07-28-2020 05:45 AM
Hi,
I've added the CSR1000v node simulation to CML2-PE and am learning RESTCONF via the Python requests package.
The current target is to change one of the configured ACL port actions from permit to deny.
The RESTCONF GET
headers = {'Content-Type': 'application/yang-data+json', 'Accept': 'application/yang-data+json'}
auth = requests.auth.HTTPBasicAuth(admin, password)
response = requests.get("https://csrIP:443/restconf/data/Cisco-IO-XE-native:native/ip/access-list/Cisco-IOS-XE-acl:extended=z120",
headers=headers, auth=auth, verify=False)
returns:
{'Cisco-IOS-XE-acl:extended': {'name': 'z120', 'access-list-seq-rule': [{'sequence': '40', 'ace-rule': {'action': 'permit', 'protocol': 'tcp', 'any': [None], 'src-eq': 1237, 'dst-any': [None]}}, ...}]}}
I'm trying to change the 'action' from 'permit' to 'deny' of the port ('src-eq': 1237), using PATCH as follows:
data = "{extended': [{'name': 'z120', 'access-list-seq-rule': [{'sequence': '40', 'ace-rule': {'action': 'deny', 'src-eq': 1237}]}"
response = requests.patch('https://csrIP:443/restconf/data/Cisco-IO-XE-native:native/ip/access-list/Cisco-IOS-XE-acl:extended', data=data, verify=False)
but the error 404 is returned: {"errors": {"error": [{"error-message": "uri keypath not found", "error-tag": "invalid-value", "error-type": "application"}]
What might be the problem?
Thanks
Zeev
12-19-2022 12:29 PM - edited 12-19-2022 12:30 PM
I realize this is two years after the question, but I found this via web search and I believe that adding the solution would make sense.
One needs to use PATCH method with URL of https://ip/restconf/data/Cisco-IOS-XE-native:native/ip/access-list/extended=z120
with contents of
{
  "Cisco-IOS-XE-acl:extended": [
    {
      "name": "z120",
      "access-list-seq-rule": [
        {
          "sequence": "40",
          "ace-rule": {
            "action": "deny",
            "protocol": "tcp",
            "any": [null],
            "src-eq": 1237,
            "dst-any": [null]
          }
        }
      ]
    }
  ]
}
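The PATCH described in this answer, as an added example that is not part of the thread: it builds the URL and body from a GET reply so the whole ace-rule (including "any" and "dst-any") is kept, and sends it with headers, authentication and TLS certificate verification. The host address, the `ca_bundle` parameter, the function names and the second ACE in the sample are assumptions made for illustration.

```python
import json
from urllib.parse import quote

BASE = "/restconf/data/Cisco-IOS-XE-native:native/ip/access-list"
HEADERS = {"Content-Type": "application/yang-data+json",
           "Accept": "application/yang-data+json"}

def acl_url(host, name):
    """URL of one extended ACL; the list key follows '=' and is percent-encoded."""
    return f"https://{host}{BASE}/extended={quote(name, safe='')}"

def patch_body(get_reply, sequence, action):
    """Build the PATCH body from a GET reply, changing one ACE's action.

    The whole ace-rule is copied so keys such as 'any' and 'dst-any' stay present.
    """
    acl = get_reply["Cisco-IOS-XE-acl:extended"]
    for rule in acl["access-list-seq-rule"]:
        if str(rule["sequence"]) == str(sequence):
            ace = dict(rule["ace-rule"], action=action)  # copy, then override action
            return {"Cisco-IOS-XE-acl:extended": [{
                "name": acl["name"],
                "access-list-seq-rule": [{"sequence": rule["sequence"], "ace-rule": ace}],
            }]}
    raise KeyError(f"sequence {sequence} not in ACL {acl['name']}")

def send_patch(host, user, password, body, ca_bundle):
    """Send the PATCH; ca_bundle is a CA file path so the certificate is verified."""
    import requests  # imported here so the builders above work without it
    name = body["Cisco-IOS-XE-acl:extended"][0]["name"]
    resp = requests.patch(acl_url(host, name), headers=HEADERS,
                          auth=requests.auth.HTTPBasicAuth(user, password),
                          data=json.dumps(body), verify=ca_bundle, timeout=10)
    resp.raise_for_status()  # surfaces a 404 such as "uri keypath not found"
    return resp.status_code

# Constructed sample, shaped like the GET reply quoted in the original post.
SAMPLE_GET = {"Cisco-IOS-XE-acl:extended": {"name": "z120", "access-list-seq-rule": [
    {"sequence": "40", "ace-rule": {"action": "permit", "protocol": "tcp",
                                    "any": [None], "src-eq": 1237, "dst-any": [None]}},
    {"sequence": "50", "ace-rule": {"action": "permit", "protocol": "ip",
                                    "any": [None], "dst-any": [None]}},
]}}

if __name__ == "__main__":
    print(acl_url("192.0.2.10", "z120"))  # constructed documentation address
    print(json.dumps(patch_body(SAMPLE_GET, 40, "deny"), indent=2))
```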
12-20-2022 03:53 AM
Hello,
Interesting, thanks for posting. In the original post, I wonder if the error was just a simple typo:
data = "{extended': [{'name': 'z120', 'access-list-seq-rule': [{'sequence': '40', 'ace-rule': {'action': 'deny', 'src-eq': 1237}]}"
response = requests.patch('https://csrIP:443/restconf/data/Cisco-IO-XE-native:native/ip/access-list/Cisco-IOS-XE-acl:extended', data=data, verify=False)
--> the IO misses the S
12-20-2022 12:07 PM - edited 12-20-2022 12:07 PM
Good catch. That would explain the 404 response. But when I tried the data from the original post, it was also rejected, with a different status. The keys "any" and "dst-any" are also missing there.
Anyway, when trying to put it into production and uploading an access list with many entries, the router logs the commands executed in the uploaded order. The resulting ACL, however, is ordered randomly. And I have my doubts about the HW programming but could not confirm. When trying resequence, the numbers are changed into sequence but the order of ACEs stays. Raised a TAC SR today; I suspect one sev2 (order randomized) and one with a lower severity (resequence should fail if the entries are not sorted).