Configuring Secure VXLAN EVPN Multi-Site using CloudSec

Secure VXLAN EVPN Multi-Site using CloudSec ensures data security and data integrity for VXLAN-basedMulti-Site fabrics. Using the cryptographic machinery of IEEE MACSec for UDP packets, this feature providesa secure tunnel between authorized VXLAN EVPN endpoints.

The Secure VXLAN EVPN Multi-Site using CloudSec session is point to point over DCI between border gateways(BGWs) on two different sites. All communication between sites uses Multi-Site PIP instead of VIP. Formigration information, see Migrating from Multi-Site with VIP to Multi-Site with PIP, on page 16.

Secure VXLAN EVPN Multi-Site using CloudSec is enabled on a per-peer basis. Peers that do not support CloudSeccan operate with peers that do support CloudSec, but the traffic is unencrypted. We recommend allowingunencrypted traffic only during migration from non-CloudSec-enabled sites to CloudSec-enabled sites.

CloudSec key exchange uses BGP while MACsec uses the MACsec Key Agreement (MKA). The CloudSeccontrol plane uses the IPv4 address family for the BGP session.

For more information, see the Cisco Nexus 9000 VXLAN Multi-Site Configuration Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-installation-and-configuration-guides-list.html

Configuring Tunnel Encryption

Configuring Tunnel Encryption

POST http://<mgmt0_IP>/api/mo/sys/fm.json

{
  "fmEntity": {
    "children": [
      {
        "fmTunnelEncryption": {
          "attributes": {
            "adminSt": "enabled"
}}}]}}

{
    imdata:[]
}

<System>
  <fm-items>
    <tunnelenc-items>
      <adminSt>enabled</adminSt>
    </tunnelenc-items>
  </fm-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

feature tunnel-encryption

Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO	DN
fmEntity	sys/fm
fmTunnelEncryption	sys/fm/tunnelenc

fmTunnelEncryption Properties

The following table contains information about the fmTunnelEncryption properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
adminSt	fm:AdminState (scalar:Enum8)	Admin status	SELECTION: 1 - enabled 2 - disabled DEFAULT: disabled

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting Tunnel Encryption

Deleting Tunnel Encryption

POST http://<mgmt0_IP>/api/mo/sys/fm.json

{
  "fmEntity": {
    "children": [
      {
        "fmTunnelEncryption": {
          "attributes": {
            "adminSt": "disabled"
}}}]}}

{
    imdata:[]
}

<System>
  <fm-items>
    <tunnelenc-items>
      <adminSt>disabled</adminSt>
    </tunnelenc-items>
  </fm-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

no feature tunnel-encryption

Verifying a DME Configuration

MO	DN
fmEntity	sys/fm
fmTunnelEncryption	sys/fm/tunnelenc

fmTunnelEncryption Properties

Property Name	Data Type	Description	Values
adminSt	fm:AdminState (scalar:Enum8)	Admin status	SELECTION: 1 - enabled 2 - disabled DEFAULT: disabled

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Tunnel Encryption Policy

Configuring a Tunnel Encryption Policy

POST http://<mgmt0_IP>/api/mo/sys/tunnelenc.json

{
  "tunnelencEntity": {
    "children": [
      {
        "tunnelencPolicy": {
          "attributes": {
            "policyName": "Pol1"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <policy-items>
      <Policy-list>
        <policyName>Pol1</policyName>
      </Policy-list>
    </policy-items>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

tunnel-encryption policy Pol1

Verifying a DME Configuration

MO	DN
tunnelencEntity	sys/tunnelenc
tunnelencPolicy	sys/tunnelenc/policy-Pol1

tunnelencPolicy Properties

The following table contains information about the tunnelencPolicy properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
policyName	tunnelenc:PolicyName (string:Basic)	Name of tunnel-encryption Policy	A sequence of characters DEFAULT: system-default-tunenc-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting a Tunnel Encryption Policy

Deleting a Tunnel Encryption Policy

POST http://<mgmt0_IP>/api/mo/sys/tunnelenc.json

{
  "tunnelencEntity": {
    "children": [
      {
        "tunnelencPolicy": {
          "attributes": {
            "policyName": "Pol1",
            "status": "deleted"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <policy-items>
      <Policy-list nc:operation="delete">
        <policyName>Pol1</policyName>
      </Policy-list>
    </policy-items>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

no tunnel-encryption policy Pol1

Verifying a DME Configuration

MO	DN
tunnelencEntity	sys/tunnelenc
tunnelencPolicy	sys/tunnelenc/policy-Pol1

tunnelencPolicy Properties

Property Name	Data Type	Description	Values
policyName	tunnelenc:PolicyName (string:Basic)	Name of tunnel-encryption Policy	A sequence of characters DEFAULT: system-default-tunenc-policy
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Window Size

Configuring the Window Size

POST http://<mgmt0_IP>/api/mo/sys/tunnelenc.json

{
  "tunnelencEntity": {
    "children": [
      {
        "tunnelencPolicy": {
          "attributes": {
            "policyName": "Pol1",
            "replayWindow": "319901218"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <policy-items>
      <Policy-list>
        <policyName>Pol1</policyName>
        <replayWindow>319901218</replayWindow>
      </Policy-list>
    </policy-items>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

tunnel-encryption policy Pol1
window-size 319901218

Verifying a DME Configuration

MO	DN
tunnelencEntity	sys/tunnelenc
tunnelencPolicy	sys/tunnelenc/policy-Pol1

tunnelencPolicy Properties

Property Name	Data Type	Description	Values
policyName	tunnelenc:PolicyName (string:Basic)	Name of tunnel-encryption Policy	A sequence of characters DEFAULT: system-default-tunenc-policy
replayWindow	tunnelenc:ReplayWindow (scalar:Uint32)	Replay Window for tunnel-encryption Policy	RANGE: [134217728 , 1073741823] DEFAULT: 268435456

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Window Size

Deleting the Window Size

POST http://<mgmt0_IP>/api/mo/sys/tunnelenc.json

{
  "tunnelencEntity": {
    "children": [
      {
        "tunnelencPolicy": {
          "attributes": {
            "policyName": "Pol1",
            "replayWindow": "268435456"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <policy-items>
      <Policy-list>
        <policyName>Pol1</policyName>
        <replayWindow>268435456</replayWindow>
      </Policy-list>
    </policy-items>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

tunnel-encryption policy Pol1
no window-size 319901218

Verifying a DME Configuration

MO	DN
tunnelencEntity	sys/tunnelenc
tunnelencPolicy	sys/tunnelenc/policy-Pol1

tunnelencPolicy Properties

Property Name	Data Type	Description	Values
policyName	tunnelenc:PolicyName (string:Basic)	Name of tunnel-encryption Policy	A sequence of characters DEFAULT: system-default-tunenc-policy
replayWindow	tunnelenc:ReplayWindow (scalar:Uint32)	Replay Window for tunnel-encryption Policy	RANGE: [134217728 , 1073741823] DEFAULT: 268435456

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Time in Seconds to Force SAK Rekey

Configuring the Time in Seconds to Force SAK Rekey

POST http://<mgmt0_IP>/api/mo/sys/tunnelenc.json

{
  "tunnelencEntity": {
    "children": [
      {
        "tunnelencPolicy": {
          "attributes": {
            "policyName": "Pol1",
            "sakExpiryTime": "1800"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <policy-items>
      <Policy-list>
        <policyName>Pol1</policyName>
        <sakExpiryTime>1800</sakExpiryTime>
      </Policy-list>
    </policy-items>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

tunnel-encryption policy Pol1
sak-rekey-time 1800

Verifying a DME Configuration

MO	DN
tunnelencEntity	sys/tunnelenc
tunnelencPolicy	sys/tunnelenc/policy-Pol1

tunnelencPolicy Properties

Property Name	Data Type	Description	Values
policyName	tunnelenc:PolicyName (string:Basic)	Name of tunnel-encryption Policy	A sequence of characters DEFAULT: system-default-tunenc-policy
sakExpiryTime	tunnelenc:SakExpiryTime (scalar:Uint32)	Security Association Key Expiry Time for tunnel-encryption Policy	RANGE: [0 , 2592000] DEFAULT: pn-rollover

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Time in Seconds to Force SAK Rekey

Deleting the Time in Seconds to Force SAK Rekey

POST http://<mgmt0_IP>/api/mo/sys/tunnelenc.json

{
  "tunnelencEntity": {
    "children": [
      {
        "tunnelencPolicy": {
          "attributes": {
            "policyName": "Pol1",
            "sakExpiryTime": "pn-rollover"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <policy-items>
      <Policy-list>
        <policyName>Pol1</policyName>
        <sakExpiryTime>0</sakExpiryTime>
      </Policy-list>
    </policy-items>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

tunnel-encryption policy Pol1
no sak-rekey-time 1800

Verifying a DME Configuration

MO	DN
tunnelencEntity	sys/tunnelenc
tunnelencPolicy	sys/tunnelenc/policy-Pol1

tunnelencPolicy Properties

Property Name	Data Type	Description	Values
policyName	tunnelenc:PolicyName (string:Basic)	Name of tunnel-encryption Policy	A sequence of characters DEFAULT: system-default-tunenc-policy
sakExpiryTime	tunnelenc:SakExpiryTime (scalar:Uint32)	Security Association Key Expiry Time for tunnel-encryption Policy	RANGE: [0 , 2592000] DEFAULT: pn-rollover

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring GCM AES XPN 128 Bit Encryption

Configuring GCM AES XPN 128 Bit Encryption

POST http://<mgmt0_IP>/api/mo/sys/tunnelenc.json

{
  "tunnelencEntity": {
    "children": [
      {
        "tunnelencPolicy": {
          "attributes": {
            "cipherSuite": "GCM-AES-XPN-128",
            "policyName": "Pol1"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <policy-items>
      <Policy-list>
        <policyName>Pol1</policyName>
        <cipherSuite>GCM-AES-XPN-128</cipherSuite>
      </Policy-list>
    </policy-items>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

tunnel-encryption policy Pol1
cipher-suite GCM-AES-XPN-128

Verifying a DME Configuration

MO	DN
tunnelencEntity	sys/tunnelenc
tunnelencPolicy	sys/tunnelenc/policy-Pol1

tunnelencPolicy Properties

Property Name	Data Type	Description	Values
cipherSuite	tunnelenc:CipherSuite (scalar:Enum8)	Cipher Suite for tunnel-encryption Policy	SELECTION: 3 - GCM-AES-XPN-128 4 - GCM-AES-XPN-256 DEFAULT: GCM-AES-XPN-256
policyName	tunnelenc:PolicyName (string:Basic)	Name of tunnel-encryption Policy	A sequence of characters DEFAULT: system-default-tunenc-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting GCM AES XPN 128 Bit Encryption

Deleting GCM AES XPN 128 Bit Encryption

POST http://<mgmt0_IP>/api/mo/sys/tunnelenc.json

{
  "tunnelencEntity": {
    "children": [
      {
        "tunnelencPolicy": {
          "attributes": {
            "cipherSuite": "GCM-AES-XPN-256",
            "policyName": "Pol1"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <policy-items>
      <Policy-list>
        <policyName>Pol1</policyName>
        <cipherSuite>GCM-AES-XPN-256</cipherSuite>
      </Policy-list>
    </policy-items>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

tunnel-encryption policy Pol1
no cipher-suite GCM-AES-XPN-128

Verifying a DME Configuration

MO	DN
tunnelencEntity	sys/tunnelenc
tunnelencPolicy	sys/tunnelenc/policy-Pol1

tunnelencPolicy Properties

Property Name	Data Type	Description	Values
cipherSuite	tunnelenc:CipherSuite (scalar:Enum8)	Cipher Suite for tunnel-encryption Policy	SELECTION: 3 - GCM-AES-XPN-128 4 - GCM-AES-XPN-256 DEFAULT: GCM-AES-XPN-256
policyName	tunnelenc:PolicyName (string:Basic)	Name of tunnel-encryption Policy	A sequence of characters DEFAULT: system-default-tunenc-policy

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Tunnel Encryption Peer IP

Configuring a Tunnel Encryption Peer IP

POST http://<mgmt0_IP>/api/mo/sys/tunnelenc.json

{
  "tunnelencEntity": {
    "children": [
      {
        "tunnelencPeerIp": {
          "attributes": {
            "peerIp": "1.2.3.4"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <peerip-items>
      <PeerIp-list>
        <peerIp>1.2.3.4</peerIp>
      </PeerIp-list>
    </peerip-items>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

tunnel-encryption peer-ip 1.2.3.4

Verifying a DME Configuration

MO	DN
tunnelencEntity	sys/tunnelenc
tunnelencPeerIp	sys/tunnelenc/peerip-1.2.3.4

tunnelencPeerIp Properties

The following table contains information about the tunnelencPeerIp properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
peerIp	address:IPv4	Peer-ips aasociated to tunnel-encryption	Value must match ipv4 format

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting a Tunnel Encryption Peer IP

