4000 Router Series Fundamentals Command Reference

Predefined user roles

network-admin

Usage guidelines

The vlan policy deny command denies the access of a user role to any VLAN.

To restrict the VLAN access of a user role to only a set of VLANs:

1. Use vlan policy deny to deny access to any VLAN.

2. Use permit vlan to specify accessible VLANs.

To create, remove, or configure a VLAN, enter its view, or specify the VLAN in a feature command, you

must make sure the VLAN is permitted by the VLAN policy of any user role that you are logged in with.

Any change to a user role VLAN policy takes effect only on users that log in with the user role after the

change.

Examples

# Deny the access of role1 to any VLAN.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] vlan policy deny

[Sysname-role-role1-vlanpolicy] quit

# Deny the access of role1 to any VLAN but VLANs 50 to 100.

<Sysname> system-view

[Sysname] role name role1

[Sysname-role-role1] vlan policy deny

[Sysname-role-role1-vlanpolicy] permit vlan 50 to 100

Related commands

• display role

• permit vlan

• role

vpn-instance policy deny

Use vpn-instance policy deny to enter user role VPN instance policy view.

Use undo vpn-instance policy deny to restore the default user role VPN instance policy.

Syntax

vpn-instance policy deny

undo vpn-instance policy deny

Default

A user role has access to any VPN.

Views

User role view

Predefined user roles

network-admin