cisco.iosxr.iosxr_acls – ACLs resource module¶
Note
This plugin is part of the cisco.iosxr collection (version 1.2.1).
To install it, use: `ansible-galaxy collection install cisco.iosxr`.
To use it in a playbook, specify: `cisco.iosxr.iosxr_acls`.
New in version 1.0.0 of cisco.iosxr
Synopsis¶
This module manages Access Control Lists (ACLs) on devices running IOS-XR.
Note
This module has a corresponding action plugin.
Parameters¶
Examples¶
# Using merged to add new ACLs
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#
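# 'merged' adds the ACLs/ACEs below to the running config; ACLs and ACEs that
# are not listed here are left untouched.
- name: Merge the provided configuration with the exisiting running configuration
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv6
        acls:
          - name: acl6_1
            aces:
              - sequence: 10
                grant: deny
                protocol: tcp
                source:
                  prefix: 2001:db8:1234::/48
                  port_protocol:
                    range:
                      start: ftp
                      end: telnet
                destination:
                  any: true
                protocol_options:
                  tcp:
                    syn: true
                ttl:
                  range:
                    start: 180
                    end: 250
                routing: true
                authen: true
                log: true
              - sequence: 20
                grant: permit
                protocol: icmpv6
                source:
                  any: true
                destination:
                  any: true
                protocol_options:
                  icmpv6:
                    router_advertisement: true
                precedence: network
                destopts: true
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              - sequence: 16
                remark: TEST_ACL_1_REMARK
              - sequence: 21
                grant: permit
                protocol: tcp
                source:
                  host: 192.0.2.10
                  port_protocol:
                    range:
                      start: pop3
                      # Port names and port numbers are both strings in this
                      # module (the gathered facts report "end": "121"), so a
                      # numeric port is quoted to keep it from being read as an
                      # int.
                      end: "121"
                destination:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.15
                protocol_options:
                  tcp:
                    rst: true
              - sequence: 23
                grant: deny
                protocol: icmp
                source:
                  any: true
                destination:
                  # A /28 prefix is pushed to the device as 198.51.100.0 0.0.0.15.
                  prefix: 198.51.100.0/28
                protocol_options:
                  icmp:
                    reassembly_timeout: true
                dscp:
                  lt: af12
          - name: acl_2
            aces:
              - sequence: 10
                remark: TEST_ACL_2_REMARK
    state: merged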
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using merged to update existing ACLs
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
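# 'merged' against ACEs that already exist: only the attributes given here are
# updated (e.g. source and protocol_options of ACE 21); grant, protocol and
# destination are kept from the running config.
- name: Update existing ACEs
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              - sequence: 21
                source:
                  prefix: 198.51.100.32/28
                  port_protocol:
                    range:
                      start: pop3
                      # Ports are strings in this module's model (gathered
                      # facts show "end": "121"); quoted so it is not read as
                      # an int.
                      end: "121"
                protocol_options:
                  tcp:
                    syn: true
              - sequence: 23
                protocol_options:
                  icmp:
                    router_advertisement: true
                dscp:
                  eq: af23
    # merged is the module's default state; stated explicitly so the intent of
    # the task is visible in the playbook.
    state: merged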
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:47:18.711 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
# 23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using replaced to replace a whole ACL
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# 'replaced' rewrites only the ACLs named in config (acl_2 here); acl_1 and
# acl6_1 are left exactly as they were.
- name: Replace device configurations of listed ACL with provided configurations
  cisco.iosxr.iosxr_acls:
    state: replaced
    config:
      - afi: ipv4
        acls:
          - name: 'acl_2'
            aces:
              - sequence: 11
                grant: permit
                protocol: igmp
                ttl:
                  eq: 100
                source:
                  host: '198.51.100.130'
                destination:
                  any: true
              - sequence: 12
                grant: deny
                protocol: icmp
                source:
                  any: true
                destination:
                  any: true
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:19:51.496 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
# 23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
# 11 permit igmp host 198.51.100.130 any ttl eq 100
# 12 deny icmp any any
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using overridden to override all ACLs in the device
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# 'overridden' makes the device's ACL set exactly the list below: every ACL
# that is not named here, in any address family, is removed (the ipv6 acl6_1
# is gone in the after state). The wide-open "permit ... any any" entries are
# placeholders for the example, not a recommended policy.
- name: Overridde all ACLs configuration with provided configuration
  cisco.iosxr.iosxr_acls:
    state: overridden
    config:
      - afi: ipv4
        acls:
          - name: 'acl_1'
            aces:
              - sequence: 10
                grant: permit
                protocol: tcp
                source:
                  any: true
                destination:
                  any: true
          - name: 'acl_2'
            aces:
              - sequence: 20
                grant: permit
                protocol: igmp
                source:
                  any: true
                destination:
                  any: true
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:31:22.178 UTC
# ipv4 access-list acl_1
# 10 permit tcp any any
# ipv4 access-list acl_2
# 20 permit igmp any any
# Using deleted to delete an entire ACL
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# 'deleted' with an ACL name removes just that ACL; the other ACLs (and the
# other address family) stay as they are.
- name: Delete a single ACL
  cisco.iosxr.iosxr_acls:
    state: deleted
    config:
      - afi: ipv6
        acls:
          - name: 'acl6_1'
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# Using deleted to delete all ACLs under one AFI
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# An AFI entry with no acls list removes every ACL of that address family;
# the ipv6 ACL is untouched.
- name: Delete all ACLs under one AFI
  cisco.iosxr.iosxr_acls:
    state: deleted
    config:
      - afi: ipv4
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using deleted to delete all ACLs from the device
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# With no config at all, 'deleted' removes every ACL on the device in both
# address families (the after state shows an empty access-list table), so the
# task's host targeting deserves a second look before it is run.
- name: Delete all ACLs from the device
  cisco.iosxr.iosxr_acls:
    state: deleted
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#
# Using gathered to gather ACL facts from the device
# 'gathered' reports the ACLs currently on the device as structured facts
# under the `gathered` key; it makes no configuration change.
- name: Gather ACL interfaces facts using gathered state
  cisco.iosxr.iosxr_acls:
    state: gathered
# Task Output (redacted)
# -----------------------
#
# "gathered": [
# {
# "acls": [
# {
# "aces": [
# {
# "remark": "TEST_ACL_1_REMARK",
# "sequence": 16
# },
# {
# "destination": {
# "address": "198.51.100.0",
# "wildcard_bits": "0.0.0.15"
# },
# "grant": "permit",
# "protocol": "tcp",
# "protocol_options": {
# "tcp": {
# "rst": true
# }
# },
# "sequence": 21,
# "source": {
# "host": "192.0.2.10",
# "port_protocol": {
# "range": {
# "end": "121",
# "start": "pop3"
# }
# }
# }
# },
# {
# "destination": {
# "address": "198.51.100.0",
# "wildcard_bits": "0.0.0.15"
# },
# "dscp": {
# "lt": "af12"
# },
# "grant": "deny",
# "protocol": "icmp",
# "protocol_options": {
# "icmp": {
# "reassembly_timeout": true
# }
# },
# "sequence": 23,
# "source": {
# "any": true
# }
# }
# ],
# "name": "acl_1"
# },
# {
# "aces": [
# {
# "remark": "TEST_ACL_2_REMARK",
# "sequence": 10
# }
# ],
# "name": "acl_2"
# }
# ],
# "afi": "ipv4"
# },
# {
# "acls": [
# {
# "aces": [
# {
# "authen": true,
# "destination": {
# "any": true
# },
# "grant": "deny",
# "log": true,
# "protocol": "tcp",
# "protocol_options": {
# "tcp": {
# "syn": true
# }
# },
# "routing": true,
# "sequence": 10,
# "source": {
# "port_protocol": {
# "range": {
# "end": "telnet",
# "start": "ftp"
# }
# },
# "prefix": "2001:db8:1234::/48"
# },
# "ttl": {
# "range": {
# "end": 250,
# "start": 180
# }
# }
# },
# {
# "destination": {
# "any": true
# },
# "destopts": true,
# "grant": "permit",
# "precedence": "network",
# "protocol": "icmpv6",
# "protocol_options": {
# "icmpv6": {
# "router_advertisement": true
# }
# },
# "sequence": 20,
# "source": {
# "any": true
# }
# }
# ],
# "name": "acl6_1"
# }
# ],
# "afi": "ipv6"
# }
# ]
# Using rendered
# 'rendered' turns the config below into the CLI lines the module would push
# and returns them under `rendered`, without connecting to the device.
- name: Render platform specific commands (without connecting to the device)
  cisco.iosxr.iosxr_acls:
    state: rendered
    config:
      - afi: ipv4
        acls:
          - name: 'acl_2'
            aces:
              - sequence: 11
                grant: permit
                protocol: igmp
                ttl:
                  eq: 100
                source:
                  host: '198.51.100.130'
                destination:
                  any: true
              - sequence: 12
                grant: deny
                protocol: icmp
                source:
                  any: true
                destination:
                  any: true
# Task Output (redacted)
# -----------------------
# "rendered": [
# "ipv4 access-list acl_2",
# "11 permit igmp host 198.51.100.130 any ttl eq 100",
# "12 deny icmp any any"
# ]
# Using parsed
# parsed.cfg
# ------------
#
# ipv4 access-list acl_1
# 10 remark TEST_ACL_2_REMARK
# ipv4 access-list acl_2
# 11 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log
# 21 permit icmpv6 any any router-advertisement precedence network packet-length eq 576 destopts
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network packet-length eq 576 destopts
# 'parsed' takes the CLI text given in running_config (here a local file read
# with the file lookup) and returns it in the module's structured model under
# `parsed`; no device connection is involved.
- name: Parse externally provided ACL config to agnostic model
  cisco.iosxr.iosxr_acls:
    state: parsed
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
# Task Output (redacted)
# -----------------------
# "parsed": [
# {
# "acls": [
# {
# "aces": [
# {
# "remark": "TEST_ACL_2_REMARK",
# "sequence": 10
# }
# ],
# "name": "acl_1"
# },
# {
# "aces": [
# {
# "authen": true,
# "destination": {
# "any": true
# },
# "grant": "deny",
# "log": true,
# "protocol": "tcp",
# "protocol_options": {
# "tcp": {
# "syn": true
# }
# },
# "routing": true,
# "sequence": 11,
# "source": {
# "port_protocol": {
# "range": {
# "end": "telnet",
# "start": "ftp"
# }
# },
# "prefix": "2001:db8:1234::/48"
# },
# "ttl": {
# "range": {
# "end": 250,
# "start": 180
# }
# }
# },
# {
# "destination": {
# "any": true
# },
# "destopts": true,
# "grant": "permit",
# "packet_length": {
# "eq": 576
# },
# "precedence": "network",
# "protocol": "icmpv6",
# "protocol_options": {
# "icmpv6": {
# "router_advertisement": true
# }
# },
# "sequence": 21,
# "source": {
# "any": true
# }
# }
# ],
# "name": "acl_2"
# }
# ],
# "afi": "ipv4"
# },
# {
# "acls": [
# {
# "aces": [
# {
# "authen": true,
# "destination": {
# "any": true
# },
# "grant": "deny",
# "log": true,
# "protocol": "tcp",
# "protocol_options": {
# "tcp": {
# "syn": true
# }
# },
# "routing": true,
# "sequence": 10,
# "source": {
# "port_protocol": {
# "range": {
# "end": "telnet",
# "start": "ftp"
# }
# },
# "prefix": "2001:db8:1234::/48"
# },
# "ttl": {
# "range": {
# "end": 250,
# "start": 180
# }
# }
# },
# {
# "destination": {
# "any": true
# },
# "destopts": true,
# "grant": "permit",
# "packet_length": {
# "eq": 576
# },
# "precedence": "network",
# "protocol": "icmpv6",
# "protocol_options": {
# "icmpv6": {
# "router_advertisement": true
# }
# },
# "sequence": 20,
# "source": {
# "any": true
# }
# }
# ],
# "name": "acl6_1"
# }
# ],
# "afi": "ipv6"
# }
# ]
Return Values¶
Common return values are documented here; the following are the fields unique to this module:
Authors¶
Nilashish Chakraborty (@NilashishC)