4000 Router Series Fundamentals Command Reference

Parameters

vpn-instance-name&<1-10>: Specifies a space-separated list of up to 10 MPLS L3VPN names. Each

name is a case-sensitive string of 1 to 31 characters.

Usage guidelines

To permit a user role to access an MPLS L3VPN after you configure the vpn-instance policy deny

command, you must add the VPN to the permitted VPN list of the policy. With the user role, you can

create, remove, configure only the VPNs in the permitted VPN list, enter their views, and specify them in

a feature command.

You can repeat the permit vpn-instance command to add permitted MPLS L3VPNs to a user role interface

policy.

The undo permit interface command removes the entire list of permitted VPNs if no VPN is specified.

Any change to a user role VPN instance policy takes effect only on users that log in with the user role after

the change.

Examples

# Permit the user role role1 to access VPN 1 and to execute all the commands available in system view

and in the child views of system view.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] rule 1 permit command system-view ; *

[Sysname-role-role1] vpn policy deny

[Sysname-role-role1-vpnpolicy] permit vpn-instance vpn1

Verify that you cannot use the user role to work on any VPN but VPN 1:

# Verify that you can enter VPN1 view.

<Sysname> system-view

[Sysname] ip vpn-instance vpn1

[Sysname-vpn-instance-vpn1]

# Verify that you can assign the primary accounting server at 10.110.1.2 to the VPN in the RADIUS

scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 vpn-instance vpn1

# Verify that you cannot create the VPN vpn2 or enter its view.

<Sysname> system-view

[Sysname] ip vpn-instance vpn2

Permission denied.

Related commands

• display role

• role

• vpn-instance policy deny