cisco.iosxr.iosxr_acls – ACLs resource module
Note

This plugin is part of the cisco.iosxr collection (version 2.5.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.iosxr.

To use it in a playbook, specify: cisco.iosxr.iosxr_acls.

New in version 1.0.0 of cisco.iosxr
Synopsis
- This module manages Access Control Lists (ACLs) on devices running IOS-XR.
Note
This module has a corresponding action plugin.
Parameters
Each parameter is listed with its type; nested entries are the keys of the dictionary or list element above them.

- config (list / elements=dictionary): A list of dictionaries specifying ACL configurations.
  - acls (list / elements=dictionary): A list of Access Control Lists (ACLs).
    - aces (list / elements=dictionary): List of Access Control Entries (ACEs) for this Access Control List (ACL).
      - authen (boolean): Match if the authentication header is present.
      - capture (boolean): Capture the matched packet.
      - destination (dictionary): Specifies the packet destination.
        - address (string): The destination IP address to match.
        - any (boolean): Match any destination address.
        - host (string): The host IP address to match.
        - port_protocol (dictionary): Specify the destination port or protocol.
          - eq (string): Match only packets on a given port number.
          - gt (string): Match only packets with a greater port number.
          - lt (string): Match only packets with a lower port number.
          - neq (string): Match only packets not on a given port number.
          - range (dictionary): Match only packets in the range of port numbers.
            - end (string): Specify the end of the port range.
            - start (string): Specify the start of the port range.
        - prefix (string): Destination network prefix.
        - wildcard_bits (string): The wildcard bits to apply to the destination address.
      - destopts (boolean): Match if the destination options header is present.
      - dscp (dictionary): Match packets with the given DSCP value.
        - eq (string): Match only packets on a given DSCP value.
        - gt (string): Match only packets with a greater DSCP value.
        - lt (string): Match only packets with a lower DSCP value.
        - neq (string): Match only packets not on a given DSCP value.
        - range (dictionary): Match only packets in the range of DSCP values.
          - end (string): End of the DSCP range.
          - start (string): Start of the DSCP range.
      - fragments (boolean): Check non-initial fragments.
      - grant (string): Forward or drop packets matching the Access Control Entry (ACE).
      - hop_by_hop (boolean): Match if the hop-by-hop options header is present.
      - icmp_off (boolean): Enable/disable the ICMP message for this entry.
      - line (string, aliases: ace): An ACE excluding the sequence number. This key is mutually exclusive with all the other attributes except sequence. When used with other attributes, the value of this key takes precedence and the other keys are ignored. It should only be used when an attribute does not exist in the argspec but is valid for the device. For fact gathering, any ACE that is not fully parsed shows up as the value of this attribute, excluding the sequence number, which is populated as the value of the sequence key.
      - log (boolean): Enable/disable logging of matches against this entry.
      - log_input (boolean): Enable/disable logging of matches against this entry, including the input interface.
      - packet_length (dictionary): Match packets with the given packet length.
        - eq (integer): Match only packets on a given packet length.
        - gt (integer): Match only packets with a greater packet length.
        - lt (integer): Match only packets with a lower packet length.
        - neq (integer): Match only packets not on a given packet length.
        - range (dictionary): Match only packets in the range of packet lengths.
          - end (integer): End of the packet length range.
          - start (integer): Start of the packet length range.
      - precedence (string): Match packets with the given precedence value.
      - protocol (string): Specify the protocol to match. Refer to vendor documentation for valid values.
      - protocol_options (dictionary): Additional suboptions for the protocol.
        - icmp (dictionary): Internet Control Message Protocol settings.
          - administratively_prohibited (boolean): Administratively prohibited
          - alternate_address (boolean): Alternate address
          - conversion_error (boolean): Datagram conversion
          - dod_host_prohibited (boolean): Host prohibited
          - dod_net_prohibited (boolean): Net prohibited
          - echo (boolean): Echo (ping)
          - echo_reply (boolean): Echo reply
          - general_parameter_problem (boolean): Parameter problem
          - host_isolated (boolean): Host isolated
          - host_precedence_unreachable (boolean): Host unreachable for precedence
          - host_redirect (boolean): Host redirect
          - host_tos_redirect (boolean): Host redirect for TOS
          - host_tos_unreachable (boolean): Host unreachable for TOS
          - host_unknown (boolean): Host unknown
          - host_unreachable (boolean): Host unreachable
          - information_reply (boolean): Information replies
          - information_request (boolean): Information requests
          - mask_reply (boolean): Mask replies
          - mask_request (boolean): Mask requests
          - mobile_redirect (boolean): Mobile host redirect
          - net_redirect (boolean): Network redirect
          - net_tos_redirect (boolean): Net redirect for TOS
          - net_tos_unreachable (boolean): Network unreachable for TOS
          - net_unreachable (boolean): Net unreachable
          - network_unknown (boolean): Network unknown
          - no_room_for_option (boolean): Parameter required but no room
          - option_missing (boolean): Parameter required but not present
          - packet_too_big (boolean): Fragmentation needed and DF set
          - parameter_problem (boolean): All parameter problems
          - port_unreachable (boolean): Port unreachable
          - precedence_unreachable (boolean): Precedence cutoff
          - protocol_unreachable (boolean): Protocol unreachable
          - reassembly_timeout (boolean): Reassembly timeout
          - redirect (boolean): All redirects
          - router_advertisement (boolean): Router discovery advertisements
          - router_solicitation (boolean): Router discovery solicitations
          - source_quench (boolean): Source quenches
          - source_route_failed (boolean): Source route failed
          - time_exceeded (boolean): All time exceededs
          - timestamp_reply (boolean): Timestamp replies
          - timestamp_request (boolean): Timestamp requests
          - traceroute (boolean): Traceroute
          - ttl_exceeded (boolean): TTL exceeded
          - unreachable (boolean): All unreachables
        - icmpv6 (dictionary): Internet Control Message Protocol settings for IPv6.
          - address_unreachable (boolean): Address Unreachable
          - administratively_prohibited (boolean): Administratively Prohibited
          - beyond_scope_of_source_address (boolean): Administratively Prohibited
          - destination_unreachable (boolean): Destination Unreachable
          - echo (boolean): Echo
          - echo_reply (boolean): Echo Reply
          - erroneous_header_field (boolean): Erroneous Header Field
          - group_membership_query (boolean): Group Membership Query
          - group_membership_report (boolean): Group Membership Report
          - group_membership_termination (boolean): Group Membership Termination
          - host_unreachable (boolean): Host Unreachable
          - nd_na (boolean): Neighbor Discovery - Neighbor Advertisement
          - nd_ns (boolean): Neighbor Discovery - Neighbor Solicitation
          - neighbor_redirect (boolean): Neighbor Redirect
          - no_route_to_destination (boolean): No Route To Destination
          - node_information_request_is_refused (boolean): Node Information Request Is Refused
          - node_information_successful_reply (boolean): Node Information Successful Reply
          - packet_too_big (boolean): Packet Too Big
          - parameter_problem (boolean): Parameter Problem
          - port_unreachable (boolean): Port Unreachable
          - query_subject_is_domainname (boolean): Query Subject Is Domain name
          - query_subject_is_IPv4address (boolean): Query Subject Is IPv4 address
          - query_subject_is_IPv6address (boolean): Query Subject Is IPv6 address
          - reassembly_timeout (boolean): Reassembly Timeout
          - redirect (boolean): Redirect
          - router_advertisement (boolean): Router Advertisement
          - router_renumbering (boolean): Router Renumbering
          - router_solicitation (boolean): Router Solicitation
          - rr_command (boolean): RR Command
          - rr_result (boolean): RR Result
          - rr_seqnum_reset (boolean): RR Seqnum Reset
          - time_exceeded (boolean): Time Exceeded
          - ttl_exceeded (boolean): TTL Exceeded
          - unknown_query_type (boolean): Unknown Query Type
          - unreachable (boolean): Unreachable
          - unrecognized_next_header (boolean): Unrecognized Next Header
          - unrecognized_option (boolean): Unrecognized Option
          - whoareyou_reply (boolean): Whoareyou Reply
          - whoareyou_request (boolean): Whoareyou Request
        - igmp (dictionary): Internet Group Management Protocol (IGMP) settings.
          - dvmrp (boolean): Match Distance Vector Multicast Routing Protocol
          - host_query (boolean): Match Host Query
          - host_report (boolean): Match Host Report
          - mtrace (boolean): Match mtrace
          - mtrace_response (boolean): Match mtrace response
          - pim (boolean): Match Protocol Independent Multicast
          - trace (boolean): Multicast trace
        - tcp (dictionary): Match TCP packet flags.
          - ack (boolean): Match on the ACK bit
          - established (boolean): Match established connections
          - fin (boolean): Match on the FIN bit
          - psh (boolean): Match on the PSH bit
          - rst (boolean): Match on the RST bit
          - syn (boolean): Match on the SYN bit
          - urg (boolean): Match on the URG bit
      - remark (string): Comments or a description for the access list.
      - routing (boolean): Match if the routing header is present.
      - sequence (integer): Sequence number for the Access Control Entry (ACE).
      - source (dictionary): Specifies the packet source.
        - address (string): The source IP address to match.
        - any (boolean): Match any source address.
        - host (string): The host IP address to match.
        - port_protocol (dictionary): Specify the source port or protocol.
          - eq (string): Match only packets on a given port number.
          - gt (string): Match only packets with a greater port number.
          - lt (string): Match only packets with a lower port number.
          - neq (string): Match only packets not on a given port number.
          - range (dictionary): Match only packets in the range of port numbers.
            - end (string): Specify the end of the port range.
            - start (string): Specify the start of the port range.
        - prefix (string): Source network prefix.
        - wildcard_bits (string): The wildcard bits to apply to the source address.
      - ttl (dictionary): Match against the specified TTL value.
        - eq (integer): Match only packets with the exact TTL value.
        - gt (integer): Match only packets with a greater TTL value.
        - lt (integer): Match only packets with a lower TTL value.
        - neq (integer): Match only packets that do not have the given TTL value.
        - range (dictionary): Match only packets in the range of given TTL values.
          - end (integer): End of the TTL range.
          - start (integer): Start of the TTL range.
    - name (string): The name of the Access Control List (ACL).
  - afi (string / required): The Address Family Indicator (AFI) for the Access Control Lists (ACL).
- running_config (string): The module, by default, connects to the remote device and retrieves the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison. The value of this option should be the output received from the device by executing the command show running-config router static.
- state (string): The state the configuration should be left in.
Examples
```yaml
# Using merged to add new ACLs

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#

- name: Merge the provided configuration with the existing running configuration
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv6
        acls:
          - name: acl6_1
            aces:
              - sequence: 10
                grant: deny
                protocol: tcp
                source:
                  prefix: 2001:db8:1234::/48
                  port_protocol:
                    range:
                      start: ftp
                      end: telnet
                destination:
                  any: true
                protocol_options:
                  tcp:
                    syn: true
                ttl:
                  range:
                    start: 180
                    end: 250
                routing: true
                authen: true
                log: true
              - sequence: 20
                grant: permit
                protocol: icmpv6
                source:
                  any: true
                destination:
                  any: true
                protocol_options:
                  icmpv6:
                    router_advertisement: true
                precedence: network
                destopts: true
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              - sequence: 16
                remark: TEST_ACL_1_REMARK
              - sequence: 21
                grant: permit
                protocol: tcp
                source:
                  host: 192.0.2.10
                  port_protocol:
                    range:
                      start: pop3
                      end: 121
                destination:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.15
                protocol_options:
                  tcp:
                    rst: true
              - sequence: 23
                grant: deny
                protocol: icmp
                source:
                  any: true
                destination:
                  prefix: 198.51.100.0/28
                protocol_options:
                  icmp:
                    reassembly_timeout: true
                dscp:
                  lt: af12
          - name: acl_2
            aces:
              - sequence: 10
                remark: TEST_ACL_2_REMARK
    state: merged

# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts
```
```yaml
# Using merged to update existing ACLs

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Update existing ACEs
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              - sequence: 21
                source:
                  prefix: 198.51.100.32/28
                  port_protocol:
                    range:
                      start: pop3
                      end: 121
                protocol_options:
                  tcp:
                    syn: true
              - sequence: 23
                protocol_options:
                  icmp:
                    router_advertisement: true
                dscp:
                  eq: af23

# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:47:18.711 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
#  23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts
```
```yaml
# Using replaced to replace a whole ACL

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Replace device configurations of listed ACL with provided configurations
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
        acls:
          - name: acl_2
            aces:
              - sequence: 11
                grant: permit
                protocol: igmp
                source:
                  host: 198.51.100.130
                destination:
                  any: true
                ttl:
                  eq: 100
              - sequence: 12
                grant: deny
                source:
                  any: true
                destination:
                  any: true
                protocol: icmp
    state: replaced

# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:19:51.496 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
#  23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
#  11 permit igmp host 198.51.100.130 any ttl eq 100
#  12 deny icmp any any
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts
```
```yaml
# Using overridden to override all ACLs in the device

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Override all ACLs configuration with provided configuration
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              - sequence: 10
                grant: permit
                source:
                  any: true
                destination:
                  any: true
                protocol: tcp
          - name: acl_2
            aces:
              - sequence: 20
                grant: permit
                source:
                  any: true
                destination:
                  any: true
                protocol: igmp
    state: overridden

# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:31:22.178 UTC
# ipv4 access-list acl_1
#  10 permit tcp any any
# ipv4 access-list acl_2
#  20 permit igmp any any
```
```yaml
# Using deleted to delete an entire ACL

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete a single ACL
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv6
        acls:
          - name: acl6_1
    state: deleted

# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
```
```yaml
# Using deleted to delete all ACLs under one AFI

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete all ACLs under one AFI
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
    state: deleted

# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts
```
```yaml
# Using deleted to delete all ACLs from the device

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete all ACLs from the device
  cisco.iosxr.iosxr_acls:
    state: deleted

# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#
```
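The examples above show, by before/after state, what merged, replaced, overridden and deleted do to the ACLs on the device. The following Python is an added illustration, not the collection's code: it models those four transitions on the same afi/acls/aces structure the module takes as config, and is checked against the before/after states shown on this page. The before state is a copy of the gathered output with the ipv6 ACEs abbreviated to the fields needed here; the functions produce no device commands.

```python
"""Model of what each iosxr_acls ``state`` does to the ACL data model. Added
illustration, not the collection's code: it works on the afi/acls/aces structure
the module takes as ``config`` and generates no device commands."""
import copy

def _ensure(items, key, value, **blank):
    """Return the dict in ``items`` whose ``key`` equals ``value``, creating it if absent."""
    for item in items:
        if item[key] == value:
            return item
    item = {key: value, **blank}
    items.append(item)
    return item

def merged(have, want):
    """Add missing AFIs/ACLs/ACEs. For an ACE that already exists (same sequence)
    the keys given in ``want`` replace the device's; its other keys are kept."""
    after = copy.deepcopy(have)
    for w_afi in want:
        h_afi = _ensure(after, "afi", w_afi["afi"], acls=[])
        for w_acl in w_afi.get("acls", []):
            h_acl = _ensure(h_afi["acls"], "name", w_acl["name"], aces=[])
            for w_ace in w_acl.get("aces", []):
                _ensure(h_acl["aces"], "sequence", w_ace["sequence"]).update(copy.deepcopy(w_ace))
            h_acl["aces"].sort(key=lambda ace: ace["sequence"])
    return after

def replaced(have, want):
    """Replace each ACL named in ``want`` in its entirety; ACLs not named are untouched."""
    after = copy.deepcopy(have)
    for w_afi in want:
        h_afi = _ensure(after, "afi", w_afi["afi"], acls=[])
        for w_acl in w_afi.get("acls", []):
            h_acl = _ensure(h_afi["acls"], "name", w_acl["name"])
            h_acl.clear()
            h_acl.update(copy.deepcopy(w_acl))
    return after

def overridden(have, want):
    """Leave the device with exactly ``want``; every other ACL is removed."""
    return copy.deepcopy(want)

def deleted(have, want=None):
    """Delete the ACLs named in ``want``; an AFI given without ACLs loses all of
    its ACLs; with no ``want`` at all every ACL on the device is deleted."""
    if not want:
        return []
    targets = {w["afi"]: {acl["name"] for acl in w.get("acls", [])} for w in want}
    after = []
    for afi in copy.deepcopy(have):
        names = targets.get(afi["afi"])
        if names is None:  # AFI not mentioned: keep as-is
            after.append(afi)
        elif names:  # specific ACLs named: drop just those, and the AFI if it empties
            afi["acls"] = [acl for acl in afi["acls"] if acl["name"] not in names]
            if afi["acls"]:
                after.append(afi)
        # AFI named with no ACLs: everything under it is dropped
    return after

# Before state from this page's examples (the ``gathered`` output); the ipv6 ACEs
# are abbreviated to the fields needed here.
BEFORE = [
    {"afi": "ipv4", "acls": [
        {"name": "acl_1", "aces": [
            {"sequence": 16, "remark": "TEST_ACL_1_REMARK"},
            {"sequence": 21, "grant": "permit", "protocol": "tcp",
             "source": {"host": "192.0.2.10",
                        "port_protocol": {"range": {"start": "pop3", "end": "121"}}},
             "destination": {"address": "198.51.100.0", "wildcard_bits": "0.0.0.15"},
             "protocol_options": {"tcp": {"rst": True}}},
            {"sequence": 23, "grant": "deny", "protocol": "icmp", "source": {"any": True},
             "destination": {"address": "198.51.100.0", "wildcard_bits": "0.0.0.15"},
             "protocol_options": {"icmp": {"reassembly_timeout": True}}, "dscp": {"lt": "af12"}}]},
        {"name": "acl_2", "aces": [{"sequence": 10, "remark": "TEST_ACL_2_REMARK"}]}]},
    {"afi": "ipv6", "acls": [{"name": "acl6_1", "aces": [
        {"sequence": 10, "grant": "deny", "protocol": "tcp",
         "source": {"prefix": "2001:db8:1234::/48"}, "destination": {"any": True}},
        {"sequence": 20, "grant": "permit", "protocol": "icmpv6",
         "source": {"any": True}, "destination": {"any": True}}]}]},
]

if __name__ == "__main__":
    import json
    # Same request as the page's "Delete all ACLs under one AFI" example.
    print(json.dumps(deleted(BEFORE, [{"afi": "ipv4"}]), indent=2))
```

The point worth noticing is in merged: the update is a shallow, per-ACE key replacement, which is why the "Update existing ACEs" example ends with syn and no rst on sequence 21 (the whole protocol_options key was replaced) while its destination, which the task did not mention, survives.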
```yaml
# Using gathered to gather ACL facts from the device

- name: Gather ACL interfaces facts using gathered state
  cisco.iosxr.iosxr_acls:
    state: gathered

# Task Output (redacted)
# -----------------------
#
# "gathered": [
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "remark": "TEST_ACL_1_REMARK",
#             "sequence": 16
#           },
#           {
#             "destination": {
#               "address": "198.51.100.0",
#               "wildcard_bits": "0.0.0.15"
#             },
#             "grant": "permit",
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": {
#                 "rst": true
#               }
#             },
#             "sequence": 21,
#             "source": {
#               "host": "192.0.2.10",
#               "port_protocol": {
#                 "range": {
#                   "end": "121",
#                   "start": "pop3"
#                 }
#               }
#             }
#           },
#           {
#             "destination": {
#               "address": "198.51.100.0",
#               "wildcard_bits": "0.0.0.15"
#             },
#             "dscp": {
#               "lt": "af12"
#             },
#             "grant": "deny",
#             "protocol": "icmp",
#             "protocol_options": {
#               "icmp": {
#                 "reassembly_timeout": true
#               }
#             },
#             "sequence": 23,
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "name": "acl_1"
#       },
#       {
#         "aces": [
#           {
#             "remark": "TEST_ACL_2_REMARK",
#             "sequence": 10
#           }
#         ],
#         "name": "acl_2"
#       }
#     ],
#     "afi": "ipv4"
#   },
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "authen": true,
#             "destination": {
#               "any": true
#             },
#             "grant": "deny",
#             "log": true,
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": {
#                 "syn": true
#               }
#             },
#             "routing": true,
#             "sequence": 10,
#             "source": {
#               "port_protocol": {
#                 "range": {
#                   "end": "telnet",
#                   "start": "ftp"
#                 }
#               },
#               "prefix": "2001:db8:1234::/48"
#             },
#             "ttl": {
#               "range": {
#                 "end": 250,
#                 "start": 180
#               }
#             }
#           },
#           {
#             "destination": {
#               "any": true
#             },
#             "destopts": true,
#             "grant": "permit",
#             "precedence": "network",
#             "protocol": "icmpv6",
#             "protocol_options": {
#               "icmpv6": {
#                 "router_advertisement": true
#               }
#             },
#             "sequence": 20,
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "name": "acl6_1"
#       }
#     ],
#     "afi": "ipv6"
#   }
# ]
```
```yaml
# Using rendered

- name: Render platform specific commands (without connecting to the device)
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
        acls:
          - name: acl_2
            aces:
              - sequence: 11
                grant: permit
                protocol: igmp
                source:
                  host: 198.51.100.130
                destination:
                  any: true
                ttl:
                  eq: 100
              - sequence: 12
                grant: deny
                source:
                  any: true
                destination:
                  any: true
                protocol: icmp
    state: rendered

# Task Output (redacted)
# -----------------------
# "rendered": [
#   "ipv4 access-list acl_2",
#   "11 permit igmp host 198.51.100.130 any ttl eq 100",
#   "12 deny icmp any any"
# ]
```
```yaml
# Using parsed

# parsed.cfg
# ------------
#
# ipv4 access-list acl_1
#  10 remark TEST_ACL_2_REMARK
# ipv4 access-list acl_2
#  11 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log
#  21 permit icmpv6 any any router-advertisement precedence network packet-length eq 576 destopts
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network packet-length eq 576 destopts

- name: Parse externally provided ACL config to agnostic model
  cisco.iosxr.iosxr_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed

# Task Output (redacted)
# -----------------------
# "parsed": [
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "remark": "TEST_ACL_2_REMARK",
#             "sequence": 10
#           }
#         ],
#         "name": "acl_1"
#       },
#       {
#         "aces": [
#           {
#             "authen": true,
#             "destination": {
#               "any": true
#             },
#             "grant": "deny",
#             "log": true,
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": {
#                 "syn": true
#               }
#             },
#             "routing": true,
#             "sequence": 11,
#             "source": {
#               "port_protocol": {
#                 "range": {
#                   "end": "telnet",
#                   "start": "ftp"
#                 }
#               },
#               "prefix": "2001:db8:1234::/48"
#             },
#             "ttl": {
#               "range": {
#                 "end": 250,
#                 "start": 180
#               }
#             }
#           },
#           {
#             "destination": {
#               "any": true
#             },
#             "destopts": true,
#             "grant": "permit",
#             "packet_length": {
#               "eq": 576
#             },
#             "precedence": "network",
#             "protocol": "icmpv6",
#             "protocol_options": {
#               "icmpv6": {
#                 "router_advertisement": true
#               }
#             },
#             "sequence": 21,
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "name": "acl_2"
#       }
#     ],
#     "afi": "ipv4"
#   },
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "authen": true,
#             "destination": {
#               "any": true
#             },
#             "grant": "deny",
#             "log": true,
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": {
#                 "syn": true
#               }
#             },
#             "routing": true,
#             "sequence": 10,
#             "source": {
#               "port_protocol": {
#                 "range": {
#                   "end": "telnet",
#                   "start": "ftp"
#                 }
#               },
#               "prefix": "2001:db8:1234::/48"
#             },
#             "ttl": {
#               "range": {
#                 "end": 250,
#                 "start": 180
#               }
#             }
#           },
#           {
#             "destination": {
#               "any": true
#             },
#             "destopts": true,
#             "grant": "permit",
#             "packet_length": {
#               "eq": 576
#             },
#             "precedence": "network",
#             "protocol": "icmpv6",
#             "protocol_options": {
#               "icmpv6": {
#                 "router_advertisement": true
#               }
#             },
#             "sequence": 20,
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "name": "acl6_1"
#       }
#     ],
#     "afi": "ipv6"
#   }
# ]
```
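The parsed and gathered examples above map device ACE text onto the afi/acls/aces model, and the line parameter describes what happens to an ACE the module cannot fully parse. The following Python is an added illustration of that mapping, not the collection's own parser: it handles the endpoint forms (any, host, prefix, address plus wildcard), port operators, the ttl/dscp/packet-length operators and a subset of the protocol_options keywords used on this page, and returns any ACE it does not fully understand as sequence plus line, exactly as the argspec describes. The sample config is the parsed.cfg from this page with one constructed ACE (sequence 30, carrying a made-up option keyword) added to exercise that fallback.

```python
"""Illustrative re-implementation of what the ``parsed`` and ``gathered`` states do:
turn ``show access-lists`` or running-config text into the afi/acls/aces model.
Added example, not the collection's parser; it covers the ACE options used on this
page and shows the ``line`` fallback the argspec describes for unparsed ACEs."""
import ipaddress

# Device keyword -> argspec key for the boolean ACE options.
ACE_FLAGS = {"log": "log", "log-input": "log_input", "authen": "authen", "routing": "routing",
             "destopts": "destopts", "fragments": "fragments", "hop-by-hop": "hop_by_hop",
             "capture": "capture", "icmp-off": "icmp_off"}
TCP_FLAGS = {"ack", "established", "fin", "psh", "rst", "syn", "urg"}
# Subset of the per-protocol message keywords listed under protocol_options.
MESSAGES = {"icmp": {"echo", "echo-reply", "reassembly-timeout", "router-advertisement", "unreachable"},
            "icmpv6": {"echo", "echo-reply", "router-advertisement", "nd-na", "nd-ns", "packet-too-big"},
            "igmp": {"host-query", "host-report", "pim", "dvmrp", "trace"}}
# Match-value options: device keyword -> (argspec key, value type).
VALUE_OPTS = {"ttl": ("ttl", int), "dscp": ("dscp", str), "packet-length": ("packet_length", int)}
OPERATORS = ("eq", "gt", "lt", "neq")

def _parse_endpoint(tokens, i):
    """Consume a source/destination spec plus an optional port operator."""
    ep, tok = {}, tokens[i]
    if tok == "any":
        ep["any"], i = True, i + 1
    elif tok == "host":
        ep["host"], i = tokens[i + 1], i + 2
    elif "/" in tok:
        ep["prefix"], i = tok, i + 1
    else:  # address + wildcard; ip_address() raises ValueError for anything else
        for addr in (tok, tokens[i + 1]):
            ipaddress.ip_address(addr)
        ep["address"], ep["wildcard_bits"], i = tok, tokens[i + 1], i + 2
    if i < len(tokens) and tokens[i] in OPERATORS:
        ep["port_protocol"], i = {tokens[i]: tokens[i + 1]}, i + 2
    elif i < len(tokens) and tokens[i] == "range":
        ep["port_protocol"] = {"range": {"start": tokens[i + 1], "end": tokens[i + 2]}}
        i += 3
    return ep, i

def _parse_options(tokens, i, ace):
    """Consume the match options that follow the destination."""
    proto = ace["protocol"]
    while i < len(tokens):
        tok = tokens[i]
        if tok in ACE_FLAGS:
            ace[ACE_FLAGS[tok]], i = True, i + 1
        elif tok == "precedence":
            ace["precedence"], i = tokens[i + 1], i + 2
        elif tok in VALUE_OPTS and tokens[i + 1] == "range":
            key, conv = VALUE_OPTS[tok]
            ace[key] = {"range": {"start": conv(tokens[i + 2]), "end": conv(tokens[i + 3])}}
            i += 4
        elif tok in VALUE_OPTS and tokens[i + 1] in OPERATORS:
            key, conv = VALUE_OPTS[tok]
            ace[key], i = {tokens[i + 1]: conv(tokens[i + 2])}, i + 3
        elif proto == "tcp" and tok in TCP_FLAGS:
            ace.setdefault("protocol_options", {}).setdefault("tcp", {})[tok] = True
            i += 1
        elif tok in MESSAGES.get(proto, ()):
            opts = ace.setdefault("protocol_options", {}).setdefault(proto, {})
            opts[tok.replace("-", "_")], i = True, i + 1
        else:
            raise ValueError("unknown option %r" % tok)
    return ace

def parse_ace(text):
    """Parse one ACE; an ACE that is not fully understood is returned as ``line``."""
    tokens = text.split()
    seq, rest = int(tokens[0]), tokens[1:]
    if rest[0] == "remark":
        return {"sequence": seq, "remark": " ".join(rest[1:])}
    try:
        if rest[0] not in ("permit", "deny"):
            raise ValueError("no grant keyword")
        ace = {"sequence": seq, "grant": rest[0], "protocol": rest[1]}
        ace["source"], i = _parse_endpoint(rest, 2)
        ace["destination"], i = _parse_endpoint(rest, i)
        return _parse_options(rest, i, ace)
    except (ValueError, IndexError):
        return {"sequence": seq, "line": " ".join(rest)}

def parse_access_lists(config):
    """Build the [{afi, acls: [{name, aces: [...]}]}] model from config text."""
    afis, acl = {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) == 3 and parts[1] == "access-list":
            acl = {"name": parts[2], "aces": []}
            afis.setdefault(parts[0], []).append(acl)
        elif acl is not None and parts and parts[0].isdigit():
            acl["aces"].append(parse_ace(raw.strip()))
    return [{"afi": afi, "acls": acls} for afi, acls in afis.items()]

# The parsed.cfg shown on this page, plus one constructed ACE (sequence 30) with an
# option this parser does not know, to exercise the ``line`` fallback.
SAMPLE_CONFIG = """\
ipv4 access-list acl_1
 10 remark TEST_ACL_2_REMARK
ipv4 access-list acl_2
 11 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log
 21 permit icmpv6 any any router-advertisement precedence network packet-length eq 576 destopts
 30 permit tcp any any some-unknown-option
ipv6 access-list acl6_1
 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
 20 permit icmpv6 any any router-advertisement precedence network packet-length eq 576 destopts
"""
```

Run parse_access_lists(SAMPLE_CONFIG) and compare with the parsed output above: the ACEs the parser understands come back with the same keys and types (port names stay strings, ttl and packet_length values become integers), while sequence 30 comes back as {"sequence": 30, "line": "permit tcp any any some-unknown-option"}. Feeding such an ACE back to the module through line is the documented way to manage an option the argspec does not model.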
Return Values
Common return values are documented here; the following are the fields unique to this module:

Key | Type | Returned | Description | Sample
---|---|---|---|---
after | list / elements=string | when changed | The resulting configuration model invocation. | The configuration returned will always be in the same format as the parameters above.
before | list / elements=string | always | The configuration prior to the model invocation. | The configuration returned will always be in the same format as the parameters above.
commands | list / elements=string | always | The set of commands pushed to the remote device. | ['ipv6 access-list acl6_1', '10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log', '20 permit icmpv6 any any router-advertisement precedence network destopts', 'ipv4 access-list acl_1', '16 remark TEST_ACL_1_REMARK', '21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst', '23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12']
Authors
- Nilashish Chakraborty (@NilashishC)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/cisco/iosxr/iosxr_acls_module.html