Zyxel WAX640S-6E, WAX655E, WAX650S, WAC500H, NWA50AX CLI Reference Guide

NWA/WAC/WAX Series
802.11 a/b/g/n/ac/ax Access Point

Default Login Details
LAN IP Address: http://DHCP-assigned IP
                http://192.168.1.2
User Name: admin
Password: 1234
Version 6.29/6.55 Ed. 1, 04/2023
Copyright © 2023 Zyxel and/or its affiliates. All rights reserved.
IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE.
This is a Reference Guide for a series of products intended for people who want to configure the Zyxel Device via Command Line Interface (CLI).
Note: Some commands or command options in this guide may not be available in your product. See your product's User's Guide for a list of supported features.
Every effort has been made to ensure that the information in this guide is accurate.
How To Use This Guide
1 Read Chapter 2 on page 21 for how to access and use the CLI (Command Line Interface).
2 Read Chapter 3 on page 32 to learn about the CLI user and privilege modes.
Do not use commands not documented in this guide.
Related Documentation
• Quick Start Guide: The Quick Start Guide shows how to connect the Zyxel Device and access the Web Configurator.
• User's Guide: The User's Guide explains how to use the Web Configurator to configure the Zyxel Device.
Note: It is recommended you use the Web Configurator to configure the Zyxel Device.
Icons Used in Figures
Figures in this guide may use the following generic icons. The Zyxel Device icon is not an exact representation of your device.
[Icons: Zyxel Device, AP Controller, Router, Switch, Internet]
NWA/WAC/WAX Series CLI Reference Guide

Contents Overview

Introduction
  Getting to Know your Zyxel Device
  Command Line Interface
  User and Privilege Modes
Reference
  Status
  Object Reference
  Interfaces
  Storm Control
  NCC Discovery
  Users
  AP Management
  Wireless LAN Profiles
  Rogue AP
  Wireless Frame Capture
  Dynamic Channel Selection
  Wireless Load Balancing
  Bluetooth
  Certificates
  System
  System Remote Management
  AAA Server
  Authentication Objects
  File Manager
  Logs
  Reports and Reboot
  Session Timeout
  LEDs
  Antenna Switch
  Diagnostics
  Maintenance Tools
  Watchdog Timer

Table of Contents

Contents Overview
Table of Contents
Part I: Introduction
Chapter 1: Getting to Know your Zyxel Device
  1.1 Overview
  1.2 Zyxel Device Product Feature
Chapter 2: Command Line Interface
  2.1 Overview
    2.1.1 The Configuration File
  2.2 Accessing the CLI
    2.2.1 Console Port
    2.2.2 SSH (Secure SHell)
  2.3 How to Find Commands in this Guide
  2.4 How Commands Are Explained
    2.4.1 Background Information
    2.4.2 Command Input Values
    2.4.3 Command Summary
    2.4.4 Command Examples
    2.4.5 Command Syntax
    2.4.6 Changing the Password
  2.5 CLI Modes
  2.6 Shortcuts and Help
    2.6.1 List of Available Commands
    2.6.2 List of Sub-commands or Required User Input
    2.6.3 Entering Partial Commands
    2.6.4 Entering a ? in a Command
    2.6.5 Command History
    2.6.6 Navigation
    2.6.7 Erase Current Command
    2.6.8 The no Commands
  2.7 Input Values
  2.8 Saving Configuration Changes
  2.9 Logging Out
Chapter 3: User and Privilege Modes
  3.1 User And Privilege Modes
    3.1.1 Debug Commands
Part II: Reference
Chapter 4: Status
Chapter 5: Object Reference
  5.1 Object Reference Commands
    5.1.1 Object Reference Command Example
Chapter 6: Interfaces
  6.1 Interface Overview
  6.2 Interface General Commands Summary
    6.2.1 Basic Interface Properties and IP Address Commands
  6.3 Port Commands
    6.3.1 Port Command Examples
Chapter 7: Storm Control
  7.1 Overview
  7.2 Storm Control Commands
    7.2.1 Storm Control Command Examples
Chapter 8: NCC Discovery
  8.1 Overview
  8.2 NCC Discovery Commands
    8.2.1 NCC Discovery Command Example
Chapter 9: Users
  9.1 User Account Overview
    9.1.1 User Types
  9.2 User Commands Summary
    9.2.1 Username and User Commands
    9.2.2 User Setting Commands
    9.2.3 Additional User Commands
Chapter 10: AP Management
  10.1 AP Management Overview
  10.2 AP Management Commands
    10.2.1 AP Management Commands Example
  10.3 AP Management Client Commands
    10.3.1 AP Management Client Commands Example
Chapter 11: Wireless LAN Profiles
  11.1 Wireless LAN Profiles Overview
  11.2 AP Radio Profile Commands
    11.2.1 AP radio Profile Commands Example
  11.3 SSID Profile Commands
    11.3.1 SSID Profile Example 1
    11.3.2 SSID Profile Example 2
  11.4 Security Profile Commands
    11.4.1 Security Profile Example
  11.5 MAC Filter Profile Commands
    11.5.1 MAC Filter Profile Example
  11.6 Layer-2 Isolation Profile Commands
    11.6.1 Layer-2 Isolation Profile Example
  11.7 WDS Profile Commands
    11.7.1 WDS Profile Example
Chapter 12: Rogue AP
  12.1 Rogue AP Detection Overview
  12.2 Rogue AP Detection Commands
    12.2.1 Rogue AP Detection Examples
Chapter 13: Wireless Frame Capture
  13.1 Wireless Frame Capture Overview
  13.2 Wireless Frame Capture Commands
    13.2.1 Wireless Frame Capture Examples
Chapter 14: Dynamic Channel Selection
  14.1 DCS Overview
  14.2 DCS Commands
Chapter 15: Wireless Load Balancing
  15.1 Wireless Load Balancing Overview
  15.2 Wireless Load Balancing Commands
    15.2.1 Wireless Load Balancing Examples
Chapter 16: Bluetooth
  16.1 Bluetooth Overview
  16.2 Bluetooth Commands
    16.2.1 Bluetooth Commands Example
Chapter 17: Certificates
  17.1 Certificates Overview
  17.2 Certificate Commands
  17.3 Certificates Commands Input Values
  17.4 Certificates Commands Summary
  17.5 Certificates Commands Examples
Chapter 18: System
  18.1 System Overview
  18.2 Host Name Commands
  18.3 Roaming Group Commands
  18.4 Time and Date
    18.4.1 Date/Time Commands
  18.5 Console Port Speed
  18.6 DNS Overview
    18.6.1 DNS Commands
    18.6.2 DNS Command Example
  18.7 Power Mode
Chapter 19: System Remote Management
  19.1 System Timeout
  19.2 HTTP/HTTPS Commands
    19.2.1 HTTP/HTTPS Command Examples
  19.3 SSH
    19.3.1 SSH Implementation on the Zyxel Device
    19.3.2 Requirements for Using SSH
    19.3.3 SSH Commands
    19.3.4 SSH Command Examples
  19.4 Configuring FTP
    19.4.1 FTP Commands
    19.4.2 FTP Commands Examples
  19.5 SNMP
    19.5.1 Supported MIBs
    19.5.2 SNMP Traps
    19.5.3 SNMP Commands
Chapter 20: AAA Server
  20.1 AAA Server Overview
  20.2 Authentication Server Command Summary
    20.2.1 radius-server Commands
    20.2.2 radius-server Command Example
    20.2.3 aaa group server ad Commands
    20.2.4 aaa group server ldap Commands
    20.2.5 aaa group server radius Commands
    20.2.6 aaa group server Command Example
Chapter 21: Authentication Objects
  21.1 Authentication Objects Overview
  21.2 aaa authentication Commands
    21.2.1 aaa authentication Command Example
  21.3 test aaa Command
    21.3.1 Test a User Account Command Example
Chapter 22: File Manager
  22.1 File Directories
  22.2 Configuration Files and Shell Scripts Overview
    22.2.1 Comments in Configuration Files or Shell Scripts
    22.2.2 Errors in Configuration Files or Shell Scripts
    22.2.3 Zyxel Device Configuration File Details
    22.2.4 Configuration File Flow at Restart
    22.2.5 Sensitive Data Protection
  22.3 File Manager Commands Input Values
  22.4 File Manager Commands Summary
  22.5 File Manager Command Example
  22.6 FTP File Transfer
    22.6.1 Command Line FTP File Upload
    22.6.2 Command Line FTP Configuration File Upload Example
    22.6.3 Command Line FTP Firmware File Upload Example
    22.6.4 Command Line FTP File Download
    22.6.5 Command Line FTP Configuration File Download Example
  22.7 Zyxel Device File Usage at Startup
  22.8 Notification of a Damaged Recovery Image or Firmware
  22.9 Restoring the Recovery Image
  22.10 Restoring the Firmware
Chapter 23: Logs
  23.1 Log Commands Summary
    23.1.1 Log Entries Commands
    23.1.2 System Log Commands
    23.1.3 Debug Log Commands
    23.1.4 Remote Syslog Server Log Commands
    23.1.5 Email Profile Log Commands
    23.1.6 Console Port Log Commands
    23.1.7 Access Point Logging Commands
Chapter 24: Reports and Reboot
  24.1 Report Commands Summary
    24.1.1 Report Commands
    24.1.2 Report Command Examples
  24.2 Email Daily Report Commands
    24.2.1 Email Daily Report Example
  24.3 Reboot
Chapter 25: Session Timeout
  25.1 Session Timeout Commands
    25.1.1 Session Timeout Commands Example
Chapter 26: LEDs
  26.1 LED Suppression Mode
  26.2 LED Suppression Commands
    26.2.1 LED Suppression Commands Example
  26.3 LED Locator
  26.4 LED Locator Commands
    26.4.1 LED Locator Commands Example
Chapter 27
Antenna Switch
27.1 Antenna Switch Overview
27.2 Antenna Switch Commands
27.2.1 Antenna Switch Commands Examples
Chapter 28
Diagnostics
28.1 Diagnostics Overview
28.2 Diagnosis Commands
28.2.1 Diagnosis Commands Examples
Chapter 29
Maintenance Tools
29.0.1 Command Examples
Chapter 30
Watchdog Timer
30.1 Hardware Watchdog Timer
30.2 Software Watchdog Timer
30.3 Application Watchdog
30.3.1 Application Watchdog Commands Example
List of Commands (Alphabetical)
PART I

Introduction

CHAPTER 1
Getting to Know your Zyxel Device

1.1 Overview

Your Zyxel Device is a wireless AP (Access Point). It extends the range of your existing wired network without additional wiring, providing easy network access to mobile users.
You can set the Zyxel Device to operate in either standalone AP or managed AP mode. When the Zyxel Device is in standalone AP mode, it can serve as a normal AP, as an RF monitor to search for rogue APs to help eliminate network threats (if it supports rogue AP detection), or even as a root AP or a wireless repeater to establish wireless links with other APs in a WDS (Wireless Distribution System). A WDS is a wireless connection between two or more APs.
Your Zyxel Device’s business-class reliability, SMB features, and centralized wireless management make it ideally suited for advanced service delivery in mission-critical networks. It uses Multiple BSSID and VLAN to provide simultaneous independent virtual APs. Additionally, innovations in roaming technology and QoS features eliminate voice call disruptions.
The Zyxel Device controls network access with Media Access Control (MAC) address filtering, and rogue Access Point (AP) detection. It also provides a high level of network traffic security, supporting IEEE 802.1x, Wi-Fi Protected Access 2 and Wired Equivalent Privacy (WEP) data encryption.

1.2 Zyxel Device Product Feature

The following tables show the differences between each Zyxel Device model. You can find the feature introductions in the later sections.
The following table lists the features of the Zyxel Device.
Table 1 500/1000 Models Comparison Table
FEATURES | WAC500/WAC500H | NWA1123-ACV3
Supported WiFi Standards | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac
Supported Frequency Bands | 2.4 GHz, 5 GHz | 2.4 GHz, 5 GHz
Supported Channel Width | 2.4G: 20/40 MHz; 5G: 20/40/80 MHz | 2.4G: 20/40 MHz; 5G: 20/40/80 MHz
Available Security Modes | None; Enhanced-open; WEP; WPA2-MIX / WPA3 - Personal & Enterprise | None; Enhanced-open; WEP; WPA2-MIX / WPA3 - Personal & Enterprise
Number of SSID Profiles | 64 | 64
Number of WiFi Radios | 2 | 2
Security Profile Radius Settings | Yes | Yes
Security Profile Enterprise Authentication Settings | Yes | Yes
Rogue AP Detection | Yes | Yes
WDS (Wireless Distribution System) - Root AP & Repeater Modes | Yes | Yes
Wireless Bridge | No | No
Tunnel Forwarding Mode | Yes | No
Layer-2 Isolation | Yes | Yes
Supported PoE Standards | IEEE 802.3af, IEEE 802.3at | IEEE 802.3af, IEEE 802.3at
Power Detection | No | No
External Antennas | No | No
Internal Antennas | Yes | Yes
Antenna Switch | No | No
Smart Antenna | Yes | Yes
Console Port | 4-Pin Serial | 4-Pin Serial
Reset Button | Yes | Yes
LED Locator | Yes | Yes
LED Suppression | Yes | Yes
AC (AP Controller) Discovery | Yes | No
NebulaFlex PRO | Yes | No
NCC Discovery | Yes | Yes
802.11r Fast Roaming Support | Yes | Yes
802.11k/v Assisted Roaming | Yes | Yes
Proxy ARP | Yes | Yes
Bluetooth Low Energy (BLE) | No | No
Load Balancing | Yes | Yes
Ethernet Storm Control | Yes | Yes
Wireless Remote Capture | Yes | Yes
SNMP | Yes | Yes
Grounding | No | No
Power Jack | Yes | Yes
Maximum number of log messages | 512 event logs | 512 event logs
Latest Firmware Version Supported | 6.55 | 6.55
Table 2 WiFi 6 Models Comparison Table
FEATURES | WAX630S | WAX650S | NWA110AX / NWA210AX
Supported WiFi Standards | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax
Supported Frequency Bands | 2.4 GHz, 5 GHz | 2.4 GHz, 5 GHz | 2.4 GHz, 5 GHz
Supported Channel Width | 2.4G: 20/40 MHz; 5G: 20/40/80/160 MHz | 2.4G: 20/40 MHz; 5G: 20/40/80/160 MHz | 2.4G: 20/40 MHz; 5G: 20/40/80 MHz (NWA210AX supports 160 MHz)
Available Security Modes | None; Enhanced-open; WEP; WPA2-MIX / WPA3 - Personal & Enterprise | None; Enhanced-open; WEP; WPA2-MIX / WPA3 - Personal & Enterprise | None; Enhanced-open; WEP; WPA2-MIX / WPA3 - Personal & Enterprise
Number of SSID Profiles | 64 | 64 | 64
Number of WiFi Radios | 2 | 2 | 2
Security Profile Radius Settings | Yes | Yes | Yes
Security Profile Enterprise Authentication Settings | Yes | Yes | Yes
Rogue AP Detection | Yes | Yes | Yes
WDS (Wireless Distribution System) - Root AP & Repeater Modes | Yes | Yes | Yes
Wireless Bridge | Yes | Yes | No
Tunnel Forwarding Mode | Yes | Yes | No
Layer-2 Isolation | Yes | Yes | Yes
Supported PoE Standards | IEEE 802.3af, IEEE 802.3at | IEEE 802.3at, IEEE 802.3bt | IEEE 802.3af, IEEE 802.3at
Power Detection | Yes | Yes | Yes
External Antennas | No | No | No
Internal Antennas | Yes | Yes | Yes
Antenna Switch | No | No | No
Smart Antenna | Yes | Yes | No
Console Port | 4-Pin Serial | 4-Pin Serial | 4-Pin Serial
Reset Button | Yes | Yes | Yes
LED Locator | Yes | Yes | Yes
LED Suppression | Yes | Yes | Yes
AC (AP Controller) Discovery | Yes | Yes | No
NebulaFlex PRO | Yes | Yes | No
NCC Discovery | Yes | Yes | Yes
802.11r Fast Roaming Support | Yes | Yes | Yes
802.11k/v Assisted Roaming | Yes | Yes | Yes
Proxy ARP | Yes | Yes | Yes
Bluetooth Low Energy (BLE) | No | Yes | No
Load Balancing | Yes | Yes | Yes
Ethernet Storm Control | Yes | Yes | Yes
Wireless Remote Capture | Yes | Yes | Yes
SNMP | Yes | Yes | Yes
Grounding | Yes | Yes | Yes
Power Jack | Yes | Yes | Yes
Latest Firmware Version Supported | 6.55 | 6.55 | 6.55
Maximum number of log messages | 512 event logs | 512 event logs | 512 event logs
Table 3 WiFi 6 Models Comparison Table
FEATURES | WAX655E | WAX510D / WAX610D
Supported WiFi Standards | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax
Supported Frequency Bands | 2.4 GHz, 5 GHz | 2.4 GHz, 5 GHz
Supported Channel Width | 2.4G: 20/40 MHz; 5G: 20/40/80/160 MHz | 2.4G: 20/40 MHz; 5G: 20/40/80 MHz (WAX610D supports 160 MHz)
Available Security Modes | None; Enhanced-open; WEP; WPA2-MIX / WPA3 - Personal & Enterprise | None; Enhanced-open; WEP; WPA2-MIX / WPA3 - Personal & Enterprise
Number of SSID Profiles | 64 | 64
Number of WiFi Radios | 2 | 2
Security Profile Radius Settings | Yes | Yes
Security Profile Enterprise Authentication Settings | Yes | Yes
Rogue AP Detection | Yes | Yes
WDS (Wireless Distribution System) - Root AP & Repeater Modes | Yes | Yes
Wireless Bridge | Yes | WAX510D: No; WAX610D: Yes
Tunnel Forwarding Mode | Yes | Yes
Layer-2 Isolation | Yes | Yes
Supported PoE Standards | IEEE 802.3af, IEEE 802.3at | IEEE 802.3af, IEEE 802.3at
Power Detection | Yes | Yes
External Antennas | Yes | No
Internal Antennas | No | Yes
Antenna Switch | No | Yes (per AP)
Smart Antenna | No | No
Console Port | 4-Pin Serial | 4-Pin Serial
Reset Button | Yes | Yes
LED Locator | Yes | Yes
LED Suppression | Yes | Yes
AC (AP Controller) Discovery | Yes | Yes
NebulaFlex PRO | Yes | Yes
NCC Discovery | Yes | Yes
802.11r Fast Roaming Support | Yes | Yes
802.11k/v Assisted Roaming | Yes | Yes
Proxy ARP | Yes | Yes
Bluetooth Low Energy (BLE) | No | No
Load Balancing | Yes | Yes
Ethernet Storm Control | Yes | Yes
Wireless Remote Capture | Yes | Yes
SNMP | Yes | Yes
Grounding | Yes | Yes
Power Jack | Yes | Yes
Maximum number of log messages | 512 event logs | 512 event logs
Latest Firmware Version Supported | 6.55 | 6.55
Table 4 WiFi 6 Models Comparison Table
FEATURES | NWA50AX | NWA90AX | NWA55AXE
Supported WiFi Standards | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax
Supported Frequency Bands | 2.4 GHz, 5 GHz | 2.4 GHz, 5 GHz | 2.4 GHz, 5 GHz
Supported Channel Width | 2.4G: 20/40 MHz; 5G: 20/40/80 MHz | 2.4G: 20/40 MHz; 5G: 20/40/80 MHz | 2.4G: 20/40 MHz; 5G: 20/40/80 MHz
Available Security Modes | None; Enhanced-open; WEP; WPA2-MIX-Personal; WPA3-Personal | None; Enhanced-open; WEP; WPA2-MIX / WPA3 - Personal & Enterprise | None; Enhanced-open; WEP; WPA2-MIX-Personal; WPA3-Personal
Number of SSID Profiles | 64 | 64 | 64
Number of WiFi Radios | 2 | 2 | 2
Security Profile Radius Settings | No | Yes | No
Security Profile Enterprise Authentication Settings | No | Yes | No
Rogue AP Detection | Yes | Yes | Yes
WDS (Wireless Distribution System) - Root AP & Repeater Modes | Yes | Yes | Yes
Wireless Bridge | No | No | Yes
Tunnel Forwarding Mode | No | No | No
Layer-2 Isolation | No | Yes | No
Supported PoE Standards | IEEE 802.3at | IEEE 802.3at | IEEE 802.3at
Power Detection | No | No | No
External Antennas | No | No | Yes
Internal Antennas | Yes | Yes | No
Antenna Switch | No | No | No
Smart Antenna | No | No | No
Console Port | 4-Pin Serial | 4-Pin Serial | No
Reset Button | Yes | Yes | No
LED Locator | Yes | Yes | No
LED Suppression | Yes | Yes | Yes
AC (AP Controller) Discovery | No | No | No
NCC Discovery | Yes | Yes | Yes
802.11r Fast Roaming Support | Yes | Yes | Yes
802.11k/v Assisted Roaming | Yes | Yes | Yes
Proxy ARP | No | No | No
Bluetooth Low Energy (BLE) | No | No | No
Load Balancing | No | No | No
Ethernet Storm Control | No | No | No
Wireless Remote Capture | No | No | No
SNMP | No | No | No
Grounding | No | No | No
Power Jack | Yes | Yes | No
Maximum number of log messages | 512 event logs | 512 event logs | 512 event logs
Latest Firmware Version Supported | 6.29 | 6.29 | 6.29
Table 5 WiFi 6 PRO Models Comparison Table
FEATURES | NWA50AX PRO | NWA90AX PRO
Supported WiFi Standards | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax
Supported Frequency Bands | 2.4 GHz, 5 GHz | 2.4 GHz, 5 GHz
Supported Channel Width | 2.4G: 20/40 MHz; 5G: 20/40/80/160 MHz | 2.4G: 20/40 MHz; 5G: 20/40/80/160 MHz
Available Security Modes | None; Enhanced-open; WEP; WPA2-MIX-Personal; WPA3-Personal | None; Enhanced-open; WEP; WPA2-MIX / WPA3 - Personal & Enterprise
Number of SSID Profiles | 64 | 64
Number of WiFi Radios | 2 | 2
Security Profile Radius Settings | No | Yes
Security Profile Enterprise Authentication Settings | No | Yes
Rogue AP Detection | Yes | Yes
WDS (Wireless Distribution System) - Root AP & Repeater Modes | Yes | Yes
Wireless Bridge | No | No
Tunnel Forwarding Mode | No | No
Layer-2 Isolation | No | Yes
Supported PoE Standards | IEEE 802.3at | IEEE 802.3at
Power Detection | No | No
External Antennas | No | No
Internal Antennas | Yes | Yes
Antenna Switch | No | No
Smart Antenna | No | No
Console Port | 4-Pin Serial | 4-Pin Serial
Reset Button | Yes | Yes
LED Locator | Yes | Yes
LED Suppression | Yes | Yes
AC (AP Controller) Discovery | No | No
NCC Discovery | Yes | Yes
802.11r Fast Roaming Support | Yes | Yes
802.11k/v Assisted Roaming | Yes | Yes
Proxy ARP | No | No
Bluetooth Low Energy (BLE) | No | No
Load Balancing | No | No
Ethernet Storm Control | No | No
Wireless Remote Capture | No | No
SNMP | No | No
Grounding | No | No
Power Jack | Yes | Yes
Maximum number of log messages | 512 event logs | 512 event logs
Latest Firmware Version Supported | 6.55 | 6.55
Table 6 WiFi 6E Models Comparison Table
FEATURES | WAX620D-6E | WAX640S-6E | WA220AX-6E
Supported WiFi Standards | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax | IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11ac, IEEE 802.11ax
Supported Frequency Bands | 2.4 GHz, 5 GHz, 6 GHz | 2.4 GHz, 5 GHz, 6 GHz | 2.4 GHz, 5 GHz, 6 GHz
BandFlex (5 GHz/6 GHz) | Yes | No | Yes
Supported Channel Width | 2.4G: 20/40 MHz; 5G: 20/40/80/160 MHz; 6G: 20/40/80/160 MHz | 2.4G: 20/40 MHz; 5G: 20/40/80/160 MHz; 6G: 20/40/80/160 MHz | 2.4G: 20/40 MHz; 5G: 20/40/80/160 MHz; 6G: 20/40/80/160 MHz
Available Security Modes | None; Enhanced-open; WEP; WPA2-MIX / WPA3 - Personal & Enterprise | None; Enhanced-open; WEP; WPA2-MIX / WPA3 - Personal & Enterprise | None; Enhanced-open; WEP; WPA2-MIX / WPA3 - Personal & Enterprise
Number of SSID Profiles | 64 | 64 | 64
Number of WiFi Radios | 2 | 3 | 2
Security Profile Radius Settings | Yes | Yes | Yes
Security Profile Enterprise Authentication Settings | Yes | Yes | Yes
Rogue AP Detection | Yes | Yes | Yes
WDS (Wireless Distribution System) - Root AP & Repeater Modes | Yes | Yes | Yes
Wireless Bridge | Yes | Yes | No
Tunnel Forwarding Mode | Yes | Yes | No
Layer-2 Isolation | Yes | Yes | Yes
Supported PoE Standards | IEEE 802.3af, IEEE 802.3at | IEEE 802.3at, IEEE 802.3bt | IEEE 802.3af, IEEE 802.3at
Power Detection | Yes | Yes | Yes
External Antennas | No | No | No
Internal Antennas | Yes | Yes | Yes
Antenna Switch | Yes (per AP) | No | No
Smart Antenna | No | Yes | No
Console Port | 4-Pin Serial | 4-Pin Serial | 4-Pin Serial
Reset Button | Yes | Yes | Yes
LED Locator | Yes | Yes | Yes
LED Suppression | Yes | Yes | Yes
AC (AP Controller) Discovery | Yes | Yes | No
NebulaFlex PRO | Yes | Yes | No
NCC Discovery | Yes | Yes | Yes
802.11r Fast Roaming Support | Yes | Yes | Yes
802.11k/v Assisted Roaming | Yes | Yes | Yes
Proxy ARP | Yes | Yes | Yes
Bluetooth Low Energy (BLE) | No | Yes | No
Load Balancing | Yes | Yes | Yes
Ethernet Storm Control | Yes | Yes | Yes
Wireless Remote Capture | Yes | Yes | Yes
SNMP | Yes | Yes | Yes
Grounding | No | Yes | No
Power Jack | Yes | Yes | Yes
Maximum number of log messages | 512 event logs | 512 event logs | 512 event logs
Latest Firmware Version Supported | 6.55 | 6.55 | 6.55

CHAPTER 2
Command Line Interface

This chapter describes how to access and use the CLI (Command Line Interface).

2.1 Overview

If you have problems with your Zyxel Device, customer support may request that you issue some of these commands to assist them in troubleshooting.
Use of undocumented commands or misconfiguration can damage the Zyxel Device and possibly render it unusable.
2.1.1 The Configuration File
When you configure the Zyxel Device using either the CLI (Command Line Interface) or the web configurator, the settings are saved as a series of commands in a configuration file on the Zyxel Device. You can store more than one configuration file on the Zyxel Device. However, only one configuration file is used at a time.
You can perform the following with a configuration file:
• Back up Zyxel Device configuration once the Zyxel Device is set up to work in your network.
• Restore Zyxel Device configuration.
• Save and edit a configuration file and upload it to multiple Zyxel Devices in your network to have the same settings.
Note: You may also edit a configuration file using a text editor.

2.2 Accessing the CLI

You can access the CLI using a terminal emulation program on a computer connected to the console port, or access the Zyxel Device using SSH (Secure SHell).
Note: The console port is not available in every model. Please check the User’s Guide or datasheet, or refer to the product page at www.zyxel.com to see if your Zyxel Device has a console port.
Note: The Zyxel Device might force you to log out of your session if reauthentication time, lease time, or idle timeout is reached. See Chapter 9 on page 52 for more information about these settings.
2.2.1 Console Port
The default settings for the console port are as follows.
Table 7 Managing the Zyxel Device: Console Port
SETTING | VALUE
Speed | 115200 bps
Data Bits | 8
Parity | None
Stop Bit | 1
Flow Control | Off
When you turn on your Zyxel Device, it performs several internal tests as well as line initialization. You can view the initialization information using the console port.
• Garbled text displays if your terminal emulation program’s speed is set lower than the Zyxel Device’s.
• No text displays if the speed is set higher than the Zyxel Device’s.
• If changing your terminal emulation program’s speed does not get anything to display, restart the Zyxel Device.
• If restarting the Zyxel Device does not get anything to display, contact your local customer support.
Figure 1 Console Port Power-on Display
FLASH: AMD 16M
BootModule Version: V1.13 | 06/25/2010 15:05:00
DRAM: Size = 256 Mbytes
DRAM POST: Testing: 262144K
After the initialization, the login screen displays.
Figure 2 Login Screen
Welcome to WAX640S-6E
Username:
Enter the user name and password at the prompts.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
2.2.2 SSH (Secure SHell)
You can use an SSH client program to access the CLI. The following figure shows an example using a text-based SSH client program. Refer to the documentation that comes with your SSH program for information on using it.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
Figure 3 SSH Login Example
C:\>ssh2 admin@192.168.1.2
Host key not found from database.
Key fingerprint:
xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to C:/Documents and Settings/user/Application Data/SSH/ hostkeys/ ey_22_192.168.1.2.pub
host key for 192.168.1.2, accepted by user Tue Aug 09 2022 07:38:28
admin's password:
Authentication successful.
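The fingerprint in Figure 3 is in Bubble Babble format, and the session accepts it on first contact. The following added example (not part of the original guide) recomputes that style of fingerprint from a host public key obtained over a trusted channel, so it can be compared with what the SSH client displays before answering yes. It assumes the fingerprint is Bubble Babble over the SHA-1 digest of the public key blob, which matches the 11-group length shown in the figure; the sample keys are constructed, and all function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Encode bytes in the Bubble Babble format used for the fingerprint in Figure 3."""
    seed = 1
    out = ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2:
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:
            # Even-length input: the last group carries only the running checksum.
            out.append(VOWELS[seed % 6] + "x" + VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def parse_public_key(line: str) -> bytes:
    """Return the key blob from an OpenSSH-format line: '<type> <base64> [comment]'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob repeats the key type; a mismatch means the line was edited or truncated.
    if blob[4:4 + name_len] != parts[0].encode():
        raise ValueError("key type does not match key blob")
    return blob


def fingerprint(line: str) -> str:
    """Bubble Babble fingerprint of a public key line (SHA-1 digest: an assumption)."""
    return bubble_babble(hashlib.sha1(parse_public_key(line)).digest())


def same_host_key(trusted_line: str, shown_fingerprint: str) -> bool:
    """True if the fingerprint shown by the SSH client belongs to the trusted key."""
    expected = fingerprint(trusted_line).encode()
    return hmac.compare_digest(expected, shown_fingerprint.strip().lower().encode())


def _constructed_key(fill: int) -> str:
    # Constructed sample only: a syntactically valid ed25519 blob with dummy key bytes.
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


TRUSTED_KEY = _constructed_key(0x11)   # e.g. copied from the device over the console port
OTHER_KEY = _constructed_key(0x22)     # a different key, as an interposed host would offer

if __name__ == "__main__":
    shown = fingerprint(TRUSTED_KEY)   # stands in for the string the SSH client prints
    print(shown)
    print("trusted key matches:", same_host_key(TRUSTED_KEY, shown))
    print("other key matches:  ", same_host_key(OTHER_KEY, shown))
```

Answer yes at the prompt only when the comparison succeeds; a mismatch means the key offered on the network is not the one the device holds.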

2.3 How to Find Commands in this Guide

You can simply look for the feature chapter to find commands. In addition, you can use the List of Commands (Alphabetical) at the end of the guide. This section lists the commands in alphabetical order that they appear in this guide.
If you are looking at the CLI Reference Guide electronically, you might have additional options (for example, bookmarks or Find...) as well.

2.4 How Commands Are Explained

Each chapter explains the commands for one keyword. The chapters are divided into the following sections.
2.4.1 Background Information
Note: See the User’s Guide for background information about most features.
This section provides background information about features that you cannot configure in the web configurator. In addition, this section identifies related commands in other chapters.
2.4.2 Command Input Values
This section lists common input values for the commands for the feature in one or more tables.
2.4.3 Command Summary
This section lists the commands for the feature in one or more tables.
2.4.4 Command Examples
This section contains any examples for the commands in this feature.
2.4.5 Command Syntax
The following conventions are used in this User’s Guide.
• A command or keyword in courier new must be entered literally as shown. Do not abbreviate.
• Values that you need to provide are in italics.
• Required fields that have multiple choices are enclosed in curly brackets {}.
• A range of numbers is enclosed in angle brackets <>.
• Optional fields are enclosed in square brackets [].
• The | symbol means OR.
2.4.6 Changing the Password
It is highly recommended that you change the password for accessing the Zyxel Device. See Section 9.2 on page 52 for the appropriate commands.

2.5 CLI Modes

You run CLI commands in one of several modes.
Table 8 CLI Modes
MODE | USER | PRIVILEGE | CONFIGURATION | SUB-COMMAND
What User users can do | Look at (but not run) available commands | Unable to access | Unable to access | Unable to access
What Limited-Admin users can do | Look at system information (like Status screen); run basic diagnostics | Look at system information (like Status screen); run basic diagnostics | Unable to access | Unable to access
What Admin users can do | Look at system information (like Status screen); run basic diagnostics | Look at system information (like Status screen); run basic diagnostics | Configure simple features (such as an address object); create or remove complex parts (such as an interface) | Configure complex parts (such as an interface) in the Zyxel Device
How you enter it | Log in to the Zyxel Device | Type enable in User mode | Type configure terminal in User or Privilege mode | Type the command used to create the specific part in Configuration mode
What the prompt looks like | Router> | Router# | Router(config)# | (varies by part) Router(config-if-brg)# ...
How you exit it | Type exit | Type disable | Type exit | Type exit
See Chapter 9 on page 52 for more information about the user types. User users can only log in, look at (but not run) the available commands in User mode, and log out. Limited-Admin users can look at the configuration in the web configurator and CLI, and they can run basic diagnostics in the CLI. Admin users can configure the Zyxel Device in the web configurator or CLI.
At the time of writing, there is not much difference between User and Privilege mode for admin users. This is reserved for future use.

2.6 Shortcuts and Help

2.6.1 List of Available Commands
A list of valid commands can be found by typing ? or [TAB] at the command prompt. To view a list of available commands within a command group, enter <command> ? or <command> [TAB].
Figure 4 Help: Available Commands Example 1
Router> ?
<cr>
apply
atse
clear
configure
------------------[Snip]--------------------
shutdown
test
traceroute
wlan-report
write
Router>
Figure 5 Help: Available Command Example 2
Router> show ?
<wlan ap interface>
aaa
account
app-watch-dog
apply
arp-table
------------------[Snip]--------------------
wlan-security-profile
wlan-ssid-profile
wtp-logging
Router> show
2.6.2 List of Sub-commands or Required User Input
To view detailed help information for a command, enter <command> <sub command> ?.
Figure 6 Help: Sub-command Information Example
Router(config)# ip ssh server ?
;
<cr>
cert
port
|
Router(config)# ip ssh server
Figure 7 Help: Required User Input Example
Router(config)# ip ssh server port ?
<1..65535>
Router(config)# ip ssh server port
2.6.3 Entering Partial Commands
The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the Zyxel Device automatically display the full command.
For example, if you enter config and press [TAB], the full command of configure automatically displays.
If you enter a partial command that is not unique and press [TAB], the Zyxel Device displays a list of commands that start with the partial command.
Figure 8 Non-Unique Partial Command Example
Router# c [TAB]
clear configure copy
Router# co [TAB]
configure copy
2.6.4 Entering a ? in a Command
Typing a ? (question mark) usually displays help information. However, some commands allow you to input a ?, for example as part of a string. Press [CTRL+V] on your keyboard to enter a ? without the Zyxel Device treating it as a help query.
2.6.5 Command History
The Zyxel Device keeps a list of commands you have entered for the current CLI session. You can use any commands in the history again by pressing the up or down arrow key to scroll through the previously used commands and press [ENTER].
2.6.6 Navigation
Press [CTRL]+A to move the cursor to the beginning of the line. Press [CTRL]+E to move the cursor to the end of the line.
2.6.7 Erase Current Command
Press [CTRL]+U to erase whatever you have currently typed at the prompt (before pressing [ENTER]).
2.6.8 The no Commands
When entering the no commands described in this document, you may not need to type the whole command. For example, with the “[no] mss <536..1452>” command, you use “mss 536” to specify the MSS value. But to disable the MSS setting, you only need to type “no mss” instead of “no mss 536”.
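Because misconfiguration can leave a device unusable and one edited configuration file may be uploaded to many devices, it helps to check each line against the documented syntax first. The following added example (not from the original guide) parses the notation of Section 2.4.5 and applies the no rule of Section 2.6.8. It uses the two syntax strings that appear in this chapter plus one hypothetical command, `demo-toggle {on|off}`, included only to exercise curly brackets. It assumes that bracketed fields contain no spaces and that only trailing values may be dropped in the no form.

```python
import re

RANGE = re.compile(r"^<(\d+)\.\.(\d+)>$")


def parse_template(template):
    """Turn a documented syntax string into (kind, value, optional) tokens."""
    tokens = []
    for word in template.split():
        optional = word.startswith("[") and word.endswith("]")
        if optional:                       # [] marks an optional field
            word = word[1:-1]
        m = RANGE.match(word)
        if m:                              # <a..b> is a range of numbers
            tokens.append(("range", (int(m.group(1)), int(m.group(2))), optional))
        elif word.startswith("{") and word.endswith("}"):
            # {} holds required choices separated by |
            tokens.append(("choice", tuple(word[1:-1].split("|")), optional))
        else:                              # keywords are entered literally
            tokens.append(("literal", word, optional))
    return tokens


def _fits(token, word):
    kind, value, _ = token
    if kind == "literal":
        return word == value               # no abbreviations in a saved file
    if kind == "choice":
        return word in value
    return word.isascii() and word.isdigit() and value[0] <= int(word) <= value[1]


def matches(template, line):
    """True if a command line conforms to the documented syntax string."""
    tokens = parse_template(template)
    words = line.split()
    negated = (bool(words and tokens) and words[0] == "no"
               and tokens[0] == ("literal", "no", True))

    def walk(ti, wi):
        if ti == len(tokens):
            return wi == len(words)
        tok = tokens[ti]
        if wi < len(words) and _fits(tok, words[wi]) and walk(ti + 1, wi + 1):
            return True
        # A token may be skipped if it is optional, or if this is the no form and
        # only values remain (Section 2.6.8: "no mss" instead of "no mss 536").
        trailing_values = all(t[0] != "literal" for t in tokens[ti:])
        skippable = tok[2] or (negated and trailing_values)
        return skippable and walk(ti + 1, wi)

    return walk(0, 0)


def lint(config_text, templates):
    """Return (line number, text) for each non-blank line matching no template."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line and not any(matches(t, line) for t in templates):
            findings.append((lineno, line))
    return findings


TEMPLATES = [
    "[no] mss <536..1452>",            # from Section 2.6.8
    "ip ssh server port <1..65535>",   # from Figures 6 and 7
    "demo-toggle {on|off}",            # hypothetical, not a real command
]

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = "\n".join([
    "ip ssh server port 22",
    "ip ssh server port 70000",        # outside <1..65535>
    "mss 536",
    "no mss",
    "mss 100",                         # outside <536..1452>
    "ip ssh srv port 22",              # abbreviated keyword
    "demo-toggle on",
])

if __name__ == "__main__":
    for lineno, line in lint(SAMPLE_CONFIG, TEMPLATES):
        print(f"line {lineno}: not a documented command form: {line}")
```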

2.7 Input Values

You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen. For example, in the following example, the next input value is a string called <description>.
Router# configure terminal
Router(config)# interface lan
Router(config-if-brg)# description ?
<description>
The following table provides more information about input values like <description>.
Table 9 Input-Value Formats for Strings in CLI Commands
TAG # VALUES LEGAL VALUES
* 1 *
all -- ALL
authentication key 32-40
16-20
Used in MD5 authentication keys and text authentication key
0-16 alphanumeric or _-
Used in text authentication keys
0-8 alphanumeric or _-
certificate name 1-31 alphanumeric or ;`~!@#$%^&()_+[\]{}',.=-
community string 0-63 alphanumeric or .-
connection_id 1+ alphanumeric or -_:
contact 1-61 alphanumeric, spaces, or '()+,/:=?;!*#@$_%-.
country code 0 or 2 alphanumeric
custom signature file name
description Used in keyword criteria for log entries
distinguished name 1-511 alphanumeric, spaces, or .@=,_-
domain name 0+ lower-case letters, numbers, or .-
email 1-63 alphanumeric or .@_-
e-mail 1-64 alphanumeric or .@_-
encryption key 16-64
file name 0-31 alphanumeric or _-
filter extension 1-256 alphanumeric, spaces, or '()+,/:=?;!*#@$_%.-
fqdn Used in ip dns server
full file name 0-256 alphanumeric or _/.-
0-30 alphanumeric or _-.
1-64 alphanumeric, spaces, or '()+,/:=?;!*#@$_%-.
Used in other commands
1-61 alphanumeric, spaces, or '()+,/:=?;!*#@$_%-
Used in ip dns server
1-248 alphanumeric or .-
Used in domainname, ip dhcp pool, and ip domain
1-255 alphanumeric or ._-
8-32
1-253 alphanumeric or .-
Used in ip, time server, device HA, certificates, and interface ping check
1-255 alphanumeric or .-
“0x” or “0X” + 32-40 hexadecimal values alphanumeric or ;|`~!@#$%^&*()_+\\{}':,./<>=-
first character: alphanumeric or -
first character: letter
first character: alphanumeric or -
first character: alphanumeric or -
“0x” or “0X” + 16-64 hexadecimal values alphanumeric or ;\|`~!@#$%^&*()_+\\{}':,./ <>=-
first character: alphanumeric or -
first character: alphanumeric or -
hostname Used in hostname command
1-64 alphanumeric or .-_
first character: alphanumeric or -
Used in other commands
1-253 alphanumeric or .-
first character: alphanumeric or -
import configuration file
import shell script 1-
initial string 1-64 alphanumeric, spaces, or '()+,/:=!*#@$_%-.&
key length -- 512, 768, 1024, 1536, 2048
license key 25 “S-” + 6 upper-case letters or numbers + “-” +
mac address -- aa:bb:cc:dd:ee:ff (hexadecimal)
mail server fqdn lower-case letters, numbers, or -.
name 1-31 alphanumeric or _-
notification message 1-81 alphanumeric, spaces, or '()+,/:=?;!*#@$_%-
password: less than 15 chars
password: less than 8 chars
password Used in user and ip
phone number 1-20 numbers or ,+
preshared key 16-64 “0x” or “0X” + 16-64 hexadecimal values
profile name 1-31 alphanumeric or _-
proto name 1-16 lower-case letters, numbers, or -
protocol name 1-31 alphanumeric or _-
quoted string less than 255 chars
quoted string less than 63 chars
1­26+”.conf”
26+”.zysh”
1-15 alphanumeric or `~!@#$%^&*()_\-+={}|\;:'<,>./
1-8 alphanumeric or ;/?:@&=+$\.-_!~*'()%,#$
1-63 alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./
Used in e-mail log profile SMTP authentication
1-63 alphanumeric or `~!@#$%^&*()_-+={}|\;:'<>./
Used in device HA synchronization
1-63 alphanumeric or ~#%^*_-={}:,.
Used in registration
6-20 alphanumeric or .@_-
1-255 alphanumeric, spaces, or ;/?:@&=+$\.-
1-63 alphanumeric, spaces, or ;/?:@&=+$\.-_!~*'()%
alphanumeric or ;`~!@#$%^&()_+[]{}',.=­add “.conf” at the end
alphanumeric or ;`~!@#$%^&()_+[]{}',.=­add “.zysh” at the end
16 upper-case letters or numbers
alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
first character: letters or _-
first character: letters or _-
_!~*'()%,
Table 9 Input-Value Formats for Strings in CLI Commands (continued)
TAG # VALUES LEGAL VALUES
quoted string 0+ alphanumeric, spaces, or punctuation marks
enclosed in double quotation marks (“) must put a backslash (\) before double quotation marks that are part of input value itself
realm 1-253 alphanumeric or -_
first character: alphanumeric or -_ used in domain authentication
service name 0-63 alphanumeric or -_@$./
spi 2-8 hexadecimal
string less than 15 chars
string: less than 63 chars
string 1+ alphanumeric or -_@
subject 1-61 alphanumeric, spaces, or '()+,./:=?;!*#@$_%-
system type 0-2 hexadecimal
timezone [-+]hh -- -12 through +12 (with or without “+”)
url 1-511 alphanumeric or '()+,/:.=?;!*#@$_%-
url “http://”+
user name 1-31 alphanumeric or _-
username 1-31 alphanumeric or _-
username 6-20 alphanumeric or .@_-
user name 1+ alphanumeric or -_.
user@domainname 1-80 alphanumeric or .@_-
vrrp group name: less than 15 chars
week-day sequence, i.e. 1=first,2=second
xauth method 1-31 alphanumeric or _-
xauth password 1-31 alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
mac address 0-12 (even
1-15 alphanumeric or -_
1-63 alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./
alphanumeric or ;/?:@&=+$\.-_!~*'()%,
“https://”+
1-15 alphanumeric or _-
11-4
number)
starts with “http://” or “https://” may contain one pound sign (#)
first character: letters or _-
first character: alphanumeric or _­domain authorization
registration
logging commands
hexadecimal for example: xx-xx-xx-xx-xx-xx

2.8 Saving Configuration Changes

Use the write command to save the current configuration to the Zyxel Device.
Note: Always save the changes before you log out after each management session. All unsaved changes will be lost after the system restarts.

2.9 Logging Out

Enter the exit or end command in configure mode to go to privilege mode.
Enter the exit command in user mode or privilege mode to log out of the CLI.

CHAPTER 3

User and Privilege Modes

This chapter describes how to use these two modes.

3.1 User And Privilege Modes

This is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the Zyxel Device uses. See Chapter 9 on page 52 for more information about the user types. ‘User’ type accounts can only run ‘exit’ in this mode. However, they may need to log into the device in order to be authenticated for ‘user-aware’ policies, for example a firewall rule that a particular user is exempt from.)
Type ‘enable’ to go to ‘privilege mode’. No password is required. All commands can be run from here except those marked with an asterisk. Many of these commands are for trouble-shooting purposes, for example the htm (hardware test module) and debug commands. Customer support may ask you to run some of these commands and send the results if you need assistance troubleshooting your device.
For admin logins, all commands are visible in ‘user mode’ but not all can be run there. The following table displays which commands can be run in ‘user mode’. All commands can be run in ‘privilege mode’.
The htm and psm commands are for Zyxel’s internal manufacturing process.
Table 10 User (U) and Privilege (P) Mode Commands
COMMAND          MODE  DESCRIPTION
apply            P     Applies a configuration file.
atse             U/P   Displays the seed code.
clear            U/P   Clears system or debug logs or DHCP binding.
configure        U/P   Use ‘configure terminal’ to enter configuration mode.
copy             P     Copies configuration files.
daily-report     U/P   Sets how and where to send daily reports and what reports to send.
debug (*)        U/P   For support personnel only! The device needs to have the debug flag enabled.
delete           P     Deletes configuration files.
details          P     Performs diagnostic commands.
diag             P     Provided for support personnel to collect internal system information. It is not recommended that you use these.
diag-info        P     Has the Zyxel Device create a new diagnostic file.
dir              P     Lists files in a directory.
disable          U/P   Goes from privilege mode to user mode.
enable           U/P   Goes from user mode to privilege mode.
exit             U/P   Goes to a previous mode or logs out.
htm              U/P   Goes to htm (hardware test module) mode for testing hardware components.
                       You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting.
                       Note: These commands are for Zyxel’s internal manufacturing process.
interface        U/P   Dials or disconnects an interface.
no packet-trace  U/P   Turns off packet tracing.
nslookup         U/P   Resolves an IP address to a host name and vice-versa.
packet-trace     U/P   Performs a packet trace.
ping             U/P   Pings an IP address or host name.
psm              U/P   Goes to psm (product support module) mode for setting product parameters.
                       You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting.
                       Note: These commands are for Zyxel’s internal manufacturing process.
reboot           P     Restarts the device.
release          P     Releases DHCP information from an interface.
rename           P     Renames a configuration file.
renew            P     Renews DHCP information for an interface.
run              P     Runs a script.
setenv           U/P   Turns stop-on-error on (terminates booting if an error is found in a configuration file) or off (ignores configuration file errors and continues booting).
show             U/P   Displays command statistics. See the associated command chapter in this guide.
shutdown         P     Writes all d data to disk and stops the system processes. It does not turn off the power.
test aaa         U/P   Tests whether the specified user name can be successfully authenticated by an external authentication server.
traceroute       P     Traces the route to the specified host name or IP address.
write            P     Saves the current configuration to the Zyxel Device. All unsaved changes are lost after the Zyxel Device restarts.
Subsequent chapters in this guide describe the configuration commands. User/privilege mode commands that are also configuration commands (for example, ‘show’) are described in more detail in the related configuration command chapter.
3.1.1 Debug Commands
Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for Zyxel service personnel use only. The debug commands follow a syntax that is Linux-based, so if there is a Linux equivalent, it is displayed in this chapter for your reference. You must know a command listed here well before you use it. Otherwise, it may cause undesired results.
Table 11 Debug Commands
COMMAND SYNTAX                  DESCRIPTION                                     LINUX COMMAND EQUIVALENT
debug app show l7protocol (*)   Shows app patrol protocol list                  > cat /etc/l7_protocols/protocol.list
debug ca (*)                    Certificate debug commands
debug device-ha (*)             Device HA debug commands
debug gui (*)                   Web Configurator related debug commands
debug hardware (*)              Hardware debug commands
debug interface                 Interface debug commands
debug interface ifconfig        Shows system interfaces detail                  > ifconfig [interface]
debug ip dns                    DNS debug commands
debug logging                   System logging debug commands
debug manufacture               Manufacturing related debug commands
debug network arpignore (*)     Enable/Display the ignoring of ARP responses    cat /proc/sys/net/ipv4/conf/*/arp_ignore
                                for interfaces which don't own the IP address
debug policy-route (*)          Policy route debug command
debug [cmdexec|corefile|ip|kernel|mac-id-rewrite|observer|switch|system|zyinetpkt] (*)
                                ZLD internal debug commands
PART II

Reference

CHAPTER 4

Status

This chapter explains some commands you can use to display information about the Zyxel Device’s current operational state.
Table 12 Status Show Commands
COMMAND               DESCRIPTION
show boot status      Displays details about the Zyxel Device’s startup state.
show cpu status       Displays the CPU utilization.
show cpu all          Displays the CPU utilization of each CPU.
show disk             Displays the disk utilization.
show extension-slot   Displays the status of the extension card slot and the USB ports and the names of any connected devices.
show led status       Displays the status of each LED on the Zyxel Device.
show mac              Displays the Zyxel Device’s MAC address.
show mem status       Displays what percentage of the Zyxel Device’s memory is currently being used.
show ram-size         Displays the size of the Zyxel Device’s on-board RAM.
show serial-number    Displays the serial number of this Zyxel Device.
show socket listen    Displays the Zyxel Device’s listening ports.
show socket open      Displays the ports that are open on the Zyxel Device.
show system uptime    Displays how long the Zyxel Device has been running since it last restarted or was turned on.
show version          Displays the Zyxel Device’s model, firmware and build information.
Here are examples of the commands that display the CPU and disk utilization.
Use show cpu all to check the utilization of every CPU on the Zyxel Device. Use show cpu status to check the Zyxel Device’s average CPU utilization. You can use these commands to check your CPU status if you feel the Zyxel Device’s performance is becoming slower.
Use show disk to check the percentage of Zyxel Device onboard flash memory that is currently being used. You can use this command to check your disk status if you’re having trouble saving files on the Zyxel Device, such as the firmware or the packet capture files.
Router> show cpu status
CPU utilization: 7 %
CPU utilization for 1 min: 7 %
CPU utilization for 5 min: 7 %
Router> show cpu all
CPU core 0 utilization: 4 %
CPU core 0 utilization for 1 min: 6 %
CPU core 0 utilization for 5 min: 6 %
CPU core 1 utilization: 12 %
CPU core 1 utilization for 1 min: 14 %
CPU core 1 utilization for 5 min: 13 %
Router> show disk
No.  Disk           Size(MB)  Usage
===========================================================================
1    onboard flash  3         15%
Here are examples of the commands that display the MAC address, memory usage, RAM size, and serial number. You need the MAC address and serial number if you want to pass the Zyxel Device management to Nebula.
Router(config)# show mac
MAC address: 12:34:56:78:90:16-40:4A:03:42:70:17
Router(config)# show mem status
memory usage: 19%
Router(config)# show ram-size
ram size: 256MB
Router(config)# show serial-number
serial number: XXXXXXXXXXXXX
Here is an example of the command that displays the listening ports.
Router(config)# show socket listen
No.  Proto  Local_Address     Foreign_Address  State
===========================================================================
1    tcp    0.0.0.0:80        0.0.0.0:0        LISTEN
2    tcp    192.168.1.245:53  0.0.0.0:0        LISTEN
3    tcp    127.0.0.1:53      0.0.0.0:0        LISTEN
4    tcp    0.0.0.0:21        0.0.0.0:0        LISTEN
5    tcp    0.0.0.0:22        0.0.0.0:0        LISTEN
6    tcp    127.0.0.1:953     0.0.0.0:0        LISTEN
Here is an example of the command that displays the open ports.
Router(config)# show socket open
No.  Proto  Local_Address     Foreign_Address  State
===========================================================================
1    udp    0.0.0.0:1812      0.0.0.0:0
2    udp    0.0.0.0:1814      0.0.0.0:0
3    udp    0.0.0.0:161       0.0.0.0:0
4    udp    172.23.26.245:53  0.0.0.0:0
5           0.0.1:53          0.0.0.0:0
6    udp    0.0.0.0:43386     0.0.0.0:0
7    udp    0.0.0.0:5246      0.0.0.0:0
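The two socket listings above are what an administrator reviews to see which services the Zyxel Device exposes. The following Python script is an added example, not part of the Zyxel guide: it parses both listings (re-typed here as constructed input, one row per line), separates loopback-only sockets from those bound to all interfaces, and flags cleartext management services. The port-to-service names are conventional IANA assignments and the review policy is an assumption; the guide does not say which service owns each port.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: the two listings from this chapter, one table row per line.
LISTEN_SAMPLE = """\
Router(config)# show socket listen
No. Proto Local_Address Foreign_Address State
===========================================================================
1 tcp 0.0.0.0:80 0.0.0.0:0 LISTEN
2 tcp 192.168.1.245:53 0.0.0.0:0 LISTEN
3 tcp 127.0.0.1:53 0.0.0.0:0 LISTEN
4 tcp 0.0.0.0:21 0.0.0.0:0 LISTEN
5 tcp 0.0.0.0:22 0.0.0.0:0 LISTEN
6 tcp 127.0.0.1:953 0.0.0.0:0 LISTEN
"""
OPEN_SAMPLE = """\
Router(config)# show socket open
No. Proto Local_Address Foreign_Address State
===========================================================================
1 udp 0.0.0.0:1812 0.0.0.0:0
2 udp 0.0.0.0:1814 0.0.0.0:0
3 udp 0.0.0.0:161 0.0.0.0:0
4 udp 172.23.26.245:53 0.0.0.0:0
5 0.0.1:53 0.0.0.0:0
6 udp 0.0.0.0:43386 0.0.0.0:0
7 udp 0.0.0.0:5246 0.0.0.0:0
"""

# No. Proto Local_Address:port Foreign_Address [State]
ROW = re.compile(r"^\s*(\d+)\s+(tcp|udp)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Assumption: conventional IANA port assignments, not taken from the guide.
SERVICES = {
    ("tcp", 21): "ftp", ("tcp", 22): "ssh", ("tcp", 23): "telnet",
    ("tcp", 53): "dns", ("tcp", 80): "http", ("tcp", 443): "https",
    ("udp", 53): "dns", ("udp", 161): "snmp", ("udp", 1812): "radius",
    ("udp", 5246): "capwap-control",
}
# Assumption: a hypothetical review policy for cleartext management services.
REVIEW = {
    ("tcp", 21): "FTP sends credentials and files unencrypted",
    ("tcp", 23): "Telnet sends credentials unencrypted",
    ("tcp", 80): "HTTP management traffic is unencrypted",
    ("udp", 161): "SNMP v1/v2c community strings are unencrypted",
}


@dataclass(frozen=True)
class Socket:
    proto: str
    address: str
    port: int
    state: str

    @property
    def scope(self):
        ip = ipaddress.ip_address(self.address)
        if ip.is_loopback:
            return "loopback"
        return "all-interfaces" if ip.is_unspecified else "single-address"

    @property
    def service(self):
        return SERVICES.get((self.proto, self.port), "unknown")


def parse_sockets(text):
    """Return (sockets, unparsed_rows); damaged rows are reported, not guessed."""
    sockets, unparsed = [], []
    for line in text.splitlines():
        if not re.match(r"\s*\d", line):
            continue  # prompt, column header or separator
        match = ROW.match(line)
        try:
            if match is None:
                raise ValueError("row does not fit the table layout")
            ipaddress.ip_address(match.group(3))
        except ValueError:
            unparsed.append(line.strip())
            continue
        sockets.append(Socket(match.group(2), match.group(3),
                              int(match.group(4)), match.group(6) or ""))
    return sockets, unparsed


def findings(sockets):
    """Sockets reachable from the network that match the review policy."""
    return [(s, REVIEW[(s.proto, s.port)]) for s in sockets
            if (s.proto, s.port) in REVIEW and s.scope != "loopback"]


def unidentified(sockets):
    """Network-reachable sockets whose port has no entry in SERVICES."""
    return [s for s in sockets if s.service == "unknown" and s.scope != "loopback"]


if __name__ == "__main__":
    for name, sample in (("listen", LISTEN_SAMPLE), ("open", OPEN_SAMPLE)):
        socks, bad = parse_sockets(sample)
        print(f"== show socket {name}: {len(socks)} rows parsed ==")
        for s, why in findings(socks):
            print(f"REVIEW  {s.proto}/{s.port} ({s.service}, {s.scope}): {why}")
        for s in unidentified(socks):
            print(f"UNKNOWN {s.proto}/{s.port} on {s.address}")
        for row in bad:
            print(f"SKIPPED damaged row: {row!r}")
```

Row 5 of the `show socket open` listing lacks its protocol field on this page, so the parser reports it as skipped rather than assigning it a protocol.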
Here are examples of the commands that display the system uptime and model, firmware, and build information.
Router> show system uptime
system uptime: 04:18:00
Router> show version
Zyxel Communications Corp.
model : WAX650S
firmware version: 6.55(ABRM.0)b2
BM version : 1.13
build date : 2023-03-21 09:10:11
This example shows the current LED states on the Zyxel Device. The SYS LED is on and green.
Router> show led status
sys: green
Router>

CHAPTER 5

Object Reference

This chapter describes how to use object reference commands.

5.1 Object Reference Commands

The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
Table 13 show reference Commands
COMMAND                                                       DESCRIPTION
show reference object username [username]                     Displays which configuration settings reference the specified user object.
show reference object aaa authentication [default | profile]  Displays which configuration settings reference the specified AAA authentication object.
show reference object ca category {local|remote} [cert_name]  Displays which configuration settings reference the specified authentication method object.
show reference object [wlan-radio-profile]                    Displays the specified radio profile object.
show reference object [wlan-ssid-profile]                     Displays the specified SSID profile object.
show reference object [wlan-security-profile]                 Displays the specified security profile object.
show reference object [wlan-macfilter-profile]                Displays the specified MAC filter profile object.
5.1.1 Object Reference Command Example
This example shows the names of the WLAN profiles and which security profile each is set to use.
Router(config)# show reference object aaa authentication default
References:
Category               Rule Priority  Rule Name  Description
===========================================================================
WLAN Profile SECURITY  1              default    N/A
WWW                    N/A            N/A        N/A
CHAPTER 6

Interfaces

This chapter shows you how to use interface-related commands.

6.1 Interface Overview

In general, an interface has the following characteristics.
• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
• Many interfaces can share the same physical port.
Some characteristics do not apply to some types of interfaces.

6.2 Interface General Commands Summary

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 14 Input Values for General Interface Commands
LABEL            DESCRIPTION
interface_name   The name of the interface.
                 Ethernet interface: gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your Zyxel Device model.
                 VLAN interface: vlanx, x = 0 - 511
domain_name      Fully-qualified domain name. You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
The following sections introduce commands that are supported by several types of interfaces.
6.2.1 Basic Interface Properties and IP Address Commands
This table lists basic properties and IP address commands.
Table 15 interface General Commands: Basic Properties and IP Address Assignment
COMMAND
    DESCRIPTION
capwap ap vlan vlan-id <1..4094> <tag|untag>
    When the Zyxel Device is in managed AP mode, this sets the AP’s VLAN identification number and sets it to send tagged or untagged packets.
interface-name {bridge_interface} user_defined_name
    Specifies a name for a bridge interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
    ethernet_interface: This must be the system name of a bridge interface. Use the show interface-name command to see the system name of interfaces.
    user_defined_name:
    • This name cannot be one of the following: "ethernet", "ppp", "vlan", "bridge", "virtual", "wlan", "cellular", "aux", "tunnel", "status", "summary", "all"
    • This name cannot begin with one of the following either: "ge", "ppp", "vlan", "wlan-", "br", "cellular", "aux", "tunnel".
interface-rename old_user_defined_name new_user_defined_name
    Modifies the user-defined name of an Ethernet interface.
interface send statistics interval <15..3600>
    Sets how often the Zyxel Device sends interface statistics to external servers. For example, a syslog server.
[no] interface interface_name
    Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface.
[no] description description
    Specifies the description for the specified interface. The no command clears the description.
    description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
[no] downstream <0..1048576>
    This is reserved for future use.
    Specifies the downstream bandwidth for the specified interface. The no command sets the downstream bandwidth to 1048576.
exit
    Leaves the sub-command mode.
[no] ip address dhcp
    Makes the specified interface a DHCP client; the DHCP server gives the specified interface its IP address, subnet mask, and gateway. The no command makes the IP address a static IP address for the specified interface. (See the next command to set this IP address.)
[no] ip address ip subnet_mask
    Assigns the specified IP address and subnet mask to the specified interface. The no command clears the IP address and the subnet mask.
Table 15 interface General Commands: Basic Properties and IP Address Assignment (continued)
COMMAND
    DESCRIPTION
[no] ip gateway ip
    Adds the specified gateway using the specified interface. The no command removes the gateway.
ip gateway ip metric <0..15>
    Sets the priority (relative to every gateway on every interface) for the specified gateway. The lower the number, the higher the priority.
[no] metric <0..15>
    Sets the interface’s priority relative to other interfaces. The lower the number, the higher the priority.
[no] mss <536..1460>
    Specifies the maximum segment size (MSS) the interface is to use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece. The no command has the interface use its default MSS.
[no] mtu <576..1500>
    Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The Zyxel Device divides larger packets into smaller fragments. The no command resets the MTU to 1500.
[no] shutdown
    Deactivates the specified interface. The no command activates it.
traffic-prioritize {tcp-ack|dns} bandwidth <0..1048576> priority <1..7> [maximize-bandwidth-usage];
    Applies traffic priority when the interface sends TCP-ACK traffic, or traffic for resolving domain names. It also sets how much bandwidth the traffic can use and can turn on maximize bandwidth usage.
traffic-prioritize {tcp-ack|dns} deactivate
    Turns off traffic priority settings for when the interface sends the specified type of traffic.
[no] upstream <0..1048576>
    Specifies the upstream bandwidth for the specified interface. The no command sets the upstream bandwidth to 1048576.
manager ap vlan vlan-id <1..4094> <tag|untag>
    When the Zyxel Device is in standalone or cloud management mode, this sets the AP’s VLAN identification number and sets it to send tagged or untagged packets.
manager ap vlan ip address [ip subnet_mask | dhcp]
    Sets the management IPv4 address for the Zyxel Device.
manager ap vlan [no] ipv6 address ipv6_addr/prefix
    Sets the IPv6 address and the prefix length for the LAN interface of the Zyxel Device.
    The no command removes the IPv6 address settings.
manager ap vlan [no] ipv6 dhcp6 {address-request | client}
    Set the Zyxel Device to act as a DHCPv6 client or get this interface’s IPv6 address from a DHCPv6 server.
    The no command sets the Zyxel Device to not get this interface’s IPv6 address from the DHCPv6 server.
Table 15 interface General Commands: Basic Properties and IP Address Assignment (continued)
COMMAND
    DESCRIPTION
manager ap vlan [no] ipv6 dhcp6-request-object dhcp6_profile
    For a DHCPv6 client interface, sets the profile of DHCPv6 request settings that determine what additional information to get from the DHCPv6 server.
    The no command removes the DHCPv6 request settings profile.
manager ap vlan [no] ipv6 enable
    Enables IPv6 stateless auto-configuration on the Zyxel Device. The Zyxel Device will generate an IPv6 address itself from a prefix obtained from an IPv6 router in the network.
    The no command disables IPv6 stateless auto-configuration.
manager ap vlan [no] ipv6 gateway ipv6_addr
    Sets the IPv6 address of the default outgoing gateway.
    The no command removes the IPv6 gateway settings.
manager ap vlan [no] ipv6 nd ra accept
    Sets the IPv6 interface to accept IPv6 neighbor discovery router advertisement messages.
    The no command sets the IPv6 interface to discard IPv6 neighbor discovery router advertisement messages.
manager ap vlan [no] ip gateway ip
    Sets the manager gateway address. The no command removes the gateway.
show interface {ethernet | vlan} status
    Displays the connection status of the specified type of interfaces.
show interface {interface_name | ethernet | vlan | bridge | all}
    Displays information about the specified interface, specified type of interfaces, or all interfaces.
show interface send statistics interval
    Displays the interval for how often the Zyxel Device refreshes the sent packet statistics for the interfaces.
show interface summary all
    Displays basic information about the interfaces.
show interface summary all status
    Displays the connection status of the interfaces.
show interface-name
    Displays all Ethernet interface system name and user-defined name mappings.
show ipv6 interface {interface_name | ethernet |vlan | bridge | all}
    Displays information about the specified IPv6 interface, specified type of IPv6 interfaces, or all IPv6 interfaces.
show ipv6 nd ra status interface_name
    Displays the specified IPv6 interface’s IPv6 router advertisement configuration.
show ipv6 static address interface interface_name
    Displays the static IPv6 addresses configured on the specified IPv6 interface.
6.2.1.1 Basic Interface Properties Command Examples
Use these commands to set LAN settings. Use manager ap vlan ip address to set the LAN interface to use a static IP address or DHCP (Dynamic Host Configuration Protocol). If you set an attribute twice, the latter setting overrides the previous one.
The following example shows how to check the Internet interface status, including the current IP address used.
Router(config)# show interface all
No.  Name      Status  IP Address    Mask           IP Assignment
==========================================================================
2    lan       Up      123.45.67.89  255.255.252.0  DHCP client
3    wlan-1    n/a     n/a           n/a            n/a
4    wlan-1-1  Up      0.0.0.0       0.0.0.0        static
5    wlan-1-2  Up      0.0.0.0       0.0.0.0        static
The following commands configure the LAN Ethernet interface to use IP address 1.1.1.1, netmask 255.255.255.0, and gateway address 1.2.3.4.
Router(config)# manager ap vlan ip address 1.1.1.1 255.255.255.0
Router(config)# manager ap vlan ip gateway 1.2.3.4
The following command makes the LAN Ethernet interface a DHCP client. A DHCP client (your Zyxel Device) uses the IP address dynamically assigned by a DHCP server. Use this command to have the LAN Ethernet interface use a dynamic IP address.
Router(config)# manager ap vlan ip address dhcp
A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical networks. You can assign a VLAN Id for the Zyxel Device to be the management VLAN Id. The Zyxel Device only handles packets from the Ethernet port tagged with the same VLAN ID (management VLAN Id). Specify untag if you want the Zyxel Device to send outgoing packets tagged with VLAN Id through the Ethernet port.
Note: Mis-configuring the management VLAN settings in your Zyxel Device can make it inaccessible. If this happens, you’ll have to reset the Zyxel Device.
This example sets the LAN Ethernet interface’s management VLAN Id to 100, untagged.
Router(config)# manager ap vlan vlan-id 100 untag

6.3 Port Commands

This section covers commands that are specific to ports.
Note: In CLI, representative interfaces are also called representative ports.
Table 16 Basic Interface Setting Commands
COMMAND
    DESCRIPTION
no port <1..x>
    Removes the specified physical port from its current representative interface and adds it to its default representative interface (for example, port x --> gex).
port status port_name
    Enters a sub-command mode to configure the specified port’s settings.
    port_name: The name of the Ethernet port. UPLINK, or lanx, x = 1-N, where N equals the highest numbered Ethernet LAN interface for your Zyxel Device model.
[no] duplex <full | half>
    Sets the port’s duplex mode. The no command returns the default setting.
exit
    Leaves the sub-command mode.
[no] negotiation auto
    Sets the port to use auto-negotiation to determine the port speed and duplex. The no command turns off auto-negotiation.
[no] speed <10, 100, 1000, 2500, 5000, 10000>
    Sets the Ethernet port’s connection speed in Mbps. The no command returns the default setting.
    Not all Zyxel Device models support the 2500, 5000, 10000 Mbps connection speeds. See the product specification of your Zyxel Device for the supported connection speed.
show port setting
    Displays the Ethernet port negotiation, duplex, and speed settings.
show port status
    Displays statistics for the Ethernet ports.
show port type
    Displays the type of cable connection for each physical interface on the device.
show manager vlan
    Displays the LAN interface’s management interface settings.
6.3.1 Port Command Examples
The following example shows port status.
Router# show port status
Port  Status      TxPkts  RxPkts  TxBcast  RxBcast  Colli.  TxB/s  RxB/s  Up Time   PVID
===============================================================================
1     1000M/Full  465     5452    411      2647     0       812    612    00:13:28  1
2     Down        0       0       0        0        0       0      0      00:00:00  1
3     Down        0       0       0        0        0       0      0      00:00:00  1
4     Down        0       0       0        0        0       0      0      00:00:00  1
Router#
The following example shows port settings.
Router(config)# show port setting
Port  Negotiation  Duplex  Speed  EEE
===============================================================================
1     auto         full    1000   no
The following example shows LAN settings.
Router(config)# show manager vlan
Management Interface:
VLAN ID: 100
VLAN Tag: untag
IP Status: static
IP Address: 192.168.1.2
Mask: 255.255.255.0
Gateway: 0.0.0.0
The following example shows each port’s type of cable connection.
Router(config)# show port type
Port  Type
===========================================================================
1     Copper
CHAPTER 7

Storm Control

This chapter shows you how to configure the traffic storm control settings on the Zyxel Device. Check the feature comparison table in Section 1.2 on page 12 to see if your Zyxel Device model supports the Storm Control feature.

7.1 Overview

Traffic storm control limits the number of broadcast and/or multicast packets the Zyxel Device receives on the ports. When the maximum number of allowable broadcast and/or multicast packets is reached, the subsequent packets are discarded. Enable this feature to reduce broadcast and/or multicast packets in your network.

7.2 Storm Control Commands

The following table describes the commands available for storm control. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 17 Command Summary: Storm Control
COMMAND
    DESCRIPTION
storm-control ethernet
    Enters a sub-command mode to configure the Zyxel Device’s storm control settings.
[no] broadcast
    Enables or disables broadcast storm control, which drops broadcast packets from ingress traffic if the traffic rate exceeds the configured maximum rate.
broadcast pps <1..10000>
    Sets the maximum rate for broadcast traffic before storm control starts dropping broadcast packets.
[no] multicast
    Enables or disables multicast storm control, which drops multicast packets from ingress traffic if the traffic rate exceeds the configured maximum rate.
multicast pps <1..10000>
    Sets the maximum rate for multicast traffic before storm control starts dropping multicast packets.
no storm-control ethernet
    Disables broadcast/multicast storm control on the Zyxel Device.
show storm-control ethernet
    Displays storm control settings on all Zyxel Device ports.
show storm-control port_name
    Displays storm control settings on the specified port.
    port_name: The name of the Ethernet port. UPLINK or lanx, x = 1-N, where N equals the highest numbered Ethernet LAN interface for your Zyxel Device model.
7.2.1 Storm Control Command Examples
The following example shows you how to enable broadcast storm control on the Zyxel Device.
Router# configure terminal
Router(config)# storm-control ethernet
Router(storm-control)# broadcast
Router(storm-control)# exit
Router(config)#
The following example shows you how to display the uplink port’s storm control settings. The way data is displayed may vary slightly for different models.
Router# configure terminal
Router(config)# show storm-control UPLINK
Port: UPLINK
Storm Type 1: Multicast
Storm Suppression: Disable
Storm Type 2: Broadcast
Storm Suppression: Enable
Rate Type: pps
Rate: 100
Storming: No
Last Suppression Time: N/A
Last Recovery Time: N/A
Router(config)#
Router# configure terminal
Router(config)# show storm-control UPLINK
Port: UPLINK
Storm Type 1: Multicast
Storm Suppression: Disable
Rate Type: pps
Rate: 100
Storming: N/A
Last Suppression Time: N/A
Last Recovery Time: N/A
Storm Type 2: Broadcast
Storm Suppression: Enable
Rate Type: pps
Rate: 100
Storming: No
Last Suppression Time: N/A
Last Recovery Time: N/A
Router(config)#
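Because the `show storm-control` layout differs between models, a configuration check has to read each "Storm Type" section on its own terms. The following Python script is an added example, not part of the Zyxel guide: it parses both layouts shown above (re-typed here as constructed input, one field per line) and checks them against a baseline. The baseline itself (which storm types must be suppressed, and the `max_pps` ceiling) is a hypothetical policy, not a Zyxel recommendation.

```python
import re

# Constructed input: the two `show storm-control UPLINK` layouts from this
# section, with one "Field: value" pair per line.
LAYOUT_A = """\
Router(config)# show storm-control UPLINK
Port: UPLINK
Storm Type 1: Multicast
Storm Suppression: Disable
Storm Type 2: Broadcast
Storm Suppression: Enable
Rate Type: pps
Rate: 100
Storming: No
Last Suppression Time: N/A
Last Recovery Time: N/A
"""
LAYOUT_B = """\
Router(config)# show storm-control UPLINK
Port: UPLINK
Storm Type 1: Multicast
Storm Suppression: Disable
Rate Type: pps
Rate: 100
Storming: N/A
Last Suppression Time: N/A
Last Recovery Time: N/A
Storm Type 2: Broadcast
Storm Suppression: Enable
Rate Type: pps
Rate: 100
Storming: No
Last Suppression Time: N/A
Last Recovery Time: N/A
"""


def parse_storm_control(text):
    """Return (port, {storm_type: {field: value}}) for one port's output.

    Each "Storm Type N:" line opens a new section, so a field is never
    credited to the wrong storm type when a model omits some fields.
    """
    port, section, types = None, None, {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # CLI prompt or blank line
        key, value = key.strip(), value.strip()
        if key == "Port":
            port = value
        elif re.fullmatch(r"Storm Type \d+", key):
            section = types.setdefault(value.lower(), {})
        elif section is not None:
            section[key] = value
    return port, types


def check(text, required=("broadcast",), max_pps=10000):
    """Compare parsed output with a baseline (hypothetical policy values)."""
    port, types = parse_storm_control(text)
    problems = []
    for name in required:
        cfg = types.get(name)
        if cfg is None:
            problems.append(f"{port}: no {name} section in output")
        elif cfg.get("Storm Suppression") != "Enable":
            state = cfg.get("Storm Suppression", "missing")
            problems.append(f"{port}: {name} suppression is {state}")
        elif cfg.get("Rate Type") != "pps" or not cfg.get("Rate", "").isdigit():
            problems.append(f"{port}: {name} rate not reported in pps")
        elif int(cfg["Rate"]) > max_pps:
            problems.append(
                f"{port}: {name} rate {cfg['Rate']} pps exceeds limit {max_pps}")
    return problems


if __name__ == "__main__":
    for label, sample in (("layout A", LAYOUT_A), ("layout B", LAYOUT_B)):
        issues = check(sample, required=("broadcast", "multicast"))
        print(label, "->", issues or "meets baseline")
```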
CHAPTER 8

NCC Discovery

This chapter shows you how to configure the NCC discovery and proxy server settings on the Zyxel Device.

8.1 Overview

If your Zyxel Device can be managed through the Zyxel Nebula Control Center (NCC) and is behind a proxy server, you will need to enable NCC discovery and configure the proxy server settings so that the Zyxel Device can access the NCC through the proxy server.

8.2 NCC Discovery Commands

The following table describes the commands available for NCC discovery and proxy server. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 18 Command Summary: NCC Discovery
COMMAND
    DESCRIPTION
[no] netconf inactivate
    Turns off NCC discovery on the Zyxel Device. If NCC discovery is disabled, the Zyxel Device will not discover the NCC and will remain in standalone AP mode.
    The no command turns on NCC discovery. The Zyxel Device will try to discover the NCC and go into cloud management mode when it is connected to the Internet and NCC, and has been registered in the NCC.
[no] netconf proxy
    Sets the Zyxel Device to access the NCC through the specified proxy server.
    The no command sets the Zyxel Device to not access the NCC through the specified proxy server.
netconf proxy server {ip|host_name}
    Sets the IP address or URL of the proxy server.
netconf proxy port <1..65535>
    Sets the service port number used by the proxy server.
[no] netconf proxy-auth
    Turns on proxy authentication. The no command turns it off.
    Enable this if the proxy server requires authentication before it grants access to the Internet.
netconf proxy-auth username username {password|encrypted-password} {password|ciphertext}
    Sets your proxy user name and password.
show netconf proxy status
    Displays the proxy server settings.
show netconf status
    Displays whether NCC discovery is enabled or not on the Zyxel Device.
show nebula ntp status
    Displays the Internet connection status, NTP update status and fail messages if the connection fails.
show nebula cloud status
    Displays the Zyxel Device’s connection status with NCC and fail messages if the connection fails.
show nebula claim status
    Displays the Zyxel Device’s registration status on NCC and fail messages if the connection fails.
8.2.1 NCC Discovery Command Example
The Zyxel Device will go to cloud management mode when it is connected to the Internet and NCC. Make sure you've registered your Zyxel Device on NCC.
The following example shows you how to enable NCC discovery and check the Zyxel Device NCC status.
Router# configure terminal
Router(config)# no netconf inactivate
Router(config)#
Router(config)# show nebula ntp status
Nebula NTP status : success
Nebula NTP reason : NTP update succeeded
Router(config)#
Router(config)# show nebula cloud status
Nebula Cloud status : success
Nebula Cloud reason : The device is connected to Nebula
Router(config)#
Router(config)# show nebula claim status
Nebula Claim status : fail
Nebula Claim reason : Not registered yet, next try in 1495 seconds
The following example shows proxy server settings.
Router> show netconf proxy status
active: yes
proxy server: 172.16.15.253
proxy port: 8080
proxy-auth active: yes
proxy-auth username: Joseph
proxy-auth encrypted-password: $4$hT65kQTR$Uh8lp5zfcP7vEfm
O97C5MJ6U1B47M3DIiPvb6GcrPK2kEo3R7PTChiVWl7rRi+xr0xhg8DsdTPU$
Router>
CHAPTER 9

Users

This chapter describes how to set up user accounts and user settings for the Zyxel Device. You can also set up rules that control when users have to log in to the Zyxel Device before the Zyxel Device routes traffic for them.

9.1 User Account Overview

A user account defines the privileges of a user logged into the Zyxel Device. User accounts are used in firewall rules and application patrol, in addition to controlling access to configuration and services in the Zyxel Device.

9.1.1 User Types

These are the types of user accounts the Zyxel Device uses.

Table 19 Types of User Accounts

TYPE
  ABILITIES
  LOGIN METHOD(S)

Admin Users

admin
  Abilities: Modify Zyxel Device configuration (web, CLI)
  Login method(s): WWW, SSH, FTP, Console

limited-admin
  Abilities: Verify Zyxel Device configuration (web, CLI); perform basic diagnostics (CLI)
  Login method(s): WWW, SSH, Console

Access Users

user
  Abilities: Used for the embedded RADIUS server and SNMPv3 user access; browse user-mode commands (CLI)

9.2 User Commands Summary

The following table identifies the values required for many username commands. Other input values are discussed with the corresponding commands.

Table 20 user Command Input Values

LABEL
  DESCRIPTION

username
  The name of the user (account). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive and must be unique.

The following sections list the username commands.
9.2.1 Username and User Commands
The first table lists the commands for users.

Table 21 username Commands Summary: Users

COMMAND
  DESCRIPTION

show username [username]
  Displays information about the specified user or about all users set up in the Zyxel Device.

username username nopassword user-type {admin | guest | limited-admin | user}
  Creates a user with the specified type and username, and no password.
  If the user already exists, this command removes the user’s password and changes the user type.

username username password password user-type {admin | guest | limited-admin | user}
  Creates a user with the specified user type, username, and password.
  If the user already exists, this command changes the user’s type and password.
  password: Use 1-63 printable ASCII characters, except double quotation marks (") and question marks (?).

username username logon-due-time time
  time: HH:MM in 24-hour time format.

username username encrypted-password <ciphertext> user-type {admin | guest | limited-admin | user}
  Sets a user account password by ciphertext.

username username nopassword user-type {admin | guest | guest-manager | limited-admin | user}
  Creates a user with the specified type and username, and no password.
  If the user already exists, this command removes the user’s password and changes the user type.

username username password password user-type {admin | guest | limited-admin | user}
  Creates a user with the specified user type, username, and password.
  If the user already exists, this command changes the user’s type and password.
  password: Use 1-63 printable ASCII characters, except double quotation marks (") and question marks (?).

username username user-type ext-user
  Creates the specified user (if it does not already exist) and sets the user type to Ext-User.

no username username
  Deletes the specified user.

username rename username username
  Renames the specified user (first username) to the specified username (second username).

username username [no] description description
  Sets the description for the specified user. The no command clears the description.
  description: Use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
username username encrypted-password <password>
  Sets a user account password by ciphertext. Normally you would use username password <clear text> to set the password. In special cases (for GUI apply), you can use username encrypted-password <ciphertext> to set the password.

username username logon-time-setting <default | manual>
  Sets the account to use the factory default lease and reauthentication times or custom ones.

username username [no] logon-lease-time <0..1440>
  Enter the number of minutes the user has to renew the current session before the user is logged out.
  • You can specify 1 to 1440 minutes.
  • Specify 0 to make the number of minutes unlimited.
  • The no command sets the lease time to five minutes, regardless of the current default setting for new users.

username username [no] logon-re-auth-time <0..1440>
  Enter the maximum number of minutes the user can be logged in to the Zyxel Device before the user is logged out.
  • You can specify 1 to 1440 minutes.
  • Specify 0 to make the number of minutes unlimited.
  • The no command sets the reauthorization time to five minutes, regardless of the current default setting for new users.

9.2.2 User Setting Commands

This table lists the commands for user settings.

Table 22 users Commands Summary: Settings

COMMAND
  DESCRIPTION

show users default-setting user-type {admin | limited-admin | guest | ext-user | user}
  Displays the default lease and reauthentication times for the specified type of user accounts.

show users default-setting all
  Displays the default lease and reauthentication times for all types of user account.

users default-setting [no] logon-lease-time <0..1440>
  Sets the default lease time (in minutes) for each new user. Set it to zero to set unlimited lease time. The no command sets the default lease time to five.

users default-setting [no] logon-re-auth-time <0..1440>
  Sets the default reauthorization time (in minutes) for each new user. Set it to zero to set unlimited reauthorization time. The no command sets the default reauthorization time to thirty.

users default-setting [no] user-type <admin | limited-admin>
  Sets the default user type for each new user. The no command sets the default user type to user.

[no] password complexity-verify
  Enforces a complex user password consisting of at least 8 characters and at most 64. The password must have:
  • At least 1 upper case letter.
  • At least 1 lower case letter.
  • At least 1 number.
  • At least 1 special character from the keyboard, such as `~!@#$%^&*()_+={}|;:'<,>./\"-

show password complexity-verify status
  Displays if the password complexity rule is enabled.

show users retry-settings
  Displays the current retry limit settings for users.

[no] users retry-limit
  Enables the retry limit for users. The no command disables the retry limit.

[no] users retry-count <1..99>
  Sets the number of failed login attempts a user can have before the account or IP address is locked out for lockout-period minutes. The no command sets the retry-count to five.

[no] users lockout-period <1..65535>
  Sets the amount of time, in minutes, a user or IP address is locked out after retry-count number of failed login attempts. The no command sets the lockout period to thirty minutes.

show users simultaneous-logon-settings
  Displays the current settings for simultaneous logins by users.

[no] users simultaneous-logon {administration | access} enforce
  Enables the limit on the number of simultaneous logins by users of the specified account-type. The no command disables the limit, or allows an unlimited number of simultaneous logins.

[no] users simultaneous-logon {administration | access} limit <1..1024>
  Sets the limit for the number of simultaneous logins by users of the specified account-type. The no command sets the limit to one.
9.2.2.1 User Setting Command Examples
The following commands show the current settings for the number of simultaneous logins.
Router# configure terminal
Router(config)# show users simultaneous-logon-settings
enable simultaneous logon limitation for administration account: no
maximum simultaneous logon per administration account : 1
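The username and password rules in Tables 20 to 22 overlap in ways that are easy to miss: the complexity rule allows 64 characters and lists the double quotation mark as a special character, while the password parameter accepts at most 63 characters and rejects it. The following check is an added example, not part of the Zyxel guide; it assumes that "printable ASCII" means 0x20-0x7E and that the special characters quoted in Table 22 are the complete set.

```python
"""Pre-flight check for the values passed to `username <name> password <password>`."""
import string

USERNAME_CHARS = set(string.ascii_letters + string.digits + "_-")
# Characters the `password` parameter rejects (Table 21).
CLI_FORBIDDEN = set('"?')
# Special characters quoted in the `password complexity-verify` row (Table 22).
# The guide introduces them with "such as", so treating the list as complete
# is an assumption of this example.
COMPLEXITY_SPECIALS = set("`~!@#$%^&*()_+={}|;:'<,>./\\\"-")


def check_username(name, existing=()):
    """Return the Table 20 rules that `name` breaks (empty list = acceptable)."""
    problems = []
    if not 1 <= len(name) <= 31:
        problems.append("length must be 1-31 characters")
    if any(ch not in USERNAME_CHARS for ch in name):
        problems.append("only alphanumerics, '_' and '-' are allowed")
    if name[:1].isdigit():
        problems.append("first character cannot be a number")
    if name in existing:  # exact match: the value is case-sensitive
        problems.append("name is already in use")
    return problems


def check_password(password, complexity=True):
    """Return the rules `password` breaks for the CLI and, optionally, complexity-verify."""
    problems = []
    if not 1 <= len(password) <= 63:
        problems.append("CLI accepts 1-63 characters")
    # Assumption: "printable ASCII" means 0x20-0x7E.
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in password):
        problems.append("only printable ASCII is allowed")
    forbidden = sorted(set(password) & CLI_FORBIDDEN)
    if forbidden:
        problems.append("CLI rejects " + " ".join(forbidden))
    if complexity:
        if not 8 <= len(password) <= 64:
            problems.append("complexity rule needs 8-64 characters")
        classes = {
            "an upper case letter": string.ascii_uppercase,
            "a lower case letter": string.ascii_lowercase,
            "a number": string.digits,
            "a special character": COMPLEXITY_SPECIALS,
        }
        for label, members in classes.items():
            if not any(ch in members for ch in password):
                problems.append("missing " + label)
    return problems


if __name__ == "__main__":
    # Constructed candidates, chosen to hit one rule each.
    for candidate in ("Wlan-Ops#2023", 'Wlan"Ops1', "Wlanops1?", "Sh0rt!"):
        print(repr(candidate), check_password(candidate) or "ok")
```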
9.2.3 Additional User Commands
This table lists additional commands for users.

Table 23 users Commands Summary: Additional

COMMAND
  DESCRIPTION

show users {username | all | current}
  Displays information about the users logged onto the system.

show lockout-users
  Displays users who are currently locked out.

unlock lockout-users ip | console
  Unlocks the specified IP address.

users force-logout ip | username
  Logs out the specified logins.

9.2.3.1 Additional User Command Examples

The following commands display the users that are currently logged in to the Zyxel Device and force the logout of all logins from a specific IP address.

Router# configure terminal
Router(config)# show users all
No. Name  Type  From          Service    Session Time Idle Time Lease Timeout Re-Auth. Timeout
===============================================================================
1   admin admin 172.17.16.101 http/https 04:31:01     unlimited unlimited     unlimited
2   admin admin console       console    04:23:51     unlimited unlimited     unlimited
Router(config)# users force-logout 172.17.16.101
Logout user 'admin'(from 172.17.16.101): OK
Total 1 user has been forced logout
Router(config)# show users all
No. Name  Type  From          Service    Session Time Idle Time Lease Timeout Re-Auth. Timeout
===============================================================================
1   admin admin console       console    04:24:55     unlimited unlimited     unlimited

The following commands display the users that are currently locked out and then unlock the user who is displayed.

Router# configure terminal
Router(config)# show lockout-users
No.  Username  Tried From  Lockout Time Remaining
===========================================================================
No.  From          Failed Login Attempt  Record Expired Timer
===========================================================================
1    172.17.13.60  2                     46
Router(config)# unlock lockout-users 172.17.13.60
User from 172.17.13.60 is unlocked
Router(config)# show lockout-users
No.  Username  Tried From  Lockout Time Remaining
===========================================================================
No.  From          Failed Login Attempt  Record Expired Timer
===========================================================================
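The session table printed by show users all can be reviewed automatically before deciding whether users force-logout or a simultaneous-logon limit is needed. The following script is an added example, not part of the Zyxel guide; the management network list is a hypothetical allow-list, and the third sample row is constructed.

```python
"""Audit `show users all` output for admin sessions that deserve a second look."""
import ipaddress

# Constructed sample: rows 1-2 copy the session table shown above, row 3 is invented.
SAMPLE = """\
No. Name  Type  From          Service    Session Time Idle Time Lease Timeout Re-Auth. Timeout
===============================================================================
1   admin admin 172.17.16.101 http/https 04:31:01     unlimited unlimited     unlimited
2   admin admin console       console    04:23:51     unlimited unlimited     unlimited
3   admin admin 192.168.1.50  http/https 00:12:40     unlimited unlimited     unlimited
"""

FIELDS = ("name", "type", "origin", "service",
          "session_time", "idle_time", "lease_timeout", "reauth_timeout")
ADMIN_TYPES = {"admin", "limited-admin"}


def parse_sessions(text):
    """Turn the table rows into dicts; headers, rulers and prompts are skipped."""
    sessions = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == len(FIELDS) + 1 and cols[0].isdigit():
            sessions.append(dict(zip(FIELDS, cols[1:])))
    return sessions


def audit(sessions, mgmt_networks):
    """Return (subject, finding) tuples for sessions worth reviewing."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings, origins = [], {}
    for s in sessions:
        origins.setdefault(s["name"], set()).add(s["origin"])
        if s["origin"] == "console":
            continue  # local serial port, not a network login
        who = "%s@%s" % (s["name"], s["origin"])
        try:
            addr = ipaddress.ip_address(s["origin"])
        except ValueError:
            findings.append((who, "origin is not an IP address"))
            continue
        if s["type"] in ADMIN_TYPES and not any(addr in n for n in nets):
            findings.append((who, "admin login from outside the management networks"))
        if "unlimited" in (s["lease_timeout"], s["reauth_timeout"]):
            findings.append((who, "network session has no lease or re-auth limit"))
    for name, seen in sorted(origins.items()):
        if len(seen) > 1:
            findings.append((name, "logged in from %d places at once" % len(seen)))
    return findings


if __name__ == "__main__":
    # 192.168.1.0/24 is a hypothetical management subnet.
    for subject, finding in audit(parse_sessions(SAMPLE), ["192.168.1.0/24"]):
        print("%-22s %s" % (subject, finding))
```

Each finding maps to a setting in this chapter: the lease and re-auth timers (logon-lease-time, logon-re-auth-time) and the simultaneous-logon limit for administration accounts.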
CHAPTER 10

AP Management

This chapter shows you how to configure wireless AP management options on your Zyxel Device.

10.1 AP Management Overview

The Zyxel Device supports CAPWAP. This is Zyxel’s implementation of the CAPWAP protocol (RFC 5415). The CAPWAP data flow is protected by Datagram Transport Layer Security (DTLS).
The Zyxel Device can be a standalone AP (default), or a CAPWAP managed AP.
The following figure illustrates a CAPWAP wireless network. The user (U) configures the AP controller (C), which then automatically updates the configurations of the managed APs (M1 ~ M4).
Figure 9 CAPWAP Network Example
CAPWAP Discovery and Management
The link between CAPWAP-enabled access points proceeds as follows:
1 An AP in managed AP mode joins a wired network (receives a dynamic IP address).
2 The AP sends out a discovery request, looking for a CAPWAP AP controller.
3 If there is an AP controller on the network, it receives the discovery request. If the AP controller is in Manual mode it adds the details of the AP to its Unmanaged Access Points list, and you decide which available APs to manage. If the AP controller is in Always Accept mode, it automatically adds the AP to its Managed Access Points list and provides the managed AP with default configuration information, as well as securely transmitting the DTLS pre-shared key. The managed AP is ready for association with WiFi clients.
Managed AP Finds the Controller
A managed Zyxel Device can find the controller in one of the following ways:
• Manually specify the controller’s IP address in the Web Configurator’s AC (AP Controller) Discovery screen or using the capwap ap ac-ip command.
• Get the controller’s IP address from a DHCP server with the controller’s IP address configured as option 138.
• Get the controller’s IP address from a DNS server SRV (Service) record.
• Broadcasting to discover the controller within the broadcast domain.
Note: The AP controller needs to have a static IP address. If it is a DHCP client, set the DHCP server to reserve an IP address for the AP controller.
CAPWAP and IP Subnets
By default, CAPWAP works only between devices with IP addresses in the same subnet.
However, you can configure CAPWAP to operate between devices with IP addresses in different subnets by doing the following.
• Activate DHCP. Your network’s DHCP server must support option 138 defined in RFC 5415.
• Configure DHCP option 138 with the IP address of the CAPWAP AP controller on your network.
DHCP Option 138 allows the CAPWAP management request (from the AP in managed AP mode) to reach the AP controller in a different subnet, as shown in the following figure.
Figure 10 CAPWAP and DHCP Option 138
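Because a managed AP trusts whatever controller address arrives in DHCP option 138, it is worth checking captured DHCP replies against the list of controllers you actually run. The following parser is an added example, not part of the Zyxel guide; it relies on option 138 carrying a list of 4-byte IPv4 addresses, the sample option bytes are constructed, and the approved list reuses the controller addresses from the capwap ap ac-ip example later in this chapter.

```python
"""Check which CAPWAP controllers a DHCP reply advertises in option 138."""
import ipaddress

OPT_PAD, OPT_END, OPT_CAPWAP_AC = 0, 255, 138

# Constructed DHCPv4 options fields (the bytes that follow the magic cookie).
GOOD_REPLY = bytes([53, 1, 5,                    # message type: ACK
                    1, 4, 255, 255, 255, 0,      # subnet mask (note the 0xFF bytes)
                    138, 8, 192, 168, 1, 1, 192, 168, 1, 2,
                    255])                        # end of options
ROGUE_REPLY = bytes([53, 1, 5, 138, 8, 192, 168, 1, 1, 10, 66, 0, 9, 255])
APPROVED = ("192.168.1.1", "192.168.1.2")


def iter_options(options):
    """Yield (code, value) pairs from a DHCPv4 options field."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            return
        if code == OPT_PAD:      # pad is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option %d has no length byte" % code)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        yield code, value
        i += 2 + length


def capwap_controllers(options):
    """Return the controller addresses from option 138, in the order listed."""
    controllers = []
    for code, value in iter_options(options):
        if code != OPT_CAPWAP_AC:
            continue
        if not value or len(value) % 4:
            raise ValueError("option 138 length must be a non-zero multiple of 4")
        controllers += [ipaddress.IPv4Address(value[j:j + 4])
                        for j in range(0, len(value), 4)]
    return controllers


def unexpected_controllers(options, approved):
    """Return advertised controllers that are not on the approved list."""
    allowed = {ipaddress.IPv4Address(a) for a in approved}
    return [ac for ac in capwap_controllers(options) if ac not in allowed]


if __name__ == "__main__":
    for label, reply in (("good", GOOD_REPLY), ("rogue", ROGUE_REPLY)):
        extra = unexpected_controllers(reply, APPROVED)
        print(label, [str(a) for a in capwap_controllers(reply)],
              "unexpected:", [str(a) for a in extra])
```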
Notes on CAPWAP
This section lists some additional features of Zyxel’s implementation of the CAPWAP protocol.
• When the AP controller uses its internal Remote Authentication Dial In User Service (RADIUS) server, managed APs also use the AP controller’s authentication server to authenticate WiFi clients.
• If a managed AP’s link to the AP controller is broken, the managed AP continues to use the wireless settings with which it was last provided.

10.2 AP Management Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 24 Input Values for General AP Management Commands

LABEL
  DESCRIPTION

ap_mac
  The Ethernet MAC address of the managed AP. Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.

slot_name
  The slot name for the AP’s on-board wireless LAN card. Use either slot1, slot2, or slot3.
  Note: The number of radio slots differs by model. See Section 1.2 on page 12 for the supported radio number.

profile_name
  The wireless LAN radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

ap_description
  The AP description. This is strictly used for reference purposes and has no effect on any other settings. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

sta_mac
  The Ethernet MAC address of the managed station (or WiFi client). Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.
The following table describes the commands available for AP management. You must use the configure terminal command to enter the configuration mode before you can use these commands. See Section 11.1 on page 69 for more information about WLAN profiles the radios use.

Table 25 Command Summary: AP Management

COMMAND
  DESCRIPTION

wlan slot_name
  Enters the sub-command mode for the specified radio on the Zyxel Device.

[no] activate
  Enables the specified radio. The no command disables the radio.

ap profile radio_profile_name
  Sets the radio (slot_name) to AP mode and assigns a created radio profile to the radio.

output-power power
  Sets the output power (between 0 to 30 dBm) for the specified radio.

repeater profile radio_profile_name
  Sets the specified radio (slot_name) to repeater mode and assigns a created radio profile to the radio.

rootap profile radio_profile_name
  Sets the specified radio (slot_name) to root AP mode and assigns a created radio profile to the radio.
ssid profile index ssid_profile_name
  Assigns an SSID profile to this radio. Requires an existing SSID profile.

wds_profile wds_profile_name
  Selects the WDS profile the radio (in repeater or root AP mode) uses to connect to a root AP or repeater.

wds_uplink {auto | manual bssid mac_address}
  Sets how the radio (in repeater mode) connects to a root AP or repeater.
  auto: to have the Zyxel Device automatically use the settings in the applied WDS profile to connect to a root AP or repeater.
  manual: to have the Zyxel Device connect to the root AP or repeater with the specified MAC address. You need to configure the MAC address of the root AP or repeater with which you want the Zyxel Device to associate.

wireless-bridge {enable | disable}
  Enables or disables wireless bridging on the specified radio (slot_name). The Zyxel Device must support LAN provision and the radio must be in repeater mode. VLAN and bridge interfaces are created automatically according to the LAN port’s VLAN settings.
  When wireless bridging is enabled, the Zyxel Device in repeater mode can still transmit data through its Ethernet port(s) after the WDS link is up. This allows you to extend your wired network to a new area wirelessly, when it is difficult to run cables to that area.
  The Zyxel Devices in the same WDS must use the same management VLAN ID.
  Traffic with VLAN ID tags can only pass through or go to the Zyxel Devices with the same VLAN ID tags. When you enable wireless bridge on the specified radio, make sure to set the same VLAN IDs for the devices in your network below:
  • Root AP.
  • Repeater AP.
  • Other Zyxel Devices the traffic might pass through.
  Note: Be careful to avoid bridge loops. A bridge loop occurs when there are two layer-2 paths between the same endpoints, causing broadcast packets to be sent back and forth indefinitely.

wireless-bridge vlan
  Enters the sub-command mode to configure wireless bridge VLAN ID table.

[no] vlanid <1..4094>
  Adds a VLAN ID to the wireless bridge VLAN ID table. The no command removes the specified VLAN ID from the wireless bridge VLAN ID table.

exit
  Exits the sub-command mode of wireless bridge VLAN configuration.

show wireless-bridge vlan table
  Displays the VLAN IDs you configured in the wireless bridge VLAN ID table.
COMMAND
show wireless-bridge port type
show wlan slot_name
show wlan slot_name detail
show wlan slot_name list all sta
show wlan country-code
show wlan channels {11A|11G}
show wlan channels {11A|11G|6G} [cw {20|20/40|20/40/80|20/40/80/160}] [country country_code] [indoor|outdoor|psc]

DESCRIPTION
Displays the Zyxel Device's type (indoor or outdoor) and number of Ethernet ports.
Displays if the Zyxel Device supports wireless bridge.
Displays the operating mode and profile settings for the specified radio.
Displays the SSID, MAC address, VLAN ID and security mode for the specified radio.
Displays statistics for the specified radio’s wireless traffic.
Displays the country code of the Zyxel Device.
Displays the channels available for the specified frequency band.
Displays the channels available for the specified frequency band, channel width, and/or country. You can also specify whether the channels are for indoor/outdoor use or PSCs (Preferred Scanning Channels).
Note: PSCs are for the 6 GHz band only.
At the time of writing, the available frequency bands are 11A (2.4 GHz), 11G (5 GHz), and 6G (6 GHz). See Section 1.2 on page 12 for your Zyxel Device supported frequency bands.

show wlan radio macaddr
  Displays the MAC address(es) assigned to the Zyxel Device’s radio(s).

show wireless-hal current channel
  Displays the channel number the Zyxel Device’s radio is using.

show wireless-hal station info
  Displays the connected station information of the Zyxel Device’s radio.

show wireless-hal station number
  Displays the number of WiFi clients that are currently connected to the Zyxel Device.

show wireless-hal statistic
  Displays the overall traffic information of the Zyxel Device’s radio.

show wireless-hal wds info {all | downlink | uplink}
  Displays the WDS traffic statistics between the Zyxel Device and a root AP or repeaters.
  Uplink refers to the WDS link from the repeaters to the root AP.
  Downlink refers to the WDS link from the root AP to the repeaters.

show wireless-hal wds interface {all | downlink | uplink}
  Displays status information for the WDS links.
  Uplink refers to the WDS link from the repeaters to the root AP.
  Downlink refers to the WDS link from the root AP to the repeaters.

show wireless-hal wds number
  Displays the number of the root AP or repeater to which the Zyxel Device is connected using WDS.
10.2.1 AP Management Commands Example
The following are some AP management command examples.
Wireless Bridge Network Example
The following figure shows you how to wirelessly extend a wired network with wireless bridge.
Figure 11 Wireless Bridge (with VLAN10)
Suppose you have Network A at your main office and Network B at the branch office:
Network A consists of client A devices, a root AP (X) and a gateway. Client A devices, X, and the gateway are connected using wired connections through a switch.
Network B consists of client B devices, a repeater (Y) and a switch. Client B devices and Y are connected using wired connections through the switch.
The following example shows you how to combine Network A and Network B into one wireless bridge network.
Note: The switches must also have the same VLAN settings.
You must use the same radio for root AP and repeater. In this example, we use radio 1.
1 Set the AP X to root AP mode.
Router# configure terminal
Router(config)# wlan slot1
Router(config-wlan-slot)#
Router(config-wlan-slot)# wds-role rootap
Router(config-wlan-slot)#
Router(config-wlan-slot)# exit
Router(config-wlan-slot)# Setup 2.4G 11AX HE20 channel 6
Setup 2.4G 11AX HE20 channel 6
dbctl> DB Success!
dbctl> DB Success!
dbctl> DB Success!
dbctl> DB Success!
Setup 2.4G 11AX HE20 channel 6
Setup 2.4G 11AX HE20 channel 6
Router(config)#
2 Set the AP Y to repeater mode.
Router# configure terminal
Router(config)# wlan slot1
Router(config-wlan-slot)#
Router(config-wlan-slot)# wds-role repeater
Router(config-wlan-slot)#
Router(config-wlan-slot)# exit
Router(config-wlan-slot)# Setup 2.4G 11AX HE20 channel 6
Setup 2.4G 11AX HE20 channel 6
dbctl> DB Success!
dbctl> DB Success!
dbctl> DB Success!
dbctl> DB Success!
Setup 2.4G 11AX HE20 channel 6
Setup 2.4G 11AX HE20 channel 6
Router(config)#
3 Create WDS profiles on both root AP (X) and repeater (Y). The WDS profile settings must be the same on X and Y.
Router# configure terminal
Router(config)# wlan-wds-profile WDS_profile1
Router(config-wlan-wds WDS_profile1)#
Router(config-wlan-wds WDS_profile1)# ssid WDS_SSID1
Router(config-wlan-wds WDS_profile1)#
Router(config-wlan-wds WDS_profile1)# psk 13245768
Router(config-wlan-wds WDS_profile1)#
Router(config-wlan-wds WDS_profile1)# exit
Router(config)#
4 Apply the WDS profiles on both root AP (X) and repeater (Y).
Router# configure terminal
Router(config)# wlan slot1
Router(config-wlan-slot)# wds_profile WDS_profile1
WDS_Role rootap
Router(config-wlan-slot)#
Router(config-wlan-slot)# exit
Setup 2.4G 11NG HT20 channel 6
Setup 2.4G 11NG HT20 channel 6
Setup 2.4G 11NG HT20 channel 6
Router(config)#
5 Enable wireless bridge on repeater (Y). You can only transmit data through Y's LAN ports when wireless bridge is enabled.
The Zyxel Devices build WDS connection and a wireless bridge network between Network A and Network B after the settings are applied. Use show wireless-hal wds info {uplink|downlink} to check the WDS link status.
Router# configure terminal
Router(config)#
Router(config)# wlan slot1
Router(config-wlan-slot1)#
Router(config-wlan-slot)# wireless-bridge enable
Router(config-wlan-slot)#
Router(config-wlan-slot)# exit
Router(config)#
Wireless Bridge VLAN IDs
VLAN IDs are sent across the wireless bridge so that only clients with the same VLAN IDs receive that network traffic.
This example follows the parameters below:
• Network A is using VLAN ID 10 and VLAN ID 20.
• Network B is only using VLAN ID 10.
• We only want the traffic of VLAN 10 to pass through the wireless bridge.
Please note that you need to create the same VLAN IDs on both the root AP (X) and repeater (Y).
Router# configure terminal
Router(config)#
Router(config)# wireless-bridge vlan
Router(wireless-bridge-vlan)#
Router(wireless-bridge-vlan)# vlanid 10
Router(wireless-bridge-vlan)#
Router(wireless-bridge-vlan)# exit
Router(config)#
Router(config)# show wireless-bridge vlan table
no.  Wireless-Bridge-VID
=========================================================================
1    10
Router(config)#
Wireless Connection and Traffic Information Example
The following commands display:
• number of currently connected WiFi clients
• connection information
• overall traffic information of the Zyxel Device’s radio.
Use these commands to monitor the current wireless LAN status and connection of the Zyxel Device.
The following command displays the number of currently connected WiFi clients of each radio slot (Slot1 - 2.4 GHz, Slot2 - 5 GHz).
Router# configure terminal
Router(config)# show wireless-hal station number
Slot1: 0
Slot2: 1
The following command displays the identity information of currently connected clients and connection details. This can help you identify the WiFi clients connected to the Zyxel Device and check on respective connection statuses.
Router# configure terminal
!Shows the connected clients’ info & connection info
Router(config)# show wireless-hal station info
index: 0
MAC: a1:bc:2d:3e:f4:56
IPv4: 123.45.67.89
Slot: 2
SSID: Zyxel
Security: WPA2-PSK
TxRate: 866M
RxRate: 650M
RSSI: 100
RSSI dBm: -44
Time: 13:11:21 2023/03/01
VapIdx: 1
Capability: 802.11ac
DOT11 features: N/A
Display SSID: Zyxel
The following command displays the overall throughput, traffic and signal information. You can use this command to check if there is any abnormal traffic or connection error.
Router# configure terminal
!Shows the overall traffic info
Router(config)# show wireless-hal statistic
Slot: 1
ReceivedPktCount: 0
TransmittedPktCount: 0
wlanReceivedByte: 0
wlanTransmittedByte: 0
RetryCount: 0
FCSErrorCount: 0
TxPower: 24
Channel Utilization: 61
Slot: 2
ReceivedPktCount: 8053
TransmittedPktCount: 24746
wlanReceivedByte: 3302967
wlanTransmittedByte: 3203254
RetryCount: 0
FCSErrorCount: 193
TxPower: 23
Channel Utilization: 14

10.3 AP Management Client Commands

The following table describes the commands available for configuring CAPWAP AP settings. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 26 Command Summary: CAPWAP AP Commands

COMMAND
  DESCRIPTION

capwap ap ac-ip {primary ip secondary ip | auto}
  Sets the AP controller’s address or sets the Zyxel Device (in managed mode) to use DHCP option 138 to get the AP controller’s IP address.

capwap ap vlan ip address {ip subnet_mask | dhcp}
  Sets the IP address of the Zyxel Device or sets it to use DHCP.

capwap ap vlan [no] ip gateway ip
  Adds the gateway address of the Zyxel Device. The no command removes the gateway setting.

capwap ap vlan [no] ipv6 address ipv6_addr/prefix
  Sets the IPv6 address and the prefix length of the Zyxel Device.
  The no command removes the IPv6 address settings.

capwap ap vlan [no] ipv6 dhcp6 {address-request | client}
  Set the Zyxel Device to act as a DHCPv6 client or get an IPv6 address from a DHCPv6 server.
  The no command sets the Zyxel Device to not get the IPv6 address from the DHCPv6 server.

capwap ap vlan [no] ipv6 dhcp6-request-object dhcp6_profile
  Sets the profile of DHCPv6 request settings that determine what additional information to get from the DHCPv6 server.
  The no command removes the DHCPv6 request settings profile.

capwap ap vlan [no] ipv6 enable
  Enables IPv6 stateless auto-configuration on the Zyxel Device. The Zyxel Device will generate an IPv6 address itself from a prefix obtained from an IPv6 router in the network.
  The no command disables IPv6 stateless auto-configuration.

capwap ap vlan [no] ipv6 gateway ipv6_addr
  Sets the IPv6 address of the default outgoing gateway. The no command removes the IPv6 gateway settings.

capwap ap vlan [no] ipv6 nd ra accept
  Sets the Zyxel Device to accept IPv6 neighbor discovery router advertisement messages.
  The no command sets the Zyxel Device to discard IPv6 neighbor discovery router advertisement messages.

capwap ap vlan vlan-id <1..4094> [tag | untag]
  Sets the VLAN ID and tagging setting of the Zyxel Device.

hybrid-mode [managed | standalone]
  Sets the Zyxel Device to act as a CAPWAP managed AP, or uses it in its default standalone mode.
  When the Zyxel Device is in standalone mode, you can manage the Zyxel Device using its own web configurator or commands.
  When the Zyxel Device is in managed mode, it can be configured ONLY by the AP controller.

show capwap ap info
  Displays information about the Zyxel Device’s wireless usage.

show capwap ap discovery-type
  Displays how the Zyxel Device gets its IP address.

show capwap ap ac-ip
  Displays the controller’s IP address.

show hybrid-mode
  Displays the Zyxel Device management mode.
10.3.1 AP Management Client Commands Example
The following example shows you how to configure the Zyxel Device management mode to allow it to be managed by an AP controller and check the Zyxel Device management mode.
Router# configure terminal
Router(config)# hybrid-mode managed
Router(config)# show hybrid-mode
mode: managed
Router(config)#
The following example shows you how to configure the interface of the Zyxel Device, set the AP controller IP address and display the related settings.
Router# configure terminal
Router(config)# show capwap_wtp ap discovery-type
Discovery type : Broadcast
Router(config)# capwap ap vlan ip address 192.168.1.37 255.255.255.0
Router(config)# capwap ap vlan ip gateway 192.168.1.32
Router(config)# capwap ap ac-ip 192.168.1.1 192.168.1.2
Router(config)# show capwap ap discovery-type
Discovery type : Static AC IP
Router(config)# show capwap ap ac-ip
AC IP: 192.168.1.1 192.168.1.2
Router(config)# exit
Router# show capwap ap info
SM-State RUN(8)
msg-buf-usage 0/10 (Usage/Max)
capwap-version 10118
Radio Number 1/4 (Usage/Max)
BSS Number 8/8 (Usage/Max)
IANA ID 037a
Description AP-0013499999FF
CHAPTER 11

Wireless LAN Profiles

This chapter shows you how to configure wireless LAN profiles on your Zyxel Device.

11.1 Wireless LAN Profiles Overview

The Zyxel Devices are designed to work explicitly with your Zyxel Devices. If you do not have on-board configuration files, you must create “profiles” to manage them. Profiles are preset configurations that are uploaded to the APs and which manage them. They include: Radio profiles, SSID profiles, Security profiles, and MAC Filter profiles. Altogether, these profiles give you absolute control over your wireless network.

11.2 AP Radio Profile Commands

The radio profile commands allow you to set up configurations for the radios onboard your various APs.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 27 Input Values for General Radio Profile Commands
LABEL DESCRIPTION
radio_profile_name
  The radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
wireless_channel_2g
  Sets the 2 GHz channel used by this radio profile. The channel range is 1 ~ 14.
  Note: Your choice of channel may be restricted by regional regulations.
wireless_channel_5g
  Sets the 5 GHz channel used by this radio profile. The channel range is 36 ~ 165.
  Note: Your choice of channel may be restricted by regional regulations.
wireless_channel_6g
  Sets the 6 GHz channel used by this radio profile. The channel range is 1 ~ 233.
  Note: Your choice of channel may be restricted by regional regulations.
  Note: The available channels on the 6 GHz band are PSCs (Preferred Scanning Channels). PSCs are dedicated channels for WiFi clients to send probe requests on to discover a compatible AP, instead of scanning the entire 6 GHz band.
wlan_cw
  Sets the channel width. Select either 20, 20/40, 20/40/80, or 20/40/80/160.
wlan_htgi
  Sets the HT guard interval. Select either long or short.
chain_mask
  Sets the network traffic chain mask. The range is 1 ~ 7.
wlan_interface_index
  Sets the radio interface index number. The range is 1 ~ 8.
wds_lan_interface_index
  Sets the AP-WDS mode interface’s index number. The range is 1 ~ 8.
The following table describes the commands available for radio profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 28 Command Summary: Radio Profile
COMMAND DESCRIPTION
show wlan-radio-profile {all | rule_count | [radio_profile_name]}
  Displays the radio profile(s).
  all: Displays all radio profiles created on the Zyxel Device.
  rule_count: Displays how many radio profiles are created on the Zyxel Device.
  radio_profile_name: Displays the specified radio profile.
wlan-radio-profile rename radio_profile_name1 radio_profile_name2
  Gives an existing radio profile (radio_profile_name1) a new name (radio_profile_name2).
[no] wlan-radio-profile radio_profile_name
  Enters configuration mode for the specified radio profile. Use the no parameter to remove the specified profile.
2g-channel wireless_channel_2g
  Sets the broadcast band for this profile in the 2.4 GHz frequency range. The default is 6.
2g-multicast-speed wlan_2g_support_speed
  When you disable multicast to unicast, use this command to set the data rate {1.0 | 2.0 | …} in Mbps for 2.4 GHz multicast traffic.
2g-wlan-rate-control rate_2g
  Sets the minimum data rate that 2.4 GHz WiFi clients can connect at, in Mbps.
  rate_2g: At the time of writing, allowed values are: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54.
  Increasing the minimum data rate can reduce network overhead and improve WiFi network performance in high density environments. However, WiFi clients that do not support the minimum data rate will not be able to connect to the AP.
5g-channel wireless_channel_5g
  Sets the broadcast band for this profile in the 5 GHz frequency range.
5g-multicast-speed wlan_5g_basic_speed
  When you disable multicast to unicast, use this command to set the data rate {6.0 | 9.0 | …} in Mbps for 5 GHz multicast traffic.
5g-wlan-rate-control rate_5g
  Sets the minimum data rate that 5 GHz WiFi clients can connect at, in Mbps.
  rate_5g: At the time of writing, allowed values are: 6, 9, 12, 18, 24, 36, 48, 54.
  Increasing the minimum data rate can reduce network overhead and improve WiFi network performance in high density environments. However, WiFi clients that do not support the minimum data rate will not be able to connect to the AP.
6g-channel wireless_channel_6g
  Sets the broadcast band for this profile in the 6 GHz frequency range.
6g-multicast-speed wlan_6g_basic_speed
  When you disable multicast to unicast, use this command to set the data rate {6.0 | 9.0 | … | 54.0} in Mbps for 6 GHz multicast traffic.
6g-wlan-rate-control rate_6g
  Sets the minimum data rate that 6 GHz WiFi clients can connect at, in Mbps.
  rate_6g: At the time of writing, the allowed values are: 6, 9, 12, 18, 24, 36, 48, 54.
  Increasing the minimum data rate can reduce network overhead and improve WiFi network performance in high density environments. However, WiFi clients that do not support the minimum data rate will not be able to connect to the AP.
[no] activate
  Makes this profile active or inactive.
[no] ampdu
  Activates MPDU frame aggregation for this profile. Use the no parameter to disable it.
  Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates.
  By default this is enabled.
[no] amsdu
  Activates MSDU frame aggregation for this profile. Use the no parameter to disable it.
  Mac Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header. This method is useful for increasing bandwidth throughput. It is also more efficient than A-MPDU except in environments that are prone to high error rates.
  By default this is enabled.
band wlan_band band-mode wlan_band_mode
  Sets the radio band and 802.11 wireless mode for this profile.
  wlan_band: 2.4G, 5G, 6G
  wlan_band_mode: 11n, bg, bgn, a, ac, an, anacax, bgnax, ax
beacon-interval <40..1000>
  Sets the beacon interval for this profile.
  When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power mode before waking up to handle the beacon. This value can be set from 40ms to 1000ms. A high value helps save current consumption of the access point.
  The default is 100.
[no] block-ack
  Makes block-ack active or inactive. Use the no parameter to disable it.
bss-color <0..63>
  Sets the BSS color of the Zyxel Device, which distinguishes it from other nearby APs when they transmit over the same channel. Set it to 0 to automatically assign a BSS color.
[no] disable-bss-color
  Disables BSS coloring. Use the no command to enable BSS coloring.
ch-width wlan_cw
  Sets the channel width for this profile.
[no] ctsrts <0..2347>
  Sets or removes the RTS/CTS value for this profile.
  Use RTS/CTS to reduce data collisions on the wireless network if you have WiFi clients that are associated with the same AP but out of range of one another. When enabled, a WiFi client sends an RTS (Request To Send) and then waits for a CTS (Clear To Send) before it transmits. This stops WiFi clients from transmitting packets at the same time (and causing data collisions).
  A WiFi client sends an RTS for all packets larger than the number (of bytes) that you enter here. Set the RTS/CTS equal to or higher than the fragmentation threshold to turn RTS/CTS off.
  The default is 2347.
dcs time-interval interval
  Sets the interval that specifies how often DCS should run.
dcs sensitivity-level {high|medium|low}
  Sets how sensitive DCS is to radio channel changes in the vicinity of the AP running the scan.
dcs client-aware {enable|disable}
  When enabled, this ensures that the Zyxel Device will not change channels as long as a client is connected to it. If disabled, the Zyxel Device may change channels regardless of whether it has clients connected to it or not.
dcs channel-deployment {3-channel|4-channel}
  Sets either a 3-channel deployment or a 4-channel deployment.
  In a 3-channel deployment, the AP running the scan alternates between the following channels: 1, 6, and 11.
  In a 4-channel deployment, the AP running the scan alternates between the following channels: 1, 4, 7, and 11 (FCC) or 1, 5, 9, and 13 (ETSI).
  Set the option that is applicable to your region. (Channel deployment may be regulated differently between countries and locales.)
dcs 2g-selected-channel 2.4g_channels
  Specifies the channels that are available in the 2.4 GHz band when you manually configure the channels the Zyxel Device can use.
dcs 5g-selected-channel 5g_channels
  Specifies the channels that are available in the 5 GHz band when you manually configure the channels the Zyxel Device can use.
dcs 6g-selected-channel 6g_channels
  Specifies the channels that are available in the 6 GHz band when you manually configure the channels the Zyxel Device can use.
dcs dcs-2g-method {auto|manual}
  Sets the Zyxel Device to automatically search for available channels or manually configure the channels the Zyxel Device uses in the 2.4 GHz band.
dcs dcs-5g-method {auto|manual}
  Sets the Zyxel Device to automatically search for available channels or manually configure the channels the Zyxel Device uses in the 5 GHz band.
dcs dcs-6g-method {auto|manual}
  Sets the Zyxel Device to automatically search for available channels or manually configure the channels the Zyxel Device uses in the 6 GHz band.
dcs dfs-aware {enable|disable}
  Enable this to force the Zyxel Device to only use the non-DFS channels.
  Disable this to allow the Zyxel Device to use the DFS channels for more channel options.
  Dynamic Frequency Selection (DFS) is a WiFi channel allocation scheme that allows APs to use channels in the 5 GHz band normally reserved for radar. Before using a DFS channel, an AP must ensure there is no radar present by performing a Channel Availability Check (CAC). This check takes 1-10 minutes, depending on the country in which the AP is located.
  The Zyxel Device only switches to a DFS channel when a nearby AP is broadcasting the same SSID the Zyxel Device uses. This allows WiFi clients to switch to connect to the same SSID on another AP when the Zyxel Device is under the CAC process before switching to a DFS channel.
  The nearby AP’s SSID signal strength must be greater than the specified RSSI threshold. The nearby AP’s SSID channel utilization percentage must be under the specified threshold. You can specify the threshold using the dcs dfs-aware-neighbor-rssi <-20...-105> and dcs dfs-aware-neighbor-ch-util <0-100> commands.
dcs dfs-aware-neighbor-rssi <-20...-105>
  Sets the minimum RSSI threshold (dBm) requirement of the nearby AP’s SSID signal strength.
dcs dfs-aware-neighbor-ch-util <0-100>
  Sets the maximum threshold (percentage) of the nearby AP’s SSID channel utilization.
dcs mode {interval|schedule}
  Sets the Zyxel Device to use DCS at the end of the specified time interval or at a specific time on selected days of the week.
dcs schedule <hh:mm> {mon|tue|wed|thu|fri|sat|sun}
  Sets what time of day (in 24-hour format) the Zyxel Device starts to use DCS on the specified day(s) of the week.
description description
  Sets the description for the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
[no] disable-dfs-switch
  Makes the DFS switch active or inactive. By default this is inactive.
[no] dot11n-disable-coexistence
  Fixes the channel bandwidth as 40 MHz. The no command has the Zyxel Device automatically choose 40 MHz if all the clients support it or 20 MHz if some clients only support 20 MHz.
dtim-period <1..255>
  Sets the DTIM period for this profile.
  Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. This value can be set from 1 to 255.
  The default is 1.
[no] frag <256..2346>
  Sets or removes the fragmentation value for this profile.
  The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent.
  The default is 2346.
guard-interval wlan_htgi
  Sets the guard interval for this profile.
  The default for this is short.
[no] htprotect
  Activates HT protection for this profile. Use the no parameter to disable it.
  By default, this is disabled.
[no] ignore-country-ie
  Prevents the AP from broadcasting a country code, also called a country Information Element (IE), in beacon frames. This makes the AP incompatible with 802.11d networks and devices. The no command allows the AP to broadcast the country code.
  802.11d is a WiFi network specification that allows an AP to broadcast a country code to WiFi clients. The country code tells clients where the AP is located.
  Note: Run this command if WiFi clients are unable to connect to the AP because of an incompatible country code.
limit-ampdu <100..65535>
  Sets the maximum frame size to be aggregated. By default this is 50000.
limit-amsdu <2290..4096>
  Sets the maximum frame size to be aggregated. The default is 4096.
[no] nol-channel-block
  Enables or disables DFS channel blocking when the Zyxel Device detects radar signals within the range of that DFS channel.
[no] multicast-to-unicast
  “Multicast to unicast” broadcasts wireless multicast traffic to all WiFi clients as unicast traffic to provide more reliable transmission. The data rate changes dynamically based on the application’s bandwidth requirements. Although unicast provides more reliable transmission of the multicast traffic, it also produces duplicate packets.
  The no command turns multicast to unicast off to send wireless multicast traffic at the rate you specify with the 2g-multicast-speed, 5g-multicast-speed or 6g-multicast-speed command.
[no] reject-legacy-station
  Allows only 802.11 n/ac/ax clients to connect, and rejects 802.11a/b/g clients.
  Use the no command to also allow 802.11a/b/g clients.
role {ap}
  Sets the profile’s wireless LAN radio operating mode. Use ap to have the radio function as an access point with one or more BSSIDs.
[no] rssi-thres
  Sets whether or not to use the Received Signal Strength Indication (RSSI) threshold to ensure WiFi clients receive good throughput. This allows only WiFi clients with a strong signal to connect to the Zyxel Device.
rssi-dbm <-20..-105>
  When using the RSSI threshold, set a minimum client signal strength for connecting to the AP.
  -20 dBm is the strongest signal you can require and -105 is the weakest.
rssi-kickout <-20..-105>
  Set a minimum kick-off signal strength. You can set from -20dBm (the strongest signal) to -105dBm (the weakest signal).
  When a WiFi client’s signal strength is lower than the specified threshold, the Zyxel Device checks the traffic between the Zyxel Device and the WiFi client. The Zyxel Device will only disconnect the WiFi client when
  • the WiFi client signal strength falls below the kick-off strength and
  • the WiFi client’s traffic throughput is below a minimum threshold.
  Use the rssi-idlechecklvl {high|standard|low} command to set the idle check level.
  Use the rssi-idlecheckpktnum/rssi-idlecheckinterval commands to specify the minimum traffic threshold and idle check period.
rssi-idlechecklvl {high|standard|low}
  Set the minimum traffic throughput threshold here.
  high: Use this if you want the Zyxel Device to not disconnect a WiFi client with a weak signal strength (below the kick-off threshold) when the traffic between the Zyxel Device and the WiFi client is heavy. The Zyxel Device will disconnect the WiFi client if the traffic between the Zyxel Device and the WiFi client is medium or low.
  standard: Use this if you want the Zyxel Device to not disconnect a WiFi client with a weak signal strength (below the kick-off threshold) when the traffic between the Zyxel Device and the WiFi client is medium. The Zyxel Device will disconnect the WiFi client if the traffic between the Zyxel Device and the WiFi client is low.
  low: Use this if you want the Zyxel Device to not disconnect a WiFi client with a weak signal strength (below the kick-off threshold) when the traffic between the Zyxel Device and the WiFi client is low. At the time of writing, the Zyxel Device will disconnect the WiFi client if there’s no packet sent between the Zyxel Device and the WiFi client in one second.
rssi-interval <1..86400>
  Sets the interval the Zyxel Device checks a WiFi client’s signal strength.
rssi-idlecheckpktnum <0..65535>
  Sets the traffic threshold the Zyxel Device uses to determine when to disassociate a WiFi client with poor signal strength.
  The Zyxel Device will disassociate a WiFi client when the WiFi client’s traffic (number of packets) during the check period is below the threshold.
rssi-idlecheckinterval <0..60>
  Sets the check period during which the Zyxel Device counts a WiFi client’s traffic throughput and decides whether to disassociate the WiFi client.
[no] rssi-retry
  Allows a WiFi client to try to associate with the Zyxel Device again after it is disconnected due to weak signal strength.
  Use the no parameter to disallow it.
rssi-retrycount <1~100>
  Sets the maximum number of times a WiFi client can attempt to re-connect to the Zyxel Device.
tx-mask chain_mask
  Sets the outgoing chain mask.
rx-mask chain_mask
  Sets the incoming chain mask.
subframe-ampdu <2..64>
  Sets the maximum number of frames to be aggregated each time. By default this is 32.
exit
  Exits configuration mode for this profile.
11.2.1 AP radio Profile Commands Example
The following example shows you how to set up the radio profile named ‘RADIO01’, activate it, and configure it to use the following settings:
• 2.4G band and 802.11ac wireless mode with channel 6
• channel width of 20MHz
• a DTIM period of 2
• a beacon interval of 100ms
• AMPDU frame aggregation enabled
• an AMPDU buffer limit of 65535 bytes
• an AMPDU subframe limit of 64 frames
• AMSDU frame aggregation enabled
• an AMSDU buffer limit of 4096
• block acknowledgement enabled
• a short guard interval
Router(config)# wlan-radio-profile RADIO01
Router(config-profile-radio)# activate
Router(config-profile-radio)# band 2.4G band_mode ac
Router(config-profile-radio)# 2g-channel 6
Router(config-profile-radio)# ch-width 20m
Router(config-profile-radio)# dtim-period 2
Router(config-profile-radio)# beacon-interval 100
Router(config-profile-radio)# ampdu
Router(config-profile-radio)# limit-ampdu 65535
Router(config-profile-radio)# subframe-ampdu 64
Router(config-profile-radio)# amsdu
Router(config-profile-radio)# limit-amsdu 4096
Router(config-profile-radio)# block-ack
Router(config-profile-radio)# guard-interval short
Router(config-profile-radio)# tx-mask 5
Router(config-profile-radio)# rx-mask 7
Station Disassociation-Signal Threshold Example
This example shows you how to enable signal strength check and set up a minimum signal threshold for connection. WiFi clients with signal strength below the minimum threshold will be disassociated. This helps to avoid WiFi clients with poor signal strength taking up the AP resources. Configure a radio profile RADIO01 with the following settings:
• Enable RSSI checking on WiFi client connections.
• Set the minimum signal threshold to -105 dBm.
• Set the RSSI check interval to every 15 seconds.
Router(config)# wlan-radio-profile RADIO01
Router(config-profile-radio)# rssi-thres
Router(config-profile-radio)# rssi-kickout -105
Router(config-profile-radio)# rssi-interval 15
Router(config-profile-radio)# exit
Router(config)#
Then, set the idle check level to “low”. The Zyxel Device will only disassociate WiFi clients with poor signals when they are not sending any traffic.
Router(config)# wlan-radio-profile RADIO01
Router(config-profile-radio)# rssi-idlechecklvl low
Router(config-profile-radio)# exit
Router(config)#
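A pre-flight check for a radio profile change script, as an added example (not Zyxel code): it parses a CLI session in the prompt format used in this guide and checks each argument against the ranges and values listed in Table 27 and Table 28. The function name lint_session and the second sample session are constructed for illustration; commands the tables give no range for are passed over.

```python
import re

# Inclusive bounds copied from Table 27 and Table 28 of this guide.
RANGES = {
    "2g-channel": (1, 14), "5g-channel": (36, 165), "6g-channel": (1, 233),
    "beacon-interval": (40, 1000), "bss-color": (0, 63),
    "ctsrts": (0, 2347), "dtim-period": (1, 255), "frag": (256, 2346),
    "limit-ampdu": (100, 65535), "limit-amsdu": (2290, 4096),
    "subframe-ampdu": (2, 64), "tx-mask": (1, 7), "rx-mask": (1, 7),
    "rssi-dbm": (-105, -20), "rssi-kickout": (-105, -20),
    "rssi-interval": (1, 86400), "rssi-idlecheckpktnum": (0, 65535),
    "rssi-idlecheckinterval": (0, 60), "rssi-retrycount": (1, 100),
}
ENUMS = {
    "guard-interval": {"long", "short"},
    "rssi-idlechecklvl": {"high", "standard", "low"},
}
# 1-31 alphanumerics, underscores or dashes; first character not a number.
NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")
PROMPT_RE = re.compile(r"^Router(?:\((?P<mode>[^)]*)\))?#\s*(?P<cmd>.*)$")


def lint_session(text):
    """Return (line_no, profile, command, reason) for every bad argument."""
    findings, profile = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = PROMPT_RE.match(raw.strip())
        if not m or not m.group("cmd"):
            continue  # command output or an empty prompt
        mode, tokens = m.group("mode"), m.group("cmd").split()
        negated = tokens[0] == "no"
        if negated:
            tokens = tokens[1:]
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if mode == "config" and cmd == "wlan-radio-profile":
            # "no ..." removes a profile and "rename" does not enter it.
            if args and args[0] != "rename" and not negated:
                profile = args[0]
                if not NAME_RE.match(profile):
                    findings.append((lineno, profile, cmd, "invalid profile name"))
            continue
        if mode != "config-profile-radio":
            continue
        if cmd == "exit":
            profile = None
        elif negated:
            continue  # the "no" form takes no value that needs checking
        elif cmd in RANGES:
            lo, hi = RANGES[cmd]
            try:
                value = int(args[0])
            except (IndexError, ValueError):
                findings.append((lineno, profile, cmd, "expected an integer"))
                continue
            if not lo <= value <= hi:
                findings.append((lineno, profile, cmd, f"{value} outside {lo}..{hi}"))
        elif cmd in ENUMS and (not args or args[0] not in ENUMS[cmd]):
            findings.append((lineno, profile, cmd,
                             f"expected one of {sorted(ENUMS[cmd])}"))
    return findings


# Commands taken from the RADIO01 examples in this section.
GUIDE_SESSION = """\
Router(config)# wlan-radio-profile RADIO01
Router(config-profile-radio)# activate
Router(config-profile-radio)# 2g-channel 6
Router(config-profile-radio)# dtim-period 2
Router(config-profile-radio)# beacon-interval 100
Router(config-profile-radio)# limit-ampdu 65535
Router(config-profile-radio)# subframe-ampdu 64
Router(config-profile-radio)# limit-amsdu 4096
Router(config-profile-radio)# guard-interval short
Router(config-profile-radio)# tx-mask 5
Router(config-profile-radio)# rx-mask 7
Router(config-profile-radio)# rssi-thres
Router(config-profile-radio)# rssi-kickout -105
Router(config-profile-radio)# rssi-interval 15
Router(config-profile-radio)# rssi-idlechecklvl low
Router(config-profile-radio)# exit
Router(config)#
"""

# Constructed session with out-of-range values (not from the guide).
BAD_SESSION = """\
Router(config)# wlan-radio-profile 5GHZ-LOBBY
Router(config-profile-radio)# beacon-interval 20
Router(config-profile-radio)# rssi-kickout -110
Router(config-profile-radio)# guard-interval medium
Router(config-profile-radio)# dtim-period two
Router(config-profile-radio)# exit
"""

if __name__ == "__main__":
    for finding in lint_session(BAD_SESSION):
        print(finding)
```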

11.3 SSID Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 29 Input Values for General SSID Profile Commands
LABEL DESCRIPTION
ssid_profile_name
  The SSID profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
ssid
  The SSID broadcast name. You may use 1-32 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
wlan_qos
  Sets the type of QoS the SSID should use.
  disable: Turns off QoS for this SSID.
  wmm: Turns on QoS for this SSID. It automatically assigns Access Categories to packets as the device inspects them in transit.
  wmm_be: Assigns the “best effort” Access Category to all traffic moving through the SSID regardless of origin.
  wmm_bk: Assigns the “background” Access Category to all traffic moving through the SSID regardless of origin.
  wmm_vi: Assigns the “video” Access Category to all traffic moving through the SSID regardless of origin.
  wmm_vo: Assigns the “voice” Access Category to all traffic moving through the SSID regardless of origin.
securityprofile
  Assigns an existing security profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
macfilterprofile
  Assigns an existing MAC filter profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
description2
  Sets the description of the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
The following table describes the commands available for SSID profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 30 Command Summary: SSID Profile
COMMAND DESCRIPTION
show wlan-ssid-profile {all | rule_count | ssid_profile_name}
  Displays the SSID profile(s).
  all: Displays all profiles.
  rule_count: Displays how many SSID profiles are created on the Zyxel Device.
  ssid_profile_name: Displays the specified profile.
wlan-ssid-profile rename ssid_profile_name1 ssid_profile_name2
  Gives an existing SSID profile (ssid_profile_name1) a new name (ssid_profile_name2).
[no] wlan-ssid-profile ssid_profile_name
  Enters configuration mode for the specified SSID profile. Use the no parameter to remove the specified profile.
band {2.4G|5G|6G}
  Sets the frequency bands to which this profile is applicable.
  You can use the ssid profile index ssid_profile_name command to assign the SSID profile to different radio slots. The SSID profile will only take effect on radio slots which are using the frequency bands the profile is applicable to.
[no] block-intra
  Enables intra-BSSID traffic blocking. Use the no parameter to disable it in this profile.
  By default this is disabled.
description description
  Sets a descriptive name for this profile.
[no] dot11k-v activate
  Enables IEEE 802.11k/v assisted roaming on the Zyxel Device. When the connected clients request 802.11k neighbor lists, the Zyxel Device will respond with a list of neighbor APs that can be candidates for roaming.
  Use the no parameter to disable it in this profile.
downlink-rate-limit data_rate
  Sets the maximum incoming transmission data rate (either in mbps or kbps) on a per-station basis.
exit
  Exits configuration mode for this profile.
[no] hide
  Prevents the SSID from being publicly broadcast. Use the no parameter to re-enable public broadcast of the SSID in this profile.
  By default this is disabled.
[no] l2isolation l2profile
  Assigns the specified layer-2 isolation profile to this SSID profile. Use the no parameter to remove it.
  By default, no layer-2 isolation profile is assigned.
[no] macfilter macfilterprofile
  Assigns the specified MAC filtering profile to this SSID profile. Use the no parameter to remove it.
  By default, no MAC filter is assigned.
[no] proxy-arp
  Sets the Zyxel Device to answer ARP requests for an IP address on behalf of a client associated with this SSID. This can reduce broadcast traffic and improve network performance.
  Use the no parameter to disable Proxy ARP.
qos wlan_qos
  Sets the type of QoS used by this SSID.
security securityprofile
  Assigns the specified security profile to this SSID profile.
ssid
  Sets the SSID. This is the name visible on the network to WiFi clients. Enter up to 32 characters, spaces and underscores are allowed.
[no] ssid-schedule
  Enables the SSID schedule. Use the no parameter to disable the SSID schedule.
{mon|tue|wed|thu|fri|sat|sun} {enable | disable} <hh:mm> <hh:mm>
  Sets whether the SSID is enabled or disabled on each day of the week. This also specifies the hour and minute (in 24-hour format) to set the time period of each day during which the SSID is enabled/disabled.
  <hh:mm> <hh:mm>: If you set both start time and end time to 00:00, it indicates a whole day event.
  Note: The end time must be larger than the start time.
[no] uapsd
  Enables Unscheduled Automatic Power Save Delivery (U-APSD), which is also known as WMM-Power Save. This helps increase battery life for battery-powered WiFi clients connected to the Zyxel Device using this SSID profile.
  Use the no parameter to disable the U-APSD feature.
uplink-rate-limit data_rate
  Sets the maximum outgoing transmission data rate (either in mbps or kbps) on a per-station basis.
[no] vlan-id <1..4094>
  Applies to each SSID profile. If the VLAN ID is equal to the AP’s native VLAN ID then traffic originating from the SSID is not tagged.
  The default VLAN ID is 1.
11.3.1 SSID Profile Example 1
The following example creates an SSID profile with the name ‘Zyxel’. It makes the assumption that both the security profile (SECURITY01) and the MAC filter profile (MACFILTER01) already exist.
Router(config)# wlan-ssid-profile SSID01
Router(config-ssid-radio)# ssid Zyxel
Router(config-ssid-radio)# qos wmm
Router(config-ssid-radio)# security SECURITY01
Router(config-ssid-radio)# macfilter MACFILTER01
Router(config-ssid-radio)# exit
Router(config)#
11.3.2 SSID Profile Example 2
Follow the steps below to have 2.4G WiFi clients and 5G WiFi clients use the same SSID profile when connected to different radios.
1 Create an SSID profile SSID01 and set the SSID. Set the band to 2.4G and 5G.
Router(config)# wlan-ssid-profile SSID01
Router(config-ssid-radio)# ssid Zyxel
Router(config-ssid-radio)# band 2.4G 5G
Router(config-ssid-radio)# exit
Router(config)#
2 Apply SSID01 to radio slot1 and radio slot2.
Router(config)# wlan slot1
Router(config-wlan-slot)# ssid profile 1 SSID01
Router(config-wlan-slot)# exit
Router(config)# wlan slot2
Router(config-wlan-slot)# ssid profile 1 SSID01
Router(config-wlan-slot)# exit
Router(config)#
3 Use the show command to check the current configurations on both radios. The 2.4G WiFi clients and 5G WiFi clients can now connect to radio slot1 and slot2 using the same SSID to access the Internet.
Router# show wlan slot1
slot: slot1
card: none
Role: ap
Profile: default1
SSID_profile_1: SSID01
...
SSID_profile_8:
SLOT_1_Output_power: 30dBm
Activate: yes
WDS_Role: none
WDS_Profile: default
WDS_uplink: auto
WDS_Downlink: unlimited
Band: 2.4G
SSID_profile_1_band: 2.4G/5G
...
SSID_profile_8_band:
Router#

11.4 Security Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 31 Input Values for General Security Profile Commands
LABEL DESCRIPTION
security_profile_name
  The security profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
wep_key
  Sets the WEP key encryption strength. Select either 64bit or 128bit.
wpa_key
  Sets the WPA/WPA2 pre-shared key in ASCII. You may use 8~63 alphanumeric characters. This value is case-sensitive.
wpa_key_64
  Sets the WPA/WPA2 pre-shared key in HEX. You must use 64 alphanumeric characters.
secret
  Sets the shared secret used by your network’s RADIUS server.
auth-method
  The authentication method used by the security profile.
The following table describes the commands available for security profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 32 Command Summary: Security Profile
COMMAND DESCRIPTION
show wlan-security-profile {all | rule_count | [security_profile_name]}
  Displays the security profile(s).
  all: Displays all profiles.
  rule_count: Displays how many security profiles are created on the Zyxel Device.
  security_profile_name: Displays the specified profile.
wlan-security-profile rename security_profile_name1 security_profile_name2
  Gives an existing security profile (security_profile_name1) a new name (security_profile_name2).
[no] wlan-security-profile security_profile_name
  Enters configuration mode for the specified security profile. Use the no parameter to remove the specified profile.
[no] accounting interim-interval <1..1440>
  Sets the time interval for how often the Zyxel Device is to send an interim update message with current client statistics to the accounting server. Use the no parameter to clear the interval setting.
[no] accounting interim-update
  Sets the Zyxel Device to send accounting update messages to the accounting server at the specified interval. Use the no parameter to disable it.
description description
  Sets the description for the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
[no] dot11r activate
  Turns on IEEE 802.11r fast roaming on the Zyxel Device. Use the no parameter to turn it off.
[no] dot11r ft-over-ds activate
    Sets the clients to communicate with the target AP through the current AP (the Zyxel Device). The communication between the client and the target AP is carried in frames between the client and the current AP, and is then sent to the target AP through the wired Ethernet connection.
    Use the no parameter to have the clients communicate directly with the target AP.
    Note: This command is applicable to the Zyxel Devices running with firmware version 5.30 or later.
[no] dot11r over-the-ds activate
    Sets the clients to communicate with the target AP through the current AP (the Zyxel Device). The communication between the client and the target AP is carried in frames between the client and the current AP, and is then sent to the target AP through the wired Ethernet connection.
    Use the no parameter to have the clients communicate directly with the target AP.
    Note: This command is applicable to the Zyxel Devices running with firmware version older than v5.30.
[no] dot11w
    Data frames in 802.11 WLANs can be encrypted and authenticated with WEP, WPA or WPA2. But 802.11 management frames, such as beacon/probe response, association request, association response, de-authentication and disassociation are always unauthenticated and unencrypted. IEEE 802.11w Protected Management Frames allows APs to use the existing security mechanisms (encryption and authentication methods defined in IEEE 802.11i WPA/WPA2) to protect management frames. This helps prevent wireless DoS attacks.
    Enables management frame protection (MFP) to add security to 802.11 management frames. Use the no parameter to disable it.
dot11w-op <1..2>
    Sets whether WiFi clients have to support management frame protection in order to access the wireless network.
    1: if you do not require the WiFi clients to support MFP. Management frames will be encrypted if the clients support MFP.
    2: WiFi clients must support MFP in order to join the Zyxel Device’s wireless network.
[no] dot1x-eap
    Enables 802.1x secure authentication. Use the no parameter to disable it.
eap {external | internal auth_method}
    Sets the 802.1x authentication method.
group-key <30..30000>
    Sets the interval (in seconds) at which the AP updates the group WPA/WPA2 encryption key. The default is 1800.
idle <30..30000>
    Sets the idle interval (in seconds) that a client can be idle before authentication is discontinued.
    The default is 3000.
[no] mac-auth activate
    MAC authentication has the AP use an external server to authenticate WiFi clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails. The no parameter turns it off.
    RADIUS servers can require the MAC address in the WiFi client’s account (username/password) or Calling Station ID RADIUS attribute.
mac-auth auth-method auth_method
    Sets the authentication method for MAC authentication.
mac-auth case account {upper | lower}
    Sets the case (upper or lower) the external server requires for using MAC addresses as the account username and password.
    For example, use mac-auth case account upper and mac-auth delimiter account dash if you need to use a MAC address formatted like 00-11-AC-01-A0-11 as the username and password.
mac-auth case calling-station-id {upper | lower}
    Sets the case (upper or lower) the external server requires for letters in MAC addresses in the Calling Station ID RADIUS attribute.
mac-auth delimiter account {colon | dash | none}
    Specify the separator the external server uses for the two-character pairs within MAC addresses used as the account username and password.
    For example, use mac-auth case account upper and mac-auth delimiter account dash if you need to use a MAC address formatted like 00-11-AC-01-A0-11 as the username and password.
mac-auth delimiter calling-station-id {colon | dash | none}
    Select the separator the external server uses for the pairs in MAC addresses in the Calling Station ID RADIUS attribute.
mode {none | enhanced-open | wep | wpa2 | wpa2-mix | wpa3}
    Sets the security mode for this profile.
[no] server-auth <1..2> activate
    Activates server authentication. Use the no parameter to deactivate.
radius-attr nas-id string
    Sets the NAS (Network Access Server) identifier attribute if the RADIUS server requires the Zyxel Device to provide it. The NAS identifier is to identify the source of access request. It could be the NAS’s fully qualified domain name.
radius-attr nas-ip ip
    Sets the NAS (Network Access Server) IP address attribute if the RADIUS server requires the Zyxel Device to provide it.
[no] reauth <30..30000>
    Sets the interval (in seconds) between authentication requests.
    The default is 0.
server-auth <1..2> IPv4 port port secret secret
    Sets the server authentication IPv4 port and shared secret.
[no] server-auth <1..2>
    Clears the server authentication setting.
[no] transition-mode
    Enables backward compatibility when used with WPA3 or Enhanced Open security mode. WPA3 falls back to WPA2, while Enhanced Open falls back to open (none).
    Use the no command to disable this feature.
wep-auth-type {open | share}
    Sets the authentication key type to either open or share.
wep <64 | 128> default-key <1..4>
    Sets the WEP encryption strength (64 or 128) and the default key index (1 ~ 4).
wep-key <1..4> wep_key
    If you select WEP-64 enter 10 hexadecimal digits in the range of “A-F”, “a-f” and “0-9” (for example, 0x11AA22BB33) for each Key used; or enter 5 ASCII characters (case sensitive) ranging from “a-z”, “A-Z” and “0-9” (for example, MyKey) for each Key used.
    If you select WEP-128 enter 26 hexadecimal digits in the range of “A-F”, “a-f” and “0-9” (for example, 0x00112233445566778899AABBCC) for each Key used; or enter 13 ASCII characters (case sensitive) ranging from “a-z”, “A-Z” and “0-9” (for example, MyKey12345678) for each Key used.
    You can save up to four different keys. Enter the default-key (1 ~ 4) to save your WEP to one of those four available slots.
wpa-encrypt {aes | auto}
    Sets the WPA/WPA2 encryption cipher type.
    auto: This automatically chooses the best available cipher based on the cipher in use by the WiFi client that is attempting to make a connection.
    aes: This is the Advanced Encryption Standard encryption method, a newer, more robust algorithm than TKIP. Not all WiFi clients may support this.
wpa-psk {wpa_key | wpa_key_64}
    Sets the WPA/WPA2 pre-shared key.
[no] wpa2-preauth
    Enables pre-authentication to allow WiFi clients to switch APs without having to re-authenticate their network connection. The RADIUS server puts a temporary PMK Security Authorization cache on the WiFi clients. It contains their session ID and a pre-authorized list of viable APs.
    Use the no parameter to disable this.
exit
    Exits configuration mode for this profile.
11.4.1 Security Profile Example
The following example creates a security profile with the name ‘SECURITY01’.
Router(config)# wlan-security-profile SECURITY01
Router(config-security-profile)# mode wpa2
Router(config-security-profile)# wpa-encrypt aes
Router(config-security-profile)# wpa-psk 12345678
Router(config-security-profile)# idle 3600
Router(config-security-profile)# reauth 1800
Router(config-security-profile)# group-key 1800
Router(config-security-profile)# exit
Router(config)#

11.5 MAC Filter Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 33 Input Values for General MAC Filter Profile Commands
LABEL DESCRIPTION
macfilter_profile_name
    The MAC filter profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
description
    Sets the description of the MAC address. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
The following table describes the commands available for MAC filter profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 34 Command Summary: MAC Filter Profile
COMMAND DESCRIPTION
show wlan-macfilter-profile {all | rule_count | [macfilter_profile_name]}
    Displays the MAC filter profile(s).
    all: Displays all profiles.
    rule_count: Displays how many MAC filter profiles are created on the Zyxel Device.
    macfilter_profile_name: Displays the specified profile.
wlan-macfilter-profile rename macfilter_profile_name1 macfilter_profile_name2
    Gives an existing MAC filter profile (macfilter_profile_name1) a new name (macfilter_profile_name2).
[no] wlan-macfilter-profile macfilter_profile_name
    Enters configuration mode for the specified MAC filter profile. Use the no parameter to remove the specified profile.
filter-action {allow | deny}
    Permits the WiFi client with the MAC addresses in this profile to connect to the network through the associated SSID; select deny to block the WiFi clients with the specified MAC addresses.
    The default is set to deny.
[no] mac_addr [description description]
    Specifies a MAC address associated with this profile. You can also set a description for the MAC address. Enter up to 60 characters. Spaces and underscores allowed.
exit
    Exits configuration mode for this profile.
11.5.1 MAC Filter Profile Example
The following example creates a MAC filter profile with the name ‘MACFILTER01’.
Router(config)# wlan-macfilter-profile MACFILTER01
Router(config-macfilter-profile)# filter-action deny
Router(config-macfilter-profile)# 01:02:03:04:05:06 description MAC01
Router(config-macfilter-profile)# 01:02:03:04:05:07 description MAC02
Router(config-macfilter-profile)# 01:02:03:04:05:08 description MAC03
Router(config-macfilter-profile)# exit
Router(config)#

11.6 Layer-2 Isolation Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 35 Input Values for General Layer-2 Isolation Profile Commands
LABEL DESCRIPTION
l2isolation_profile_name
    The layer-2 isolation profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
mac_address
    The MAC address of the device that is allowed to communicate with the Zyxel Device’s WiFi clients. Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.
description
    Sets the description name of MAC address in the profile. You may use 1-60 alphanumeric characters, underscores (_), or dashes (-).
The following table describes the commands available for Layer-2 Isolation profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 36 Command Summary: Layer-2 Isolation Profile
COMMAND DESCRIPTION
show wlan-l2isolation-profile {all | rule_count | [l2isolation_profile_name]}
    Displays the layer-2 isolation profile(s) settings.
    all: Displays settings of all layer-2 isolation profiles configured on the Zyxel Device.
    rule_count: Displays how many layer-2 isolation profiles are created on the Zyxel Device.
    l2isolation_profile_name: Displays settings of the specified profile.
wlan-l2isolation-profile rename l2isolation_profile_name1 l2isolation_profile_name2
    Gives the existing layer-2 isolation profile (l2isolation_profile_name1) a new name, (l2isolation_profile_name2).
[no] wlan-l2isolation-profile l2isolation_profile_name
    Enters configuration mode for the specified layer-2 isolation profile. Use the no parameter to remove the specified profile.
[no] mac_address
    Sets the MAC address of the device that is allowed to communicate with the Zyxel Device’s WiFi clients in this profile.
description description
    Sets the description name for the MAC address associated with this profile.
exit
    Exits configuration mode for this profile.
11.6.1 Layer-2 Isolation Profile Example
The following example creates a layer-2 isolation profile with the name ‘test1’.
Router(config)# wlan-l2isolation-profile test1
Router(config-wlan-l2isolation test1)# 00:a0:c5:01:23:45
Router(config-wlan-l2isolation test1)# description user1
Router(config-wlan-l2isolation test1)# exit
Router(config)#

11.7 WDS Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 37 Input Values for General WDS Profile Commands
LABEL DESCRIPTION
wds_profile_name
    The WDS profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following table describes the commands available for WDS profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 38 Command Summary: WDS Profile
COMMAND DESCRIPTION
show wlan-wds-profile {all | rule_count | [wds_profile_name]}
    Displays the WDS profile(s) settings.
    all: Displays settings of all WDS profiles configured on the Zyxel Device.
    rule_count: Displays how many WDS profiles are created on the Zyxel Device.
    wds_profile_name: Displays settings of the specified profile.
wlan-wds-profile rename wds_profile_name1 wds_profile_name2
    Gives the existing WDS profile (wds_profile_name1) a new name, (wds_profile_name2).
[no] wlan-wds-profile wds_profile_name
    Enters configuration mode for the specified WDS profile.
psk psk
    Sets a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters. The key is used to encrypt the traffic between the APs.
ssid ssid
    Sets the SSID with which you want the Zyxel Device to connect to a root AP or repeater to form a WDS.
exit
    Exits configuration mode for this profile.
11.7.1 WDS Profile Example
The following example creates a WDS profile with the name ‘WDS1’, and shows the profile settings.
Router(config)# wlan-wds-profile WDS1
Router(config-wlan-wds WDS1)# ssid Zyxel-WDS
Router(config-wlan-wds WDS1)# psk qwer1234
Router(config-wlan-wds WDS1)# exit
Router(config)# show wlan-wds-profile WDS1
wds profile: WDS1
reference: 0
Id: 2
Description:
WDS_SSID: Zyxel-WDS
WDS_PSK: qwer1234
Router(config)#
Chapter 12 Rogue AP
CHAPTER 12
This chapter shows you how to set up Rogue Access Point (AP) detection and containment.

12.1 Rogue AP Detection Overview

Rogue APs are wireless access points operating in a network’s coverage area that are not under the control of the network’s administrators, and can potentially open holes in the network security. Attackers can take advantage of a rogue AP’s weaker (or non-existent) security to gain illicit access to the network, or set up their own rogue APs in order to capture information from WiFi clients.

Rogue AP

Conversely, a friendly AP is one that the Zyxel Device network administrator regards as non-threatening. This does not necessarily mean the friendly AP must belong to the network managed by the Zyxel Device; rather, it is any unmanaged AP within range of the Zyxel Device’s own wireless network that is allowed to operate without being contained. This can include APs from neighboring companies, for example, or even APs maintained by your company’s employees that operate outside of the established network.

12.2 Rogue AP Detection Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 39 Input Values for Rogue AP Detection Commands
LABEL DESCRIPTION
ap_mac
    Specifies the MAC address (in XX:XX:XX:XX:XX:XX or XX-XX-XX-XX-XX-XX format) of the AP to be added to either the rogue AP or friendly AP list. The no command removes the entry.
description2
    Sets the description of the AP. You may use 1-60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
The following table describes the commands available for rogue AP detection. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 40 Command Summary: Rogue AP Detection
COMMAND DESCRIPTION
rogue-ap detection
    Enters sub-command mode for rogue AP detection.
[no] activate
    Activates rogue AP detection. Use the no parameter to deactivate rogue AP detection.
[no] ap-mode detection activate
    Sets the Zyxel Device to detect Rogue APs in the network. Use the no parameter to disable rogue AP detection.
detect interval <10..1440>
    Sets the time interval (in seconds) at which the Zyxel Device scans for rogue APs.
friendly-ap ap_mac description2
    Sets the device that owns the specified MAC address as a friendly AP. You can also assign a description to this entry on the friendly AP list.
no friendly-ap ap_mac
    Removes the device that owns the specified MAC address from the friendly AP list.
rogue-ap ap_mac description2
    Sets the device that owns the specified MAC address as a rogue AP. You can also assign a description to this entry on the rogue AP list.
no rogue-ap ap_mac
    Removes the device that owns the specified MAC address from the rogue AP list.
[no] rogue-rule {hidden-ssid|ssid-keyword|weak-security}
    Specifies the characteristic(s) an AP should have for the Zyxel Device to classify it as a Rogue AP.
    Use the no parameter to remove the classification rule.
[no] rogue-rule keyword <ssid>
    Adds an SSID Keyword.
    Use the no parameter to remove the SSID keyword.
exit
    Exits configuration mode for rogue AP detection.
show rogue-ap detection keyword list
    Displays the SSID keyword(s) an AP should have for the Zyxel Device to rule it as a Rogue AP.
show rogue-ap detection monitoring
    Displays a table of detected APs and information about them, such as their MAC addresses, when they were last seen, and their SSIDs, to name a few.
show rogue-ap detection list {rogue|friendly|all}
    Displays the specified rogue/friendly/all AP list.
show rogue-ap detection status
    Displays whether rogue AP detection is on or off.
show rogue-ap detection info
    Displays a summary of the number of detected devices from the following categories: rogue, friendly, ad-hoc, unclassified, and total.
12.2.1 Rogue AP Detection Examples
This example sets the device associated with MAC address 00:13:49:11:11:11 as a rogue AP, and the device associated with MAC address 00:13:49:11:11:22 as a friendly AP. It then removes MAC address 00:13:49:11:11:11 from the rogue AP list, on the assumption that it was misidentified.
Router(config)# rogue-ap detection
Router(config-detection)# rogue-ap 00:13:49:11:11:11 rogue
Router(config-detection)# friendly-ap 00:13:49:11:11:22 friendly
Router(config-detection)# no rogue-ap 00:13:49:11:11:11
Router(config-detection)# exit
This example displays the rogue AP detection list.
Router(config)# show rogue-ap detection list rogue
no.  mac                description  contain
===========================================================================
1    00:13:49:18:15:5A               0
This example shows the friendly AP detection list.
Router(config)# show rogue-ap detection list friendly
no.  mac                description
===========================================================================
1    11:11:11:11:11:11  third floor
2    00:13:49:11:22:33
3    00:13:49:00:00:05
4    00:13:49:00:00:01
5    00:0D:0B:CB:39:33  dept1
This example shows the combined rogue and friendly AP detection list.
Router(config)# show rogue-ap detection list all
no.  role         mac                description
===========================================================================
1    friendly-ap  11:11:11:11:11:11  third floor
2    friendly-ap  00:13:49:11:22:33
3    friendly-ap  00:13:49:00:00:05
4    friendly-ap  00:13:49:00:00:01
5    friendly-ap  00:0D:0B:CB:39:33  dept1
6    rogue-ap     00:13:49:18:15:5A
This example shows both the status of rogue AP detection and the summary of detected APs.
Router(config)# show rogue-ap detection status
rogue-ap detection status: on
Router(config)# show rogue-ap detection info
rogue ap: 1
friendly ap: 4
adhoc: 4
unclassified ap: 0
total devices: 0
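Because a friendly-ap entry exempts an AP from rogue classification, the friendly list is worth reviewing against an inventory. The Python below is an added example, not part of the Zyxel guide: it parses the `show rogue-ap detection list all` output shown above and reports friendly entries that are missing from an approved inventory, have no description, or carry a MAC address with the group (multicast) bit set, which a real BSSID never has. The approved inventory and the finding names are constructed for the illustration.

```python
import re

# Output of "show rogue-ap detection list all" as printed in the example above.
SAMPLE_OUTPUT = """\
Router(config)# show rogue-ap detection list all
no.  role         mac                description
===========================================================================
1    friendly-ap  11:11:11:11:11:11  third floor
2    friendly-ap  00:13:49:11:22:33
3    friendly-ap  00:13:49:00:00:05
4    friendly-ap  00:13:49:00:00:01
5    friendly-ap  00:0D:0B:CB:39:33  dept1
6    rogue-ap     00:13:49:18:15:5A
"""

# Constructed inventory of APs the administrator has deliberately approved.
APPROVED = {"00:13:49:11:22:33", "00:13:49:00:00:05", "00-0D-0B-CB-39-33"}

ROW = re.compile(
    r"^\s*(\d+)\s+(friendly-ap|rogue-ap)\s+"
    r"((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\s*(.*?)\s*$"
)


def normalize(mac):
    """Accept both XX:XX:... and XX-XX-... forms, as the ap_mac input does."""
    return mac.lower().replace("-", ":")


def parse_list_all(output):
    entries = []
    for line in output.splitlines():
        m = ROW.match(line)  # header, separator and prompt lines do not match
        if m:
            entries.append({
                "no": int(m.group(1)),
                "role": m.group(2),
                "mac": normalize(m.group(3)),
                "description": m.group(4),
            })
    return entries


def is_group_address(mac):
    """True when the I/G bit (lowest bit of the first octet) is set."""
    return int(mac[:2], 16) & 1 == 1


def audit(entries, approved):
    approved = {normalize(m) for m in approved}
    findings = {}
    for e in entries:
        issues = []
        if is_group_address(e["mac"]):
            issues.append("not-unicast")
        if e["role"] == "friendly-ap":
            if e["mac"] not in approved:
                issues.append("unapproved-friendly")
            if not e["description"]:
                issues.append("no-description")
        if issues:
            findings[e["mac"]] = issues
    return findings


if __name__ == "__main__":
    for mac, issues in audit(parse_list_all(SAMPLE_OUTPUT), APPROVED).items():
        print(mac, ", ".join(issues))
```
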
Chapter 13 Wireless Frame Capture
CHAPTER 13

Wireless Frame Capture

This chapter shows you how to configure and use wireless frame capture on the Zyxel Device.

13.1 Wireless Frame Capture Overview

Troubleshooting wireless LAN issues has always been a challenge. Wireless sniffer tools like Ethereal can help capture and decode packets of information, which can then be analyzed for debugging. It works well for local data traffic, but if your devices are spaced increasingly farther away then it often becomes correspondingly difficult to attempt remote debugging. Complicated wireless packet collection is arguably an arduous and perplexing process. The wireless frame capture feature in the Zyxel Device can help.
This chapter describes the wireless frame capture commands, which allow a network administrator to capture wireless traffic information and download it as an Ethereal/Tcpdump-compatible packet file for analysis.

13.2 Wireless Frame Capture Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 41 Input Values for Wireless Frame Capture Commands
LABEL DESCRIPTION
ip_address
    The IP address of the Access Point (AP) that you want to monitor. Enter a standard IPv4 IP address (for example, 192.168.1.2).
mon_file_size
    The size (in kbytes) of file to be captured. It stops the capture and generates the capture file when either it reaches this size or the total combined size of all files in the directory reaches the maximum size which is 50 megabytes (51200 kbytes).
file_name
    The file name prefix for each captured file. The default prefix is monitor while the default file name is monitor.dump.
    You can use 1-31 alphanumeric characters, underscores or dashes but the first character cannot be a number. This string is case sensitive.
The following table describes the commands available for wireless frame capture. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 42 Command Summary: Wireless Frame Capture
COMMAND DESCRIPTION
frame-capture configure
    Enters sub-command mode for wireless frame capture.
src-ip add ip_address
    Sets the IP address of an AP controlled by the Zyxel Device that you want to monitor. You can use this command multiple times to add additional IPs to the monitor list.
file-prefix file_name
    Sets the file name prefix for each captured file. Enter up to 31 alphanumeric characters. Spaces and underscores are not allowed.
files-size mon_file_size
    Sets the size (in kbytes) of files to be captured.
exit
    Exits configuration mode for wireless frame capture.
[no] frame-capture activate
    Starts wireless frame capture. Use the no parameter to turn it off.
show frame-capture status
    Displays whether frame capture is running or not.
show frame-capture config
    Displays the frame capture configuration.
13.2.1 Wireless Frame Capture Examples
This example configures the wireless frame capture parameters for an AP located at IP address 192.168.1.2.
Router(config)# frame-capture configure
Router(frame-capture)# src-ip add 192.168.1.2
Router(frame-capture)# file-prefix monitor
Router(frame-capture)# files-size 1000
Router(frame-capture)# exit
Router(config)#
This example shows frame capture status and configuration.
Router(config)# show frame-capture status
capture status: off
Router(config)# show frame-capture config
capture source: 192.168.1.2
file prefix: monitor
file size: 1000
Chapter 14 Dynamic Channel Selection
CHAPTER 14

Dynamic Channel Selection

This chapter shows you how to configure and use dynamic channel selection on the Zyxel Device.

14.1 DCS Overview

Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by passively listening to the area around it and determining what channels are currently being broadcast on by other devices.
When numerous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if some or all of them are broadcasting on the same radio channel. This can make accessing the network potentially rather difficult for the stations connected to them. If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a minimum degree of channel interference.

14.2 DCS Commands

See Section 11.2 on page 69 for detailed information about how to configure DCS settings in a radio profile.
The following table describes the commands available for dynamic channel selection. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 43 Command Summary: DCS
COMMAND DESCRIPTION
dcs now
    Sets the Zyxel Device to scan for and select an available channel immediately.
Chapter 15 Wireless Load Balancing
CHAPTER 15

Wireless Load Balancing

This chapter shows you how to configure wireless load balancing.

15.1 Wireless Load Balancing Overview

Wireless load balancing is the process whereby you limit the number of connections allowed on a wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it. Because there is a hard upper limit on the AP’s wireless bandwidth, this can be a crucial function in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the available bandwidth to the point where each connecting device receives a meager trickle, the load balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity.

15.2 Wireless Load Balancing Commands

The following table describes the commands available for wireless load balancing. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 44 Command Summary: Load Balancing
COMMAND DESCRIPTION
[no] load-balancing kickout
    Enables an overloaded AP to disconnect (“kick”) idle clients or clients with noticeably weak connections.
load-balancing mode {station | traffic | smart-classroom}
    Enables load balancing based on either number of stations (also known as WiFi clients) or wireless traffic on an AP.
    station or traffic: once the threshold is crossed (either the maximum station numbers or with network traffic), the Zyxel Device delays association request and authentication request packets from any new station that attempts to make a connection.
    smart-classroom: the Zyxel Device ignores association request and authentication request packets from any new station when the maximum number of stations is reached.
load-balancing max sta <1..127>
    If load balancing by the number of stations/WiFi clients, this sets the maximum number of devices allowed to connect to a load-balanced AP.
load-balancing traffic level {high | low | medium}
    If load balancing by traffic threshold, this sets the traffic threshold level.
load-balancing alpha <1..255>
    Sets the load balancing alpha value.
    When the AP is balanced, then this setting delays a client’s association with it by this number of seconds.
    Note: This parameter has been optimized for the Zyxel Device and should not be changed unless you have been specifically directed to do so by Zyxel support.
load-balancing beta <1..255>
    Sets the load balancing beta value.
    When the AP is overloaded, then this setting delays a client’s association with it by this number of seconds.
    Note: This parameter has been optimized for the Zyxel Device and should not be changed unless you have been specifically directed to do so by Zyxel support.
load-balancing sigma <51..100>
    Sets the load balancing sigma value.
    This value is an algorithm parameter used to calculate whether an AP is considered overloaded, balanced, or underloaded. It only applies to ‘by traffic mode’.
    Note: This parameter has been optimized for the Zyxel Device and should not be changed unless you have been specifically directed to do so by Zyxel support.
load-balancing timeout <1..255>
    Sets the length of time that an AP retains load balancing information it receives from other APs within its range.
load-balancing liInterval <1..255>
    Sets the interval in seconds that each AP communicates with the other APs in its range for calculating the load balancing algorithm.
    Note: This parameter has been optimized for the Zyxel Device and should not be changed unless you have been specifically directed to do so by Zyxel support.
load-balancing kickInterval <1..255>
    Enables the kickout feature for load balancing and also sets the kickout interval in seconds. While load balancing is enabled, the AP periodically disconnects stations at intervals equal to this setting.
    This occurs until the load balancing threshold is no longer exceeded.
show load-balancing config
    Displays the load balancing configuration.
show load-balancing loading
    Displays the loading status per radio (underload / balance / overload) when you enable the load balancing function.
[no] load-balancing activate
    Enables load balancing. Use the no parameter to disable it.
15.2.1 Wireless Load Balancing Examples
The following example shows you how to configure AP load balancing in "by station" mode. The maximum number of stations is set to 1.
Router(config)# load-balancing mode station
Router(config)# load-balancing max sta 1
Router(config)# show load-balancing config
load balancing config:
Activate: yes
Kickout: no
Mode: station
Max-sta: 1
Traffic-level: high
Alpha: 5
Beta: 10
Sigma: 60
Timeout: 20
LIInterval: 10
KickoutInterval: 20
The following example shows you how to configure AP load balancing in "by traffic" mode. The traffic level is set to low, and "disassociate station" is enabled.
Router(config)# load-balancing mode traffic
Router(config)# load-balancing traffic level low
Router(config)# load-balancing kickout
Router(config)# show load-balancing config
load balancing config:
Activate: yes
Kickout: yes
Mode: traffic
Max-sta: 1
Traffic-level: low
Alpha: 5
Beta: 10
Sigma: 60
Timeout: 20
LIInterval: 10
KickoutInterval: 20
CHAPTER 16

Bluetooth

This chapter shows you how to configure the iBeacon advertising settings for the Zyxel Device that supports Bluetooth Low Energy (BLE). Bluetooth Low Energy, which is also known as Bluetooth Smart, transmits less data over a shorter distance but consumes less power than classic Bluetooth. Check the feature comparison table in Section 1.2 on page 12 to see which models support the BLE feature.

16.1 Bluetooth Overview

iBeacon is Apple’s communication protocol on top of Bluetooth Low Energy wireless technology. Beacons (Bluetooth radio transmitters) or BLE enabled devices broadcast packets to every device around them to announce their presence. Advertising packets contain their iBeacon ID, which consists of the Universally Unique Identifier (UUID), major number, and minor number. These packets also contain a TX (transmit) power measured at a reference point, which is used to approximate a device’s distance from the beacon. The UUID can be used to identify a service, a device, a manufacturer or an owner. The 2-byte major number is used to identify and distinguish a group, and the 2-byte minor number is used to identify and distinguish an individual.

For example, a company can set all its beacons to share the same UUID. The beacons in a particular branch use the same major number, and each beacon in a branch can have its own minor number.
COMPANY A
BRANCH X BRANCH Y
BEACON 1 BEACON 2 BEACON 3
UUID EBAECFAF-DFE0-4039-BE5A-F030EED4303C
Major 10 10 20
Minor 12 1
Developers can create apps that respond to the iBeacon ID that your Zyxel Device broadcasts. An app that is associated with the Zyxel Device’s iBeacon ID can measure the proximity of a customer to a beacon. This app can then push messages or trigger prompts and actions based on this information. This allows you to send highly contextual and highly localized advertisements to customers.
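The following is an added example, not code from the Zyxel guide: it parses the iBeacon ID fields described above out of an advertisement's manufacturer data, estimates distance from the TX power field, and checks an observed beacon against a known inventory. The 4-byte Apple prefix, the 1 m reference distance, the path-loss exponent and the minor numbers in the inventory are assumptions that this guide does not state.

```python
import struct
import uuid

# Manufacturer-specific data of an iBeacon advertisement (the AD structure body
# after the 0xFF type byte): Apple company ID 0x004C (little-endian), beacon
# type 0x02, payload length 0x15, then UUID(16) + major(2) + minor(2) + power(1).
IBEACON_PREFIX = bytes.fromhex("4c000215")

# Constructed inventory for the guide's COMPANY A example. The UUID and the
# major numbers 10 and 20 come from the guide; the minor numbers are assumed.
COMPANY_UUID = uuid.UUID("EBAECFAF-DFE0-4039-BE5A-F030EED4303C")
KNOWN_BEACONS = {(10, 1), (10, 2), (20, 1)}


def parse_ibeacon(mfg_data: bytes):
    """Return (uuid, major, minor, tx_power_dbm), or None if not an iBeacon frame."""
    if len(mfg_data) != 25 or not mfg_data.startswith(IBEACON_PREFIX):
        return None
    # Major and minor are big-endian unsigned 16-bit; TX power is a signed byte.
    raw_uuid, major, minor, tx_power = struct.unpack(">16sHHb", mfg_data[4:])
    return uuid.UUID(bytes=raw_uuid), major, minor, tx_power


def estimate_distance_m(tx_power_dbm: int, rssi_dbm: int, path_loss_exp: float = 2.0) -> float:
    """Log-distance path-loss estimate; tx_power_dbm is the calibrated RSSI at 1 m."""
    return 10 ** ((tx_power_dbm - rssi_dbm) / (10 * path_loss_exp))


def classify(mfg_data: bytes) -> str:
    """Compare an observed advertisement against the beacon inventory."""
    beacon = parse_ibeacon(mfg_data)
    if beacon is None:
        return "not-ibeacon"
    beacon_uuid, major, minor, _ = beacon
    if beacon_uuid != COMPANY_UUID:
        return "foreign"
    return "known" if (major, minor) in KNOWN_BEACONS else "unlisted"


def build_frame(beacon_uuid: uuid.UUID, major: int, minor: int, tx_power: int) -> bytes:
    """Build a constructed sample frame (test input, not a capture)."""
    return IBEACON_PREFIX + struct.pack(">16sHHb", beacon_uuid.bytes, major, minor, tx_power)


if __name__ == "__main__":
    sample = build_frame(COMPANY_UUID, 10, 2, -59)
    print(parse_ibeacon(sample), classify(sample))
    print(round(estimate_distance_m(-59, -79), 1), "m")
```

An "unlisted" result means the frame carries the company UUID with a major/minor pair that is not in the inventory, which is worth reviewing during a site survey.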