum port   Ref
    ICMP_ECHO     ICMP       8             8             1
    ICMP_ECHO References:
    Category
    Rule Priority   Rule Name   Description
    Service Group
    N/A             SG1         N/A
    Router(config)# show object group service SG1
    Object/Group name   Type     Reference
    ICMP_ECHO           Object   1
    Router(config)#

Schedules

Use schedules to set up one-time and recurring schedules for policy
299. nds. Other input values are discussed with the corresponding commands.

Table 125 Input Values for General System Commands

LABEL
    DESCRIPTION

address object
    The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_) or dashes, but the first character cannot be a number. This value is case-sensitive.

rule_number
    The number of a service control rule: 1 - X, where X is the highest number of rules the NXC model supports.

zone_object
    The name of the zone. Use up to 31 characters (a-zA-Z0-9_). The name cannot start with a number. This value is case-sensitive. The NXC uses pre-defined zone names like LAN and WLAN.

34.3 HTTP/HTTPS Commands

The following table describes the commands available for HTTP/HTTPS. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 126 Command Summary: HTTP/HTTPS

COMMAND
    DESCRIPTION

[no] ip http authentication auth_method
    Sets an authentication method used by the HTTP/HTTPS server. The no command resets the authentication method used by the HTTP/HTTPS server to the factory default (default).
    auth_method: The name of the authentication method. You may use 1-31 alphanumeric characters, underscores (_) or dashes, but the first character cannot be a number. This value is case-sensitive.

[no] ip http port <1..65535>
    Sets the HTTP service port num
300. nds in Configuration Mode (continued)

COMMAND
    DESCRIPTION

snaplen <68..1512>
    Specifies the maximum number of bytes to capture per packet. The NXC automatically truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets may be larger than the size of captured packets.

arp ip_address mac_address
    Edits or creates an ARP table entry.

no arp ip_address
    Removes an ARP table entry.

[no] arp reply restricted
    Sets the NXC to only respond to ARP requests in which both the source and destination IP addresses are in different subnets. The no command sets the NXC to respond to any ARP request.

41.1.1 Command Examples

Some packet trace command examples are shown below.

    8 packets received by filter
    0 packets dropped by kernel

    Router# packet trace duration 3
    tcpdump: listening on eth0
    19:24:43.239798 192.168.1.10 > 192.168.1.1 icmp echo request
    19:24:43.240199 192.168.1.1 > 192.168.1.10 icmp echo reply
    19:24:44.258823 192.168.1.10 > 192.168.1.1 icmp echo request
    19:24:44.259219 192.168.1.1 > 192.168.1.10 icmp echo reply
    19:24:45.268839 192.168.1.10 > 192.168.1.1 icmp echo request
    19:24:45.269238 192.168.1.1 > 192.168.1.10 icmp echo reply
    6 packets received by filter
    0 packets dropped by kernel

    Router# packet trace interface ge2 ip proto icmp fil
302. ned Routing Information Commands

This table lists the commands to look at learned routing information.

Table 27 ip route Commands: Learned Routing Information

COMMAND
    DESCRIPTION

show ip route kernel connected static
    Displays learned routing and other routing information.

7.5.1 show ip route Command Example

The following example shows learned routing information on the NXC.

    Router> show ip route
    Flags: A Activated route, S Static route, C directly Connected,
           O OSPF derived, R RIP derived, G selected Gateway,
           reject, B Black hole, L Loop
    IP Address/Netmask   Gateway   IFace   Metric   Flags   Persist
    127.0.0.0/8          0.0.0.0   lo      0        ACG
    192.168.1.0/24       0.0.0.0   vlan0   0        ACG
    Router>

AP Management

This chapter shows you how to configure wireless AP management options on your NXC.

8.1 AP Management Overview

The NXC allows you to remotely manage all of the wireless station Access Points (APs) on your network. You can manage a number of APs without having to configure them individually, as the NXC automatically handles basic configuration for you.

The commands in this chapter allow you to add, delete and edit the APs managed by the NXC by means of the CAPWAP protocol. An AP must be moved from the wait list to the management list before you can manage it. If you do not want to use this registration
303. netpkt zysh ipt op
    ZLD internal debug commands

debug update server
    Update server debug command

Object Reference

This chapter describes how to use object reference commands.

3.1 Object Reference Commands

The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.

Table 7 show reference Commands

COMMAND
    DESCRIPTION

show reference object username username
    Displays which configuration settings reference the specified user object.

show reference object address profile
    Displays which configuration settings reference the specified address object.

show reference object service profile
    Displays which configuration settings reference the specified service object.

show reference object schedule profile
    Displays which configuration settings reference the specified schedule object.

show reference object aaa authentication default auth_method
    Displays which configuration settings reference the specified AAA authentication object.

show reference object ca category local remote cert_name
    Displays which configuration settings reference the specified authentication method object.

sh
304. ng. no deactivates UDP scan detection, its logs, alerts or blocking.

Chapter 22 IDP Commands
Table 84 Editing/Creating Anomaly Profiles (continued)

COMMAND
    DESCRIPTION

[no] scan detection ip xxx activate log alert block
    Activates or deactivates IP scan detection options, where ip xxx is one of: ip protocol scan, ip decoy protocol scan, ip protocol sweep, ip distributed protocol scan, ip filtered protocol scan, ip filtered decoy protocol scan, ip filtered distributed protocol scan, ip filtered protocol sweep. Also sets IP scan detection logs or alerts and blocking. no deactivates IP scan detection, its logs, alerts or blocking.

[no] scan detection icmp sweep icmp filtered sweep activate log alert block
    Activates or deactivates ICMP scan detection options. Also sets ICMP scan detection logs or alerts and blocking. no deactivates ICMP scan detection, its logs, alerts or blocking.

[no] scan detection open port activate log alert block
    Activates or deactivates open port scan detection options. Also sets open port scan detection logs or alerts and blocking. no deactivates open port scan detection, its logs, alerts or blocking.

flood detection block period <1..3600>
    Sets for how many seconds the NXC blocks all packets from being sent to the victim (destination) of a detected anomaly attack.

no flood detection tcp flood udp flo
305. ng unauthorized users from file gaining access to the network

customization
    Use the custom login page built into the NXC. You can configure the look and feel of the page through the web configurator.

use uploaded file
    Use a web portal file with custom html pages, which is uploaded to the NXC through the web configurator.

exit
    Goes to configuration mode.

show page customization
    Displays the custom login page settings.

RTLS

Use the RTLS commands to use the managed APs as part of an Ekahau RTLS to track the location of Ekahau Wi-Fi tags.

18.1 RTLS Introduction

Ekahau RTLS (Real Time Location Service) tracks battery-powered Wi-Fi tags attached to APs managed by the NXC to create maps, alerts and reports.

The Ekahau RTLS Controller is the centerpiece of the RTLS system. This server software runs on a Windows computer to track and locate Ekahau tags from Wi-Fi signal strength measurements. Use the NXC with the Ekahau RTLS system to take signal strength measurements at the APs (Integrated Approach / Blink Mode).

18.2 RTLS Commands

The following table lists the rtls commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 55 rtls Commands

COMMAND
    DESCRIPTION

rtls ekahau activate
    Turn on RTLS to use Wi-Fi to track the location of Ekahau Wi-Fi tags.

rtls ekahau ip address ipv4 a
307. nt
    Enters sub-command mode for rogue AP containment.

[no] activate
    Activates rogue AP containment. Use the no parameter to deactivate rogue AP containment.

[no] contain ap_mac
    Isolates the device associated with the specified MAC address. Use the no parameter to remove this device from the containment list.

exit
    Exits configuration mode for rogue AP containment.

show rogue ap containment list
    Displays the rogue AP containment list.

10.4.1 Rogue AP Containment Example

This example contains the device associated with MAC address 00:13:49:11:11:12, then displays the containment list for confirmation.

    Router(config)# rogue ap containment
    Router(config-containment)# activate
    Router(config-containment)# contain 00:13:49:11:11:12
    Router(config-containment)# exit
    Router(config)# show rogue ap containment list
    no.   mac
    1     00:13:49:11:11:12

Wireless Frame Capture

This chapter shows you how to configure and use wireless frame capture on the NXC.

11.1 Wireless Frame Capture Overview

Troubleshooting wireless LAN issues has always been a challenge. Wireless sniffer tools like Ethereal can help capture and decode packets of information, which can then be analyzed for debugging. It works well for local data traffic, but if your devices are spaced increasingly farther away then it often becomes correspondingly difficult to attempt remote debugging. Complicated wireless packet co
308. nutes 18 seconds

37.1.3 Session Commands

This table lists the command to display the current sessions for debugging or statistical analysis.

Table 146 session Commands

COMMAND
    DESCRIPTION

show conn user username any unknown service service name any unknown source ip any destination ip any begin <1..100000> end <1..100000>
    Displays information about the selected sessions or about all sessions. You can look at all the active sessions or filter the information by user name, service object, source IP, destination IP or session number(s).
    any means all users, services and IP addresses respectively.
    unknown means unknown users and services respectively.

show conn ip traffic destination
    Displays information about traffic session sorted by the destination.

show conn ip traffic source
    Displays information about traffic session sorted by the source.

show conn status
    Displays the number of active sessions.

Chapter 37 Reports and Reboot

37.2 Email Daily Report Commands

The following table identifies the values used in some of these commands. Other input values are discussed with the corresponding commands.

Table 147 Input Values for Email Daily Report Commands

LABEL
    DESCRIPTION

e_mail
    An e-mail address. You can use up to 80 alphanumeric characters, underscores (_), periods or dashes an
309. o app watch dog interval interval
    Sets how frequently (in seconds) the NXC checks the system processes. The no command changes the setting back to the default.
    interval: 5 to 60 (NXC5200) or 5 to 300 (NXC2500)

Chapter 42 Watchdog Timer
Table 156 app watchdog Commands

COMMAND
    DESCRIPTION

[no] app watch dog mem threshold min <1..100> max <1..100>
    Sets the percentage thresholds for sending a memory usage alert. The NXC starts sending alerts when memory usage exceeds the maximum (the second threshold you enter). The NXC stops sending alerts when the memory usage drops back below the minimum threshold (the first threshold you enter). The no command changes the setting back to the default.

app watch dog reboot log flush
    Flushes the reboot log record.

[no] app watch dog retry count X25
    Set how many times the NXC is to re-check a process before considering it failed. The no command changes the setting back to the default.

[no] app watch dog sys reboot
    If auto recover fail reaches the maximum retry count, app watch dog reboots the device. The no command turns off system auto reboot.

show app watch dog config
    Displays the application watchdog timer settings.

show app watch dog monitor list
    Displays the list of applications that the application watchdog is monitoring.

show app watch dog reboot log
    Displays the appli
310. o command returns the default setting.

exit
    Leaves the sub-command mode.

[no] negotiation auto
    Sets the port to use auto-negotiation to determine the port speed and duplex. The no command turns off auto-negotiation.

[no] speed <100,10>
    Sets the Ethernet port's connection speed in Mbps. The no command returns the default setting.

show port setting
    Displays the Ethernet port negotiation, duplex and speed settings.

show port status
    Displays statistics for the Ethernet ports.

Chapter 6 Interfaces

6.5 Port Role Commands

The following table describes the commands available for port role identification. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 19 Command Summary: Port Role

COMMAND
    DESCRIPTION

show port type
    Displays the type of cable connection for each physical interface on the device.

show module type
    Displays the type of module for each physical interface on the device.

6.5.1 Port Role Examples

The following are two port role examples.

    Router(config)# show port type
    Port   Type
    1      Copper
    2      Down
    3      Down
    4      Down
    5      Down
    6      Down
    7      Down
    8      Down

    Router(config)# show module type
    Port   Type
    1      Copper
    2      Copper
    3      Copper
    4      Copper
    5      Fiber
    6      Fiber
    7      Fiber
    8      Fiber

6.6 USB Storage Specific Commands

Use these
311. od ip flood icmp flood activate log alert block
    Activates or deactivates TCP, UDP, IP or ICMP flood detection. Also sets flood detection logs or alerts and blocking. no deactivates flood detection, its logs, alerts or blocking.

