Micro-segmentation for VXLAN Fabrics Using Group Policy Option (GPO)
Network administrators can use micro-segmentation to logically group network resources based on specific criteria. You can use micro-segmentation with security groups and security group ACLs (SGACLs) to create and enforce tailored security policies between specific groups of network resources, regardless of network topology.
Creating Security Group
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
}
}
}
]
}
}
]
}
}
]
}
}
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
<esg-items>
<group-items>
<grp-items>
<GroupInst-list>
<id>50</id>
<name>50</name>
</GroupInst-list>
</grp-items>
</group-items>
</esg-items>
</System>
</config>
</edit-config>
</rpc>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above. The JSON payload is the DME form; the XML payload is the YANG form.
security-group 50 name 50
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
esgGroupInst | sys/esg/group/grp-50 |
Properties
The following table contains information about the fmItd properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Data Type | Description | Values |
---|---|---|---|
id | uint16 | ID of the security-group | Min: 1, Max: 65535 |
name | String: esg_SGName | Name of the security-group | - |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match VLAN
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchVlan": {
"attributes": {
"vlanId": "vlan-2"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
<esg-items>
<group-items>
<grp-items>
<GroupInst-list>
<id>50</id>
<name>50</name>
<selector-items>
<vlan-items xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="create">
<MatchVlan-list>
<vlanId>vlan-2</vlanId>
</MatchVlan-list>
</vlan-items>
</selector-items>
</GroupInst-list>
</grp-items>
</group-items>
</esg-items>
</System>
</config>
</edit-config>
</rpc>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above. The JSON payload is the DME form; the XML payload is the YANG form.
security-group 50 name 50
match vlan 2
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
esgMatchVlan | sys/esg/group/grp-50/selector/vlan-[vlan-2] |
Properties
The following table contains information about the fmItd properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Node Type | Data Type | Description |
---|---|---|---|
vlanId | leaf | string | VLAN ID that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match external-subnets IPv4
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchExternalSubnetV4": {
"attributes": {
"addr": "66.1.1.0/24",
"vrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
<esg-items>
<group-items>
<grp-items>
<GroupInst-list>
<id>50</id>
<name>50</name>
<selector-items>
<extsubnetv4-items xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="create">
<MatchExternalSubnetV4-list>
<vrf>tenant-1</vrf>
<addr>66.1.1.0/24</addr>
</MatchExternalSubnetV4-list>
</extsubnetv4-items>
</selector-items>
</GroupInst-list>
</grp-items>
</group-items>
</esg-items>
</System>
</config>
</edit-config>
</rpc>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above. The JSON payload is the DME form; the XML payload is the YANG form.
security-group 50 name 50
match external-subnets vrf tenant-1 ipv4 66.1.1.0/24
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
esgMatchExternalSubnetV4 | sys/esg/group/grp-50/selector/extsubnetv4-[tenant-1]-[66.1.1.0/24] |
Properties
The following table contains information about the fmItd properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Node Type | Data Type | Base Type | Description |
---|---|---|---|---|
vrf | leaf | l3_VrfName | string | Name of VRF that the prefix belongs to |
addr | leaf | address_Ip | union | IPv4 prefix that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match external-subnets IPv6
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchExternalSubnetV6": {
"attributes": {
"addr": "66:1:2::1/128",
"vrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
<esg-items>
<group-items>
<grp-items>
<GroupInst-list>
<id>50</id>
<name>50</name>
<selector-items>
<extsubnetv6-items>
<MatchExternalSubnetV6-list xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="create">
<vrf>tenant-1</vrf>
<addr>66:1:2::1/128</addr>
</MatchExternalSubnetV6-list>
</extsubnetv6-items>
</selector-items>
</GroupInst-list>
</grp-items>
</group-items>
</esg-items>
</System>
</config>
</edit-config>
</rpc>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above. The JSON payload is the DME form; the XML payload is the YANG form.
security-group 50 name 50
match external-subnets vrf tenant-1 ipv6 66:1:2::1/128
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
esgMatchExternalSubnetV6 | sys/esg/group/grp-50/selector/extsubnetv6-[tenant-1]-[66:1:2::1/128] |
Properties
The following table contains information about the fmItd properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Node Type | Data Type | Base Type | Description |
---|---|---|---|---|
vrf | leaf | l3_VrfName | string | Name of VRF that the prefix belongs to |
addr | leaf | address_Ip | union | IPv6 prefix that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match Connected Endpoints VRF IPv4
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchConnectedEpV4": {
"attributes": {
"addr": "192.168.2.0/24",
"vrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
<esg-items>
<group-items>
<grp-items>
<GroupInst-list>
<id>50</id>
<name>50</name>
<selector-items>
<connectedepv4-items xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="create">
<MatchConnectedEpV4-list>
<vrf>tenant-1</vrf>
<addr>192.168.2.0/24</addr>
</MatchConnectedEpV4-list>
</connectedepv4-items>
</selector-items>
</GroupInst-list>
</grp-items>
</group-items>
</esg-items>
</System>
</config>
</edit-config>
</rpc>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above. The JSON payload is the DME form; the XML payload is the YANG form.
security-group 50 name 50
match connected-endpoints vrf tenant-1 ipv4 192.168.2.0/24
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
esgMatchConnectedEpV4 | sys/esg/group/grp-50/selector/connectedepv4-[tenant-1]-[192.168.2.0/24] |
Properties
The following table contains information about the fmItd properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Node Type | Data Type | Base Type | Description |
---|---|---|---|---|
vrf | leaf | l3_VrfName | string | Name of VRF that the prefix belongs to |
addr | leaf | address_Ip | union | IPv4 prefix that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Match Connected Endpoints VRF IPv6
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgGroupEntity": {
"children": [
{
"esgGroupInst": {
"attributes": {
"id": "50",
"name": "50"
},
"children": [
{
"esgSelectorEntity": {
"children": [
{
"esgMatchConnectedEpV6": {
"attributes": {
"addr": "192:168:1::2/128",
"vrf": "tenant-1"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
<esg-items>
<group-items>
<grp-items>
<GroupInst-list>
<id>50</id>
<name>50</name>
<selector-items>
<connectedepv6-items xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="create">
<MatchConnectedEpV6-list>
<vrf>tenant-1</vrf>
<addr>192:168:1::2/128</addr>
</MatchConnectedEpV6-list>
</connectedepv6-items>
</selector-items>
</GroupInst-list>
</grp-items>
</group-items>
</esg-items>
</System>
</config>
</edit-config>
</rpc>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above. The JSON payload is the DME form; the XML payload is the YANG form.
security-group 50 name 50
match connected-endpoints vrf tenant-1 ipv6 192:168:1::2/128
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
esgMatchConnectedEpV6 | sys/esg/group/grp-50/selector/connectedepv6-[tenant-1]-[192:168:1::2/128] |
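The following added example (not part of the original Cisco page) derives the DN to query for every group and selector MO in a DME payload, generalizing the per-selector DN tables in the sections above. It rejects a group ID outside 1 to 65535 and a prefix whose address family does not match the selector class; the function names and the combined sample payload are constructed for illustration.

```python
import ipaddress
import json

# MO class -> (RN prefix, required IP version). RN formats come from the DN
# tables on this page; a VLAN selector has no address to check.
SELECTORS = {
    "esgMatchVlan": ("vlan", None),
    "esgMatchExternalSubnetV4": ("extsubnetv4", 4),
    "esgMatchExternalSubnetV6": ("extsubnetv6", 6),
    "esgMatchConnectedEpV4": ("connectedepv4", 4),
    "esgMatchConnectedEpV6": ("connectedepv6", 6),
}

# Constructed sample: one group combining selector values used on this page.
SAMPLE = json.loads("""
{"topSystem": {"children": [{"esgEntity": {"children": [{"esgGroupEntity":
 {"children": [{"esgGroupInst": {"attributes": {"id": "50", "name": "50"},
  "children": [{"esgSelectorEntity": {"children": [
   {"esgMatchVlan": {"attributes": {"vlanId": "vlan-2"}}},
   {"esgMatchExternalSubnetV4": {"attributes":
     {"addr": "66.1.1.0/24", "vrf": "tenant-1"}}},
   {"esgMatchConnectedEpV6": {"attributes":
     {"addr": "192:168:1::2/128", "vrf": "tenant-1"}}}
  ]}}]}}]}}]}}]}}
""")


def _children(body):
    """Yield (class name, body) for each child MO of a DME object."""
    for child in body.get("children", []):
        yield from child.items()


def selector_rn(cls, attrs):
    """Build the relative name of one selector MO, validating its prefix."""
    if cls not in SELECTORS:
        raise ValueError(f"unknown selector class {cls}")
    prefix, version = SELECTORS[cls]
    if version is None:
        return f"{prefix}-[{attrs['vlanId']}]"
    # ip_network raises ValueError on a malformed prefix.
    net = ipaddress.ip_network(attrs["addr"], strict=False)
    if net.version != version:
        raise ValueError(f"{cls}: {attrs['addr']} is not IPv{version}")
    return f"{prefix}-[{attrs['vrf']}]-[{attrs['addr']}]"


def expected_dns(payload):
    """Return [(class, DN)] for every group and selector in the payload."""
    dns = []

    def walk(body):
        for cls, child in _children(body):
            if cls != "esgGroupInst":
                walk(child)
                continue
            gid = int(child["attributes"]["id"])
            if not 1 <= gid <= 65535:  # range from the Properties table
                raise ValueError(f"security-group id {gid} out of range")
            group_dn = f"sys/esg/group/grp-{gid}"
            dns.append((cls, group_dn))
            for sel_cls, sel in _children(child):
                if sel_cls != "esgSelectorEntity":
                    continue
                for m_cls, m in _children(sel):
                    rn = selector_rn(m_cls, m["attributes"])
                    dns.append((m_cls, f"{group_dn}/selector/{rn}"))

    walk(payload["topSystem"])
    return dns


if __name__ == "__main__":
    for mo_class, dn in expected_dns(SAMPLE):
        print(f"{mo_class:28} {dn}")
```

Running the check before posting a payload gives the list of DNs to GET afterwards, so a selector that was silently dropped shows up as a missing object.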
Properties
The following table contains information about the fmItd properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Node Type | Data Type | Base Type | Description |
---|---|---|---|---|
vrf | leaf | l3_VrfName | string | Name of VRF that the prefix belongs to |
addr | leaf | address_Ip | union | IPv6 prefix that needs to be classified in this security-group |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring Security Contracts (SGACL) Between Security Groups
{
"topSystem": {
"children": [
{
"esgEntity": {
"children": [
{
"esgDom": {
"attributes": {
"defaultAction": "deny",
"name": "vxlan-900101",
"pcTag": "101",
"securityMode": "enforced"
},
"children": [
{
"esgContractEntity": {
"children": [
{
"esgContract": {
"attributes": {
"dPcTag": "5002",
"direction": "bi-dir",
"policyMap": "PlMapvxlan-900101",
"sPcTag": "1001"
}
}
},
{
"esgContract": {
"attributes": {
"dPcTag": "5001",
"direction": "bi-dir",
"policyMap": "PlMapvxlan-900101",
"sPcTag": "1001"
}
}
}
]
}
}
]
}
}
]
}
},
{
"l3Inst": {
"attributes": {
"encap": "vxlan-900101",
"l3vni": "no",
"name": "vxlan-900101"
}
}
}
]
}
}
ESG Configuration
<GroupInst-list>
<id>5113</id>
<name>tag5113</name>
<selector-items>
<connectedepv4-items>
<MatchConnectedEpV4-list>
<vrf>vxlan-900157</vrf>
<addr>5.1.113.0/24</addr>
</MatchConnectedEpV4-list>
</connectedepv4-items>
<connectedepv6-items>
<MatchConnectedEpV6-list>
<vrf>vxlan-900157</vrf>
<addr>5:1:0:71::/64</addr>
</MatchConnectedEpV6-list>
</connectedepv6-items>
<extsubnetv4-items>
<MatchExternalSubnetV4-list>
<vrf>vxlan-900157</vrf>
<addr>50.110.57.0/24</addr>
</MatchExternalSubnetV4-list>
</extsubnetv4-items>
<extsubnetv6-items>
<MatchExternalSubnetV6-list>
<vrf>vxlan-900157</vrf>
<addr>50:110:1:39::/64</addr>
</MatchExternalSubnetV6-list>
</extsubnetv6-items>
</selector-items>
</GroupInst-list>
<GroupInst-list>
<id>5073</id>
<name>tag5073</name>
<selector-items>
<connectedepv4-items>
<MatchConnectedEpV4-list>
<vrf>vxlan-900137</vrf>
<addr>5.1.73.0/24</addr>
</MatchConnectedEpV4-list>
</connectedepv4-items>
<connectedepv6-items>
<MatchConnectedEpV6-list>
<vrf>vxlan-900137</vrf>
<addr>5:1:0:49::/64</addr>
</MatchConnectedEpV6-list>
</connectedepv6-items>
<extsubnetv4-items>
<MatchExternalSubnetV4-list>
<vrf>vxlan-900137</vrf>
<addr>50.110.37.0/24</addr>
</MatchExternalSubnetV4-list>
</extsubnetv4-items>
<extsubnetv6-items>
<MatchExternalSubnetV6-list>
<vrf>vxlan-900137</vrf>
<addr>50:110:1:25::/64</addr>
</MatchExternalSubnetV6-list>
</extsubnetv6-items>
</selector-items>
</GroupInst-list>
<GroupInst-list>
<id>5475</id>
<name>tag5475</name>
<selector-items>
<vlan-items>
<MatchVlan-list>
<vlanId>vlan-1475</vlanId>
</MatchVlan-list>
</vlan-items>
</selector-items>
</GroupInst-list>
ClassMap
<ClassMapInst-list>
<name>clMapvxlan-900157</name>
<entry-items>
<ClassMapFilterEntry-list>
<name>l3:ipv6-l4:udp-spfrom:500-spto:500-dpfrom:1000-dpto:1000</name>
<applyToFrag>false</applyToFrag>
<arpOpc>unspecified</arpOpc>
<dFromPort>1000</dFromPort>
<dToPort>1000</dToPort>
<etherT>ipv6</etherT>
<icmpv4T>255</icmpv4T>
<icmpv6T>0</icmpv6T>
<matchDPortZero>false</matchDPortZero>
<matchDscp>64</matchDscp>
<matchSPortZero>false</matchSPortZero>
<prot>17</prot>
<sFromPort>500</sFromPort>
<sToPort>500</sToPort>
<stateful>false</stateful>
</ClassMapFilterEntry-list>
<ClassMapFilterEntry-list>
<name>l3:ipv6-l4:udp-spfrom:489-spto:489-dpfrom:500-dpto:500</name>
<applyToFrag>false</applyToFrag>
<arpOpc>unspecified</arpOpc>
<dFromPort>500</dFromPort>
<dToPort>500</dToPort>
<etherT>ipv6</etherT>
<icmpv4T>255</icmpv4T>
<icmpv6T>0</icmpv6T>
<matchDPortZero>false</matchDPortZero>
<matchDscp>64</matchDscp>
<matchSPortZero>false</matchSPortZero>
<prot>17</prot>
<sFromPort>489</sFromPort>
<sToPort>489</sToPort>
<stateful>false</stateful>
</ClassMapFilterEntry-list>
</entry-items>
</ClassMapInst-list>
PolicyMap
<PolicyMapInst-list>
<name>PlMapvxlan-900157</name>
<cmap-items>
<MatchClassMap-list>
<name>clMapvxlan-900157</name>
<countAction>true</countAction>
<forwardingAction>permit</forwardingAction>
<logAction>false</logAction>
</MatchClassMap-list>
</cmap-items>
</PolicyMapInst-list>
Contracts
<Dom-list>
<name>vxlan-900157</name>
<contract-items>
<sgt-items>
<Contract-list>
<sPcTag>5113</sPcTag>
<dPcTag>10113</dPcTag>
<policyMap>PlMapvxlan-900157</policyMap>
<direction>bi-dir</direction>
</Contract-list>
<Contract-list>
<sPcTag>1113</sPcTag>
<dPcTag>5113</dPcTag>
<policyMap>PlMapvxlan-900157</policyMap>
<direction>bi-dir</direction>
</Contract-list>
<Contract-list>
<sPcTag>1114</sPcTag>
<dPcTag>5114</dPcTag>
<policyMap>PlMapvxlan-900157</policyMap>
<direction>bi-dir</direction>
</Contract-list>
<Contract-list>
<sPcTag>5114</sPcTag>
<dPcTag>10113</dPcTag>
<policyMap>PlMapvxlan-900157</policyMap>
<direction>bi-dir</direction>
</Contract-list>
<Contract-list>
<sPcTag>4114</sPcTag>
<dPcTag>5114</dPcTag>
<policyMap>PlMapvxlan-900157</policyMap>
<direction>bi-dir</direction>
</Contract-list>
</sgt-items>
</contract-items>
<defaultAction>deny</defaultAction>
<pcTag>151</pcTag>
<securityMode>enforced</securityMode>
</Dom-list>
Note: The property information for this example was added in Release 10.4(3).
CLI Commands
The CLI commands are equivalent to the payload examples shown above. The JSON payload is the DME form; the XML payload is the YANG form.
vrf context vxlan-900101
vni 900101
security contract source 1001 destination 5001 policy PlMapvxlan-900101
security contract source 1001 destination 5002 policy PlMapvxlan-900101
security enforce tag 101 default deny
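The following added example (not Cisco's code) audits contract configuration in the YANG XML form shown above: each domain must be `enforced` with a `deny` default, every contract must reference a defined policy map, and every policy map a defined class map. It assumes that sPcTag and dPcTag carry security-group IDs, as the 5113 group and contract above suggest; the `<audit-sample>` wrapper, the `PlMapvxlan-900999` contract and the `vxlan-constructed` domain are constructed for the test.

```python
import xml.etree.ElementTree as ET

# Constructed sample: values trimmed from this page's XML fragments, wrapped in
# a hypothetical <audit-sample> root. The PlMapvxlan-900999 contract and the
# "vxlan-constructed" domain are invented to trigger findings.
SAMPLE = """<audit-sample>
 <GroupInst-list><id>5113</id><name>tag5113</name></GroupInst-list>
 <GroupInst-list><id>5073</id><name>tag5073</name></GroupInst-list>
 <GroupInst-list><id>5475</id><name>tag5475</name></GroupInst-list>
 <ClassMapInst-list><name>clMapvxlan-900157</name></ClassMapInst-list>
 <PolicyMapInst-list><name>PlMapvxlan-900157</name><cmap-items>
  <MatchClassMap-list><name>clMapvxlan-900157</name>
   <forwardingAction>permit</forwardingAction></MatchClassMap-list>
 </cmap-items></PolicyMapInst-list>
 <Dom-list><name>vxlan-900157</name><contract-items><sgt-items>
  <Contract-list><sPcTag>5113</sPcTag><dPcTag>10113</dPcTag>
   <policyMap>PlMapvxlan-900157</policyMap><direction>bi-dir</direction></Contract-list>
  <Contract-list><sPcTag>5073</sPcTag><dPcTag>5475</dPcTag>
   <policyMap>PlMapvxlan-900999</policyMap><direction>bi-dir</direction></Contract-list>
 </sgt-items></contract-items>
 <defaultAction>deny</defaultAction><pcTag>151</pcTag>
 <securityMode>enforced</securityMode></Dom-list>
 <Dom-list><name>vxlan-constructed</name><pcTag>152</pcTag></Dom-list>
</audit-sample>"""


def _text(node, tag):
    """Text of a direct child element, or None when it is absent or empty."""
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else None


def audit(xml_text):
    """Return [(scope, check, detail)] findings for a GPO configuration."""
    root = ET.fromstring(xml_text)
    group_ids = {_text(g, "id") for g in root.iter("GroupInst-list")}
    class_maps = {_text(c, "name") for c in root.iter("ClassMapInst-list")}
    policy_maps = {
        _text(p, "name"): [_text(m, "name") for m in p.iter("MatchClassMap-list")]
        for p in root.iter("PolicyMapInst-list")
    }
    findings = []
    # A policy map that names a missing class map matches nothing it intends.
    for pmap, cmaps in policy_maps.items():
        for cmap in cmaps:
            if cmap not in class_maps:
                findings.append((pmap, "undefined-class-map", cmap))
    for dom in root.iter("Dom-list"):
        name = _text(dom, "name")
        # Allow-list posture: enforced mode with an explicit deny default.
        default = _text(dom, "defaultAction")
        if default != "deny":
            findings.append((name, "default-action", f"defaultAction={default}"))
        mode = _text(dom, "securityMode")
        if mode != "enforced":
            findings.append((name, "security-mode", f"securityMode={mode}"))
        for contract in dom.iter("Contract-list"):
            pmap = _text(contract, "policyMap")
            if pmap not in policy_maps:
                findings.append((name, "undefined-policy-map", pmap))
            # Review item, not an error: the group may be defined elsewhere.
            for tag in (_text(contract, "sPcTag"), _text(contract, "dPcTag")):
                if tag not in group_ids:
                    findings.append((name, "tag-without-group", tag))
    return findings


if __name__ == "__main__":
    for scope, check, detail in audit(SAMPLE):
        print(f"{scope:20} {check:22} {detail}")
```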
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
MO | DN |
---|---|
- | - |
Properties
The following table contains information about the fmItd properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.
Property Name | Node Type | Data Type | Base Type | Description |
---|---|---|---|---|
- | - | - | - | - |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
For detailed information about classes and attributes in the payload, see the NX-API DME Model Reference: https://developer.cisco.com/media/dme/index.html
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide: