This manual is intended for people who want to configure the NXC using
the Web Configurator.
Related Documentation
• Quick Start Guide
The Quick Start Guide is designed to show you how to make the NXC hardware
connections and access the Web Configurator wizards. (See the wizard real time
help for information on configuring each screen.) It also contains a connection
diagram and package contents list.
• CLI Reference Guide
The CLI Reference Guide explains how to use the Command-Line Interface (CLI)
to configure the NXC.
Note: It is recommended you use the Web Configurator to configure the NXC.
• Web Configurator Online Help
Click the help icon in any screen for help in configuring that screen and
supplementary information.
• ZyXEL Web Site
Please refer to www.zyxel.com for additional support documentation and
product certifications.
User Guide Feedback
Help us help you. Send all User Guide-related comments, questions or suggestions
for improvement to the following address, or use e-mail instead. Thank you!
The Technical Writing Team,
ZyXEL Communications Corp.,
6 Innovation Road II,
Science-Based Industrial Park,
Hsinchu, 300, Taiwan.
E-mail: techwriters@zyxel.com.tw
NXC5200 User’s Guide
About This User's Guide
Need More Help?
More help is available at www.zyxel.com.
• Download Library
Search for the latest product updates and documentation from this link. Read
the Tech Doc Overview to find out how to efficiently use the User Guide, Quick
Start Guide and Command Line Interface Reference Guide in order to better
understand how to use your product.
• Knowledge Base
If you have a specific question about your product, the answer may be here.
This is a collection of answers to previously asked questions about ZyXEL
products.
• Forum
This contains discussions on ZyXEL products. Learn from others who use ZyXEL
products and share your experiences as well.
Customer Support
Should problems arise that cannot be solved by the methods listed above, you
should contact your vendor. If you cannot contact your vendor, then contact a
ZyXEL office for the region in which you bought the device.
See http://www.zyxel.com/web/contact_us.php for contact information. Please
have the following information ready when you contact an office.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Disclaimer
Graphics in this book may differ slightly from the product due to differences in
operating systems, operating system versions, or if you installed updated
firmware/software for your device. Every effort has been made to ensure that the
information in this manual is accurate.
Document Conventions
Warnings and Notes
These are how warnings and notes are shown in this User’s Guide.
Warnings tell you about things that could harm you or your device.
Note: Notes tell you other important information (for example, other things you may
need to configure or helpful tips) or recommendations.
Syntax Conventions
• The product may be referred to as the “NXC”, the “device”, the “system” or the
“product” in this User’s Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
• A key stroke is denoted by square brackets and uppercase text, for example,
[ENTER] means the “enter” or “return” key on your keyboard.
• “Enter” means for you to type one or more characters and then press the
[ENTER] key. “Select” or “choose” means for you to use one of the predefined
choices.
• A right angle bracket ( > ) within a screen name denotes a mouse click. For
example, Maintenance > Log > Log Setting means you first click
Maintenance in the navigation panel, then the Log sub menu and finally the
Log Setting tab to get to that screen.
• Units of measurement may denote the “metric” value or the “scientific” value.
For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may
denote “1000000” or “1048576” and so on.
• “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other
words”.
Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The NXC icon is
not an exact representation of your device.
Icons shown: NXC, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router.
Safety Warnings
• Do NOT use this product near water, for example, in a wet basement or near a swimming
pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk
of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• Do NOT open the device or unit. Opening or removing covers can expose you to
dangerous high voltage points or other risks. ONLY qualified service personnel should
service or disassemble this device. Please contact your vendor for further information.
• Make sure to connect the cables to the correct ports.
• Place connecting cables carefully so that no one will step on them or stumble over them.
• Always disconnect all cables from this device before servicing or disassembling.
• Caution: This unit has more than one power supply cord. Disconnect two power supply
cords before servicing to avoid electric shock. (has multiple power cords, e.g., chassis-based Ethernet switch. Make sure you specify the correct number of power cords in both
the English and the French that follows)
• Attention: Cet appareil comporte plus d'un cordon d'alimentation. Afin de prévenir les
chocs électriques, débrancher les deux cordons d'alimentation avant de faire le
dépannage.
• Use ONLY an appropriate power adaptor or cord for your device. Connect it to the right
supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• Do NOT remove the plug and connect it to a power outlet by itself; always attach the plug
to the power adaptor first before connecting it to a power outlet.
• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the
product where anyone can walk on the power adaptor or cord.
• Do NOT use the device if the power adaptor or cord is damaged as it might cause
electrocution.
• If the power adaptor or cord is damaged, remove it from the device and the power
source.
• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a
new one.
• Do not use the device outside, and make sure all the connections are indoors. There is a
remote risk of electric shock from lightning.
• CAUTION: RISK OF EXPLOSION IF BATTERY (on the motherboard) IS REPLACED BY AN
INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
Dispose them at the applicable collection point for the recycling of electrical and
electronic equipment. For detailed information about recycling of this product, please
contact your local city office, your household waste disposal service or the store where
you purchased the product.
• Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your
device.
Your product is marked with this symbol, which is known as the WEEE mark. WEEE
stands for Waste Electronics and Electrical Equipment. It means that used electrical
and electronic products should not be mixed with general waste. Used electrical and
electronic equipment should be treated separately.
The NXC is a comprehensive wireless LAN controller. Its flexible configuration
helps network administrators set up wireless LAN networks and efficiently enforce
security policies over them. In addition, the NXC provides excellent throughput,
making it an ideal solution for reliable, secure service.
The NXC’s security features include firewall, anti-virus, Intrusion Detection and
Prevention (IDP), Anomaly Detection and Protection (ADP), and certificates. It
also provides bandwidth management, captive portal configuration, NAT, port
forwarding, policy routing, DHCP server, extensive wireless AP control options, and
many other powerful features. Flexible configuration helps you set up the network
and enforce security policies efficiently.
The front panel physical Gigabit Ethernet ports (labeled P1, P2, P3, and so on)
are mapped to Gigabit Ethernet (ge) interfaces. By default P1 is mapped to ge1, P2 is mapped to ge2 and so on.
• The default LAN IP address is 192.168.1.1.
• The default administrator login user name and password are “admin” and
“1234” respectively.
1.2 Rack-mounted Installation
Note: ZyXEL provides a sliding rail accessory for your use with your device. Please
contact your local vendor for details.
The NXC can be mounted on an EIA standard size, 19-inch rack or in a wiring
closet with other equipment. Follow the steps below to mount your NXC on a
standard EIA rack using a rack-mounting kit. Make sure the rack will safely
support the combined weight of all the equipment it contains and that the position
of the NXC does not make the rack unstable or top-heavy. Take all necessary
precautions to anchor the rack securely before installing the unit.
Note: Leave 10 cm of clearance at the sides and 20 cm in the rear.
Use a #2 Phillips screwdriver to install the screws.
Note: Failure to use the proper screws may damage the unit.
1.2.1 Rack-Mounted Installation Procedure
1. Align one bracket with the holes on one side of the NXC and secure it with the
included bracket screws (smaller than the rack-mounting screws).
2. Attach the other bracket in a similar fashion.
3. After attaching both mounting brackets, position the NXC in the rack by lining up
the holes in the brackets with the appropriate holes on the rack. Secure the NXC
to the rack with the rack-mounting screws.
1.2.2 LAN Module Installation Procedure
1. Turn the NXC over so that its bottom side faces up, then remove the LAN module
screw.
2. Slide the empty LAN Module tray out of the NXC chassis.
3. Slide the LAN Module into the empty module bay, gently but firmly pressing it into
the NXC’s logic board until you feel it snap into place.
4. Secure the newly installed LAN Module with the screw you removed in step 1.
1.3 Front and Back Panels
This section gives you an overview of the front and back panels. There are three
possible front panel configurations, depending on how the expansion bay is used.
The back panel remains static across all configurations.
In configuration 1, the expansion bay is empty.
Figure 1 NXC Front Panel - Configuration 1
In configuration 2, the expansion bay utilizes an Ethernet module which provides
an additional 4 Ethernet ports.
Figure 2 NXC Front Panel - Configuration 2
In configuration 3, the expansion bay utilizes a Fiber port module, which provides
fiber optic connectivity. This allows you to expand management of your APs to
distances greater than allowed by pure Ethernet connections.
Figure 3 NXC Front Panel - Configuration 3
Here is the back panel for all configurations.
Figure 4 NXC Back panel - All Configurations
1.3.1 1000Base-T Ports
The 1000Base-T auto-negotiating, auto-crossover Ethernet ports support 100/
1000 Mbps Gigabit Ethernet so the speed can be 100 Mbps or 1000 Mbps. The
duplex mode can be either half or full duplex at 100 Mbps and full duplex only at
1000 Mbps. An auto-negotiating port can detect and adjust to the optimum
Ethernet speed (100/1000 Mbps) and duplex mode (full duplex or half duplex) of
the connected device.
An auto-crossover (auto-MDI/MDI-X) port automatically works with a straight-through or crossover Ethernet cable.
Default Ethernet Settings
The factory default negotiation settings for the Ethernet ports on the NXC are:
• Speed: Auto
• Duplex: Auto
• Flow control: On (you cannot configure the flow control setting, but the NXC can
negotiate with the peer and turn it off if needed)
1.3.2 Optional Fiber Ports
Fiber connectivity requires a few additional considerations when you deploy the
NXC with that in mind.
Figure 5 Fiber Connection Example (labels: CS, PoE, NXC, AP)
First, you must have a fiber-based Core Switch (CS) upstream of the NXC. It
connects to one of the available fiber ports in the Fiber port module loaded into
the NXC’s expansion bay. Next, an additional fiber connection is established
between the NXC and a downstream fiber-based Power over Ethernet (PoE)
capable of converting Fiber-to-Ethernet data packets (such as the ZyXEL MC1000SFP-FP). Finally, you connect your AP to the edge switch using an Ethernet cable.
1.3.3 Front Panel LEDs
This section describes the front panel LEDs.
Figure 6 NXC Front Panel - Configuration 3 (callouts: Ethernet Link and Status; Fiber 5 / 6 and Fiber 7 / 8 Link)
The following table describes the LEDs.
Table 1 Front Panel LEDs
LED | COLOR | STATUS | DESCRIPTION
POWER | | Off | The power module is turned off, not receiving power, or not functioning.
 | Green | On | The power module is operating.
STATUS | | Off | The NXC is turned off.
 | Green | On | The NXC is ready and operating normally.
 | | Flashing | The NXC is self-testing.
Ethernet Link | Amber | On | The port has a connected RJ-45 cable.
 | | Flashing | The port is sending and receiving data.
Ethernet Status | Green | On | The port is functioning at 10/100M speed.
 | Amber | On | The port is functioning at 1000M speed.
Fiber Link | Amber | On | The port has a connected fiber cable.
1.4 Management Overview
You can use the following ways to manage the NXC.
Web Configurator
The Web Configurator allows easy NXC setup and management using an Internet
browser. This User’s Guide provides information about the Web Configurator.
Command-Line Interface (CLI)
The CLI allows you to use text-based commands to configure the NXC. You can
access it using remote management (for example, SSH or Telnet) or via the
console port. See the Command Reference Guide for more information.
Console Port
You can use the console port to manage the NXC using CLI commands. See the
Command Reference Guide for more information about the CLI.
The default settings for the console port are as follows.
Table 2 Console Port Default Settings
SETTING | VALUE
Speed | 115200 bps
Data Bits | 8
Parity | None
Stop Bit | 1
Flow Control | Off
1.5 Starting and Stopping the NXC
Here are some of the ways to start and stop the NXC.
Always use Maintenance > Shutdown or the shutdown command
before you turn off the NXC or remove the power. Not doing so can
cause the firmware to become corrupt.
Table 3 Starting and Stopping the NXC
METHOD | DESCRIPTION
Turning on the power | A cold start occurs when you turn on the power to the NXC. The NXC powers up, checks the hardware, and starts the system processes.
Rebooting the NXC | A warm start (without powering down and powering up again) occurs when you use the Reboot button in the Reboot screen or when you use the reboot command. The NXC writes all cached data to the local storage, stops the system processes, and then does a warm start.
Using the RESET button | If you press the RESET button, the NXC sets the configuration to its default values and then reboots.
Clicking Maintenance > Shutdown > Shutdown or using the shutdown command | Clicking Maintenance > Shutdown > Shutdown or using the shutdown command writes all cached data to the local storage and stops the system processes. Wait for the device to shut down and then manually turn off or remove the power. It does not turn off the power.
Disconnecting the power | Power off occurs when you turn off the power to the NXC. The NXC simply turns off. It does not stop the system processes or write cached data to local storage.
The NXC does not stop or start the system processes when you apply
configuration files or run shell scripts although you may temporarily lose access to
network resources.
CHAPTER 2
Features and Applications
This chapter introduces the main features and applications of the NXC.
2.1 Features
The NXC is a wireless LAN controller. It has security features that include firewall,
anti-virus, Intrusion Detection and Prevention (IDP), Anomaly Detection and
Protection (ADP), and certificates. It also provides bandwidth management, NAT,
port forwarding, captive portal configuration, policy routing, DHCP server, wireless
AP control options, and many other powerful features.
Data Forwarding
The NXC allows you to seamlessly manage the Access Points (APs) on your
network by having all configurable data tunneled to it or bridged to the local
network based on SSID settings.
AP Monitoring
You can assign a number of APs to act as wireless monitors, which can detect
rogue APs and help you in building a list of friendly ones. This gives you a security
advantage when setting up your network to prevent intrusions.
Managed APs
The NXC is initially configured to support up to 48 managed APs (such as the
NWA5160N). You can increase this by subscribing to additional licenses. As of this
writing, each license upgrade allows an additional 48 managed APs while the
maximum number of APs a single NXC can support is 240.
Flexible Security Zones
Many security settings are applied by zone, not by interface, port, or network. As
a result, it is much simpler to set up and to change security settings in the NXC.
You can create your own custom zones.
Firewall
The NXC’s firewall is a stateful inspection firewall. The NXC restricts access by
screening data packets against defined access rules. It can also inspect sessions.
For example, traffic from one zone is not allowed unless it is initiated by a
computer in another zone first.
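The session-aware behaviour described above can be sketched as follows. This is an added illustration, not ZyXEL firmware code; the class, the zone names, the rule format and the 60-second idle timeout are assumptions made for the example.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 60  # seconds; assumed value, not an NXC default


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class ZoneFirewall:
    """Toy stateful firewall: rules are written per zone pair, replies follow sessions."""

    def __init__(self, allow_new):
        # allow_new: set of (from_zone, to_zone, proto, dst_port) that may OPEN a session
        self.allow_new = set(allow_new)
        self.sessions = {}  # flow key -> time the flow was last seen

    @staticmethod
    def _flow(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_flow(p):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def _expire(self, now):
        # Drop sessions that have been idle longer than the timeout.
        stale = [k for k, seen in self.sessions.items() if now - seen > IDLE_TIMEOUT]
        for key in stale:
            del self.sessions[key]

    def check(self, p, now):
        self._expire(now)
        # Packets belonging to a tracked session pass without a rule lookup.
        for key, verdict in ((self._flow(p), "allow-established"),
                             (self._reverse_flow(p), "allow-reply")):
            if key in self.sessions:
                self.sessions[key] = now
                return verdict
        # Otherwise the packet must match a zone-to-zone rule to open a session.
        if (p.src_zone, p.dst_zone, p.proto, p.dst_port) in self.allow_new:
            self.sessions[self._flow(p)] = now
            return "allow-new"
        return "drop"


def demo():
    # Constructed sample traffic: only LAN -> WAN HTTPS may start a session.
    fw = ZoneFirewall({("LAN", "WAN", "tcp", 443)})
    out = Packet("LAN", "WAN", "192.168.1.33", 50000, "203.0.113.10", 443)
    back = Packet("WAN", "LAN", "203.0.113.10", 443, "192.168.1.33", 50000)
    other = Packet("WAN", "LAN", "203.0.113.10", 443, "192.168.1.33", 50001)
    return [
        fw.check(back, now=0),    # unsolicited WAN -> LAN traffic
        fw.check(out, now=1),     # LAN host opens the session
        fw.check(back, now=2),    # reply to that session
        fw.check(other, now=3),   # same server, but no matching session
        fw.check(back, now=100),  # session idle past the timeout
    ]


if __name__ == "__main__":
    print(demo())
```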
Intrusion Detection and Prevention (IDP)
IDP (Intrusion Detection and Protection) can detect malicious or suspicious
packets and respond instantaneously. It detects pattern-based attacks in order to
protect against network-based intrusions. See Section 21.5.1 on page 314 for a
list of attacks that the NXC can protect against. You can also create your own
custom IDP rules.
Anomaly Detection and Prevention (ADP)
ADP (Anomaly Detection and Prevention) can detect malicious or suspicious
packets and respond instantaneously. It can detect:
• Anomalies based on violations of protocol standards (RFCs – Requests for
Comments)
• Abnormal flows such as port scans.
The NXC’s ADP protects against network-based intrusions. See Section 22.3.3 on
page 342 and Section 22.3.4 on page 345 for more on the kinds of attacks that
the NXC can protect against. You can also create your own custom ADP rules.
Bandwidth Management
Bandwidth management allows you to allocate network resources according to
defined policies. This policy-based bandwidth allocation helps your network to
better handle applications such as Internet access, e-mail, Voice-over-IP (VoIP),
video conferencing and other business-critical applications.
Anti-Virus Scanner
With the anti-virus packet scanner, your NXC scans files transmitting through the
enabled interfaces into the network. The NXC helps stop threats at the network
edge before they reach the local host computers.
Application Patrol
Application patrol manages instant messenger and peer-to-peer applications like
MSN and BitTorrent. You can even control the use of a particular application’s
individual features (like text messaging, voice, video conferencing, and file
transfers). Application patrol has powerful bandwidth management including
traffic prioritization to enhance the performance of delay-sensitive applications like
voice and video. You can also use an option that gives SIP priority over all other
traffic. This maximizes SIP traffic throughput for improved VoIP call sound quality.
2.2 Applications
These are some example applications for your NXC. See also Chapter 5 on page
71 for configuration tutorial examples.
2.2.1 AP Management
Manage up to 240 separate Access Points (APs) from a single, persistent location.
APs can also be configured to monitor for rogue APs.
Figure 7 AP Management Example
Here, the NXC (A) connects to a number of Power over Ethernet (PoE) devices
(B). They connect to the NWA5260 Access Points (C), which in turn provide access
to the network for the wireless clients (D) within their broadcast radius.
2.2.2 Wireless Security
Keep the connections between wireless clients and your APs secure with the NXC’s
comprehensive wireless security tools. APs can be configured to require WEP and
WPA encryption from all wireless clients attempting to associate with them.
Furthermore, you can protect your network by monitoring for rogue APs. Rogue
APs are wireless access points operating in a network’s coverage area that are not
under the control of the network’s administrators, and can potentially open up
critical holes in a network’s security policy.
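As an added example (not part of the NXC firmware or of this guide's original text), the following sketch shows how scan results from monitor-mode APs can be sorted into managed, friendly and rogue APs. The data layout, function names and sample BSSIDs are constructed for illustration, and the check for a non-managed radio reusing a managed SSID goes beyond what the guide describes.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str      # radio MAC address as reported by a monitor AP
    ssid: str
    channel: int
    rssi_dbm: int   # signal strength at the monitor


def norm_bssid(raw):
    """Normalise aa-bb-.., aabb.ccdd.. or AA:BB:.. into lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(observations, managed, friendly, managed_ssids):
    """Return one report row per BSSID, most urgent first."""
    managed = {norm_bssid(b) for b in managed}
    friendly = {norm_bssid(b) for b in friendly}

    # Several monitors may hear the same radio: keep the strongest sighting.
    strongest = {}
    for ob in observations:
        key = norm_bssid(ob.bssid)
        if key not in strongest or ob.rssi_dbm > strongest[key].rssi_dbm:
            strongest[key] = ob

    report = []
    for bssid, ob in strongest.items():
        if bssid in managed:
            status = "managed"      # under the controller's administration
        elif bssid in friendly:
            status = "friendly"     # known neighbour, accepted by the admin
        else:
            status = "rogue"        # in coverage area, not under admin control
        report.append({
            "bssid": bssid,
            "ssid": ob.ssid,
            "channel": ob.channel,
            "rssi_dbm": ob.rssi_dbm,
            "status": status,
            # A radio we do not manage that advertises one of our SSIDs.
            "ssid_reuse": status != "managed" and ob.ssid in managed_ssids,
        })

    rank = {"rogue": 0, "friendly": 1, "managed": 2}
    report.sort(key=lambda r: (not r["ssid_reuse"], rank[r["status"]], -r["rssi_dbm"]))
    return report


# Constructed sample data (BSSIDs taken from the IANA documentation MAC range).
MANAGED = ["00:00:5E:00:53:01", "00:00:5E:00:53:02"]
FRIENDLY = ["00-00-5e-00-53-a0"]
MANAGED_SSIDS = {"corp-wlan"}
SCAN = [
    Observation("0000.5e00.5301", "corp-wlan", 1, -40),
    Observation("00:00:5E:00:53:A0", "cafe-guest", 6, -78),
    Observation("00:00:5E:00:53:F1", "corp-wlan", 11, -60),
    Observation("00:00:5e:00:53:f1", "corp-wlan", 11, -52),  # second monitor, stronger
    Observation("00:00:5E:00:53:F2", "linksys", 6, -70),
]

if __name__ == "__main__":
    for row in classify(SCAN, MANAGED, FRIENDLY, MANAGED_SSIDS):
        print(row)
```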
2.2.3 Captive Portal
The NXC can be configured with a captive portal, which intercepts all network
traffic, regardless of address or port, until a connecting wireless user
authenticates his or her session, through a designated login Web page.
Figure 8 Applications: Captive Portal
The captive portal page only appears once per authentication session. Unless a
user idles out or closes the connection, he or she generally will not see it again
during the same session.
2.2.4 Load Balancing
With load balancing you can easily distribute wireless traffic across multiple APs to
relieve strain on your network. When a station becomes overloaded, it can
automatically delay a connection until the client associates with another network,
or it can alternatively disassociate idle clients or those clients with weak
connections from the network.
2.2.5 Dynamic Channel Selection
The NXC can automatically select the radio channel upon which its APs broadcast
by scanning the area around those APs and determining what channels are
currently being used by other devices not connected to the network.
2.2.6 User-Aware Access Control
Set up security policies that restrict access to sensitive information and shared
resources based on the user who is trying to access it.
2.2.7 Device HA
Set one NXC as the master device and an additional NXC as a backup device to
ensure that one is always available for the network.
CHAPTER 3
The Web Configurator
3.1 Overview
The NXC Web Configurator allows easy management using an Internet browser.
In order to use the Web Configurator, you must:
• Use Internet Explorer 7.0 and later or Firefox 1.5 and later
• Allow pop-up windows
• Enable JavaScript (enabled by default)
• Enable Java permissions (enabled by default)
• Enable cookies
The recommended screen resolution is 1024 x 768 pixels and higher.
3.2 Access
1. Make sure your NXC hardware is properly connected. See the Quick Start Guide.
2. Browse to https://192.168.1.1. The Login screen appears.
3. Enter the user name (default: “admin”) and password (default: “1234”).
4. Click Login. If you logged in using the default user name and password, the
Update Admin Info screen appears. Otherwise, the dashboard appears.
This screen appears every time you log in using the default user name and default
password. If you change the password for the default user account, this screen
does not appear anymore.
3.3 The Main Screen
The Web Configurator’s main screen is divided into these parts:
Figure 9 The Web Configurator’s Main Screen
• A - Title Bar
• B - Navigation Panel
• C - Main Window
3.3.1 Title Bar
The title bar provides some useful links that always appear over the screens
below, regardless of how deep into the Web Configurator you navigate.
Figure 10 Title Bar
The icons provide the following functions.
Table 4 Title Bar: Web Configurator Icons
LABEL | DESCRIPTION
Logout | Click this to log out of the Web Configurator.
Help | Click this to open the help page for the current screen.
About | Click this to display basic information about the NXC.
Site Map | Click this to see an overview of links to the Web Configurator screens.
Object Reference | Click this to open a screen where you can check which configuration items reference an object.
Console | Click this to open the console in which you can use the command line interface (CLI). See the NXC CLI Reference Guide for details.
CLI | Click this to open a popup window that displays the CLI commands sent by the Web Configurator.
3.3.2 Navigation Panel
Use the menu items on the navigation panel to open screens to configure NXC
features. Click the arrow in the middle of the right edge of the navigation panel to
hide the navigation panel menus or drag it to resize them. The following sections
introduce the NXC’s navigation panel menus and their screens.
Figure 11 Navigation Panel
3.3.2.1 Dashboard
The dashboard displays general device information, system status, system
resource usage, licensed service status, and interface status in widgets that you
can re-arrange to suit your needs.
For details on the Dashboard’s features, see Chapter 6 on page 103.
3.3.2.2 Monitor Menu
The monitor menu screens display status and statistics information.
Table 5 Monitor Menu Screens Summary
FOLDER OR LINK | TAB | FUNCTION
System Status | |
Port Statistics | | Displays packet statistics for each physical port.
Interface Status | | Displays general interface information and packet statistics.
Traffic Statistics | | Collects and displays traffic statistics.
Session Monitor | | Displays the status of all current sessions.
IP/MAC Binding | | Lists the devices that have received an IP address from NXC interfaces using IP/MAC binding.
Login Users | | Lists the users currently logged into the NXC.
Wireless | |
AP Info | AP List | Displays information about the connected APs.
 | Radio List | Displays information about the radios of the connected APs.
Station Info | | Displays information about the connected stations.
Rogue AP | | Displays information about suspected rogue APs.
AppPatrol Statistics | | Displays bandwidth and protocol statistics.
Anti-X Statistics | |
Anti-Virus | | Collects and displays statistics on the viruses that the NXC has detected.
IDP | | Collects and displays statistics on the intrusions that the NXC has detected.
Log | View Log | Lists log entries for the NXC.
 | View AP Log | Allows you to query connected APs and view log entries for them.
3.3.2.3 Configuration Menu
Use the configuration menu screens to configure the NXC’s features.
Table 6 Configuration Menu Screens Summary
FOLDER OR
LINK
Licensing
RegistrationRegistrationRegister the device and activate trial services.
Signature
Update
Wireless
ControllerConfigure how the NXC handles APs that newly
AP
Management
MON ModeConfigure how the NXC monitors for rogue APs.
InterfaceEthernetManage Ethernet interfaces and virtual Ethernet
RoutingPolicy RouteCreate and manage routing policies.
ZoneConfigure zones used to define various policies.
NATSet up and manage port forwarding rules.
ALGConfigure SIP, H.323, and FTP pass-through
IP/MAC
Binding
Captive PortalCaptive PortalAssign the captive portal web page to various
TABFUNCTION
ServiceView the licensed service status and upgrade
Anti-VirusUpdate anti-virus signatures immediately or by a
IDP/AppPatrolUpdate IDP signatures immediately or by a
System ProtectUpdate system-protect signatures immediately or
VLANCreate and manage VLAN interfaces and virtual
Static RouteCreate and manage IP static routing information.
SummaryConfigure IP to MAC address bindings for devices
Exempt ListConfigure ranges of IP addresses to which the NXC
Login PageAssign and customize the login page user’s see
licensed services.
schedule.
schedule.
by a schedule.
connect to the network.
Edit wireless AP information, remove APs, and
reboot them.
Configure load balancing for traffic moving to and
from wireless clients.
interfaces.
VLAN interfaces.
settings.
connected to each supported interface.
does not apply IP/MAC binding.
network services.
when they hit the captive portal.
46
NXC5200 User’s Guide
Chapter 3 The Web Configurator
Table 6 Configuration Menu Screens Summary (continued)
FOLDER OR
LINK
FirewallFirewallCreate and manage level-3 traffic rules.
AppPatrolGeneralEnable or disable traffic management by
Anti-X
Anti-Virus GeneralTurn anti-virus on or off, set up anti-virus policies
IDPGeneralDisplay and manage IDP bindings.
ADPGeneralDisplay and manage ADP bindings.
Device HAGeneralConfigure device HA global settings, and see the
Object
User/GroupUserCreate and manage users.
AP ProfileRadioCreate and manage wireless radio settings files
TABFUNCTION
Session LimitLimit the number of concurrent client NAT/firewall
sessions.
application and see registration and signature
information.
CommonManage traffic of the most commonly used web,
file transfer and e-mail protocols.
IMManage instant messenger traffic.
Peer to PeerManage peer-to-peer traffic.
VoIPManage VoIP traffic.
StreamingManage streaming traffic.
Other Manage other kinds of traffic.
and check the anti-virus engine type and the anti-
virus license and signature status.
Black/White List Set up anti-virus black (blocked) and white
(allowed) lists of virus file patterns.
SignatureSearch for signatures by signature name or
attributes and configure how the NXC uses them.
ProfileCreate and manage IDP profiles.
Custom
Signatures
ProfileCreate and manage ADP profiles.
Active-Passive
Mode
GroupCreate and manage groups of users.
SettingManage default settings for all users, general
SSIDCreate and manage wireless SSID, security, and
Create, import, or export custom signatures.
status of each interface monitored by device HA.
Configure active-passive mode device HA.
settings for user sessions, and rules to force user
authentication.
that can be associated with different APs.
MAC filtering settings files that can be associated
with different APs.
NXC5200 User’s Guide
47
Chapter 3 The Web Configurator
Table 6 Configuration Menu Screens Summary (continued)
FOLDER OR LINK | TAB | FUNCTION
MON Profile |  | Create and manage rogue AP monitoring files that can be associated with different APs.
Address | Address | Create and manage host, range, and network (subnet) addresses.
 | Address Group | Create and manage groups of addresses.
Service | Service | Create and manage TCP and UDP services.
 | Service Group | Create and manage groups of services.
Schedule |  | Create one-time and recurring schedules.
AAA Server | Active Directory | Configure the default Active Directory settings.
 | LDAP | Configure the default LDAP settings.
 | RADIUS | Configure the default RADIUS settings.
Auth. Method |  | Create and manage ways of authenticating users.
Certificate | My Certificates | Create and manage the NXC’s certificates.
 | Trusted Certificates | Import and manage certificates from trusted sources.
System
Host Name |  | Configure the system and domain name for the NXC.
Date/Time |  | Configure the current date, time, and time zone in the NXC.
Console Speed |  | Set the console speed.
DNS |  | Configure the DNS server and address records for the NXC.
WWW |  | Configure HTTP, HTTPS, and general authentication.
SSH |  | Configure SSH server and SSH service settings.
TELNET |  | Configure telnet server settings for the NXC.
FTP |  | Configure FTP server settings.
SNMP |  | Configure SNMP communities and services.
Language |  | Select the Web Configurator language.
Log & Report
Email Daily Report |  | Configure where and how to send daily reports and what reports to send.
Log Setting |  | Configure the system log, e-mail logs, and remote syslog servers.
3.3.2.4 Maintenance Menu
Use the maintenance menu screens to manage configuration and firmware files,
run diagnostics, and reboot or shut down the NXC.
Manage and upload configuration files for the NXC.
Package | View the current firmware version and upload firmware.
Shell Script | Manage and run shell script files for the NXC.
Packet Capture | Capture packets for analysis.
Wireless Frame Capture | Capture wireless frames from APs for analysis.
3.3.3 Warning Messages
Warning messages, such as those resulting from misconfiguration, display in a
popup window.
Figure 12 Warning Message
3.3.4 Site Map
Click Site MAP to see an overview of links to the Web Configurator screens. Click
a screen’s link to go to that screen.
Figure 13 Site Map
3.3.5 Object Reference
Click Object Reference to open the Object Reference screen. Select the type of
object and the individual object and click Refresh to show which configuration
settings reference the object. The following example shows which configuration
settings reference the ldap-users user object (in this case the first firewall rule).
Figure 14 Object Reference
The fields vary with the type of object. The following table describes labels that
can appear in this screen.
Table 8 Object References
LABEL | DESCRIPTION
Object Name | This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window.
# | This field is a sequential value, and it is not associated with any entry.
Service | This is the type of setting that references the selected object. Click a service’s name to display the service’s configuration screen in the main window.
Priority | If it is applicable, this field lists the referencing configuration item’s position in its list, otherwise N/A displays.
Name | This field identifies the configuration item that references the object.
Description | If the referencing configuration item has a description configured, it displays here.
Refresh | Click this to update the information in this screen.
Cancel | Click Cancel to close the screen.
3.3.5.1 CLI Messages
Click CLI to look at the CLI commands sent by the Web Configurator. These
commands appear in a popup window, such as the following.
Figure 15 CLI Messages
Click Clear to remove the currently displayed information.
Note: See the Command Reference Guide for information about the commands.
3.3.5.2 Console
The Console allows you to use CLI commands from directly within the Web
Configurator rather than having to use a separate terminal program. In addition to
logging in directly to the NXC’s CLI, you can also log into other devices on the
network through this Console. It uses SSH to establish a connection.
Note: To view the functions in the Web Configurator user interface that correspond
directly to specific NXC CLI commands, use the CLI Messages window (see
Section 3.3.5.1 on page 51) in tandem with this one.
Figure 16 Console
The following table describes the elements in this screen.
Table 9 Console
LABEL | DESCRIPTION
Command Line | Enter commands for the device that you are currently logged into here. If you are logged into the NXC, see the CLI Reference Guide for details on using the command line to configure it.
Device IP Address | This is the IP address of the device that you are currently logged into.
Logged-In User | This displays the username of the account currently logged into the NXC through the Console Window. Note: You can log into the Web Configurator with a different account than used to log into the NXC through the Console.
Connection Status | This displays the connection status of the account currently logged in. If you are logged in and connected, then this displays ‘Connected’. If you lose the connection, get disconnected, or logout, then this displays ‘Not Connected’.
Tx/RX Activity Monitor | This displays the current upload / download activity. The faster and more frequently an LED flashes, the faster the data connection.
Before you use the Console, ensure that:
• Your web browser of choice allows pop-up windows from the IP address
assigned to your NXC.
• Your web browser allows Java programs.
• You are using the latest version of the Java program (http://www.java.com).
To log in through the Console:
1 Click the Console button on the Web Configurator title bar.
2 Enter the IP address of the NXC and click OK.
3 Next, enter the User Name of the account being used to log into your target
device and then click OK.
4 You may be prompted to authenticate your account password, depending on the
type of device that you are logging into. Enter the password and click OK.
5 If your login is successful, the command line appears and the status bar at the
bottom of the Console updates to reflect your connection state.
3.3.6 Tables and Lists
The Web Configurator tables and lists are quite flexible and provide several
options for how to display their entries.
3.3.6.1 Manipulating Table Display
Here are some of the ways you can manipulate the Web Configurator tables.
1 Click a column heading to sort the table’s entries according to that column’s
criteria.
2 Click the down arrow next to a column heading for more options about how to
display the entries. The options available vary depending on the type of fields in
the column. Here are some examples of what you can do:
• Sort in ascending alphabetical order
• Sort in descending (reverse) alphabetical order
• Select which columns to display
• Group entries by field
• Show entries in groups
• Filter by mathematical operators (<, >, or =) or searching for text.
3 Select a column heading cell’s right border and drag to re-size the column.
4 Select a column heading and drag and drop it to change the column order. A green
check mark displays next to the column’s title when you drag the column to a valid
new location.
5 Use the icons and fields at the bottom of the table to navigate to different pages of
entries and control how many entries display at a time.
3.3.6.2 Working with Table Entries
The tables have icons for working with table entries. A sample is shown next. You
can often use the [Shift] or [Ctrl] key to select multiple entries to remove,
activate, or deactivate.
Table 10 Common Table Icons
Here are descriptions for the most common table icons.
Table 11 Common Table Icons
LABEL | DESCRIPTION
Add | Click this to create a new entry. For features where the entry’s position in the numbered list is important (features where the NXC applies the table’s entries in order like the firewall for example), you can select an entry and click Add to create a new entry after the selected entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. In some tables you can just click a table entry and edit it directly in the table. For those types of tables small red triangles display for table entries with changes that you have not yet applied.
Remove | To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
Activate | To turn on an entry, select it and click Activate.
Inactivate | To turn off an entry, select it and click Inactivate.
Object References | Select an entry and click Object References to open a screen that shows which settings use the entry.
Move | To change an entry’s position in a numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. For example, if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one.
3.3.6.3 Working with Lists
When a list of available entries displays next to a list of selected entries, you can
often just double-click an entry to move it from one list to the other. In some lists
you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use
the arrow button to move them to the other list.
Figure 17 Working with Lists
CHAPTER 4
Configuration Basics
4.1 Overview
This section provides information to help you configure the NXC effectively. Some
of it is helpful when you are just getting started. Some of it is provided for your
reference when you configure various features in the NXC.
4.2 Object-based Configuration
The NXC stores information or settings as objects. You use these objects to
configure many of the NXC’s features and settings. Once you configure an object,
you can reuse it in configuring other features.
When you change an object’s settings, the NXC automatically updates all the
settings or rules that use the object. For example, if you create a radio object, you
can have firewall, application patrol, and other settings use it. If you modify the
radio object, all the firewall, application patrol, and other settings that are linked
to that object automatically apply the updated settings.
You can create address objects based on an interface’s IP address, subnet, or
gateway. The NXC automatically updates every rule or setting that uses these
objects whenever the interface’s IP address settings change. For example, if you
change an Ethernet interface’s IP address, the NXC automatically updates the
rules or settings that use the interface-based, LAN subnet address object.
You can use the Configuration > Objects screens to create objects before you
configure features that use them. If you are in a screen that uses objects, you can
also usually select Create new Object to be able to configure a new object.
Use the Object Reference screen to see what objects are configured and which
configuration settings reference specific objects.
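The behaviour described in this section, as an added Python model (not ZyXEL code and not how the NXC is implemented): rules store the name of an address object instead of a copy of its value, so changing an interface address changes what every referencing rule matches, and an object cannot be deleted while a setting still references it. The class names, the STAFF_SUBNET object, the staff-out rule and the 10.10.201.254 address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


class ObjectInUse(Exception):
    """Raised when an object is deleted while settings still reference it."""


@dataclass
class Rule:
    service: str          # type of setting that references the object
    priority: int         # position of the rule in its ordered list
    name: str
    source: str           # NAME of an address object, never a copied value
    description: str = ""


@dataclass
class Config:
    interfaces: dict = field(default_factory=dict)  # interface -> ip_interface
    addresses: dict = field(default_factory=dict)   # object name -> ip_network
    bound: dict = field(default_factory=dict)       # object name -> interface
    rules: list = field(default_factory=list)

    def set_interface_ip(self, iface, cidr):
        """Change an interface address and refresh objects derived from it."""
        self.interfaces[iface] = ipaddress.ip_interface(cidr)
        for obj, bound_iface in self.bound.items():
            if bound_iface == iface:
                self.addresses[obj] = self.interfaces[iface].network

    def add_interface_subnet_object(self, name, iface):
        """Create an address object that follows an interface's subnet."""
        self.bound[name] = iface
        self.addresses[name] = self.interfaces[iface].network

    def add_rule(self, rule):
        if rule.source not in self.addresses:
            raise KeyError(f"unknown address object: {rule.source}")
        self.rules.append(rule)

    def object_references(self, name):
        """Rows shaped like the Object Reference screen:
        (Service, Priority, Name, Description)."""
        rows = [r for r in self.rules if r.source == name]
        rows.sort(key=lambda r: (r.service, r.priority))
        return [(r.service, r.priority, r.name, r.description) for r in rows]

    def delete_object(self, name):
        """Refuse to delete an object that is still referenced."""
        refs = self.object_references(name)
        if refs:
            raise ObjectInUse(f"{name} is referenced by {len(refs)} setting(s)")
        self.addresses.pop(name)
        self.bound.pop(name, None)

    def rule_matches(self, rule_name, src_ip):
        """Resolve the rule's object at evaluation time, not at creation time."""
        rule = next(r for r in self.rules if r.name == rule_name)
        return ipaddress.ip_address(src_ip) in self.addresses[rule.source]


def demo():
    """Constructed scenario: one interface, one derived object, one rule."""
    cfg = Config()
    cfg.set_interface_ip("vlan101", "10.10.101.254/24")
    cfg.add_interface_subnet_object("STAFF_SUBNET", "vlan101")
    cfg.add_rule(Rule("Firewall", 1, "staff-out", "STAFF_SUBNET",
                      "constructed rule"))
    before = cfg.rule_matches("staff-out", "10.10.101.20")
    # Re-addressing the interface silently re-scopes the firewall rule.
    cfg.set_interface_ip("vlan101", "10.10.201.254/24")
    after = cfg.rule_matches("staff-out", "10.10.101.20")
    return cfg, before, after


if __name__ == "__main__":
    cfg, before, after = demo()
    print("matched before change:", before, "| after change:", after)
    print("references:", cfg.object_references("STAFF_SUBNET"))
```

Listing an object's references before editing it, as `object_references` does here, shows which rules will change scope as a side effect of the edit.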
4.3 Zones, Interfaces, and Physical Ports
Zones (groups of interfaces) simplify security settings. Here is an overview of
zones, interfaces, and physical ports in the NXC.
Table 12 Zones, Interfaces, and Physical Ethernet Ports
Zones (LAN, WLAN) | A zone is a group of interfaces. Use zones to apply security settings such as firewall, IDP, remote management, anti-virus, and application patrol.
Interfaces (Ethernet, VLAN) | Interfaces are logical entities that (layer-3) packets pass through. Use interfaces in configuring zones, device HA, policy routes, static routes, and NAT. Port combine physical ports into interfaces.
Physical Ethernet Ports (1, 2, 3, 4) | The physical port is where you connect a cable. In configuration, you use physical ports when configuring port groups. You use interfaces and zones in configuring other features.
4.3.1 Interface Types
There are two types of interfaces in the NXC. In addition to being used in various
features, interfaces also describe the network that is directly connected to it.
• Ethernet interfaces are the foundation for defining other interfaces and
network policies. By
• VLAN interfaces recognize tagged frames. The NXC automatically adds or
removes the tags as needed. Each VLAN can only be associated with one
Ethernet interface.
Note: By default, all Ethernet interfaces are placed into vlan0, allowing the NXC to
function as a bridge device.
4.3.2 Example Interface and Zone Configuration
This section introduces the NXC’s default zone member physical interfaces and the
default configuration of those interfaces. The following figure uses letters to
denote public IP addresses or part of a private IP address.
Figure 18 Default Network Topology
Table 13 NXC Sample Topology
PORTINTERFACEZONE
P1~P8 ge1~ge8LAN
CONSOLE N/ANoneNoneLocal management
• The LAN zone contains the ge1~ge8 interfaces (physical ports P1~P8). By
default, all LAN interfaces are put in vlan0.
• The WLAN zone contains Access Points (APs) that are available to the public.
These APs use private IP addresses that can be assigned by an upstream DHCP
server (default) or the NXC itself in some configurations.
• The console port is not in a zone and can be directly accessed by a computer
attached to it using a special console-to-Ethernet adapter.
IP ADDRESS AND DHCP
SETTINGS
192.168.1.1, DHCP server
(vlan0)
WLANDHCP clientsManaged Wireless APs
enabled
SUGGESTED USE WITH
DEFAULT SETTINGS
Dedicated LAN
connections
4.4 Feature Configuration Overview
This section provides information about configuring the main features in the NXC.
The features are listed in the same sequence as the menu item(s) in the Web
Configurator. Each feature description is organized as shown below.
4.4.1 Feature
This provides a brief description. See the appropriate chapter(s) in this User’s
Guide for more information about any feature.
MENU ITEM(S) | This shows you the sequence of menu items and tabs you should click to find the main screen(s) for this feature. See the web help or the related User’s Guide chapter for information about each screen.
PREREQUISITES | These are other features you should configure before you configure the main screen(s) for this feature. If you did not configure one of the prerequisites first, you can often select an option to create a new object. After you create the object you return to the main screen to finish configuring the feature. You may not have to configure everything in the list of prerequisites. For example, you do not have to create a schedule for a policy route unless time is one of the criteria.
WHERE USED | There are two uses for this. These are other features you should usually configure or check right after you configure the main screen(s) for this feature. You have to delete the references to this feature before you can delete any settings.
Note: PREREQUISITES or WHERE USED does not appear if there are no prerequisites
or references in other features to this one. For example, no other features
reference AP management entries, so there is no WHERE USED entry.
4.4.2 Licensing Registration
Use these screens to register your NXC and subscribe to services like anti-virus,
IDP and application patrol. You must have Internet access to myZyXEL.com.
MENU ITEM(S) | Configuration > Licensing > Registration
PREREQUISITES | Internet access to myZyXEL.com
4.4.3 Licensing Update
Use these screens to update the NXC’s signature packages for the anti-virus, IDP
and application patrol features. You must have a valid subscription to update the
anti-virus and IDP/application patrol signatures. You must also have Internet
access to myZyXEL.com.
MENU ITEM(S) | Configuration > Licensing > Signature Update
PREREQUISITES | Registration (for anti-virus and IDP/application patrol), Internet access to myZyXEL.com
4.4.4 Wireless
Use these screens to manage your wireless Access Points.
MENU ITEM(S) | Configuration > Network > Wireless.
PREREQUISITES | Radio profiles, SSID profiles, and security profiles
4.4.5 Interface
Most of the features that use interfaces support Ethernet and VLAN interfaces.
Note: When you create an interface, no security is applied to it until you assign it to a
zone.
MENU ITEM(S)
PREREQUISITES
WHERE USED
Use policy routes to override the NXC’s default routing behavior in order to send
packets through the appropriate interface. You can also use policy routes for
bandwidth management (out of the NXC), port triggering, and general NAT on the
source address. You have to set up the criteria, next-hops, and NAT settings first.
MENU ITEM(S) | Configuration > Network > Routing > Policy Routes
PREREQUISITES | Criteria: users, user groups, interfaces (incoming), addresses (source, destination), address groups (source, destination), schedules, services, service groups
 | Next-hop: addresses (HOST gateway), interfaces
 | NAT: addresses (translated address), services and service groups (port triggering)
4.4.7 Static Routes
Use static routes to tell the NXC about networks not directly connected to the
NXC.
MENU ITEM(S)
PREREQUISITES
4.4.8 Zones
A zone is a group of interfaces. The NXC uses zones, not interfaces, in many
security settings, such as firewall rules and remote management.
Zones cannot overlap. Each interface can be assigned to one zone. Virtual
interfaces are automatically assigned to the same zone as the interface on which
they run. When you create a zone, the NXC does not create any firewall rules,
assign an IDP profile, or configure remote management for the new zone.
Use Network Address Translation (NAT) to make computers on a private network
behind the NXC available outside the private network.
The NXC only checks regular (through-NXC) firewall rules for packets that are
redirected by NAT; it does not check the to-NXC firewall rules.
MENU ITEM(S) | Configuration > Network > NAT
PREREQUISITES | Interfaces, addresses (HOST)
4.4.10 ALG
The NXC’s Application Layer Gateway (ALG) allows VoIP and FTP applications to go
through NAT on the NXC. You can also specify additional signaling port numbers.
MENU ITEM(S) | Configuration > Network > ALG
4.4.11 Captive Portal
A captive portal intercepts all HTTP packets, regardless of address or port, until
the user authenticates his or her connection, usually through a specifically
designated login Web page.
MENU ITEM(S) | Configuration > Captive Portal
4.4.12 Firewall
The firewall controls the travel of traffic between or within zones. You can also
configure the firewall to control traffic for NAT (DNAT) and policy routes (SNAT).
You can configure firewall rules based on schedules, specific users (or user
groups), source or destination addresses (or address groups) and services (or
service groups). Each of these objects must be configured in a different screen.
To-NXC firewall rules control access to the NXC. Configure to-NXC firewall rules for
remote management. By default, the firewall only allows management
connections from the LAN, WAN zone.
MENU ITEM(S) | Configuration > Firewall
PREREQUISITES | Zones, schedules, users, user groups, addresses, services, service groups
4.4.13 Application Patrol
Use application patrol to control which individuals can use which services through
the NXC (and when they can do so). You can also specify allowed amounts of
bandwidth and priorities. You must subscribe to use application patrol. You can
subscribe using the Configuration > Licensing > Registration screens or one
of the wizards.
MENU ITEM(S) | Configuration > AppPatrol
PREREQUISITES | Registration, zones, schedules, users, user groups, addresses. These are only used as criteria in exceptions and conditions.
4.4.14 Anti-Virus
Use anti-virus to detect and take action on viruses. You must subscribe to use
anti-virus. You can subscribe using the Licensing > Registration screens or one
of the wizards.
MENU ITEM(S) | Configuration > Anti-X > Anti-Virus
PREREQUISITES | Registration, zones
4.4.15 IDP
Use IDP to detect and take action on malicious or suspicious packets. You must
subscribe to use IDP. You can subscribe using the Licensing > Registration
screens or one of the wizards.
MENU ITEM(S) | Configuration > Anti-X > IDP
PREREQUISITES | Registration, zones
4.4.16 ADP
Use ADP to detect and take action on traffic and protocol anomalies.
MENU ITEM(S) | Configuration > Anti-X > ADP
PREREQUISITES | Zones
4.4.17 Device HA
To increase network reliability, device HA lets a backup NXC automatically take
over if a master NXC fails.
MENU ITEM(S) | Configuration > Device HA
PREREQUISITES | Interfaces (with a static IP address), to-NXC firewall
4.5 Objects
Objects store information and are referenced by other features. If you update this
information in response to changes, the NXC automatically propagates the change
through the features that use the object. Select an object (such as a user group,
address, address group, service, service group, zone, or schedule) and then click
Object Reference at the top of the list box where the object appears in order to
display basic information about it.
The following table introduces the objects. You can also use this table when you
want to delete an object because you have to delete references to the object first.
Table 14 Objects Overview
OBJECT | WHERE USED
user/group | See the User/Group section on page 67 for details.
ap profile | See the AP Profile section on page 67 for details.
mon profile | See the MON Profile section on page 68 for details.
Policy routes (criteria, port triggering), firewall, service groups, log
(criteria)
patrol, user settings (force user authentication)
WWW (client authentication), captive portal
4.5.1 User/Group
Use these screens to configure the NXC’s administrator and user accounts. The
NXC provides the following user types.
Table 15 User Types
TYPE | ABILITIES
admin | Change NXC configuration (web, CLI)
ldap users | LDAP authentication for downstream network clients
radius users | RADIUS authentication for downstream network clients
ad users | AD authentication for downstream network clients
4.5.2 AP Profile
Use these screens to configure preset profiles for the Access Points (APs)
connected to your NXC’s wireless network.
Table 16 AP Profile Types
TYPE | ABILITIES
Radio | Create radio profiles for the APs on your network.
SSID | Create SSID profiles for the APs on your network.
Security | Create security profiles for the APs on your network.
MAC Filtering | Create MAC filtering profiles for the APs on your network.
4.5.3 MON Profile
Use these screens to set up monitor mode configurations that allow your
connected APs to scan for other wireless devices in the vicinity.
Table 17 MON Profile Types
TYPE | ABILITIES
Monitor | Create monitor mode configurations that can be used by the APs to periodically listen to a specified channel or number of channels for other wireless devices broadcasting on the 802.11 frequencies.
4.6 System
This section introduces some of the management features in the NXC. Use Host
Name to configure the system and domain name for the NXC. Use Date/Time to
configure the current date, time, and time zone in the NXC. Use Console Speed
to set the console speed. Use Language to select a language for the Web
Configurator screens.
4.6.1 DNS, WWW, SSH, TELNET, FTP, and SNMP
Use these screens to set which services or protocols can be used to access the
NXC through which zone and from which addresses (address objects) the access
can come.
MENU ITEM(S) | Configuration > System > DNS, WWW, SSH, TELNET, FTP, SNMP, Language
PREREQUISITES
The NXC provides a system log, offers two e-mail profiles to which to send log
messages, and sends information to four syslog servers. It can also e-mail you
statistical reports on a daily basis.
MENU ITEM(S) | Configuration > Log & Report
4.6.3 File Manager
Use these screens to upload, download, delete, or run scripts of CLI commands.
You can manage:
• Configuration files. Use configuration files to back up and restore the complete
configuration of the NXC. You can store multiple configuration files in the NXC
and switch between them without restarting.
• Shell scripts. Use shell scripts to run a series of CLI commands. These are useful
for large, repetitive configuration changes and for troubleshooting.
You can edit configuration files and shell scripts in any text editor.
MENU ITEM(S) | Maintenance > File Manager
4.6.4 Diagnostics
The NXC can generate a file containing the NXC’s configuration and diagnostic
information. It can also capture packets going through the NXC’s interfaces so you
can analyze them to identify network problems.
MENU ITEM(S) | Maintenance > Diagnostics
4.6.5 Shutdown
Use this to shut down the device in preparation for disconnecting the power.
Always use Maintenance > Shutdown > Shut down or the shutdown
command before you turn off the NXC or remove the power. Not doing
so can cause the firmware to become corrupt.
MENU ITEM(S) | Maintenance > Shutdown
CHAPTER 5
Tutorials
5.1 Overview
The tutorials featured here require a basic understanding of connecting to and
using the Web Configurator, as well as an understanding of networking concepts
and topology design.
The default login information for the NXC’s Web Configurator is:
Table 18 NXC Default Login Information
LOGIN | VALUE | SEE ALSO
IP Address | 192.168.1.1 | Chapter 3 on page 41.
User Name | admin |
Password | 1234 |
5.2 Sample Network Setup
This tutorial shows you how to create a wireless network that allows two types of
connections: staff and guest. Staff connections have full access to the network,
while guests are limited to Internet access (DNS, HTTP and HTTPS services).
Figure 19 Tutorial Network Topology
Requirements: A DHCP server with Option 138, an AD server, a switch that
supports 802.1q, a Layer-3 routing device and firewall.
Note: In this topology, vlan 199 is managed by the router responsible for the upstream
portion of the network, such as a ZyWALL.
The following VLAN settings are used in this tutorial:
In this example, the guest VLAN (102) is highlighted with the connections that it
may make over this particular network topology. The staff VLAN (101) is
unhighlighted because it has access to all aspects of the network.
5.2.1 Tutorial Tasks
In this tutorial, you will:
Table 20 Tutorial Tasks Summary
TASK | SEE ALSO
Set the Management VLAN (vlan99) | Chapter 11 on page 177
Set the Other VLANs (vlan101, vlan102) | Chapter 11 on page 177
Configure the AAA Object | Chapter 30 on page 425
Configure the Auth. Method Objects (staff, guest) | Chapter 31 on page 437
Create the AP Profiles (staff, guest) | Chapter 25 on page 387
Create the Guest User Account | Chapter 24 on page 373
Configure the Captive Portal Settings | Chapter 17 on page 239
Configure the Guest Firewall Rules | Chapter 18 on page 249
5.2.2 Set the Management VLAN (vlan99)
This section shows you how to set up the VLAN for managing the NXC. This is only
for network administrators to access the device.
1 Open the Configuration > Network > Interface > VLAN screen then click the
Add button.
2 The Add VLAN window opens.
2a Enable Interface: Select this to enable this interface.
2b Interface Name: Enter ‘vlan99’.
2c VID: Enter ‘99’ as the VLAN ID tag.
2d Under Member Configuration, set the ge1 Member status to Yes and TX
Tagging to Yes.
2e Scroll down to IP Address Assignment and select Use Fixed IP Address.
2f IP Address: Enter 10.10.99.10.
2g Subnet Mask: Enter 255.255.255.0.
2h Gateway: Enter 10.10.99.10.
3 Click OK to save these changes.
See Also: Chapter 11 on page 177.
5.2.3 Set the Other VLANs (vlan101, vlan102)
This section shows you how to set up the other VLANs on your network. They
correspond to the topology map presented at the beginning of this tutorial.
Note: You will use this procedure twice: once for VLAN 101 and the other time for
VLAN 102. VLAN 101 is presented first, while VLAN 102 is presented second.
1 For VLAN 101: Open the Configuration > Network > Interface > VLAN screen
then click the Add button.
2 The Add VLAN window opens.
2a Enable Interface: Select this to enable this interface.
2b Interface Name: Enter ‘vlan101’.
2c VID: Enter ‘101’ as the VLAN ID tag.
2d Under Member Configuration, set the ge1 Member status to Yes and TX
Tagging to Yes.
2e Scroll down to IP Address Assignment and select Use Fixed IP Address.
2f IP Address: Enter 10.10.101.254.
2g Subnet Mask: Enter 255.255.255.0.
2h Gateway: Enter 10.10.101.254.
3 For VLAN 102: Open the Configuration > Network > Interface > VLAN screen
then click the Add button.
4 The Add VLAN window opens.
4a Enable Interface: Select this to enable this interface.
4b Interface Name: Enter ‘vlan102’.
4c VID: Enter ‘102’ as the VLAN ID tag.
4d Under Member Configuration, set the ge1 Member status to Yes and TX
Tagging to Yes.
4e Scroll down to IP Address Assignment and select Use Fixed IP Address.
4f IP Address: Enter 10.10.102.254.
4g Subnet Mask: Enter 255.255.255.0.
4h Gateway: Enter 10.10.102.254.
5 Click OK to save these changes.
After configuring VLANs 99, 101, and 102, the Configuration > Network >
Interfaces > VLAN screen should look similar to this:
Figure 21 Tutorial VLANs Summary
See Also: Chapter 11 on page 177.
5.2.4 Configure the AAA Object
This section shows you how to set up the AAA (Authentication, Authorization,
Accounting) server settings to allow registered users to log into the network
through the staff SSID.
1 Open the Configuration > Object > AAA Server > Active Directory screen
and then click the Add button.
2 The Add Active Directory window opens.
2a Name: Enter AD-1.
2b Under Server Settings, enter a Server Address of 10.1.199.250.
2c Base DN: Enter settings that match your AD server configuration. For this
example, use ‘cn=Users,dc=zyxel,dc=test’.
2d Under Server Authentication, enter a Bind DN that has privileges on your
AD server. In this tutorial, use ‘zyxel’.
2e Password: Enter the password for the Bind DN that has privileges on your
AD server. In this tutorial, use ‘1234’.
2f Scroll down to Configuration Validation, enter a valid test account for your
AD server in the Username field, and click Test. This tests the settings you
just entered in this window.
Note: Unless your AD server is configured to explicitly handle these tutorial settings,
the Test button may not work. However, it is handy to know for future reference.
3 Click OK to save these settings.
See Also: Chapter 30 on page 425.
5.2.5 Configure the Auth. Method Objects (staff, guest)
This section shows you how to set up the Authentication Method profile to allow
registered users to log into the network through the staff SSID and guest users to
login through the guest SSID.
1 Open the Configuration > Object > Auth. Method screen and then click the
Add button.
2 The Add Authentication Method window opens.
2a Name: Enter ‘staff’.
2b Click the Add button to create a blank rule in the Method list.
2c Click the rule to expand the list of available AAA server profiles and then select
group AD-1. This is the AAA server profile created in Section 5.2.4 on page
77.
3 Click OK to save these settings.
4 To create a guest authentication object, repeat steps 1-3 but with the following
guest settings instead:
4a Name: Enter ‘guest’.
4b Click the Add button to create a blank rule in the Method list.
4c Click the rule to expand the list of available AAA server profiles and then select
local. The guest account created in Section 5.2.7 on page 83 is stored in this
authentication database.
See Also: Chapter 31 on page 437.
5.2.6 Create the AP Profiles (staff, guest)
This section shows you how to configure the Access Point (AP) profiles that will be
used by your APs once they are connected to the network. You will first create a
security profile and an SSID profile for staff access, then you will create a second
pair for guest access. Finally, you will associate them with a radio profile which is
linked to your AP’s radio transmitter.
1Open the Configuration > Object > AP Profile > SSID > Security List screen
and then click the Add button.
80
2The Add Security Profile window opens.
2aProfile Name: Enter ‘wap2’.
NXC5200 User’s Guide
Chapter 5 Tutorials
2bSecurity Mode: Select wpa2 from the list of available wireless security
encryption methods.
2cUnder Security Settings, select 802.1X then set the Radius Type to
Internal. For Authentication Method, select ‘staff’ from the list. This is the
method that you created in Section 5.2.5 on page 79.
3Next, open the Configuration > Object > AP Profile > SSID > SSID List
screen and click the Add button.
4The Add SSID Profile window opens.
4aProfile Name: Enter ‘staff’.
4bSSID: Enter ‘staff’. This is the wireless network name that appears when
wireless clients are looking for networks to join.
4cSecurity Profile: Selec t wap2 from the list. This is the security profile
created in Step 1a.
4dQoS: Select WMM.
4eForwar ding Mode: Select Tunnel from the list.
4fVLAN Interface: Select vlan101 from the list, which you created in Section
5.2.3 on page 75.
NXC5200 User’s Guide
81
Chapter 5 Tutorials
4gClick OK to save these settings.
5Repeat steps 1 and 2. All settings are the same, except as follows:
5aProfile Name: Enter ‘guest’.
5bSSID: Enter ‘guest’.
5cVLAN Interface: Select vlan102 from the list.
6Open the Configuration > Object> AP Profile > Radio screen and then click
the Add button.
7The Add Radio Profile window opens.
82
7aActivate: Select this to make the radio profile active.
7bProfile Name: Enter ‘nxc5200’.
NXC5200 User’s Guide
7cScroll down to MBSSID Settings. For item #1, select the staff SSID Profile.
For item #2, select the guest SSID profile. These are the two profiles you
created in steps 1-3 of this procedure.
7dClick OK to save these settings.
See Also: Chapter 25 on page 387.
5.2.7 Create the Guest User Account
This section shows you how to create a guest user account. Guest users should log
into the network with the following user name and password: guest1 / guest1.
1 Open the Configuration > Object > User/Group > User screen and click the
Add button.
2 The Add A User window opens.
2a User Name: Enter ‘guest1’.
2b Password: Enter ‘guest1’, then enter it again in the Retype field to confirm.
3 Click OK to save these settings.
See Also: Chapter 24 on page 373.
5.2.8 Configure the Captive Portal Settings
This section shows you how to configure the NXC captive portal settings. This is
the web page that appears whenever anyone connects to the guest SSID, and it is
here where they can log in using the guest credentials that you configured in
Section 5.2.7 on page 83.
1 Open the Configuration > Captive Portal screen.
2 Enable Captive Portal: Select this to turn on the captive portal feature for all
wireless networks managed by the NXC. Although enabled, it does not appear for
all SSIDs; only those assigned to the feature.
3 Authentication Method: Select guest from the list. This is the Auth. Method
profile that you created in Section 5.2.5 on page 79.
4 Under Authentication Policy Summary, click the Add button.
5 The Auth. Policy Edit window opens.
5a SSID Profile: Select guest from the list.
5b Authentication: Select required from the list.
See Also: Chapter 17 on page 239.
5.2.9 Configure the Guest Firewall Rules
Finally, configure the firewall rules required for regulating how guest users can use
the network. There are 5 firewall rules that you will need to configure:
2 For each rule, click the Add button to open the Add Firewall Rule window.
3 Enter the settings for the specific firewall rule described in Table 21 on page 85.
4 Click OK to save the firewall rule settings.
For example, to configure firewall rule #5:
1 Open the Configuration > Firewall screen and click the Add button.
2 The Add Firewall Rule window opens.
2a User: Select guest1 from the list.
2b Service: Select HTTPS from the list.
2c Access: Select allow from the list.
3 Click OK to save these settings. The new firewall rule now appears in the Firewall
Rules Summary table.
Note: For the purposes of this tutorial, the firewall rules can be created in any order
as long as they use the settings presented here.
See Also: Chapter 18 on page 249.
5.3 Blocking Network Protocols
The NXC’s firewall allows you to control which protocols are allowed on your
wireless network. If the NXC is connected to an upstream Internet access device,
then incoming traffic off the WAN should be filtered by that device’s firewall
feature. However, traffic coming into the NXC from wireless clients is not filtered
until you configure the NXC’s own firewall.
5.3.1 Configuring the WLAN Zone
This section shows you how to configure the WLAN zone, which is necessary for
implementing the firewall rules and Application Patrol rules.
1 Open the Configuration > Network > Zone screen.
2 Select WLAN from the User Configuration table and click the Edit button.
3 The Add Zone window opens.
4 In Member List, select an interface from Available and add it to Member. For
the purposes of this tutorial, add staff and guest. These are the VIDs configured
in Section 5.2.3 on page 75.
5 Click OK to save these settings.
See Also: Chapter 13 on page 213.
5.3.2 Configuring the Firewall
This section shows you how to configure the firewall to block certain network
protocols, such as AIM.
1 Click Configuration > Firewall.
2 Click the Add button in the Firewall Rule Summary table.
2a User: Leave this as any to apply the rule to all users, or select a specific
subset of users, such as guest or staff.
2b Enable: Select this to make the firewall rule active.
2c Description: Enter a description for the rule that makes it easy to identify
later. For the purposes of this tutorial, enter ‘AIM Block’. (This field is entirely
optional, so if you leave it blank there will be no adverse effects.)
2d Service: Select AIM from the list.
2e Access: Select reject from this list to block the service.
3 Click OK to save your changes.
See Also: Chapter 18 on page 249.
5.3.3 Blocking Sub-Protocols
Let’s say that instead of blocking all AIM traffic, you want to only block the file
transfer and video chat options for the various Instant Messenger programs used
by employees, since those are fairly bandwidth-intensive activities that you may
not want burdening your wireless network. This tutorial shows you how to do
that with the NXC’s Application Patrol feature.
1 Click Configuration > App Patrol > IM.
2 In the Configuration table, select aol-icq then click Edit.
3 Select Enable Service.
4 In the Policy table, click Add.
4a Enable Policy: Select this to make the policy active.
4b User: Select ad-users from the list, since for the purposes of this tutorial
only employees are authenticated by an external AD server (as configured in
Section 5.2.5 on page 79.)
4c From: Select WLAN from the list (Section 5.3.1 on page 87). This means
only employees logging in over the wireless network have this restriction applied
to them.
4d Action Block: Select Video and File Transfer. This limits the restriction only
to video chat and file transfer requests.
5 Click OK to save your changes.
See Also: Chapter 19 on page 265.
5.4 Rogue AP Detection
Rogue APs are wireless access points interacting with the network managed by the
NXC but which are not under the control of the network administrator. In short,
they are a security risk because they circumvent network security policy. AP
detection only works when at least 1 AP is configured for Monitor mode.
The following are some suggestions on monitor AP placement:
• Neighboring companies that both support wireless networks. If you can detect
your neighbor’s APs and you know they are ‘friendly’, you can add them to the
friendly exception list.
• Reception areas. If a reception area has a high volume of visitor traffic, it might
be useful to see if anyone is setting up their wireless device as an AP.
• High security areas. An AP set to Monitor mode will let you see if anyone sets up
an unauthorized AP that could potentially compromise your security.
In this example, an employee illicitly connects his own AP (RG) to the network
that the NXC manages. While not necessarily a malicious act, it can nonetheless
have severe security consequences on the network.
Figure 22 Rogue AP Example A
Here, an attacker sets up a rogue AP (RG) outside the network, which he uses in
an attempt to mimic an NXC-controlled SSID in order to capture passwords and
other information when authorized wireless clients mistakenly connect to it.
Figure 23 Rogue AP Example B
This tutorial shows you how to detect rogue APs on your network:
1 Click Configuration > Object > MON Profile.
2 Click the Add button.
When the Add Mon Profile window opens, configure the following:
Activate: Select this to allow your monitor APs to use this profile.
Profile Name: For the purposes of this tutorial set this to ‘Monitor01’.
Channel Dwell Time: Leave this as the default 100 milliseconds. This field is the
number of milliseconds that the monitor AP scans each channel before moving on
to the next.
Scan Channel Mode: Set this to auto to automatically scan channels in the area.
3 Click OK to save your changes.
4 Next, click Configuration > Wireless > AP Management.
5 Select an AP and click Edit.
When the Edit AP List window opens, configure the following:
Radio 1 OP Mode: Set this to MON Mode to turn the AP into a rogue AP
monitoring device.
Radio 1 Profile: Select your newly created ‘Monitor01’ profile from the list.
6 Click OK to save your changes.
See also: Chapter 7 on page 115 and Chapter 26 on page 401.
5.4.1 Rogue AP Containment
When the NXC discovers a rogue AP within its broadcast radius, it can react in one
of two ways: If the rogue AP is connected directly to the network (such as plugged
into a switch downstream of the NXC), then the network administrator must
manually disconnect it. The NXC does not allow the isolation of a rogue AP
connected directly to the network.
However, if a rogue AP independent of the NXC mimics a legitimate one, then the
NXC can interfere with it by broadcasting dummy packets so that it cannot make
connections with employee clients and capture data from them.
Figure 24 Containing a Rogue AP
This tutorial shows you how to quarantine a rogue AP on your network:
1 Click Configuration > Wireless > MON Mode.
2 Click the Add button.
When the Edit Rogue/Friendly AP List opens, paste the MAC address copied
from the other screen in the corresponding field, set its Role as Rogue AP and
then click OK to save your changes.
3 The new rogue AP appears in the Rogue/Friendly AP List.
Select it, then click the Containment button to quarantine it away from the rest
of the network.
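The triage described in Sections 5.4 and 5.4.1 can be sketched in code. This is an added example, not NXC code or its detection algorithm. It assumes you can export monitor scan results and can tell (for instance from a switch MAC table) whether an AP is also plugged into the wired network; all MAC addresses and the field names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory. Only the SSID names 'staff' and 'guest' come from this
# tutorial; every MAC address below is made up for the example.
MANAGED_SSIDS = {"staff", "guest"}
MANAGED_BSSIDS = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}
FRIENDLY_BSSIDS = {"00:33:44:bb:00:10"}   # e.g. a neighboring company's AP


@dataclass(frozen=True)
class Observation:
    bssid: str           # MAC address heard by the monitor AP
    ssid: str            # network name carried in the beacon
    seen_on_wire: bool   # assumption: MAC also found in a switch MAC table


def normalize(mac):
    """Lower-case and use ':' separators so list lookups are consistent."""
    return mac.strip().lower().replace("-", ":")


def classify(obs):
    """Return (role, action) for one observation."""
    bssid = normalize(obs.bssid)
    if bssid in MANAGED_BSSIDS:
        return ("managed", "none")
    if obs.seen_on_wire:
        # Example A: plugged into the LAN, so it must be unplugged by hand.
        return ("rogue-wired", "disconnect manually")
    if obs.ssid in MANAGED_SSIDS:
        # Example B: unmanaged radio advertising one of our SSIDs. Checked
        # before the friendly list, which must not excuse a mimic.
        return ("rogue-mimic", "containment")
    if bssid in FRIENDLY_BSSIDS:
        return ("friendly", "none")
    return ("unknown", "review, then list as friendly or rogue")


def triage(scan):
    """Return (bssid, ssid, role, action) for every observation in a scan."""
    return [(normalize(o.bssid), o.ssid) + classify(o) for o in scan]


SCAN = [  # constructed monitor-AP scan results
    Observation("00:11:22:AA:00:01", "staff", True),
    Observation("00-33-44-BB-00-10", "neighbor-wifi", False),
    Observation("de:ad:be:ef:00:01", "home-ap", True),
    Observation("de:ad:be:ef:00:02", "staff", False),
]

if __name__ == "__main__":
    for row in triage(SCAN):
        print("%-18s %-14s %-12s %s" % row)
```

Only entries that come back as rogue-mimic are candidates for the Containment button; rogue-wired entries need the manual disconnect described above.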
5.5 Load Balancing
When your AP becomes overloaded, there are two basic responses it can take. The
first one is to “delay” a client connection by withholding the connection until the
data transfer throughput is lowered or the client connection is picked up by
another AP. (If the client isn’t picked up after a set period of time, the AP allows it
to connect regardless.) The second response is to kick the connections until the AP
is no longer considered overloaded. Both of these tactics are known as ‘load
balancing’.
This tutorial shows you how to configure the NXC’s load balancing feature.
1 Click Configuration > Wireless > Load Balancing.
2 Select Enable Load Balancing to turn on this feature.
3 Set the Mode. If you choose By Station Number, then enter the Max Station
Number in the available field. This balances network traffic based on the number
of specified stations downstream of the NXC. If you choose By Traffic Level, then
enter the traffic threshold at which the NXC starts balancing connected stations.
4 Select Disassociate station when overloaded to disconnect stations when the
load balancing threshold is crossed. The stations are first disconnected based on
how long they have been idle, then secondly based on the weakness of their
connection signal strength.
5 Click Apply to save your changes.
See also: Chapter 10 on page 163.
5.6 Dynamic Channel Selection
Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically
select the radio channel upon which it broadcasts by scanning the area around it
and determining what channels are currently being used by other devices.
When numerous APs broadcast within a given area, they introduce the possibility
of heightened radio interference, especially if some or all of them are broadcasting
on the same radio channel. This can make accessing the network potentially
rather difficult for the stations connected to them. If the interference becomes too
great, then the network administrator must open his AP configuration options and
manually change the channel to one that no other AP is using (or at least a
channel that has a lower level of interference) in order to give the connected
stations a minimum degree of channel interference.
1 Click Configuration > Wireless > DCS.
2 Select Enable Dynamic Channel Selection to turn on this feature.
3 Set the DCS Time Interval. This is how often the NXC surveys the other APs
within its broadcast radius. If you place your APs in an area with a large number of
competing APs, set this number lower to ensure that your device can adjust
quickly to changing conditions.
4 Select DCS Sensitivity Level. This is how sensitive the APs on your network are
to other channels. Generally, as long as the area in which your AP is located has
minimal interference from other devices you can set the DCS Sensitivity Level to
Low. This means that the AP has a very broad tolerance.
5 Select Enable DCS Client Aware. Select this so that the APs on your network do
not change channels as long as any wireless clients are connected to them. When
they must change channels, they will wait until all stations disconnect first.
6 Select a 2.4 GHz Channel Deployment scheme. Choose Three-Channel
Deployment to have the device rotate through 3 channels. Choose Four-Channel
Deployment to have the device rotate through 4 channels, if allowed.
7 Click Apply to save your changes.
See also: Chapter 10 on page 163.