Deleting a Tunnel Encryption Peer IP

POST http://<mgmt0_IP>/api/mo/sys/tunnelenc.json

{
  "tunnelencEntity": {
    "children": [
      {
        "tunnelencPeerIp": {
          "attributes": {
            "peerIp": "1.2.3.4",
            "status": "deleted"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <peerip-items>
      <PeerIp-list nc:operation="delete">
        <peerIp>1.2.3.4</peerIp>
      </PeerIp-list>
    </peerip-items>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

no tunnel-encryption peer-ip 1.2.3.4

Verifying a DME Configuration

MO	DN
tunnelencEntity	sys/tunnelenc
tunnelencPeerIp	sys/tunnelenc/peerip-1.2.3.4

tunnelencPeerIp Properties

Property Name	Data Type	Description	Values
peerIp	address:IPv4	Peer-ips aasociated to tunnel-encryption	Value must match ipv4 format
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Key Chain

Configuring a Key Chain

POST http://<mgmt0_IP>/api/mo/sys/tunnelenc.json

{
  "tunnelencEntity": {
    "children": [
      {
        "tunnelencPeerIp": {
          "attributes": {
            "keychainName": "key_name",
            "peerIp": "1.2.3.4",
            "policyName": "system-default-tunenc-policy"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <peerip-items>
      <PeerIp-list>
        <peerIp>1.2.3.4</peerIp>
        <keychainName>key_name</keychainName>
        <policyName>system-default-tunenc-policy</policyName>
      </PeerIp-list>
    </peerip-items>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

tunnel-encryption peer-ip 1.2.3.4
keychain key_name

Verifying a DME Configuration

MO	DN
tunnelencEntity	sys/tunnelenc
tunnelencPeerIp	sys/tunnelenc/peerip-1.2.3.4

tunnelencPeerIp Properties

Property Name	Data Type	Description	Values
keychainName	tunnelenc:KeyChainName (string:Basic)	Name of Keychain assciated to Peer-ip	A sequence of characters
peerIp	address:IPv4	Peer-ips aasociated to tunnel-encryption	Value must match ipv4 format
policyName	string:Basic	Name of Policy assciated to Peer-ip	A sequence of characters

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting a Key Chain

Deleting a Key Chain

POST http://<mgmt0_IP>/api/mo/sys/tunnelenc.json

{
  "tunnelencEntity": {
    "children": [
      {
        "tunnelencPeerIp": {
          "attributes": {
            "keychainName": "",
            "peerIp": "1.2.3.4",
            "policyName": ""
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <peerip-items>
      <PeerIp-list>
        <peerIp>1.2.3.4</peerIp>
        <keychainName></keychainName>
        <policyName></policyName>
      </PeerIp-list>
    </peerip-items>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

tunnel-encryption peer-ip 1.2.3.4
no keychain key_name

Verifying a DME Configuration

MO	DN
tunnelencEntity	sys/tunnelenc
tunnelencPeerIp	sys/tunnelenc/peerip-1.2.3.4

tunnelencPeerIp Properties

Property Name	Data Type	Description	Values
keychainName	tunnelenc:KeyChainName (string:Basic)	Name of Keychain assciated to Peer-ip	A sequence of characters
peerIp	address:IPv4	Peer-ips aasociated to tunnel-encryption	Value must match ipv4 format
policyName	string:Basic	Name of Policy assciated to Peer-ip	A sequence of characters

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring Tunnel Encryption Must-Secure Global Policy

Configuring Tunnel Encryption Must-Secure Global Policy

POST http://<mgmt0_IP>/api/mo/sys.json

{
  "topSystem": {
    "children": [
      {
        "tunnelencEntity": {
          "attributes": {
            "mustSecurePolicy": "yes"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <mustSecurePolicy>true</mustSecurePolicy>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

tunnel-encryption must-secure-policy

Verifying a DME Configuration

MO	DN
topSystem	sys
tunnelencEntity	sys/tunnelenc

tunnelencEntity Properties

The following table contains information about the tunnelencEntity properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
mustSecurePolicy	scalar:Bool	Must secure Policy of tunnel-encryption	SELECTION: true or false

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting Tunnel Encryption Must-Secure Global Policy

Deleting Tunnel Encryption Must-Secure Global Policy

POST http://<mgmt0_IP>/api/mo/sys.json

{
  "topSystem": {
    "children": [
      {
        "tunnelencEntity": {
          "attributes": {
            "mustSecurePolicy": "no"
}}}]}}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <mustSecurePolicy>false</mustSecurePolicy>
  </tunnelenc-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

no tunnel-encryption must-secure-policy

Verifying a DME Configuration

MO	DN
topSystem	sys
tunnelencEntity	sys/tunnelenc

tunnelencEntity Properties

Property Name	Data Type	Description	Values
mustSecurePolicy	scalar:Bool	Must secure Policy of tunnel-encryption	SELECTION: true or false

