insert (mac-acl)

Enables the insertion of a rule in a MAC ACL without overwriting or replacing an existing rule having the same precedence

The insert option allows a new rule to be inserted within a MAC ACL. Consider a MAC ACL consisting of rules having precedences 1, 2, 3, 4, 5, and 6. You want to insert a new rule with precedence 4 without overwriting the existing precedence 4 rule. Using the insert option inserts the new rule prior to the existing one. The existing precedence 4 rule's precedence changes to 5, and the change cascades down the list of rules within the ACL. That means rule 5 becomes rule 6, and rule 6 becomes rule 7.

Note

NOT using insert when creating a new rule having the same precedence as an existing rule overwrites the existing rule. A permit rule entered with the precedence of an existing deny rule therefore silently replaces that deny.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

insert [deny|permit] <PARAMETERS> (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,
log,rule-precedence <1-5000>) {(rule-description <LINE>)}

Parameters

insert [deny|permit] <PARAMETERS> (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,
log,rule-precedence <1-5000>) {(rule-description <LINE>)}

insert [deny|permit]

Inserts a deny or permit rule within a MAC ACL

<PARAMETERS>

Provide the match criteria for this deny/permit rule. Packets will be filtered based on the criteria set here.

For more information on the deny rule, see deny.

For more information on the permit rule, see permit.

dot1p <0-7>

Configures the 802.1p priority value. Sets the service classes for traffic handling

  • <0-7> – Specify 802.1p priority from 0 - 7.

mark [8021p <0-7>|dscp <0-63>]

Marks/modifies packets that match the criteria specified here

  • 8021p <0-7> – Modifies the 802.1p VLAN user priority from 0 - 7

  • dscp <0-63> – Modifies the DSCP TOS bits in the IP header from 0 - 63

Note: This option is applicable only to the MAC ACL permit rule.

type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]

Configures the EtherType value

An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are:

  • 8021q – Indicates an 802.1q payload (0x8100)

  • <1-65535> – Indicates the EtherType protocol number

  • aarp – Indicates the Appletalk ARP payload (0x80F3)

  • appletalk – Indicates the Appletalk Protocol payload (0x809B)

  • arp – Indicates the ARP payload (0x0806)

  • ip – Indicates the IPv4 payload (0x0800)

  • ipv6 – Indicates the IPv6 payload (0x86DD)

  • ipx – Indicates the Novell IPX payload (0x8137)

  • mint – Indicates the MiNT protocol payload (0x8783)

  • rarp – Indicates the reverse ARP payload (0x8035)

  • wisp – Indicates the WISP payload (0x8783)

vlan <1-4095>

Configures the VLAN where the traffic is received

  • <1-4095> – Specify the VLAN ID from 1 - 4095.

log

Logs all deny/permit events matching this entry. If a source and/or destination MAC address is matched (i.e. a packet is received from a specified MAC address or is destined for a specified MAC address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

  • rule-precedence – Assigns a precedence for this deny/permit rule

    • <1-5000> – Specify a value from 1 - 5000.

Note: The lower the precedence value, the higher the priority. A rule with precedence 3 is evaluated before a rule with precedence 10, and the first matching rule decides the action.
  • rule-description – Optional. Configures a description for this deny/permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Examples

rfs4000-229D58(config-mac-acl-test1)#deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
rfs4000-229D58(config-mac-acl-test1)#deny host B4-C7-99-6D-CD-9B any rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#show context
mac access-list test1
 deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
 deny host B4-C7-99-6D-CD-9B any rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#

In the following example a new rule is inserted between the rules having precedences 1 and 2. The precedence of the existing precedence 2 rule changes to precedence 3.

rfs4000-229D58(config-mac-acl-test1)#insert permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#show context
mac access-list test1
 deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
 permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2
 deny host B4-C7-99-6D-CD-9B any rule-precedence 3
rfs4000-229D58(config-mac-acl-test1)#
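The following Python model is an added example, not WiNG code, that reproduces the behaviour described above: the precedence cascade performed by insert, the silent overwrite that happens when insert is omitted, and the lowest-precedence-wins lookup from the rule-precedence note. It uses the rules from the CLI example on this page as constructed input. Only source/destination MAC matching is modelled (type, vlan, dot1p, mark and log are ignored); the bitwise MAC/mask comparison, the assumption that a cascade stops at the first unused precedence, and all class and function names are the example's own.

```python
# Added example, not WiNG code. Models `insert` vs plain deny/permit in a
# MAC ACL and first-match lookup by precedence. Assumptions are marked.
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


def mac_int(mac):
    """'11-22-33-44-55-66' -> int, so a mask can be applied bitwise."""
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC: %r" % mac)
    return int(mac.replace("-", ""), 16)


def parse_addr(tokens):
    """Consume one address spec: 'any', 'host <mac>' or '<mac> <mask>'.
    Returns (value, mask); mask 0 means match-all. Comparing only the
    bits set in the mask is an assumption of this model."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return mac_int(tokens.pop(0)), 0xFFFFFFFFFFFF
    return mac_int(t), mac_int(tokens.pop(0))


class MacAcl:
    def __init__(self, name):
        self.name = name
        self.rules = {}  # precedence -> (action, (src, mask), (dst, mask), body)

    def _parse(self, line):
        tokens = line.split()
        action = tokens.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError("expected permit/deny: %r" % line)
        src, dst = parse_addr(tokens), parse_addr(tokens)
        prec = int(tokens[tokens.index("rule-precedence") + 1])
        body = re.sub(r"\s+rule-precedence\s+\d+", "", line)  # text minus precedence
        return prec, (action, src, dst, body)

    def add(self, line):
        """Plain deny/permit: a rule at the same precedence is overwritten."""
        prec, rule = self._parse(line)
        self.rules[prec] = rule
        return prec

    def insert(self, line):
        """`insert`: the rule at that precedence, and every rule it collides
        with in turn, moves down by one (4->5, 5->6, 6->7 on the page).
        Stopping the cascade at the first free slot is an assumption."""
        prec, rule = self._parse(line)
        free = prec
        while free in self.rules:
            free += 1
        for q in range(free, prec, -1):
            self.rules[q] = self.rules[q - 1]
        self.rules[prec] = rule
        return prec

    def show_context(self):
        """Render the ACL the way `show context` prints it."""
        out = ["mac access-list %s" % self.name]
        for prec in sorted(self.rules):
            out.append(" %s rule-precedence %d" % (self.rules[prec][3], prec))
        return "\n".join(out)

    def lookup(self, src_mac, dst_mac):
        """First match in ascending precedence. Returns (action, precedence)
        or None; what the platform does with an unmatched frame is not modelled."""
        s, d = mac_int(src_mac), mac_int(dst_mac)
        for prec in sorted(self.rules):
            action, (sv, sm), (dv, dm), _ = self.rules[prec]
            if (s & sm) == (sv & sm) and (d & dm) == (dv & dm):
                return action, prec
        return None


# Constructed input: the two rules from the page's example.
BASE = ["deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1",
        "deny host B4-C7-99-6D-CD-9B any rule-precedence 2"]
NEW = "permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2"


def build_with_insert():
    acl = MacAcl("test1")
    for r in BASE:
        acl.add(r)
    acl.insert(NEW)          # old precedence 2 deny becomes precedence 3
    return acl


def build_with_overwrite():
    acl = MacAcl("test1")
    for r in BASE:
        acl.add(r)
    acl.add(NEW)             # no insert: the precedence 2 deny is gone
    return acl


def cascade_demo():
    """Six rules, insert at 4: returns {precedence: rule-description}."""
    acl = MacAcl("demo")
    for i in range(1, 7):
        acl.add("permit any any rule-precedence %d rule-description r%d" % (i, i))
    acl.insert("permit any any rule-precedence 4 rule-description new")
    return {p: acl.rules[p][3].split()[-1] for p in sorted(acl.rules)}


if __name__ == "__main__":
    print(build_with_insert().show_context())
    print(build_with_overwrite().show_context())
```

Running build_with_overwrite() and then looking up a frame from B4-C7-99-6D-CD-9B shows the practical risk behind the note above: without insert, the deny that used to hold precedence 2 no longer exists, so the frame matches nothing in the list.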