cisco.ios.ios_acls module – Resource module to configure ACLs.
Note
This module is part of the cisco.ios collection (version 9.0.3).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install cisco.ios
.
To use it in a playbook, specify: cisco.ios.ios_acls
.
New in cisco.ios 1.0.0
Synopsis
This module configures and manages the named or numbered ACLs on IOS platforms.
Parameters
Parameter |
Comments |
---|---|
A list of ACL configuration options. |
|
A list of Access Control Lists (ACL) attributes. |
|
The entries within the ACL. |
|
Specify the packet destination. |
|
Host address to match, or any single host address. |
|
Match any source address. Choices:
|
|
A single destination host |
|
Destination network object group |
|
Specify the destination port along with protocol. Note, Valid with TCP/UDP protocol_options |
|
Match only packets on a given port number. |
|
Match only packets with a greater port number. |
|
Match only packets with a lower port number. |
|
Match only packets not on a given port number. |
|
Port group. |
|
Specify the end of the port range. |
|
Specify the start of the port range. |
|
Destination wildcard bits, valid with IPV4 address. |
|
Match packets with given dscp value. |
|
Enable non-initial fragments. Choices:
|
|
Evaluate an access list |
|
Specify the action. Choices:
|
|
Log matches against this entry. |
|
Enable Log matches against this entry Choices:
|
|
User defined cookie (max of 64 char) |
|
Log matches against this entry, including input interface. |
|
Enable Log matches against this entry, including input interface. Choices:
|
|
User defined cookie (max of 64 char) |
|
Match packets with given IP Options value. Valid only for named acls. |
|
Match packets with Address Extension Option (147). Choices:
|
|
Match packets with ANY Option. Choices:
|
|
Match packets with Commercial Security Option (134). Choices:
|
|
Match packets with Dynamic Packet State Option (151). Choices:
|
|
Match packets with Encode Option (15). Choices:
|
|
Match packets with End of Options (0). Choices:
|
|
Match packets with Extended IP Option (145). Choices:
|
|
Match packets with Extended Security Option (133). Choices:
|
|
Match packets with Experimental Flow Control Option (205). Choices:
|
|
Match packets with IMI Traffic Desriptor Option (144). Choices:
|
|
Match packets with Loose Source Route Option (131). Choices:
|
|
Match packets with MTU Probe Option (11). Choices:
|
|
Match packets with MTU Reply Option (12). Choices:
|
|
Match packets with No Operation Option (1). Choices:
|
|
Match packets with NSAP Addresses Option (150). Choices:
|
|
Match packets with Record Route Option (7). Choices:
|
|
Match packets with Router Alert Option (148). Choices:
|
|
Match packets with Selective Directed Broadcast Option (149). Choices:
|
|
Match packets with Basic Security Option (130). Choices:
|
|
Match packets with Strict Source Routing Option (137). Choices:
|
|
Match packets with Stream ID Option (136). Choices:
|
|
Match packets with Time Stamp Option (68). Choices:
|
|
Match packets with Trace Route Option (82). Choices:
|
|
Match packets with Upstream Multicast Packet Option (152). Choices:
|
|
Match packets with Experimental Access Control Option (142). Choices:
|
|
Match packets with Experimental Measurement Option (10). Choices:
|
|
Match packets with given precedence value. |
|
Specify the protocol to match. Refer to vendor documentation for valid values. |
|
protocol type. |
|
Authentication Header Protocol. Choices:
|
|
Cisco’s EIGRP routing protocol. Choices:
|
|
Encapsulation Security Payload. Choices:
|
|
Cisco’s GRE tunneling. Choices:
|
|
Hop by Hop options header. Valid for IPV6 Choices:
|
|
Internet Control Message Protocol. |
|
Administratively prohibited Choices:
|
|
Alternate address Choices:
|
|
Datagram conversion Choices:
|
|
Host prohibited Choices:
|
|
Net prohibited Choices:
|
|
Echo (ping) Choices:
|
|
Echo reply Choices:
|
|
Parameter problem Choices:
|
|
Host isolated Choices:
|
|
Host unreachable for precedence Choices:
|
|
Host redirect Choices:
|
|
Host redirect for TOS Choices:
|
|
Host unreachable for TOS Choices:
|
|
Host unknown Choices:
|
|
Host unreachable Choices:
|
|
Information replies Choices:
|
|
Information requests Choices:
|
|
Mask replies Choices:
|
|
mask_request Choices:
|
|
Mobile host redirect Choices:
|
|
Network redirect Choices:
|
|
Net redirect for TOS Choices:
|
|
Network unreachable for TOS Choices:
|
|
Net unreachable Choices:
|
|
Network unknown Choices:
|
|
Parameter required but no room Choices:
|
|
Parameter required but not present Choices:
|
|
Fragmentation needed and DF set Choices:
|
|
All parameter problems Choices:
|
|
Port unreachable Choices:
|
|
Precedence cutoff Choices:
|
|
Protocol unreachable Choices:
|
|
Reassembly timeout Choices:
|
|
All redirects Choices:
|
|
Router discovery advertisements Choices:
|
|
Router discovery solicitations Choices:
|
|
Source quenches Choices:
|
|
Source route failed Choices:
|
|
All time exceededs Choices:
|
|
Timestamp replies Choices:
|
|
Timestamp requests Choices:
|
|
Traceroute Choices:
|
|
TTL exceeded Choices:
|
|
All unreachables Choices:
|
|
Internet Gateway Message Protocol. |
|
Distance Vector Multicast Routing Protocol(2) Choices:
|
|
IGMP Membership Query(0) Choices:
|
|
Multicast Traceroute Response(7) Choices:
|
|
Multicast Traceroute(8) Choices:
|
|
Protocol Independent Multicast(3) Choices:
|
|
Multicast trace(4) Choices:
|
|
IGMPv1 Membership Report(1) Choices:
|
|
IGMPv2 Membership Report(5) Choices:
|
|
IGMPv2 Leave Group(6) Choices:
|
|
IGMPv3 Membership Report(9) Choices:
|
|
Any Internet Protocol. Choices:
|
|
IP in IP tunneling. Choices:
|
|
Any IPv6. Choices:
|
|
KA9Q NOS compatible IP over IP tunneling. Choices:
|
|
OSPF routing protocol. Choices:
|
|
Payload Compression Protocol. Choices:
|
|
Protocol Independent Multicast. Choices:
|
|
An IP protocol number |
|
Stream Control Transmission Protocol. Choices:
|
|
Match TCP packet flags |
|
Match on the ACK bit Choices:
|
|
Match established connections Choices:
|
|
Match on the FIN bit Choices:
|
|
Match on the PSH bit Choices:
|
|
Match on the RST bit Choices:
|
|
Match on the SYN bit Choices:
|
|
Match on the URG bit Choices:
|
|
User Datagram Protocol. Choices:
|
|
The remarks/description of the ACL. The remarks attribute used within an ace with or without a sequence number will produce remarks that are pushed before the ace entry. Remarks entry used as the only key in as the list option will produce non ace specific remarks, these remarks would be pushed at the end of all the aces for an acl. Remarks is treated a block, for every single remarks updated for an ace all the remarks are negated and added back to maintain the order of remarks mentioned. As the appliance deletes all the remarks once the ace is updated, the set of remarks would be re-applied that is an expected behavior. |
|
Sequence Number for the Access Control Entry(ACE). Refer to vendor documentation for valid values. |
|
Specify the packet source. |
|
Source network address. |
|
Match any source address. Choices:
|
|
A single source host |
|
Source network object group |
|
Specify the source port along with protocol. Note, Valid with TCP/UDP protocol_options |
|
Match only packets on a given port number. |
|
Match only packets with a greater port number. |
|
Match only packets with a lower port number. |
|
Match only packets not on a given port number. |
|
Port group. |
|
Specify the end of the port range. |
|
Specify the start of the port range. |
|
Source wildcard bits, valid with IPV4 address. |
|
Specify a time-range. |
|
Match packets with given TOS value. Note, DSCP and TOS are mutually exclusive |
|
Match packets with max reliable TOS (2). Choices:
|
|
Match packets with max throughput TOS (4). Choices:
|
|
Match packets with min delay TOS (8). Choices:
|
|
Match packets with min monetary cost TOS (1). Choices:
|
|
Match packets with normal TOS (0). Choices:
|
|
Type of service value |
|
Match packets with given TTL value. |
|
Match only packets on a given TTL number. |
|
Match only packets with a greater TTL number. |
|
Match only packets with a lower TTL number. |
|
Match only packets not on a given TTL number. |
|
Match only packets in the range of TTLs. |
|
Specify the end of the port range. |
|
Specify the start of the port range. |
|
ACL type Note, it’s mandatory and required for Named ACL, but for Numbered ACL it’s not mandatory. Choices:
|
|
The name or the number of the ACL. |
|
The Address Family Indicator (AFI) for the Access Control Lists (ACL). Choices:
|
|
This option is used only with state parsed. The value of this option should be the output received from the IOS device by executing the command sh access-list. The state parsed reads the configuration from |
|
The state the configuration should be left in The state merged is the default state which merges the want and have config, but for ACL module as the IOS platform doesn’t allow update of ACE over an pre-existing ACE sequence in ACL, same way ACLs resource module will error out for respective scenario and only addition of new ACE over new sequence will be allowed with merge state. The states rendered, gathered and parsed does not perform any change on the device. The state rendered will transform the configuration in The state gathered will fetch the running configuration from device and transform it into structured data in the format as per the resource module argspec and the value is returned in the gathered key within the result. The state parsed reads the configuration from The state overridden, modify/add the ACLs defined, deleted all other ACLs. The state replaced, modify/add only the ACEs of the ACLs defined only. It does not perform any other change on the device. The state deleted, deletes only the specified ACLs, or all if not specified. Choices:
|
Notes
Note
Tested against Cisco IOSXE Version 17.3 on CML.
Module behavior is not idempotent when sequence for aces are not mentioned
This module works with connection
network_cli
. See https://docs.ansible.com/ansible/latest/network/user_guide/platform_ios.html
Examples
# Using merged
# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
- name: Merge provided configuration with device configuration
cisco.ios.ios_acls:
config:
- afi: ipv4
acls:
- name: std_acl
acl_type: standard
aces:
- grant: deny
source:
address: 192.168.1.200
- grant: deny
source:
address: 192.168.2.0
wildcard_bits: 0.0.0.255
- name: 110
aces:
- sequence: 10
protocol_options:
icmp:
traceroute: true
source:
address: 192.168.3.0
wildcard_bits: 255.255.255.0
destination:
any: true
grant: permit
- grant: deny
protocol_options:
tcp:
ack: true
source:
host: 198.51.100.0
destination:
host: 198.51.110.0
port_protocol:
eq: telnet
- name: extended_acl_1
acl_type: extended
aces:
- grant: deny
protocol_options:
tcp:
fin: true
source:
address: 192.0.2.0
wildcard_bits: 0.0.0.255
destination:
address: 192.0.3.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: www
option:
traceroute: true
ttl:
eq: 10
- name: 123
aces:
- remarks:
- "remarks for extended ACL 1"
- "check ACL"
- grant: deny
protocol_options:
tcp:
ack: true
source:
address: 198.51.100.0
wildcard_bits: 0.0.0.255
destination:
address: 198.51.101.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
tos:
service_value: 12
- grant: deny
protocol_options:
tcp:
ack: true
source:
address: 192.0.3.0
wildcard_bits: 0.0.0.255
destination:
address: 192.0.4.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: www
dscp: ef
ttl:
lt: 20
- afi: ipv6
acls:
- name: R1_TRAFFIC
aces:
- grant: deny
protocol_options:
tcp:
ack: true
source:
any: true
port_protocol:
eq: www
destination:
any: true
port_protocol:
eq: telnet
dscp: af11
state: merged
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# echo: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: '100'
# afi: ipv4
# commands:
# - ip access-list extended 110
# - deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - 30 permit icmp 192.168.3.0 255.255.255.0 any traceroute
# - ip access-list extended extended_acl_1
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# - ip access-list standard std_acl
# - deny 192.168.1.20
# - deny 192.168.2.0 0.0.0.255
# - ip access-list extended 123
# - deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# - deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# - remark remarks for extended ACL 1
# - remark check ACL
# - ipv6 access-list R1_TRAFFIC
# - deny tcp any eq www any eq telnet ack dscp af11
# after:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# echo: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# - destination:
# any: true
# grant: permit
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 30
# source:
# address: 0.0.0.0
# wildcard_bits: 255.255.255.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# - remarks:
# - remarks for extended ACL 1
# - check ACL
# acl_type: extended
# name: '123'
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: extended_acl_1
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.20
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# afi: ipv4
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
# After state:
# ------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 100
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
# vios#show running-config | include ip(v6)* access-list|remark
# ip access-list standard std_acl
# ip access-list extended extended_acl_1
# ip access-list extended 110
# ip access-list extended 123
# remark remarks for extended ACL 1
# remark check ACL
# ipv6 access-list R1_TRAFFIC
# Using merged (update existing ACE - will fail)
# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list extended 100
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
- name: Merge provided configuration with device configuration
cisco.ios.ios_acls:
config:
- afi: ipv4
acls:
- name: 100
aces:
- sequence: 10
protocol_options:
icmp:
traceroute: true
state: merged
# After state:
# ------------
#
# Play Execution fails, with error:
# Cannot update existing sequence 10 of ACLs 100 with state merged.
# Please use state replaced or overridden.
# Using replaced
# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack dscp af11
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
- name: Replaces device configuration of listed acls with provided configuration
cisco.ios.ios_acls:
config:
- afi: ipv4
acls:
- name: 110
aces:
- grant: deny
protocol_options:
tcp:
syn: true
source:
address: 192.0.2.0
wildcard_bits: 0.0.0.255
destination:
address: 192.0.3.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: www
dscp: ef
ttl:
eq: 10
- name: 150
aces:
- grant: deny
sequence: 20
protocol_options:
tcp:
syn: true
source:
address: 198.51.100.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
destination:
address: 198.51.110.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
dscp: ef
ttl:
eq: 10
state: replaced
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# acl_type: extended
# name: R1_TRAFFIC
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test
# afi: ipv4
# commands:
# - ip access-list extended 110
# - no 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# - no 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# - ip access-list extended 150
# - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# after:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - destination:
# address: 198.51.110.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# sequence: 20
# source:
# address: 198.51.100.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: '150'
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# acl_type: extended
# name: R1_TRAFFIC
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test
# afi: ipv4
# After state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended 150
# 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
# Using replaced - example remarks specific
# Before state:
# -------------
#
# vios#show running-config | section access-list
# ip access-list extended TEST
# 10 remark FIRST REMARK BEFORE LINE 10
# 10 remark ============
# 10 remark ALLOW HOST FROM TEST 10
# 10 permit ip host 1.1.1.1 any
# 20 remark FIRST REMARK BEFORE LINE 20
# 20 remark ============
# 20 remark ALLOW HOST remarks AFTER LINE 20
# 20 permit ip host 2.2.2.2 any
# 30 remark FIRST REMARK BEFORE LINE 30
# 30 remark ============
# 30 remark ALLOW HOST remarks AFTER LINE 30
# 30 permit ip host 3.3.3.3 any
- name: Replace remarks of ace with sequence 10
# check_mode: true
cisco.ios.ios_acls:
state: replaced
config:
- acls:
- aces:
- destination:
any: true
grant: permit
