R211x-HP Flexfabric 11900 Fundamentals Command Reference
Default
No permitted VLANs are configured in user role interface policy view.
Views
User role VLAN policy view
Predefined user roles
network-admin
mdc-admin
Parameters
vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN
by its VLAN ID or a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs
is 1 to 4094. If a VLAN range is specified, vlan-id2 must be greater than vlan-id1.
Usage guidelines
To permit a user role to access a VLAN after you configure the vlan policy deny command, you must add
the VLAN to the permitted VLAN list of the policy. With the user role, you can create, remove, or
configure only the VLANs in the permitted VLAN list, enter their views, and specify them in a feature
command.
You can repeat the permit vlan command to add permitted VLANs to a user role VLAN policy.
The undo permit vlan command removes the entire list of permitted VLANs if no VLAN is specified.
Any change to a user role VLAN policy takes effect only on users who log in with the user role after the
change.
Examples
1. Permit the user role role1 to access VLANs 2, 4, and 50 to 100, and to execute all commands
available in interface view and VLAN view.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] rule 1 permit command system-view ; interface *
[Sysname-role-role1] rule 2 permit command system-view ; vlan *
[Sysname-role-role1] vlan policy deny
[Sysname-role-role1-vlanpolicy] permit vlan 2 4 50 to 100
2. Verify that you cannot use the user role to work on any VLAN but VLANs 2, 4, and 50 to 100:
# Verify that you can create VLAN 100 and enter its view.
<Sysname> system-view
[Sysname] vlan 100
[Sysname-vlan100]
# Verify that you can add port Ten-GigabitEthernet 1/0/1 to VLAN 100 as an access port.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] port access vlan 100
# Verify that you cannot create VLAN 101 or enter its view.
<Sysname> system-view
[Sysname] vlan 101
Permission denied.
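Added example (not part of the HP reference): a Python check that validates a vlan-id-list against the limits given under Parameters and replays permit vlan and undo permit vlan commands to compute the effective permitted set, for reviewing a role offline. The function names and the sample session are constructed; removing only the listed VLANs when undo permit vlan is given a list is an assumption.

```python
# Added example: offline check of a user role VLAN policy. Not vendor code.
MAX_ITEMS, VLAN_MIN, VLAN_MAX = 10, 1, 4094  # limits given for vlan-id-list

def parse_vlan_id_list(text):
    """Expand a vlan-id-list such as '2 4 50 to 100' into a set of VLAN IDs."""
    tokens = text.split()
    vlans, items, i = set(), 0, 0
    while i < len(tokens):
        if not tokens[i].isdigit():
            raise ValueError(f"unexpected token {tokens[i]!r}")
        low = high = int(tokens[i])
        i += 1
        if i < len(tokens) and tokens[i] == "to":
            if i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
                raise ValueError("'to' must be followed by a VLAN ID")
            high = int(tokens[i + 1])
            i += 2
            if high <= low:
                raise ValueError(f"{low} to {high}: vlan-id2 must be greater than vlan-id1")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"VLAN ID outside {VLAN_MIN} to {VLAN_MAX}")
        items += 1
        vlans.update(range(low, high + 1))
    if not 1 <= items <= MAX_ITEMS:
        raise ValueError(f"expected 1 to {MAX_ITEMS} VLAN items, got {items}")
    return vlans

def permitted_vlans(commands):
    """Replay VLAN policy view commands in order; return the permitted set."""
    permitted = set()
    for line in commands:
        cmd = line.split("]", 1)[-1].strip()  # drop a leading [prompt] if present
        if cmd.startswith("undo permit vlan"):
            arg = cmd[len("undo permit vlan"):].strip()
            # Bare form clears the list (per the page); removing only the
            # listed VLANs when a list is given is an assumption.
            permitted = permitted - parse_vlan_id_list(arg) if arg else set()
        elif cmd.startswith("permit vlan"):
            permitted |= parse_vlan_id_list(cmd[len("permit vlan"):])
    return permitted

# Constructed session: the page's example plus a repeated permit vlan command.
SESSION = [
    "[Sysname-role-role1-vlanpolicy] permit vlan 2 4 50 to 100",
    "[Sysname-role-role1-vlanpolicy] permit vlan 200",
]
allowed = permitted_vlans(SESSION)
for vlan in (100, 101, 200):
    print(vlan, "permitted" if vlan in allowed else "Permission denied.")
```

Because a policy change applies only to users who log in after it, the computed set describes what new sessions with the role can reach, not sessions already open.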