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring Advertise-PIP Towards DCI

Configuring Advertise-PIP Towards DCI

POST http://<mgmt0_IP>/api/mo/sys/eps.json

{
  "nvoEps": {
    "children": [
      {
        "nvoEvpnMultisiteBordergw": {
          "attributes": {
            "dciAdvertisePip": "enable",
            "siteId": "123",
            "state": "enabled"
}}}]}}

{
    imdata:[]
}

<System>
  <eps-items>
    <multisite-items>
      <dciAdvertisePip>enable</dciAdvertisePip>
      <siteId>123</siteId>
      <state>enabled</state>
    </multisite-items>
  </eps-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

evpn multisite border-gateway 123 dci-advertise-pip

Verifying a DME Configuration

MO	DN
nvoEps	sys/eps
nvoEvpnMultisiteBordergw	sys/eps/multisite

nvoEvpnMultisiteBordergw Properties

The following table contains information about the nvoEvpnMultisiteBordergw properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
dciAdvertisePip	nvo:DciAdvertisePipStateT (scalar:Enum16)	Enables/disables advertise PIP towards DCI in EVPN Multisite Border-gateway setup.	SELECTION: 0 - disable 1 - enable DEFAULT: disable
siteId	scalar:Uint64	Configuration of EVPN Multisite Border Gateway.	Supported values are 1 to 281474976710655. RANGE: [0, 18446744073709551615]
state	nvo:MultisiteStateT (scalar:Enum16)	Configures the state of EVPN Multisite Border-gateway.	SELECTION: 1 - enabled DEFAULT: enabled

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting Advertise-PIP Towards DCI

Deleting Advertise-PIP Towards DCI

POST http://<mgmt0_IP>/api/mo/sys/eps.json

{
  "nvoEps": {
    "children": [
      {
        "nvoEvpnMultisiteBordergw": {
          "attributes": {
            "status": "deleted"
}}}]}}

{
    imdata:[]
}

<System>
  <eps-items>
    <multisite-items nc:operation="delete">
    </multisite-items>
  </eps-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

no evpn multisite border-gateway 123 dci-advertise-pip

Verifying a DME Configuration

MO	DN
nvoEps	sys/eps
nvoEvpnMultisiteBordergw	sys/eps/multisite

nvoEvpnMultisiteBordergw Properties

Property Name	Data Type	Description	Values
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring Encryption on the Port

Configuring Encryption on the Port

POST http://<mgmt0_IP>/api/mo/sys.json

{
  "topSystem": {
    "children": [
      {
        "tunnelencEntity": {
          "children": [
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/2",
                  "tunnelEnable": "yes"
                }
              }
            }
          ]
        }
      },
      {
        "interfaceEntity": {
          "children": [
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/2"
                }
              }
            }
          ]
        }
      }
    ]
  }
}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <if-items>
      <TunencIf-list>
        <id>eth1/2</id>
        <tunnelEnable>true</tunnelEnable>
      </TunencIf-list>
    </if-items>
  </tunnelenc-items>
  <intf-items>
    <phys-items>
      <PhysIf-list>
        <id>eth1/2</id>
      </PhysIf-list>
    </phys-items>
  </intf-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

interface ethernet 1/2
tunnel-encryption

Verifying a DME Configuration

MO	DN
topSystem	sys
tunnelencEntity	sys/tunnelenc
tunnelencTunencIf	sys/tunnelenc/if-[eth1/2]
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-[eth1/2]

tunnelencTunencIf Properties

The following table contains information about the tunnelencTunencIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
tunnelEnable	scalar:Bool	tunnel-encryption on interface	SELECTION: true or false

l1PhysIf Properties

The following table contains information about the l1PhysIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting Encryption on the Port

Deleting Encryption on the Port

POST http://<mgmt0_IP>/api/mo/sys.json

{
  "topSystem": {
    "children": [
      {
        "tunnelencEntity": {
          "children": [
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/2",
                  "status": "deleted"
                }
              }
            }
          ]
        }
      },
      {
        "interfaceEntity": {
          "children": [
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/2"
                }
              }
            }
          ]
        }
      }
    ]
  }
}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <if-items>
      <TunencIf-list nc:operation="delete">
        <id>eth1/2</id>
      </TunencIf-list>
    </if-items>
  </tunnelenc-items>
  <intf-items>
    <phys-items>
      <PhysIf-list>
        <id>eth1/2</id>
      </PhysIf-list>
    </phys-items>
  </intf-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

interface ethernet 1/2
no tunnel-encryption

Verifying a DME Configuration

MO	DN
topSystem	sys
tunnelencEntity	sys/tunnelenc
tunnelencTunencIf	sys/tunnelenc/if-[eth1/2]
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-[eth1/2]

