cisco.iosxr.iosxr_acls module – Resource module to configure ACLs.
Note
This module is part of the cisco.iosxr collection (version 10.2.2).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cisco.iosxr.
To use it in a playbook, specify: cisco.iosxr.iosxr_acls.
New in cisco.iosxr 1.0.0
Synopsis
This module manages Access Control Lists (ACLs) on devices running IOS-XR.
Parameters
| Parameter | Comments |
|---|---|
| config | A list of dictionaries specifying ACL configurations. |
| acls | A list of Access Control Lists (ACLs). |
| aces | List of Access Control Entries (ACEs) for this Access Control List (ACL). |
| authen | Match if authentication header is present. Choices: false, true |
| capture | Capture matched packet. Choices: false, true |
| destination | Specifies the packet destination. |
| address | The destination IP address to match. |
| any | Match any destination address. Choices: false, true |
| host | The host IP address to match. |
| net_group | Name of net-group. |
| port_group | Name of port-group. |
| port_protocol | Specify the source port or protocol. |
| eq | Match only packets on a given port number. |
| gt | Match only packets with a greater port number. |
| lt | Match only packets with a lower port number. |
| neq | Match only packets not on a given port number. |
| range | Match only packets in the range of port numbers. |
| end | Specify the end of the port range. |
| start | Specify the start of the port range. |
| prefix | Destination network prefix. |
| wildcard_bits | The wildcard bits to apply to the destination address. |
| destopts | Match if destination opts header is present. Choices: false, true |
| dscp | Match packets with given DSCP value. |
| eq | Match only packets on a given DSCP value. |
| gt | Match only packets with a greater DSCP value. |
| lt | Match only packets with a lower DSCP value. |
| neq | Match only packets not on a given DSCP value. |
| range | Match only packets in the range of DSCP values. |
| end | End of the DSCP range. |
| start | Start of the DSCP range. |
| fragments | Check non-initial fragments. Choices: false, true |
| grant | Forward or drop packets matching the Access Control Entry (ACE). Choices: permit, deny |
| hop_by_hop | Match if hop-by-hop opts header is present. Choices: false, true |
| icmp_off | Enable/disable the ICMP message for this entry. Choices: false, true |
| line | An ACE excluding the sequence number. This key is mutually exclusive with all the other attributes except `sequence`. When used with other attributes, the value of this key takes precedence and the other keys are ignored. This should only be used when an attribute does not exist in the argspec but is valid for the device. For fact gathering, any ACE that is not fully parsed shows up as the value of this attribute, excluding the sequence number, which is populated as the value of the `sequence` key. |
| log | Enable/disable log matches against this entry. Choices: false, true |
| log_input | Enable/disable log matches against this entry, including input interface. Choices: false, true |
| packet_length | Match packets with given packet length. |
| eq | Match only packets on a given packet length. |
| gt | Match only packets with a greater packet length. |
| lt | Match only packets with a lower packet length. |
| neq | Match only packets not on a given packet length. |
| range | Match only packets in the range of packet lengths. |
| end | End of the packet length range. |
| start | Start of the packet length range. |
| precedence | Match packets with given precedence value. |
| protocol | Specify the protocol to match. Refer to vendor documentation for valid values. |
| protocol_options | Additional suboptions for the protocol. |
| icmp | Internet Control Message Protocol settings. |
| | Administratively prohibited. Choices: false, true |
| | Alternate address. Choices: false, true |
| | Datagram conversion. Choices: false, true |
| | Host prohibited. Choices: false, true |
| | Net prohibited. Choices: false, true |
| | Echo (ping). Choices: false, true |
| | Echo reply. Choices: false, true |
| | Parameter problem. Choices: false, true |
| | Host isolated. Choices: false, true |
| | Host unreachable for precedence. Choices: false, true |
| | Host redirect. Choices: false, true |
| | Host redirect for TOS. Choices: false, true |
| | Host unreachable for TOS. Choices: false, true |
| | Host unknown. Choices: false, true |
| | Host unreachable. Choices: false, true |
| | Information replies. Choices: false, true |
| | Information requests. Choices: false, true |
| | Mask replies. Choices: false, true |
| | Mask requests. Choices: false, true |
| | Mobile host redirect. Choices: false, true |
| | Network redirect. Choices: false, true |
| | Net redirect for TOS. Choices: false, true |
| | Network unreachable for TOS. Choices: false, true |
| | Net unreachable. Choices: false, true |
| | Network unknown. Choices: false, true |
| | Parameter required but no room. Choices: false, true |
| | Parameter required but not present. Choices: false, true |
| | Fragmentation needed and DF set. Choices: false, true |
| | All parameter problems. Choices: false, true |
| | Port unreachable. Choices: false, true |
| | Precedence cutoff. Choices: false, true |
| | Protocol unreachable. Choices: false, true |
| reassembly_timeout | Reassembly timeout. Choices: false, true |
| | All redirects. Choices: false, true |
| router_advertisement | Router discovery advertisements. Choices: false, true |
| | Router discovery solicitations. Choices: false, true |
| | Source quenches. Choices: false, true |
| | Source route failed. Choices: false, true |
| | All time exceededs. Choices: false, true |
| | Timestamp replies. Choices: false, true |
| | Timestamp requests. Choices: false, true |
| | Traceroute. Choices: false, true |
| | TTL exceeded. Choices: false, true |
| | All unreachables. Choices: false, true |
| icmpv6 | Internet Control Message Protocol settings for IPv6. |
| | Address Unreachable. Choices: false, true |
| | Administratively Prohibited. Choices: false, true |
| | Administratively Prohibited. Choices: false, true |
| | Destination Unreachable. Choices: false, true |
| | Echo. Choices: false, true |
| | Echo Reply. Choices: false, true |
| | Erroneous Header Field. Choices: false, true |
| | Group Membership Query. Choices: false, true |
| | Group Membership Report. Choices: false, true |
| | Group Membership Termination. Choices: false, true |
| | Host Unreachable. Choices: false, true |
| | Neighbor Discovery - Neighbor Advertisement. Choices: false, true |
| | Neighbor Discovery - Neighbor Solicitation. Choices: false, true |
| | Neighbor Redirect. Choices: false, true |
| | No Route To Destination. Choices: false, true |
| | Node Information Request Is Refused. Choices: false, true |
| | Node Information Successful Reply. Choices: false, true |
| | Packet Too Big. Choices: false, true |
| | Parameter Problem. Choices: false, true |
| | Port Unreachable. Choices: false, true |
| | Query Subject Is Domain name. Choices: false, true |
| | Query Subject Is IPv4 address. Choices: false, true |
| | Query Subject Is IPv6 address. Choices: false, true |
| | Reassembly Timeout. Choices: false, true |
| | Redirect. Choices: false, true |
| router_advertisement | Router Advertisement. Choices: false, true |
| | Router Renumbering. Choices: false, true |
| | Router Solicitation. Choices: false, true |
| | RR Command. Choices: false, true |
| | RR Result. Choices: false, true |
| | RR Seqnum Reset. Choices: false, true |
| | Time Exceeded. Choices: false, true |
| | TTL Exceeded. Choices: false, true |
| | Unknown Query Type. Choices: false, true |
| | Unreachable. Choices: false, true |
| | Unrecognized Next Header. Choices: false, true |
| | Unrecognized Option. Choices: false, true |
| | Whoareyou Reply. Choices: false, true |
| | Whoareyou Request. Choices: false, true |
| igmp | Internet Group Management Protocol (IGMP) settings. |
| | Match Distance Vector Multicast Routing Protocol. Choices: false, true |
| | Match Host Query. Choices: false, true |
| | Match Host Report. Choices: false, true |
| | Match mtrace. Choices: false, true |
| | Match mtrace response. Choices: false, true |
| | Match Protocol Independent Multicast. Choices: false, true |
| | Multicast trace. Choices: false, true |
| tcp | Match TCP packet flags. |
| ack | Match on the ACK bit. Choices: false, true |
| established | Match established connections. Choices: false, true |
| fin | Match on the FIN bit. Choices: false, true |
| psh | Match on the PSH bit. Choices: false, true |
| rst | Match on the RST bit. Choices: false, true |
| syn | Match on the SYN bit. Choices: false, true |
| urg | Match on the URG bit. Choices: false, true |
| remark | Comments or a description for the access list. |
| routing | Match if routing header is present. Choices: false, true |
| sequence | Sequence number for the Access Control Entry (ACE). |
| source | Specifies the packet source. |
| address | The source IP address to match. |
| any | Match any source address. Choices: false, true |
| host | The host IP address to match. |
| net_group | Name of net-group. |
| port_group | Name of port-group. |
| port_protocol | Specify the source port or protocol. |
| eq | Match only packets on a given port number. |
| gt | Match only packets with a greater port number. |
| lt | Match only packets with a lower port number. |
| neq | Match only packets not on a given port number. |
| range | Match only packets in the range of port numbers. |
| end | Specify the end of the port range. |
| start | Specify the start of the port range. |
| prefix | Source network prefix. |
| wildcard_bits | The wildcard bits to apply to the source address. |
| ttl | Match against specified TTL value. |
| eq | Match only packets with exact TTL value. |
| gt | Match only packets with a greater TTL value. |
| lt | Match only packets with a lower TTL value. |
| neq | Match only packets that do not have the given TTL value. |
| range | Match only packets in the range of given TTL values. |
| end | End of the TTL range. |
| start | Start of the TTL range. |
| name | The name of the Access Control List (ACL). |
| afi | The Address Family Indicator (AFI) for the Access Control Lists (ACL). Choices: ipv4, ipv6 |
| running_config | By default, the module connects to the remote device and retrieves the current running-config to use as a base for comparison against the contents of source. There are times when it is not desirable to have the task fetch the current running-config for every task in a playbook. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison. The value of this option should be the output received from the device by executing the command show running-config router static. |
| state | The state the configuration should be left in. Choices: merged, replaced, overridden, deleted, gathered, rendered, parsed |
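The running_config option above takes raw show-command text as the comparison base, and the gathered state returns facts in the config shape described in this table. The script below, an added example and not code from the cisco.iosxr collection, parses `show access-lists afi-all` output into that shape (afi, acls, name, aces and the ACE keys from the table), so an ACL set can be audited or diffed offline without a device connection. The embedded sample is the Before-state listing from this page's examples; the parser covers the ACE syntax that appears on this page rather than the full IOS-XR grammar, and it keeps every value as the string the device printed (the module itself reports some of them, such as TTL bounds, as integers).

```python
"""Parse `show access-lists afi-all` text into the facts shape this module
returns (afi -> acls -> aces), so ACLs can be audited or diffed offline.

Added example, not code from the cisco.iosxr collection; it covers the ACE
syntax that appears on this page, not the full IOS-XR ACL grammar."""
import re

# Sample input: the "Before state" listing from this page's examples.
SHOW_OUTPUT = """\
RP/0/RP0/CPU0:ios#show access-lists afi-all
Fri Sep 22 04:37:33.542 UTC
ipv4 access-list acl_1
 10 permit udp 192.168.1.0 0.0.0.255 any
 16 remark TEST_ACL_1_REMARK
 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
ipv4 access-list acl_2
 10 remark TEST_ACL_2_REMARK
ipv6 access-list acl6_1
 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
 20 permit icmpv6 any any router-advertisement precedence network destopts
"""

ACL_HEADER = re.compile(r"^(ipv4|ipv6) access-list (\S+)$")
OPERATORS = ("eq", "gt", "lt", "neq", "range")
# Bare keywords that map to boolean ACE attributes (hyphen becomes underscore).
BOOL_KEYWORDS = {"log", "log-input", "authen", "routing", "destopts", "fragments", "capture"}
# Criteria followed by an operator and a value, e.g. "ttl range 180 250".
OPERATOR_KEYS = {"ttl", "dscp", "packet-length"}


def _take_operator(tokens, i):
    """Consume `eq|gt|lt|neq VALUE` or `range START END` at tokens[i]; return (dict, next_i)."""
    op = tokens[i]
    if op == "range":
        return {"range": {"start": tokens[i + 1], "end": tokens[i + 2]}}, i + 3
    return {op: tokens[i + 1]}, i + 2


def _take_address(tokens, i):
    """Consume one address block (any | host X | PREFIX/LEN | ADDR WILDCARD)
    plus an optional port specification; return (dict, next_i)."""
    tok = tokens[i]
    if tok == "any":
        spec, i = {"any": True}, i + 1
    elif tok == "host":
        spec, i = {"host": tokens[i + 1]}, i + 2
    elif "/" in tok:
        spec, i = {"prefix": tok}, i + 1
    else:
        spec, i = {"address": tok, "wildcard_bits": tokens[i + 1]}, i + 2
    if i < len(tokens) and tokens[i] in OPERATORS:
        spec["port_protocol"], i = _take_operator(tokens, i)
    return spec, i


def parse_ace(line):
    """Parse one ACE line into the module's ACE dictionary."""
    tokens = line.split()
    ace = {"sequence": int(tokens[0])}
    if tokens[1] == "remark":
        ace["remark"] = " ".join(tokens[2:])
        return ace
    ace["grant"], ace["protocol"] = tokens[1], tokens[2]
    ace["source"], i = _take_address(tokens, 3)
    ace["destination"], i = _take_address(tokens, i)
    while i < len(tokens):
        tok = tokens[i]
        if tok in OPERATOR_KEYS:
            ace[tok.replace("-", "_")], i = _take_operator(tokens, i + 1)
        elif tok == "precedence":
            ace["precedence"], i = tokens[i + 1], i + 2
        elif tok in BOOL_KEYWORDS:
            ace[tok.replace("-", "_")], i = True, i + 1
        else:  # anything else is a protocol-specific flag: syn, reassembly-timeout, ...
            flags = ace.setdefault("protocol_options", {}).setdefault(ace["protocol"], {})
            flags[tok.replace("-", "_")], i = True, i + 1
    return ace


def parse_show_access_lists(text):
    """Return [{'afi': ..., 'acls': [{'name': ..., 'aces': [...]}]}] from show output."""
    by_afi, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            afi, name = header.groups()
            current = {"name": name, "aces": []}
            by_afi.setdefault(afi, []).append(current)
        elif current is not None and line[:1].isdigit():
            current["aces"].append(parse_ace(line))
        # the prompt, the timestamp and blank lines fall through and are ignored
    return [{"afi": afi, "acls": acls} for afi, acls in by_afi.items()]


if __name__ == "__main__":
    import json
    print(json.dumps(parse_show_access_lists(SHOW_OUTPUT), indent=2))
```

Feeding the output of this parser into a version-controlled file gives the same structure the module's gathered state returns, which makes it straightforward to alert on ACL drift between what the device reports and what the playbook declares.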
Examples
# Using merged to add new ACLs

# Before state:
# -------------
#
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 03:57:04.758 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any

- name: Merge the provided configuration with the existing running configuration
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv6
        acls:
          - name: acl6_1
            aces:
              - sequence: 10
                grant: deny
                protocol: tcp
                source:
                  prefix: '2001:db8:1234::/48'
                  port_protocol:
                    range:
                      start: ftp
                      end: telnet
                destination:
                  any: true
                protocol_options:
                  tcp:
                    syn: true
                ttl:
                  range:
                    start: 180
                    end: 250
                routing: true
                authen: true
                log: true
              - sequence: 20
                grant: permit
                protocol: icmpv6
                source:
                  any: true
                destination:
                  any: true
                protocol_options:
                  icmpv6:
                    router_advertisement: true
                precedence: network
                destopts: true
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              - sequence: 16
                remark: TEST_ACL_1_REMARK
              - sequence: 21
                grant: permit
                protocol: tcp
                source:
                  host: 192.0.2.10
                  port_protocol:
                    range:
                      start: pop3
                      end: 121
                destination:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.15
                protocol_options:
                  tcp:
                    rst: true
              - sequence: 23
                grant: deny
                protocol: icmp
                source:
                  any: true
                destination:
                  prefix: 198.51.100.0/28
                protocol_options:
                  icmp:
                    reassembly_timeout: true
                dscp:
                  lt: af12
          - name: acl_2
            aces:
              - sequence: 10
                remark: TEST_ACL_2_REMARK
    state: merged

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: udp
#       sequence: 10
#       source:
#         address: 192.168.1.0
#         wildcard_bits: 0.0.0.255
#     name: acl_1
#   afi: ipv4
#
# commands:
# - ipv6 access-list acl6_1
# - 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log
# - 20 permit icmpv6 any any router-advertisement precedence network destopts
# - ipv4 access-list acl_1
# - 16 remark TEST_ACL_1_REMARK
# - 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# - 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# - ipv4 access-list acl_2
# - 10 remark TEST_ACL_2_REMARK
#
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: udp
#       sequence: 10
#       source:
#         address: 192.168.1.0
#         wildcard_bits: 0.0.0.255
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6

# After state:
# -------------
#
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 04:35:19.977 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts
# Using merged to update existing ACLs

# Before state:
# -------------
#
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 04:37:33.542 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Update existing ACEs
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              - sequence: 21
                source:
                  prefix: 198.51.100.32/28
                  port_protocol:
                    range:
                      start: pop3
                      end: 121
                protocol_options:
                  tcp:
                    syn: true
              - sequence: 23
                protocol_options:
                  icmp:
                    router_advertisement: true
                dscp:
                  eq: af23

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: udp
#       sequence: 10
#       source:
#         address: 192.168.1.0
#         wildcard_bits: 0.0.0.255
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
#
# commands:
# - ipv4 access-list acl_1
# - 21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
# - 23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
#
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: udp
#       sequence: 10
#       source:
#         address: 192.168.1.0
#         wildcard_bits: 0.0.0.255
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       sequence: 21
#       source:
#         address: 198.51.100.32
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#         wildcard_bits: 0.0.0.15
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         eq: af23
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           router_advertisement: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6

# After state:
# -------------
#
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:58:38.345 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
#  23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts
# Using replaced to replace a whole ACL

# Before state:
# -------------
#
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 05:38:36.205 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Replace device configurations of listed ACL with provided configurations
  cisco.iosxr.iosxr_acls:
    state: replaced
    config:
      - afi: ipv4
        acls:
          - name: acl_2
            aces:
              - sequence: 11
                grant: permit
                protocol: igmp
                source:
                  host: 198.51.100.130
                destination:
                  any: true
                ttl:
                  eq: 100
              - sequence: 12
                grant: deny
                source:
                  any: true
                destination:
                  any: true
                protocol: icmp

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: udp
#       sequence: 10
#       source:
#         address: 192.168.1.0
#         wildcard_bits: 0.0.0.255
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
#
# commands:
# - ipv4 access-list acl_2
# - no 10
# - 11 permit igmp host 198.51.100.130 any ttl eq 100
# - 12 deny icmp any any
#
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: udp
#       sequence: 10
#       source:
#         address: 192.168.1.0
#         wildcard_bits: 0.0.0.255
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: igmp
#       sequence: 11
#       source:
#         host: 198.51.100.130
#       ttl:
#         eq: 100
#     - destination:
#         any: true
#       grant: deny
#       protocol: icmp
#       sequence: 12
#       source:
#         any: true
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6

# After state:
# -------------
#
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 05:56:21.103 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  11 permit igmp host 198.51.100.130 any ttl eq 100
#  12 deny icmp any any
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts
# Using overridden to override all ACLs in the device

# Before state:
# -------------
#
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Override all ACLs configuration with provided configuration
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              - sequence: 10
                grant: permit
                source:
                  any: true
                destination:
                  any: true
                protocol: tcp
          - name: acl_2
            aces:
              - sequence: 20
                grant: permit
                source:
                  any: true
                destination:
                  any: true
                protocol: igmp
    state: overridden

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
#
# commands:
# - no ipv6 access-list acl6_1
# - ipv4 access-list acl_1
# - no 16
# - no 21
# - no 23
# - 10 permit tcp any any
# - ipv4 access-list acl_2
# - no 10
# - 20 permit igmp any any
#
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: tcp
#       sequence: 10
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: igmp
#       sequence: 20
#       source:
#         any: true
#     name: acl_2
#   afi: ipv4

# After state:
# -------------
#
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:31:22.178 UTC
# ipv4 access-list acl_1
#  10 permit tcp any any
# ipv4 access-list acl_2
#  20 permit igmp any any
# Using deleted to delete an entire ACL

# Before state:
# -------------
#
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete a single ACL
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv6
        acls:
          - name: acl6_1
    state: deleted

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
#
# commands:
# - no ipv6 access-list acl6_1
#
# after:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4

# After state:
# -------------
#
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# Using deleted to delete all ACLs under one AFI

# Before state:
# -------------
#
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete all ACLs under one AFI
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
    state: deleted

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
#
# commands:
# - no ipv4 access-list acl_1
# - no ipv4 access-list acl_2
#
# after:
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6

# After state:
# -------------
#
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts
# Using deleted to delete all ACLs from the device

# Before state:
# -------------
#
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete all ACLs from the device
  cisco.iosxr.iosxr_acls:
    state: deleted

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
#
# commands:
# - no ipv4 access-list acl_1
# - no ipv4 access-list acl_2
# - no ipv6 access-list acl6_1
#
# after: []

# After state:
# -------------
#
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#
# Using gathered to gather ACL facts from the device
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Gather ACL interfaces facts using gathered state
  cisco.iosxr.iosxr_acls:
    state: gathered
# Task Output (redacted)
# -----------------------
#
# gathered:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
# Using rendered
- name: Render platform specific commands (without connecting to the device)
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
        acls:
          - name: acl_2
            aces:
              - sequence: 11
                grant: permit
                protocol: igmp
                source:
                  host: 198.51.100.130
                destination:
                  any: true
                ttl:
                  eq: 100
              - sequence: 12
                grant: deny
                source:
                  any: true
                destination:
                  any: true
                protocol: icmp
    state: rendered
# Task Output (redacted)
# -----------------------
# rendered:
# - ipv4 access-list acl_2
# - 11 permit igmp host 198.51.100.130 any ttl eq 100
# - 12 deny icmp any any
# Using parsed
# parsed.cfg
# ------------
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Parse externally provided ACL config to agnostic model
  cisco.iosxr.iosxr_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed
# Task Output (redacted)
# -----------------------
# parsed:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
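The structured facts that the gathered and parsed states return (shown above) are the natural input for an ACL review: the same checks work whether the data came from a live device or from an offline config file. The script below is an added example, not code from the cisco.iosxr collection. It audits a hand-built copy of the module's sample output for entries a reviewer would want to look at: permit any-to-any entries, deny entries without the log keyword (which leaves no record of what was dropped), duplicate sequence numbers, and ACLs that contain only remarks. The check names, messages and the SAMPLE_FACTS data are this example's own constructions.

```python
"""Audit the structured ACL facts returned by cisco.iosxr.iosxr_acls under
``gathered`` or ``parsed``.

Added example, not part of the cisco.iosxr collection. SAMPLE_FACTS is a
hand-constructed copy of the sample output shown in the module documentation;
the checks and their messages are this example's own choices.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, int, str]  # (afi, acl name, sequence, message)

# Constructed to mirror the module's gathered/parsed output for the sample
# device configuration (acl_1, acl_2, acl6_1).
SAMPLE_FACTS: List[Dict[str, Any]] = [
    {
        "afi": "ipv4",
        "acls": [
            {
                "name": "acl_1",
                "aces": [
                    {"remark": "TEST_ACL_1_REMARK", "sequence": 16},
                    {
                        "sequence": 21, "grant": "permit", "protocol": "tcp",
                        "source": {"host": "192.0.2.10",
                                   "port_protocol": {"range": {"start": "pop3", "end": "121"}}},
                        "destination": {"address": "198.51.100.0", "wildcard_bits": "0.0.0.15"},
                        "protocol_options": {"tcp": {"rst": True}},
                    },
                    {
                        "sequence": 23, "grant": "deny", "protocol": "icmp",
                        "source": {"any": True},
                        "destination": {"address": "198.51.100.0", "wildcard_bits": "0.0.0.15"},
                        "protocol_options": {"icmp": {"reassembly_timeout": True}},
                        "dscp": {"lt": "af12"},
                    },
                ],
            },
            {"name": "acl_2", "aces": [{"remark": "TEST_ACL_2_REMARK", "sequence": 10}]},
        ],
    },
    {
        "afi": "ipv6",
        "acls": [
            {
                "name": "acl6_1",
                "aces": [
                    {
                        "sequence": 10, "grant": "deny", "protocol": "tcp", "log": True,
                        "authen": True, "routing": True,
                        "source": {"prefix": "2001:db8:1234::/48",
                                   "port_protocol": {"range": {"start": "ftp", "end": "telnet"}}},
                        "destination": {"any": True},
                        "protocol_options": {"tcp": {"syn": True}},
                        "ttl": {"range": {"start": 180, "end": 250}},
                    },
                    {
                        "sequence": 20, "grant": "permit", "protocol": "icmpv6",
                        "precedence": "network", "destopts": True,
                        "source": {"any": True}, "destination": {"any": True},
                        "protocol_options": {"icmpv6": {"router_advertisement": True}},
                    },
                ],
            }
        ],
    },
]


def _is_any(endpoint: Dict[str, Any]) -> bool:
    """True when a source/destination block matches any address."""
    return bool(endpoint.get("any"))


def audit_acls(facts: List[Dict[str, Any]]) -> List[Finding]:
    """Walk the afi -> acls -> aces structure and return review findings.

    Remark-only entries (no ``grant`` key) are skipped for the grant checks
    but still take part in the sequence-number check.
    """
    findings: List[Finding] = []
    for afi_block in facts:
        afi = afi_block.get("afi", "?")
        for acl in afi_block.get("acls", []):
            name = acl.get("name", "?")
            aces = acl.get("aces", [])
            if not any("grant" in ace for ace in aces):
                findings.append((afi, name, 0, "ACL has no ACEs, only remarks"))
            seen = set()
            for ace in aces:
                seq = int(ace.get("sequence", 0))
                if seq in seen:
                    findings.append((afi, name, seq, "duplicate sequence number"))
                seen.add(seq)
                if "grant" not in ace:
                    continue
                src, dst = ace.get("source", {}), ace.get("destination", {})
                if ace["grant"] == "permit" and _is_any(src) and _is_any(dst):
                    proto = ace.get("protocol", "ip")
                    findings.append((afi, name, seq, f"permit any-to-any for protocol {proto}"))
                if ace["grant"] == "deny" and not ace.get("log"):
                    findings.append((afi, name, seq, "deny without log keyword"))
    return findings


def render_report(findings: List[Finding]) -> str:
    """One line per finding, suitable for a CI log or a review comment."""
    return "\n".join(f"{afi} {name} seq {seq}: {msg}" for afi, name, seq, msg in findings)


if __name__ == "__main__":
    print(render_report(audit_acls(SAMPLE_FACTS)))
```

In a playbook the gathered task would be registered (for example `register: acl_facts`) and `acl_facts.gathered` passed to `audit_acls` in place of SAMPLE_FACTS; because the parsed state produces the same structure, the same audit runs unchanged against a config file handled by `state: parsed`. On the sample data the audit reports the unlogged deny at sequence 23 in acl_1, the remark-only acl_2, and the any-to-any icmpv6 permit at sequence 20 in acl6_1.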
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Description
---|---
after | The resulting configuration model invocation. Returned: when changed
before | The configuration prior to the model invocation. Returned: always
commands | The set of commands pushed to the remote device. Returned: always
gathered | Facts about the network resource gathered from the remote device as structured data. Returned: when state is gathered
parsed | The device native config provided in the running_config option parsed into structured data as per the module argspec. Returned: when state is parsed
rendered | The provided configuration in the task rendered in device-native format (offline). Returned: when state is rendered