protocol: ip
remarks:
- The new first remarks before 10
- ============new
- The new second remarks before 10
sequence: 10
source:
host: 1.1.1.1
- destination:
any: true
grant: permit
protocol: ip
remarks:
- FIRST REMARK BEFORE LINE 20
- ============
- ALLOW HOST remarks AFTER LINE 20
sequence: 20
source:
host: 2.2.2.2
- destination:
any: true
grant: permit
protocol: ip
remarks:
- FIRST REMARK BEFORE LINE 30
- ============
- ALLOW HOST remarks AFTER LINE 30
sequence: 30
source:
host: 3.3.3.3
acl_type: extended
name: TEST
afi: ipv4
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 10
# - ===========1=
# - ALLOW HOST FROM TEST 10
# sequence: 10
# source:
# host: 1.1.1.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 20
# - ============
# - ALLOW HOST remarks AFTER LINE 20
# sequence: 20
# source:
# host: 2.2.2.2
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 30
# - ============
# - ALLOW HOST remarks AFTER LINE 30
# sequence: 30
# source:
# host: 3.3.3.3
# acl_type: extended
# name: TEST
# afi: ipv4
# commands:
# - ip access-list extended TEST
# - no 10 remark
# - 10 remark The new first remarks before 10
# - 10 remark ============new
# - 10 remark The new second remarks before 10
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - The new first remarks before 10
# - ============new
# - The new second remarks before 10
# sequence: 10
# source:
# host: 1.1.1.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 20
# - ============
# - ALLOW HOST remarks AFTER LINE 20
# sequence: 20
# source:
# host: 2.2.2.2
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 30
# - ============
# - ALLOW HOST remarks AFTER LINE 30
# sequence: 30
# source:
# host: 3.3.3.3
# acl_type: extended
# name: TEST
# afi: ipv4
# After state:
# -------------
#
# foo#show running-config | section access-list
# ip access-list extended TEST
# 10 remark The new first remarks before 10
# 10 remark ============new
# 10 remark The new second remarks before 10
# 10 permit ip host 1.1.1.1 any
# 20 remark FIRST REMARK BEFORE LINE 20
# 20 remark ============
# 20 remark ALLOW HOST remarks AFTER LINE 20
# 20 permit ip host 2.2.2.2 any
# 30 remark FIRST REMARK BEFORE LINE 30
# 30 remark ============
# 30 remark ALLOW HOST remarks AFTER LINE 30
# 30 permit ip host 3.3.3.3 any
# Using replaced - example remarks specific on targeted sequence
# Before state:
# -------------
#
# vios#show running-config | section access-list
# ip access-list extended TEST
# 10 permit ip host 1.1.1.1 any
# 20 remark FIRST REMARK BEFORE LINE 20
# 20 remark ============
# 20 remark ALLOW HOST remarks AFTER LINE 20
# 20 permit ip host 2.2.2.2 any
# 30 remark FIRST REMARK BEFORE LINE 30
# 30 remark ============
# 30 remark ALLOW HOST remarks AFTER LINE 30
# 30 permit ip host 3.3.3.3 any
- name: Replace remarks of ace with sequence 10
# check_mode: true
cisco.ios.ios_acls:
state: replaced
config:
- acls:
- aces:
- destination:
any: true
grant: permit
protocol: ip
remarks:
- The new first remarks before 10
- ============new
- The new second remarks before 10
sequence: 10
source:
host: 1.1.1.1
- destination:
any: true
grant: permit
protocol: ip
remarks:
- FIRST REMARK BEFORE LINE 20
- ============
- ALLOW HOST remarks AFTER LINE 20
sequence: 20
source:
host: 2.2.2.2
- destination:
any: true
grant: permit
protocol: ip
remarks:
- FIRST REMARK BEFORE LINE 30
- ============
- ALLOW HOST remarks AFTER LINE 30
sequence: 30
source:
host: 3.3.3.3
acl_type: extended
name: TEST
afi: ipv4
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: ip
# sequence: 10
# source:
# host: 1.1.1.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 20
# - ============
# - ALLOW HOST remarks AFTER LINE 20
# sequence: 20
# source:
# host: 2.2.2.2
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 30
# - ============
# - ALLOW HOST remarks AFTER LINE 30
# sequence: 30
# source:
# host: 3.3.3.3
# acl_type: extended
# name: TEST
# afi: ipv4
# commands:
# - ip access-list extended TEST
# - 10 remark The new first remarks before 10
# - 10 remark ============new
# - 10 remark The new second remarks before 10
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - The new first remarks before 10
