HP MSR2000/3000/4000 Router Series Fundamentals Command Reference
Syntax
permit interface interface-list
undo permit interface [ interface-list ]
Default
No permitted interfaces are configured in user role interface policy view. A user role cannot access any
interface after you configure the interface policy deny command.
Views
User role interface policy view
Predefined user roles
network-admin
Parameters
interface interface-list: Specifies a space-separated list of up to 10 interface items. Each interface item
specifies one interface in the interface-type interface-number form or a range of interfaces in the
interface-type interface-number to interface-type interface-number form. If an interface range is specified,
the end interface must be the same type as the start interface and must have a higher interface number
than the start interface.
Usage guidelines
To permit a user role to access an interface after you configure the interface policy deny command, you
must add the interface to the permitted interface list of the policy. With the user role, you can create,
remove, or configure only the interfaces in the permitted interface list, enter their views, and specify them in
a feature command. The create and remove operations are available only to logical interfaces.
You can repeat the permit interface command to add permitted interfaces to a user role interface policy.
The undo permit interface command removes the entire list of permitted interfaces if no interface is
specified.
Any change to a user role interface policy takes effect only on users that log in with the user role after the
change.
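An added example, not taken from the HP reference: a small Python model of the interface-list rules under Parameters and of the deny-unless-permitted behaviour under Usage guidelines, for checking which interfaces a role's permit list covers when reviewing a saved configuration. It assumes full interface type names separated from the number by a space, and that interface numbers compare component by component (1/5 is lower than 1/7); the function names are hypothetical.

```python
import re

MAX_ITEMS = 10  # "up to 10 interface items" per the Parameters text
NUMBER = re.compile(r"\d+(/\d+)*")  # e.g. 1/1; compared as integer tuples (assumption)


def parse_number(text):
    if not NUMBER.fullmatch(text):
        raise ValueError(f"bad interface number: {text!r}")
    return tuple(int(part) for part in text.split("/"))


def parse_interface_list(text):
    """Turn an interface-list string into (type, start, end) items."""
    tokens = text.lower().split()
    items, i = [], 0
    while i < len(tokens):
        if len(tokens) - i < 2:
            raise ValueError("interface item needs a type and a number")
        itype, start = tokens[i], parse_number(tokens[i + 1])
        end, i = start, i + 2
        if i < len(tokens) and tokens[i] == "to":
            if len(tokens) - i < 3:
                raise ValueError("incomplete range after 'to'")
            end_type, end = tokens[i + 1], parse_number(tokens[i + 2])
            i += 3
            if end_type != itype:
                raise ValueError("range end must be the same type as the start")
            if end <= start:
                raise ValueError("range end must be higher than the start")
        items.append((itype, start, end))
    if not 1 <= len(items) <= MAX_ITEMS:
        raise ValueError(f"list must hold 1 to {MAX_ITEMS} interface items")
    return items


def is_permitted(items, interface):
    """Model of 'interface policy deny': only listed interfaces are accessible."""
    itype, number = interface.lower().split()
    n = parse_number(number)
    return any(t == itype and len(n) == len(lo) and lo <= n <= hi
               for t, lo, hi in items)


if __name__ == "__main__":
    # The list from the page's example.
    policy = parse_interface_list("ethernet 1/1 ethernet 1/5 to ethernet 1/7")
    for name in ("Ethernet 1/1", "Ethernet 1/6", "Ethernet 1/2"):
        print(name, "permitted" if is_permitted(policy, name) else "denied")
```

Passing an empty list to is_permitted models a policy where interface policy deny is configured with no permit interface entries: every interface is denied.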
Examples
# Permit the user role role1 to access Ethernet 1/1 and Ethernet 1/5 to Ethernet 1/7, enter interface view
and VLAN view, and execute all the commands that are available in interface view and VLAN view.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] rule 1 permit command system-view ; interface *
[Sysname-role-role1] rule 2 permit command system-view ; vlan *
[Sysname-role-role1] interface policy deny
[Sysname-role-role1-ifpolicy] permit interface ethernet 1/1 ethernet 1/5 to ethernet 1/7
Verify that you cannot use the user role to work on any interfaces but Ethernet 1/1 and Ethernet 1/5 to
Ethernet 1/7:
# Verify that you can enter Ethernet 1/1 interface view.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1]