[no] http inspection http xxx activate
    Activates or deactivates http inspection options, where http xxx is one of: ascii encoding, u encoding, bare byte unicode encoding, base36 encoding, utf 8 encoding, iis unicode codepoint encoding, multi slash encoding, iis backslash evasion, self directory traversal, directory traversal, apache whitespace, non rfc http delimiter, non rfc defined char, oversize request uri directory, oversize chunk encoding, webroot directory traversal.

http inspection http xxx log alert
    Sets http inspection log or alert.

no http inspection http xxx log
    Deactivates http inspection logs.

[no] http inspection http xxx action drop reject sender reject receiver reject both
    Sets http inspection action.

[no] tcp decoder tcp xxx activate
    Activates or deactivates tcp decoder options, where tcp xxx is one of: undersize len, undersize offset, oversize offset, bad length options, truncated options, ttcp detected, obsolete options, experimental options.

tcp decoder tcp xxx log alert
    Sets tcp decoder log or alert options.

no tcp decoder tcp xxx log
    Deactivates tcp decoder log or alert options.
312. ode forwarding port interface name
    If you apply Device HA on a bridge interface on a backup NXC, you can use this command to see which port in the bridge interface is chosen to receive VRRP packets used to monitor if the master NXC goes down.
    interface name: This is a bridge interface. For example, brx.

23.4.2 Active-Passive Mode Device HA Command Example

This example configures an NXC to be a master NXC for active-passive mode device HA. There is a management IP address of 192.168.1.3 on lan1. wan1 and lan1 are monitored. The synchronization password is set to mySyncPassword.

    Router(config)# device ha ap mode lan1 manage ip 192.168.1.3 255.255.255.0
    Router(config)# device ha ap mode role master
    Router(config)# device ha ap mode master sync authentication password mySyncPassword
    Router(config)# device ha ap mode wan1 activate
    Router(config)# device ha ap mode lan1 activate
    Router(config)# device ha activate

User/Group

This chapter describes how to set up user accounts, user groups and user settings for the NXC. You can also set up rules that control when users have to log in to the NXC before the NXC routes traffic for them.

24.1 User Account Overview

A user account defines the privileges of a user logged into the NXC. User accounts are used in firewall rules
313. of interfaces. The NXC uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management. Zones cannot overlap. Each Ethernet interface or VLAN interface can be assigned to at most one zone.

Figure 12 Example Zones

Chapter 15 Zones

15.2 Zone Commands Summary

The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands.

Table 48 Input Values for Zone Commands

LABEL
    DESCRIPTION

profile name
    The name of a zone. Use up to 31 characters (a-zA-Z0-9). The name cannot start with a number. This value is case-sensitive.

This table lists the zone commands.

Table 49 zone Commands

COMMAND
    DESCRIPTION

show zone profile name
    Displays information about the specified zone or about all zones.

show zone binding iface
    Displays each interface and zone mappings.

zone none binding
    Displays the interfaces that are not associated with a zone yet.

zone user define
    Displays all customized zones.

[no] zone profile name
    Creates the zone if necessary and enters sub-command mode. The no command deletes the zone.

zone profile name
    Enter the sub-command mode.

[no] block
    Blocks intra zone traffi
314. og starts syslog ng uam daemon app patrol daemon periodic command scheduler cron
    Start system daemon
    Got LINK CHANGE
    Port 01 is up > Group 0 is up
    Applying system configuration file, please wait
    System is configured successfully with startup-config.conf

35.11 Restoring the Default System Database

The default system database stores information such as the default anti-virus or IDP signatures. The NXC can still operate if the default system database is damaged or missing, but related features like anti-virus or IDP may not function properly.

If the default system database file is not valid, the NXC displays a warning message in your console session at startup or when reloading the anti-virus or IDP signatures. It also generates a log. Here are some examples. Use this section to restore the NXC's default system database.

Chapter 35 File Manager

Figure 35 Default System Database Console Session Warning at Startup: Anti-virus

Figure 37 Default System Database Missing Log: Anti-virus
316. ommand Summary: DNS Server

COMMAND
    DESCRIPTION

ip dns server zone forwarder <1..32> append insert <1..32> domain zone name interface interface name user defined ipv4 address interface interface name auto
    Sets a domain zone forwarder record that specifies a fully qualified domain name. You can also use an asterisk if all domain zones are served by the specified DNS server(s).
    domain zone name: This is a domain zone, not a host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. So whenever the NXC needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.
    interface name: This is the interface through which the ISP provides a DNS server. The interface should be activated and set to be a DHCP client.
    auto: any interface that the NXC uses to send DNS queries to a DNS server according to the routing rule.

ip dns server zone forwarder move <1..32> to <1..32>
    Changes the index number of a zone forwarder record.

no ip dns server zone forwarder <1..4>
    Removes the specified zone forwarder record.

43.4.1 DNS Server Commands Example

This example configures the AP to connect to the AP controller (the NXC) by DNS. The following commands:

- Set the AP's management IP address to 192.168.1.100 and netmask 255.255.255.0
- Sets the AP's management interface to use VL
317. ommands

This table lists the commands for configuring active-passive mode device HA.

Table 94 device ha ap mode Commands

COMMAND
    DESCRIPTION

[no] device ha ap mode preempt
    Turn on preempt if this NXC should become the master NXC if a lower-priority NXC is the master when this NXC is enabled.

device ha ap mode role master backup
    Sets the NXC to be the master or a backup in the virtual router.

device ha ap mode cluster id <1..32>
    Sets the cluster ID number. A virtual router consists of a master NXC and all of its backup NXCs. If you have multiple NXC virtual routers on your network, use a different cluster ID for each virtual router.

device ha ap mode priority <1..254>
    Sets backup NXC's priority. The backup NXC with the highest value takes over the role of the master NXC if the master NXC becomes unavailable. The priority must be between 1 and 254. (The master interface has priority 255.)

Chapter 23 Device HA
Table 94 device ha ap mode Commands (continued)

[no] device ha ap mode authentication string key ah md5 key
    Sets the authentication method the virtual router uses. Every interface in a virtual router must use the same authentication method and password. The no command disables authentication.
    string: Use a plain text password for authentication.
    key: Use up to eight characters including alphanu
318. ommands: E-mail Profile Settings (continued)

COMMAND
    DESCRIPTION

[no] logging mail <1..2> send log to send alerts to e mail
    Sets the e-mail address for logs or alerts. The no command clears the specified field.
    e mail: You can use up to 63 alphanumeric characters, underscores or dashes, and you must use the @ character.

[no] logging mail <1..2> subject subject
    Sets the subject line when the NXC mails to the specified e-mail profile. The no command clears this field.
    subject: You can use up to 60 alphanumeric characters, underscores, dashes or S characters.

[no] logging mail <1..2> category module name level alert all
    Specifies what kind of information is logged for the specified category. The no command disables logging for the specified category.

[no] logging mail <1..2> from e mail
    Sets the e-mail address from which the outgoing e-mail is delivered. The no command clears this field.

[no] logging mail <1..2> schedule full hourly
    Sets the e-mail schedule for the specified e-mail profile. The no command clears the schedule field.

logging mail <1..2> schedule daily hour <0..23> minute <0..59>
    Sets a daily e-mail schedule for the specified e-mail profile.

logging mail <1..2> schedule weekly day day hour <0..23> minute <0..59>
    Sets a weekly e-mail schedule for the specified e-mail profile.
    day: sun mon
319. on The no command disables application patrol for the specified application bandwidth graph no app protocol name defaultport 1 65535 For port base applications Adds the specified port to the list of ports used to identify the specified application This port number can only be included in one application s list The no command removes the specified port from the list app protocol name mode portless portbase Specifies how the NXC identifies this application 20 2 2 Rule Commands for Pre defined Applications This table lists the commands for rules in each pre defined application Table 63 app Commands Rules in Pre Defined Applications COMMAND DESCRIPTION app protocol name rule insert rule number Creates a new rule at the specified row and enters sub command mode app protocol name rule append Creates a new rule appends it to the end of the list and enters sub command mode NXC CLI Reference Guide Chapter 20 Application Patrol Table 63 app Commands Rules in Pre Defined Applications continued COMMAND DESCRIPTION app protocol_name rule rule_number or app protocol_name rule modify rule_number Enters sub command mode for editing the rule at the specified row app protocol_name rule default or app protocol_name rule modify default Enters sub command mode for editing the default rule for the application no app protocol_name rule r
320. on Services Available on the NXC

The NXC can use anti-virus and IDP/AppPatrol (Intrusion Detection and Prevention and application patrol) subscription services. The NXC's anti-virus packet scanner uses the signature files on the NXC to detect virus files. Your NXC scans files transmitting through the enabled interfaces into the network. Subscribe to signature files for ZyXEL's anti-virus engine or one powered by Kaspersky. After the service is activated, the NXC can download the up-to-date signature files from the update server.

When using the trial, you can switch from one engine to the other in the Registration screen. There is no limit on the number of times you can change the anti-virus engine selection during the trial, but you only get a total of one anti-virus trial period, not a separate trial period for each anti-virus engine. After the service is activated, the NXC can download the up-to-date signature files from the update server.

After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and enter the PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. If you were already using an iCard anti-virus subscription, any remaining time on your earlier subscription is automatically added to
321. onfigure terminal Router config interface gel Router config if ge description lt description gt The following table provides more information about input values like lt description gt Table 4 Input Value Formats for Strings in CLI Commands TAG VALUES LEGAL VALUES 1 all rem ALL authentication key 32 40 Ox or OX 32 40 hexadecimal values 16 20 alphanumeric or gt S 3 amp _ lt gt Used in MD5 authentication keys and text authentication key 0 16 alphanumeric or _ Used in text authentication keys 0 8 alphanumeric or certificate name 1 31 alphanumeric or G 2 amp N community string 0 63 alphanumeric or first character alphanumeric or connection id 1 alphanumeric or contact 1 61 alphanumeric spaces or S _ country code Q 4035 52 alphanumeric custom signature file 0 30 alphanumeric or name first character letter description Used in keyword criteria for log entries 1 64 alphanumeric spaces or S_ Used in other commands 1 61 alphanumeric spaces or 2 t 0 distinguished name 1 511 alphanumeric spaces or _ domain name 0 lower case letters numbers or Used in ip dns server 1 248 alphanumeric or first character alphanumeric or Used in domainname ip dhcp pool and ip doma
322. or example com
mail to 2
mail to 3
mail to 4 my email example com
mail to 5
cpu usage yes
mem usage yes
Session usage yes
port usage yes
idp report yes
av report yes
as report yes
traffic report yes
Router config daily report send now

37.3 Reboot

Use this to restart the device (for example, if the device begins behaving erratically). If you made changes in the CLI, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot. Use the reboot command to restart the device.

Session Timeout

Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands.

Table 149 Session Timeout Commands

COMMAND
    DESCRIPTION

session timeout udp connect <1..300> udp deliver <1..300> icmp <1..300>
    Sets the timeout for UDP sessions to connect or deliver and for ICMP sessions.

session timeout tcp close <1..300> tcp closewait <1..300> tcp established <1..432000> tcp finwait <1..300> tcp lastack <1..300> tcp synrecv <1..300> tcp synsent <1..300> tcp timewait <1..300>
    Sets the timeout for TCP sessions in the ESTABLISHED, SYN_RECV, FIN_WAIT, SYN_SENT, CLOSE_WAIT, LAST_ACK or TIME_WAIT state.

show session timeout icmp tcp
323. ority over the AP's CAPWAP client commands described in Chapter 43 on page 271.

vlan <1..4094> tag untag
    Sets the VLAN ID for the specified AP as well as whether packets sent to and from that ID are tagged or untagged.

exit
    Exits the sub-command mode for the specified AP.

show capwap ap wait list
    Displays a list of connected but as of yet unmanaged APs. This is known as the wait list.

show capwap ap all ap mac
    Displays the management list (all) or whether the specified AP is on the management list (ap mac).

show capwap ap all statistics
    Displays radio statistics for all APs on the management list.

show capwap ap ap mac slot name detail
    Displays details for the specified radio (slot name) on the specified AP (ap mac).

show capwap status ap all ap mac config
    Displays whether or not any AP's configuration or the specified AP's configuration is in conflict with the NXC's settings for the AP, and displays the settings in conflict if there are any.

show capwap station all
    Displays information for all stations connected to the APs on the management list.

capwap station kick sta mac
    Forcibly disconnects the specified station from the network.

8.2.1 AP Management Commands Example

The following example shows you how to add an AP to the management list and then edi
324. oversize offset bad IDP profile length options truncated options ttcp detected obsolete options experimental options details

show idp anomaly profile udp decoder all details
    Shows udp decoder settings for the specified IDP profile.

show idp anomaly profile udp decoder truncated header undersize len oversize len details
    Shows specified udp decoder settings for the specified IDP profile.

show idp anomaly profile icmp decoder all details
    Shows all icmp decoder settings for the specified IDP profile.

show idp anomaly profile icmp decoder truncated header truncated timestamp header truncated address header details
    Shows specified icmp decoder settings for the specified IDP profile.

22.3.4.1 Creating an Anomaly Profile Example

In this example we create a profile named test, configure some settings, display them, and then return to global command mode.

Router configure terminal
Router config idp anomaly test
Router config
Router config idp anomaly profile test tcp decoder oversize offset action drop
Router config idp anomaly profile test tcp decoder oversize offset log alert
Router config idp anomaly profile test tcp decoder oversize offset activate
Router config idp anomaly profile test no tcp decoder oversize offset
325. ow reference object zon Displays which configuration settings reference the profile specified zone object show reference object group Displays which configuration settings reference the username username specified user group object show reference object group Displays which configuration settings reference the address profile specified address group object show reference object group Displays which configuration settings reference the service profile specified service group object show reference object group Displays which configuration settings reference the interface profile specified trunk object show reference object group aaa Displays which configuration settings reference the ad group name specified AAA AD group object show reference object group aaa Displays which configuration settings reference the ldap group name specified AAA LDAP group object NXC CLI Reference Guide Chapter 3 Object Reference 3 1 1 Object Reference Command Example Table 7 show reference Commands continued COMMAND DESCRIPTION radius group_name show reference object group aaa Displays which configuration settings reference the specified AAA RADIUS group object o how reference object wlan radio profile Displays the specified radio profile object show reference object wlan monitor profile Displays the specified monitor profile object show refere
327. p server radius RADIUSGroupl Router config show aaa group server radius RADIUSGroupl server server server server exit host 192.168.1.100 auth port 1812 host 172.16.22.100 auth port 1812 key 12345678 timeout 100 Router config key 12345678 timeout 100 description group attribute TT nas ip 127.0.0.1 nas id case sensitive yes

No  Host Member     Auth Port
1   192.168.1.100   1812
2   172.16.22.100   1812

Authentication Objects

This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database.

29.1 Authentication Objects Overview

After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the NXC uses to authenticate users (such as managing through HTTP/HTTPS or Captive Portal).

29.2 aaa authentication Commands

The following table lists the aaa authentication commands you use to configure an authentication profile.

Table 113 aaa authentication Commands

COMMAND
    DESCRIPTION

aaa authentication rename profile name old profile name new
    Changes the profile name.
    profile name: You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.

clear aaa authentication profile name
    Deletes all authentication p
328. p to 60 characters. Spaces and underscores allowed.

exit
    Exits configuration mode for this profile.

9.5.1 MAC Filter Profile Example

The following example creates a MAC filter profile with the name MACFILTERO1.

Router config wlan macfilter profile MACFILTERO1 Router config macfilter profile filter action deny Router config macfilter profile MAC 01 02 03 04 05 config macfilter profile Router config macfilter profile 06 07 08 description MACO1 description MACO2 description MACO3 MAC 01 02 03 04 05 MAC 01 02 03 04 05 Router config macfilter profil Router Router config exit

Rogue AP

This chapter shows you how to set up Rogue Access Point (AP) detection and containment.

10.1 Rogue AP Detection Overview

Rogue APs are wireless access points operating in a network's coverage area that are not under the control of the network's administrators, and can potentially open holes in the network security. Attackers can take advantage of a rogue AP's weaker (or non-existent) security to gain illicit access to the network, or set up their own rogue APs in order to capture information from wireless clients.

Conversely, a friendly AP is one that the NXC network administrator regards as non-threatening. This does not necessarily mean the friendly AP must belong to the network managed by the NXC; rather, it is any unma
330. packet capture iface del wan2
Router packet capture ip type any
Router packet capture host ip any
Router packet capture file suffix Example
Router packet capture files size 10000
Router packet capture duration 150
Router packet capture

Exit the sub-command mode and have the NXC capture packets according to the settings you just configured.

Router packet capture exit
Router config packet capture activate
Router config

Manually stop the running packet capturing.

Router config no packet capture activate
Router config

Check current packet capture status and list all packet captures the NXC has performed.

Router config show packet capture status
capture status off
Router config dir packet trace
File Name Size Modified Time
wanl Example cap 575160 2009 11 24 09 06 59
Router config

You can use FTP to download a capture file. Open and study it using a packet analyzer tool (for example, Ethereal or Wireshark).

Watchdog Timer

This chapter provides information about the NXC's watchdog timers.

42.1 Hardware Watchdog Timer

The hardware watchdog has the system restart if the hardware fails.

The hardware watchdog timer commands are for support engineers. It is recommended that you not modify the
331. ple of Static Routing Topology

7.4 Static Route Commands

The following table describes the commands available for static route. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 26 Command Summary Static Route

COMMAND
    DESCRIPTION

no ip route w.x.y.z w.x.y.z interface w.x.y.z <0..127>
    Sets a static route. The no command disables a static route.

ip route replace w.x.y.z w.x.y.z interface w.x.y.z <0..127> with w.x.y.z w.x.y.z interface w.x.y.z <0..127>
    Changes an existing route's settings.

show ip route settings
    Displays static route information. Use show ip route to see learned route information.

show ip route control virtual server rules
    Displays whether or not static routes have priority over NAT virtual server rules (1-1 SNAT).

7.4.1 Static Route Commands Example

The following command sets a static route with IP address 10.10.10.0 and subnet mask 255.255.255.0 and with the next-hop interface ge1. Then use the show command to display the setting.

Router config ip route 10.10.10.0 255.255.255.0 ge1
Router config
Router config show ip route settings
Route        Netmask          Nexthop   Metric
10.10.10.0   255.255.255.0    ge1       0

7.5 Lear
333. protocol to further secure. Not all wireless clients may support this.
    aes: This is the Advanced Encryption Standard encryption method, a newer, more robust algorithm than TKIP. Not all wireless clients may support this.

wpa psk wpa key wpa key 64
    Sets the WPA/WPA2 pre-shared key.

no wpa2 preauth
    Enables pre-authentication to allow wireless clients to switch APs without having to re-authenticate their network connection. The RADIUS server puts a temporary PMK Security Authorization cache on the wireless clients. It contains their session ID and a pre-authorized list of viable APs. Use the no parameter to disable this.

no reauth <30..30000>
    Sets the interval (in seconds) between authentication requests. The default is 0.

idle <30..30000>
    Sets the idle interval (in seconds) that a client can be idle before authentication is discontinued. The default is 300.

group key <30..30000>
    Sets the interval (in seconds) at which the AP updates the group WPA/WPA2 encryption key. The default is 1800.

no dot1x eap
    Enables 802.1x secure authentication. Use the no parameter to disable it.

Chapter 9 Wireless LAN Profiles
Table 35 Command Summary Security Profile (continued)

eap external internal auth method
    Sets the 802.1x authentication method.

no server auth <1..2> activate
    Activates server authent
334. ps 192.168.1.5 00 04 06 unlimited 00 25 57 unlimited s N A
3 admin admin admin http https 192.168.1.5 00 03 39 unlimited 00 26 25 unlimited N A
Router config users force logout 192.168.1.5
Logout user admin from 192.168.1.5 OK
Logout user admin from 192.168.1.5 OK
Total 2 users have been forced logout
Router config show users all
No Name Role Type MAC Service From Session Time Idle Time Lease Timeout Re Auth Timeout Acct Status Profile Name
1 admin admin admin console console 0033 22 unlimited 00 30 00 unlimited E N A

The following commands display the users that are currently locked out and then unlock the user who is displayed.

Router configure terminal
Router config show lockout users
No Username Tried From Lockout Time Remaining
No From Failed Login Attempt Record Expired Timer
1 192.168.1.60 2 46
Router config unlock lockout users 192.168.1.60
User from 192.168.1.60 is unlocked
Router config show lockout users
No Username Tried From Lockout Time Remaining
No From Failed Login Attempt Record Expired Timer

Addresses

This chapter describes how to set up addresses and address groups for the NXC. Use the configure terminal command to enter Configuration mode in order to use the commands described in this chapter.

25.1 Address Overview
335. qiie Rod e BEERS ERR MR AC e d dod e e RA e eee 157 Ago SV SCENCDEDGDOOSE Haras ceu ae eke eee ed E ea o ee Pd d PE EE 153 idp systern TOL eee BdOSULLVELE dude usi dnb DA dc b dO M CE E No mes 146 iface add del interface name virtual interface name ooooooooooooo o 262 DIETE Luisddd da sb awbExS Phases Oma BECO qx Rd dns hanes Weda ese S 32 lhtertase InPberfacs MI agegqexdee Ox DA AC AE wr re Qo Regio ede Ue ea dece RR CR 55 Incertacse SCS ISS nm aug 5p AE AE GS UR des Bees NOR uds d Seuss y intertane INDBFIIase nam wks asa ke d wd d RE ER A X ESE a REORDER Ka Ce NO RC AA HD Ro s UR 58 interiace bend Statisties interval eI5 43986009 qx EGO sn eee eae ORS eee RO 51 interface nam Chernet interlace user defined _ MEMES piristi Swe ewes eae Dak woke as n1 ip dhop pool rename profile name profile Bale cise seeks Se eS ee LORE SETA OR RES 53 Ip Bus Server cathe ELSA cn diva wea eee Set Oie Oat KEES OR do KC Qo A KOREA OR E OR Coe 211 ip dns server rule lt 1 64 gt append insert lt 1 64 gt access group ALL profile name zone ALL profile name action iacocept deBg x3 eX EGO deu Ree SRR d RO 212 ID dis Serer rule more Lo ble EO La DP acne eee ee eRe Re Ree eS aR ea ee RR 212 ip dns server zone forwarder 1 32 append insert lt 1 32 gt domain zone name in terface interface name user defined ipv4 address interface interface name auto 4 ADS AA ADA A a A DAS DAS E AAA AAA AA AA ate ae 274 ip dns server zone forwa
337. r each of them. The no command clears the setting.

no server host radius server auth port port
    Enter the IP address (in dotted decimal notation) or domain name and authentication port of a RADIUS server to add to this server group. The no command clears this setting.

no server key secret
    Sets a password (up to 15 alphanumeric characters) as the key to be shared between the RADIUS server(s) and the NXC. The no command clears this setting.

no server timeout time
    Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no command clears this setting and sets this to the default setting of 5 seconds.

no server acct address radius server acct port port
    Enter the IP address (in dotted decimal notation) or domain name and authentication port of the RADIUS accounting server to add to this server group. The no command clears this setting.

no server acct secret key
    Enter the key (up to 15 alphanumeric characters) to share between the external accounting server and the NXC. The key is not sent over the network. This key must be the same on the external accounting server and the NXC. The no command clears this setting.

no server acct interim interval <1..1440>
    Specifies the interval (in minutes) at which the NXC sends subscriber status updates to the RADIUS server. The no command clears this setting.

no server acct retry count
    Sets the number of times the NXC reattempts to us
338. racters Spaces are allowed access page window color color rgb color name color number Sets the color of the access page s colored background login page background color color Sets the color of the login page s background color name color number rgb color name color number no login page color background Sets the login page to use a solid colored background login page message color color rgb Setsthe color of the message text on the login page no login page message text messag Sets a note to display at the bottom of the login screen Use up to 64 printable ASCII characters Spaces are allowed NXC CLI Reference Guide Chapter 33 System Table 119 Command Summary Customization continued COMMAND DESCRIPTION login page title titl Sets the title for the top of the login screen Use up to 64 printable ASCII characters Spaces are allowed login page title color color rgb color name color number Sets the title text color of the login page logo background color color rgb color name color number Sets the color of the logo banner across the top of the login screen and access page show access page settings Lists the current access page settings show login page default titl Lists the factory default title for the login page show login page settings Lists the current login page settings show logo s
339. rder lt 1 32 gt appendlinsert lt 1 32 gt domain_zone_name user defined w x y z private interface interface_name auto 212 ip dns server zone forwarder move lt 1 32 gt to 1 325 ssseevepaseoakeancaneas ee ae 212 ip des server kohe Iorwarder move 1 325 Lo 16 52 ex bx ar ra EGO RACE d ERE S E 274 ip ftp server rul rule number append insert rule number access group ALL address object zone ALL zone object action accept deny 219 ip ftp server rule move rule number to rule number csc ska ceva ee Skea ee RRS EER RS ESTE 219 Le gaLeway Ip Metric DD LS cde een rakiet eek v3 d TORE ES EASES EEO A 50 ip http secure server cipher suite cipher_algorithm cipher_algorithm orpher algorithm Lbsrpher slooritim dodo airkiew a d res ee rr waa we Camas oe o 215 ip http secure server table admin user rule rule_number append insert rule_number access group ALL address_object zone ALL zone object action accept deny 215 ip http secure server table admin user rule move rule number to rule number 215 ip http server table admin user rule rule number append insert rule number access group ALL address object zone ALL zone object action accept deny PNEU ip http server table admin user rule move rule number to rule number 215 ip route replace w x y z w x y z interface w x y z lt 0 127 gt with w x y z URLS ARE
341. rence Guide Chapter 22 IDP Commands

22.3.2.1 Example of IDP Zone to Zone Rule Commands

The following example creates IDP zone to zone rule one. The rule applies the LAN_IDP profile to all traffic going to the LAN zone.

