dellemc.enterprise_sonic.sonic_l2_acls module – Manage Layer 2 access control lists (ACL) configurations on SONiC
Note
This module is part of the dellemc.enterprise_sonic collection (version 2.2.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic
.
To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_l2_acls
.
New in dellemc.enterprise_sonic 2.1.0
Synopsis
This module provides configuration management of Layer 2 access control lists (ACL) in devices running SONiC.
Parameters
Parameter |
Comments |
---|---|
Specifies Layer 2 ACL configurations. |
|
Specifies the ACL name. |
|
Specifies remark for the ACL. |
|
List of rules with the ACL. sequence_num, action, source & destination are required for adding a new rule. If state=deleted, options other than sequence_num are not considered. ethertype and vlan_tag_format are mutually exclusive. |
|
Specifies the action taken on the matched Ethernet frame. Choices:
|
|
Match Ethernet frame with the given Drop Eligible Indicator (DEI) value. Choices:
|
|
Specifies the destination of the Ethernet frame. address and address_mask are required together. any, host and address are mutually exclusive. |
|
Destination MAC address. |
|
Destination MAC address mask. |
|
Match any destination MAC address. Choices:
|
|
MAC address of a single destination host. |
|
Specifies the EtherType of the Ethernet frame. Only one suboption can be specified for ethertype in a rule. |
|
Match Ethernet frame with ARP EtherType (0x806). Choices:
|
|
Match Ethernet frame with IPv4 EtherType (0x800). Choices:
|
|
Match Ethernet frame with IPv6 EtherType (0x86DD). Choices:
|
|
Specifies the EtherType value to match as a hexadecimal string. The range is from 0x600 to 0xffff. |
|
Match Ethernet frames using Priority Code Point (PCP) value. mask is valid only when value is specified. value and traffic_type are mutually exclusive. |
|
Match Ethernet frame with given PCP value and mask. The range is from 0 to 7. |
|
Match Ethernet frame with PCP value for the given traffic type.
Choices:
|
|
Match Ethernet frame with the given PCP value. The range is from 0 to 7 |
|
Specifies remark for the ACL rule. |
|
Specifies the sequence number of the rule. The range is from 1 to 65535. |
|
Specifies the source of the Ethernet frame. address and address_mask are required together. any, host and address are mutually exclusive. |
|
Source MAC address. |
|
Source MAC address mask. |
|
Match any source MAC address. Choices:
|
|
MAC address of a single source host. |
|
Match Ethernet frame with the given VLAN ID. |
|
Match Ethernet frame with the given VLAN tag format. |
|
Match three of more VLAN tagged Ethernet frame. Choices:
|
|
The state of the configuration after module completion.
Choices:
|
Examples
# Using merged
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# sonic#
- name: Merge provided Layer 2 ACL configurations
dellemc.enterprise_sonic.sonic_l2_acls:
config:
- name: 'test'
rules:
- sequence_num: 2
action: 'permit'
source:
any: true
destination:
any: true
ethertype:
value: '0x88cc'
remark: 'LLDP'
- sequence_num: 3
action: 'permit'
source:
any: true
destination:
address: '00:00:10:00:00:00'
address_mask: '00:00:ff:ff:00:00'
pcp:
value: 4
mask: 6
- sequence_num: 4
action: 'deny'
source:
any: true
destination:
any: true
vlan_tag_format:
multi_tagged: true
- name: 'test1'
remark: 'test_mac_acl'
rules:
- sequence_num: 1
action: 'permit'
source:
host: '11:11:11:11:11:11'
destination:
any: true
- sequence_num: 2
action: 'permit'
source:
any: true
destination:
any: true
ethertype:
arp: true
vlan_id: 100
- sequence_num: 3
action: 'deny'
source:
any: true
destination:
any: true
dei: 0
state: merged
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# seq 4 deny any any vlan-tag-format multi-tagged
# !
# mac access-list test1
# remark test_mac_acl
# seq 1 permit host 11:11:11:11:11:11 any
# seq 2 permit any any arp vlan 100
# seq 3 deny any any dei 0
# sonic#
# Using replaced
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
# remark test_mac_acl
# seq 1 permit host 11:11:11:11:11:11 any
# seq 2 permit any any arp vlan 100
# seq 3 deny any any dei 0
# sonic#
- name: Replace device configuration of specified Layer 2 ACLs with provided configuration
dellemc.enterprise_sonic.sonic_l2_acls:
config:
- name: 'test1'
rules:
- sequence_num: 1
action: 'permit'
source:
any: true
destination:
any: true
ethertype:
arp: true
vlan_id: 200
- sequence_num: 2
action: 'discard'
source:
any: true
destination:
any: true
- name: 'test2'
rules:
- sequence_num: 1
action: 'permit'
source:
host: '33:33:33:33:33:33'
destination:
host: '44:44:44:44:44:44'
state: replaced
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
# seq 1 permit any any arp vlan 200
# seq 2 discard any any
# !
# mac access-list test2
# seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44
# sonic#
# Using overridden
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
# seq 1 permit any any arp vlan 200
# seq 2 discard any any
# !
# mac access-list test2
# seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44
# sonic#
- name: Override device configuration of all Layer 2 ACLs with provided configuration
dellemc.enterprise_sonic.sonic_l2_acls:
config:
- name: 'test1'
remark: 'test_mac_acl'
rules:
- sequence_num: 1
action: 'permit'
source:
host: '11:11:11:11:11:11'
destination:
any: true
vlan_id: 100
- sequence_num: 2
action: 'permit'
source:
any: true
destination:
any: true
pcp:
traffic_type: 'ca'
- sequence_num: 3
action: 'deny'
source:
any: true
destination:
any: true
ethertype:
ipv4: true
state: overridden
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test1
# remark test_mac_acl
# seq 1 permit host 11:11:11:11:11:11 any vlan 100
# seq 2 permit any any pcp ca
# seq 3 deny any any ip
# sonic#
# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
# remark test_mac_acl
# seq 1 permit host 11:11:11:11:11:11 any vlan 100
# seq 2 deny any any ip
# !
# mac access-list test2
# seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44
# sonic#
- name: Delete specified Layer 2 ACLs, ACL remark and ACL rule entries
dellemc.enterprise_sonic.sonic_l2_acls:
config:
- name: 'test'
rules:
- sequence_num: 3
- name: 'test1'
remark: 'test_mac_acl'
- name: 'test2'
state: deleted
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# !
# mac access-list test1
# seq 1 permit host 11:11:11:11:11:11 any vlan 100
# seq 2 deny any any ip
# sonic#
# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
# remark test_mac_acl
# seq 1 permit host 11:11:11:11:11:11 any vlan 100
# seq 2 deny any any ip
# !
# mac access-list test2
# seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44
# sonic#
- name: Delete all Layer 2 ACL configurations
dellemc.enterprise_sonic.sonic_l2_acls:
config:
state: deleted
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# sonic#
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The resulting configuration model invocation. Returned: when changed Sample: |
|
The configuration prior to the model invocation. Returned: always Sample: |
|
The set of commands pushed to the remote device. Returned: always Sample: |