Open NX-OS

The ACL module includes APIs that provide basic network security for the Cisco NX-9000 Series switches, by creating access control lists (ACLs). The ACLs restrict IPv4 or IPv6 traffic based on configured IP filters, which contains rules to match an IP packet. If the packet matches, the rule specifies whether the packet is permitted or denied.

The ACL Module contains three classes:

  • ACL class: This is the base class for the IPv4ACL class and the IPv6ACL class.
  • IPv4ACL class: Use the IPv4ACL class to configure IPv4 ACLs.
  • IPv6ACL class: Use the IPv6ACL class to configure IPv6 ACLs.
Method Resolution Order
  • IPv4ACL or IPv6ACL
  • ACL
  • __builtin__.object

ACL Class

The ACL class is the base class for the IPv4ACL class and the IPv6ACL class.

python
CopyACL(object)

Example:
>>> import cisco
>>> from cisco.acl import *
>>> acltest = ACL("ip", "aclv4")

Arguments:

  • proto:
  • name:

Note: The following methods are inherited by the IPv4ACL class and the IPv6ACL class and should be used in those classes.

create

Use the create method to create the ACL associated with this object.

python
Copycreate(self)

Example:
>>> import cisco
>>> from cisco.acl import *
>>> acltest = ACL("ip", "aclv4")
>>> acltest.create()
True

Arguments: None

Returns: True on success

delete

Use the delete method to delete the ACL associated with this object.

python
Copydelete(self)

Example:
>>> acltest.delete()
True
>>> acltest.show()

['']

Arguments: None

Returns: True on success

delete_entry

Use the delete_entry method to delete a particular entry in this ACL by specifying the sequence number.

python
Copydelete_entry(self, sequence)

Example:
>>> acltest.delete_entry(10)
True
>>> acltest.show()

IP access list acltest
    20 permit tcp 1.1.1.1/32 2.2.2.2/32 
    30 remark Net 1 to Net 2

['', 'IP access list acltest', '\t20 permit tcp 1.1.1.1/32 2.2.2.2/32 ', '\t30 remark Net 1 to Net 2', '']

Arguments:

  • sequence: The line number in the ACL definition. An integer ranging from 1 to 4294967295.

Returns: True on success

load

Use the load method to set the per-entry statistics for the ACL.

python
Copyload(self)

Example:
>>> acltest.load()

set_per_entry_statistic

Set the per-entry statistics for this ACL. To remove this configuration, set the optional 'no' argument to True.

python
Copyset_per_entry_statistic(self, **kwargs)

Example:
>>> acltest.set_per_entry_statistic()
True

Arguments: None

Optional Arguments:

  • no: A boolean, set to True to remove the per-entry statistics.

Returns: True on success

set_remark

Use the set_remark method to specify a remark about the ACL. To remove a remark, set the optional 'no' argument to True.

python
Copyset_remark(self, remark, **kwargs)

Example:
>>> acltest.set_remark("Net 1 to Net 2")
True

Arguments:

  • remark: A string containing the remark

Optional Arguments:

  • no: A boolean, set to True to remove a particular remark.

  • sequence: An Integer, the sequence number (line number) where the remark will be placed in the ACL definition. If the sequence is not specified, the remark will be placed at the end.

Returns: True on success

show

Use the show method to show the currently configured entries in the ACL.

python
Copyshow(self)

Example:
>>> acltest.show()

IP access list acltest
    10 deny tcp 1.1.1.1/32 3.2.2.2/32 
    20 permit tcp 1.1.1.1/32 2.2.2.2/32 
    30 remark Net 1 to Net 2

['', 'IP access list acltest', '\t10 deny tcp 1.1.1.1/32 3.2.2.2/32 ', '\t20 permit tcp 1.1.1.1/32 2.2.2.2/32 ', '\t30 remark Net 1 to Net 2', '']

Arguments: None

Returns: Outputs the ACL entries

IPv4ACL Class

Use this class to configure the IPv4 ACL.

python
CopyIPv4ACL(ACL)

Example:
>>> from cisco.acl import *
>>> aclv4 = IPv4ACL("aclv4")

Arguments:

  • name:

Returns: An IPv4ACL object

Note: See also: methods of the ACL Class, which are inherited by the IPv4ACL class.

deny

Use the deny method to specify packets to reject. To stop rejecting particular packet types set the optional 'no' argument to True.

python
Copydeny(self, protocol, source, destination, sport_qualifier=None, sport=None, dport_qualifier=None, dport=None, **kwargs)

Examples:
    aclv4.deny("tcp", "1.1.1.1", "3.2.2.2")
    aclv4.deny("tcp", "1.1.1.2", "3.2.2.2", sequence=50, dscp=50)
    aclv4.deny("tcp", "1.1.1.3", "3.2.2.2", fragments=True, precedence=3)

    
>>> from cisco.acl import *
>>> aclv4 = IPv4ACL("aclv4")
>>> aclv4.deny("tcp", "1.1.1.1", "3.2.2.2")
True

Arguments:

  • protocol: An integer ranging from 0 to 255 representing the protocol number, or a string representing the protocol name.

  • source: A string representing the source ip address or network in either CIDR notation or dotted quad. E.g. 'any', '192.0.2.0', '192.0.2.0/24', '192.0.2.0 255.255.255.0'. For a network can also specify wildcard bits. E.g. '192.0.2.0 255.0.7.255'

  • sport_qualifier: A string that qualifies the source port. Valid qualifiers are: eq, gt, lt, host, neg, range

  • sport: A source port or a range of source ports in an array. Port needs to be a number or its string representation. Valid string representations are: bgp, discard, exec, gopher, klogin, nntp, smtp, telnet, www, chargen, domain, finger, hostname, kshell, pim-auto-rp, sunrpc, time, cmd, drip, ftp, ident, login, pop2, tacacs, uucp, daytime, echo, ftp-data, irc, lpd, pop3, talk, whoi

  • destination: A string representing the source ip address or network in either CIDR notation or dotted quad. E.g. 'any', '192.0.2.0', '192.0.2.0/24', '192.0.2.0 255.255.255.0'. For a network can also specify wildcard bits. E.g. '192.0.2.0 255.0.7.255'

  • dport_qualifier: A string that qualifies the destination port. Valid qualifiers are: eq, gt, lt, host, neg, range

  • dport: A source port or a range of destination ports in an array. Port needs to be a number or its string representation. Valid string representations are: bgp, discard, exec, gopher, klogin, nntp, smtp, telnet, www, chargen, domain, finger, hostname, kshell, pim-auto-rp, sunrpc, time, cmd, drip, ftp, ident, login, pop2, tacacs, uucp, daytime, echo, ftp-data, irc, lpd, pop3, talk, whois

Optional Arguments:

  • sequence: an integer ranging from 1 to 4294967295 where this rule will be placed.

  • dscp: An integer ranging from 0 to 63 or a string represting the type of dscp. Use this to match packets with a particular dscp value. You cannot specify both dscp and precedence.

  • precedence: An integer ranging from 0 to 7 or a string representing the precedence type. Use this to match packets with a particular precedence value. You cannot specify both dscp and precedence.

  • fragments: A boolean, set to True to check non-initial fragments.

  • time-range: A time range name.

  • packet_length_qualifier: Match packets based on layer 3 packet length. Valid qualifiers are: eq, gt, lt, neq, range.

  • packet_length: Packet length in between 20 and 9210. If qualifier is range, min and max length needs to be provided through a list.

  • tcp_match_bit: TCP match bits in a list. Valid bits are: ack, established, psh, syn, fin, rst, urg

  • icmp_message_type: Icmp packet message type. Valid message types are: administratively-prohibited, host-tos-redirect, net-unreachable, router-advertisement, alternate-address, host-tos-unreachable, network-unknown, router-solicitation, conversion-error, host-unknown, no-room-for-option, source-quench, dod-host-prohibited, host-unreachable, option-missing, source-route-failed, dod-net-prohibited, information-reply, time-exceeded, information-request, packet-too-big, echo, parameter-problem, timestamp-reply, echo-reply, mask-reply, port-unreachable, timestamp-request, mask-request, traceroute, general-parameter-problem, mobile-redirect, precedence-unreachable, ttl-exceeded, host-isolated, net-redirect, protocol-unreachable, unreachable, host-precedence-unreachable, net-tos-redirect, reassembly-timeout, host-redirect, net-tos-unreachable, redirect

  • no: A boolean, set to True to stop rejecting particular packet types.

