arista.eos.eos_acls – ACLs resource module
Note
This plugin is part of the arista.eos collection (version 1.2.0).
To install it use: ansible-galaxy collection install arista.eos.
To use it in a playbook, specify: arista.eos.eos_acls.
New in version 1.0.0 of arista.eos
Synopsis
- This module manages the IP access-list attributes of Arista EOS interfaces.
Parameters
Nested options are shown as dotted paths (for example config.acls.aces.grant is the grant option of one entry in aces); the type follows the name in parentheses.

Parameter | Comments
---|---
config (list / elements=dictionary) | A dictionary of IP access-list options
config.acls (list / elements=dictionary) | A list of Access Control Lists (ACL).
config.acls.aces (list / elements=dictionary) | Filtering data
config.acls.aces.destination (dictionary) | The packet's destination address
config.acls.aces.destination.address (string) | dotted decimal notation of IP address
config.acls.aces.destination.any (boolean) | Rule matches all source addresses
config.acls.aces.destination.host (string) | Host IP address
config.acls.aces.destination.port_protocol (dictionary) | Specify destination port/protocol, along with operator (comes with tcp/udp).
config.acls.aces.destination.subnet_address (string) | A subnet address
config.acls.aces.destination.wildcard_bits (string) | Source wildcard bits
config.acls.aces.fragment_rules (boolean) | Add fragment rules
config.acls.aces.fragments (boolean) | Match non-head fragment packets
config.acls.aces.grant (string) | Action to be applied on the rule
config.acls.aces.hop_limit (dictionary) | Hop limit value.
config.acls.aces.line (string) | For fact gathering, any ACE that is not fully parsed will show up as a value of this attribute.
config.acls.aces.log (boolean) | Log matches against this rule
config.acls.aces.protocol (string) | Specify the protocol to match. Refer to vendor documentation for valid values.
config.acls.aces.protocol_options (dictionary) | All the possible sub options for the protocol chosen.
config.acls.aces.protocol_options.icmp (dictionary) | Internet Control Message Protocol settings.
config.acls.aces.protocol_options.icmp.administratively_prohibited (boolean) | Administratively prohibited
config.acls.aces.protocol_options.icmp.alternate_address (boolean) | Alternate address
config.acls.aces.protocol_options.icmp.conversion_error (boolean) | Datagram conversion
config.acls.aces.protocol_options.icmp.dod_host_prohibited (boolean) | Host prohibited
config.acls.aces.protocol_options.icmp.dod_net_prohibited (boolean) | Net prohibited
config.acls.aces.protocol_options.icmp.echo (boolean) | Echo (ping)
config.acls.aces.protocol_options.icmp.echo_reply (boolean) | Echo reply
config.acls.aces.protocol_options.icmp.general_parameter_problem (boolean) | Parameter problem
config.acls.aces.protocol_options.icmp.host_isolated (boolean) | Host isolated
config.acls.aces.protocol_options.icmp.host_precedence_unreachable (boolean) | Host unreachable for precedence
config.acls.aces.protocol_options.icmp.host_redirect (boolean) | Host redirect
config.acls.aces.protocol_options.icmp.host_tos_redirect (boolean) | Host redirect for TOS
config.acls.aces.protocol_options.icmp.host_tos_unreachable (boolean) | Host unreachable for TOS
config.acls.aces.protocol_options.icmp.host_unknown (boolean) | Host unknown
config.acls.aces.protocol_options.icmp.host_unreachable (boolean) | Host unreachable
config.acls.aces.protocol_options.icmp.information_reply (boolean) | Information replies
config.acls.aces.protocol_options.icmp.information_request (boolean) | Information requests
config.acls.aces.protocol_options.icmp.mask_reply (boolean) | Mask replies
config.acls.aces.protocol_options.icmp.mask_request (boolean) | Mask requests
config.acls.aces.protocol_options.icmp.message_code (integer) | ICMP message code
config.acls.aces.protocol_options.icmp.message_num (integer) | ICMP message type number.
config.acls.aces.protocol_options.icmp.message_type (integer) | ICMP message type
config.acls.aces.protocol_options.icmp.mobile_redirect (boolean) | Mobile host redirect
config.acls.aces.protocol_options.icmp.net_redirect (boolean) | Network redirect
config.acls.aces.protocol_options.icmp.net_tos_redirect (boolean) | Net redirect for TOS
config.acls.aces.protocol_options.icmp.net_tos_unreachable (boolean) | Network unreachable for TOS
config.acls.aces.protocol_options.icmp.net_unreachable (boolean) | Net unreachable
config.acls.aces.protocol_options.icmp.network_unknown (boolean) | Network unknown
config.acls.aces.protocol_options.icmp.no_room_for_option (boolean) | Parameter required but no room
config.acls.aces.protocol_options.icmp.option_missing (boolean) | Parameter required but not present
config.acls.aces.protocol_options.icmp.packet_too_big (boolean) | Fragmentation needed and DF set
config.acls.aces.protocol_options.icmp.parameter_problem (boolean) | All parameter problems
config.acls.aces.protocol_options.icmp.port_unreachable (boolean) | Port unreachable
config.acls.aces.protocol_options.icmp.precedence_unreachable (boolean) | Precedence cutoff
config.acls.aces.protocol_options.icmp.protocol_unreachable (boolean) | Protocol unreachable
config.acls.aces.protocol_options.icmp.reassembly_timeout (boolean) | Reassembly timeout
config.acls.aces.protocol_options.icmp.redirect (boolean) | All redirects
config.acls.aces.protocol_options.icmp.router_advertisement (boolean) | Router discovery advertisements
config.acls.aces.protocol_options.icmp.router_solicitation (boolean) | Router discovery solicitations
config.acls.aces.protocol_options.icmp.source_quench (boolean) | Source quenches
config.acls.aces.protocol_options.icmp.source_route_failed (boolean) | Source route failed
config.acls.aces.protocol_options.icmp.time_exceeded (boolean) | All time-exceeded messages
config.acls.aces.protocol_options.icmp.timestamp_reply (boolean) | Timestamp replies
config.acls.aces.protocol_options.icmp.timestamp_request (boolean) | Timestamp requests
config.acls.aces.protocol_options.icmp.traceroute (boolean) | Traceroute
config.acls.aces.protocol_options.icmp.ttl_exceeded (boolean) | TTL exceeded
config.acls.aces.protocol_options.icmp.unreachable (boolean) | All unreachables
config.acls.aces.protocol_options.icmpv6 (dictionary) | Options for icmpv6.
config.acls.aces.protocol_options.icmpv6.address_unreachable (boolean) | Address unreachable
config.acls.aces.protocol_options.icmpv6.beyond_scope (boolean) | Beyond scope
config.acls.aces.protocol_options.icmpv6.echo_reply (boolean) | Echo reply
config.acls.aces.protocol_options.icmpv6.echo_request (boolean) | Echo request
config.acls.aces.protocol_options.icmpv6.erroneous_header (boolean) | Erroneous header
config.acls.aces.protocol_options.icmpv6.fragment_reassembly_exceeded (boolean) | Fragment reassembly exceeded
config.acls.aces.protocol_options.icmpv6.hop_limit_exceeded (boolean) | Hop limit exceeded
config.acls.aces.protocol_options.icmpv6.neighbor_advertisement (boolean) | Neighbor advertisement
config.acls.aces.protocol_options.icmpv6.neighbor_solicitation (boolean) | Neighbor solicitation
config.acls.aces.protocol_options.icmpv6.no_admin (boolean) | No admin
config.acls.aces.protocol_options.icmpv6.no_route (boolean) | No route
config.acls.aces.protocol_options.icmpv6.packet_too_big (boolean) | Packet too big
config.acls.aces.protocol_options.icmpv6.parameter_problem (boolean) | Parameter problem
config.acls.aces.protocol_options.icmpv6.port_unreachable (boolean) | Port unreachable
config.acls.aces.protocol_options.icmpv6.redirect_message (boolean) | Redirect message
config.acls.aces.protocol_options.icmpv6.reject_route (boolean) | Reject route
config.acls.aces.protocol_options.icmpv6.router_advertisement (boolean) | Router advertisement
config.acls.aces.protocol_options.icmpv6.router_solicitation (boolean) | Router solicitation
config.acls.aces.protocol_options.icmpv6.source_address_failed (boolean) | Source address failed
config.acls.aces.protocol_options.icmpv6.source_routing_error (boolean) | Source routing error
config.acls.aces.protocol_options.icmpv6.time_exceeded (boolean) | Time exceeded
config.acls.aces.protocol_options.icmpv6.unreachable (boolean) | Unreachable
config.acls.aces.protocol_options.icmpv6.unrecognized_ipv6_option (boolean) | Unrecognized IPv6 option
config.acls.aces.protocol_options.icmpv6.unrecognized_next_header (boolean) | Unrecognized next header
config.acls.aces.protocol_options.ip (dictionary) | Internet Protocol.
config.acls.aces.protocol_options.ip.nexthop_group (string) | Nexthop-group name.
config.acls.aces.protocol_options.ipv6 (dictionary) | Internet Protocol version 6.
config.acls.aces.protocol_options.ipv6.nexthop_group (string) | Nexthop-group name.
config.acls.aces.protocol_options.tcp (dictionary) | Options for tcp protocol.
config.acls.aces.protocol_options.tcp.flags (dictionary) | Match TCP packet flags
config.acls.aces.protocol_options.tcp.flags.ack (boolean) | Match on the ACK bit
config.acls.aces.protocol_options.tcp.flags.established (boolean) | Match established connections
config.acls.aces.protocol_options.tcp.flags.fin (boolean) | Match on the FIN bit
config.acls.aces.protocol_options.tcp.flags.psh (boolean) | Match on the PSH bit
config.acls.aces.protocol_options.tcp.flags.rst (boolean) | Match on the RST bit
config.acls.aces.protocol_options.tcp.flags.syn (boolean) | Match on the SYN bit
config.acls.aces.protocol_options.tcp.flags.urg (boolean) | Match on the URG bit
config.acls.aces.remark (string) | Specify a comment
config.acls.aces.sequence (integer) | Sequence number for the ordered list of rules
config.acls.aces.source (dictionary) | The packet's source address
config.acls.aces.source.address (string) | dotted decimal notation of IP address
config.acls.aces.source.any (boolean) | Rule matches all source addresses
config.acls.aces.source.host (string) | Host IP address
config.acls.aces.source.port_protocol (dictionary) | Specify source port/protocol, along with operator (comes with tcp/udp).
config.acls.aces.source.subnet_address (string) | A subnet address
config.acls.aces.source.wildcard_bits (string) | Source wildcard bits
config.acls.aces.tracked (boolean) | Match packets in existing ICMP/UDP/TCP connections
config.acls.aces.ttl (dictionary) | Compares the TTL (time-to-live) value in the packet to a specified value
config.acls.aces.ttl.eq (integer) | Match a single TTL value
config.acls.aces.ttl.gt (integer) | Match TTL greater than this number
config.acls.aces.ttl.lt (integer) | Match TTL less than this number
config.acls.aces.ttl.neq (integer) | Match TTL not equal to this value
config.acls.aces.vlan (string) | Vlan options
config.acls.name (string / required) | Name of the acl-list
config.acls.standard (boolean) | Standard access-list or not
config.afi (string / required) | The Address Family Indicator (AFI) for the Access Control Lists (ACL).
running_config (string) | This option is used only with state parsed. The value of this option should be the output received from the EOS device by executing the command show running-config \| section access-list. The state parsed reads the configuration from
state (string) | The state the configuration should be left in.
Notes
- Tested against Arista vEOS v4.20.10M
Examples
```yaml
# Using merged

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge provided configuration with device configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: deny
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: merged

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
```
```yaml
# Using merged to update an existing ACE

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge to update the given configuration with an existing ace
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                log: true
                ttl:
                  eq: 33
    state: merged

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any ttl eq 33 log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
```
```yaml
# Using replaced

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Replace device configuration with provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: permit
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: replaced

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
```
```yaml
# Using overridden

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Override device configuration with provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: permit
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: overridden

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !
```
```yaml
# Using deleted (an entire address family)

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
# !

- name: Delete provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
    state: deleted

# After state:
# ------------
#
# show running-config | section access-list
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
```
```yaml
# Using deleted (one named ACL)

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
# !

- name: Delete provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
    state: deleted

# After state:
# ------------
#
# show running-config | section access-list
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
```
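The examples above show the outcome of each state on one device, but the difference between merged, replaced, overridden and deleted is easier to see side by side. The following is an added example, not code from the arista.eos collection: a small in-memory model of how each state combines the ACLs the device already has with the playbook's config, built from the before-state of the replaced and overridden examples. The ACE dictionaries are constructed here in the module's own attribute names (the port match on ACE 30 is left out to keep the sample short); the real module computes CLI commands from the same comparison, which this model does not attempt.

```python
"""Added example, not part of the arista.eos collection: an in-memory model
of how the eos_acls `state` values combine what the device already has with
the playbook's `config`.  Layout: have[afi][acl_name][sequence] -> ACE dict
using the module's attribute names."""
import copy


def ace(grant, protocol, source, destination, **extra):
    """Build an ACE dict in the module's attribute names."""
    entry = {"grant": grant, "protocol": protocol,
             "source": source, "destination": destination}
    entry.update(extra)
    return entry


# Constructed from the page's "Before state" for replaced/overridden.  The
# "eq finger www" port match on ACE 30 is omitted to keep the sample short.
BEFORE = {
    "ipv4": {
        "test1": {
            10: ace("permit", "ip", {"subnet_address": "10.10.10.0/24"},
                    {"any": True}, ttl={"eq": 200}),
            20: ace("permit", "ip", {"subnet_address": "10.30.10.0/24"},
                    {"host": "10.20.10.1"}),
            30: ace("deny", "tcp", {"host": "10.10.20.1"}, {"any": True},
                    protocol_options={"tcp": {"flags": {"syn": True}}},
                    log=True),
            40: ace("permit", "ip", {"any": True}, {"any": True}),
        },
        "test3": {
            10: ace("permit", "ip", {"subnet_address": "35.33.0.0/16"},
                    {"any": True}, log=True),
        },
    },
    "ipv6": {
        "test2": {
            10: ace("deny", "icmpv6", {"any": True}, {"any": True},
                    protocol_options={"icmpv6": {"reject_route": True}},
                    hop_limit={"eq": 20}),
        },
    },
}

# The `config` of the page's two merged examples: first a new ACE 35, then a
# follow-up that only adds attributes to the same sequence number.
WANT_MERGE = {"ipv4": {"test1": {
    35: ace("deny", "ospf", {"subnet_address": "20.0.0.0/8"}, {"any": True})}}}
WANT_MERGE_UPDATE = {"ipv4": {"test1": {35: {"log": True, "ttl": {"eq": 33}}}}}
# The `config` of the replaced and overridden examples (ACE 35, permit ospf).
WANT_REPLACE = {"ipv4": {"test1": {
    35: ace("permit", "ospf", {"subnet_address": "20.0.0.0/8"}, {"any": True})}}}


def apply_state(have, want, state):
    """Return the ACL configuration the device holds after the module runs
    with `want` as config and the given `state`.  `have` is left unchanged."""
    have = copy.deepcopy(have)
    if state == "merged":
        # attributes are added to existing ACEs; nothing is removed
        for afi, acls in want.items():
            for name, aces in acls.items():
                target = have.setdefault(afi, {}).setdefault(name, {})
                for seq, attrs in aces.items():
                    target.setdefault(seq, {}).update(copy.deepcopy(attrs))
    elif state == "replaced":
        # only the ACLs named in `want` are rewritten; the rest stay as-is
        for afi, acls in want.items():
            for name, aces in acls.items():
                have.setdefault(afi, {})[name] = copy.deepcopy(aces)
    elif state == "overridden":
        # the device ends up with exactly `want`, across every address family
        have = copy.deepcopy(want)
    elif state == "deleted":
        # an afi given without acls removes every ACL of that family;
        # a named ACL removes just that list
        for afi, acls in want.items():
            if not acls:
                have.pop(afi, None)
            for name in acls:
                have.get(afi, {}).pop(name, None)
    else:
        raise ValueError("unsupported state: %s" % state)
    return have


if __name__ == "__main__":
    for state, want in [("merged", WANT_MERGE), ("replaced", WANT_REPLACE),
                        ("overridden", WANT_REPLACE), ("deleted", {"ipv4": {}})]:
        after = apply_state(BEFORE, want, state)
        print(state, {afi: {n: sorted(a) for n, a in acls.items()}
                      for afi, acls in after.items()})
```

Running the script prints, for each state, which sequence numbers survive in which ACL; replaced keeps test3 and the IPv6 list while overridden drops them, which is the distinction that most often surprises people the first time they switch from one to the other.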
```yaml
# Using gathered

# Before state:
# -------------
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ip access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log

- name: Gather the existing configuration
  arista.eos.eos_acls:
    state: gathered

# returns:
# arista.eos.eos_acls:
#   config:
#     - afi: "ipv4"
#       acls:
#         - name: test1
#           aces:
#             - sequence: 35
#               grant: "deny"
#               protocol: "ospf"
#               source:
#                 subnet_address: 20.0.0.0/8
#               destination:
#                 any: true
#     - afi: "ipv6"
#       acls:
#         - name: test2
#           aces:
#             - sequence: 40
#               grant: "permit"
#               vlan: "55 0xE2"
#               protocol: "icmpv6"
#               log: true
#               source:
#                 any: true
#               destination:
#                 any: true
```
```yaml
# Using rendered

- name: Render the provided configuration as device commands
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: deny
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
      - afi: ipv6
        acls:
          - name: test2
            aces:
              - sequence: 40
                grant: permit
                vlan: 55 0xE2
                protocol: icmpv6
                log: true
                source:
                  any: true
                destination:
                  any: true
    state: rendered

# returns:
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ip access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log
```
```yaml
# Using parsed

# parsed_acls.cfg
# ipv6 access-list standard test2
#    10 permit any log
# !
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
#    45 remark Run by ansible
#    55 permit tcp any any
# !

- name: Parse the ACL section of a saved running-config
  arista.eos.eos_acls:
    running_config: "{{ lookup('file', './parsed_acls.cfg') }}"
    state: parsed

# returns
# "parsed": [
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "destination": {
#               "any": true
#             },
#             "grant": "deny",
#             "protocol": "ospf",
#             "sequence": 35,
#             "source": {
#               "subnet_address": "20.0.0.0/8"
#             }
#           },
#           {
#             "remark": "Run by ansible",
#             "sequence": 45
#           },
#           {
#             "destination": {
#               "any": true
#             },
#             "grant": "permit",
#             "protocol": "tcp",
#             "sequence": 55,
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "name": "test1"
#       }
#     ],
#     "afi": "ipv4"
#   },
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "grant": "permit",
#             "log": true,
#             "sequence": 10,
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "name": "test2",
#         "standard": true
#       }
#     ],
#     "afi": "ipv6"
#   }
# ]
```
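The parsed and rendered states translate between the CLI text of the access-list section and the module's data model. The following added example (my own code, not the collection's parser; it understands only the ACE syntax that appears on this page: permit/deny, remark, any/host/prefix addresses, log and ttl) performs the same translation in both directions on the parsed_acls.cfg sample, and adds the check a reviewer of gathered facts usually runs first: which entries permit traffic from any source to any destination. Anything the parser cannot fully read is kept verbatim under line, which is how the module's documentation says unparsed ACEs surface in gathered facts. The sample text, the test9 list and the afi mapping are constructed for this example.

```python
"""Added example, not part of the arista.eos collection: parse the text of
`show running-config | section access-list` into the eos_acls data model
(afi -> acls -> aces), render it back, and audit it.  Supports only the
ACE syntax that appears on this documentation page."""
import re

# Constructed sample: the page's parsed_acls.cfg, plus one ACE with a TTL
# match and one vlan ACE that this parser deliberately does not understand.
SAMPLE_CONFIG = """\
ipv6 access-list standard test2
   10 permit any log
!
ip access-list test1
   10 permit ip 10.10.10.0/24 any ttl eq 200
   35 deny ospf 20.0.0.0/8 any
   45 remark Run by ansible
   55 permit tcp any any
!
ipv6 access-list test9
   40 permit vlan 55 0xE2 icmpv6 any any log
!
"""

HEADER_RE = re.compile(r"^(ip|ipv6) access-list(?: (standard))? (\S+)$")
AFI_NAME = {"ip": "ipv4", "ipv6": "ipv6"}  # CLI keyword -> module afi value


def _take_address(tokens):
    """Consume one source/destination spec: any | host X | prefix/len."""
    if tokens and tokens[0] == "any":
        return {"any": True}, tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "host":
        return {"host": tokens[1]}, tokens[2:]
    if tokens and "/" in tokens[0]:
        return {"subnet_address": tokens[0]}, tokens[1:]
    raise ValueError("unrecognised address: %r" % tokens[:1])


def parse_ace(text, standard=False):
    """One ACE line -> dict of module attributes.  A line that is not fully
    understood comes back as {"sequence": n, "line": text}, mirroring the
    module's `line` attribute for unparsed ACEs in gathered facts."""
    tokens = text.split()
    seq, rest = int(tokens[0]), tokens[1:]
    if rest[:1] == ["remark"]:
        return {"sequence": seq, "remark": " ".join(rest[1:])}
    ace = {"sequence": seq}
    try:
        if rest[0] not in ("permit", "deny"):
            raise ValueError("expected permit/deny")
        ace["grant"], rest = rest[0], rest[1:]
        if not standard:  # standard ACLs carry no protocol and no destination
            ace["protocol"], rest = rest[0], rest[1:]
        ace["source"], rest = _take_address(rest)
        if not standard:
            ace["destination"], rest = _take_address(rest)
        while rest:  # trailing options covered by this example
            if rest[0] == "log":
                ace["log"], rest = True, rest[1:]
            elif rest[0] == "ttl" and rest[1] in ("eq", "gt", "lt", "neq"):
                ace["ttl"], rest = {rest[1]: int(rest[2])}, rest[3:]
            else:
                raise ValueError("unparsed tokens: %r" % rest)
    except (ValueError, IndexError):
        return {"sequence": seq, "line": text.strip()}
    return ace


def parse_config(text):
    """Whole section -> [{"afi": ..., "acls": [{"name", "aces", "standard"?}]}]."""
    by_afi, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        match = HEADER_RE.match(line)
        if match:
            family, standard, name = match.groups()
            current = {"name": name, "aces": []}
            if standard:
                current["standard"] = True
            by_afi.setdefault(AFI_NAME[family], []).append(current)
        elif current is not None:
            current["aces"].append(parse_ace(line, "standard" in current))
    return [{"afi": afi, "acls": acls} for afi, acls in by_afi.items()]


def _addr_text(addr):
    if addr.get("any"):
        return "any"
    return "host " + addr["host"] if "host" in addr else addr["subnet_address"]


def render_ace(ace):
    """Inverse of parse_ace for the attributes it understands (rendered state)."""
    if "line" in ace:
        return ace["line"]
    if "remark" in ace:
        return "%d remark %s" % (ace["sequence"], ace["remark"])
    words = [str(ace["sequence"]), ace["grant"]]
    if "protocol" in ace:
        words.append(ace["protocol"])
    words.append(_addr_text(ace["source"]))
    if "destination" in ace:
        words.append(_addr_text(ace["destination"]))
    for op, value in ace.get("ttl", {}).items():
        words += ["ttl", op, str(value)]
    if ace.get("log"):
        words.append("log")
    return " ".join(words)


def permit_any_to_any(model):
    """(afi, acl, sequence) of every permit whose source and destination are
    both `any`; a standard ACL has no destination, so source `any` suffices."""
    hits = []
    for family in model:
        for acl in family["acls"]:
            for ace in acl["aces"]:
                if ace.get("grant") != "permit" or not ace["source"].get("any"):
                    continue
                if ace.get("destination", {"any": True}).get("any"):
                    hits.append((family["afi"], acl["name"], ace["sequence"]))
    return hits
```

On the sample, parse_config returns the same dictionaries the page shows for parsed_acls.cfg, render_ace reproduces each input line, the vlan entry in test9 comes back only as line, and permit_any_to_any reports ipv6/test2/10 and ipv4/test1/55. In practice the model passed to permit_any_to_any would be the gathered result of the module rather than text parsed locally.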
Return Values
Common return values are documented here; the following are the fields unique to this module:

Key | Returned | Description
---|---|---
after (list / elements=string) | when changed | The resulting configuration model invocation. Sample: The configuration returned will always be in the same format as the parameters above.
before (list / elements=string) | always | The configuration prior to the model invocation. Sample: The configuration returned will always be in the same format as the parameters above.
commands (list / elements=string) | always | The set of commands pushed to the remote device. Sample: ['ipv6 access-list standard test2', '10 permit any log', 'ip access-list test1', '35 deny ospf 20.0.0.0/8 any', '45 remark Run by ansible', '55 permit tcp any any']
Authors
- Gomathiselvi S (@GomathiselviS)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/arista/eos/eos_acls_module.html