Router configure terminal
Router config idp signature rule 1
Router config idp signature 1
Router config idp signature 1 exit
Router config
Router config idp signature 1 from zone any
Router config idp signature 1 to zone LAN
Router config idp signature 1 bind LAN IDP
Router config idp signature 1 activate
Router config show idp signature rules
Signature rules
idp rule 1
from zone any
to zone LAN
profile LAN_IDP
activate yes

22.3.3 Editing/Creating IDP Signature Profiles

Use these commands to create a new IDP signature profile or edit an existing one. It is recommended you use the web configurator to create/edit profiles. If you do not specify a base profile, the default base profile is none.

You CANNOT change the base profile later.

The following table describes the values required for many IDP signature profile commands. Other values are discussed with the corresponding commands.

Table 82 Input Values for IDP Signature Profile Commands

LABEL
    DESCRIPTION

sid
    The signature ID (identification) number that uniquely identifies a NXC signature.

This table lists the IDP signature profile commands.

Table 83 Editing Creating
342. ric characters underscores or dashes but the first character cannot be a number This value is case sensitive wlan role Sets the wireless LAN radio operating mode At the time of writing you can use ap for Access Point wireless channel 2g Sets the 2 GHz channel used by this radio profile The channel range is 1 14 Note Your choice of channel may be restricted by regional regulations wireless channel 5g Sets the 5 GHz channel used by this radio profile The channel range is 36 165 Note Your choice of channel may be restricted by regional regulations NXC CLI Reference Guide Chapter 9 Wireless LAN Profiles Table 30 Input Values for General Radio and Monitor Profile Commands continued LABEL DESCRIPTION wlan_hctw Sets the HT channel width Select either auto or 20m wlan_htgi Sets the HT guard interval Select either long or short wlan 2g basic speed Sets the basic band rate for 2 4 GHz The available band rates are LO 250 5325 ALSO O 9705 124105 19105 24 50 36 0 48 0 54 0 wlan 2g support speed Sets the support rate for the 2 4 GHz band The available band rates aren Iu 07 2 30 De 11 05 60 940 2 05 018 0 24 0 36 0 48 0 54 0 wlan mcs speed Sets the HT MCS rate The available rates are 0 1 2 3 4 5 6 75 785 9 T0 Ll 12 T3 44 TS wlan 5g basic speed Sets the basic band rate for 5 GHz The available b
343. rofiles or the specified authentication profile. Note: You can NOT delete a profile that is currently in use.

show aaa authentication group name default
    Displays the specified authentication server profile settings.
no aaa authentication profile name
    Sets a descriptive name for the authentication profile. The no command deletes a profile.

Chapter 29 Authentication Objects

Table 113 aaa authentication Commands (continued)
COMMAND    DESCRIPTION
no aaa authentication default member1 member2 member3 member4
    Sets the default profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius, or local. Note: You must specify at least one member for each profile. Each type of member can only be used once in a profile. The no command clears the specified authentication method(s) for the profile.
no aaa authentication profile name member1 member2 member3 member4
    Sets the profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius, or local. Note: You must specify at least one member for each profile. Each type of member can only be used once in a profile. The no command clears the specified authentication method(s) for the profile.

29.2.1 aaa authentication Command Example

The following example creates an authentica
345. rver com no mail subject append system name subject set test subject from my example administrator example com no mail to 2 no mail to 3 tim com subject append dat mail exampl no mail to 5 smtp smtp schedule hour 13 minutes 57 no reset counter to 4 my email example com auth activate auth username 12345 password pass12345 cpu usage mem usage Router config daily repor item Router config daily repor item Router config daily repor item Router config daily repor item Router config daily repor item Router config daily repor item Router config daily repor item Router config daily repor Router config daily repor daily report activate session usag port usage idp report av report traffic report

Chapter 37 Reports and Reboot

This displays the email daily report settings and has the NXC send the report now.

    Router config show daily report status
    email daily report status
    activate yes
    scheduled time 13 57
    reset counter no
    smtp address example SMTP mail server com
    smtp auth yes
    smtp username 12345
    smtp password pass12345
    mail subject test subject
    append system name no
    append date time yes
    mail from my email example com
    mail to 1 example administrat
346. ry 198478 11 Fl El BB 03 approf01 E slot1 detail an 1

Wireless LAN Profiles

This chapter shows you how to configure wireless LAN profiles on your NXC.

9.1 Wireless LAN Profiles Overview

The NWA5160N Access Points designed to work explicitly with your NXC do not have on-board configuration files; you must create profiles to manage them. Profiles are preset configurations that are uploaded to the APs and which manage them. They include: Radio and Monitor profiles, SSID profiles, Security profiles, and MAC Filter profiles. Altogether, these profiles give you absolute control over your wireless network.

9.2 AP & Monitor Profile Commands

The radio profile commands allow you to set up configurations for the radios onboard your various APs. The monitor profile commands allow you to set up monitor mode configurations that allow your APs to scan for other APs in the vicinity.

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 30 Input Values for General Radio and Monitor Profile Commands
LABEL    DESCRIPTION
radio profile name
    The radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes, but the first character cannot be a number. This value is case sensitive.
monitor profile name
    The monitor profile name. You may use 1-31 alphanume
347. s

A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q. In the NXC, each VLAN is called a VLAN interface. As a router, the NXC routes traffic between VLAN interfaces, but it does not route traffic within a VLAN interface. vlan0 is the default VLAN interface. It cannot be deleted and its VID cannot be changed.

Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 24 Input Values for VLAN Interface Commands
LABEL    DESCRIPTION
virtual interface
    The VLAN interface name. You may use 0 511 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case sensitive.
gateway
    The gateway IP address of the interface. Enter a standard IPv4 IP address (for example, 127.0.0.1).
ip address
    The network mask IP address. Enter a standard IPv4 IP address.
netmask
    The network subnet mask. For example, 255.255.255.0.

Chapter 6 Interfaces

Table 21 Input Values for VLAN Interface Commands
348. s group object. You may use 1-31 alphanumeric characters, underscores (_), or dashes, but the first character cannot be a number. This value is case sensitive.

interface_name
    The name of the interface. Ethernet interface: gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your NXC model. VLAN interface: vlanx, x = 0 - 511.

The following table describes the commands available for DNS. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 124 Command Summary: DNS
COMMAND    DESCRIPTION
no ip dns server a record fqdn w.x.y.z
    Sets an A record that specifies the mapping of a fully qualified domain name (FQDN) to an IP address. The no command deletes an A record.
ip dns server cache flush
    Clears the DNS
no ip dns server mx record domain name w.x.y.z fqdn
    Sets a MX record that specifies a mail server that is responsible for handling the mail for a particular domain. The no command deletes a MX record.

Chapter 33 System

Table 124 Command Summary: DNS (continued)
COMMAND    DESCRIPTION
ip dns server rule <1..64> append insert <1..64> access group ALL profile name zone ALL profile name action accept deny
    Sets a service control rule for DNS requests.
ip dns server rule move <1..64> to <1..64>
    Changes the number of a service control rule
349. s an unlimited number of simultaneous logins.

no users simultaneous logon administration access limit <1..1024>
    Sets the limit for the number of simultaneous logins by users of the specified account type. The no command sets the limit to one.
show users update lease settings
    Displays whether or not access users can automatically renew their lease time.
no users update lease automation
    Lets users automatically renew their lease time. The no command prevents them from automatically renewing it.
show users idle detection settings
    Displays whether or not users are automatically logged out, and, if so, how many minutes of idle time must pass before they are logged out.
no users idle detection
    Enables logging users out after a specified number of minutes of idle time. The no command disables logging them out.
no users idle detection timeout <1..60>
    Sets the number of minutes of idle time before users are automatically logged out. The no command sets the idle detection timeout to three minutes.

24.2.3.1 User Setting Command Examples

The following commands show the current settings for the number of simultaneous logins.

    Router configure terminal
    Router config show users simultaneous logon settings
    enable simultaneous logon limitation for administration account yes
    maximum simultaneous logon per administration account s xL
    enable simultaneous logon limitation
351. s case sensitive.

The following sections list the service object and service group commands.

26.2.1 Service Object Commands

The first table lists the commands for service objects.

Table 106 service object Commands: Service Objects
COMMAND    DESCRIPTION
show service object object_name
    Displays information about the specified service or about all the services.
no service object object_name
    Deletes the specified service.
service object object_name tcp udp eq <1..65535> range <1..65535> <1..65535>
    Creates the specified TCP service or UDP service using the specified parameters.

Chapter 26 Services

Table 106 service object Commands: Service Objects (continued)
COMMAND    DESCRIPTION
service object object name icmp icmp value
    Creates the specified ICMP message using the specified parameters. icmp value: <0..255>, alternate address, conversion error, echo, echo reply, information reply, information request, mask reply, mask request, mobile redirect, parameter problem, redirect, router advertisement, router solicitation, source quench, time exceeded, timestamp reply, timestamp request, unreachable.
service object object name protocol 1 255
    Creates the specified user defined service using the specified parameters.
service object list
    Lists all available network services.
352. s list the report and session commands.

37.1.1 Report Commands

This table lists the commands for reports.

Table 145 report Commands
COMMAND    DESCRIPTION
no report
    Begins data collection. The no command stops data collection.
show report status
    Displays whether or not the NXC is collecting data and how long it has collected data.
clear report interface_name
    Clears the report for the specified interface or for all interfaces.
show report interface_name ip service url
    Displays the traffic report for the specified interface and controls the format of the report. Formats are: ip (traffic by IP address and direction), service (traffic by service and direction), url (hits by URL).

Chapter 37 Reports and Reboot

37.1.2 Report Command Examples

The following commands start collecting data, display the traffic reports, and stop collecting data.

    Router configure terminal
    Router config show report ge1 ip
    No  IP Address   User   Amount      Direction
    1   192.168.1.4  admin  1273 bytes  Outgoing
    2   192.168.1.4  admin  711 bytes   Incoming
    Router config show report ge1 service
    No  Port  Service  Amount      Direction
    1   21    ftp      1273 bytes  Outgoing
    2   21    ftp      711 bytes   Incoming
    Router config show report ge1 url
    No Hit URL
    ch a 140 114 79 60
    Router config show report status
    Report status on
    Collection period 0 days 0 hours 0 mi
353. s the report e-mails (up to five recipients).

mail to 2 e mail
    See above.
mail to 3 e mail
    See above.
mail to 4 e mail
    See above.
mail to 5 e mail
    See above.
no item cf report
    Determines whether or not content filtering statistics are included in the report e-mails.
no item cpu usage
    Determines whether or not CPU usage statistics are included in the report e-mails.
no item mem usage
    Determines whether or not memory usage statistics are included in the report e-mails.

Chapter 37 Reports and Reboot

Table 148 Email Daily Report Commands (continued)
COMMAND    DESCRIPTION
smtp port 1 65535
    Sets the SMTP service port.
no smtp port
    Resets the SMTP service port configuration.
daily report no item station count
    Determines whether or not the station statistics are included in the report e-mails.
daily report no item wtp tx
    Determines whether or not the NXC's outgoing traffic statistics are included in the report e-mails.
daily report no item session usag
    Determines whether or not session usage statistics are included in the report e-mails.
daily report no item port usage
    Determines whether or not port usage statistics are included in the report e-mails.
daily report no item idp report
    Determines whether or not IDP statistics are included in the report e-mails.
daily report no item av report
    Determine
354. s the rule.

bandwidth inbound outbound <0..1048576>
    Limits inbound or outbound bandwidth, in kilobits per second. 0 disables bandwidth management for traffic matching this rule.
no bandwidth excess usage
    Enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwidth on the out-going interface.
bandwidth priority <1..7>
    Set the priority for traffic that matches this rule. The smaller the number, the higher the priority.

Chapter 20 Application Patrol

Table 69 app patrol other rule Sub-commands (continued)
COMMAND    DESCRIPTION
no inbound dscp mark <0..63> class default dscp class
    This is how the NXC handles the DSCP value of the outgoing packets to a connection's initiator that match this policy. Enter a DSCP value to have the NXC apply that DSCP value. Set this to the class default to have the NXC set the DSCP value to 0.
no log alert
    Creates log entries and alerts for traffic that matches the rule. The no command does not create any log entries.
no outbound dscp mark <0..63> class default dscp class
    This is how the NXC handles the DSCP value of the outgoing packets from a connection's initiator that match this policy. Enter a DSCP value to have the NXC apply that DSCP value. Set this to the class default to have the NXC set the DSCP value to 0.
show
    Displays
355. s the specified user to the rule.

20.2.3 Exception Commands for Pre-defined Applications

This table lists the commands for exception rules for application access controls. These commands are used for backward compatibility only.

Table 65 app Commands: Exception Rules in Pre-Defined Applications
COMMAND    DESCRIPTION
app protocol name exception insert rule number
    Creates a new rule at the specified row and enters sub-command mode.
app protocol name exception append
    Creates a new rule, appends it to the end of the list, and enters sub-command mode.
app protocol name exception rule number
    Enters sub-command mode for editing the rule at the specified row.
app protocol name exception modify rule number
    Enters sub-command mode for editing the rule at the specified row.
app protocol name exception default or app protocol name exception modify default
    Enters sub-command mode for editing the default rule for the application.
app protocol name exception move rule number to rule number
    Moves the specified rule (first index) to the specified location. The process is: (1) remove the specified rule from the table; (2) re-number; (3) insert the rule at the specified location.

Chapter 20 Application Patrol

20.2.3.1 Exception Rule Sub-commands

The following table describes the sub-commands for several application patrol exception rule commands. Note that no
356. s whether or not anti-virus statistics are included in the report e-mails.

daily report no item traffic report
    Determines whether or not network traffic statistics are included in the report e-mails.
daily report schedule hour 0 23 minute 00 59
    Sets the time for sending out the report e-mails.
daily report no daily report reset counter
    Determines whether or not to clear the report statistics data after successfully sending out a report e-mail.
daily report send now
    Sends the daily e-mail report immediately (lets the user actively send out the report e-mails).
daily report reset counter now
    Discards all report data and starts all of the counters over at zero.
daily report no item wtp rx
    Determines whether or not the NXC's incoming traffic statistics are included in the report e-mails.

Chapter 37 Reports and Reboot

37.2.1 Email Daily Report Example

This example sets the NXC to send a daily report e-mail.

Router config daily report Router config daily repor Router config daily repor Router config daily repor Router config daily repor Router config daily repor Router config daily repor Router config daily repor Router config daily repor Router config daily repor Router config daily repor smtp mail mail mail mail Router config daily repor Router config daily repor Router config daily repor address example SMTP mail se
357. se profiles available.

    Router configure terminal
    Router config idp rename signature old profile new profile
    Router config no idp signature bye profile
    Router config show idp signature base profile
    No  Base Profile Name
    1   none
    2   all
    3   wan
    4   lan
    5   dmz
    Router config

22.3.2 IDP Zone to Zone Rules

Use the following rules to apply IDP profiles to specific directions of packet travel.

Table 81 IDP Zone to Zone Rule Commands
COMMAND    DESCRIPTION
idp signature anomaly rule append <1..64> insert <1..64>
    Create an IDP signature or anomaly rule and enter the sub-command mode.
bind profile
    Binds the IDP profile to the entry's traffic direction.
no bind
    Removes the IDP profile's binding.
no from zone zone profile
    Specifies the zone the traffic is coming from. The no command removes the zone specification.
no to zone zone profile
    Specifies the zone the traffic is going to. The no command removes the zone specification.
no activate
    Turns on the IDP profile to traffic direction binding. The no command turns it off.
idp signature anomaly rule delete <1..64> move <1..64> to <1..64>
    Remove or move an IDP profile to traffic direction entry.
no idp signature anomaly rule <1..64>
    Removes an IDP profile to traffic direction entry.
show idp signature anomaly rules
    Displays the IDP zone to zone rules.
359. sk service service_mask activate any yes no log any no log log alert action action_mask
    Searches for signature(s) in a profile by the parameters specified. The quoted string is any text within the signature name in quotes, for example: idp search LAN_IDP name WORM sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text worm within the signature name.

idp search system protect my profile name quoted string sid SID severity severity mask platform platform mask policytype policytype mask service service mask activate any yes no log any no log log alert action action mask
    Searches for signature(s) in a system protect profile by the parameters specified. The quoted string is any text within the signature name in quotes, for example: idp search LAN_IDP name WORM sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text worm within the signature name.

show idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service mask activate any yes no log any no log log alert action action mask
    Searches for signature(s) in a profile by the parameters specified. The quoted string is any t
361. stream bandwidth to 1048576.

interface send statistics interval <15..3600>
    Sets how often the NXC sends interface statistics to external servers. For example, a syslog server.
show interface name
    Displays all Ethernet interface system name and user-defined name mappings.
interface name ethernet interface user defined name
    Specifies a name for an Ethernet interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
    ethernet interface: This must be the system name of an Ethernet interface. Use the show interface name command to see the system name of interfaces.
    user defined name: This name cannot be one of the following: ethernet ppp vlan bridge virtual wlan cellular aux tunnel status o summary all. This name cannot begin with one of the following either: ge ppp vlan wlan br cellular aux tunnel.

6.2.1.1 Basic Interface Properties Command Examples

The following commands make Ethernet interface ge1 a DHCP client.

    Router configure terminal
    Router config interface ge1
    Router config if ip address dhcp
    Router config if exit

Chapter 6 Interfaces

This example shows how to modify the name of interface ge4 to VIP. First you have to check the interface system name (ge4 in this example) on the NXC. Then change the na
363. t all rule commands use all the sub-commands listed here.

Table 66 app patrol exception rule Sub-commands
COMMAND    DESCRIPTION
access forward drop reject
    Specifies the action when traffic matches the rule.
no action block login message audio video file transfer
    Blocks use of a specific feature.
no activate
    Turns on this rule. The no command turns off this rule.
bandwidth inbound outbound <0..1048576>
    Limits inbound or outbound bandwidth, in kilobits per second. 0 disables bandwidth management for traffic matching this rule.
no bandwidth excess usage
    Enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwidth on the out-going interface.
bandwidth priority <1..7>
    Set the priority for traffic that matches this rule. The smaller the number, the higher the priority.
no destination address object
    Adds the specified destination address to the rule.
no from zone name
    Specifies the source zone.
no inbound dscp mark <0..63> class default dscp class
    This is how the NXC handles the DSCP value of the outgoing packets to a connection's initiator that match this policy. Enter a DSCP value to have the NXC apply that DSCP value. Set this to the class default to have the NXC set the DSCP value to 0.
no log alert
    Creates log entries and alerts for traffic that matches the rule. The no command does not create any log entries.
364. t and a dynamic guest user group, then sets the NXC to generate two dynamic guest accounts automatically. This also shows the dynamic guest users information.

Router config username GuestMaste Router config groupname dynamic g Router group user dynamic guest g r password 4321 user type guest manager uest roup Router config dynamic guest gener Router config dynamic guest compa Router config dynamic guest group ate 2 ny example dynamic guest Router group user exit Router config dynamic guest expir Router config dynamic guest exit dynamic guest username N84AVAJN dynamic guest username S6F8PZ3N Router config show dynamic guest Client N84AVAJN guest name phone e mail address company example xpire tim 2013 06 16 14 00 group dynamic guest others expire no Client S6F8PZ3N guest name phone e mail address company example xpire tim 2013 06 16 14 00 group dynamic guest others expire no Router config time 2013 06 16 14 00 password QAA3KJ63 password 66DA3BCX

Chapter 14 Dynamic Guest

Zones

Set up zones to configure network security and network policies in the NXC.

Note: Use the configure terminal command to enter Configuration mode in order to use the commands described in this chapter.

15.1 Zones Overview

A zone is a group
365. t it Router show ca index 1 IP 192 168 1 Model NWA516 index 2 IP 192 168 1 Model NWA516 Router configu Router config Router config Router Router config index 1 Status RUN IP 192 168 1 Description Model NWA516 R1 mode AP R2 mode AP Station O Mgnt VLAN ID WTP VLAN ID Router AP 00 19 AP 00 19 pwap ap wait list 239 MAC 007111 lt 11 011 T1 FE ON Description AP 00 11 11 11 36 MAC 00 19 CB 00 BB 03 ON Description AP 00 19 CB 00 re terminal capwap ap add 00 19 CB 00 BB 03 capwap ap 00 19 CB 00 BB 03 CB 00 BB 03 slotl ap profile CB 00 BB 03 exit show capwap ap all LH 37 MAC 40 4A 03 05 82 11 AP 404A0305821E ON R1Prof default R2Prof n a RadioNum 2 t Tp Tag no 1 WTP Tag no Force VLAN disable Firmware Vers ion 2 25 AAS 0 b2 Recent On lin Last Off line Router config index 1 SSID ZyXEL SecMode NONE Router config index 1 Status RUN AP MAC 40 4A Radio 1 OP Profile defa Description Model NWA516 Band 2 4GHz Station 0 RxPkt 4463 RxFCS 108332 Time 08 43 04 2012 07 24 Time N A show capwap ap 40 4A 03 05 82 1 BSSID 40 4A 03 05 82 1F Forward Mode Local Bridge V1 show capwap ap all statistics Loading 03 05 82 11 Mode AP ult MAC 40 4A 03 05 82 1F AP 404A0305821 ON Channel 6 Gl GI TxPkt 38848 3 TxRet
366. tatus

22.5.1 Update Signature Examples

These examples show how to enable or disable automatic IDP downloading, schedule updates, display the schedule, display the update status, show the new updated signature version number, show the total number of signatures, and show the date and time the signatures were created.

Router config Router config Router config Router config Router config Router config Router config auto yes Schedule weekl Router config current status 22 47 47 2003 Router configure terminal idp signature update signatures IDP signature update in progress Please check system log for future information idp update auto no idp update auto idp update hourly idp update daily 10 idp update weekly fri 13 show idp update show idp signature I 2003 01 01 01 34 last update tim Router config s version 1 2000 Router config s signatures 2000 Router config s date 2005 11 13 how idp signature how idp signature how idp signature 13 00 08 y at Friday 13 o clock update status DP signature download failed do 1 retry at Sat Jan 39 signatures version signatures number signatures date 4

22.6 IDP Statistics

Table 91 Commands for IDP Statistics

The following table describes the commands for collecting and displaying IDP statistics. You must use the configure terminal command to enter the configuration mode before you can use t
367. te

4 Finally, do one of the following:
    Enter eq exactly as it appears, followed by a number between 1 and 65535.
    Enter range exactly as it appears, followed by two numbers between 1 and 65535.

1.4.6 Changing the Password

It is highly recommended that you change the password for accessing the NXC. See Section 24.2 on page 170 for the appropriate commands.

1.5 CLI Modes

You run CLI commands in one of several modes.

