Hide CLI in Cisco I-Syle


Cisco IOS CLI can be “hidden” but at the same time we can still type in the CLI into IOS for it to execute the command.

Say i have one module which defines just one show command “show abc xyz”. With tailf:export none statement, I can completely hide the “show abc xyz” CLI, but when we type in “show abc xyz”, the confd_cli will complains some error:

user1@nfvis> show abc xyz
syntax error: element does not exist
[error][2016-03-21 18:31:26]

IS there anyway for confd to implement the Cisco IOS style hidden CLI?


Instead of using the tailf:export statement, you can use the tailf:hidden statement with a hide group instead in your YANG model. If you list the corresponding hide group in confd.conf, the hidden data can be unhidden with the unhide CLI command. You can find description of this feature in section 3.9 of the ConfD User Guide.

So the tailf:hidden statement will allow us to use the “show abc xyz” command even when the “show abc xyz” is still hidden? We do not want to unhide the CLI.

The “show abc xyz” is for debugging purpose. We do not want to be visible for any production image.

You can define a password for the hide group.

Looks like you do not get my question: we will NEVER unhide the group. so passwd or no passwd does NOT matter to us.

What I want to know is: with tailf:hide for show abc xyz, are we still able to type in “show abc xyz” into confd_cli? YES or NO?

The short answer to your question is no.

Here’s what is stated in section 3.9.2 of the ConfD User Guide:

A hide group can only be unhidden if the group is listed in the confd.conf.
This means that a hide group will be completely hidden to the user interfaces
unless it has been explicitly allowed to be unhidden in confd.conf . A
password can optionally be required to unhide a group.

The hidden part of your data model isn’t accessible until it gets unhidden with the unhide command.

Thanks to confirm. Basically confd does not support the Cisco IOS style hidden CLI implementation.

Hope confd can get this added in the future.

The ConfD CLI does support the “hidden” as in “you can do it if you know it”, but only for commands defined in a clispec file - from the clispec(5) manual page:


The “hidden” element makes a CLI command invisible even though it can
be evaluated if we know about its existence. This comes handy for
commands which are used for debugging or are in pre-release state.

The tailf:hidden YANG extension provides a richer functionality, and is not CLI-specific - the “you can do it if you know it” form of “hidden” obviously only works in a CLI context.