disable [deny|insert|permit]
disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name| icmp|ip|proto|tcp|udp]
disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>| dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,mark [8021p <0-7>| dscp <0-63>],rule-precedence)
disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>| dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,mark [8021p <0-7>| dscp <0-63>],rule-precedence)
disable [deny| insert [deny|permit]| permit] | Disables a deny or permit access rule without
removing it from the ACL This command also enables the insertion of a disable deny or permit rule without overwriting an existing rule in the IP ACL. Note: To disable an existing deny/permit rule, provide the
exact values used to configure the deny or permit rule.
|
<NETWORK-SERVICE-ALIAS-NAME> | Specifies the network-service alias, identified by the <NETWORK-SERVICE-ALIAS-NAME> keyword, associated with the deny/permit rule |
dns-name [contains| exact|suffix] | Specifies the packets to reject based on the dns-name match. Applies this deny rule to packets based on dns-names specified in the network-service |
icmp |
Disables a rule applicable to ICMP packets only |
ip |
Disables a rule applicable to IP packets only |
proto <PROTOCOL-OPTIONS> |
Disables a rule applicable to any Internet
protocol other than TCP, UDP, or ICMP packets
|
tcp |
Disables a rule applicable to TCP packets only |
udp |
Disables a rule applicable to UDP packets
only Note: After specifying the packet type, specify the source and
destination devices and network address(es) to match.
|
<SOURCE-IP/MASK> |
Specify the source IP address and mask in the A.B.C.D/M format. |
<NETWORK-GROUP-ALIAS-NAME> |
Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME> keyword, associated with this deny/permit rule |
any |
Select ‘any‘ if the rule is applicable to any source IP address. |
from-vlan <VLAN-ID> |
Specify the VLAN IDs. |
host <SOURCE-HOST-IP> |
Specify the source host‘s exact IP address. |
<DEST-IP/MASK> |
Specify the destination IP address and mask in the A.B.C.D/M format. |
<NETWORK-GROUP-ALIAS-NAME> |
Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME> keyword, associated with this deny/permit rule |
any |
Select ‘any‘ if the rule is applicable to any destination IP address. |
host <DEST-HOST-IP> |
Specify the destination host‘s exact IP address. |
log |
Select log, if the rule has been configured to log records in case of a match. |
mark [8021p <0-7>| dscp <0-63>] |
Specifies packets to mark
|
rule-precedence <1-5000> |
Specify the rule precedence. The deny or permit rule with the specified precedence is disabled. Note: To enable a disabled rule, enter the rule again without the ‘disable‘
keyword.
Note: The command removes a disabled rule from the ACL.
|
The following example shows the ‘auto-tunnel-acl‘ settings before the disable command is executed:
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#show context ip access-list auto-tunnel-acl deny ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2 permit ip host 200.200.200.99 any rule-precedence 3 nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#disable permit ip host 200.200.200.99 any rule-precedence 3
The following example shows the ‘auto-tunnel-acl‘ settings after the disable command is executed:
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#show context ip access-list auto-tunnel-acl deny ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2 disable permit ip host 200.200.200.99 any rule-precedence 3 nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#
nx9500-6C8809(config-ip-acl-test)#deny icmp any any log rule-precedence 1
nx9500-6C8809(config-ip-acl-test)#show context ip access-list test deny icmp any any rule-precedence 1 nx9500-6C8809(config-ip-acl-test)#
nx9500-6C8809(config-ip-acl-test)#disable deny icmp any any rule-precedence 1
nx9500-6C8809(config-ip-acl-test)#show context ip access-list test disable deny icmp any any rule-precedence 1 nx9500-6C8809(config-ip-acl-test)#
nx9500-6C8809(config-ip-acl-test)#show context ip access-list test deny tcp from-vlan 1 any any rule-precedence 1 permit icmp any host 192.168.13.7 1 1 rule-precedence 2 nx9500-6C8809(config-ip-acl-test)#
nx9500-6C8809(config-ip-acl-test)#disable insert deny ip any any log rule-precedence 2
nx9500-6C8809(config-ip-acl-test)#show context ip access-list test deny tcp from-vlan 1 any any rule-precedence 1 disable deny ip any any log rule-precedence 2 permit icmp any host 192.168.13.7 1 1 rule-precedence 3 nx9500-6C8809(config-ip-acl-test)#
no (ipv4-acl) |
Enables a disabled deny or permit rule |
alias |
Creates and configures a aliases (network, VLAN, service, etc.) |