ACE Configuration Examples
This section uses examples to demonstrate many of the ACL configuration options and to show how the REST API payloads correspond to the CLI commands. Each example shows the DME (JSON) payload that is POSTed, the empty imdata response that the switch returns on success, the equivalent YANG (XML) payload, and the equivalent CLI commands. The examples use http://<mgmt0_IP> for brevity; because these payloads change the device's packet-filtering policy, in production enable NX-API over HTTPS with a trusted certificate and authenticate before sending them.
Adding ACE to an Existing IPv4 ACL (deny)
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "acl_tcp"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "deny",
"dstPrefix": "13.235.46.97",
"dstPrefixLength": "9",
"protocol": "udp",
"seqNum": "2",
"srcPrefix": "12.234.56.97",
"srcPrefixLength": "13",
"userSetBit": "1"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>acl_tcp</name>
<seq-items>
<ACE-list>
<seqNum>2</seqNum>
<action>deny</action>
<dstPrefix>13.235.46.97</dstPrefix>
<dstPrefixLength>9</dstPrefixLength>
<protocol>udp</protocol>
<srcPrefix>12.234.56.97</srcPrefix>
<srcPrefixLength>13</srcPrefixLength>
<userSetBit>1</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Adds an ACE to an existing IPv4 ACL that denies (drops) matching UDP packets.
CLI Commands
The CLI commands listed below are equivalent to the DME (JSON) and YANG (XML) payloads shown above.
ip access-list acl_tcp
2 deny udp 12.234.56.97/13 13.235.46.97/9
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
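Every JSON payload in this section has the same shape: an address-family object (ipv4aclAF or ipv6aclAF) containing the ACL (ipv4aclACL, keyed by name) containing the entry (ipv4aclACE), with the CLI keywords appearing as ACE attributes. The following Python script is an added example, not Cisco's code, that builds that payload from an NX-OS ACE line. It covers the keywords used throughout this section (log, fragments, vlan, time-range, http-method, tcp-option-length, vni) and the IPv6 variant, so it serves the later examples as well. The function names, the https:// scheme in payload_url and the userSetBit rule are assumptions: the page shows "1" for entries with prefix lengths and "1572865" for any/any entries, and the meaning of the bits is in the DME model reference, not on this page.

```python
"""Build NX-API DME payloads for ACL entries from NX-OS ACE syntax.

Added example, not Cisco's code. It reproduces the JSON structure used on this
page (ipv4aclAF -> ipv4aclACL -> ipv4aclACE, and the ipv6acl* equivalents) and
maps the CLI keywords shown on the page to the attribute names shown there.
"""
import ipaddress
import json

# CLI keyword -> DME attribute, for keywords that take one value.
VALUE_KEYWORDS = {
    "vlan": "vlan",
    "time-range": "timeRange",
    "http-method": "httpOption",
    "tcp-option-length": "tcpOptionLength",
    "vni": "vni",
}
# CLI keyword -> DME attribute, for flag keywords (the page sets them to "yes").
FLAG_KEYWORDS = {"log": "logging", "fragments": "fragment"}


def parse_address(token, family):
    """Return (prefix, length) for 'any' or 'addr/len'.

    'any' becomes the unspecified address with no length, which is how the
    page's any/any examples appear. Addresses are validated so a typo cannot
    turn into a silently narrower (or wider) filter on the switch.
    """
    if token == "any":
        return ("0.0.0.0" if family == "ipv4" else "0::0"), None
    addr, sep, length = token.partition("/")
    parsed = ipaddress.ip_address(addr)
    if (parsed.version == 4) != (family == "ipv4"):
        raise ValueError(f"{addr} is not an {family} address")
    if not sep:
        length = str(parsed.max_prefixlen)  # bare host -> /32 or /128
    return addr, length


def ace_from_cli(line, family="ipv4"):
    """Translate one ACE line, e.g. '2 deny udp 1.2.3.4/13 5.6.7.8/9 log'."""
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError("expected: <seq> <permit|deny> <protocol> <src> <dst> [options]")
    seq, action, proto, src, dst = tokens[:5]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src_prefix, src_len = parse_address(src, family)
    dst_prefix, dst_len = parse_address(dst, family)
    attrs = {
        "seqNum": seq,
        "action": action,
        "protocol": proto,
        "srcPrefix": src_prefix,
        "dstPrefix": dst_prefix,
        # Assumption mirroring the page: "1" when prefixes carry a length,
        # "1572865" for any/any. The bit meanings are in the DME model reference.
        "userSetBit": "1572865" if src_len is None and dst_len is None else "1",
    }
    if src_len is not None:
        attrs["srcPrefixLength"] = src_len
    if dst_len is not None:
        attrs["dstPrefixLength"] = dst_len
    rest = tokens[5:]
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok in FLAG_KEYWORDS:
            attrs[FLAG_KEYWORDS[tok]] = "yes"
            i += 1
        elif tok in VALUE_KEYWORDS and i + 1 < len(rest):
            attrs[VALUE_KEYWORDS[tok]] = rest[i + 1]
            i += 2
        else:
            # Refuse rather than drop an option: a lost keyword would widen the match.
            raise ValueError(f"unsupported or incomplete option at {tok!r}")
    return attrs


def acl_payload(acl_name, ace_attrs, family="ipv4"):
    """Wrap ACE attributes in the AF -> ACL -> ACE hierarchy the page POSTs."""
    return {
        f"{family}aclAF": {"children": [{
            f"{family}aclACL": {
                "attributes": {"name": acl_name},
                "children": [{f"{family}aclACE": {"attributes": ace_attrs}}],
            }}]}}


def payload_url(mgmt_ip, family="ipv4"):
    """Assumption: NX-API is enabled for HTTPS. The page shows http://, which
    would expose the session and the policy change on the management network."""
    return f"https://{mgmt_ip}/api/mo/sys/acl/{family}.json"


if __name__ == "__main__":
    ace = ace_from_cli("2 deny udp 12.234.56.97/13 13.235.46.97/9")
    print(payload_url("<mgmt0_IP>"))
    print(json.dumps(acl_payload("acl_tcp", ace), indent=2))
```

Run stand-alone it prints the first example's payload; pass family="ipv6" to produce the ipv6aclAF form used by the IPv6 example. Sending the payload is left to the caller so that it can be wrapped in whatever authenticated session the deployment already uses.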
Adding ACE to an Existing IPv6 ACL
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv6.json
{
"ipv6aclAF": {
"children": [
{
"ipv6aclACL": {
"attributes": {
"name": "L1"
},
"children": [
{
"ipv6aclACE": {
"attributes": {
"action": "deny",
"dstPrefix": "3::4",
"dstPrefixLength": "96",
"protocol": "tcp",
"seqNum": "32",
"srcPrefix": "1::2",
"srcPrefixLength": "127",
"userSetBit": "1"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv6-items>
<name-items>
<ACL-list>
<name>L1</name>
<seq-items>
<ACE-list>
<seqNum>32</seqNum>
<action>deny</action>
<dstPrefix>3::4</dstPrefix>
<dstPrefixLength>96</dstPrefixLength>
<protocol>tcp</protocol>
<srcPrefix>1::2</srcPrefix>
<srcPrefixLength>127</srcPrefixLength>
<userSetBit>1</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv6-items>
</acl-items>
</System>
Adds an ACE to an existing IPv6 ACL that denies (drops) matching TCP packets.
CLI Commands
ipv6 access-list L1
32 deny tcp 1::2/127 3::4/96
Adding ACE to an Existing IPv4 ACL (permit)
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "ipv4_test_ace"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "6.6.6.6",
"dstPrefixLength": "4",
"protocol": "udp",
"seqNum": "2",
"srcPrefix": "5.5.5.5",
"srcPrefixLength": "4",
"vni": "15"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>ipv4_test_ace</name>
<seq-items>
<ACE-list>
<seqNum>2</seqNum>
<action>permit</action>
<dstPrefix>6.6.6.6</dstPrefix>
<dstPrefixLength>4</dstPrefixLength>
<protocol>udp</protocol>
<srcPrefix>5.5.5.5</srcPrefix>
<srcPrefixLength>4</srcPrefixLength>
<vni>15</vni>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Adds an ACE to an existing IPv4 ACL that permits (forwards) matching UDP packets. The payload also carries a vni attribute (15), which the CLI line below does not show.
CLI Commands
ip access-list ipv4_test_ace
2 permit udp 5.5.5.5/4 6.6.6.6/4
Configuring ACE with a Log that Matches Against an Entry
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "L1"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "2.2.2.2",
"dstPrefixLength": "3",
"logging": "yes",
"protocol": "tcp",
"seqNum": "20",
"srcPrefix": "1.1.1.1",
"srcPrefixLength": "2",
"userSetBit": "1"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>L1</name>
<seq-items>
<ACE-list>
<seqNum>20</seqNum>
<action>permit</action>
<dstPrefix>2.2.2.2</dstPrefix>
<dstPrefixLength>3</dstPrefixLength>
<logging>true</logging>
<protocol>tcp</protocol>
<srcPrefix>1.1.1.1</srcPrefix>
<srcPrefixLength>2</srcPrefixLength>
<userSetBit>1</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Configures an ACE that logs packets matching the entry.
Note: This example was added in Release 7.0(3)I6(1).
CLI Commands
ip access-list L1
20 permit tcp 1.1.1.1/2 2.2.2.2/3 log
Configuring ACE to Check Non-Initial Fragments
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "L1"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "2.2.2.2",
"dstPrefixLength": "3",
"fragment": "yes",
"protocol": "tcp",
"seqNum": "20",
"srcPrefix": "1.1.1.1",
"srcPrefixLength": "2",
"userSetBit": "1"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>L1</name>
<seq-items>
<ACE-list>
<seqNum>20</seqNum>
<action>permit</action>
<dstPrefix>2.2.2.2</dstPrefix>
<dstPrefixLength>3</dstPrefixLength>
<fragment>true</fragment>
<protocol>tcp</protocol>
<srcPrefix>1.1.1.1</srcPrefix>
<srcPrefixLength>2</srcPrefixLength>
<userSetBit>1</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Configures an ACE that matches non-initial fragments (the fragments keyword).
Note: This example was added in Release 7.0(3)I6(1).
CLI Commands
ip access-list L1
20 permit tcp 1.1.1.1/2 2.2.2.2/3 fragments
Configuring ACE to Match Packets Based on the HTTP Method
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "L1"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "0.0.0.0",
"httpOption": "head",
"protocol": "tcp",
"seqNum": "20",
"srcPrefix": "0.0.0.0",
"userSetBit": "1572865"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>L1</name>
<seq-items>
<ACE-list>
<seqNum>20</seqNum>
<action>permit</action>
<dstPrefix>0.0.0.0</dstPrefix>
<httpOption>head</httpOption>
<protocol>tcp</protocol>
<srcPrefix>0.0.0.0</srcPrefix>
<userSetBit>1572865</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Configures an ACE that matches packets based on the HTTP method (here HEAD).
Note: This example was added in Release 7.0(3)I6(1).
CLI Commands
ip access-list L1
20 permit tcp any any http-method head
Configuring ACE to Make VLAN-Based Matches
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "L1"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "0.0.0.0",
"protocol": "ip",
"seqNum": "40",
"srcPrefix": "0.0.0.0",
"userSetBit": "1572865",
"vlan": "5"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>L1</name>
<seq-items>
<ACE-list>
<seqNum>40</seqNum>
<action>permit</action>
<dstPrefix>0.0.0.0</dstPrefix>
<protocol>ip</protocol>
<srcPrefix>0.0.0.0</srcPrefix>
<userSetBit>1572865</userSetBit>
<vlan>5</vlan>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Configures an ACE that matches only traffic on VLAN 5.
Note: This example was added in Release 7.0(3)I6(1).
CLI Commands
ip access-list L1
40 permit ip any any vlan 5
Configuring ACE to Specify the TCP Options Size
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "ipv4_test_ace"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "0.0.0.0",
"protocol": "tcp",
"seqNum": "20",
"srcPrefix": "0.0.0.0",
"tcpOptionLength": "36",
"userSetBit": "1572865"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>ipv4_test_ace</name>
<seq-items>
<ACE-list>
<seqNum>20</seqNum>
<action>permit</action>
<dstPrefix>0.0.0.0</dstPrefix>
<protocol>tcp</protocol>
<srcPrefix>0.0.0.0</srcPrefix>
<tcpOptionLength>36</tcpOptionLength>
<userSetBit>1572865</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Configures an ACE that matches TCP packets whose options field has the specified length (36 bytes).
Note: This example was added in Release 7.0(3)I6(1).
CLI Commands
ip access-list ipv4_test_ace
20 permit tcp any any tcp-option-length 36
Configuring ACE with a User-Defined Field Match
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "ipv4_test_ace"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "2.2.2.2",
"dstPrefixLength": "2",
"protocol": "ip",
"seqNum": "10",
"srcPrefix": "1.1.1.1",
"srcPrefixLength": "2",
"userSetBit": "1"
},
"children": [
{
"ipv4aclUDF": {
"attributes": {
"udf1Mask": "2",
"udf1Name": "name1",
"udf1Val": "1",
"udf2Mask": "238",
"udf2Name": "name2",
"udf2Val": "255"
}}}]}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>ipv4_test_ace</name>
<seq-items>
<ACE-list>
<seqNum>10</seqNum>
<action>permit</action>
<dstPrefix>2.2.2.2</dstPrefix>
<dstPrefixLength>2</dstPrefixLength>
<protocol>ip</protocol>
<srcPrefix>1.1.1.1</srcPrefix>
<srcPrefixLength>2</srcPrefixLength>
<userSetBit>1</userSetBit>
<udf-items>
<udf1Mask>2</udf1Mask>
<udf1Name>name1</udf1Name>
<udf1Val>1</udf1Val>
<udf2Mask>238</udf2Mask>
<udf2Name>name2</udf2Name>
<udf2Val>255</udf2Val>
</udf-items>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Configures an ACE with a user-defined field (UDF) match. The UDF match is a child object (ipv4aclUDF) of the ACE rather than an ACE attribute, and the values and masks the CLI writes in hex (0xff, 0xee) appear in the payload in decimal (255, 238).
Note: This example was added in Release 7.0(3)I6(1).
CLI Commands
ip access-list ipv4_test_ace
10 permit ip 1.1.1.1/2 2.2.2.2/2 udf name1 0x1 0x2 udf name2 0xff 0xee
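The UDF example differs from the others in two ways: the match lives in a nested ipv4aclUDF child object rather than in ACE attributes, and the CLI's hex values and masks are carried in decimal. The following Python script is an added example, not Cisco's code, that builds that child from the CLI's udf options and renders it back to CLI form so a payload read back from the switch can be compared with the intended access-list line. Its function names are hypothetical, and two things are assumptions: that there are two UDF slots (udf1* and udf2*, the number shown on this page) and that values and masks fit in 16 bits.

```python
"""Build the ipv4aclUDF child object used by the user-defined-field example.

Added example, not Cisco's code. The CLI writes each UDF match as
'udf <name> <value> <mask>' with hex numbers; the page's payload carries the
same numbers in decimal as udf<N>Name / udf<N>Val / udf<N>Mask attributes of
an ipv4aclUDF object nested under the ACE.
"""

# Assumption: two UDF slots, the number shown on this page (udf1*, udf2*).
MAX_UDF_SLOTS = 2
# Assumption: values and masks fit in 16 bits. The range check rejects obvious
# typos before anything is sent to the switch.
MAX_UDF_VALUE = 0xFFFF


def udf_attributes(tokens):
    """['udf', 'name1', '0x1', '0x2', ...] -> {'udf1Name': 'name1', ...}."""
    attrs = {}
    slot = 0
    i = 0
    while i < len(tokens):
        if tokens[i] != "udf" or i + 3 >= len(tokens):
            raise ValueError(f"expected 'udf <name> <value> <mask>' at token {i}")
        name, value, mask = tokens[i + 1:i + 4]
        slot += 1
        if slot > MAX_UDF_SLOTS:
            raise ValueError(f"more than {MAX_UDF_SLOTS} udf matches")
        numbers = {}
        for label, text in (("Val", value), ("Mask", mask)):
            n = int(text, 0)  # accepts 0xff as well as plain decimal
            if not 0 <= n <= MAX_UDF_VALUE:
                raise ValueError(f"udf {label.lower()} {text} out of range")
            numbers[label] = str(n)  # the payload carries decimal strings
        attrs[f"udf{slot}Name"] = name
        attrs[f"udf{slot}Val"] = numbers["Val"]
        attrs[f"udf{slot}Mask"] = numbers["Mask"]
        i += 4
    return attrs


def ace_with_udf(ace_attrs, tokens):
    """Nest the UDF object under the ACE exactly as the page's payload does."""
    return {"ipv4aclACE": {
        "attributes": ace_attrs,
        "children": [{"ipv4aclUDF": {"attributes": udf_attributes(tokens)}}],
    }}


def udf_cli(attrs):
    """Render UDF attributes back to CLI form (hex), for verifying a payload
    read back from the switch against the intended access-list line."""
    parts = []
    for slot in range(1, MAX_UDF_SLOTS + 1):
        name = attrs.get(f"udf{slot}Name")
        if name is None:
            break
        val = int(attrs[f"udf{slot}Val"])
        mask = int(attrs[f"udf{slot}Mask"])
        parts.append(f"udf {name} {val:#x} {mask:#x}")
    return " ".join(parts)


if __name__ == "__main__":
    import json
    # ACE attributes copied from the page's UDF example.
    ace = {"action": "permit", "protocol": "ip", "seqNum": "10",
           "srcPrefix": "1.1.1.1", "srcPrefixLength": "2",
           "dstPrefix": "2.2.2.2", "dstPrefixLength": "2", "userSetBit": "1"}
    options = "udf name1 0x1 0x2 udf name2 0xff 0xee".split()
    print(json.dumps(ace_with_udf(ace, options), indent=2))
```

The udf names (name1, name2) must already be defined on the switch with the udf command; the payload only references them. The round trip udf_cli(udf_attributes(tokens)) reproduces the page's CLI options, which is the check to run after a GET of the ACE before trusting that a pushed UDF match took effect.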
Applying a Time Range to an ACE
POST http://<mgmt0_IP>/api/mo/sys/acl/ipv4.json
{
"ipv4aclAF": {
"children": [
{
"ipv4aclACL": {
"attributes": {
"name": "L1"
},
"children": [
{
"ipv4aclACE": {
"attributes": {
"action": "permit",
"dstPrefix": "2.2.2.2",
"dstPrefixLength": "3",
"protocol": "ip",
"seqNum": "10",
"srcPrefix": "1.1.1.1",
"srcPrefixLength": "2",
"timeRange": "t1",
"userSetBit": "1"
}}}]}}]}}
{
"imdata": []
}
<System>
<acl-items>
<ipv4-items>
<name-items>
<ACL-list>
<name>L1</name>
<seq-items>
<ACE-list>
<seqNum>10</seqNum>
<action>permit</action>
<dstPrefix>2.2.2.2</dstPrefix>
<dstPrefixLength>3</dstPrefixLength>
<protocol>ip</protocol>
<srcPrefix>1.1.1.1</srcPrefix>
<srcPrefixLength>2</srcPrefixLength>
<timeRange>t1</timeRange>
<userSetBit>1</userSetBit>
</ACE-list>
</seq-items>
</ACL-list>
</name-items>
</ipv4-items>
</acl-items>
</System>
Applies the time range t1 to an ACE so that the entry is active only during that range. The time range itself must already exist on the switch; this payload only references it by name.
Note: This example was added in Release 7.0(3)I6(1).
CLI Commands
ip access-list L1
10 permit ip 1.1.1.1/2 2.2.2.2/3 time-range t1