cisco.nxos.nxos_acls module – ACLs resource module
Note
This module is part of the cisco.nxos collection (version 2.9.1).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cisco.nxos.
To use it in a playbook, specify: cisco.nxos.nxos_acls.
New in version 1.0.0: of cisco.nxos
Synopsis
Manage named IP ACLs on the Cisco NX-OS platform
Note
This module has a corresponding action plugin.
Parameters
Parameter |
Comments |
|---|---|
A dictionary of ACL options. |
|
A list of the ACLs. |
|
The entries within the ACL. |
|
Specify the packet destination. |
|
Destination network address. |
|
Any destination address. Choices:
|
|
Host IP address. |
|
Specify the destination port or protocol (only for TCP and UDP). |
|
Match only packets on a given port number. |
|
Match only packets with a greater port number. |
|
Match only packets with a lower port number. |
|
Match only packets not on a given port number. |
|
Match only packets in the range of port numbers. |
|
Specify the end of the port range. |
|
Specify the start of the port range. |
|
Destination network prefix. Only for prefixes of value less than 31 for ipv4 and 127 for ipv6. Prefixes of 32 (ipv4) and 128 (ipv6) should be given in the ‘host’ key. |
|
Destination wildcard bits. |
|
Match packets with given DSCP value. |
|
Check non-initial fragments. Choices:
|
|
Action to be applied on the rule. Choices:
|
|
Log matches against this entry. Choices:
|
|
Match packets with given precedence value. |
|
Specify the protocol. |
|
All possible suboptions for the protocol chosen. |
|
ICMP protocol options. |
|
Administratively prohibited Choices:
|
|
Alternate address Choices:
|
|
Datagram conversion Choices:
|
|
Host prohibited Choices:
|
|
Net prohibited Choices:
|
|
Echo (ping) Choices:
|
|
Echo reply Choices:
|
|
Echo request (ping) Choices:
|
|
Parameter problem Choices:
|
|
Host isolated Choices:
|
|
Host unreachable for precedence Choices:
|
|
Host redirect Choices:
|
|
Host redirect for TOS Choices:
|
|
Host unreachable for TOS Choices:
|
|
Host unknown Choices:
|
|
Host unreachable Choices:
|
|
Information replies Choices:
|
|
Information requests Choices:
|
|
Mask replies Choices:
|
|
Mask requests Choices:
|
|
ICMP message code |
|
ICMP message type |
|
Mobile host redirect Choices:
|
|
Network redirect Choices:
|
|
Net redirect for TOS Choices:
|
|
Network unreachable for TOS Choices:
|
|
Net unreachable Choices:
|
|
Network unknown Choices:
|
|
Parameter required but no room Choices:
|
|
Parameter required but not present Choices:
|
|
Fragmentation needed and DF set Choices:
|
|
All parameter problems Choices:
|
|
Port unreachable Choices:
|
|
Precedence cutoff Choices:
|
|
Protocol unreachable Choices:
|
|
Reassembly timeout Choices:
|
|
All redirects Choices:
|
|
Router discovery advertisements Choices:
|
|
Router discovery solicitations Choices:
|
|
Source quenches Choices:
|
|
Source route failed Choices:
|
|
All time exceeded. Choices:
|
|
Timestamp replies Choices:
|
|
Timestamp requests Choices:
|
|
Traceroute Choices:
|
|
TTL exceeded Choices:
|
|
All unreachables Choices:
|
|
IGMP protocol options. |
|
Distance Vector Multicast Routing Protocol Choices:
|
|
Host Query Choices:
|
|
Host Report Choices:
|
|
TCP flags. |
|
Match on the ACK bit Choices:
|
|
Match established connections Choices:
|
|
Match on the FIN bit Choices:
|
|
Match on the PSH bit Choices:
|
|
Match on the RST bit Choices:
|
|
Match on the SYN bit Choices:
|
|
Match on the URG bit Choices:
|
|
Access list entry comment. |
|
Sequence number. |
|
Specify the packet source. |
|
Source network address. |
|
Any source address. Choices:
|
|
Host IP address. |
|
Specify the destination port or protocol (only for TCP and UDP). |
|
Match only packets on a given port number. |
|
Match only packets with a greater port number. |
|
Match only packets with a lower port number. |
|
Match only packets not on a given port number. |
|
Match only packets in the range of port numbers. |
|
Specify the end of the port range. |
|
Specify the start of the port range. |
|
Source network prefix. Only for prefixes of mask value less than 31 for ipv4 and 127 for ipv6. Prefixes of mask 32 (ipv4) and 128 (ipv6) should be given in the ‘host’ key. |
|
Source wildcard bits. |
|
Name of the ACL. |
|
The Address Family Indicator (AFI) for the ACL. Choices:
|
|
This option is used only with state parsed. The value of this option should be the output received from the NX-OS device by executing the command show running-config | section ‘ip(v6* access-list). The state parsed reads the configuration from |
|
The state the configuration should be left in Choices:
|
Notes
Note
Tested against NX-OS 7.3.(0)D1(1) on VIRL
Unsupported for Cisco MDS
As NX-OS allows configuring a rule again with different sequence numbers, the user is expected to provide sequence numbers for the access control entries to preserve idempotency. If no sequence number is given, the rule will be added as a new rule by the device.
