D Commands
This chapter describes the Cisco NX-OS TrustSec commands that begin with D.
deny
To configure a deny action in the security group access control list (SGACL), use the deny command. To remove the action, use the no form of this command.
deny {all | icmp | igmp | ip | {{tcp | udp} [{dest | dst | src} {{eq | gt | lt | neq} port-number} | range port-number1 port-number2}]} [log]
no deny {all | icmp | igmp | ip | {{tcp | udp} [{dest | dst | src} {{eq | gt | lt | neq} port-number} | range port-number1 port-number2}]} [log]
Syntax Description
Command Default
None
Command Modes
role-based access control list (RBACL)
Command History
|
|
5.1(3)N1(1) |
This command was introduced. |
Usage Guidelines
To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.
To enable RBACL logging, you must enable RBACL policy enforcement on the VLAN. You must also enable Cisco TrustSec counters using the cts role-based counters enable command.
This command does not require a license.
Examples
This example shows how to add a deny action to an SGACL and enable RBACL logging:
switch# configure terminal
switch(config)# cts role-based access-list MySGACL
switch(config-rbacl)# deny icmp log
switch(config-rbacl)#
This example shows how to remove a deny action from an SGACL:
switch# configure terminal
switch(config)# cts role-based access-list MySGACL
switch(config-rbacl)# no deny icmp log
switch(config-rbacl)#