[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] port access vlan 100
[Sysname-Ten-GigabitEthernet1/0/1] quit
# Verify that you cannot create VLAN 101 or enter VLAN view.
[Sysname] vlan 101
Permission denied.
Related commands
display role
role
vlan policy deny
permit vpn-instance
Use permit vpn-instance to configure a list of MPLS L3VPN instances accessible to a user role.
Use undo permit vpn-instance to disable the access of a user role to specific MPLS L3VPN
instances.
Syntax
permit vpn-instance vpn-instance-name&<1-10>
undo permit vpn-instance [ vpn-instance-name&<1-10> ]
Default
No permitted VPN instances are configured in a user role VPN instance policy.
Views
User role VPN instance policy view
Predefined user roles
network-admin
Parameters
vpn-instance-name&<1-10>: Specifies a space-separated list of up to 10 MPLS L3VPN instance
names. Each name is a case-sensitive string of 1 to 31 characters.
Usage guidelines
To permit a user role to access a VPN instance after you configure the vpn-instance policy deny
command, you must add the VPN instance to the permitted VPN instance list of the policy. With the
user role, you can perform the following tasks on the VPN instances in the permitted VPN instance
list:
• Create, remove, or configure the VPN instances.
• Enter the VPN instance views.
• Specify the VPN instances in feature commands.
You can repeat the permit vpn-instance command to add multiple permitted VPN instances to a
user role VPN instance policy.
The undo permit vpn-instance command removes the entire list of permitted VPN instances if you
do not specify a VPN instance.
Any change to a user role VPN instance policy takes effect only on users who log in with the user role
after the change.
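The following Python model is an added illustration, not code from this manual or from the device software. It applies the list semantics described above (accumulating permit commands, undo with and without names, the 1 to 10 name and 1 to 31 character limits, and the login-time effect of changes); the names VpnInstancePolicy, apply, login, and demo are hypothetical, and the model assumes vpn-instance policy deny is already configured for the role.

```python
# Added illustration: models the documented list semantics; not device code.
class VpnInstancePolicy:
    """Permitted-VPN-instance list of one user role (policy deny assumed configured)."""

    def __init__(self):
        self.permitted = set()          # names are case-sensitive, so no case folding

    @staticmethod
    def _check(names):
        if not 1 <= len(names) <= 10:
            raise ValueError("a command takes 1 to 10 VPN instance names")
        for n in names:
            if not 1 <= len(n) <= 31:
                raise ValueError(f"name must be 1 to 31 characters: {n!r}")

    def apply(self, line):
        """Apply one 'permit vpn-instance' or 'undo permit vpn-instance' line."""
        words = line.split()
        undo = words[:1] == ["undo"]
        if undo:
            words = words[1:]
        if words[:2] != ["permit", "vpn-instance"]:
            raise ValueError(f"unsupported command: {line!r}")
        names = words[2:]
        if undo and not names:
            self.permitted.clear()      # undo without names removes the entire list
            return
        self._check(names)
        if undo:
            self.permitted -= set(names)    # undo with names removes only those
        else:
            self.permitted |= set(names)    # repeated permit commands accumulate

    def login(self):
        """Snapshot seen by a user logging in now; later changes do not reach it."""
        return frozenset(self.permitted)


def demo():
    policy = VpnInstancePolicy()
    policy.apply("permit vpn-instance vpn1 vpn2")
    policy.apply("permit vpn-instance VPN1")        # distinct from vpn1
    early = policy.login()                          # logs in before any removal
    policy.apply("undo permit vpn-instance vpn2")
    mid = policy.login()
    policy.apply("undo permit vpn-instance")
    late = policy.login()
    return early, mid, late
```

In demo(), the early snapshot still contains vpn2 after the undo commands run, which is the behavior to account for when you remove a VPN instance from a role that has users logged in.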