disable (ipv4-acl)

Disables an existing deny or permit rule without removing it from the ACL. A disabled rule is inactive and is not used to filter packets.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

disable [deny|insert|permit]
disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|
icmp|ip|proto|tcp|udp]
disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|
dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp] 
[<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] 
[<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,mark [8021p <0-7>|
dscp <0-63>],rule-precedence)

Parameters

disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|
dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp] 
[<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] 
[<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,mark [8021p <0-7>|
dscp <0-63>],rule-precedence)
disable [deny|insert [deny|permit]|permit]

Disables a deny or permit access rule without removing it from the ACL.

This command also allows a disabled deny or permit rule to be inserted into the IP ACL without overwriting an existing rule.

Note: To disable an existing deny/permit rule, provide the exact values used to configure the deny or permit rule.

<NETWORK-SERVICE-ALIAS-NAME>

Specifies the network-service alias, identified by the <NETWORK-SERVICE-ALIAS-NAME> keyword, associated with the deny/permit rule

dns-name [contains|exact|suffix]

Specifies the packets to reject based on a dns-name match. The deny rule applies to packets whose DNS names match those specified in the network-service alias.

icmp

Disables a rule applicable to ICMP packets only

ip

Disables a rule applicable to IP packets only

proto <PROTOCOL-OPTIONS>

Disables a rule applicable to any Internet protocol other than TCP, UDP, or ICMP packets
  • <PROTOCOL-OPTIONS> – Identifies the Internet protocol using the options available.

tcp

Disables a rule applicable to TCP packets only

udp

Disables a rule applicable to UDP packets only

Note: After specifying the packet type, specify the source and destination devices and network address(es) to match.

<SOURCE-IP/MASK>

Specify the source IP address and mask in the A.B.C.D/M format.

<NETWORK-GROUP-ALIAS-NAME>

Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME> keyword, associated with this deny/permit rule

any

Select ‘any’ if the rule is applicable to any source IP address.

from-vlan <VLAN-ID>

Specify the VLAN IDs.

host <SOURCE-HOST-IP>

Specify the source host’s exact IP address.

<DEST-IP/MASK>

Specify the destination IP address and mask in the A.B.C.D/M format.

<NETWORK-GROUP-ALIAS-NAME>

Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME> keyword, associated with this deny/permit rule

any

Select ‘any’ if the rule is applicable to any destination IP address.

host <DEST-HOST-IP>

Specify the destination host’s exact IP address.

log

Select log if the rule was configured to log a record on each match.

mark [8021p <0-7>| dscp <0-63>]

Specifies how matching packets are marked

  • 8021p <0-7> – Marks packets by modifying the 802.1p VLAN user priority

  • dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header

rule-precedence <1-5000>

Specify the rule precedence. The deny or permit rule with the specified precedence is disabled.

Note: To enable a disabled rule, enter the rule again without the ‘disable’ keyword.

Note: The no disable command removes a disabled rule from the ACL.

Examples

The following example shows the ‘auto-tunnel-acl’ settings before the disable command is executed:

nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
 deny ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
 permit ip host 200.200.200.99 any rule-precedence 3
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#disable permit ip host 200.200.200.99 any rule-precedence 3

The following example shows the ‘auto-tunnel-acl’ settings after the disable command is executed:

nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
 deny ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
 disable permit ip host 200.200.200.99 any rule-precedence 3
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#

The following example disables an existing deny rule in the IP ACL ‘test’:

rfs4000-229D58(config-ip-acl-test)#deny icmp any any log rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
 deny icmp any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#
rfs4000-229D58(config-ip-acl-test)#disable deny icmp any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
 disable deny icmp any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#

In the following example, a disable deny rule has been inserted in the IP ACL ‘test’:

rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 permit icmp any host 192.168.13.7 1 1 rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#
rfs4000-229D58(config-ip-acl-test)#disable insert deny ip any any log rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 disable deny ip any any log rule-precedence 2
 permit icmp any host 192.168.13.7 1 1 rule-precedence 3
rfs4000-229D58(config-ip-acl-test)#
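The following Python model is an added example, not WiNG code or output from this page. It parses rule lines in the format that show context prints above, evaluates a packet against the enabled rules in precedence order, and reproduces the two behaviours the examples show: a disabled rule never matches (so disabling a deny rule lets the packet fall through to later rules), and disable insert places a disabled rule at its precedence and moves later rules down by one, as the ‘test’ ACL example shows (permit icmp moved from precedence 2 to 3). The ACL texts inside the block are constructed from the examples on this page; the functions parse_acl, first_match, disable_rule and insert_disabled are this example's own names. What a WiNG device does when no rule matches is not stated on this page, so first_match simply returns None in that case.

```python
"""Added example: model of IPv4 ACL rules with the 'disable' flag (not WiNG code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    precedence: int
    action: str                       # "deny" or "permit"
    proto: str                        # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    vlan: Optional[int] = None        # from-vlan <VLAN-ID>, if given
    log: bool = False
    disabled: bool = False

    def key(self):
        """The values a 'disable <rule>' command must reproduce exactly."""
        return (self.precedence, self.action, self.proto, self.src, self.dst, self.vlan, self.log)

    def matches(self, proto, src_ip, dst_ip, vlan=None):
        """True if this rule is enabled and matches the packet; disabled rules never match."""
        if self.disabled:
            return False
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.vlan is not None and self.vlan != vlan:
            return False
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def _take_addr(tokens):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D/M); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # strict=False accepts host bits in the mask, as in "30.30.30.1/24" on the page
    return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]


def parse_rule(line):
    """Parse one rule line as printed by 'show context', with or without 'disable'."""
    tokens = line.split()
    disabled = tokens[0] == "disable"
    if disabled:
        tokens = tokens[1:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    vlan = None
    if rest[0] == "from-vlan":
        vlan, rest = int(rest[1]), rest[2:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    cut = rest.index("rule-precedence")
    opts = rest[:cut]                 # e.g. "log", or ICMP type/code numbers (ignored here)
    return Rule(int(rest[cut + 1]), action, proto, src, dst, vlan, "log" in opts, disabled)


def parse_acl(text):
    """Parse 'ip access-list NAME' followed by one rule per line; return rules by precedence."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if not lines[0].startswith("ip access-list "):
        raise ValueError("expected 'ip access-list <name>' header")
    return sorted((parse_rule(l) for l in lines[1:]), key=lambda r: r.precedence)


def first_match(rules, proto, src_ip, dst_ip, vlan=None):
    """First enabled rule matching the packet, or None (no-match handling is platform-defined)."""
    for r in sorted(rules, key=lambda r: r.precedence):
        if r.matches(proto, src_ip, dst_ip, vlan):
            return r
    return None


def disable_rule(rules, spec):
    """'disable <rule>': every value must match the existing rule, as the page's note says."""
    target = parse_rule(spec).key()
    for r in rules:
        if r.key() == target:
            r.disabled = True
            return True
    return False


def insert_disabled(rules, spec):
    """'disable insert <rule>': add a disabled rule at its precedence and shift later rules
    down by one, mirroring the page's 'test' ACL example."""
    new = parse_rule(spec)
    new.disabled = True
    for r in rules:
        if r.precedence >= new.precedence:
            r.precedence += 1
    rules.append(new)
    rules.sort(key=lambda r: r.precedence)
    return new


if __name__ == "__main__":
    # Constructed from the page's 'auto-tunnel-acl' example
    acl = parse_acl("ip access-list auto-tunnel-acl\n"
                    " deny ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2\n"
                    " permit ip host 200.200.200.99 any rule-precedence 3\n")
    print(first_match(acl, "tcp", "200.200.200.99", "8.8.8.8").action)   # permit
    disable_rule(acl, "permit ip host 200.200.200.99 any rule-precedence 3")
    print(first_match(acl, "tcp", "200.200.200.99", "8.8.8.8"))          # None
```

The second half of the demonstration is the one a defender cares about: after disable deny icmp any any rule-precedence 1, ICMP traffic that rule used to block is no longer matched by anything in the ACL, and disable_rule refuses a spec whose precedence (or any other value) differs from the configured rule, which is why the note above insists on the exact values.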

Related Commands

no (ipv4-acl)

Enables a disabled deny or permit rule

alias

Creates and configures aliases (network, VLAN, service, etc.)