Configuring IPv4 and IPv6 ACLs

This section contains payload examples and CLI equivalents that demonstrate how to use the NX-API REST API to configure IP ACLs on Cisco Nexus 3000 and 9000 Series switches, and shows how each REST payload corresponds to the CLI commands. The examples are written against http://<mgmt0_IP>; on a production switch, expose NX-API over HTTPS only (feature nxapi, nxapi https port 443, and no nxapi http), and send these payloads with an account that holds the minimum role needed to change ACLs, since every payload on this page alters the switch's packet-filtering policy. For more information, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide.

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-installation-and-configuration-guides-list.html/

Configuring IPv4 and IPv6 Access Lists

DME (JSON) payload:

POST http://<mgmt0_IP>/api/mo/sys.json
{
  "topSystem": {
    "children": [
      {
        "aclEntity": {
          "children": [
            {
              "ipv6aclAF": {
                "children": [
                  {
                    "ipv6aclACL": {
                      "attributes": {
                        "name": "acl_ipv6"
}}}]}},
            {
              "ipv4aclAF": {
                "children": [
                  {
                    "ipv4aclACL": {
                      "attributes": {
                        "name": "acl_tcp"
}}}]}}]}}]}}

Response:
{
    "imdata": []
}

YANG (XML) payload:
<System>
  <acl-items>
    <ipv6-items>
      <name-items>
        <ACL-list>
          <name>acl_ipv6</name>
        </ACL-list>
      </name-items>
    </ipv6-items>
    <ipv4-items>
      <name-items>
        <ACL-list>
          <name>acl_tcp</name>
        </ACL-list>
      </name-items>
    </ipv4-items>
  </acl-items>
</System>

This payload creates an IPv4 ACL (acl_tcp) and an IPv6 ACL (acl_ipv6) with no entries. Rules (ACEs) are added afterwards as child objects of the ipv4aclACL or ipv6aclACL object and are not shown in this example. An ACL that exists but is not applied to an interface or VLAN filters no traffic.


CLI Commands

The CLI commands and options listed below are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

ip access-list acl_tcp
ipv6 access-list acl_ipv6

Note: The property information for this example was added in Release 9.3(3).


Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO            DN
topSystem     sys
aclEntity     sys/acl
ipv6aclAF     sys/acl/ipv6
ipv6aclACL    sys/acl/ipv6/name-{name}
ipv4aclAF     sys/acl/ipv4
ipv4aclACL    sys/acl/ipv4/name-{name}
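The following script is an added example and is not code from the Cisco page or from NX-OS. It builds the topSystem/aclEntity payload above for any set of IPv4, IPv6 and (per the MAC access list section later on this page) MAC ACL names, enforces the 63-character acl:Name limit from the property tables before anything is sent, derives the DNs from the verification table, and checks each GET response for the expected DN. The login endpoint /api/aaaLogin.json with an aaaUser body, the cookie-based session, the character set allowed in ACL names and the switch address 192.0.2.10 are assumptions; confirm the login flow against the Programmability Guide for your release.

```python
"""Create ACL objects through NX-API DME and verify each one by its DN.

Added example, not code from the Cisco page. The payload shape
(topSystem -> aclEntity -> <af>aclAF -> <af>aclACL) and the DNs
sys/acl/{ipv4,ipv6,mac}/name-{name} come from the page's tables. The login
endpoint /api/aaaLogin.json with an aaaUser body, the cookie-based session
and the use of HTTPS are assumptions about the NX-API DME interface; check
them against the Programmability Guide for your release.
"""
import json
import re
import ssl
import urllib.request

ACL_NAME_MAX = 63                                 # acl:Name MAX SIZE from the page
ACL_NAME_RE = re.compile(r"^[A-Za-z0-9_.:-]+$")   # assumption: conservative charset
AF_CLASS = {                                      # address family -> (container, ACL class)
    "ipv4": ("ipv4aclAF", "ipv4aclACL"),
    "ipv6": ("ipv6aclAF", "ipv6aclACL"),
    "mac": ("macaclAF", "macaclACL"),
}


def check_acl_name(name):
    """Reject names the DME would refuse, or that would break the name-{name} DN."""
    if not name or len(name) > ACL_NAME_MAX:
        raise ValueError(f"ACL name {name!r} must be 1..{ACL_NAME_MAX} characters")
    if not ACL_NAME_RE.match(name):
        raise ValueError(f"ACL name {name!r} contains characters outside the safe set")
    return name


def build_acl_payload(acls):
    """acls: {'ipv4': [names], 'ipv6': [...], 'mac': [...]} -> body for POST /api/mo/sys.json."""
    af_children = []
    for af, names in acls.items():
        af_cls, acl_cls = AF_CLASS[af]
        acl_children = [{acl_cls: {"attributes": {"name": check_acl_name(n)}}}
                        for n in names]
        af_children.append({af_cls: {"children": acl_children}})
    return {"topSystem": {"children": [{"aclEntity": {"children": af_children}}]}}


def acl_dns(acls):
    """DNs to GET afterwards, as listed in the page's 'Verifying a DME Configuration' table."""
    return [f"sys/acl/{af}/name-{n}" for af, names in acls.items() for n in names]


def mo_found(get_response, dn):
    """True when a GET /api/mo/<dn>.json response carries an object with that DN."""
    for item in get_response.get("imdata", []):
        for body in item.values():
            if body.get("attributes", {}).get("dn") == dn:
                return True
    return False


class NxapiSession:
    """Minimal cookie-authenticated DME client (assumed aaaLogin flow, HTTPS only)."""

    def __init__(self, host, user, password, verify_tls=True):
        self.base = f"https://{host}"
        ctx = ssl.create_default_context()
        if not verify_tls:          # lab use only: skips certificate validation
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx),
            urllib.request.HTTPCookieProcessor())   # keeps the session cookie
        self._call("POST", "/api/aaaLogin.json",
                   {"aaaUser": {"attributes": {"name": user, "pwd": password}}})

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with self.opener.open(req, timeout=15) as resp:
            return json.loads(resp.read().decode())

    def post_mo(self, dn, body):
        return self._call("POST", f"/api/mo/{dn}.json", body)

    def get_mo(self, dn):
        return self._call("GET", f"/api/mo/{dn}.json")


def create_and_verify(session, acls):
    """POST the ACL tree, then GET every DN; returns the DNs that did not appear."""
    session.post_mo("sys", build_acl_payload(acls))
    return [dn for dn in acl_dns(acls) if not mo_found(session.get_mo(dn), dn)]


if __name__ == "__main__":
    wanted = {"ipv4": ["acl_tcp"], "ipv6": ["acl_ipv6"]}
    print(json.dumps(build_acl_payload(wanted), indent=2))
    print("verify with GET on:", acl_dns(wanted))
    # session = NxapiSession("192.0.2.10", "admin", "secret")   # your switch (assumed address)
    # print("missing after POST:", create_and_verify(session, wanted))
```

Posting the whole tree to sys.json, as the page does, lets one request create ACLs in several address families; the per-family DNs are then fetched one at a time so that a missing object is reported by name rather than hidden in a bulk response. The verification step matters because a POST that is accepted returns an empty imdata either way; only the GET proves the object exists.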


ipv6aclACL Properties

The following table contains information about the ipv6aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name   Data Type                  Description             Values
name            acl:Name (string:Basic)    Name of Access lists    MAX SIZE: 63


ipv4aclACL Properties

The following table contains information about the ipv4aclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name   Data Type                  Description             Values
name            acl:Name (string:Basic)    Name of Access lists    MAX SIZE: 63


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a MAC Access List

DME (JSON) payload:

POST http://<mgmt0_IP>/api/mo/sys/acl/mac.json
{
  "macaclAF": {
    "children": [
      {
        "macaclACL": {
          "attributes": {
            "name": "ListName"
}}}]}}

Response:
{
    "imdata": []
}

YANG (XML) payload:
<System>
  <acl-items>
    <mac-items>
      <name-items>
        <ACL-list>
          <name>ListName</name>
        </ACL-list>
      </name-items>
    </mac-items>
  </acl-items>
</System>

Creates a MAC access list named ListName with no entries. Note that this payload is posted directly to the macaclAF DN (sys/acl/mac) rather than to sys, so the topSystem and aclEntity wrappers are omitted.


CLI Command

The CLI command below is equivalent to the payload example displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

mac access-list ListName

Note: The property information for this example was added in Release 9.3(3).


Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO           DN
macaclAF     sys/acl/mac
macaclACL    sys/acl/mac/name-{name}


macaclACL Properties

The following table contains information about the macaclACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name   Data Type                  Description             Values
name            acl:Name (string:Basic)    Name of Access lists    MAX SIZE: 63


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Applying Access Control to a List of VLANs

DME (JSON) payload:

POST http://<mgmt0_IP>/api/mo/sys/acl/vlan-vacl1.json
{
  "aclVLANACL": {
    "attributes": {
      "name": "vacl1"
    },
    "children": [
      {
        "aclVLANList": {
          "attributes": {
            "list": "1-10",
            "operation": "apply"
}}}]}}

Response:
{
    "imdata": []
}

YANG (XML) payload:
<System>
  <acl-items>
    <vlan-items>
      <VLANACL-list>
        <name>vacl1</name>
        <vlanlist-items>
          <list>1-10</list>
          <operation>apply</operation>
        </vlanlist-items>
      </VLANACL-list>
    </vlan-items>
  </acl-items>
</System>

Applies the VLAN access map vacl1 to VLANs 1 through 10. The access map itself (its match clauses and permit/drop actions, configured separately with vlan access-map) is not created by this payload; this payload only binds the map to the listed VLANs. Setting operation to remove undoes the binding.


CLI Command

The CLI command below is equivalent to the payload example displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload or the YANG tab to view the XML payload.

vlan filter vacl1 vlan-list 1-10

Note: The property information for this example was added in Release 9.3(3).


Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO             DN
aclVLANACL     sys/acl/vlan-{name}
aclVLANList    sys/acl/vlan-{name}/vlanlist


aclVLANACL Properties

The following table contains information about the aclVLANACL properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name   Data Type                  Description                 Values
name            acl:Name (string:Basic)    Defines the VLAN ACL name   MAX SIZE: 63


aclVLANList Properties

The following table contains information about the aclVLANList properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name   Data Type                         Description                                        Values
list            acl:VlanListStr (string:Basic)    VLAN or a list of VLANs, for example 1,2 or 2-4    MAX SIZE: 512
operation       acl:operation (scalar:UByte)      VLAN filter operation: apply or remove             SELECTION: 0 - remove, 1 - apply; DEFAULT: 1


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Port Expansion Threshold

DME (JSON) payload:

POST http://<mgmt0_IP>/api/mo/sys.json
{
  "topSystem": {
    "children": [
      {
        "platformEntity": {
          "attributes": {
            "hwLouResThreshold": "5"
}}}]}}

Response:
{
    "imdata": []
}

YANG (XML) payload:
<System>
  <pltfm-items>
    <hwLouResThreshold>5</hwLouResThreshold>
  </pltfm-items>
</System>

Note: This example was added in Release 9.3(1).


CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

hardware access-list lou resource threshold 5


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO                DN
topSystem         sys
platformEntity    sys/pltfm


platformEntity Properties

The following table contains information about the platformEntity properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name        Data Type        Description                                                  Values
hwLouResThreshold    scalar:Uint16    Hardware LOU (logical operation unit) resource threshold     RANGE: [1, 50]; DEFAULT: 5


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Port Expansion Threshold

DME (JSON) payload:

POST http://<mgmt0_IP>/api/mo/sys.json
{
  "topSystem": {
    "children": [
      {
        "platformEntity": {
          "attributes": {
            "hwLouResThreshold": "5"
}}}]}}

Response:
{
    "imdata": []
}

YANG (XML) payload:
<System>
  <pltfm-items>
    <hwLouResThreshold>5</hwLouResThreshold>
  </pltfm-items>
</System>

The no form of the command resets the threshold to its default. Because the default value is 5, the DME payload that removes the configuration is the same as the one that sets it: writing the default value back to hwLouResThreshold.

Note: This example was added in Release 9.3(1).


CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

no hardware access-list lou resource threshold 5


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO                DN
topSystem         sys
platformEntity    sys/pltfm


platformEntity Properties

The following table contains information about the platformEntity properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name        Data Type        Description                                                  Values
hwLouResThreshold    scalar:Uint16    Hardware LOU (logical operation unit) resource threshold     RANGE: [1, 50]; DEFAULT: 5


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Matching Inner Header Fields In IPinIP/GRE Packets

DME (JSON) payload:

POST http://<mgmt0_IP>/api/mo/sys.json
{
  "topSystem": {
    "children": [
      {
        "platformEntity": {
          "attributes": {
            "accessListMatchInnerHeader": "enable"
}}}]}}

Response:
{
    "imdata": []
}

YANG (XML) payload:
<System>
  <pltfm-items>
    <accessListMatchInnerHeader>enable</accessListMatchInnerHeader>
  </pltfm-items>
</System>

Enables hardware ACL matching on the inner header fields of IPinIP and GRE encapsulated packets. With this setting disabled (the default), ACLs evaluate only the outer (tunnel) header, so an ACL written against the addresses or ports carried inside a tunnel does not match that tunneled traffic.

Note: This example was added in Release 9.3(3).


CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

hardware access-list match inner-header


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO                DN
topSystem         sys
platformEntity    sys/pltfm


platformEntity Properties

The following table contains information about the platformEntity properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name                 Data Type       Description                                                     Values
accessListMatchInnerHeader    scalar:Enum8    Enables or disables hardware access-list match inner-header     SELECTION: enable, disable; DEFAULT: disable


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Disabling Matching of Inner Header Fields In IPinIP/GRE Packets

DME (JSON) payload:

POST http://<mgmt0_IP>/api/mo/sys.json
{
  "topSystem": {
    "children": [
      {
        "platformEntity": {
          "attributes": {
            "accessListMatchInnerHeader": "disable"
}}}]}}

Response:
{
    "imdata": []
}

YANG (XML) payload:
<System>
  <pltfm-items>
    <accessListMatchInnerHeader>disable</accessListMatchInnerHeader>
  </pltfm-items>
</System>

Returns the switch to its default behaviour: ACLs evaluate only the outer header of IPinIP and GRE encapsulated packets.

Note: This example was added in Release 9.3(3).


CLI Commands

The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.

no hardware access-list match inner-header


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO                DN
topSystem         sys
platformEntity    sys/pltfm


platformEntity Properties

The following table contains information about the platformEntity properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name                 Data Type       Description                                                     Values
accessListMatchInnerHeader    scalar:Enum8    Enables or disables hardware access-list match inner-header     SELECTION: enable, disable; DEFAULT: disable


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html