CI Command Reference


1. Command Syntax and General User Interface

CI has the following command syntax:

command <iface | device> subcommand [param]
command subcommand [param]
command ? | help
command subcommand ? | help

General user interface:

1. ? | help   Shows the following commands and all major (sub)commands
2. exit       Returns to SMT

[ch-name]: enet0, enet1

sys
  baud <1|2|3|4|5>   change console speed if parameter present
    1: 38400 bps
    2: 19200 bps
    3: 9600 bps
    4: 57600 bps
    5: 115200 bps
  callhist
    add <name> <dir> <rate> <uptime>   add a call history entry
    display   display the call history
    remove <index>   remove a call history entry
  cbuf
    cnt disp   display cbuf statistics
    cnt clear   clear cbuf statistics
    disp [a|f|u]   display cbuf (a: all, f: free, u: used)
  cmgr
    cnt [ch-name]   display call related counters
    data   display phone number related data
    trace [display|clear] [ch-name]   display or clear call related events
  country <country code>   set country code
  cpu disp   display CPU utilization
  date <yy> <mm> <dd>   change current date if parameter present
  dir   display file directory
  edit <filename>   edit a text file
  errctl [level]   set the error control level
    0: crash no save, not in debug mode (default)
    1: crash no save, in debug mode
    2: crash save, not in debug mode
    3: crash save, in debug mode
  event
    display   display tag flags information
    trace [display|clear]   display or clear system event information
  extraphnum
    add <set 1-3> <1st phone number> [2nd phone number]   add extra phone number
    display   display extra phone numbers
    node   map the extra phone number for remote node n
    remove   remove the extra phone number for remote node n
    reset   reset the extra phone numbers
  feature   display feature bits
  fid display   display function id list
  filter
    disp   display filter statistic counters
    clear   clear filter statistic counters
    sw [on|off]   switch the filter counters on or off
    addNetBios   add default NetBIOS_LAN and NetBIOS_WAN filter sets
    removeNetBios   remove default NetBIOS_LAN and NetBIOS_WAN filter sets
  firewall
    acl clear   clear firewall counters
    acl cnt clear   clear firewall counters
    acl cnt display   display firewall counters
    display   display firewall log
    dynamicrule   display firewall dynamic acl rule usage
    icmp block_co   set blocking of ICMP packets with type 3 code 3
    icmp display   display current code status
    online   display firewall log online
    pktdump   dump 64 bytes of the packets dropped by the firewall
    trcprst rst   send a TCP RST when rejecting a TCP connection, except on port 1
    trcprst rst113   send a TCP RST when rejecting a TCP connection on TCP port 1
    trcprst display   display current TCP reset status
    update   update firewall rules
  hostname   display system hostname
  iface disp   display iface list
  log
    disp   display error log
    clear   clear error log
    online [on|off]   turn the online error log display on or off
  mbuf
    cnt [disp|cl]   display or clear system mbuf count
    link   list system mbuf link
    pool [id] [type]   list system mbuf pool
    status   display system mbuf status
    disp <address>   display mbuf status
  memutil
    usage   display memory allocation and heap status
    mq <address> <len>   display memory queues
    mcell mid [f|u]   display memory cells by given ID
    msecs   display memory sections
  pro
    disp   display all process information
    stack [TAG]   display a process's stack by a given TAG
    ps [TAG]   display a process's status by a given TAG
  queue
    disp [a|f|u] [start#] [end#]   display queues by given status and range of numbers
    ndisp [#]   display a queue by a given number
  quit   quit CI command mode
  reboot [code]   reboot system
    code = 0: cold boot
    code = 1: immediate boot
    code = 2: bootModule debug mode
  reslog [disp|clear]   display or clear resources trace
  roadrun
    disp <iface-name>   display roadrunner information (iface-name: enif1, the WAN port)
    debug <level>   enable/disable roadrunner service
      0: disable (default)
      1: enable
    restart <iface-name>
  socket   display system socket information
  spt
    dump [root|rn|user|slot]   dump spt raw data
    size   display spt record size
  stdio [second]   change terminal timeout value
  syslog
    facility <facility number>   set UNIX syslog server facility
    mode [on|off]   enable/disable the syslog service
    server <server ip>
  time [hh:mm:ss]   set the current system time if the parameter is present
  timer
    disp [a|f|u]   display timer cells
  trcdisp   monitor packets
    brief   online display packet content briefly
    parse   online parse packet content
  trcl
    call   display call events
    clear   clear trace
    disp   display trace log
    level [#]   set trace level of trace log (#: 1-10)
    online [on|off]   turn online display of the trace log on or off
    switch [on|off]   turn the system trace log on or off
    type <bitmap>   set trace type of trace log
  trcp
    chann <name> [none|incoming|outgoing|bothway]   set packet trace direction for a given channel (<name>: enet0, enet1)
    create <entry> <size>   create packet trace buffer
    destroy   packet trace related commands
    disp   display packet trace
    switch [on|off]   turn the packet trace on or off
    udp [sw|addr|port]   send packet trace to another system
    brief   display packet content briefly
    parse [[begin_idx], end_idx]   parse packet content
  version   display RAS code and driver version
  view <filename>   view a text file
  wdog
    switch [on|off]   turn wdog on or off
    cnt <value>   display watchdog counts (value: 0-34463)

<hostid> format : xxx.xxx.xxx.xxx (ip Address)
<ether addr> format : xx:xx:xx:xx:xx:xx
<iface> : enif0, enif1
<gw> : gateway ip address
 

ip
  address   display host ip address
  arp
    add <hostid> ether <ether addr>   add an arp entry
    drop <hostid> [ether]   drop an arp entry
    flush   flush arp
    publish   add proxy arp
    status   display ip arp status
  dhcp <iface name>   set dhcp configuration
    server arpcount <num>
    server dnsserver <dnsIP1> <dnsIP2>
    server gateway <gateway IP>
    server hostname <hostname>
    server leasetime <period>
    server netmask <netmask>
    server pool <start IP> <num>
    server rebindtime <period>
    server renewaltime <period>
    server reset
    status   display iface DHCP information (iface-name: enif1, enif0)
    client release   release DHCP client IP
    client renew   renew DHCP client IP
  dns
    table   display dns table
    stats [disp|clear]   display or clear dns statistics
  icmp
    echo [on|off]   respond to ICMP echo requests
    status   display icmp statistic counters
    trace [on|off]   turn on/off trace for debugging
    discovery <iface name> [on|off]   turn on|off icmp router discovery response
  ifconfig   display ifconfig
  nat
    iface <iface> disp   display current NAT statistics
    loopback on   a LAN user can use the Internet IP to access an internal server on the LAN
  ping <hostid>   ping remote host
  rip
    dialin_user [show|in|out|both|none]   set sending RIP to remote dial-in user
    merge [on|off]   RIP merging
    mode <iface> [in|out] [mode]   mode: 0 - 3
    status   display rip statistic counters
  route
    add <dest addr>[/<bits>] <gateway> [<metric>]   add route
    addprivate   add private route
    drop <host address> [/bits]   drop a route
    errcnt [disp|clear]   display|clear routing statistic counters
    flush   flush route table
    status   display routing table
  status   display ip statistic counters
  tcp
    status   display TCP statistic counters
  udp
    status

<ch-name> : enet0, enet1  

ether
  config   display Ethernet driver configuration information
  driver
    cnt disp <ch-name>   display ether driver counters
    cnt clear <ch-name>   ch-name: enet0, enet1
    reg   display LAN hardware related registers
    status <ch-name>   ch-name: enet0, enet1
    rxmod <mode>   set LAN receive mode
      1: turn off receiving
      2: receive only packets of this interface
      3: mode 2 + broadcast
      5: mode 2 + multicast
      6: all packets
  debug   display Ethernet debug information
    disp <ch-name>   display Ethernet debug information
    level <ch-name> <level>   set the Ethernet debug level
      0: disable debug log
      1: enable debug log (default)
  pkttest
    arp [ip-addr]   send an arp request
    disp event [ch-name] [on|off]   enable packet test event trace
    disp packet [1|2|3]   packet test display level
    sap   send an sap packet
  version   display driver version

The value for <set#> can be 1 or 2:
set 1 = LAN to WAN direction
set 2 = WAN to LAN direction
The value for <rule#> ranges from 1 to 10, i.e., 10 rules in total per set.

config
  edit firewall active <yes|no>   Activate or deactivate the saved firewall settings
  retrieve firewall   Retrieve the currently saved firewall settings
  save firewall   Save the current firewall settings
  display firewall   Display all the firewall settings
    set <set#>   Display the current entries of a set configuration, including timeout values, name, default-permit, and the number of rules in the set
    set <set#> rule <rule#>   Display the current entries of a rule in a set
    attack   Display all the attack alert settings in PNC
    e-mail   Display all the e-mail settings in PNC
    ?   Display all the available sub commands
  edit firewall e-mail
    mail-server <mail server IP>   Edit the IP of the mail server used to send the alert
    return-addr <e-mail address>   Edit the return address of an e-mail alert
    e-mail-to <e-mail address>   Edit the mail address the alert is sent to
    policy <full | hourly | daily | weekly>   Edit the e-mail schedule: when the log is full, or hourly, daily or weekly
    day <sunday | monday | tuesday | wednesday | thursday | friday | saturday>   Edit the day to send the log when the e-mail policy is set to weekly
    hour <0~23>   Edit the hour to send the log when the e-mail policy is set to daily or weekly
    minute <0~59>   Edit the minute to send the log when the e-mail policy is set to daily or weekly
  edit firewall attack
    send-alert <yes|no>   Activate or deactivate the firewall DoS attack notification e-mails
    block <yes|no>   yes: block the traffic when the tcp-max-incomplete threshold is exceeded; no: delete the oldest half-open session when the tcp-max-incomplete threshold is exceeded
    block-minute <0~255>   Only valid when 'block' is set to yes; the unit is minutes
    minute-high <0~255>   The threshold at which the firewall starts deleting old half-open sessions, until minute-low is reached
    minute-low <0~255>   The threshold at which the firewall stops deleting old half-open sessions
    max-incomplete-high <0~255>   The threshold at which the firewall starts deleting old half-open sessions, until max-incomplete-low is reached
    max-incomplete-low <0~255>   The threshold at which the firewall stops deleting half-open sessions
    tcp-max-incomplete <0~255>   The threshold above which the 'block' setting is applied
  edit firewall set <set#>
    name <desired name>   Edit the name of a set
    default-permit <forward|block>   Edit whether a packet is dropped or forwarded when it matches no rule in the set
    icmp-timeout <seconds>   Edit the timeout after which an idle ICMP session is terminated
    udp-idle-timeout <seconds>   Edit the timeout after which an idle UDP session is terminated
    connection-timeout <seconds>   Edit the wait time for a TCP session in SYN state before it is terminated
    fin-wait-timeout <seconds>   Edit the wait time for the FIN that concludes a TCP session before it is terminated
    tcp-idle-timeout <seconds>   Edit the timeout after which an idle TCP session is terminated
    pnc <yes|no>   PNC is allowed when set to 'yes', even if a rule blocks PNC
    log <yes|no>   Switch on/off logging of packets handled by the default permit
  edit firewall set <set#> rule <rule#>
    permit <forward|block>   Edit whether a packet is dropped or forwarded when it matches this rule
    active <yes|no>   Edit whether the rule is enabled
    protocol <0~255>   Edit the protocol number for the rule: 1=ICMP, 6=TCP, 17=UDP, ...
    log <none|match|not-match|both>   Send a log for the rule never, when a packet matches, when a packet does not match, or in both cases
    alert <yes|no>   Activate or deactivate the notification when a DoS attack occurs or any alert setting is violated; in that case the function sends an e-mail to the SMTP destination address and logs an alert
    srcaddr-single <ip address>   Select and edit a single source address that matches this rule
    srcaddr-subnet <ip address> <subnet mask>   Select and edit a source address and subnet mask that match this rule
    srcaddr-range <start ip address> <end ip address>   Select and edit a source address range that matches this rule
    destaddr-single <ip address>   Select and edit a single destination address that matches this rule
    destaddr-subnet <ip address> <subnet mask>   Select and edit a destination address and subnet mask that match this rule
    destaddr-range <start ip address> <end ip address>   Select and edit a destination address range that matches this rule
    tcp destport-single <port#>   Select and edit the TCP destination port that matches this rule; for non-consecutive port numbers, repeat this command once per port
    tcp destport-range <start port#> <end port#>   Select and edit a TCP destination port range that matches this rule
    udp destport-single <port#>   Select and edit the UDP destination port that matches this rule; for non-consecutive port numbers, repeat this command once per port
    udp destport-range <start port#> <end port#>   Select and edit a UDP destination port range that matches this rule
    desport-custom <desired custom port name>   Type in the desired custom port name
  delete firewall e-mail   Remove all e-mail alert settings
  delete firewall attack   Reset all alert settings to defaults
  delete firewall set <set#>   Remove a specified set from the firewall configuration
  delete firewall set <set#> rule <rule#>   Remove a specified rule in a set from the firewall configuration
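The firewall configuration above is a sequence of `config edit firewall ...` commands followed by `config save firewall` and `config edit firewall active yes`. The following Python script is an added example, not ZyXEL's code: it builds such a command script from a structured description and enforces the ranges the reference states (set# 1 or 2, rule# 1 to 10, protocol and attack thresholds 0 to 255, a low watermark never above its high one) before anything is typed into the CI. It assumes the argument order shown in the tables (`config edit firewall set <set#> rule <rule#> <field> <value>`), that the CI takes one command per line, and that a `*-single` port command may be repeated for non-consecutive ports as the reference says; the sample set, rules, addresses and thresholds are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

PERMIT_VALUES = ("forward", "block")                 # keywords and ranges from the reference
PROTO_TCP, PROTO_UDP = 6, 17
ATTACK_FIELDS = ("block-minute", "minute-high", "minute-low", "max-incomplete-high",
                 "max-incomplete-low", "tcp-max-incomplete")

def _check_range(name: str, value: int, lo: int, hi: int) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}..{hi}")

def _addr_args(prefix: str, spec: str) -> str:
    """Map a constructed address spec onto the three address forms the CI accepts."""
    if "-" in spec:                                    # "start-end" -> *-range
        start, end = spec.split("-", 1)
        if IPv4Address(start) > IPv4Address(end):
            raise ValueError("range start must not exceed range end")
        return f"{prefix}-range {start} {end}"
    if "/" in spec:                                    # CIDR -> *-subnet <ip> <mask>
        net = IPv4Network(spec, strict=False)
        return f"{prefix}-subnet {net.network_address} {net.netmask}"
    return f"{prefix}-single {IPv4Address(spec)}"      # one host -> *-single

@dataclass
class Rule:
    number: int
    permit: str = "block"
    protocol: int = PROTO_TCP          # 1=ICMP, 6=TCP, 17=UDP
    log: str = "match"
    alert: bool = False
    src: Optional[str] = None          # "a.b.c.d", "a.b.c.d/nn" or "a.b.c.d-e.f.g.h"
    dst: Optional[str] = None
    dst_ports: List = field(default_factory=list)   # ints or (start, end) tuples

    def commands(self, set_no: int) -> List[str]:
        _check_range("rule#", self.number, 1, 10)
        _check_range("protocol", self.protocol, 0, 255)
        if self.dst_ports and self.protocol not in (PROTO_TCP, PROTO_UDP):
            raise ValueError("destination ports are only valid for TCP (6) or UDP (17)")
        base = f"config edit firewall set {set_no} rule {self.number}"
        out = [f"{base} permit {self.permit}", f"{base} active yes",
               f"{base} protocol {self.protocol}", f"{base} log {self.log}",
               f"{base} alert {'yes' if self.alert else 'no'}"]
        for prefix, spec in (("srcaddr", self.src), ("destaddr", self.dst)):
            if spec:
                out.append(f"{base} {_addr_args(prefix, spec)}")
        l4 = "tcp" if self.protocol == PROTO_TCP else "udp"
        for p in self.dst_ports:       # non-consecutive ports: one *-single line each
            lo, hi = p if isinstance(p, tuple) else (p, p)
            _check_range("port", lo, 1, 65535)
            _check_range("port", hi, lo, 65535)
            form = f"destport-single {lo}" if lo == hi else f"destport-range {lo} {hi}"
            out.append(f"{base} {l4} {form}")
        return out

@dataclass
class FirewallSet:
    number: int                        # 1 = LAN to WAN, 2 = WAN to LAN
    name: str
    default_permit: str = "block"      # drop anything no rule matches
    rules: List[Rule] = field(default_factory=list)

    def commands(self) -> List[str]:
        _check_range("set#", self.number, 1, 2)
        numbers = [r.number for r in self.rules]
        if len(numbers) > 10 or len(set(numbers)) != len(numbers):
            raise ValueError("at most 10 rules per set, with unique rule numbers")
        base = f"config edit firewall set {self.number}"
        out = [f"{base} name {self.name}", f"{base} default-permit {self.default_permit}"]
        for rule in sorted(self.rules, key=lambda r: r.number):
            out.extend(rule.commands(self.number))
        return out

def attack_commands(block: bool, thresholds: Dict[str, int]) -> List[str]:
    """Half-open session thresholds; each high watermark must not be below its low one."""
    for name in ATTACK_FIELDS:
        _check_range(name, thresholds[name], 0, 255)
    for lo, hi in (("minute-low", "minute-high"), ("max-incomplete-low", "max-incomplete-high")):
        if thresholds[lo] > thresholds[hi]:
            raise ValueError(f"{lo} is above {hi}")
    base = "config edit firewall attack"
    return ([f"{base} send-alert yes", f"{base} block {'yes' if block else 'no'}"]
            + [f"{base} {name} {thresholds[name]}" for name in ATTACK_FIELDS])

def build_script(sets: List[FirewallSet], attack: List[str]) -> List[str]:
    # Whole session: edit everything, save, then activate the saved settings.
    edits = [line for s in sets for line in s.commands()]
    return edits + attack + ["config save firewall", "config edit firewall active yes"]

# Constructed sample: WAN-to-LAN set admitting HTTP to one host, blocking DNS from 10/8.
WAN_TO_LAN = FirewallSet(2, "WAN_TO_LAN", rules=[
    Rule(1, permit="forward", dst="192.168.1.10", dst_ports=[80, (8080, 8081)]),
    Rule(2, protocol=PROTO_UDP, src="10.0.0.0/8", dst_ports=[53], alert=True),
])
THRESHOLDS = {"block-minute": 10, "minute-high": 20, "minute-low": 10,
              "max-incomplete-high": 100, "max-incomplete-low": 80, "tcp-max-incomplete": 30}
SCRIPT = build_script([WAN_TO_LAN], attack_commands(True, THRESHOLDS))
```

Feed the resulting lines to the CI one at a time and finish with `config display firewall set 2` to confirm what the device stored. The validation catches mis-ordered low/high thresholds and a port specification on a non-TCP/UDP rule before they reach the device, and the single-host, subnet and range address forms are chosen from the same spec string so a rule set can be reviewed as data rather than as a transcript.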
ipsec
  debug <1|0>   turn on|off trace for IPsec debug information
  ipsec_log_disp   show IPSec log, same as menu 27.3
  route dmz <on|off>   After a packet has been IPSec processed and is to be sent to the DMZ side, this switch controls whether IPSec can be applied to the packet again.
    Remark: Command available since 3.50(WA.3)
  route lan <on|off>   After a packet has been IPSec processed and is to be sent to the LAN side, this switch controls whether IPSec can be applied to the packet again.
    Remark: Command available since 3.50(WA.3)
  route wan <on|off>   After a packet has been IPSec processed and is to be sent to the WAN side, this switch controls whether IPSec can be applied to the packet again.
    Remark: Command available since 3.50(WA.3)
  show_runtime sa   display runtime phase 1 and phase 2 SA information
  show_runtime spd   When a dynamic rule accepts a request and a tunnel is established, a runtime SPD is created according to the peer's local IP address. This command shows these runtime SPDs.
  switch <on|off>   As long as at least one active IPSec rule exists, all packets enter IPSec processing to check the SPD. This switch controls whether a packet should do so: when it is turned on, packets do not enter IPSec processing even if active IPSec rules exist.
  timer chk_my_ip <1~3600>   Adjust the timer that checks whether the WAN IP in the menu has changed
    - Interval is in seconds
    - Default is 10 seconds
    - 0 is not a valid value
  timer chk_conn <2~255>   Adjust the auto-timer that checks whether an IPsec connection has had no traffic for a certain period; if so, the system disconnects it
    - Interval is in minutes
    - Default is 2 minutes
    - 0 means never timeout
  timer update_peer <5~255>   Adjust the auto-timer that updates IPSec rules which use a domain name as the secure gateway IP
    - Interval is in minutes
    - Default is 30 minutes
    - 0 means never update
    Remark: Command available since 3.50(WA.3)
  updatePeerIp   Force the system to update IPSec rules which use a domain name as the secure gateway IP right away
    Remark: Command available since 3.50(WA.3)
  dial <rule #>   Initiate IPSec rule <#> from the Prestige box
    Remark: Command available since 3.50(WA.3)

All contents copyright (c) 2000 ZyXEL Communications Corporation.