Table 3 CLI Modes
Columns: USER, PRIVILEGE, CONFIGURATION, SUB-COMMAND

What Guest users can do
    USER: Unable to access
    PRIVILEGE: Unable to access
    CONFIGURATION: Unable to access
    SUB-COMMAND: Unable to access
What User users can do
    USER: Look at (but not run) available commands
    PRIVILEGE: Unable to access
    CONFIGURATION: Unable to access
    SUB-COMMAND: Unable to access

Chapter 1 Command Line Interface

Table 3 CLI Modes (continued)
Columns: USER, PRIVILEGE, CONFIGURATION, SUB-COMMAND

What Limited Admin users can do
    USER: Look at system information (like Status screen); run basic diagnostics
    PRIVILEGE: Look at system information (like Status screen); run basic diagnostics
    CONFIGURATION: Unable to access
    SUB-COMMAND: Unable to access
What Admin users can do
    USER: Look at system information (like Status screen); run basic diagnostics
    PRIVILEGE: Look at system information (like Status screen); run basic diagnostics
    CONFIGURATION: Configure simple features (such as an address object); create or remove complex parts (such as an
368. terface for the specified gateway. The lower the number, the higher the priority. NXC CLI Reference Guide, Chapter 6 Interfaces. Table 13 interface General Commands: Basic Properties and IP Address Assignment (continued). COMMAND: DESCRIPTION. [no] mss <536..1460>: Specifies the maximum segment size (MSS) the interface is to use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece. The no command has the interface use its default MSS. [no] mtu <576..1500>: Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The NXC divides larger packets into smaller fragments. The no command resets the MTU to 1500. [no] shutdown: Deactivates the specified interface. The no command activates it. traffic prioritize tcp ack dns bandwidth <0..1048576> priority <1..7> maximize bandwidth usage: Applies traffic priority when the interface sends TCP ACK traffic or traffic for resolving domain names. It also sets how much bandwidth the traffic can use and can turn on maximize bandwidth usage. traffic prioritize tcp ack dns deactivate: Turns off traffic priority settings for when the interface sends the specified type of traffic. [no] upstream <0..1048576>: Specifies the upstream bandwidth for the specified interface. The no command sets the up
369. ternal server uses for the pairs colon dash none in MAC addresses in the Calling Station ID RADIUS attribute. mode none wep wpa wpa2 wpa2 mix: Sets the security mode for this profile. wep 64 128 default key 1 4: Sets the WEP encryption strength (64 or 128) and the default key value (1-4). If you select WEP 64, enter 10 hexadecimal digits in the range of A-F, a-f and 0-9 (for example, 0x11AA22BB33) for each Key used, or enter 5 ASCII characters (case sensitive) ranging from a-z, A-Z and 0-9 (for example, MyKey) for each Key used. If you select WEP 128, enter 26 hexadecimal digits in the range of A-F, a-f and 0-9 (for example, 0x00112233445566778899AABBCC) for each Key used, or enter 13 ASCII characters (case sensitive) ranging from a-z, A-Z and 0-9 (for example, MyKey12345678) for each Key used. You can save up to four different keys. Enter the default key (1-4) to save your WEP to one of those four available slots. wep auth type open share: Sets the authentication key type to either open or share. wpa encrypt tkip aes auto: Sets the WPA/WPA2 encryption cipher type. auto: This automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection. tkip: This is the Temporal Key Integrity Protocol encryption method added later to the WEP encryption
370. the NXC's default settings. If there is a startup-config.conf, the NXC checks it for errors and applies it. If there are no errors, the NXC uses it and copies it to the lastgood.conf configuration file. If there is an error, the NXC generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. If there isn't a lastgood.conf configuration file or it also has an error, the NXC applies the system-default.conf configuration file. You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The NXC ignores any errors in the startup-config.conf file and applies all of the valid commands. The NXC still generates a log for any errors. 35.3 File Manager Commands Input Values. The following table explains the values you can input with the file manager commands. Table 135 File Manager Command Input Values. file_name: The name of a file. Use up to 25 characters (including a-zA-Z0-9 & _). NXC CLI Reference Guide, Chapter 35 File Manager. 35.4 File Manager Commands Summary. The following table lists the commands that you can use for file management. Table 136 File Manager Commands Summary. COMMAND: DESCRIPTION. apply conf file_name conf ignore error rollback: Has the NXC use a specific configuration file. You must still use th
371. the assumption that it was misidentified. Router config detection Router config detection Router config detection Router config detection Router config rogue ap detection rogue ap 00:13:49:11:11:11 rogue friendly ap 00:13:49:11:11:22 friendly no rogue ap 00:13:49:11:11:11 exit. This example displays the rogue AP detection list. Router config show rogue ap detection list rogue no mac description contain 1 00:13:49:18:15:5A 0. NXC CLI Reference Guide, Chapter 10 Rogue AP. This example shows the friendly AP detection list. Router config show rogue ap detection list friendly no mac description 1 11:11:11:11:11:11 third floor 2 00:13:49:11:22:33 3 00:13:49:00:00:05 4 00:13:49:00:00:01 5 00:0D:0B:CB:39:33 dept1. This example shows the combined rogue and friendly AP detection list. Router config show rogue ap detection list all no role mac description 1 friendly ap 11:11:11:11:11:11 third floor 2 friendly ap 00:13:49:11:22:33 3 friendly ap 00:13:49:00:00:05 4 friendly ap 00:13:49:00:00:01 5 friendly ap 00:0D:0B:CB:39:33 dept1 6 rogue ap 00:13:49:18:15:5A. This example shows both the status of rogue AP detection and the summary of detected APs. Router config show rogue ap detection status rogue ap detection status on Router config show rogue ap detection info rogue ap 1 friendly ap 4
372. the interface. Ethernet interface: gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your NXC model. VLAN interface: vlanx, x = 0 - 4094. NXC CLI Reference Guide, Chapter 6 Interfaces. Table 12 Input Values for General Interface Commands (continued). LABEL: DESCRIPTION. profile_name: The name of the DHCP pool. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. domain_name: Fully-qualified domain name. You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period. The following sections introduce commands that are supported by several types of interfaces. 6.2.1 Basic Interface Properties and IP Address Commands. This table lists basic properties and IP address commands. Table 13 interface General Commands: Basic Properties and IP Address Assignment. COMMAND: DESCRIPTION. show interface ethernet vlan status: Displays the connection status of the specified type of interfaces. show interface interface name ethernet vlan all: Displays information about the specified interface, specified type of interfaces, or all interfaces. show interface send statistics interval: Displays the interval for how often the NXC refreshes the sent packet statistics for the interfaces. show interface summ
373. the new subscription, even if the earlier iCard anti-virus subscription was for a different anti-virus engine. For example, suppose you purchase a one-year Kaspersky engine anti-virus service subscription and use it for six months. Then you purchase a one-year ZyXEL engine anti-virus service subscription and enter the iCard's PIN number (license key) in the Registration > Service screen. The one-year ZyXEL engine anti-virus service subscription is automatically extended to 18 months. The IDP and application patrol features use the IDP/AppPatrol signature files on the NXC. IDP detects malicious or suspicious packets and responds immediately. Application patrol conveniently manages the use of various applications on the network. After the service is activated, the NXC can download the up-to-date signature files from the update server. You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/AppPatrol service. You can also check for new signatures at http://mysecurity.zyxel.com. See the respective chapters for more information about these features. 5.1.2 Maximum Number of Managed APs. The NXC2500 is initially configured to support up to 8 managed APs (such as the NWA5123-NI). You can increase this by subscribing to additional licenses. As of this writing, each license upgrade allows an additional 8 managed APs, while the maximum number of APs a single NXC2500 can support is 24. The NXC
374. tion profile to authenticate users using the LDAP server group and then the local user database. Router configure terminal Router config aaa authentication LDAPuser group ldap local Router config show aaa authentication LDAPuser No Method 0 ldap 1 local Router config. NXC CLI Reference Guide, Chapter 29 Authentication Objects. 29.3 test aaa Command. The following table lists the test aaa command you use to test a user account on an authentication server. Table 114 test aaa Command. COMMAND: DESCRIPTION. test aaa server secure server ad ldap host hostname ipv4 address host hostname ipv4 address port <1..65535> base dn base dn string bind dn bind dn string password password login name attribute attribute alternative login name attribute attribute account account name: Tests whether a user account exists on the specified authentication server. 29.3.1 Test a User Account Command Example. The following example shows how to test whether a user account named userABC exists on the AD authentication server, which uses the following settings: IP address: 172.16.50.1; Port: 389; Base dn: DC=ZyXEL,DC=com; Bind dn: zyxel engineerABC; Password: abcdefg; Login name attribute: SAMAccountName. The result shows the account exists on the AD server. Otherwise, the NXC returns an error. Router test aaa
375. traceroute write Router>. Figure 6 Help: Available Command Example 2. Router> show <wlan ap interface> aaa access page account ad server address object z S8nip cone wlan workspace zone Router show. 1.6.2 List of Sub-commands or Required User Input. To view detailed help information for a command, enter command sub command. Figure 7 Help: Sub-command Information Example. Router config ip telnet server <cr> port rule Router config ip telnet server. Figure 8 Help: Required User Input Example. Router config ip telnet server port <1..65535> Router config ip telnet server port. NXC CLI Reference Guide, Chapter 1 Command Line Interface. 1.6.3 Entering Partial Commands. The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press TAB to have the NXC automatically display the full command. For example, if you enter config and press TAB, the full command of configure automatically displays. If you enter a partial command that is not unique and press TAB, the NXC displays a list of commands that start with the partial command. Figure 9 Non-Unique Partial Command Example. Router c TAB clear configure copy Router co TAB configure copy. 1.6.4 Entering a ? in a Command. Typing a question mark usually displays help information. How
376. traffic moving through the SSID regardless of origin. vlan iface: The VLAN interface name of the controller (in this case, it is NXC5200). The maximum VLAN interface number is product-specific; for the NXC, the number is 512. securityprofile: Assigns an existing security profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. macfilterprofile: Assigns an existing MAC filter profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. description2: Sets the description of the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive. The following table describes the commands available for SSID profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 33 Command Summary: SSID Profile. COMMAND: DESCRIPTION. show wlan ssid profile all ssid_profile_name: Displays the SSID profile(s). all: Displays all profiles for the selected operating mode. ssid profile name: Displays the specified profile for the selected operating mode. wlan ssid profile rename ssid profile name1 ssid profile name2: Gives an existing SSID profile (ssid profile name1) a new
377. ts a DSCP value to have the NXC apply that DSCP value to the route's outgoing packets. dscp marking class default dscp class: Sets how the NXC handles the DSCP value of the outgoing packets that match this route. Set this to default to have the NXC set the DSCP value of the packets to 0. Set this to an af class (including af11-af13, af21-af23, af31-af33, and af41-af43), which stands for Assured Forwarding. The number following the af identifies one of four classes and one of three drop preferences. NXC CLI Reference Guide, Chapter 7 Route. Table 24 Command Summary: Policy Route (continued). COMMAND: DESCRIPTION. no dscp marking: Use this command to have the NXC not modify the DSCP value of the route's outgoing packets. [no] interface interface_name EnterpriseWLAN: Sets the interface on which the incoming packets are received. The no command resets the incoming interface to the default (any). any means all interfaces. EnterpriseWLAN: the packets are coming from the NXC itself. [no] next hop auto gateway address object interface interface name: Sets the next hop to which the matched packets are routed. The no command resets next hop settings to the default (auto). [no] schedule schedule_object: Sets the schedule. The no command removes the schedule setting to the default (none). none means any time. no service service name any: Sets the I
378. ts in Configuration Files or Shell Scripts. In a configuration file or shell script, use # or ! as the first character of a command line to have the NXC treat the line as a comment. Your configuration files or shell scripts can use exit or a command line consisting of a single ! to have the NXC exit sub-command mode. NXC CLI Reference Guide, Chapter 35 File Manager. exit or ! must follow sub-commands if it is to make the NXC exit sub-command mode. Line 3 in the following example exits sub-command mode. interface ge1 ip address dhcp Lines 1 and 3 in the following example are comments and line 4 exits sub-command mode. interface ge1 this interface is a DHCP client Lines 1 and 2 are comments. Line 5 exits sub-command mode. this is from Joe on 2006 06 05 interface ge1 ip address dhcp 35.2.2 Errors in Configuration Files or Shell Scripts. When you apply a configuration file or run a shell script, the NXC processes the file line-by-line. The NXC checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the NXC finds an error, it stops applying the configuration file or shell script and generates a log. You can change the way a configuration file or shell script is applied. Include setenv stop-on-error off in the configuration file or shell script. The NXC ignores any errors in th
379. ttp delimiter non rfc defined char oversize request uri directory oversize chunk encoding webroot direc; idp anomaly profile http inspection all details; idp anomaly profile icmp decoder truncated header truncated timestamp header truncated address header details; idp anomaly profile icmp decoder all details; idp anomaly profile scan detection all details; idp anomaly profile scan detection icmp sweep icmp filtered sweep open port; idp anomaly profile scan detection ip protocol scan ip decoy protocol scan ip protocol sweep ip distributed protocol scan ip filtered protocol scan ip filtered decoy protocol scan ip filtered distributed protocol scan ip filtered protocol sweep details; idp anomaly profile scan detection tcp portscan tcp decoy portscan tcp portsweep tcp distributed portscan tcp filtered portscan tcp filtered decoy portscan tcp filtered distributed portscan tcp filtered portsweep details; idp anomaly profile scan detection udp portscan udp decoy portscan udp portsweep udp distributed portscan udp filtered portscan udp filtered decoy; idp an
380. ttp server table admin user rule rule number: Deletes a service control rule for HTTP service. show ip http server status: Displays HTTP settings. show ip http server secure status: Displays HTTPS settings. 34.3.1 HTTP/HTTPS Command Examples. The following example adds a service control rule that allows an administrator from the computers with the IP addresses matching the Marketing address object to access the WAN zone using HTTP service. Router configure terminal Router config ip http server table admin rule append access group Marketing zone WAN action accept. NXC CLI Reference Guide, Chapter 34 System Remote Management. This command sets an authentication method used by the HTTP/HTTPS server to authenticate the client(s). Router configure terminal Router config ip http authentication Example. The following example sets a certificate named MyCert used by the HTTPS server to authenticate itself to the SSL client. Router configure terminal Router config ip http secure server cert MyCert. 34.4 SSH. Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. 34.4.1 SSH Implementation on the NXC. Your NXC supports SSH versions 1 and 2 using RSA authentic
381. ty level. Operates on the Windows NT platform. NXC CLI Reference Guide, Chapter 22 IDP Commands. Is a scan policy type. DNS service. Is enabled. Generates logs. Router configure terminal Router config Router config idp search signature LAN IDP name worm sid 12345 severity 1 platform 4 policytype 4 service 1 activate yes log log action 2. 22.4 IDP Custom Signatures. Use these commands to create a new signature or edit an existing one. It is recommended you use the web configurator to create/edit signatures using the web configurator Anti-X > IDP > Custom Signatures screen. You must use the web configurator to import a custom signature file. Table 89 Custom Signatures. COMMAND: DESCRIPTION. idp customize signature quoted_string: Create a new custom signature. The quoted string is the signature command string enclosed in quotes, for example: alert tcp any any <> any any msg test sid 9000000. idp customize signature edit quoted_string: Edits an existing custom signature. no idp customize signature custom sid: Deletes a custom signature. show idp signatures custom signature custom sid details contents non contents: Displays custom signature information. show idp signatures custom signature all details: Displays all custom signatures information. show idp signatures custom signature number: D
382. ty pri dstip ap_mac: Displays only the specified debug log entries for the specified AP. show wtp logging debug entries field srcif dstif proto time msg src dst note pri cat all begin <1..1024> end <1..1024> ap_mac: Displays only the log entries for the specified fields for the specified AP. You can display a range of field entries from 1-1024. show wtp logging status syslog ap_mac: Displays the logging status for the specified AP's syslog. NXC CLI Reference Guide, Chapter 36 Logs. Table 144 logging Commands: Access Point Settings (continued). COMMAND: DESCRIPTION. show wtp logging status mail ap mac: Displays the logging status for the specified AP's mail log. show wtp logging query log ap mac: Displays the specified AP's query log. show wtp logging query dbg log ap mac: Displays the specified AP's query debug log. show wtp logging result status: Displays the AP logging result status. show wtp logging dbg result status: Displays the AP logging debug result status. no wtp logging syslog syslog range category module_name disable: Disables the logging of the specified syslog category. no wtp logging syslog syslog range category module name level normal all: Enables logging of the specified syslog category and specifies the logging level. no wtp logging mail mail range category: Enab
383. bwm usage < policy route policy_number interface interface name; ca category local remote name certificate name format text pem; ca category local remote name certificate name certpath
384. ule_number: Deletes the specified rule. 20.2.2.1 Rule Sub-commands. The following table describes the sub-commands for several application patrol rule commands. Note that not all rule commands use all the sub-commands listed here. Table 64 app protocol rule Sub-commands. COMMAND: DESCRIPTION. access forward drop reject: Specifies the action when traffic matches the rule. no action block login message audio video file transfer: Blocks use of a specific feature. [no] activate: Turns on this rule. The no command turns off this rule. bandwidth inbound outbound <0..1048576>: Limits inbound or outbound bandwidth, in kilobits per second. 0 disables bandwidth management for traffic matching this rule. no bandwidth excess usage: Enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwidth on the out-going interface. bandwidth priority <1..7>: Set the priority for traffic that matches this rule. The smaller the number, the higher the priority. no destination address object: Adds the specified destination address to the rule. no from zone name: Specifies the source zone. no inbound dscp mark <0..63> class default dscp class: This is how the NXC handles the DSCP value of the outgoing packets to a connection's initiator that match this policy. Enter a DSCP value to have the NXC apply that DSCP
385. unctions the NXC checks for packets. Once a packet matches the criteria of a routing rule, the NXC takes the corresponding action and does not perform any further flow checking. show system default snat: Displays whether the NXC enables SNAT or not. The NXC performs SNAT by default for traffic going to or from the WAN interfaces. show system route policy route: Displays activated policy routes. show system route nat 1 1: Displays activated 1-to-1 NAT rules. show system snat default snat: Displays activated default routes which use SNAT. show system snat order: Displays the order of SNAT-related functions the NXC checks for packets. Once a packet matches the criteria of an SNAT rule, the NXC uses the corresponding source IP address and does not perform any further flow checking. show system snat nat 1 1: Displays activated NAT rules which use SNAT. show system snat nat loopback: Displays activated NAT rules which use SNAT with NAT loopback enabled. show system snat policy route: Displays activated policy routes which use SNAT. NXC CLI Reference Guide, Chapter 40 Packet Flow Explore. 40.3 Packet Flow Explore Commands Example. The following example shows all routing-related functions and their order. Router> show route order route order: Direct Route, Policy Route, 1 1 SNAT, Main Route. The following example shows all SNAT-related functions and their order. Router>
386. untry usr def certificate name rsa dsa key len key length ou o organization c key type: Generates a PKCS#10 certification request. ca generate pkcs12 name name password password: Generates a PKCS#12 certificate. ca generate x509 name certificate name cn type ip cn cn address fqdn cn cn domain name mail cn cn email ou organizational unit o organization c country usr def certificate name key type rsa dsa key len key length: Generates a self-signed x509 certificate. ca rename category local remote old name new name: Renames a local (my certificates) or remote (trusted certificates) certificate. ca validation remote certificate: Enters the sub-command mode for validation of certificates signed by the specified remote (trusted certificates) certificate. no ca category local remote certificate name: Deletes the specified local (my certificates) or remote (trusted certificates) certificate. no ca validation name: Removes the validation configuration for the specified remote (trusted) certificate. show ca category local remote name certificate name certpath: Displays the certification path of the specified local (my certificates) or remote (trusted certificates) certificate. show ca category local remote name certificate name format text pem: Displays a summary of the certificates in the specified category (local for my certificates or remote for trusted certificates
387. uration file config.conf to the NXC and rename it today.conf. put 1 00 XL 0 bin transfers the firmware 1 00 XL 0 bin to the NXC. 1 When you upload a custom signature, the NXC appends it to the existing custom signatures stored in the custom rules file. NXC CLI Reference Guide, Chapter 35 File Manager. The firmware update can take up to five minutes. Do not turn off or reset the NXC while the firmware update is in progress. If you lose power during the firmware upload, you may need to refer to Section 35.8 on page 231 to recover the firmware. 35.6.2 Command Line FTP Configuration File Upload Example. The following example transfers a configuration file named tomorrow.conf from the computer and saves it on the NXC as next.conf. Uploading a custom signature file named custom.rules overwrites all custom signatures on the NXC. Figure 18 FTP Configuration File Upload Example. C:\>ftp 192.168.1.1 Connected to 192.168.1.1 220 FTP Server 192.168.1.1 User 192.168.1.1 none admin 331 Password required for admin Password 230 User admin logged in ftp> cd conf 250 CWD command successful ftp> bin 200 Type set to I ftp> put tomorrow.conf next.conf 200 PORT command successful 150 Opening BINARY mode data connection for next.conf 226 Post action ok 226 Transfer complete ftp: 20231 bytes sent in 0.00Seconds 20231000.00Kbytes/sec. 35.6.3 Command L
388. ure activation idp signature activation no. 22.3 IDP Profile Commands. 22.3.1 Global Profile Commands. Use these commands to rename or delete existing profiles and show IDP base profiles. Table 80 Global Profile Commands. COMMAND: DESCRIPTION. idp rename signature anomaly profile1 profile2: Rename an IDP signature or anomaly profile originally named profile1 to profile2. no idp signature anomaly profile3: Delete an IDP signature or system protect profile named profile3. show idp signature profile signature all details: Lists the settings for all of the specified profile's signatures. Use | more to display the settings page by page. show idp signature all details: Lists the settings for all of the signatures. Use | more to display the settings page by page. show idp signature anomaly base profile: Displays all IDP signature or system protect base profiles. NXC CLI Reference Guide, Chapter 22 IDP Commands. Table 80 Global Profile Commands. COMMAND: DESCRIPTION. show idp signature base profile all none wan lan dmz settings: Lists the specified signature base profile's settings. Use | more to display the settings page by page. show idp profiles: Displays all IDP signature profiles. 22.3.1.1 Example of Global Profile Commands. In this example, we rename an IDP signature profile from old profile to new profile, delete the bye profile and show all ba
389. urity profile name; no wlan ssid profile ssid profile name; no wtp logging console category module name level pri; no wtp logging debug suppression; no wtp logging debug suppression interval <10..600>; no wtp logging mail mail range category module name level alert all; no wtp logging syslog syslog range category module name disable; no wtp logging syslog syslog range category module name level normal all; no wtp logging system log category module name disable; no wtp logging system log category module name level normal all; no wtp logging system log suppression; no wtp logging system log suppression interval. NXC CLI Reference Guide, List of Commands. signature anomaly System p
390. urns it off. RADIUS servers can require the MAC address in the wireless client's account (username/password) or Calling Station ID RADIUS attribute. See Section 24.2.4.1 on page 173 for a MAC authentication example. mac auth auth method auth method: Sets the authentication method for MAC authentication. mac auth case account upper lower: Sets the case (upper or lower) the external server requires for using MAC addresses as the account username and password. For example, use mac auth case account upper and mac auth delimiter account dash if you need to use a MAC address formatted like 00-11-AC-01-A0-11 as the username and password. mac auth case calling station id upper lower: Sets the case (upper or lower) the external server requires for letters in MAC addresses in the Calling Station ID RADIUS attribute. mac auth delimiter account colon dash none: Specify the separator the external server uses for the two-character pairs within MAC addresses used as the account username and password. For example, use mac auth case account upper and mac auth delimiter account dash if you need to use a MAC address formatted like 00-11-AC-01-A0-11 as the username and password. NXC CLI Reference Guide, Chapter 9 Wireless LAN Profiles. Table 35 Command Summary: Security Profile (continued). COMMAND: DESCRIPTION. mac auth delimiter calling station id: Select the separator the ex
391. us rule <1..64>: Enters the anti-virus sub-command mode to edit the specified direction specific rule. no activate: Turns a direction specific anti-virus rule on or off. [no] log alert: Sets the NXC to create a log (and optionally an alert) when packets match this rule and are found to be virus-infected. The no command sets the NXC not to create a log or alert when packets match this rule. [no] from zone zone_object: Sets the zone on which the packets are received. The no command removes the zone on which the packets are received and resets it to the default (any). any means all interfaces or VPN tunnels. [no] to zone zone_object: Sets the zone to which the packets are sent. The no command removes the zone to which the packets are sent and resets it to the default (any). any means all interfaces or VPN tunnels. no scan http ftp imap4 smtp pop3: Sets the protocols of traffic to scan for viruses. no infected action destroy send win msg: Sets the action to take when the NXC detects a virus in a file. The file can be destroyed (filled with zeros from the point where the virus was found). The NXC can also send a message alert to the file's intended user using a Microsoft Windows computer connected to the to interface. no bypass white list black list: Have the NXC not check files against a pattern list. no file decompression unsupported destroy: Enable
