H3C S5830V2 Command Reference Manual page 70

Parameters
vpn-instance-name&<1-10>: Specifies a space-separated list of up to 10 MPLS L3VPN names.
Each name is a case-sensitive string of 1 to 31 characters.
Usage guidelines
To permit a user role to access an MPLS L3VPN after you configure the vpn-instance policy deny
command, you must add the VPN to the permitted VPN list of the policy. With the user role, you can
perform the following tasks on the VPNs in the permitted VPN list:
•
Create, remove, or configure the VPNs.
•
Enter the VPN instance views.
•
Specify the VPNs in feature commands.
You can repeat the permit vpn-instance command to add permitted MPLS L3VPNs to a user role
VPN instance policy.
The undo permit vpn-instance command removes the entire list of permitted VPNs if you do not
specify a VPN.
Any change to a user role VPN instance policy takes effect only on users who log in with the user role
after the change.
Examples
1. Configure user role role1:
# Permit the user role to execute all commands available in system view and in the child views
of system view.
<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] rule 1 permit command system-view ; *
# Permit the user role to access VPN vpn1.
[Sysname-role-role1] vpn policy deny
[Sysname-role-role1-vpnpolicy] permit vpn-instance vpn1
[Sysname-role-role1-vpnpolicy] quit
[Sysname-role-role1] quit
2. Verify that you cannot use the user role to work on any VPN except vpn1:
# Verify that you can enter the view of vpn1.
[Sysname] ip vpn-instance vpn1
[Sysname-vpn-instance-vpn1] quit
# Verify that you can assign the primary accounting server at 10.110.1.2 to the VPN in the
RADIUS scheme radius1.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.2 vpn-instance vpn1
[Sysname-radius-radius1] quit
# Verify that you cannot create the VPN vpn2 or enter the VPN instance view.
[Sysname] ip vpn-instance vpn2
Permission denied.
Related commands
•
display role
•
role
•
vpn-instance policy deny
58