ce_acl_advance – Manages advanced ACL configuration on HUAWEI CloudEngine switches

New in version 2.4.

Synopsis

  • Manages advanced ACL configurations on HUAWEI CloudEngine switches.

Parameters

Parameter Choices/Defaults Comments
acl_description
-
ACL description. The value is a string of 1 to 127 characters.
acl_name
- / required
ACL number or name. For a numbered rule group, the value ranging from 3000 to 3999 indicates a advance ACL. For a named rule group, the value is a string of 1 to 32 case-sensitive characters starting with a letter, spaces not supported.
acl_num
-
ACL number. The value is an integer ranging from 3000 to 3999.
acl_step
-
ACL step. The value is an integer ranging from 1 to 20. The default value is 5.
dest_ip
-
Destination IP address. The value is a string of 0 to 255 characters.The default value is 0.0.0.0. The value is in dotted decimal notation.
dest_mask
-
Destination IP address mask. The value is an integer ranging from 1 to 32.
dest_pool_name
-
Name of a destination pool. The value is a string of 1 to 32 characters.
dest_port_begin
-
Start port number of the destination port. The value is an integer ranging from 0 to 65535.
dest_port_end
-
End port number of the destination port. The value is an integer ranging from 0 to 65535.
dest_port_op
-
    Choices:
  • lt
  • eq
  • gt
  • range
Range type of the destination port.
dest_port_pool_name
-
Name of a destination port pool. The value is a string of 1 to 32 characters.
dscp
-
Differentiated Services Code Point. The value is an integer ranging from 0 to 63.
established
boolean
    Choices:
  • no ←
  • yes
Match established connections.
frag_type
-
    Choices:
  • fragment
  • clear_fragment
Type of packet fragmentation.
icmp_code
-
ICMP message code. Data packets can be filtered based on the ICMP message code. The value is an integer ranging from 0 to 255.
icmp_name
-
    Choices:
  • unconfiged
  • echo
  • echo-reply
  • fragmentneed-DFset
  • host-redirect
  • host-tos-redirect
  • host-unreachable
  • information-reply
  • information-request
  • net-redirect
  • net-tos-redirect
  • net-unreachable
  • parameter-problem
  • port-unreachable
  • protocol-unreachable
  • reassembly-timeout
  • source-quench
  • source-route-failed
  • timestamp-reply
  • timestamp-request
  • ttl-exceeded
  • address-mask-reply
  • address-mask-request
  • custom
ICMP name.
icmp_type
-
ICMP type. This parameter is available only when the packet protocol is ICMP. The value is an integer ranging from 0 to 255.
igmp_type
-
    Choices:
  • host-query
  • mrouter-adver
  • mrouter-solic
  • mrouter-termi
  • mtrace-resp
  • mtrace-route
  • v1host-report
  • v2host-report
  • v2leave-group
  • v3host-report
Internet Group Management Protocol.
log_flag
boolean
    Choices:
  • no ←
  • yes
Flag of logging matched data packets.
precedence
-
Data packets can be filtered based on the priority field. The value is an integer ranging from 0 to 7.
protocol
-
    Choices:
  • ip
  • icmp
  • igmp
  • ipinip
  • tcp
  • udp
  • gre
  • ospf
Protocol type.
rule_action
-
    Choices:
  • permit
  • deny
Matching mode of basic ACL rules.
rule_description
-
Description about an ACL rule.
rule_id
-
ID of a basic ACL rule in configuration mode. The value is an integer ranging from 0 to 4294967294.
rule_name
-
Name of a basic ACL rule. The value is a string of 1 to 32 characters.
source_ip
-
Source IP address. The value is a string of 0 to 255 characters.The default value is 0.0.0.0. The value is in dotted decimal notation.
src_mask
-
Source IP address mask. The value is an integer ranging from 1 to 32.
src_pool_name
-
Name of a source pool. The value is a string of 1 to 32 characters.
src_port_begin
-
Start port number of the source port. The value is an integer ranging from 0 to 65535.
src_port_end
-
End port number of the source port. The value is an integer ranging from 0 to 65535.
src_port_op
-
    Choices:
  • lt
  • eq
  • gt
  • range
Range type of the source port.
src_port_pool_name
-
Name of a source port pool. The value is a string of 1 to 32 characters.
state
-
    Choices:
  • present ←
  • absent
  • delete_acl
Specify desired state of the resource.
syn_flag
-
TCP flag value. The value is an integer ranging from 0 to 63.
tcp_flag_mask
-
TCP flag mask value. The value is an integer ranging from 0 to 63.
time_range
-
Name of a time range in which an ACL rule takes effect.
tos
-
ToS value on which data packet filtering is based. The value is an integer ranging from 0 to 15.
ttl_expired
boolean
    Choices:
  • no ←
  • yes
Whether TTL Expired is matched, with the TTL value of 1.
vrf_name
-
VPN instance name. The value is a string of 1 to 31 characters.The default value is _public_.

Notes

Note

  • This module requires the netconf system service be enabled on the remote device being managed.

  • Recommended connection is netconf.

  • This module also works with local connections for legacy playbooks.

Examples

- name: CloudEngine advance acl test
  hosts: cloudengine
  connection: local
  gather_facts: no
  vars:
    cli:
      host: "{{ inventory_hostname }}"
      port: "{{ ansible_ssh_port }}"
      username: "{{ username }}"
      password: "{{ password }}"
      transport: cli

  tasks:

  - name: "Config ACL"
    ce_acl_advance:
      state: present
      acl_name: 3200
      provider: "{{ cli }}"

  - name: "Undo ACL"
    ce_acl_advance:
      state: delete_acl
      acl_name: 3200
      provider: "{{ cli }}"

  - name: "Config ACL advance rule"
    ce_acl_advance:
      state: present
      acl_name: test
      rule_name: test_rule
      rule_id: 111
      rule_action: permit
      protocol: tcp
      source_ip: 10.10.10.10
      src_mask: 24
      frag_type: fragment
      provider: "{{ cli }}"

  - name: "Undo ACL advance rule"
    ce_acl_advance:
      state: absent
      acl_name: test
      rule_name: test_rule
      rule_id: 111
      rule_action: permit
      protocol: tcp
      source_ip: 10.10.10.10
      src_mask: 24
      frag_type: fragment
      provider: "{{ cli }}"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
changed
boolean
always
check to see if a change was made on the device

Sample:
True
end_state
dictionary
always
k/v pairs of aaa params after module execution

existing
dictionary
always
k/v pairs of existing aaa server

Sample:
{'aclNumOrName': 'test', 'aclType': 'Advance'}
proposed
dictionary
always
k/v pairs of parameters passed into module

Sample:
{'acl_name': 'test', 'state': 'delete_acl'}
updates
list
always
command sent to the device

Sample:
['undo acl name test']


Status

Authors

  • wangdezhuang (@QijunPan)

Hint

If you notice any issues in this documentation you can edit this document to improve it.