Parameters
vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than the value for the vlan-id1 argument.
Usage guidelines
To permit a user role to access a VLAN after you configure the vlan policy deny command, you must add the VLAN to the permitted VLAN list of the policy. With the user role, you can perform the following tasks on the VLANs in the permitted VLAN list:
• Create, remove, or configure the VLANs.
• Enter the VLAN views.
• Specify the VLANs in feature commands.
You can repeat the permit vlan command to add multiple permitted VLANs to a user role VLAN policy.
The undo permit vlan command removes the entire list of permitted VLANs if you do not specify a VLAN.
Any change to a user role VLAN policy takes effect only on users who log in with the user role after the change.
By default, all access ports belong to VLAN 1. To assign an access port to any other VLAN by using the port access vlan command, make sure you have a user role that can access both VLAN 1 and the new VLAN.
Examples
1. Configure user role role1:
# Permit user role role1 to execute all commands available in interface view and VLAN view.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] rule 1 permit command system-view ; interface *
[Sysname-role-role1] rule 2 permit command system-view ; vlan *
# Permit user role role1 to access VLANs 1, 2, 4, and 50 to 100.
[Sysname-role-role1] vlan policy deny
[Sysname-role-role1-vlanpolicy] permit vlan 1 2 4 50 to 100
[Sysname-role-role1-vlanpolicy] quit
[Sysname-role-role1] quit
2. Verify that you cannot use user role role1 to work on any VLANs except for VLANs 1, 2, 4, and 50 to 100:
# Verify that you can create VLAN 100 and enter VLAN view.
[Sysname] vlan 100
[Sysname-vlan100] quit
# Verify that you can add GigabitEthernet 1/0/1 to VLAN 100 as an access port.
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port access vlan 100
[Sysname-GigabitEthernet1/0/1] quit
# Verify that you cannot create VLAN 101 or enter VLAN view.
[Sysname] vlan 101
Permission denied.
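The vlan-id-list rules and the VLAN 1 requirement for access ports can be checked offline against a saved role VLAN policy before it is relied on for separation of duties. The Python below is an added example, not part of the original manual or any vendor code; the function names and sample policy are constructed for illustration, and it assumes that undo permit vlan followed by a VLAN list removes only the listed VLANs.

```python
VLAN_MIN, VLAN_MAX, MAX_ITEMS = 1, 4094, 10  # limits from the Parameters text

def parse_vlan_id_list(text):
    """Expand a vlan-id-list such as '1 2 4 50 to 100' into a set of VLAN IDs."""
    tokens, vlans, items, i = text.split(), set(), 0, 0
    while i < len(tokens):
        is_range = i + 2 < len(tokens) and tokens[i + 1] == "to"
        lo, hi = tokens[i], tokens[i + 2] if is_range else tokens[i]
        if not all(t.isascii() and t.isdigit() for t in (lo, hi)):
            raise ValueError(f"not a VLAN ID: {lo!r} {hi!r}")
        lo, hi = int(lo), int(hi)
        if not (VLAN_MIN <= lo <= VLAN_MAX and VLAN_MIN <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN ID outside {VLAN_MIN}-{VLAN_MAX}")
        if is_range and hi <= lo:
            raise ValueError("vlan-id2 must be greater than vlan-id1")
        vlans.update(range(lo, hi + 1))
        items, i = items + 1, i + (3 if is_range else 1)
    if not 1 <= items <= MAX_ITEMS:
        raise ValueError(f"expected 1 to {MAX_ITEMS} VLAN items, got {items}")
    return vlans

def permitted_vlans(policy_lines):
    """Apply permit/undo lines entered in the role's VLAN policy view, in order."""
    allowed = set()
    for line in policy_lines:
        line = " ".join(line.split())
        if line.startswith("undo permit vlan"):
            rest = line[len("undo permit vlan"):].strip()
            # No VLAN given: the entire permitted list is removed.
            # With a list: assumed to remove only the listed VLANs.
            allowed = allowed - parse_vlan_id_list(rest) if rest else set()
        elif line.startswith("permit vlan "):
            # Repeated permit vlan commands add to the same policy.
            allowed |= parse_vlan_id_list(line[len("permit vlan "):])
    return allowed

def can_assign_access_port(allowed, new_vlan):
    """Access ports start in VLAN 1, so the role needs VLAN 1 and the new VLAN."""
    return 1 in allowed and new_vlan in allowed

# Constructed input: the policy commands from the example above, prompts stripped.
SAMPLE_POLICY = ["vlan policy deny", "permit vlan 1 2 4 50 to 100"]

if __name__ == "__main__":
    allowed = permitted_vlans(SAMPLE_POLICY)
    for vlan in (100, 101):
        print(vlan, vlan in allowed, can_assign_access_port(allowed, vlan))
```

A policy that permits VLAN 100 but omits VLAN 1 fails can_assign_access_port for VLAN 100, which matches the port access vlan guideline above.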