Examples
# Using merged
# Before state:
# -------------
#
- name: Merge new ACLs configuration
cisco.nxos.nxos_acls:
config:
- afi: ipv4
acls:
- name: ACL1v4
aces:
- grant: deny
destination:
address: 192.0.2.64
wildcard_bits: 0.0.0.255
source:
any: true
port_protocol:
lt: 55
protocol: tcp
protocol_options:
tcp:
ack: true
fin: true
sequence: 50
- afi: ipv6
acls:
- name: ACL1v6
aces:
- grant: permit
sequence: 10
source:
any: true
destination:
prefix: 2001:db8:12::/32
protocol: sctp
state: merged
# After state:
# ------------
#
# ip access-list ACL1v4
# 50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
# ipv6 access-list ACL1v6
# 10 permit sctp any any
# Using replaced
# Before state:
# ----------------
#
# ip access-list ACL1v4
# 10 permit ip any any
# 20 deny udp any any
# ip access-list ACL2v4
# 10 permit ahp 192.0.2.0 0.0.0.255 any
# ip access-list ACL1v6
# 10 permit sctp any any
# 20 remark IPv6 ACL
# ip access-list ACL2v6
# 10 deny ipv6 any 2001:db8:3000::/36
# 20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128
- name: Replace existing ACL configuration with provided configuration
cisco.nxos.nxos_acls:
config:
- afi: ipv4
- afi: ipv6
acls:
- name: ACL1v6
aces:
- sequence: 20
grant: permit
source:
any: true
destination:
any: true
protocol: pip
- remark: Replaced ACE
- name: ACL2v6
state: replaced
# After state:
# ---------------
#
# ipv6 access-list ACL1v6
# 20 permit pip any any
# 30 remark Replaced ACE
# ipv6 access-list ACL2v6
# Using overridden
# Before state:
# ----------------
#
# ip access-list ACL1v4
# 10 permit ip any any
# 20 deny udp any any
# ip access-list ACL2v4
# 10 permit ahp 192.0.2.0 0.0.0.255 any
# ip access-list ACL1v6
# 10 permit sctp any any
# 20 remark IPv6 ACL
# ip access-list ACL2v6
# 10 deny ipv6 any 2001:db8:3000::/36
# 20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128
- name: Override existing configuration with provided configuration
cisco.nxos.nxos_acls:
config:
- afi: ipv4
acls:
- name: NewACL
aces:
- grant: deny
source:
address: 192.0.2.0
wildcard_bits: 0.0.255.255
destination:
any: true
protocol: eigrp
- remark: Example for overridden state
state: overridden
# After state:
# ------------
#
# ip access-list NewACL
# 10 deny eigrp 192.0.2.0 0.0.255.255 any
# 20 remark Example for overridden state
# Using deleted:
#
# Before state:
# -------------
#
# ip access-list ACL1v4
# 10 permit ip any any
# 20 deny udp any any
# ip access-list ACL2v4
# 10 permit ahp 192.0.2.0 0.0.0.255 any
# ip access-list ACL1v6
# 10 permit sctp any any
# 20 remark IPv6 ACL
# ip access-list ACL2v6
# 10 deny ipv6 any 2001:db8:3000::/36
# 20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128
- name: Delete all ACLs
cisco.nxos.nxos_acls:
config:
state: deleted
# After state:
# -----------
#
# Before state:
# -------------
#
# ip access-list ACL1v4
# 10 permit ip any any
# 20 deny udp any any
# ip access-list ACL2v4
# 10 permit ahp 192.0.2.0 0.0.0.255 any
# ip access-list ACL1v6
# 10 permit sctp any any
# 20 remark IPv6 ACL
# ip access-list ACL2v6
# 10 deny ipv6 any 2001:db8:3000::/36
# 20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128
- name: Delete all ACLs in given AFI
cisco.nxos.nxos_acls:
config:
- afi: ipv4
state: deleted
