cisco.iosxr.iosxr_acls – ACLs resource module
cisco.iosxr.iosxr_acls – ACLs resource module
Note
This plugin is part of the cisco.iosxr collection (version 1.2.1).
To install it use: ansible-galaxy collection install cisco.iosxr.
To use it in a playbook, specify: cisco.iosxr.iosxr_acls.
New in version 1.0.0: of cisco.iosxr
Synopsis
- This module manages Access Control Lists (ACLs) on devices running IOS-XR.
Parameters
| Parameter | Choices/Defaults | Comments | ||||||
|---|---|---|---|---|---|---|---|---|
|
config list / elements=dictionary |
A list of dictionaries specifying ACL configurations. | |||||||
|
acls list / elements=dictionary |
A list of Access Control Lists (ACLs). | |||||||
|
aces list / elements=dictionary |
List of Access Control Entries (ACEs) for this Access Control List (ACL). | |||||||
|
authen boolean |
|
Match if authentication header is present. | ||||||
|
capture boolean |
|
Capture matched packet. | ||||||
|
destination dictionary |
Specifies the packet destination. | |||||||
|
address string |
The destination IP address to match. | |||||||
|
any boolean |
|
Match any destination address. | ||||||
|
host string |
The host IP address to match. | |||||||
|
port_protocol dictionary |
Specify the source port or protocol. | |||||||
|
eq string |
Match only packets on a given port number. | |||||||
|
gt string |
Match only packets with a greater port number. | |||||||
|
lt string |
Match only packets with a lower port number. | |||||||
|
neq string |
Match only packets not on a given port number. | |||||||
|
range dictionary |
Match only packets in the range of port numbers | |||||||
|
end string |
Specify the end of the port range | |||||||
|
start string |
Specify the start of the port range | |||||||
|
prefix string |
Destination network prefix. | |||||||
|
wildcard_bits string |
The Wildcard bits to apply to destination address. | |||||||
|
destopts boolean |
|
Match if destination opts header is present. | ||||||
|
dscp dictionary |
Match packets with given DSCP value. | |||||||
|
eq string |
Match only packets on a given dscp value | |||||||
|
gt string |
Match only packets with a greater dscp value | |||||||
|
lt string |
Match only packets with a lower dscp value | |||||||
|
neq string |
Match only packets not on a given dscp value | |||||||
|
range dictionary |
Match only packets in the range of dscp values | |||||||
|
end string |
End of the dscp range | |||||||
|
start string |
Start of the dscp range | |||||||
|
fragments boolean |
|
Check non-intial fragments. | ||||||
|
grant string |
|
Forward or drop packets matching the Access Control Entry (ACE). | ||||||
|
hop_by_hop boolean |
|
Match if hop-by-hop opts header is present. | ||||||
|
icmp_off boolean |
|
Enable/disable the ICMP message for this entry. | ||||||
|
line string |
An ACE excluding the sequence number. This key is mutually exclusive with all the other attributes except 'sequence'. When used with other attributes, the value of this key will get precedence and the other keys will be ignored. This should only be used when an attribute doesn't exist in the argspec but is valid for the device. For fact gathering, any ACE that is not fully parsed, will show up as a value of this attribute, excluding the sequence number, which will be populated as value of the sequence key.
| |||||||
|
log boolean |
|
Enable/disable log matches against this entry. | ||||||
|
log_input boolean |
|
Enable/disable log matches against this entry, including input interface. | ||||||
|
packet_length dictionary |
Match packets given packet length. | |||||||
|
eq integer |
Match only packets on a given packet length | |||||||
|
gt integer |
Match only packets with a greater packet length | |||||||
|
lt integer |
Match only packets with a lower packet length | |||||||
|
neq integer |
Match only packets not on a given packet length | |||||||
|
range dictionary |
Match only packets in the range of packet lengths | |||||||
|
end integer |
End of the packet length range | |||||||
|
start integer |
Start of the packet length range | |||||||
|
precedence string |
Match packets with given precedence value | |||||||
|
protocol string |
Specify the protocol to match. Refer to vendor documentation for valid values. | |||||||
|
protocol_options dictionary |
Additional suboptions for the protocol. | |||||||
|
icmp dictionary |
Internet Control Message Protocol settings. | |||||||
|
administratively_prohibited boolean |
|
Administratively prohibited | ||||||
|
alternate_address boolean |
|
Alternate address | ||||||
|
conversion_error boolean |
|
Datagram conversion | ||||||
|
dod_host_prohibited boolean |
|
Host prohibited | ||||||
|
dod_net_prohibited boolean |
|
Net prohibited | ||||||
|
echo boolean |
|
Echo (ping) | ||||||
|
echo_reply boolean |
|
Echo reply | ||||||
|
general_parameter_problem boolean |
|
Parameter problem | ||||||
|
host_isolated boolean |
|
Host isolated | ||||||
|
host_precedence_unreachable boolean |
|
Host unreachable for precedence | ||||||
|
host_redirect boolean |
|
Host redirect | ||||||
|
host_tos_redirect boolean |
|
Host redirect for TOS | ||||||
|
host_tos_unreachable boolean |
|
Host unreachable for TOS | ||||||
|
host_unknown boolean |
|
Host unknown | ||||||
|
host_unreachable boolean |
|
Host unreachable | ||||||
|
information_reply boolean |
|
Information replies | ||||||
|
information_request boolean |
|
Information requests | ||||||
|
mask_reply boolean |
|
Mask replies | ||||||
|
mask_request boolean |
|
Mask requests | ||||||
|
mobile_redirect boolean |
|
Mobile host redirect | ||||||
|
net_redirect boolean |
|
Network redirect | ||||||
|
net_tos_redirect boolean |
|
Net redirect for TOS | ||||||
|
net_tos_unreachable boolean |
|
Network unreachable for TOS | ||||||
|
net_unreachable boolean |
|
Net unreachable | ||||||
|
network_unknown boolean |
|
Network unknown | ||||||
|
no_room_for_option boolean |
|
Parameter required but no room | ||||||
|
option_missing boolean |
|
Parameter required but not present | ||||||
|
packet_too_big boolean |
|
Fragmentation needed and DF set | ||||||
|
parameter_problem boolean |
|
All parameter problems | ||||||
|
port_unreachable boolean |
|
Port unreachable | ||||||
|
precedence_unreachable boolean |
|
Precedence cutoff | ||||||
|
protocol_unreachable boolean |
|
Protocol unreachable | ||||||
|
reassembly_timeout boolean |
|
Reassembly timeout | ||||||
|
redirect boolean |
|
All redirects | ||||||
|
router_advertisement boolean |
|
Router discovery advertisements | ||||||
|
router_solicitation boolean |
|
Router discovery solicitations | ||||||
|
source_quench boolean |
|
Source quenches | ||||||
|
source_route_failed boolean |
|
Source route failed | ||||||
|
time_exceeded boolean |
|
All time exceededs | ||||||
|
timestamp_reply boolean |
|
Timestamp replies | ||||||
|
timestamp_request boolean |
|
Timestamp requests | ||||||
|
traceroute boolean |
|
Traceroute | ||||||
|
ttl_exceeded boolean |
|
TTL exceeded | ||||||
|
unreachable boolean |
|
All unreachables | ||||||
|
icmpv6 dictionary |
Internet Control Message Protocol settings for IPv6. | |||||||
|
address_unreachable boolean |
|
Address Unreachable | ||||||
|
administratively_prohibited boolean |
|
Administratively Prohibited | ||||||
|
beyond_scope_of_source_address boolean |
|
Administratively Prohibited | ||||||
|
destination_unreachable boolean |
|
Destination Unreachable | ||||||
|
echo boolean |
|
Echo | ||||||
|
echo_reply boolean |
|
Echo Reply | ||||||
|
erroneous_header_field boolean |
|
Erroneous Header Field | ||||||
|
group_membership_query boolean |
|
Group Membership Query | ||||||
|
group_membership_report boolean |
|
Group Membership Report | ||||||
|
group_membership_termination boolean |
|
Group Membership Termination | ||||||
|
host_unreachable boolean |
|
Host Unreachable | ||||||
|
nd_na boolean |
|
Neighbor Discovery - Neighbor Advertisement | ||||||
|
nd_ns boolean |
|
Neighbor Discovery - Neighbor Solicitation | ||||||
|
neighbor_redirect boolean |
|
Neighbor Redirect | ||||||
|
no_route_to_destination boolean |
|
No Route To Destination | ||||||
|
node_information_request_is_refused boolean |
|
Node Information Request Is Refused | ||||||
|
node_information_successful_reply boolean |
|
Node Information Successful Reply | ||||||
|
packet_too_big boolean |
|
Packet Too Big | ||||||
|
parameter_problem boolean |
|
Parameter Problem | ||||||
|
port_unreachable boolean |
|
Port Unreachable | ||||||
|
query_subject_is_domainname boolean |
|
Query Subject Is Domain name | ||||||
|
query_subject_is_IPv4address boolean |
|
Query Subject Is IPv4 address | ||||||
|
query_subject_is_IPv6address boolean |
|
Query Subject Is IPv6 address | ||||||
|
reassembly_timeout boolean |
|
Reassembly Timeout | ||||||
|
redirect boolean |
|
Redirect | ||||||
|
router_advertisement boolean |
|
Router Advertisement | ||||||
|
router_renumbering boolean |
|
Router Renumbering | ||||||
|
router_solicitation boolean |
|
Router Solicitation | ||||||
|
rr_command boolean |
|
RR Command | ||||||
|
rr_result boolean |
|
RR Result | ||||||
|
rr_seqnum_reset boolean |
|
RR Seqnum Reset | ||||||
|
time_exceeded boolean |
|
Time Exceeded | ||||||
|
ttl_exceeded boolean |
|
TTL Exceeded | ||||||
|
unknown_query_type boolean |
|
Unknown Query Type | ||||||
|
unreachable boolean |
|
Unreachable | ||||||
|
unrecognized_next_header boolean |
|
Unrecognized Next Header | ||||||
|
unrecognized_option boolean |
|
Unrecognized Option | ||||||
|
whoareyou_reply boolean |
|
Whoareyou Reply | ||||||
|
whoareyou_request boolean |
|
Whoareyou Request | ||||||
|
igmp dictionary |
Internet Group Management Protocol (IGMP) settings. | |||||||
|
dvmrp boolean |
|
Match Distance Vector Multicast Routing Protocol | ||||||
|
host_query boolean |
|
Match Host Query | ||||||
|
host_report boolean |
|
Match Host Report | ||||||
|
mtrace boolean |
|
Match mtrace | ||||||
|
mtrace_response boolean |
|
Match mtrace response | ||||||
|
pim boolean |
|
Match Protocol Independent Multicast | ||||||
|
trace boolean |
|
Multicast trace | ||||||
|
tcp dictionary |
Match TCP packet flags | |||||||
|
ack boolean |
|
Match on the ACK bit | ||||||
|
established boolean |
|
Match established connections | ||||||
|
fin boolean |
|
Match on the FIN bit | ||||||
|
psh boolean |
|
Match on the PSH bit | ||||||
|
rst boolean |
|
Match on the RST bit | ||||||
|
syn boolean |
|
Match on the SYN bit | ||||||
|
urg boolean |
|
Match on the URG bit | ||||||
|
remark string |
Comments or a description for the access list. | |||||||
|
routing boolean |
|
Match if routing header is present. | ||||||
|
sequence integer |
Sequence number for the Access Control Entry (ACE). | |||||||
|
source dictionary |
Specifies the packet source. | |||||||
|
address string |
The source IP address to match. | |||||||
|
any boolean |
|
Match any source address. | ||||||
|
host string |
The host IP address to match. | |||||||
|
port_protocol dictionary |
Specify the source port or protocol. | |||||||
|
eq string |
Match only packets on a given port number. | |||||||
|
gt string |
Match only packets with a greater port number. | |||||||
|
lt string |
Match only packets with a lower port number. | |||||||
|
neq string |
Match only packets not on a given port number. | |||||||
|
range dictionary |
Match only packets in the range of port numbers | |||||||
|
end string |
Specify the end of the port range | |||||||
|
start string |
Specify the start of the port range | |||||||
|
prefix string |
Source network prefix. | |||||||
|
wildcard_bits string |
The Wildcard bits to apply to source address. | |||||||
|
ttl dictionary |
Match against specified TTL value. | |||||||
|
eq integer |
Match only packets with exact TTL value. | |||||||
|
gt integer |
Match only packets with a greater TTL value. | |||||||
|
lt integer |
Match only packets with a lower TTL value. | |||||||
|
neq integer |
Match only packets that won't have the given TTL value. | |||||||
|
range dictionary |
Match only packets in the range of given TTL values. | |||||||
|
end integer |
End of the TTL range. | |||||||
|
start integer |
Start of the TTL range. | |||||||
|
name string |
The name of the Access Control List (ACL). | |||||||
|
afi string / required |
|
The Address Family Indicator (AFI) for the Access Control Lists (ACL). | ||||||
|
running_config string |
The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison. This value of this option should be the output received from device by executing command show running-config router static. | |||||||
|
state string |
|
The state the configuration should be left in. |
Examples
# Using merged to add new ACLs
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#
- name: Merge the provided configuration with the exisiting running configuration
cisco.iosxr.iosxr_acls:
config:
- afi: ipv6
acls:
- name: acl6_1
aces:
- sequence: 10
grant: deny
protocol: tcp
source:
prefix: 2001:db8:1234::/48
port_protocol:
range:
start: ftp
end: telnet
destination:
any: true
protocol_options:
tcp:
syn: true
ttl:
range:
start: 180
end: 250
routing: true
authen: true
log: true
- sequence: 20
grant: permit
protocol: icmpv6
source:
any: true
destination:
any: true
protocol_options:
icmpv6:
router_advertisement: true
precedence: network
destopts: true
- afi: ipv4
acls:
- name: acl_1
aces:
- sequence: 16
remark: TEST_ACL_1_REMARK
- sequence: 21
grant: permit
protocol: tcp
source:
host: 192.0.2.10
port_protocol:
range:
start: pop3
end: 121
destination:
address: 198.51.100.0
wildcard_bits: 0.0.0.15
protocol_options:
tcp:
rst: true
- sequence: 23
grant: deny
protocol: icmp
source:
any: true
destination:
prefix: 198.51.100.0/28
protocol_options:
icmp:
reassembly_timeout: true
dscp:
lt: af12
- name: acl_2
aces:
- sequence: 10
remark: TEST_ACL_2_REMARK
state: merged
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using merged to update existing ACLs
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Update existing ACEs
cisco.iosxr.iosxr_acls:
config:
- afi: ipv4
acls:
- name: acl_1
aces:
- sequence: 21
source:
prefix: 198.51.100.32/28
port_protocol:
range:
start: pop3
end: 121
protocol_options:
tcp:
syn: true
- sequence: 23
protocol_options:
icmp:
router_advertisement: true
dscp:
eq: af23
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:47:18.711 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
# 23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using replaced to replace a whole ACL
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Replace device configurations of listed ACL with provided configurations
cisco.iosxr.iosxr_acls:
config:
- afi: ipv4
acls:
- name: acl_2
aces:
- sequence: 11
grant: permit
protocol: igmp
source:
host: 198.51.100.130
destination:
any: true
ttl:
eq: 100
- sequence: 12
grant: deny
source:
any: true
destination:
any: true
protocol: icmp
state: replaced
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:19:51.496 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
# 23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
# 11 permit igmp host 198.51.100.130 any ttl eq 100
# 12 deny icmp any any
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using overridden to override all ACLs in the device
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Overridde all ACLs configuration with provided configuration
cisco.iosxr.iosxr_acls:
config:
- afi: ipv4
acls:
- name: acl_1
aces:
- sequence: 10
grant: permit
source:
any: true
destination:
any: true
protocol: tcp
- name: acl_2
aces:
- sequence: 20
grant: permit
source:
any: true
destination:
any: true
protocol: igmp
state: overridden
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:31:22.178 UTC
# ipv4 access-list acl_1
# 10 permit tcp any any
# ipv4 access-list acl_2
# 20 permit igmp any any
# Using deleted to delete an entire ACL
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Delete a single ACL
cisco.iosxr.iosxr_acls:
config:
- afi: ipv6
acls:
- name: acl6_1
state: deleted
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# Using deleted to delete all ACLs under one AFI
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Delete all ACLs under one AFI
cisco.iosxr.iosxr_acls:
config:
- afi: ipv4
state: deleted
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using deleted to delete all ACLs from the device
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Delete all ACLs from the device
cisco.iosxr.iosxr_acls:
state: deleted
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#
# Using gathered to gather ACL facts from the device
- name: Gather ACL interfaces facts using gathered state
cisco.iosxr.iosxr_acls:
state: gathered
# Task Output (redacted)
# -----------------------
#
# "gathered": [
# {
# "acls": [
# {
# "aces": [
# {
# "remark": "TEST_ACL_1_REMARK",
# "sequence": 16
# },
# {
# "destination": {
# "address": "198.51.100.0",
# "wildcard_bits": "0.0.0.15"
# },
# "grant": "permit",
# "protocol": "tcp",
# "protocol_options": {
# "tcp": {
# "rst": true
# }
# },
# "sequence": 21,
# "source": {
# "host": "192.0.2.10",
# "port_protocol": {
# "range": {
# "end": "121",
# "start": "pop3"
# }
# }
# }
# },
# {
# "destination": {
# "address": "198.51.100.0",
# "wildcard_bits": "0.0.0.15"
# },
# "dscp": {
# "lt": "af12"
# },
# "grant": "deny",
# "protocol": "icmp",
# "protocol_options": {
# "icmp": {
# "reassembly_timeout": true
# }
# },
# "sequence": 23,
# "source": {
# "any": true
# }
# }
# ],
# "name": "acl_1"
# },
# {
# "aces": [
# {
# "remark": "TEST_ACL_2_REMARK",
# "sequence": 10
# }
# ],
# "name": "acl_2"
# }
# ],
# "afi": "ipv4"
# },
# {
# "acls": [
# {
# "aces": [
# {
# "authen": true,
# "destination": {
# "any": true
# },
# "grant": "deny",
# "log": true,
# "protocol": "tcp",
# "protocol_options": {
# "tcp": {
# "syn": true
# }
# },
# "routing": true,
# "sequence": 10,
# "source": {
# "port_protocol": {
# "range": {
# "end": "telnet",
# "start": "ftp"
# }
# },
# "prefix": "2001:db8:1234::/48"
# },
# "ttl": {
# "range": {
# "end": 250,
# "start": 180
# }
# }
# },
# {
# "destination": {
# "any": true
# },
# "destopts": true,
# "grant": "permit",
# "precedence": "network",
# "protocol": "icmpv6",
# "protocol_options": {
# "icmpv6": {
# "router_advertisement": true
# }
# },
# "sequence": 20,
# "source": {
# "any": true
# }
# }
# ],
# "name": "acl6_1"
# }
# ],
# "afi": "ipv6"
# }
# ]
# Using rendered
- name: Render platform specific commands (without connecting to the device)
cisco.iosxr.iosxr_acls:
config:
- afi: ipv4
acls:
- name: acl_2
aces:
- sequence: 11
grant: permit
protocol: igmp
source:
host: 198.51.100.130
destination:
any: true
ttl:
eq: 100
- sequence: 12
grant: deny
source:
any: true
destination:
any: true
protocol: icmp
state: rendered
# Task Output (redacted)
# -----------------------
# "rendered": [
# "ipv4 access-list acl_2",
# "11 permit igmp host 198.51.100.130 any ttl eq 100",
# "12 deny icmp any any"
# Using parsed
# parsed.cfg
# ------------
#
# ipv4 access-list acl_1
# 10 remark TEST_ACL_2_REMARK
# ipv4 access-list acl_2
# 11 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log
# 21 permit icmpv6 any any router-advertisement precedence network packet-length eq 576 destopts
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network packet-length eq 576 destopts
- name: Parse externally provided ACL config to agnostic model
cisco.iosxr.iosxr_acls:
running_config: "{{ lookup('file', 'parsed.cfg') }}"
state: parsed
# Task Output (redacted)
# -----------------------
# "parsed": [
# {
# "acls": [
# {
# "aces": [
# {
# "remark": "TEST_ACL_2_REMARK",
# "sequence": 10
# }
# ],
# "name": "acl_1"
# },
# {
# "aces": [
# {
# "authen": true,
# "destination": {
# "any": true
# },
# "grant": "deny",
# "log": true,
# "protocol": "tcp",
# "protocol_options": {
# "tcp": {
# "syn": true
# }
# },
# "routing": true,
# "sequence": 11,
# "source": {
# "port_protocol": {
# "range": {
# "end": "telnet",
# "start": "ftp"
# }
# },
# "prefix": "2001:db8:1234::/48"
# },
# "ttl": {
# "range": {
# "end": 250,
# "start": 180
# }
# }
# },
# {
# "destination": {
# "any": true
# },
# "destopts": true,
# "grant": "permit",
# "packet_length": {
# "eq": 576
# },
# "precedence": "network",
# "protocol": "icmpv6",
# "protocol_options": {
# "icmpv6": {
# "router_advertisement": true
# }
# },
# "sequence": 21,
# "source": {
# "any": true
# }
# }
# ],
# "name": "acl_2"
# }
# ],
# "afi": "ipv4"
# },
# {
# "acls": [
# {
# "aces": [
# {
# "authen": true,
# "destination": {
# "any": true
# },
# "grant": "deny",
# "log": true,
# "protocol": "tcp",
# "protocol_options": {
# "tcp": {
# "syn": true
# }
# },
# "routing": true,
# "sequence": 10,
# "source": {
# "port_protocol": {
# "range": {
# "end": "telnet",
# "start": "ftp"
# }
# },
# "prefix": "2001:db8:1234::/48"
# },
# "ttl": {
# "range": {
# "end": 250,
# "start": 180
# }
# }
# },
# {
# "destination": {
# "any": true
# },
# "destopts": true,
# "grant": "permit",
# "packet_length": {
# "eq": 576
# },
# "precedence": "network",
# "protocol": "icmpv6",
# "protocol_options": {
# "icmpv6": {
# "router_advertisement": true
# }
# },
# "sequence": 20,
# "source": {
# "any": true
# }
# }
# ],
# "name": "acl6_1"
# }
# ],
# "afi": "ipv6"
# }
# ]Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
|
after list / elements=string |
when changed |
The resulting configuration model invocation.
Sample: The configuration returned will always be in the same format of the parameters above. |
|
before list / elements=string |
always |
The configuration prior to the model invocation.
Sample: The configuration returned will always be in the same format of the parameters above. |
|
commands list / elements=string |
always |
The set of commands pushed to the remote device.
Sample: ['ipv6 access-list acl6_1', '10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log', '20 permit icmpv6 any any router-advertisement precedence network destopts', 'ipv4 access-list acl_1', '16 remark TEST_ACL_1_REMARK', '21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst', '23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12'] |
Authors
- Nilashish Chakraborty (@NilashishC)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/cisco/iosxr/iosxr_acls_module.html