# - ============new
# - The new second remarks before 10
# sequence: 10
# source:
# host: 1.1.1.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 20
# - ============
# - ALLOW HOST remarks AFTER LINE 20
# sequence: 20
# source:
# host: 2.2.2.2
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 30
# - ============
# - ALLOW HOST remarks AFTER LINE 30
# sequence: 30
# source:
# host: 3.3.3.3
# acl_type: extended
# name: TEST
# afi: ipv4
# After state:
# -------------
#
# foo#show running-config | section access-list
# ip access-list extended TEST
# 10 remark The new first remarks before 10
# 10 remark ============new
# 10 remark The new second remarks before 10
# 10 permit ip host 1.1.1.1 any
# 20 remark FIRST REMARK BEFORE LINE 20
# 20 remark ============
# 20 remark ALLOW HOST remarks AFTER LINE 20
# 20 permit ip host 2.2.2.2 any
# 30 remark FIRST REMARK BEFORE LINE 30
# 30 remark ============
# 30 remark ALLOW HOST remarks AFTER LINE 30
# 30 permit ip host 3.3.3.3 any
# Using overridden
# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack dscp af11
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
- name: Override device configuration of all acls with provided configuration
cisco.ios.ios_acls:
config:
- afi: ipv4
acls:
- name: 110
aces:
- grant: deny
sequence: 20
protocol_options:
tcp:
ack: true
source:
address: 198.51.100.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
destination:
address: 198.51.110.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: www
dscp: ef
ttl:
eq: 10
- name: 150
aces:
- grant: deny
sequence: 10
protocol_options:
tcp:
syn: true
source:
address: 198.51.100.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
destination:
address: 198.51.110.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
dscp: ef
ttl:
eq: 10
state: overridden
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# acl_type: extended
# name: R1_TRAFFIC
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test
# afi: ipv4
# commands:
# - ip access-list extended 110
# - no 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - no 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
# - ip access-list extended 150
# - 10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# - no ip access-list extended 123
# - no ip access-list extended R1_TRAFFIC
# - no ip access-list standard std_acl
# - no ip access-list extended test
# after:
# - acls:
# - aces:
# - destination:
# address: 198.51.110.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 198.51.100.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.110.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# sequence: 10
# source:
# address: 198.51.100.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: '150'
# afi: ipv4
# After state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list extended 110
# 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
# ip access-list extended 150
# 10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# Using overridden - example remarks specific on multiple sequence
# Before state:
# -------------
#
# vios#show running-config | section access-list
# ip access-list extended TEST
# 10 remark FIRST REMARK BEFORE SEQUENCE 10
# 10 remark ============
# 10 remark REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
# 20 remark FIRST REMARK BEFORE SEQUENCE 20
# 20 remark ============
# 20 remark ALLOW HOST FROM SEQUENCE 20
# 20 permit ip host 1.1.1.1 any
# 30 remark FIRST REMARK BEFORE SEQUENCE 30
# 30 remark ============
# 30 remark ALLOW HOST FROM SEQUENCE 30
# 30 permit ip host 2.2.2.2 any
# 40 remark FIRST REMARK BEFORE SEQUENCE 40
# 40 remark ============
# 40 remark ALLOW NEW HOST FROM SEQUENCE 40
# 40 permit ip host 3.3.3.3 any
# remark Remark not specific to sequence
# remark ============
# remark End Remarks
# ip access-list extended test_acl
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
- name: Override remarks and ace configurations
cisco.ios.ios_acls:
config:
- afi: ipv4
acls:
- name: TEST
acl_type: extended
aces:
- sequence: 10
remarks:
- "FIRST REMARK BEFORE SEQUENCE 10"
- "============"
- "REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE"
grant: permit
protocol: ip
source:
host: 1.1.1.1
destination:
any: true
- sequence: 20
remarks:
- "FIRST REMARK BEFORE SEQUENCE 20"
- "============"
- "ALLOW HOST FROM SEQUENCE 20"
grant: permit
protocol: ip
source:
host: 192.168.0.1
destination:
any: true
- sequence: 30
remarks:
- "FIRST REMARK BEFORE SEQUENCE 30"
- "============"
- "ALLOW HOST FROM SEQUENCE 30 updated"
grant: permit
protocol: ip
source:
host: 2.2.2.2
destination:
any: true
- sequence: 40
remarks:
- "FIRST REMARK BEFORE SEQUENCE 40"
- "============"
- "ALLOW NEW HOST FROM SEQUENCE 40"
grant: permit
protocol: ip
source:
host: 3.3.3.3
destination:
any: true
- remarks:
- "Remark not specific to sequence"
- "============"
- "End Remarks 1"
state: overridden
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# echo: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 20
# - ============
# - ALLOW HOST FROM SEQUENCE 20
# sequence: 20
# source:
# host: 1.1.1.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 30
# - ============
# - ALLOW HOST FROM SEQUENCE 30
# sequence: 30
# source:
# host: 2.2.2.2
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 40
# - ============
# - ALLOW NEW HOST FROM SEQUENCE 40
# sequence: 40
# source:
# host: 3.3.3.3
# - remarks:
# - FIRST REMARK BEFORE SEQUENCE 10
# - ============
# - REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
# sequence: 10
# - remarks:
# - Remark not specific to sequence
# - ============
# - End Remarks
# acl_type: extended
# name: TEST
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test_acl
# afi: ipv4
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
# commands:
# - no ipv6 access-list R1_TRAFFIC
# - ip access-list extended TEST
# - no 10 # removes all remarks and ace entry for sequence 10
# - no 20 permit ip host 1.1.1.1 any # removing the ace automatically removes the remarks
# - no 30 remark # just remove remarks for sequence 30
# - no remark # remove all remarks at end of acl, that has no sequence
# - 10 remark FIRST REMARK BEFORE SEQUENCE 10
# - 10 remark ============
# - 10 remark REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
# - 10 permit ip host 1.1.1.1 any
# - 20 remark FIRST REMARK BEFORE SEQUENCE 20
# - 20 remark ============
# - 20 remark ALLOW HOST FROM SEQUENCE 20
# - 20 permit ip host 192.168.0.1 any
# - 30 remark FIRST REMARK BEFORE SEQUENCE 30
# - 30 remark ============
# - 30 remark ALLOW HOST FROM SEQUENCE 30 updated
# - remark Remark not specific to sequence
# - remark ============
# - remark End Remarks 1
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list extended test_acl
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 10
# - ============
# - REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
# sequence: 10
# source:
# host: 1.1.1.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 20
# - ============
# - ALLOW HOST FROM SEQUENCE 20
# sequence: 20
# source:
# host: 192.168.0.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 30
# - ============
# - ALLOW HOST FROM SEQUENCE 30 updated
# sequence: 30
# source:
# host: 2.2.2.2
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 40
# - ============
# - ALLOW NEW HOST FROM SEQUENCE 40
# sequence: 40
# source:
# host: 3.3.3.3
# - remarks:
# - Remark not specific to sequence
# - ============
# - End Remarks 1
# acl_type: extended
# name: TEST
# afi: ipv4
# After state:
# -------------
#
# foo#show running-config | section access-list
# ip access-list extended TEST
# 10 remark FIRST REMARK BEFORE SEQUENCE 10
# 10 remark ============
# 10 remark REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
# 10 permit ip host 1.1.1.1 any
# 20 remark FIRST REMARK BEFORE SEQUENCE 20
# 20 remark ============
# 20 remark ALLOW HOST FROM SEQUENCE 20
# 20 permit ip host 192.168.0.1 any
# 30 remark FIRST REMARK BEFORE SEQUENCE 30
# 30 remark ============
# 30 remark ALLOW HOST FROM SEQUENCE 30 updated
# 30 permit ip host 2.2.2.2 any
# 40 remark FIRST REMARK BEFORE SEQUENCE 40
# 40 remark ============
# 40 remark ALLOW NEW HOST FROM SEQUENCE 40
# 40 permit ip host 3.3.3.3 any
# remark Remark not specific to sequence
# remark ============
# remark End Remarks 1
# Using deleted - delete ACL(s)
# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended extended_acl_1
