arista.eos.eos_acls module – ACLs resource module
Note
This module is part of the arista.eos collection (version 6.2.2).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install arista.eos
.
To use it in a playbook, specify: arista.eos.eos_acls
.
New in arista.eos 1.0.0
Synopsis
This module manages the IP access-list attributes of Arista EOS interfaces.
Parameters
Parameter |
Comments |
---|---|
A dictionary of IP access-list options |
|
A list of Access Control Lists (ACL). |
|
Filtering data |
|
The packet’s destination address |
|
dotted decimal notation of IP address |
|
Rule matches all source addresses Choices:
|
|
Host IP address |
|
Specify dest port/protocol, along with operator . (comes with tcp/udp). |
|
A subnet address |
|
Source wildcard bits |
|
Add fragment rules Choices:
|
|
Match non-head fragment packets Choices:
|
|
Action to be applied on the rule Choices:
|
|
Hop limit value. |
|
For fact gathering, any ACE that is not fully parsed, while show up as a value of this attribute. |
|
Log matches against this rule Choices:
|
|
Specify the protocol to match. Refer to vendor documentation for valid values. |
|
All the possible sub options for the protocol chosen. |
|
Internet Control Message Protocol settings. |
|
Administratively prohibited Choices:
|
|
Alternate address Choices:
|
|
Datagram conversion Choices:
|
|
Host prohibited Choices:
|
|
Net prohibited Choices:
|
|
Echo (ping) Choices:
|
|
Echo reply Choices:
|
|
Parameter problem Choices:
|
|
Host isolated Choices:
|
|
Host unreachable for precedence Choices:
|
|
Host redirect Choices:
|
|
Host redirect for TOS Choices:
|
|
Host unreachable for TOS Choices:
|
|
Host unknown Choices:
|
|
Host unreachable Choices:
|
|
Information replies Choices:
|
|
Information requests Choices:
|
|
Mask replies Choices:
|
|
Mask requests Choices:
|
|
ICMP message code |
|
icmp msg type number. |
|
ICMP message type |
|
Mobile host redirect Choices:
|
|
Network redirect Choices:
|
|
Net redirect for TOS Choices:
|
|
Network unreachable for TOS Choices:
|
|
Net unreachable Choices:
|
|
Network unknown Choices:
|
|
Parameter required but no room Choices:
|
|
Parameter required but not present Choices:
|
|
Fragmentation needed and DF set Choices:
|
|
All parameter problems Choices:
|
|
Port unreachable Choices:
|
|
Precedence cutoff Choices:
|
|
Protocol unreachable Choices:
|
|
Reassembly timeout Choices:
|
|
All redirects Choices:
|
|
Router discovery advertisements Choices:
|
|
Router discovery solicitations Choices:
|
|
Source quenches Choices:
|
|
Source route failed Choices:
|
|
All time exceededs Choices:
|
|
Timestamp replies Choices:
|
|
Timestamp requests Choices:
|
|
Traceroute Choices:
|
|
TTL exceeded Choices:
|
|
All unreachables Choices:
|
|
Options for icmpv6. |
|
address unreachable Choices:
|
|
beyond_scope Choices:
|
|
echo_reply Choices:
|
|
echo reques Choices:
|
|
erroneous header Choices:
|
|
fragment_reassembly_exceeded Choices:
|
|
hop limit exceeded Choices:
|
|
neighbor advertisement Choices:
|
|
neighbor_solicitation Choices:
|
|
no admin Choices:
|
|
no route Choices:
|
|
packet too big Choices:
|
|
parameter problem Choices:
|
|
port unreachable Choices:
|
|
redirect message Choices:
|
|
reject route Choices:
|
|
router_advertisement Choices:
|
|
router_solicitation Choices:
|
|
source_address_failed Choices:
|
|
source_routing_error Choices:
|
|
time_exceeded Choices:
|
|
unreachable Choices:
|
|
unrecognized_ipv6_option Choices:
|
|
unrecognized_next_header Choices:
|
|
Internet Protocol. |
|
Nexthop-group name. |
|
Internet V6 Protocol. |
|
Nexthop-group name. |
|
Options for tcp protocol. |
|
Match TCP packet flags |
|
Match on the ACK bit Choices:
|
|
Match established connections Choices:
|
|
Match on the FIN bit Choices:
|
|
Match on the PSH bit Choices:
|
|
Match on the RST bit Choices:
|
|
Match on the SYN bit Choices:
|
|
Match on the URG bit Choices:
|
|
Specify a comment |
|
sequence number for the ordered list of rules |
|
The packet’s source address |
|
dotted decimal notation of IP address |
|
Rule matches all source addresses Choices:
|
|
Host IP address |
|
Specify source port/protocoli, along with operator. (comes with tcp/udp). |
|
A subnet address |
|
Source wildcard bits |
|
Match packets in existing ICMP/UDP/TCP connections Choices:
|
|
Compares the TTL (time-to-live) value in the packet to a specified value |
|
Match a single TTL value |
|
Match TTL greater than this number |
|
Match TTL lesser than this number |
|
Match TTL not equal to this value |
|
Vlan options |
|
Name of the acl-list |
|
standard access-list or not Choices:
|
|
The Address Family Indicator (AFI) for the Access Control Lists (ACL). Choices:
|
|
This option is used only with state parsed. The value of this option should be the output received from the EOS device by executing the command show running-config | section access-list. The state parsed reads the configuration from |
|
The state the configuration should be left in. Choices:
|
Notes
Note
Tested against Arista EOS 4.24.6F
Examples
# Using merged
# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 40 permit ip any any
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
- name: Merge provided configuration with device configuration
arista.eos.eos_acls:
config:
- afi: ipv4
acls:
- name: test1
aces:
- sequence: 35
grant: deny
protocol: ospf
source:
subnet_address: 20.0.0.0/8
destination:
any: true
state: merged
# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 35 deny ospf 20.0.0.0/8 any
# 40 permit ip any any
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
# Using merged
# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 40 permit ip any any
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
- name: Merge to update the given configuration with an existing ace
arista.eos.eos_acls:
config:
- afi: ipv4
acls:
- name: test1
aces:
- sequence: 35
log: true
ttl:
eq: 33
state: merged
# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 35 deny ospf 20.0.0.0/8 any ttl eq 33 log
# 40 permit ip any any
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
# Using replaced
# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 40 permit ip any any
# !
# ip access-list test3
# 10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
- name: Replace device configuration with provided configuration
arista.eos.eos_acls:
config:
- afi: ipv4
acls:
- name: test1
aces:
- sequence: 35
grant: permit
protocol: ospf
source:
subnet_address: 20.0.0.0/8
destination:
any: true
state: replaced
# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
# 35 permit ospf 20.0.0.0/8 any
# !
# ip access-list test3
# 10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
# Using overridden
# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 40 permit ip any any
# !
# ip access-list test3
# 10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
- name: override device configuration with provided configuration
arista.eos.eos_acls:
config:
- afi: ipv4
acls:
- name: test1
aces:
- sequence: 35
grant: permit
protocol: ospf
source:
subnet_address: 20.0.0.0/8
destination:
any: true
state: overridden
# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
# 35 permit ospf 20.0.0.0/8 any
# !
# Using deleted:
# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 40 permit ip any any
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
# !
- name: Delete provided configuration
arista.eos.eos_acls:
config:
- afi: ipv4
acls:
- name: test1
state: deleted
# After state:
# ------------
#
# show running-config | section access-list
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
# using gathered
# ip access-list test1
# 35 deny ospf 20.0.0.0/8 any
# ip access-list test2
# 40 permit vlan 55 0xE2 icmpv6 any any log
- name: Gather the existing configuration
arista.eos.eos_acls:
state: gathered
# returns:
# arista.eos.eos_acls:
# config:
# - afi: "ipv4"
# acls:
# - name: test1
# aces:
# - sequence: 35
# grant: "deny"
# protocol: "ospf"
# source:
# subnet_address: 20.0.0.0/8
# destination:
# any: true
# - afi: "ipv6"
# acls:
# - name: test2
# aces:
# - sequence: 40
# grant: "permit"
# vlan: "55 0xE2"
# protocol: "icmpv6"
# log: true
# source:
# any: true
# destination:
# any: true
# using rendered
- name: Delete provided configuration
arista.eos.eos_acls:
config:
- afi: ipv4
acls:
- name: test1
aces:
- sequence: 35
grant: deny
protocol: ospf
source:
subnet_address: 20.0.0.0/8
destination:
any: true
- afi: ipv6
acls:
- name: test2
aces:
- sequence: 40
grant: permit
vlan: 55 0xE2
protocol: icmpv6
log: true
source:
any: true
destination:
any: true
state: rendered
# returns:
# ip access-list test1
# 35 deny ospf 20.0.0.0/8 any
# ip access-list test2
# 40 permit vlan 55 0xE2 icmpv6 any any log
# Using Parsed
# parsed_acls.cfg
# ipv6 access-list standard test2
# 10 permit any log
# !
# ip access-list test1
# 35 deny ospf 20.0.0.0/8 any
# 45 remark Run by ansible
# 55 permit tcp any any
# !
- name: parse configs
arista.eos.eos_acls:
running_config: "{{ lookup('file', './parsed_acls.cfg') }}"
state: parsed
# returns
# "parsed": [
# {
# "acls": [
# {
# "aces": [
# {
# "destination": {
# "any": true
# },
# "grant": "deny",
# "protocol": "ospf",
# "sequence": 35,
# "source": {
# "subnet_address": "20.0.0.0/8"
# }
# },
# {
# "remark": "Run by ansible",
# "sequence": 45
# },
# {
# "destination": {
# "any": true
# },
# "grant": "permit",
# "protocol": "tcp",
# "sequence": 55,
# "source": {
# "any": true
# }
# }
# ],
# "name": "test1"
# }
# ],
# "afi": "ipv4"
# },
# {
# "acls": [
# {
# "aces": [
# {
# "grant": "permit",
# "log": true,
# "sequence": 10,
# "source": {
# "any": true
# }
# }
# ],
# "name": "test2",
# "standard": true
# }
# ],
# "afi": "ipv6"
# }
# ]
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The resulting configuration model invocation. Returned: when changed Sample: |
|
The configuration prior to the model invocation. Returned: always Sample: |
|
The set of commands pushed to the remote device. Returned: always Sample: |