cisco.ios.ios_acls – ACLs resource module
cisco.ios.ios_acls – ACLs resource module
Note
This plugin is part of the cisco.ios collection (version 1.3.0).
To install it use: ansible-galaxy collection install cisco.ios.
To use it in a playbook, specify: cisco.ios.ios_acls.
New in version 1.0.0: of cisco.ios
Synopsis
- This module configures and manages the named or numbered ACLs on IOS platforms.
Parameters
| Parameter | Choices/Defaults | Comments | ||||||
|---|---|---|---|---|---|---|---|---|
|
config list / elements=dictionary |
A dictionary of ACL options. | |||||||
|
acls list / elements=dictionary |
A list of Access Control Lists (ACL). | |||||||
|
aces list / elements=dictionary |
The entries within the ACL. | |||||||
|
destination dictionary |
Specify the packet destination. | |||||||
|
address string |
Host address to match, or any single host address. | |||||||
|
any boolean |
|
Match any source address. | ||||||
|
host string |
A single destination host | |||||||
|
port_protocol dictionary |
Specify the destination port along with protocol. Note, Valid with TCP/UDP protocol_options | |||||||
|
eq string |
Match only packets on a given port number. | |||||||
|
gt string |
Match only packets with a greater port number. | |||||||
|
lt string |
Match only packets with a lower port number. | |||||||
|
neq string |
Match only packets not on a given port number. | |||||||
|
range dictionary |
Port group. | |||||||
|
end integer |
Specify the end of the port range. | |||||||
|
start integer |
Specify the start of the port range. | |||||||
|
wildcard_bits string |
Destination wildcard bits, valid with IPV4 address. | |||||||
|
dscp string |
Match packets with given dscp value. | |||||||
|
evaluate string |
Evaluate an access list | |||||||
|
fragments string |
Check non-initial fragments. | |||||||
|
grant string |
|
Specify the action. | ||||||
|
log string |
Log matches against this entry. | |||||||
|
log_input string |
Log matches against this entry, including input interface. | |||||||
|
option dictionary |
Match packets with given IP Options value. Valid only for named acls. | |||||||
|
add_ext boolean |
|
Match packets with Address Extension Option (147). | ||||||
|
any_options boolean |
|
Match packets with ANY Option. | ||||||
|
com_security boolean |
|
Match packets with Commercial Security Option (134). | ||||||
|
dps boolean |
|
Match packets with Dynamic Packet State Option (151). | ||||||
|
encode boolean |
|
Match packets with Encode Option (15). | ||||||
|
eool boolean |
|
Match packets with End of Options (0). | ||||||
|
ext_ip boolean |
|
Match packets with Extended IP Option (145). | ||||||
|
ext_security boolean |
|
Match packets with Extended Security Option (133). | ||||||
|
finn boolean |
|
Match packets with Experimental Flow Control Option (205). | ||||||
|
imitd boolean |
|
Match packets with IMI Traffic Desriptor Option (144). | ||||||
|
lsr boolean |
|
Match packets with Loose Source Route Option (131). | ||||||
|
mtup boolean |
|
Match packets with MTU Probe Option (11). | ||||||
|
mtur boolean |
|
Match packets with MTU Reply Option (12). | ||||||
|
no_op boolean |
|
Match packets with No Operation Option (1). | ||||||
|
nsapa boolean |
|
Match packets with NSAP Addresses Option (150). | ||||||
|
record_route boolean |
|
Match packets with Record Route Option (7). | ||||||
|
router_alert boolean |
|
Match packets with Router Alert Option (148). | ||||||
|
sdb boolean |
|
Match packets with Selective Directed Broadcast Option (149). | ||||||
|
security boolean |
|
Match packets with Basic Security Option (130). | ||||||
|
ssr boolean |
|
Match packets with Strict Source Routing Option (137). | ||||||
|
stream_id boolean |
|
Match packets with Stream ID Option (136). | ||||||
|
timestamp boolean |
|
Match packets with Time Stamp Option (68). | ||||||
|
traceroute boolean |
|
Match packets with Trace Route Option (82). | ||||||
