dellemc.enterprise_sonic.sonic_acl_interfaces module – Manage access control list (ACL) to interface binding on SONiC
Note
This module is part of the dellemc.enterprise_sonic collection (version 2.4.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic.
To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_acl_interfaces.
New in dellemc.enterprise_sonic 2.1.0
Synopsis
This module provides configuration management of applying access control lists (ACL) to interfaces in devices running SONiC.
ACL needs to be created earlier in the device.
Parameters
Parameter |
Comments |
|---|---|
Specifies interface access-group configurations. |
|
Access-group configurations to be set for the interface. |
|
List of ACLs for the given type. |
|
Specifies the direction of the packets that the ACL will be applied on. Choices:
|
|
Name of the ACL to be applied on the interface. |
|
Type of the ACLs to be applied on the interface. Choices:
|
|
Full name of the interface, i.e. Eth1/1. |
|
The state of the configuration after module completion. merged - Merges provided interface access-group configuration with on-device configuration. replaced - Replaces on-device access-group configuration of the specified interfaces with provided configuration. overridden - Overrides all on-device interface access-group configurations with the provided configuration. deleted - Deletes on-device interface access-group configuration. Choices:
|
Notes
Note
Supports
check_mode.
Examples
# Using merged
#
# Before State:
# -------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# sonic#
- name: Merge provided interface access-group configurations
dellemc.enterprise_sonic.sonic_acl_interfaces:
config:
- name: 'Eth1/1'
access_groups:
- type: 'mac'
acls:
- name: 'mac-acl-1'
direction: 'in'
- name: 'mac-acl-2'
direction: 'out'
- type: 'ipv6'
acls:
- name: 'ipv6-acl-2'
direction: 'out'
- name: 'Eth1/2'
access_groups:
- type: 'ipv4'
acls:
- name: 'ip-acl-1'
direction: 'in'
state: merged
# After State:
# ------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Ingress IP access-list ip-acl-1 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# sonic#
# Using replaced
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Ingress IP access-list ip-acl-1 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# sonic#
- name: Replace device access-group configuration of specified interfaces with provided configuration
dellemc.enterprise_sonic.sonic_acl_interfaces:
config:
- name: 'Eth1/2'
access_groups:
- type: 'ipv6'
acls:
- name: 'ipv6-acl-2'
direction: 'out'
- name: 'Eth1/3'
access_groups:
- type: 'ipv4'
acls:
- name: 'ip-acl-2'
direction: 'out'
state: replaced
# After State:
# ------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#
# Using overridden
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#
- name: Override all interfaces access-group device configuration with provided configuration
dellemc.enterprise_sonic.sonic_acl_interfaces:
config:
- name: 'Eth1/1'
access_groups:
- type: 'ip'
acls:
- name: 'ip-acl-2'
direction: 'out'
- name: 'Eth1/2'
access_groups:
- type: 'ip'
acls:
- name: 'ip-acl-2'
direction: 'out'
state: overridden
# After State:
# ------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/1
# Egress IP access-list ip-acl-2 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# sonic#
# Using deleted
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#
- name: Delete specified interfaces access-group configurations
dellemc.enterprise_sonic.sonic_l2_acls:
config:
- name: 'Eth1/1'
access_groups:
- type: 'mac'
acls:
- name: 'mac-acl-1'
direction: 'in'
- type: 'ipv6'
- name: 'Eth1/2'
state: deleted
# After State:
# ------------
#
# sonic# show mac access-group
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# sonic#
# Using deleted
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#
- name: Delete all interface access-group configurations
dellemc.enterprise_sonic.sonic_acl_interfaces:
config:
state: deleted
# After State:
# ------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# sonic#
# sonic# show ipv6 access-group
# sonic#
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
The resulting configuration model invocation. Returned: when changed Sample: |
|
The generated configuration model invocation. Returned: when Sample: |
|
The configuration prior to the model invocation. Returned: always Sample: |
|
The set of commands pushed to the remote device. Returned: always Sample: |