cisco.nxos.nxos_acl_interfaces – ACL interfaces resource module

Note

This plugin is part of the cisco.nxos collection (version 1.4.0).

To install it use: ansible-galaxy collection install cisco.nxos.

To use it in a playbook, specify: cisco.nxos.nxos_acl_interfaces.

New in version 1.0.0 of cisco.nxos

Synopsis

  • Add and remove Access Control Lists on interfaces on the NX-OS platform

Note

This module has a corresponding action plugin.

Parameters

Parameter (type; choices/defaults): comments. Indentation shows nesting.

  • config (list / elements=dictionary): A list of interfaces to be configured with ACLs
      • access_groups (list / elements=dictionary): List of address family indicators with ACLs to be configured on the interface
          • acls (list / elements=dictionary): List of Access Control Lists for the interface
              • direction (string / required; choices: in, out): Direction to be applied for the ACL
              • name (string / required): Name of the ACL to be added/removed
              • port (boolean; choices: no, yes): Use ACL as port policy.
          • afi (string / required; choices: ipv4, ipv6): Address Family Indicator of the ACLs to be configured
      • name (string / required): Name of the interface
  • running_config (string): This option is used only with state parsed. The value of this option should be the output received from the NX-OS device by executing the command show running-config | section '^interface'. The state parsed reads the configuration from running_config option and transforms it into Ansible structured data as per the resource module's argspec and the value is then returned in the parsed key within the result.
  • state (string; choices: deleted, gathered, merged (default), overridden, rendered, replaced, parsed): The state the configuration should be left in

Notes

  • Tested against NX-OS 7.3.(0)D1(1) on VIRL

Examples

# Using merged

# Before state:
# ------------
#

- name: Merge ACL interfaces configuration
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Ethernet1/2
      access_groups:
      - afi: ipv6
        acls:
        - name: ACL1v6
          direction: in

    - name: Eth1/5
      access_groups:
      - afi: ipv4
        acls:
        - name: PortACL
          direction: in
          port: true

        - name: ACL1v4
          direction: out

      - afi: ipv6
        acls:
        - name: ACL1v6
          direction: in
    state: merged

# After state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

# Using replaced

# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

- name: Replace interface configuration with given configuration
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Eth1/5
      access_groups:
      - afi: ipv4
        acls:
        - name: NewACLv4
          direction: out

    - name: Ethernet1/3
      access_groups:
      - afi: ipv6
        acls:
        - name: NewACLv6
          direction: in
          port: true
    state: replaced

# After state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/3
#   ipv6 port traffic-filter NewACLv6 in
# interface Ethernet1/5
#   ip access-group NewACLv4 out

# Using overridden

# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

- name: Override interface configuration with given configuration
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Ethernet1/3
      access_groups:
      - afi: ipv4
        acls:
        - name: ACL1v4
          direction: out

        - name: PortACL
          port: true
          direction: in
      - afi: ipv6
        acls:
        - name: NewACLv6
          direction: in
          port: true
    state: overridden

# After state:
# ------------
# interface Ethernet1/3
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in
#   ipv6 port traffic-filter NewACLv6 in

# Using deleted to remove ACL config from specified interfaces

# Before state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

- name: Delete ACL configuration on interfaces
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Ethernet1/5
    - name: Ethernet1/2
    state: deleted

# After state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
# interface Ethernet1/5

# Using deleted to remove ACL config from all interfaces

# Before state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

- name: Delete ACL configuration from all interfaces
  cisco.nxos.nxos_acl_interfaces:
    state: deleted

# After state:
# -------------
# interface Ethernet1/1
# interface Ethernet1/2
# interface Ethernet1/5

# Using parsed

- name: Parse given configuration into structured format
  cisco.nxos.nxos_acl_interfaces:
    running_config: |
      interface Ethernet1/2
      ipv6 traffic-filter ACL1v6 in
      interface Ethernet1/5
      ipv6 traffic-filter ACL1v6 in
      ip access-group ACL1v4 out
      ip port access-group PortACL in
    state: parsed

# returns
# parsed:
#   - name: Ethernet1/2
#     access_groups:
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in
#   - name: Ethernet1/5
#     access_groups:
#       - afi: ipv4
#         acls:
#           - name: PortACL
#             direction: in
#             port: True
#           - name: ACL1v4
#             direction: out
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in


# Using gathered:

# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ipv6 traffic-filter ACL1v6 in
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in

- name: Gather existing configuration from device
  cisco.nxos.nxos_acl_interfaces:
    config:
    state: gathered

# returns
# gathered:
#   - name: Ethernet1/2
#     access_groups:
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in
#   - name: Ethernet1/5
#     access_groups:
#       - afi: ipv4
#         acls:
#           - name: PortACL
#             direction: in
#             port: True
#           - name: ACL1v4
#             direction: out
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in


# Using rendered

- name: Render required configuration to be pushed to the device
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Ethernet1/2
      access_groups:
      - afi: ipv6
        acls:
        - name: ACL1v6
          direction: in

    - name: Ethernet1/5
      access_groups:
      - afi: ipv4
        acls:
        - name: PortACL
          direction: in
          port: true
        - name: ACL1v4
          direction: out
      - afi: ipv6
        acls:
        - name: ACL1v6
          direction: in
    state: rendered

# returns
# rendered:
#   interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
#   interface Ethernet1/5
#   ipv6 traffic-filter ACL1v6 in
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in
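
The parsed and gathered states above return interface ACL bindings in the layout of the config parameter. The following added example (not part of the cisco.nxos collection or its documentation) re-creates that layout offline from show running-config | section '^interface' text and lists interfaces that have no inbound ACL. The function names, the sample text, and the choice to keep ACL-less interfaces with an empty access_groups list are assumptions.

```python
# Constructed sample, modelled on the "Before state" blocks on this page.
SAMPLE = """\
interface Ethernet1/1
interface Ethernet1/2
  ipv6 traffic-filter ACL1v6 in
interface Ethernet1/5
  ip port access-group PortACL in
  ip access-group ACL1v4 out
  ipv6 traffic-filter ACL1v6 in
"""
# Attachment keyword per address family, as in the page's command output.
KEYWORD = {"ip": ("ipv4", "access-group"), "ipv6": ("ipv6", "traffic-filter")}


def parse_acl_interfaces(running_config):
    """Illustrative stand-in for state=parsed; not the collection's parser."""
    result = []
    for raw in running_config.splitlines():
        tokens = raw.split()
        if len(tokens) == 2 and tokens[0] == "interface":
            # Assumption: interfaces without ACLs are kept, with an empty list.
            result.append({"name": tokens[1], "access_groups": []})
            continue
        if not result or not tokens or tokens[0] not in KEYWORD:
            continue
        afi, keyword = KEYWORD[tokens[0]]
        port = tokens[1:2] == ["port"]  # "ip port access-group ..." is a port ACL
        rest = tokens[2:] if port else tokens[1:]
        if len(rest) != 3 or rest[0] != keyword or rest[2] not in ("in", "out"):
            continue  # some other interface command
        acl = {"name": rest[1], "direction": rest[2]}
        if port:
            acl["port"] = True
        groups = result[-1]["access_groups"]
        if not any(g["afi"] == afi for g in groups):
            groups.append({"afi": afi, "acls": []})
        next(g for g in groups if g["afi"] == afi)["acls"].append(acl)
    return result


def missing_inbound(config, afi):
    """Names of interfaces with no inbound ACL for the given address family."""
    return [
        intf["name"] for intf in config
        if not any(acl["direction"] == "in"
                   for g in (intf.get("access_groups") or []) if g["afi"] == afi
                   for acl in g["acls"])
    ]
```

The same missing_inbound check can be run on the list registered from a state: gathered task, since that result uses the same layout.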

Return Values

Common return values are documented separately; the following fields are unique to this module:

Key (type), when returned: description

  • after (dictionary), returned when changed: The resulting configuration after the model invocation.
    Sample: The configuration returned will always be in the same format as the parameters above.
  • before (dictionary), returned always: The configuration prior to the model invocation.
    Sample: The configuration returned will always be in the same format as the parameters above.
  • commands (list / elements=string), returned always: The set of commands pushed to the remote device.
    Sample: ['interface Ethernet1/2', 'ipv6 traffic-filter ACL1v6 out', 'ip port access-group PortACL in']


Authors

  • Adharsh Srivats Rangarajan (@adharshsrivatsr)