HP MSR2000/3000/4000 Router Series Fundamentals Command Reference

Usage guidelines
The vpn-instance policy deny command denies the access of a user role to any VPN.
To restrict the VPN access of a user role to only a set of VPNs:
1. Use vpn-instance policy deny to deny access to any VPN.
2. Use permit vpn-instance to specify accessible VPNs.
To create, remove, or configure an MPLS L3VPN, enter its view, or specify it in a feature command, you
must make sure the VPN is permitted by the VPN instance policy of any user role that you are logged in
with.
Any change to a user role VPN instance policy takes effect only on users that log in with the user role after
the change.
Examples
# Deny the access of user role role1 to any VPN.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] vpn-instance policy deny
[Sysname-role-role1-vpnpolicy] quit
# Deny the access of user role role1 to any VPN but vpn2.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] vpn-instance policy deny
[Sysname-role-role1-vpnpolicy] permit vpn-instance vpn2
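The deny-then-permit model above can be audited offline from saved configuration text. The following Python sketch is an added example, not part of the HP command reference. It assumes the saved configuration lists each role's commands indented under its `role name` line; the sample text, function names, and allowlist are constructed for illustration.

```python
import re

# Constructed sample configuration text (not from the reference). Assumption:
# each role's commands appear indented under its "role name" line.
SAMPLE_CONFIG = """\
role name role1
 vpn-instance policy deny
  permit vpn-instance vpn2
#
role name role2
 vpn-instance policy deny
#
role name role3
 description no VPN policy configured
#
"""

def vpn_access_by_role(config_text):
    """Map each role to None (no 'vpn-instance policy deny' seen, so this
    policy does not restrict it) or to the set of VPNs it is permitted."""
    access = {}
    role = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # Top-level line: either opens a role view or leaves the current one.
            m = re.fullmatch(r"role name (\S+)", line)
            role = m.group(1) if m else None
            if role:
                access.setdefault(role, None)
            continue
        if role is None:
            continue
        if line == "vpn-instance policy deny":
            if access[role] is None:
                access[role] = set()
        else:
            m = re.fullmatch(r"permit vpn-instance (.+)", line)
            # A permit line counts only under a deny policy; splitting
            # tolerates more than one VPN name on the line.
            if m and access[role] is not None:
                access[role].update(m.group(1).split())
    return access

def roles_outside_allowlist(access, allowed):
    """Return roles whose VPN access is unrestricted or exceeds `allowed`."""
    return sorted(r for r, vpns in access.items()
                  if vpns is None or not vpns <= set(allowed))
```

Because a policy change applies only to users who log in after it, a clean audit result does not cover sessions that were already open when the policy was changed.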
Related commands
display role
permit vpn-instance
role