arista.eos.eos_acls – ACLs resource module
Note
This plugin is part of the arista.eos collection (version 1.2.0).
To install it use: ansible-galaxy collection install arista.eos.
To use it in a playbook, specify: arista.eos.eos_acls.
New in version 1.0.0 of arista.eos.
Synopsis
- This module manages the IP access-list attributes of Arista EOS interfaces.
Note
This module has a corresponding action plugin.
Parameters
Each entry lists the parameter, its type, and its description; sub-options are nested under the option they belong to.

- config (list / elements=dictionary): A dictionary of IP access-list options.
  - acls (list / elements=dictionary): A list of Access Control Lists (ACL).
    - aces (list / elements=dictionary): Filtering data.
      - destination (dictionary): The packet's destination address.
        - address (string): Dotted decimal notation of IP address.
        - any (boolean): Rule matches all source addresses.
        - host (string): Host IP address.
        - port_protocol (dictionary): Specify destination port/protocol, along with operator (used with tcp/udp).
        - subnet_address (string): A subnet address.
        - wildcard_bits (string): Source wildcard bits.
      - fragment_rules (boolean): Add fragment rules.
      - fragments (boolean): Match non-head fragment packets.
      - grant (string): Action to be applied on the rule.
      - hop_limit (dictionary): Hop limit value.
      - line (string; aliases: ace): For fact gathering, any ACE that is not fully parsed will show up as the value of this attribute.
      - log (boolean): Log matches against this rule.
      - protocol (string): Specify the protocol to match. Refer to vendor documentation for valid values.
      - protocol_options (dictionary): All the possible sub-options for the protocol chosen.
        - icmp (dictionary): Internet Control Message Protocol settings.
          - administratively_prohibited (boolean): Administratively prohibited.
          - alternate_address (boolean): Alternate address.
          - conversion_error (boolean): Datagram conversion.
          - dod_host_prohibited (boolean): Host prohibited.
          - dod_net_prohibited (boolean): Net prohibited.
          - echo (boolean): Echo (ping).
          - echo_reply (boolean): Echo reply.
          - general_parameter_problem (boolean): Parameter problem.
          - host_isolated (boolean): Host isolated.
          - host_precedence_unreachable (boolean): Host unreachable for precedence.
          - host_redirect (boolean): Host redirect.
          - host_tos_redirect (boolean): Host redirect for TOS.
          - host_tos_unreachable (boolean): Host unreachable for TOS.
          - host_unknown (boolean): Host unknown.
          - host_unreachable (boolean): Host unreachable.
          - information_reply (boolean): Information replies.
          - information_request (boolean): Information requests.
          - mask_reply (boolean): Mask replies.
          - mask_request (boolean): Mask requests.
          - message_code (integer): ICMP message code.
          - message_num (integer): ICMP message type number.
          - message_type (integer): ICMP message type.
          - mobile_redirect (boolean): Mobile host redirect.
          - net_redirect (boolean): Network redirect.
          - net_tos_redirect (boolean): Net redirect for TOS.
          - net_tos_unreachable (boolean): Network unreachable for TOS.
          - net_unreachable (boolean): Net unreachable.
          - network_unknown (boolean): Network unknown.
          - no_room_for_option (boolean): Parameter required but no room.
          - option_missing (boolean): Parameter required but not present.
          - packet_too_big (boolean): Fragmentation needed and DF set.
          - parameter_problem (boolean): All parameter problems.
          - port_unreachable (boolean): Port unreachable.
          - precedence_unreachable (boolean): Precedence cutoff.
          - protocol_unreachable (boolean): Protocol unreachable.
          - reassembly_timeout (boolean): Reassembly timeout.
          - redirect (boolean): All redirects.
          - router_advertisement (boolean): Router discovery advertisements.
          - router_solicitation (boolean): Router discovery solicitations.
          - source_quench (boolean): Source quenches.
          - source_route_failed (boolean): Source route failed.
          - time_exceeded (boolean): All time exceededs.
          - timestamp_reply (boolean): Timestamp replies.
          - timestamp_request (boolean): Timestamp requests.
          - traceroute (boolean): Traceroute.
          - ttl_exceeded (boolean): TTL exceeded.
          - unreachable (boolean): All unreachables.
        - icmpv6 (dictionary): Options for icmpv6.
          - address_unreachable (boolean): Address unreachable.
          - beyond_scope (boolean): Beyond scope.
          - echo_reply (boolean): Echo reply.
          - echo_request (boolean): Echo request.
          - erroneous_header (boolean): Erroneous header.
          - fragment_reassembly_exceeded (boolean): Fragment reassembly exceeded.
          - hop_limit_exceeded (boolean): Hop limit exceeded.
          - neighbor_advertisement (boolean): Neighbor advertisement.
          - neighbor_solicitation (boolean): Neighbor solicitation.
          - no_admin (boolean): No admin.
          - no_route (boolean): No route.
          - packet_too_big (boolean): Packet too big.
          - parameter_problem (boolean): Parameter problem.
          - port_unreachable (boolean): Port unreachable.
          - redirect_message (boolean): Redirect message.
          - reject_route (boolean): Reject route.
          - router_advertisement (boolean): Router advertisement.
          - router_solicitation (boolean): Router solicitation.
          - source_address_failed (boolean): Source address failed.
          - source_routing_error (boolean): Source routing error.
          - time_exceeded (boolean): Time exceeded.
          - unreachable (boolean): Unreachable.
          - unrecognized_ipv6_option (boolean): Unrecognized IPv6 option.
          - unrecognized_next_header (boolean): Unrecognized next header.
        - ip (dictionary): Internet Protocol.
          - nexthop_group (string): Nexthop-group name.
        - ipv6 (dictionary): Internet Protocol version 6.
          - nexthop_group (string): Nexthop-group name.
        - tcp (dictionary): Options for the tcp protocol.
          - flags (dictionary): Match TCP packet flags.
            - ack (boolean): Match on the ACK bit.
            - established (boolean): Match established connections.
            - fin (boolean): Match on the FIN bit.
            - psh (boolean): Match on the PSH bit.
            - rst (boolean): Match on the RST bit.
            - syn (boolean): Match on the SYN bit.
            - urg (boolean): Match on the URG bit.
      - remark (string): Specify a comment.
      - sequence (integer): Sequence number for the ordered list of rules.
      - source (dictionary): The packet's source address.
        - address (string): Dotted decimal notation of IP address.
        - any (boolean): Rule matches all source addresses.
        - host (string): Host IP address.
        - port_protocol (dictionary): Specify source port/protocol, along with operator (used with tcp/udp).
        - subnet_address (string): A subnet address.
        - wildcard_bits (string): Source wildcard bits.
      - tracked (boolean): Match packets in existing ICMP/UDP/TCP connections.
      - ttl (dictionary): Compares the TTL (time-to-live) value in the packet to a specified value.
        - eq (integer): Match a single TTL value.
        - gt (integer): Match TTL greater than this number.
        - lt (integer): Match TTL less than this number.
        - neq (integer): Match TTL not equal to this value.
      - vlan (string): VLAN options.
    - name (string / required): Name of the access-list.
    - standard (boolean): Whether this is a standard access-list.
  - afi (string / required): The Address Family Indicator (AFI) for the Access Control Lists (ACL).
- running_config (string): This option is used only with state parsed. The value of this option should be the output received from the EOS device by executing the command show running-config | section access-list. The state parsed reads the configuration from the running_config option and transforms it into Ansible structured data as per the resource module's argspec; the value is then returned in the parsed key within the result.
- state (string): The state the configuration should be left in.
Notes
- Tested against Arista vEOS v4.20.10M
Examples
```yaml
# Using merged

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge provided configuration with device configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: deny
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: merged

# After state:
# ------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Using merged

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge to update the given configuration with an existing ace
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                log: true
                ttl:
                  eq: 33
    state: merged

# After state:
# ------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any ttl eq 33 log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Using replaced

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Replace device configuration with provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: permit
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: replaced

# After state:
# ------------
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Using overridden

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Override device configuration with provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: permit
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: overridden

# After state:
# ------------
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !

# Using deleted

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
# !

- name: Delete provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
    state: deleted

# After state:
# ------------
# show running-config | section access-list
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
# !

- name: Delete provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
    state: deleted

# After state:
# ------------
# show running-config | section access-list
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Using gathered

# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ip access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log

- name: Gather the existing configuration
  arista.eos.eos_acls:
    state: gathered

# returns:
# arista.eos.eos_acls:
#   config:
#     - afi: "ipv4"
#       acls:
#         - name: test1
#           aces:
#             - sequence: 35
#               grant: "deny"
#               protocol: "ospf"
#               source:
#                 subnet_address: 20.0.0.0/8
#               destination:
#                 any: true
#     - afi: "ipv6"
#       acls:
#         - name: test2
#           aces:
#             - sequence: 40
#               grant: "permit"
#               vlan: "55 0xE2"
#               protocol: "icmpv6"
#               log: true
#               source:
#                 any: true
#               destination:
#                 any: true

# Using rendered

- name: Render the provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: deny
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
      - afi: ipv6
        acls:
          - name: test2
            aces:
              - sequence: 40
                grant: permit
                vlan: 55 0xE2
                protocol: icmpv6
                log: true
                source:
                  any: true
                destination:
                  any: true
    state: rendered

# returns:
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ip access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log

# Using parsed

# parsed_acls.cfg
# ipv6 access-list standard test2
#    10 permit any log
# !
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
#    45 remark Run by ansible
#    55 permit tcp any any
# !

- name: Parse configs
  arista.eos.eos_acls:
    running_config: "{{ lookup('file', './parsed_acls.cfg') }}"
    state: parsed

# returns:
# "parsed": [
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "destination": {
#               "any": true
#             },
#             "grant": "deny",
#             "protocol": "ospf",
#             "sequence": 35,
#             "source": {
#               "subnet_address": "20.0.0.0/8"
#             }
#           },
#           {
#             "remark": "Run by ansible",
#             "sequence": 45
#           },
#           {
#             "destination": {
#               "any": true
#             },
#             "grant": "permit",
#             "protocol": "tcp",
#             "sequence": 55,
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "name": "test1"
#       }
#     ],
#     "afi": "ipv4"
#   },
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "grant": "permit",
#             "log": true,
#             "sequence": 10,
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "name": "test2",
#         "standard": true
#       }
#     ],
#     "afi": "ipv6"
#   }
# ]
```
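The parsed and rendered states above are two directions of the same transformation: access-list text from `show running-config | section access-list` into the module's structured data, and structured data back into EOS commands. The following Python is an added example, not code from the arista.eos collection, that performs both directions offline for a subset of the ACE grammar (any / host / prefix endpoints, `log`, and `ttl <op> N`) and, like the module's `line` attribute, keeps any rule it cannot fully parse verbatim. It also adds a small audit pass, `wide_open_permits`, that lists ACEs permitting an entire address family from any source to any destination, which is the kind of check a reviewer runs over gathered facts before an `overridden` or `replaced` push. The sample configuration, the function names and the `line` fallback shape are constructed for this example.

```python
# Added example, not code from the arista.eos collection: parses EOS access-list text into the
# module's 'parsed'/'gathered' shape, renders it back to commands, and flags permit-any-to-any rules.
import re
ACL_HEADER = re.compile(r"^(ip|ipv6) access-list (?:(standard) )?(\S+)$")
ACE_LINE = re.compile(r"^(\d+) (permit|deny) (.+)$")
REMARK_LINE = re.compile(r"^(\d+) remark (.+)$")
# Constructed sample in 'show running-config | section access-list' format.
SAMPLE_CONFIG = """\
ipv6 access-list standard test2
   10 permit any log
!
ip access-list test1
   35 deny ospf 20.0.0.0/8 any
   45 remark Run by ansible
   55 permit tcp any any
   65 deny tcp host 10.10.20.1 eq finger www any syn log
   75 permit ip any any ttl eq 200
"""

def _endpoint(tokens):
    """Consume one address spec (any | host A | prefix/len); return (dict, remaining tokens)."""
    if tokens[0] == "any":
        return {"any": True}, tokens[1:]
    if tokens[0] == "host":
        return {"host": tokens[1]}, tokens[2:]
    if "/" in tokens[0]:
        return {"subnet_address": tokens[0]}, tokens[1:]
    raise ValueError(f"unrecognised address {tokens[0]!r}")

def _parse_ace(seq, grant, rest, standard):
    """Structured ACE; anything not understood keeps the whole rule in 'line' instead."""
    tokens, ace = rest.split(), {"sequence": seq, "grant": grant}
    try:
        if standard:  # standard ACLs match on source only
            ace["source"], tokens = _endpoint(tokens)
        else:
            ace["protocol"] = tokens[0]
            ace["source"], tokens = _endpoint(tokens[1:])
            ace["destination"], tokens = _endpoint(tokens)
        while tokens:
            if tokens[0] == "log":
                ace["log"], tokens = True, tokens[1:]
            elif tokens[0] == "ttl" and len(tokens) >= 3 and tokens[1] in ("eq", "gt", "lt", "neq"):
                ace["ttl"], tokens = {tokens[1]: int(tokens[2])}, tokens[3:]
            else:
                raise ValueError(f"unsupported option {tokens[0]!r}")
    except (ValueError, IndexError):
        return {"sequence": seq, "line": f"{seq} {grant} {rest}"}
    return ace

def parse_acls(text):
    """Return [{'afi', 'acls': [{'name', 'standard'?, 'aces': [...]}]}], ipv4 before ipv6."""
    per_afi, acl = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := ACL_HEADER.match(line):
            acl = {"name": m.group(3), **({"standard": True} if m.group(2) else {}), "aces": []}
            per_afi.setdefault("ipv4" if m.group(1) == "ip" else "ipv6", []).append(acl)
        elif acl is None:
            raise ValueError(f"rule outside an access-list: {line!r}")
        elif m := REMARK_LINE.match(line):
            acl["aces"].append({"sequence": int(m.group(1)), "remark": m.group(2)})
        elif m := ACE_LINE.match(line):
            acl["aces"].append(_parse_ace(int(m.group(1)), m.group(2), m.group(3), "standard" in acl))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return [{"afi": afi, "acls": per_afi[afi]} for afi in sorted(per_afi)]

def _endpoint_text(ep):
    return "any" if ep.get("any") else f"host {ep['host']}" if "host" in ep else ep["subnet_address"]

def render_commands(parsed):
    """Reverse of parse_acls: the command list the 'rendered' state and 'commands' key carry."""
    cmds = []
    for entry in parsed:
        family = "ip" if entry["afi"] == "ipv4" else "ipv6"
        for acl in entry["acls"]:
            cmds.append(f"{family} access-list {'standard ' if acl.get('standard') else ''}{acl['name']}")
            for ace in acl["aces"]:
                if "line" in ace:
                    cmds.append(ace["line"])
                elif "remark" in ace:
                    cmds.append(f"{ace['sequence']} remark {ace['remark']}")
                else:
                    parts = [str(ace["sequence"]), ace["grant"], *([ace["protocol"]] if "protocol" in ace else [])]
                    parts.append(_endpoint_text(ace["source"]))
                    parts += [_endpoint_text(ace["destination"])] if "destination" in ace else []
                    for op, value in ace.get("ttl", {}).items():
                        parts += ["ttl", op, str(value)]
                    cmds.append(" ".join(parts + (["log"] if ace.get("log") else [])))
    return cmds

def wide_open_permits(parsed):
    """(afi, acl name, sequence) of every ACE that permits the whole address family any -> any."""
    return [(e["afi"], a["name"], ace["sequence"]) for e in parsed for a in e["acls"] for ace in a["aces"]
            if ace.get("grant") == "permit" and ace.get("protocol") in ("ip", "ipv6")
            and ace.get("source", {}).get("any") and ace.get("destination", {}).get("any")]
```

Running `parse_acls(SAMPLE_CONFIG)` yields the same shape as the module's parsed output for the file above (ipv4 entry first, `standard: true` on test2), rule 65 lands in `line` because its multi-port `eq finger www` match is outside the supported subset, and `render_commands` round-trips the structure so that parsing the rendered commands again returns an equal result. `wide_open_permits` reports rule 75 of test1.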
Return Values
Common return values are documented here; the following are the fields unique to this module:

Key | Returned | Description
---|---|---
after (list / elements=string) | when changed | The resulting configuration model invocation. Sample: The configuration returned will always be in the same format as the parameters above.
before (list / elements=string) | always | The configuration prior to the model invocation. Sample: The configuration returned will always be in the same format as the parameters above.
commands (list / elements=string) | always | The set of commands pushed to the remote device. Sample: ['ipv6 access-list standard test2', '10 permit any log', 'ip access-list test1', '35 deny ospf 20.0.0.0/8 any', '45 remark Run by ansible', '55 permit tcp any any']
Authors
- Gomathiselvi S (@GomathiselviS)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/arista/eos/eos_acls_module.html