Downloadable ACLs (dACLs)

Synopsis

netapi ise get-dacls [OPTIONS]
netapi ise get-dacl <NAME>
netapi ise create-dacl <NAME> [OPTIONS]
netapi ise delete-dacl <NAME> [OPTIONS]
netapi ise create-dacls-from-file <FILE>

Description

Manage ISE Downloadable ACLs (dACLs). A dACL is a per-session ACL that ISE returns in the RADIUS authorization result; the network device downloads it and applies it to the authenticated host's session, so a mistake in a dACL is enforced on every session that hits an authorization profile referencing it.

On switches, dACLs appear as xACSACLx-IP-<NAME>-<hash>. The hash is generated by ISE from the ACL content and changes whenever the content changes, so an edited dACL shows up on the switch under a new name; sessions authorized before the edit keep the old ACL until they reauthenticate or a CoA is sent.

Output Formats

All commands support multiple output formats via --format. Note the placement in the examples on this page: the flag is given after ise and before the subcommand (netapi ise --format json get-dacls):

Format           Flag            Use Case
Table (default)  --format table  Human-readable terminal output
JSON             --format json   Piping to jq for extraction
YAML             --format yaml   Piping to yq for extraction
XML              --format xml    Piping to xq for extraction

Commands

get-dacls

List all downloadable ACLs.

# Table format (default)
netapi ise get-dacls

# JSON format (pipe to jq)
netapi ise --format json get-dacls | jq '.[].name'

# YAML format
netapi ise --format yaml get-dacls

# Pagination
netapi ise get-dacls --size 50 --page 2
Table 1. Options
Option       Description
--size, -s   Results per page (default: 100, max: 100)
--page, -p   Page number (1-indexed, default: 1)

Because --size cannot exceed 100, a deployment with more than 100 dACLs needs one call per page; keep incrementing --page until a page comes back with fewer than --size results.

Sample Table Output
      Downloadable ACLs (Page 1, Size 100)
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name                      ┃ ID                                   ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ DACL_ADMIN_FULL           │ e8050060-f5ab-11f0-b76e-52c54a1d1f56 │
│ DACL_IOT_RESTRICTED       │ 8a2c1b3f-0000-11f1-0000-000000000000 │
│ DACL_GUEST_INTERNET       │ 9b3d2c4e-0000-11f1-0000-000000000001 │
│ Domus_dACL_Research       │ f5c12340-f5ab-11f0-b76e-52c54a1d1f57 │
│ Domus_dACL_Quarantine     │ f6d23451-f5ab-11f0-b76e-52c54a1d1f58 │
└───────────────────────────┴──────────────────────────────────────┘

Total: 5 results
Sample JSON Output
[
  {
    "id": "e8050060-f5ab-11f0-b76e-52c54a1d1f56",
    "name": "DACL_ADMIN_FULL",
    "description": "Full admin access including management",
    "link": {
      "rel": "self",
      "href": "https://10.50.1.20/ers/config/downloadableacl/e8050060-f5ab-11f0-b76e-52c54a1d1f56",
      "type": "application/json"
    }
  }
]
JSON Extraction Examples
# List all dACL names
netapi ise --format json get-dacls | jq -r '.[].name'

# Count dACLs
netapi ise --format json get-dacls | jq 'length'

# Find dACLs whose name contains "admin" (jq's contains() is case-sensitive, so normalise first)
netapi ise --format json get-dacls | jq '.[] | select(.name | ascii_downcase | contains("admin"))'

get-dacl

Get specific dACL rules.

# Table format (default)
netapi ise get-dacl "DACL_ADMIN_FULL"

# JSON format
netapi ise --format json get-dacl "DACL_ADMIN_FULL"

# YAML format
netapi ise --format yaml get-dacl "DACL_ADMIN_FULL"

# XML format
netapi ise --format xml get-dacl "DACL_ADMIN_FULL"
Sample Table Output
Name: DACL_ADMIN_FULL
ID: e8050060-f5ab-11f0-b76e-52c54a1d1f56
Type: IPV4
Description: Full admin access including management

ACL Content:
--------------------------------------------------
remark Full admin access including management
permit ip any any
Sample JSON Output
{
  "id": "e8050060-f5ab-11f0-b76e-52c54a1d1f56",
  "name": "DACL_ADMIN_FULL",
  "description": "Full admin access including management",
  "dacl": "remark Full admin access including management\npermit ip any any",
  "daclType": "IPV4",
  "link": {
    "rel": "self",
    "href": "https://10.50.1.20/ers/config/downloadableacl/e8050060-f5ab-11f0-b76e-52c54a1d1f56",
    "type": "application/json"
  }
}
Sample YAML Output
id: e8050060-f5ab-11f0-b76e-52c54a1d1f56
name: DACL_ADMIN_FULL
description: Full admin access including management
dacl: 'remark Full admin access including management

  permit ip any any'
daclType: IPV4
link:
  rel: self
  href: https://10.50.1.20/ers/config/downloadableacl/e8050060-f5ab-11f0-b76e-52c54a1d1f56
  type: application/json
JSON Extraction Examples
# Get ACL content only
netapi ise --format json get-dacl "DACL_ADMIN_FULL" | jq -r '.dacl'
# Output:
# remark Full admin access including management
# permit ip any any

# Get IP type
netapi ise --format json get-dacl "DACL_ADMIN_FULL" | jq -r '.daclType'
# Output: IPV4

# Get description
netapi ise --format json get-dacl "DACL_ADMIN_FULL" | jq -r '.description'
# Output: Full admin access including management

create-dacl

Create a new downloadable ACL.

# Simple inline ACL
netapi ise create-dacl "DACL_PERMIT_ALL" --acl "permit ip any any"

# Multi-line ACL (semicolon-separated)
netapi ise create-dacl "DACL_IOT" \
  --acl "permit udp any any eq 53; deny ip any 10.0.0.0 0.255.255.255; permit ip any any"

# From file
netapi ise create-dacl "DACL_SECURE" --file /path/to/dacl.txt

# With description
netapi ise create-dacl "DACL_GUEST" \
  --acl "deny ip any 10.0.0.0 0.255.255.255; permit ip any any" \
  --descr "Guest internet only"

# IPv6 DACL
netapi ise create-dacl "DACL_IPV6_PERMIT" --acl "permit ipv6 any any" --type IPV6
Table 2. Options
Option       Description
--acl, -a    ACL content (single line or semicolon-separated)
--file, -f   File containing ACL content (one rule per line)
--descr, -d  Description
--type, -t   IP type: IPV4, IPV6, IP_AGNOSTIC (default: IPV4)

delete-dacl

Delete a downloadable ACL. Check which authorization profiles still reference it before deleting, and note that sessions already authorized keep the ACL the switch downloaded; the deletion is only felt at the next authorization (reauthentication or CoA).

# With confirmation prompt
netapi ise delete-dacl "DACL_TEST"

# Skip confirmation
netapi ise delete-dacl "DACL_TEST" --force
Table 3. Options
Option       Description
--force, -f  Skip confirmation prompt

create-dacls-from-file

Create multiple DACLs from a YAML file. With --skip-existing, entries whose name already exists in ISE are skipped instead of being created again.

netapi ise create-dacls-from-file dacls.yaml
netapi ise create-dacls-from-file dacls.yaml --skip-existing
YAML File Format
dacls:
  DACL_ADMIN_FULL:
    description: "Full admin access"
    acl: |
      permit ip any any

  DACL_IOT_RESTRICTED:
    description: "IoT devices - internet only"
    acl: |
      permit udp any any eq 53
      deny ip any 10.0.0.0 0.255.255.255
      permit ip any any

  DACL_GUEST_INTERNET:
    description: "Guest - no internal access"
    acl: |
      deny ip any 10.0.0.0 0.255.255.255
      deny ip any 172.16.0.0 0.15.255.255
      deny ip any 192.168.0.0 0.0.255.255
      permit ip any any

Common Pipelines

Export All dACLs to JSON

The list output carries id, name, description and link only, not the rules; use the next pipeline when the rule text is needed.

netapi ise --format json get-dacls > dacls_backup.json

Export Full dACL Content

netapi ise --format json get-dacls | jq -r '.[].name' | while read -r name; do
  echo "=== $name ==="
  netapi ise --format json get-dacl "$name" | jq -r '.dacl'
  echo ""
done > dacls_full_export.txt

Find dACLs with Permit All

# Match whole ACEs only, so a remark that merely mentions "permit ip any any" does not count
netapi ise --format json get-dacls | jq -r '.[].name' | while read -r name; do
  content=$(netapi ise --format json get-dacl "$name" | jq -r '.dacl')
  if echo "$content" | grep -v '^remark' | grep -qx 'permit ip any any'; then
    echo "$name"
  fi
done

Compare dACL on Switch vs ISE

# Get dACL from ISE
DACL_NAME="DACL_ADMIN_FULL"
netapi ise --format json get-dacl "$DACL_NAME" | jq -r '.dacl'

# Compare with switch ACL (SSH to switch). The hash suffix is not visible from
# the ISE side, so find the current name first, then list it:
# show ip access-lists | include xACSACLx-IP-DACL_ADMIN_FULL
# show ip access-list xACSACLx-IP-DACL_ADMIN_FULL-697290bb

Expect cosmetic differences: the switch adds sequence numbers and match counters, prints well-known ports by name (eq domain for eq 53) and does not list remark lines.
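Doing that comparison by eye means mentally stripping sequence numbers, hit counters and the port names IOS substitutes. The script below performs that normalisation and compares the two sides entry by entry, also splitting the switch name into the ISE name and the content hash. It is an added example, not part of netapi or of ISE; the switch listing and the .dacl text inside it are constructed samples standing in for the real command outputs.

```python
"""Compare a dACL as the switch shows it with the content stored in ISE.

Added example; not part of netapi or ISE. SWITCH_OUTPUT and ISE_DACL are
constructed samples standing in for 'show ip access-list ...' on the switch
and for 'netapi ise --format json get-dacl NAME | jq -r .dacl'.
"""
import re
from itertools import zip_longest
from typing import List, Tuple

# Constructed sample: what a Catalyst prints for a downloaded per-user ACL.
SWITCH_OUTPUT = """\
Extended IP access list xACSACLx-IP-DACL_IOT_RESTRICTED-8a2c1b3f (per-user)
    10 permit udp any any eq domain (42 matches)
    20 deny ip any 10.0.0.0 0.255.255.255
    30 permit ip any any (1337 matches)
"""

# Constructed sample: the .dacl field returned by get-dacl for the same ACL.
ISE_DACL = (
    "remark IoT devices - internet only\n"
    "permit udp any any eq 53\n"
    "deny ip any 10.0.0.0 0.255.255.255\n"
    "permit ip any any"
)

# IOS prints well-known ports by name; ISE stores whatever the operator typed.
PORT_NAMES = {"domain": "53", "bootps": "67", "bootpc": "68", "ntp": "123",
              "www": "80", "tftp": "69", "snmp": "161", "syslog": "514"}


def split_switch_name(acl_name: str) -> Tuple[str, str]:
    """Split 'xACSACLx-IP-<NAME>-<hash>' into (NAME, hash).

    The hash is the trailing 8 hex characters, so anchoring on it keeps any
    hyphen that is part of the dACL name itself.
    """
    m = re.fullmatch(r"xACSACLx-IP-(.+)-([0-9a-f]{8})", acl_name)
    if m is None:
        raise ValueError(f"not an ISE dACL name: {acl_name!r}")
    return m.group(1), m.group(2)


def canonical(entry: str) -> str:
    """One ACE in canonical form: single spaces, numeric ports."""
    return " ".join(PORT_NAMES.get(tok, tok) for tok in entry.split())


def parse_switch(text: str) -> Tuple[str, List[str]]:
    """Return (acl name, ACEs) from 'show ip access-list' output, dropping
    sequence numbers and '(N matches)' counters."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = re.match(r"Extended IP access list (\S+)", lines[0])
    if header is None:
        raise ValueError("unexpected header line: " + lines[0])
    aces = []
    for line in lines[1:]:
        line = re.sub(r"\s*\(\d+ matches?\)$", "", line)   # hit counter
        line = re.sub(r"^\d+\s+", "", line)                # sequence number
        aces.append(canonical(line))
    return header.group(1), aces


def parse_ise(dacl: str) -> List[str]:
    """ACEs from the ISE .dacl string. 'remark' lines are dropped because
    'show ip access-list' displays ACEs only, never remarks."""
    return [canonical(ln) for ln in dacl.splitlines()
            if ln.strip() and not ln.strip().startswith("remark")]


def compare(switch_text: str, ise_dacl: str, ise_name: str) -> List[str]:
    """Return a list of differences; an empty list means the switch holds the
    same rules, in the same order, as ISE."""
    acl_name, switch_aces = parse_switch(switch_text)
    name, _hash = split_switch_name(acl_name)
    problems = []
    if name != ise_name:
        problems.append(f"name mismatch: switch has {name!r}, expected {ise_name!r}")
    for i, (sw, ise) in enumerate(zip_longest(switch_aces, parse_ise(ise_dacl)), 1):
        if sw != ise:
            problems.append(f"entry {i}: switch={sw!r} ise={ise!r}")
    return problems


if __name__ == "__main__":
    diffs = compare(SWITCH_OUTPUT, ISE_DACL, "DACL_IOT_RESTRICTED")
    print("in sync" if not diffs else "\n".join(diffs))
```

An extra entry on the ISE side (a rule added after the switch last downloaded the ACL) shows up as a trailing entry with switch=None, which is the usual sign that sessions are still running on the old hash and need a CoA.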

dACL Mapping Reference

When viewing ACLs on the switch vs ISE, the ISE name sits between the xACSACLx-IP- prefix and the trailing 8-hex-character content hash; split on the last hyphen so that a hyphen inside the dACL name is preserved:

Switch Shows                                      ISE dACL Name
xACSACLx-IP-TEST_Medical_Temp_Monitor-697290bb    TEST_Medical_Temp_Monitor
xACSACLx-IP-PERMIT_ALL-57f6b4de                   PERMIT_ALL
xACSACLx-IP-DACL_IOT_RESTRICTED-8a2c1b3f          DACL_IOT_RESTRICTED

Common dACL Patterns

Entries use IOS extended-ACL syntax and are evaluated top-down, first match wins, with an implicit deny after the last entry. Two points specific to dACLs: the source must be any (the switch substitutes the authenticated host's address), and order matters for basic services. In the guest pattern the RFC 1918 denies come before the final permit, so a guest whose DNS resolver or DHCP server sits on an internal subnet needs explicit permits placed above the denies, as the research pattern does.

Permit All

permit ip any any

Deny Management, Permit All Else

deny ip any 10.50.0.0 0.0.0.255
permit ip any any

IoT Restricted (Allow specific subnets only)

permit ip any 10.238.0.0 0.0.255.255
permit udp any any eq 53
permit udp any any eq 123
deny ip any any

Guest Internet Only

deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any

Research Segmentation

remark Allow DNS and DHCP
permit udp any any eq 53
permit udp any any eq 67
permit udp any any eq 68
remark Allow NTP
permit udp any any eq 123
remark Allow research subnet
permit ip any 10.50.100.0 0.0.0.255
remark Deny internal, allow internet
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
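Before one of these patterns goes in with create-dacl it is worth catching the slips that are syntactically valid ACL text but mean something else once the switch applies them: a source other than any, a subnet mask typed where a wildcard mask belongs, an entry shadowed by an earlier ip any any. The linter below encodes those checks and runs them over the patterns above plus one deliberately broken body. It is an added example, not part of netapi or ISE and not a replacement for ISE's own syntax check; the assumptions it bakes in (IOS extended-ACL syntax, first-match evaluation, source must be any) are stated in its docstring.

```python
"""Lint a dACL body before pushing it with create-dacl.

Added example; not part of netapi or ISE, and not a substitute for ISE's own
syntax check. Assumptions: entries use IOS extended-ACL syntax, the list is
evaluated top-down with first match winning, and the source field of a dACL
entry has to be 'any' because the switch substitutes the host's address.
"""
import re
from typing import List, Optional, Tuple

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def ip_int(dotted: str) -> int:
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def is_wildcard(mask: int) -> bool:
    """A wildcard mask is a run of 0 bits followed by a run of 1 bits
    (0.0.0.255, 0.0.255.255, ...). 255.255.255.0 is a subnet mask, a classic slip."""
    return mask == 0 or (mask & (mask + 1)) == 0


def take_address(tokens: List[str]) -> Tuple[str, Optional[int], List[str]]:
    """Consume one address spec; return (spec, wildcard mask or None, remaining)."""
    if tokens[0] == "any":
        return "any", None, tokens[1:]
    if tokens[0] == "host" and len(tokens) > 1 and IPV4.match(tokens[1]):
        return f"host {tokens[1]}", 0, tokens[2:]
    if len(tokens) > 1 and IPV4.match(tokens[0]) and IPV4.match(tokens[1]):
        return f"{tokens[0]} {tokens[1]}", ip_int(tokens[1]), tokens[2:]
    raise ValueError(f"bad address spec near {' '.join(tokens[:2])!r}")


def lint(dacl: str) -> List[str]:
    """Return findings as 'LEVEL line N: message'; an empty list means clean."""
    findings: List[str] = []
    catch_all: Optional[int] = None   # line of the first '<permit|deny> ip any any'
    seen_deny = False
    for n, raw in enumerate(dacl.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0] == "remark":
            continue
        if tokens[0] not in ("permit", "deny") or len(tokens) < 4:
            findings.append(f"ERROR line {n}: not an ACE: {raw.strip()!r}")
            continue
        action, proto = tokens[0], tokens[1]
        try:
            src, _, rest = take_address(tokens[2:])
            dst, dst_mask, _ = take_address(rest)
        except (ValueError, IndexError) as exc:
            findings.append(f"ERROR line {n}: {exc}")
            continue
        if catch_all is not None:
            findings.append(f"WARN line {n}: unreachable, shadowed by 'ip any any' on line {catch_all}")
            continue
        if src != "any":
            findings.append(f"ERROR line {n}: source must be 'any' in a dACL, got {src!r}")
        if dst_mask is not None and not is_wildcard(dst_mask):
            findings.append(f"WARN line {n}: {dst.split()[1]} is not a wildcard mask (subnet mask typed by mistake?)")
        if proto == "ip" and src == "any" and dst == "any":
            catch_all = n
            if action == "permit" and not seen_deny:
                findings.append(f"WARN line {n}: 'permit ip any any' with no deny before it grants unrestricted access")
        seen_deny = seen_deny or action == "deny"
    if catch_all is None:
        findings.append("INFO: no 'ip any any' entry; unmatched traffic hits the implicit deny")
    return findings


# The patterns from this page as constructed inputs, plus a deliberately broken one.
PATTERNS = {
    "Permit All": "permit ip any any",
    "Guest Internet Only": (
        "deny ip any 10.0.0.0 0.255.255.255\n"
        "deny ip any 172.16.0.0 0.15.255.255\n"
        "deny ip any 192.168.0.0 0.0.255.255\n"
        "permit ip any any"
    ),
    "IoT Restricted": (
        "permit ip any 10.238.0.0 0.0.255.255\n"
        "permit udp any any eq 53\n"
        "permit udp any any eq 123\n"
        "deny ip any any"
    ),
    "Broken": (
        "permit ip 10.1.1.0 0.0.0.255 any\n"        # source is not 'any'
        "deny ip any 10.50.0.0 255.255.255.0\n"     # subnet mask, not wildcard
        "permit ip any any\n"
        "permit udp any any eq 53"                  # never reached
    ),
}

if __name__ == "__main__":
    for name, body in PATTERNS.items():
        print(f"{name}: {lint(body) or ['clean']}")
```

The wildcard test is the one most worth keeping: deny ip any 10.50.0.0 255.255.255.0 does not deny the management /24, it denies any address whose last octet is 0, and everything else falls through to permit ip any any.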

Environment Variables

Variable        Description
ISE_PAN_IP      ISE Primary Admin Node IP address
ISE_API_TOKEN   Base64 encoded username:password

Example Setup
export ISE_PAN_IP="10.50.1.20"
read -rsp "ISE password: " ISE_PASS; echo      # no terminal echo, nothing left in shell history
export ISE_API_TOKEN=$(printf '%s' "admin:$ISE_PASS" | base64); unset ISE_PASS

The token is only Base64, not encryption: it is the ERS username and password themselves, so protect it like the password (do not commit it or paste it into tickets). The account needs the ERS Admin role (ERS Operator is enough for the get- commands) and ERS must be enabled on the PAN for the calls to succeed.

See Also