Micro-segmentation for VXLAN Fabrics Using Group Policy Option (GPO)
Network administrators can use micro-segmentation to logically group network resources based on specific criteria. You can use micro-segmentation with security groups and security group ACLs (SGACLs) to create and enforce tailored security policies between specific groups of network resources, regardless of network topology.
Creating Security Group
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
}
}
}
]
}
}
]
}
}
]
}
}
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
<esg-items>
<group-items>
<grp-items>
<GroupInst-list>
<id>50</id>
<name>50</name>
</GroupInst-list>
</grp-items>
</group-items>
</esg-items>
</System>
</config>
</edit-config>
</rpc>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above: the DME payload is the JSON example and the YANG payload is the XML example.
security-group 50 name 50
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgGroupInst | sys/esg/group/grp-50 |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Property Name | Data Type | Description | Values |
|---|---|---|---|
| id | uint16 | ID of the security-group | Min: 1, Max: 65535 |
| name | String: esg_SGName | Name of the security-group | - |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match VLAN
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchVlan": {
"attributes": {
"vlanId": "vlan-2"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
<esg-items>
<group-items>
<grp-items>
<GroupInst-list>
<id>50</id>
<name>50</name>
<selector-items>
<vlan-items xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="create">
<MatchVlan-list>
<vlanId>vlan-2</vlanId>
</MatchVlan-list>
</vlan-items>
</selector-items>
</GroupInst-list>
</grp-items>
</group-items>
</esg-items>
</System>
</config>
</edit-config>
</rpc>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above: the DME payload is the JSON example and the YANG payload is the XML example.
security-group 50 name 50
  match vlan 2
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchVlan | sys/esg/group/grp-50/selector/vlan-[vlan-2] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Property Name | Node Type | Data Type | Description |
|---|---|---|---|
| vlanId | leaf | string | VLAN ID that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match external-subnets IPv4
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchExternalSubnetV4": {
"attributes": {
"addr": "66.1.1.0/24",
"vrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
<esg-items>
<group-items>
<grp-items>
<GroupInst-list>
<id>50</id>
<name>50</name>
<selector-items>
<extsubnetv4-items xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="create">
<MatchExternalSubnetV4-list>
<vrf>tenant-1</vrf>
<addr>66.1.1.0/24</addr>
</MatchExternalSubnetV4-list>
</extsubnetv4-items>
</selector-items>
</GroupInst-list>
</grp-items>
</group-items>
</esg-items>
</System>
</config>
</edit-config>
</rpc>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above: the DME payload is the JSON example and the YANG payload is the XML example.
security-group 50 name 50
  match external-subnets vrf tenant-1 ipv4 66.1.1.0/24
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchExternalSubnetV4 | sys/esg/group/grp-50/selector/extsubnetv4-[tenant-1]-[66.1.1.0/24] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Property Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| vrf | leaf | l3_VrfName | string | Name of VRF that the prefix belongs to |
| addr | leaf | address_Ip | union | IPv4 prefix that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match external-subnets IPv6
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchExternalSubnetV6": {
"attributes": {
"addr": "66:1:2::1/128",
"vrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
<esg-items>
<group-items>
<grp-items>
<GroupInst-list>
<id>50</id>
<name>50</name>
<selector-items>
<extsubnetv6-items>
<MatchExternalSubnetV6-list xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="create">
<vrf>tenant-1</vrf>
<addr>66:1:2::1/128</addr>
</MatchExternalSubnetV6-list>
</extsubnetv6-items>
</selector-items>
</GroupInst-list>
</grp-items>
</group-items>
</esg-items>
</System>
</config>
</edit-config>
</rpc>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above: the DME payload is the JSON example and the YANG payload is the XML example.
security-group 50 name 50
  match external-subnets vrf tenant-1 ipv6 66:1:2::1/128
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchExternalSubnetV6 | sys/esg/group/grp-50/selector/extsubnetv6-[tenant-1]-[66:1:2::1/128] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Property Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| vrf | leaf | l3_VrfName | string | Name of VRF that the prefix belongs to |
| addr | leaf | address_Ip | union | IPv6 prefix that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match Connected Endpoints VRF IPv4
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchConnectedEpV4": {
"attributes": {
"addr": "192.168.2.0/24",
"vrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
<esg-items>
<group-items>
<grp-items>
<GroupInst-list>
<id>50</id>
<name>50</name>
<selector-items>
<connectedepv4-items xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="create">
<MatchConnectedEpV4-list>
<vrf>tenant-1</vrf>
<addr>192.168.2.0/24</addr>
</MatchConnectedEpV4-list>
</connectedepv4-items>
</selector-items>
</GroupInst-list>
</grp-items>
</group-items>
</esg-items>
</System>
</config>
</edit-config>
</rpc>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above: the DME payload is the JSON example and the YANG payload is the XML example.
security-group 50 name 50
  match connected-endpoints vrf tenant-1 ipv4 192.168.2.0/24
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchConnectedEpV4 | sys/esg/group/grp-50/selector/connectedepv4-[tenant-1]-[192.168.2.0/24] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Property Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| vrf | leaf | l3_VrfName | string | Name of VRF that the prefix belongs to |
| addr | leaf | address_Ip | union | IPv4 prefix that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match Connected Endpoints VRF IPv6
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchConnectedEpV6": {
"attributes": {
"addr": "192:168:1::2/128",
"vrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
<esg-items>
<group-items>
<grp-items>
<GroupInst-list>
<id>50</id>
<name>50</name>
<selector-items>
<connectedepv6-items xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="create">
<MatchConnectedEpV6-list>
<vrf>tenant-1</vrf>
<addr>192:168:1::2/128</addr>
</MatchConnectedEpV6-list>
</connectedepv6-items>
</selector-items>
</GroupInst-list>
</grp-items>
</group-items>
</esg-items>
</System>
</config>
</edit-config>
</rpc>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above: the DME payload is the JSON example and the YANG payload is the XML example.
security-group 50 name 50
  match connected-endpoints vrf tenant-1 ipv6 192:168:1::2/128
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchConnectedEpV6 | sys/esg/group/grp-50/selector/connectedepv6-[tenant-1]-[192:168:1::2/128] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Property Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| vrf | leaf | l3_VrfName | string | Name of VRF that the prefix belongs to |
| addr | leaf | address_Ip | union | IPv6 prefix that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring Security Contracts (SGACL) Between Security Groups
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgDom": {
"attributes": {
"defaultAction": "deny",
"name": "vxlan-900101",
"pcTag": "101",
"securityMode": "enforced"
},
"children": [
{
"esgContractEntity": {
"children": [
{
"esgContract": {
"attributes": {
"dPcTag": "5002",
"direction": "bi-dir",
"policyMap": "PlMapvxlan-900101",
"sPcTag": "1001"
}
}
},
{
"esgContract": {
"attributes": {
"dPcTag": "5001",
"direction": "bi-dir",
"policyMap": "PlMapvxlan-900101",
"sPcTag": "1001"
}
}
}
]
}
}
]
}
}
]
}
},
{
"l3Inst": {
"attributes": {
"encap": "vxlan-900101",
"l3vni": "no",
"name": "vxlan-900101"
}
}
}
]
}
}
ESG Configuration
<GroupInst-list>
<id>5113</id>
<name>tag5113</name>
<selector-items>
<connectedepv4-items>
<MatchConnectedEpV4-list>
<vrf>vxlan-900157</vrf>
<addr>5.1.113.0/24</addr>
</MatchConnectedEpV4-list>
</connectedepv4-items>
<connectedepv6-items>
<MatchConnectedEpV6-list>
<vrf>vxlan-900157</vrf>
<addr>5:1:0:71::/64</addr>
</MatchConnectedEpV6-list>
</connectedepv6-items>
<extsubnetv4-items>
<MatchExternalSubnetV4-list>
<vrf>vxlan-900157</vrf>
<addr>50.110.57.0/24</addr>
</MatchExternalSubnetV4-list>
</extsubnetv4-items>
<extsubnetv6-items>
<MatchExternalSubnetV6-list>
<vrf>vxlan-900157</vrf>
<addr>50:110:1:39::/64</addr>
</MatchExternalSubnetV6-list>
</extsubnetv6-items>
</selector-items>
</GroupInst-list>
<GroupInst-list>
<id>5073</id>
<name>tag5073</name>
<selector-items>
<connectedepv4-items>
<MatchConnectedEpV4-list>
<vrf>vxlan-900137</vrf>
<addr>5.1.73.0/24</addr>
</MatchConnectedEpV4-list>
</connectedepv4-items>
<connectedepv6-items>
<MatchConnectedEpV6-list>
<vrf>vxlan-900137</vrf>
<addr>5:1:0:49::/64</addr>
</MatchConnectedEpV6-list>
</connectedepv6-items>
<extsubnetv4-items>
<MatchExternalSubnetV4-list>
<vrf>vxlan-900137</vrf>
<addr>50.110.37.0/24</addr>
</MatchExternalSubnetV4-list>
</extsubnetv4-items>
<extsubnetv6-items>
<MatchExternalSubnetV6-list>
<vrf>vxlan-900137</vrf>
<addr>50:110:1:25::/64</addr>
</MatchExternalSubnetV6-list>
</extsubnetv6-items>
</selector-items>
</GroupInst-list>
<GroupInst-list>
<id>5475</id>
<name>tag5475</name>
<selector-items>
<vlan-items>
<MatchVlan-list>
<vlanId>vlan-1475</vlanId>
</MatchVlan-list>
</vlan-items>
</selector-items>
</GroupInst-list>
ClassMap
<ClassMapInst-list>
<name>clMapvxlan-900157</name>
<entry-items>
<ClassMapFilterEntry-list>
<name>l3:ipv6-l4:udp-spfrom:500-spto:500-dpfrom:1000-dpto:1000</name>
<applyToFrag>false</applyToFrag>
<arpOpc>unspecified</arpOpc>
<dFromPort>1000</dFromPort>
<dToPort>1000</dToPort>
<etherT>ipv6</etherT>
<icmpv4T>255</icmpv4T>
<icmpv6T>0</icmpv6T>
<matchDPortZero>false</matchDPortZero>
<matchDscp>64</matchDscp>
<matchSPortZero>false</matchSPortZero>
<prot>17</prot>
<sFromPort>500</sFromPort>
<sToPort>500</sToPort>
<stateful>false</stateful>
</ClassMapFilterEntry-list>
<ClassMapFilterEntry-list>
<name>l3:ipv6-l4:udp-spfrom:489-spto:489-dpfrom:500-dpto:500</name>
<applyToFrag>false</applyToFrag>
<arpOpc>unspecified</arpOpc>
<dFromPort>500</dFromPort>
<dToPort>500</dToPort>
<etherT>ipv6</etherT>
<icmpv4T>255</icmpv4T>
<icmpv6T>0</icmpv6T>
<matchDPortZero>false</matchDPortZero>
<matchDscp>64</matchDscp>
<matchSPortZero>false</matchSPortZero>
<prot>17</prot>
<sFromPort>489</sFromPort>
<sToPort>489</sToPort>
<stateful>false</stateful>
</ClassMapFilterEntry-list>
</entry-items>
</ClassMapInst-list>
PolicyMap
<PolicyMapInst-list>
<name>PlMapvxlan-900157</name>
<cmap-items>
<MatchClassMap-list>
<name>clMapvxlan-900157</name>
<countAction>true</countAction>
<forwardingAction>permit</forwardingAction>
<logAction>false</logAction>
</MatchClassMap-list>
</cmap-items>
</PolicyMapInst-list>
Contracts
<Dom-list>
<name>vxlan-900157</name>
<contract-items>
<sgt-items>
<Contract-list>
<sPcTag>5113</sPcTag>
<dPcTag>10113</dPcTag>
<policyMap>PlMapvxlan-900157</policyMap>
<direction>bi-dir</direction>
</Contract-list>
<Contract-list>
<sPcTag>1113</sPcTag>
<dPcTag>5113</dPcTag>
<policyMap>PlMapvxlan-900157</policyMap>
<direction>bi-dir</direction>
</Contract-list>
<Contract-list>
<sPcTag>1114</sPcTag>
<dPcTag>5114</dPcTag>
<policyMap>PlMapvxlan-900157</policyMap>
<direction>bi-dir</direction>
</Contract-list>
<Contract-list>
<sPcTag>5114</sPcTag>
<dPcTag>10113</dPcTag>
<policyMap>PlMapvxlan-900157</policyMap>
<direction>bi-dir</direction>
</Contract-list>
<Contract-list>
<sPcTag>4114</sPcTag>
<dPcTag>5114</dPcTag>
<policyMap>PlMapvxlan-900157</policyMap>
<direction>bi-dir</direction>
</Contract-list>
</sgt-items>
</contract-items>
<defaultAction>deny</defaultAction>
<pcTag>151</pcTag>
<securityMode>enforced</securityMode>
</Dom-list>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above: the DME payload is the JSON example and the YANG payload is the XML example.
vrf context vxlan-900101
  vni 900101
  security contract source 1001 destination 5001 policy PlMapvxlan-900101
  security contract source 1001 destination 5002 policy PlMapvxlan-900101
  security enforce tag 101 default deny
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| - | - |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Property Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| - | - | - | - | - |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
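An offline audit of a configuration in the shape of the YANG fragments above, as an added example (not Cisco's code): it flags VRF domains that are not enforced with default deny, and contracts or policy maps that reference objects missing from the payload. The wrapper element, the sample values, and the assumption that contract tags correspond to security-group IDs or VRF pcTags are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: element names follow the fragments on this page,
# the <esg-sample> wrapper and all values are made up for the example.
SAMPLE = """
<esg-sample>
  <GroupInst-list><id>5113</id><name>tag5113</name></GroupInst-list>
  <GroupInst-list><id>1113</id><name>tag1113</name></GroupInst-list>
  <ClassMapInst-list><name>clMapA</name></ClassMapInst-list>
  <PolicyMapInst-list>
    <name>PlMapA</name>
    <cmap-items>
      <MatchClassMap-list><name>clMapA</name><forwardingAction>permit</forwardingAction></MatchClassMap-list>
      <MatchClassMap-list><name>clMapGone</name><forwardingAction>permit</forwardingAction></MatchClassMap-list>
    </cmap-items>
  </PolicyMapInst-list>
  <Dom-list>
    <name>vxlan-A</name>
    <contract-items><sgt-items>
      <Contract-list><sPcTag>1113</sPcTag><dPcTag>5113</dPcTag><policyMap>PlMapA</policyMap><direction>bi-dir</direction></Contract-list>
      <Contract-list><sPcTag>1113</sPcTag><dPcTag>9999</dPcTag><policyMap>PlMapTypo</policyMap><direction>bi-dir</direction></Contract-list>
    </sgt-items></contract-items>
    <defaultAction>permit</defaultAction>
    <pcTag>151</pcTag>
    <securityMode>enforced</securityMode>
  </Dom-list>
</esg-sample>
"""


def local(tag):
    """Drop any '{namespace}' prefix so namespaced and bare fragments parse alike."""
    return tag.rsplit("}", 1)[-1]


def find_all(root, name):
    """All elements at or below root whose local name matches."""
    return [e for e in root.iter() if local(e.tag) == name]


def child_text(elem, name):
    """Text of a direct child, or '' when the child is absent."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit(xml_text):
    """Return (object, issue, detail) tuples for every problem found."""
    root = ET.fromstring(xml_text)
    findings = []

    class_maps = {child_text(c, "name") for c in find_all(root, "ClassMapInst-list")}
    policy_maps = {
        child_text(pm, "name"): [child_text(m, "name") for m in find_all(pm, "MatchClassMap-list")]
        for pm in find_all(root, "PolicyMapInst-list")
    }
    # Assumption: a contract tag is either a security-group ID or a VRF pcTag.
    known_tags = {child_text(g, "id") for g in find_all(root, "GroupInst-list")}
    known_tags |= {child_text(d, "pcTag") for d in find_all(root, "Dom-list")}

    for pm_name, refs in policy_maps.items():
        for ref in refs:
            if ref not in class_maps:
                findings.append((pm_name, "undefined-class-map", ref))

    for dom in find_all(root, "Dom-list"):
        name = child_text(dom, "name")
        mode = child_text(dom, "securityMode")
        default = child_text(dom, "defaultAction")
        if mode != "enforced":
            findings.append((name, "not-enforced", mode))
        if default != "deny":
            findings.append((name, "default-not-deny", default))
        for contract in find_all(dom, "Contract-list"):
            src = child_text(contract, "sPcTag")
            dst = child_text(contract, "dPcTag")
            pmap = child_text(contract, "policyMap")
            label = f"{src}->{dst}"
            if pmap not in policy_maps:
                findings.append((name, "undefined-policy-map", f"{label} {pmap}"))
            for tag in (src, dst):
                if tag not in known_tags:
                    findings.append((name, "unknown-tag", f"{label} {tag}"))
    return findings


if __name__ == "__main__":
    for obj, issue, detail in audit(SAMPLE):
        print(f"{obj}: {issue}: {detail}")
```

An excerpt that omits some groups or maps will produce reference findings for them, so run the audit against the full configuration rather than a fragment.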
Configuring security-group as a layer4-7 type
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgAttributeEntity": {
"attributes": {
"typeLayer4To7": "enabled"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
CLI Command
The CLI command below is the equivalent of the payload example shown above.
security-group 50 name 50
  type layer4-7
Note: The property information for this example was added in Release 10.5(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgAttributeEntity | sys/esg/group/grp-50/attribute |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| typeLayer4To7 | leaf | esg_AdminSt | enumeration | Set the security-group as a layer4-7 type |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring Community Attribute for Resolved Injection Route
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgRtInjectEntity": {
"children": [
{
"esgRtInjectResolved": {
"attributes": {
"resolvedComm": "regular:as2-nn2:1:1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
CLI Command
The CLI command below is the equivalent of the payload example shown above.
security-group external-subnets route-inject resolved community 1:1
Note: The property information for this example was added in Release 10.5(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgRtInjectResolved | sys/esg/group/rtinject/rtinjectresolved |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| resolvedComm | leaf | mtx_array_community | string | Community to be set for resolved external subnets inject routes |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring Route Injection for IPv4 External Selector
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchExternalSubnetV4": {
"attributes": {
"addr": "66.1.1.0/24",
"rtInject": "enabled",
"vrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
CLI Command
The CLI command below is the equivalent of the payload example shown above.
security-group 50 name 50
  match external-subnets vrf tenant-1 ipv4 66.1.1.0/24 route-inject
Note: The property information for this example was added in Release 10.5(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchExternalSubnetV4 | sys/esg/group/grp-50/selector/extsubnetv4-[tenant-1]-[66.1.1.0/24] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| rtInject | leaf | esg_AdminSt | enumeration | Enable/disable route-injection for this selector |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring Route Injection for IPv6 External Selector
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchExternalSubnetV6": {
"attributes": {
"addr": "66:1:1::/64",
"rtInject": "enabled",
"vrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
CLI Command
The CLI command below is the equivalent of the payload example shown above.
security-group 50 name 50
  match external-subnets vrf tenant-1 ipv6 66:1:1::/64 route-inject
Note: The property information for this example was added in Release 10.5(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchExternalSubnetV6 | sys/esg/group/grp-50/selector/extsubnetv6-[tenant-1]-[66:1:1::/64] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| rtInject | leaf | esg_AdminSt | enumeration | Enable/disable route-injection for this selector |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring IPv4 External Selector with Nexthop
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchExternalSubnetV4WithNh": {
"attributes": {
"nexthopAddr": "11.1.1.1",
"selectorPrefix": "190.1.1.0/24",
"selectorVrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
CLI Command
The CLI command below is the equivalent of the payload example displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.
security-group 50 name 50
match external-subnets vrf tenant-1 ipv4 190.1.1.0/24 nexthop ipv4 11.1.1.1
Note: The property information for this example was added in Release 10.5(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchExternalSubnetV4WithNh | sys/esg/group/grp-50/selector/extsubnetv4nh-[tenant-1]-[190.1.1.0/24]-[11.1.1.1] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| nexthopAddr | leaf | address_Ip | union | Nexthop IP address for the selector prefix |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring IPv6 External Selector with Nexthop
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchExternalSubnetV6WithNh": {
"attributes": {
"nexthopAddr": "11:1:1::1",
"selectorPrefix": "190:1:1:1::/64",
"selectorVrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
CLI Command
The CLI command below is the equivalent of the payload example displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.
security-group 50 name 50
match external-subnets vrf tenant-1 ipv6 190:1:1:1::/64 nexthop ipv6 11:1:1::1
Note: The property information for this example was added in Release 10.5(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchExternalSubnetV6WithNh | sys/esg/group/grp-50/selector/extsubnetv6nh-[tenant-1]-[190:1:1:1::/64]-[11:1:1::1] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| nexthopAddr | leaf | address_Ip | union | Nexthop IP address for the selector prefix |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring External IPv4 with Nexthop Based out of mpls-vpn
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchExternalSubnetV4WithNhEncap": {
"attributes": {
"encapType": "mpls-vpn",
"nexthopAddr": "11.1.1.1",
"selectorPrefix": "190.1.1.0/24",
"selectorVrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
CLI Command
The CLI command below is the equivalent of the payload example displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.
security-group 50 name 50
match external-subnets vrf tenant-1 ipv4 190.1.1.0/24 nexthop ipv4 11.1.1.1 encap-type mpls-vpn
Note: The property information for this example was added in Release 10.5(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchExternalSubnetV4WithNhEncap | sys/esg/group/grp-50/selector/extsubnetv4nhencap-[tenant-1]-[190.1.1.0/24]-[11.1.1.1]-[mpls-vpn] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| encapType | leaf | esg_NhEncapType | enumeration | Encap type of the Nexthop IP address |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring External IPv6 with Nexthop Based out of mpls-vpn
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchExternalSubnetV6WithNhEncap": {
"attributes": {
"encapType": "mpls-vpn",
"nexthopAddr": "11.1.1.1",
"selectorPrefix": "190:1:1:1::/64",
"selectorVrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
CLI Command
The CLI command below is the equivalent of the payload example displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.
security-group 50 name 50
match external-subnets vrf tenant-1 ipv6 190:1:1:1::/64 nexthop ipv4 11.1.1.1 encap-type mpls-vpn
Note: The property information for this example was added in Release 10.5(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchExternalSubnetV6WithNhEncap | sys/esg/group/grp-50/selector/extsubnetv6nhencap-[tenant-1]-[190:1:1:1::/64]-[11.1.1.1]-[mpls-vpn] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| encapType | leaf | esg_NhEncapType | enumeration | Encap type of the Nexthop IP address |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match VLAN with Range
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchVlan": {
"attributes": {
"vlanId": "vlan-4"
}
}
},
{
"esgMatchVlan": {
"attributes": {
"vlanId": "vlan-3"
}
}
},
{
"esgMatchVlan": {
"attributes": {
"vlanId": "vlan-12"
}
}
},
{
"esgMatchVlan": {
"attributes": {
"vlanId": "vlan-2"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
CLI Command
The CLI command below is the equivalent of the payload example displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.
security-group 50 name 50
match vlan 2-4,12
Note: The property information for this example was added in Release 10.5(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchVlan | sys/esg/group/grp-50/selector/vlan-[vlan-4] |
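The CLI range `2-4,12` is stored as one esgMatchVlan child per VLAN, while the DN table above lists only one of the four. The following added example (not taken from the Cisco documentation) expands a range into the child MOs and the DN to GET for each, and reports drift between a retrieved child list and the intended range. The function names are hypothetical, and the 1-4094 bound is the 802.1Q range, assumed here rather than taken from this page.

```python
def expand_vlan_range(spec):
    """Expand a CLI VLAN list such as '2-4,12' into sorted VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, sep, hi = part.strip().partition("-")
        first = int(lo)                     # ValueError on empty or non-numeric
        last = int(hi) if sep else first
        if not 1 <= first <= last <= 4094:  # assumed 802.1Q bound, see lead-in
            raise ValueError(f"bad VLAN element {part!r}")
        vlans.update(range(first, last + 1))
    return sorted(vlans)


def vlan_children(spec):
    """One esgMatchVlan child MO per VLAN, shaped like the payload above."""
    return [{"esgMatchVlan": {"attributes": {"vlanId": f"vlan-{v}"}}}
            for v in expand_vlan_range(spec)]


def vlan_dns(group_id, spec):
    """DN of each per-VLAN selector, following the DN table's pattern."""
    return [f"sys/esg/group/grp-{group_id}/selector/vlan-[vlan-{v}]"
            for v in expand_vlan_range(spec)]


def vlan_drift(children, spec):
    """Compare esgSelectorEntity children with the intended range.

    Returns (missing, unexpected) as sorted lists of VLAN IDs.
    """
    have = {int(c["esgMatchVlan"]["attributes"]["vlanId"].split("-", 1)[1])
            for c in children if "esgMatchVlan" in c}
    want = set(expand_vlan_range(spec))
    return sorted(want - have), sorted(have - want)


# The four children from the payload above, in the order the page lists them.
PAGE_CHILDREN = [
    {"esgMatchVlan": {"attributes": {"vlanId": "vlan-4"}}},
    {"esgMatchVlan": {"attributes": {"vlanId": "vlan-3"}}},
    {"esgMatchVlan": {"attributes": {"vlanId": "vlan-12"}}},
    {"esgMatchVlan": {"attributes": {"vlanId": "vlan-2"}}},
]

if __name__ == "__main__":
    print("\n".join(vlan_dns("50", "2-4,12")))
    print(vlan_drift(PAGE_CHILDREN, "2-4,12"))
```

An empty `missing` list means every VLAN in the intended range has a selector; a non-empty `unexpected` list means the group classifies a VLAN that the change request did not ask for.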
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Name | Node Type | Data Type | Description |
|---|---|---|---|
| vlanId | leaf | string | VLAN ID that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match VLAN with MAC
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchVlanMac": {
"attributes": {
"macAddr": "00:01:00:02:00:03",
"vlanId": "vlan-400"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
CLI Command
The CLI command below is the equivalent of the payload example displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.
security-group 50 name 50
match vlan 400 mac 0001.0002.0003
Note: The property information for this example was added in Release 10.5(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchVlanMac | sys/esg/group/grp-50/selector/vlanmac-[vlan-400]-[00:01:00:02:00:03] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| macAddr | leaf | address_Mac | string | MAC Address that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match VLAN with Interface
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchVlanInterface": {
"attributes": {
"interfaceId": "po1",
"vlanId": "vlan-11"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
CLI Command
The CLI command below is the equivalent of the payload example displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.
security-group 50 name 50
match vlan 11 interface port-channel1
Note: The property information for this example was added in Release 10.5(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchVlanInterface | sys/esg/group/grp-50/selector/vlaninterface-[vlan-11]-[po1] |
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| interfaceId | leaf | nw_IfId | string | Interface that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring Match Interface using VLAN for Service Chaining
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchInterface": {
"attributes": {
"id": "vlan11"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
{
imdata:[]
}
CLI Command
The CLI command below is the equivalent of the payload example displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.
security-group 50 name 50
match interface Vlan11
Note: The property information for this example was added in Release 10.5(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| esgMatchInterface | sys/esg/group/grp-50/selector/interface-[vlan11] |
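The DN tables in the selector sections above all follow one pattern: a class-specific prefix followed by the MO's naming attributes in brackets. The following added example (not Cisco's code) derives the DN of every selector in a DME payload so that a post-change check can GET each one. The function names and the combined sample payload are constructed here; the prefixes and attribute names are copied from this page.

```python
# RN pattern per selector class, copied from the DN tables on this page:
# class -> (RN prefix, attributes that fill the bracketed keys, in order).
_NH = ("selectorVrf", "selectorPrefix", "nexthopAddr")
RN_TEMPLATES = {
    "esgMatchExternalSubnetV6": ("extsubnetv6", ("vrf", "addr")),
    "esgMatchExternalSubnetV4WithNh": ("extsubnetv4nh", _NH),
    "esgMatchExternalSubnetV6WithNh": ("extsubnetv6nh", _NH),
    "esgMatchExternalSubnetV4WithNhEncap":
        ("extsubnetv4nhencap", _NH + ("encapType",)),
    "esgMatchExternalSubnetV6WithNhEncap":
        ("extsubnetv6nhencap", _NH + ("encapType",)),
    "esgMatchVlan": ("vlan", ("vlanId",)),
    "esgMatchVlanMac": ("vlanmac", ("vlanId", "macAddr")),
    "esgMatchVlanInterface": ("vlaninterface", ("vlanId", "interfaceId")),
    "esgMatchInterface": ("interface", ("id",)),
}

def kids(body, cls=None):
    """Yield (class name, MO body) for each child, optionally one class only."""
    for child in body.get("children", []):
        for name, inner in child.items():
            if cls is None or name == cls:
                yield name, inner

def selector_dns(payload):
    """Return the DN of every selector MO in a topSystem payload."""
    dns = []
    for _, esg in kids(payload["topSystem"], "esgEntity"):
        for _, grp_ent in kids(esg, "esgGroupEntity"):
            for _, grp in kids(grp_ent, "esgGroupInst"):
                base = f"sys/esg/group/grp-{grp['attributes']['id']}/selector"
                for _, sel in kids(grp, "esgSelectorEntity"):
                    for cls, mo in kids(sel):
                        if cls not in RN_TEMPLATES:
                            raise ValueError(f"no RN pattern known for {cls}")
                        prefix, keys = RN_TEMPLATES[cls]
                        attrs = mo["attributes"]
                        rn = prefix + "".join(f"-[{attrs[k]}]" for k in keys)
                        dns.append(f"{base}/{rn}")
    return dns

def wrap_selectors(group_id, selectors):
    """Build the topSystem tree around a list of selector MOs (sample data)."""
    sel = {"esgSelectorEntity": {"children": selectors}}
    grp = {"esgGroupInst": {"attributes": {"id": group_id, "name": group_id},
                            "children": [sel]}}
    return {"topSystem": {"children": [{"esgEntity": {"children": [
        {"esgGroupEntity": {"children": [grp]}}]}}]}}

# Constructed sample: three selectors from this page combined in one payload.
SAMPLE = wrap_selectors("50", [
    {"esgMatchExternalSubnetV6": {"attributes": {
        "addr": "66:1:1::/64", "rtInject": "enabled", "vrf": "tenant-1"}}},
    {"esgMatchExternalSubnetV4WithNhEncap": {"attributes": {
        "encapType": "mpls-vpn", "nexthopAddr": "11.1.1.1",
        "selectorPrefix": "190.1.1.0/24", "selectorVrf": "tenant-1"}}},
    {"esgMatchVlanMac": {"attributes": {
        "macAddr": "00:01:00:02:00:03", "vlanId": "vlan-400"}}},
])
```

An unknown selector class raises instead of being skipped, so a payload that contains a class this table does not cover cannot pass verification silently.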
Properties
The following table contains information about the properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
| Name | Node Type | Data Type | Base Type | Description |
|---|---|---|---|---|
| id | leaf | nw_IfId | string | Interface that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide: