permit

To configure a permit action in a security group access control list (SGACL), use the permit command. To remove the action, use the no form of this command.

permit { all | icmp | igmp | ip | {{ tcp | udp } [{ dest | dst | src } {{ eq | gt | lt | neq } port-number } | range port-number1 port-number2 }]} [ log ]

no permit { all | icmp | igmp | ip | {{ tcp | udp } [{ dest | dst | src } {{ eq | gt | lt | neq } port-number } | range port-number1 port-number2 }]} [ log ]

Syntax Description

all             Specifies all traffic.
icmp            Specifies Internet Control Message Protocol (ICMP) traffic.
igmp            Specifies Internet Group Management Protocol (IGMP) traffic.
ip              Specifies IP traffic.
tcp             Specifies TCP traffic.
udp             Specifies User Datagram Protocol (UDP) traffic.
dest            Specifies the destination port number.
dst             Specifies the destination port number.
src             Specifies the source port number.
eq              Specifies equal to the port number.
gt              Specifies greater than the port number.
lt              Specifies less than the port number.
neq             Specifies not equal to the port number.
port-number     Port number for TCP or UDP. The range is from 0 to 65535.
range           Specifies a port range for TCP or UDP.
port-number1    First port in the range. The range is from 0 to 65535.
port-number2    Last port in the range. The range is from 0 to 65535.
log             (Optional) Specifies that packets matching this configuration be logged.

 

Command Default

None

Command Modes

role-based access control list (RBACL)

Command History

Release         Modification
5.1(3)N1(1)     This command was introduced.

Usage Guidelines

To use this command, you must first enable the 802.1X feature by using the feature dot1x command and then enable the Cisco TrustSec feature using the feature cts command.

To enable RBACL logging, you must enable RBACL policy enforcement on the VLAN. You must also enable Cisco TrustSec counters using the cts role-based counters enable command.

This command does not require a license.

Examples

This example shows how to add a permit action to an SGACL and enable RBACL logging:

switch# configure terminal
switch(config)# cts role-based access-list MySGACL
switch(config-rbacl)# permit icmp log
switch(config-rbacl)#
 

This example shows how to remove a permit action from an SGACL:

switch# configure terminal
switch(config)# cts role-based access-list MySGACL
switch(config-rbacl)# no permit icmp log
switch(config-rbacl)#
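
The following Python linter is an added example, not Cisco code and not part of the original page. It parses permit entries against the syntax shown above and flags entries a reviewer would question; the review policy (broad or unlogged permits) and the sample entries are assumptions of the example.

```python
PROTOCOLS = {"all", "icmp", "igmp", "ip", "tcp", "udp"}
DIRECTIONS = {"dest", "dst", "src"}
OPERATORS = {"eq", "gt", "lt", "neq"}
# Constructed sample entries, not taken from any real device.
SAMPLE = ["permit icmp log", "permit ip", "permit tcp dst eq 443 log",
          "permit udp src range 1024 65535"]


def _port(token):
    """Return the port as int, enforcing the documented 0-65535 range."""
    if not token.isdigit() or int(token) > 65535:
        raise ValueError(f"port out of range 0-65535: {token!r}")
    return int(token)


def parse_permit(line):
    """Parse one permit entry following the syntax shown on this page."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "permit" or tokens[1] not in PROTOCOLS:
        raise ValueError(f"not a valid permit entry: {line!r}")
    ace = {"protocol": tokens[1], "log": False, "match": None}
    rest = tokens[2:]
    if rest and rest[-1] == "log":
        ace["log"], rest = True, rest[:-1]
    if not rest:
        return ace
    if ace["protocol"] not in ("tcp", "udp") or rest[0] not in DIRECTIONS:
        raise ValueError(f"port match only valid after tcp/udp: {line!r}")
    side = "src" if rest[0] == "src" else "dst"  # dest and dst are synonyms
    if len(rest) == 3 and rest[1] in OPERATORS:
        ace["match"] = (side, rest[1], _port(rest[2]))
    elif len(rest) == 4 and rest[1] == "range":
        ace["match"] = (side, "range", _port(rest[2]), _port(rest[3]))
    else:
        raise ValueError(f"malformed port match: {line!r}")
    return ace


def audit(lines):
    """Apply the example's own review policy: broad or unlogged permits."""
    findings = []
    for line in lines:
        ace = parse_permit(line)
        if ace["protocol"] in ("all", "ip"):
            findings.append((line, "broad match: no protocol or port limit"))
        elif ace["protocol"] in ("tcp", "udp") and ace["match"] is None:
            findings.append((line, "no port restriction"))
        if not ace["log"]:
            findings.append((line, "matches are not logged"))
    return findings
```

Calling audit(SAMPLE) returns a list of (entry, reason) pairs; malformed entries raise ValueError instead of being silently skipped.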
 

Related Commands

Command                            Description
cts role-based access-list         Configures Cisco TrustSec SGACLs.
cts role-based counters            Enables RBACL counters.
deny                               Configures deny actions in an SGACL.
feature cts                        Enables the Cisco TrustSec feature.
feature dot1x                      Enables the 802.1X feature on the switch.
show cts role-based access-list    Displays the Cisco TrustSec SGACL configuration.