392. use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. service_name: The name of the service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. user_name: The name of a user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. NXC CLI Reference Guide, Chapter 7 Route. The following table describes the commands available for policy route. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 24 Command Summary: Policy Route. COMMAND: DESCRIPTION. [no] bwm activate: Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes or application patrol policies apply bandwidth management. The no command globally disables bandwidth management. policy policy_number append insert policy_number: Enters the policy route sub-command mode to configure, add or insert a policy. no auto disable. no bandwidth <1..1048576> priority <1..1024> maximize bandwidth usage. When you set interface as the next hop type (using the next hop interface) for this route, you can use th
393. use to configure a group of RADIUS servers Table 112 aaa group server radius Commands COMMAND DESCRIPTION Clear aaa group server radius Deletes all RADIUS server groups or the specified group name RADIUS server group Note You can NOT delete a server group that is currently in use show aaa group server radius Displays the specified RADIUS server group settings group name 190 NXC CLI Reference Guide Chapter 28 AAA Server Table 112 aaa group server radius Commands continued COMMAND DESCRIPTION no aaa group server radius Sets a descriptive name for the RADIUS server group group name The no command deletes the specified server group aaa group server radius rename Changes the descriptive name for a RADIUS server group name old group name new group aaa group server radius group name Enter the sub command mode no server description Sets the descriptive information for the RADIUS server description group You can use up to 60 printable ASCII characters The no command clears the setting no server group attribute Sets the value of an attribute that the NXC is used to 1 255 determine to which group a user belongs This attribute s value is called a group identifier You can add ext group user user objects to identify groups based on different group identifier values For example you could configure attributes 1 10 and 100 and create a ext group user user object fo
394. use up to 31 characters You can use alphanumeric characters the hyphen and the underscore country Identify the nation where the certificate owner is located You can use up to 31 characters You can use alphanumeric characters the hyphen and the underscore key_length Type a number to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space password When you have the NXC enroll for a certificate immediately online the certification authority may want you to include a key password to identify your certification request Use up to 31 of the following characters a zA Z0 9 amp _ lt gt ca name When you have the NXC enroll for a certificate immediately online you must have the certification authority s certificate already imported as a trusted certificate Specify the name of the certification authority s certificate It can be up to 31 alphanumeric and amp _ characters url When you have the NXC enroll for a certificate immediately online enter the IP address or URL of the certification authority server You can use up to 511 of the following characters a zA Z0 9 _ 32 4 Certificates Commands Summary The following table lists the commands that you can use to display and manage the NXC s summary list of certificates and certification requests You ca
395. user type guest manager logon re auth time 0 1440 Sets the default reauthorization time for the guest manager user Set it to zero to set unlimited reauthorization time The no command sets the reauthorization time to thirty minutes no groupname groupname Creates the specified user group if necessary and enters sub command mode The no command deletes the specified user group NXC CLI Reference Guide Chapter 14 Dynamic Guest Table 47 Command Summary Dynamic Guest continued COMMAND DESCRIPTION no description description Sets the description for the specified user group The no command clears the description for the specified user group dynamic guest group Sets this group as a dynamic guest group nabl dynamic guest deleted xpired account Sets the NXC to remove the dynamic guest accounts from the NXC s local database when they expire dynamic guest generat Creates one dynamic guest user address address Sets the geographic address for the dynamic guest user company company Sets the company name for the dynamic guest user e mail mail Sets the E mail address for the dynamic guest user xpire time yyyy mm dd Sets the date when the dynamic guest user account becomes invalid group groupname Sets the name of the dynamic guest group with which the dynamic guest user is associated name real name Sets t
396. values icmp tcp udp or others config interface The interface name Enter up to 15 alphanumeric characters including hyphens and underscores The following sections list the logging commands NXC CLI Reference Guide Chapter 36 Logs 36 1 1 Log Entries Commands This table lists the commands to look at log entries Table 138 logging Commands Log Entries COMMAND DESCRIPTION show logging entries priority pri category module_name srcip ip dstip ip service service_name begin lt 1 512 gt end lt 1 512 gt keyword keyword Displays the selected entries in the system log PRI alert crit debug emerg error info notice warn keyword You can use alphanumeric and S _ characters and it can be up to 63 characters long This searches the message source destination and notes fields show logging entries field field lt 1 512 gt end lt 1 512 gt begin Displays the selected fields in the system log field time msg src dst note pri cat all 36 1 2 System Log Commands This table lists the commands for the system log settings Table 139 logging Commands System Log Settings COMMAND DESCRIPTION show logging status system log Displays the current settings for the system log logging system log category module_name disable level normal level all Specifies what kind of information if
397. work traffic until the client authenticates with the NXC through the external web portal page. The no command turns off the external web portal feature.
web auth authentication auth method: Sets the authentication method for captive portal.
web auth default rule authentication required unnecessary no log log alert: Sets the default authentication policy the NXC uses on traffic not matching any exceptional service or other authentication policy.
required: Users need to be authenticated. Users must manually go to the NXC's login screen; the NXC does not redirect them to it.
unnecessary: Users do not need to be authenticated.
no log, log, log alert: Select whether to have the NXC generate a log (log), log and alert (log alert) or not (no log) for packets that match this default policy.
web auth no service_name exceptional service: Lets users access a service without user authentication. The no command removes the specified service from the exception list.
service_name: the name of a network service, such as AH or DNS.
NXC CLI Reference Guide, Chapter 17 Captive Portal
Table 51 Web Authentication Policy Commands (continued)
web auth login setting: Sets the login web page through which users authenticate their connections before connecting to the rest of the network or Internet. See Table 52 on page 114 for the sub commands.
web auth pol
398. wser based network management system that allows a network administrator from any location to manage and monitor multiple ZyXEL devices. See the ENC User's Guide for details. If you allow your NXC to be managed by the ENC server, then you should not make any configuration changes directly on the NXC using either the Web Configurator or commands without notifying the ENC administrator.
31.2 ENC Agent Commands
The following table lists the ENC agent commands you use to configure the NXC's ENC agent settings.
Table 116 Command Summary: ENC Agent
no enc agent activate: Allows the NXC to be managed by the ENC or ACS server via TR-069. The no command disallows the ENC or ACS server to manage the NXC.
enc agent manager https url http url: Specifies the URL of the ENC or ACS server, starting with https or http and followed by enc TR069. Note: If the server port number has been changed to a different number, you need to specify the port number in the URL, for example https the NXC's IP address 8443 enc TR069.
enc agent keepalive interval 10 90: Sets how often, in seconds, the NXC sends a keep-alive packet to the ENC server if there is no other traffic. The keep-alive packets maintain the ENC server's control session.
enc agent pause keepalive 0 8640: Sets the time interval, in seconds, during which the NXC stops sending keep-alive packets to the ENC server if there is no other traf
399. ww a 188 no server slterntatiwe cnun IdentafieS HI 44 dt eee dine bho eG ha Radek ea Deg maw ct e em 189 El server Pecon Sassen sick eked S Bu ids dr ead wd dupl Rr dre NRO 188 Eo Server basen DESCENSO FSK ee E dem demie e 189 no Server PLAT N GUIDES Ao A dc ROSEO AA eee eek oe ee E Red 188 ho cerror bang Danae Lax evar EG Ru aed ede ORE A UA EE ARA CR UR Ro oc xr Rd RR e dicc 190 ho Server GASOIL Uid duong Spe AAA AA d ded RE deg 188 no Server ENLACES Mid quiae Sesh ee bd dq RE E ROUEN do AE AC A a Ro OR RR CAE XE E dba ba 190 no Server descripcion COS CLELDEZOT esta AREA Se ARAS AAA 188 ho Server description esr BIO e A obw RR AA AA alee AR BER 190 Ho Server description DESTLIPBEL R och kee a A AA AA E AA TAL nol Server dumain cauti ACTIVE cs iadiobarserec ine AA DA GR Ad Ra KORE 189 no Server gqrgup stecribube L 8D8 edaeescnegeededox R eee SOREORORCRUR AAA OR ORA PON ROROR ROR OEE IX nol Server group attcrsbube OEGEp SELTIDUEE rss quce x tar dnaes DAWES OR ACA ECCE CU KR 188 Ho SEG qregup sttribube groupeabttr2z0U B pri Ro ERE PER AR E RO SR 1 90 hol server host ad Server ais caracas 188 no server host IUap Server exar ran R KORR XOKCACK ROC ROPA KON RC KR EC RARA RE REE P d Rl 190 no Server host radius server QULh DOFL Pore cios Bebe OR E PR edo die doe RH ES 191 to server key ceCret Laia EG tensons arier AA A AR AAA RNA AAA EERE EN 191 nol server nas id as IOONELI fTOE aiii A AAA DEK ADE SVG HERE AEROS 194 nb ASES
400. y 1 NXC CLI Reference Guide 115 Chapter 17 Captive Portal e Set web auth policy 1 to use the SSID profile named SSIDprofile1 Set web auth policy 1 to require user authentication Have the NXC automatically display the login screen when unauthenticated users try to send HTTP traffic Turn on web auth policy 1 Router config web auth activate Router config web auth authentication AuthProfilel Router config web auth login setting Router web auth login url http www login com Router web auth type external Router config web auth policy 1 Router config web auth 1 ssid profile SSIDprofilel Router config web auth 1 Router config web auth 1 4 activate Router web auth exit authentication force Router config web auth 1 exit 17 1 2 page customization Commands Use these commands to use a custom login page which is either built into the NXC or uploaded to the NXC Table 54 page customization Commands COMMAND DESCRIPTION no page customization Enters config page customization mode to set the NXC to use a custom login page which is built into the NXC or uploaded to the NXC The no command sets the NXC to use the default login page built into the device customization mode Sets which customized login page appears whenever the web portal customization use uploaded intercepts network traffic preventi
401. you will connect this interface The NXC automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces for example LAN to WAN traffic internal Set this to connect to a local network Other corresponding configuration options DHCP server and DHCP relay The NXC automatically adds default SNAT settings for traffic flowing from this interface to an external interface external Set this to connect to an external network like the Internet The NXC automatically adds this interface to the default WAN trunk general Set this if you want to manually configure a policy route to add routing and SNAT settings for the interface no use defined mac Has the interface use its default MAC address use defined mac Has the interface use a MAC address that you specify 6 4 Port Commands This section covers commands that are specific to ports BS In CLI representative interfaces are also called representative ports Table 18 Basic Interface Setting Commands COMMAND DESCRIPTION no port lt l x gt Removes the specified physical port from its current representative interface and adds it to its default representative interface for example port x gt gex port status Port lt l x gt Enters a sub command mode to configure the specified port s settings no duplex lt full half gt Sets the port s duplex mode The n
402. ys the specified LDAP server group settings name
no aaa group server ldap group name: Sets a descriptive name for an LDAP server group. Use this command to enter the sub command mode. The no command deletes the specified server group.
aaa group server ldap rename: Changes the descriptive name for an LDAP server group.
aaa group server ldap group name: Enter the sub command mode.
no server alternative cn identifier uid: Sets the second type of identifier that the users can use to log in, if any. For example, name or e-mail address. The no command clears this setting.
no server basedn basedn: Sets a base distinguished name (DN) to point to the LDAP directory on the LDAP server group. The no command clears this setting.
NXC CLI Reference Guide, Chapter 28 AAA Server
Table 111 aaa group server ldap Commands (continued)
no server binddn binddn: Sets the user name the NXC uses to log into the LDAP server group. The no command clears this setting.
no server cn identifier uid: Sets the unique common name (cn) to identify a record. The no command clears this setting.
no server description description: Sets the descriptive information for the LDAP server group. You can use up to 60 printable ASCII characters. The no command clears this setting.
no server group attribute Sets the name of the attribute that the NXC is to check group attri