Support - 01-CLI Configuration- H3C (2024)

At the command-line interface (CLI), you can enter text commands to configure, manage, and monitor your device.

Figure 1 CLI example


You can log in to the CLI in a variety of ways. For example, you can log in through the console port, or using Telnet or SSH. For more information about login methods, see "Logging in to the CLI."

Command conventions

Command conventions help you understand the syntax of commands. Commands in product manuals comply with the conventions listed in Table 1.

Table 1 Command conventions

| Convention | Description |
| --- | --- |
| Boldface | Bold text represents commands and keywords that you enter literally as shown. |
| Italic | Italic text represents arguments that you replace with actual values. |
| [ ] | Square brackets enclose syntax choices (keywords or arguments) that are optional. |
| { x \| y \| ... } | Braces enclose a set of required syntax choices separated by vertical bars, from which you select one. |
| [ x \| y \| ... ] | Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none. |
| { x \| y \| ... } * | Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one. |
| [ x \| y \| ... ] * | Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none. |
| &<1-n> | The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times. |
| # | A line that starts with a pound (#) sign is a comment. |

Command keywords are case insensitive.

The following example analyzes the syntax of the clock datetime time date command according to Table 1.

Figure 2 Understanding command-line parameters


For example, to set the system time to 10:30:20, February 23, 2010, enter the following command line at the CLI and press Enter:

    <Sysname> clock datetime 10:30:20 2/23/2010

Using the undo form of a command

Most configuration commands have an undo form for canceling a configuration, restoring the default, or disabling a feature. For example, the info-center enable command enables the information center, and the undo info-center enable command disables the information center.

CLI views

Commands are grouped in different views by function. To use a command, you must enter its view.

CLI views are hierarchically organized, as shown in Figure 3. Each view has a unique prompt, from which you can identify where you are and what you can do. For example, the prompt [Sysname-vlan100] shows that you are in VLAN 100 view and can configure attributes for that VLAN.

You are placed in user view immediately after you are logged in to the CLI. The user view prompt is <Device-name>, where the Device-name argument, representing the device hostname, defaults to WA4620i-ACN and can be changed by using the sysname command. In user view, you can perform basic operations including display, debug, file management, FTP, Telnet, clock setting, and reboot.

From user view, you can enter system view to configure global settings, including the daylight saving time, banners, and hotkeys. The system view prompt is [Device-name].

From system view, you can enter different function views. For example, you can enter interface view to configure interface parameters, enter VLAN view to add ports to the specific VLAN, enter user interface view to configure login user attributes, or create a local user and enter local user view to configure attributes for the local user.

To display all commands available in a view, enter a question mark (?) at the view prompt.

Figure 3 CLI view hierarchy


Entering system view from user view

| Task | Command |
| --- | --- |
| Enter system view from user view. | system-view |

Returning to the upper-level view from any view

| Task | Command |
| --- | --- |
| Return to the upper-level view from any view. | quit |

Executing the quit command in user view terminates your connection to the device.

In public key code view, use the public-key-code end command to return to the upper-level view (public key view). In public key view, use the peer-public-key end command to return to system view.

Returning to user view from any other view

You can return directly to user view from any other view by using the return command or pressing Ctrl+Z, instead of using the quit command repeatedly.

To return to user view from any other view:

| Task | Command |
| --- | --- |
| Return to user view. | return |

Accessing the CLI online help

The CLI online help is context sensitive. You can enter a question mark at any prompt or in any position of a command to display all available options.

To access the CLI online help, use one of the following methods:

· Enter a question mark at a view prompt to display the first keyword of every command available in the view. For example:

    <Sysname> ?
    User view commands:
      archive      Specify archive settings
      backup       Backup next startup-configuration file to TFTP server
      boot-loader  Set boot loader
      bootrom      Update/read/backup/restore bootrom
      cd           Change current directory
      clock        Specify the system clock

· Enter a space and a question mark after a command keyword to display all available, subsequent keywords and arguments.

  ○ If you type a question mark in place of a keyword, the CLI displays all possible keyword matches with a brief description for each keyword. For example:

    <Sysname> terminal ?
      debugging  Send debug information to terminal
      logging    Send log information to terminal
      monitor    Send information output to current terminal
      trapping   Send trap information to terminal

  ○ If you type a question mark in place of an argument, the CLI displays the description of this argument. For example:

    <Sysname> system-view
    [Sysname] interface vlan-interface ?
      <1-4094>  VLAN interface number
    [Sysname] interface vlan-interface 1 ?
      <cr>
    [Sysname] interface vlan-interface 1

The string <cr> indicates that the command is complete, and you can press Enter to execute the command.

· Enter an incomplete keyword string followed by a question mark to display all keywords starting with the string. For example:

    <Sysname> f?
      fixdisk
      format
      free
      ftp
    <Sysname> display ftp?
      ftp

Entering a command

When you enter a command, you can use keys or hotkeys to edit the command line, or use abbreviated keywords or keyword aliases.

Editing a command line

Use the keys listed in Table 2 or the hotkeys listed in Table 3 to edit a command line.

Table 2 Command line editing keys

| Key | Function |
| --- | --- |
| Common keys | If the edit buffer is not full, pressing a common key inserts the character at the position of the cursor and moves the cursor to the right. |
| Backspace | Deletes the character to the left of the cursor and moves the cursor back one character. |
| Left arrow key or Ctrl+B | Moves the cursor one character to the left. |
| Right arrow key or Ctrl+F | Moves the cursor one character to the right. |
| Tab | If you press Tab after entering part of a keyword, the system automatically completes the keyword: · If a unique match is found, the system substitutes the complete keyword for the incomplete one and displays what you entered in the next line. · If there is more than one match, you can press Tab repeatedly to pick the keyword you want to enter. · If there is no match, the system does not modify what you entered but displays it again in the next line. |

Entering a STRING type value for an argument

A STRING type argument value can contain any printable character (ASCII code in the range of 32 to 126) except the question mark (?), quotation mark ("), backward slash (\), and space.

For example, the domain name is of the STRING type. You can give it a value such as forVPN1.

    <Sysname> system-view
    [Sysname] domain ?
      STRING<1-24>  Domain name

Abbreviating commands

You can enter a command line quickly by entering incomplete keywords that uniquely identify the complete command.

In user view, for example, commands starting with an s include startup saved-configuration and system-view. To enter the command system-view, you only need to type sy. To enter the command startup saved-configuration, type st s.

You can also press Tab to complete an incomplete keyword.

Configuring and using command keyword aliases

The command keyword alias function allows you to replace the first keyword of a non-undo command or the second keyword of an undo command with your preferred keyword when you execute the command. For example, if you configure show as the alias for the display keyword, you can enter show in place of display to execute a display command.

Usage guidelines

· After you successfully execute a command by using a keyword alias, the system saves the keyword, instead of its alias, to the running configuration.

· If you press Tab after entering part of an alias, the keyword is displayed.

· If a string you entered partially matches a keyword and an alias, the command indicated by the alias is executed. To execute the command indicated by the keyword, enter the complete keyword.

· If you enter a string that partially matches multiple aliases, the system gives you a prompt.

Configuration procedure

To configure a command keyword alias:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enable the command keyword alias function. | command-alias enable | By default, the command keyword alias function is disabled. |
| 3. Configure a command keyword alias. | command-alias mapping cmdkey alias | By default, no command keyword alias is configured. You must enter the cmdkey and alias arguments in their complete form. |

Configuring and using hotkeys

To facilitate CLI operation, the system defines the hotkeys shown in Table 3 and provides five configurable command hotkeys. Pressing a command hotkey is the same as entering a command.

To configure a command hotkey:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Configure hotkeys. | hotkey { CTRL_G \| CTRL_L \| CTRL_O \| CTRL_T \| CTRL_U } command | By default: · Ctrl+G is assigned the display current-configuration command. · Ctrl+L is assigned the display ip routing-table command. · Ctrl+O is assigned the undo debugging all command. · No command is assigned to Ctrl+T or Ctrl+U. |
| 3. Display hotkeys. | display hotkey [ \| { begin \| exclude \| include } regular-expression ] | Optional. Available in any view. See Table 3 for hotkeys reserved by the system. |

The hotkeys in Table 3 are defined by the device. If a hotkey is also defined by the terminal software that you are using to interact with the device, the definition of the terminal software takes effect.

Table 3 System-reserved hotkeys

| Hotkey | Function |
| --- | --- |
| Ctrl+A | Moves the cursor to the beginning of a line. |
| Ctrl+B | Moves the cursor one character to the left. |
| Ctrl+C | Stops the current command. |
| Ctrl+D | Deletes the character at the cursor. |
| Ctrl+E | Moves the cursor to the end of a line. |
| Ctrl+F | Moves the cursor one character to the right. |
| Ctrl+H | Deletes the character to the left of the cursor. |
| Ctrl+K | Aborts the connection request. |
| Ctrl+N | Displays the next command in the command history buffer. |
| Ctrl+P | Displays the previous command in the command history buffer. |
| Ctrl+R | Redisplays the current line. |
| Ctrl+V | Pastes text from the clipboard. |
| Ctrl+W | Deletes the word to the left of the cursor. |
| Ctrl+X | Deletes all characters to the left of the cursor. |
| Ctrl+Y | Deletes all characters to the right of the cursor. |
| Ctrl+Z | Returns to user view. |
| Ctrl+] | Terminates an incoming connection or a redirect connection. |
| Esc+B | Moves the cursor back one word. |
| Esc+D | Deletes all characters from the cursor to the end of the word. |
| Esc+F | Moves the cursor forward one word. |
| Esc+N | Moves the cursor down one line. This hotkey is available before you press Enter. |
| Esc+P | Moves the cursor up one line. This hotkey is available before you press Enter. |
| Esc+< | Moves the cursor to the beginning of the clipboard. |
| Esc+> | Moves the cursor to the ending of the clipboard. |

Enabling redisplaying entered-but-not-submitted commands

The redisplay entered-but-not-submitted commands feature enables the system to display what you have typed (except Yes or No for confirmation) at the CLI when your configuration is interrupted by system output such as logs. If you have entered nothing, the system does not display the command-line prompt after the output.

To enable redisplaying entered-but-not-submitted commands:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enable redisplaying entered-but-not-submitted commands. | info-center synchronous | By default, this feature is disabled. For more information about this command, see Network Management and Monitoring Command Reference. |

Understanding command-line error messages

When you press Enter to submit a command, the command line interpreter first examines the command syntax. If the command passes syntax check, the CLI executes the command. If not, the CLI displays an error message.

Table 4 Common command-line error messages

| Error message | Cause |
| --- | --- |
| % Unrecognized command found at '^' position. | The keyword in the marked position is invalid. |
| % Incomplete command found at '^' position. | One or more required keywords or arguments are missing. |
| % Ambiguous command found at '^' position. | The entered character sequence matches more than one command. |
| Too many parameters | The entered character sequence contains excessive keywords or arguments. |
| % Wrong parameter found at '^' position. | The argument in the marked position is invalid. |

Using the command history function

The system can automatically save successfully executed commands to the command history buffer for the current user interface. You can view them and execute them again, or set the maximum number of commands that can be saved in the command history buffer.

A command is saved to the command history buffer in the exact format as it was entered. For example, if you enter an incomplete command, the command saved in the command history buffer is also incomplete; if you enter a command by using a command keyword alias, the command saved in the command history buffer also uses the alias.

If you enter a command in the same format repeatedly in succession, the system buffers the command only once. If you enter a command repeatedly in different formats, the system buffers each command format. For example, display cu and display current-configuration are buffered as two entries but successive repetitions of display cu create only one entry in the buffer.

By default, the command history buffer can save up to 10 commands for each user. To set the capacity of the command history buffer for the current user interface, use the history-command max-size command.

Viewing history commands

You can use arrow keys to access history commands in Windows 200x and Windows XP Terminal or Telnet. In Windows 9x HyperTerminal, the arrow keys are invalid, and you must use Ctrl+P and Ctrl+N instead.

To view command history, use one of the following methods:

| Task | Command |
| --- | --- |
| Display all commands in the command history buffer. | display history-command [ \| { begin \| exclude \| include } regular-expression ] |
| Display the previous history command. | Up arrow key or Ctrl+P |
| Display the next history command. | Down arrow key or Ctrl+N |

Setting the command history buffer size for user interfaces

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter user interface view. | user-interface { first-num1 [ last-num1 ] \| { console \| vty } first-num2 [ last-num2 ] } | N/A |
| 3. Set the maximum number of commands that can be saved in the command history buffer. | history-command max-size size-value | Optional. By default, the command history buffer can save up to 10 commands. |

Controlling the CLI output

This section describes the CLI output control features that help you quickly identify the desired output.

Pausing between screens of output

If the output being displayed is more than will fit on one screen, the system automatically pauses after displaying a screen. By default, up to 24 lines can be displayed on a screen. To change the screen length, use the screen-length screen-length command. For more information about this command, see Fundamentals Command Reference. To control output, use keys in Table 5.

Table 5 Keys for controlling output

| Keys | Function |
| --- | --- |
| Space | Displays the next screen. |
| Enter | Displays the next line. |
| Ctrl+C | Stops the display and cancels the command execution. |
| <PageUp> | Displays the previous page. |
| <PageDown> | Displays the next page. |

To display all output at one time and refresh the screen continuously until the last screen is displayed:

| Task | Command | Remarks |
| --- | --- | --- |
| Disable pausing between screens of output for the current session. | screen-length disable | The default for a session depends on the setting of the screen-length command in user interface view. The default of the screen-length command is pausing between screens of output and displaying up to 24 lines on a screen. This command is executed in user view and takes effect only for the current session. When you relog in to the device, the default is restored. |

Filtering the output from a display command

You can use one of the following methods to filter the output from a display command:

· Specify the | { begin | exclude | include } regular-expression option at the end of the command.

· When the system pauses after displaying a screen of output, enter a forward slash (/), minus sign (-), or plus sign (+), and a regular expression to filter subsequent output. The forward slash equals the keyword begin, the minus sign equals the keyword exclude, and the plus sign equals the keyword include.

The following definitions apply to the begin, exclude, and include keywords:

· begin: Displays the first line that matches the specified regular expression and all lines that follow.

· exclude: Displays all lines that do not match the specified regular expression.

· include: Displays all lines that match the specified regular expression.

A regular expression is a case-sensitive string of 1 to 256 characters that supports the special characters in Table 6.

Table 6 Special characters supported in a regular expression

Character

Meaning

Examples

^string

Matches the beginning of a line.

"^user" matches all lines beginning with "user". A line beginning with "Auser" is not matched.

string$

Matches the end of a line.

"user$" matches lines ending with "user". A line ending with "userA" is not matched.

.

Matches any single character, such as a single character, a special character, and a blank.

".s" matches both "as" and "bs".

*

Matches the preceding character or character group zero or multiple times.

"zo*" matches "z" and "zoo", and "(zo)*" matches "zo" and "zozo".

+

Matches the preceding character or character group one or multiple times

"zo+" matches "zo" and "zoo", but not "z".

|

Matches the preceding or succeeding character string

"def|int" only matches a character string containing "def" or "int".

_

If it is at the beginning or the end of a regular expression, it equals ^ or $. In other cases, it equals comma, space, round bracket, or curly bracket.

"a_b" matches "a b" or "a(b"; "_ab" only matches a line starting with "ab"; "ab_" only matches a line ending with "ab".

-

It connects two values (the smaller one before it and the bigger one after it) to indicate a range together with [ ].

"1-9" means 1 to 9 (inclusive); "a-h" means a to h (inclusive).

[ ]

Matches a single character contained within the brackets.

[16A] matches a string containing any character among 1, 6, and A; [1-36A] matches a string containing any character among 1, 2, 3, 6, and A (- is a hyphen).

To match the character "]", put it at the beginning of a string within brackets, for example [ ]string]. There is no such limit on "[".

( )

A character group. It is usually used with "+" or "*".

(123A) means a character group "123A"; "408(12)+" matches 40812 or 408121212. But it does not match 408.

\index

Repeats the character string specified by the index. A character string refers to the string within () before \. index refers to the sequence number (starting from 1 from left to right) of the character group before \. If only one character group appears before \, index can only be 1; if n character groups appear before index, index can be any integer from 1 to n.

(string)\1 repeats string, and a matching string must contain stringstring. (string1)(string2)\2 repeats string2, and a matching string must contain string1string2string2. (string1)(string2)\1\2 repeats string1 and string2 respectively, and a matching string must contain string1string2string1string2.

[^]

Matches a single character not contained within the brackets.

[^16A] means to match a string containing any character except 1, 6 or A, and the matching string can also contain 1, 6 or A, but cannot contain these three characters only. For example, [^16A] matches "abc" and "m16", but not 1, 16, or 16A.

\<string

Matches a character string starting with string.

"\<do" matches word "domain" and string "doa".

string\>

Matches a character string ending with string.

"do\>" matches word "undo" and string "abcdo".

\bcharacter2

Matches character1character2. character1 can be any character except number, letter or underline, and \b equals [^A-Za-z0-9_].

"\ba" matches "-a" with "-" being character1, and "a" being character2, but it does not match "2a" or "ba".

\Bcharacter

Matches a string containing character, and no space is allowed before character.

"\Bt" matches "t" in "install", but not "t" in "big top".

character1\w

Matches character1character2. character2 must be a number, letter, or underline, and \w equals [A-Za-z0-9_].

"v\w" matches "vlan" ("v" is character1 and "l" is character2) and "service" ( "i" is character2).

\W

Equals \b.

"\Wa" matches "-a", with "-" being character1, and "a" being character2, but does not match "2a" or "ba".

\

Escape character. If a special character listed in this table follows \, the specific meaning of the character is removed.

"\\" matches a string containing "\", "\^" matches a string containing "^", and "\\b" matches a string containing "\b".

The following are several regular expression examples:

# Use | begin user-interface in the display current-configuration command to match the first line of output that contains user-interface to the last line of output.

    <Sysname> display current-configuration | begin user-interface
    user-interface con 0
    user-interface vty 0 4
     authentication-mode none
     user privilege level 3
    #
    return

# Use | exclude Direct in the display ip routing-table command to filter out direct routes and display only the non-direct routes.

    <Sysname> display ip routing-table | exclude Direct
    Routing Tables: Public
    Destination/Mask    Proto   Pre  Cost  NextHop       Interface
    1.1.1.0/24          Static  60   0     192.168.0.0   Vlan1

# Use | include Vlan in the display ip routing-table command to filter in route entries that contain Vlan.

    <Sysname> display ip routing-table | include Vlan
    Routing Tables: Public
    Destination/Mask    Proto   Pre  Cost  NextHop       Interface
    192.168.1.0/24      Direct  0    0     192.168.1.42  Vlan999
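The begin, exclude, and include keywords, the "_" rule from Table 6, and the "/", "-", "+" pause shortcuts can be reproduced offline to pull login-related lines out of a saved configuration. This is an added example, not H3C code: the function names and the sample lines are constructed, and the escapes that Table 6 defines differently from Python (\<, \>, \b, \B, \W) are rejected rather than translated.

```python
import re

# Keys typed at a paused screen map to the same three keywords (per the page).
PAUSE_KEYS = {"/": "begin", "-": "exclude", "+": "include"}
# Escapes that Table 6 defines differently from Python's re module.
UNSUPPORTED = ("\\<", "\\>", "\\b", "\\B", "\\W")

# Constructed sample lines, shaped like `display current-configuration` output.
SAMPLE = [
    "local-user test",
    " password simple 123",
    " service-type telnet",
    "user-interface con 0",
    "user-interface vty 0 4",
    " authentication-mode none",
    " user privilege level 3",
    "return",
]


def translate(pattern):
    """Rewrite the Table 6 '_' shorthand into Python regex syntax."""
    if not 1 <= len(pattern) <= 256:
        raise ValueError("regular expression must be 1 to 256 characters")
    out, i, last, in_class = [], 0, len(pattern) - 1, False
    while i <= last:
        ch = pattern[i]
        if ch == "\\" and i < last:          # keep escaped pairs intact
            pair = pattern[i:i + 2]
            if pair in UNSUPPORTED:
                raise ValueError(f"{pair} is not translated by this example")
            out.append(pair)
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        if ch == "_" and not in_class:
            # A leading or trailing '_' anchors the line; elsewhere it stands
            # for a comma, space, round bracket, or curly bracket.
            out.append("^" if i == 0 else "$" if i == last else "[,(){} ]")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def filter_output(lines, keyword, pattern):
    """Apply begin / exclude / include (or the /, -, + shortcut) to lines."""
    keyword = PAUSE_KEYS.get(keyword, keyword)
    rx = re.compile(translate(pattern))      # case-sensitive, as on the device
    if keyword == "include":
        return [line for line in lines if rx.search(line)]
    if keyword == "exclude":
        return [line for line in lines if not rx.search(line)]
    if keyword == "begin":
        for n, line in enumerate(lines):
            if rx.search(line):
                return lines[n:]             # first match and all that follow
        return []
    raise ValueError(f"unknown filter keyword: {keyword}")


if __name__ == "__main__":
    wanted = "authentication-mode|privilege level|password"
    for line in filter_output(SAMPLE, "include", wanted):
        print(line)
```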

Configuring user privilege and command levels

To avoid unauthorized access, the device defines the user privilege levels and command levels in Table 7. User privilege levels correspond to command levels. A user logged in with a specific privilege level can use only the commands at that level or lower levels.

Table 7 Command levels and user privilege levels

| Level | Privilege | Default set of commands |
| --- | --- | --- |
| 0 | Visit | Includes commands for network diagnosis and commands for accessing an external device. Configuration of commands at this level cannot survive a device restart. Upon device restart, the commands at this level are restored to the default settings. Commands at this level include ping, tracert, telnet and ssh2. |
| 1 | Monitor | Includes commands for system maintenance and service fault diagnosis. Commands at this level are not saved after being configured. After the device is restarted, the commands at this level are restored to the default settings. Commands at this level include debugging, terminal, refresh, and send. |
| 2 | System | Includes service configuration commands, including routing configuration commands and commands for configuring services at different network levels. By default, commands at this level include all configuration commands except for those at manage level. |
| 3 | Manage | Includes commands that influence the basic operation of the system and commands for configuring system support modules. By default, commands at this level involve the configuration commands of file system, FTP, TFTP, Xmodem download, user management, level setting, and parameter settings within a system, which are not defined by any protocols or RFCs. |

Configuring a user privilege level

If the authentication mode on a user interface is scheme, configure a user privilege level for the user interface's users through the AAA module or directly on the user interface. For SSH users who use public-key authentication, the user privilege level configured directly on the user interface always takes effect. For other users, the user privilege level configured in the AAA module has priority over the one configured directly on the user interface.

If the authentication mode on a user interface is none or password, configure the user privilege level directly on the user interface.

For more information about user login authentication, see "Logging in to the CLI." For more information about AAA and SSH, see Security Configuration Guide.

Configuring a user privilege level for users through the AAA module

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter user interface view. | user-interface { first-num1 [ last-num1 ] \| { console \| vty } first-num2 [ last-num2 ] } | N/A |
| 3. Specify the scheme authentication mode. | authentication-mode scheme | By default, the authentication mode for VTY users is password, and no authentication is needed for console login users. |
| 4. Return to system view. | quit | N/A |
| 5. Configure the authentication mode for SSH users as password. | For more information, see Security Configuration Guide. | This task is required only for SSH users who are required to provide their usernames and passwords for authentication. |
| 6. Configure the user privilege level through the AAA module. | · To use local authentication: a. Use the local-user command to create a local user and enter local user view. b. Use the level keyword in the authorization-attribute command to configure the user privilege level. · To use remote authentication (RADIUS, HWTACACS, or LDAP): Configure the user privilege level on the authentication server. | Use either approach. For local authentication, if you do not configure the user privilege level, the user privilege level is 0. For remote authentication, if you do not configure the user privilege level, the user privilege level depends on the default configuration of the authentication server. |

For more information about the local-user and authorization-attribute commands, see Security Command Reference.

For example:

# Configure the device to use local authentication for Telnet users on VTY 1.

    <Sysname> system-view
    [Sysname] user-interface vty 1
    [Sysname-ui-vty1] authentication-mode scheme
    [Sysname-ui-vty1] quit
    [Sysname] local-user test
    [Sysname-luser-test] password simple 123
    [Sysname-luser-test] service-type telnet

When users Telnet to the device through VTY 1, they must enter username test and password 123. After passing the authentication, the users can only use level-0 commands.

# Assign commands of levels 0 through 3 to the users.

    [Sysname-luser-test] authorization-attribute level 3

Configuring the user privilege level directly on a user interface

To configure the user privilege level directly on a user interface that uses the scheme authentication mode:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Configure the authentication type for SSH users as publickey. | For more information, see Security Configuration Guide. | Required only for SSH users who use public-key authentication. |
| 2. Enter system view. | system-view | N/A |
| 3. Enter user interface view. | user-interface { first-num1 [ last-num1 ] \| vty first-num2 [ last-num2 ] } | N/A |
| 4. Enable the scheme authentication mode. | authentication-mode scheme | By default, the authentication mode for VTY users is password, and no authentication is needed for console users. |
| 5. Configure the user privilege level. | user privilege level level | By default, the user privilege level for users logged in through the console user interface is 3, and that for users logged in through the other user interfaces is 0. |

To configure the user privilege level directly on a user interface that uses the none or password authentication mode:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter user interface view. | user-interface { first-num1 [ last-num1 ] \| { console \| vty } first-num2 [ last-num2 ] } | N/A |
| 3. Configure the authentication mode for any user who uses the current user interface to log in to the device. | authentication-mode { none \| password } | Optional. By default, the authentication mode for VTY user interfaces is password, and no authentication is needed for console login users. |
| 4. Configure the privilege level of users logged in through the current user interface. | user privilege level level | Optional. By default, the user privilege level for users logged in through the console user interface is 3, and that for users logged in through the other user interfaces is 0. |

For example:

# Display the commands a Telnet user can use by default after login.

    <Sysname> ?
    User view commands:
      display  Display current system information
      ping     Ping function
      quit     Exit from current command view
      rsh      Establish one RSH connection
      ssh2     Establish a secure shell client connection
      super    Set the current user priority level
      telnet   Establish one TELNET connection
      tftp     Open TFTP connection
      tracert  Trace route function

# Configure the device to perform no authentication for Telnet users, and to authorize authenticated Telnet users to use level-0 and level-1 commands. (Use no authentication mode only in a secure network environment.)

    <Sysname> system-view
    [Sysname] user-interface vty 0 4
    [Sysname-ui-vty0-4] authentication-mode none
    [Sysname-ui-vty0-4] user privilege level 1

# Display the commands a Telnet user can use after login. Because the user privilege level is 1, a Telnet user can use more commands now.

    <Sysname> ?
    User view commands:
      debugging      Enable system debugging functions
      dialer         Dialer disconnect
      display        Display current system information
      ping           Ping function
      quit           Exit from current command view
      refresh        Do soft reset
      reset          Reset operation
      rsh            Establish one RSH connection
      screen-length  Specify the lines displayed on one screen
      send           Send information to other user terminal interface
      ssh2           Establish a secure shell client connection
      super          Set the current user priority level
      telnet         Establish one TELNET connection
      terminal       Set the terminal line characteristics
      tftp           Open TFTP connection
      tracert        Trace route function
      undo           Cancel current setting

# Configure the device to perform password authentication for Telnet users, and to authorize authenticated Telnet users to use the commands of privilege levels 0, 1, and 2.

    <Sysname> system-view
    [Sysname] user-interface vty 0 4
    [Sysname-ui-vty0-4] authentication-mode password
    [Sysname-ui-vty0-4] set authentication password simple 123
    [Sysname-ui-vty0-4] user privilege level 2

After the configuration is complete, when users Telnet to the device, they must enter the password 12345678. After passing authentication, they can use commands of levels 0, 1, and 2.
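The settings used in these examples (authentication-mode none, a shared line password, password simple, and user privilege level on a VTY line) are what a configuration review looks for. The checker below is an added example, not H3C code: it applies the defaults stated on this page to a constructed configuration, and the rule names, the one-space indentation of sub-commands, and the reading of simple as a plaintext password are assumptions.

```python
import re

# Defaults stated on this page: (authentication mode, privilege level).
DEFAULTS = {"console": ("none", 3), "vty": ("password", 0)}
HEADER = re.compile(r"^(user-interface|local-user)\s+(.+)$")

# Constructed sample; sub-commands are assumed to be indented by one space.
SAMPLE_CONFIG = """\
#
local-user test
 password simple 123
 authorization-attribute level 3
 service-type telnet
#
user-interface con 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
user-interface vty 5
 authentication-mode scheme
#
return
"""


def parse_stanzas(text):
    """Return [(kind, name, [sub-commands])] for user-interface and local-user."""
    stanzas, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():              # indented: belongs to the open stanza
            if current is not None:
                current[2].append(raw.strip())
            continue
        m = HEADER.match(raw)             # any unindented line closes the stanza
        current = (m.group(1), m.group(2).strip(), []) if m else None
        if current is not None:
            stanzas.append(current)
    return stanzas


def line_type(name):
    """Map 'con 0' or 'vty 0 4' to a DEFAULTS key; None for other line types."""
    word = name.split()[0].lower()
    for full in DEFAULTS:
        if full.startswith(word):         # the CLI accepts abbreviated keywords
            return full
    return None


def audit(text):
    """Return (where, rule, detail) findings for weak login settings."""
    findings = []
    for kind, name, body in parse_stanzas(text):
        where = f"{kind} {name}"
        # Assumption: 'simple' means the password is kept readable in the config.
        if any(re.search(r"\bpassword\s+simple\b", c) for c in body):
            findings.append((where, "plaintext-password",
                             "password is readable in the configuration"))
        if kind == "local-user":
            if any(re.match(r"service-type\b.*\btelnet\b", c) for c in body):
                findings.append((where, "telnet-service",
                                 "credentials cross the network unencrypted"))
            continue
        line = line_type(name)
        if line is None:
            continue
        mode, level = DEFAULTS[line]      # start from the page's defaults
        for c in body:
            m = re.match(r"authentication-mode\s+(\S+)", c)
            if m:
                mode = m.group(1)
            m = re.match(r"user privilege level\s+(\d+)", c)
            if m:
                level = int(m.group(1))
        if mode == "none":
            findings.append((where, "no-authentication",
                             f"anyone reaching this line gets level {level}"))
        if mode in ("none", "password") and level >= 2:
            findings.append((where, "shared-high-privilege",
                             f"level {level} without a per-user login"))
    return findings


if __name__ == "__main__":
    for where, rule, detail in audit(SAMPLE_CONFIG):
        print(f"{where}: {rule} ({detail})")
```

In scheme mode the level assigned through AAA takes priority over the line setting for most users, as described earlier on this page, so the checker reports nothing for such lines and leaves that review to the AAA configuration.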

Switching the user privilege level

Users can switch to a different user privilege level without logging out and terminating the current connection. After the privilege level switching, users can continue to manage the device without relogging in, but the commands they can execute have changed. For example, with the user privilege level 3, a user can configure system parameters. After switching to user privilege level 0, the user can execute only basic commands like ping and tracert and use a few display commands. The switching operation is effective for the current login. After the user relogs in, the user privilege restores to the original level.

To avoid problems, H3C recommends that administrators log in with a lower privilege level to view switch operating parameters, and switch to a higher level temporarily only when they must maintain the device.

When administrators must leave for a while or ask someone else to manage the device temporarily, they can switch to a lower privilege level before they leave to restrict the operation by others.

Configuring the authentication parameters for user privilege level switching

A user can switch to a lower privilege level without authentication. To switch to a higher privilege level, however, a user must provide the privilege level switching authentication information (if any). Table 8 shows the privilege level switching authentication modes supported by the device.

Table 8 Privilege level switching authentication modes

| Authentication mode | Keywords | Description |
|---|---|---|
| Local password authentication only (local-only) | local | The device uses the locally configured passwords for privilege level switching authentication. To use this mode, you must set the passwords for privilege level switching using the super password command. |
| Remote AAA authentication through HWTACACS or RADIUS | scheme | The device sends the username and password for privilege level switching to the HWTACACS or RADIUS server for remote authentication. To use this mode, you must perform the following configuration tasks: · Configure the required HWTACACS or RADIUS schemes and configure the ISP domain to use the schemes for users. For more information, see Security Configuration Guide. · Add user accounts and specify the user passwords on the HWTACACS or RADIUS server. |
| Local password authentication first and then remote AAA authentication | local scheme | The device first uses the locally configured passwords for privilege level switching authentication. If no local password is set, the device allows console users to switch their privilege levels without authentication, but performs AAA authentication for VTY users. |
| Remote AAA authentication first and then local password authentication | scheme local | AAA authentication is performed first, and if the remote HWTACACS or RADIUS server does not respond or AAA configuration on the device is invalid, the local password authentication is performed. |

To configure the authentication parameters for a user privilege level:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the authentication mode for user privilege level switching.
   Command: super authentication-mode { local | scheme } *
   Remarks: Optional. By default, local-only authentication is used.

3. Configure the password for the user privilege level.
   Command: super password [ level user-level ] { cipher | simple } password
   Remarks: If local authentication is involved, this step is required. By default, a privilege level has no password. If no user privilege level is specified when you configure the command, the user privilege level defaults to 3.

If local-only authentication is used, a console user interface user can switch to a higher privilege level, even if the privilege level has not been assigned a password.
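The defaults described above can be checked offline. The following Python audit is an added example, not H3C code: it scans a configuration for passwords entered with the simple keyword and for privilege levels that console users can reach without authentication. The sample configuration is constructed, the finding names are hypothetical, and it assumes that the saved configuration lists the commands in the form this page shows and that simple means the password is given in plaintext.

```python
import re

# Constructed sample in the layout of a saved configuration; not from a real device.
SAMPLE_CONFIG = """\
#
 super password level 2 simple 12345678
#
user-interface vty 0 4
 authentication-mode password
 user privilege level 2
 set authentication password simple 12345678
#
"""

def audit(config):
    """Return (finding, detail) tuples; finding names are hypothetical labels."""
    findings = []
    modes = ["local"]        # page: local-only authentication is the default
    super_levels = set()     # levels that have a local switching password
    section = "system"
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("user-interface "):
            section = line[len("user-interface "):]
        elif line == "#":
            section = "system"
        elif m := re.fullmatch(r"super authentication-mode (.+)", line):
            modes = m.group(1).split()
        elif m := re.fullmatch(r"super password(?: level ([1-3]))? (cipher|simple) \S+", line):
            level = int(m.group(1) or 3)   # page: level defaults to 3 when omitted
            super_levels.add(level)
            if m.group(2) == "simple":     # assumption: simple = plaintext password
                findings.append(("simple-super-password", level))
        elif re.fullmatch(r"set authentication password simple \S+", line):
            findings.append(("simple-login-password", section))
    # Page: when local authentication is tried first and a level has no local
    # password, console users can switch to that level without authentication.
    if modes[0] == "local":
        for level in (1, 2, 3):
            if level not in super_levels:
                findings.append(("console-switch-unauthenticated", level))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```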

Switching to a higher user privilege level

Before you switch to a higher user privilege level, obtain the required authentication data as described in Table 9.

The privilege level switching fails after three consecutive unsuccessful password attempts.

To switch the user privilege level, perform the following task in user view:

Task: Switch the user privilege level.
   Command: super [ level ]
   Remarks: When logging in to the device, a user has a user privilege level, which depends on the user interface or the authentication user level.

Table 9 Information required for user privilege level switching

| Login authentication mode | Level switching authentication mode | Information required for the first authentication mode | Information required for the second authentication mode |
|---|---|---|---|
| none/password | local | Password configured for the privilege level on the device with the super password command. | N/A |
| none/password | local scheme | Password configured for the privilege level on the device with the super password command. | Username and password configured on the AAA server for the privilege level. |
| none/password | scheme | Username and password for the privilege level. | N/A |
| none/password | scheme local | Username and password for the privilege level. | Local user privilege level switching password. |
| scheme | local | Password configured for the privilege level on the device with the super password command. | N/A |
| scheme | local scheme | Password configured for the privilege level on the device with the super password command. | Password for privilege level switching configured on the AAA server. The system uses the login username as the privilege level switching username. |
| scheme | scheme | Password for privilege level switching configured on the AAA server. The system uses the login username as the privilege level switching username. | N/A |
| scheme | scheme local | Password for privilege level switching configured on the AAA server. The system uses the login username as the privilege level switching username. | Password configured on the device with the super password command for the privilege level. |

Changing the level of a command

Every command in a view has a default command level. The default command level scheme is sufficient for the security and ease of maintenance requirements of most networks. If you want to change the level of a command, make sure the change does not result in any security risk or maintenance problem.

To change the level of a command:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Change the level of a command in a specific view.
   Command: command-privilege level level view view command
   Remarks: See Table 7 for the default settings.

Saving the running configuration

You can use the save command in any view to save all submitted and executed commands into the configuration file. Commands saved in the configuration file can survive a reboot. The save command does not take effect on one-time commands, including display and reset commands. One-time commands are never saved.

Displaying and maintaining CLI

Task: Display the command keyword alias configuration.
   Command: display command-alias [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.

Task: Display data in the clipboard.
   Command: display clipboard [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