|
ump boolean |
|
Match packets with Upstream Multicast Packet Option (152). | ||||||
|
visa boolean |
|
Match packets with Experimental Access Control Option (142). | ||||||
|
zsu boolean |
|
Match packets with Experimental Measurement Option (10). | ||||||
|
precedence integer |
Match packets with given precedence value. | |||||||
|
protocol string |
Specify the protocol to match. Refer to vendor documentation for valid values. | |||||||
|
protocol_options dictionary |
protocol type. | |||||||
|
ahp boolean |
|
Authentication Header Protocol. | ||||||
|
eigrp boolean |
|
Cisco's EIGRP routing protocol. | ||||||
|
esp boolean |
|
Encapsulation Security Payload. | ||||||
|
gre boolean |
|
Cisco's GRE tunneling. | ||||||
|
hbh boolean |
|
Hop by Hop options header. Valid for IPV6 | ||||||
|
icmp dictionary |
Internet Control Message Protocol. | |||||||
|
administratively_prohibited boolean |
|
Administratively prohibited | ||||||
|
alternate_address boolean |
|
Alternate address | ||||||
|
conversion_error boolean |
|
Datagram conversion | ||||||
|
dod_host_prohibited boolean |
|
Host prohibited | ||||||
|
dod_net_prohibited boolean |
|
Net prohibited | ||||||
|
echo boolean |
|
Echo (ping) | ||||||
|
echo_reply boolean |
|
Echo reply | ||||||
|
general_parameter_problem boolean |
|
Parameter problem | ||||||
|
host_isolated boolean |
|
Host isolated | ||||||
|
host_precedence_unreachable boolean |
|
Host unreachable for precedence | ||||||
|
host_redirect boolean |
|
Host redirect | ||||||
|
host_tos_redirect boolean |
|
Host redirect for TOS | ||||||
|
host_tos_unreachable boolean |
|
Host unreachable for TOS | ||||||
|
host_unknown boolean |
|
Host unknown | ||||||
|
host_unreachable boolean |
|
Host unreachable | ||||||
|
information_reply boolean |
|
Information replies | ||||||
|
information_request boolean |
|
Information requests | ||||||
|
mask_reply boolean |
|
Mask replies | ||||||
|
mask_request boolean |
|
mask_request | ||||||
|
mobile_redirect boolean |
|
Mobile host redirect | ||||||
|
net_redirect boolean |
|
Network redirect | ||||||
|
net_tos_redirect boolean |
|
Net redirect for TOS | ||||||
|
net_tos_unreachable boolean |
|
Network unreachable for TOS | ||||||
|
net_unreachable boolean |
|
Net unreachable | ||||||
|
network_unknown boolean |
|
Network unknown | ||||||
|
no_room_for_option boolean |
|
Parameter required but no room | ||||||
|
option_missing boolean |
|
Parameter required but not present | ||||||
|
packet_too_big boolean |
|
Fragmentation needed and DF set | ||||||
|
parameter_problem boolean |
|
All parameter problems | ||||||
|
port_unreachable boolean |
|
Port unreachable | ||||||
|
precedence_unreachable boolean |
|
Precedence cutoff | ||||||
|
protocol_unreachable boolean |
|
Protocol unreachable | ||||||
|
reassembly_timeout boolean |
|
Reassembly timeout | ||||||
|
redirect boolean |
|
All redirects | ||||||
|
router_advertisement boolean |
|
Router discovery advertisements | ||||||
|
router_solicitation boolean |
|
Router discovery solicitations | ||||||
|
source_quench boolean |
|
Source quenches | ||||||
|
source_route_failed boolean |
|
Source route failed | ||||||
|
time_exceeded boolean |
|
All time exceededs | ||||||
|
timestamp_reply boolean |
|
Timestamp replies | ||||||
|
timestamp_request boolean |
|
Timestamp requests | ||||||
|
traceroute boolean |
|
Traceroute | ||||||
|
ttl_exceeded boolean |
|
TTL exceeded | ||||||
|
unreachable boolean |
|
All unreachables | ||||||
|
igmp dictionary |
Internet Gateway Message Protocol. | |||||||
|
dvmrp boolean |
|
Distance Vector Multicast Routing Protocol(2) | ||||||
|
host_query boolean |
|
IGMP Membership Query(0) | ||||||
|
mtrace_resp boolean |
|
Multicast Traceroute Response(7) | ||||||
|
mtrace_route boolean |
|
Multicast Traceroute(8) | ||||||
|
pim boolean |
|
Protocol Independent Multicast(3) | ||||||
