ACE Configuration Examples
This section uses examples to demonstrate many of the ACL configuration options and to show how the REST APIs correspond to the CLI commands.
Adding ACE to an Existing IPv4 ACL (deny)
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "acl_tcp"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "deny",
"dstPrefix": "13.235.46.97",
"dstPrefixLength": "9",
"protocol": "udp",
"seqNum": "2",
"srcPrefix": "12.234.56.97",
"srcPrefixLength": "13",
"userSetBit": "1"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>acl_tcp</name>
<seq-items>
<ACE-list>
<seqNum>2</seqNum>
<action>deny</action>
<dstPrefix>13.235.46.97</dstPrefix>
<dstPrefixLength>9</dstPrefixLength>
<protocol>udp</protocol>
<srcPrefix>12.234.56.97</srcPrefix>
<srcPrefixLength>13</srcPrefixLength>
<userSetBit>1</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Adds ACE to an existing IPv4 ACL (configured to reject packets).
CLI Commands
The CLI commands and options listed below are equivalent to the payload examples shown above: the DME (JSON) payload followed by the YANG (XML) payload.
ip access-list acl_tcp
2 deny udp 12.234.56.97/13 13.235.46.97/9
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
ipv4aclAF | sys/acl/ipv4 |
ipv4aclACL | sys/acl/ipv4/name-{name} |
ipv4aclACE | sys/acl/ipv4/name-{name}/seq-{seqNum} |
ipv4aclACL Properties
The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | acl:Name (string:Basic) | Name of Access lists | MAX SIZE: 63 |
ipv4aclACE Properties
The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
action | acl:ActionType (scalar:Enum8) | Specify packets to forward or reject | SELECTION: 0 - invalid 1 - permit 2 - deny DEFAULT: invalid |
dstPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Destination IPv4 prefix | Value must match ipv4 format |
dstPrefixLength | ipv4acl:IPv4PrefixLen (scalar:UByte) | Destination IPv4 prefix length | RANGE: [0 , 32] DEFAULT: 0 |
protocol | ipv4acl:Protocol (scalar:UByte) | Protocol for access-list entry | SELECTION: 0 - ip 1 - icmp 2 - igmp 6 - tcp 17 - udp 47 - gre 50 - esp 51 - ahp 88 - eigrp 89 - ospf 94 - nos 103 - pim 108 - pcp DEFAULT: 255 |
seqNum | acl:SequenceNumber (scalar:Uint32) | Sequence number | RANGE: [0 , 4294967295] |
srcPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Source IPv4 prefix | Value must match ipv4 format |
srcPrefixLength | ipv4acl:IPv4PrefixLen (scalar:UByte) | Source IPv4 prefix length | RANGE: [0 , 32] DEFAULT: 0 |
userSetBit | scalar:Uint64 | user set Bit | SELECTION: |
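The ranges and selections in the property tables above can be checked before a payload is posted. The following Python sketch is an added example, not Cisco code: it validates an ipv4aclACE attribute set against those tables, reports the network that each prefix/length pair covers, and builds the request paths for the verification GET. The function names and the `/api/mo/<DN>.json` GET path (modelled on the POST URL above) are assumptions.

```python
import ipaddress

# Selections and ranges copied from the ipv4aclACL / ipv4aclACE property tables.
ACTIONS = {"permit", "deny"}  # "invalid" is only the unset default
PROTOCOLS = {"ip", "icmp", "igmp", "tcp", "udp", "gre", "esp", "ahp",
             "eigrp", "ospf", "nos", "pim", "pcp"}
MAX_NAME_LEN = 63
MAX_SEQ_NUM = 4294967295
MAX_PREFIX_LEN = 32


def _in_range(text, upper):
    """True if text is a decimal string in [0, upper]."""
    return str(text).isdecimal() and int(text) <= upper


def check_ace(acl_name, attrs):
    """Validate one ACE attribute dict; return (errors, warnings)."""
    errors, warnings = [], []
    if len(acl_name) > MAX_NAME_LEN:
        errors.append("name: longer than 63 characters")
    if attrs.get("action") not in ACTIONS:
        errors.append("action: must be permit or deny")
    if attrs.get("protocol") not in PROTOCOLS:
        errors.append("protocol: not in the ipv4acl:Protocol selection")
    if not _in_range(attrs.get("seqNum", ""), MAX_SEQ_NUM):
        errors.append("seqNum: must be in [0, 4294967295]")
    for side in ("src", "dst"):
        prefix = attrs.get(side + "Prefix", "")
        length = attrs.get(side + "PrefixLength", "0")  # table default is 0
        try:
            addr = ipaddress.IPv4Address(prefix)
        except ValueError:
            errors.append(f"{side}Prefix: not an IPv4 address")
            continue
        if not _in_range(length, MAX_PREFIX_LEN):
            errors.append(f"{side}PrefixLength: must be in [0, 32]")
            continue
        # strict=False masks the host bits, giving the range the length denotes.
        net = ipaddress.ip_network(f"{addr}/{length}", strict=False)
        if net.network_address != addr:
            warnings.append(f"{side}: {addr}/{length} covers {net} "
                            f"({net.num_addresses} addresses)")
    return errors, warnings


def verification_paths(acl_name, seq_num):
    """GET paths for the three DNs in the table above (path form is assumed)."""
    base = "sys/acl/ipv4"
    dns = [base,
           f"{base}/name-{acl_name}",
           f"{base}/name-{acl_name}/seq-{seq_num}"]
    return [f"/api/mo/{dn}.json" for dn in dns]


# Attributes taken from the "deny" JSON payload above.
DENY_ACE = {
    "action": "deny",
    "dstPrefix": "13.235.46.97",
    "dstPrefixLength": "9",
    "protocol": "udp",
    "seqNum": "2",
    "srcPrefix": "12.234.56.97",
    "srcPrefixLength": "13",
    "userSetBit": "1",
}

if __name__ == "__main__":
    errs, warns = check_ace("acl_tcp", DENY_ACE)
    for line in errs + warns:
        print(line)
    for path in verification_paths("acl_tcp", DENY_ACE["seqNum"]):
        print("GET", path)
```

Run on the permit example later on this page, the same check reports that 5.5.5.5/4 covers 0.0.0.0/4.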
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Adding ACE to an Existing IPv6 ACL
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv6.json
{
"ipv6aclAF": {
"children": [
{
"ipv6aclACL": {
"attributes": {
"name": "L1"
},
"children": [
{
"ipv6aclACE": {
"attributes": {
"action": "deny",
"dstPrefix": "3::4",
"dstPrefixLength": "96",
"protocol": "tcp",
"seqNum": "32",
"srcPrefix": "1::2",
"srcPrefixLength": "127",
"userSetBit": "1"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv6-items>
<name-items>
<ACL-list>
<name>foo</name>
<seq-items>
<ACE-list>
<seqNum>32</seqNum>
<action>deny</action>
<dstPrefix>3::4</dstPrefix>
<dstPrefixLength>96</dstPrefixLength>
<protocol>tcp</protocol>
<srcPrefix>1::2</srcPrefix>
<srcPrefixLength>127</srcPrefixLength>
<userSetBit>1</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv6-items>
</acl-items>
</System>
Adds ACE to an existing IPv6 ACL (configured to reject packets).
CLI Commands
The CLI commands and options listed below are equivalent to the payload examples shown above: the DME (JSON) payload followed by the YANG (XML) payload.
ipv6 access-list L1
32 deny tcp 1::2/127 3::4/96
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
ipv6aclAF | sys/acl/ipv6 |
ipv6aclACL | sys/acl/ipv6/name-{name} |
ipv6aclACE | sys/acl/ipv6/name-{name}/seq-{seqNum} |
ipv6aclACL Properties
The following table contains information about the ipv6aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | acl:Name (string:Basic) | Name of Access lists | MAX SIZE: 63 |
ipv6aclACE Properties
The following table contains information about the ipv6aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
action | acl:ActionType (scalar:Enum8) | Specify packets to forward or reject | SELECTION: 0 - invalid 1 - permit 2 - deny DEFAULT: invalid |
dstPrefix | ipv6acl:IPv6Prefix (address:IPv6) | Destination IPv6 prefix | Value must match ipv6 format |
dstPrefixLength | ipv6acl:IPv6PrefixLen (scalar:UByte) | Destination IPv6 prefix length | RANGE: [0 , 128] DEFAULT: 0 |
protocol | ipv6acl:Protocol (scalar:UByte) | Protocol for access-list entry | SELECTION: 0 - ipv6 6 - tcp 17 - udp 47 - gre 50 - esp 51 - ahp 58 - icmp 88 - eigrp 89 - ospf 94 - nos 103 - pim 108 - pcp 132 - sctp DEFAULT: 255 |
seqNum | acl:SequenceNumber (scalar:Uint32) | Sequence number | RANGE: [0 , 4294967295] |
srcPrefix | ipv6acl:IPv6Prefix (address:IPv6) | Source IPv6 prefix | Value must match ipv6 format |
srcPrefixLength | ipv6acl:IPv6PrefixLen (scalar:UByte) | Source IPv6 prefix length | RANGE: [0 , 128] DEFAULT: 0 |
userSetBit | scalar:Uint64 | user set Bit | SELECTION: |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Adding ACE to an Existing IPv4 ACL (permit)
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "ipv4_test_ace"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "6.6.6.6",
"dstPrefixLength": "4",
"protocol": "udp",
"seqNum": "2",
"srcPrefix": "5.5.5.5",
"srcPrefixLength": "4",
"vni": "15"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>ipv4_test_ace</name>
<seq-items>
<ACE-list>
<seqNum>30</seqNum>
<action>permit</action>
<dstPrefix>0.0.0.0</dstPrefix>
<protocol>udp</protocol>
<srcPrefix>0.0.0.0</srcPrefix>
<userSetBit>1572865</userSetBit>
<vni>10</vni>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Adds ACE to an existing IPv4 ACL (configured to forward packets).
CLI Commands
The CLI commands and options listed below are equivalent to the payload examples shown above: the DME (JSON) payload followed by the YANG (XML) payload.
ip access-list ipv4_test_ace
2 permit udp 5.5.5.5/4 6.6.6.6/4
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
ipv4aclAF | sys/acl/ipv4 |
ipv4aclACL | sys/acl/ipv4/name-{name} |
ipv4aclACE | sys/acl/ipv4/name-{name}/seq-{seqNum} |
ipv4aclACL Properties
The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | acl:Name (string:Basic) | Name of Access lists | MAX SIZE: 63 |
ipv4aclACE Properties
The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
action | acl:ActionType (scalar:Enum8) | Specify packets to forward or reject | SELECTION: 0 - invalid 1 - permit 2 - deny DEFAULT: invalid |
dstPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Destination IPv4 prefix | Value must match ipv4 format |
dstPrefixLength | ipv4acl:IPv4PrefixLen (scalar:UByte) | Destination IPv4 prefix length | RANGE: [0 , 32] DEFAULT: 0 |
protocol | ipv4acl:Protocol (scalar:UByte) | Protocol for access-list entry | SELECTION: 0 - ip 1 - icmp 2 - igmp 6 - tcp 17 - udp 47 - gre 50 - esp 51 - ahp 88 - eigrp 89 - ospf 94 - nos 103 - pim 108 - pcp DEFAULT: 255 |
seqNum | acl:SequenceNumber (scalar:Uint32) | Sequence number | RANGE: [0 , 4294967295] |
srcPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Source IPv4 prefix | Value must match ipv4 format |
srcPrefixLength | ipv4acl:IPv4PrefixLen (scalar:UByte) | Source IPv4 prefix length | RANGE: [0 , 32] DEFAULT: 0 |
vni | acl:VniType (scalar:Uint32) | nve vni ID | RANGE: [0 , 16777216] DEFAULT: invalid |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring ACE with a Log that Matches Against an Entry
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "L1"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "2.2.2.2",
"dstPrefixLength": "3",
"logging": "yes",
"protocol": "tcp",
"seqNum": "20",
"srcPrefix": "1.1.1.1",
"srcPrefixLength": "2",
"userSetBit": "1"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>ipv4_test_ace</name>
<seq-items>
<ACE-list>
<seqNum>20</seqNum>
<action>permit</action>
<dstPrefix>0.0.0.0</dstPrefix>
<logging>true</logging>
<protocol>tcp</protocol>
<srcPrefix>0.0.0.0</srcPrefix>
<userSetBit>1572865</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Configures ACE with a log that matches against an entry.
CLI Commands
The CLI commands and options listed below are equivalent to the payload examples shown above: the DME (JSON) payload followed by the YANG (XML) payload.
ip access-list L1
20 permit tcp 1.1.1.1/2 2.2.2.2/3 log
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
ipv4aclAF | sys/acl/ipv4 |
ipv4aclACL | sys/acl/ipv4/name-{name} |
ipv4aclACE | sys/acl/ipv4/name-{name}/seq-{seqNum} |
ipv4aclACL Properties
The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | acl:Name (string:Basic) | Name of Access lists | MAX SIZE: 63 |
ipv4aclACE Properties
The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
action | acl:ActionType (scalar:Enum8) | Specify packets to forward or reject | SELECTION: 0 - invalid 1 - permit 2 - deny DEFAULT: invalid |
dstPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Destination IPv4 prefix | Value must match ipv4 format |
dstPrefixLength | ipv4acl:IPv4PrefixLen (scalar:UByte) | Destination IPv4 prefix length | RANGE: [0 , 32] DEFAULT: 0 |
logging | scalar:Bool | Log matches against ACL entry | SELECTION: true or false DEFAULT: false |
protocol | ipv4acl:Protocol (scalar:UByte) | Protocol for access-list entry | SELECTION: 0 - ip 1 - icmp 2 - igmp 6 - tcp 17 - udp 47 - gre 50 - esp 51 - ahp 88 - eigrp 89 - ospf 94 - nos 103 - pim 108 - pcp DEFAULT: 255 |
seqNum | acl:SequenceNumber (scalar:Uint32) | Sequence number | RANGE: [0 , 4294967295] |
srcPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Source IPv4 prefix | Value must match ipv4 format |
srcPrefixLength | ipv4acl:IPv4PrefixLen (scalar:UByte) | Source IPv4 prefix length | RANGE: [0 , 32] DEFAULT: 0 |
userSetBit | scalar:Uint64 | user set Bit | SELECTION: |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring ACE to Check Non-Initial Fragments
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "L1"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "2.2.2.2",
"dstPrefixLength": "3",
"fragment": "yes",
"protocol": "tcp",
"seqNum": "20",
"srcPrefix": "1.1.1.1",
"srcPrefixLength": "2",
"userSetBit": "1"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv6-items>
<name-items>
<ACL-list>
<name>ipv6_test_ace</name>
<seq-items>
<ACE-list>
<seqNum>20</seqNum>
<action>permit</action>
<dstPrefix>0::0</dstPrefix>
<fragment>true</fragment>
<protocol>ipv6</protocol>
<srcPrefix>0::0</srcPrefix>
<userSetBit>1572865</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv6-items>
</acl-items>
</System>
Configures ACE to check non-initial fragments.
CLI Commands
The CLI commands and options listed below are equivalent to the payload examples shown above: the DME (JSON) payload followed by the YANG (XML) payload.
ip access-list L1
20 permit tcp 1.1.1.1/2 2.2.2.2/3 fragments
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
ipv4aclAF | sys/acl/ipv4 |
ipv4aclACL | sys/acl/ipv4/name-{name} |
ipv4aclACE | sys/acl/ipv4/name-{name}/seq-{seqNum} |
ipv4aclACL Properties
The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | acl:Name (string:Basic) | Name of Access lists | MAX SIZE: 63 |
ipv4aclACE Properties
The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
action | acl:ActionType (scalar:Enum8) | Specify packets to forward or reject | SELECTION: 0 - invalid 1 - permit 2 - deny DEFAULT: invalid |
dstPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Destination IPv4 prefix | Value must match ipv4 format |
dstPrefixLength | ipv4acl:IPv4PrefixLen (scalar:UByte) | Destination IPv4 prefix length | RANGE: [0 , 32] DEFAULT: 0 |
fragment | scalar:Bool | Non-initial fragment | SELECTION: true or false |
protocol | ipv4acl:Protocol (scalar:UByte) | Protocol for access-list entry | SELECTION: 0 - ip 1 - icmp 2 - igmp 6 - tcp 17 - udp 47 - gre 50 - esp 51 - ahp 88 - eigrp 89 - ospf 94 - nos 103 - pim 108 - pcp DEFAULT: 255 |
seqNum | acl:SequenceNumber (scalar:Uint32) | Sequence number | RANGE: [0 , 4294967295] |
srcPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Source IPv4 prefix | Value must match ipv4 format |
srcPrefixLength | ipv4acl:IPv4PrefixLen (scalar:UByte) | Source IPv4 prefix length | RANGE: [0 , 32] DEFAULT: 0 |
userSetBit | scalar:Uint64 | user set Bit | SELECTION: |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring ACE to Match Packets Based on the HTTP Method
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "L1"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "0.0.0.0",
"httpOption": "head",
"protocol": "tcp",
"seqNum": "20",
"srcPrefix": "0.0.0.0",
"userSetBit": "1572865"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>ipv4_test_ace</name>
<seq-items>
<ACE-list>
<seqNum>20</seqNum>
<action>permit</action>
<dstPrefix>0.0.0.0</dstPrefix>
<httpOption>head</httpOption>
<protocol>tcp</protocol>
<srcPrefix>0.0.0.0</srcPrefix>
<userSetBit>1572865</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Configures ACE to match packets based on the HTTP method.
CLI Commands
The CLI commands and options listed below are equivalent to the payload examples shown above: the DME (JSON) payload followed by the YANG (XML) payload.
ip access-list L1
20 permit tcp any any http-method head
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
ipv4aclAF | sys/acl/ipv4 |
ipv4aclACL | sys/acl/ipv4/name-{name} |
ipv4aclACE | sys/acl/ipv4/name-{name}/seq-{seqNum} |
ipv4aclACL Properties
The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | acl:Name (string:Basic) | Name of Access lists | MAX SIZE: 63 |
ipv4aclACE Properties
The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
action | acl:ActionType (scalar:Enum8) | Specify packets to forward or reject | SELECTION: 0 - invalid 1 - permit 2 - deny DEFAULT: invalid |
dstPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Destination IPv4 prefix | Value must match ipv4 format |
httpOption | acl:HttpOptionType (scalar:Enum8) | http option http-method | SELECTION: 0 - invalid 1 - get 2 - put 3 - head 4 - post 5 - delete 6 - trace 7 - connect DEFAULT: invalid |
protocol | ipv4acl:Protocol (scalar:UByte) | Protocol for access-list entry | SELECTION: 0 - ip 1 - icmp 2 - igmp 6 - tcp 17 - udp 47 - gre 50 - esp 51 - ahp 88 - eigrp 89 - ospf 94 - nos 103 - pim 108 - pcp DEFAULT: 255 |
seqNum | acl:SequenceNumber (scalar:Uint32) | Sequence number | RANGE: [0 , 4294967295] |
srcPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Source IPv4 prefix | Value must match ipv4 format |
userSetBit | scalar:Uint64 | user set Bit | SELECTION: |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring ACE to Make VLAN-Based Matches
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "L1"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "0.0.0.0",
"protocol": "ip",
"seqNum": "40",
"srcPrefix": "0.0.0.0",
"userSetBit": "1572865",
"vlan": "5"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>ipv4_test_ace</name>
<seq-items>
<ACE-list>
<seqNum>40</seqNum>
<action>permit</action>
<dstPrefix>0.0.0.0</dstPrefix>
<protocol>ip</protocol>
<srcPrefix>0.0.0.0</srcPrefix>
<userSetBit>1572865</userSetBit>
<vlan>5</vlan>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Configures ACE to make VLAN-based matches.
CLI Commands
The CLI commands and options listed below are equivalent to the payload examples shown above: the DME (JSON) payload followed by the YANG (XML) payload.
ip access-list L1
40 permit ip any any vlan 5
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
ipv4aclAF | sys/acl/ipv4 |
ipv4aclACL | sys/acl/ipv4/name-{name} |
ipv4aclACE | sys/acl/ipv4/name-{name}/seq-{seqNum} |
ipv4aclACL Properties
The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | acl:Name (string:Basic) | Name of Access lists | MAX SIZE: 63 |
ipv4aclACE Properties
The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
action | acl:ActionType (scalar:Enum8) | Specify packets to forward or reject | SELECTION: 0 - invalid 1 - permit 2 - deny DEFAULT: invalid |
dstPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Destination IPv4 prefix | Value must match ipv4 format |
protocol | ipv4acl:Protocol (scalar:UByte) | Protocol for access-list entry | SELECTION: 0 - ip 1 - icmp 2 - igmp 6 - tcp 17 - udp 47 - gre 50 - esp 51 - ahp 88 - eigrp 89 - ospf 94 - nos 103 - pim 108 - pcp DEFAULT: 255 |
seqNum | acl:SequenceNumber (scalar:Uint32) | Sequence number | RANGE: [0 , 4294967295] |
srcPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Source IPv4 prefix | Value must match ipv4 format |
userSetBit | scalar:Uint64 | user set Bit | SELECTION: |
vlan | acl:VlanType (scalar:Uint32) | vlan | RANGE: [0 , 4095] DEFAULT: 4095 |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring ACE to Specify the TCP Options Size
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "ipv4_test_ace"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "0.0.0.0",
"protocol": "tcp",
"seqNum": "20",
"srcPrefix": "0.0.0.0",
"tcpOptionLength": "36",
"userSetBit": "1572865"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>ipv4_test_ace</name>
<seq-items>
<ACE-list>
<seqNum>20</seqNum>
<action>permit</action>
<dstPrefix>0.0.0.0</dstPrefix>
<protocol>tcp</protocol>
<srcPrefix>0.0.0.0</srcPrefix>
<tcpOptionLength>36</tcpOptionLength>
<userSetBit>1572865</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Configures ACE to specify the TCP options size.
CLI Commands
The CLI commands and options listed below are equivalent to the payload examples shown above: the DME (JSON) payload followed by the YANG (XML) payload.
ip access-list ipv4_test_ace
20 permit tcp any any tcp-option-length 36
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
ipv4aclAF | sys/acl/ipv4 |
ipv4aclACL | sys/acl/ipv4/name-{name} |
ipv4aclACE | sys/acl/ipv4/name-{name}/seq-{seqNum} |
ipv4aclACL Properties
The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | acl:Name (string:Basic) | Name of Access lists | MAX SIZE: 63 |
ipv4aclACE Properties
The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
action | acl:ActionType (scalar:Enum8) | Specify packets to forward or reject | SELECTION: 0 - invalid 1 - permit 2 - deny DEFAULT: invalid |
dstPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Destination IPv4 prefix | Value must match ipv4 format |
protocol | ipv4acl:Protocol (scalar:UByte) | Protocol for access-list entry | SELECTION: 0 - ip 1 - icmp 2 - igmp 6 - tcp 17 - udp 47 - gre 50 - esp 51 - ahp 88 - eigrp 89 - ospf 94 - nos 103 - pim 108 - pcp DEFAULT: 255 |
seqNum | acl:SequenceNumber (scalar:Uint32) | Sequence number | RANGE: [0 , 4294967295] |
srcPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Source IPv4 prefix | Value must match ipv4 format |
tcpOptionLength | acl:TcpOptionLengthType (scalar:Uint32) | TCP options length | RANGE: [0 , 41] DEFAULT: invalid |
userSetBit | scalar:Uint64 | user set Bit | SELECTION: |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring ACE with a User-Defined Field Match
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "ipv4_test_ace"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "2.2.2.2",
"dstPrefixLength": "2",
"protocol": "ip",
"seqNum": "10",
"srcPrefix": "1.1.1.1",
"srcPrefixLength": "2",
"userSetBit": "1"
},
"children": [
{
"ipv4aclUDF": {
"attributes": {
"udf1Mask": "2",
"udf1Name": "name1",
"udf1Val": "1",
"udf2Mask": "238",
"udf2Name": "name2",
"udf2Val": "255"
}}}]}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>test2</name>
<seq-items>
<ACE-list>
<seqNum>10</seqNum>
<action>permit</action>
<dstPrefix>2.2.2.2</dstPrefix>
<dstPrefixLength>2</dstPrefixLength>
<protocol>ip</protocol>
<srcPrefix>1.1.1.1</srcPrefix>
<srcPrefixLength>2</srcPrefixLength>
<userSetBit>1</userSetBit>
<udf-items>
<udf1Mask>2</udf1Mask>
<udf1Name>name1</udf1Name>
<udf1Val>1</udf1Val>
<udf2Mask>238</udf2Mask>
<udf2Name>name2</udf2Name>
<udf2Val>255</udf2Val>
</udf-items>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Configures ACE with a user-defined field match.
CLI Commands
The CLI commands and options listed below are equivalent to the payload examples shown above: the DME (JSON) payload followed by the YANG (XML) payload.
ip access-list ipv4_test_ace
10 permit ip 1.1.1.1/2 2.2.2.2/2 udf name1 0x1 0x2 udf name2 0xff 0xee
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
ipv4aclAF | sys/acl/ipv4 |
ipv4aclACL | sys/acl/ipv4/name-{name} |
ipv4aclACE | sys/acl/ipv4/name-{name}/seq-{seqNum} |
ipv4aclUDF | sys/acl/ipv4/name-{name}/seq-{seqNum}/udf |
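The verification step described above, as an added example that is not part of the Cisco documentation: it derives each MO's DN from a posted payload using the table's templates and compares the posted attributes with a GET reply. The function names, the GET URL form (assumed to mirror the POST URL, /api/mo/<DN>.json), the reply shape (an imdata list of class objects) and the sample reply are assumptions or constructed data.

```python
# DN templates copied from the "Verifying a DME Configuration" table.
DN_TEMPLATES = {
    "ipv4aclAF": "sys/acl/ipv4",
    "ipv4aclACL": "sys/acl/ipv4/name-{name}",
    "ipv4aclACE": "sys/acl/ipv4/name-{name}/seq-{seqNum}",
    "ipv4aclUDF": "sys/acl/ipv4/name-{name}/seq-{seqNum}/udf",
}

def expected_objects(payload, keys=None):
    """Walk a DME payload and return {dn: (class, posted attributes)}."""
    found = {}
    for cls, body in payload.items():
        attrs = body.get("attributes", {})
        scope = dict(keys or {})  # naming attributes inherited from parent MOs
        scope.update({k: attrs[k] for k in ("name", "seqNum") if k in attrs})
        if cls in DN_TEMPLATES:
            found[DN_TEMPLATES[cls].format(**scope)] = (cls, attrs)
        for child in body.get("children", []):
            found.update(expected_objects(child, scope))
    return found

def verify_url(host, dn):
    """GET URL for one DN (assumed form, mirroring the page's POST URL)."""
    return f"http://{host}/api/mo/{dn}.json"

def drift(posted, response):
    """Compare one posted MO with its GET reply; return the mismatches."""
    cls, attrs = posted
    got = next((mo[cls].get("attributes", {})
                for mo in response.get("imdata", []) if cls in mo), None)
    if got is None:
        return [f"{cls}: not present on the device"]
    return [f"{key}: posted {value!r}, device has {got.get(key)!r}"
            for key, value in attrs.items() if got.get(key) != value]

# Constructed sample: a posted ACE and a GET reply whose action differs.
SAMPLE_ACE = ("ipv4aclACE", {"action": "permit", "protocol": "ip", "seqNum": "10"})
SAMPLE_REPLY = {"imdata": [{"ipv4aclACE": {"attributes": {
    "action": "deny", "protocol": "ip", "seqNum": "10"}}}]}
```

Comparison is by string equality, so a device that returns a value in a different form than it was posted would be reported as a mismatch.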
ipv4aclACL Properties
The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | acl:Name (string:Basic) | Name of Access lists | MAX SIZE: 63 |
ipv4aclACE Properties
The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
action | acl:ActionType (scalar:Enum8) | Specify packets to forward or reject | SELECTION: 0 - invalid 1 - permit 2 - deny DEFAULT: invalid |
dstPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Destination IPv4 prefix | Value must match ipv4 format |
dstPrefixLength | ipv4acl:IPv4PrefixLen (scalar:UByte) | Destination IPv4 prefix length | RANGE: [0 , 32] DEFAULT: 0 |
protocol | ipv4acl:Protocol (scalar:UByte) | Protocol for access-list entry | SELECTION: 0 - ip 1 - icmp 2 - igmp 6 - tcp 17 - udp 47 - gre 50 - esp 51 - ahp 88 - eigrp 89 - ospf 94 - nos 103 - pim 108 - pcp DEFAULT: 255 |
seqNum | acl:SequenceNumber (scalar:Uint32) | Sequence number | RANGE: [0 , 4294967295] |
srcPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Source IPv4 prefix | Value must match ipv4 format |
srcPrefixLength | ipv4acl:IPv4PrefixLen (scalar:UByte) | Source IPv4 prefix length | RANGE: [0 , 32] DEFAULT: 0 |
userSetBit | scalar:Uint64 | user set Bit | SELECTION: |
ipv4aclUDF Properties
The following table contains information about the ipv4aclUDF properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
udf1Mask | acl:UdfMask (scalar:Uint16) | Mask to apply to UDF1 value | RANGE: [0 , 65535] |
udf1Name | acl:UdfName (string:Basic) | User-defined field match 1 | MAX SIZE: 15 |
udf1Val | acl:UdfVal (scalar:Uint16) | UDF1 value to match | RANGE: [0 , 65535] |
udf2Mask | acl:UdfMask (scalar:Uint16) | Mask to apply to UDF2 value | RANGE: [0 , 65535] |
udf2Name | acl:UdfName (string:Basic) | User-defined field match 2 | MAX SIZE: 15 |
udf2Val | acl:UdfVal (scalar:Uint16) | UDF2 value to match | RANGE: [0 , 65535] |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring a Time Range
Applying a Time Range
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "L1"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "2.2.2.2",
"dstPrefixLength": "3",
"protocol": "ip",
"seqNum": "10",
"srcPrefix": "1.1.1.1",
"srcPrefixLength": "2",
"timeRange": "t1",
"userSetBit": "1"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>foo</name>
<seq-items>
<ACE-list>
<seqNum>10</seqNum>
<action>permit</action>
<dstPrefix>0.0.0.0</dstPrefix>
<protocol>ip</protocol>
<srcPrefix>0.0.0.0</srcPrefix>
<timeRange>t1</timeRange>
<userSetBit>1572865</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Configures a time range.
CLI Commands
The CLI commands and options listed below are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.
ip access-list L1
10 permit ip 1.1.1.1/2 2.2.2.2/3 time-range t1
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
ipv4aclAF | sys/acl/ipv4 |
ipv4aclACL | sys/acl/ipv4/name-{name} |
ipv4aclACE | sys/acl/ipv4/name-{name}/seq-{seqNum} |
ipv4aclACL Properties
The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | acl:Name (string:Basic) | Name of Access lists | MAX SIZE: 63 |
ipv4aclACE Properties
The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
action | acl:ActionType (scalar:Enum8) | Specify packets to forward or reject | SELECTION: 0 - invalid 1 - permit 2 - deny DEFAULT: invalid |
dstPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Destination IPv4 prefix | Value must match ipv4 format |
dstPrefixLength | ipv4acl:IPv4PrefixLen (scalar:UByte) | Destination IPv4 prefix length | RANGE: [0 , 32] DEFAULT: 0 |
protocol | ipv4acl:Protocol (scalar:UByte) | Protocol for access-list entry | SELECTION: 0 - ip 1 - icmp 2 - igmp 6 - tcp 17 - udp 47 - gre 50 - esp 51 - ahp 88 - eigrp 89 - ospf 94 - nos 103 - pim 108 - pcp DEFAULT: 255 |
seqNum | acl:SequenceNumber (scalar:Uint32) | Sequence number | RANGE: [0 , 4294967295] |
srcPrefix | ipv4acl:IPv4Prefix (address:IPv4) | Source IPv4 prefix | Value must match ipv4 format |
srcPrefixLength | ipv4acl:IPv4PrefixLen (scalar:UByte) | Source IPv4 prefix length | RANGE: [0 , 32] DEFAULT: 0 |
timeRange | acl:Name (string:Basic) | time range name | MAX SIZE: 63 |
userSetBit | scalar:Uint64 | user set Bit | SELECTION: |
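A pre-POST review for the user-defined field and time-range payloads above, as an added example that is not Cisco's code: it checks each attribute against the ranges and sizes in the property tables and renders the equivalent CLI line so the rule can be read before it is sent. The function names are hypothetical, and rejecting the "invalid" action is a choice made here, not a documented device behaviour.

```python
import ipaddress

# Limits copied from the ipv4aclACL, ipv4aclACE and ipv4aclUDF property tables.
RANGES = {"seqNum": 2**32 - 1, "srcPrefixLength": 32, "dstPrefixLength": 32,
          "udf1Val": 65535, "udf1Mask": 65535, "udf2Val": 65535, "udf2Mask": 65535}
MAXLEN = {"name": 63, "timeRange": 63, "udf1Name": 15, "udf2Name": 15}
ALLOWED = {"action": {"permit", "deny"},  # "invalid", the default, is rejected
           "protocol": {"ip", "icmp", "igmp", "tcp", "udp", "gre", "esp",
                        "ahp", "eigrp", "ospf", "nos", "pim", "pcp"}}

def check(attrs, errors):
    """Validate one MO's attributes; return its ranged values as ints."""
    nums = {}
    for key, text in attrs.items():
        if key in RANGES:
            nums[key] = int(text) if str(text).isdecimal() else -1
            if not 0 <= nums[key] <= RANGES[key]:
                errors.append(f"{key}: {text!r} outside [0, {RANGES[key]}]")
        elif key in MAXLEN and len(text) > MAXLEN[key]:
            errors.append(f"{key}: longer than {MAXLEN[key]} characters")
        elif key in ALLOWED and text not in ALLOWED[key]:
            errors.append(f"{key}: {text!r} is not an accepted value")
        elif key.endswith("Prefix"):
            try:
                ipaddress.IPv4Address(text)
            except ValueError:
                errors.append(f"{key}: {text!r} is not an IPv4 address")
    return nums

def review_payload(payload):
    """Return (cli_lines, errors); absent mandatory attributes raise KeyError."""
    cli, errors = [], []
    for acl in (c["ipv4aclACL"] for c in payload["ipv4aclAF"]["children"]):
        check(acl["attributes"], errors)
        cli.append(f"ip access-list {acl['attributes']['name']}")
        for ace in (c["ipv4aclACE"] for c in acl.get("children", [])):
            a, n = ace["attributes"], check(ace["attributes"], errors)
            line = "{} {} {} {}/{} {}/{}".format(
                a["seqNum"], a["action"], a["protocol"], a["srcPrefix"],
                n.get("srcPrefixLength", 0), a["dstPrefix"], n.get("dstPrefixLength", 0))
            for child in ace.get("children", []):
                udf = child.get("ipv4aclUDF", {}).get("attributes", {})
                u = check(udf, errors)
                for i in (i for i in "12" if f"udf{i}Name" in udf):
                    line += " udf {} {:#x} {:#x}".format(
                        udf[f"udf{i}Name"], u[f"udf{i}Val"], u[f"udf{i}Mask"])
            line += f" time-range {a['timeRange']}" if "timeRange" in a else ""
            cli.append(line)
    return cli, errors
```

Passing the user-defined field or time-range JSON payload from this page to review_payload returns the two lines shown under CLI Commands for that example and an empty error list.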
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide: