A command line interface (CLI) is a user interface to interact with a switch. Through the CLI on a switch, a user can enter commands to configure the switch and check output information to verify the configuration. Each S3100 series Ethernet switch provides an easy-to-use CLI and a set of configuration commands for the convenience of the user to configure and manage the switch.
The CLI on S3100 series Ethernet switches provides the following features, which make the switches easy to manage and operate.
- Hierarchical command protection: After users of different levels log in, they can only use commands at their own, or lower, levels. This prevents users from using unauthorized commands to configure switches.
- Online help: Users can gain online help at any time by entering a question mark (?).
- Debugging: Abundant and detailed debugging information is provided to help users diagnose and locate network problems.
- Command history function: This enables users to check the commands that they have recently executed and re-execute them.
- Partial matching of commands: The system searches for commands by partial matching. This allows users to execute a command by entering partially spelled command keywords, as long as the system can uniquely identify the keywords entered.
I. Command level
The S3100 series Ethernet switches use hierarchical command protection for command lines, so that users at lower levels cannot use higher-level commands to configure the switches.
Based on user privilege, commands are classified into four levels, which default to:
- Visit level (level 0): Commands at this level are mainly used to diagnose the network, and they cannot be saved in the configuration file. For example, ping, tracert and telnet are level 0 commands.
- Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in the configuration file. Such commands include debugging and terminal.
- System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and network layers are at this level. These commands can be used to provide network services directly.
- Manage level (level 3): Commands at this level are associated with the basic operation modules and support modules of the system. These commands provide support for services. Commands concerning the file system, FTP/TFTP/XModem downloading, user management, and level setting are at this level.
II. User privilege level
Users logged into the switch fall into four user privilege levels, which correspond to the four command levels respectively. Users at a specific level can only use the commands at the same level or lower levels.
By default, the Console user (a user who logs into the switch through the Console port) is a level-3 user, and Telnet users are level-0 users.
You can use the user privilege level command to set the default user privilege level for users logging in through a certain user interface. For details, refer to Login Operation.
If a user logs in using AAA authentication, the user privilege level depends on the configuration of the AAA scheme. For details, refer to AAA Operation.
I. Modifying the command level
Commands fall into four levels: visit (level 0), monitor (level 1), system (level 2), and manage (level 3). By using the following command, the administrator can change the level of a command in a specific view as required.
Table 1-1 Set the level of a command in a specific view
| Operation | Command | Remarks |
| Enter system view | system-view | — |
| Configure the level of a command in a specific view | command-privilege level level view view command | Required |
Caution:
- It is recommended not to change the level of a command arbitrarily, as doing so may cause inconvenience to maintenance and operation.
- When you change the level of a command with multiple keywords, you must enter the keywords one by one in the order they appear in the command syntax. Otherwise, your configuration will not take effect.
II. Configuration example
The network administrator (a level 3 user) wants to change some TFTP commands (such as tftp get) from level 3 to level 0, so that general Telnet users (level 0 users) are able to download files through TFTP.
# Change the tftp get command in user view (shell) from level 3 to level 0. (Only level 3 users can change the level of a command.)
<Sysname> system-view
[Sysname] command-privilege level 0 view shell tftp
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm
After the above configuration, general Telnet users can use the tftp get command to download the file bootrom.btm and other files from the TFTP server 192.168.0.1 and other TFTP servers. Bear in mind that a command the default levels reserve for manage-level users is now available to every Telnet user, so such a change should be made deliberately (see the caution above).
Table 1-2 User level switching configuration task list
You can switch between user levels through the corresponding commands after logging into a switch successfully. Switching from a higher user level to a lower one is unrestricted, whereas switching from a lower user level to a higher one requires the corresponding authentication. The super password authentication mode and the HWTACACS authentication mode can be enabled at the same time to provide authentication redundancy.
The authentication mode for user level switching is configured by level-3 users, as described in Table 1-3.
Table 1-3 Specify the authentication mode for user level switching
| Operation | Command | Remarks |
| Enter system view | system-view | — |
| Enter user interface view | user-interface [ type ] first-number [ last-number ] | — |
| Specify the authentication mode for user level switching: super password authentication | super authentication-mode super-password | Optional. By default, super password authentication is adopted for user level switching. |
| Specify the authentication mode for user level switching: HWTACACS authentication | super authentication-mode scheme | As above |
| Specify the authentication mode for user level switching: super password authentication preferred (with HWTACACS authentication as the backup authentication mode) | super authentication-mode super-password scheme | As above |
| Specify the authentication mode for user level switching: HWTACACS authentication preferred (with super password authentication as the backup authentication mode) | super authentication-mode scheme super-password | As above |
When both the super password authentication and the HWTACACS authentication are specified, the device adopts the preferred authentication mode first. If the preferred authentication mode cannot be implemented (for example, the super password is not configured or the HWTACACS authentication server is unreachable), the backup authentication mode is adopted.
With the super password set, you can pass the super password authentication successfully only when you provide the super password as prompted. If no super password is set, the system prompts “%Password is not set” when you attempt to switch to a higher user level. In this case, you cannot pass the super password authentication.
Table 1-4 lists the operations to configure super password authentication for user level switching, which can only be performed by level-3 users.
Table 1-4 Set a password for user level switching
| Operation | Command | Remarks |
| Enter system view | system-view | — |
| Set the super password for user level switching | super password [ level level ] { cipher | simple } password | Required. By default, the super password is not set. |
To implement HWTACACS authentication for user level switching, a level-3 user must perform the commands listed in Table 1-5 to configure the HWTACACS authentication scheme used for low-to-high user level switching. With HWTACACS authentication enabled, you can pass the HWTACACS authentication successfully only after you provide the right user name and the corresponding password as prompted. Note that if you have passed the HWTACACS authentication when logging in to the switch, only the password is required.
Table 1-5 lists the operations to configure HWTACACS authentication for user level switching, which can only be performed by level-3 users.
Table 1-5 Set the HWTACACS authentication scheme for user level switching
| Operation | Command | Description |
| Enter system view | system-view | — |
| Enter ISP domain view | domain domain-name | — |
| Set the HWTACACS authentication scheme for user level switching | authentication super hwtacacs-scheme hwtacacs-scheme-name | Required. By default, the HWTACACS authentication scheme for user level switching is not set. |
When setting the HWTACACS authentication scheme for user level switching using the authentication super hwtacacs-scheme command, make sure the HWTACACS authentication scheme identified by the hwtacacs-scheme-name argument already exists. Refer to AAA Operation for information about HWTACACS authentication schemes.
Table 1-6 Switch to a specific user level
| Operation | Command | Remarks |
| Switch to a specified user level | super [ level ] | Required. Execute this command in user view. |
- If no user level is specified in the super password command or the super command, level 3 is used by default.
- For security purposes, the password entered is not displayed when you switch to another user level. If you fail three times to enter the correct authentication information, you remain at the original user level.
V. Configuration example
After a general user telnets to the switch, his/her user level is 0. Now, the network administrator wants to allow general users to switch to level 3, so that they are able to configure the switch.
1) Super password authentication configuration example
# A level 3 user sets a switching password for user level 3.
<Sysname> system-view
[Sysname] super password level 3 simple 123
# A general user telnets to the switch, and then uses the set password to switch to user level 3.
<Sysname> super 3
Password:
User privilege level is 3, and only those commands can be used whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
# After configuring the switch, the general user switches back to user level 0.
<Sysname> super 0
User privilege level is 0, and only those commands can be used whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
2) HWTACACS authentication configuration example
# Configure an HWTACACS authentication scheme named acs, and specify the user name and password used for user level switching on the HWTACACS server defined in the scheme. Refer to AAA Operation for detailed configuration procedures.
# Enable HWTACACS authentication for VTY 0 user level switching.
<Sysname> system-view
[Sysname] user-interface vty 0
[Sysname-ui-vty0] super authentication-mode scheme
[Sysname-ui-vty0] quit
# Specify the HWTACACS authentication scheme named acs for user level switching in the ISP domain named system.
[Sysname] domain system
[Sysname-isp-system] authentication super hwtacacs-scheme acs
# Switch to user level 3 (assuming that you log into the switch as a VTY 0 user by Telnet).
<Sysname> super 3
Username: user@system
Password:
User privilege level is 3, and only those commands can be used whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
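As an added example (not code from the S3100 documentation), the following Python script audits a configuration excerpt for the privilege settings covered in the command level example above and in the user level switching configuration: command-privilege changes that demote manage-level commands such as tftp, super passwords stored in simple (plain-text) form, and VTY lines that rely on super password authentication while no super password is set. The keyword list, the sample configuration and the running-config layout are constructed assumptions.

```python
"""Audit a Comware-style configuration excerpt for the privilege settings this
chapter describes. Added example; not code from the S3100 documentation."""
import re

# Keywords the chapter places at manage level (3): file system, FTP/TFTP/XModem
# downloading and user management. Assumed, illustrative list.
MANAGE_LEVEL_KEYWORDS = {"tftp", "ftp", "xmodem", "local-user", "delete", "copy"}
DEFAULT_SUPER_MODE = ("super-password",)  # chapter default for level switching

# Constructed running-config excerpt using the chapter's command syntax.
SAMPLE_CONFIG = """\
#
 command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm
 super password level 3 simple 123
#
user-interface vty 0
 super authentication-mode scheme
user-interface vty 1 4
#
"""


def audit_config(config):
    """Return a list of findings (strings) for the given configuration text."""
    findings = []
    super_pw = {}    # super password level -> "simple" or "cipher"
    vty_modes = {}   # "vty N" -> authentication modes in order of preference
    current_ui = []  # VTY lines selected by the most recent user-interface command
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"command-privilege level (\d) view (\S+) (.+)", line):
            level, view, words = int(m.group(1)), m.group(2), m.group(3).split()
            if words[0] in MANAGE_LEVEL_KEYWORDS and level < 3:
                findings.append(f"{view} view: '{' '.join(words)}' demoted from level 3 to {level}")
        elif m := re.match(r"super password(?: level (\d))? (simple|cipher) \S+", line):
            level = int(m.group(1) or 3)  # chapter: level 3 when omitted
            super_pw[level] = m.group(2)
            if m.group(2) == "simple":
                findings.append(f"super password for level {level} stored in plain text (simple)")
        elif m := re.match(r"user-interface vty (\d+)(?: (\d+))?$", line):
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current_ui = [f"vty {n}" for n in range(first, last + 1)]
            for ui in current_ui:
                vty_modes.setdefault(ui, DEFAULT_SUPER_MODE)
        elif m := re.match(r"super authentication-mode (.+)", line):
            for ui in current_ui:
                vty_modes[ui] = tuple(m.group(1).split())
        elif line in ("#", "quit"):  # back in system view
            current_ui = []
    # Super password only, but none set: every 'super' attempt on these lines
    # would fail with "%Password is not set", so nobody can raise their level.
    for ui, modes in sorted(vty_modes.items()):
        if modes == DEFAULT_SUPER_MODE and 3 not in super_pw:
            findings.append(f"{ui}: super password authentication in force but no level-3 super password is set")
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` reports the tftp demotion and the plain-text super password; the VTY lines are clean because a level-3 super password exists.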
CLI views are designed for different configuration tasks. They are related to one another but distinct. For example, once a user logs into a switch successfully, the user enters user view, where the user can perform some simple operations such as checking the operation status and statistics of the switch. After executing the system-view command, the user enters system view, from which the user can go to other views by entering the corresponding commands.
Table 1-7 lists the CLI views provided by S3100 series Ethernet switches, the operations that can be performed in each view, and the commands used to enter each view.
Table 1-7 CLI views
| View | Available operation | Prompt example | Enter method | Quit method |
| User view | Display operation status and statistical information of the switch | <Sysname> | Enter user view once logging into the switch. | Execute the quit command to log out of the switch. |
| System view | Configure system parameters | [Sysname] | Execute the system-view command in user view. | Execute the quit or return command to return to user view. |
| Ethernet port view | Configure Ethernet port parameters | 100 Mbps Ethernet port view: [Sysname-Ethernet1/0/1] | Execute the interface ethernet command in system view. | Execute the quit command to return to system view. Execute the return command to return to user view. |
| Ethernet port view | Configure Ethernet port parameters | 1000 Mbps Ethernet port view: [Sysname-GigabitEthernet1/1/1] | Execute the interface gigabitethernet command in system view. | As above |
| Aux1/0/0 port (the console port) view | The S3100 series do not support configuration on port Aux1/0/0 | [Sysname-Aux1/0/0] | Execute the interface aux 1/0/0 command in system view. | As above |
| VLAN view | Configure VLAN parameters | [Sysname-vlan1] | Execute the vlan command in system view. | As above |
| VLAN interface view | Configure VLAN interface parameters, including the management VLAN parameters | [Sysname-Vlan-interface1] | Execute the interface Vlan-interface command in system view. | As above |
| Loopback interface view | Configure loopback interface parameters | [Sysname-LoopBack0] | Execute the interface loopback command in system view. | As above |
| NULL interface view | Configure NULL interface parameters | [Sysname-NULL0] | Execute the interface null command in system view. | As above |
| Local user view | Configure local user parameters | [Sysname-luser-user1] | Execute the local-user command in system view. | As above |
| User interface view | Configure user interface parameters | [Sysname-ui-aux0] | Execute the user-interface command in system view. | As above |
| FTP client view | Configure FTP client parameters | [ftp] | Execute the ftp command in user view. | As above |
| SFTP client view | Configure SFTP client parameters | sftp-client> | Execute the sftp command in system view. | As above |
| MST region view | Configure MST region parameters | [Sysname-mst-region] | Execute the stp region-configuration command in system view. | As above |
| Cluster view | Configure cluster parameters | [Sysname-cluster] | Execute the cluster command in system view. | As above |
| Public key view | Configure the RSA public key for SSH users | [Sysname-rsa-public-key] | Execute the rsa peer-public-key command in system view. | Execute the peer-public-key end command to return to system view. |
| Public key view | Configure the RSA or DSA public key for SSH users | [Sysname-peer-public-key] | Execute the public-key peer command in system view. | As above |
| Public key editing view | Edit the RSA public key for SSH users | [Sysname-rsa-key-code] | Execute the public-key-code begin command in public key view. | Execute the public-key-code end command to return to public key view. |
| Public key editing view | Edit the RSA or DSA public key for SSH users | [Sysname-peer-key-code] | As above | As above |
| Basic ACL view | Define rules for a basic ACL (with ID ranging from 2000 to 2999) | [Sysname-acl-basic-2000] | Execute the acl number command in system view. | Execute the quit command to return to system view. Execute the return command to return to user view. |
| Advanced ACL view | Define rules for an advanced ACL (with ID ranging from 3000 to 3999) | [Sysname-acl-adv-3000] | Execute the acl number command in system view. | As above |
| Layer 2 ACL view | Define rules for a layer 2 ACL (with ID ranging from 4000 to 4999) | [Sysname-acl-ethernetframe-4000] | Execute the acl number command in system view. | As above |
| QoS profile view | Define a QoS profile | [Sysname-qos-profile-a123] | Execute the qos-profile command in system view. | As above |
| RADIUS scheme view | Configure RADIUS scheme parameters | [Sysname-radius-1] | Execute the radius scheme command in system view. | As above |
| ISP domain view | Configure ISP domain parameters | [Sysname-isp-aaa123.net] | Execute the domain command in system view. | As above |
| HWPing view | Configure HWPing parameters | [Sysname-hwping-a123-a123] | Execute the hwping command in system view. | As above |
| HWTACACS view | Configure HWTACACS parameters | [Sysname-hwtacacs-a123] | Execute the hwtacacs scheme command in system view. | As above |
| Smart link group view | Configure smart link group parameters | [Sysname-smlk-group1] | Execute the smart-link group command in system view. | As above |
| Monitor link group view | Configure monitor link group parameters | [Sysname-mtlk-group1] | Execute the monitor-link group command in system view. | As above |
| QinQ view | Configure QinQ parameters | [Sysname-Ethernet1/0/1-vid-20] | Execute the vlan-vpn vid command in Ethernet port view. The vlan-vpn enable command must be executed first. | Execute the quit command to return to Ethernet port view. Execute the return command to return to user view. |
The shortcut key <Ctrl+Z> is equivalent to the return command.
When configuring the switch, you can use the online help to get related help information. The CLI provides two types of online help: complete and partial.
I. Complete online help
1) Enter a question mark (?) in any view on your terminal to display all the commands available in the view and their brief descriptions. The following takes user view as an example.
<Sysname> ?
User view commands:
  boot        Set boot option
  cd          Change current directory
  clock       Specify the system clock
  cluster     Run cluster command
  copy        Copy from one file to another
  debugging   Enable system debugging functions
  delete      Delete a file
  dir         List files on a file system
  display     Display current system information
<Other information is omitted>
2) Enter a command, a space, and a question mark (?). If the question mark “?” is at a keyword position in the command, all available keywords at the position and their descriptions will be displayed on your terminal.
<Sysname> clock ?
  datetime      Specify the time and date
  summer-time   Configure summer time
  timezone      Configure time zone
If the question mark “?” is at an argument position in the command, the description of the argument will be displayed on your terminal.
[Sysname] interface vlan-interface ?
  <1-4094>  VLAN interface number
If only <cr> is displayed after you enter “?”, it means no parameter is available at the “?” position, and you can enter and execute the command directly.
[Sysname] interface vlan-interface 1 ?
  <cr>
II. Partial online help
1) Enter a character/string, and then a question mark (?) next to it. All the commands beginning with the character/string will be displayed on your terminal. For example:
<Sysname> p?
ping
pwd
2) Enter a command, a space, a character/string and a question mark (?) next to it. All the keywords beginning with the character/string (if available) are displayed on your terminal. For example:
<Sysname> display u?
udp
unit
user-interface
users
3) Enter the first several characters of a keyword of a command and then press <Tab>. If there is a unique keyword beginning with the characters just typed, the unique keyword is displayed in its complete form. If there are multiple keywords beginning with the characters, you can have them displayed one by one (in complete form) by pressing <Tab> repeatedly.
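The following model ties the hierarchical command protection described earlier to the partial matching and help behaviour described above, as an added example that is not code from the S3100 documentation: the command table is a constructed subset of user view whose levels follow this chapter where it states them (placing display at level 1 is an assumption), and the model assumes help output is filtered to the user's level in the same way as execution.

```python
"""Model of hierarchical command protection combined with partial matching,
as described above. Added example, not code from the S3100 documentation."""

# Constructed user-view command table: keyword -> (command level, description).
# Levels follow the chapter (ping/tracert/telnet 0, debugging 1, file system
# and TFTP 3); placing display at level 1 is an assumption.
USER_VIEW_COMMANDS = {
    "ping": (0, "Ping function"),
    "pwd": (0, "Display current working directory"),
    "telnet": (0, "Establish a telnet connection"),
    "tracert": (0, "Trace route function"),
    "debugging": (1, "Enable system debugging functions"),
    "display": (1, "Display current system information"),
    "delete": (3, "Delete a file"),
    "dir": (3, "List files on a file system"),
    "tftp": (3, "Open TFTP connection"),
}


def help_list(prefix, user_level, table=USER_VIEW_COMMANDS):
    """Keywords that '<prefix>?' would list: those starting with the prefix and
    at or below the user's level (assumes help is filtered like execution)."""
    return sorted(k for k, (level, _) in table.items()
                  if k.startswith(prefix) and level <= user_level)


def resolve(prefix, user_level, table=USER_VIEW_COMMANDS):
    """Resolve a partially spelled keyword: an exact keyword or a prefix that
    identifies exactly one permitted keyword succeeds; anything else is an
    error, and commands above the user's level are never matched."""
    candidates = help_list(prefix, user_level, table)
    if prefix in candidates:
        return prefix
    if len(candidates) == 1:
        return candidates[0]
    if not candidates:
        raise LookupError(f"Unrecognized command: {prefix}")
    raise LookupError(f"Ambiguous command: {prefix} ({', '.join(candidates)})")
```

For a level-0 user, `help_list("p", 0)` reproduces the page's `p?` output (ping, pwd), while `resolve("tf", 0)` fails because tftp is a level-3 command.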
The CLI provides a screen splitting feature that suspends display output when the screen is full. When display output pauses, you can perform the following operations as needed (see Table 1-8).
Table 1-8 Display-related operations
| Operation | Function |
| Press <Ctrl+C> | Stop the display output and execution of the command. |
| Press any character except <Space>, <Enter>, /, +, and - when the display output pauses | Stop the display output. |
| Press the space key | Get to the next page. |
| Press <Enter> | Get to the next line. |
The CLI provides the command history function. You can use the display history-command command to view a specific number of the latest executed commands and execute them again conveniently. By default, the CLI can store up to 10 latest executed commands for each user. You can view the command history by performing the operations listed in Table 1-9.
Table 1-9 View history commands
| Purpose | Operation | Remarks |
| Display the latest executed history commands | Execute the display history-command command | This command displays the command history. |