|
trace boolean |
|
Multicast trace(4) | ||||||
|
v1host_report boolean |
|
IGMPv1 Membership Report(1) | ||||||
|
v2host_report boolean |
|
IGMPv2 Membership Report(5) | ||||||
|
v2leave_group boolean |
|
IGMPv2 Leave Group(6) | ||||||
|
v3host_report boolean |
|
IGMPv3 Membership Report(9) | ||||||
|
ip boolean |
|
Any Internet Protocol. | ||||||
|
ipinip boolean |
|
IP in IP tunneling. | ||||||
|
ipv6 boolean |
|
Any IPv6. | ||||||
|
nos boolean |
|
KA9Q NOS compatible IP over IP tunneling. | ||||||
|
ospf boolean |
|
OSPF routing protocol. | ||||||
|
pcp boolean |
|
Payload Compression Protocol. | ||||||
|
pim boolean |
|
Protocol Independent Multicast. | ||||||
|
protocol_number integer |
An IP protocol number | |||||||
|
sctp boolean |
|
Stream Control Transmission Protocol. | ||||||
|
tcp dictionary |
Match TCP packet flags | |||||||
|
ack boolean |
|
Match on the ACK bit | ||||||
|
established boolean |
|
Match established connections | ||||||
|
fin boolean |
|
Match on the FIN bit | ||||||
|
psh boolean |
|
Match on the PSH bit | ||||||
|
rst boolean |
|
Match on the RST bit | ||||||
|
syn boolean |
|
Match on the SYN bit | ||||||
|
urg boolean |
|
Match on the URG bit | ||||||
|
udp boolean |
|
User Datagram Protocol. | ||||||
|
sequence integer |
Sequence Number for the Access Control Entry(ACE). Refer to vendor documentation for valid values. | |||||||
|
source dictionary |
Specify the packet source. | |||||||
|
address string |
Source network address. | |||||||
|
any boolean |
|
Match any source address. | ||||||
|
host string |
A single source host | |||||||
|
port_protocol dictionary |
Specify the destination port along with protocol. Note, Valid with TCP/UDP protocol_options | |||||||
|
eq string |
Match only packets on a given port number. | |||||||
|
gt string |
Match only packets with a greater port number. | |||||||
|
lt string |
Match only packets with a lower port number. | |||||||
|
neq string |
Match only packets not on a given port number. | |||||||
|
range dictionary |
Port group. | |||||||
|
end integer |
Specify the end of the port range. | |||||||
|
start integer |
Specify the start of the port range. | |||||||
|
wildcard_bits string |
Destination wildcard bits, valid with IPV4 address. | |||||||
|
time_range string |
Specify a time-range. | |||||||
|
tos dictionary |
Match packets with given TOS value. Note, DSCP and TOS are mutually exclusive | |||||||
|
max_reliability boolean |
|
Match packets with max reliable TOS (2). | ||||||
|
max_throughput boolean |
|
Match packets with max throughput TOS (4). | ||||||
|
min_delay boolean |
|
Match packets with min delay TOS (8). | ||||||
|
min_monetary_cost boolean |
|
Match packets with min monetary cost TOS (1). | ||||||
|
normal boolean |
|
Match packets with normal TOS (0). | ||||||
|
service_value integer |
Type of service value | |||||||
|
ttl dictionary |
Match packets with given TTL value. | |||||||
|
eq integer |
Match only packets on a given TTL number. | |||||||
|
gt integer |
Match only packets with a greater TTL number. | |||||||
|
lt integer |
Match only packets with a lower TTL number. | |||||||
|
neq integer |
Match only packets not on a given TTL number. | |||||||
|
range dictionary |
Match only packets in the range of TTLs. | |||||||
|
end integer |
Specify the end of the port range. | |||||||
|
start integer |
Specify the start of the port range. | |||||||
|
acl_type string |
|
ACL type Note, it's mandatory and required for Named ACL, but for Numbered ACL it's not mandatory. | ||||||
|
name string / required |
The name or the number of the ACL. | |||||||
|
afi string / required |
|
The Address Family Indicator (AFI) for the Access Control Lists (ACL). | ||||||
|
running_config string |
This option is used only with state parsed. The value of this option should be the output received from the IOS device by executing the command sh access-list. The state parsed reads the configuration from | |||||||
|
state string |
|
The state the configuration should be left in The states rendered, gathered and parsed does not perform any change on the device. The state rendered will transform the configuration in The state gathered will fetch the running configuration from device and transform it into structured data in the format as per the resource module argspec and the value is returned in the gathered key within the result. The state parsed reads the configuration from |
Notes
Note
- Tested against Cisco IOSv Version 15.2 on VIRL
Examples
# Using merged
# Before state:
# -------------
#
# vios#sh access-lists
# Extended IP access list 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
- name: Merge provided configuration with device configuration
cisco.ios.ios_acls:
config:
- afi: ipv4
acls:
- name: std_acl
acl_type: standard
aces:
- grant: deny
source:
address: 192.168.1.200
- grant: deny
source:
address: 192.168.2.0
wildcard_bits: 0.0.0.255
- name: 110
aces:
- sequence: 10
protocol_options:
icmp:
traceroute: true
- grant: deny
protocol_options:
tcp:
ack: true
source:
host: 198.51.100.0
destination:
host: 198.51.110.0
port_protocol:
eq: telnet
- name: test
acl_type: extended
aces:
- grant: deny
protocol_options:
tcp:
fin: true
source:
address: 192.0.2.0
wildcard_bits: 0.0.0.255
destination:
address: 192.0.3.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: www
option:
traceroute: true
ttl:
eq: 10
- name: 123
aces:
- grant: deny
protocol_options:
tcp:
ack: true
source:
address: 198.51.100.0
wildcard_bits: 0.0.0.255
destination:
address: 198.51.101.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
tos:
service_value: 12
- grant: deny
protocol_options:
tcp:
ack: true
source:
address: 192.0.3.0
wildcard_bits: 0.0.0.255
destination:
address: 192.0.4.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: www
dscp: ef
ttl:
lt: 20
- afi: ipv6
acls:
- name: R1_TRAFFIC
aces:
- grant: deny
protocol_options:
tcp:
ack: true
source:
any: true
port_protocol:
eq: www
destination:
any: true
port_protocol:
eq: telnet
dscp: af11
state: merged
# Commands fired:
# ---------------
#
# - ip access-list standard std_acl
# - deny 192.168.1.200
# - deny 192.168.2.0 0.0.0.255
# - ip access-list extended 110
# - no 10
# - 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# - deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - ip access-list extended test
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# - ip access-list extended 123
# - deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# - deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# - ipv6 access-list R1_TRAFFIC
# - deny tcp any eq www any eq telnet ack dscp af11
# After state:
# ------------
#
# vios#sh access-lists
# Standard IP access list std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11 sequence 10
# Using replaced
# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11 sequence 10
- name: Replaces device configuration of listed acls with provided configuration
cisco.ios.ios_acls:
config:
- afi: ipv4
acls:
- name: 110
aces:
- grant: deny
protocol_options:
tcp:
syn: true
source:
address: 192.0.2.0
wildcard_bits: 0.0.0.255
destination:
address: 192.0.3.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: www
dscp: ef
ttl:
eq: 10
- name: 150
aces:
- grant: deny
sequence: 20
protocol_options:
tcp:
syn: true
source:
address: 198.51.100.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
destination:
address: 198.51.110.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
dscp: ef
ttl:
eq: 10
state: replaced
# Commands fired:
# ---------------
#
# - no ip access-list extended 110
# - ip access-list extended 110
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# - ip access-list extended 150
# - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# After state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# Extended IP access list 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list 150
# 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# Extended IP access list test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11 sequence 10
# Using overridden
# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11 sequence 10
- name: Override device configuration of all acls with provided configuration
cisco.ios.ios_acls:
config:
- afi: ipv4
acls:
- name: 110
aces:
- grant: deny
sequence: 20
protocol_options:
tcp:
ack: true
source:
address: 198.51.100.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
destination:
address: 198.51.110.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: www
dscp: ef
ttl:
eq: 10
- name: 150
aces:
- grant: deny
sequence: 10
protocol_options:
tcp:
syn: true
source:
address: 198.51.100.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
destination:
address: 198.51.110.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
dscp: ef
ttl:
eq: 10
state: overridden
# Commands fired:
# ---------------
#
# - no ip access-list standard std_acl
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list extended 150
# - no ip access-list extended test
# - no ipv6 access-list R1_TRAFFIC
# - ip access-list extended 150
# - 10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# - ip access-list extended 110
# - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
# After state:
# -------------
#
# vios#sh access-lists
# Extended IP access list 110
# 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
# Extended IP access list 150
# 10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# Using Deleted
# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11 sequence 10
- name: "Delete ACLs (Note: This won't delete the all configured ACLs)"
cisco.ios.ios_acls:
config:
- afi: ipv4
acls:
- name: test
acl_type: extended
- name: 110
- afi: ipv6
acls:
- name: R1_TRAFFIC
state: deleted
# Commands fired:
# ---------------
#
# - no ip access-list extended test
# - no ip access-list extended 110
# - no ipv6 access-list R1_TRAFFIC
# After state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11 sequence 10
- name: "Delete ACLs based on AFI (Note: This won't delete the all configured ACLs)"
cisco.ios.ios_acls:
config:
- afi: ipv4
state: deleted
# Commands fired:
# ---------------
#
# - no ip access-list standard std_acl
# - no ip access-list extended test
# - no ip access-list extended 110
# - no ip access-list extended 123
# After state:
# -------------
#
# vios#sh access-lists
# IPv6 access list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11 sequence 10
# Using Deleted without any config passed
#"(NOTE: This will delete all of configured ACLs)"
# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11 sequence 10
- name: 'Delete ALL of configured ACLs (Note: This WILL delete the all configured
ACLs)'
cisco.ios.ios_acls:
state: deleted
# Commands fired:
# ---------------
#
# - no ip access-list extended test
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list extended test
# - no ipv6 access-list R1_TRAFFIC
# After state:
# -------------
#
# vios#sh access-lists
# Using Gathered
# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11 sequence 10
- name: Gather listed acls with provided configurations
cisco.ios.ios_acls:
config:
state: gathered
