4000 Router Series Fundamentals Command Reference

Syntax

interface policy deny

undo interface policy deny

Default

A user role has access to any interface.

Views

User role view

Predefined user roles

network-admin

Usage guidelines

The interface policy deny command denies the access of a user role to any interface.

To restrict the interface access of a user role to only a set of interfaces:

1. Use interface policy deny to deny access to any interface.

2. Use permit interface to specify accessible interfaces.

To create, remove, or configure an interface, enter its interface view, or specify the interface in a feature

command, you must make sure the interface is permitted by the interface policy of any user role that you

are logged in with. The create and remove operations are available only to logical interfaces.

Any change to a user role interface policy takes effect only on users that log in with the user role after the

change.

Examples

# Deny the user role role1 to access any interface.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] interface policy deny

[Sysname-role-role1-ifpolicy] quit

# Deny the user role role1 to access any interface but Ethernet 1/1 to Ethernet 1/5.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] interface policy deny

[Sysname-role-role1-ifpolicy] permit interface ethernet 1/1 to ethernet 1/5

Related commands

• display role

• permit interface

• role

permit interface

Use permit interface to configure a list of interfaces accessible to a user role.

Use undo permit interface to disable the access of a user role to specific interfaces.