vlan policy deny
Use vlan policy deny to enter the user role VLAN policy view.
Use undo vlan policy deny to restore the default user role VLAN policy.
Syntax
vlan policy deny
undo vlan policy deny
Default
A user role has access to all VLANs.
Views
User role view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
To restrict the VLAN access of a user role to a set of VLANs, perform the following tasks:
Use vlan policy deny to enter user role VLAN policy view.
Use permit vlan to specify accessible VLANs.
![[NOTE: ]](images/note.png)
NOTE:
The vlan policy deny command denies the access of the user role to all VLANs if the permit vlan command is not configured.
To configure a VLAN, make sure the VLAN is permitted by the user role VLAN policy in use. You can perform the following tasks on an accessible VLAN:
Create, remove, or configure the VLAN.
Enter the VLAN view.
Specify the VLAN in feature commands.
Any change to a user role VLAN policy takes effect only on users who log in with the user role after the change.
Examples
# Enter user role VLAN policy view of role1, and deny the access of role1 to all VLANs.
<Sysname> system-view [Sysname] role name role1 [Sysname-role-role1] vlan policy deny [Sysname-role-role1-vlanpolicy] quit
# Enter user role VLAN policy view of role1, and deny the access of role1 to all VLANs except VLANs 50 to 100.
<Sysname> system-view [Sysname] role name role1 [Sysname-role-role1] vlan policy deny [Sysname-role-role1-vlanpolicy] permit vlan 50 to 100
Related commands
display role
permit vlan
role