Is it possible to create ACLs?

paradoxxl
Level 1

Hi

I’ve played around with APIC-EM for a few days now, especially discovering the API. I used Postman and the go-apic-em library (https://github.com/jbogarin/go-apic-em). At the beginning, I was confused by the naming similarities with Cisco APIC, which is a totally different technology. Therefore, I had some wrong expectations, as I thought it was SDN like in APIC/ACI.

In my semester project, I need to evaluate APIC-EM and ONOS (OpenFlow Controller) to build a classical campus network. Therefore, creating ACLs or, more generally, ‘policies’ is crucial. I understand it is possible to create QoS policies, but is it also possible to create ACLs with APIC-EM, and are there any examples if yes? Or do I have to switch to another product from the ‘ONE’-portfolio?

The first thought I had was using a DENY action when creating a policy (v1) via the API. Unfortunately, I could not find the permitted values for the actions in the policy API, and ‘DENY’ does not seem to work. I also checked the documents I found on the Cisco website, but I was unable to find a clear description of the capabilities of APIC-EM, especially the word ‘policy’ they often use in the descriptions and videos.

Kind regards,

Dominik

1 Accepted Solution

ACLs are not supported in policy in 1.3. We did have them in EFT code.

The policy model will be extended next year.

6 Replies

yawming
Cisco Employee
Cisco Employee

Please take a look at this learning lab and see if you can find what you want.

Cisco DevNet Learning Labs

Thank you for the hint. Unfortunately, I cannot find an answer to my problem in this lab as it only covers QoS.

Kind regards,

Dominik

Have you tried the create policy example? You can create a single policy with your application and push the ACL down to the network device.

You may need to change attributes in JSON.

"actions":[
        "PERMIT"
    ]

"actions":[
        "DENY"
    ]

I tried to change the actions from "SET_PROPERTY" to "DENY" but it failed ("SET_PROPERTY" is OK).

ACLs are not supported in policy in 1.3. We did have them in EFT code.

The policy model will be extended next year.

Thank you for the clarification.

Is there another product of the Cisco ONE-portfolio which is yet able to distribute ACLs? APIC/ACI can clearly do it, but we would need Nexus switches for this.

Kind regards,

Dominik

There's the possibility to use Cisco ISE with Downloadable ACLs. (ACL based on Radius)

Cisco Identity Services Engine Administrator Guide, Release 2.1  - Manage Authorization Policies and Profiles [Cisco Ide…

Then there are APIs on Cisco Prime Infra for using templates (ACL based on CLI commands)

Template based provisioning with Cisco Prime Infrastructure – Part 1

Both products are included when buying Cisco One for Access.