arista.eos.eos_acls module – ACLs resource module

Note

This module is part of the arista.eos collection (version 5.0.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install arista.eos.

To use it in a playbook, specify: arista.eos.eos_acls.

New in version 1.0.0: of arista.eos

Synopsis

  • This module manages the IPv4 and IPv6 access-list (ACL) configuration of Arista EOS devices: the ACL definitions and their access control entries (ACEs), not the binding of ACLs to interfaces.

Parameters

Each entry is listed as option (type): description. Indentation shows which dictionary an option belongs to. Every boolean option takes the choices no / yes; choices for other options are given inline.

config (list / elements=dictionary): The access-list configuration, one entry per address family.
  acls (list / elements=dictionary): A list of Access Control Lists (ACLs).
    aces (list / elements=dictionary): The access control entries (filtering rules) of the ACL.
      destination (dictionary): The packet's destination address.
        address (string): IP address in dotted decimal notation.
        any (boolean): Rule matches all destination addresses.
        host (string): Host IP address.
        port_protocol (dictionary): Destination port/protocol together with an operator (tcp/udp only).
        subnet_address (string): A subnet address in prefix notation (for example 10.10.10.0/24).
        wildcard_bits (string): Destination wildcard bits.
      fragment_rules (boolean): Add fragment rules.
      fragments (boolean): Match non-head fragment packets.
      grant (string): Action to be applied on the rule. Choices: permit, deny.
      hop_limit (dictionary): Hop limit value (the IPv6 counterpart of ttl; see the ipv6 examples below).
      line (string, aliases: ace): For fact gathering, any ACE that is not fully parsed will show up as the value of this attribute.
      log (boolean): Log matches against this rule.
      protocol (string): The protocol to match. Refer to vendor documentation for valid values.
      protocol_options (dictionary): All the possible sub-options for the chosen protocol.
        icmp (dictionary): Internet Control Message Protocol settings. Each option below is a boolean that matches the named ICMP message, except the three integer options:
          administratively_prohibited: Administratively prohibited.
          alternate_address: Alternate address.
          conversion_error: Datagram conversion error.
          dod_host_prohibited: Host prohibited.
          dod_net_prohibited: Net prohibited.
          echo: Echo (ping).
          echo_reply: Echo reply.
          general_parameter_problem: Parameter problem.
          host_isolated: Host isolated.
          host_precedence_unreachable: Host unreachable for precedence.
          host_redirect: Host redirect.
          host_tos_redirect: Host redirect for TOS.
          host_tos_unreachable: Host unreachable for TOS.
          host_unknown: Host unknown.
          host_unreachable: Host unreachable.
          information_reply: Information replies.
          information_request: Information requests.
          mask_reply: Mask replies.
          mask_request: Mask requests.
          message_code (integer): ICMP message code.
          message_num (integer): ICMP message type number.
          message_type (integer): ICMP message type.
          mobile_redirect: Mobile host redirect.
          net_redirect: Network redirect.
          net_tos_redirect: Net redirect for TOS.
          net_tos_unreachable: Network unreachable for TOS.
          net_unreachable: Net unreachable.
          network_unknown: Network unknown.
          no_room_for_option: Parameter required but no room.
          option_missing: Parameter required but not present.
          packet_too_big: Fragmentation needed and DF set.
          parameter_problem: All parameter problems.
          port_unreachable: Port unreachable.
          precedence_unreachable: Precedence cutoff.
          protocol_unreachable: Protocol unreachable.
          reassembly_timeout: Reassembly timeout.
          redirect: All redirects.
          router_advertisement: Router discovery advertisements.
          router_solicitation: Router discovery solicitations.
          source_quench: Source quenches.
          source_route_failed: Source route failed.
          time_exceeded: All time exceeded messages.
          timestamp_reply: Timestamp replies.
          timestamp_request: Timestamp requests.
          traceroute: Traceroute.
          ttl_exceeded: TTL exceeded.
          unreachable: All unreachables.
        icmpv6 (dictionary): Options for ICMPv6. Each option is a boolean named for the ICMPv6 message it matches: address_unreachable, beyond_scope, echo_reply, echo_request, erroneous_header, fragment_reassembly_exceeded, hop_limit_exceeded, neighbor_advertisement, neighbor_solicitation, no_admin, no_route, packet_too_big, parameter_problem, port_unreachable, redirect_message, reject_route, router_advertisement, router_solicitation, source_address_failed, source_routing_error, time_exceeded, unreachable, unrecognized_ipv6_option, unrecognized_next_header.
        ip (dictionary): Internet Protocol.
          nexthop_group (string): Nexthop-group name.
        ipv6 (dictionary): Internet Protocol version 6.
          nexthop_group (string): Nexthop-group name.
        tcp (dictionary): Options for the TCP protocol.
          flags (dictionary): Match TCP packet flags.
            ack (boolean): Match on the ACK bit.
            established (boolean): Match established connections.
            fin (boolean): Match on the FIN bit.
            psh (boolean): Match on the PSH bit.
            rst (boolean): Match on the RST bit.
            syn (boolean): Match on the SYN bit.
            urg (boolean): Match on the URG bit.
      remark (string): A comment stored as its own ACE.
      sequence (integer): Sequence number for the ordered list of rules.
      source (dictionary): The packet's source address.
        address (string): IP address in dotted decimal notation.
        any (boolean): Rule matches all source addresses.
        host (string): Host IP address.
        port_protocol (dictionary): Source port/protocol together with an operator (tcp/udp only).
        subnet_address (string): A subnet address in prefix notation.
        wildcard_bits (string): Source wildcard bits.
      tracked (boolean): Match packets in existing ICMP/UDP/TCP connections.
      ttl (dictionary): Compares the TTL (time-to-live) value in the packet to a specified value.
        eq (integer): Match a single TTL value.
        gt (integer): Match TTL greater than this number.
        lt (integer): Match TTL less than this number.
        neq (integer): Match TTL not equal to this value.
      vlan (string): VLAN match options (for example "55 0xE2", as in the gathered example below).
    name (string / required): Name of the access-list.
    standard (boolean): Whether this is a standard access-list.
  afi (string / required): The Address Family Indicator (AFI) for the Access Control Lists (ACL). Choices: ipv4, ipv6.

running_config (string): Used only with state parsed. Its value should be the output of show running-config | section access-list taken from the EOS device. State parsed reads this text instead of connecting to the device, transforms it into Ansible structured data as per the resource module's argspec, and returns the result in the parsed key.

state (string): The state the configuration should be left in. Choices: deleted, merged (default), overridden, replaced, gathered, rendered, parsed.
  merged: adds the ACEs in config to the device; an ACE whose sequence number already exists in the ACL has the new attributes merged into the existing entry.
  replaced: rebuilds each ACL named in config so that it contains exactly the ACEs given; ACLs not named in config are left untouched.
  overridden: makes the device's ACL configuration match config exactly; every ACL not present in config is removed (in the overridden example below, test3 and the IPv6 ACL test2 disappear), so config must list every ACL that should survive.
  deleted: removes the ACLs named in config.
  gathered: reads the ACL configuration from the device and returns it as structured data in the gathered key; nothing is changed.
  rendered: returns, in the rendered key, the EOS commands that config would produce, without pushing anything to the device.
  parsed: see running_config.
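
The four write states differ only in how the desired configuration is combined with what the device already has. The following Python is an added illustration written for this page, not code from the arista.eos collection: it models that combination on the module's own argspec shape, taking the before/after examples below as the specification (cases those examples do not cover, such as deleting a single ACE, are not modelled). The sample data is a constructed subset of the page's "before state".

```python
"""What each eos_acls ``state`` does to the device's ACL configuration.

Added illustration written for this page, not code from the arista.eos
collection. ``have``/``want`` use the module's argspec shape (afi -> acls ->
aces) and the behaviour reproduces the before/after examples shown on this
page; cases those examples do not cover are not modelled.
"""
from copy import deepcopy


def _index(config):
    """Flatten a config into {(afi, acl name): {"standard": bool, "aces": {sequence: ace}}}."""
    out = {}
    for fam in config or []:
        for acl in fam.get("acls", []):
            aces = {ace["sequence"]: deepcopy(ace) for ace in acl.get("aces", [])}
            out[(fam["afi"], acl["name"])] = {"standard": bool(acl.get("standard")), "aces": aces}
    return out


def _to_config(index):
    """Inverse of _index: list-of-dicts argspec shape, sorted by afi, name and sequence."""
    families = {}
    for (afi, name), body in sorted(index.items(), key=lambda kv: kv[0]):
        acl = {"name": name, "aces": [body["aces"][s] for s in sorted(body["aces"])]}
        if body["standard"]:
            acl["standard"] = True
        families.setdefault(afi, []).append(acl)
    return [{"afi": afi, "acls": acls} for afi, acls in sorted(families.items())]


def apply_state(have, want, state):
    """Return the ACL configuration the device is left with."""
    h, w = _index(have), _index(want)
    if state == "merged":
        for key, body in w.items():
            target = h.setdefault(key, {"standard": body["standard"], "aces": {}})
            for seq, ace in body["aces"].items():
                # same sequence number: the new attributes are merged into the existing ACE
                target["aces"].setdefault(seq, {"sequence": seq}).update(ace)
    elif state == "replaced":
        h.update(w)          # only the ACLs named in want are rebuilt; the rest are untouched
    elif state == "overridden":
        h = w                # the whole ACL configuration becomes exactly what want describes
    elif state == "deleted":
        for key in w:        # each ACL named in want is removed outright
            h.pop(key, None)
    else:
        raise ValueError(f"state not modelled here: {state}")
    return _to_config(h)


def _ace(seq, grant, proto, src, dst, **extra):
    return {"sequence": seq, "grant": grant, "protocol": proto, "source": src, "destination": dst, **extra}


# Constructed sample: a subset of the "before state" used by the examples on this page.
HAVE = [
    {"afi": "ipv4", "acls": [
        {"name": "test1", "aces": [
            _ace(10, "permit", "ip", {"subnet_address": "10.10.10.0/24"}, {"any": True}, ttl={"eq": 200}),
            _ace(20, "permit", "ip", {"subnet_address": "10.30.10.0/24"}, {"host": "10.20.10.1"}),
            _ace(40, "permit", "ip", {"any": True}, {"any": True})]},
        {"name": "test3", "aces": [
            _ace(10, "permit", "ip", {"subnet_address": "35.33.0.0/16"}, {"any": True}, log=True)]}]},
    {"afi": "ipv6", "acls": [
        {"name": "test2", "aces": [
            _ace(10, "deny", "icmpv6", {"any": True}, {"any": True}, hop_limit={"eq": 20})]}]},
]
WANT = [{"afi": "ipv4", "acls": [{"name": "test1", "aces": [
    _ace(35, "deny", "ospf", {"subnet_address": "20.0.0.0/8"}, {"any": True})]}]}]


def sequences(config, afi, name):
    """Sequence numbers of one ACL in a config, or None if that ACL does not exist."""
    for fam in config:
        for acl in fam["acls"]:
            if fam["afi"] == afi and acl["name"] == name:
                return [ace["sequence"] for ace in acl["aces"]]
    return None
```

Calling `apply_state(HAVE, WANT, state)` for each of the four states and printing `sequences(...)` for test1, test3 and test2 shows the difference directly: merged leaves test1 with sequences 10, 20, 35, 40; replaced leaves it with only 35 but keeps test3 and test2; overridden keeps only test1 with 35; deleted (with a name-only `want`) removes test1 and nothing else.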

Notes

Note

  • Tested against Arista EOS 4.24.6F

Examples

# Using merged

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge provided configuration with device configuration
  arista.eos.eos_acls:
    config:
    - afi: ipv4
      acls:
      - name: test1
        aces:
        - sequence: 35
          grant: deny
          protocol: ospf
          source:
            subnet_address: 20.0.0.0/8
          destination:
            any: true
    state: merged

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

# Using merged

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge to update the given configuration with an existing ace
  arista.eos.eos_acls:
    config:
    - afi: ipv4
      acls:
      - name: test1
        aces:
        - sequence: 35
          log: true
          ttl:
            eq: 33
    state: merged

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any ttl eq 33 log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

# Using replaced

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20



- name: Replace device configuration with provided configuration
  arista.eos.eos_acls:
    config:
    - afi: ipv4
      acls:
      - name: test1
        aces:
        - sequence: 35
          grant: permit
          protocol: ospf
          source:
            subnet_address: 20.0.0.0/8
          destination:
            any: true
    state: replaced

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20


# Using overridden

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20



- name: Override device configuration with provided configuration
  arista.eos.eos_acls:
    config:
    - afi: ipv4
      acls:
      - name: test1
        aces:
        - sequence: 35
          grant: permit
          protocol: ospf
          source:
            subnet_address: 20.0.0.0/8
          destination:
            any: true
    state: overridden

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !

# Using deleted:

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20


- name: Delete provided configuration
  arista.eos.eos_acls:
    config:
    - afi: ipv4
      acls:
      - name: test1
    state: deleted

# After state:
# ------------
#
# show running-config | section access-list

# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20


# Using gathered

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ipv6 access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log

- name: Gather the existing configuration
  arista.eos.eos_acls:
    state: gathered

# returns (in the gathered key):

#  gathered:
#     - afi: "ipv4"
#       acls:
#        - name: test1
#          aces:
#          - sequence: 35
#            grant: "deny"
#            protocol: "ospf"
#            source:
#              subnet_address: 20.0.0.0/8
#            destination:
#              any: true
#     - afi: "ipv6"
#       acls:
#        - name: test2
#          aces:
#           - sequence: 40
#             grant: "permit"
#             vlan: "55 0xE2"
#             protocol: "icmpv6"
#             log: true
#             source:
#               any: true
#             destination:
#               any: true
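
The gathered output is the natural input for an ACL review, because it is the running configuration already in the argspec shape. The following Python is an added example written for this page, not part of the collection: it runs four hygiene checks over data in that shape (a catch-all permit of ip/ipv6 from any to any, ACEs sequenced after such a permit, which EOS never evaluates because an ACL is matched in sequence order and stops at the first hit, deny ACEs that do not log, and ACEs the module could not fully parse). The sample data is constructed from this page's before-state ACLs with one extra entry, sequence 50, added to show a shadowed rule.

```python
"""Hygiene checks over the structured ACL data that eos_acls returns with
state gathered (the same shape as the config option).

Added example written for this page, not part of the collection. The checks
and their wording are this example's own.
"""

CATCH_ALL_PROTOCOLS = {"ip", "ipv6"}


def _is_any(endpoint):
    return bool(endpoint and endpoint.get("any"))


def _is_catch_all_permit(ace):
    return (ace.get("grant") == "permit"
            and ace.get("protocol") in CATCH_ALL_PROTOCOLS
            and _is_any(ace.get("source")) and _is_any(ace.get("destination")))


def audit_acls(gathered):
    """Return (afi, acl name, sequence, finding) tuples in ACE evaluation order."""
    findings = []
    for fam in gathered:
        for acl in fam.get("acls", []):
            where = (fam["afi"], acl["name"])
            catch_all_seq = None
            # EOS evaluates ACEs by ascending sequence number and stops at the first match
            for ace in sorted(acl.get("aces", []), key=lambda a: a["sequence"]):
                seq = ace["sequence"]
                if "remark" in ace:
                    continue
                if catch_all_seq is not None:
                    findings.append(where + (seq, f"unreachable: shadowed by sequence {catch_all_seq}"))
                elif "line" in ace:
                    findings.append(where + (seq, "not fully parsed, review by hand"))
                elif _is_catch_all_permit(ace):
                    catch_all_seq = seq
                    findings.append(where + (seq, "catch-all permit"))
                elif ace.get("grant") == "deny" and not ace.get("log"):
                    findings.append(where + (seq, "deny without log"))
    return findings


# Constructed sample in gathered shape: this page's before-state ACLs (the port
# qualifiers of sequence 30 omitted) plus a sequence-50 deny that can never match.
GATHERED = [
    {"afi": "ipv4", "acls": [{"name": "test1", "aces": [
        {"sequence": 10, "grant": "permit", "protocol": "ip", "ttl": {"eq": 200},
         "source": {"subnet_address": "10.10.10.0/24"}, "destination": {"any": True}},
        {"sequence": 20, "grant": "permit", "protocol": "ip",
         "source": {"subnet_address": "10.30.10.0/24"}, "destination": {"host": "10.20.10.1"}},
        {"sequence": 30, "grant": "deny", "protocol": "tcp", "log": True,
         "source": {"host": "10.10.20.1"}, "destination": {"any": True},
         "protocol_options": {"tcp": {"flags": {"syn": True}}}},
        {"sequence": 35, "grant": "deny", "protocol": "ospf",
         "source": {"subnet_address": "20.0.0.0/8"}, "destination": {"any": True}},
        {"sequence": 40, "grant": "permit", "protocol": "ip",
         "source": {"any": True}, "destination": {"any": True}},
        {"sequence": 50, "grant": "deny", "protocol": "udp", "log": True,
         "source": {"any": True}, "destination": {"any": True}},
    ]}]},
    {"afi": "ipv6", "acls": [{"name": "test2", "aces": [
        {"sequence": 10, "grant": "deny", "protocol": "icmpv6", "hop_limit": {"eq": 20},
         "source": {"any": True}, "destination": {"any": True}},
    ]}]},
]

if __name__ == "__main__":
    for finding in audit_acls(GATHERED):
        print(*finding)
```

Run against the gathered result of a play, this flags sequence 40 of test1 as a catch-all permit, sequence 50 as unreachable behind it, and the two unlogged denies (35 in test1, 10 in test2); sequence 30 passes because it logs.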


# Using rendered

- name: Render the provided configuration as EOS commands (nothing is pushed to the device)
  arista.eos.eos_acls:
    config:
    - afi: ipv4
      acls:
      - name: test1
        aces:
        - sequence: 35
          grant: deny
          protocol: ospf
          source:
            subnet_address: 20.0.0.0/8
          destination:
            any: true
    - afi: ipv6
      acls:
      - name: test2
        aces:
        - sequence: 40
          grant: permit
          vlan: 55 0xE2
          protocol: icmpv6
          log: true
          source:
            any: true
          destination:
            any: true
    state: rendered

# returns (in the rendered key):

# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ipv6 access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log


# Using parsed

# parsed_acls.cfg

# ipv6 access-list standard test2
#    10 permit any log
# !
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
#    45 remark Run by ansible
#    55 permit tcp any any
# !

- name: parse configs
  arista.eos.eos_acls:
    running_config: "{{ lookup('file', './parsed_acls.cfg') }}"
    state: parsed

# returns
# "parsed": [
#         {
#             "acls": [
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "any": true
#                             },
#                             "grant": "deny",
#                             "protocol": "ospf",
#                             "sequence": 35,
#                             "source": {
#                                 "subnet_address": "20.0.0.0/8"
#                             }
#                         },
#                         {
#                             "remark": "Run by ansible",
#                             "sequence": 45
#                         },
#                         {
#                             "destination": {
#                                 "any": true
#                             },
#                             "grant": "permit",
#                             "protocol": "tcp",
#                             "sequence": 55,
#                             "source": {
#                                 "any": true
#                             }
#                         }
#                     ],
#                     "name": "test1"
#                 }
#             ],
#             "afi": "ipv4"
#         },
#         {
#             "acls": [
#                 {
#                     "aces": [
#                         {
#                             "grant": "permit",
#                             "log": true,
#                             "sequence": 10,
#                             "source": {
#                                 "any": true
#                             }
#                         }
#                     ],
#                     "name": "test2",
#                     "standard": true
#                 }
#             ],
#             "afi": "ipv6"
#         }
#     ]
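
The running_config option and the parsed and rendered examples are two directions of the same translation: EOS access-list text to the argspec structure, and back to command lines. The following Python is an added example written for this page, not the collection's own parser or renderer. It models the ACE forms that appear in this page's examples (remarks, any/host/prefix endpoints, log, ttl and hop-limit comparisons, standard ACLs); any other ACE is kept verbatim under `line`, mirroring how the module reports an ACE it cannot fully parse. The sample text is constructed from parsed_acls.cfg above plus two ACEs from the before-state examples, one of which (the tcp rule with port operators) is deliberately outside what this parser models; ACL output order is not modelled.

```python
"""Parser and renderer for the ACL text eos_acls works with: the
``show running-config | section access-list`` output read by state parsed
and the EOS command lines produced by state rendered (the ``commands``
return value has the same form).

Added example written for this page, not the collection's own code.
"""
import re

ACL_HEADER = re.compile(r"^(ip|ipv6) access-list( standard)? (\S+)$")
COMPARE_OPS = ("eq", "gt", "lt", "neq")


def _endpoint(tokens):
    """Consume one source/destination spec from the front of tokens; None if unrecognised."""
    tok = tokens.pop(0) if tokens else None
    if tok == "any":
        return {"any": True}
    if tok == "host" and tokens:
        return {"host": tokens.pop(0)}
    if tok and "/" in tok:
        return {"subnet_address": tok}
    return None


def _parse_ace(text, standard):
    tokens = text.split()
    seq = int(tokens.pop(0))
    if tokens and tokens[0] == "remark":
        return {"sequence": seq, "remark": " ".join(tokens[1:])}
    unparsed = {"sequence": seq, "line": text}      # fallback, like the module's `line`
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        return unparsed
    ace = {"sequence": seq, "grant": tokens.pop(0)}
    if not standard:                                # standard ACLs carry no protocol/destination
        ace["protocol"] = tokens.pop(0)
    ace["source"] = _endpoint(tokens)
    if not standard:
        ace["destination"] = _endpoint(tokens)
    if None in ace.values():
        return unparsed
    while tokens:
        tok = tokens.pop(0)
        if tok == "log":
            ace["log"] = True
        elif (tok in ("ttl", "hop-limit") and len(tokens) >= 2
              and tokens[0] in COMPARE_OPS and tokens[1].isdigit()):
            op, value = tokens.pop(0), int(tokens.pop(0))
            ace["ttl" if tok == "ttl" else "hop_limit"] = {op: value}
        else:
            return unparsed                         # ports, tcp flags, vlan, ... not modelled
    return ace


def parse_running_config(text):
    """Turn the running-config section into the module's argspec structure."""
    families, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = {"name": header.group(3), "aces": []}
            if header.group(2):
                current["standard"] = True
            families.setdefault("ipv4" if header.group(1) == "ip" else "ipv6", []).append(current)
        elif current is not None and line[:1].isdigit():
            current["aces"].append(_parse_ace(line, current.get("standard", False)))
    return [{"afi": afi, "acls": acls} for afi, acls in sorted(families.items())]


def _endpoint_text(ep):
    if ep.get("any"):
        return "any"
    return "host " + ep["host"] if "host" in ep else ep["subnet_address"]


def render_commands(config):
    """EOS configuration lines for an argspec-shaped config, in the order given."""
    commands = []
    for fam in config:
        for acl in fam["acls"]:
            std = " standard" if acl.get("standard") else ""
            commands.append(f"{'ip' if fam['afi'] == 'ipv4' else 'ipv6'} access-list{std} {acl['name']}")
            for ace in acl["aces"]:
                if "remark" in ace:
                    commands.append(f"{ace['sequence']} remark {ace['remark']}")
                elif "line" in ace:
                    commands.append(ace["line"])
                else:
                    parts = [str(ace["sequence"]), ace["grant"]]
                    parts += [ace["protocol"]] if "protocol" in ace else []
                    parts.append(_endpoint_text(ace["source"]))
                    parts += [_endpoint_text(ace["destination"])] if "destination" in ace else []
                    for key, cli in (("ttl", "ttl"), ("hop_limit", "hop-limit")):
                        for op, value in ace.get(key, {}).items():
                            parts += [cli, op, str(value)]
                    parts += ["log"] if ace.get("log") else []
                    commands.append(" ".join(parts))
    return commands


# Constructed sample: parsed_acls.cfg from this page plus two before-state ACEs.
SAMPLE = """\
ipv6 access-list standard test2
   10 permit any log
!
ip access-list test1
   10 permit ip 10.10.10.0/24 any ttl eq 200
   30 deny tcp host 10.10.20.1 eq finger www any syn log
   35 deny ospf 20.0.0.0/8 any
   45 remark Run by ansible
   55 permit tcp any any
!
"""
```

`parse_running_config(SAMPLE)` yields the same structure as the parsed output above for the ACEs that output contains, while sequence 30 comes back as `{"sequence": 30, "line": "30 deny tcp host ..."}`; `render_commands` on that structure reproduces the command lines, so the round trip parse(render(parse(text))) is stable.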

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

after

list / elements=string

The resulting configuration model invocation.

Returned: when changed

Sample: “The configuration returned will always be in the same format\n of the parameters above.\n”

before

list / elements=string

The configuration prior to the model invocation.

Returned: always

Sample: “The configuration returned will always be in the same format\n of the parameters above.\n”

commands

list / elements=string

The set of commands pushed to the remote device.

Returned: always

Sample: [“ipv6 access-list standard test2”, “10 permit any log”, “ip access-list test1”, “35 deny ospf 20.0.0.0/8 any”, “45 remark Run by ansible”, “55 permit tcp any any”]

Authors

  • Gomathiselvi S (@GomathiselviS)