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring Encryption on the Port

Configuring Encryption on the Port

POST http://<mgmt0_IP>/api/mo/sys.json

{
  "topSystem": {
    "children": [
      {
        "tunnelencEntity": {
          "children": [
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "po123",
                  "tunnelEnable": "yes"
                }
              }
            }
          ]
        }
      },
      {
        "interfaceEntity": {
          "children": [
            {
              "pcAggrIf": {
                "attributes": {
                  "id": "po123"
                }
              }
            }
          ]
        }
      }
    ]
  }
}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <if-items>
      <TunencIf-list>
        <id>po123</id>
        <tunnelEnable>true</tunnelEnable>
      </TunencIf-list>
    </if-items>
  </tunnelenc-items>
  <intf-items>
    <aggr-items>
      <AggrIf-list>
        <id>po123</id>
      </AggrIf-list>
    </aggr-items>
  </intf-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

interface port-channel 123
tunnel-encryption

Verifying a DME Configuration

MO	DN
topSystem	sys
tunnelencEntity	sys/tunnelenc
tunnelencTunencIf	sys/tunnelenc/if-[po123]
interfaceEntity	sys/intf
pcAggrIf	sys/intf/aggr-[po123]

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
tunnelEnable	scalar:Bool	tunnel-encryption on interface	SELECTION: true or false

pcAggrIf Properties

The following table contains information about the pcAggrIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting Encryption on the Port

Deleting Encryption on the Port

POST http://<mgmt0_IP>/api/mo/sys.json

{
  "topSystem": {
    "children": [
      {
        "tunnelencEntity": {
          "children": [
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "po123",
                  "status": "deleted"
                }
              }
            }
          ]
        }
      },
      {
        "interfaceEntity": {
          "children": [
            {
              "pcAggrIf": {
                "attributes": {
                  "id": "po123"
                }
              }
            }
          ]
        }
      }
    ]
  }
}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <if-items>
      <TunencIf-list nc:operation="delete">
        <id>po123</id>
      </TunencIf-list>
    </if-items>
  </tunnelenc-items>
  <intf-items>
    <aggr-items>
      <AggrIf-list>
        <id>po123</id>
      </AggrIf-list>
    </aggr-items>
  </intf-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

interface port-channel 123
no tunnel-encryption

Verifying a DME Configuration

MO	DN
topSystem	sys
tunnelencEntity	sys/tunnelenc
tunnelencTunencIf	sys/tunnelenc/if-[po123]
interfaceEntity	sys/intf
pcAggrIf	sys/intf/aggr-[po123]

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

pcAggrIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring Encryption on the Port

Configuring Encryption on the Port

POST http://<mgmt0_IP>/api/mo/sys.json

{
  "topSystem": {
    "children": [
      {
        "tunnelencEntity": {
          "children": [
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/2",
                  "tunnelEnable": "yes"
                }
              }
            },
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/3",
                  "tunnelEnable": "yes"
                }
              }
            },
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/6",
                  "tunnelEnable": "yes"
                }
              }
            },
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/4",
                  "tunnelEnable": "yes"
                }
              }
            },
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/5",
                  "tunnelEnable": "yes"
                }
              }
            }
          ]
        }
      },
      {
        "interfaceEntity": {
          "children": [
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/6"
                }
              }
            },
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/2"
                }
              }
            },
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/3"
                }
              }
            },
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/4"
                }
              }
            },
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/5"
                }
              }
            }
          ]
        }
      }
    ]
  }
}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <if-items>
      <TunencIf-list>
        <id>eth1/2</id>
        <tunnelEnable>true</tunnelEnable>
      </TunencIf-list>
      <TunencIf-list>
        <id>eth1/3</id>
        <tunnelEnable>true</tunnelEnable>
      </TunencIf-list>
      <TunencIf-list>
        <id>eth1/6</id>
        <tunnelEnable>true</tunnelEnable>
      </TunencIf-list>
      <TunencIf-list>
        <id>eth1/4</id>
        <tunnelEnable>true</tunnelEnable>
      </TunencIf-list>
      <TunencIf-list>
        <id>eth1/5</id>
        <tunnelEnable>true</tunnelEnable>
      </TunencIf-list>
    </if-items>
  </tunnelenc-items>
  <intf-items>
    <phys-items>
      <PhysIf-list>
        <id>eth1/6</id>
      </PhysIf-list>
      <PhysIf-list>
        <id>eth1/2</id>
      </PhysIf-list>
      <PhysIf-list>
        <id>eth1/3</id>
      </PhysIf-list>
      <PhysIf-list>
        <id>eth1/4</id>
      </PhysIf-list>
      <PhysIf-list>
        <id>eth1/5</id>
      </PhysIf-list>
    </phys-items>
  </intf-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

