arista.eos.eos_acls – ACLs resource module


Note

This plugin is part of the arista.eos collection (version 1.2.0).

To install it use: ansible-galaxy collection install arista.eos.

To use it in a playbook, specify: arista.eos.eos_acls.


New in version 1.0.0 of arista.eos


Synopsis

  • This module manages the IP access-list attributes of Arista EOS interfaces.

Note

This module has a corresponding action plugin.


Parameters

Parameter Choices/Defaults Comments

config

list / elements=dictionary

A dictionary of IP access-list options

acls

list / elements=dictionary

A list of Access Control Lists (ACL).

aces

list / elements=dictionary

The access control entries (ACEs) that make up the list's filtering rules

destination

dictionary

The packet's destination address

address

string

IP address in dotted-decimal notation

any

boolean

  • no
  • yes

Rule matches all destination addresses

host

string

Host IP address

port_protocol

dictionary

Specify the destination port/protocol together with an operator (applies to tcp/udp).

subnet_address

string

A subnet address

wildcard_bits

string

Destination wildcard bits

fragment_rules

boolean

  • no
  • yes

Add fragment rules

fragments

boolean

  • no
  • yes

Match non-head fragment packets

grant

string

  • permit
  • deny

Action to be applied on the rule

hop_limit

dictionary

Hop limit value.

line

string

For fact gathering, any ACE that is not fully parsed will show up as the value of this attribute.


aliases: ace

log

boolean

  • no
  • yes

Log matches against this rule

protocol

string

Specify the protocol to match.

Refer to vendor documentation for valid values.

protocol_options

dictionary

All the possible sub options for the protocol chosen.

icmp

dictionary

Internet Control Message Protocol settings.

administratively_prohibited

boolean

  • no
  • yes

Administratively prohibited

alternate_address

boolean

  • no
  • yes

Alternate address

conversion_error

boolean

  • no
  • yes

Datagram conversion

dod_host_prohibited

boolean

  • no
  • yes

Host prohibited

dod_net_prohibited

boolean

  • no
  • yes

Net prohibited

echo

boolean

  • no
  • yes

Echo (ping)

echo_reply

boolean

  • no
  • yes

Echo reply

general_parameter_problem

boolean

  • no
  • yes

Parameter problem

host_isolated

boolean

  • no
  • yes

Host isolated

host_precedence_unreachable

boolean

  • no
  • yes

Host unreachable for precedence

host_redirect

boolean

  • no
  • yes

Host redirect

host_tos_redirect

boolean

  • no
  • yes

Host redirect for TOS

host_tos_unreachable

boolean

  • no
  • yes

Host unreachable for TOS

host_unknown

boolean

  • no
  • yes

Host unknown

host_unreachable

boolean

  • no
  • yes

Host unreachable

information_reply

boolean

  • no
  • yes

Information replies

information_request

boolean

  • no
  • yes

Information requests

mask_reply

boolean

  • no
  • yes

Mask replies

mask_request

boolean

  • no
  • yes

Mask requests

message_code

integer

ICMP message code

message_num

integer

ICMP message type number.

message_type

integer

ICMP message type

mobile_redirect

boolean

  • no
  • yes

Mobile host redirect

net_redirect

boolean

  • no
  • yes

Network redirect

net_tos_redirect

boolean

  • no
  • yes

Net redirect for TOS

net_tos_unreachable

boolean

  • no
  • yes

Network unreachable for TOS

net_unreachable

boolean

  • no
  • yes

Net unreachable

network_unknown

boolean

  • no
  • yes

Network unknown

no_room_for_option

boolean

  • no
  • yes

Parameter required but no room

option_missing

boolean

  • no
  • yes

Parameter required but not present

packet_too_big

boolean

  • no
  • yes

Fragmentation needed and DF set

parameter_problem

boolean

  • no
  • yes

All parameter problems

port_unreachable

boolean

  • no
  • yes

Port unreachable

precedence_unreachable

boolean

  • no
  • yes

Precedence cutoff

protocol_unreachable

boolean

  • no
  • yes

Protocol unreachable

reassembly_timeout

boolean

  • no
  • yes

Reassembly timeout

redirect

boolean

  • no
  • yes

All redirects

router_advertisement

boolean

  • no
  • yes

Router discovery advertisements

router_solicitation

boolean

  • no
  • yes

Router discovery solicitations

source_quench

boolean

  • no
  • yes

Source quenches

source_route_failed

boolean

  • no
  • yes

Source route failed

time_exceeded

boolean

  • no
  • yes

All time exceededs

timestamp_reply

boolean

  • no
  • yes

Timestamp replies

timestamp_request

boolean

  • no
  • yes

Timestamp requests

traceroute

boolean

  • no
  • yes

Traceroute

ttl_exceeded

boolean

  • no
  • yes

TTL exceeded

unreachable

boolean

  • no
  • yes

All unreachables

icmpv6

dictionary

Options for icmpv6.

address_unreachable

boolean

  • no
  • yes

Address unreachable

beyond_scope

boolean

  • no
  • yes

Beyond scope

echo_reply

boolean

  • no
  • yes

Echo reply

echo_request

boolean

  • no
  • yes

Echo request

erroneous_header

boolean

  • no
  • yes

Erroneous header

fragment_reassembly_exceeded

boolean

  • no
  • yes

Fragment reassembly exceeded

hop_limit_exceeded

boolean

  • no
  • yes

Hop limit exceeded

neighbor_advertisement

boolean

  • no
  • yes

Neighbor advertisement

neighbor_solicitation

boolean

  • no
  • yes

Neighbor solicitation

no_admin

boolean

  • no
  • yes

No admin

no_route

boolean

  • no
  • yes

No route

packet_too_big

boolean

  • no
  • yes

Packet too big

parameter_problem

boolean

  • no
  • yes

Parameter problem

port_unreachable

boolean

  • no
  • yes

Port unreachable

redirect_message

boolean

  • no
  • yes

Redirect message

reject_route

boolean

  • no
  • yes

Reject route

router_advertisement

boolean

  • no
  • yes

Router advertisement

router_solicitation

boolean

  • no
  • yes

Router solicitation

source_address_failed

boolean

  • no
  • yes

Source address failed

source_routing_error

boolean

  • no
  • yes

Source routing error

time_exceeded

boolean

  • no
  • yes

Time exceeded

unreachable

boolean

  • no
  • yes

Unreachable

unrecognized_ipv6_option

boolean

  • no
  • yes

Unrecognized IPv6 option

unrecognized_next_header

boolean

  • no
  • yes

Unrecognized next header

ip

dictionary

Internet Protocol.

nexthop_group

string

Nexthop-group name.

ipv6

dictionary

Internet Protocol version 6.

nexthop_group

string

Nexthop-group name.

tcp

dictionary

Options for tcp protocol.

flags

dictionary

Match TCP packet flags

ack

boolean

  • no
  • yes

Match on the ACK bit

established

boolean

  • no
  • yes

Match established connections

fin

boolean

  • no
  • yes

Match on the FIN bit

psh

boolean

  • no
  • yes

Match on the PSH bit

rst

boolean

  • no
  • yes

Match on the RST bit

syn

boolean

  • no
  • yes

Match on the SYN bit

urg

boolean

  • no
  • yes

Match on the URG bit

remark

string

Specify a comment

sequence

integer

Sequence number of the rule within the ordered list of rules

source

dictionary

The packet's source address

address

string

IP address in dotted-decimal notation

any

boolean

  • no
  • yes

Rule matches all source addresses

host

string

Host IP address

port_protocol

dictionary

Specify the source port/protocol together with an operator (applies to tcp/udp).

subnet_address

string

A subnet address

wildcard_bits

string

Source wildcard bits

tracked

boolean

  • no
  • yes

Match packets in existing ICMP/UDP/TCP connections

ttl

dictionary

Compares the TTL (time-to-live) value in the packet to a specified value

eq

integer

Match a single TTL value

gt

integer

Match TTL greater than this number

lt

integer

Match TTL less than this number

neq

integer

Match TTL not equal to this value

vlan

string

VLAN options

name

string / required

Name of the access list

standard

boolean

  • no
  • yes

Whether this is a standard access list

afi

string / required

  • ipv4
  • ipv6

The Address Family Indicator (AFI) for the Access Control Lists (ACL).

running_config

string

This option is used only with state parsed.

The value of this option should be the output received from the EOS device by executing the command show running-config | section access-list.

The state parsed reads the configuration from the running_config option and transforms it into Ansible structured data as per the resource module's argspec; the result is returned in the parsed key of the module's return value.

state

string

  • deleted
  • merged
  • overridden
  • replaced
  • gathered
  • rendered
  • parsed

The state the configuration should be left in.



Notes

Note

  • Tested against Arista vEOS v4.20.10M


Examples

# Using merged

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge provided configuration with device configuration
  arista.eos.eos_acls:
    config:
    - afi: ipv4
      acls:
      - name: test1
        aces:
        - sequence: 35
          grant: deny
          protocol: ospf
          source:
            subnet_address: 20.0.0.0/8
          destination:
            any: true
    state: merged

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

# Using merged

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge to update the given configuration with an existing ace
  arista.eos.eos_acls:
    config:
    - afi: ipv4
      acls:
      - name: test1
        aces:
        - sequence: 35
          log: true
          ttl:
            eq: 33
    state: merged

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any ttl eq 33 log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

# Using replaced

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20



- name: Replace device configuration with provided configuration
  arista.eos.eos_acls:
    config:
    - afi: ipv4
      acls:
      - name: test1
        aces:
        - sequence: 35
          grant: permit
          protocol: ospf
          source:
            subnet_address: 20.0.0.0/8
          destination:
            any: true
    state: replaced

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20


# Using overridden

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20



- name: Override device configuration with provided configuration
  arista.eos.eos_acls:
    config:
    - afi: ipv4
      acls:
      - name: test1
        aces:
        - sequence: 35
          grant: permit
          protocol: ospf
          source:
            subnet_address: 20.0.0.0/8
          destination:
            any: true
    state: overridden

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !

# Using deleted:

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

# !

- name: Delete provided configuration
  arista.eos.eos_acls:
    config:
    - afi: ipv4
    state: deleted

# After state:
# ------------
#
# show running-config | section access-list

# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20



# Using deleted (a single ACL)

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

# !

- name: Delete provided configuration
  arista.eos.eos_acls:
    config:
    - afi: ipv4
      acls:
      - name: test1
    state: deleted

# After state:
# ------------
#
# show running-config | section access-list

# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20


# using gathered

# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ip access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log

- name: Gather the existing configuration
  arista.eos.eos_acls:
    state: gathered

# returns:


#  arista.eos.eos_acls:
#    config:
#     - afi: "ipv4"
#       acls:
#        - name: test1
#          aces:
#          - sequence: 35
#            grant: "deny"
#            protocol: "ospf"
#            source:
#              subnet_address: 20.0.0.0/8
#            destination:
#              any: true
#     - afi: "ipv6"
#       acls:
#        - name: test2
#          aces:
#           - sequence: 40
#             grant: "permit"
#             vlan: "55 0xE2"
#             protocol: "icmpv6"
#             log: true
#             source:
#               any: true
#             destination:
#               any: true


# using rendered

- name: Render provided configuration
  arista.eos.eos_acls:
    config:
    - afi: ipv4
      acls:
      - name: test1
        aces:
        - sequence: 35
          grant: deny
          protocol: ospf
          source:
            subnet_address: 20.0.0.0/8
          destination:
            any: true
    - afi: ipv6
      acls:
      - name: test2
        aces:
        - sequence: 40
          grant: permit
          vlan: 55 0xE2
          protocol: icmpv6
          log: true
          source:
            any: true
          destination:
            any: true
    state: rendered

# returns:

# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ip access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log


# Using parsed

# parsed_acls.cfg

# ipv6 access-list standard test2
#    10 permit any log
# !
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
#    45 remark Run by ansible
#    55 permit tcp any any
# !

- name: parse configs
  arista.eos.eos_acls:
    running_config: "{{ lookup('file', './parsed_acls.cfg') }}"
    state: parsed

# returns
# "parsed": [
#         {
#             "acls": [
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "any": true
#                             },
#                             "grant": "deny",
#                             "protocol": "ospf",
#                             "sequence": 35,
#                             "source": {
#                                 "subnet_address": "20.0.0.0/8"
#                             }
#                         },
#                         {
#                             "remark": "Run by ansible",
#                             "sequence": 45
#                         },
#                         {
#                             "destination": {
#                                 "any": true
#                             },
#                             "grant": "permit",
#                             "protocol": "tcp",
#                             "sequence": 55,
#                             "source": {
#                                 "any": true
#                             }
#                         }
#                     ],
#                     "name": "test1"
#                 }
#             ],
#             "afi": "ipv4"
#         },
#         {
#             "acls": [
#                 {
#                     "aces": [
#                         {
#                             "grant": "permit",
#                             "log": true,
#                             "sequence": 10,
#                             "source": {
#                                 "any": true
#                             }
#                         }
#                     ],
#                     "name": "test2",
#                     "standard": true
#                 }
#             ],
#             "afi": "ipv6"
#         }
#     ]
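The parsed state above turns `show running-config | section access-list` text into the module's argspec structure. The following is an added example, not the arista.eos collection's own parser: it implements that transformation for the ACE grammar the page shows (remarks, standard and extended entries, any/host/prefix/wildcard endpoints, log, ttl) and, like the module's fact gathering, keeps anything it cannot parse verbatim under `line` so that no rule silently disappears from an audit. The hop_limit keys mirroring ttl's is an assumption.

```python
# Added example, not the arista.eos collection's own parser: turn the text that the
# running_config option expects (show running-config | section access-list) into argspec form.
import re

ACL_HDR = re.compile(r"^(ip|ipv6) access-list (standard )?(\S+)$")
SAMPLE_CFG = (  # constructed sample, copied from the parsed_acls.cfg shown above
    "ipv6 access-list standard test2\n   10 permit any log\n!\nip access-list test1\n"
    "   35 deny ospf 20.0.0.0/8 any\n   45 remark Run by ansible\n   55 permit tcp any any\n")

def _endpoint(tokens):  # consume one address spec: any | host A | A/len | A WILDCARD
    tok = tokens.pop(0)
    if tok == "any":
        return {"any": True}
    if tok == "host":
        return {"host": tokens.pop(0)}
    if "/" in tok:
        return {"subnet_address": tok}
    return {"address": tok, "wildcard_bits": tokens.pop(0)}

def _parse_ace(line, standard):
    seq, *tokens = line.split()
    if tokens[0] == "remark":
        return {"sequence": int(seq), "remark": " ".join(tokens[1:])}
    ace = {"sequence": int(seq), "grant": tokens.pop(0)}
    try:
        if not standard:  # a standard ACL carries no protocol and no destination
            ace["protocol"] = tokens.pop(0)
        ace["source"] = _endpoint(tokens)
        if not standard:
            ace["destination"] = _endpoint(tokens)
        while tokens:
            tok = tokens.pop(0)
            if tok == "log":
                ace["log"] = True
            elif tok in ("ttl", "hop-limit"):  # hop_limit assumed to mirror ttl's keys
                op = tokens.pop(0)
                ace[tok.replace("-", "_")] = {op: int(tokens.pop(0))}
            else:
                raise ValueError(tok)
    except (ValueError, IndexError):
        # Anything outside this grammar (port operators, TCP flags, ...) is kept verbatim
        # under "line", as the module's fact gathering does, so it stays visible for review.
        return {"sequence": int(seq), "line": line.split(None, 1)[1]}
    return ace

def parse_acls(running_config):  # -> [{"afi": ..., "acls": [...]}, ...], ipv4 before ipv6
    by_afi, acl = {"ipv4": [], "ipv6": []}, None
    for line in (raw.strip() for raw in running_config.splitlines()):
        if not line or line == "!":
            continue
        m = ACL_HDR.match(line)
        if m:
            acl = {"name": m.group(3), "aces": []}
            if m.group(2):
                acl["standard"] = True
            by_afi["ipv4" if m.group(1) == "ip" else "ipv6"].append(acl)
        else:
            acl["aces"].append(_parse_ace(line, acl.get("standard", False)))
    return [{"afi": afi, "acls": acls} for afi, acls in by_afi.items() if acls]
```

Any ACE that comes back with a `line` key (for example the `30 deny tcp host 10.10.20.1 eq finger www any syn log` entry from the earlier examples, whose port operators and TCP flags this grammar does not cover) is one the reviewer has to read by hand rather than trust a structured diff on.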

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key Returned Description

after

list / elements=string

when changed

The resulting configuration model invocation.


Sample:

The configuration returned will always be in the same format of the parameters above.

before

list / elements=string

always

The configuration prior to the model invocation.


Sample:

The configuration returned will always be in the same format of the parameters above.

commands

list / elements=string

always

The set of commands pushed to the remote device.


Sample:

['ipv6 access-list standard test2', '10 permit any log', 'ip access-list test1', '35 deny ospf 20.0.0.0/8 any', '45 remark Run by ansible', '55 permit tcp any any']




Authors

  • Gomathiselvi S (@GomathiselviS)

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/arista/eos/eos_acls_module.html