ACL Configuration Examples

This section contains payload examples and CLIs to demonstrate how to use the NX-API REST API to configure IP ACLs on Cisco Nexus 3000 and 9000 Series switches and to show how the REST APIs correspond to the CLI commands. For more information, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 7.x.

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-installation-and-configuration-guides-list.html/

Configuring IPv4 and IPv6 Access Lists

POST http://<mgmt0_IP>/api/mo/sys.json
{
  "topSystem": {
    "children": [
      {
        "aclEntity": {
          "children": [
            {
              "ipv6aclAF": {
                "children": [
                  {
                    "ipv6aclACL": {
                      "attributes": {
                        "name": "acl_ipv6"
                      }
                    }
                  }
                ]
              }
            },
            {
              "ipv4aclAF": {
                "children": [
                  {
                    "ipv4aclACL": {
                      "attributes": {
                        "name": "acl_tcp"
                      }
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  }
}

Response:
{
    "imdata": []
}

Equivalent YANG (XML) payload:
<System>
  <acl-items>
    <ipv6-items>
      <name-items>
        <ACL-list>
          <name>acl_ipv6</name>
        </ACL-list>
      </name-items>
    </ipv6-items>
    <ipv4-items>
      <name-items>
        <ACL-list>
          <name>acl_tcp</name>
        </ACL-list>
      </name-items>
    </ipv4-items>
  </acl-items>
</System>

You can create an IPv4 ACL or IPv6 ACL on the device and add rules to it.


CLI Commands

The CLI commands and options listed below are equivalent to the JSON (DME) and XML (YANG) payloads shown above.

ip access-list acl_tcp
ipv6 access-list acl_ipv6

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
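The following Python script is an added example and is not part of the Cisco guide. It builds the same topSystem/aclEntity payload shown above for any number of IPv4 and IPv6 ACL names (the page shows one of each), logs in to NX-API, posts the payload to /api/mo/sys.json, and treats a non-empty imdata array as a rejected request. The login endpoint /api/aaaLogin.json, the APIC-cookie session cookie and the shape of an error entry inside imdata are assumptions drawn from NX-API DME conventions rather than from this page; the management address and credentials are placeholders.

```python
"""Added example: create IPv4/IPv6 ACL objects through the NX-API DME REST interface."""
import json
import urllib.request


def build_acl_payload(ipv4_names=(), ipv6_names=()):
    """Build the topSystem > aclEntity > ipv6aclAF/ipv4aclAF > *aclACL tree that
    is POSTed to /api/mo/sys.json. Generalises the page's payload to any number
    of ACL names per address family; the IPv6 branch is emitted first, as on the page."""
    af_children = []
    if ipv6_names:
        af_children.append({"ipv6aclAF": {"children": [
            {"ipv6aclACL": {"attributes": {"name": n}}} for n in ipv6_names]}})
    if ipv4_names:
        af_children.append({"ipv4aclAF": {"children": [
            {"ipv4aclACL": {"attributes": {"name": n}}} for n in ipv4_names]}})
    return {"topSystem": {"children": [{"aclEntity": {"children": af_children}}]}}


def response_errors(body):
    """Return error strings found in a DME response body.

    The page shows the success response {"imdata": []}. A rejected request is
    assumed (NX-API DME convention, not shown on the page) to carry
    {"imdata": [{"error": {"attributes": {"code": "...", "text": "..."}}}]}.
    """
    errors = []
    for item in body.get("imdata", []):
        if isinstance(item, dict) and "error" in item:
            attrs = item["error"].get("attributes", {})
            errors.append(f"{attrs.get('code', '?')}: {attrs.get('text', '')}")
    return errors


class NxapiDmeClient:
    """Minimal NX-API DME client: cookie login, then JSON POSTs of MO payloads."""

    def __init__(self, mgmt_ip, username, password, scheme="https"):
        # Prefer HTTPS so credentials and the session cookie are not sent in clear text.
        self.base = f"{scheme}://{mgmt_ip}"
        self.cookie = None
        self._login(username, password)

    def _post(self, path, body):
        req = urllib.request.Request(
            self.base + path, data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json"})
        if self.cookie:
            req.add_header("Cookie", self.cookie)
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read().decode())

    def _login(self, username, password):
        # Assumption: /api/aaaLogin.json returns the session token under
        # imdata[0].aaaLogin.attributes.token, which is sent back as APIC-cookie.
        body = {"aaaUser": {"attributes": {"name": username, "pwd": password}}}
        reply = self._post("/api/aaaLogin.json", body)
        token = reply["imdata"][0]["aaaLogin"]["attributes"]["token"]
        self.cookie = f"APIC-cookie={token}"

    def post_mo(self, path, body):
        """POST a managed-object payload and raise if the switch reports an error."""
        reply = self._post(path, body)
        errors = response_errors(reply)
        if errors:
            raise RuntimeError("NX-API rejected the payload: " + "; ".join(errors))
        return reply


if __name__ == "__main__":
    # Placeholders: replace with the switch's mgmt0 address and a configuration-capable account.
    client = NxapiDmeClient("<mgmt0_IP>", "<username>", "<password>")
    payload = build_acl_payload(ipv4_names=["acl_tcp"], ipv6_names=["acl_ipv6"])
    print(json.dumps(payload, indent=2))
    client.post_mo("/api/mo/sys.json", payload)  # equivalent of the two CLI commands above
```

The page's URLs use plain http; the client defaults to https so that the login credentials and the session cookie, which grants configuration rights on the switch, are not exposed on the management network.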

Configuring a MAC Access List

POST http://<mgmt0_IP>/api/mo/sys/acl/mac.json
{
  "macaclAF": {
    "children": [
      {
        "macaclACL": {
          "attributes": {
            "name": "ListName"
          }
        }
      }
    ]
  }
}

Response:
{
    "imdata": []
}

Equivalent YANG (XML) payload:
<System>
  <acl-items>
    <mac-items>
      <name-items>
        <ACL-list>
          <name>ListName</name>
        </ACL-list>
      </name-items>
    </mac-items>
  </acl-items>
</System>

Configures a MAC access list.

Note: This example was added in Release 7.0(3)I6(1).


CLI Command

The CLI command below is equivalent to the JSON (DME) and XML (YANG) payloads shown above.

mac access-list ListName

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Applying Access Control to a List of VLANs

POST http://<mgmt0_IP>/api/mo/sys/acl/vlan-vacl1.json
{
  "aclVLANACL": {
    "attributes": {
      "name": "vacl1"
    },
    "children": [
      {
        "aclVLANList": {
          "attributes": {
            "list": "1-10",
            "operation": "apply"
          }
        }
      }
    ]
  }
}

Response:
{
    "imdata": []
}

Equivalent YANG (XML) payload:
<System>
  <acl-items>
    <vlan-items>
      <VLANACL-list>
        <name>vacl1</name>
        <vlanlist-items>
          <list>1-10</list>
          <operation>apply</operation>
        </vlanlist-items>
      </VLANACL-list>
    </vlan-items>
  </acl-items>
</System>

Applies access control to a list of VLANs.


CLI Command

The CLI command below is equivalent to the JSON (DME) and XML (YANG) payloads shown above.

vlan filter vacl1 vlan-list 1-10

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
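The following Python code is an added example, not part of the Cisco guide. It validates an NX-OS style VLAN list before it is sent to the switch, builds the aclVLANACL/aclVLANList payload and the /api/mo/sys/acl/vlan-<name>.json path shown above for any VLAN list (the page shows only "1-10"), and renders the equivalent vlan filter CLI line. The VLAN ID range 1 to 4094 is the 802.1Q range; only the "apply" operation value shown on the page is used, and the helper does not enumerate other operation values.

```python
"""Added example: validate a VLAN list and build the VLAN filter (VACL apply) payload."""

VLAN_MIN, VLAN_MAX = 1, 4094  # valid 802.1Q VLAN ID range


def parse_vlan_list(text):
    """Expand an NX-OS style list such as "1-10,20,30-35" into sorted VLAN IDs.

    Out-of-range, reversed or malformed entries raise ValueError here, so a
    typo cannot reach the switch and silently apply the VACL to the wrong VLANs.
    """
    ids = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            raise ValueError("empty element in VLAN list")
        lo, sep, hi = part.partition("-")
        if sep and not hi:
            raise ValueError(f"open-ended range {part!r}")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (VLAN_MIN <= lo_i <= hi_i <= VLAN_MAX):
            raise ValueError(f"bad VLAN range {part!r}")
        ids.update(range(lo_i, hi_i + 1))
    return sorted(ids)


def format_vlan_list(ids):
    """Collapse VLAN IDs back into range notation, e.g. [1,2,3,5,6] -> "1-3,5-6"."""
    ids = sorted(set(ids))
    out = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(out)


def build_vlan_filter(name, vlan_list, operation="apply"):
    """Return (URL path, payload) for aclVLANACL > aclVLANList as on the page.

    The list is canonicalised (sorted, merged ranges) after validation.
    """
    canonical = format_vlan_list(parse_vlan_list(vlan_list))
    payload = {
        "aclVLANACL": {
            "attributes": {"name": name},
            "children": [
                {"aclVLANList": {"attributes": {"list": canonical, "operation": operation}}}
            ],
        }
    }
    return f"/api/mo/sys/acl/vlan-{name}.json", payload


def to_cli(name, vlan_list):
    """Render the CLI equivalent of the payload, e.g. "vlan filter vacl1 vlan-list 1-10"."""
    return f"vlan filter {name} vlan-list {format_vlan_list(parse_vlan_list(vlan_list))}"


if __name__ == "__main__":
    import json
    path, body = build_vlan_filter("vacl1", "1-10")
    print("POST http://<mgmt0_IP>" + path)   # <mgmt0_IP> is the page's placeholder
    print(json.dumps(body, indent=2))
    print(to_cli("vacl1", "1-10"))
```

Canonicalising the list before posting also makes later audits easier: the value stored on the switch matches what the configuration repository holds, so a diff of intended versus running VACL scope is a plain string comparison.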