# After state:
# ------------
#
# ip access-list ACL1v6
# 10 permit sctp any any
# 20 remark IPv6 ACL
# ip access-list ACL2v6
# 10 deny ipv6 any 2001:db8:3000::/36
# 20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128
# Before state:
# -------------
#
# ip access-list ACL1v4
# 10 permit ip any any
# 20 deny udp any any
# ip access-list ACL2v4
# 10 permit ahp 192.0.2.0 0.0.0.255 any
# ipv6 access-list ACL1v6
# 10 permit sctp any any
# 20 remark IPv6 ACL
# ipv6 access-list ACL2v6
# 10 deny ipv6 any 2001:db8:3000::/36
# 20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128
- name: Delete specific ACLs
cisco.nxos.nxos_acls:
config:
- afi: ipv4
acls:
- name: ACL1v4
- name: ACL2v4
- afi: ipv6
acls:
- name: ACL1v6
state: deleted
# After state:
# ------------
# ipv6 access-list ACL2v6
# 10 deny ipv6 any 2001:db8:3000::/36
# 20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128
# Using parsed
- name: Parse given config to structured data
cisco.nxos.nxos_acls:
running_config: |
ip access-list ACL1v4
50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
ipv6 access-list ACL1v6
10 permit sctp any any
state: parsed
# returns:
# parsed:
# - afi: ipv4
# acls:
# - name: ACL1v4
# aces:
# - grant: deny
# destination:
# address: 192.0.2.64
# wildcard_bits: 0.0.0.255
# source:
# any: true
# port_protocol:
# lt: 55
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# fin: true
# sequence: 50
#
# - afi: ipv6
# acls:
# - name: ACL1v6
# aces:
# - grant: permit
# sequence: 10
# source:
# any: true
# destination:
# prefix: 2001:db8:12::/32
# protocol: sctp
# Using gathered:
# Before state:
# ------------
#
# ip access-list ACL1v4
# 50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
# ipv6 access-list ACL1v6
# 10 permit sctp any any
- name: Gather existing configuration
cisco.nxos.nxos_acls:
state: gathered
# returns:
# gathered:
# - afi: ipv4
# acls:
# - name: ACL1v4
# aces:
# - grant: deny
# destination:
# address: 192.0.2.64
# wildcard_bits: 0.0.0.255
# source:
# any: true
# port_protocol:
# lt: 55
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# fin: true
# sequence: 50
# - afi: ipv6
# acls:
# - name: ACL1v6
# aces:
# - grant: permit
# sequence: 10
# source:
# any: true
# destination:
# prefix: 2001:db8:12::/32
# protocol: sctp
# Using rendered
- name: Render required configuration to be pushed to the device
cisco.nxos.nxos_acls:
config:
- afi: ipv4
acls:
- name: ACL1v4
aces:
- grant: deny
destination:
address: 192.0.2.64
wildcard_bits: 0.0.0.255
source:
any: true
port_protocol:
lt: 55
protocol: tcp
protocol_options:
tcp:
ack: true
fin: true
sequence: 50
- afi: ipv6
acls:
- name: ACL1v6
aces:
- grant: permit
sequence: 10
source:
any: true
destination:
prefix: 2001:db8:12::/32
protocol: sctp
state: rendered
# returns:
# rendered:
# ip access-list ACL1v4
# 50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
# ipv6 access-list ACL1v6
# 10 permit sctp any any
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
The resulting configuration model invocation. Returned: when changed Sample: “The configuration returned will always be in the same format\n of the parameters above.\n” |
|
The configuration prior to the model invocation. Returned: always Sample: “The configuration returned will always be in the same format\n of the parameters above.\n” |
|
The set of commands pushed to the remote device. Returned: always Sample: [“ip access-list ACL1v4”, “10 permit ip any any precedence critical log”, “20 deny tcp any lt smtp host 192.0.2.64 ack fin”] |
Authors
Adharsh Srivats Rangarajan (@adharshsrivatsr)