ACE Configuration Examples

This section uses examples to demonstrate many of the ACL configuration options and to show how the REST APIs correspond to the CLI commands.

Adding ACE to an Existing IPv4 ACL (deny)

 Adding ACE to an Existing IPv4 ACL (deny)
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
  "ipv4aclAF": {
    "children": [
      {
        "ipv4aclACL": {
          "attributes": {
            "name": "acl_tcp"
          },
          "children": [
            {	
              "ipv4aclACE": {
                "attributes": {
                  "action": "deny",
                  "dstPrefix": "13.235.46.97",
                  "dstPrefixLength": "9",
                  "protocol": "udp",
                  "seqNum": "2",
                  "srcPrefix": "12.234.56.97",
                  "srcPrefixLength": "13",
                  "userSetBit": "1"
}}}]}}]}}
{
    imdata": []
}
<System>
  <acl-items>
    <ipv4-items>
      <name-items>
        <ACL-list>
          <name>acl_tcp</name>
          <seq-items>
            <ACE-list>
              <seqNum>2</seqNum>
              <action>deny</action>
              <dstPrefix>13.235.46.97</dstPrefix>
              <dstPrefixLength>9</dstPrefixLength>
              <protocol>udp</protocol>
              <srcPrefix>12.234.56.97</srcPrefix>
              <srcPrefixLength>13</srcPrefixLength>
              <userSetBit>1</userSetBit>
            </ACE-list>
          </seq-items>
        </ACL-list>
      </name-items>
    </ipv4-items>
  </acl-items>
</System>

Adds ACE to an existing IPV4 ACL (configured to reject packets).


CLI Commands

The CLI commands and options listed below are the equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

ip access-list acl_tcp
 2 deny udp 12.234.56.97/13 13.235.46.97/9

Note: The property information for this example was added in Release 9.3(3).


Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MODN
ipv4aclAF sys/acl/ipv4
ipv4aclACL sys/acl/ipv4/name-{name}
ipv4aclACE sys/acl/ipv4/name-{name}/seq-{seqNum}


ipv4aclACL Properties

The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property NameData TypeDescriptionValues
nameacl:Name
(string:Basic)
Name of Access lists
MAX SIZE: 63


ipv4aclACE Properties

The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property NameData TypeDescriptionValues
actionacl:ActionType
(scalar:Enum8)
Specify packets to forward or rejectSELECTION:
0 - invalid
1 - permit
2 - deny
DEFAULT: invalid
dstPrefixipv4acl:IPv4Prefix
(address:IPv4)
Destination IPv4 prefixValue must match ipv4 format
dstPrefixLengthipv4acl:IPv4PrefixLen
(scalar:UByte)
Destination IPv4 prefix length
RANGE: [0 , 32]
DEFAULT: 0
protocolipv4acl:Protocol
(scalar:UByte)
Protocol for access-list entrySELECTION:
0 - ip
1 - icmp
2 - igmp
6 - tcp
17 - udp
47 - gre
50 - esp
51 - ahp
88 - eigrp
89 - ospf
94 - nos
103 - pim
108 - pcp
DEFAULT: 255
seqNumacl:SequenceNumber
(scalar:Uint32)
Sequence number
RANGE: [0 , 4294967295]
srcPrefixipv4acl:IPv4Prefix
(address:IPv4)
Source IPv4 prefixValue must match ipv4 format
srcPrefixLengthipv4acl:IPv4PrefixLen
(scalar:UByte)
Source IPv4 prefix length
RANGE: [0 , 32]
DEFAULT: 0
userSetBit
scalar:Uint64
user set BitSELECTION:
  • 1ull - defaultValue
  • defaultValue: 1ull

  • Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Adding ACE to an Existing IPv6 ACL

     Adding ACE to an Existing IPv6 ACL
    
    POST http://<mgmt0_IP>/api/mo/sys/acl/ipv6.json
    
    {
    "ipv6aclAF": {
     "children": [
       {
         "ipv6aclACL": {
           "attributes": {
              "name": "L1"
           },
           "children": [
             {
               "ipv6aclACE": {
                 "attributes": {
                   "action": "deny",
                   "dstPrefix": "3::4",
                   "dstPrefixLength": "96",
                   "protocol": "tcp",
                   "seqNum": "32",
                   "srcPrefix": "1::2",
                   "srcPrefixLength": "127",
                   "userSetBit": "1"
    }}}]}}]}}
    
