Example: Creating an ACL with an interface using REST APIs

This example shows creating the following ACL and interface configuration on a switch at IP address 192.0.2.5:

access-list ip ACLv4
    10 permit tcp 10.0.100.101 eq 80 10.0.100.102 eq 8000
interface 1/1/2
    no shutdown
    apply access-list ip ACLv4 out

  1. Creating the ACL.

    $ curl -k --noproxy 192.0.2.5 -X POST \
    -b /tmp/auth_cookie -d '{
    "cfg_version": 0,
    "list_type": "ipv4",
    "name": "ACLv4"}' \
    "https://192.0.2.5/rest/v10.04/system/acls"
  2. Creating an ACL entry.

    $ curl -k --noproxy 192.0.2.5 -X POST \
    -b /tmp/auth_cookie -d '{
    "action": "permit",
    "dst_ip": "10.0.100.102/255.255.255.255",
    "dst_l4_port_max": 8000,
    "dst_l4_port_min": 8000,
    "protocol": 6,
    "sequence_number": 10,
    "src_ip": "10.0.100.101/255.255.255.255",
    "src_l4_port_max": 80,
    "src_l4_port_min": 80}' \
    "https://192.0.2.5/rest/v10.04/system/acls/ACLv4,ipv4/cfg_aces"
  3. Getting the ACL writable configuration attributes to use in the next step. Ellipses (…) represent data not shown in the example.

    $ curl -k --noproxy 192.0.2.5 -X GET \
    -b /tmp/auth_cookie \
    "https://192.0.2.5/rest/v10.04/system/acls/ACLv4,ipv4?selector=writable"
    {
    ...
      "cfg_aces": "/rest/v10.04/system/acls/ACLv4,ipv4/cfg_aces",
      "cfg_version": 3738959816497071,
      "vsx_sync": []
    ...
      "list_type": "ipv4",
      "name": "ACLv4"
    ...
    }
  4. Updating the ACL configuration using the return body received from the GET request performed in the previous step.

    Any writable attributes you do not include in the PUT request body are set to their defaults, which could be empty.

    The following example shows the request to update the ACL configuration:

    $ curl -k --noproxy 192.0.2.5 -X PUT \
    -b /tmp/auth_cookie -d '{
    "cfg_aces":{"10":"/rest/v10.04/system/acls/ACLv4,ipv4/cfg_aces/10"},
    "cfg_version":1}' \
    "https://192.0.2.5/rest/v10.04/system/acls/ACLv4,ipv4"
  5. Getting the writable attributes of an interface.

    The GET response body includes only the configuration attributes that have been set.

    $ curl -k --noproxy 192.0.2.5 -X GET \
    -b /tmp/auth_cookie \
    "https://192.0.2.5/rest/v10.04/system/interfaces/1%2F1%2F2?selector=writable"
    {
      "cdp_disable": false,
      "description": null,
      "lldp_med_loc_civic_ca_info": {},
      "lldp_med_loc_civic_info": null,
      "lldp_med_loc_elin_info": null,
      "options": {},
      "other_config": {
        "lldp_dot3_macphy_disable": false,
        "lldp_med_capability_disable": false,
        "lldp_med_network_policy_disable": false,
        "lldp_med_topology_notification_disable": false
      },
      "pfc_priorities_config": null,
      "selftest_disable": false,
      "udld_arubaos_compatibility_mode": "forward_then_verify",
      "udld_compatibility": "aruba_os",
      "udld_enable": false,
      "udld_interval": 7000,
      "udld_retries": 4,
      "udld_rfc5171_compatibility_mode": "normal",
      "user_config": {
        "admin": "down"
      }
    }
  6. Enabling the interface and adding the ACL information to the interface by using the return body received from the GET request performed in the previous step. The modified values are shown in the following example.

    Ellipses (…) represent data not shown in the example.

    $ curl -k --noproxy 192.0.2.5 -X PUT \
    -b /tmp/auth_cookie -d '{
    ...
    "user_config": {"admin": "up" },
    "aclv4_out_cfg":"/rest/v10.04/system/acls/ACLv4,ipv4",
    "aclv4_out_cfg_version":0,
    ...
    }' -D- \
    "https://192.0.2.5/rest/v10.04/system/interfaces/1%2F1%2F2"
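The six steps above as one script, added here as an example and not taken from the original page or from the switch vendor. It keeps the page's switch address, URL layout and field names, and makes the point of steps 4 and 6 explicit in code: a PUT replaces the whole writable attribute set, so the body is always built by overlaying the change onto the current GET ?selector=writable body rather than from scratch. The `RecordingTransport` class is a constructed stand-in for `requests.Session` so the script can be dry-run offline; the `create_acl` helper bumps whatever `cfg_version` the switch returned (the page sets it to 1), which is an assumption that any change of value is enough.

```python
"""Read-modify-write helper for the AOS-CX REST v10.04 procedure above.
Added example; switch address and paths follow the page, transport is injected."""
import copy
import urllib.parse

BASE_URL = "https://192.0.2.5"                 # switch from the page
API = "/rest/v10.04"
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}   # IANA protocol numbers
HOST_MASK = "255.255.255.255"                  # single-host match, as in step 2


def acl_path(name, list_type="ipv4"):
    # ACLs are keyed by "name,list_type" in the resource path
    return f"{API}/system/acls/{name},{list_type}"


def interface_url(ifname):
    # slashes in "1/1/2" must be percent-encoded (%2F) inside the path
    return f"{BASE_URL}{API}/system/interfaces/{urllib.parse.quote(ifname, safe='')}"


def host_ace(seq, action, proto, src, src_port, dst, dst_port):
    """cfg_aces POST body for a single-host, single-port rule (step 2)."""
    return {
        "action": action,
        "protocol": PROTOCOLS[proto],
        "sequence_number": seq,
        "src_ip": f"{src}/{HOST_MASK}",
        "src_l4_port_min": src_port, "src_l4_port_max": src_port,
        "dst_ip": f"{dst}/{HOST_MASK}",
        "dst_l4_port_min": dst_port, "dst_l4_port_max": dst_port,
    }


def merge_writable(current, changes):
    """Overlay changes onto a GET ?selector=writable body (steps 4 and 6).

    PUT replaces the whole writable set, so anything left out of the body
    reverts to its default; always start from the current body, not from {}.
    """
    body = copy.deepcopy(current)
    for key, value in changes.items():
        if isinstance(value, dict) and isinstance(body.get(key), dict):
            body[key] = {**body[key], **value}   # nested object, e.g. user_config
        else:
            body[key] = value
    return body


def create_acl(t, name, aces, list_type="ipv4"):
    """Steps 1-4: create the ACL, add its entries, then change cfg_version."""
    t.post(f"{BASE_URL}{API}/system/acls",
           json={"cfg_version": 0, "list_type": list_type, "name": name})
    for ace in aces:
        t.post(f"{BASE_URL}{acl_path(name, list_type)}/cfg_aces", json=ace)
    acl_url = f"{BASE_URL}{acl_path(name, list_type)}"
    current = t.get(acl_url, params={"selector": "writable"}).json()
    # assumption: any new cfg_version value triggers the ACL to be applied
    body = merge_writable(current, {"cfg_version": current.get("cfg_version", 0) + 1})
    t.put(acl_url, json=body)
    return body


def attach_acl_out(t, ifname, name, list_type="ipv4"):
    """Steps 5-6: bring the interface up and apply the ACL outbound."""
    url = interface_url(ifname)
    current = t.get(url, params={"selector": "writable"}).json()
    body = merge_writable(current, {
        "user_config": {"admin": "up"},
        "aclv4_out_cfg": acl_path(name, list_type),
        "aclv4_out_cfg_version": 0,
    })
    resp = t.put(url, json=body)
    if resp.status_code not in (200, 204):
        raise RuntimeError(f"PUT {url} -> HTTP {resp.status_code}")
    return body


class RecordingTransport:
    """Constructed dry-run stand-in for requests.Session: answers GETs from a
    canned dict and records every write instead of sending it to a switch."""
    class _Resp:
        def __init__(self, status, data=None):
            self.status_code, self._data = status, data

        def json(self):
            return self._data

    def __init__(self, get_bodies):
        self.get_bodies, self.writes = get_bodies, []

    def get(self, url, params=None, **kw):
        return self._Resp(200, self.get_bodies.get(url, {}))

    def post(self, url, json=None, **kw):
        self.writes.append(("POST", url, json))
        return self._Resp(201)

    def put(self, url, json=None, **kw):
        self.writes.append(("PUT", url, json))
        return self._Resp(200)


if __name__ == "__main__":
    # constructed interface state, shaped like the step-5 GET response
    dry = RecordingTransport({interface_url("1/1/2"): {
        "cdp_disable": False, "udld_interval": 7000,
        "user_config": {"admin": "down"}}})
    create_acl(dry, "ACLv4", [host_ace(10, "permit", "tcp",
                                       "10.0.100.101", 80, "10.0.100.102", 8000)])
    attach_acl_out(dry, "1/1/2", "ACLv4")
    for method, url, body in dry.writes:
        print(method, url, body)
```

Against a real switch, pass a `requests.Session` whose cookie jar holds the login cookie the page stores in `/tmp/auth_cookie`; set `verify` to the switch's CA certificate instead of reproducing `curl -k`, which skips certificate validation. The dry run is worth keeping: reviewing the recorded PUT body before sending it shows exactly which attributes the write will carry, and the `udld_interval` value surviving the merge is the check that nothing is being reset to a default.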