cisco.ios.ios_acls – ACLs resource module
Note
This plugin is part of the cisco.ios collection (version 2.5.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cisco.ios.
To use it in a playbook, specify: cisco.ios.ios_acls.
New in version 1.0.0 of cisco.ios
Synopsis
- This module configures and manages the named or numbered ACLs on IOS platforms.
 
Note
This module has a corresponding action plugin.
Parameters
Nested parameters are written as a slash-separated path under their parent (for example config/acls/aces/grant).

| Parameter | Type | Choices/Defaults | Comments |
|---|---|---|---|
| config | list / elements=dictionary | | A dictionary of ACL options. |
| config/acls | list / elements=dictionary | | A list of Access Control Lists (ACL). |
| config/acls/aces | list / elements=dictionary | | The entries within the ACL. |
| config/acls/aces/destination | dictionary | | Specify the packet destination. |
| config/acls/aces/destination/address | string | | Host address to match, or any single host address. |
| config/acls/aces/destination/any | boolean | no / yes | Match any destination address. |
| config/acls/aces/destination/host | string | | A single destination host. |
| config/acls/aces/destination/object_group | string | | Destination network object group. |
| config/acls/aces/destination/port_protocol | dictionary | | Specify the destination port along with protocol. Valid only with TCP/UDP protocol_options. |
| config/acls/aces/destination/port_protocol/eq | string | | Match only packets on a given port number. |
| config/acls/aces/destination/port_protocol/gt | string | | Match only packets with a greater port number. |
| config/acls/aces/destination/port_protocol/lt | string | | Match only packets with a lower port number. |
| config/acls/aces/destination/port_protocol/neq | string | | Match only packets not on a given port number. |
| config/acls/aces/destination/port_protocol/range | dictionary | | Port group. |
| config/acls/aces/destination/port_protocol/range/end | integer | | Specify the end of the port range. |
| config/acls/aces/destination/port_protocol/range/start | integer | | Specify the start of the port range. |
| config/acls/aces/destination/wildcard_bits | string | | Destination wildcard bits, valid with an IPv4 address. |
| config/acls/aces/dscp | string | | Match packets with the given DSCP value. |
| config/acls/aces/evaluate | string | | Evaluate an access list. |
| config/acls/aces/fragments | string | | Check non-initial fragments. |
| config/acls/aces/grant | string | permit / deny | Specify the action. |
| config/acls/aces/log | dictionary | | Log matches against this entry. |
| config/acls/aces/log/set | boolean | no / yes | Enable logging of matches against this entry. |
| config/acls/aces/log/user_cookie | string | | User defined cookie (max of 64 characters). |
| config/acls/aces/log_input | dictionary | | Log matches against this entry, including the input interface. |
| config/acls/aces/log_input/set | boolean | no / yes | Enable logging of matches against this entry, including the input interface. |
| config/acls/aces/log_input/user_cookie | string | | User defined cookie (max of 64 characters). |
| config/acls/aces/option | dictionary | | Match packets with the given IP Options value. Valid only for named ACLs. |
| config/acls/aces/option/add_ext | boolean | no / yes | Match packets with Address Extension Option (147). |
| config/acls/aces/option/any_options | boolean | no / yes | Match packets with ANY Option. |
| config/acls/aces/option/com_security | boolean | no / yes | Match packets with Commercial Security Option (134). |
| config/acls/aces/option/dps | boolean | no / yes | Match packets with Dynamic Packet State Option (151). |
| config/acls/aces/option/encode | boolean | no / yes | Match packets with Encode Option (15). |
| config/acls/aces/option/eool | boolean | no / yes | Match packets with End of Options (0). |
| config/acls/aces/option/ext_ip | boolean | no / yes | Match packets with Extended IP Option (145). |
| config/acls/aces/option/ext_security | boolean | no / yes | Match packets with Extended Security Option (133). |
| config/acls/aces/option/finn | boolean | no / yes | Match packets with Experimental Flow Control Option (205). |
| config/acls/aces/option/imitd | boolean | no / yes | Match packets with IMI Traffic Descriptor Option (144). |
| config/acls/aces/option/lsr | boolean | no / yes | Match packets with Loose Source Route Option (131). |
| config/acls/aces/option/mtup | boolean | no / yes | Match packets with MTU Probe Option (11). |
| config/acls/aces/option/mtur | boolean | no / yes | Match packets with MTU Reply Option (12). |
| config/acls/aces/option/no_op | boolean | no / yes | Match packets with No Operation Option (1). |
| config/acls/aces/option/nsapa | boolean | no / yes | Match packets with NSAP Addresses Option (150). |
| config/acls/aces/option/record_route | boolean | no / yes | Match packets with Record Route Option (7). |
| config/acls/aces/option/router_alert | boolean | no / yes | Match packets with Router Alert Option (148). |
| config/acls/aces/option/sdb | boolean | no / yes | Match packets with Selective Directed Broadcast Option (149). |
| config/acls/aces/option/security | boolean | no / yes | Match packets with Basic Security Option (130). |
| config/acls/aces/option/ssr | boolean | no / yes | Match packets with Strict Source Routing Option (137). |
| config/acls/aces/option/stream_id | boolean | no / yes | Match packets with Stream ID Option (136). |
| config/acls/aces/option/timestamp | boolean | no / yes | Match packets with Time Stamp Option (68). |
| config/acls/aces/option/traceroute | boolean | no / yes | Match packets with Trace Route Option (82). |
| config/acls/aces/option/ump | boolean | no / yes | Match packets with Upstream Multicast Packet Option (152). |
| config/acls/aces/option/visa | boolean | no / yes | Match packets with Experimental Access Control Option (142). |
| config/acls/aces/option/zsu | boolean | no / yes | Match packets with Experimental Measurement Option (10). |
| config/acls/aces/precedence | integer | | Match packets with the given precedence value. |
| config/acls/aces/protocol | string | | Specify the protocol to match. Refer to vendor documentation for valid values. |
| config/acls/aces/protocol_options | dictionary | | Protocol type. |
| config/acls/aces/protocol_options/ahp | boolean | no / yes | Authentication Header Protocol. |
| config/acls/aces/protocol_options/eigrp | boolean | no / yes | Cisco's EIGRP routing protocol. |
| config/acls/aces/protocol_options/esp | boolean | no / yes | Encapsulation Security Payload. |
| config/acls/aces/protocol_options/gre | boolean | no / yes | Cisco's GRE tunneling. |
| config/acls/aces/protocol_options/hbh | boolean | no / yes | Hop by Hop options header. Valid for IPv6. |
| config/acls/aces/protocol_options/icmp | dictionary | | Internet Control Message Protocol. |
| config/acls/aces/protocol_options/icmp/administratively_prohibited | boolean | no / yes | Administratively prohibited. |
| config/acls/aces/protocol_options/icmp/alternate_address | boolean | no / yes | Alternate address. |
| config/acls/aces/protocol_options/icmp/conversion_error | boolean | no / yes | Datagram conversion. |
| config/acls/aces/protocol_options/icmp/dod_host_prohibited | boolean | no / yes | Host prohibited. |
| config/acls/aces/protocol_options/icmp/dod_net_prohibited | boolean | no / yes | Net prohibited. |
| config/acls/aces/protocol_options/icmp/echo | boolean | no / yes | Echo (ping). |
| config/acls/aces/protocol_options/icmp/echo_reply | boolean | no / yes | Echo reply. |
| config/acls/aces/protocol_options/icmp/general_parameter_problem | boolean | no / yes | Parameter problem. |
| config/acls/aces/protocol_options/icmp/host_isolated | boolean | no / yes | Host isolated. |
| config/acls/aces/protocol_options/icmp/host_precedence_unreachable | boolean | no / yes | Host unreachable for precedence. |
| config/acls/aces/protocol_options/icmp/host_redirect | boolean | no / yes | Host redirect. |
| config/acls/aces/protocol_options/icmp/host_tos_redirect | boolean | no / yes | Host redirect for TOS. |
| config/acls/aces/protocol_options/icmp/host_tos_unreachable | boolean | no / yes | Host unreachable for TOS. |
| config/acls/aces/protocol_options/icmp/host_unknown | boolean | no / yes | Host unknown. |
| config/acls/aces/protocol_options/icmp/host_unreachable | boolean | no / yes | Host unreachable. |
| config/acls/aces/protocol_options/icmp/information_reply | boolean | no / yes | Information replies. |
| config/acls/aces/protocol_options/icmp/information_request | boolean | no / yes | Information requests. |
| config/acls/aces/protocol_options/icmp/mask_reply | boolean | no / yes | Mask replies. |
| config/acls/aces/protocol_options/icmp/mask_request | boolean | no / yes | Mask requests. |
| config/acls/aces/protocol_options/icmp/mobile_redirect | boolean | no / yes | Mobile host redirect. |
| config/acls/aces/protocol_options/icmp/net_redirect | boolean | no / yes | Network redirect. |
| config/acls/aces/protocol_options/icmp/net_tos_redirect | boolean | no / yes | Net redirect for TOS. |
| config/acls/aces/protocol_options/icmp/net_tos_unreachable | boolean | no / yes | Network unreachable for TOS. |
| config/acls/aces/protocol_options/icmp/net_unreachable | boolean | no / yes | Net unreachable. |
| config/acls/aces/protocol_options/icmp/network_unknown | boolean | no / yes | Network unknown. |
| config/acls/aces/protocol_options/icmp/no_room_for_option | boolean | no / yes | Parameter required but no room. |
| config/acls/aces/protocol_options/icmp/option_missing | boolean | no / yes | Parameter required but not present. |
| config/acls/aces/protocol_options/icmp/packet_too_big | boolean | no / yes | Fragmentation needed and DF set. |
| config/acls/aces/protocol_options/icmp/parameter_problem | boolean | no / yes | All parameter problems. |
| config/acls/aces/protocol_options/icmp/port_unreachable | boolean | no / yes | Port unreachable. |
| config/acls/aces/protocol_options/icmp/precedence_unreachable | boolean | no / yes | Precedence cutoff. |
| config/acls/aces/protocol_options/icmp/protocol_unreachable | boolean | no / yes | Protocol unreachable. |
| config/acls/aces/protocol_options/icmp/reassembly_timeout | boolean | no / yes | Reassembly timeout. |
| config/acls/aces/protocol_options/icmp/redirect | boolean | no / yes | All redirects. |
| config/acls/aces/protocol_options/icmp/router_advertisement | boolean | no / yes | Router discovery advertisements. |
| config/acls/aces/protocol_options/icmp/router_solicitation | boolean | no / yes | Router discovery solicitations. |
| config/acls/aces/protocol_options/icmp/source_quench | boolean | no / yes | Source quenches. |
| config/acls/aces/protocol_options/icmp/source_route_failed | boolean | no / yes | Source route failed. |
| config/acls/aces/protocol_options/icmp/time_exceeded | boolean | no / yes | All time exceededs. |
| config/acls/aces/protocol_options/icmp/timestamp_reply | boolean | no / yes | Timestamp replies. |
| config/acls/aces/protocol_options/icmp/timestamp_request | boolean | no / yes | Timestamp requests. |
| config/acls/aces/protocol_options/icmp/traceroute | boolean | no / yes | Traceroute. |
| config/acls/aces/protocol_options/icmp/ttl_exceeded | boolean | no / yes | TTL exceeded. |
| config/acls/aces/protocol_options/icmp/unreachable | boolean | no / yes | All unreachables. |
| config/acls/aces/protocol_options/igmp | dictionary | | Internet Gateway Message Protocol. |
| config/acls/aces/protocol_options/igmp/dvmrp | boolean | no / yes | Distance Vector Multicast Routing Protocol (2). |
| config/acls/aces/protocol_options/igmp/host_query | boolean | no / yes | IGMP Membership Query (0). |
| config/acls/aces/protocol_options/igmp/mtrace_resp | boolean | no / yes | Multicast Traceroute Response (7). |
| config/acls/aces/protocol_options/igmp/mtrace_route | boolean | no / yes | Multicast Traceroute (8). |
| config/acls/aces/protocol_options/igmp/pim | boolean | no / yes | Protocol Independent Multicast (3). |
| config/acls/aces/protocol_options/igmp/trace | boolean | no / yes | Multicast trace (4). |
| config/acls/aces/protocol_options/igmp/v1host_report | boolean | no / yes | IGMPv1 Membership Report (1). |
| config/acls/aces/protocol_options/igmp/v2host_report | boolean | no / yes | IGMPv2 Membership Report (5). |
| config/acls/aces/protocol_options/igmp/v2leave_group | boolean | no / yes | IGMPv2 Leave Group (6). |
| config/acls/aces/protocol_options/igmp/v3host_report | boolean | no / yes | IGMPv3 Membership Report (9). |
| config/acls/aces/protocol_options/ip | boolean | no / yes | Any Internet Protocol. |
| config/acls/aces/protocol_options/ipinip | boolean | no / yes | IP in IP tunneling. |
| config/acls/aces/protocol_options/ipv6 | boolean | no / yes | Any IPv6. |
| config/acls/aces/protocol_options/nos | boolean | no / yes | KA9Q NOS compatible IP over IP tunneling. |
| config/acls/aces/protocol_options/ospf | boolean | no / yes | OSPF routing protocol. |
| config/acls/aces/protocol_options/pcp | boolean | no / yes | Payload Compression Protocol. |
| config/acls/aces/protocol_options/pim | boolean | no / yes | Protocol Independent Multicast. |
| config/acls/aces/protocol_options/protocol_number | integer | | An IP protocol number. |
| config/acls/aces/protocol_options/sctp | boolean | no / yes | Stream Control Transmission Protocol. |
| config/acls/aces/protocol_options/tcp | dictionary | | Match TCP packet flags. |
| config/acls/aces/protocol_options/tcp/ack | boolean | no / yes | Match on the ACK bit. |
| config/acls/aces/protocol_options/tcp/established | boolean | no / yes | Match established connections. |
| config/acls/aces/protocol_options/tcp/fin | boolean | no / yes | Match on the FIN bit. |
| config/acls/aces/protocol_options/tcp/psh | boolean | no / yes | Match on the PSH bit. |
| config/acls/aces/protocol_options/tcp/rst | boolean | no / yes | Match on the RST bit. |
| config/acls/aces/protocol_options/tcp/syn | boolean | no / yes | Match on the SYN bit. |
| config/acls/aces/protocol_options/tcp/urg | boolean | no / yes | Match on the URG bit. |
| config/acls/aces/protocol_options/udp | boolean | no / yes | User Datagram Protocol. |
| config/acls/aces/sequence | integer | | Sequence number for the Access Control Entry (ACE). Refer to vendor documentation for valid values. |
| config/acls/aces/source | dictionary | | Specify the packet source. |
| config/acls/aces/source/address | string | | Source network address. |
| config/acls/aces/source/any | boolean | no / yes | Match any source address. |
| config/acls/aces/source/host | string | | A single source host. |
| config/acls/aces/source/object_group | string | | Source network object group. |
| config/acls/aces/source/port_protocol | dictionary | | Specify the source port along with protocol. Valid only with TCP/UDP protocol_options. |
| config/acls/aces/source/port_protocol/eq | string | | Match only packets on a given port number. |
| config/acls/aces/source/port_protocol/gt | string | | Match only packets with a greater port number. |
| config/acls/aces/source/port_protocol/lt | string | | Match only packets with a lower port number. |
| config/acls/aces/source/port_protocol/neq | string | | Match only packets not on a given port number. |
| config/acls/aces/source/port_protocol/range | dictionary | | Port group. |
| config/acls/aces/source/port_protocol/range/end | integer | | Specify the end of the port range. |
| config/acls/aces/source/port_protocol/range/start | integer | | Specify the start of the port range. |
| config/acls/aces/source/wildcard_bits | string | | Source wildcard bits, valid with an IPv4 address. |
| config/acls/aces/time_range | string | | Specify a time-range. |
| config/acls/aces/tos | dictionary | | Match packets with the given TOS value. DSCP and TOS are mutually exclusive. |
| config/acls/aces/tos/max_reliability | boolean | no / yes | Match packets with max reliable TOS (2). |
| config/acls/aces/tos/max_throughput | boolean | no / yes | Match packets with max throughput TOS (4). |
| config/acls/aces/tos/min_delay | boolean | no / yes | Match packets with min delay TOS (8). |
| config/acls/aces/tos/min_monetary_cost | boolean | no / yes | Match packets with min monetary cost TOS (1). |
| config/acls/aces/tos/normal | boolean | no / yes | Match packets with normal TOS (0). |
| config/acls/aces/tos/service_value | integer | | Type of service value. |
| config/acls/aces/ttl | dictionary | | Match packets with the given TTL value. |
| config/acls/aces/ttl/eq | integer | | Match only packets with a given TTL value. |
| config/acls/aces/ttl/gt | integer | | Match only packets with a greater TTL value. |
| config/acls/aces/ttl/lt | integer | | Match only packets with a lower TTL value. |
| config/acls/aces/ttl/neq | integer | | Match only packets not having a given TTL value. |
| config/acls/aces/ttl/range | dictionary | | Match only packets in the range of TTLs. |
| config/acls/aces/ttl/range/end | integer | | Specify the end of the TTL range. |
| config/acls/aces/ttl/range/start | integer | | Specify the start of the TTL range. |
| config/acls/acl_type | string | extended / standard | ACL type. Mandatory for a named ACL; optional for a numbered ACL. |
| config/acls/name | string / required | | The name or the number of the ACL. |
| config/afi | string / required | ipv4 / ipv6 | The Address Family Indicator (AFI) for the Access Control Lists (ACL). |
| running_config | string | | This option is used only with state parsed. The value of this option should be the output received from the IOS device by executing the command sh access-list. The state parsed reads the configuration from the running_config option and transforms it into Ansible structured data as per the resource module's argspec; the value is then returned in the parsed key within the result. |
| state | string | merged (default) / replaced / overridden / deleted / gathered / rendered / parsed | The state the configuration should be left in. The state merged is the default and merges the want and have config; because the IOS platform does not allow updating an ACE at a pre-existing ACE sequence in an ACL, the ACLs resource module errors out in that scenario, and only the addition of a new ACE at a new sequence is allowed with state merged. The states rendered, gathered and parsed do not perform any change on the device. The state rendered transforms the configuration in the config option into platform-specific CLI commands, which are returned in the rendered key within the result; for state rendered an active connection to the remote host is not required. The state gathered fetches the running configuration from the device and transforms it into structured data in the format of the resource module argspec; the value is returned in the gathered key within the result. The state parsed reads the configuration from the running_config option and transforms it into JSON format as per the resource module parameters; the value is returned in the parsed key within the result. The value of the running_config option should be in the same format as the output of the command show running-config \| include ip route\|ipv6 route executed on the device. For state parsed an active connection to the remote host is not required. |
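The running_config and state descriptions above describe two behaviours a practitioner usually wants to check before a play runs against a production ACL: how `show access-lists` output maps onto the config structure (what state parsed produces), and why state merged refuses an ACE whose sequence already exists. The following Python script is an added example, not code from the cisco.ios collection: it parses `show access-lists` output of the shape shown on this page into ACL dictionaries using the module's key names (afi, name, acl_type, aces, sequence, grant, source, destination, port_protocol, wildcard_bits), then reports the sequence collisions that state merged would reject. The sample output, the WANT structure and all function names are constructed for this example; the module does its own parsing with its own parsers, and fields this script does not model (TCP flags, dscp, ttl, options) are kept verbatim under a `modifiers` key of its own invention.

```python
"""Added example: parse 'show access-lists' output into the config structure
used by cisco.ios.ios_acls and pre-check a merge for sequence collisions.
Not the collection's own code; sample data and function names are constructed."""
import re

# Constructed sample, modelled on the "After state" output shown on the page.
SAMPLE_SHOW_ACCESS_LISTS = """\
Standard IP access list std_acl
    10 deny   192.168.1.200
    20 deny   192.168.2.0, wildcard bits 0.0.0.255
Extended IP access list 110
    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
IPv6 access list R1_TRAFFIC
    deny tcp any eq www any eq telnet ack dscp af11 sequence 10
"""

# Constructed desired state mirroring the page's merged example for ACL 110:
# sequence 10 already exists on the device, sequence 30 is new.
WANT = [{"afi": "ipv4", "acls": [{"name": 110, "aces": [
    {"sequence": 10, "protocol_options": {"icmp": {"traceroute": True}}},
    {"sequence": 30, "grant": "deny", "protocol_options": {"tcp": {"ack": True}},
     "source": {"host": "198.51.100.0"},
     "destination": {"host": "198.51.110.0", "port_protocol": {"eq": "telnet"}}},
]}]}]

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)$|^IPv6 access list (\S+)$")
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}


def _take_endpoint(tokens):
    """Consume one address spec (any | host X | ADDR [WILDCARD]) plus an optional port spec."""
    ep = {}
    tok = tokens.pop(0)
    if tok == "any":
        ep["any"] = True
    elif tok == "host":
        ep["host"] = tokens.pop(0)
    else:
        ep["address"] = tok
        # On the CLI an IPv4 network address is followed by its wildcard mask.
        if tokens and IPV4_RE.fullmatch(tokens[0]):
            ep["wildcard_bits"] = tokens.pop(0)
    if tokens and tokens[0] in PORT_OPS:
        op = tokens.pop(0)
        if op == "range":
            ep["port_protocol"] = {"range": {"start": tokens.pop(0), "end": tokens.pop(0)}}
        else:
            ep["port_protocol"] = {op: tokens.pop(0)}
    return ep


def parse_ace(line, standard=False):
    """Parse one ACE line; IPv4 lines lead with the sequence, IPv6 lines trail with it."""
    tokens = line.replace(", wildcard bits", "").split()
    ace = {}
    if tokens[0].isdigit():
        ace["sequence"] = int(tokens.pop(0))
    ace["grant"] = tokens.pop(0)
    if standard:  # standard ACLs match on source only
        ace["source"] = _take_endpoint(tokens)
        return ace
    ace["protocol"] = tokens.pop(0)
    ace["source"] = _take_endpoint(tokens)
    ace["destination"] = _take_endpoint(tokens)
    if len(tokens) >= 2 and tokens[-2] == "sequence":
        ace["sequence"] = int(tokens[-1])
        tokens = tokens[:-2]
    if tokens:  # flags, dscp, ttl, options and the like are kept verbatim
        ace["modifiers"] = " ".join(tokens)
    return ace


def parse_show_access_lists(text):
    """Return a list of ACL dicts in the shape of the module's config option."""
    acls, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m and m.group(3):
            current = {"afi": "ipv6", "name": m.group(3), "aces": []}
            acls.append(current)
        elif m:
            current = {"afi": "ipv4", "name": m.group(2),
                       "acl_type": m.group(1).lower(), "aces": []}
            acls.append(current)
        elif current is not None:
            current["aces"].append(parse_ace(line, current.get("acl_type") == "standard"))
    return acls


def merge_conflicts(have, want):
    """Return (afi, acl, sequence) triples that state merged would refuse:
    sequences in `want` that already exist on the device for the same ACL."""
    existing = {(acl["afi"], str(acl["name"])): {a.get("sequence") for a in acl["aces"]}
                for acl in have}
    conflicts = []
    for block in want:
        for acl in block.get("acls", []):
            key = (block["afi"], str(acl["name"]))
            for ace in acl.get("aces", []):
                seq = ace.get("sequence")
                if seq is not None and seq in existing.get(key, set()):
                    conflicts.append((block["afi"], str(acl["name"]), seq))
    return conflicts


if __name__ == "__main__":
    have = parse_show_access_lists(SAMPLE_SHOW_ACCESS_LISTS)
    for acl in have:
        print(acl)
    print("merge conflicts:", merge_conflicts(have, WANT))
```

Run on the sample, the script reports one conflict, ACL 110 sequence 10, which is exactly the ACE the page's first merged example fails on; the new sequence 30 passes. The same pre-check can be fed the output of a `state: gathered` run instead of parsing text, since gathered returns the same structure.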
Notes
Note
- Tested against Cisco IOSv Version 15.2 on VIRL
 
Examples
# Using merged
# Before state:
# -------------
#
# vios#sh access-lists
# Extended IP access list 100
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: 100
        aces:
        - sequence: 10
          protocol_options:
            icmp:
              traceroute: true
    state: merged
# After state:
# ------------
#
# Play Execution fails, with error:
# Cannot update existing sequence 10 of ACLs 100 with state merged.
# Please use state replaced or overridden.
# Before state:
# -------------
#
# vios#sh access-lists
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: std_acl
        acl_type: standard
        aces:
        - grant: deny
          source:
            address: 192.168.1.200
        - grant: deny
          source:
            address: 192.168.2.0
            wildcard_bits: 0.0.0.255
      - name: 110
        aces:
        - sequence: 10
          protocol_options:
            icmp:
              traceroute: true
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            host: 198.51.100.0
          destination:
            host: 198.51.110.0
            port_protocol:
              eq: telnet
      - name: test
        acl_type: extended
        aces:
        - grant: deny
          protocol_options:
            tcp:
              fin: true
          source:
            address: 192.0.2.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          option:
            traceroute: true
          ttl:
            eq: 10
      - name: 123
        aces:
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 198.51.101.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          tos:
            service_value: 12
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.4.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          dscp: ef
          ttl:
            lt: 20
    - afi: ipv6
      acls:
      - name: R1_TRAFFIC
        aces:
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            any: true
            port_protocol:
              eq: www
          destination:
            any: true
            port_protocol:
              eq: telnet
          dscp: af11
    state: merged
# Commands fired:
# ---------------
#
# - ip access-list standard std_acl
# - deny 192.168.1.200
# - deny 192.168.2.0 0.0.0.255
# - ip access-list extended 110
# - 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# - deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - ip access-list extended test
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# - ip access-list extended 123
# - deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# - deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# - ipv6 access-list R1_TRAFFIC
# - deny tcp any eq www any eq telnet ack dscp af11
# After state:
# ------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 100
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10
# Using replaced
# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10
- name: Replaces device configuration of listed acls with provided configuration
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: 110
        aces:
        - grant: deny
          protocol_options:
            tcp:
              syn: true
          source:
            address: 192.0.2.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          dscp: ef
          ttl:
            eq: 10
      - name: 150
        aces:
        - grant: deny
          sequence: 20
          protocol_options:
            tcp:
              syn: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          destination:
            address: 198.51.110.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          dscp: ef
          ttl:
            eq: 10
    state: replaced
# Commands fired:
# ---------------
#
# - no ip access-list extended 110
# - ip access-list extended 110
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# - ip access-list extended 150
# - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# After state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list 150
#    20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10
# Using overridden
# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10
- name: Override device configuration of all acls with provided configuration
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: 110
        aces:
        - grant: deny
          sequence: 20
          protocol_options:
            tcp:
              ack: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          destination:
            address: 198.51.110.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          dscp: ef
          ttl:
            eq: 10
      - name: 150
        aces:
        - grant: deny
          sequence: 10
          protocol_options:
            tcp:
              syn: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          destination:
            address: 198.51.110.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          dscp: ef
          ttl:
            eq: 10
    state: overridden
# Commands fired:
# ---------------
#
# - no ip access-list standard std_acl
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list extended 150
# - no ip access-list extended test
# - no ipv6 access-list R1_TRAFFIC
# - ip access-list extended 150
# - 10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# - ip access-list extended 110
# - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
# After state:
# -------------
#
# vios#sh access-lists
# Extended IP access list 110
#    20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
# Extended IP access list 150
#    10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# Using Deleted
# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10
- name: "Delete ACLs (Note: this won't delete all configured ACLs, only the ones listed)"
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: test
        acl_type: extended
      - name: 110
    - afi: ipv6
      acls:
      - name: R1_TRAFFIC
    state: deleted
# Commands fired:
# ---------------
#
# - no ip access-list extended test
# - no ip access-list extended 110
# - no ipv6 access-list R1_TRAFFIC
# After state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10
- name: "Delete ACLs based on AFI (Note: this won't delete all configured ACLs, only those of the listed AFI)"
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
    state: deleted
# Commands fired:
# ---------------
#
# - no ip access-list standard std_acl
# - no ip access-list extended test
# - no ip access-list extended 110
# - no ip access-list extended 123
# After state:
# -------------
#
# vios#sh access-lists
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10
# Using Deleted without any config passed
# (Note: This will delete all configured ACLs)
# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10
- name: 'Delete ALL configured ACLs (Note: this WILL remove every ACL on the device)'
  cisco.ios.ios_acls:
    state: deleted
# Commands fired:
# ---------------
#
# - no ip access-list standard std_acl
# - no ip access-list extended test
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ipv6 access-list R1_TRAFFIC
# After state:
# -------------
#
# vios#sh access-lists
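The four mutating states differ in how much existing configuration they are allowed to remove: merged adds, replaced rewrites only the ACLs it names, while overridden and deleted without any config tear down every ACL on the device, including ones bound to interfaces or VTY lines that the playbook never mentions. The Python below is an added example, not code from the cisco.ios collection. It takes the structured data the module returns as before (or from state: gathered), the intended config and the state, and lists the ACLs that would no longer exist after the run so a pre-task can refuse to proceed. CURRENT is constructed from the Before state shown above; the PROTECTED allowlist names are an assumption.

```python
"""Pre-flight check for the removal footprint of a cisco.ios.ios_acls run.

Added example, not code from the cisco.ios collection. It encodes the
state semantics shown in the Commands fired sections above:
  merged     - adds or updates ACEs, removes nothing
  replaced   - ACLs named in config are torn down and re-created, the
               rest are untouched
  overridden - every ACL not named in config is removed
  deleted    - the named ACLs; every ACL of an afi listed without acls;
               or, with no config at all, every ACL on the device
"""

# Structured form of the Before state above, constructed here in the
# module's gathered/before layout (aces omitted, only names matter).
CURRENT = [
    {"afi": "ipv4", "acls": [
        {"name": "std_acl", "acl_type": "standard"},
        {"name": "110", "acl_type": "extended"},
        {"name": "123", "acl_type": "extended"},
        {"name": "test", "acl_type": "extended"},
    ]},
    {"afi": "ipv6", "acls": [{"name": "R1_TRAFFIC"}]},
]

# Assumed allowlist of ACLs that must survive any run (for instance the
# one bound to the VTY access-class). Hypothetical names.
PROTECTED = {("ipv4", "std_acl")}


def acl_names(config):
    """Flatten a module-style config list into a set of (afi, name)."""
    names = set()
    for family in config or []:
        for acl in family.get("acls") or []:
            # YAML parses "name: 110" as an int; the device reports a string
            names.add((family["afi"], str(acl["name"])))
    return names


def acls_lost(state, current, config):
    """Sorted (afi, name) pairs that will not exist after the run."""
    have = acl_names(current)
    if state in ("merged", "replaced"):
        # replaced issues "no ip access-list ..." only for ACLs it
        # immediately re-creates, so no ACL disappears
        return []
    if state == "overridden":
        return sorted(have - acl_names(config))
    if state == "deleted":
        if not config:
            return sorted(have)
        lost = set()
        for family in config:
            if family.get("acls"):
                lost |= have & acl_names([family])
            else:
                # afi listed without acls: the whole address family goes
                lost |= {n for n in have if n[0] == family["afi"]}
        return sorted(lost)
    raise ValueError(f"unknown state {state!r}")


def protected_hits(state, current, config, protected=PROTECTED):
    """Protected ACLs the run would remove; empty means safe to proceed."""
    return sorted(set(acls_lost(state, current, config)) & protected)


if __name__ == "__main__":
    intended = [{"afi": "ipv4", "acls": [{"name": 110}, {"name": 150}]}]
    for st in ("merged", "replaced", "overridden"):
        hits = protected_hits(st, CURRENT, intended)
        verdict = f"BLOCK, would remove {hits}" if hits else "ok"
        print(f"{st:10} lost={acls_lost(st, CURRENT, intended)} -> {verdict}")
```

In a playbook this sits between a state: gathered task whose result is registered and the mutating task, with the mutating task skipped or the play failed when protected_hits is non-empty. Note that replaced still briefly removes and re-creates the named ACL, so traffic matched by it is unfiltered for the duration of the push even though nothing is lost.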
# Using Gathered
# Before state:
# -------------
#
# vios#sh access-lists
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10
- name: Gather the ACL configuration currently on the device as structured data
  cisco.ios.ios_acls:
    state: gathered
# Module Execution Result:
# ------------------------
#
# "gathered": [
#         {
#             "acls": [
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "address": "192.0.3.0",
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "dscp": "ef",
#                             "grant": "deny",
#                             "protocol_options": {
#                                 "icmp": {
#                                     "echo": true
#                                 }
#                             },
#                             "sequence": 10,
#                             "source": {
#                                 "address": "192.0.2.0",
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "ttl": {
#                                 "eq": 10
#                             }
#                         }
#                     ],
#                     "acl_type": "extended",
#                     "name": "110"
#                 },
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "address": "198.51.101.0",
#                                 "port_protocol": {
#                                     "eq": "telnet"
#                                 },
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "grant": "deny",
#                             "protocol_options": {
#                                 "tcp": {
#                                     "ack": true
#                                 }
#                             },
#                             "sequence": 10,
#                             "source": {
#                                 "address": "198.51.100.0",
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "tos": {
#                                 "service_value": 12
#                             }
#                         },
#                         {
#                             "destination": {
#                                 "address": "192.0.4.0",
#                                 "port_protocol": {
#                                     "eq": "www"
#                                 },
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "dscp": "ef",
#                             "grant": "deny",
#                             "protocol_options": {
#                                 "tcp": {
#                                     "ack": true
#                                 }
#                             },
#                             "sequence": 20,
#                             "source": {
#                                 "address": "192.0.3.0",
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "ttl": {
#                                 "lt": 20
#                             }
#                         }
#                     ],
#                     "acl_type": "extended",
#                     "name": "123"
#                 },
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "address": "192.0.3.0",
#                                 "port_protocol": {
#                                     "eq": "www"
#                                 },
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "grant": "deny",
#                             "option": {
#                                 "traceroute": true
#                             },
#                             "protocol_options": {
#                                 "tcp": {
#                                     "fin": true
#                                 }
#                             },
#                             "sequence": 10,
#                             "source": {
#                                 "address": "192.0.2.0",
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "ttl": {
#                                 "eq": 10
#                             }
#                         }
#                     ],
#                     "acl_type": "extended",
#                     "name": "test"
#                 }
#             ],
#             "afi": "ipv4"
#         },
#         {
#             "acls": [
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "any": true,
#                                 "port_protocol": {
#                                     "eq": "telnet"
#                                 }
#                             },
#                             "dscp": "af11",
#                             "grant": "deny",
#                             "protocol_options": {
#                                 "tcp": {
#                                     "ack": true
#                                 }
#                             },
#                             "sequence": 10,
#                             "source": {
#                                 "any": true,
#                                 "port_protocol": {
#                                     "eq": "www"
#                                 }
#                             }
#                         }
#                     ],
#                     "name": "R1_TRAFFIC"
#                 }
#             ],
#             "afi": "ipv6"
#         }
#     ]
# Using Rendered
- name: Render the provided configuration into device commands without connecting to a device
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: 110
        aces:
        - grant: deny
          sequence: 10
          protocol_options:
            tcp:
              syn: true
          source:
            address: 192.0.2.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          dscp: ef
          ttl:
            eq: 10
      - name: 150
        aces:
        - grant: deny
          protocol_options:
            tcp:
              syn: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          destination:
            address: 198.51.110.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          dscp: ef
          ttl:
            eq: 10
    state: rendered
# Module Execution Result:
# ------------------------
#
# "rendered": [
#         "ip access-list extended 110",
#         "10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10",
#         "ip access-list extended 150",
#         "deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10"
#     ]
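The rendered output above is the structured ACE dictionary flattened into IOS keyword order, and that order is what decides whether the device accepts the line. The Python below is an added example, not the module's own code: a simplified re-implementation of what state: rendered does for the extended IPv4 and IPv6 ACEs used in the examples on this page, reproducing the Commands fired lines from their dictionaries. EXAMPLE_CONFIG is constructed from the rendered task above; defaulting acl_type to extended when it is absent is an assumption (the module infers it).

```python
"""Render ios_acls ACE dictionaries into IOS access-list command lines.

Added example, not the module's own code: a simplified re-implementation
of what state: rendered produces for the extended IPv4 and IPv6 ACEs used
in the examples above. Keyword order follows the Commands fired lines:
[seq] grant proto source [eq port] destination [eq port] [tcp flags |
icmp type] [option X] [dscp X] [ttl op N] [tos N]; for IPv6 the sequence
number goes last as "sequence N", as in the show access-lists output.
"""

TCP_FLAGS = ("ack", "fin", "psh", "rst", "syn", "urg")

# Constructed from the state: rendered task above.
EXAMPLE_CONFIG = [{"afi": "ipv4", "acls": [
    {"name": 110, "aces": [{
        "grant": "deny", "sequence": 10,
        "protocol_options": {"tcp": {"syn": True}},
        "source": {"address": "192.0.2.0", "wildcard_bits": "0.0.0.255"},
        "destination": {"address": "192.0.3.0", "wildcard_bits": "0.0.0.255",
                        "port_protocol": {"eq": "www"}},
        "dscp": "ef", "ttl": {"eq": 10}}]},
    {"name": 150, "aces": [{
        "grant": "deny",
        "protocol_options": {"tcp": {"syn": True}},
        "source": {"address": "198.51.100.0", "wildcard_bits": "0.0.0.255",
                   "port_protocol": {"eq": "telnet"}},
        "destination": {"address": "198.51.110.0", "wildcard_bits": "0.0.0.255",
                        "port_protocol": {"eq": "telnet"}},
        "dscp": "ef", "ttl": {"eq": 10}}]},
]}]


def _endpoint(ep):
    """source/destination: any | host A | A WILDCARD, then an optional port."""
    if ep.get("any"):
        words = ["any"]
    elif ep.get("host"):
        words = ["host", ep["host"]]
    else:
        words = [ep["address"], ep["wildcard_bits"]]
    ports = ep.get("port_protocol") or {}
    for op in ("eq", "gt", "lt", "neq"):
        if op in ports:
            words += [op, str(ports[op])]
    return words


def render_ace(ace, afi="ipv4"):
    """One ACE as the line IOS accepts inside the access-list stanza."""
    opts = ace.get("protocol_options") or {}
    # as in the examples, the single key of protocol_options names the protocol
    proto = next(iter(opts)) if opts else ace.get("protocol", "ip")
    flags = opts.get(proto) or {}
    words = []
    if afi == "ipv4" and ace.get("sequence") is not None:
        words.append(str(ace["sequence"]))
    words += [ace["grant"], proto]
    words += _endpoint(ace["source"]) + _endpoint(ace["destination"])
    if proto == "tcp":
        words += [f for f in TCP_FLAGS if flags.get(f)]
    elif proto == "icmp":
        words += [t for t, on in flags.items() if on]  # echo, traceroute, ...
    for opt, on in (ace.get("option") or {}).items():
        if on:
            words += ["option", opt]
    if ace.get("dscp"):
        words += ["dscp", ace["dscp"]]
    for op, val in (ace.get("ttl") or {}).items():
        words += ["ttl", op, str(val)]
    if ace.get("tos"):
        words += ["tos", str(ace["tos"]["service_value"])]
    if afi == "ipv6" and ace.get("sequence") is not None:
        words += ["sequence", str(ace["sequence"])]
    return " ".join(words)


def render(config):
    """Whole config list to the ordered command list, one stanza per ACL."""
    lines = []
    for family in config:
        for acl in family["acls"]:
            if family["afi"] == "ipv6":
                lines.append(f"ipv6 access-list {acl['name']}")
            else:
                # assumption: acl_type defaults to extended; the module infers it
                acl_type = acl.get("acl_type", "extended")
                lines.append(f"ip access-list {acl_type} {acl['name']}")
            lines += [render_ace(a, family["afi"]) for a in acl.get("aces") or []]
    return lines


if __name__ == "__main__":
    print("\n".join(render(EXAMPLE_CONFIG)))
```

This is useful as a CI step: render the intended ACL definitions offline and diff them against a reviewed golden file, so an accidental change from deny to permit or a dropped port qualifier is caught before any device sees the commands.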
# Using Parsed
# File: parsed.cfg
# ----------------
#
# IPv6 access-list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11
- name: Parse the commands for provided configuration
  cisco.ios.ios_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed
# Module Execution Result:
# ------------------------
#
# "parsed": [
#         {
#             "acls": [
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "any": true,
#                                 "port_protocol": {
#                                     "eq": "telnet"
#                                 }
#                             },
#                             "dscp": "af11",
#                             "grant": "deny",
#                             "protocol_options": {
#                                 "tcp": {
#                                     "ack": true
#                                 }
#                             },
#                             "source": {
#                                 "any": true,
#                                 "port_protocol": {
#                                     "eq": "www"
#                                 }
#                             }
#                         }
#                     ],
#                     "name": "R1_TRAFFIC"
#                 }
#             ],
#             "afi": "ipv6"
#         }
#     ]
Return Values
Common return values are documented separately; the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| after (list / elements=string) | when changed | The configuration as structured data after module completion. Sample: the configuration returned will always be in the same format as the parameters above. |
| before (list / elements=string) | always | The configuration as structured data prior to module invocation. Sample: the configuration returned will always be in the same format as the parameters above. |
| commands (list / elements=string) | always | The set of commands pushed to the remote device. Sample: `['ip access-list extended 110', 'deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10']` |
Authors
- Sumit Jaiswal (@justjais)
 
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
 https://docs.ansible.com/ansible/latest/collections/cisco/ios/ios_acls_module.html