insert (mac-acl)

Enables the insertion of a rule in an MAC ACL without overwriting or replacing an existing rule having the same precedence

The insert option allows a new rule to be inserted within a MAC ACL. Consider an MAC ACL consisting of rules having precedences 1, 2, 3, 4, 5, and 6. You want to insert a new rule with precedence 4, without overwriting the existing precedence 4 rule. Using the insert option inserts the new rule prior to the existing one. The existing precedence 4 rule‘s precedence changes to 5, and the change cascades down the list of rules within the ACL. That means rule 5 becomes rule 6, and rule 6 becomes rule 7.

Note

NOT using insert when creating a new rule having the same precedence as an existing rule, overwrites the existing rule.

Supported on the following devices:

Access Points: AP3000/X, AP5010, AP310i/e, AP410i/e, AP505i, AP510i, AP510e, AP560i, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP763, AP7662, AP8163, AP8543, AP8533.
Service Platforms: NX5500, NX7500, NX9500, NX9600
Virtual Platforms: CX9000, VX9000

Syntax

insert [deny|permit] <PARAMETERS> (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,
log,rule-precedence <1-5000>) {(rule-description <LINE>)}

Parameters

insert [deny|permit] <PARAMETERS> (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,
log,rule-precedence <1-5000>) {(rule-description <LINE>)}


insert [deny\|permit]	Inserts a deny or permit rule within an MAC ACL
<PARMETERS>	Provide the match criteria for this deny/permit rule. Packets will be filtered based on the criteria set here. For more information on the deny rule, see deny (mac-acl). For more information on the permit rule, see permit (mac-acl).
dotp1p <0-7>	Configures the 802.1p priority value. Sets the service classes for traffic handling <0-7> – Specify 802.1p priority from 0 - 7.
mark [8021p <0-7>,dscp <0-63>]	Marks/modifies packets that match the criteria specified here 8021p <0-7> – Modifies 802.1p VLAN user priority from 0 - 7 dscp <0-63> – Modifies DSCP TOS bits in the IP header from 0 - 63 Note: This option is applicable only to the MAC ACL permit rule.
type [8021q\|<1-65535>\| aarp\|appletalk\| arp\|ip\|ipv6\|ipx\|mint\| rarp\|wisp]	Configures the EtherType value An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are: 8021q – Indicates a 802.1q payload (0x8100) <1-65535> – Indicates the EtherType protocol number aarp – Indicates the Appletalk ARP payload (0x80F3) appletalk – Indicates the Appletalk Protocol payload (0x809B) arp – Indicates the ARP payload (0x0806) ip – Indicates the IPv4 payload (0x0800) ipv6 – Indicates the IPv6 payload (0x86DD) ipx – Indicates the Novell‘s IPX payload (0x8137) mint – Indicates the MiNT protocol payload (0x8783) rarp – Indicates the reverse ARP payload (0x8035) wisp – Indicates the WISP payload (0x8783)
vlan <1-4095>	Configures the VLAN where the traffic is received <1-4095> – Specify the VLAN ID from 1 - 4095.
log	Logs all deny/permit events matching this entry. If a source and/or destination MAC address is matched (i.e. a packet is received from a specified MAC address or is destined for a specified MAC address), an event is logged.
rule-precedence <1-5000> rule-description <LINE>	The following keywords are recursive and common to all of the above parameters: rule-precedence – Assigns a precedence for this deny/permit rule <1-5000> – Specify a value from 1 - 5000. Note: Lower the precedence higher is the priority. A rule with precedence 3 gets priority over a rule with precedence 10. rule-description – Optional. Configures a description for this deny/permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Examples

nx9500-6C8809(config-mac-acl-test1)#deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1

nx9500-6C8809(config-mac-acl-test1)#deny host B4-C7-99-6D-CD-9B any rule-precedence 2

nx9500-6C8809(config-mac-acl-test1)#show context
mac access-list test1
 deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
 deny host B4-C7-99-6D-CD-9B any rule-precedence 2
nx9500-6C8809(config-mac-acl-test1)#

In the following example a new rule is inserted between the rules having precedences 1 and 2. The precedence of the existing precedence ‘2‘ rule changes to precedence 3.

nx9500-6C8809(config-mac-acl-test1)#insert permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2

nx9500-6C8809(config-mac-acl-test1)#show context
mac access-list test1
 deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
 permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2
 deny host B4-C7-99-6D-CD-9B any rule-precedence 3
nx9500-6C8809(config-mac-acl-test1)#