30
Syntax
permit vlan vlan-id-list
undo permit vlan [ vlan-id-list ]
Default
No permitted VLANs are configured in user role VLAN policy view.
Views
User role VLAN policy view
Predefined user roles
network-admin
Parameters
vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a
VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range
for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must
be greater than the value for the vlan-id1 argument.
Usage guidelines
To permit a user role to access a VLAN after you configure the vlan policy deny command, you
must add the VLAN to the permitted VLAN list of the policy. With the user role, you can perform the
following tasks on the VLANs in the permitted VLAN list:
• Create, remove, or configure the VLANs.
• Enter the VLAN views.
• Specify the VLANs in feature commands.
You can repeat the permit vlan command to add multiple permitted VLANs to a user role VLAN
policy.
The undo permit vlan command removes the entire list of permitted VLANs if you do not specify a
VLAN.
Any change to a user role VLAN policy takes effect only on users who log in with the user role after
the change.
Examples
1. Configure user role role1:
# Permit user role role1 to execute all commands available in interface view and VLAN view.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] rule 1 permit command system-view ; interface *
[Sysname-role-role1] rule 2 permit command system-view ; vlan *
# Permit user role role1 to access VLANs 2, 4, and 50 to 100.
[Sysname-role-role1] vlan policy deny
[Sysname-role-role1-vlanpolicy] permit vlan 2 4 50 to 100
[Sysname-role-role1-vlanpolicy] quit
[Sysname-role-role1] quit
2. Verify that you cannot use user role role1 to work on all VLANs except for VLANs 2, 4, and 50
to 100:
# Verify that you can create VLAN 100 and enter VLAN view.
[Sysname] vlan 100
[Sysname-vlan100] quit
# Verify that you can add Ten-GigabitEthernet 1/0/1 to VLAN 100 as an access port.
To Next Page
Loading...
Need help?
General