permit vpn-instance

Use permit vpn-instance to configure a list of VPN instances accessible to a user role.

Use undo permit vpn-instance to disable the access of a user role to specific VPN instances.

Syntax

permit vpn-instance vpn-instance-name&<1-10>

undo permit vpn-instance [ vpn-instance-name&<1-10> ]

Default

No permitted VPN instances are configured in a user role VPN instance policy.

Views

User role VPN instance policy view

Predefined user roles

network-admin

mdc-admin

Parameters

vpn-instance-name&<1-10>: Specifies a space-separated list of up to 10 MPLS L3VPN instance names. Each name is a case-sensitive string of 1 to 31 characters.

Usage guidelines

To permit a user role to access an MPLS L3VPN instance after you configure the vpn-instance policy deny command, you must add the VPN instance to the permitted VPN instance list of the policy. With the user role, you can perform the following tasks on the VPN instances in the permitted VPN instance list:

You can repeat the permit vpn-instance command to add permitted MPLS L3VPN instances to a user role VPN instance policy.

The undo permit vpn-instance command removes the entire list of permitted VPN instances if you do not specify a VPN instance.

Any change to a user role VPN instance policy takes effect only on users who log in with the user role after the change.
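The usage guidelines above describe three rules that an auditor needs to apply when reading a device configuration: a role is restricted only after vpn-instance policy deny is configured, repeated permit vpn-instance commands accumulate into one permitted list, and undo permit vpn-instance without a name clears the whole list. The following Python script is an added example, not part of this command reference and not H3C/HPE code. It evaluates those rules over the text of a configuration so you can answer "which roles may act on VPN instance X?". It assumes the configuration lists each role as a block starting with role name, terminated by a # separator line, with the policy lines nested under it exactly as the commands are typed; the sample configuration is constructed for the example, and the block layout should be checked against your own display current-configuration output.

```python
"""Audit helper for user role VPN instance policies (added example, not vendor code).

Assumed configuration layout (verify against your device):
    role name <name>
     vpn-instance policy deny
      permit vpn-instance <name> [<name> ...]
    #
"""
import re
from dataclasses import dataclass, field

MAX_NAMES_PER_COMMAND = 10   # from the syntax: vpn-instance-name&<1-10>
MAX_NAME_LENGTH = 31         # each name is 1 to 31 characters


@dataclass
class RolePolicy:
    """VPN instance policy state of one user role."""
    name: str
    deny_by_default: bool = False                 # True once 'vpn-instance policy deny' is seen
    permitted: set = field(default_factory=set)   # union of every 'permit vpn-instance' list

    def can_access(self, vpn_name):
        # Without 'vpn-instance policy deny' the policy imposes no VPN restriction.
        if not self.deny_by_default:
            return True
        return vpn_name in self.permitted


def parse_roles(config_text):
    """Return {role_name: RolePolicy} for every 'role name' block in config_text."""
    roles = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":                       # section separator ends the current role block
            current = None
            continue
        m = re.fullmatch(r"role name (\S+)", line)
        if m:
            current = RolePolicy(m.group(1))
            roles[current.name] = current
            continue
        if current is None or not line:       # lines outside a role block are irrelevant here
            continue
        if line == "vpn-instance policy deny":
            current.deny_by_default = True
            continue
        m = re.fullmatch(r"(undo )?permit vpn-instance(?: (.+))?", line)
        if not m:
            continue                          # other role commands (rule, description, ...) are ignored
        if not current.deny_by_default:
            raise ValueError(f"{current.name}: permit vpn-instance outside vpn-instance policy deny")
        names = m.group(2).split() if m.group(2) else []
        if len(names) > MAX_NAMES_PER_COMMAND:
            raise ValueError(f"{current.name}: more than {MAX_NAMES_PER_COMMAND} names in one command")
        for n in names:
            if not 1 <= len(n) <= MAX_NAME_LENGTH:
                raise ValueError(f"{current.name}: invalid VPN instance name {n!r}")
        if m.group(1):                        # undo form
            if names:
                current.permitted.difference_update(names)
            else:
                current.permitted.clear()     # undo with no name removes the entire list
        else:
            if not names:
                raise ValueError(f"{current.name}: permit vpn-instance needs at least one name")
            current.permitted.update(names)   # repeated commands accumulate
    return roles


def roles_with_access(config_text, vpn_name):
    """Sorted names of roles whose VPN instance policy allows acting on vpn_name."""
    return sorted(r.name for r in parse_roles(config_text).values() if r.can_access(vpn_name))


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
role name role1
 rule 1 permit command system-view ; *
 vpn-instance policy deny
  permit vpn-instance vpn1
#
role name role2
 rule 1 permit command system-view ; *
 vpn-instance policy deny
  permit vpn-instance vpn1 vpn2
  permit vpn-instance vpn3
#
role name role3
 rule 1 permit command system-view ; *
#
"""

if __name__ == "__main__":
    for vpn in ("vpn1", "vpn2", "vpn3"):
        print(vpn, "->", roles_with_access(SAMPLE_CONFIG, vpn))
```

In the sample, role3 has no VPN instance policy at all and therefore appears in every result; that is the case an auditor usually wants to surface, because the restriction only exists once vpn-instance policy deny is configured. Because a policy change affects only users who log in with the role after the change, a clean configuration does not prove that already established sessions are restricted; check active sessions separately.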

Examples

  1. Configure user role role1:

    # Permit the user role to execute all commands available in system view and in the child views of system view.

    <Sysname> system-view
    [Sysname] role name role1
    [Sysname-role-role1] rule 1 permit command system-view ; *

    # Permit the user role to access VPN instance vpn1.

    [Sysname-role-role1] vpn-instance policy deny
    [Sysname-role-role1-vpnpolicy] permit vpn-instance vpn1
    [Sysname-role-role1-vpnpolicy] quit
    [Sysname-role-role1] quit

  2. Verify that you cannot use the user role to work on any VPN instance except vpn1:

    # Verify that you can enter the view of vpn1.

    [Sysname] ip vpn-instance vpn1
    [Sysname-vpn-instance-vpn1] quit

    # Verify that you can specify the primary accounting server at 10.110.1.2 in VPN instance vpn1 for RADIUS scheme radius1.

    [Sysname] radius scheme radius1
    [Sysname-radius-radius1] primary accounting 10.110.1.2 vpn-instance vpn1
    [Sysname-radius-radius1] quit

    # Verify that you cannot create VPN instance vpn2 or enter its view.

    [Sysname] ip vpn-instance vpn2
    Permission denied.

Related commands

display role

role

vpn-instance policy deny