ZyXEL Communications ZLD User Manual

Quick Start Guide

ZyWALL (ZLD) Series

Security Firewalls
Versions: 3.10 Edition 2, 12/2013
Default Login Details
LAN Port IP Address: http://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com
Copyright © 2011
Copyright © 2013 ZyXEL Communications Corporation
This is a Reference Guide for a series of products intended for people who want to configure ZLD-based ZyWALLs via Command Line Interface (CLI).
Some commands or command options in this guide may not be available in your product. See your product's User’s Guide for a list of supported features. Every effort has been made to ensure that the information in this guide is accurate.
Please refer to www.zyxel.com for product specific User Guides and product certifications.
Do not use commands not documented in this guide.
How To Use This Guide
• Read Chapter 1 on page 19 for how to access and use the CLI (Command Line Interface).
• Read Chapter 2 on page 33 to learn about the CLI user and privilege modes.
Related Documentation
• Quick Start Guide: The Quick Start Guide shows how to connect the ZyWALL and access the Web Configurator wizards. (See the wizard real time help for information on configuring each screen.) It also contains a connection diagram and package contents list.
• User’s Guide: The User’s Guide explains how to use the Web Configurator to configure the ZyWALL.
It is recommended you use the Web Configurator to configure the ZyWALL.
Introduction
Command Line Interface
User and Privilege Modes
Reference
Object Reference
Status
Registration
Interfaces
Trunks
Route
Routing Protocol
Zones
DDNS
Virtual Servers
HTTP Redirect
ALG
IP/MAC Binding
Firewall
IPSec VPN
SSL VPN
L2TP VPN
Application Patrol
Anti-Virus
IDP Commands
Content Filtering
Anti-Spam
Device HA
User/Group
Addresses
Services
Schedules
AAA Server
Authentication Objects
Certificates
ISP Accounts
SSL Application
Endpoint Security
DHCPv6 Objects
System
System Remote Management
File Manager
ZyWALL (ZLD) CLI Reference Guide
Logs
Reports and Reboot
Session Timeout
Diagnostics
Packet Flow Explore
Packet Flow Filter
Maintenance Tools
Watchdog Timer

Table of Contents

Part I: Introduction
Chapter 1 Command Line Interface
1.1 Overview
1.1.1 The Configuration File
1.2 Accessing the CLI
1.2.1 Console Port
1.2.2 Web Configurator Console
1.2.3 Telnet
1.2.4 SSH (Secure SHell)
1.3 How to Find Commands in this Guide
1.4 How Commands Are Explained
1.4.1 Background Information (Optional)
1.4.2 Command Input Values (Optional)
1.4.3 Command Summary
1.4.4 Command Examples (Optional)
1.4.5 Command Syntax
1.4.6 Changing the Password
1.5 CLI Modes
1.6 Shortcuts and Help
1.6.1 List of Available Commands
1.6.2 List of Sub-commands or Required User Input
1.6.3 Entering Partial Commands
1.6.4 Entering a ? in a Command
1.6.5 Command History
1.6.6 Navigation
1.6.7 Erase Current Command
1.6.8 The no Commands
1.7 Input Values
1.8 Ethernet Interfaces
1.9 Saving Configuration Changes
1.10 Logging Out
Chapter 2 User and Privilege Modes
2.1 User And Privilege Modes
2.1.1 Debug Commands
Part II: Reference
Chapter 3 Object Reference
3.1 Object Reference Commands
3.1.1 Object Reference Command Example
Chapter 4 Status
Chapter 5 Registration
5.1 myZyXEL.com Overview
5.1.1 Subscription Services Available on the ZyWALL
5.2 Registration Commands
5.2.1 Command Examples
5.3 Country Code
Chapter 6 Interfaces
6.1 Interface Overview
6.1.1 Types of Interfaces
6.1.2 Relationships Between Interfaces
6.2 Interface General Commands Summary
6.2.1 Basic Interface Properties and IP Address Commands
6.2.2 DHCP Setting Commands
6.2.3 Interface Parameter Command Examples
6.2.4 RIP Commands
6.2.5 OSPF Commands
6.2.6 Connectivity Check (Ping-check) Commands
6.3 Ethernet Interface Specific Commands
6.3.1 MAC Address Setting Commands
6.3.2 Port Grouping Commands
6.4 Virtual Interface Specific Commands
6.4.1 Virtual Interface Command Examples
6.5 PPPoE/PPTP Specific Commands
6.5.1 PPPoE/PPTP Interface Command Examples
6.6 Cellular Interface Specific Commands
6.6.1 Cellular Status
6.6.2 Cellular Interface Command Examples
6.7 Tunnel Interface Specific Commands
6.7.1 Tunnel Interface Command Examples
6.8 USB Storage Specific Commands
6.8.1 USB Storage General Commands Example
6.9 WLAN Specific Commands
6.9.1 WLAN General Commands
6.9.2 WLAN Interface Commands
6.9.3 WLAN MAC Filter Commands
6.10 VLAN Interface Specific Commands
6.10.1 VLAN Interface Command Examples
6.11 Bridge Specific Commands
6.11.1 Bridge Interface Command Examples
6.12 Auxiliary Interface Specific Commands
6.12.1 Auxiliary Interface Command Examples
Chapter 7 Trunks
7.1 Trunks Overview
7.2 Trunk Scenario Examples
7.3 Trunk Commands Input Values
7.4 Trunk Commands Summary
7.5 Trunk Command Examples
7.6 Link Sticking
7.7 Link Sticking Commands Summary
7.8 Link Sticking Command Example
Chapter 8 Route
8.1 Policy Route
8.2 Policy Route Commands
8.2.1 Assured Forwarding (AF) PHB for DiffServ
8.2.2 Policy Route Command Example
8.3 IP Static Route
8.4 Static Route Commands
8.4.1 Static Route Commands Examples
Chapter 9 Routing Protocol
9.1 Routing Protocol Overview
9.2 Routing Protocol Commands Summary
9.2.1 RIP Commands
9.2.2 General OSPF Commands
9.2.3 OSPF Area Commands
9.2.4 Virtual Link Commands
9.2.5 Learned Routing Information Commands
9.2.6 show ip route Command Example
Chapter 10 Zones
10.1 Zones Overview
10.2 Zone Commands Summary
10.2.1 Zone Command Examples
Chapter 11 DDNS
11.1 DDNS Overview
11.2 DDNS Commands Summary
Chapter 12 Virtual Servers
12.1 Virtual Server Overview
12.1.1 1:1 NAT and Many 1:1 NAT
12.2 Virtual Server Commands Summary
12.2.1 Virtual Server Command Examples
12.2.2 Tutorial - How to Allow Public Access to a Server
Chapter 13 HTTP Redirect
13.1 HTTP Redirect Overview
13.1.1 Web Proxy Server
13.2 HTTP Redirect Commands
13.2.1 HTTP Redirect Command Examples
Chapter 14 ALG
14.1 ALG Introduction
14.2 ALG Commands
14.3 ALG Commands Example
Chapter 15 IP/MAC Binding
15.1 IP/MAC Binding Overview
15.2 IP/MAC Binding Commands
15.3 IP/MAC Binding Commands Example
Chapter 16
Firewall ..............................................................................................................................................133
16.1 Firewall Overview ..........................................................................................................................133
16.2 Firewall Commands ......................................................................................................................134
16.2.1 Firewall Sub-Commands .....................................................................................................137
16.2.2 Firewall Command Examples ..............................................................................................138
16.3 Session Limit Commands .............................................................................................................139
Chapter 17
IPSec VPN..........................................................................................................................................141
17.1 IPSec VPN Overview ....................................................................................................................141
17.2 IPSec VPN Commands Summary ................................................................................................142
17.2.1 IKE SA Commands ..............................................................................................................143
17.2.2 IPSec SA Commands (except Manual Keys) ......................................................................144
17.2.3 IPSec SA Commands (for Manual Keys) ............................................................................147
17.2.4 VPN Concentrator Commands ............................................................................................ 147
17.2.5 VPN Configuration Provisioning Commands .............. .... ... ... ... ... .... ... ... ... .... ........................148
17.2.6 SA Monitor Commands .......................................................................................................149
Chapter 18
SSL VPN ............................................................................................................................................151
18.1 SSL Access Policy ........................................................................................................................151
18.1.1 SSL Application Objects ......................................................................................................151
18.1.2 SSL Access Policy Limitations .............................................................................................151
18.2 SSL VPN Commands ....................................................................................................................151
18.2.1 SSL VPN Commands ..........................................................................................................152
18.2.2 Setting an SSL VPN Rule Tutorial ........................................................ ...............................153
Chapter 19
L2TP VPN...........................................................................................................................................157
19.1 L2TP VPN Overview ......................................... ... ... .... ... ... ... .... ... ... ... ............................................157
19.2 IPSec Configuration ......................................................................................................................157
19.2.1 Using the Default L2TP VPN Connection ............................................................................158
19.3 Policy Route ..................................................................................................................................158
19.4 L2TP VPN Commands ......... ... ... .... ... ................................................................................ ............159
19.4.1 L2TP VPN Commands ........................................................................................................159
19.5 L2TP VPN Example ..................................................160
19.5.1 Configuring the Default L2TP VPN Gateway Example ........................................................161
19.5.2 Configuring the Default L2TP VPN Connection Example ....................................................161
19.5.3 Configuring the L2TP VPN Settings Example ..................................................161
19.5.4 Configuring the Policy Route for L2TP Example .................................................................162
Chapter 20
Application Patrol.............................................................................................................................163
20.1 Application Patrol Overview ..........................................................................................................163
20.2 Application Patrol Commands Summary ..................................................163
20.2.1 Pre-defined Application Commands ..................................................164
20.2.2 Rule Commands for Pre-defined Applications .....................................................................164
20.2.3 Exception Commands for Pre-defined Applications ............................................................166
20.2.4 Other Application Commands ..............................................................................................167
20.2.5 Rule Commands for Other Applications ..................................................167
20.2.6 General Commands for Application Patrol ..................................................168
Chapter 21
Anti-Virus...........................................................................................................................................173
21.1 Anti-Virus Overview .......................................................................................................................173
21.2 Anti-virus Commands ....................................................................................................................173
21.2.1 General Anti-virus Commands ............................................................................................174
21.2.2 Zone to Zone Anti-virus Rules .............................................................................................174
21.2.3 White and Black Lists ..........................................................................................................176
21.2.4 Signature Search Anti-virus Command ...............................................................................177
21.3 Update Anti-virus Signatures ........................................................................................................178
21.3.1 Update Signature Examples ................................................................................................179
21.4 Anti-virus Statistics ........................................................................................................................179
21.4.1 Anti-virus Statistics Example ...............................................................................................180
Chapter 22
IDP Commands .................................................................................................................................181
22.1 Overview .......................................................................................................................................181
22.2 General IDP Commands ...............................................................................................................181
22.2.1 IDP Activation ......................................................................................................................181
22.3 IDP Profile Commands ..................................................................................................................182
22.3.1 Global Profile Commands ....................................................................................................182
22.3.2 IDP Zone to Zone Rules ......................................................................................................183
22.3.3 Editing/Creating IDP Signature Profiles ..................................................184
22.3.4 Editing/Creating Anomaly Profiles ..................................................184
22.3.5 Editing System Protect ........................................................................................................188
22.3.6 Signature Search .................................................................................................................188
22.4 IDP Custom Signatures .................................................................................................................191
22.4.1 Custom Signature Examples ..................................................192
22.5 Update IDP Signatures ..................................................195
22.5.1 Update Signature Examples ................................................................................................196
22.6 IDP Statistics .................................................................................................................................196
22.6.1 IDP Statistics Example ........................................................................................................197
Chapter 23
Content Filtering...............................................................................................................................199
23.1 Content Filtering Overview ..................................................199
23.2 Content Filtering Policies ..............................................................................................................199
23.3 External Web Filtering Service ..................................................199
23.4 Content Filtering Reports ..............................................................................................................199
23.5 Content Filter Command Input Values ..........................................................................................200
23.6 General Content Filter Commands ...............................................................................................201
23.7 Content Filter Filtering Profile Commands ..................................................203
23.8 Content Filter URL Cache Commands ..................................................205
23.9 Content Filtering Statistics .............................................................................................................206
23.9.1 Content Filtering Statistics Example ....................................................................................207
23.10 Content Filtering Commands Example .......................................................................................207
Chapter 24
Anti-Spam..........................................................................................................................................211
24.1 Anti-Spam Overview ......................................................................................................................211
24.2 Anti-Spam Commands ..................................................................................................................211
24.2.1 General Anti-Spam Commands ..................................................211
24.2.2 Zone to Zone Anti-spam Rules ............................................................................................212
24.2.3 White and Black Lists ..........................................................................................................214
24.2.4 DNSBL Anti-Spam Commands ............................................................................................216
24.3 Anti-Spam Statistics ......................................................................................................................219
24.3.1 Anti-Spam Statistics Example ..............................................................................................219
Chapter 25
Device HA..........................................................................................................................................221
25.1 Device HA Overview .....................................................................................................................221
25.1.1 Before You Begin .................................................................................................................222
25.2 General Device HA Commands ..................................................222
25.3 Active-Passive Mode Device HA ...................................................................................................222
25.4 Active-Passive Mode Device HA Commands ...............................................................................223
25.4.1 Active-Passive Mode Device HA Commands ......................................................................223
25.4.2 Active-Passive Mode Device HA Command Example ........................................................225
25.5 Legacy Mode (VRRP) Device HA .................................................................................................225
25.6 Legacy Mode (VRRP) Device HA Commands ..................................................225
25.6.1 VRRP Group Commands ....................................................................................................226
25.6.2 VRRP Synchronization Commands ..................................................226
25.6.3 Link Monitoring Commands .................................................................................................227
Chapter 26
User/Group........................................................................................................................................229
26.1 User Account Overview .................................................................................................................229
26.1.1 User Types ..........................................................................................................................229
26.2 User/Group Commands Summary ..................................................230
26.2.1 User Commands ..................................................................................................................230
26.2.2 User Group Commands .......................................................................................................231
26.2.3 User Setting Commands .....................................................................................................231
26.2.4 Force User Authentication Commands ................................................................................233
26.2.5 Additional User Commands .................................................................................................235
Chapter 27
Addresses .........................................................................................................................................237
27.1 Address Overview .........................................................................................................................237
27.2 Address Commands Summary .....................................................................................................237
27.2.1 Address Object Commands .................................................................................................238
27.2.2 Address Group Commands ..................................................240
Chapter 28
Services.............................................................................................................................................243
28.1 Services Overview ........................................................................................................................243
28.2 Services Commands Summary .....................................................................................................243
28.2.1 Service Object Commands ..................................................243
28.2.2 Service Group Commands ..................................................244
Chapter 29
Schedules..........................................................................................................................................247
29.1 Schedule Overview .......................................................................................................................247
29.2 Schedule Commands Summary ..................................................247
29.2.1 Schedule Command Examples ...........................................................................................248
Chapter 30
AAA Server........................................................................................................................................249
30.1 AAA Server Overview ...................................................................................................................249
30.2 Authentication Server Command Summary ..................................................249
30.2.1 ad-server Commands ..........................................................................................................249
30.2.2 ldap-server Commands ..................................................250
30.2.3 radius-server Commands ....................................................................................................251
30.2.4 radius-server Command Example .......................................................................................251
30.2.5 aaa group server ad Commands .........................................................................................251
30.2.6 aaa group server ldap Commands ......................................................................................252
30.2.7 aaa group server radius Commands ...................................................................................253
30.2.8 aaa group server Command Example .................................................................................254
Chapter 31
Authentication Objects.....................................................................................................................255
31.1 Authentication Objects Overview ..................................................................................................255
31.2 aaa authentication Commands .....................................................................................................255
31.2.1 aaa authentication Command Example ...............................................................................256
31.3 test aaa Command ........................................................................................................................256
31.3.1 Test a User Account Command Example ............................................................................256
Chapter 32
Certificates........................................................................................................................................259
32.1 Certificates Overview ....................................................................................................................259
32.2 Certificate Commands ...................................................................................................................259
32.3 Certificates Commands Input Values ..................................................259
32.4 Certificates Commands Summary ..................................................260
32.5 Certificates Commands Examples ..................................................263
Chapter 33
ISP Accounts.....................................................................................................................................264
33.1 ISP Accounts Overview .................................................................................................................264
33.1.1 PPPoE and PPTP Account Commands ..............................................................................264
33.1.2 Cellular Account Commands ...............................................................................................265
Chapter 34
SSL Application................................................................................................................................266
34.1 SSL Application Overview .............................................................................................................266
34.1.1 SSL Application Object Commands ....................................................................................266
34.1.2 SSL Application Command Examples ..................................................268
Chapter 35
Endpoint Security.............................................................................................................................269
35.1 Endpoint Security Overview ..................................................269
35.1.1 Endpoint Security Commands Summary .............................................................................270
35.1.2 Endpoint Security Object Commands ..................................................................................270
35.1.3 Endpoint Security Object Command Example ..................................................273
Chapter 36
DHCPv6 Objects................................................................................................................................276
36.1 DHCPv6 Object Commands Summary .........................................................................................276
36.1.1 DHCPv6 Object Commands ................................................................................................276
36.1.2 DHCPv6 Object Command Examples .................................................................................277
Chapter 37
System...............................................................................................................................................279
37.1 System Overview ..........................................................................................................................279
37.2 Customizing the WWW Login Page ..............................................................................................279
37.3 Host Name Commands ..................................................281
37.4 Time and Date ..............................................................................................................................281
37.4.1 Date/Time Commands ..................................................282
37.5 Console Port Speed .....................................................................................................................282
37.6 DNS Overview ..............................................................................................................................283
37.6.1 Domain Zone Forwarder ..................................................283
37.6.2 DNS Commands ..................................................................................................................283
37.6.3 DNS Command Example ....................................................................................................284
Chapter 38
System Remote Management..........................................................................................................285
38.1 Remote Management Overview ....................................................................................................285
38.1.1 Remote Management Limitations ........................................................................................285
38.1.2 System Timeout ...................................................................................................................285
38.2 Common System Command Input Values ....................................................................................286
38.3 HTTP/HTTPS Commands .............................................................................................................286
38.3.1 HTTP/HTTPS Command Examples ....................................................................................288
38.4 SSH ...............................................................................................................................................288
38.4.1 SSH Implementation on the ZyWALL ..................................................................................288
38.4.2 Requirements for Using SSH ..................................................288
38.4.3 SSH Commands ..................................................................................................................289
38.4.4 SSH Command Examples ...................................................................................................289
38.5 Telnet ............................................................................................................................................290
38.6 Telnet Commands .........................................................................................................................290
38.6.1 Telnet Commands Examples ..................................................290
38.7 Configuring FTP ...........................................................................................................................291
38.7.1 FTP Commands ..................................................................................................................291
38.7.2 FTP Commands Examples ..................................................................................................292
38.8 SNMP ...........................................................................................................................................292
38.8.1 Supported MIBs ...................................................................................................................292
38.8.2 SNMP Traps ........................................................................................................................292
38.8.3 SNMP Commands ...............................................................................................................293
38.8.4 SNMP Commands Examples ..............................................................................................293
38.9 ICMP Filter ...................................................................................................................................294
38.10 Dial-in Management ...................................................................................................................294
38.10.1 AT Command Strings .........................................................................................................295
38.10.2 DTR Signal ........................................................................................................................295
38.10.3 Response Strings ..............................................................................................................295
38.10.4 Dial-in Management Commands ..................................................295
38.11 Vantage CNM ..................................................296
38.11.1 Vantage CNM Commands ..................................................296
38.12 Language Commands .................................................................................................................297
38.13 IPv6 Commands ..................................................298
Chapter 39
File Manager......................................................................................................................................299
39.1 File Directories ..............................................................................................................................299
39.2 Configuration Files and Shell Scripts Overview ..................................................299
39.2.1 Comments in Configuration Files or Shell Scripts ...............................................................300
39.2.2 Errors in Configuration Files or Shell Scripts .......................................................................301
39.2.3 ZyWALL Configuration File Details ..................................................301
39.2.4 Configuration File Flow at Restart .......................................................................................302
39.3 File Manager Commands Input Values .........................................................................................302
39.4 File Manager Commands Summary .............................................................................................303
39.5 File Manager Command Examples ..................................................304
39.6 FTP File Transfer ..........................................................................................................................304
39.6.1 Command Line FTP File Upload .........................................................................................304
39.6.2 Command Line FTP Configuration File Upload Example ....................................................305
39.6.3 Command Line FTP File Download .....................................................................................305
39.6.4 Command Line FTP Configuration File Download Example ...............................................306
39.7 ZyWALL File Usage at Startup ..................................................306
39.8 Notification of a Damaged Recovery Image or Firmware .............................................................307
39.9 Restoring the Recovery Image ..................................................308
39.10 Restoring the Firmware ...............................................................................................................310
39.11 Restoring the Default System Database .....................................................................................312
39.11.1 Using the atkz -u Debug Command ..................................................314
Chapter 40
Logs...................................................................................................................................................317
40.1 Log Commands Summary ............................................................................................................317
40.1.1 Log Entries Commands .......................................................................................................318
40.1.2 System Log Commands ......................................................................................................318
40.1.3 Debug Log Commands ........................................................................................................319
40.1.4 E-mail Profile Commands ....................................................................................................320
40.1.5 Console Port Logging Commands .......................................................................................322
Chapter 41
Reports and Reboot..........................................................................................................................323
41.1 Report Commands Summary ........................................................................................................323
41.1.1 Report Commands ..............................................................................................................323
41.1.2 Report Command Examples ...............................................................................................324
41.1.3 Session Commands ............................................................................................................324
41.1.4 Packet Size Statistics Commands ..................................................324
41.2 Email Daily Report Commands ..................................................325
41.2.1 Email Daily Report Example ..................................................326
41.3 Reboot ...........................................................................................................................................328
Chapter 42
Session Timeout
Chapter 43
Diagnostics
43.1 Diagnostics
43.2 Diagnosis Commands
43.3 Diagnosis Commands Example
Chapter 44
Packet Flow Explore
44.1 Packet Flow Explore
44.2 Packet Flow Explore Commands
44.3 Packet Flow Explore Commands Example
Chapter 45
Packet Flow Filter
45.1 Packet Flow Filter
45.2 Packet Flow Filter Commands
45.3 Packet Flow Filter Commands Examples
Chapter 46
Maintenance Tools
46.1 Maintenance Command Examples
46.1.1 Packet Capture Command Example
Chapter 47
Watchdog Timer
47.1 Hardware Watchdog Timer
47.2 Software Watchdog Timer
47.3 Application Watchdog
47.3.1 Application Watchdog Commands Example
List of Commands (Alphabetical)
PART I

Introduction

CHAPTER 1

Command Line Interface

This chapter describes how to access and use the CLI (Command Line Interface).

1.1 Overview

If you have problems with your ZyWALL, customer support may request that you issue some of these commands to assist them in troubleshooting.
Use of undocumented commands or misconfiguration can damage the ZyWALL and possibly render it unusable.
1.1.1 The Configuration File
When you configure the ZyWALL using either the CLI (Command Line Interface) or the web configurator, the settings are saved as a series of commands in a configuration file on the ZyWALL. You can store more than one configuration file on the ZyWALL. However, only one configuration file is used at a time.
You can perform the following with a configuration file:
• Back up ZyWALL configuration once the ZyWALL is set up to work in your network.
• Restore ZyWALL configuration.
• Save and edit a configuration file and upload it to multiple ZyWALLs (of the same model) in your network to have the same settings.
Note: You may also edit a configuration file using a text editor.

1.2 Accessing the CLI

You can access the CLI using a terminal emulation program on a computer connected to the console port, from the web configurator or access the ZyWALL using Telnet or SSH (Secure SHell).
Note: The ZyWALL might force you to log out of your session if reauthentication time, lease time, or idle timeout is reached. See Chapter 26 on page 229 for more information about these settings.
1.2.1 Console Port
The default settings for the console port are as follows.
Table 1 Managing the ZyWALL: Console Port
SETTING   VALUE
Speed   115200 bps
Data Bits   8
Parity   None
Stop Bit   1
Flow Control   Off
When you turn on your ZyWALL, it performs several internal tests as well as line initialization. You can view the initialization information using the console port.
• Garbled text displays if your terminal emulation program’s speed is set lower than the ZyWALL’s.
• No text displays if the speed is set higher than the ZyWALL’s.
• If changing your terminal emulation program’s speed does not get anything to display, restart the ZyWALL.
• If restarting the ZyWALL does not get anything to display, contact your local customer support.
Figure 1 Console Port Power-on Display
FLASH: AMD 16M
BootModule Version: V1.14 | 07/09/2010 11:00:00
DRAM: Size = 256 Mbytes
Kernel Version: V2.6.25.4 | 2011-10-28 00:25:30
ZLD Version: V3.00(BDR.0)b9 | 2011-10-28 14:41:45
Press any key to enter debug mode within 1 seconds.
.....................
After the initialization, the login screen displays.
Figure 2 Login Screen
Welcome to ZyWALL USG 20W
Username:
Enter the user name and password at the prompts.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
1.2.2 Web Configurator Console
Note: Before you can access the CLI through the web configurator, make sure your
computer supports the Java Runtime Environment. You will be prompted to download and install the Java plug-in if it is not already installed.
When you access the CLI using the web console, your computer establishes an SSH (Secure SHell) connection to the ZyWALL. Follow the steps below to access the web console.
1 Log into the web configurator.
2 Click the Console icon in the top-right corner of the web configurator screen.
3 If the Java plug-in is already installed, skip to step 4.
Otherwise, you will be prompted to install the Java plug-in. If the prompt does not display and the screen remains gray, you have to download the setup program.
4 The web console starts. This might take a few seconds. One or more security screens may display.
Click Yes or Always.
Figure 3 Web Console: Security Warnings
Finally, the User Name screen appears.
Figure 4 Web Console: User Name
5 Enter the user name you want to use to log in to the console. The console begins to connect to the ZyWALL.
Note: The default login username is admin. It is case-sensitive.
Figure 5 Web Console: Connecting
Then, the Password screen appears.
Figure 6 Web Console: Password
6 Enter the password for the user name you specified earlier, and click OK. If you enter the password incorrectly, you get an error message, and you may have to close the console window and open it again. If you enter the password correctly, the console screen appears.
Figure 7 Web Console
7 To use most commands in this User’s Guide, enter configure terminal. The prompt should change to Router(config)#.
1.2.3 Telnet
Use the following steps to Telnet into your ZyWALL.
1 If your computer is connected to the ZyWALL over the Internet, skip to the next step. Make sure your computer IP address and the ZyWALL IP address are on the same subnet.
2 In Windows, click Start (usually in the bottom left corner) and Run. Then type telnet and the ZyWALL’s IP address. For example, enter telnet 192.168.1.1 (the default management IP address).
3 Click OK. A login screen displays. Enter the user name and password at the prompts.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
1.2.4 SSH (Secure SHell)
You can use an SSH client program to access the CLI. The following figure shows an example using a text-based SSH client program. Refer to the documentation that comes with your SSH program for information on using it.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
Figure 8 SSH Login Example
C:\>ssh2 admin@192.168.1.1
Host key not found from database.
Key fingerprint:
xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to C:/Documents and Settings/user/Application Data/SSH/hostkeys/ ey_22_192.168.1.1.pub
host key for 192.168.1.1, accepted by user Tue Aug 09 2005 07:38:28
admin's password:
Authentication successful.

1.3 How to Find Commands in this Guide

You can simply look for the feature chapter to find commands. In addition, you can use the List of
Commands (Alphabetical) at the end of the guide. This section lists the commands in alphabetical
order that they appear in this guide.
If you are looking at the CLI Reference Guide electronically, you might have additional options (for example, bookmarks or Find...) as well.

1.4 How Commands Are Explained

Each chapter explains the commands for one keyword. The chapters are divided into the following sections.
1.4.1 Background Information (Optional)
Note: See the User’s Guide for background information about most features.
This section provides background information about features that you cannot configure in the web configurator. In addition, this section identifies related commands in other chapters.
1.4.2 Command Input Values (Optional)
This section lists common input values for the commands for the feature in one or more tables.
1.4.3 Command Summary
This section lists the commands for the feature in one or more tables.
1.4.4 Command Examples (Optional)
This section contains any examples for the commands in this feature.
1.4.5 Command Syntax
The following conventions are used in this User’s Guide.
• A command or keyword in courier new must be entered literally as shown. Do not abbreviate.
• Values that you need to provide are in italics.
• Required fields that have multiple choices are enclosed in curly brackets {}.
• A range of numbers is enclosed in angle brackets <>.
• Optional fields are enclosed in square brackets [].
• The | symbol means OR.
For example, look at the following command to create a TCP/UDP service object.
service-object object-name {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>}
1 Enter service-object exactly as it appears.
2 Enter the name of the object where you see object-name.
3 Enter tcp or udp, depending on the service object you want to create.
4 Finally, do one of the following.
• Enter eq exactly as it appears, followed by a number between 1 and 65535.
• Enter range exactly as it appears, followed by two numbers between 1 and 65535.
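The notation above can be checked mechanically, which is useful when a configuration file is edited by hand before it is uploaded to several ZyWALLs. The following Python is an added example, not part of the ZyXEL guide: it parses a syntax line in this notation and tests command lines against it, and it also handles the square-bracket (optional) form. The NAME pattern for placeholder values, the function names and the sample lines are assumptions made for the example.

```python
import re

# Template tokens: <lo..hi> ranges, grouping symbols { } [ ] |, or bare words.
_TOKEN = re.compile(r"<\d+\.\.\d+>|[{}\[\]|]|[^\s{}\[\]|<>]+")
_RANGE = re.compile(r"<(\d+)\.\.(\d+)>")
_CLOSER = {"{": "}", "[": "]"}

# Assumption for this example: placeholder values are 1-31 characters drawn
# from letters, digits, "_" and "-". Substitute the rule that applies.
NAME = re.compile(r"[A-Za-z0-9_-]{1,31}")
VALUES = {"object-name": NAME, "object_name": NAME}

# Syntax line quoted from section 1.4.5.
SERVICE_OBJECT = ("service-object object-name {tcp | udp} "
                  "{eq <1..65535> | range <1..65535> <1..65535>}")

# Constructed sample lines (not taken from a real configuration file).
SAMPLE_CONFIG = """\
service-object web tcp eq 80
service-object dns udp eq 53
service-object rtp udp range 16384 32767
service-object bad1 tcp eq 0
service-object bad2 icmp eq 8
service-object bad3 tcp range 70000 70010
service-obj short tcp eq 22
"""


def _parse_seq(toks, pos, values, stop):
    """Parse template tokens into a list of nodes until a token in `stop`."""
    seq = []
    while pos < len(toks) and toks[pos] not in stop:
        tok = toks[pos]
        if tok in _CLOSER:                      # {a | b} or [a | b]
            closer, alts = _CLOSER[tok], []
            pos += 1
            while True:
                alt, pos = _parse_seq(toks, pos, values, ("|", closer))
                alts.append(alt)
                if pos >= len(toks):
                    raise ValueError(f"missing {closer!r} in template")
                pos += 1
                if toks[pos - 1] == closer:
                    break
            seq.append(("choice" if tok == "{" else "opt", alts))
            continue
        if tok in ("}", "]", "|"):
            raise ValueError(f"unexpected {tok!r} in template")
        rng = _RANGE.fullmatch(tok)
        if rng:
            seq.append(("range", int(rng.group(1)), int(rng.group(2))))
        elif tok in values:
            seq.append(("val", values[tok]))    # value supplied by the user
        else:
            seq.append(("lit", tok))            # keyword, entered literally
        pos += 1
    return seq, pos


def _step(node, toks, p):
    """Return every token index reachable after matching `node` at index p."""
    kind = node[0]
    if kind in ("choice", "opt"):
        ends = {p} if kind == "opt" else set()  # an optional field may be skipped
        for alt in node[1]:
            ends |= _match(alt, toks, p)
        return ends
    if p >= len(toks):
        return set()
    tok = toks[p]
    if kind == "lit":
        ok = tok == node[1]                     # no abbreviations accepted
    elif kind == "val":
        ok = node[1].fullmatch(tok) is not None
    else:                                       # numeric range <lo..hi>
        ok = tok.isascii() and tok.isdigit() and node[1] <= int(tok) <= node[2]
    return {p + 1} if ok else set()


def _match(seq, toks, start):
    positions = {start}
    for node in seq:
        positions = set().union(*(_step(node, toks, p) for p in positions))
    return positions


def validate(template, line, values=VALUES):
    """True if the whitespace-separated tokens of `line` match `template`."""
    tree, _ = _parse_seq(_TOKEN.findall(template), 0, values, ())
    toks = line.split()
    return len(toks) in _match(tree, toks, 0)


def lint(text, template=SERVICE_OBJECT, values=VALUES):
    """Return the 1-based numbers of non-empty lines that fail the template."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and not validate(template, line, values)]
```

Calling lint(SAMPLE_CONFIG) reports lines 4 to 7: a port outside 1..65535, a keyword that is not one of the listed choices, an out-of-range port pair, and an abbreviated command word.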
1.4.6 Changing the Password
It is highly recommended that you change the password for accessing the ZyWALL. See Section
26.2 on page 230 for the appropriate commands.

1.5 CLI Modes

You run CLI commands in one of several modes.
Table 2 CLI Modes
MODES: USER, PRIVILEGE, CONFIGURATION, SUB-COMMAND
What Guest users can do
  USER: Unable to access
  PRIVILEGE: Unable to access
  CONFIGURATION: Unable to access
  SUB-COMMAND: Unable to access
What User users can do
  USER: Look at (but not run) available commands
  PRIVILEGE: Unable to access
  CONFIGURATION: Unable to access
  SUB-COMMAND: Unable to access
What Limited-Admin users can do
  USER: Look at system information (like Status screen); Run basic diagnostics
  PRIVILEGE: Look at system information (like Status screen); Run basic diagnostics
  CONFIGURATION: Unable to access
  SUB-COMMAND: Unable to access
What Admin users can do
  USER: Look at system information (like Status screen); Run basic diagnostics
  PRIVILEGE: Look at system information (like Status screen); Run basic diagnostics
  CONFIGURATION: Configure simple features (such as an address object); Create or remove complex parts (such as an interface)
  SUB-COMMAND: Configure complex parts (such as an interface) in the ZyWALL
How you enter it
  USER: Log in to the ZyWALL
  PRIVILEGE: Type enable in User mode
  CONFIGURATION: Type configure terminal in User or Privilege mode
  SUB-COMMAND: Type the command used to create the specific part in Configuration mode
What the prompt looks like
  USER: Router>
  PRIVILEGE: Router#
  CONFIGURATION: Router(config)#
  SUB-COMMAND: (varies by part) Router(zone)# Router(config-if-ge)# ...
How you exit it
  USER: Type exit
  PRIVILEGE: Type disable
  CONFIGURATION: Type exit
  SUB-COMMAND: Type exit
See Chapter 26 on page 229 for more information about the user types. User users can only log in, look at (but not run) the available commands in User mode, and log out. Limited-Admin users can look at the configuration in the web configurator and CLI, and they can run basic diagnostics in the CLI. Admin users can configure the ZyWALL in the web configurator or CLI.
At the time of writing, there is not much difference between User and Privilege mode for admin users. This is reserved for future use.

1.6 Shortcuts and Help

1.6.1 List of Available Commands
A list of valid commands can be found by typing ? or [TAB] at the command prompt. To view a list of available commands within a command group, enter <command> ? or <command> [TAB].
Figure 9 Help: Available Commands Example 1
Router> ?
<cr>
apply
atse
clear
configure
------------------[Snip]--------------------
shutdown
telnet
test
traceroute
write
Router>
Figure 10 Help: Available Command Example 2
Router> show ?
<wlan ap interface>
aaa
access-page
account
ad-server
address-object
------------------[Snip]--------------------
wlan
workspace
zone
Router> show
1.6.2 List of Sub-commands or Required User Input
To view detailed help information for a command, enter <command> <sub command> ?.
Figure 11 Help: Sub-command Information Example
Router(config)# ip telnet server ?
;
<cr>
port
rule
|
Router(config)# ip telnet server
Figure 12 Help: Required User Input Example
Router(config)# ip telnet server port ?
<1..65535>
Router(config)# ip telnet server port
1.6.3 Entering Partial Commands
The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the ZyWALL automatically display the full command.
For example, if you enter config and press [TAB], the full command of configure automatically displays.
If you enter a partial command that is not unique and press [TAB], the ZyWALL displays a list of commands that start with the partial command.
Figure 13 Non-Unique Partial Command Example
Router# c [TAB]
clear configure copy
Router# co [TAB]
configure copy
1.6.4 Entering a ? in a Command
Typing a ? (question mark) usually displays help information. However, some commands allow you to input a ?, for example as part of a string. Press [CTRL+V] on your keyboard to enter a ? without the ZyWALL treating it as a help query.
1.6.5 Command History
The ZyWALL keeps a list of commands you have entered for the current CLI session. You can use any commands in the history again by pressing the up or down arrow key to scroll through the previously used commands and press [ENTER].
1.6.6 Navigation
Press [CTRL]+A to move the cursor to the beginning of the line. Press [CTRL]+E to move the cursor to the end of the line.
1.6.7 Erase Current Command
Press [CTRL]+U to erase whatever you have currently typed at the prompt (before pressing [ENTER]).
1.6.8 The no Commands
When entering the no commands described in this document, you may not need to type the whole command. For example, with the “[no] mss <536..1452>” command, you use “mss 536” to specify the MSS value. But to disable the MSS setting, you only need to type “no mss” instead of “no mss 536”.

1.7 Input Values

You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen. For example, in the following example, the next input value is a string called <description>.
Router# configure terminal
Router(config)# interface ge1
Router(config-if-ge)# description <description>
When you use the example above, note that ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
The following table provides more information about input values like <description>.
Table 3 Input-Value Formats for Strings in CLI Commands
TAG   # VALUES   LEGAL VALUES
*   1   *
all   --   ALL
authentication key
  Used in IPSec SA
    32-40   “0x” or “0X” + 32-40 hexadecimal values
    16-20   alphanumeric or ;|`~!@#$%^&*()_+\\{}':,./<>=-
  Used in MD5 authentication keys for RIP/OSPF and text authentication key for RIP
    0-16   alphanumeric or _-
  Used in text authentication keys for OSPF
    0-8   alphanumeric or _-
certificate name   1-31   alphanumeric or ;`~!@#$%^&()_+[\]{}',.=-
community string   0-63   alphanumeric or .-
    first character: alphanumeric or -
connection_id   1+   alphanumeric or -_:
contact   1-61   alphanumeric, spaces, or '()+,/:=?;!*#@$_%-.
country code   0 or 2   alphanumeric
custom signature file name   0-30   alphanumeric or _-.
    first character: letter
description
  Used in keyword criteria for log entries
    1-64   alphanumeric, spaces, or '()+,/:=?;!*#@$_%-.
  Used in other commands
    1-61   alphanumeric, spaces, or '()+,/:=?;!*#@$_%-
distinguished name   1-511   alphanumeric, spaces, or .@=,_-
domain name
  Used in content filtering
    0+   lower-case letters, numbers, or .-
  Used in ip dns server
    0-247   alphanumeric or .-
      first character: alphanumeric or -
  Used in domainname, ip dhcp pool, and ip domain
    0-254   alphanumeric or ._-
      first character: alphanumeric or -
email   1-63   alphanumeric or .@_-
e-mail   1-64   alphanumeric or .@_-
encryption key
    16-64   “0x” or “0X” + 16-64 hexadecimal values
    8-32   alphanumeric or ;\|`~!@#$%^&*()_+\\{}':,./<>=-
file name   0-31   alphanumeric or _-
filter extension   1-256   alphanumeric, spaces, or '()+,/:=?;!*#@$_%.-
fqdn
  Used in ip dns server
    0-252   alphanumeric or .-
      first character: alphanumeric or -
  Used in ip ddns, time server, device HA, VPN, certificates, and interface ping check
    0-254   alphanumeric or .-
      first character: alphanumeric or -
full file name   0-256   alphanumeric or _/.-
hostname
  Used in hostname command
    0-63   alphanumeric or .-_
      first character: alphanumeric or -
  Used in other commands
    0-252   alphanumeric or .-
      first character: alphanumeric or -
import configuration file   1-26+”.conf”   alphanumeric or ;`~!@#$%^&()_+[]{}',.=-
    add “.conf” at the end
import shell script   1-26+”.zysh”   alphanumeric or ;`~!@#$%^&()_+[]{}',.=-
    add “.zysh” at the end
initial string   1-64   alphanumeric, spaces, or '()+,/:=!*#@$_%-.&
isp account password   0-63   alphanumeric or `~!@#$%^&*()_\-+={}|\;:'<,>./
isp account username   0-30   alphanumeric or -_@$./
ipv6_addr
    An IPv6 address. The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.
    IPv6 addresses can be abbreviated in two ways:
    Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0.
    Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.
key length   --   512, 768, 1024, 1536, 2048
license key   25   “S-” + 6 upper-case letters or numbers + “-” + 16 upper-case letters or numbers
mac address   --   aa:bb:cc:dd:ee:ff (hexadecimal)
mail server fqdn   lower-case letters, numbers, or -.
name   1-31   alphanumeric or _-
notification message   1-81   alphanumeric, spaces, or '()+,/:=?;!*#@$_%-
password: less than 15 chars   1-15   alphanumeric or `~!@#$%^&*()_\-+={}|\;:'<,>./
password: less than 8 chars   1-8   alphanumeric or ;/?:@&=+$\.-_!~*'()%,#$
password
  Used in user and ip ddns
    1-63   alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./
  Used in e-mail log profile SMTP authentication
    1-63   alphanumeric or `~!@#$%^&*()_-+={}|\;:'<>./
  Used in device HA synchronization
    1-63   alphanumeric or ~#%^*_-={}:,.
  Used in registration
    6-20   alphanumeric or .@_-
phone number   1-20   numbers or ,+
preshared key   16-64   “0x” or “0X” + 16-64 hexadecimal values
    alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
profile name   0-30   alphanumeric or _-
    first character: letters or _-
proto name   1-16   lower-case letters, numbers, or -
protocol name   0-30   alphanumeric or _-
    first character: letters or _-
quoted string less than 127 chars   1-255   alphanumeric, spaces, or ;/?:@&=+$\.-_!~*'()%,
quoted string less than 63 chars   1-63   alphanumeric, spaces, or ;/?:@&=+$\.-_!~*'()%
quoted string   0+   alphanumeric, spaces, or punctuation marks
    enclosed in double quotation marks (“)
    must put a backslash (\) before double quotation marks that are part of input value itself
service name   0-63   alphanumeric or -_@$./
spi   2-8   hexadecimal
string less than 15 chars   1-15   alphanumeric or -_
string: less than 63 chars   1-63   alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./
string   1+   alphanumeric or -_@
subject   1-61   alphanumeric, spaces, or '()+,./:=?;!*#@$_%-
system type   0-2   hexadecimal
timezone [-+]hh   --   -12 through +12 (with or without “+”)
url   1-511   alphanumeric or '()+,/:.=?;!*#@$_%-
url
  Used in content filtering redirect
    “http://”+ “https://”+   alphanumeric or ;/?:@&=+$\.-_!~*'()%,
      starts with “http://” or “https://”
      may contain one pound sign (#)
  Used in other content filtering commands
    “http://”+   alphanumeric or ;/?:@&=+$\.-_!~*'()%,
      starts with “http://”
      may contain one pound sign (#)
user name
  Used in VPN extended authentication
    1-31   alphanumeric or _-
  Used in other commands
    0-30   alphanumeric or _-
      first character: letters or _-
username   6-20   alphanumeric or .@_-
    registration
user name   1+   alphanumeric or -_.
    logging commands
user@domainname   1-80   alphanumeric or .@_-
vrrp group name: less than 15 chars   1-15   alphanumeric or _-
week-day sequence, i.e. 1=first,2=second   1   1-4
xauth method   1-31   alphanumeric or _-
xauth password   1-31   alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
mac address   0-12 (even number)   hexadecimal
    for example: aa aabbcc aabbccddeeff

1.8 Ethernet Interfaces

How you specify an Ethernet interface depends on the ZyWALL model.
• For the ZyWALL USG 300 and above, use gex, x = 1~N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
• The ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.

1.9 Saving Configuration Changes

Use the write command to save the current configuration to the ZyWALL.
Note: Always save the changes before you log out after each management session. All
unsaved changes will be lost after the system restarts.

1.10 Logging Out

Enter the exit or end command in configure mode to go to privilege mode.
Enter the exit command in user mode or privilege mode to log out of the CLI.

CHAPTER 2

User and Privilege Modes

This chapter describes how to use these two modes.

2.1 User And Privilege Modes

This is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the ZyWALL uses. See Chapter 26 on page 229 for more information about the user types. ‘User’ type accounts can only run ‘exit’ in this mode. However, they may need to log into the device in order to be authenticated for ‘user-aware’ policies, for example a firewall rule that a particular user is exempt from or a VPN tunnel that only certain people may use.)
Type ‘enable’ to go to ‘privilege mode’. No password is required. All commands can be run from here except those marked with an asterisk. Many of these commands are for trouble-shooting purposes, for example the htm (hardware test module) and debug commands. Customer support may ask you to run some of these commands and send the results if you need assistance troubleshooting your device.
For admin logins, all commands are visible in ‘user mode’ but not all can be run there. The following table displays which commands can be run in ‘user mode’. All commands can be run in ‘privilege mode’.
The htm and psm commands are for ZyXEL’s internal manufacturing process.
Table 4 User (U) and Privilege (P) Mode Commands
COMMAND   MODE   DESCRIPTION
apply   P   Applies a configuration file.
atse   U/P   Displays the seed code
clear   U/P   Clears system or debug logs or DHCP binding.
configure   U/P   Use ‘configure terminal’ to enter configuration mode.
copy   P   Copies configuration files.
debug (*)   U/P   For support personnel only! The device needs to have the debug flag enabled.
delete   P   Deletes configuration files.
details   P   Performs diagnostic commands.
diag   P   Provided for support personnel to collect internal system information. It is not recommended that you use these.
diag-info   P   Has the ZyWALL create a new diagnostic file.
dir   P   Lists files in a directory.
disable   U/P   Goes from privilege mode to user mode
enable   U/P   Goes from user mode to privilege mode
exit   U/P   Goes to a previous mode or logs out.
htm   U/P   Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting.
    Note: These commands are for ZyXEL’s internal manufacturing process.
interface   U/P   Dials or disconnects an interface.
no packet-trace   U/P   Turns off packet tracing.
nslookup   U/P   Resolves an IP address to a host name and vice-versa.
packet-trace   U/P   Performs a packet trace.
ping   U/P   Pings an IP address or host name.
ping6   U/P   Pings an IPv6 address or a host name.
psm   U/P   Goes to psm (product support module) mode for setting product parameters. You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting.
    Note: These commands are for ZyXEL’s internal manufacturing process.
reboot   P   Restarts the device.
release   P   Releases DHCP information from an interface.
rename   P   Renames a configuration file.
renew   P   Renews DHCP information for an interface.
run   P   Runs a script.
setenv   U/P   Turns stop-on-error on (terminates booting if an error is found in a configuration file) or off (ignores configuration file errors and continues booting).
show   U/P   Displays command statistics. See the associated command chapter in this guide.
shutdown   P   Writes all d data to disk and stops the system processes. It does not turn off the power.
telnet   U/P   Establishes a connection to the TCP port number 23 of the specified host name or IP address.
test aaa   U/P   Tests whether the specified user name can be successfully authenticated by an external authentication server.
traceroute   P   Traces the route to the specified host name or IP address.
traceroute6   P   Traces the route to the specified host name or IPv6 address.
write   P   Saves the current configuration to the ZyWALL. All unsaved changes are lost after the ZyWALL restarts.
Subsequent chapters in this guide describe the configuration commands. User/privilege mode commands that are also configuration commands (for example, ‘show’) are described in more detail in the related configuration command chapter.
2.1.1 Debug Commands
Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for ZyXEL service personnel use only. The debug commands follow a Linux-based syntax, so if there is a Linux equivalent, it is displayed in this chapter for your reference. You must know a command listed here well before you use it. Otherwise, it may cause undesired results.
Table 5 Debug Commands
COMMAND SYNTAX   DESCRIPTION   LINUX COMMAND EQUIVALENT
debug alg   FTP/SIP ALG debug commands
debug anti-spam   Anti-Spam debug commands
debug app   Application patrol debug command
debug app show l7protocol (*)   Shows app patrol protocol list   > cat /etc/l7_protocols/protocol.list
debug ca (*)   Certificate debug commands
debug content-filter   Content Filtering debug commands
debug device-ha (*)   Device HA debug commands
debug eps   Endpoint security debug commands
debug force-auth (*)   Authentication policy debug commands
debug gui (*)   GUI cgi related debug commands
debug gui (*)   Web Configurator related debug commands
debug hardware (*)   Hardware debug commands
debug idp   IDP debug commands
debug idp-av   IDP and Anti-Virus debug commands
debug interface   Interface debug commands
debug interface ifconfig [interface]   Shows system interfaces detail   > ifconfig [interface]
debug interface-group   Port grouping debug commands
debug ip dns   DNS debug commands
debug ip virtual-server   Virtual Server (NAT) debug commands
debug ipsec   IPSec VPN debug commands
debug logging   System logging debug commands
debug manufacture   Manufacturing related debug commands
debug myzyxel server (*)   Myzyxel.com debug commands
debug network arpignore (*)   Enable/Display the ignoring of ARP responses for interfaces which don't own the IP address   cat /proc/sys/net/ipv4/conf/*/arp_ignore
debug no myzyxel server (*)   Set the myZyXEL.com registration/update server to the official site
debug policy-route (*)   Policy route debug command
debug reset content-filter profiling   Content Filtering debug commands
debug service-register   Service registration debug command
debug show content-filter server   Category-based content filtering debug command
debug show myzyxel server status   Myzyxel.com debug commands
debug show ipset   Lists the ZyWALL‘s received cards
debug show myzyxel server status   Myzyxel.com debug commands
debug sslvpn   SSL VPN debug commands
debug system ipv6   IPv6 debug commands
debug [cmdexec|corefile|ip|kernel|mac-id-rewrite|observer|switch|system|zyinetpkt|zysh-ipt-op] (*)   ZLD internal debug commands
debug update server (*)   Update server debug command
PART II

Reference

CHAPTER 3

Object Reference

This chapter describes how to use object reference commands.

3.1 Object Reference Commands

The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
Table 6 show reference Commands
COMMAND   DESCRIPTION
show reference object username [username]   Displays which configuration settings reference the specified user object.
show reference object address [object_name]   Displays which configuration settings reference the specified address object.
show reference object address6 [object_name]   Displays which configuration settings reference the specified IPv6 address object.
show reference object eps [object_name]   Displays which configuration settings reference the specified endpoint security object.
show reference object service [object_name]   Displays which configuration settings reference the specified service object.
show reference object schedule [object_name]   Displays which configuration settings reference the specified schedule object.
show reference object interface [interface_name | virtual_interface_name]   Displays which configuration settings reference the specified interface or virtual interface object.
show reference object aaa authentication [default | auth_method]   Displays which configuration settings reference the specified AAA authentication object.
show reference object ca category {local|remote} [cert_name]   Displays which configuration settings reference the specified authentication method object.
show reference object account pppoe [object_name]   Displays which configuration settings reference the specified PPPoE account object.
show reference object account pptp [object_name]   Displays which configuration settings reference the specified PPTP account object.
show reference object sslvpn application [object_name]   Displays which configuration settings reference the specified SSL VPN application object.
show reference object crypto map [crypto_name]   Displays which configuration settings reference the specified VPN connection object.
show reference object isakmp policy [isakmp_name]   Displays which configuration settings reference the specified VPN gateway object.
show reference object sslvpn policy [object_name]   Displays which configuration settings reference the specified SSL VPN object.
ZyWALL (ZLD) CLI Reference Guide 39
Chapter 3 Object Reference
Table 6 show reference Commands (continued)
COMMAND DESCRIPTION
show reference object zone [object_name]
    Displays which configuration settings reference the specified zone object.
show reference object dhcp6-lease-object [object_name]
    Displays which configuration settings reference the specified DHCPv6 lease object.
show reference object dhcp6-request-object [object_name]
    Displays which configuration settings reference the specified DHCPv6 request object.
show reference object-group username [username]
    Displays which configuration settings reference the specified user group object.
show reference object-group address [object_name]
    Displays which configuration settings reference the specified address group object.
show reference object-group address6 [object_name]
    Displays which configuration settings reference the specified IPv6 address group object.
show reference object-group service [object_name]
    Displays which configuration settings reference the specified service group object.
show reference object-group interface [object_name]
    Displays which configuration settings reference the specified trunk object.
show reference object-group aaa ad [group_name]
    Displays which configuration settings reference the specified AAA AD group object.
show reference object-group aaa ldap [group_name]
    Displays which configuration settings reference the specified AAA LDAP group object.
show reference object-group aaa radius [group_name]
    Displays which configuration settings reference the specified AAA RADIUS group object.
3.1.1 Object Reference Command Example
This example shows how to check which configuration is using an address object named LAN1_SUBNET. In the command output, firewall rule 3 named LAN1-to-USG-2000 is using the address object.
Router(config)# show reference object address LAN1_SUBNET
LAN1_SUBNET References:
Category Rule Priority Rule Name Description
===========================================================================
Firewall 3 N/A LAN1-to-USG-2000
Router(config)#
CHAPTER 4

Status

This chapter explains some commands you can use to display information about the ZyWALL’s current operational state.
Table 7 Status Show Commands
COMMAND DESCRIPTION
show boot status
    Displays details about the ZyWALL’s startup state.
show comport status
    Displays whether the console and auxiliary ports are on or off.
show cpu status
    Displays the CPU utilization.
show disk
    Displays the disk utilization.
show extension-slot
    Displays the status of the extension card slot and USB ports and the names of devices connected to them.
show fan-speed
    Displays the current fan speed.
show led status
    Displays the status of each LED on the ZyWALL.
show mac
    Displays the ZyWALL’s MAC address.
show mem status
    Displays what percentage of the ZyWALL’s memory is currently being used.
show ram-size
    Displays the size of the ZyWALL’s on-board RAM.
show redundant-power status
    Displays the status of the ZyWALL’s power modules. The ZyWALL has two power modules. It can continue operating on a single power module if one fails.
show serial-number
    Displays the serial number of this ZyWALL.
show socket listen
    Displays the ZyWALL’s listening ports.
show socket open
    Displays the ports that are open on the ZyWALL.
show system uptime
    Displays how long the ZyWALL has been running since it last restarted or was turned on.
show version
    Displays the ZyWALL’s model, firmware and build information.
Here are examples of the commands that display the CPU and disk utilization.
Router(config)# show cpu status
CPU utilization: 0 %
CPU utilization for 1 min: 0 %
CPU utilization for 5 min: 0 %
Router(config)# show disk
; <cr> |
Router(config)# show disk
No. Disk Size(MB) Usage
===========================================================================
1 image 67 83%
2 onboard flash 163 15%
Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size, and serial number.
Router(config)# show fan-speed
FAN1(F00)(rpm): limit(hi)=6500, limit(lo)=1400, max=6650, min=6642, avg=6644
FAN2(F01)(rpm): limit(hi)=6500, limit(lo)=1400, max=6809, min=6783, avg=6795
FAN3(F02)(rpm): limit(hi)=6500, limit(lo)=1400, max=6683, min=6666, avg=6674
FAN4(F03)(rpm): limit(hi)=6500, limit(lo)=1400, max=6633, min=6617, avg=6627
Router(config)# show mac
MAC address: 28:61:32:89:37:61-28:61:32:89:37:67
Router(config)# show mem status
memory usage: 39%
Router(config)# show ram-size
ram size: 510MB
Router(config)# show serial-number
serial number: S060Z12020460
Here is an example of the command that displays the listening ports.
Router(config)# show socket listen
No. Proto Local_Address Foreign_Address State
===========================================================================
1 tcp 0.0.0.0:2601 0.0.0.0:0 LISTEN
2 tcp 0.0.0.0:2602 0.0.0.0:0 LISTEN
3 tcp 127.0.0.1:10443 0.0.0.0:0 LISTEN
4 tcp 0.0.0.0:2604 0.0.0.0:0 LISTEN
5 tcp 0.0.0.0:80 0.0.0.0:0 LISTEN
6 tcp 127.0.0.1:8085 0.0.0.0:0 LISTEN
7 tcp 1.1.1.1:53 0.0.0.0:0 LISTEN
8 tcp 172.23.37.205:53 0.0.0.0:0 LISTEN
9 tcp 10.0.0.8:53 0.0.0.0:0 LISTEN
10 tcp 172.23.37.240:53 0.0.0.0:0 LISTEN
11 tcp 192.168.1.1:53 0.0.0.0:0 LISTEN
12 tcp 127.0.0.1:53 0.0.0.0:0 LISTEN
13 tcp 0.0.0.0:21 0.0.0.0:0 LISTEN
14 tcp 0.0.0.0:22 0.0.0.0:0 LISTEN
15 tcp 127.0.0.1:953 0.0.0.0:0 LISTEN
16 tcp 0.0.0.0:443 0.0.0.0:0 LISTEN
17 tcp 127.0.0.1:1723 0.0.0.0:0 LISTEN
Here is an example of the command that displays the open ports.
Router(config)# show socket open
No. Proto Local_Address Foreign_Address State
===========================================================================
1 tcp 172.23.37.240:22 172.23.37.10:1179 ESTABLISHED
2 udp 127.0.0.1:64002 0.0.0.0:0
3 udp 0.0.0.0:520 0.0.0.0:0
4 udp 0.0.0.0:138 0.0.0.0:0
5 udp 0.0.0.0:138 0.0.0.0:0
6 udp 0.0.0.0:138 0.0.0.0:0
7 udp 0.0.0.0:138 0.0.0.0:0
8 udp 0.0.0.0:138 0.0.0.0:0
9 udp 0.0.0.0:138 0.0.0.0:0
10 udp 0.0.0.0:138 0.0.0.0:0
11 udp 0.0.0.0:32779 0.0.0.0:0
12 udp 192.168.1.1:4500 0.0.0.0:0
13 udp 1.1.1.1:4500 0.0.0.0:0
14 udp 10.0.0.8:4500 0.0.0.0:0
15 udp 172.23.37.205:4500 0.0.0.0:0
16 udp 172.23.37.240:4500 0.0.0.0:0
17 udp 127.0.0.1:4500 0.0.0.0:0
18 udp 127.0.0.1:63000 0.0.0.0:0
19 udp 127.0.0.1:63001 0.0.0.0:0
20 udp 127.0.0.1:63002 0.0.0.0:0
21 udp 0.0.0.0:161 0.0.0.0:0
22 udp 127.0.0.1:63009 0.0.0.0:0
23 udp 192.168.1.1:1701 0.0.0.0:0
24 udp 1.1.1.1:1701 0.0.0.0:0
25 udp 10.0.0.8:1701 0.0.0.0:0
26 udp 172.23.37.205:1701 0.0.0.0:0
27 udp 172.23.37.240:1701 0.0.0.0:0
28 udp 127.0.0.1:1701 0.0.0.0:0
29 udp 127.0.0.1:63024 0.0.0.0:0
30 udp 127.0.0.1:30000 0.0.0.0:0
31 udp 1.1.1.1:53 0.0.0.0:0
32 udp 172.23.37.205:53 0.0.0.0:0
33 udp 10.0.0.8:53 0.0.0.0:0
34 udp 172.23.37.240:53 0.0.0.0:0
35 udp 192.168.1.1:53 0.0.0.0:0
36 udp 127.0.0.1:53 0.0.0.0:0
37 udp 0.0.0.0:67 0.0.0.0:0
38 udp 127.0.0.1:63046 0.0.0.0:0
39 udp 127.0.0.1:65097 0.0.0.0:0
40 udp 0.0.0.0:65098 0.0.0.0:0
41 udp 192.168.1.1:500 0.0.0.0:0
42 udp 1.1.1.1:500 0.0.0.0:0
43 udp 10.0.0.8:500 0.0.0.0:0
44 udp 172.23.37.205:500 0.0.0.0:0
45 udp 172.23.37.240:500 0.0.0.0:0
46 udp 127.0.0.1:500 0.0.0.0:0
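The following Python script is an added example, not part of the ZyXEL guide: it parses the table printed by show socket listen or show socket open and reports which services are bound to every interface (0.0.0.0) but missing from an allow-list. The function names and the allow-list contents are assumptions; the sample rows are copied from the listening-ports example in this chapter.

```python
import ipaddress
import re
from collections import namedtuple

Socket = namedtuple("Socket", "no proto local_ip local_port state")

# Data row layout used by both commands:
#   No. Proto Local_Address Foreign_Address [State]
ROW = re.compile(
    r"^\s*(\d+)\s+(tcp|udp)\s+(\S+):(\d+)\s+\S+:\d+(?:\s+(\S+))?\s*$"
)

# Assumption: site policy allows only SSH and HTTPS on all interfaces.
ALLOWED_WILDCARD = {("tcp", 22), ("tcp", 443)}

# Rows copied from the 'show socket listen' example in this chapter.
SAMPLE_LISTEN = """\
Router(config)# show socket listen
No. Proto Local_Address Foreign_Address State
===========================================================================
1 tcp 0.0.0.0:2601 0.0.0.0:0 LISTEN
2 tcp 0.0.0.0:2602 0.0.0.0:0 LISTEN
3 tcp 127.0.0.1:10443 0.0.0.0:0 LISTEN
4 tcp 0.0.0.0:2604 0.0.0.0:0 LISTEN
5 tcp 0.0.0.0:80 0.0.0.0:0 LISTEN
6 tcp 127.0.0.1:8085 0.0.0.0:0 LISTEN
7 tcp 1.1.1.1:53 0.0.0.0:0 LISTEN
8 tcp 172.23.37.205:53 0.0.0.0:0 LISTEN
9 tcp 10.0.0.8:53 0.0.0.0:0 LISTEN
10 tcp 172.23.37.240:53 0.0.0.0:0 LISTEN
11 tcp 192.168.1.1:53 0.0.0.0:0 LISTEN
12 tcp 127.0.0.1:53 0.0.0.0:0 LISTEN
13 tcp 0.0.0.0:21 0.0.0.0:0 LISTEN
14 tcp 0.0.0.0:22 0.0.0.0:0 LISTEN
15 tcp 127.0.0.1:953 0.0.0.0:0 LISTEN
16 tcp 0.0.0.0:443 0.0.0.0:0 LISTEN
17 tcp 127.0.0.1:1723 0.0.0.0:0 LISTEN
"""


def parse_sockets(text):
    """Return one Socket per data row; prompts, headers and rules are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue
        no, proto, ip, port, state = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address column, ignore the line
        rows.append(Socket(int(no), proto, addr, int(port), state or ""))
    return rows


def bind_scope(sock):
    """Classify where the socket accepts traffic from, by its local address."""
    if sock.local_ip.is_unspecified:
        return "all-interfaces"
    if sock.local_ip.is_loopback:
        return "loopback"
    return "single-address"


def exposure_by_scope(rows):
    """Map bind scope to a sorted, de-duplicated list of (proto, port)."""
    scopes = {"all-interfaces": set(), "loopback": set(), "single-address": set()}
    for s in rows:
        if s.proto == "tcp" and s.state != "LISTEN":
            continue  # an established session from 'show socket open', not a listener
        scopes[bind_scope(s)].add((s.proto, s.local_port))
    return {scope: sorted(services) for scope, services in scopes.items()}


def unexpected_wildcard(rows, allowed):
    """Services bound to 0.0.0.0 that the allow-list does not cover."""
    return [svc for svc in exposure_by_scope(rows)["all-interfaces"] if svc not in allowed]


if __name__ == "__main__":
    sockets = parse_sockets(SAMPLE_LISTEN)
    for scope, services in exposure_by_scope(sockets).items():
        print(scope, services)
    print("review:", unexpected_wildcard(sockets, ALLOWED_WILDCARD))
```

Whether a service bound to 0.0.0.0 is actually reachable from a given zone still depends on the firewall and service-control rules, so the result is a list of items to check against those rules.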
Here are examples of the commands that display the system uptime and model, firmware, and build information.
Router> show system uptime
system uptime: 04:18:00
Router> show version
ZyXEL Communications Corp.
model : ZyWALL USG 100
firmware version: 2.20(AQQ.0)b3
BM version : 1.08
build date : 2009-11-21 01:18:06
This example shows the current LED states on the ZyWALL. The SYS LED is on and green. The AUX and HDD LEDs are both off.
Router> show led status
sys: green
aux: off
hdd: off
Router>
CHAPTER 5

Registration

This chapter introduces myzyxel.com and shows you how to register the ZyWALL for IDP/AppPatrol, anti-virus, content filtering, and SSL VPN services using commands.

5.1 myZyXEL.com Overview

myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL.
Note: You need to create an account before you can register your device and activate the services at myZyXEL.com.
You can directly create a myZyXEL.com account, register your ZyWALL and activate a service using the Licensing > Registration screens. Alternatively, go to http://www.myZyXEL.com with the ZyWALL’s serial number and LAN MAC address to register it. Refer to the web site’s on-line help for details.
Note: To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.
5.1.1 Subscription Services Available on the ZyWALL
The ZyWALL can use anti-virus, anti-spam, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), SSL VPN, and content filtering subscription services.
• The ZyWALL’s anti-virus packet scanner uses the signature files on the ZyWALL to detect virus files. Your ZyWALL scans files transmitting through the enabled interfaces into the network. Subscribe to signature files for ZyXEL’s anti-virus engine or one powered by Kaspersky. After the service is activated, the ZyWALL can download the up-to-date signature files from the update server (http://myupdate.zywall.zyxel.com).
When using the trial, you can switch from one engine to the other in the Registration screen. There is no limit on the number of times you can change the anti-virus engine selection during the trial, but you only get a total of one anti-virus trial period (not a separate trial period for each anti-virus engine). After the service is activated, the ZyWALL can download the up-to-date signature files from the update server (http://myupdate.zywall.zyxel.com).
After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and enter the PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. If you were already using an iCard anti-virus subscription, any remaining time on your earlier subscription is automatically added to the new subscription, even if the earlier iCard anti-virus subscription was for a different anti-virus engine. For example, suppose you purchase a one-year Kaspersky engine anti-virus service subscription and use it for six months. Then you purchase a one-year ZyXEL engine anti-virus service subscription and enter the iCard’s PIN number (license key) in the Registration > Service screen. The one-year ZyXEL engine anti-virus service subscription is automatically extended to 18 months.
• The IDP and application patrol features use the IDP/AppPatrol signature files on the ZyWALL. IDP detects malicious or suspicious packets and responds immediately. Application patrol conveniently manages the use of various applications on the network. After the service is activated, the ZyWALL can download the up-to-date signature files from the update server (http://myupdate.zywall.zyxel.com).
• SSL VPN tunnels provide secure network access to remote users. You can purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels.
• The content filter allows or blocks access to web sites. Subscribe to category-based content filtering to block access to categories of web sites based on content. Your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block and/or log access to web sites based on these categories.
• You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/AppPatrol service. You can also check for new signatures at http://mysecurity.zyxel.com.
See the respective chapters for more information about these features.
Note: To update the signature file or use a subscription service, you have to register the ZyWALL and activate the corresponding service at myZyXEL.com (through the ZyWALL).

5.2 Registration Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 8 Input Values for General Registration Commands
LABEL DESCRIPTION
user_name
    The user name of your myZyXEL.com account. You must use six to 20 alphanumeric characters (and the underscore). Spaces are not allowed.
password
    The password for the myZyXEL.com account. You must use six to 20 alphanumeric characters (and the underscore). Spaces are not allowed.
The following table describes the commands available for registration. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 9 Command Summary: Registration
COMMAND DESCRIPTION
device-register checkuser user_name
    Checks if the user name exists in the myZyXEL.com database.
device-register username user_name password password [e-mail user@domainname] [country-code country_code] [reseller-name name] [reseller-mail email-address] [reseller-phone phone-number] [vat vat-number]
    Registers the device with an existing account or creates a new account and registers the device at one time. country_code: see Table 10 on page 48
service-register checkexpire
    Gets information of all service subscriptions from myZyXEL.com and updates the status table.
service-register service-type standard license-key key_value
    Activates a standard service subscription with the license key.
service-register service-type trial service {content-filter|idp}
    Activates the content filter or IDP trial service subscription.
service-register service-type trial service all {kav|zav}
    Activates all of the trial service subscriptions, including Kaspersky or ZyXEL anti-virus.
service-register service-type trial service av {kav|zav}
    Activates a Kaspersky or ZyXEL anti-virus trial service subscription.
service-register service-type trial av-engine {kav|zav}
    Changes from one anti-virus engine to the other.
show device-register status
    Displays whether the device is registered and account information.
show service-register reseller-info
    Displays your seller’s information that you have entered during registration.
show service-register server-type
    Displays the type of the register server to which your ZyWALL is connected.
show service-register status {all|idp|av|sslvpn|sslvpn-status}
    Displays service license information.
show service-register status content-filter { bluecoat | commtouch }
    Displays BlueCoat or Commtouch service license information.
show service-register content-filter-engine
    Displays which external web filtering service the ZyWALL is set to use for content filtering.
service-register content-filter-engine { bluecoat | commtouch }
    Sets whether the ZyWALL uses BlueCoat or Commtouch for content filtering.
service-register service-type trial service as
    Activates the Anti-Spam trial service subscription.
show service-register status as
    Displays whether the Anti-Spam service is registered and account information.
debug service-register erase service as
    Removes the ZyWALL’s Anti-Spam service registration.
5.2.1 Command Examples
The following commands allow you to register your device with an existing account or create a new account and register the device at one time, and activate a trial service subscription.
Router# configure terminal
Router(config)# device-register username alexctsui password 123456
Router(config)# service-register service-type trial service content-filter
The following command displays the account information and whether the device is registered.
Router# configure terminal
Router(config)# show device-register status
username : example
password : 123456
device register status : yes
expiration self check : no
The following command displays the service registration status and type and how many days remain before the service expires.
Router# configure terminal
Router(config)# show service-register status all
Service         Status        Type      Count  Expiration
===========================================================================
IDP Signature   Licensed      Standard  N/A    176
Anti-Virus      Not Licensed  None      N/A    0
SSLVPN          Not Licensed  None      5      N/A
Content-Filter  Not Licensed  None      N/A    0
The following command displays the seller details you have entered on the ZyWALL.
Router# configure terminal
Router(config)# show service-register reseller-info
seller’s name: ABC
seller’s e-mail: abc@example.com
seller’s contact number: 12345678
vat number:

5.3 Country Code

The following table displays the number for each country.
Table 10 Country Codes
COUNTRY CODE  COUNTRY NAME
001 Afghanistan
002 Albania
003 Algeria
004 American Samoa
005 Andorra
006 Angola
007 Anguilla
008 Antarctica
009 Antigua & Barbuda
010 Argentina
011 Armenia
012 Aruba
013 Ascension Island
014 Australia
015 Austria
016 Azerbaijan
017 Bahamas
018 Bahrain
019 Bangladesh
020 Barbados
021 Belarus
022 Belgium
023 Belize
024 Benin
025 Bermuda
026 Bhutan
027 Bolivia
028 Bosnia and Herzegovina
029 Botswana
030 Bouvet Island
031 Brazil
032 British Indian Ocean Territory
033 Brunei Darussalam
034 Bulgaria
035 Burkina Faso
036 Burundi
037 Cambodia
038 Cameroon
039 Canada
040 Cape Verde
041 Cayman Islands
042 Central African Republic
043 Chad
044 Chile
045 China
046 Christmas Island
047 Cocos (Keeling) Islands
048 Colombia
049 Comoros
050 Congo, Democratic Republic of the
051 Congo, Republic of
052 Cook Islands
053 Costa Rica
054 Cote d'Ivoire
055 Croatia/Hrvatska
056 Cyprus
057 Czech Republic
058 Denmark
059 Djibouti
060 Dominica
061 Dominican Republic
062 East Timor
063 Ecuador
064 Egypt
065 El Salvador
066 Equatorial Guinea
067 Eritrea
068 Estonia
069 Ethiopia
070 Falkland Islands (Malvina)
071 Faroe Islands
072 Fiji
073 Finland
074 France
075 France (Metropolitan)
076 French Guiana
077 French Polynesia
078 French Southern Territories
079 Gabon
080 Gambia
081 Georgia
082 Germany
083 Ghana
084 Gibraltar
085 Great Britain
086 Greece
087 Greenland
088 Grenada
089 Guadeloupe
090 Guam
091 Guatemala
092 Guernsey
093 Guinea
094 Guinea-Bissau
095 Guyana
096 Haiti
097 Heard and McDonald Islands
098 Holy See (City Vatican State)
099 Honduras
100 Hong Kong
101 Hungary
102 Iceland
103 India
104 Indonesia
105 Ireland
106 Isle of Man
107 Italy
108 Jamaica
109 Japan
110 Jersey
111 Jordan
112 Kazakhstan
113 Kenya
114 Kiribati
115 Korea, Republic of
116 Kuwait
117 Kyrgyzstan
118 Lao People’s Democratic Republic
119 Latvia
120 Lebanon
121 Lesotho
122 Liberia
123 Liechtenstein
124 Lithuania
125 Luxembourg
126 Macau
127 Macedonia, Former Yugoslav Republic
128 Madagascar
129 Malawi
130 Malaysia
131 Maldives
132 Mali
133 Malta
134 Marshall Islands
135 Martinique
136 Mauritania
137 Mauritius
138 Mayotte
139 Mexico
140 Micronesia, Federal State of
141 Moldova, Republic of
142 Monaco
143 Mongolia
144 Montserrat
145 Morocco
146 Mozambique
147 Namibia
148 Nauru
149 Nepal
150 Netherlands
151 Netherlands Antilles
152 New Caledonia
153 New Zealand
154 Nicaragua
155 Niger
156 Nigeria
157 Niue
158 Norfolk Island
159 Northern Mariana Islands
160 Norway
161 Not Determined
162 Oman
163 Pakistan
164 Palau
165 Panama
166 Papua New Guinea
167 Paraguay
168 Peru
169 Philippines
170 Pitcairn Island
171 Poland
172 Portugal
173 Puerto Rico
174 Qatar
175 Reunion Island
176 Romania
177 Russian Federation
178 Rwanda
179 Saint Kitts and Nevis
180 Saint Lucia
181 Saint Vincent and the Grenadines
182 San Marino
183 Sao Tome and Principe
184 Saudi Arabia
185 Senegal
186 Seychelles
187 Sierra Leone
188 Singapore
189 Slovak Republic
190 Slovenia
191 Solomon Islands
192 Somalia
193 South Africa
194 South Georgia and the South Sandwich Islands
185 Spain
196 Sri Lanka
197 St Pierre and Miquelon
198 St. Helena
199 Suriname
200 Svalbard and Jan Mayen Islands
201 Swaziland
202 Sweden
203 Switzerland
204 Taiwan
205 Tajikistan
206 Tanzania
207 Thailand
208 Togo
209 Tokelau
210 Tonga
211 Trinidad and Tobago
212 Tunisia
213 Turkey
214 Turkmenistan
215 Turks and Caicos Islands
216 Tuvalu
217 US Minor Outlying Islands
218 Uganda
219 Ukraine
220 United Arab Emirates
221 United Kingdom
222 United States
223 Uruguay
224 Uzbekistan
225 Vanuatu
226 Venezuela
227 Vietnam
228 Virgin Islands (British)
229 Virgin Islands (USA)
230 Wallis And Futuna Islands
231 Western Sahara
232 Western Samoa
233 Yemen
234 Yugoslavia
235 Zambia
236 Zimbabwe
CHAPTER 6

Interfaces

This chapter shows you how to use interface-related commands.

6.1 Interface Overview

In general, an interface has the following characteristics.
• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
• Many interfaces can share the same physical port.
• An interface is bound to at most one zone.
• Many interfaces can belong to the same zone.
• Layer-3 virtualization (IP alias, for example) is a kind of interface.
Some characteristics do not apply to some types of interfaces.
6.1.1 Types of Interfaces
You can create several types of interfaces in the ZyWALL. The types supported vary by ZyWALL model.
Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level.
Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces.
VLAN interfaces receive and send tagged frames. The ZyWALL automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Unlike port groups, bridge interfaces can take advantage of some security features in the ZyWALL. You can also assign an IP address and subnet mask to the bridge.
PPPoE/PPTP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP interfaces.
Cellular interfaces are for 3G WAN connections via a connected 3G device.
WLAN interfaces are for wireless LAN (IEEE 802.11b/g) connections via an installed wireless LAN card.
Virtual interfaces (IP alias) provide additional routing information in the ZyWALL. There are three types: virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.
The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the DIAL BACKUP port (labeled AUX on some models).
Trunks manage load balancing between interfaces.
Port groups, trunks, and the auxiliary interface have a lot of characteristics that are specific to each type of interface. These characteristics are listed in the following tables and discussed in more detail farther on.
Table 11 Characteristics of Ethernet, VLAN, Bridge, PPPoE/PPTP, and Virtual Interface (ZyWALL USG 300 and Above)
CHARACTERISTICS            ETHERNET  VLAN   BRIDGE  PPPOE/PPTP  VIRTUAL
Name*                      gex       vlanx  brx     pppx        **
IP Address Assignment
  static IP address        Yes       Yes    Yes     Yes         Yes
  DHCP client              Yes       Yes    Yes     Yes         No
  routing metric           Yes       Yes    Yes     Yes         Yes
Interface Parameters
  bandwidth restrictions   Yes       Yes    Yes     Yes         Yes
  packet size (MTU)        Yes       Yes    Yes     Yes         No
  data size (MSS)          Yes       Yes    Yes     Yes         No
  traffic prioritization   Yes       Yes    Yes     Yes         No
DHCP
  DHCP server              Yes       Yes    Yes     No          No
  DHCP relay               Yes       Yes    Yes     No          No
Ping Check                 Yes       Yes    Yes     Yes         No
* - The format of interface names is strict. Each name consists of 2-4 letters (interface type), followed by a number (x, limited by the maximum number of each type of interface). For example, Ethernet interface names are ge1, ge2, ge3, ...; VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on.
** - The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface ge1 are called ge1:1, ge1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon(:) in the web configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.
Table 12 Ethernet, VLAN, Bridge, PPP, and Virtual Interface Characteristics (ZyWALL USG 200 and Below Models)
CHARACTERISTICS            ETHERNET  ETHERNET    ETHERNET             VLAN   BRIDGE  PPP   VIRTUAL
Name*                      opt       wan1, wan2  lan1, ext-wlan, dmz  vlanx  brx     pppx  **
Configurable Zone          Yes       No          No                   Yes    Yes     No    No
IP Address Assignment
  Static IP address        Yes       Yes         Yes                  Yes    Yes     Yes   Yes
  DHCP client              Yes       Yes         No                   Yes    Yes     Yes   No
  Routing metric           Yes       Yes         Yes                  Yes    Yes     Yes   Yes
Interface Parameters
  Bandwidth restrictions   Yes       Yes         Yes                  Yes    Yes     Yes   Yes
  Packet size (MTU)        Yes       Yes         Yes                  Yes    Yes     Yes   No
  Data size (MSS)          Yes       Yes         Yes                  Yes    Yes     Yes   No
DHCP
  DHCP server              Yes       No          Yes                  Yes    Yes     No    No
  DHCP relay               Yes       No          Yes                  Yes    Yes     No    No
Connectivity Check         Yes       Yes         No                   Yes    Yes     Yes   No
* - Each name consists of 2-4 letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For VLAN interfaces, x is defined by the number you enter in the VLAN name field. For example, Ethernet interface names are wan1, wan2, opt, lan1, ext-wlan, dmz; VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on.
** - The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface wan1 are called wan1:1, wan1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon(:) in the web configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.
Table 13 Cellular and WLAN Interface Characteristics
CHARACTERISTICS            CELLULAR   WLAN
Name*                      cellularx  wlan-x-x
Configurable Zone          Yes**      Yes
IP Address Assignment
  Static IP address        Yes        Yes
  DHCP client              Yes        No
  Routing metric           Yes        No
Interface Parameters
  Bandwidth restrictions   Yes        Yes
  Packet size (MTU)        Yes        Yes
  Data size (MSS)          Yes        Yes
DHCP
  DHCP server              No         Yes
  DHCP relay               No         Yes
Connectivity Check         Yes        No
* - Each name consists of letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For WLAN interfaces, the first number identifies the slot and the second number identifies the individual interface.
** - Cellular interfaces can be added to the WAN zone or no zone.
6.1.2 Relationships Between Interfaces
In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports (or port groups). The relationships between interfaces are explained in the following table.
Table 14 Relationships Between Different Types of Interfaces
INTERFACE                                                REQUIRED PORT / INTERFACE
auxiliary interface                                      auxiliary port
port group                                               physical port
Ethernet interface                                       physical port, port group
VLAN interface                                           Ethernet interface
bridge interface                                         Ethernet interface*, WLAN interface*, VLAN interface*
PPPoE/PPTP interface (ZyWALL USG 300 and above)          Ethernet interface*, VLAN interface*, bridge interface
PPPoE/PPTP interface (ZyWALL USG 200 and below models)   WAN1, WAN2, OPT*
virtual interface
  (virtual Ethernet interface)                           Ethernet interface*
  (virtual VLAN interface)                               VLAN interface*
  (virtual bridge interface)                             bridge interface
trunk                                                    Ethernet interface, Cellular interface, VLAN interface, bridge interface, PPPoE/PPTP interface, auxiliary interface
* - You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface, or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPPoE/PPTP interface on top of it.

6.2 Interface General Commands Summary

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 15 Input Values for General Interface Commands
LABEL DESCRIPTION
interface_name
    The name of the interface.
    Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
    ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
    virtual interface on top of Ethernet interface: add a colon (:) and the number of the virtual interface. For example: gex:y, x = 1 - N, y = 1 - 4
    VLAN interface: vlanx, x = 0 - 4094
    virtual interface on top of VLAN interface: vlanx:y, x = 0 - 4094, y = 1 - 4
    bridge interface: brx, x = 0 - N, where N depends on the number of bridge interfaces your ZyWALL model supports.
    virtual interface on top of bridge interface: brx:y, x = the number of the bridge interface, y = 1 - 4
    PPPoE/PPTP interface: pppx, x = 0 - N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
profile_name
    The name of the DHCP pool. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
domain_name
    Fully-qualified domain name. You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
The following sections introduce commands that are supported by several types of interfaces. See Section 6.6 on page 76 for the unique commands for each type of interface.
6.2.1 Basic Interface Properties and IP Address Commands
This table lists basic properties and IP address commands.
Table 16 interface General Commands: Basic Properties and IP Address Assignment
COMMAND DESCRIPTION
show interface {ethernet | vlan | bridge | ppp | auxiliary} status Displays the connection status of the specified type of interfaces.
show interface {interface_name | ethernet | vlan | bridge | ppp | virtual ethernet | virtual vlan | virtual bridge | auxiliary | all} Displays information about the specified interface, specified type of interfaces, or all interfaces. See Section 6.6.1 on page 78 for all possible cellular status description.
show ipv6 interface {interface_name | all} Displays information about the specified IPv6 interface or all IPv6 interfaces.
show ipv6 static address interface Displays the static IPv6 addresses configured on the specified IPv6 interface.
show ipv6 nd ra status config_interface Displays the specified IPv6 interface’s IPv6 router advertisement configuration.
show interface send statistics interval Displays the interval for how often the ZyWALL refreshes the sent packet statistics for the interfaces.
show interface summary all Displays basic information about the interfaces.
show interface summary all status Displays the connection status of the interfaces.
[no] interface interface_name Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface.
[no] description description Specifies the description for the specified interface. The no command clears the description.
description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
[no] downstream <0..1048576> This is reserved for future use. Specifies the downstream bandwidth for the specified interface. The no command sets the downstream bandwidth to 1048576.
exit Leaves the sub-command mode.
[no] ip address dhcp Makes the specified interface a DHCP client; the DHCP server gives the specified interface its IP address, subnet mask, and gateway. The no command makes the IP address static IP address for the specified interface. (See the next command to set this IP address.)
[no] ip address ip subnet_mask Assigns the specified IP address and subnet mask to the specified interface. The no command clears the IP address and the subnet mask.
[no] ip gateway ip Adds the specified gateway using the specified interface. The no command removes the gateway.
ip gateway ip metric <0..15> Sets the priority (relative to every gateway on every interface) for the specified gateway. The lower the number, the higher the priority.
[no] metric <0..15> Sets the tunnel, PPPoE/PPTP, or cellular interface’s priority relative to other interfaces. The lower the number, the higher the priority.
[no] mss <536..1460> Specifies the maximum segment size (MSS) the interface is to use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece. The no command has the interface use its default MSS.
[no] mtu <576..1500> Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The ZyWALL divides larger packets into smaller fragments. The no command resets the MTU to 1500.
[no] shutdown Deactivates the specified interface. The no command activates it.
traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} bandwidth <0..1048576> priority <1..7> [maximize-bandwidth-usage]; Applies traffic priority when the interface sends TCP-ACK traffic, traffic for querying the content filter, traffic for resolving domain names, or encrypted traffic for an IPSec or SSL VPN tunnel. It also sets how much bandwidth the traffic can use and can turn on maximize bandwidth usage.
traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} deactivate Turns off traffic priority settings for when the interface sends the specified type of traffic.
[no] upstream <0..1048576> Specifies the upstream bandwidth for the specified interface. The no command sets the upstream bandwidth to 1048576.
interface interface_name ipv6 Creates the specified IPv6 interface if necessary and enters sub-command mode.
address ipv6_addr_prefix Sets an IPv6 address with prefix for the interface.
gateway ipv6_addr metric <0..15> Sets the specified IPv6 address’s metric.
enable Turns on the IPv6 interface.
nd ra accept Sets the IPv6 interface to accept IPv6 neighbor discovery router advertisement messages.
nd ra advertise Sets the IPv6 interface to send IPv6 neighbor discovery router advertisement messages.
nd ra managed-config-flag Turns on the flag in IPv6 router advertisements that tells hosts to use managed (stateful) protocol for address autoconfiguration in addition to any addresses autoconfigured using stateless address autoconfiguration.
nd ra other-config-flag Turns on the other stateful configuration flag in IPv6 router advertisements that tells hosts to use administered (stateful) protocol to obtain autoconfiguration information other than addresses.
nd ra mtu <1280..1500> | <0> Sets the Maximum Transmission Unit (MTU) size of IPv6 packets sent on the interface.
nd ra hop-limit <0..255> Sets the maximum number of hops for router advertisements and all IPv6 packets originating from the interface.
nd ra router-preference { low | medium | high } Sets the Default Router Preference (DRP) extension metric (low, medium, or high) in the interface’s IPv6 neighbor discovery router advertisement messages.
nd ra prefix-advertisement ipv6_addr_prefix [ auto { on | off } ] [ link{ on | off } ] [ preferred-time { <0..4294967294> | infinity }] [valid-time{ <0..4294967294> | infinity }] Sets the IPv6 prefix that the ZyWALL advertises to its clients, whether or not to advertise it, and how long before the prefix’s preference and lifetime expire.
nd ra min-rtr-interval <3..1350> Sets the minimum IPv6 router advertisement transmission interval.
nd ra max-rtr-interval <4..1800> Sets the maximum IPv6 router advertisement transmission interval.
nd ra reachable-time <0..3600000> Sets the amount of time a remote IPv6 node is considered reachable after a reachability confirmation event.
nd ra default-lifetime <4..9000> Sets the router lifetime value included in all IPv6 router advertisements sent out the interface. The router lifetime value should be equal to or greater than the router advertisement interval.
nd ra retrans-timer <0..4294967295> Sets the IPv6 router advertisement retransmission interval in milliseconds.
ipv6 address dhcp6_profile dhcp6_suffix_128 Has the ZyWALL obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ.
dhcp6_profile: Specify the DHCPv6 request object to use.
dhcp6_suffix_128: Specify the ending part of the IPv6 address, a slash (/), and the prefix length. The ZyWALL appends it to the delegated prefix.
For example, you got a delegated prefix of 2003:1234:5678/48. You want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter ::1111:0:0:0:1/128 for the dhcp6_suffix_128.
nd ra prefix-advertisement dhcp6_profile dhcp6_suffix_64 Configures the network prefix to use a delegated prefix as the beginning part of the network prefix.
dhcp6_profile: Specify the DHCPv6 request object to use for generating the network prefix for the network.
dhcp6_suffix_64: Specify the ending part of the IPv6 network address plus a slash (/) and the prefix length. The ZyWALL appends it to the selected delegated prefix. The combined address is the network prefix for the network.
For example, you got a delegated prefix of 2003:1234:5678/48. You want to divide it into 2003:1234:5678:1111/64 for this interface and 2003:1234:5678:2222/64 for another interface. You can use ::1111/64 and ::2222/64 for the suffix address respectively. But if you do not want to divide the delegated prefix into subnetworks, enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.
dhcp6 { server | client | relay upper { config_interface | ipv6_addr } } Sets the IPv6 interface to be a DHCPv6 server, client or relay. For relay, specify an interface from which to get the DHCPv6 server’s address or the IPv6 address of a DHCPv6 server.
dhcp6 rapid-commit This shortens the DHCPv6 message exchange process from four to two steps to help reduce network traffic.
Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.
dhcp6 address-request Get this interface’s IPv6 address from the DHCPv6 server.
dhcp6 refresh-time { <600..4294967294> | infinity } Sets the number of seconds a DHCPv6 client should wait before refreshing information retrieved from DHCPv6.
dhcp6 duid { duid | mac } Specify the DHCP Unique IDentifier (DUID) of the interface or have it generated from the interface’s default MAC address.
dhcp6-lease-object dhcp6_profile For a DHCPv6 server interface, specify the profile of DHCPv6 lease settings to offer to DHCPv6 clients.
dhcp6-request-object dhcp6_profile For a DHCPv6 client interface, specify the profile of DHCPv6 request settings that determine what additional information to get from the DHCPv6 server.
interface interface_name no ipv6 Enters the sub-command mode for deleting the specified IPv6 address or removing its settings.
enable Turns off the IPv6 interface.
address ipv6_addr_prefix Removes the IPv6 interface’s IPv6 prefix setting.
gateway Removes the IPv6 interface’s gateway setting.
nd ra accept Sets the IPv6 interface to discard IPv6 neighbor discovery router advertisement messages.
nd ra advertise Has the IPv6 interface not send IPv6 neighbor discovery router advertisement messages.
nd ra managed-config-flag Turns off the flag in IPv6 router advertisements that tells hosts to use managed (stateful) protocol for address autoconfiguration in addition to any addresses autoconfigured using stateless address autoconfiguration.
nd ra other-config-flag Turns off the other stateful configuration flag in IPv6 router advertisements that tells hosts to use administered (stateful) protocol to obtain autoconfiguration information other than addresses.
nd ra mtu Removes the Maximum Transmission Unit (MTU) size setting for IPv6 packets the interface sends.
nd ra hop-limit Removes the maximum number of hops setting for router advertisements and all IPv6 packets originating from the interface.
nd ra min-rtr-interval Removes the minimum IPv6 router advertisement transmission interval setting.
nd ra max-rtr-interval Removes the maximum IPv6 router advertisement transmission interval setting.
nd ra reachable-time Sets the amount of time a remote IPv6 node is considered reachable after a reachability confirmation event to the default.
nd ra default-lifetime Sets the router lifetime value included in all IPv6 router advertisements the interface sends to the default. The router lifetime value should be equal to or greater than the router advertisement interval.
nd ra retrans-timer Sets the IPv6 router advertisement retransmission interval to the default.
ipv6 address dhcp6_profile dhcp6_suffix_128 Removes the specified setting for having the ZyWALL obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network.
nd ra prefix-advertisement DHCP6_PROFILE DHCP6_SUFFIX_64 Removes the specified setting for using a delegated prefix as the beginning part of the network prefix.
dhcp6 Sets the interface’s DHCPv6 setting back to the default.
dhcp6 address-request Has the ZyWALL not get this interface’s IPv6 address from the DHCPv6 server.
dhcp6 rapid-commit Has the ZyWALL use the full four-step DHCPv6 message exchange process.
Note: Make sure you also disable this option in the DHCPv6 clients.
dhcp6-lease-object dhcp6_profile Removes the specified profile of DHCPv6 lease settings to offer to DHCPv6 clients.
dhcp6-request-object dhcp6_profile Removes the specified profile of DHCPv6 request settings that determine what additional information to get from the DHCPv6 server.
interface reset {interface_name|virtual_interface_name|all} Resets the interface statistics TxPkts (transmitted packets) and RxPkts (received packets) counts to 0. You can use the show interface summary all status command to see the interface statistics.
interface send statistics interval <15..3600> Sets how often the ZyWALL sends interface statistics to external servers. For example, syslog server and Vantage Report server.
show interface-name Displays all PPP and Ethernet interface system name and user-defined name mappings.
interface-name {ppp_interface | ethernet_interface} user_defined_name Specifies a name for a PPP or an Ethernet interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
ppp_interface | ethernet_interface: This must be the system name of a PPP or an Ethernet interface. Use the show interface-name command to see the system name of interfaces.
user_defined_name:
This name cannot be one of the following: "ethernet", "ppp", "vlan", "bridge", "virtual", "wlan", "cellular", "aux", "tunnel", "status", "summary", "all"
This name cannot begin with one of the following either: "ge", "ppp", "vlan", "wlan-", "br", "cellular", "aux", "tunnel".
interface-rename old_user_defined_name new_user_defined_name Modifies the user-defined name of a PPP or an Ethernet interface.
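The delegated-prefix arithmetic described for dhcp6_suffix_128 and dhcp6_suffix_64 in Table 16, as an added Python example (not ZyXEL code) that also rejects a suffix whose bits would overwrite the delegated prefix. The function names are hypothetical, and reading the dhcp6_suffix_64 value as a number right-aligned to the 64-bit network boundary is an assumption taken from the manual's ::1111/64 example.

```python
import ipaddress


def parse_delegated(prefix: str) -> ipaddress.IPv6Network:
    """Parse a delegated prefix; accepts the manual's shorthand '2003:1234:5678/48'."""
    addr, sep, length = prefix.partition("/")
    if not sep:
        raise ValueError("delegated prefix needs a /length")
    # The manual writes the prefix without the trailing '::'; add it for parsing.
    if "::" not in addr and addr.count(":") < 7:
        addr += "::"
    return ipaddress.IPv6Network(f"{addr}/{length}", strict=True)


def _split_suffix(suffix: str):
    """Return (integer value of the address part, prefix length)."""
    text, sep, length = suffix.partition("/")
    if not sep:
        raise ValueError("suffix needs a /length")
    return int(ipaddress.IPv6Address(text)), int(length)


def combine_address(delegated: str, suffix_128: str) -> str:
    """Interface address: delegated prefix bits OR-ed with the dhcp6_suffix_128 bits."""
    net = parse_delegated(delegated)
    value, length = _split_suffix(suffix_128)
    if not net.prefixlen <= length <= 128:
        raise ValueError("suffix length must lie between the delegated length and 128")
    # Any suffix bit inside the delegated part would silently change the prefix.
    if value >> (128 - net.prefixlen):
        raise ValueError("suffix sets bits inside the delegated prefix")
    combined = int(net.network_address) | value
    return f"{ipaddress.IPv6Address(combined)}/{length}"


def combine_network(delegated: str, suffix_64: str) -> str:
    """Advertised network: delegated prefix plus the subnet number in dhcp6_suffix_64.

    Assumption: the suffix is a subnet number right-aligned to the /64 boundary,
    so '::1111/64' under a /48 selects subnet 0x1111, as in the manual's example.
    """
    net = parse_delegated(delegated)
    number, length = _split_suffix(suffix_64)
    if not net.prefixlen <= length <= 64:
        raise ValueError("suffix length must lie between the delegated length and 64")
    if number >> (64 - net.prefixlen):
        raise ValueError("subnet number does not fit behind the delegated prefix")
    combined = int(net.network_address) | (number << 64)
    # strict=True rejects a subnet number with bits below the stated length.
    return str(ipaddress.IPv6Network((combined, length), strict=True))


if __name__ == "__main__":
    delegated = "2003:1234:5678/48"  # the manual's example prefix
    print(combine_address(delegated, "::1111:0:0:0:1/128"))
    print(combine_network(delegated, "::1111/64"))
    print(combine_network(delegated, "::2222/64"))
    print(combine_network(delegated, "::0/48"))
```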
6.2.1.1 Basic Interface Properties Command Examples
The following commands make Ethernet interface ge1 a DHCP client.
Router# configure terminal
Router(config)# interface ge1
Router(config-if)# ip address dhcp
Router(config-if)# exit
This example shows how to modify the name of interface ge4 to “VIP”. First you have to check the interface system name (ge4 in this example) on the ZyWALL. Then change the name and display the result.
Router> show interface-name
No.  System Name  User Defined Name
===========================================================================
1    ge1          ge1
2    ge2          ge2
3    ge3          ge3
4    ge4          ge4
5    ge5          ge5
Router> configure terminal
Router(config)# interface-name ge4 VIP
Router(config)# show interface-name
No.  System Name  User Defined Name
===========================================================================
1    ge1          ge1
2    ge2          ge2
3    ge3          ge3
4    ge4          VIP
5    ge5          ge5
Router(config)#
This example shows how to change the user defined name from VIP to Partner. Note that you have to use the “interface-rename” command if you do not know the system name of the interface. To use the “interface-name” command, you have to find out the corresponding system name first (ge4 in this example). This example also shows how to change the user defined name from Partner to Customer using the “interface-name” command.
Router(config)# interface-rename VIP Partner
Router(config)# show interface-name
No.  System Name  User Defined Name
===========================================================================
1    ge1          ge1
2    ge2          ge2
3    ge3          ge3
4    ge4          Partner
5    ge5          ge5
Router(config)#
Router(config)# interface-name ge4 Customer
Router(config)# show interface-name
No.  System Name  User Defined Name
===========================================================================
1    ge1          ge1
2    ge2          ge2
3    ge3          ge3
4    ge4          Customer
5    ge5          ge5
This example shows how to restart an interface. You can check all interface names on the ZyWALL. Then use either the system name or user-defined name of an interface (ge4 or Customer in this example) to restart it.
Router> show interface-name
No.  System Name  User Defined Name
===========================================================================
1    ge1          ge1
2    ge2          ge2
3    ge3          ge3
4    ge4          Customer
5    ge5          ge5
Router> configure terminal
Router(config)# interface reset ge4
Router(config)# interface reset Customer
Router(config)#
6.2.2 DHCP Setting Commands
This table lists DHCP setting commands. DHCP is based on DHCP pools. Create a DHCP pool if you want to assign a static IP address to a MAC address or if you want to specify the starting IP address and pool size of a range of IP addresses that can be assigned to DHCP clients. There are different commands for each configuration. Afterwards, in either case, you have to bind the DHCP pool to the interface.
Table 17 interface Commands: DHCP Settings
COMMAND DESCRIPTION
show ip dhcp dhcp-options Shows the DHCP extended option settings.
show ip dhcp pool [profile_name] Shows information about the specified DHCP pool or about all DHCP pools.
show ip dhcp pool profile_name dhcp-options Shows the specified DHCP pool’s DHCP extended option settings.
ip dhcp pool rename profile_name profile_name Renames the specified DHCP pool from the first profile_name to the second profile_name.
[no] ip dhcp pool profile_name Creates a DHCP pool if necessary and enters sub-command mode. You can use the DHCP pool to create a static entry or to set up a range of IP addresses to assign dynamically.
About the sub-command settings:
• If you use the host command, the ZyWALL treats this DHCP pool as a static DHCP entry.
• If you do not use the host command and use the network command, the ZyWALL treats this DHCP pool as a pool of IP addresses.
• If you do not use the host command or the network command, the DHCP pool is not properly configured and cannot be bound to any interface.
The no command removes the specified DHCP pool.
show Shows information about the specified DHCP pool.
Use the following commands to create a static DHCP entry. If you do not use the host command, the commands that are not in this section have no effect, but you can still set them.
[no] host ip Specifies the static IP address the ZyWALL should assign. Use this command, along with hardware-address, to create a static DHCP entry.
Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool.
When this command is used, the ZyWALL treats this DHCP pool like a static entry, regardless of the network setting. The no command clears this field.
[no] hardware-address mac_address Reserves the DHCP pool for the specified MAC address. Use this command, along with host, to create a static DHCP entry. The no command clears this field.
[no] client-identifier mac_address Specifies the MAC address that appears in the DHCP client list. The no command clears this field.
[no] client-name host_name Specifies the host name that appears in the DHCP client list. The no command clears this field.
host_name: You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Use the following commands to create a pool of IP addresses. These commands have no effect if you use the host command. You can still set them, however.
dhcp-option <1..254> option_name {boolean <0..1>| uint8 <0..255> | uint16 <0..65535> | uint32 <0..4294967295> | ip ipv4 [ ipv4 [ ipv4]] | fqdn fqdn [ fqdn [ fqdn]] | text text | hex hex | vivc enterprise_id hex_s [enterprise_id hex_s ] | vivs enterprise_id hex_s [enterprise_id hex_s ] Adds or edits a DHCP extended option for the specified DHCP pool.
text: String of up to 250 characters
hex: String of up to 250 hexadecimal pairs.
vivc: Vendor-Identifying Vendor Class option. A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs.
enterprise_id: Number <0..4294967295>.
hex_s: String of up to 120 hexadecimal pairs.
vivs: Vendor-Identifying Vendor-Specific option. DHCP clients and servers may use this option to exchange vendor-specific information.
no dhcp-option <1..254> Removes the DHCP extended option for the specified DHCP pool.
network IP/<1..32>
network ip mask
no network Specifies the IP address and subnet mask of the specified DHCP pool. The subnet mask can be written in w.x.y.z format or in /<1..32> format.
Note: The DHCP pool must have the same subnet as the interface to which you plan to bind it.
The no command clears these fields.
[no] default-router ip Specifies the default gateway DHCP clients should use. The no command clears this field.
[no] description description Specifies a description for the DHCP pool for identification. The no command removes the description.
[no] domain-name domain_name Specifies the domain name assigned to DHCP clients. The no command clears this field.
[no] starting-address ip pool-size <1..65535> Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask.
Note: You must specify the network number first, and the start address must be in the same subnet.
The no command clears the IP start address and maximum pool size.
[no] first-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | ZyWALL} Sets the first DNS server to the specified IP address, the specified interface’s first, second, or third DNS server, or the ZyWALL itself. The no command resets the setting to its default value.
[no] second-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | ZyWALL} Sets the second DNS server to the specified IP address, the specified interface’s first, second, or third DNS server, or the ZyWALL itself. The no command resets the setting to its default value.
[no] third-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | ZyWALL} Sets the third DNS server to the specified IP address, the specified interface’s first, second, or third DNS server, or the ZyWALL itself. The no command resets the setting to its default value.
[no] first-wins-server ip Specifies the first WINS server IP address to assign to the remote users. The no command removes the setting.
[no] second-wins-server ip Specifies the second WINS server IP address to assign to the remote users. The no command removes the setting.
[no] lease {<0..365> [<0..23> [<0..59>]] | infinite} Sets the lease time to the specified number of days, hours, and minutes or makes the lease time infinite. The no command resets the first DNS server setting to its default value.
interface interface_name Enters sub-command mode.
[no] ip dhcp-pool profile_name Binds the specified interface to the specified DHCP pool. You have to remove any DHCP relays first. The no command removes the binding.
[no] ip helper-address ip Creates the specified DHCP relay. You have to remove the DHCP pool first, if the DHCP pool is bound to the specified interface. The no command removes the specified DHCP relay.
release dhcp interface-name Releases the TCP/IP configuration of the specified interface. The interface must be a DHCP client. This command is available in privilege mode, not configuration mode.
renew dhcp interface-name Renews the TCP/IP configuration of the specified interface. The interface must be a DHCP client. This command is available in privilege mode, not configuration mode.
show ip dhcp binding [ip] Displays information about DHCP bindings for the specified IP address or for all IP addresses.
clear ip dhcp binding {ip | *} Removes the DHCP bindings for the specified IP address or for all IP addresses.
6.2.2.1 DHCP Setting Command Examples
The following example uses these commands to configure DHCP pool DHCP_TEST.
Router# configure terminal
Router(config)# ip dhcp pool DHCP_TEST
Router(config-ip-dhcp-pool)# network 192.168.1.0 /24
Router(config-ip-dhcp-pool)# domain-name zyxel.com
Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1
Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns
Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.2
Router(config-ip-dhcp-pool)# default-router 192.168.1.1
Router(config-ip-dhcp-pool)# lease 0 1 30
Router(config-ip-dhcp-pool)# starting-address 192.168.1.10 pool-size 30
Router(config-ip-dhcp-pool)# hardware-address 00:0F:20:74:B8:18
Router(config-ip-dhcp-pool)# client-identifier 00:0F:20:74:B8:18
Router(config-ip-dhcp-pool)# client-name TWtester1
Router(config-ip-dhcp-pool)# exit
Router(config)# interface ge1
Router(config-if)# ip dhcp-pool DHCP_TEST
Router(config-if)# exit
Router(config)# show ip dhcp server status
binding interface : ge1
binding pool : DHCP_TEST
6.2.2.2 DHCP Extended Option Setting Command Example
The following example configures the DHCP_TEST pool with a SIP server (code 120) extended DHCP option with one IP address to provide to the SIP clients.
Router# configure terminal
Router(config)# ip dhcp pool DHCP_TEST
Router(config-ip-dhcp-pool)# dhcp-option 120 sip ip 192.168.1.20
Router(config-ip-dhcp-pool)# exit
6.2.3 Interface Parameter Command Examples
This table shows an example of each interface type’s sub-commands. The sub-commands vary for different interface types.
Table 18 Examples for Different Interface Parameters
ETHERNET
Router(config)# interface wan1
Router(config-if-wan1)#
description downstream exit ip ipv6 mac mss mtu no ping-check shutdown traffic-prioritize type upstream use-defined-mac

VIRTUAL INTERFACE
Router(config)# interface wan1:1
Router(config-if-vir)#
description downstream exit ip no shutdown upstream

PPPOE/PPTP
Router(config)# interface wan1_ppp
Router(config-if-ppp)#
account bind connectivity description downstream exit ipv6 local-address metric mss mtu no ping-check remote-address shutdown traffic-prioritize upstream

CELLULAR
Router(config)# interface cellular1
Router(config-if-cellular)#
account band budget connectivity description device downstream encrypted-pin exit local-address metric mtu network-selection no pin ping-check remote-address shutdown traffic-prioritize upstream

WLAN
Router(config)# interface wlan-1-1
Router(config-if-wlan)#
block-intra description downstream encrypted-wep-key exit group-key hide idle ip mtu no ping-check reauth security shutdown ssid station-limit traffic-prioritize upstream wep-key

VLAN
Router(config)# interface vlan1
Router(config-if-vlan)#
description downstream exit ip ipv6 mss mtu no ping-check port shutdown traffic-prioritize type upstream vlan-id

BRIDGE
Router(config)# interface br0
Router(config-if-brg)#
description downstream exit ip ipv6 join mss mtu no ping-check shutdown traffic-prioritize type upstream

AUXILIARY
Router(config)# interface aux
Router(config-if-aux)#
authentication description dial-timeout dialing-type encrypted-password exit idle initial-string no password phone-number port-speed shutdown traffic-prioritize username

TUNNEL
downstream exit ip ipv6 metric mtu no ping-check shutdown traffic-prioritize tunnel upstream

6.2.4 RIP Commands
This table lists the commands for RIP settings.
Table 19 interface Commands: RIP Settings
COMMAND DESCRIPTION
router rip Enters sub-command mode.
[no] network interface_name Enables RIP for the specified interface. The no command disables RIP for the specified interface.
[no] passive-interface interface_name Sets the RIP direction of the specified interface to in-only. The no command makes RIP bi-directional in the specified interface.
[no] outonly-interface interface_name Sets the RIP direction of the specified interface to out-only. The no command makes RIP bi-directional in the specified interface.
interface interface_name Enters sub-command mode.
[no] ip rip {send | receive} version <1..2> Sets the send or receive version to the specified version number. The no command sets the send or received version to the current global setting for RIP. See Chapter 9 on page 107 for more information about routing protocols.
[no] ip rip v2-broadcast Enables RIP-2 packets using subnet broadcasting. The no command uses multi-casting.
show rip {global | interface {all | interface_name}} Displays RIP settings.
6.2.5 OSPF Commands
This table lists the commands for OSPF settings.
Table 20 interface Commands: OSPF Settings
COMMAND DESCRIPTION
router ospf Enters sub-command mode.
[no] network interface_name area ip Makes the specified interface part of the specified area. The no command removes the specified interface from the specified area, disabling OSPF in this interface.
[no] passive-interface interface_name Sets the OSPF direction of the specified interface to in-only. The no command makes OSPF bi-directional in the specified interface.
interface interface_name Enters sub-command mode.
[no] ip ospf priority <0..255> Sets the priority of the specified interface to the specified value. The no command sets the priority to 1.
[no] ip ospf cost <1..65535> Sets the cost to route packets through the specified interface. The no command sets the cost to 10.
no ip ospf authentication Disables authentication for OSPF in the specified interface.
ip ospf authentication Enables text authentication for OSPF in the specified interface.
ip ospf authentication message-digest Enables MD5 authentication for OSPF in the specified interface.
ip ospf authentication same-as-area To exchange OSPF routing information with peer border routers, you must use the same authentication method that they use. This command makes OSPF authentication in the specified interface follow the settings in the corresponding area.
[no] ip ospf authentication-key password Sets the simple text password for OSPF text authentication in the specified interface. The no command clears the text password.
password: 1-8 alphanumeric characters or underscores
ip ospf message-digest-key <1..255> md5 password Sets the ID and password for OSPF MD5 authentication in the specified interface.
password: 1-16 alphanumeric characters or underscores
no ip ospf message-digest-key Clears the ID and password for OSPF MD5 authentication in the specified interface.
[no] ip ospf hello-interval <1..65535> Sets the number of seconds between “hello” messages to peer routers. These messages let peer routers know the ZyWALL is available. The no command sets the number of seconds to 10. See ip ospf dead-interval for more information.
[no] ip ospf dead-interval <1..65535> Sets the number of seconds the ZyWALL waits for “hello” messages from peer routers before it assumes the peer router is not available and deletes associated routing information. The no command sets the number of seconds to 40. See ip ospf hello-interval for more information.
[no] ip ospf retransmit-interval <1..65535> Sets the number of seconds the ZyWALL waits for an acknowledgment in response to a link state advertisement before it re-sends the advertisement.
Link state advertisements (LSA) are used to share the link state and routing information between routers.
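The OSPF authentication commands in Table 20, checked by an added Python example (not ZyXEL code): it reads a constructed command sequence and reports, for each interface that a network statement places in an OSPF area, whether authentication is unset, disabled, simple text (OSPF carries that password unencrypted in each packet), MD5, or deferred to the area. The function name, the status labels and the sample interface names, areas and keys are assumptions, and the input is a typed command sequence rather than the device's saved-configuration format.

```python
# Constructed sample input. The commands are the ones listed in Table 20;
# interface names, area IDs and keys are made up for the example.
SAMPLE_COMMANDS = """\
router ospf
 network ge1 area 0.0.0.0
 network ge2 area 0.0.0.0
 network ge3 area 0.0.0.1
 network ge4 area 0.0.0.1
 network vlan10 area 0.0.0.1
exit
interface ge1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLEKEY
exit
interface ge2
 ip ospf authentication
 ip ospf authentication-key EXAMPLE
exit
interface ge3
 ip ospf authentication message-digest
exit
interface vlan10
 no ip ospf authentication
exit
"""


def audit_ospf_auth(commands: str) -> dict:
    """Map each OSPF-enabled interface to an authentication status label."""
    ospf_ifaces = {}   # interface name -> area
    auth = {}          # interface name -> settings seen in its sub-command mode
    in_router = False  # inside "router ospf"
    iface = None       # inside "interface <name>"

    for raw in commands.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok == ["router", "ospf"]:
            in_router, iface = True, None
            continue
        if len(tok) == 2 and tok[0] == "interface":
            in_router, iface = False, tok[1]
            auth.setdefault(iface, {"mode": None, "text_key": False, "md5_key": False})
            continue
        if tok == ["exit"]:
            in_router, iface = False, None
            continue

        negate = tok[0] == "no"
        body = tok[1:] if negate else tok
        if in_router:
            # [no] network interface_name area ip
            if len(body) == 4 and body[0] == "network" and body[2] == "area":
                if negate:
                    ospf_ifaces.pop(body[1], None)
                else:
                    ospf_ifaces[body[1]] = body[3]
        elif iface is not None and body[:2] == ["ip", "ospf"] and len(body) >= 3:
            state, arg = auth[iface], body[2:]
            if arg[0] == "authentication":
                if negate:
                    state["mode"] = "disabled"
                elif len(arg) == 1:
                    state["mode"] = "text"
                elif arg[1] in ("message-digest", "same-as-area"):
                    state["mode"] = arg[1]
            elif arg[0] == "authentication-key":
                state["text_key"] = not negate
            elif arg[0] == "message-digest-key":
                state["md5_key"] = not negate

    report = {}
    for name in sorted(ospf_ifaces):
        s = auth.get(name, {"mode": None, "text_key": False, "md5_key": False})
        if s["mode"] is None:
            report[name] = "unset"             # no authentication command seen; review
        elif s["mode"] == "disabled":
            report[name] = "disabled"
        elif s["mode"] == "text":
            report[name] = "cleartext" if s["text_key"] else "text-missing-key"
        elif s["mode"] == "message-digest":
            report[name] = "ok" if s["md5_key"] else "md5-missing-key"
        else:
            report[name] = "same-as-area"      # check the area's own setting
    return report


if __name__ == "__main__":
    for name, status in audit_ospf_auth(SAMPLE_COMMANDS).items():
        print(f"{name:8} {status}")
```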
6.2.6 Connectivity Check (Ping-check) Commands
Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the ZyWALL stops routing to the gateway. The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check.
This table lists the ping-check commands.
Table 21 interface Commands: Ping Check
COMMAND DESCRIPTION
show ping-check [interface_name | status] Displays information about ping check settings for the specified interface or for all interfaces.
status: displays the current connectivity check status for any interfaces upon which it is activated.
[no] connectivity-check continuous-log activate Use this command to have the ZyWALL log connectivity check results continuously. The no command disables the setting.
show connectivity-check continuous-log status Displays the continuous log setting about connectivity check.
interface interface_name Enters sub-command mode.
[no] ping-check activate Enables ping check for the specified interface. The no command disables ping check for the specified interface.
ping-check {domain_name | ip | default-gateway} Specifies what the ZyWALL pings for the ping check; you can specify a fully-qualified domain name, IP address, or the default gateway for the interface.
ping-check {domain_name | ip | default-gateway} period <5..30> Specifies what the ZyWALL pings for the ping check and sets the number of seconds between each ping check.
ping-check {domain_name | ip | default-gateway} timeout <1..10> Specifies what the ZyWALL pings for the ping check and sets the number of seconds the ZyWALL waits for a response.
ping-check {domain_name | ip | default-gateway} fail-tolerance <1..10> Specifies what the ZyWALL pings for the ping check and sets the number of times the ZyWALL times out before it stops routing through the specified interface.
ping-check {domain_name | ip | default-gateway} method {icmp | tcp} Sets how the ZyWALL checks the connection to the gateway.
icmp: ping the gateway you specify to make sure it is still available.
tcp: perform a TCP handshake with the gateway you specify to make sure it is still available.
ping-check {domain_name | ip | default-gateway} port <1..65535> Specifies the port number to use for a TCP connectivity check.
6.2.6.1 Connectivity Check Command Example
The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2.
Router# configure terminal
Router(config)# interface wan1
Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080
Router(config-if-wan1)# exit
Router(config)# show ping-check
Interface: wan1
Check Method: tcp
IP Address: 1.1.1.2
Period: 30
Timeout: 5
Fail Tolerance: 5
Activate: yes
Port: 8080
Router(config)#
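The rule this section describes (stop routing after fail-tolerance consecutive failed checks, resume on the first check that passes), modelled as an added Python example that is not ZyXEL code. The class and function names are hypothetical, the 30/5/5 values are the Period, Timeout and Fail Tolerance shown in the show ping-check output above, and the timing model (one check per period, a failure counted when its timeout expires) is an assumption.

```python
"""Model of the ping-check rule described in section 6.2.6.

Added illustration, not ZyXEL firmware code; class and function names are
hypothetical. Timing assumption: one check starts every `period` seconds and
a check with no reply is counted as failed `timeout` seconds after it starts.
"""
from dataclasses import dataclass, field

# Value ranges taken from the ping-check command table.
CLI_RANGES = {"period": (5, 30), "timeout": (1, 10), "fail_tolerance": (1, 10)}


@dataclass
class PingCheck:
    period: int = 30          # seconds between checks
    timeout: int = 5          # seconds to wait for a response
    fail_tolerance: int = 5   # consecutive failures before routing stops
    routing: bool = True      # is traffic currently routed to the gateway?
    failures: int = 0         # length of the current run of failures
    events: list = field(default_factory=list)   # (seconds, "stop" | "resume")

    def __post_init__(self):
        for name, (low, high) in CLI_RANGES.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{name}={value} is outside {low}..{high}")

    def record(self, started_at, reply_received):
        """Apply the result of the check that started at `started_at` seconds."""
        if reply_received:
            self.failures = 0
            if not self.routing:
                # The first passed check is enough to resume routing.
                self.routing = True
                self.events.append((started_at, "resume"))
        else:
            self.failures += 1
            if self.routing and self.failures >= self.fail_tolerance:
                # The decision falls when the last timeout expires.
                self.routing = False
                self.events.append((started_at + self.timeout, "stop"))
        return self.routing


def simulate(check, results):
    """Feed one result per period (True = reply received); return the events."""
    for index, reply_received in enumerate(results):
        check.record(index * check.period, reply_received)
    return check.events


def detection_delay(check):
    """Seconds between the last passed check and the stop decision when every
    later check fails: the window in which traffic still goes to a dead gateway."""
    return check.fail_tolerance * check.period + check.timeout


if __name__ == "__main__":
    # Constructed sample: two isolated failures, then an outage of six checks.
    sample = [True, False, False, True] + [False] * 6 + [True]
    wan1 = PingCheck(period=30, timeout=5, fail_tolerance=5)
    print(simulate(wan1, sample))
    print(detection_delay(wan1), "seconds until routing stops")
```

Under this timing assumption, the 30/5/5 values leave traffic going to an unreachable gateway for up to 155 seconds before routing stops; two isolated failures never trigger a stop because a passed check resets the count.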

6.3 Ethernet Interface Specific Commands

This section covers commands that are specific to Ethernet interfaces.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 22 Input Values for Ethernet Interface Commands
LABEL DESCRIPTION
interface_name The name of the Ethernet interface. This depends on the ZyWALL model.
For the ZyWALL USG 300 and above, use gex, x = 1~N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
The ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
6.3.1 MAC Address Setting Commands
This table lists the commands you can use to set the MAC address of an interface. On the ZyWALL USG 200 and below models, these commands only apply to a WAN or OPT interface.
Table 23 interface Commands: MAC Setting
COMMAND DESCRIPTION
interface interface_name Enters sub-command mode.
no mac Has the interface use its default MAC address.
mac mac Specifies the MAC address the interface is to use.
type {internal | external | general} Sets which type of network you will connect this interface. The ZyWALL automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces; for example LAN to WAN traffic.
internal: Set this to connect to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The ZyWALL automatically adds default SNAT settings for traffic flowing from this interface to an external interface.
external: Set this to connect to an external network (like the Internet). The ZyWALL automatically adds this interface to the default WAN trunk.
general: Set this if you want to manually configure a policy route to add routing and SNAT settings for the interface.
no use-defined-mac Has the interface use its default MAC address.
use-defined-mac Has the interface use a MAC address that you specify.
6.3.2 Port Grouping Commands
This section covers commands that are specific to port grouping.
Note: In CLI, representative interfaces are also called representative ports.
Table 24 Basic Interface Setting Commands
COMMAND DESCRIPTION
show port-grouping Displays which physical ports are assigned to each representative interface.
port-grouping representative_interface port <1..x> Adds the specified physical port to the specified representative interface.
representative_interface: gex in a ZyWALL USG 300 or above. A dmz, ext-wlan, or lan1 interface in a ZyWALL USG 100 or 200.
<1..x> where x equals the highest numbered port for your ZyWALL model.
no port <1..x> Removes the specified physical port from its current representative interface and adds it to its default representative interface (for example, port x --> gex).
port status Port<1..x> Enters a sub-command mode to configure the specified port’s settings.
[no] duplex <full | half> Sets the port’s duplex mode. The no command returns the default setting.
exit Leaves the sub-command mode.
[no] negotiation auto Sets the port to use auto-negotiation to determine the port speed and duplex. The no command turns off auto-negotiation.
[no] speed <100,10> Sets the Ethernet port’s connection speed in Mbps. The no command returns the default setting.
show port setting Displays the Ethernet port negotiation, duplex, and speed settings.
show port status Displays statistics for the Ethernet ports.
6.3.2.1 Port Grouping Command Examples
The following commands add physical port 5 to representative interface ge1.
Router# configure terminal
Router(config)# show port-grouping
No. Representative Name Port1 Port2 Port3 Port4 Port5
=========================================================
1   ge1                 yes   no    no    no    no
2   ge2                 no    yes   no    no    no
3   ge3                 no    no    yes   no    no
4   ge4                 no    no    no    yes   no
5   ge5                 no    no    no    no    yes
Router(config)# port-grouping ge1
Router(config-port-grouping)# port 5
Router(config-port-grouping)# exit
Router(config)# show port-grouping
No. Representative Name Port1 Port2 Port3 Port4 Port5
=========================================================
1   ge1                 yes   no    no    no    yes
2   ge2                 no    yes   no    no    no
3   ge3                 no    no    yes   no    no
4   ge4                 no    no    no    yes   no
5   ge5                 no    no    no    no    no
The following commands set port 1 to use auto-negotiation and port 2 to use a 10 Mbps connection speed and half duplex.
Router(config)# port status Port1
Router(config-port-status)# negotiation auto
Router(config-port-status)# exit
Router(config)# port status Port2
Router(config-port-status)# duplex half
Router(config-port-status)# speed 10
Router(config-port-status)# exit
Router(config)# exit

6.4 Virtual Interface Specific Commands

Virtual interfaces use many of the general interface commands discussed at the beginning of
Section 6.2 on page 57. There are no additional commands for virtual interfaces.
6.4.1 Virtual Interface Command Examples
The following commands set up a virtual interface on top of Ethernet interface ge1. The virtual interface is named ge1:1 with the following parameters: IP 1.2.3.4, subnet 255.255.255.0, gateway 4.6.7.8, upstream bandwidth 345, downstream bandwidth 123, and description “I am vir interface”.
Router# configure terminal
Router(config)# interface ge1:1
Router(config-if-vir)# ip address 1.2.3.4 255.255.255.0
Router(config-if-vir)# ip gateway 4.6.7.8
Router(config-if-vir)# upstream 345
Router(config-if-vir)# downstream 123
Router(config-if-vir)# description I am vir interface
Router(config-if-vir)# exit

6.5 PPPoE/PPTP Specific Commands

This section covers commands that are specific to PPPoE/PPTP interfaces. PPPoE/PPTP interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on
page 57.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 25 Input Values for PPPoE/PPTP Interface Commands
LABEL DESCRIPTION
interface_name PPPoE/PPTP interface: pppx, x = 0 - N, where N depends on the number of PPPoE/PPTP
interfaces your ZyWALL model supports.
profile_name The name of the ISP account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
This table lists the PPPoE/PPTP interface commands.
Table 26 interface Commands: PPPoE/PPTP Interfaces
COMMAND DESCRIPTION
interface dial interface_name Connects the specified PPPoE/PPTP interface.
interface disconnect interface_name Disconnects the specified PPPoE/PPTP interface.
interface interface_name Creates the specified interface if necessary and enters sub-command mode.
[no] account profile_name Specifies the ISP account for the specified PPPoE/PPTP interface. The no command clears the ISP account field.
[no] bind interface_name Specifies the base interface for the PPPoE/PPTP interface. The no command removes the base interface.
[no] connectivity {nail-up | dial-on-demand} Specifies whether the specified PPPoE/PPTP interface is always connected (nail-up) or connected only when used (dial-on-demand). The no command sets it to dial-on-demand.
[no] local-address ip Specifies a static IP address for the specified PPPoE/PPTP interface. The no command makes the PPPoE/PPTP interface a DHCP client; the other computer assigns the IP address.
[no] remote-address ip Specifies the IP address of the PPPoE/PPTP server. If the PPPoE/PPTP server is not available at this IP address, no connection is made. The no command lets the ZyWALL get the IP address of the PPPoE/PPTP server automatically when it establishes the connection.
[no] mss <536..1452> Specifies the maximum segment size (MSS) the interface can use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece. The no command has the ZyWALL use its default MSS setting.
mtu <576..1492> Sets the Maximum Transmission Unit in bytes.
[no] ipv6 enable Turns on the IPv6 interface. The no command turns it off.
[no] ipv6 nd ra accept Sets the IPv6 interface to accept IPv6 neighbor discovery router advertisement messages. The no command sets the IPv6 interface to discard IPv6 neighbor discovery router advertisement messages.
[no] ipv6 metric <0..15> Sets the interface’s metric for IPv6 traffic. The no command clears it.
[no] ipv6 address dhcp6_profile dhcp6_suffix_128 Has the ZyWALL obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ. The no command removes the specified setting for using a delegated prefix as the beginning part of the network prefix.
dhcp6_profile: Specify the DHCPv6 request object to use.
dhcp6_suffix_128: Specify the ending part of the IPv6 address, a slash (/), and the prefix length. The ZyWALL appends it to the delegated prefix.
For example, you got a delegated prefix of 2003:1234:5678/48. You want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter ::1111:0:0:0:1/128 for the dhcp6_suffix_128.
ipv6 dhcp6 [client] Sets the IPv6 interface to be a DHCPv6 client.
[no] ipv6 dhcp6 rapid-commit Shortens the DHCPv6 message exchange process from four to two steps to help reduce network traffic. The no command sets the full four-step DHCPv6 message exchange process.
[no] ipv6 dhcp6 address-request Get this interface’s IPv6 address from the DHCPv6 server. The no command has the ZyWALL not get this interface’s IPv6 address from the DHCPv6 server.
ipv6 dhcp6 duid { duid | mac } Specify the DHCP Unique IDentifier (DUID) of the interface or have it generated from the interface’s default MAC address.
[no] ipv6 dhcp6-request-object dhcp6_profile For a DHCPv6 client interface, specify the profile of DHCPv6 request settings that determine what additional information to get from the DHCPv6 server. The no command removes the DHCPv6 request settings profile.
show interface ppp system-default Displays system default PPP interfaces (non-deletable) that come with the ZyWALL.
show interface ppp user-define Displays all PPP interfaces that were manually configured on the ZyWALL.
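The dhcp6_suffix_128 rule in the table above, worked through as an added Python example that is not ZyXEL code: the suffix fills only the bits the delegated prefix leaves free, so the interface address follows the prefix when the ISP delegates a different one. The function names are hypothetical, and the 2001:db8:abcd::/48 prefix in the sample is a constructed documentation value.

```python
"""Combine a delegated IPv6 prefix with a dhcp6_suffix_128 value.

Added illustration, not ZyXEL code; the function names are hypothetical.
"""
import ipaddress


def parse_delegated_prefix(text):
    """Parse a delegated prefix, accepting the manual's short form
    (2003:1234:5678/48) as well as standard notation (2003:1234:5678::/48)."""
    address, _, length = text.partition("/")
    if not length:
        raise ValueError("delegated prefix needs a /length")
    if "::" not in address and address.count(":") < 7:
        address += "::"            # pad the missing low-order groups with zeros
    # strict=True rejects a prefix that has bits set beyond its length.
    return ipaddress.IPv6Network(f"{address}/{length}", strict=True)


def apply_suffix(delegated, suffix):
    """Return the interface address built from the delegated prefix and suffix."""
    network = parse_delegated_prefix(delegated)
    tail = ipaddress.IPv6Interface(suffix)
    if tail.network.prefixlen < network.prefixlen:
        raise ValueError("suffix prefix length is shorter than the delegated prefix")
    if int(tail.ip) & int(network.netmask):
        # The suffix may only fill bits that the delegated prefix leaves free.
        raise ValueError("suffix overlaps the delegated prefix bits")
    address = ipaddress.IPv6Address(int(network.network_address) | int(tail.ip))
    return ipaddress.IPv6Interface(f"{address}/{tail.network.prefixlen}")


if __name__ == "__main__":
    suffix = "::1111:0:0:0:1/128"                  # value from the manual's example
    # The manual's own example prefix.
    print(apply_suffix("2003:1234:5678/48", suffix))
    # Constructed sample: the same suffix after a different prefix is delegated.
    print(apply_suffix("2001:db8:abcd::/48", suffix))
    # A suffix that reaches into the first 48 bits is rejected.
    try:
        apply_suffix("2003:1234:5678/48", "0:0:1:1111::1/128")
    except ValueError as error:
        print("rejected:", error)
```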
6.5.1 PPPoE/PPTP Interface Command Examples
The following commands show you how to configure PPPoE/PPTP interface ppp0 with the following characteristics: base interface ge1, ISP account Hinet, local address 1.1.1.1, remote address 2.2.2.2, MTU 1200, upstream bandwidth 345, downstream bandwidth 123, description “I am ppp0”, and dialed only when used.
Router# configure terminal
Router(config)# interface ppp0
Router(config-if-ppp)# account Hinet
Router(config-if-ppp)# bind ge1
Router(config-if-ppp)# local-address 1.1.1.1
Router(config-if-ppp)# remote-address 2.2.2.2
Router(config-if-ppp)# mtu 1200
Router(config-if-ppp)# upstream 345
Router(config-if-ppp)# downstream 123
Router(config-if-ppp)# connectivity dial-on-demand
Router(config-if-ppp)# description I am ppp0
Router(config-if-ppp)# exit
The following commands show you how to connect and disconnect ppp0.
Router# interface dial ppp0
Router# interface disconnect ppp0

6.6 Cellular Interface Specific Commands

Use a 3G (Third Generation) cellular device with the ZyWALL for wireless broadband Internet access.
Use these commands to add, edit, dial, disconnect, or delete cellular interfaces. When you add a new cellular interface, make sure you enter the account. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 27 Cellular Interface Commands
COMMAND DESCRIPTION
[no] interface interface_name Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface.
[no] account profile_name Specifies the ISP account for the specified cellular interface. The no command clears the ISP account field.
[no] band {auto|wcdma|gsm} Sets (or clears) the cellular band that the cellular interface uses.
auto has the ZyWALL always use the fastest network that is in range.
gsm has this interface only use a 2.5G or 2.75G network (respectively). If you only have a GSM network available to you, you may want to use this so the ZyWALL does not spend time looking for a WCDMA network.
wcdma has this interface only use a 3G or 3.5G network (respectively). You may want to use this if you want to make sure the interface does not use the GSM network.
[no] network-selection {auto|home} Home network is the network to which you are originally subscribed.
Home has the 3G device connect only to the home network. If the home network is down, the ZyWALL's 3G Internet connection is also unavailable.
Auto is the default setting and allows the 3G device to connect to a network to which you are not subscribed when necessary, for example when the home network is down or another 3G base station's signal is stronger. This is recommended if you need continuous Internet connectivity. If you select this, you may be charged using the rate of a different network.
[no] budget active Sets a monthly limit for the user account of the installed 3G card. You can set a limit on the total traffic and/or call time. The ZyWALL takes the actions you specified when a limit is exceeded during the month. Use the no command to disable budget control.
[no] budget time active <1..672> Sets the amount of time (in hours) that the 3G connection can be used within one month. If you change the value, the ZyWALL resets the statistics. Use the no command to disable time budget control.
[no] budget data active {download-upload|download|upload} <1..100000> Sets how much downstream and/or upstream data (in megabytes) can be transmitted via the 3G connection within one month.
download: set a limit on the downstream traffic (from the ISP to the ZyWALL).
upload: set a limit on the upstream traffic (from the ZyWALL to the ISP).
download-upload: set a limit on the total traffic in both directions.
If you change the value, the ZyWALL resets the statistics. Use the no command to disable data budget control.
budget reset-day <0..31> Sets the date on which the ZyWALL resets the budget every month. If the date you selected is not available in a month, such as 30th or 31st, the ZyWALL resets the budget on the last day of the month.
budget reset-counters Resets the time and data budgets immediately. The count starts over with the 3G connection’s full configured monthly time and data budgets. This does not affect the normal monthly budget restart.
budget {log|log-alert}[recursive <1..65535>] Sets the ZyWALL to create a log (log) or an alert log (log-alert) when the time or data limit is exceeded. You can also specify how often (from 1 to 65535 minutes) to generate a log or an alert.
no budget log [recursive] Sets the ZyWALL to not create a log when the time or data limit is exceeded. Specify recursive to have the ZyWALL only create a log one time when the time or data limit is exceeded.
budget new-connection {allow|disallow} Sets to permit (allow) or drop/block (disallow) new 3G connections when the time or data limit is exceeded.
budget current-connection {keep|drop} Sets to maintain the existing 3G connection (keep) or disconnect it (drop) when the time or data limit is exceeded. You cannot set budget new-connection to allow and budget current-connection to drop at the same time.
If you set budget new-connection to disallow and budget current-connection to keep, the ZyWALL allows you to transmit data using the current connection, but you cannot build a new connection if the existing connection is disconnected.
budget percentage {ptime|pdata} <0..99> Sets a percentage (0~99) of time budget (ptime) or data (pdata) limit. When the specified limit is exceeded, the ZyWALL takes the action configured using the budget {log-percentage|log-percentage-alert} command.
budget {log-percentage|log-percentage-alert} [recursive <1..65535>] Sets to have the ZyWALL create a log (log-percentage) or an alert log (log-percentage-alert) when the set percentage of time budget or data limit is exceeded. You can configure the percentage using the budget percentage command.
You can also set how often (from 1 to 65535 minutes) to send the log or alert.
no budget log-percentage Sets the ZyWALL to not create a log when the set percentage of time budget or data limit is exceeded. You can configure the percentage using the budget percentage command.
connectivity {nail-up | dial-on-demand} Sets the connection to be always on or only when there is traffic.
[no] local-address <ip> Sets (or clears) the cellular interface’s local (own) IP address.
mtu <576..1492> Sets the Maximum Transmission Unit in bytes.
[no] pin <pin code> Sets (or clears) the PIN code for the cellular device’s 3G card. Use 1-4 alphanumeric characters, underscores (_), or dashes (-).
[no] remote-address <ip> Sets (or clears) the IP address of the cellular interface’s peer (like a gateway or PPPoE server).
interface cellular budget-auto-save <5..1440> Sets how often (in minutes) the ZyWALL saves time and data usage records for a connection using the 3G card.
show interface cellular [corresponding-slot|device-status|support-device] Shows the status of the specified cellular interface.
show interface cellular corresponding-slot Shows which cellular interface is on which slot and whether which cellular interface has been configured.
show interface cellular device-status Displays the installed SIM card and 3G card status.
show interface cellular support-device Displays all 3G card models the ZyWALL can support.
show interface cellular budget-auto-save Displays how often (in minutes) the ZyWALL records time and data usage of your 3G budgets.
show interface cellular status Displays the traffic statistics and connection status for your cellular interfaces. See Section 6.6.1 on page 78 for all possible cellular status descriptions.
show interface interface_name [budget] Displays the budget control settings for the specified cellular interface.
show interface interface_name device status Displays the 3G card and SIM card information for the specified cellular interface.
show interface interface_name device profile Displays the 3G connection profile settings of the specified cellular interface.
6.6.1 Cellular Status
The following table describes the different kinds of cellular connection status on the ZyWALL.
Table 28 Cellular Status
STATUS DESCRIPTION
No device no 3G device is connected to the ZyWALL.
No service no 3G network is available in the area; you cannot connect to the Internet.
Limited service returned by the service provider in cases where the SIM card is expired, the user failed to pay for the service and so on; you cannot connect to the Internet.
Device detected displays when you connect a 3G device.
Device error a 3G device is connected but there is an error.
Probe device fail the ZyWALL’s test of the 3G device failed.
Probe device ok the ZyWALL’s test of the 3G device failed.
Init device fail the ZyWALL was not able to initialize the 3G device.
Init device ok the ZyWALL initialized the 3G card.
Check lock fail the ZyWALL’s check of whether or not the 3G device is locked failed.
Device locked the 3G device is locked.
SIM error there is a SIM card error on the 3G device.
SIM locked-PUK the PUK is locked on the 3G device’s SIM card.
SIM locked-PIN the PIN is locked on the 3G device’s SIM card.
Unlock PUK fail Your attempt to unlock a WCDMA 3G device’s PUK failed because you entered an incorrect PUK.
Unlock PIN fail Your attempt to unlock a WCDMA 3G device’s PIN failed because you entered an incorrect PIN.
Unlock device fail Your attempt to unlock a CDMA2000 3G device failed because you entered an incorrect device code.
Device unlocked You entered the correct device code and unlocked a CDMA2000 3G device.
Get dev-info fail The ZyWALL cannot get cellular device information.
Get dev-info ok The ZyWALL succeeded in retrieving 3G device information.
Searching network The 3G device is searching for a network.
Get signal fail The 3G device cannot get a signal from a network.
Network found The 3G device found a network.
Apply config The ZyWALL is applying your configuration to the 3G device.
Device unready The 3G interface is disabled.
Active The 3G interface is enabled.
Incorrect device The connected 3G device is not compatible with the ZyWALL.
Correct device The ZyWALL detected a compatible 3G device.
Set band fail Applying your band selection was not successful.
Set band ok The ZyWALL successfully applied your band selection.
Set profile fail Applying your ISP settings was not successful.
Set profile ok The ZyWALL successfully applied your ISP settings.
PPP fail The ZyWALL failed to create a PPP connection for the cellular interface.
Need auth-password You need to enter the password for the 3G card in the cellular edit screen.
Device ready The ZyWALL successfully applied all of your configuration and you can use the 3G connection.
6.6.2 Cellular Interface Command Examples
This example shows the configuration of a cellular interface named cellular2 for use with a Sierra Wireless AC850 3G card. It uses only a 3G (or 3.5G) connection, PIN code 1234, an MTU of 1200 bytes, a description of “This is cellular2” and sets the connection to be nailed-up.
Router(config)# interface cellular2
Router(config-if-cellular)# device AC850
Router(config-if-cellular)# band wcdma
Router(config-if-cellular)# pin 1234
Router(config-if-cellular)# connectivity nail-up
Router(config-if-cellular)# description This is cellular2
Router(config-if-cellular)# mtu 1200
Router(config-if-cellular)# exit
This second example shows specifying a new PIN code of 4567.
Router(config)# interface cellular2
Router(config-if-cellular)# pin 4567
Router(config-if-cellular)# exit
This example shows the 3G and SIM card information for interface cellular2 on the ZyWALL.
Router(config)# show interface cellular2 device status
interface name: cellular2
extension slot: USB 1
service provider: Chunghwa Telecom
cellular system: WCDMA
signal strength: -95 dBm
signal quality: Poor
device type: WCDMA
device manufacturer: Huawei
device model: E220/E270/E800A
device firmware: 076.11.07.106
device IMEI/ESN: 351827019784694
SIM card IMSI: 466923100565274
This example shows the 3G connection profile settings for interface cellular2 on the ZyWALL. You have to dial *99***1# to use profile 1, but authentication is not required. Dial *99***2# to use profile 2 and authentication is required.
Router(config)# show interface cellular2 device profile
profile: 1
apn: internet
dial-string: *99***1#
authentication: none
user: n/a
password: n/a
profile: 2
apn: internet
dial-string: *99***2#
authentication: chap
user:
password: ***
----------------------SNIP!------------------------------------------------

6.7 Tunnel Interface Specific Commands

The ZyWALL uses tunnel interfaces in Generic Routing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels. This section covers commands specific to tunnel interfaces. Tunnel interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on page 57.
Use these commands to add, edit, activate, deactivate, or delete tunnel interfaces. You must use the configure terminal command to enter the configuration mode before you can use these commands. GRE mode tunnels support ping check. See Section 6.2.6 on page 70 for more on ping check.
Table 29 Tunnel Interface Commands
COMMAND DESCRIPTION
[no] interface tunnel_iface Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface.
tunnel_iface: Name of tunnel interface. tunnel([0-3]).
[no] shutdown Deactivates the specified interface. The no command activates it.
tunnel source [ipv4|tunnel_bind_interface|_any] Configures the outer source IP address of the tunneled packets. Specify an IPv4 address or use the IP address of an interface.
_any: Have the ZyWALL automatically select the outer source IP. Not available for ipv6ip mode tunnels.
tunnel destination ipv4 Configures the outer destination IP address of the tunneled IPv4 packets.
ip address ipv4 ipv4 Sets the inner source IP of packets sent through the tunnel interface.
tunnel mode ip gre Sets this interface to use GRE tunnel mode.
[no] mtu <576..1480> Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The ZyWALL divides larger packets into smaller fragments. The no command resets the MTU to 1480.
[no] downstream <0..1048576> Specifies the downstream bandwidth for the specified interface. The no command sets the downstream bandwidth to 1048576.
tunnel mode [ ipv6ip [ manual | 6to4 ] ] ] Sets the interface to be an IPv6 over IPv4 tunnel.
manual: Use for a point-to-point manual tunnel for IPv6 transition. You must also configure a policy route for the tunnel.
6to4: Use for a 6to4/6RD automatic tunnel.
ipv6 address ipv6_addr_prefix Sets an IPv6 address with prefix for the interface.
ipv6 6to4 [ prefix ipv6_addr_prefix | destination-prefix ipv4_cidr | relay ipv4 ] For a 6to4 tunnel, sets the IPv6 address with prefix, remote gateway prefix, or relay router IPv4 address.
traffic-prioritize {tcp-ack|content-filter|dns} bandwidth <0..1048576> priority <1..7> [maximize-bandwidth-usage]; Applies traffic priority when the interface sends TCP-ACK traffic, traffic for querying the content filter, or traffic for resolving domain names. It also sets how much bandwidth the traffic can use and can turn on maximize bandwidth usage.
traffic-prioritize {tcp-ack|content-filter|dns} deactivate Turns off traffic priority settings for when the interface sends the specified type of traffic.
exit Leaves the sub-command mode.
show interface tunnel_iface Displays the specified tunnel’s settings.
show interface tunnel status Displays the status of the tunnel interfaces.
6.7.1 Tunnel Interface Command Examples
This example creates a tunnel interface called tunnel0 that uses wan1 as the source,
168.168.168.168 as the destination, and 10.0.0.100 and 255.255.0.0 as the inner source IP.
Router> configure terminal
Router(config)# interface tunnel0
Router(config-if-tunnel)# tunnel source wan1
Router(config-if-tunnel)# tunnel destination 168.168.168.168
Router(config-if-tunnel)# ip address 10.0.0.100 255.255.0.0
Router(config-if-tunnel)# exit

Router(config)# show interface tunnel
tunnel interface: 1
interface name: tunnel0
local address: ge2
local address type: bind
remote address: 168.168.168.168
mode: gre
IP address: 10.0.0.100
netmask: 255.255.0.0
status: Inactive
active: no

6.8 USB Storage Specific Commands

Use these commands to configure settings that apply to the USB storage device connected to the ZyWALL.
Note: On ZyWALL models that support more than one USB port, these commands only apply to the USB storage device that is first attached to the ZyWALL.
Table 30 USB Storage General Commands
COMMAND DESCRIPTION
show usb-storage Displays the status of the connected USB storage device.
[no] usb-storage activate Enables or disables the connected USB storage service.
usb-storage warn number <percentage|megabyte> Sets a number and the unit (percentage or megabyte) to have the ZyWALL send a warning message when the remaining USB storage space is less than the set value.
usb-storage mount Mounts the connected USB storage device.
usb-storage umount Unmounts the connected USB storage device.
[no] logging usb-storage Sets to have the ZyWALL log or not log any information about the connected USB storage device(s) for the system log.
show logging status usb-storage Displays the logging settings for the connected USB storage device.
logging usb-storage category category level <all|normal> Configures the logging settings for the specified category for the connected USB storage device.
logging usb-storage category category disable Stops logging for the specified category to the connected USB storage device.
logging usb-storage flushThreshold <1..100> Configures the maximum storage space (in percentage) for storing system logs on the connected USB storage device.
[no] diag-info copy usb-storage Sets to have the ZyWALL save or stop saving the current system diagnostics information to the connected USB storage device. You may need to send this file to customer support for troubleshooting.
show diag-info copy usb-storage Displays whether (enable or disable) the ZyWALL saves the current system diagnostics information to the connected USB storage device.
[no] corefile copy usb-storage Sets to have the ZyWALL save or not save a process’s core dump to the connected USB storage device if the process terminates abnormally (crashes). You may need to send this file to customer support for troubleshooting.
show corefile copy usb-storage Displays whether (enable or disable) the ZyWALL saves core dump files to the connected USB storage device.
6.8.1 USB Storage General Commands Example
This example shows how to display the status of the connected USB storage device.
Router> show usb-storage
USBStorage Configuration:
Activation: enable
Criterion Number: 100
Criterion Unit: megabyte
USB Storage Status:
Device description: N/A
Usage: N/A
Filesystem: N/A
Speed: N/A
Status: none
Detail: none

6.9 WLAN Specific Commands

You can install a compatible WLAN card to use the ZyWALL as an access point (AP) for a wireless network.
The following table identifies the values required for several WLAN commands. Other input values are discussed with the corresponding commands.
Table 31 Input Values for WLAN Interface Commands
LABEL DESCRIPTION
psk-key Use 8 to 63 case-sensitive alphanumeric characters or 64 hexadecimal characters. This is used for WLAN interface commands. See Table 33 on page 85.
6.9.1 WLAN General Commands
Use these commands to configure global settings that apply to all of the wireless LAN interfaces you create on the WLAN card.
Table 32 WLAN General Commands
COMMAND DESCRIPTION
wlan slot_name Specifies the slot the WLAN card is installed in and enters sub-command mode.
slot_name: The name of the slot where the WLAN card is installed in the ZyWALL. Use slotx where x equals the number of the card slot.
[no] activate Turns the wireless device on. The no command turns it off.
band <b | g | bg | bgn | gn> Sets which IEEE 802.11 wireless standard wireless clients can use to connect to the wireless interface.
• b
• g
• b or g
• b, g, or n
• g or n
channel <wireless_channel | auto> Sets the wireless operating channel of an IEEE 802.11n interface.
wireless_channel: Specify the channel number. The numbers available vary by region.
channel-width <auto | 20m | 40m> Sets how wide a channel the IEEE 802.11n interface uses.
guard-interval <short | long> Sets the IEEE 802.11n interface’s gap between data transmissions from users to reduce interference.
short: increases data throughput but may make data transfer more prone to errors.
long: prioritizes data integrity but reduces data transfer rates.
[no] ampdu For an IEEE 802.11n interface, enables or disables grouping of several A-MPDUs (Aggregate MAC Protocol Data Unit) into one larger frame for faster data transfer rates.
[no] amsdu For an IEEE 802.11n interface, enables or disables grouping of several A-MSDUs (Aggregate MAC Service Data Units) into one large A-MPDU (Aggregate MAC Protocol Data Unit) for faster data transfer rates.
[no] block-ack Turns the IEEE 802.11n interface’s block ACK (BA) mechanism on or off. Block ACK lets multiple frames be streamed out and acknowledged by a single frame. This cuts the wait time between frames and increases data throughput.
qos <none | wmm> Select the WLAN Quality of Service priority for an IEEE 802.11n interface.
none: Apply no priority to traffic.
wmm: Wi-Fi Multimedia has the priority of a data packet depend on the packet’s IEEE 802.1q or DSCP header. If a packet has no WMM value assigned to it, it is assigned the default priority.
[no] ctsrts <256..2346> Sets the Clear To Send/Request To Send threshold. CTS/RTS reduces data collisions caused by wireless clients that are associated with the same AP but out of range of one another. The no command turns off CTS/RTS.
[no] frag <256..2346> Sets the threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent.
[no] super Enables super mode (fast frame and packet bursting).
role ap Sets the ZyWALL to act as an AP (only the AP role is supported at the time of writing).
output-power [100% | 50% | 25% | 12.5%] Sets the wireless output power. Reducing output power can help reduce interference with other nearby APs.
qos [none | wmm] Applies Wi-Fi Multimedia Quality of Service (QoS) or no wireless QoS.
guard-interval [short | long] Sets Guard Interval to Short (increases data throughput) or Long (prioritize data integrity).
[no] amsdu Enables Aggregated Mac Service Data Unit (AMSDU) for faster data transfer rates.
[no] ampdu Enables Aggregated Mac Protocol Data Unit (AMPDU) for faster data transfer rates.
[no] block-ack Adds the block ACK (BA) mechanism to increase data output.
exit Leaves the sub-command mode.
6.9.1.1 WLAN General Commands Example
This example sets wireless slot 1 to use the IEEE 802.11b and IEEE 802.11g bands, channel 5, super mode, 50% output power, and enables it.
Router(config)# wlan slot1
Router(config-wlan-slot)# band bg
Router(config-wlan-slot)# channel 5
Router(config-wlan-slot)# super
Router(config-wlan-slot)# output-power 50%
Router(config-wlan-slot)# activate
Router(config-wlan-slot)# exit
Router(config)#
6.9.2 WLAN Interface Commands
Use these commands to configure global settings that apply to all of the wireless LAN interfaces you create on the WLAN card.
Table 33 WLAN Interface Commands
COMMAND DESCRIPTION
[no] interface ap_interface Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface.
ap_interface: The name of the WLAN Access Point interface. Use wlan-x-y where x equals the number of the card slot and y equals the number of the individual WLAN interface. For example, wlan-1-1.
[no] block-intra Enables intra-BSS blocking (prevents wireless clients in this profile’s BSS from communicating with one another).
group-key <30..30000> Sets the WPA2 group key update timer. This is the interval in seconds for how often the AP sends a new group key out to all clients.
[no] hide Obscures the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning.
idle <30..30000> Sets the WPA2 idle timeout. The ZyWALL automatically disconnects a wireless station that has been inactive for this number of seconds. The wireless station needs to enter the username and password again before access to the wired network is allowed.
[no] ip address ip subnet_mask Assigns the specified IP address and subnet mask to the specified interface. The no command clears the IP address and the subnet mask.
[no] ip gateway ip [metric <0..15>] Adds the specified gateway for the interface. Sets the priority (relative to every gateway on every interface) for the specified gateway. The lower the number, the higher the priority. The no command removes the gateway.
[no] mtu <576..2304> Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The ZyWALL divides larger packets into smaller fragments. The no command resets the MTU to 1500.
reauth <30..30000> Sets the WPA2 reauthentication timer. This is at what interval wireless stations have to resend usernames and passwords in order to stay connected. If a RADIUS server authenticates wireless stations, the reauthentication timer on the RADIUS server has priority.
security mode {none | wep | wpa | wpa-wpa2 | wpa2} Sets what type of security the wireless interface uses.
none: applies no security.
wep: WEP security (extremely weak).
wpa: WPA security.
wpa-wpa2: WPA/WPA2-Enterprise or WPA/WPA2-PSK security.
wpa2: WPA2 security (strongest option).
security wep <64 | 128> default-key <1..4> Sets WEP encryption to use a 64 or 128 bit key and selects the default key.
security wep mode <open | share> Sets the WEP encryption to use open or shared key authentication.
security wpa <tkip | aes> eap internal profile-name tls-cert certificate name Configures WPA enterprise security using TKIP or AES and an existing AAA authentication method object (profile-name). Set the certificate the ZyWALL uses to authenticate itself to the wireless clients. The wireless clients must use TTLS authentication protocol and PAP inside the TTLS secure tunnel.
security wpa <tkip | aes> eap external Configures WPA enterprise security using TKIP or AES and an external server. Use the security external command to specify the server’s address.
security wpa <tkip | aes> psk key psk-key Configures WPA security using TKIP or AES and a Pre-Shared Key (PSK).
security wpa-wpa2 <tkip | aes> eap internal profile-name tls-cert certificate name This allows users to either use WPA or WPA2 enterprise security to connect to the wireless interface. You have to also configure to use either TKIP or AES and an existing AAA authentication method object (profile-name). Set the certificate the ZyWALL uses to authenticate itself to the wireless clients. The wireless clients must use TTLS authentication protocol and PAP inside the TTLS secure tunnel.
security wpa-wpa2 <tkip | aes> eap external Configures WPA or WPA2 enterprise security using TKIP or AES and an external server. Use the security external command to specify the server’s address.
security wpa-wpa2 <tkip | aes> psk key psk-key Configures WPA or WPA2 security using TKIP or AES and a Pre-Shared Key (PSK).
security wpa2 <tkip | aes> eap internal profile-name tls-cert certificate name Configures WPA2 enterprise security using TKIP or AES and an existing AAA authentication method object (profile-name). Select the certificate the ZyWALL uses to authenticate itself to the wireless clients. The wireless clients must use TTLS authentication protocol and PAP inside the TTLS secure tunnel.
security wpa2 <tkip | aes> eap external Configures WPA2 enterprise security using TKIP or AES and an external server. Use the security external command to specify the server’s address.
security wpa2 <tkip | aes> psk key psk-key Configures WPA2 security using TKIP or AES and a Pre-Shared Key (PSK).
[no] security dot1x acct ip port <1..65535> Sets the IP address and port number of an external accounting server.
[no] security dot1x auth ip port <1..65535> Sets the IP address and port number of an external authentication (RADIUS) server.
[no] security dot1x activate Enables IEEE 802.1x accounting and authentication.
[no] security external acct ip port <1..65535> Sets the IP address and port number of an external accounting server.
[no] security external auth ip port <1..65535> Sets the IP address and port number of an external authentication (RADIUS) server.
no security {none | wep | wpa | wpa-wpa2 | wpa2} Disables the specified security mode for the wireless interface.
ssid ssid Sets the SSID (Service Set IDentity). This identifies the Service Set with which a wireless station is associated. Wireless stations associating to the ZyWALL must have the same SSID.
ssid: Use up to 32 printable 7-bit ASCII characters as a name for the wireless LAN.
station-limit <1..255> Sets the highest number of wireless clients that are allowed to connect to the wireless interface at the same time.
wep-key <1..4> key There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless stations.
If you set WEP encryption to use a 64 bit key using the security mode and security wep 64 commands, type any 5 characters (ASCII string) or 5 pairs of hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
If you set WEP encryption to use a 128 bit key using the security mode and security wep 128 commands, type 13 characters (ASCII string) or 13 pairs of hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
6.9.2.1 WLAN Interface Commands Example
This example configures WLAN AP interface 2 for slot 1 to use SSID WLAN_test, WPA security modes with a pre-shared key of 12345678, IP address 1.1.1.1, netmask 255.255.255.0, and a gateway IP address of 1.2.3.4 with a priority of 10.
Router(config)# interface wlan-1-2
Router(config-if-wlan)# ssid WLAN_test
Router(config-if-wlan)# security wpa tkip psk key 12345678
Router(config-if-wlan)# security mode wpa
Router(config-if-wlan)# ip address 1.1.1.1 255.255.255.0
Router(config-if-wlan)# ip gateway 1.2.3.4 metric 10
Router(config-if-wlan)# exit
6.9.3 WLAN MAC Filter Commands
Use these commands to give specific wireless clients exclusive access to the ZyWALL (allow association) or block specific devices from accessing the ZyWALL (deny association) based on the devices’ MAC addresses.
Table 34 WLAN General Commands
COMMAND DESCRIPTION
[no] wlan mac-filter mac_address [description description] Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) of the wireless station that is to be allowed or denied access to the ZyWALL. The no command removes the entry.
description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
[no] wlan mac-filter activate Turns the MAC address filter on or off.
wlan mac-filter associate <allow | deny> Defines the filter action for the list of MAC addresses in the MAC address filter table.
Allow permits the listed addresses to access the ZyWALL; MAC addresses not listed will be blocked.
Deny blocks the listed addresses from accessing the router; MAC addresses not listed will be allowed to access the router.
show wlan mac-filter status Displays the MAC filter’s activation and association settings.
show wlan mac-filter Displays the WLAN MAC filter entries.
6.9.3.1 WLAN MAC Filter Commands Example
This example creates a MAC filter entry for MAC address 01:02:03:04:05:06 and sets the ZyWALL to allow wireless access from that entry’s MAC address only.
Router(config)# wlan mac-filter 01:02:03:04:05:06 description example
Router(config)# wlan mac-filter associate allow
Router(config)# wlan mac-filter activate
Router(config)# show wlan mac-filter status
Enable: yes
Association: allow
Router(config)# show wlan mac-filter
No.  MAC                Description
===========================================================================
1    01:02:03:04:05:06  example
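The settings in Tables 31 to 34 that decide how well a WLAN interface is protected can be checked mechanically from a saved command listing. The following Python sketch is an added example, not part of the ZyXEL guide: it reads CLI lines in the form shown in the examples above and reports the security mode, cipher, psk-key and MAC filter choices that the tables describe as weaker. The finding texts, the 12-character minimum and the sample listing are assumptions constructed for this example.

```python
import re

# Strips the CLI prompt, e.g. "Router(config-if-wlan)# ", if the line has one.
PROMPT = re.compile(r"^Router(\([^)]*\))?[#>]\s*")
HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")
WPA_MODES = ("wpa", "wpa-wpa2", "wpa2")
# Notes follow the guide's "security mode" row, which ranks wpa2 as strongest.
MODE_NOTES = {
    "none": "no wireless security is applied",
    "wep": "WEP, which the guide describes as extremely weak",
    "wpa": "WPA only; the guide lists wpa2 as the strongest option",
    "wpa-wpa2": "mixed mode still accepts WPA clients",
}
# Assumption of this example, not a limit taken from the guide.
ASSUMED_MIN_PSK_LEN = 12


def psk_problem(key):
    """Return a finding string for a psk-key value, or None if it looks acceptable."""
    if HEX64.match(key):
        return None
    if not 8 <= len(key) <= 63:
        return "psk-key is not 8 to 63 characters or 64 hexadecimal characters"
    if not key.isalnum():
        return "psk-key contains non-alphanumeric characters"
    if key.isdigit() or len(key) < ASSUMED_MIN_PSK_LEN:
        return "psk-key is short or digits only and easy to guess"
    return None


def audit(config_text):
    """Return (scope, finding) tuples for the WLAN settings in config_text."""
    findings = []
    iface = None  # WLAN interface whose sub-command mode the listing is in
    filter_active = False
    filter_action = None
    for raw in config_text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        negated = bool(words) and words[0] == "no"
        if negated:
            words = words[1:]
        if not words:
            continue
        if words[0] == "interface" and len(words) == 2:
            is_wlan = words[1].startswith("wlan-") and not negated
            iface = words[1] if is_wlan else None
        elif words[0] == "exit":
            iface = None
        elif words[:2] == ["wlan", "mac-filter"] and len(words) >= 3:
            if words[2] == "activate":
                filter_active = not negated
            elif words[2] == "associate" and len(words) == 4:
                filter_action = words[3]
        elif iface and words[0] == "security" and not negated and len(words) >= 3:
            if words[1] == "mode":
                note = MODE_NOTES.get(words[2])
                if note:
                    findings.append((iface, "security mode %s: %s" % (words[2], note)))
            elif words[1] in WPA_MODES:
                if words[2] == "tkip":
                    findings.append((iface, "TKIP selected although aes is offered"))
                if words[3:5] == ["psk", "key"] and len(words) == 6:
                    problem = psk_problem(words[5])
                    if problem:
                        findings.append((iface, problem))
    if filter_active and filter_action == "deny":
        findings.append(("mac-filter", "deny list admits every unlisted MAC address"))
    return findings


# Constructed sample listing; wlan-1-2 repeats the guide's own example values.
SAMPLE = """\
Router(config)# interface wlan-1-1
Router(config-if-wlan)# ssid Office
Router(config-if-wlan)# security wpa2 aes psk key k7Qm2xV9tRb4Lw8ZpD3s
Router(config-if-wlan)# security mode wpa2
Router(config-if-wlan)# exit
Router(config)# interface wlan-1-2
Router(config-if-wlan)# ssid WLAN_test
Router(config-if-wlan)# security wpa tkip psk key 12345678
Router(config-if-wlan)# security mode wpa
Router(config-if-wlan)# exit
Router(config)# interface wlan-1-3
Router(config-if-wlan)# security wep 128 default-key 1
Router(config-if-wlan)# security mode wep
Router(config-if-wlan)# exit
Router(config)# wlan mac-filter associate deny
Router(config)# wlan mac-filter activate
"""

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print("%-10s %s" % (scope, finding))
```

Run against the sample, only wlan-1-1 (wpa2, aes, long mixed key) produces no finding.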

6.10 VLAN Interface Specific Commands

This section covers commands that are specific to VLAN interfaces. VLAN interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on page 57.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 35 Input Values for VLAN Interface Commands
LABEL DESCRIPTION
interface_name VLAN interface: vlanx, x = 0 - 4094
Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
The ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
This table lists the VLAN interface commands.
Table 36 interface Commands: VLAN Interfaces
COMMAND DESCRIPTION
interface interface_name Creates the specified interface if necessary and enters sub-command mode.
[no] port interface_name Specifies the Ethernet interface on which the VLAN interface runs. The no command clears the port.
[no] vlan-id <1..4094> Specifies the VLAN ID used to identify the VLAN. The no command clears the VLAN ID.
show port vlan-id Displays the Ethernet interface VLAN settings.
6.10.1 VLAN Interface Command Examples
The following commands show you how to set up VLAN vlan100 with the following parameters: VLAN ID 100, interface ge1, IP 1.2.3.4, subnet 255.255.255.0, MTU 598, gateway 2.2.2.2, description “I am vlan100”, upstream bandwidth 345, and downstream bandwidth 123.
Router# configure terminal
Router(config)# interface vlan100
Router(config-if-vlan)# vlan-id 100
Router(config-if-vlan)# port ge1
Router(config-if-vlan)# ip address 1.2.3.4 255.255.255.0
Router(config-if-vlan)# ip gateway 2.2.2.2
Router(config-if-vlan)# mtu 598
Router(config-if-vlan)# upstream 345
Router(config-if-vlan)# downstream 123
Router(config-if-vlan)# description I am vlan100
Router(config-if-vlan)# exit

6.11 Bridge Specific Commands

This section covers commands that are specific to bridge interfaces. Bridge interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on page 57.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 37 Input Values for Bridge Interface Commands
LABEL DESCRIPTION
interface_name The name of the interface.
Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
The ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
VLAN interface: vlanx, x = 0 - 4094
bridge interface: brx, x = 0 - N, where N depends on the number of bridge interfaces your ZyWALL model supports.
This table lists the bridge interface commands.
Table 38 interface Commands: Bridge Interfaces
COMMAND DESCRIPTION
interface interface_name Creates the specified interface if necessary and enters sub-command mode.
[no] join interface_name Adds the specified Ethernet interface or VLAN interface to the specified bridge. The no command removes the specified interface from the specified bridge.
show bridge available member Displays the available interfaces that could be added to a bridge.
6.11.1 Bridge Interface Command Examples
The following commands show you how to set up a bridge interface named br0 with the following parameters: member ge1, IP 1.2.3.4, subnet 255.255.255.0, MTU 598, gateway 2.2.2.2, upstream bandwidth 345, downstream bandwidth 123, and description “I am br0”.
Router# configure terminal
Router(config)# interface br0
Router(config-if-brg)# join ge1
Router(config-if-brg)# ip address 1.2.3.4 255.255.255.0
Router(config-if-brg)# ip gateway 2.2.2.2
Router(config-if-brg)# mtu 598
Router(config-if-brg)# upstream 345
Router(config-if-brg)# downstream 123
Router(config-if-brg)# description I am br0
Router(config-if-brg)# exit

6.12 Auxiliary Interface Specific Commands

The first table below lists the auxiliary interface commands, and the second table explains the values you can input with these commands.
Table 39 interface Commands: Auxiliary Interface
COMMAND DESCRIPTION
interface dial aux
interface disconnect aux Dials or disconnects the auxiliary interface.
interface aux Enters sub-command mode.
[no] authentication {chap-pap | chap | pap | mschap | mschap-v2} Specifies the authentication type of the auxiliary interface. The no command sets the authentication to chap-pap.
[no] dial-timeout <30..120> Specifies the number of seconds the auxiliary interface waits for an answer each time it tries to connect. The no command disables the timeout.
[no] dialing-type {tone | pulse} Specifies the dial type of the auxiliary interface. The no command sets the dial type to tone.
[no] idle <0..360> Specifies the number of seconds the auxiliary interface waits for activity before it automatically disconnects. The no command disables the idle timeout.
[no] initial-string initial_string Specifies the initial string of the auxiliary interface. The no command sets the initial string to “ATZ”.
initial_string: You can use up to 64 characters. Semicolons (;) and backslashes (\) are not allowed.
[no] password password Specifies the password of the auxiliary interface. The no command clears the password.
password: You can use up to 63 printable ASCII characters. Spaces are not allowed.
[no] phone-number phone Specifies the phone number of the auxiliary interface. You can use 1-20 numbers, commas (,), or plus signs (+). Use a comma to pause during dialing. Use a plus sign to tell the external modem to make an international call. The no command clears the phone number.
[no] port-speed {9600 | 19200 | 38400 | 57600 | 115200} Specifies the baud rate of the auxiliary interface. The no command sets the baud rate to 115200.
[no] username username Specifies the username of the auxiliary interface. The no command clears the username.
username: You can use alphanumeric, underscores (_), dashes (-), periods (.), and /@$ characters, and it can be up to 64 characters long.
6.12.1 Auxiliary Interface Command Examples
The following commands show you how to set up the auxiliary interface aux with the following parameters: phone-number 0340508888, tone dialing, port speed 115200, initial-string ATZ, timeout 30 seconds, username kk, password kk@u2online, chap-pap authentication, and description “I am aux interface”.
Router# configure terminal
Router(config)# interface aux
Router(config-if-aux)# phone-number 0340508888
Router(config-if-aux)# dialing-type tone
Router(config-if-aux)# port-speed 115200
Router(config-if-aux)# initial-string ATZ
Router(config-if-aux)# timeout 30
Router(config-if-aux)# username kk
Router(config-if-aux)# password kk@u2online
Router(config-if-aux)# authentication chap-pap
Router(config-if-aux)# description I am aux interface
Router(config-if-aux)# exit
The following commands show how to dial, disconnect, and stop the auxiliary interface.
Router# interface dial aux
Router# interface disconnect aux

CHAPTER 7

Trunks

This chapter shows you how to configure trunks on your ZyWALL.

7.1 Trunks Overview

You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface’s connection goes down, the ZyWALL sends traffic through another member of the trunk. For example, you can use two interfaces for WAN connections. You can connect one interface to one ISP (or network) and connect the other to a second ISP (or network). The ZyWALL can balance the load between multiple connections. If one interface's connection goes down, the ZyWALL can automatically send its traffic through another interface.
You can use policy routing to specify through which interface to send specific traffic types. You can use trunks in combination with policy routing. You can also define multiple trunks for the same physical interfaces. This allows you to send specific traffic types through the interface that works best for that type of traffic, and if that interface’s connection goes down, the ZyWALL can still send its traffic through another interface.

7.2 Trunk Scenario Examples

Suppose one of the ZyWALL's interfaces is connected to an ISP that is also your Voice over IP (VoIP) service provider. You may want to set that interface as active and set another interface (connected to another ISP) to passive. This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface’s connection is up.
Another example would be if you use multiple ISPs that provide different levels of service to different places. Suppose ISP A has better connections to Europe while ISP B has better connections to Australia. You could use policy routing and trunks to send traffic for your European branch offices primarily through ISP A and traffic for your Australian branch offices primarily through ISP B.

7.3 Trunk Commands Input Values

The following table explains the values you can input with the interface-group commands.
Table 40 interface-group Command Input Values
LABEL DESCRIPTION
group-name A descriptive name for the trunk.
For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive.
The ZyWALL USG 200 and lower models use WAN_TRUNK or WAN_TRUNK2-5.
interface-name The name of an interface, it could be an Ethernet, PPP, VLAN or bridge interface. The possible number of each interface type and the abbreviation to use are as follows.
Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
PPPoE/PPTP interface: pppx, x = 0 - N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
VLAN interface: vlanx, x = 0 - 4094
bridge interface: brx, x = 0 - N, where N depends on the number of bridge interfaces your ZyWALL model supports.
num The interface’s position in the trunk’s list of members <1..8>.
<CR> Carriage Return (the “enter” key).

7.4 Trunk Commands Summary

The following table lists the interface-group commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. See Table 40 on page 94 for details about the values you can input with these commands.
Table 41 interface-group Commands Summary
COMMAND DESCRIPTION
show interface-group {system-default|user-define|group-name} Displays pre-configured system default trunks, your own user configuration trunks or a specified trunk’s settings.
[no] interface-group group-name Creates a trunk name and enters the trunk sub-command mode where you can configure the trunk. The no command removes the trunk.
algorithm {wrr|llf|spill-over} Sets the trunk’s load balancing algorithm.
exit Leaves the trunk sub-command mode.
flush Deletes a trunk’s interface settings.
interface {num|append|insert num} interface-name [weight <1..10>|limit <1..2097152>|passive] This subcommand adds an interface to a trunk. Sets the interface’s number. It also sets the interface’s weight and spillover limit or sets it to be passive.
loadbalancing-index <inbound|outbound|total> Use this command only if you use least load first or spill-over as the trunk’s load balancing algorithm.
Set either inbound, outbound, or total (outbound and inbound) traffic to which the ZyWALL will apply the specified algorithm. Outbound traffic means the traffic travelling from an internal interface (ex. LAN) to an external interface (ex. WAN). Inbound traffic means the opposite.
mode {normal|trunk} Sets the mode for a trunk. Do this first in the trunk’s sub-command mode.
move <1..8> to <1..8> Changes the interface order in a trunk.
[no] interface {num|interface-name} Removes an interface from the trunk.
system default-interface-group group-name Sets the ZyWALL to first attempt to use the specified WAN trunk.
[no] system default-snat Enables or disables Source NAT (SNAT). When SNAT is enabled, the ZyWALL uses the IP address of the outgoing interface as the source IP address of the packets it sends out through the WAN interfaces.
show system default-snat Displays whether the ZyWALL enables SNAT or not. The ZyWALL performs SNAT by default for traffic going to or from the WAN interfaces.
show system default-interface-group Displays the WAN trunk the ZyWALL first attempts to use.

7.5 Trunk Command Examples

The following example creates a weighted round robin trunk for Ethernet interfaces ge1 and ge2. The ZyWALL sends twice as much traffic through ge1.
Router# configure terminal
Router(config)# interface-group wrr-example
Router(if-group)# mode trunk
Router(if-group)# algorithm wrr
Router(if-group)# interface 1 ge1 weight 2
Router(if-group)# interface 2 ge2 weight 1
Router(if-group)# exit
Router(config)#
The following example creates a least load first trunk for Ethernet interface ge3 and VLAN 5, which will only apply to outgoing traffic through the trunk. The ZyWALL sends new session traffic through the least utilized of these interfaces.
Router# configure terminal
Router(config)# interface-group llf-example
Router(if-group)# mode trunk
Router(if-group)# algorithm llf
Router(if-group)# interface 1 ge3
Router(if-group)# interface 2 vlan5
Router(if-group)# loadbalancing-index outbound
Router(if-group)# exit
Router(config)#
The following example creates a spill-over trunk for Ethernet interfaces ge1 and ge3, which will apply to both incoming and outgoing traffic through the trunk. The ZyWALL sends traffic through ge1 until it hits the limit of 1000 kbps. The ZyWALL sends anything over 1000 kbps through ge3.
Router# configure terminal
Router(config)# interface-group spill-example
Router(if-group)# mode trunk
Router(if-group)# algorithm spill-over
Router(if-group)# interface 1 ge1 limit 1000
Router(if-group)# interface 2 ge3 limit 1000
Router(if-group)# loadbalancing-index total
Router(if-group)# exit
Router(config)#

7.6 Link Sticking

You can have the ZyWALL send each local computer’s traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file. If the user’s subsequent sessions came from a different WAN IP address, the file server would deny the request. Here is an example.
Figure 14 Link Sticking
1 LAN user A tries to download a file from server B on the Internet. The ZyWALL uses WAN1 to send the request to server B.
2 However remote server B is actually a redirect server. So server B sends a file list to LAN user A. The file list lets LAN user A’s computer know that the desired file is actually on file server (C). At the same time, register server B informs file server C that a computer located at the WAN1’s IP address will download a file.
3 The ZyWALL is using active/active load balancing. So when LAN user A tries to retrieve the file from file server C, the request goes out through WAN2.
4 File server C finds that the request comes from WAN2’s IP address instead of WAN1’s IP address and rejects the request.
5 If link sticking had been configured, the ZyWALL would have still used WAN1 to send LAN user A’s request to file server C and the file server would have given the file to A.

7.7 Link Sticking Commands Summary

The following table lists the ip load-balancing link-sticking commands for link sticking. (The link sticking commands have the prefix ip load-balancing because they affect the ZyWALL’s load balancing behavior.) You must use the configure terminal command to enter the configuration mode before you can use these commands. See Table 40 on page 94 for details about the values you can input with these commands.
Table 42 ip load-balancing link-sticking Commands Summary
COMMAND DESCRIPTION
[no] ip load-balancing link-sticking activate Turns link sticking on or off.
[no] ip load-balancing link-sticking timeout timeout Sets for how many seconds (30-3600) the ZyWALL sends all of each local computer’s traffic through one WAN interface.
show ip load-balancing link-sticking status Displays the current link sticking settings.

7.8 Link Sticking Command Example

This example shows how to activate link sticking and set the timeout to 600 seconds (ten minutes).
Router(config)# ip load-balancing link-sticking activate
Router(config)# ip load-balancing link-sticking timeout 600
Router(config)# show ip load-balancing link-sticking status
active : yes
timeout : 300
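The Figure 14 scenario can be replayed with a small model of a trunk. This Python sketch is an added example and not ZyXEL's implementation: it assumes weighted round robin is a repeating cycle built from the member weights and that link sticking is a per-source table whose entry expires a fixed number of seconds after it is created. The class, the function names and the WAN addresses are hypothetical.

```python
# Constructed WAN addresses from the documentation ranges; with SNAT enabled,
# a remote server sees one of these as the source of LAN user A's sessions.
WAN_IP = {"wan1": "198.51.100.10", "wan2": "203.0.113.20"}


class Trunk:
    """Weighted round robin trunk with optional link sticking (simplified model)."""

    def __init__(self, members, sticking_timeout=None):
        # members: (interface, weight) pairs, as in "interface 1 ge1 weight 2".
        self.cycle = [name for name, weight in members for _ in range(weight)]
        self.next_slot = 0
        self.sticking_timeout = sticking_timeout  # seconds, None = sticking off
        self.sticky = {}  # source host -> (interface, expiry time)

    def _wrr(self):
        name = self.cycle[self.next_slot % len(self.cycle)]
        self.next_slot += 1
        return name

    def pick(self, src, now):
        """Return the member interface used for a new session from src at time now."""
        if self.sticking_timeout is not None:
            entry = self.sticky.get(src)
            if entry and now < entry[1]:
                return entry[0]  # still pinned to the earlier interface
        name = self._wrr()
        if self.sticking_timeout is not None:
            self.sticky[src] = (name, now + self.sticking_timeout)
        return name


def download(trunk, lan_host="192.168.1.33"):
    """Replay steps 1 to 4 of Figure 14; True means file server C serves the file."""
    first = trunk.pick(lan_host, now=0)    # request to redirect server B
    announced_ip = WAN_IP[first]           # B tells C which address will fetch the file
    second = trunk.pick(lan_host, now=5)   # follow-up request to file server C
    return WAN_IP[second] == announced_ip  # C rejects any other source address


def share(trunk, sessions):
    """Count which member carries each of `sessions` sessions from distinct hosts."""
    counts = {}
    for i in range(sessions):
        name = trunk.pick("host%d" % i, now=0)
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    wans = [("wan1", 1), ("wan2", 1)]
    print("without link sticking:", download(Trunk(wans)))
    print("with 600 s link sticking:", download(Trunk(wans, sticking_timeout=600)))
    print("weights 2 and 1:", share(Trunk([("ge1", 2), ("ge2", 1)]), 300))
```

Any service that binds a session or download ticket to the client's source address behaves like file server C here, so the sticking timeout needs to outlast the gap between the two requests.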
CHAPTER 8

Route

This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL.

8.1 Policy Route

Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.

8.2 Policy Route Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 43 Input Values for General Policy Route Commands
LABEL
  DESCRIPTION
address_object
  The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
address6_object
  The name of the IPv6 address (group) object. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
interface_name
  The name of the interface.
  Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  virtual interface on top of Ethernet interface: add a colon (:) and the number of the virtual interface. For example: gex:y, x = 1 - N, y = 1 - 4
  VLAN interface: vlanx, x = 0 - 4094
  virtual interface on top of VLAN interface: vlanx:y, x = 0 - 4094, y = 1 - 12
  bridge interface: brx, x = 0 - N, where N depends on the number of bridge interfaces your ZyWALL model supports.
  virtual interface on top of bridge interface: brx:y, x = the number of the bridge interface, y = 1 - 4
  PPPoE/PPTP interface: pppx, x = 0 - N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
policy_number
  The number of a policy route. 1 - X where X is the highest number of policy routes the ZyWALL model supports. See the ZyWALL’s User’s Guide for details.
schedule_object
  The name of the schedule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character can not be a number. This value is case-sensitive.
service_name
  The name of the service (group). You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character can not be a number. This value is case-sensitive.
user_name
  The name of a user (group). You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character can not be a number. This value is case-sensitive.
destv6
  The IPv6 route prefix (subnet address) for the destination.
prefix
  The IPv6 prefix length, 0 - 128.
gatewayv6
  The IPv6 address of the specified gateway.
ipv6_addr
  An IPv6 address.
ipv6_global_address
  An IPv6 address excluding the link-local address (fe80::).
ipv6_link_local
  An fe80:: IPv6 address.
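When policy route commands are generated by a script, the naming rules in Table 43 can be checked before any value is placed into a CLI line. The following Python validator is an added example, not part of the original guide or ZyXEL software; the function names, the max_index parameter for the model-specific N values, the rejection of leading zeros, and treating the listed port names as a fixed set are assumptions.

```python
import re

# Table 43: 1-31 alphanumerics, underscores or dashes; first character not a digit.
OBJECT_NAME = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")

# Port names the table lists for the USG 200 and lower models (treated as a fixed set here).
NAMED_PORTS = {"wan1", "wan2", "opt", "lan1", "ext-wlan", "dmz"}

# gex, vlanx, brx, pppx with an optional ":y" virtual interface number.
# [0-9] is used instead of \d so that only ASCII digits are accepted.
IFACE = re.compile(r"(ge|vlan|br|ppp)(0|[1-9][0-9]*)(?::([1-9][0-9]*))?")

# Highest virtual interface number per kind; Table 43 lists none for ppp.
VIRTUAL_MAX = {"ge": 4, "vlan": 12, "br": 4}


def valid_object_name(name):
    """True if name follows the address/schedule/service/user object rule."""
    return OBJECT_NAME.fullmatch(name) is not None


def valid_interface(name, max_index):
    """True if name is a well-formed interface_name.

    max_index maps "ge", "br" and "ppp" to the model-specific N (assumed input).
    """
    if name in NAMED_PORTS:
        return True
    m = IFACE.fullmatch(name)
    if not m:
        return False
    kind, x, y = m.group(1), int(m.group(2)), m.group(3)
    low = 1 if kind == "ge" else 0                      # gex starts at 1, the others at 0
    high = 4094 if kind == "vlan" else max_index.get(kind, -1)
    if not low <= x <= high:
        return False
    if y is None:
        return True
    return kind in VIRTUAL_MAX and int(y) <= VIRTUAL_MAX[kind]


if __name__ == "__main__":
    limits = {"ge": 7, "br": 4, "ppp": 4}  # constructed sample limits, not from a real model
    for candidate in ["ge1", "ge7:4", "vlan4094:12", "vlan4095", "ppp0:1", "ext-wlan"]:
        print(candidate, valid_interface(candidate, limits))
    for candidate in ["LAN1_SUBNET", "1st_net", "lan subnet"]:
        print(candidate, valid_object_name(candidate))
```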
The following table describes the commands available for policy route. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 44 Command Summary: Policy Route
COMMAND
  DESCRIPTION
[no] bwm activate
  Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes or application patrol policies apply bandwidth management. The no command globally disables bandwidth management.
policy {policy_number | append | insert policy_number}
  Enters the policy-route sub-command mode to configure, add or insert a policy.
[no] auto-destination
  When you set tunnel as the next-hop type (using the next-hop tunnel command) for this route, you can use this command to have the ZyWALL use the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of what you configure by using the destination command. The no command disables the setting.
[no] auto-disable
  When you set interface or trunk as the next-hop type (using the next-hop interface or next-hop trunk command) for this route, you can use this command to have the ZyWALL automatically disable this policy route when the next-hop’s connection is down. The no command disables the setting.
[no] bandwidth <1..1048576> priority <1..1024> [maximize-bandwidth-usage]
  Sets the maximum bandwidth and priority for the policy. The no command removes bandwidth settings from the rule. You can also turn maximize bandwidth usage on or off.
[no] deactivate
  Disables the specified policy. The no command enables the specified policy.
[no] description description
  Sets a descriptive name for the policy. The no command removes the name for the policy.
[no] destination {address_object|any}
  Sets the destination IP address the matched packets must have. The no command resets the destination IP address to the default (any). any means all IP addresses.