Change the Cisco-IO-XE extended access-list using RESTCONF PATCH command

Zeevik
Level 1

Hi,

I've added the CSR1000v node simulation to CML2-PE and am learning RESTCONF via the Python requests package.

The current target is to change one of the configured ACL port actions from permit to deny.

The RESTCONF GET:

headers = {'Content-Type': 'application/yang-data+json', 'Accept': 'application/yang-data+json'}
auth = requests.auth.HTTPBasicAuth(admin, password)
response = requests.get("https://csrIP:443/restconf/data/Cisco-IO-XE-native:native/ip/access-list/Cisco-IOS-XE-acl:extended=z120",
                        headers=headers, auth=auth, verify=False)

returns:

{'Cisco-IOS-XE-acl:extended': {'name': 'z120', 'access-list-seq-rule': [{'sequence': '40', 'ace-rule': {'action': 'permit', 'protocol': 'tcp', 'any': [None], 'src-eq': 1237, 'dst-any': [None]}}, ...}]}}

I'm trying to change the 'action' of the port ('src-eq': 1237) from 'permit' to 'deny', using PATCH as follows:

data = "{extended': [{'name': 'z120', 'access-list-seq-rule': [{'sequence': '40', 'ace-rule': {'action': 'deny', 'src-eq': 1237}]}"
response = requests.patch('https://csrIP:443/restconf/data/Cisco-IO-XE-native:native/ip/access-list/Cisco-IOS-XE-acl:extended', data=data, verify=False)

but a 404 error is returned: {"errors": {"error": [{"error-message": "uri keypath not found", "error-tag": "invalid-value", "error-type": "application"}]

What might be the problem?

Thanks

Zeev

3 Replies

amk__
Level 1

I realize this is two years after the question, but I found this via web search and believe that adding the solution would make sense.

One needs to use the PATCH method with the URL https://ip/restconf/data/Cisco-IOS-XE-native:native/ip/access-list/extended=z120
and the following contents:

{
    "Cisco-IOS-XE-acl:extended": [
      {
        "name": "z120",
        "access-list-seq-rule": [
          {
            "sequence": "40",
            "ace-rule": {
              "action": "deny",
              "protocol": "tcp",
              "any": [null],
              "src-eq": 1237,
              "dst-any": [null]
            }
          }
        ]
      }
    ]
}
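The request amk__ describes, written out as an added example (this is not code from the thread or from Cisco): a pure helper builds the corrected URL and the JSON body for one ACE, and a separate function sends the PATCH with the headers and Basic auth that the original PATCH call also left out. The host `192.0.2.1`, the credentials and the CA-bundle path are placeholders; the URL uses the `extended=<name>` form from amk__'s answer.

```python
"""Added example (not from the thread): PATCH one ACE of an IOS-XE extended ACL
over RESTCONF, using the URL and JSON shape from amk__'s answer."""
import json
from typing import Any, Dict, Optional, Tuple

# YANG names as they appear in the thread; the ACL and the rule are keyed
# by "name" and "sequence" respectively.
NATIVE_MODULE = "Cisco-IOS-XE-native:native"
ACL_EXTENDED_KEY = "Cisco-IOS-XE-acl:extended"
RESTCONF_HEADERS = {
    "Content-Type": "application/yang-data+json",
    "Accept": "application/yang-data+json",
}


def acl_url(host: str, acl_name: str, port: int = 443) -> str:
    """Build the RESTCONF URL of a named extended ACL (same path as amk__'s answer).

    The module name is spelled Cisco-IOS-XE; the "Cisco-IO-XE" typo in the
    original post is what produced the 'uri keypath not found' 404.
    """
    return (f"https://{host}:{port}/restconf/data/{NATIVE_MODULE}"
            f"/ip/access-list/extended={acl_name}")


def ace_patch_payload(acl_name: str, sequence: int, action: str,
                      protocol: str = "tcp",
                      src_eq: Optional[int] = None) -> Dict[str, Any]:
    """Build the PATCH body for one ACE (any -> any, optional source port).

    As in amk__'s answer, the body carries the ACE's other leaves too
    ("protocol", "any", "dst-any"); empty leaves are encoded as [null].
    """
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be 'permit' or 'deny', got {action!r}")
    ace: Dict[str, Any] = {"action": action, "protocol": protocol, "any": [None]}
    if src_eq is not None:
        if not 0 <= src_eq <= 65535:
            raise ValueError(f"src-eq out of range: {src_eq}")
        ace["src-eq"] = src_eq
    ace["dst-any"] = [None]
    return {
        ACL_EXTENDED_KEY: [{
            "name": acl_name,
            "access-list-seq-rule": [{"sequence": str(sequence), "ace-rule": ace}],
        }]
    }


def patch_ace(host: str, acl_name: str, payload: Dict[str, Any],
              auth: Tuple[str, str], verify: Any = "ca-bundle.pem",
              timeout: int = 10) -> int:
    """Send the PATCH and return the HTTP status (IOS-XE answers 204 on success).

    `verify` should name the CA bundle that signed the router's RESTCONF
    certificate ("ca-bundle.pem" is a placeholder path). verify=False, as in
    the thread, disables TLS checking, so the admin credentials in the Basic
    auth header would be exposed to anyone able to intercept the connection.
    """
    import requests  # imported here so the pure helpers above work without it

    resp = requests.patch(acl_url(host, acl_name), headers=RESTCONF_HEADERS,
                          auth=auth, data=json.dumps(payload),
                          verify=verify, timeout=timeout)
    if resp.status_code >= 400:
        # IOS-XE returns a JSON "errors" object like the one in the question
        raise RuntimeError(f"{resp.status_code}: {resp.text}")
    return resp.status_code


if __name__ == "__main__":
    body = ace_patch_payload("z120", 40, "deny", src_eq=1237)
    print(acl_url("192.0.2.1", "z120"))
    print(json.dumps(body, indent=2))
    # patch_ace("192.0.2.1", "z120", body, ("admin", "password"))  # needs a live router
```

Because the ACE list is keyed by "sequence", a PATCH with the full ACE replaces only that entry; the other ACEs in z120 are untouched. A GET on the same URL afterwards is the quickest way to confirm the action changed.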
Hello,

interesting, thanks for posting. In the original post, I wonder if the error was just a simple typo:

data = "{extended': [{'name': 'z120', 'access-list-seq-rule': [{'sequence': '40', 'ace-rule': {'action': 'deny', 'src-eq': 1237}]}"
response = requests.patch('https://csrIP:443/restconf/data/Cisco-IO-XE-native:native/ip/access-list/Cisco-IOS-XE-acl:extended', data=data, verify=False)

--> the IO misses the S

Good catch. That would explain the 404 response. But when I tried the data from the original post, it was also rejected, with a different status. The keys "any" and "dst-any" are also missing there.

Anyway, when trying to put it into production and uploading an access list with many entries, the router logs the commands executed in the uploaded order. The resulting ACL, however, is ordered randomly. I also have my doubts about the HW programming but could not confirm it. When trying resequence, the numbers are changed into sequence but the order of ACEs stays. I raised a TAC SR today; I suspect one sev2 (order randomized) and one with a lower severity (resequence should fail if the entries are not sorted).
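A check for the ordering problem described in the reply above, as an added example (not from the thread): it takes the JSON a RESTCONF GET on the ACL returns, in the shape shown in the question, and reports ACEs that come back out of ascending sequence order, duplicated, missing or unexpected compared with the list that was uploaded. The sample response is constructed with made-up ACEs so the script runs offline.

```python
"""Added example (not from the thread): verify the ACE order a router returns
for an extended ACL against the order that was uploaded."""
from typing import Any, Dict, List

# Constructed sample in the shape of the GET response shown in the question;
# the sequences are deliberately out of order to exercise the check.
SAMPLE_ACL_GET: Dict[str, Any] = {
    "Cisco-IOS-XE-acl:extended": {
        "name": "z120",
        "access-list-seq-rule": [
            {"sequence": "40", "ace-rule": {"action": "deny", "protocol": "tcp",
                                            "any": [None], "src-eq": 1237, "dst-any": [None]}},
            {"sequence": "10", "ace-rule": {"action": "permit", "protocol": "tcp",
                                            "any": [None], "src-eq": 22, "dst-any": [None]}},
            {"sequence": "20", "ace-rule": {"action": "permit", "protocol": "ip",
                                            "any": [None], "dst-any": [None]}},
        ],
    }
}

# The same ACL with its rules in ascending order, the shape a correct upload
# should produce.
SORTED_ACL_GET: Dict[str, Any] = {
    "Cisco-IOS-XE-acl:extended": {
        "name": "z120",
        "access-list-seq-rule": sorted(
            SAMPLE_ACL_GET["Cisco-IOS-XE-acl:extended"]["access-list-seq-rule"],
            key=lambda rule: int(rule["sequence"])),
    }
}


def ace_sequences(acl_get: Dict[str, Any]) -> List[int]:
    """Return the ACE sequence numbers in the order the router listed them.

    A GET on extended=<name> returns one object; a GET on the whole list
    returns a list of them, so both shapes are accepted (first entry used).
    """
    body = acl_get["Cisco-IOS-XE-acl:extended"]
    if isinstance(body, list):
        body = body[0]
    return [int(rule["sequence"]) for rule in body.get("access-list-seq-rule", [])]


def order_problems(acl_get: Dict[str, Any], intended: List[int]) -> List[str]:
    """Compare the returned ACE order with the uploaded one; empty list means OK."""
    seqs = ace_sequences(acl_get)
    problems: List[str] = []
    if seqs != sorted(seqs):
        problems.append(f"ACEs returned out of ascending order: {seqs}")
    dupes = sorted({s for s in seqs if seqs.count(s) > 1})
    if dupes:
        problems.append(f"duplicate sequence numbers: {dupes}")
    missing = sorted(set(intended) - set(seqs))
    extra = sorted(set(seqs) - set(intended))
    if missing:
        problems.append(f"intended ACEs missing: {missing}")
    if extra:
        problems.append(f"unexpected ACEs present: {extra}")
    if not missing and not extra and seqs != intended:
        problems.append(f"order differs from the uploaded order {intended}")
    return problems


if __name__ == "__main__":
    uploaded = [10, 20, 40]
    for label, acl in (("scrambled", SAMPLE_ACL_GET), ("sorted", SORTED_ACL_GET)):
        print(label, ace_sequences(acl), order_problems(acl, uploaded) or "OK")
```

Run it against the JSON from a real GET after a bulk upload; an ACL evaluated in a different order than it was written is a policy change, so a non-empty result is worth treating as a failed deployment rather than a cosmetic difference.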