arista.eos.eos_acls – ACLs resource module
Note
This plugin is part of the arista.eos collection (version 2.2.0). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list. To install it, use: ansible-galaxy collection install arista.eos. To use it in a playbook, specify: arista.eos.eos_acls.
New in version 1.0.0 of arista.eos
Synopsis
- This module manages the IP access-list attributes of Arista EOS interfaces.
Note
This module has a corresponding action plugin.
Parameters
Each parameter is listed as name (type): description; nested entries are sub-options of the entry above them.

- config (list / elements=dictionary): A dictionary of IP access-list options.
  - acls (list / elements=dictionary): A list of Access Control Lists (ACL).
    - aces (list / elements=dictionary): Filtering data.
      - destination (dictionary): The packet's destination address.
        - address (string): Dotted decimal notation of the IP address.
        - any (boolean): Rule matches all destination addresses.
        - host (string): Host IP address.
        - port_protocol (dictionary): Specify the destination port/protocol, along with an operator (tcp/udp only).
        - subnet_address (string): A subnet address.
        - wildcard_bits (string): Destination wildcard bits.
      - fragment_rules (boolean): Add fragment rules.
      - fragments (boolean): Match non-head fragment packets.
      - grant (string): Action to be applied on the rule.
      - hop_limit (dictionary): Hop limit value.
      - line (string; aliases: ace): For fact gathering, any ACE that is not fully parsed will show up as the value of this attribute.
      - log (boolean): Log matches against this rule.
      - protocol (string): Specify the protocol to match. Refer to vendor documentation for valid values.
      - protocol_options (dictionary): All the possible sub-options for the protocol chosen.
        - icmp (dictionary): Internet Control Message Protocol settings.
          - administratively_prohibited (boolean): Administratively prohibited.
          - alternate_address (boolean): Alternate address.
          - conversion_error (boolean): Datagram conversion.
          - dod_host_prohibited (boolean): Host prohibited.
          - dod_net_prohibited (boolean): Net prohibited.
          - echo (boolean): Echo (ping).
          - echo_reply (boolean): Echo reply.
          - general_parameter_problem (boolean): Parameter problem.
          - host_isolated (boolean): Host isolated.
          - host_precedence_unreachable (boolean): Host unreachable for precedence.
          - host_redirect (boolean): Host redirect.
          - host_tos_redirect (boolean): Host redirect for TOS.
          - host_tos_unreachable (boolean): Host unreachable for TOS.
          - host_unknown (boolean): Host unknown.
          - host_unreachable (boolean): Host unreachable.
          - information_reply (boolean): Information replies.
          - information_request (boolean): Information requests.
          - mask_reply (boolean): Mask replies.
          - mask_request (boolean): Mask requests.
          - message_code (integer): ICMP message code.
          - message_num (integer): ICMP message type number.
          - message_type (integer): ICMP message type.
          - mobile_redirect (boolean): Mobile host redirect.
          - net_redirect (boolean): Network redirect.
          - net_tos_redirect (boolean): Net redirect for TOS.
          - net_tos_unreachable (boolean): Network unreachable for TOS.
          - net_unreachable (boolean): Net unreachable.
          - network_unknown (boolean): Network unknown.
          - no_room_for_option (boolean): Parameter required but no room.
          - option_missing (boolean): Parameter required but not present.
          - packet_too_big (boolean): Fragmentation needed and DF set.
          - parameter_problem (boolean): All parameter problems.
          - port_unreachable (boolean): Port unreachable.
          - precedence_unreachable (boolean): Precedence cutoff.
          - protocol_unreachable (boolean): Protocol unreachable.
          - reassembly_timeout (boolean): Reassembly timeout.
          - redirect (boolean): All redirects.
          - router_advertisement (boolean): Router discovery advertisements.
          - router_solicitation (boolean): Router discovery solicitations.
          - source_quench (boolean): Source quenches.
          - source_route_failed (boolean): Source route failed.
          - time_exceeded (boolean): All time-exceeded messages.
          - timestamp_reply (boolean): Timestamp replies.
          - timestamp_request (boolean): Timestamp requests.
          - traceroute (boolean): Traceroute.
          - ttl_exceeded (boolean): TTL exceeded.
          - unreachable (boolean): All unreachables.
        - icmpv6 (dictionary): Options for ICMPv6.
          - address_unreachable (boolean): Address unreachable.
          - beyond_scope (boolean): Beyond scope.
          - echo_reply (boolean): Echo reply.
          - echo_request (boolean): Echo request.
          - erroneous_header (boolean): Erroneous header.
          - fragment_reassembly_exceeded (boolean): Fragment reassembly exceeded.
          - hop_limit_exceeded (boolean): Hop limit exceeded.
          - neighbor_advertisement (boolean): Neighbor advertisement.
          - neighbor_solicitation (boolean): Neighbor solicitation.
          - no_admin (boolean): No admin.
          - no_route (boolean): No route.
          - packet_too_big (boolean): Packet too big.
          - parameter_problem (boolean): Parameter problem.
          - port_unreachable (boolean): Port unreachable.
          - redirect_message (boolean): Redirect message.
          - reject_route (boolean): Reject route.
          - router_advertisement (boolean): Router advertisement.
          - router_solicitation (boolean): Router solicitation.
          - source_address_failed (boolean): Source address failed.
          - source_routing_error (boolean): Source routing error.
          - time_exceeded (boolean): Time exceeded.
          - unreachable (boolean): Unreachable.
          - unrecognized_ipv6_option (boolean): Unrecognized IPv6 option.
          - unrecognized_next_header (boolean): Unrecognized next header.
        - ip (dictionary): Internet Protocol.
          - nexthop_group (string): Nexthop-group name.
        - ipv6 (dictionary): Internet Protocol version 6.
          - nexthop_group (string): Nexthop-group name.
        - tcp (dictionary): Options for the tcp protocol.
          - flags (dictionary): Match TCP packet flags.
            - ack (boolean): Match on the ACK bit.
            - established (boolean): Match established connections.
            - fin (boolean): Match on the FIN bit.
            - psh (boolean): Match on the PSH bit.
            - rst (boolean): Match on the RST bit.
            - syn (boolean): Match on the SYN bit.
            - urg (boolean): Match on the URG bit.
      - remark (string): Specify a comment.
      - sequence (integer): Sequence number for the ordered list of rules.
      - source (dictionary): The packet's source address.
        - address (string): Dotted decimal notation of the IP address.
        - any (boolean): Rule matches all source addresses.
        - host (string): Host IP address.
        - port_protocol (dictionary): Specify the source port/protocol, along with an operator (tcp/udp only).
        - subnet_address (string): A subnet address.
        - wildcard_bits (string): Source wildcard bits.
      - tracked (boolean): Match packets in existing ICMP/UDP/TCP connections.
      - ttl (dictionary): Compares the TTL (time-to-live) value in the packet to a specified value.
        - eq (integer): Match a single TTL value.
        - gt (integer): Match TTL greater than this number.
        - lt (integer): Match TTL less than this number.
        - neq (integer): Match TTL not equal to this value.
      - vlan (string): VLAN options.
    - name (string / required): Name of the access-list.
    - standard (boolean): Whether this is a standard access-list.
  - afi (string / required): The Address Family Indicator (AFI) for the Access Control Lists (ACL).
- running_config (string): This option is used only with state parsed. The value of this option should be the output received from the EOS device by executing the command show running-config | section access-list. The state parsed reads the configuration from the running_config option and transforms it into Ansible structured data as per the resource module's argspec; the value is then returned in the parsed key within the result.
- state (string): The state the configuration should be left in.
Notes
- Tested against Arista vEOS v4.20.10M
Examples
```yaml
# Using merged

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge provided configuration with device configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: deny
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: merged

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Using merged (updating an existing ACE)

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge to update the given configuration with an existing ace
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                log: true
                ttl:
                  eq: 33
    state: merged

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any ttl eq 33 log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Using replaced

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Replace device configuration with provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: permit
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: replaced

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Using overridden

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Override device configuration with provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: permit
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: overridden

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !

# Using deleted

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
# !

- name: Delete provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
    state: deleted

# After state:
# ------------
#
# show running-config | section access-list
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
# !

- name: Delete provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
    state: deleted

# After state:
# ------------
#
# show running-config | section access-list
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Using gathered

# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ip access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log

- name: Gather the existing configuration
  arista.eos.eos_acls:
    state: gathered

# returns:
# arista.eos.eos_acls:
#   config:
#     - afi: "ipv4"
#       acls:
#         - name: test1
#           aces:
#             - sequence: 35
#               grant: "deny"
#               protocol: "ospf"
#               source:
#                 subnet_address: 20.0.0.0/8
#               destination:
#                 any: true
#     - afi: "ipv6"
#       acls:
#         - name: test2
#           aces:
#             - sequence: 40
#               grant: "permit"
#               vlan: "55 0xE2"
#               protocol: "icmpv6"
#               log: true
#               source:
#                 any: true
#               destination:
#                 any: true

# Using rendered

- name: Render the provided configuration as device commands
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: deny
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
      - afi: ipv6
        acls:
          - name: test2
            aces:
              - sequence: 40
                grant: permit
                vlan: 55 0xE2
                protocol: icmpv6
                log: true
                source:
                  any: true
                destination:
                  any: true
    state: rendered

# returns:
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ip access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log

# Using parsed

# parsed_acls.cfg
# ipv6 access-list standard test2
#    10 permit any log
# !
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
#    45 remark Run by ansible
#    55 permit tcp any any
# !

- name: Parse configs
  arista.eos.eos_acls:
    running_config: "{{ lookup('file', './parsed_acls.cfg') }}"
    state: parsed

# returns
# "parsed": [
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "destination": {
#               "any": true
#             },
#             "grant": "deny",
#             "protocol": "ospf",
#             "sequence": 35,
#             "source": {
#               "subnet_address": "20.0.0.0/8"
#             }
#           },
#           {
#             "remark": "Run by ansible",
#             "sequence": 45
#           },
#           {
#             "destination": {
#               "any": true
#             },
#             "grant": "permit",
#             "protocol": "tcp",
#             "sequence": 55,
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "name": "test1"
#       }
#     ],
#     "afi": "ipv4"
#   },
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "grant": "permit",
#             "log": true,
#             "sequence": 10,
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "name": "test2",
#         "standard": true
#       }
#     ],
#     "afi": "ipv6"
#   }
# ]
```
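As an added example (not code from the module or this page), the Python below sketches what the parsed state does: it turns `show running-config | section access-list` text into the module's afi/acls/aces shape and then flags ACEs that permit any source to any destination, the kind of entry (like `40 permit ip any any` above) a reviewer wants to see before a merge. The sample configuration is constructed from the parsed_acls.cfg example; `host` addresses and port operators are left out to keep it short.

```python
import re  # SAMPLE_CONFIG below is constructed, modelled on the parsed_acls.cfg example above
SAMPLE_CONFIG = """\
ipv6 access-list standard test2
   10 permit any log
!
ip access-list test1
   35 deny ospf 20.0.0.0/8 any
   45 remark Run by ansible
   55 permit tcp any any
!
"""
ACL_HEADER = re.compile(r"^(ip|ipv6) access-list (standard )?(\S+)$")

def _endpoint(token):  # 'any' or a prefix; host/port forms are not handled here
    return {"any": True} if token == "any" else {"subnet_address": token}

def parse_acls(text):
    """Return a list shaped like the module's 'parsed' result: afi -> acls -> aces."""
    families, acl = {}, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip() not in ("", "!")):
        head = ACL_HEADER.match(line)
        if head:  # start of a new access-list
            afi = "ipv4" if head.group(1) == "ip" else "ipv6"
            acl = {"name": head.group(3), "aces": []}
            if head.group(2):
                acl["standard"] = True
            families.setdefault(afi, {"afi": afi, "acls": []})["acls"].append(acl)
            continue
        seq, rest = line.split(" ", 1)
        ace = {"sequence": int(seq)}
        if rest.startswith("remark "):
            ace["remark"] = rest[len("remark "):]
        else:
            tokens = rest.split()
            ace["grant"], tokens = tokens[0], tokens[1:]
            if not acl.get("standard"):  # extended ACE: <grant> <proto> <src> <dst> [options]
                ace["protocol"], tokens = tokens[0], tokens[1:]
            ace["source"], tokens = _endpoint(tokens[0]), tokens[1:]
            if not acl.get("standard"):
                ace["destination"], tokens = _endpoint(tokens[0]), tokens[1:]
            if "log" in tokens:
                ace["log"] = True
        acl["aces"].append(ace)
    return list(families.values())

def broad_permits(parsed):
    """ACEs permitting any source to any destination; standard ACLs carry no destination."""
    return [(f["afi"], a["name"], e["sequence"])
            for f in parsed for a in f["acls"] for e in a["aces"]
            if e.get("grant") == "permit" and e.get("source") == {"any": True}
            and e.get("destination", {"any": True}) == {"any": True}]
```

Running `broad_permits(parse_acls(SAMPLE_CONFIG))` on the sample reports the standard `10 permit any log` entry and the extended `55 permit tcp any any` entry.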
Return Values
Common return values are documented here; the following are the fields unique to this module:

Key | Returned | Description
---|---|---
after (list / elements=string) | when changed | The resulting configuration model invocation. The configuration returned will always be in the same format as the parameters above.
before (list / elements=string) | always | The configuration prior to the model invocation. The configuration returned will always be in the same format as the parameters above.
commands (list / elements=string) | always | The set of commands pushed to the remote device. Sample: ['ipv6 access-list standard test2', '10 permit any log', 'ip access-list test1', '35 deny ospf 20.0.0.0/8 any', '45 remark Run by ansible', '55 permit tcp any any']
Authors
- Gomathiselvi S (@GomathiselviS)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/arista/eos/eos_acls_module.html