# ACL

RESTAPI Manual, Security section.
## URLs summary

| URL | GET | POST | PATCH | PUT | DELETE |
| --- | --- | --- | --- | --- | --- |
| /rest/v1/running/access-list-nexthop-groups/{id} | Y | Y | Y | N | Y |
| /rest/v1/running/access-list-nexthop-groups/{id}/nexthop/{ip-address}/{vrf-name} | Y | Y | N | N | Y |
| /rest/v1/running/access-list-user-defined-types/{name} | Y | Y | Y | N | Y |
| /rest/v1/running/access-lists/{name} | Y | Y | Y | N | Y |
| /rest/v1/running/access-lists/{name}/access-list-entries/{ruleid} | Y | Y | N | Y | Y |
| /rest/v1/rpc/clear-counters-acl | N | Y | N | N | N |
| /rest/v1/rpc/show-acl-rule | N | Y | N | N | N |
| /rest/v1/rpc/show-counters-acl | N | Y | N | N | N |

## Examples

### Get all access lists

```
GET https://{switch-ip}/rest/v1/running/access-lists
```

### Create an access list and add a rule for it

```
POST https://{switch-ip}/rest/v1/running/access-lists

{
  "name": "fc",
  "stage": "ingress",
  "type": "flow-control",
  "access-list-entries": [
    {
      "ruleid": 11,
      "actions": { "traffic-behavior": "policy-test" },
      "matches": { "source-mac": "00:00:00:00:00:01" }
    }
  ]
}
```

### Modify an access list

```
PATCH https://{switch-ip}/rest/v1/running/access-lists/l3in

{
  "bind-intfs": ["Ethernet3", "Ethernet4"]
}
```

### Delete an access list

```
DELETE https://{switch-ip}/rest/v1/running/access-lists/l3v6in1
```

### Get all the rules for an access list

```
GET https://{switch-ip}/rest/v1/running/access-lists/test/access-list-entries
```

### Create a rule for an access list

```
POST https://{switch-ip}/rest/v1/running/access-lists/mirrorv6e/access-list-entries

{
  "ruleid": 100,
  "actions": { "egress-mirror-session": 2 },
  "matches": { "out-ports": ["Ethernet2"] }
}
```

### Delete a rule from an access list

```
DELETE https://{switch-ip}/rest/v1/running/access-lists/l2e/access-list-entries/2
```

### Get all the user-defined types

```
GET https://{switch-ip}/rest/v1/running/access-list-user-defined-types
```

### Create an access list user-defined type

```
POST https://{switch-ip}/rest/v1/running/access-list-user-defined-types

{
  "name": "test",
  "type": "ipv4",
  "match": "source-mac",
  "action": "set-dscp",
  "bind-points": "port"
}
```

### Delete an access list user-defined type

```
DELETE https://{switch-ip}/rest/v1/running/access-list-user-defined-types/test
```

### Get all the nexthop groups

```
GET https://{switch-ip}/rest/v1/running/access-list-nexthop-groups
```

### Create a nexthop group

```
POST https://{switch-ip}/rest/v1/running/access-list-nexthop-groups

{
  "id": 1,
  "nexthop": [
    { "ip-address": "1.2.3.4", "vrf-name": "default" },
    { "ip-address": "2.3.4.5", "vrf-name": "default", "interface-name": "Ethernet0" }
  ]
}
```

### Delete a nexthop group

```
DELETE https://{switch-ip}/rest/v1/running/access-list-nexthop-groups/1
```

### Show an access list rule

```
POST https://{switch-ip}/rest/v1/rpc/show-acl-rule

{ "name": "test", "ruleid": 4 }
```

### Show access list counters

```
POST https://{switch-ip}/rest/v1/rpc/show-counters-acl

{ "acl-names": ["test", "test1"] }
```

### Clear access list counters

```
POST https://{switch-ip}/rest/v1/rpc/clear-counters-acl

{}
```

## Properties descriptions

### ACL entries

#### Tree diagram

```
+--rw access-lists
   +--rw access-list* [name]
      +--rw name
      +--rw type
      +--rw stage?
      +--rw services
      +--rw bind-intfs
      +--rw access-list-entries
      |  +--rw access-list-entry* [ruleid]
      |     +--rw ruleid
      |     +--rw actions
      |     |  +--rw packet-action?
      |     |  +--rw ingress-mirror-session?
      |     |  +--rw egress-mirror-session?
      |     |  +--rw redirect-action?
      |     |  +--rw redirect-action-ip-params?
      |     |  +--rw set-tc?
      |     |  +--rw set-pcp?
      |     |  +--rw set-dscp?
      |     |  +--rw traffic-behavior?
      |     +--rw matches
      |        +--rw ethernet-type?
      |        +--rw outer-vlan?
      |        +--rw ip-type?
      |        +--rw ip-protocol?
      |        +--rw tcp-flags?
      |        +--rw source-ip?
      |        +--rw destination-ip?
      |        +--rw source-ipv6?
      |        +--rw destination-ipv6?
      |        +--rw icmp-type?
      |        +--rw icmp-code?
      |        +--rw icmpv6-type?
      |        +--rw icmpv6-code?
      |        +--rw source-port?
      |        +--rw destination-port?
      |        +--rw dscp?
      |        +--rw ecn?
      |        +--rw vlan-pri?
      |        +--rw vxlan-vni?
      |        +--rw flow-label?
      |        +--rw in-ports
      |        +--rw out-ports
      |        +--rw bth-opcode? {cmn:platform-innovium}?
      |        +--rw aeth-syndrome? {cmn:platform-innovium}?
      |        +--rw source-mac?
      |        +--rw destination-mac?
      +--rw rule-default-drop?
```

#### Table of properties

| Name | Required | Type/Range | Description |
| --- | --- | --- | --- |
| access-lists | M | | Path-only node, has no configurable value. |
| name | M | string | (sub-property of access-lists) |
| type | M | "l2", "l3", "l3v6", "mirror", "mirrorv6", "flow-control", "ctrlplane", or the name of a user-defined type (/.../access-list-user-defined-types/access-list-user-defined-type/name) | (sub-property of access-lists) |
| stage | O | "ingress", "egress" | (sub-property of access-lists) |
| services | O | "snmp", "ssh", "ntp", "bgp" | (sub-property of access-lists) Only supported on tables whose type is ctrlplane. |
| bind-intfs | O | Ethernet-name, PortChannel0000-9999 | (sub-property of access-lists) |
| access-list-entries | M | | (sub-property of access-lists) Path-only node, has no configurable value. |
| ruleid | M | 0-500 | (sub-property of access-list-entries) |
| actions | M | | (sub-property of access-list-entries) Path-only node, has no configurable value. |
| packet-action | O | "forward", "deny", "drop", "trap", "copy" | (sub-property of actions) Specifies the packet action taken as part of the ACL rule; it determines whether matched packets are forwarded, dropped, or processed further. Applicable to ACL tables: layer 2 ingress/egress, layer 3 IPv4/IPv6 ingress/egress. |
| ingress-mirror-session | O | 1-63 | (sub-property of actions) Configures an ingress mirror session identifier (1-63) for mirroring incoming traffic; the action duplicates traffic to a monitoring or analysis port. Applicable to ACL tables: mirror/mirrorv6 ingress. |
| egress-mirror-session | O | 1-63 | (sub-property of actions) Configures an egress mirror session identifier (1-63) for mirroring outgoing traffic; facilitates traffic analysis by directing a copy of the traffic to a designated port. Applicable to ACL tables: mirror/mirrorv6 egress. |
| redirect-action | O | Ethernet-name, PortChannel0000-9999, 1-12, "a.b.c.d", "xx:xx:xx:xx:xx:xx:xx:xx" | (sub-property of actions) Defines the redirection destination for matched packets. Applicable to ACL tables: layer 3 IPv4/IPv6 ingress. |
| redirect-action-ip-params | O | Ethernet-name, PortChannel0000-9999, Vlan1-4094, "default", vrf-name | (sub-property of actions) Defines the redirection destination interface or VRF for matched packets when redirect-action is an IPv4/IPv6 address. Applicable to ACL tables: layer 3 IPv4/IPv6 ingress, and only when redirect-action is an IPv4/IPv6 address. |
| set-tc | O | 0-7 | (sub-property of actions) Sets the traffic class (TC), influencing QoS treatment. Applicable to ACL tables: layer 3 IPv4/IPv6 ingress. |
| set-pcp | O | 0-7 | (sub-property of actions) Sets the PCP, affecting prioritization within a VLAN. Applicable to ACL tables: layer 2 ingress, layer 3 IPv4/IPv6 ingress, mirror/mirrorv6 ingress, flowctrl ingress. |
| set-dscp | O | 0-63 | (sub-property of actions) Sets the DSCP. Applicable to ACL tables: layer 3 IPv4/IPv6 ingress/egress, flowctrl ingress. |
| traffic-behavior | O | string | (sub-property of actions) Configures interface speed-limiting policies. Applicable to ACL tables: layer 2 ingress, layer 3 IPv4/IPv6 ingress, mirror/mirrorv6 ingress, flowctrl ingress. |
| matches | M | | (sub-property of access-list-entries) Path-only node, has no configurable value. |
| ethernet-type | O | 0x0000-ffff | (sub-property of matches) Matches the Ethernet frame type; accepts hexadecimal values from 0x0000 to 0xffff, distinguishing different L2 protocols. Applicable to ACL tables: layer 2 ingress, layer 3 IPv4/IPv6 ingress. |
| outer-vlan | O | 1-4094 or 0x1-ffe | (sub-property of matches) Matches the outer VLAN tag of a tagged frame, supporting VLAN IDs from 1 to 4094, with an optional EtherType (in hexadecimal) following a slash (/) for further refinement. Applicable to ACL tables: layer 2 ingress/egress, layer 3 IPv4 ingress/egress, mirror ingress/egress, flowctrl ingress. |
| ip-type | O | "any", "ip", "non-ip", "ipv4any", "non-ipv4", "ipv6any", "non-ipv6", "arp", "arp-request", "arp-reply" | (sub-property of matches) Matches the IP type (any/ip/non-ip/ipv4any/non-ipv4/ipv6any/non-ipv6/arp/arp-request/arp-reply) to be inspected by the ACL. Applicable to ACL tables: layer 3 IPv4 ingress/egress, mirror ingress/egress. |
| ip-protocol | O | 0-255 | (sub-property of matches) Matches the protocol field in the IP header (0-255), filtering traffic by the upper-layer protocol. Applicable to ACL tables: layer 3 IPv4 ingress/egress, IPv6 ingress, flowctrl ingress. |
| tcp-flags | O | 0-63 | (sub-property of matches) Matches specific TCP flags within packets. Applicable to ACL tables: layer 3 IPv4 ingress/egress, mirror ingress/egress. |
| source-ip | O | "a.b.c.d/m", "a.b.c.d" | (sub-property of matches) Matches the source IPv4 address, filtering traffic by its origin. Applicable to ACL tables: layer 3 IPv4 ingress/egress, mirror ingress/egress, flowctrl ingress. |
| destination-ip | O | "a.b.c.d/m", "a.b.c.d" | (sub-property of matches) Matches the destination IPv4 address, filtering traffic by its intended endpoint. Applicable to ACL tables: layer 3 IPv4 ingress/egress, mirror ingress/egress. |
| source-ipv6 | O | "xx:xx:xx:xx:xx:xx:xx:xx/m", "xx:xx:xx:xx:xx:xx:xx:xx" | (sub-property of matches) Matches the source IPv6 address, filtering traffic by its origin. Applicable to ACL tables: layer 3 IPv4 ingress/egress, mirrorv6 ingress/egress. |
| destination-ipv6 | O | "xx:xx:xx:xx:xx:xx:xx:xx/m", "xx:xx:xx:xx:xx:xx:xx:xx" | (sub-property of matches) Matches the destination IPv6 address, filtering traffic by its intended endpoint. Applicable to ACL tables: layer 3 IPv4 ingress/egress, mirrorv6 ingress/egress. |
| icmp-type | O | 0-16 | (sub-property of matches) Matches ICMP traffic by message type. Applicable to ACL tables: layer 3 IPv4 ingress/egress, mirror ingress/egress. |
| icmp-code | O | 0-5 | (sub-property of matches) Matches ICMP traffic by code. Applicable to ACL tables: layer 3 IPv4 ingress/egress, mirror ingress/egress. |
| icmpv6-type | O | 1-137 | (sub-property of matches) Matches ICMPv6 traffic by message type. Applicable to ACL tables: layer 3 IPv4 ingress. |
| icmpv6-code | O | 0-4 | (sub-property of matches) Matches ICMPv6 traffic by code. Applicable to ACL tables: layer 3 IPv4 ingress. |
| source-port | O | 0-65535 | (sub-property of matches) Matches the source transport-layer port number. Applicable to ACL tables: layer 2 ingress/egress, layer 3 IPv4 ingress/egress, mirror ingress/egress, flowctrl ingress. |
| destination-port | O | 0-65535 | (sub-property of matches) Matches the destination transport-layer port number. Applicable to ACL tables: layer 2 ingress/egress, layer 3 IPv4 ingress/egress, mirror ingress/egress, flowctrl ingress. |
| dscp | O | 0-63 | (sub-property of matches) Matches the Differentiated Services Code Point in the IP header (0-63), allowing QoS differentiation. Applicable to ACL tables: layer 3 IPv4 or IPv6 ingress/egress, mirror ingress/egress. |
| ecn | O | 0-3 | (sub-property of matches) Matches the Explicit Congestion Notification bits in the IP header. Applicable to ACL tables: layer 3 IPv4 ingress/egress. |
| vlan-pri | O | 0-7 | (sub-property of matches) Matches the 3-bit VLAN priority code point. Applicable to ACL tables: layer 2 ingress/egress, layer 3 IPv4 ingress/egress. |
| vxlan-vni | O | 1-16777215 | (sub-property of matches) Matches the 6-bit VXLAN priority code point. Applicable to ACL tables: layer 3 IPv4 ingress/egress. |
| flow-label | O | ^[0-9a-fA-F]{1,5} | (sub-property of matches) Matches the flow label; accepts hexadecimal values from 0x00000 to 0xfffff. Applicable to ACL tables: layer 3 IPv6 ingress. |
| in-ports | O | Ethernet-name | (sub-property of matches) Matches the ingress ports. Applicable to ACL tables: mirror ingress, flowctrl ingress. |
| out-ports | O | Ethernet-name | (sub-property of matches) Matches the egress ports. Applicable to ACL tables: layer 3 IPv4 egress, mirrorv6 egress. |
| bth-opcode | O | 0-255 | (sub-property of matches) (Innovium platform specific) Matches the byte transmission header opcode. Applicable to ACL tables: mirror/mirrorv6 ingress/egress. |
| aeth-syndrome | O | 0-255 or 0-255/0x00-ff | (sub-property of matches) (Innovium platform specific) Matches the analyzed Ethernet header syndrome. Applicable to ACL tables: mirror/mirrorv6 ingress/egress. |
| source-mac | O | a:b:c:d:e:f | (sub-property of matches) Matches the source MAC address. Applicable to ACL tables: layer 2 ingress, flowctrl ingress. |
| destination-mac | O | a:b:c:d:e:f | (sub-property of matches) Matches the destination MAC address. Applicable to ACL tables: layer 2 ingress, flowctrl ingress. |
| rule-default-drop | CO | "out-of-band", "in-band" | (sub-property of access-lists) Only applicable when type = "ctrlplane". |

### ACL user-defined types

#### Tree diagram

```
+--rw access-list-user-defined-types
   +--rw access-list-user-defined-type* [name]
      +--rw name
      +--rw type
      +--rw bind-points?
      +--rw match?
      +--rw action?
```

#### Table of properties

| Name | Required | Type/Range | Description |
| --- | --- | --- | --- |
| access-list-user-defined-types | M | | Path-only node, has no configurable value. |
| name | M | ^[a-z0-9-] | (sub-property of access-list-user-defined-types) |
| type | M | "ipv4", "ipv6", "non-ip" | (sub-property of access-list-user-defined-types) |
| bind-points | O | "port", "switch" | (sub-property of access-list-user-defined-types) |
| match | O | "in-ports", "out-ports", "bth-opcode", "aeth-syndrome", "source-mac", "destination-mac", "ethernet-type", "outer-vlan", "ip-type", "ip-protocol", "tcp-flags", "source-ip", "destination-ip", "source-ipv6", "destination-ipv6", "icmp-type", "icmp-code", "icmpv6-type", "icmpv6-code", "source-port", "destination-port", "dscp", "ecn", "vlan-pri", "vxlan-vni" | (sub-property of access-list-user-defined-types) |
| action | O | "packet-action", "ingress-mirror-session", "egress-mirror-session", "redirect-action", "set-tc", "set-pcp", "set-dscp", "traffic-behavior" | (sub-property of access-list-user-defined-types) |

### ACL nexthop groups

#### Tree diagram

```
+--rw access-list-nexthop-groups
   +--rw access-list-nexthop-group* [id]
      +--rw id
      +--rw nexthop* [ip-address vrf-name]
      |  +--rw ip-address
      |  +--rw vrf-name
      |  +--rw interface-name?
      +--rw commit?
```

### show-acl-rule

#### Tree diagram

```
+---x show-acl-rule
   +---w input
   |  +---w name?
   |  +---w ruleid?
   +--ro output
      +--ro data?
```

#### Table of properties

| Name | Required | Type/Range | Description |
| --- | --- | --- | --- |
| show-acl-rule | M | | Path-only node, has no configurable value. |
| name | O | string | (sub-property of input) ACL name. |
| ruleid | O | 0-500 | (sub-property of input) |
| data | RO | `<anydata>` | (sub-property of output) |

### show-counters-acl

#### Tree diagram

```
+---x show-counters-acl
   +---w input
   |  +---w acl-names
   |  +---w rule-ids
   +--ro output
      +--ro data?
```

#### Table of properties

| Name | Required | Type/Range | Description |
| --- | --- | --- | --- |
| show-counters-acl | M | | Path-only node, has no configurable value. RPC for showing ACL counters. |
| acl-names | O | string | (sub-property of input) List of ACL table names. |
| rule-ids | O | string | (sub-property of input) List of rule IDs. |
| data | RO | `<anydata>` | (sub-property of output) |

### clear-counters-acl

#### Tree diagram

```
+---x clear-counters-acl
```

#### Table of properties

| Name | Required | Type/Range | Description |
| --- | --- | --- | --- |
| clear-counters-acl | M | | Path-only node, has no configurable value. RPC for clearing ACL counters. |
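As an added example, not part of this manual or the switch software: a small Python client that assembles the body for the create-an-access-list call from the tables above, rejects any rule outside the documented ranges before it is sent, and posts it with TLS certificate verification kept on. It assumes the switch presents a certificate chained to the CA in `cafile` and that any authentication header the device needs (not covered on this page) is added separately.

```python
# Added example (not from the manual): build and range-check a body for
# POST /rest/v1/running/access-lists using the limits in the property table above.
import json
import re
import ssl
import urllib.request

ACL_TYPES = {"l2", "l3", "l3v6", "mirror", "mirrorv6", "flow-control", "ctrlplane"}
ACTION_RANGES = {"ingress-mirror-session": (1, 63), "egress-mirror-session": (1, 63),
                 "set-tc": (0, 7), "set-pcp": (0, 7), "set-dscp": (0, 63)}  # (min, max)
MATCH_RANGES = {"ip-protocol": (0, 255), "tcp-flags": (0, 63), "source-port": (0, 65535),
                "destination-port": (0, 65535), "dscp": (0, 63), "ecn": (0, 3), "vlan-pri": (0, 7)}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def _in_range(val, lo, hi):
    return isinstance(val, int) and lo <= val <= hi

def rule_errors(rule):
    """List the documented constraints a rule violates; an empty list means it is well-formed."""
    errs = []
    if not _in_range(rule.get("ruleid"), 0, 500):
        errs.append("ruleid must be 0-500")
    actions, matches = rule.get("actions") or {}, rule.get("matches") or {}
    if not actions or not matches:
        errs.append("actions and matches are mandatory")
    for table, ranges in ((actions, ACTION_RANGES), (matches, MATCH_RANGES)):
        for key, (lo, hi) in ranges.items():
            if key in table and not _in_range(table[key], lo, hi):
                errs.append("%s must be %d-%d" % (key, lo, hi))
    for key in ("source-mac", "destination-mac"):
        if key in matches and not MAC_RE.match(str(matches[key])):
            errs.append("%s must be a colon-separated MAC" % key)
    return errs

def build_access_list(name, acl_type, stage, rules):
    """Assemble the POST body, refusing anything outside the documented ranges."""
    if acl_type not in ACL_TYPES or stage not in ("ingress", "egress"):
        raise ValueError("unknown type or stage")
    bad = {r.get("ruleid"): rule_errors(r) for r in rules if rule_errors(r)}
    if bad:
        raise ValueError("invalid rules: %r" % bad)
    return {"name": name, "type": acl_type, "stage": stage, "access-list-entries": rules}

def post_access_list(switch_ip, body, cafile):
    """POST the body over TLS; cafile is assumed to hold the switch CA. Returns (status, bytes)."""
    ctx = ssl.create_default_context(cafile=cafile)  # keep certificate verification on
    req = urllib.request.Request("https://%s/rest/v1/running/access-lists" % switch_ip,
                                 data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read()
```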
