disable (mac-acl)

Disables a MAC deny or permit rule without removing it from the ACL. A disabled rule is inactive and is not used to filter packets.

Supported on the following devices:

Syntax

disable [deny|insert|permit]
disable [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] 
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log 
(rule-precedence <1-5000>) {(rule-description <LINE>)}
disable insert [deny|permit]

Parameters

disable [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] 
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log 
(rule-precedence <1-5000>) {(rule-description <LINE>)}
disable [deny|insert|permit] Disables a deny, insert or permit access rule without removing it from the MAC ACL

Provide the exact values used to configure the deny or permit rule that is to be disabled.
<SOURCE-MAC> <SOURCE-MAC-MASK> Specifies the source MAC address and mask to match
  • <SOURCE-MAC> – Specify the source MAC address to match.
    • <SOURCE-MAC-MASK> – Specify the source MAC address mask.

any

Select ‘any‘ if the rule is applicable to any source MAC address

host <SOURCE-HOST-MAC>

Specify the source host‘s exact MAC address

<DEST-MAC> <DEST-MAC-MASK>

Specifies the destination MAC address and mask to match

  • <DEST-MAC> – Specify the destination MAC address.

    • <DEST-MAC-MASK> – Specify the destination MAC address mask.

any

Select ‘any‘ if the rule is applicable to any destination MAC address

host <DEST-HOST-MAC>

Specify the destination host‘s exact MAC address

log

The following keyword defines the action taken when a packet matches any of the deny rules:

  • log – Logs a record, when a packet matches the specified criteria

dot1p <0-7>

Specify the 802.1p priority from 0 - 7.
mark [8021p <0-7>,dscp <0-63>] Marks/modifies packets that match the criteria specified here
  • 8021p <0-7> – Modifies 802.1p VLAN user priority from 0 - 7
  • dscp <0-63> – Modifies DSCP TOS bits in the IP header from 0 - 63
Note: This option is applicable only to the MAC ACL permit rule.

type [8021q|<1-65535>|aarp|appletalk| arp|ip|ipv6|ipx|mint| rarp|wisp]

Use the available options to specify the EtherType value to match.

vlan <1-4095>

Specify the VLAN ID(s)

log

Select log, if the rule has been configured to log records in case of a match.

rule-precedence <1-5000> {(rule-description <LINE>)}

The following keywords are recursive and common to all of the above parameters:

  • rule-precedence – Assigns a precedence for this rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: Lower the precedence higher is the priority. A rule with precedence 3 gets priority over a rule with precedence 10.

    • rule-description – Optional. Configures a description for this rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Examples

The following example shows the MAC access list ‘test‘ settings before the ‘disable‘ command is executed:

nx9500-6C8809(config-mac-acl-test)#show context
mac access-list test
 deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
 deny host 00-01-AE-00-22-11 any rule-precedence 2
nx9500-6C8809(config-mac-acl-test)#
nx9500-6C8809(config-mac-acl-test)#disable deny host 00-01-AE-00-22-11 any rule-precedence 2

The following example shows the MAC access list ‘test‘ settings after the ‘disable‘ command is executed:

nx9500-6C8809(config-mac-acl-test)#show context
mac access-list test
 deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
 disable deny host 00-01-AE-00-22-11 any rule-precedence 2
nx9500-6C8809(config-mac-acl-test)#

Related Commands

no (mac-acl)

Enables a disabled deny or permit rule
9037762-01 Rev AA