disable (ipv4-acl)

Disables an existing deny or permit rule without removing it from the ACL. A disabled rule is inactive and is not used to filter packets.

Supported on the following devices:

Access Points: AP3000/X, AP5010, AP310i/e, AP410i/e, AP505i, AP510i, AP510e, AP560i, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP763, AP7662, AP8163, AP8543, AP8533.
Service Platforms: NX5500, NX7500, NX9500, NX9600
Virtual Platforms: CX9000, VX9000

Syntax

disable [deny|insert|permit]

disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|
icmp|ip|proto|tcp|udp]

disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|
dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp] 
[<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] 
[<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,mark [8021p <0-7>|
dscp <0-63>],rule-precedence)

Parameters

disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|
dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp] 
[<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] 
[<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,mark [8021p <0-7>|
dscp <0-63>],rule-precedence)


disable [deny\| insert [deny\|permit]\| permit]	Disables a deny or permit access rule without removing it from the ACL This command also enables the insertion of a disable deny or permit rule without overwriting an existing rule in the IP ACL. Note: To disable an existing deny/permit rule, provide the exact values used to configure the deny or permit rule.
<NETWORK-SERVICE-ALIAS-NAME>	Specifies the network-service alias, identified by the <NETWORK-SERVICE-ALIAS-NAME> keyword, associated with the deny/permit rule
dns-name [contains\| exact\|suffix]	Specifies the packets to reject based on the dns-name match. Applies this deny rule to packets based on dns-names specified in the network-service
icmp	Disables a rule applicable to ICMP packets only
ip	Disables a rule applicable to IP packets only
proto <PROTOCOL-OPTIONS>	Disables a rule applicable to any Internet protocol other than TCP, UDP, or ICMP packets <PROTOCOL-OPTIONS> – Identify the Internet protocol using the options available.
tcp	Disables a rule applicable to TCP packets only
udp	Disables a rule applicable to UDP packets only Note: After specifying the packet type, specify the source and destination devices and network address(es) to match.
<SOURCE-IP/MASK>	Specify the source IP address and mask in the A.B.C.D/M format.
<NETWORK-GROUP-ALIAS-NAME>	Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME> keyword, associated with this deny/permit rule
any	Select ‘any‘ if the rule is applicable to any source IP address.
from-vlan <VLAN-ID>	Specify the VLAN IDs.
host <SOURCE-HOST-IP>	Specify the source host‘s exact IP address.
<DEST-IP/MASK>	Specify the destination IP address and mask in the A.B.C.D/M format.
<NETWORK-GROUP-ALIAS-NAME>	Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME> keyword, associated with this deny/permit rule
any	Select ‘any‘ if the rule is applicable to any destination IP address.
host <DEST-HOST-IP>	Specify the destination host‘s exact IP address.
log	Select log, if the rule has been configured to log records in case of a match.
mark [8021p <0-7>\| dscp <0-63>]	Specifies packets to mark 8021p <0-7> – Marks packets by modifying 802.1.p VLAN user priority dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header
rule-precedence <1-5000>	Specify the rule precedence. The deny or permit rule with the specified precedence is disabled. Note: To enable a disabled rule, enter the rule again without the ‘disable‘ keyword. Note: The no > disable command removes a disabled rule from the ACL.

Examples

The following example shows the ‘auto-tunnel-acl‘ settings before the disable command is executed:

nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
 deny ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
 permit ip host 200.200.200.99 any rule-precedence 3
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#

nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#disable permit ip host 200.200.200.99 any rule-precedence 3

The following example shows the ‘auto-tunnel-acl‘ settings after the disable command is executed:

nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
 deny ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
 disable permit ip host 200.200.200.99 any rule-precedence 3
nx9500-6C8809(config-ip-acl-auto-tunnel-acl)#

nx9500-6C8809(config-ip-acl-test)#deny icmp any any log rule-precedence 1

nx9500-6C8809(config-ip-acl-test)#show context
ip access-list test
 deny icmp any any rule-precedence 1
nx9500-6C8809(config-ip-acl-test)#

nx9500-6C8809(config-ip-acl-test)#disable deny icmp any any rule-precedence 1

nx9500-6C8809(config-ip-acl-test)#show context
ip access-list test
 disable deny icmp any any rule-precedence 1
nx9500-6C8809(config-ip-acl-test)#

In the following example a disable deny rule has been inserted in the IP ACL “test”:

nx9500-6C8809(config-ip-acl-test)#show context
ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 permit icmp any host 192.168.13.7 1 1 rule-precedence 2
nx9500-6C8809(config-ip-acl-test)#

nx9500-6C8809(config-ip-acl-test)#disable insert deny ip any any log rule-precedence 2

nx9500-6C8809(config-ip-acl-test)#show context
ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 disable deny ip any any log rule-precedence 2
 permit icmp any host 192.168.13.7 1 1 rule-precedence 3
nx9500-6C8809(config-ip-acl-test)#

Related Commands


no (ipv4-acl)	Enables a disabled deny or permit rule
alias	Creates and configures a aliases (network, VLAN, service, etc.)