Configuring VLAN policy

  1. Run the aaa authorization group command.
  2. Specify the group parameter.
  3. Specify the match-command parameter for the desired VLAN policy.
  4. Specify the access: permit or deny.


If a command must be preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule.

In this example, the network-admin role is denied access to the "policy:vlan:10-12,20,30-40" VLAN policy. The sequence parameter is used to give order to the sequence of commands to be executed. See: example

Since only one VLAN policy rule can be assigned per role, if access is permitted for VLAN IDs 10 to 12, access to the rest of the VLAN IDs is denied for the same role. Similarly, if access is denied for VLAN IDs 10 to 12, then access to the rest of the VLAN IDs is permitted for the same role.

Configuring VLAN policy rules

# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit

# aaa authorization group "network-admin" 2 match-command "command:configure vlan" permit log

# aaa authorization group "network-admin" 3 match-command "policy:vlan:10-12,20,30-40" deny log