Privilege levels for CLI access

Privilege levels at log on

Privilege levels control the type of access to the CLI. To implement this control, you must set at least a Manager password. Without a Manager password configured, anyone having serial port, Telnet, or web browser access to the switch can reach all CLI levels. (For more on setting passwords, see the usernames and passwords in the Access Security Guide for your switch.)

When you use the CLI to log on to the switch, and passwords are set, you will be prompted to enter a password. For example:

CLI log-on screen with password(s) set

HP J8697A Switch 5406zl
Software revision K.15.12.0001

Copyright (C) 1991-2013 Hewlett-Packard Development Company, L.P.

                      RESTRICTED RIGHTS LEGEND
Confidential computer software.  Valid license from HP required for possession,
use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer
Software, Computer Software Documentation, and Technical Data for Commercial
Items are licensed to the U.S. Government under vendor's standard commercial
license.
                     HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
                   20555 State Highway 249, Houston, TX 77070

We'd like to keep you up to date about:
  * Software feature updates
  * New product announcements
  * Special events
Please register your products now at:  www.hp.com/networking/register


Username:

In the above case, you will enter the CLI at the level corresponding to the password you provide (operator or manager).

If no passwords are set when you log on to the CLI, you will enter at the Manager level. For example:

switch# _


CAUTION: Hewlett Packard Enterprise strongly recommends that you configure a Manager password. If a Manager password is not configured, then the Manager level is not password-protected, and anyone having in-band or out-of-band access to the switch may be able to reach the Manager level and compromise switch and network security. Note that configuring only an Operator password does not prevent access to the Manager level by intruders who have the Operator password.

Pressing the Clear button on the front of the switch removes password protection. For this reason, it is recommended that you protect the switch from physical access by unauthorized persons. If you are concerned about switch security and operation, you must install the switch in a secure location, such as a locked wiring closet.


Privilege level operation

The access sequence for the various privilege levels is shown in Access sequence for privilege levels.

Access sequence for privilege levels

You can move between the privilege levels. The following table lists examples and results of movement between the privilege levels.

Change in levels, with example of prompt, command, and result:

  • Operator level to Manager level

    switch> enable
    Password:_
    switch#_

    After you enter enable, the Password prompt appears. After you enter the Manager password, the system prompt appears with the # symbol.

  • Manager level to Global configuration level

    switch# config
    switch(config)#

  • Global configuration level to a Context configuration level

    switch(config)# vlan 10
    switch(vlan-10)#

  • Context configuration level to another Context configuration level

    switch(vlan-10)# interface e 3
    switch(int-3)#

    The CLI accepts "e" as the abbreviated form of "ethernet".

  • Move from any level to the preceding level

    switch(int-3)# exit
    switch(config)# exit
    switch# exit
    switch>

  • Move from any level to the Manager level

    switch(int-3)# end
    switch#

    -or-

    switch(config)# end
    switch#

Moving between the CLI and the Menu interface. When moving between interfaces, the switch retains the current privilege level (Manager or Operator). That is, if you are at the Operator level in the menu and select the Command Line Interface (CLI) option from the Main Menu, the CLI prompt appears at the Operator level.

Changing parameter settings. Regardless of which interface is used (CLI, menu interface, or WebAgent), the most recently configured version of a parameter setting overrides any earlier settings for that parameter. For example, if you use the menu interface to configure an IP address of "X" for VLAN 1 and later use the CLI to configure a different IP address of "Y" for VLAN 1, then "Y" replaces "X" as the IP address for VLAN 1 in the running-config file. If you subsequently execute write memory in the CLI, then the switch also stores "Y" as the IP address for VLAN 1 in the startup-config file. (For more on the startup-config and running-config files, see "Switch Memory and Configuration".)

Operator privileges

At the Operator level, you can examine the current configuration and move between interfaces without being able to change the configuration. A ">" character delimits the Operator-level prompt. For example:

switch>_

(Example of the Operator prompt.)

When using enable to move to the Manager level, the switch prompts you for the Manager password if one has already been configured.

Manager privileges

Manager privileges give you three additional levels of access: Manager, Global Configuration, and Context Configuration. A "#" character delimits any Manager prompt. For example:

switch#_

(Example of the Manager prompt.)

  • Manager level: Provides all Operator level privileges plus the ability to perform system-level actions that do not require saving changes to the system configuration file. The prompt for the Manager level contains only the system name and the "#" delimiter, as shown above. To select this level, enter the enable command at the Operator prompt and enter the Manager password, when prompted. For example:

    switch> enable
    Password:
    switch# _ 

    Enter enable at the Operator prompt. The CLI prompts for the Manager password. The Manager prompt appears after the correct Manager password is entered.
  • Global configuration level: Provides all Operator and Manager level privileges, and enables you to make configuration changes to any of the switch’s software features. The prompt for the Global Configuration level includes the system name and "(config)". To select this level, enter the config command at the Manager prompt. For example:

    switch# config
    switch(config)#_

    Enter config at the Manager prompt. The Global Config prompt appears.
  • Context configuration level: Provides all Operator and Manager privileges, and enables you to make configuration changes in a specific context, such as one or more ports or a VLAN. The prompt for the Context Configuration level includes the system name and the selected context. For example:

    switch(eth-1)#
    switch(vlan-10)#
    

    The Context level is useful, for example, for executing several commands directed at the same port or VLAN, or if you want to shorten the command strings for a specific context area. To select this level, enter the specific context at the Global Configuration level prompt. For example, to select the context level for an existing VLAN with the VLAN ID of 10, you would enter the following command and see the indicated result:

    switch(config)# vlan 10
    switch(vlan-10)#
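
Added example (not part of the original guide and not vendor code): a Python check that classifies the prompt shapes described above and walks a console transcript, flagging any point where a "#" prompt is reached with no Username or Password prompt, which is how an unset Manager password shows up in a session. The transcripts are constructed, and the names classify and audit are hypothetical.

```python
import re

# Prompt shapes from the page: switch>  switch#  switch(config)#  switch(vlan-10)#
# A trailing "_" is the cursor shown in the page's examples.
PROMPT = re.compile(r'^(?P<host>[\w.-]+)(?:\((?P<ctx>[^)]+)\))?(?P<delim>[>#])\s*_?\s*(?P<cmd>.*)$')

def classify(line):
    """Return (level, command) for a CLI prompt line, or None if it is not a prompt."""
    m = PROMPT.match(line.strip())
    if not m or (m['delim'] == '>' and m['ctx']):
        return None
    if m['delim'] == '>':
        level = 'operator'
    elif m['ctx'] is None:
        level = 'manager'
    elif m['ctx'] == 'config':
        level = 'global-config'
    else:
        level = 'context:' + m['ctx']
    return level, m['cmd'].strip()

def audit(transcript):
    """List (line_no, message) where a '#' prompt was reached with no password prompt."""
    findings, prev, asked = [], None, False
    for n, raw in enumerate(transcript.splitlines(), 1):
        text = raw.strip()
        if text.startswith(('Username:', 'Password:')):
            asked = True
            continue
        hit = classify(text)
        if hit is None:
            continue
        level = hit[0]
        if level != 'operator' and prev in (None, 'operator') and not asked:
            how = 'at log on' if prev is None else 'via enable'
            findings.append((n, 'Manager level reached %s without a password prompt' % how))
        prev, asked = level, False
    return findings

# Constructed transcripts (not captured from a real switch).
PROTECTED = "Username: admin\nPassword:\nswitch> enable\nPassword:\nswitch# config\nswitch(config)# vlan 10\nswitch(vlan-10)# end\nswitch# exit\nswitch>"
OPEN_LOGON = "switch# _\nswitch# config\nswitch(config)#"
OPERATOR_ONLY = "Username: operator\nPassword:\nswitch> enable\nswitch# _"

if __name__ == '__main__':
    for name, t in [('protected', PROTECTED), ('open', OPEN_LOGON), ('operator-only', OPERATOR_ONLY)]:
        print(name, audit(t))
```
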
    

Privilege level hierarchy — Operator Privilege

Privilege level, with example of prompt and permitted operations:

Operator Level

    switch>

  • show <command> setup: View status and configuration information.
  • ping <argument>, link-test <argument>: Perform connectivity tests.
  • enable: Move from the CLI interface to the menu interface.

    NOTE: Use enable at the Operator level to move to the Manager level.

  • menu: Move from the CLI interface to the menu interface.
  • logout: Exit from the CLI interface and terminate the console session.
  • exit: Terminate the current session (same as logout).

Privilege level hierarchy — Manager Privilege

Privilege level, with example of prompt and permitted operations:

  • Manager Level

    switch#

    Perform system-level actions such as system control, monitoring, and diagnostic commands, plus any of the Operator-level commands. For a list of available commands, enter ? at the prompt.

  • Global Configuration Level

    switch(config)#

    Execute configuration commands, plus all Operator and Manager commands. For a list of available commands, enter ? at the prompt.

  • Context Configuration Level

    switch(eth-5)#
    switch(vlan-100)#

    Execute context-specific configuration commands, such as a particular VLAN or switch port. This is useful for shortening the command strings you type, and for entering a series of commands for the same context. For a list of available commands, enter ? at the prompt.