cisco.nxos.nxos_acl_interfaces – ACL interfaces resource module

Note

This plugin is part of the cisco.nxos collection (version 1.4.0).

To install it use: ansible-galaxy collection install cisco.nxos.

To use it in a playbook, specify: cisco.nxos.nxos_acl_interfaces.

New in version 1.0.0: of cisco.nxos

Synopsis

• Add and remove Access Control Lists on interfaces in NX-OS platform

Note

This module has a corresponding action plugin.

Parameters

Parameter				Choices/Defaults	Comments
config list / elements=dictionary					A list of interfaces to be configured with ACLs
	access_groups list / elements=dictionary				List of address family indicators with ACLs to be configured on the interface
		acls list / elements=dictionary			List of Access Control Lists for the interface
			direction string / required	Choices: in out	Direction to be applied for the ACL
			name string / required		Name of the ACL to be added/removed
			port boolean	Choices: no yes	Use ACL as port policy.
		afi string / required		Choices: ipv4 ipv6	Address Family Indicator of the ACLs to be configured
	name string / required				Name of the interface
running_config string					This option is used only with state parsed. The value of this option should be the output received from the NX-OS device by executing the command show running-config | section '^interface'. The state parsed reads the configuration from running_config option and transforms it into Ansible structured data as per the resource module's argspec and the value is then returned in the parsed key within the result.
state string				Choices: deleted gathered merged ← overridden rendered replaced parsed	The state the configuration should be left in

Notes

Note

• Tested against NX-OS 7.3.(0)D1(1) on VIRL

Examples

# Using merged

# Before state:
# ------------
#

- name: Merge ACL interfaces configuration
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Ethernet1/2
      access_groups:
      - afi: ipv6
        acls:
        - name: ACL1v6
          direction: in

    - name: Eth1/5
      access_groups:
      - afi: ipv4
        acls:
        - name: PortACL
          direction: in
          port: true

        - name: ACL1v4
          direction: out

      - afi: ipv6
        acls:
        - name: ACL1v6
          direction: in
    state: merged

# After state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

# Using replaced

# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

- name: Replace interface configuration with given configuration
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Eth1/5
      access_groups:
      - afi: ipv4
        acls:
        - name: NewACLv4
          direction: out

    - name: Ethernet1/3
      access_groups:
      - afi: ipv6
        acls:
        - name: NewACLv6
          direction: in
          port: true
    state: replaced

# After state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/3
#   ipv6 port traffic-filter NewACLv6 in
# interface Ethernet1/5
#   ip access-group NewACLv4 out

# Using overridden

# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

- name: Override interface configuration with given configuration
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Ethernet1/3
      access_groups:
      - afi: ipv4
        acls:
        - name: ACL1v4
          direction: out

        - name: PortACL
          port: true
          direction: in
      - afi: ipv6
        acls:
        - name: NewACLv6
          direction: in
          port: true
    state: overridden

# After state:
# ------------
# interface Ethernet1/3
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in
#   ipv6 port traffic-filter NewACLv6 in

# Using deleted to remove ACL config from specified interfaces

# Before state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

- name: Delete ACL configuration on interfaces
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Ethernet1/5
    - name: Ethernet1/2
    state: deleted

# After state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
# interface Ethernet1/5

# Using deleted to remove ACL config from all interfaces

# Before state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

- name: Delete ACL configuration from all interfaces
  cisco.nxos.nxos_acl_interfaces:
    state: deleted

# After state:
# -------------
# interface Ethernet1/1
# interface Ethernet1/2
# interface Ethernet1/5

# Using parsed

- name: Parse given configuration into structured format
  cisco.nxos.nxos_acl_interfaces:
    running_config: |
      interface Ethernet1/2
      ipv6 traffic-filter ACL1v6 in
      interface Ethernet1/5
      ipv6 traffic-filter ACL1v6 in
      ip access-group ACL1v4 out
      ip port access-group PortACL in
    state: parsed

# returns
# parsed:
#   - name: Ethernet1/2
#     access_groups:
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in
#  - name: Ethernet1/5
#    access_groups:
#      - afi: ipv4
#        acls:
#          - name: PortACL
#            direction: in
#            port: True
#          - name: ACL1v4
#            direction: out
#      - afi: ipv6
#        acls:
#          - name: ACL1v6
#             direction: in


# Using gathered:

# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ipv6 traffic-filter ACL1v6 in
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in

- name: Gather existing configuration from device
  cisco.nxos.nxos_acl_interfaces:
    config:
    state: gathered

# returns
# gathered:
#   - name: Ethernet1/2
#     access_groups:
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in
#  - name: Ethernet1/5
#    access_groups:
#      - afi: ipv4
#        acls:
#          - name: PortACL
#            direction: in
#            port: True
#          - name: ACL1v4
#            direction: out
#      - afi: ipv6
#        acls:
#          - name: ACL1v6
#             direction: in


# Using rendered

- name: Render required configuration to be pushed to the device
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Ethernet1/2
      access_groups:
      - afi: ipv6
        acls:
        - name: ACL1v6
          direction: in

    - name: Ethernet1/5
      access_groups:
      - afi: ipv4
        acls:
        - name: PortACL
          direction: in
          port: true
        - name: ACL1v4
          direction: out
      - afi: ipv6
        acls:
        - name: ACL1v6
          direction: in
    state: rendered

# returns
# rendered:
#   interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
#   interface Ethernet1/5
#   ipv6 traffic-filter ACL1v6 in
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
after dictionary	when changed	The resulting configuration model invocation. Sample: The configuration returned will always be in the same format of the parameters above.
before dictionary	always	The configuration prior to the model invocation. Sample: The configuration returned will always be in the same format of the parameters above.
commands list / elements=string	always	The set of commands pushed to the remote device. Sample: ['interface Ethernet1/2', 'ipv6 traffic-filter ACL1v6 out', 'ip port access-group PortACL in']

Authors

• Adharsh Srivats Rangarajan (@adharshsrivatsr)