    {
        imdata": []
    }
    
    <System>
      <acl-items>
        <ipv6-items>
          <name-items>
            <ACL-list>
              <name>foo</name>
              <seq-items>
                <ACE-list>
                  <seqNum>32</seqNum>
                  <action>deny</action>
                  <dstPrefix>3::4</dstPrefix>
                  <dstPrefixLength>96</dstPrefixLength>
                  <protocol>tcp</protocol>
                  <srcPrefix>1::2</srcPrefix>
                  <srcPrefixLength>127</srcPrefixLength>
                  <userSetBit>1</userSetBit>
                </ACE-list>
              </seq-items>
            </ACL-list>
          </name-items>
        </ipv6-items>
      </acl-items>
    </System>
    

    Adds ACE to an existing IPv6 ACL (configured to reject packets).


    CLI Commands

    The CLI commands and options listed below are the equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

    ipv6 access-list L1
     32 deny tcp 1::2/127 3::4/96

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MODN
    ipv6aclAF sys/acl/ipv6
    ipv6aclACL sys/acl/ipv6/name-{name}
    ipv6aclACE sys/acl/ipv6/name-{name}/seq-{seqNum}


    ipv6aclACL Properties

    The following table contains information about the ipv6aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    nameacl:Name
    (string:Basic)
    Name of Access lists
    MAX SIZE: 63


    ipv6aclACE Properties

    The following table contains information about the ipv6aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    actionacl:ActionType
    (scalar:Enum8)
    Specify packets to forward or rejectSELECTION:
    0 - invalid
    1 - permit
    2 - deny
    DEFAULT: invalid
    dstPrefixipv6acl:IPv6Prefix
    (address:IPv6)
    Destination IPv6 prefixValue must match ipv6 format
    dstPrefixLengthipv6acl:IPv6PrefixLen
    (scalar:UByte)
    Destination IPv6 prefix length
    RANGE: [0 , 128]
    DEFAULT: 0
    protocolipv6acl:Protocol
    (scalar:UByte)
    Protocol for access-list entrySELECTION:
    0 - ipv6
    6 - tcp
    17 - udp
    47 - gre
    50 - esp
    51 - ahp
    58 - icmp
    88 - eigrp
    89 - ospf
    94 - nos
    103 - pim
    108 - pcp
    132 - sctp
    DEFAULT: 255
    seqNumacl:SequenceNumber
    (scalar:Uint32)
    Sequence number
    RANGE: [0 , 4294967295]
    srcPrefixipv6acl:IPv6Prefix
    (address:IPv6)
    Source IPv6 prefixValue must match ipv6 format
    srcPrefixLengthipv6acl:IPv6PrefixLen
    (scalar:UByte)
    Source IPv6 prefix length
    RANGE: [0 , 128]
    DEFAULT: 0
    userSetBit
    scalar:Uint64
    user set BitSELECTION:
  • 1ull - defaultValue
  • defaultValue: 1ull

  • Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Adding ACE to an Existing IPv4 ACL (permit)

    Adding ACE to an Existing IPv4 ACL (permit)
    
    POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
    
    {
    "ipv4aclAF": {
      "children": [
        {
          "ipv4aclACL": {
            "attributes": {
              "name": "ipv4_test_ace"
            },
            "children": [
              {
                "ipv4aclACE": {
                  "attributes": {
                    "action": "permit",
                    "dstPrefix": "6.6.6.6",
                    "dstPrefixLength": "4",
                    "protocol": "udp",
                    "seqNum": "2",
                    "srcPrefix": "5.5.5.5",
                    "srcPrefixLength": "4",
                    "vni": "15"
    }}}]}}]}}
    
    {
        imdata": []
    }
    
    <System>
      <acl-items>
        <ipv4-items>
          <name-items>
            <ACL-list>
              <name>ipv4_test_ace</name>
              <seq-items>
                <ACE-list>
                  <seqNum>30</seqNum>
                  <action>permit</action>
                  <dstPrefix>0.0.0.0</dstPrefix>
                  <protocol>udp</protocol>
                  <srcPrefix>0.0.0.0</srcPrefix>
                  <userSetBit>1572865</userSetBit>
                  <vni>10</vni>
                </ACE-list>
              </seq-items>
            </ACL-list>
          </name-items>
        </ipv4-items>
      </acl-items>
    </System>
    

    Adds ACE to an existing IPv4 ACL (configured to forward packets).


