Configuring ACL (Egress Direction)
This section contains payload examples and CLIs to demonstrate how to use the NX-API REST API to configure IP ACLs on Cisco Nexus 3000 and 9000 Series switches and to show how the REST APIs correspond to the CLI commands. For more information, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide.
Attaching an IPv4 ACL to an Interface in the Egress Direction
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4/policy/egress.json
```json
{
  "aclEgress": {
    "children": [
      {
        "aclIf": {
          "attributes": {
            "name": "eth1/2"
          },
          "children": [
            {
              "aclInst": {
                "attributes": {
                  "name": "bar"
                }
              }
            }
          ]
        }
      }
    ]
  }
}
```
```json
{
  "imdata": []
}
```
```xml
<System>
  <acl-items>
    <ipv4-items>
      <policy-items>
        <egress-items>
          <intf-items>
            <If-list>
              <name>eth1/2</name>
              <acl-items>
                <name>bar</name>
              </acl-items>
            </If-list>
          </intf-items>
        </egress-items>
      </policy-items>
    </ipv4-items>
  </acl-items>
</System>
```
Attaches an IPv4 ACL to an interface in the egress direction.
CLI Commands
The CLI commands and options listed below are equivalent to the payload examples above: the DME (JSON) payload and the YANG (XML) payload.
```
interface eth1/2
  ip access-group bar out
```
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
aclEgress | sys/acl/mpls/policy/egress |
aclIf | sys/acl/mpls/policy/egress/intf-{[name]} |
aclInst | sys/acl/mpls/policy/egress/vty/acl |
aclIf Properties
The following table contains information about the aclIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | nw:IfId (base:IfIndex) | Interface to which ACL is applied | eth1/1 (Ethernet1/1) or pc1 (port-channel), the short name for the interface. Must match the first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
aclInst Properties
The following table contains information about the aclInst properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | acl:Name (string:Basic) | Access Control List name | MAX SIZE: 63 |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Attaching an IPv6 ACL to an Interface in the Egress Direction
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv6/policy/egress.json
```json
{
  "aclEgress": {
    "children": [
      {
        "aclIf": {
          "attributes": {
            "name": "eth1/3"
          },
          "children": [
            {
              "aclInst": {
                "attributes": {
                  "name": "bar6"
                }
              }
            }
          ]
        }
      }
    ]
  }
}
```
```json
{
  "imdata": []
}
```
```xml
<System>
  <acl-items>
    <ipv6-items>
      <policy-items>
        <egress-items>
          <intf-items>
            <If-list>
              <name>eth1/3</name>
              <acl-items>
                <name>bar6</name>
              </acl-items>
            </If-list>
          </intf-items>
        </egress-items>
      </policy-items>
    </ipv6-items>
  </acl-items>
</System>
```
Attaches an IPv6 ACL to an interface in the egress direction.
CLI Commands
The CLI commands and options listed below are equivalent to the payload examples above: the DME (JSON) payload and the YANG (XML) payload.
```
interface eth1/3
  ipv6 traffic-filter bar6 out
```
Note: The property information for this example was added in Release 9.3(3).
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
aclEgress | sys/acl/mpls/policy/egress |
aclIf | sys/acl/mpls/policy/egress/intf-{[name]} |
aclInst | sys/acl/mpls/policy/egress/vty/acl |
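
The verification step described in both "Verifying a DME Configuration" sections, as an added example (not Cisco's code): it builds the attach payload with the documented 63-character ACL name limit enforced, then audits a GET response for interfaces whose egress ACL is missing or different from the intended one. Assumptions: the GET is issued against the same path the POST used, the response carries the POST tree under `imdata`, the sample response is constructed, and the names `build_egress_attach`, `egress_bindings`, `audit` and `SAMPLE_GET` are hypothetical.

```python
import json

ACL_NAME_MAX = 63  # aclInst "name" limit from the property table

def build_egress_attach(family, interface, acl_name):
    """Return (request path, payload) binding acl_name to interface, egress."""
    if family not in ("ipv4", "ipv6"):
        raise ValueError("family must be ipv4 or ipv6")
    if not 1 <= len(acl_name) <= ACL_NAME_MAX:
        raise ValueError("ACL name must be 1-63 characters")
    if not interface or any(c.isspace() for c in interface):
        raise ValueError("interface must be a short name such as eth1/2")
    payload = {"aclEgress": {"children": [{"aclIf": {
        "attributes": {"name": interface},
        "children": [{"aclInst": {"attributes": {"name": acl_name}}}],
    }}]}}
    return f"/api/mo/sys/acl/{family}/policy/egress.json", payload

def egress_bindings(get_response):
    """Map interface -> ACL name (None if no ACL) from an aclEgress GET."""
    bindings = {}
    for mo in get_response.get("imdata", []):
        children = mo.get("aclEgress", {}).get("children", [])
        for acl_if in (c["aclIf"] for c in children if "aclIf" in c):
            ifname = acl_if["attributes"]["name"].lower()
            for inst in acl_if.get("children", []):
                if "aclInst" in inst:
                    bindings[ifname] = inst["aclInst"]["attributes"]["name"]
            bindings.setdefault(ifname, None)  # aclIf present, no ACL attached
    return bindings

def audit(expected, get_response):
    """Return {interface: (wanted, found)} for every binding that differs."""
    found = egress_bindings(get_response)
    return {i: (acl, found.get(i.lower())) for i, acl in expected.items()
            if found.get(i.lower()) != acl}

# Constructed sample GET response (assumed shape: the POST tree under "imdata").
SAMPLE_GET = json.loads("""
{"totalCount": "1", "imdata": [{"aclEgress": {"attributes": {}, "children": [
  {"aclIf": {"attributes": {"name": "eth1/2"}, "children": [
    {"aclInst": {"attributes": {"name": "bar"}}}]}},
  {"aclIf": {"attributes": {"name": "eth1/4"}}}
]}}]}
""")

if __name__ == "__main__":
    print(audit({"eth1/2": "bar", "eth1/3": "bar", "eth1/4": "bar"}, SAMPLE_GET))
```

An empty result from `audit` means every intended interface carries the intended egress ACL; any entry is an interface that is unfiltered or filtered by a different list.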
aclIf Properties
The following table contains information about the aclIf properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | nw:IfId (base:IfIndex) | Interface to which ACL is applied | eth1/1 (Ethernet1/1) or pc1 (port-channel), the short name for the interface. Must match the first field in the output of `show intf brief`. Example: Eth1/1 or Vlan100 |
aclInst Properties
The following table contains information about the aclInst properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
name | acl:Name (string:Basic) | Access Control List name | MAX SIZE: 63 |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide: