D Commands

This chapter describes the Cisco NX-OS TrustSec commands that begin with D.

deny

To configure a deny action in the security group access control list (SGACL), use the deny command. To remove the action, use the no form of this command.

deny {all | icmp | igmp | ip | {{tcp | udp} [{dest | dst | src} {{eq | gt | lt | neq} port-number} | range port-number1 port-number2}]} [log]

no deny {all | icmp | igmp | ip | {{tcp | udp} [{dest | dst | src} {{eq | gt | lt | neq} port-number} | range port-number1 port-number2}]} [log]

Syntax Description

all

Specifies all traffic.

icmp

Specifies Internet Control Message Protocol (ICMP) traffic.

igmp

Specifies Internet Group Management Protocol (IGMP) traffic.

ip

Specifies IP traffic.

tcp

Specifies TCP traffic.

udp

Specifies User Datagram Protocol (UDP) traffic.

dest

Specifies the destination port number.

dst

Specifies the destination port number.

src

Specifies the source port number.

eq

Specifies equal to the port number.

gt

Specifies greater than the port number.

lt

Specifies less than the port number.

neq

Specifies not equal to the port number.

port-number

Port number for TCP or UDP. The range is from 0 to 65535.

range

Specifies a port range for TCP or UDP.

port-number1

First port in the range. The range is from 0 to 65535.

port-number2

Last port in the range. The range is from 0 to 65535.

log

(Optional) Specifies that packets matching this configuration be logged.


Command Default

None

Command Modes

role-based access control list (RBACL)

Command History

Release
Modification

5.1(3)N1(1)

This command was introduced.


Usage Guidelines

To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.

To enable RBACL logging, you must enable RBACL policy enforcement on the VLAN. You must also enable Cisco TrustSec counters using the cts role-based counters enable command.

This command does not require a license.

Examples

This example shows how to add a deny action to an SGACL and enable RBACL logging: 

switch# configure terminal

switch(config)# cts role-based access-list MySGACL

switch(config-rbacl)# deny icmp log

switch(config-rbacl)#

 
   
 
    
   
 This example shows how to remove a deny action from an SGACL: 
 
    
   
 
    
switch# configure terminal

 
   
 
    
   
 
    
switch(config)# cts role-based access-list MySGACL

 
   
 
    
   
 
    
switch(config-rbacl)# no deny icmp log

 
   
 
    
   
 
    
switch(config-rbacl)#

 
   
 
    
   
 
    
 
   
 
    
   
 Related Commands
 
   
 
    
 
      
      
      
 
        
        

          Command 
        
 		 
        
        

          Description 
        
 		 
      
 
      
 
       
 cts role-based access-list 
 		 
       
 Configures Cisco TrustSec SGACLs. 
 		 
      
 
      
 
       
 cts role-based counters 
 		 
       
 Enables RBACL counters. 
 		 
      
 
      
 
       
 feature cts 
 		 
       
 Enables the Cisco TrustSec feature. 
 		 
      
 
      
 
       
 feature dot1x 
 		 
       
 Enables the 802.1X feature on the switch. 
 		 
      
 
      
 
       
 permit 
 		 
       
 Configures permit actions in an SGACL. 
 		 
      
 
      
 
       
 show cts role-based access-list 
 		 
       
 Displays the Cisco TrustSec SGACL configuration.