topic Re: Is it possible to create ACLs? in Controllers

Is it possible to create ACLs?

paradoxxl — Fri, 01 Mar 2019 12:33:39 GMT

I’ve played around APIC-EM for a few days now, especially discovering the API. I used postman and the go-apic-em library (https://github.com/jbogarin/go-apic-em). At the beginning, I was confused by the naming similarities with cisco APIC which is a total different technology. Therefore, I had some wrong expectations as I thought it was SDN like in APIC/ACI.

In my semester project, I need to evaluate APIC-EM and Onos (OpenFlow Controller) to build a classical campus network. Therefore, creating ACL or more general ‘policies’ is crucial. I understand it it possible to create QoS Policies, but is it also possible to create ACL with APIC-EM and are there any examples if yes? Or do I have to switch to another product from the ‘ONE’-portfolio?

The first thought I had was using a DENY-Action when creating a policy (v1) via API. Unfortunately, I could not find the permitted values for the actions in the policy API and ‘DENY’ does not seem to work. I also checked the documents I found on the cisco website, but I was unable to find a clear description for the capabilities of APIC-EM, especially the word ‘policy’ they often use in the descriptions and videos.

Kind regards,

Dominik

Re: Is it possible to create ACLs?

yawming — Mon, 14 Nov 2016 17:25:46 GMT

Please take a look this learning lab see if you can find what you want.

Cisco DevNet Learning Labs

Re: Is it possible to create ACLs?

paradoxxl — Wed, 16 Nov 2016 14:10:14 GMT

Thank you for the hint. Unfortunately, I cannot find an answer to my problem in this lab as it only covers QoS.

Kind regards,

Dominik

Re: Is it possible to create ACLs?

yawming — Wed, 16 Nov 2016 15:53:30 GMT

Have you tried create policy example ? You can create policy single policy with your application and push ACL down to network device

You may need to change attributes in JSON.

"actions":[

"PERMIT"

]

"actions":[

"DENY"

]

I tried to change the actions from "SET_PROPERTY" to "DENY" but it fail ( "SET_PROPERTY" is OK)

Re: Is it possible to create ACLs?

aradford — Wed, 16 Nov 2016 18:01:45 GMT

ACL are not supported in policy in 1.3. We did have them in EFT code.

The policy model will be extended next year

Re: Is it possible to create ACLs?

paradoxxl — Thu, 17 Nov 2016 08:17:11 GMT

Thank you for the clarification.

Is there another product of the cisco ONE-portfolio which is yet able do distribute ACL? APIC/ACI can clearly do it, but we would need nexus switches for this.

Kind regards,

Dominik

Re: Is it possible to create ACLs?

rcsapo — Mon, 21 Nov 2016 12:53:05 GMT

There's the possibility to use Cisco ISE with Downloadable ACLs. (ACL based on Radius)

Cisco Identity Services Engine Administrator Guide, Release 2.1 - Manage Authorization Policies and Profiles [Cisco Ide…

Then there's APIs on Cisco Prime Infra for using templates (ACL based on CLI commands)

Template based provisioning with Cisco Prime Infrastructure – Part 1

Both products are included when buying Cisco One for Access.