cisco.ios.ios_acl_interfaces – ACL interfaces resource module
Note
This plugin is part of the cisco.ios collection (version 2.5.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cisco.ios.
To use it in a playbook, specify: cisco.ios.ios_acl_interfaces.
New in version 1.0.0 of cisco.ios
Synopsis
- This module configures and manages the access-control (ACL) attributes of interfaces on IOS platforms.
 
Note
This module has a corresponding action plugin.
Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| config (list / elements=dictionary) | | A dictionary of ACL interfaces options |
| config.access_groups (list / elements=dictionary) | | Specify access-group for IP access list (standard or extended). |
| config.access_groups.acls (list / elements=dictionary) | | Specifies the ACLs for the provided AFI. |
| config.access_groups.acls.direction (string / required) | | Specifies the direction of packets that the ACL will be applied on. With one direction already assigned, the other ACL's direction cannot be the same. |
| config.access_groups.acls.name (string / required) | | Specifies the name of the IPv4/IPv6 ACL for the interface. |
| config.access_groups.afi (string / required) | | Specifies the AFI for the ACLs to be configured on this interface. |
| config.name (string / required) | | Full name of the interface excluding any logical unit number, i.e. GigabitEthernet0/1. |
| running_config (string) | | The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison. The value of this option should be the output received from the device by executing command. |
| state (string) | | The state the configuration should be left in. The states rendered, gathered and parsed do not perform any change on the device. The state rendered will transform the configuration in the config option to platform-specific CLI commands, which will be returned in the rendered key within the result. For state rendered, an active connection to the remote host is not required. The state gathered will fetch the running configuration from the device and transform it into structured data in the format as per the resource module argspec, and the value is returned in the gathered key within the result. The state parsed reads the configuration from the running_config option and transforms it into JSON format as per the resource module parameters, and the value is returned in the parsed key within the result. The value of the running_config option should be in the same format as the output of the command `show running-config \| include ip route\|ipv6 route` executed on the device. For state parsed, an active connection to the remote host is not required. |
Notes
Note
- Tested against Cisco IOSv Version 15.2 on VIRL
 
Examples
# Using Merged
# Before state:
# -------------
#
# vios#sh running-config | include interface|ip access-group|ipv6 traffic-filter
# interface Loopback888
# interface GigabitEthernet0/0
# interface GigabitEthernet0/1
# interface GigabitEthernet0/2
#  ip access-group 123 out
- name: Merge module attributes of given access-groups
  cisco.ios.ios_acl_interfaces:
    config:
    - name: GigabitEthernet0/1
      access_groups:
      - afi: ipv4
        acls:
        - name: 110
          direction: in
        - name: 123
          direction: out
      - afi: ipv6
        acls:
        - name: test_v6
          direction: out
        - name: temp_v6
          direction: in
    - name: GigabitEthernet0/2
      access_groups:
      - afi: ipv4
        acls:
        - name: 100
          direction: in
    state: merged
# Commands Fired:
# ---------------
#
# interface GigabitEthernet0/1
#  ip access-group 110 in
#  ip access-group 123 out
#  ipv6 traffic-filter test_v6 out
#  ipv6 traffic-filter temp_v6 in
# interface GigabitEthernet0/2
#  ip access-group 100 in
# After state:
# -------------
#
# vios#sh running-config | include interface|ip access-group|ipv6 traffic-filter
# interface Loopback888
# interface GigabitEthernet0/0
# interface GigabitEthernet0/1
#  ip access-group 110 in
#  ip access-group 123 out
#  ipv6 traffic-filter test_v6 out
#  ipv6 traffic-filter temp_v6 in
# interface GigabitEthernet0/2
#  ip access-group 110 in
#  ip access-group 123 out
# Using Replaced
# Before state:
# -------------
#
# vios#sh running-config | include interface|ip access-group|ipv6 traffic-filter
# interface Loopback888
# interface GigabitEthernet0/0
# interface GigabitEthernet0/1
#  ip access-group 110 in
#  ip access-group 123 out
#  ipv6 traffic-filter test_v6 out
#  ipv6 traffic-filter temp_v6 in
# interface GigabitEthernet0/2
#  ip access-group 110 in
#  ip access-group 123 out
- name: Replace module attributes of given access-groups
  cisco.ios.ios_acl_interfaces:
    config:
    - name: GigabitEthernet0/1
      access_groups:
      - afi: ipv4
        acls:
        - name: 100
          direction: out
        - name: 110
          direction: in
    state: replaced
# Commands Fired:
# ---------------
#
# interface GigabitEthernet0/1
# no ip access-group 123 out
# no ipv6 traffic-filter temp_v6 in
# no ipv6 traffic-filter test_v6 out
# ip access-group 100 out
# After state:
# -------------
#
# vios#sh running-config | include interface|ip access-group|ipv6 traffic-filter
# interface Loopback888
# interface GigabitEthernet0/0
# interface GigabitEthernet0/1
#  ip access-group 100 out
#  ip access-group 110 in
# interface GigabitEthernet0/2
#  ip access-group 110 in
#  ip access-group 123 out
# Using Overridden
# Before state:
# -------------
#
# vios#sh running-config | include interface|ip access-group|ipv6 traffic-filter
# interface Loopback888
# interface GigabitEthernet0/0
# interface GigabitEthernet0/1
#  ip access-group 110 in
#  ip access-group 123 out
#  ipv6 traffic-filter test_v6 out
#  ipv6 traffic-filter temp_v6 in
# interface GigabitEthernet0/2
#  ip access-group 110 in
#  ip access-group 123 out
- name: Overridden module attributes of given access-groups
  cisco.ios.ios_acl_interfaces:
    config:
    - name: GigabitEthernet0/1
      access_groups:
      - afi: ipv4
        acls:
        - name: 100
          direction: out
        - name: 110
          direction: in
    state: overridden
# Commands Fired:
# ---------------
#
# interface GigabitEthernet0/1
# no ip access-group 123 out
# no ipv6 traffic-filter test_v6 out
# no ipv6 traffic-filter temp_v6 in
# ip access-group 100 out
# interface GigabitEthernet0/2
# no ip access-group 110 in
# no ip access-group 123 out
# After state:
# -------------
#
# vios#sh running-config | include interface|ip access-group|ipv6 traffic-filter
# interface Loopback888
# interface GigabitEthernet0/0
# interface GigabitEthernet0/1
#  ip access-group 100 out
#  ip access-group 110 in
# interface GigabitEthernet0/2
# Using Deleted
# Before state:
# -------------
#
# vios#sh running-config | include interface|ip access-group|ipv6 traffic-filter
# interface Loopback888
# interface GigabitEthernet0/0
# interface GigabitEthernet0/1
#  ip access-group 110 in
#  ip access-group 123 out
#  ipv6 traffic-filter test_v6 out
#  ipv6 traffic-filter temp_v6 in
# interface GigabitEthernet0/2
#  ip access-group 110 in
#  ip access-group 123 out
- name: Delete module attributes of given Interface
  cisco.ios.ios_acl_interfaces:
    config:
    - name: GigabitEthernet0/1
    state: deleted
# Commands Fired:
# ---------------
#
# interface GigabitEthernet0/1
# no ip access-group 110 in
# no ip access-group 123 out
# no ipv6 traffic-filter test_v6 out
# no ipv6 traffic-filter temp_v6 in
# After state:
# -------------
#
# vios#sh running-config | include interface|ip access-group|ipv6 traffic-filter
# interface Loopback888
# interface GigabitEthernet0/0
# interface GigabitEthernet0/1
# interface GigabitEthernet0/2
#  ip access-group 110 in
#  ip access-group 123 out
# Using DELETED without any config passed
# (NOTE: This will delete all configured resource module attributes from each configured interface)
# Before state:
# -------------
#
# vios#sh running-config | include interface|ip access-group|ipv6 traffic-filter
# interface Loopback888
# interface GigabitEthernet0/0
# interface GigabitEthernet0/1
#  ip access-group 110 in
#  ip access-group 123 out
#  ipv6 traffic-filter test_v6 out
#  ipv6 traffic-filter temp_v6 in
# interface GigabitEthernet0/2
#  ip access-group 110 in
#  ip access-group 123 out
- name: Delete module attributes of given access-groups from ALL Interfaces
  cisco.ios.ios_acl_interfaces:
    config:
    state: deleted
# Commands Fired:
# ---------------
#
# interface GigabitEthernet0/1
# no ip access-group 110 in
# no ip access-group 123 out
# no ipv6 traffic-filter test_v6 out
# no ipv6 traffic-filter temp_v6 in
# interface GigabitEthernet0/2
# no ip access-group 110 in
# no ip access-group 123 out
# After state:
# -------------
#
# vios#sh running-config | include interface|ip access-group|ipv6 traffic-filter
# interface Loopback888
# interface GigabitEthernet0/0
# interface GigabitEthernet0/1
# interface GigabitEthernet0/2
# Using Gathered
# Before state:
# -------------
#
# vios#sh running-config | include interface|ip access-group|ipv6 traffic-filter
# interface Loopback888
# interface GigabitEthernet0/0
# interface GigabitEthernet0/1
#  ip access-group 110 in
#  ip access-group 123 out
#  ipv6 traffic-filter test_v6 out
#  ipv6 traffic-filter temp_v6 in
# interface GigabitEthernet0/2
#  ip access-group 110 in
#  ip access-group 123 out
- name: Gather listed acl interfaces with provided configurations
  cisco.ios.ios_acl_interfaces:
    config:
    state: gathered
# Module Execution Result:
# ------------------------
#
# "gathered": [
#         {
#             "name": "Loopback888"
#         },
#         {
#             "name": "GigabitEthernet0/0"
#         },
#         {
#             "access_groups": [
#                 {
#                     "acls": [
#                         {
#                             "direction": "in",
#                             "name": "110"
#                         },
#                         {
#                             "direction": "out",
#                             "name": "123"
#                         }
#                     ],
#                     "afi": "ipv4"
#                 },
#                 {
#                     "acls": [
#                         {
#                             "direction": "in",
#                             "name": "temp_v6"
#                         },
#                         {
#                             "direction": "out",
#                             "name": "test_v6"
#                         }
#                     ],
#                     "afi": "ipv6"
#                 }
#             ],
#             "name": "GigabitEthernet0/1"
#         },
#         {
#             "access_groups": [
#                 {
#                     "acls": [
#                         {
#                             "direction": "in",
#                             "name": "100"
#                         },
#                         {
#                             "direction": "out",
#                             "name": "123"
#                         }
#                     ],
#                     "afi": "ipv4"
#                 }
#             ],
#             "name": "GigabitEthernet0/2"
#         }
#     ]
# After state:
# ------------
#
# vios#sh running-config | include interface|ip access-group|ipv6 traffic-filter
# interface Loopback888
# interface GigabitEthernet0/0
# interface GigabitEthernet0/1
#  ip access-group 110 in
#  ip access-group 123 out
#  ipv6 traffic-filter test_v6 out
#  ipv6 traffic-filter temp_v6 in
# interface GigabitEthernet0/2
#  ip access-group 110 in
#  ip access-group 123 out
# Using Rendered
- name: Render the commands for provided configuration
  cisco.ios.ios_acl_interfaces:
    config:
    - name: GigabitEthernet0/1
      access_groups:
      - afi: ipv4
        acls:
        - name: 110
          direction: in
        - name: 123
          direction: out
      - afi: ipv6
        acls:
        - name: test_v6
          direction: out
        - name: temp_v6
          direction: in
    state: rendered
# Module Execution Result:
# ------------------------
#
# "rendered": [
#         "interface GigabitEthernet0/1",
#         "ip access-group 110 in",
#         "ip access-group 123 out",
#         "ipv6 traffic-filter temp_v6 in",
#         "ipv6 traffic-filter test_v6 out"
#     ]
# Using Parsed
# File: parsed.cfg
# ----------------
#
# interface GigabitEthernet0/1
# ip access-group 110 in
# ip access-group 123 out
# ipv6 traffic-filter temp_v6 in
# ipv6 traffic-filter test_v6 out
- name: Parse the commands for provided configuration
  cisco.ios.ios_acl_interfaces:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed
# Module Execution Result:
# ------------------------
#
# "parsed": [
#         {
#             "access_groups": [
#                 {
#                     "acls": [
#                         {
#                             "direction": "in",
#                             "name": "110"
#                         }
#                     ],
#                     "afi": "ipv4"
#                 },
#                 {
#                     "acls": [
#                         {
#                             "direction": "in",
#                             "name": "temp_v6"
#                         }
#                     ],
#                     "afi": "ipv6"
#                 }
#             ],
#             "name": "GigabitEthernet0/1"
#         }
#     ]
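To compare what the four configuring states would push from one starting point, the following added example (not the module's own code) models them in Python using the Before state and task config from the examples above. The function names and the diff logic are assumptions, and `deleted` is modelled at interface level only.

```python
# Simplified model of the configuring states (an assumption for illustration,
# not the module's implementation). "deleted" is modelled per interface only.
CMD = {"ipv4": "ip access-group", "ipv6": "ipv6 traffic-filter"}

def bindings(entry):
    """Flatten one interface entry into {(afi, direction): acl_name}."""
    return {(g["afi"], a["direction"]): str(a["name"])
            for g in entry.get("access_groups") or []
            for a in g.get("acls") or []}

def plan(before, config, state):
    """Return the commands a state would push, given gathered-style data."""
    have = {e["name"]: bindings(e) for e in before}
    want = {e["name"]: bindings(e) for e in config or []}
    if state == "overridden" or (state == "deleted" and not want):
        scope = list(dict.fromkeys([*have, *want]))  # every interface
    else:
        scope = list(want)                           # only listed interfaces
    commands = []
    for intf in scope:
        cur = have.get(intf, {})
        new = {} if state == "deleted" else want.get(intf, {})
        # merged never removes; the other states drop what is not wanted
        drop = {} if state == "merged" else {
            k: v for k, v in cur.items() if new.get(k) != v}
        add = {k: v for k, v in new.items() if cur.get(k) != v}
        lines = [f"no {CMD[afi]} {acl} {d}" for (afi, d), acl in drop.items()]
        lines += [f"{CMD[afi]} {acl} {d}" for (afi, d), acl in add.items()]
        if lines:
            commands += [f"interface {intf}", *lines]
    return commands

def acl(name, direction):
    return {"name": name, "direction": direction}
# Constructed from the "Before state" and task config shown in the examples.
BEFORE = [
    {"name": "Loopback888"}, {"name": "GigabitEthernet0/0"},
    {"name": "GigabitEthernet0/1", "access_groups": [
        {"afi": "ipv4", "acls": [acl("110", "in"), acl("123", "out")]},
        {"afi": "ipv6", "acls": [acl("test_v6", "out"), acl("temp_v6", "in")]}]},
    {"name": "GigabitEthernet0/2", "access_groups": [
        {"afi": "ipv4", "acls": [acl("110", "in"), acl("123", "out")]}]},
]
CONFIG = [{"name": "GigabitEthernet0/1", "access_groups": [
    {"afi": "ipv4", "acls": [acl(100, "out"), acl(110, "in")]}]}]
if __name__ == "__main__":
    for state in ("merged", "replaced", "overridden", "deleted"):
        print(state, plan(BEFORE, CONFIG, state))
```

For this sample data, `overridden` is the only state whose plan touches GigabitEthernet0/2, removing both of its ACL bindings.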
Return Values
Common return values are documented here; the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| after (list / elements=string) | when changed | The configuration as structured data after module completion. Sample: The configuration returned will always be in the same format as the parameters above. |
| before (list / elements=string) | always | The configuration as structured data prior to module invocation. Sample: The configuration returned will always be in the same format as the parameters above. |
| commands (list / elements=string) | always | The set of commands pushed to the remote device. Sample: ['interface GigabitEthernet0/1', 'ip access-group 110 in', 'ipv6 traffic-filter test_v6 out'] |
Authors
- Sumit Jaiswal (@justjais)
 
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
 https://docs.ansible.com/ansible/latest/collections/cisco/ios/ios_acl_interfaces_module.html