Returns: True on Success

permit

Use the permit method to set up a permit ACL.

python
Copypermit(self, protocol, source, destination, sport_qualifier=None, sport=None, dport_qualifier=None, dport=None, **kwargs)

Examples:
    aclv4.permit("tcp", "1.1.1.1", "3.2.2.2")
    aclv4.permit("tcp", "1.1.1.2", "3.2.2.2", sequence=50, dscp=50)
    aclv4.permit("tcp", "1.1.1.3", "3.2.2.2", fragments=True, precedence=3)

>>> from cisco.acl import *
>>> aclv4 = IPv4ACL("aclv4")
>>> aclv4.permit("tcp", "1.1.1.1", "2.2.2.2")
True

Specify packets to forward. To stop forwarding particular packet types set the optional 'no' argument to True.

Arguments:

  • protocol: An integer ranging from 0 to 255 representing the protocol number, or a string representing the protocol name.

  • source: A string representing the source ip address or network in either CIDR notation or dotted quad. E.g. 'any', '192.0.2.0', '192.0.2.0/24', '192.0.2.0 255.255.255.0'. For a network can also specify wildcard bits. E.g. '192.0.2.0 255.0.7.255'

  • sport_qualifier: A string that qualifies the source port. Valid qualifiers are: eq, gt, lt, host, neg, range

  • sport: A source port or a range of source ports in an array. Port needs to be a number or its string representation. Valid string representations are: bgp, discard, exec, gopher, klogin, nntp, smtp, telnet, www, chargen, domain, finger, hostname, kshell, pim-auto-rp, sunrpc, time, cmd, drip, ftp, ident, login, pop2, tacacs, uucp, daytime, echo, ftp-data, irc, lpd, pop3, talk, whois

  • destination: A string representing the source ip address or network in either CIDR notation or dotted quad. E.g. 'any', '192.0.2.0', '192.0.2.0/24', '192.0.2.0 255.255.255.0'. For a network can also specify wildcard bits. E.g. '192.0.2.0 255.0.7.255'

  • dport_qualifier: A string that qualifies the destination port. Valid qualifiers are: eq, gt, lt, host, neg, range

  • dport: A source port or a range of destination ports in an array. Port needs to be a number or its string representation. Valid string representations are: bgp, discard, exec, gopher, klogin, nntp, smtp, telnet, www, chargen, domain, finger, hostname, kshell, pim-auto-rp, sunrpc, time, cmd, drip, ftp, ident, login, pop2, tacacs, uucp, daytime, echo, ftp-data, irc, lpd, pop3, talk, whois

Optional Arguments:

  • sequence: an integer ranging from 1 to 4294967295 where this rule will be placed.

  • dscp: An integer ranging from 0 to 63 or a string represting the type of dscp. Use this to match packets with a particular dscp value. You cannot specify both dscp and precedence.

  • precedence: An integer ranging from 0 to 7 or a string representing the precedence type. Use this to match packets with a particular precedence value. You cannot specify both dscp and precedence.

  • fragments: A boolean, set to True to check non-initial fragments.

  • time_range: A time range name.

  • packet_length_qualifier: Match packets based on layer 3 packet length. Valid qualifiers are: eq, gt, lt, neq, range.

  • packet_length: Packet length in between 20 and 9210. If qualifier is range, min and max length needs to be provided through a list.

  • tcp_match_bit: TCP match bits in a list. Valid bits are: ack, established, psh, syn, fin, rst, urg

  • icmp_message_type: Icmp packet message type. Valid message types are: administratively-prohibited, host-tos-redirect, net-unreachable, router-advertisement, alternate-address, host-tos-unreachable, network-unknown, router-solicitation, conversion-error, host-unknown, no-room-for-option, source-quench, dod-host-prohibited, host-unreachable, option-missing, source-route-failed, dod-net-prohibited, information-reply, time-exceeded, information-request, packet-too-big, echo, parameter-problem, timestamp-reply, echo-reply, mask-reply, port-unreachable, timestamp-request, mask-request, traceroute, general-parameter-problem, mobile-redirect, precedence-unreachable, ttl-exceeded, host-isolated, net-redirect, protocol-unreachable, unreachable, host-precedence-unreachable, net-tos-redirect, reassembly-timeout, host-redirect, net-tos-unreachable, redirect

  • no: A boolean, set to True to stop forwarding particular packet types.

IPv6ACL Class

Use this class to configure the IPv6 ACL.

python
Copyclass IPv6ACL (ACL)

Example:
>>> aclv6 = IPv6ACL("aclv6")
>>>

Note: See also: methods of the ACL Class, which are inherited by the IPv6ACL class.

deny

Use the deny method to specify packets to reject.

python
Copydeny(self, protocol, source, destination, sport_qualifier=None, sport=None, dport_qualifier=None, dport=None, **kwargs)

Examples:
    aclv6.deny("tcp", "1::1", "3::2")
    aclv6.deny("tcp", "1::2", "3::2", sequence=50, dscp=50)
    aclv6.deny("tcp", "1::3", "3::2", fragments=True, precedence=3)

>>> aclv6.deny("tcp", "1::1", "3::2")
True
>>> aclv6.show()

IPv6 access list aclv6
    10 deny tcp 1::1/128 3::2/128 

['', 'IPv6 access list aclv6', '\t10 deny tcp 1::1/128 3::2/128 ', '']

Specify packets to reject. To stop rejecting particular packet types set the optional 'no' argument to True.

Arguments:

  • protocol: An integer ranging from 0 to 255 representing the protocol number, or a string representing the protocol name.
  • source: A string representing the source ip network in CIDR notation. E.g. '1:1::1:1/32'.
  • sport_qualifier: A string that qualifies the source port. Valid qualifiers are: eq, gt, lt, host, neg, range
  • sport: A source port or a range of source ports in an array. Port needs to be a number or its string representation. Valid string representations are: bgp, discard, exec, gopher, klogin, nntp, smtp, telnet, www, chargen, domain, finger, hostname, kshell, pim-auto-rp, sunrpc, time, cmd, drip, ftp, ident, login, pop2, tacacs, uucp, daytime, echo, ftp-data, irc, lpd, pop3, talk, whois
  • destination: A string representing the destination ip network in CIDR notation. E.g. '1:1::1:1/32'.
  • dport_qualifier: A string that qualifies the destination port. Valid qualifiers are: eq, gt, lt, host, neg, range
  • dport: A source port or a range of destination ports in an array. Port needs to be a number or its string representation. Valid string representations are: bgp, discard, exec, gopher, klogin, nntp, smtp, telnet, www, chargen, domain, finger, hostname, kshell, pim-auto-rp, sunrpc, time, cmd, drip, ftp, ident, login, pop2, tacacs, uucp, daytime, echo, ftp-data, irc, lpd, pop3, talk, whois

Optional Arguments:

  • sequence: an integer ranging from <1-4294967295> where this rule will be placed.

  • dscp: An integer ranging from <0-63> or a string represting the type of dscp. Use this to match packets with a particular dscp value.

  • fragments: A boolean, set to True to check non-initial fragments.

  • time-range: A time range name.

  • packet_length_qualifier: Match packets based on layer 3 packet length. Valid qualifiers are: eq, gt, lt, neq, range

  • packet_length: Packet length in between 20 and 9210. If qualifier is range, min and max length needs to be provided through a list.

  • tcp_match_bit: TCP match bits in a list. Valid bits are: ack, established, psh, syn, fin, rst, urg

  • icmp_message_type: Icmp packet message type. Valid message types are: administratively- prohibited, host-tos-redirect, net-unreachable, router-advertisement, alternate-address, host-tos-unreachable, network-unknown, router-solicitation, conversion-error, host-unknown, no-room-for-option, source-quench, dod-host-prohibited, host-unreachable, option-missing, source-route-failed, dod-net-prohibited, information-reply, time-exceeded, information-request, packet-too-big, echo, parameter-problem, timestamp-reply, echo-reply, mask-reply, port-unreachable, timestamp-request, mask-request, traceroute, general-parameter-problem, mobile-redirect, precedence-unreachable, ttl-exceeded, host-isolated, net-redirect, protocol-unreachable, unreachable, host-precedence-unreachable, net-tos-redirect, reassembly-timeout, host-redirect, net-tos-unreachable, redirect

  • no: A boolean, set to True to stop rejecting particular packet types.

Returns: True on Success

permit

Use the permit method to set up a permit ACL to specify packets to forward. To stop forwarding particular packet types, set the optional 'no' argument to True.

python
Copypermit(self, protocol, source, destination, sport_qualifier=None, sport=None, dport_qualifier=None, dport=None, **kwargs)

Examples:
    aclv6.permit("tcp", "1::1", "3::2")
    aclv6.permit("tcp", "1::2", "3::2", sequence=50, dscp=50)
    aclv6.permit("tcp", "1::3", "3::2", fragments=True, precedence=3)
    
>>> aclv6.permit("tcp", "1::1", "3::2")
True
>>> aclv6.show()

IPv6 access list aclv6
    10 permit tcp 1::1/128 3::2/128 

['', 'IPv6 access list aclv6', '\t10 permit tcp 1::1/128 3::2/128 ', '']

Arguments:

  • protocol: An integer ranging from 0 to 255 representing the protocol number, or a string representing the protocol name.

  • source: A string representing the source ip network in CIDR notation. E.g. '1:1::1:1/32'.

  • sport_qualifier: A string that qualifies the source port. Valid qualifiers are: eq, gt, lt, host, neg, range

  • sport: A source port or a range of source ports in an array. Port needs to be a number or its string representation. Valid string representations are: bgp, discard, exec, gopher, klogin, nntp, smtp, telnet, www, chargen, domain, finger, hostname, kshell, pim-auto-rp, sunrpc, time, cmd, drip, ftp, ident, login, pop2, tacacs, uucp, daytime, echo, ftp-data, irc, lpd, pop3, talk, whois

  • destination: A string representing the destination ip network in CIDR notation. E.g. '1:1::1:1/32'.

  • dport_qualifier: A string that qualifies the destination port. Valid qualifiers are: eq, gt, lt, host, neg, range

  • dport: A source port or a range of destination ports in an array. Port needs to be a number or its string representation. Valid string representations are: bgp, discard, exec, gopher, klogin, nntp, smtp, telnet, www, chargen, domain, finger, hostname, kshell, pim-auto-rp, sunrpc, time, cmd, drip, ftp, ident, login, pop2, tacacs, uucp, daytime, echo, ftp-data, irc, lpd, pop3, talk, whois

Optional Arguments:

  • sequence: an integer ranging from 1 to 4294967295 where this rule will be placed.

  • dscp: An integer ranging from 0 to 63 or a string represting the type of dscp. Use this to match packets with a particular dscp value.

  • fragments: A boolean, set to True to check non-initial fragments. time-range: A time range name.

  • packet_length_qualifier: Match packets based on layer 3 packet length. Valid qualifiers are: eq, gt, lt, neq, range

  • packet_length: Packet length in between 20 and 9210. If qualifier is range, min and max length needs to be provided through a list.

  • tcp_match_bit: TCP match bits in a list. Valid bits are: ack, established, psh, syn, fin, rst, urg

  • icmp_message_type: Icmp packet message type. Valid message types are: administratively-prohibited, host-tos-redirect, net-unreachable, router-advertisement, alternate-address, host-tos-unreachable, network-unknown, router-solicitation, conversion-error, host-unknown, no-room-for-option, source-quench, dod-host-prohibited, host-unreachable, option-missing, source-route-failed, dod-net-prohibited, information-reply, time-exceeded, information-request, packet-too-big, echo, parameter-problem, timestamp-reply, echo-reply, mask-reply, port-unreachable, timestamp-request, mask-request, traceroute, general-parameter-problem, mobile-redirect, precedence-unreachable, ttl-exceeded, host-isolated, net-redirect, protocol-unreachable, unreachable, host-precedence-unreachable, net-tos-redirect, reassembly-timeout, host-redirect, net-tos-unreachable, redirect

  • no: A boolean, set to True to stop forwarding particular packet types.

Next