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
- name: "Delete ACLs (Note: This won't delete the all configured ACLs)"
cisco.ios.ios_acls:
config:
- afi: ipv4
acls:
- name: extended_acl_1
acl_type: extended
- name: 110
state: deleted
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: extended_acl_1
# afi: ipv4
# commands:
# - no ip access-list extended 110
# - no ip access-list extended extended_acl_1
# after:
# - acls:
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# afi: ipv4
# After state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Using deleted - delete ACLs based on AFI
# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
- name: "Delete ACLs based on AFI (Note: This won't delete the all configured ACLs)"
cisco.ios.ios_acls:
config:
- afi: ipv4
state: deleted
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test
# afi: ipv4
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
# commands:
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list standard std_acl
# - no ip access-list extended test
# after:
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
# After state:
# -------------
#
# vios#sh running-config | section access-list
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
# Using deleted - delete all ACLs
# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
- name: Delete ALL of configured ACLs
cisco.ios.ios_acls:
state: deleted
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test
# afi: ipv4
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
# commands:
# - no ip access-list extended test
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list extended test
# - no ipv6 access-list R1_TRAFFIC
# after: []
# After state:
# -------------
#
# vios#sh running-config | section access-list
# Using gathered
# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
- name: Gather ACLs configuration from target device
cisco.ios.ios_acls:
state: gathered
# Module Execution Result:
# ------------------------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test
# afi: ipv4
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
# Using rendered
- name: Render the provided configuration into platform specific configuration lines
cisco.ios.ios_acls:
config:
- afi: ipv4
acls:
- name: 110
aces:
- grant: deny
sequence: 10
protocol_options:
tcp:
syn: true
source:
address: 192.0.2.0
wildcard_bits: 0.0.0.255
destination:
address: 192.0.3.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: www
dscp: ef
ttl:
eq: 10
- name: 150
aces:
- grant: deny
protocol_options:
tcp:
syn: true
source:
address: 198.51.100.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
destination:
address: 198.51.110.0
wildcard_bits: 0.0.0.255
port_protocol:
eq: telnet
dscp: ef
ttl:
eq: 10
state: rendered
# Module Execution Result:
# ------------------------
#
# rendered:
# - ip access-list extended 110
# - 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# - ip access-list extended 150
# - deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# Using Parsed
# File: parsed.cfg
# ----------------
#
# IPv6 access-list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11
- name: Parse the commands for provided configuration
cisco.ios.ios_acls:
running_config: "{{ lookup('file', 'parsed.cfg') }}"
state: parsed
# Module Execution Result:
# ------------------------
#
# parsed:
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The resulting configuration after module execution. Returned: when changed Sample: |
|
The configuration prior to the module execution. Returned: when state is Sample: |
|
The set of commands pushed to the remote device. Returned: when state is Sample: |
|
Facts about the network resource gathered from the remote device as structured data. Returned: when state is Sample: |
|
The device native config provided in running_config option parsed into structured data as per module argspec. Returned: when state is Sample: |
|
The provided configuration in the task rendered in device-native format (offline). Returned: when state is Sample: |