interface ethernet 1/2-6
tunnel-encryption

Verifying a DME Configuration

MO	DN
topSystem	sys
tunnelencEntity	sys/tunnelenc
tunnelencTunencIf	sys/tunnelenc/if-[eth1/2]
tunnelencTunencIf	sys/tunnelenc/if-[eth1/3]
tunnelencTunencIf	sys/tunnelenc/if-[eth1/6]
tunnelencTunencIf	sys/tunnelenc/if-[eth1/4]
tunnelencTunencIf	sys/tunnelenc/if-[eth1/5]
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-[eth1/6]
l1PhysIf	sys/intf/phys-[eth1/2]
l1PhysIf	sys/intf/phys-[eth1/3]
l1PhysIf	sys/intf/phys-[eth1/4]
l1PhysIf	sys/intf/phys-[eth1/5]

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
tunnelEnable	scalar:Bool	tunnel-encryption on interface	SELECTION: true or false

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
tunnelEnable	scalar:Bool	tunnel-encryption on interface	SELECTION: true or false

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
tunnelEnable	scalar:Bool	tunnel-encryption on interface	SELECTION: true or false

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
tunnelEnable	scalar:Bool	tunnel-encryption on interface	SELECTION: true or false

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
tunnelEnable	scalar:Bool	tunnel-encryption on interface	SELECTION: true or false

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting Encryption on the Port

Deleting Encryption on the Port

POST http://<mgmt0_IP>/api/mo/sys.json

{
  "topSystem": {
    "children": [
      {
        "tunnelencEntity": {
          "children": [
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/2",
                  "status": "deleted"
                }
              }
            },
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/3",
                  "status": "deleted"
                }
              }
            },
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/6",
                  "status": "deleted"
                }
              }
            },
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/4",
                  "status": "deleted"
                }
              }
            },
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/5",
                  "status": "deleted"
                }
              }
            }
          ]
        }
      },
      {
        "interfaceEntity": {
          "children": [
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/6"
                }
              }
            },
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/2"
                }
              }
            },
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/3"
                }
              }
            },
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/4"
                }
              }
            },
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/5"
                }
              }
            }
          ]
        }
      }
    ]
  }
}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <if-items>
      <TunencIf-list nc:operation="delete">
        <id>eth1/2</id>
      </TunencIf-list>
      <TunencIf-list nc:operation="delete">
        <id>eth1/3</id>
      </TunencIf-list>
      <TunencIf-list nc:operation="delete">
        <id>eth1/6</id>
      </TunencIf-list>
      <TunencIf-list nc:operation="delete">
        <id>eth1/4</id>
      </TunencIf-list>
      <TunencIf-list nc:operation="delete">
        <id>eth1/5</id>
      </TunencIf-list>
    </if-items>
  </tunnelenc-items>
  <intf-items>
    <phys-items>
      <PhysIf-list>
        <id>eth1/6</id>
      </PhysIf-list>
      <PhysIf-list>
        <id>eth1/2</id>
      </PhysIf-list>
      <PhysIf-list>
        <id>eth1/3</id>
      </PhysIf-list>
      <PhysIf-list>
        <id>eth1/4</id>
      </PhysIf-list>
      <PhysIf-list>
        <id>eth1/5</id>
      </PhysIf-list>
    </phys-items>
  </intf-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

interface ethernet 1/2-6
no tunnel-encryption

Verifying a DME Configuration

MO	DN
topSystem	sys
tunnelencEntity	sys/tunnelenc
tunnelencTunencIf	sys/tunnelenc/if-[eth1/2]
tunnelencTunencIf	sys/tunnelenc/if-[eth1/3]
tunnelencTunencIf	sys/tunnelenc/if-[eth1/6]
tunnelencTunencIf	sys/tunnelenc/if-[eth1/4]
tunnelencTunencIf	sys/tunnelenc/if-[eth1/5]
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-[eth1/6]
l1PhysIf	sys/intf/phys-[eth1/2]
l1PhysIf	sys/intf/phys-[eth1/3]
l1PhysIf	sys/intf/phys-[eth1/4]
l1PhysIf	sys/intf/phys-[eth1/5]