# Module Execution Result:
# ------------------------
#
# "gathered": [
# {
# "acls": [
# {
# "aces": [
# {
# "destination": {
# "address": "192.0.3.0",
# "wildcard_bits": "0.0.0.255"
# },
# "dscp": "ef",
# "grant": "deny",
# "protocol_options": {
# "icmp": {
# "echo": true
# }
# },
# "sequence": 10,
# "source": {
# "address": "192.0.2.0",
# "wildcard_bits": "0.0.0.255"
# },
# "ttl": {
# "eq": 10
# }
# }
# ],
# "acl_type": "extended",
# "name": "110"
# },
# {
# "aces": [
# {
# "destination": {
# "address": "198.51.101.0",
# "port_protocol": {
# "eq": "telnet"
# },
# "wildcard_bits": "0.0.0.255"
# },
# "grant": "deny",
# "protocol_options": {
# "tcp": {
# "ack": true
# }
# },
# "sequence": 10,
# "source": {
# "address": "198.51.100.0",
# "wildcard_bits": "0.0.0.255"
# },
# "tos": {
# "service_value": 12
# }
# },
# {
# "destination": {
# "address": "192.0.4.0",
# "port_protocol": {
# "eq": "www"
# },
# "wildcard_bits": "0.0.0.255"
# },
# "dscp": "ef",
# "grant": "deny",
# "protocol_options": {
# "tcp": {
# "ack": true
# }
# },
# "sequence": 20,
# "source": {
# "address": "192.0.3.0",
# "wildcard_bits": "0.0.0.255"
# },
# "ttl": {
# "lt": 20
# }
# }
# ],
# "acl_type": "extended",
# "name": "123"
# },
# {
# "aces": [
# {
# "destination": {
# "address": "192.0.3.0",
# "port_protocol": {
# "eq": "www"
# },
# "wildcard_bits": "0.0.0.255"
# },
# "grant": "deny",
# "option": {
# "traceroute": true
# },
# "protocol_options": {
# "tcp": {
# "fin": true
# }
# },
# "sequence": 10,
# "source": {
# "address": "192.0.2.0",
# "wildcard_bits": "0.0.0.255"
# },
# "ttl": {
# "eq": 10
# }
# }
# ],
# "acl_type": "extended",
# "name": "test_acl"
# }
# ],
# "afi": "ipv4"
# },
# {
# "acls": [
# {
# "aces": [
# {
# "destination": {
# "any": true,
# "port_protocol": {
# "eq": "telnet"
# }
# },
# "dscp": "af11",
# "grant": "deny",
# "protocol_options": {
# "tcp": {
# "ack": true
# }
# },
# "sequence": 10,
# "source": {
# "any": true,
# "port_protocol": {
# "eq": "www"
# }
# }
# }
# ],
# "name": "R1_TRAFFIC"
# }
# ],
# "afi": "ipv6"
# }
# ]
# Using Rendered
- name: Rendered the provided configuration with the exisiting running configuration
cisco.ios.ios_acls:
config:
- afi: ipv4
acls:
- name: 110
aces:
- grant: deny
sequence: 10
protocol_options:
tcp:
syn: true
source:
address: 192.0.2.0
wildcard_bits: 0.0.0.255
destination:
address: 192.0.3.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: www
dscp: ef
ttl:
eq: 10
- name: 150
aces:
- grant: deny
protocol_options:
tcp:
syn: true
source:
address: 198.51.100.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
destination:
address: 198.51.110.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
dscp: ef
ttl:
eq: 10
state: rendered
# Module Execution Result:
# ------------------------
#
# "rendered": [
# "ip access-list extended 110",
# "10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10",
# "ip access-list extended 150",
# "deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10"
# ]
# Using Parsed
# File: parsed.cfg
# ----------------
#
# ipv6 access-list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11
- name: Parse the commands for provided configuration
cisco.ios.ios_acls:
running_config: "{{ lookup('file', 'parsed.cfg') }}"
state: parsed
# Module Execution Result:
# ------------------------
#
# "parsed": [
# {
# "acls": [
# {
# "aces": [
# {
# "destination": {
# "any": true,
# "port_protocol": {
# "eq": "telnet"
# }
# },
# "dscp": "af11",
# "grant": "deny",
# "protocol_options": {
# "tcp": {
# "ack": true
# }
# },
# "source": {
# "any": true,
# "port_protocol": {
# "eq": "www"
# }
# }
# }
# ],
# "name": "R1_TRAFFIC"
# }
# ],
# "afi": "ipv6"
# }
# ]Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
|
after list / elements=string |
when changed |
The configuration as structured data after module completion.
Sample: The configuration returned will always be in the same format of the parameters above. |
|
before list / elements=string |
always |
The configuration as structured data prior to module invocation.
Sample: The configuration returned will always be in the same format of the parameters above. |
|
commands list / elements=string |
always |
The set of commands pushed to the remote device
Sample: ['ip access-list extended 110', 'deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10'] |
Authors
- Sumit Jaiswal (@justjais)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/cisco/ios/ios_acls_module.html
