cisco.iosxr.iosxr_acls module – ACLs resource module

Note

This module is part of the cisco.iosxr collection (version 2.9.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.iosxr.

To use it in a playbook, specify: cisco.iosxr.iosxr_acls.

New in version 1.0.0 of cisco.iosxr

Synopsis

  • This module manages Access Control Lists (ACLs) on devices running IOS-XR.

Parameters

Parameter

Comments

config

list / elements=dictionary

A list of dictionaries specifying ACL configurations.

acls

list / elements=dictionary

A list of Access Control Lists (ACLs).

aces

list / elements=dictionary

List of Access Control Entries (ACEs) for this Access Control List (ACL).

authen

boolean

Match if authentication header is present.

Choices:

  • no

  • yes

capture

boolean

Capture matched packet.

Choices:

  • no

  • yes

destination

dictionary

Specifies the packet destination.

address

string

The destination IP address to match.

any

boolean

Match any destination address.

Choices:

  • no

  • yes

host

string

The host IP address to match.

net_group

string

Name of net-group.

port_group

string

Name of port-group.

port_protocol

dictionary

Specify the source port or protocol.

eq

string

Match only packets on a given port number.

gt

string

Match only packets with a greater port number.

lt

string

Match only packets with a lower port number.

neq

string

Match only packets not on a given port number.

range

dictionary

Match only packets in the range of port numbers

end

string

Specify the end of the port range

start

string

Specify the start of the port range

prefix

string

Destination network prefix.

wildcard_bits

string

The Wildcard bits to apply to destination address.

destopts

boolean

Match if destination opts header is present.

Choices:

  • no

  • yes

dscp

dictionary

Match packets with given DSCP value.

eq

string

Match only packets on a given dscp value

gt

string

Match only packets with a greater dscp value

lt

string

Match only packets with a lower dscp value

neq

string

Match only packets not on a given dscp value

range

dictionary

Match only packets in the range of dscp values

end

string

End of the dscp range

start

string

Start of the dscp range

fragments

boolean

Check non-initial fragments.

Choices:

  • no

  • yes

grant

string

Forward or drop packets matching the Access Control Entry (ACE).

Choices:

  • permit

  • deny

hop_by_hop

boolean

Match if hop-by-hop opts header is present.

Choices:

  • no

  • yes

icmp_off

boolean

Enable/disable the ICMP message for this entry.

Choices:

  • no

  • yes

line

aliases: ace

string

An ACE excluding the sequence number.

This key is mutually exclusive with all the other attributes except ‘sequence’.

When used with other attributes, the value of this key will get precedence and the other keys will be ignored.

This should only be used when an attribute doesn’t exist in the argspec but is valid for the device.

For fact gathering, any ACE that is not fully parsed, will show up as a value of this attribute, excluding the sequence number, which will be populated as value of the sequence key.

log

boolean

Enable/disable log matches against this entry.

Choices:

  • no

  • yes

log_input

boolean

Enable/disable log matches against this entry, including input interface.

Choices:

  • no

  • yes

packet_length

dictionary

Match packets given packet length.

eq

integer

Match only packets on a given packet length

gt

integer

Match only packets with a greater packet length

lt

integer

Match only packets with a lower packet length

neq

integer

Match only packets not on a given packet length

range

dictionary

Match only packets in the range of packet lengths

end

integer

End of the packet length range

start

integer

Start of the packet length range

precedence

string

Match packets with given precedence value

protocol

string

Specify the protocol to match.

Refer to vendor documentation for valid values.

protocol_options

dictionary

Additional suboptions for the protocol.

icmp

dictionary

Internet Control Message Protocol settings.

administratively_prohibited

boolean

Administratively prohibited

Choices:

  • no

  • yes

alternate_address

boolean

Alternate address

Choices:

  • no

  • yes

conversion_error

boolean

Datagram conversion

Choices:

  • no

  • yes

dod_host_prohibited

boolean

Host prohibited

Choices:

  • no

  • yes

dod_net_prohibited

boolean

Net prohibited

Choices:

  • no

  • yes

echo

boolean

Echo (ping)

Choices:

  • no

  • yes

echo_reply

boolean

Echo reply

Choices:

  • no

  • yes

general_parameter_problem

boolean

Parameter problem

Choices:

  • no

  • yes

host_isolated

boolean

Host isolated

Choices:

  • no

  • yes

host_precedence_unreachable

boolean

Host unreachable for precedence

Choices:

  • no

  • yes

host_redirect

boolean

Host redirect

Choices:

  • no

  • yes

host_tos_redirect

boolean

Host redirect for TOS

Choices:

  • no

  • yes

host_tos_unreachable

boolean

Host unreachable for TOS

Choices:

  • no

  • yes

host_unknown

boolean

Host unknown

Choices:

  • no

  • yes

host_unreachable

boolean

Host unreachable

Choices:

  • no

  • yes

information_reply

boolean

Information replies

Choices:

  • no

  • yes

information_request

boolean

Information requests

Choices:

  • no

  • yes

mask_reply

boolean

Mask replies

Choices:

  • no

  • yes

mask_request

boolean

Mask requests

Choices:

  • no

  • yes

mobile_redirect

boolean

Mobile host redirect

Choices:

  • no

  • yes

net_redirect

boolean

Network redirect

Choices:

  • no

  • yes

net_tos_redirect

boolean

Net redirect for TOS

Choices:

  • no

  • yes

net_tos_unreachable

boolean

Network unreachable for TOS

Choices:

  • no

  • yes

net_unreachable

boolean

Net unreachable

Choices:

  • no

  • yes

network_unknown

boolean

Network unknown

Choices:

  • no

  • yes

no_room_for_option

boolean

Parameter required but no room

Choices:

  • no

  • yes

option_missing

boolean

Parameter required but not present

Choices:

  • no

  • yes

packet_too_big

boolean

Fragmentation needed and DF set

Choices:

  • no

  • yes

parameter_problem

boolean

All parameter problems

Choices:

  • no

  • yes

port_unreachable

boolean

Port unreachable

Choices:

  • no

  • yes

precedence_unreachable

boolean

Precedence cutoff

Choices:

  • no

  • yes

protocol_unreachable

boolean

Protocol unreachable

Choices:

  • no

  • yes

reassembly_timeout

boolean

Reassembly timeout

Choices:

  • no

  • yes

redirect

boolean

All redirects

Choices:

  • no

  • yes

router_advertisement

boolean

Router discovery advertisements

Choices:

  • no

  • yes

router_solicitation

boolean

Router discovery solicitations

Choices:

  • no

  • yes

source_quench

boolean

Source quenches

Choices:

  • no

  • yes

source_route_failed

boolean

Source route failed

Choices:

  • no

  • yes

time_exceeded

boolean

All time exceededs

Choices:

  • no

  • yes

timestamp_reply

boolean

Timestamp replies

Choices:

  • no

  • yes

timestamp_request

boolean

Timestamp requests

Choices:

  • no

  • yes

traceroute

boolean

Traceroute

Choices:

  • no

  • yes

ttl_exceeded

boolean

TTL exceeded

Choices:

  • no

  • yes

unreachable

boolean

All unreachables

Choices:

  • no

  • yes

icmpv6

dictionary

Internet Control Message Protocol settings for IPv6.

address_unreachable

boolean

Address Unreachable

Choices:

  • no

  • yes

administratively_prohibited

boolean

Administratively Prohibited

Choices:

  • no

  • yes

beyond_scope_of_source_address

boolean

Administratively Prohibited

Choices:

  • no

  • yes

destination_unreachable

boolean

Destination Unreachable

Choices:

  • no

  • yes

echo

boolean

Echo

Choices:

  • no

  • yes

echo_reply

boolean

Echo Reply

Choices:

  • no

  • yes

erroneous_header_field

boolean

Erroneous Header Field

Choices:

  • no

  • yes

group_membership_query

boolean

Group Membership Query

Choices:

  • no

  • yes

group_membership_report

boolean

Group Membership Report

Choices:

  • no

  • yes

group_membership_termination

boolean

Group Membership Termination

Choices:

  • no

  • yes

host_unreachable

boolean

Host Unreachable

Choices:

  • no

  • yes

nd_na

boolean

Neighbor Discovery - Neighbor Advertisement

Choices:

  • no

  • yes

nd_ns

boolean

Neighbor Discovery - Neighbor Solicitation

Choices:

  • no

  • yes

neighbor_redirect

boolean

Neighbor Redirect

Choices:

  • no

  • yes

no_route_to_destination

boolean

No Route To Destination

Choices:

  • no

  • yes

node_information_request_is_refused

boolean

Node Information Request Is Refused

Choices:

  • no

  • yes

node_information_successful_reply

boolean

Node Information Successful Reply

Choices:

  • no

  • yes

packet_too_big

boolean

Packet Too Big

Choices:

  • no

  • yes

parameter_problem

boolean

Parameter Problem

Choices:

  • no

  • yes

port_unreachable

boolean

Port Unreachable

Choices:

  • no

  • yes

query_subject_is_domainname

boolean

Query Subject Is Domain name

Choices:

  • no

  • yes

query_subject_is_IPv4address

boolean

Query Subject Is IPv4 address

Choices:

  • no

  • yes

query_subject_is_IPv6address

boolean

Query Subject Is IPv6 address

Choices:

  • no

  • yes

reassembly_timeout

boolean

Reassembly Timeout

Choices:

  • no

  • yes

redirect

boolean

Redirect

Choices:

  • no

  • yes

router_advertisement

boolean

Router Advertisement

Choices:

  • no

  • yes

router_renumbering

boolean

Router Renumbering

Choices:

  • no

  • yes

router_solicitation

boolean

Router Solicitation

Choices:

  • no

  • yes

rr_command

boolean

RR Command

Choices:

  • no

  • yes

rr_result

boolean

RR Result

Choices:

  • no

  • yes

rr_seqnum_reset

boolean

RR Seqnum Reset

Choices:

  • no

  • yes

time_exceeded

boolean

Time Exceeded

Choices:

  • no

  • yes

ttl_exceeded

boolean

TTL Exceeded

Choices:

  • no

  • yes

unknown_query_type

boolean

Unknown Query Type

Choices:

  • no

  • yes

unreachable

boolean

Unreachable

Choices:

  • no

  • yes

unrecognized_next_header

boolean

Unrecognized Next Header

Choices:

  • no

  • yes

unrecognized_option

boolean

Unrecognized Option

Choices:

  • no

  • yes

whoareyou_reply

boolean

Whoareyou Reply

Choices:

  • no

  • yes

whoareyou_request

boolean

Whoareyou Request

Choices:

  • no

  • yes

igmp

dictionary

Internet Group Management Protocol (IGMP) settings.

dvmrp

boolean

Match Distance Vector Multicast Routing Protocol

Choices:

  • no

  • yes

host_query

boolean

Match Host Query

Choices:

  • no

  • yes

host_report

boolean

Match Host Report

Choices:

  • no

  • yes

mtrace

boolean

Match mtrace

Choices:

  • no

  • yes

mtrace_response

boolean

Match mtrace response

Choices:

  • no

  • yes

pim

boolean

Match Protocol Independent Multicast

Choices:

  • no

  • yes

trace

boolean

Multicast trace

Choices:

  • no

  • yes

tcp

dictionary

Match TCP packet flags

ack

boolean

Match on the ACK bit

Choices:

  • no

  • yes

established

boolean

Match established connections

Choices:

  • no

  • yes

fin

boolean

Match on the FIN bit

Choices:

  • no

  • yes

psh

boolean

Match on the PSH bit

Choices:

  • no

  • yes

rst

boolean

Match on the RST bit

Choices:

  • no

  • yes

syn

boolean

Match on the SYN bit

Choices:

  • no

  • yes

urg

boolean

Match on the URG bit

Choices:

  • no

  • yes

remark

string

Comments or a description for the access list.

routing

boolean

Match if routing header is present.

Choices:

  • no

  • yes

sequence

integer

Sequence number for the Access Control Entry (ACE).

source

dictionary

Specifies the packet source.

address

string

The source IP address to match.

any

boolean

Match any source address.

Choices:

  • no

  • yes

host

string

The host IP address to match.

net_group

string

Name of net-group.

port_group

string

Name of port-group.

port_protocol

dictionary

Specify the source port or protocol.

eq

string

Match only packets on a given port number.

gt

string

Match only packets with a greater port number.

lt

string

Match only packets with a lower port number.

neq

string

Match only packets not on a given port number.

range

dictionary

Match only packets in the range of port numbers

end

string

Specify the end of the port range

start

string

Specify the start of the port range

prefix

string

Source network prefix.

wildcard_bits

string

The Wildcard bits to apply to source address.

ttl

dictionary

Match against specified TTL value.

eq

integer

Match only packets with exact TTL value.

gt

integer

Match only packets with a greater TTL value.

lt

integer

Match only packets with a lower TTL value.

neq

integer

Match only packets that do not have the given TTL value.

range

dictionary

Match only packets in the range of given TTL values.

end

integer

End of the TTL range.

start

integer

Start of the TTL range.

name

string

The name of the Access Control List (ACL).

afi

string / required

The Address Family Indicator (AFI) for the Access Control Lists (ACLs).

Choices:

  • ipv4

  • ipv6

running_config

string

The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison. The value of this option should be the output received from the device by executing the command show running-config router static.

state

string

The state the configuration should be left in.

Choices:

  • merged ← (default)

  • replaced

  • overridden

  • deleted

  • gathered

  • rendered

  • parsed

Examples

# Using merged to add new ACLs

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#

- name: Merge the provided configuration with the existing running configuration
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv6
      acls:
      - name: acl6_1
        aces:
        - sequence: 10
          grant: deny
          protocol: tcp
          source:
            prefix: 2001:db8:1234::/48
            port_protocol:
              range:
                start: ftp
                end: telnet
          destination:
            any: true
          protocol_options:
            tcp:
              syn: true
          ttl:
            range:
              start: 180
              end: 250
          routing: true
          authen: true
          log: true

        - sequence: 20
          grant: permit
          protocol: icmpv6
          source:
            any: true
          destination:
            any: true
          protocol_options:
            icmpv6:
              router_advertisement: true
          precedence: network
          destopts: true

    - afi: ipv4
      acls:
      - name: acl_1
        aces:
        - sequence: 16
          remark: TEST_ACL_1_REMARK

        - sequence: 21
          grant: permit
          protocol: tcp
          source:
            host: 192.0.2.10
            port_protocol:
              range:
                start: pop3
                end: 121
          destination:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.15
          protocol_options:
            tcp:
              rst: true

        - sequence: 23
          grant: deny
          protocol: icmp
          source:
            any: true
          destination:
            prefix: 198.51.100.0/28
          protocol_options:
            icmp:
              reassembly_timeout: true
          dscp:
            lt: af12

      - name: acl_2
        aces:
        - sequence: 10
          remark: TEST_ACL_2_REMARK
    state: merged

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

# Using merged to update existing ACLs

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Update existing ACEs
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv4
      acls:
      - name: acl_1
        aces:
        - sequence: 21
          source:
            prefix: 198.51.100.32/28
            port_protocol:
              range:
                start: pop3
                end: 121
          protocol_options:
            tcp:
              syn: true

        - sequence: 23
          protocol_options:
            icmp:
              router_advertisement: true
          dscp:
            eq: af23

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:47:18.711 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
#  23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

# Using replaced to replace a whole ACL

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Replace device configurations of listed ACL with provided configurations
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv4
      acls:
      - name: acl_2
        aces:
        - sequence: 11
          grant: permit
          protocol: igmp
          source:
            host: 198.51.100.130
          destination:
            any: true
          ttl:
            eq: 100

        - sequence: 12
          grant: deny
          source:
            any: true
          destination:
            any: true
          protocol: icmp
    state: replaced

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:19:51.496 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
#  23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
#  11 permit igmp host 198.51.100.130 any ttl eq 100
#  12 deny icmp any any
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

# Using overridden to override all ACLs in the device

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Override all ACLs configuration with provided configuration
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv4
      acls:
      - name: acl_1
        aces:
        - sequence: 10
          grant: permit
          source:
            any: true
          destination:
            any: true
          protocol: tcp

      - name: acl_2
        aces:
        - sequence: 20
          grant: permit
          source:
            any: true
          destination:
            any: true
          protocol: igmp
    state: overridden

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:31:22.178 UTC
# ipv4 access-list acl_1
#  10 permit tcp any any
# ipv4 access-list acl_2
#  20 permit igmp any any

# Using deleted to delete an entire ACL

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete a single ACL
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv6
      acls:
      - name: acl6_1
    state: deleted

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK

# Using deleted to delete all ACLs under one AFI

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete all ACLs under one AFI
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv4
    state: deleted

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

# Using deleted to delete all ACLs from the device

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete all ACLs from the device
  cisco.iosxr.iosxr_acls:
    state: deleted

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#

# Using gathered to gather ACL facts from the device

- name: Gather ACL facts using gathered state
  cisco.iosxr.iosxr_acls:
    state: gathered

# Task Output (redacted)
# -----------------------
#

# "gathered": [
#    {
#        "acls": [
#            {
#                "aces": [
#                    {
#                        "remark": "TEST_ACL_1_REMARK",
#                        "sequence": 16
#                    },
#                    {
#                        "destination": {
#                            "address": "198.51.100.0",
#                            "wildcard_bits": "0.0.0.15"
#                        },
#                        "grant": "permit",
#                        "protocol": "tcp",
#                        "protocol_options": {
#                            "tcp": {
#                                "rst": true
#                            }
#                        },
#                        "sequence": 21,
#                        "source": {
#                            "host": "192.0.2.10",
#                            "port_protocol": {
#                                "range": {
#                                    "end": "121",
#                                    "start": "pop3"
#                                }
#                            }
#                        }
#                    },
#                    {
#                        "destination": {
#                            "address": "198.51.100.0",
#                            "wildcard_bits": "0.0.0.15"
#                        },
#                        "dscp": {
#                            "lt": "af12"
#                        },
#                        "grant": "deny",
#                        "protocol": "icmp",
#                        "protocol_options": {
#                            "icmp": {
#                                "reassembly_timeout": true
#                            }
#                        },
#                        "sequence": 23,
#                        "source": {
#                            "any": true
#                        }
#                    }
#                ],
#                "name": "acl_1"
#            },
#            {
#                "aces": [
#                    {
#                        "remark": "TEST_ACL_2_REMARK",
#                        "sequence": 10
#                    }
#                ],
#                "name": "acl_2"
#            }
#        ],
#        "afi": "ipv4"
#    },
#    {
#        "acls": [
#            {
#                "aces": [
#                    {
#                        "authen": true,
#                        "destination": {
#                            "any": true
#                        },
#                        "grant": "deny",
#                        "log": true,
#                        "protocol": "tcp",
#                        "protocol_options": {
#                            "tcp": {
#                                "syn": true
#                            }
#                        },
#                        "routing": true,
#                        "sequence": 10,
#                        "source": {
#                            "port_protocol": {
#                                "range": {
#                                   "end": "telnet",
#                                   "start": "ftp"
#                                }
#                            },
#                            "prefix": "2001:db8:1234::/48"
#                        },
#                        "ttl": {
#                            "range": {
#                                "end": 250,
#                                "start": 180
#                            }
#                        }
#                    },
#                    {
#                        "destination": {
#                            "any": true
#                        },
#                        "destopts": true,
#                        "grant": "permit",
#                        "precedence": "network",
#                        "protocol": "icmpv6",
#                        "protocol_options": {
#                            "icmpv6": {
#                                "router_advertisement": true
#                            }
#                        },
#                        "sequence": 20,
#                        "source": {
#                            "any": true
#                        }
#                    }
#                ],
#                "name": "acl6_1"
#            }
#        ],
#        "afi": "ipv6"
#    }
#  ]
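The structure returned by state: gathered (and state: parsed) is a convenient input for an ACL hygiene check run from the controller. The following Python is an added example, not code from the cisco.iosxr collection: it walks the afi -> acls -> aces model documented above and reports permit ACEs that match any source to any destination with no port or protocol-option narrowing, deny ACEs that do not log, ACLs whose last non-remark ACE is not an explicit deny, and ACEs that only came back as an unparsed line. The sample input is constructed to mirror the ACL state shown in the examples on this page.

```python
"""Audit the ACL data model returned by `state: gathered` / `state: parsed`.

Added illustration, not part of cisco.iosxr; the structure walked here is the
one documented on this page (afi -> acls -> aces).
"""


def _is_any(endpoint):
    """True when a source/destination dict matches every address."""
    return bool(endpoint) and endpoint.get("any") is True


def _has_port_restriction(endpoint):
    """True when the endpoint dict carries an eq/gt/lt/neq/range port match."""
    pp = (endpoint or {}).get("port_protocol") or {}
    return any(k in pp for k in ("eq", "gt", "lt", "neq", "range"))


def audit_acls(gathered):
    """Return a list of (afi, acl_name, sequence, finding) tuples.

    Findings raised:
      - permit_any_any: a permit ACE from any source to any destination with
        no port restriction and no protocol_options, i.e. the whole protocol.
      - deny_without_log: a deny ACE with neither log nor log_input set, so
        dropped traffic leaves no record.
      - no_explicit_deny: the last non-remark ACE is not a deny, so the ACL
        relies on the implicit deny and nothing is logged for what it drops.
      - unparsed_ace: the ACE came back only as the `line` attribute, so the
        checks above could not be applied to it.
    """
    findings = []
    for afi_entry in gathered:
        afi = afi_entry.get("afi")
        for acl in afi_entry.get("acls") or []:
            name = acl.get("name")
            aces = sorted(acl.get("aces") or [], key=lambda a: a.get("sequence", 0))
            # Remarks carry no match logic; keep everything else in sequence order.
            real_aces = [a for a in aces if "remark" not in a]
            for ace in real_aces:
                seq = ace.get("sequence")
                if "line" in ace:
                    findings.append((afi, name, seq, "unparsed_ace"))
                    continue
                grant = ace.get("grant")
                wide_open = (
                    grant == "permit"
                    and _is_any(ace.get("source"))
                    and _is_any(ace.get("destination"))
                    and not _has_port_restriction(ace.get("source"))
                    and not _has_port_restriction(ace.get("destination"))
                    and not ace.get("protocol_options")
                )
                if wide_open:
                    findings.append((afi, name, seq, "permit_any_any"))
                if grant == "deny" and not (ace.get("log") or ace.get("log_input")):
                    findings.append((afi, name, seq, "deny_without_log"))
            last = real_aces[-1] if real_aces else None
            # An unparsed last line cannot be judged, so it is not reported here.
            if last is None or ("line" not in last and last.get("grant") != "deny"):
                last_seq = last.get("sequence") if last else None
                findings.append((afi, name, last_seq, "no_explicit_deny"))
    return findings


# Constructed sample in the module's gathered format, mirroring the
# "overridden" after-state on this page plus the ipv6 ACL from "merged".
SAMPLE_GATHERED = [
    {
        "afi": "ipv4",
        "acls": [
            {"name": "acl_1", "aces": [
                {"sequence": 10, "grant": "permit", "protocol": "tcp",
                 "source": {"any": True}, "destination": {"any": True}},
            ]},
            {"name": "acl_2", "aces": [
                {"sequence": 20, "grant": "permit", "protocol": "igmp",
                 "source": {"any": True}, "destination": {"any": True}},
            ]},
        ],
    },
    {
        "afi": "ipv6",
        "acls": [
            {"name": "acl6_1", "aces": [
                {"sequence": 10, "grant": "deny", "protocol": "tcp", "log": True,
                 "source": {"prefix": "2001:db8:1234::/48",
                            "port_protocol": {"range": {"start": "ftp", "end": "telnet"}}},
                 "destination": {"any": True},
                 "protocol_options": {"tcp": {"syn": True}}},
                {"sequence": 20, "grant": "permit", "protocol": "icmpv6",
                 "source": {"any": True}, "destination": {"any": True},
                 "protocol_options": {"icmpv6": {"router_advertisement": True}}},
            ]},
        ],
    },
]

if __name__ == "__main__":
    for finding in audit_acls(SAMPLE_GATHERED):
        print("%s %s seq=%s: %s" % finding)
```

In a playbook the same check can run against the registered result of a state: gathered task, with result.gathered passed to audit_acls.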

# Using rendered

- name: Render platform specific commands (without connecting to the device)
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv4
      acls:
      - name: acl_2
        aces:
        - sequence: 11
          grant: permit
          protocol: igmp
          source:
            host: 198.51.100.130
          destination:
            any: true
          ttl:
            eq: 100

        - sequence: 12
          grant: deny
          source:
            any: true
          destination:
            any: true
          protocol: icmp
    state: rendered

# Task Output (redacted)
# -----------------------

# "rendered": [
#    "ipv4 access-list acl_2",
#    "11 permit igmp host 198.51.100.130 any ttl eq 100",
#    "12 deny icmp any any"
# ]

# Using parsed

# parsed.cfg
# ------------
#
# ipv4 access-list acl_1
#  10 remark TEST_ACL_2_REMARK
# ipv4 access-list acl_2
#  11 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log
#  21 permit icmpv6 any any router-advertisement precedence network packet-length eq 576 destopts
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network packet-length eq 576 destopts

- name: Parse externally provided ACL config to agnostic model
  cisco.iosxr.iosxr_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed

# Task Output (redacted)
# -----------------------
#  "parsed": [
#        {
#            "acls": [
#                {
#                    "aces": [
#                      {
#                            "remark": "TEST_ACL_2_REMARK",
#                            "sequence": 10
#                        }
#                    ],
#                   "name": "acl_1"
#                },
#                {
#                    "aces": [
#                        {
#                            "authen": true,
#                            "destination": {
#                                "any": true
#                            },
#                            "grant": "deny",
#                            "log": true,
#                            "protocol": "tcp",
#                            "protocol_options": {
#                                "tcp": {
#                                    "syn": true
#                                }
#                            },
#                            "routing": true,
#                            "sequence": 11,
#                            "source": {
#                                "port_protocol": {
#                                    "range": {
#                                        "end": "telnet",
#                                        "start": "ftp"
#                                    }
#                                },
#                                "prefix": "2001:db8:1234::/48"
#                            },
#                            "ttl": {
#                                "range": {
#                                    "end": 250,
#                                    "start": 180
#                                }
#                            }
#                        },
#                        {
#                            "destination": {
#                                "any": true
#                            },
#                            "destopts": true,
#                            "grant": "permit",
#                            "packet_length": {
#                                "eq": 576
#                            },
#                            "precedence": "network",
#                            "protocol": "icmpv6",
#                            "protocol_options": {
#                                "icmpv6": {
#                                    "router_advertisement": true
#                                }
#                            },
#                            "sequence": 21,
#                            "source": {
#                                "any": true
#                            }
#                        }
#                    ],
#                    "name": "acl_2"
#                }
#            ],
#            "afi": "ipv4"
#        },
#        {
#            "acls": [
#                {
#                    "aces": [
#                        {
#                            "authen": true,
#                            "destination": {
#                                "any": true
#                            },
#                            "grant": "deny",
#                            "log": true,
#                            "protocol": "tcp",
#                            "protocol_options": {
#                                "tcp": {
#                                    "syn": true
#                                }
#                            },
#                            "routing": true,
#                            "sequence": 10,
#                            "source": {
#                                "port_protocol": {
#                                    "range": {
#                                        "end": "telnet",
#                                        "start": "ftp"
#                                    }
#                                },
#                                "prefix": "2001:db8:1234::/48"
#                            },
#                            "ttl": {
#                                "range": {
#                                    "end": 250,
#                                    "start": 180
#                                }
#                            }
#                        },
#                        {
#                            "destination": {
#                                "any": true
#                            },
#                            "destopts": true,
#                            "grant": "permit",
#                            "packet_length": {
#                                "eq": 576
#                            },
#                            "precedence": "network",
#                            "protocol": "icmpv6",
#                            "protocol_options": {
#                                "icmpv6": {
#                                    "router_advertisement": true
#                                }
#                            },
#                            "sequence": 20,
#                            "source": {
#                                "any": true
#                            }
#                        }
#                    ],
#                    "name": "acl6_1"
#                }
#            ],
#            "afi": "ipv6"
#        }
#    ]
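The `parsed` result above is a purely syntactic transform of the text. Note that `acl_2` is declared as an `ipv4 access-list`, yet its first ACE carries the IPv6 prefix `2001:db8:1234::/48` and the second matches `icmpv6`, and the module reproduces both under `"afi": "ipv4"` without complaint: the parser does not validate addresses or protocols against the address family, so any such check is yours to make. The following is an added example, not part of the cisco.iosxr collection: a Python script that walks the same structure (the `before` and `after` return values share its shape) and flags the entries a security reviewer would question. The `PARSED` sample is constructed to mirror the documented output, plus a hypothetical `edge_in` ACL that exercises every check.

```python
"""Audit the ACL data model returned by cisco.iosxr.iosxr_acls.

Added example, not part of the cisco.iosxr collection. It reads the list
documented above under "parsed" (the "before" and "after" return values use
the same shape) and reports entries a security reviewer would question.
"""
from ipaddress import ip_network

# Constructed sample in the shape of the module's "parsed" output. The first
# two ACLs mirror the documented result; "edge_in" is hypothetical and exists
# only to exercise every check below.
PARSED = [{
    "afi": "ipv4",
    "acls": [
        {"name": "acl_1",
         "aces": [{"sequence": 10, "remark": "TEST_ACL_2_REMARK"}]},
        {"name": "acl_2",
         "aces": [
             {"sequence": 11, "grant": "deny", "protocol": "tcp", "log": True,
              "source": {"prefix": "2001:db8:1234::/48"},
              "destination": {"any": True}},
             {"sequence": 21, "grant": "permit", "protocol": "icmpv6",
              "source": {"any": True}, "destination": {"any": True}}]},
        {"name": "edge_in",
         "aces": [
             {"sequence": 10, "grant": "permit", "protocol": "ipv4",
              "source": {"any": True}, "destination": {"any": True}},
             {"sequence": 10, "grant": "deny", "protocol": "ipv4",
              "source": {"host": "192.0.2.10"}, "destination": {"any": True}}]},
    ],
}]


def address_version(endpoint):
    """IP version (4 or 6) of the literal address in a source/destination
    dictionary, or None when it has none (any, net-group, port-group)."""
    for key in ("prefix", "host", "address"):
        value = endpoint.get(key)
        if value:
            try:
                return ip_network(value, strict=False).version
            except ValueError:
                return None
    return None


def is_deny_any_any(ace):
    """True for an explicit 'deny ... any any' entry."""
    return (ace.get("grant") == "deny"
            and bool(ace.get("source", {}).get("any"))
            and bool(ace.get("destination", {}).get("any")))


def audit_acl(afi, acl):
    """Return (check, acl_name, sequence, detail) tuples for one ACL."""
    findings = []
    name = acl.get("name")
    want = 4 if afi == "ipv4" else 6
    seen = set()
    last_rule = None  # last non-remark ACE, for the final-deny check
    for ace in acl.get("aces", []):
        seq = ace.get("sequence")
        if seq in seen:
            findings.append(("duplicate_sequence", name, seq, "sequence reused"))
        seen.add(seq)
        if "remark" in ace:
            continue
        last_rule = ace
        src, dst = ace.get("source", {}), ace.get("destination", {})
        # The parsed state does not check addresses against the ACL's address
        # family (see acl_2 above), so do it here.
        for side, endpoint in (("source", src), ("destination", dst)):
            version = address_version(endpoint)
            if version is not None and version != want:
                findings.append(("afi_mismatch", name, seq,
                                 f"{side} is IPv{version} in an {afi} ACL"))
        # A blanket permit of the whole address family.
        if (ace.get("grant") == "permit" and src.get("any") and dst.get("any")
                and ace.get("protocol") in ("ipv4", "ipv6")):
            findings.append(("permit_any_any", name, seq, "permits all traffic"))
        # Unlogged denies leave no record of what was blocked.
        if ace.get("grant") == "deny" and not ace.get("log"):
            findings.append(("deny_without_log", name, seq, "deny is not logged"))
    # IOS-XR drops anything not matched by an applied ACL (implicit deny); an
    # explicit final "deny <afi> any any" is what gives you a counter and a log.
    if last_rule is None or not is_deny_any_any(last_rule):
        seq = last_rule.get("sequence") if last_rule else None
        findings.append(("no_explicit_final_deny", name, seq,
                         "last entry is not a deny any any"))
    return findings


def audit(parsed):
    """Audit every ACL in a parsed/before/after structure."""
    findings = []
    for family in parsed:
        for acl in family.get("acls", []):
            findings.extend(audit_acl(family.get("afi"), acl))
    return findings


if __name__ == "__main__":
    for check, name, seq, detail in audit(PARSED):
        print(f"{check:22} {name:8} seq={seq!s:5} {detail}")
```

Running the script prints the findings for the embedded sample; on the documented data it reports the IPv6 prefix inside `acl_2`, and that neither `acl_1` nor `acl_2` ends in an explicit deny. To audit a real device, register the task that returns `parsed` (or `before`) and pass that list to `audit()`. Treat `deny_without_log` as informational: logging every deny has a cost on the router, so whether a deny should log is a design decision rather than a defect.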

Return Values

Common return values are documented here; the following are the fields unique to this module:

after (list / elements=string)

The resulting configuration after the module invocation.

Returned: when changed

Sample: "The configuration returned will always be in the same format as the parameters above."

before (list / elements=string)

The configuration prior to the module invocation.

Returned: always

Sample: "The configuration returned will always be in the same format as the parameters above."

commands (list / elements=string)

The set of commands pushed to the remote device. Running the task with check_mode: true returns this list without pushing it, which is the point at which to review a change before it reaches the device.

Returned: always

Sample:

  "ipv6 access-list acl6_1"
  "10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log"
  "20 permit icmpv6 any any router-advertisement precedence network destopts"
  "ipv4 access-list acl_1"
  "16 remark TEST_ACL_1_REMARK"
  "21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst"
  "23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12"

Authors

  • Nilashish Chakraborty (@NilashishC)