insert (ipv4-acl)

Enables the insertion of a rule in an IP ACL without overwriting or replacing an existing rule having the same precedence

The insert option allows a new rule to be inserted within an IP access list. Consider an IP ACL consisting of rules having precedences 1, 2, 3, 4, 5, and 6. You want to insert a new rule with precedence 4, without overwriting the existing precedence 4 rule. Using the insert option inserts the new rule prior to the existing one. The existing precedence 4 rule's precedence changes to 5, and the change cascades down the list of rules within the ACL. That means rule 5 becomes rule 6, and rule 6 becomes rule 7.

Note

NOT using insert when creating a new rule having the same precedence as an existing rule overwrites the existing rule.

Supported on the following devices:

Syntax

insert [deny|permit] <PARAMETERS> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) 
{(rule-description <LINE>)}

Parameters

insert [deny|permit] <PARAMETERS> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) 
{(rule-description <LINE>)}
[deny|permit] Inserts a deny or a permit rule within an IP ACL
<PARAMETERS> Provide the match criteria for this deny/permit rule. Packets will be filtered based on the criteria set here.

For more information on the deny rule, see deny (ipv4-acl).

For more information on the permit rule, see permit (ipv4-acl).

log After specifying the match criteria, specify the action taken for filtered packets

Logs all deny/permit events matching this entry. If a source and/or destination IP address is matched an event is logged.

mark [8021p <0-7>|dscp <0-63>] Specifies packets to mark
  • 8021p <0-7> – Marks packets by modifying the 802.1p VLAN user priority
  • dscp <0-63> – Marks packets by modifying the DSCP TOS bits in the header
rule-precedence <1-5000> rule-description <LINE> Assigns a precedence for this deny/permit rule
  • <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  • rule-description – Optional. Configures a description for this deny/permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
Note

The log option is functional only for router ACLs. The log option displays an informational logging message about the packet that matches the entry sent to the console.

Examples

nx9500-6C8809(config-ip-acl-test)#deny tcp from-vlan 1 any any rule-precedence 1
nx9500-6C8809(config-ip-acl-test)#permit icmp any host 192.168.13.7 1 1 rule-precedence 2
nx9500-6C8809(config-ip-acl-test)#show context
ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 permit icmp any host 192.168.13.7 1 1 rule-precedence 2
nx9500-6C8809(config-ip-acl-test)#

In the following example a new rule is inserted between the rules having precedences 1 and 2. The precedence of the existing precedence 2 rule changes to precedence 3.

nx9500-6C8809(config-ip-acl-test)#insert deny ip any any rule-precedence 2
nx9500-6C8809(config-ip-acl-test)#show context
ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 deny ip any any rule-precedence 2
 permit icmp any host 192.168.13.7 1 1 rule-precedence 3
nx9500-6C8809(config-ip-acl-test)#
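The two behaviours described on this page (a plain deny/permit entry overwriting a rule at the same precedence, versus insert shifting the existing rule and cascading the renumbering) are easy to model offline, which is useful when reviewing a planned ACL change before it is typed into a device. The following Python is an added example and is not WiNG code or output; it parses show context style rule lines as printed above, applies either operation, and reports any rule body that silently disappeared. The cascade is modelled as shifting each displaced rule by one until a free precedence is reached, which is an assumption that matches the contiguous examples on this page.

```python
"""Model of IP ACL precedence handling: plain entry (overwrite) versus insert (cascade).

Added example, not device code. Rule lines are in the 'show context' form shown on
this page: ' <deny|permit> <match criteria> rule-precedence <n>'.
"""
import re
from typing import Dict, List

# Documented precedence range for rule-precedence is 1-5000.
MAX_PRECEDENCE = 5000

# Matches one rule line from 'show context' output (constructed to fit the page's examples).
RULE_RE = re.compile(
    r"^\s*(?P<body>(?:deny|permit)\b.*?)\s+rule-precedence\s+(?P<prec>\d+)\s*$"
)


def parse_acl(show_context: str) -> Dict[int, str]:
    """Parse 'show context' text into {precedence: rule body}; non-rule lines are ignored."""
    acl: Dict[int, str] = {}
    for line in show_context.splitlines():
        m = RULE_RE.match(line)
        if m:
            acl[int(m.group("prec"))] = m.group("body")
    return acl


def _check_precedence(precedence: int) -> None:
    if not 1 <= precedence <= MAX_PRECEDENCE:
        raise ValueError(f"rule-precedence must be 1-{MAX_PRECEDENCE}, got {precedence}")


def add_rule(acl: Dict[int, str], body: str, precedence: int) -> Dict[int, str]:
    """Plain deny/permit entry: a rule already at this precedence is overwritten."""
    _check_precedence(precedence)
    new = dict(acl)
    new[precedence] = body
    return new


def insert_rule(acl: Dict[int, str], body: str, precedence: int) -> Dict[int, str]:
    """insert semantics: the new rule takes the precedence, the displaced rule moves to
    precedence + 1, and so on down the contiguous run (assumed cascade model)."""
    _check_precedence(precedence)
    new = dict(acl)
    p = precedence
    displaced = new.get(p)
    new[p] = body
    while displaced is not None:
        p += 1
        if p > MAX_PRECEDENCE:
            raise ValueError("cascade would push a rule past the maximum precedence")
        # Move the displaced rule down one slot and pick up whatever was there.
        displaced, new[p] = new.get(p), displaced
    return new


def lost_rules(before: Dict[int, str], after: Dict[int, str]) -> List[str]:
    """Rule bodies present before the change that no longer exist at any precedence.
    A non-empty result means a rule was overwritten rather than shifted."""
    return sorted(set(before.values()) - set(after.values()))


def render_acl(name: str, acl: Dict[int, str]) -> str:
    """Render the ACL in the same layout as 'show context', ordered by precedence."""
    lines = [f"ip access-list {name}"]
    for p in sorted(acl):
        lines.append(f" {acl[p]} rule-precedence {p}")
    return "\n".join(lines)


# Constructed sample: the ACL 'test' as shown on this page before the insert.
SAMPLE_CONTEXT = """ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 permit icmp any host 192.168.13.7 1 1 rule-precedence 2
"""

if __name__ == "__main__":
    base = parse_acl(SAMPLE_CONTEXT)
    with_insert = insert_rule(base, "deny ip any any", 2)
    without_insert = add_rule(base, "deny ip any any", 2)
    print(render_acl("test", with_insert))
    print("lost with insert:", lost_rules(base, with_insert))
    print(render_acl("test", without_insert))
    print("lost without insert:", lost_rules(base, without_insert))
```

Running the module shows the permit icmp rule moving to precedence 3 under insert, while the plain entry at precedence 2 reports that same rule as lost, which is the silent overwrite the note on this page warns about.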

Related Commands

alias

Creates and configures aliases (network, VLAN, service, etc.)