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring Encryption on the Port

Configuring Encryption on the Port

POST http://<mgmt0_IP>/api/mo/sys.json

{
  "topSystem": {
    "children": [
      {
        "tunnelencEntity": {
          "children": [
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/2",
                  "tunnelEnable": "yes"
                }
              }
            }
          ]
        }
      },
      {
        "interfaceEntity": {
          "children": [
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/2",
                  "layer": "Layer3",
                  "userCfgdFlags": "admin_layer,admin_state"
                }
              }
            }
          ]
        }
      }
    ]
  }
}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <if-items>
      <TunencIf-list>
        <id>eth1/2</id>
        <tunnelEnable>true</tunnelEnable>
      </TunencIf-list>
    </if-items>
  </tunnelenc-items>
  <intf-items>
    <phys-items>
      <PhysIf-list>
        <id>eth1/2</id>
        <layer>Layer3</layer>
        <userCfgdFlags>admin_layer,admin_state</userCfgdFlags>
      </PhysIf-list>
    </phys-items>
  </intf-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

interface ethernet 1/2
no switchport
tunnel-encryption

Verifying a DME Configuration

MO	DN
topSystem	sys
tunnelencEntity	sys/tunnelenc
tunnelencTunencIf	sys/tunnelenc/if-[eth1/2]
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-[eth1/2]

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
tunnelEnable	scalar:Bool	tunnel-encryption on interface	SELECTION: true or false

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
layer	l1:Layer (scalar:Enum8)	Administrative port layer	SELECTION: 1 - Layer2 2 - Layer3 DEFAULT: Layer2
userCfgdFlags	l1:userCfgdFlags (scalar:Bitmask8)	Port User Config Flags	SELECTION: 0 - none 1 - admin_state 2 - admin_layer 4 - admin_router_mac 8 - admin_dce_mode 16 - admin_mtu DEFAULT: none

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting Encryption on the Port

Deleting Encryption on the Port

POST http://<mgmt0_IP>/api/mo/sys.json

{
  "topSystem": {
    "children": [
      {
        "tunnelencEntity": {
          "children": [
            {
              "tunnelencTunencIf": {
                "attributes": {
                  "id": "eth1/2",
                  "status": "deleted"
                }
              }
            }
          ]
        }
      },
      {
        "interfaceEntity": {
          "children": [
            {
              "l1PhysIf": {
                "attributes": {
                  "id": "eth1/2",
                  "layer": "Layer3",
                  "userCfgdFlags": "admin_layer,admin_state"
                }
              }
            }
          ]
        }
      }
    ]
  }
}

{
    imdata:[]
}

<System>
  <tunnelenc-items>
    <if-items>
      <TunencIf-list nc:operation="delete">
        <id>eth1/2</id>
      </TunencIf-list>
    </if-items>
  </tunnelenc-items>
  <intf-items>
    <phys-items>
      <PhysIf-list>
        <id>eth1/2</id>
        <layer>Layer3</layer>
        <userCfgdFlags>admin_layer,admin_state</userCfgdFlags>
      </PhysIf-list>
    </phys-items>
  </intf-items>
</System>

Note: This example was added in Release 9.3(5).

CLI Commands

interface ethernet 1/2
no switchport
no tunnel-encryption

Verifying a DME Configuration

MO	DN
topSystem	sys
tunnelencEntity	sys/tunnelenc
tunnelencTunencIf	sys/tunnelenc/if-[eth1/2]
interfaceEntity	sys/intf
l1PhysIf	sys/intf/phys-[eth1/2]

tunnelencTunencIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
status	mo:ModificationStatus (scalar:Bitmask32)	The upgrade status. This property is for internal use only.	SELECTION: 2 - created 4 - modified 8 - deleted 16 - replaced

l1PhysIf Properties

Property Name	Data Type	Description	Values
id	nw:IfId (base:IfIndex)	An identifier .	Must match first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100
layer	l1:Layer (scalar:Enum8)	Administrative port layer	SELECTION: 1 - Layer2 2 - Layer3 DEFAULT: Layer2
userCfgdFlags	l1:userCfgdFlags (scalar:Bitmask8)	Port User Config Flags	SELECTION: 0 - none 1 - admin_state 2 - admin_layer 4 - admin_router_mac 8 - admin_dce_mode 16 - admin_mtu DEFAULT: none

Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html