H3C S3100 Series Ethernet Switches Operation Manual (For Soliton)(V1.02)

01-CLI Operation

Chapter 1  CLI Configuration

1.1  Introduction to the CLI

A command line interface (CLI) is a user interface for interacting with a switch. Through the CLI, a user can enter commands to configure the switch and check the output to verify the configuration. Each S3100 series Ethernet switch provides an easy-to-use CLI and a set of configuration commands for configuring and managing the switch.

The CLI on S3100 series Ethernet switches provides the following features, which give it good manageability and operability:

• Hierarchical command protection: After users of different levels log in, they can only use commands at their own, or lower, levels. This prevents users from using unauthorized commands to configure switches.

• Online help: Users can get online help at any time by entering a question mark (?).

• Debugging: Abundant and detailed debugging information is provided to help users diagnose and locate network problems.

• Command history function: This enables users to check the commands that they have recently executed and re-execute them.

• Partial matching of commands: The system uses partial matching to search for commands. This allows users to execute a command by entering partially-spelled command keywords, as long as the keywords entered can be uniquely identified by the system.

1.2  Command Hierarchy

1.2.1  Command Level and User Privilege Level

I. Command level

The S3100 series Ethernet switches use hierarchical command protection for command lines, to prevent users at lower levels from using higher-level commands to configure the switches.

Based on user privilege, commands are classified into four levels, which default to:

• Visit level (level 0): Commands at this level are mainly used to diagnose the network, and they cannot be saved in the configuration file. For example, ping, tracert and telnet are level 0 commands.

• Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in the configuration file. Such commands include debugging and terminal.

• System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and network layers are at this level. These commands can be used to provide network services directly.

• Manage level (level 3): Commands at this level are associated with the basic operation modules and support modules of the system. These commands provide support for services. Commands concerning file system, FTP/TFTP/XModem downloading, user management, and level setting are at this level.

II. User privilege level

Users logged into the switch fall into four user privilege levels, which correspond to the four command levels respectively. Users at a specific level can only use the commands at the same level or lower levels.

By default, the Console user (a user who logs into the switch through the Console port) is a level-3 user, and Telnet users are level-0 users.

You can use the user privilege level command to set the default user privilege level for users logging in through a certain user interface. For details, refer to Login Operation.

 

Note:

If a user logs in using AAA authentication, the user privilege level depends on the configuration of the AAA scheme. For details, refer to AAA Operation.

 

1.2.2  Modifying the Command Level

I. Modifying the command level

Commands fall into four levels: visit (level 0), monitor (level 1), system (level 2), and manage (level 3). By using the following command, the administrator can change the level of a command in a specific view as required.

Table 1-1 Set the level of a command in a specific view

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure the level of a command in a specific view | command-privilege level level view view command | Required |

 

Caution:

• It is recommended not to change the level of a command arbitrarily, for it may cause inconvenience to maintenance and operation.

• When you change the level of a command with multiple keywords, you should input the keywords one by one in the order they appear in the command syntax. Otherwise, your configuration will not take effect.

 

II. Configuration example

The network administrator (a level 3 user) wants to change some TFTP commands (such as tftp get) from level 3 to level 0, so that general Telnet users (level 0 users) are able to download files through TFTP.

# Change the tftp get command in user view (shell) from level 3 to level 0. (Originally, only level 3 users can change the level of a command.)

<Sysname> system-view

[Sysname] command-privilege level 0 view shell tftp

[Sysname] command-privilege level 0 view shell tftp 192.168.0.1

[Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get

[Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm

After the above configuration, general Telnet users can use the tftp get command to download file bootrom.btm and other files from TFTP server 192.168.0.1 and other TFTP servers.

1.2.3  Switching User Level

Table 1-2 User level switching configuration task list

| Operation | Remarks |
|---|---|
| Specifying the authentication mode for user level switching | Optional |
| Adopting super password authentication for user level switching | Required |
| Adopting HWTACACS authentication for user level switching | Required |
| Switching to a specific user level | Required |

 

I. Specifying the authentication mode for user level switching

You can switch between user levels through corresponding commands after logging into a switch successfully. The high-to-low user level switching is unlimited. However, the low-to-high user level switching requires the corresponding authentication. The super password authentication mode and HWTACACS authentication mode are available at the same time to provide authentication redundancy.

The configuration of authentication mode for user level switching is performed by Level-3 users, as described in Table 1-3.

Table 1-3 Specify the authentication mode for user level switching

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter user interface view | user-interface [ type ] first-number [ last-number ] | |
| Specify the authentication mode for user level switching (one of the four modes below) | | Optional. By default, super password authentication is adopted for user level switching. |
| Super password authentication | super authentication-mode super-password | |
| HWTACACS authentication | super authentication-mode scheme | |
| Super password authentication preferred (with the HWTACACS authentication as the backup authentication mode) | super authentication-mode super-password scheme | |
| HWTACACS authentication preferred (with the super password authentication as the backup authentication mode) | super authentication-mode scheme super-password | |

 

Note:

When both the super password authentication and the HWTACACS authentication are specified, the device adopts the preferred authentication mode first. If the preferred authentication mode cannot be implemented (for example, the super password is not configured or the HWTACACS authentication server is unreachable), the backup authentication mode is adopted.

 

II. Adopting super password authentication for user level switching

With the super password set, you can pass the super password authentication successfully only when you provide the super password as prompted. If no super password is set, the system prompts “%Password is not set” when you attempt to switch to a higher user level. In this case, you cannot pass the super password authentication.

Table 1-4 lists the operations to configure super password authentication for user level switching, which can only be performed by level-3 users.

Table 1-4 Set a password for user level switching

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Set the super password for user level switching | super password [ level level ] { cipher \| simple } password | Required. By default, the super password is not set. |

 

III. Adopting HWTACACS authentication for user level switching

To implement HWTACACS authentication for user level switching, a level-3 user must perform the commands listed in Table 1-5 to configure the HWTACACS authentication scheme used for low-to-high user level switching. With HWTACACS authentication enabled, you can pass the HWTACACS authentication successfully only after you provide the right user name and the corresponding password as prompted. Note that if you have passed the HWTACACS authentication when logging in to the switch, only the password is required.

Table 1-5 lists the operations to configure HWTACACS authentication for user level switching, which can only be performed by Level-3 users.

Table 1-5 Set the HWTACACS authentication scheme for user level switching

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | |
| Enter ISP domain view | domain domain-name | |
| Set the HWTACACS authentication scheme for user level switching | authentication super hwtacacs-scheme hwtacacs-scheme-name | Required. By default, the HWTACACS authentication scheme for user level switching is not set. |

 

Note:

When setting the HWTACACS authentication scheme for user level switching using the authentication super hwtacacs-scheme command, make sure the HWTACACS authentication scheme identified by the hwtacacs-scheme-name argument already exists. Refer to AAA Operation for information about HWTACACS authentication scheme.

 

IV. Switching to a specific user level

Table 1-6 Switch to a specific user level

| Operation | Command | Remarks |
|---|---|---|
| Switch to a specified user level | super [ level ] | Required. Execute this command in user view. |

 

Note:

• If no user level is specified in the super password command or the super command, level 3 is used by default.

• For security purposes, the password entered is not displayed when you switch to another user level. You will remain at the original user level if you have tried three times but failed to enter the correct authentication information.

 

V. Configuration example

After a general user telnets to the switch, his/her user level is 0. Now, the network administrator wants to allow general users to switch to level 3, so that they are able to configure the switch.

1)         Super password authentication configuration example

# A level 3 user sets a switching password for user level 3.

<Sysname> system-view

[Sysname] super password level 3 simple 123

# A general user telnets to the switch, and then uses the set password to switch to user level 3.

<Sysname> super 3

 Password:

User privilege level is 3, and only those commands can be used

whose level is equal or less than this.

Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

# After configuring the switch, the general user switches back to user level 0.

<Sysname> super 0

User privilege level is 0, and only those commands can be used

whose level is equal or less than this.

Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

2)         HWTACACS authentication configuration example

# Configure a HWTACACS authentication scheme named acs, and specify the user name and password used for user level switching on the HWTACACS server defined in the scheme. Refer to AAA Operation for detailed configuration procedures.

# Enable HWTACACS authentication for VTY 0 user level switching.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] super authentication-mode scheme

[Sysname-ui-vty0] quit

# Adopt the HWTACACS authentication scheme named acs for user level switching in the ISP domain named system.

[Sysname] domain system

[Sysname-isp-system] authentication super hwtacacs-scheme acs

# Switch to user level 3 (assuming that you log into the switch as a VTY 0 user by Telnet).

<Sysname> super 3

 Username: user@system

 Password:

User privilege level is 3, and only those commands can be used

whose level is equal or less than this.

Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
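
The settings made in sections 1.2.2 and 1.2.3 can be reviewed offline. The following Python example is added here and is not H3C code: it scans a constructed configuration for commands lowered to level 0, a super password set with simple, and VTY user interfaces whose default level or level-switching path depends on them. It assumes that the saved configuration uses the command syntax shown in this chapter and that simple leaves the password readable in the file.

```python
import re

# Constructed sample configuration, not taken from a real device. It reuses the
# command syntax shown in this chapter; the saved-file layout is an assumption.
SAMPLE_CONFIG = """\
command-privilege level 0 view shell tftp
command-privilege level 0 view shell tftp 192.168.0.1
command-privilege level 0 view shell tftp 192.168.0.1 get
command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm
super password level 3 simple 123
domain system
 authentication super hwtacacs-scheme acs
user-interface vty 0
 super authentication-mode scheme super-password
user-interface vty 1 4
 user privilege level 3
"""

LEVELS = {0: "visit", 1: "monitor", 2: "system", 3: "manage"}


def audit(config):
    """Return sorted (rule, detail) findings for one configuration text."""
    findings, overrides, simple_levels = [], [], set()
    vty_modes = {}     # VTY user interface -> ordered level-switching methods
    current_ui = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current_ui = None          # an unindented line leaves the view
        m = re.match(r"command-privilege level ([0-3]) view (\S+) (.+)$", line)
        if m:
            overrides.append((int(m.group(1)), m.group(2), m.group(3).split()))
        m = re.match(r"super password(?: level ([0-3]))? (cipher|simple) \S+$", line)
        if m and m.group(2) == "simple":
            # Assumption: 'simple' leaves the password readable in the file.
            simple_levels.add(int(m.group(1) or 3))   # level 3 when omitted
        m = re.match(r"user-interface (vty .+)$", line)
        if m:
            current_ui = m.group(1)
            vty_modes[current_ui] = ["super-password"]   # documented default
        m = re.match(r"super authentication-mode (.+)$", line)
        if m and current_ui:
            vty_modes[current_ui] = m.group(1).split()
        m = re.match(r"user privilege level ([1-3])$", line)
        if m and current_ui:
            findings.append(("vty-default-level",
                             f"{current_ui}: default login level is {m.group(1)}, above visit"))

    # The chapter sets a level keyword by keyword, so one change yields several
    # lines; report only the longest form. Per the chapter's example, the typed
    # server and file do not limit the change to that server or file.
    for level, view, words in overrides:
        has_longer = any(l == level and v == view and len(w) > len(words)
                         and w[:len(words)] == words for l, v, w in overrides)
        if level == 0 and not has_longer:
            findings.append(("level0-command",
                             f"view {view}: '{' '.join(words)}' is usable at level 0"))

    for lvl in sorted(simple_levels):
        findings.append(("plaintext-super-password",
                         f"level {lvl} ({LEVELS[lvl]}) super password uses 'simple'"))
    # The backup method is used when the preferred one cannot be implemented
    # (for example, the HWTACACS server is unreachable), so it matters too.
    for ui, methods in vty_modes.items():
        if simple_levels and "super-password" in methods:
            role = "preferred" if methods[0] == "super-password" else "backup"
            findings.append(("weak-switch-path",
                             f"{ui}: plaintext super password is the {role} method"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_CONFIG):
        print(f"{rule:26} {detail}")
```
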

1.3  CLI Views

CLI views are designed for different configuration tasks. The views are related to one another yet distinct. For example, once a user logs into a switch successfully, the user enters user view, where the user can perform some simple operations such as checking the operation status and statistics information of the switch. After executing the system-view command, the user enters system view, where the user can go to other views by entering corresponding commands.

Table 1-7 lists the CLI views provided by S3100 series Ethernet switches, operations that can be performed in different CLI views and the commands used to enter specific CLI views.

Table 1-7 CLI views

| View | Available operation | Prompt example | Enter method | Quit method |
|---|---|---|---|---|
| User view | Display operation status and statistical information of the switch | <Sysname> | Enter user view once logging into the switch. | Execute the quit command to log out of the switch. |
| System view | Configure system parameters | [Sysname] | Execute the system-view command in user view. | Execute the quit or return command to return to user view. |
| Ethernet port view | Configure Ethernet port parameters | 100 Mbps Ethernet port view: [Sysname-Ethernet1/0/1] | Execute the interface ethernet command in system view. | Execute the quit command to return to system view. Execute the return command to return to user view. |
| | | 1000 Mbps Ethernet port view: [Sysname-GigabitEthernet1/1/1] | Execute the interface gigabitethernet command in system view. | |
| Aux1/0/0 port (the console port) view | The S3100 series do not support configuration on port Aux1/0/0 | [Sysname-Aux1/0/0] | Execute the interface aux 1/0/0 command in system view. | |
| VLAN view | Configure VLAN parameters | [Sysname-vlan1] | Execute the vlan command in system view. | |
| VLAN interface view | Configure VLAN interface parameters, including the management VLAN parameters | [Sysname-Vlan-interface1] | Execute the interface Vlan-interface command in system view. | |
| Loopback interface view | Configure loopback interface parameters | [Sysname-LoopBack0] | Execute the interface loopback command in system view. | |
| NULL interface view | Configure NULL interface parameters | [Sysname-NULL0] | Execute the interface null command in system view. | |
| Local user view | Configure local user parameters | [Sysname-luser-user1] | Execute the local-user command in system view. | |
| User interface view | Configure user interface parameters | [Sysname-ui-aux0] | Execute the user-interface command in system view. | |
| FTP client view | Configure FTP client parameters | [ftp] | Execute the ftp command in user view. | |
| SFTP client view | Configure SFTP client parameters | sftp-client> | Execute the sftp command in system view. | |
| MST region view | Configure MST region parameters | [Sysname-mst-region] | Execute the stp region-configuration command in system view. | |
| Cluster view | Configure cluster parameters | [Sysname-cluster] | Execute the cluster command in system view. | |
| Public key view | Configure the RSA public key for SSH users | [Sysname-rsa-public-key] | Execute the rsa peer-public-key command in system view. | Execute the peer-public-key end command to return to system view. |
| | Configure the RSA or DSA public key for SSH users | [Sysname-peer-public-key] | Execute the public-key peer command in system view. | |
| Public key editing view | Edit the RSA public key for SSH users | [Sysname-rsa-key-code] | Execute the public-key-code begin command in public key view. | Execute the public-key-code end command to return to public key view. |
| | Edit the RSA or DSA public key for SSH users | [Sysname-peer-key-code] | | |
| Basic ACL view | Define rules for a basic ACL (with ID ranging from 2000 to 2999) | [Sysname-acl-basic-2000] | Execute the acl number command in system view. | Execute the quit command to return to system view. Execute the return command to return to user view. |
| Advanced ACL view | Define rules for an advanced ACL (with ID ranging from 3000 to 3999) | [Sysname-acl-adv-3000] | Execute the acl number command in system view. | |
| Layer 2 ACL view | Define rules for a Layer 2 ACL (with ID ranging from 4000 to 4999) | [Sysname-acl-ethernetframe-4000] | Execute the acl number command in system view. | |
| QoS profile view | Define QoS profile | [Sysname-qos-profile-a123] | Execute the qos-profile command in system view. | |
| RADIUS scheme view | Configure RADIUS scheme parameters | [Sysname-radius-1] | Execute the radius scheme command in system view. | |
| ISP domain view | Configure ISP domain parameters | [Sysname-isp-aaa123.net] | Execute the domain command in system view. | |
| HWPing view | Configure HWPing parameters | [Sysname-hwping-a123-a123] | Execute the hwping command in system view. | |
| HWTACACS view | Configure HWTACACS parameters | [Sysname-hwtacacs-a123] | Execute the hwtacacs scheme command in system view. | |
| Smart link group view | Configure smart link group parameters | [Sysname-smlk-group1] | Execute the smart-link group command in system view. | |
| Monitor link group view | Configure monitor link group parameters | [Sysname-mtlk-group1] | Execute the monitor-link group command in system view. | |
| QinQ view | Configure QinQ parameters | [Sysname-Ethernet1/0/1-vid-20] | Execute the vlan-vpn vid command in Ethernet port view. The vlan-vpn enable command should be first executed. | Execute the quit command to return to Ethernet port view. Execute the return command to return to user view. |

 

Note:

The shortcut key <Ctrl+Z> is equivalent to the return command.

 

1.4  CLI Features

1.4.1  Online Help

When configuring the switch, you can use the online help to get related help information. The CLI provides two types of online help: complete and partial.

I. Complete online help

1)         Enter a question mark (?) in any view on your terminal to display all the commands available in the view and their brief descriptions. The following takes user view as an example.

<Sysname> ?

User view commands:

  boot               Set boot option

  cd                 Change current directory

  clock              Specify the system clock

  cluster            Run cluster command

  copy               Copy from one file to another

  debugging          Enable system debugging functions

  delete             Delete a file

  dir                List files on a file system

  display            Display current system information

<Other information is omitted>

2)         Enter a command, a space, and a question mark (?).

If the question mark “?” is at a keyword position in the command, all available keywords at the position and their descriptions will be displayed on your terminal.

<Sysname> clock ?

  datetime     Specify the time and date

  summer-time  Configure summer time

  timezone     Configure time zone

If the question mark “?” is at an argument position in the command, the description of the argument will be displayed on your terminal.

[Sysname] interface vlan-interface ?

  <1-4094>  VLAN interface number

If only <cr> is displayed after you enter “?”, it means no parameter is available at the “?” position, and you can enter and execute the command directly.

[Sysname] interface vlan-interface 1 ?

  <cr>

II. Partial online help

1)         Enter a character/string, and then a question mark (?) next to it. All the commands beginning with the character/string will be displayed on your terminal. For example:

<Sysname> p?

   ping

   pwd

2)         Enter a command, a space, a character/string and a question mark (?) next to it. All the keywords beginning with the character/string (if available) are displayed on your terminal. For example:

<Sysname> display u?

   udp

   unit

   user-interface

   users

3)         Enter the first several characters of a keyword of a command and then press <Tab>. If there is a unique keyword beginning with the characters just typed, the unique keyword is displayed in its complete form. If there are multiple keywords beginning with the characters, you can have them displayed one by one (in complete form) by pressing <Tab> repeatedly.

1.4.2  Terminal Display

The CLI provides the screen splitting feature to have display output suspended when the screen is full. When display output pauses, you can perform the following operations as needed (see Table 1-8).

Table 1-8 Display-related operations

| Operation | Function |
|---|---|
| Press <Ctrl+C> | Stop the display output and execution of the command. |
| Press any character except <Space>, <Enter>, /, +, and - when the display output pauses | Stop the display output. |
| Press the space key | Get to the next page. |
| Press <Enter> | Get to the next line. |

 

1.4.3  Command History

The CLI provides the command history function. You can use the display history-command command to view a specific number of latest executed commands and execute them again in a convenient way. By default, the CLI can store up to 10 latest executed commands for each user. You can view the command history by performing the operations listed in Table 1-9.

Table 1-9 View history commands

| Purpose | Operation | Remarks |
|---|---|---|
| Display the latest executed history commands | Execute the display history-command command | This command displays the command history. |
| Recall the previous history command | Press the up arrow key or <Ctrl+P> | This operation recalls the previous history command (if available). |
| Recall the next history command | Press the down arrow key or <Ctrl+N> | This operation recalls the next history command (if available). |

 

Note:

• The Windows 9x HyperTerminal interprets the up and down arrow keys in a different way, and therefore the two keys are invalid when you access history commands in such an environment. However, you can use <Ctrl+P> and <Ctrl+N> instead to achieve the same purpose.

• When you enter the same command multiple times consecutively, only one history command entry is created by the command line interface.

 

1.4.4  Error Prompts

If a command passes the syntax check, it will be successfully executed; otherwise, an error message will be displayed. Table 1-10 lists the common error messages.

Table 1-10 Common error messages

| Error message | Description |
|---|---|
| Unrecognized command | The command does not exist. The keyword does not exist. The parameter type is wrong. The parameter value is out of range. |
| Incomplete command | The command entered is incomplete. |
| Too many parameters | The parameters entered are too many. |
| Ambiguous command | The parameters entered are ambiguous. |
| Wrong parameter | A parameter entered is wrong. |
| found at '^' position | An error is found at the '^' position. |

 

1.4.5  Command Edit

The CLI provides basic command edit functions and supports multi-line editing. The maximum number of characters a command can contain is 254. Table 1-11 lists the CLI edit operations.

Table 1-11 Edit operations

| Press… | To… |
|---|---|
| A common key | Insert the corresponding character at the cursor position and move the cursor one character to the right if the command is shorter than 254 characters. |
| Backspace key | Delete the character on the left of the cursor and move the cursor one character to the left. |
| Left arrow key or <Ctrl+B> | Move the cursor one character to the left. |
| Right arrow key or <Ctrl+F> | Move the cursor one character to the right. |
| Up arrow key or <Ctrl+P>; Down arrow key or <Ctrl+N> | Display history commands. |
| <Tab> | Use the partial online help. That is, when you input an incomplete keyword and press <Tab>, if the input parameter uniquely identifies a complete keyword, the system substitutes the complete keyword for the input parameter; if more than one keyword matches the input parameter, you can display them one by one (in complete form) by pressing <Tab> repeatedly; if no keyword matches the input parameter, the system displays your original input on a new line without any change. |

 
