R211x-HP Flexfabric 11900 Fundamentals Command Reference

Any change to a user role VLAN policy takes effect only on users who log in with the user role after the
change.
Examples
# Deny the access of role1 to any VLAN.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] vlan policy deny
[Sysname-role-role1-vlanpolicy] quit
# Deny the access of role1 to any VLAN but VLANs 50 to 100.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] vlan policy deny
[Sysname-role-role1-vlanpolicy] permit vlan 50 to 100
Related commands
display role
permit vlan
role
vpn-instance policy deny
Use vpn-instance policy deny to enter user role VPN instance policy view.
Use undo vpn-instance policy deny to restore the default user role VPN instance policy.
Syntax
vpn-instance policy deny
undo vpn-instance policy deny
Default
A user role has access to any VPN.
Views
User role view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The vpn-instance policy deny command denies the access of a user role to any VPN.
To restrict the VPN access of a user role to only a set of VPNs:
1. Use vpn-instance policy deny to deny access to any VPN.
2. Use permit vpn-instance to specify accessible VPNs.
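An offline way to review the deny-then-permit pattern used by both vlan policy deny and vpn-instance policy deny is sketched below. This is an added example, not HP code: the sample configuration text, the VPN name vpn1, the function names, and the handling of several IDs on one permit vlan line are assumptions.

```python
import re

# Constructed sample (assumption): role commands as typed at the CLI on this
# page, prompts stripped, one command per line. vpn1 is a made-up VPN name.
SAMPLE = """\
role name role1
 vlan policy deny
  permit vlan 50 to 100
 vpn-instance policy deny
  permit vpn-instance vpn1
role name role2
 vlan policy deny
role name role3
"""

def expand_vlans(tokens):
    """Expand ['10', '50', 'to', '100'] into a set of VLAN IDs."""
    ids, i = set(), 0
    while i < len(tokens):
        lo = hi = int(tokens[i])
        if tokens[i + 1:i + 2] == ["to"]:
            hi = int(tokens[i + 2])
            i += 2
        ids.update(range(lo, hi + 1))
        i += 1
    return ids

def parse_roles(text):
    """Map role -> policies; None = default (access to any), a set = deny
    policy in force with exactly those entries permitted."""
    roles, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.fullmatch(r"(undo )?(vlan|vpn-instance) policy deny", line)
        if line.startswith("role name "):
            cur = roles.setdefault(line.split()[2], {"vlan": None, "vpn-instance": None})
        elif cur is None:
            continue
        elif m:  # deny enters the policy view; undo restores the default
            cur[m.group(2)] = None if m.group(1) else (cur[m.group(2)] or set())
        elif line.startswith("permit vlan ") and cur["vlan"] is not None:
            cur["vlan"] |= expand_vlans(line.split()[2:])
        elif line.startswith("permit vpn-instance ") and cur["vpn-instance"] is not None:
            cur["vpn-instance"] |= set(line.split()[2:])
    return roles

def allowed(roles, role, kind, item):
    """kind is 'vlan' (item: int) or 'vpn-instance' (item: name)."""
    policy = roles[role][kind]
    return policy is None or item in policy

def unrestricted(roles):
    """Roles still at the default for VLANs or VPNs, for review."""
    return sorted(r for r, p in roles.items() if None in p.values())
```

The result reflects the configured policy only; as stated above for VLAN policies, a change applies only to users who log in with the role after the change.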
To perform any of the following operations, you must make sure the VPN is permitted by the VPN
instance policy of any user role that you are logged in with:
Create, remove, or configure an MPLS L3VPN.