ce_acl_advance – Manages advanced ACL configuration on HUAWEI CloudEngine switches
New in version 2.4.
Synopsis
Manages advanced ACL configurations on HUAWEI CloudEngine switches.
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
acl_description | | ACL description. The value is a string of 1 to 127 characters. |
acl_name (required) | | ACL number or name. For a numbered rule group, a value in the range 3000 to 3999 indicates an advanced ACL. For a named rule group, the value is a string of 1 to 32 case-sensitive characters starting with a letter; spaces are not supported. |
acl_num | | ACL number. The value is an integer ranging from 3000 to 3999. |
acl_step | | ACL step. The value is an integer ranging from 1 to 20. The default value is 5. |
dest_ip | | Destination IP address, in dotted decimal notation. The value is a string of 0 to 255 characters. The default value is 0.0.0.0. |
dest_mask | | Destination IP address mask. The value is an integer ranging from 1 to 32. |
dest_pool_name | | Name of a destination pool. The value is a string of 1 to 32 characters. |
dest_port_begin | | Start port number of the destination port. The value is an integer ranging from 0 to 65535. |
dest_port_end | | End port number of the destination port. The value is an integer ranging from 0 to 65535. |
dest_port_op | | Range type of the destination port. |
dest_port_pool_name | | Name of a destination port pool. The value is a string of 1 to 32 characters. |
dscp | | Differentiated Services Code Point. The value is an integer ranging from 0 to 63. |
established (boolean) | | Match established connections. |
frag_type | | Type of packet fragmentation. |
icmp_code | | ICMP message code. Data packets can be filtered based on the ICMP message code. The value is an integer ranging from 0 to 255. |
icmp_name | | ICMP name. |
icmp_type | | ICMP type. This parameter is available only when the packet protocol is ICMP. The value is an integer ranging from 0 to 255. |
igmp_type | | Internet Group Management Protocol (IGMP) message type. |
log_flag (boolean) | | Flag of logging matched data packets. |
precedence | | Data packets can be filtered based on the priority field. The value is an integer ranging from 0 to 7. |
protocol | | Protocol type. |
rule_action | | Matching mode of basic ACL rules. |
rule_description | | Description of an ACL rule. |
rule_id | | ID of a basic ACL rule in configuration mode. The value is an integer ranging from 0 to 4294967294. |
rule_name | | Name of a basic ACL rule. The value is a string of 1 to 32 characters. |
source_ip | | Source IP address, in dotted decimal notation. The value is a string of 0 to 255 characters. The default value is 0.0.0.0. |
src_mask | | Source IP address mask. The value is an integer ranging from 1 to 32. |
src_pool_name | | Name of a source pool. The value is a string of 1 to 32 characters. |
src_port_begin | | Start port number of the source port. The value is an integer ranging from 0 to 65535. |
src_port_end | | End port number of the source port. The value is an integer ranging from 0 to 65535. |
src_port_op | | Range type of the source port. |
src_port_pool_name | | Name of a source port pool. The value is a string of 1 to 32 characters. |
state | | Specify the desired state of the resource. |
syn_flag | | TCP flag value. The value is an integer ranging from 0 to 63. |
tcp_flag_mask | | TCP flag mask value. The value is an integer ranging from 0 to 63. |
time_range | | Name of a time range in which an ACL rule takes effect. |
tos | | ToS value on which data packet filtering is based. The value is an integer ranging from 0 to 15. |
ttl_expired (boolean) | | Whether TTL Expired is matched, with the TTL value of 1. |
vrf_name | | VPN instance name. The value is a string of 1 to 31 characters. The default value is `_public_`. |
Notes
Note: This module requires the netconf system service be enabled on the remote device being managed. The recommended connection is netconf. This module also works with local connections for legacy playbooks.
Examples

```yaml
- name: CloudEngine advance acl test
  hosts: cloudengine
  connection: local
  gather_facts: no
  vars:
    cli:
      host: "{{ inventory_hostname }}"
      port: "{{ ansible_ssh_port }}"
      username: "{{ username }}"
      password: "{{ password }}"
      transport: cli

  tasks:

  - name: "Config ACL"
    ce_acl_advance:
      state: present
      acl_name: 3200
      provider: "{{ cli }}"

  - name: "Undo ACL"
    ce_acl_advance:
      state: delete_acl
      acl_name: 3200
      provider: "{{ cli }}"

  - name: "Config ACL advance rule"
    ce_acl_advance:
      state: present
      acl_name: test
      rule_name: test_rule
      rule_id: 111
      rule_action: permit
      protocol: tcp
      source_ip: 10.10.10.10
      src_mask: 24
      frag_type: fragment
      provider: "{{ cli }}"

  - name: "Undo ACL advance rule"
    ce_acl_advance:
      state: absent
      acl_name: test
      rule_name: test_rule
      rule_id: 111
      rule_action: permit
      protocol: tcp
      source_ip: 10.10.10.10
      src_mask: 24
      frag_type: fragment
      provider: "{{ cli }}"
```
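As an added example (not part of the module or its documentation), a Python pre-flight check that validates the arguments of one ce_acl_advance task against the ranges given in the parameter table, so that out-of-range values are rejected in CI before a playbook ever reaches the switch. The function and constant names are the example's own; the bounds and the acl_name naming rule are taken from the table above, and the sample task in the test is constructed from the playbook in Examples.

```python
import re

# Inclusive integer ranges copied from the ce_acl_advance parameter table.
INT_RANGES = {
    "acl_num": (3000, 3999), "acl_step": (1, 20),
    "src_mask": (1, 32), "dest_mask": (1, 32),
    "src_port_begin": (0, 65535), "src_port_end": (0, 65535),
    "dest_port_begin": (0, 65535), "dest_port_end": (0, 65535),
    "dscp": (0, 63), "precedence": (0, 7), "tos": (0, 15),
    "icmp_type": (0, 255), "icmp_code": (0, 255),
    "syn_flag": (0, 63), "tcp_flag_mask": (0, 63),
    "rule_id": (0, 4294967294),
}
# Named ACL: 1 to 32 characters, first character a letter, no spaces.
NAMED_ACL = re.compile(r"^[A-Za-z]\S{0,31}$")
DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

def _as_int(value):
    """ints and digit strings (YAML may yield either) -> int; anything else -> None."""
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    return int(value) if isinstance(value, str) and value.isdigit() else None

def validate_acl_args(args):
    """Return a list of violations for one ce_acl_advance task; [] means OK."""
    problems = []
    name = args.get("acl_name")
    if name is None:
        problems.append("acl_name is required")
    elif _as_int(name) is not None:  # numbered rule group
        if not 3000 <= _as_int(name) <= 3999:
            problems.append(f"acl_name={name}: numbered advanced ACLs are 3000 to 3999")
    elif not NAMED_ACL.match(str(name)):  # named rule group
        problems.append(f"acl_name={name!r}: 1 to 32 chars, letter first, no spaces")
    for key, (lo, hi) in INT_RANGES.items():
        if key in args:
            val = _as_int(args[key])
            if val is None or not lo <= val <= hi:
                problems.append(f"{key}={args[key]!r}: expected integer {lo} to {hi}")
    for key in ("source_ip", "dest_ip"):  # documented as dotted decimal notation
        if (ip := args.get(key)) is not None:
            m = DOTTED_QUAD.match(str(ip))
            if not m or any(int(octet) > 255 for octet in m.groups()):
                problems.append(f"{key}={ip!r}: not dotted decimal notation")
    for side in ("src", "dest"):  # a port range must not run backwards
        lo, hi = _as_int(args.get(f"{side}_port_begin")), _as_int(args.get(f"{side}_port_end"))
        if lo is not None and hi is not None and lo > hi:
            problems.append(f"{side}_port_begin exceeds {side}_port_end")
    return problems
```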
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
changed (boolean) | always | Whether a change was made on the device. Sample: `True` |
end_state (dictionary) | always | k/v pairs of ACL parameters after module execution. |
existing (dictionary) | always | k/v pairs of the existing ACL. Sample: `{'aclNumOrName': 'test', 'aclType': 'Advance'}` |
proposed (dictionary) | always | k/v pairs of parameters passed into the module. Sample: `{'acl_name': 'test', 'state': 'delete_acl'}` |
updates (list) | always | Commands sent to the device. Sample: `['undo acl name test']` |
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]