    CLI Commands

    The CLI commands and options listed below are the equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

    ip access-list ipv4_test_ace
     2 permit udp 5.5.5.5/4 6.6.6.6/4

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MODN
    ipv4aclAF sys/acl/ipv4
    ipv4aclACL sys/acl/ipv4/name-{name}
    ipv4aclACE sys/acl/ipv4/name-{name}/seq-{seqNum}


    ipv4aclACL Properties

    The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    nameacl:Name
    (string:Basic)
    Name of Access lists
    MAX SIZE: 63


    ipv4aclACE Properties

    The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    actionacl:ActionType
    (scalar:Enum8)
    Specify packets to forward or rejectSELECTION:
    0 - invalid
    1 - permit
    2 - deny
    DEFAULT: invalid
    dstPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Destination IPv4 prefixValue must match ipv4 format
    dstPrefixLengthipv4acl:IPv4PrefixLen
    (scalar:UByte)
    Destination IPv4 prefix length
    RANGE: [0 , 32]
    DEFAULT: 0
    protocolipv4acl:Protocol
    (scalar:UByte)
    Protocol for access-list entrySELECTION:
    0 - ip
    1 - icmp
    2 - igmp
    6 - tcp
    17 - udp
    47 - gre
    50 - esp
    51 - ahp
    88 - eigrp
    89 - ospf
    94 - nos
    103 - pim
    108 - pcp
    DEFAULT: 255
    seqNumacl:SequenceNumber
    (scalar:Uint32)
    Sequence number
    RANGE: [0 , 4294967295]
    srcPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Source IPv4 prefixValue must match ipv4 format
    srcPrefixLengthipv4acl:IPv4PrefixLen
    (scalar:UByte)
    Source IPv4 prefix length
    RANGE: [0 , 32]
    DEFAULT: 0
    vniacl:VniType
    (scalar:Uint32)
    nve vni ID
    RANGE: [0 , 16777216]
    DEFAULT: invalid


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring ACE with a Log that Matches Against an Entry

     Configuring ACE with a Log that Matches Against an Entry
    
    POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
    
    {
      "ipv4aclAF": {
        "children": [
          {
            "ipv4aclACL": {
              "attributes": {
                "name": "L1"
              },
              "children": [
                {
                  "ipv4aclACE": {
                    "attributes": {
                      "action": "permit",
                      "dstPrefix": "2.2.2.2",
                      "dstPrefixLength": "3",
                      "logging": "yes",
                      "protocol": "tcp",
                      "seqNum": "20",
                      "srcPrefix": "1.1.1.1",
                      "srcPrefixLength": "2",
                      "userSetBit": "1"
    }}}]}}]}}
    
    {
        imdata": []
    }
    
    <System>
      <acl-items>
        <ipv4-items>
          <name-items>
            <ACL-list>
              <name>ipv4_test_ace</name>
              <seq-items>
                <ACE-list>
                  <seqNum>20</seqNum>
                  <action>permit</action>
                  <dstPrefix>0.0.0.0</dstPrefix>
                  <logging>true</logging>
                  <protocol>tcp</protocol>
                  <srcPrefix>0.0.0.0</srcPrefix>
                  <userSetBit>1572865</userSetBit>
                </ACE-list>
              </seq-items>
            </ACL-list>
          </name-items>
        </ipv4-items>
      </acl-items>
    </System>
    

    Configures ACE with a log that matches against an entry.


    CLI Commands

    The CLI commands and options listed below are the equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

    ip access-list L1
     20 permit tcp 1.1.1.1/2 2.2.2.2/3 log

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MODN
    ipv4aclAF sys/acl/ipv4
    ipv4aclACL sys/acl/ipv4/name-{name}
    ipv4aclACE sys/acl/ipv4/name-{name}/seq-{seqNum}


    ipv4aclACL Properties

    The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    nameacl:Name
    (string:Basic)
    Name of Access lists
    MAX SIZE: 63


    ipv4aclACE Properties

    The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    actionacl:ActionType
    (scalar:Enum8)
    Specify packets to forward or rejectSELECTION:
    0 - invalid
    1 - permit
    2 - deny
    DEFAULT: invalid
    dstPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Destination IPv4 prefixValue must match ipv4 format
    dstPrefixLengthipv4acl:IPv4PrefixLen
    (scalar:UByte)
    Destination IPv4 prefix length
    RANGE: [0 , 32]
    DEFAULT: 0
    loggingscalar:Bool
    Log matches against ACL entrySELECTION: true or false
    DEFAULT: false
    protocolipv4acl:Protocol
    (scalar:UByte)
    Protocol for access-list entrySELECTION:
    0 - ip
    1 - icmp
    2 - igmp
    6 - tcp
    17 - udp
    47 - gre
    50 - esp
    51 - ahp
    88 - eigrp
    89 - ospf
    94 - nos
    103 - pim
    108 - pcp
    DEFAULT: 255
    seqNumacl:SequenceNumber
    (scalar:Uint32)
    Sequence number
    RANGE: [0 , 4294967295]
    srcPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Source IPv4 prefixValue must match ipv4 format
    srcPrefixLengthipv4acl:IPv4PrefixLen
    (scalar:UByte)
    Source IPv4 prefix length
    RANGE: [0 , 32]
    DEFAULT: 0
    userSetBit
    scalar:Uint64
    user set BitSELECTION:
  • 1ull - defaultValue
  • defaultValue: 1ull

  • Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring ACE to Check Non-Initial Fragments

     Configuring ACE to Check Non-Initial Fragments
    
    POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
    
    {
      "ipv4aclAF": {
        "children": [
          {
            "ipv4aclACL": {
              "attributes": {
                "name": "L1"
              },
              "children": [
                {
                  "ipv4aclACE": {
                    "attributes": {
                      "action": "permit",
                      "dstPrefix": "2.2.2.2",
                      "dstPrefixLength": "3",
                      "fragment": "yes",
                      "protocol": "tcp",
                      "seqNum": "20",
                      "srcPrefix": "1.1.1.1",
                      "srcPrefixLength": "2",
                      "userSetBit": "1"
    }}}]}}]}}
    
    {
        imdata": []
    }
    
    <System>
      <acl-items>
        <ipv6-items>
          <name-items>
            <ACL-list>
              <name>ipv6_test_ace</name>
              <seq-items>
                <ACE-list>
                  <seqNum>20</seqNum>
                  <action>permit</action>
                  <dstPrefix>0::0</dstPrefix>
                  <fragment>true</fragment>
                  <protocol>ipv6</protocol>
                  <srcPrefix>0::0</srcPrefix>
                  <userSetBit>1572865</userSetBit>
                </ACE-list>
              </seq-items>
            </ACL-list>
          </name-items>
        </ipv6-items>
      </acl-items>
    </System>
    

    Configures ACE to check non-initial fragments


    CLI Commands

    The CLI commands and options listed below are the equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

    ip access-list L1
     20 permit tcp 1.1.1.1/2 2.2.2.2/3 fragments

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MODN
    ipv4aclAF sys/acl/ipv4
    ipv4aclACL sys/acl/ipv4/name-{name}
    ipv4aclACE sys/acl/ipv4/name-{name}/seq-{seqNum}


    ipv4aclACL Properties

    The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    nameacl:Name
    (string:Basic)
    Name of Access lists
    MAX SIZE: 63


    ipv4aclACE Properties

    The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    actionacl:ActionType
    (scalar:Enum8)
    Specify packets to forward or rejectSELECTION:
    0 - invalid
    1 - permit
    2 - deny
    DEFAULT: invalid
    dstPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Destination IPv4 prefixValue must match ipv4 format
    dstPrefixLengthipv4acl:IPv4PrefixLen
    (scalar:UByte)
    Destination IPv4 prefix length
    RANGE: [0 , 32]
    DEFAULT: 0
    fragmentscalar:Bool
    Non-initial fragmentSELECTION: true or false
    protocolipv4acl:Protocol
    (scalar:UByte)
    Protocol for access-list entrySELECTION:
    0 - ip
    1 - icmp
    2 - igmp
    6 - tcp
    17 - udp
    47 - gre
    50 - esp
    51 - ahp
    88 - eigrp
    89 - ospf
    94 - nos
    103 - pim
    108 - pcp
    DEFAULT: 255
    seqNumacl:SequenceNumber
    (scalar:Uint32)
    Sequence number
    RANGE: [0 , 4294967295]
    srcPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Source IPv4 prefixValue must match ipv4 format
    srcPrefixLengthipv4acl:IPv4PrefixLen
    (scalar:UByte)
    Source IPv4 prefix length
    RANGE: [0 , 32]
    DEFAULT: 0
    userSetBit
    scalar:Uint64
    user set BitSELECTION:
  • 1ull - defaultValue
  • defaultValue: 1ull

  • Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring ACE to Match Packets Based on the HTTP Method

     Configuring ACE to Match Packets Based on the HTTP Method
    
    POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
    
    {
      "ipv4aclAF": {
        "children": [
          {
            "ipv4aclACL": {
              "attributes": {
                "name": "L1"
              },
              "children": [
                {
                  "ipv4aclACE": {
                    "attributes": {
                      "action": "permit",
                      "dstPrefix": "0.0.0.0",
                      "httpOption": "head",
                      "protocol": "tcp",
                      "seqNum": "20",
                      "srcPrefix": "0.0.0.0",
                      "userSetBit": "1572865"
    
    }}}]}}]}}
    
    {
        imdata": []
    }
    
    <System>
      <acl-items>
        <ipv4-items>
          <name-items>
            <ACL-list>
              <name>ipv4_test_ace</name>
              <seq-items>
                <ACE-list>
                  <seqNum>20</seqNum>
                  <action>permit</action>
                  <dstPrefix>0.0.0.0</dstPrefix>
                  <httpOption>head</httpOption>
                  <protocol>tcp</protocol>
                  <srcPrefix>0.0.0.0</srcPrefix>
                  <userSetBit>1572865</userSetBit>
                </ACE-list>
              </seq-items>
            </ACL-list>
          </name-items>
        </ipv4-items>
      </acl-items>
    </System>
    

    Configures ACE to match packets based on the HTTP method.


    CLI Commands

    The CLI commands and options listed below are the equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

    ip access-list L1
     20 permit tcp any any http-method head

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MODN
    ipv4aclAF sys/acl/ipv4
    ipv4aclACL sys/acl/ipv4/name-{name}
    ipv4aclACE sys/acl/ipv4/name-{name}/seq-{seqNum}


    ipv4aclACL Properties

    The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    nameacl:Name
    (string:Basic)
    Name of Access lists
    MAX SIZE: 63


    ipv4aclACE Properties

    The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    actionacl:ActionType
    (scalar:Enum8)
    Specify packets to forward or rejectSELECTION:
    0 - invalid
    1 - permit
    2 - deny
    DEFAULT: invalid
    dstPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Destination IPv4 prefixValue must match ipv4 format
    httpOptionacl:HttpOptionType
    (scalar:Enum8)
    http option http-methodSELECTION:
    0 - invalid
    1 - get
    2 - put
    3 - head
    4 - post
    5 - delete
    6 - trace
    7 - connect
    DEFAULT: invalid
    protocolipv4acl:Protocol
    (scalar:UByte)
    Protocol for access-list entrySELECTION:
    0 - ip
    1 - icmp
    2 - igmp
    6 - tcp
    17 - udp
    47 - gre
    50 - esp
    51 - ahp
    88 - eigrp
    89 - ospf
    94 - nos
    103 - pim
    108 - pcp
    DEFAULT: 255
    seqNumacl:SequenceNumber
    (scalar:Uint32)
    Sequence number
    RANGE: [0 , 4294967295]
    srcPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Source IPv4 prefixValue must match ipv4 format
    userSetBit
    scalar:Uint64
    user set BitSELECTION:
  • 1ull - defaultValue
  • defaultValue: 1ull

  • Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring ACE to Make VLAN-Based Matches

     Configuring ACE to Make VLAN-Based Matches
    
    POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
    
    {
      "ipv4aclAF": {
        "children": [
          {
            "ipv4aclACL": {
              "attributes": {
                "name": "L1"
              },
              "children": [
                {
                  "ipv4aclACE": {
                    "attributes": {
                      "action": "permit",
                      "dstPrefix": "0.0.0.0",
                      "protocol": "ip",
                      "seqNum": "40",
                      "srcPrefix": "0.0.0.0",
                      "userSetBit": "1572865",
                      "vlan": "5"
    }}}]}}]}}
    
    {
        imdata": []
    }
    
    <System>
      <acl-items>
        <ipv4-items>
          <name-items>
            <ACL-list>
              <name>ipv4_test_ace</name>
              <seq-items>
                <ACE-list>
                  <seqNum>40</seqNum>
                  <action>permit</action>
                  <dstPrefix>0.0.0.0</dstPrefix>
                  <protocol>ip</protocol>
                  <srcPrefix>0.0.0.0</srcPrefix>
                  <userSetBit>1572865</userSetBit>
                  <vlan>5</vlan>
                </ACE-list>
              </seq-items>
            </ACL-list>
          </name-items>
        </ipv4-items>
      </acl-items>
    </System>
    

    Configures ACE to make VLAN-based matches.


    CLI Commands

    The CLI commands and options listed below are the equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

    ip access-list L1
     40 permit ip any any vlan 5

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MODN
    ipv4aclAF sys/acl/ipv4
    ipv4aclACL sys/acl/ipv4/name-{name}
    ipv4aclACE sys/acl/ipv4/name-{name}/seq-{seqNum}


    ipv4aclACL Properties

    The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    nameacl:Name
    (string:Basic)
    Name of Access lists
    MAX SIZE: 63


    ipv4aclACE Properties

    The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    actionacl:ActionType
    (scalar:Enum8)
    Specify packets to forward or rejectSELECTION:
    0 - invalid
    1 - permit
    2 - deny
    DEFAULT: invalid
    dstPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Destination IPv4 prefixValue must match ipv4 format
    protocolipv4acl:Protocol
    (scalar:UByte)
    Protocol for access-list entrySELECTION:
    0 - ip
    1 - icmp
    2 - igmp
    6 - tcp
    17 - udp
    47 - gre
    50 - esp
    51 - ahp
    88 - eigrp
    89 - ospf
    94 - nos
    103 - pim
    108 - pcp
    DEFAULT: 255
    seqNumacl:SequenceNumber
    (scalar:Uint32)
    Sequence number
    RANGE: [0 , 4294967295]
    srcPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Source IPv4 prefixValue must match ipv4 format
    userSetBit
    scalar:Uint64
    user set BitSELECTION:
  • 1ull - defaultValue
  • defaultValue: 1ull
  • vlanacl:VlanType
    (scalar:Uint32)
    vlan
    RANGE: [0 , 4095]
    DEFAULT: 4095


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring ACE to Specify the TCP Options Size

     Configuring ACE to Specify the TCP Options Size
    
    POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
    
    {
      "ipv4aclAF": {
        "children": [
          {
            "ipv4aclACL": {
              "attributes": {
                "name": "ipv4_test_ace"
              },
              "children": [
                {
                  "ipv4aclACE": {
                    "attributes": {
                      "action": "permit",
                      "dstPrefix": "0.0.0.0",
                      "protocol": "tcp",
                      "seqNum": "20",
                      "srcPrefix": "0.0.0.0",
                      "tcpOptionLength": "36",
                      "userSetBit": "1572865"
    }}}]}}]}}
    
    {
        imdata": []
    }
    
    <System>
      <acl-items>
        <ipv4-items>
          <name-items>
            <ACL-list>
              <name>ipv4_test_ace</name>
              <seq-items>
                <ACE-list>
                  <seqNum>20</seqNum>
                  <action>permit</action>
                  <dstPrefix>0.0.0.0</dstPrefix>
                  <protocol>tcp</protocol>
                  <srcPrefix>0.0.0.0</srcPrefix>
                  <tcpOptionLength>36</tcpOptionLength>
                  <userSetBit>1572865</userSetBit>
                </ACE-list>
              </seq-items>
            </ACL-list>
          </name-items>
        </ipv4-items>
      </acl-items>
    </System>
    

    Configures ACE to specify the TCP options size.


    CLI Commands

    The CLI commands and options listed below are the equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

    ip access-list ipv4_test_ace
     20 permit tcp any any tcp-option-length 36

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MODN
    ipv4aclAF sys/acl/ipv4
    ipv4aclACL sys/acl/ipv4/name-{name}
    ipv4aclACE sys/acl/ipv4/name-{name}/seq-{seqNum}


    ipv4aclACL Properties

    The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    nameacl:Name
    (string:Basic)
    Name of Access lists
    MAX SIZE: 63


    ipv4aclACE Properties

    The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    actionacl:ActionType
    (scalar:Enum8)
    Specify packets to forward or rejectSELECTION:
    0 - invalid
    1 - permit
    2 - deny
    DEFAULT: invalid
    dstPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Destination IPv4 prefixValue must match ipv4 format
    protocolipv4acl:Protocol
    (scalar:UByte)
    Protocol for access-list entrySELECTION:
    0 - ip
    1 - icmp
    2 - igmp
    6 - tcp
    17 - udp
    47 - gre
    50 - esp
    51 - ahp
    88 - eigrp
    89 - ospf
    94 - nos
    103 - pim
    108 - pcp
    DEFAULT: 255
    seqNumacl:SequenceNumber
    (scalar:Uint32)
    Sequence number
    RANGE: [0 , 4294967295]
    srcPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Source IPv4 prefixValue must match ipv4 format
    tcpOptionLengthacl:TcpOptionLengthType
    (scalar:Uint32)
    TCP options length
    RANGE: [0 , 41]
    DEFAULT: invalid
    userSetBit
    scalar:Uint64
    user set BitSELECTION:
  • 1ull - defaultValue
  • defaultValue: 1ull

  • Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring ACE with a User-Defined Field Match

     Configuring ACE with a User-Defined Field Match
    
    POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
    
    {
      "ipv4aclAF": {
        "children": [
          {
            "ipv4aclACL": {
              "attributes": {
                "name": "ipv4_test_ace"
              },
              "children": [
                {
                  "ipv4aclACE": {
                    "attributes": {
                      "action": "permit",
                      "dstPrefix": "2.2.2.2",
                      "dstPrefixLength": "2",
                      "protocol": "ip",
                      "seqNum": "10",
                      "srcPrefix": "1.1.1.1",
                      "srcPrefixLength": "2",
                      "userSetBit": "1"
                    },
                    "children": [
                      {
                        "ipv4aclUDF": {
                          "attributes": {
                            "udf1Mask": "2",
                            "udf1Name": "name1",
                            "udf1Val": "1",
                            "udf2Mask": "238",
                            "udf2Name": "name2",
                            "udf2Val": "255"
    }}}]}}]}}]}}
    
    {
        imdata": []
    }
    
    <System>
      <acl-items>
        <ipv4-items>
          <name-items>
            <ACL-list>
              <name>test2</name>
              <seq-items>
                <ACE-list>
                  <seqNum>10</seqNum>
                  <action>permit</action>
                  <dstPrefix>2.2.2.2</dstPrefix>
                  <dstPrefixLength>2</dstPrefixLength>
                  <protocol>ip</protocol>
                  <srcPrefix>1.1.1.1</srcPrefix>
                  <srcPrefixLength>2</srcPrefixLength>
                  <userSetBit>1</userSetBit>
                  <udf-items>
                    <udf1Mask>2</udf1Mask>
                    <udf1Name>name1</udf1Name>
                    <udf1Val>1</udf1Val>
                    <udf2Mask>238</udf2Mask>
                    <udf2Name>name2</udf2Name>
                    <udf2Val>255</udf2Val>
                  </udf-items>
                </ACE-list>
              </seq-items>
            </ACL-list>
          </name-items>
        </ipv4-items>
      </acl-items>
    </System>
    

    Configurs ACE with a user-defined field match.


    CLI Commands

    The CLI commands and options listed below are the equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

    ip access-list ipv4_test_ace
     10 permit ip 1.1.1.1/2 2.2.2.2/2 udf name1 0x1 0x2 udf name2 0xff 0xee

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MODN
    ipv4aclAF sys/acl/ipv4
    ipv4aclACL sys/acl/ipv4/name-{name}
    ipv4aclACE sys/acl/ipv4/name-{name}/seq-{seqNum}
    ipv4aclUDF sys/acl/ipv4/name-{name}/seq-{seqNum}/udf


    ipv4aclACL Properties

    The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    nameacl:Name
    (string:Basic)
    Name of Access lists
    MAX SIZE: 63


    ipv4aclACE Properties

    The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    actionacl:ActionType
    (scalar:Enum8)
    Specify packets to forward or rejectSELECTION:
    0 - invalid
    1 - permit
    2 - deny
    DEFAULT: invalid
    dstPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Destination IPv4 prefixValue must match ipv4 format
    dstPrefixLengthipv4acl:IPv4PrefixLen
    (scalar:UByte)
    Destination IPv4 prefix length
    RANGE: [0 , 32]
    DEFAULT: 0
    protocolipv4acl:Protocol
    (scalar:UByte)
    Protocol for access-list entrySELECTION:
    0 - ip
    1 - icmp
    2 - igmp
    6 - tcp
    17 - udp
    47 - gre
    50 - esp
    51 - ahp
    88 - eigrp
    89 - ospf
    94 - nos
    103 - pim
    108 - pcp
    DEFAULT: 255
    seqNumacl:SequenceNumber
    (scalar:Uint32)
    Sequence number
    RANGE: [0 , 4294967295]
    srcPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Source IPv4 prefixValue must match ipv4 format
    srcPrefixLengthipv4acl:IPv4PrefixLen
    (scalar:UByte)
    Source IPv4 prefix length
    RANGE: [0 , 32]
    DEFAULT: 0
    userSetBit
    scalar:Uint64
    user set BitSELECTION:
  • 1ull - defaultValue
  • defaultValue: 1ull

  • ipv4aclUDF Properties

    The following table contains information about the ipv4aclUDF properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    udf1Maskacl:UdfMask
    (scalar:Uint16)
    Mask to apply to UDF1 value
    RANGE: [0 , 65535]
    udf1Nameacl:UdfName
    (string:Basic)
    User-defined field match 1
    MAX SIZE: 15
    udf1Valacl:UdfVal
    (scalar:Uint16)
    UDF1 value to match
    RANGE: [0 , 65535]
    udf2Maskacl:UdfMask
    (scalar:Uint16)
    Mask to apply to UDF2 value
    RANGE: [0 , 65535]
    udf2Nameacl:UdfName
    (string:Basic)
    User-defined field match 2
    MAX SIZE: 15
    udf2Valacl:UdfVal
    (scalar:Uint16)
    UDF2 value to match
    RANGE: [0 , 65535]


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring a Time Range

     Applying a Time Range
    
    POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
    
    {
      "ipv4aclAF": {
        "children": [
          {
            "ipv4aclACL": {
              "attributes": {
                "name": "L1"
              },
              "children": [
                {
                  "ipv4aclACE": {
                    "attributes": {
                      "action": "permit",
                      "dstPrefix": "2.2.2.2",
                      "dstPrefixLength": "3",
                      "protocol": "ip",
                      "seqNum": "10",
                      "srcPrefix": "1.1.1.1",
                      "srcPrefixLength": "2",
                      "timeRange": "t1",
                      "userSetBit": "1"
    }}}]}}]}}
    
    {
        imdata": []
    }
    
    <System>
      <acl-items>
        <ipv4-items>
          <name-items>
            <ACL-list>
              <name>foo</name>
              <seq-items>
                <ACE-list>
                  <seqNum>10</seqNum>
                  <action>permit</action>
                  <dstPrefix>0.0.0.0</dstPrefix>
                  <protocol>ip</protocol>
                  <srcPrefix>0.0.0.0</srcPrefix>
                  <timeRange>t1</timeRange>
                  <userSetBit>1572865</userSetBit>
                </ACE-list>
              </seq-items>
            </ACL-list>
          </name-items>
        </ipv4-items>
      </acl-items>
    </System>
    

    Configures a time range.


    CLI Commands

    The CLI commands and options listed below are the equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

    ip access-list L1
     10 permit ip 1.1.1.1/2 2.2.2.2/3 time-range t1

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MODN
    ipv4aclAF sys/acl/ipv4
    ipv4aclACL sys/acl/ipv4/name-{name}
    ipv4aclACE sys/acl/ipv4/name-{name}/seq-{seqNum}


    ipv4aclACL Properties

    The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    nameacl:Name
    (string:Basic)
    Name of Access lists
    MAX SIZE: 63


    ipv4aclACE Properties

    The following table contains information about the ipv4aclACE properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property NameData TypeDescriptionValues
    actionacl:ActionType
    (scalar:Enum8)
    Specify packets to forward or rejectSELECTION:
    0 - invalid
    1 - permit
    2 - deny
    DEFAULT: invalid
    dstPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Destination IPv4 prefixValue must match ipv4 format
    dstPrefixLengthipv4acl:IPv4PrefixLen
    (scalar:UByte)
    Destination IPv4 prefix length
    RANGE: [0 , 32]
    DEFAULT: 0
    protocolipv4acl:Protocol
    (scalar:UByte)
    Protocol for access-list entrySELECTION:
    0 - ip
    1 - icmp
    2 - igmp
    6 - tcp
    17 - udp
    47 - gre
    50 - esp
    51 - ahp
    88 - eigrp
    89 - ospf
    94 - nos
    103 - pim
    108 - pcp
    DEFAULT: 255
    seqNumacl:SequenceNumber
    (scalar:Uint32)
    Sequence number
    RANGE: [0 , 4294967295]
    srcPrefixipv4acl:IPv4Prefix
    (address:IPv4)
    Source IPv4 prefixValue must match ipv4 format
    srcPrefixLengthipv4acl:IPv4PrefixLen
    (scalar:UByte)
    Source IPv4 prefix length
    RANGE: [0 , 32]
    DEFAULT: 0
    timeRangeacl:Name
    (string:Basic)
    time range name
    MAX SIZE: 63
    userSetBit
    scalar:Uint64
    user set BitSELECTION:
  • 1ull - defaultValue
  • defaultValue: 1ull

  • Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html