permit interface

Use permit interface to configure a list of interfaces accessible to a user role.

Use undo permit interface to remove a user role's access to specific permitted interfaces, or to all of them.

Syntax

permit interface interface-list

undo permit interface [ interface-list ]

Default

No permitted interfaces are configured in user role interface policy view.

Views

User role interface policy view

Predefined user roles

network-admin

mdc-admin

Parameters

interface interface-list: Specifies a space-separated list of up to 10 interface items. Each interface item specifies one interface in the interface-type interface-number form or a range of interfaces in the interface-type interface-number to interface-type interface-number form. If you specify an interface range, the end interface must meet the following requirements:

Usage guidelines

To permit a user role to access an interface after you configure the interface policy deny command, you must add the interface to the permitted interface list of the policy. With the user role, you can perform the following operations to the interfaces in the permitted interface list:

The create and remove operations are available only for logical interfaces.

You can repeat the permit interface command to add permitted interfaces to a user role interface policy.

The undo permit interface command removes the entire list of permitted interfaces if you do not specify an interface.

Any change to a user role interface policy takes effect only on users who log in with the user role after the change.

Examples

  1. Configure user role role1:

    # Permit the user role to execute all commands available in interface view and VLAN view.

    <Sysname> system-view
    [Sysname] role name role1
    [Sysname-role-role1] rule 1 permit command system-view ; interface *
    [Sysname-role-role1] rule 2 permit command system-view ; vlan *
    

    # Permit the user role to access FortyGigE 1/0/1, and FortyGigE 1/0/5 to FortyGigE 1/0/7.

    [Sysname-role-role1] interface policy deny
    [Sysname-role-role1-ifpolicy] permit interface fortygige 1/0/1 fortygige 1/0/5 to fortygige 1/0/7
    [Sysname-role-role1-ifpolicy] quit
    [Sysname-role-role1] quit
    
  2. Verify that you cannot use the user role to work on any interfaces except FortyGigE 1/0/1 and FortyGigE 1/0/5 to FortyGigE 1/0/7:

    # Verify that you can enter FortyGigE 1/0/1 interface view.

    [Sysname] interface fortygige 1/0/1
    [Sysname-FortyGigE1/0/1] quit
    

    # Verify that you can assign FortyGigE 1/0/5 to VLAN 10. In this example, the user role can access all VLANs because the default VLAN policy of the user role is used.

    [Sysname] vlan 10
    [Sysname-vlan10] port fortygige 1/0/5
    [Sysname-vlan10] quit
    

    # Verify that you cannot enter FortyGigE 1/0/2 interface view.

    [Sysname] interface fortygige 1/0/2
    Permission denied.
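The policy configured in the examples above can be modelled offline to audit which interfaces a role may act on before it is assigned. This is an added example written for this page, not Comware code; it assumes interface names of the form `<type> <chassis>/<slot>/<port>` and assumes the range rules (same type and slot, end port not lower than the start), which the page elides.

```python
"""Offline model of the interface policy on this page (added example, not device code).
Assumed: interface names look like '<type> <chassis>/<slot>/<port>', and a range stays
within one type and slot with end port >= start port (the page elides the real rules)."""
import re
IFACE_RE = re.compile(r"^([A-Za-z]+)\s*(\d+)/(\d+)/(\d+)$")

def parse_iface(text):
    """'fortygige 1/0/5' or 'FortyGigE1/0/5' -> ('fortygige', 1, 0, 5)."""
    m = IFACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised interface: {text!r}")
    return (m.group(1).lower(), int(m.group(2)), int(m.group(3)), int(m.group(4)))

def expand_interface_list(args):
    """Expand 'fortygige 1/0/1 fortygige 1/0/5 to fortygige 1/0/7' into a set of interfaces."""
    tokens, i, items, result = args.split(), 0, 0, set()
    while i < len(tokens):
        start = parse_iface(tokens[i] + " " + tokens[i + 1])
        i += 2
        if i < len(tokens) and tokens[i].lower() == "to":      # range form
            end = parse_iface(tokens[i + 1] + " " + tokens[i + 2])
            i += 3
            if end[:3] != start[:3] or end[3] < start[3]:
                raise ValueError("invalid interface range")
            result.update(start[:3] + (p,) for p in range(start[3], end[3] + 1))
        else:
            result.add(start)
        items += 1
    if items > 10:                                            # command limit from the page
        raise ValueError("at most 10 interface items per command")
    return result

class RoleInterfacePolicy:
    """Replays policy-view lines; answers whether the role may act on an interface."""
    def __init__(self):
        self.deny = False       # without `interface policy deny`, any interface is accessible
        self.permitted = set()

    def apply(self, line):
        line = line.strip()
        if line == "interface policy deny":
            self.deny = True
        elif line.startswith("undo permit interface"):
            rest = line[len("undo permit interface"):].strip()
            # no interface-list given: the entire permitted list is removed
            self.permitted = self.permitted - expand_interface_list(rest) if rest else set()
        elif line.startswith("permit interface "):
            self.permitted |= expand_interface_list(line[len("permit interface "):])

    def allows(self, iface):
        return not self.deny or parse_iface(iface) in self.permitted
```

Feed it the lines from the role1 example and query `allows("fortygige 1/0/2")` to confirm the same "Permission denied" outcome the session above shows.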
    

Related commands

display role

interface policy deny

role