cisco.iosxr.iosxr_acls – ACLs resource module

Note

This plugin is part of the cisco.iosxr collection (version 2.4.0).

To install it use: ansible-galaxy collection install cisco.iosxr.

To use it in a playbook, specify: cisco.iosxr.iosxr_acls.

New in version 1.0.0: of cisco.iosxr

Synopsis

  • This module manages Access Control Lists (ACLs) on devices running IOS-XR.

Note

This module has a corresponding action plugin.

Parameters

Parameter Choices/Defaults Comments
config
list / elements=dictionary
A list of dictionaries specifying ACL configurations.
acls
list / elements=dictionary
A list of Access Control Lists (ACLs).
aces
list / elements=dictionary
List of Access Control Entries (ACEs) for this Access Control List (ACL).
authen
boolean
    Choices:
  • no
  • yes
Match if authentication header is present.
capture
boolean
    Choices:
  • no
  • yes
Capture matched packet.
destination
dictionary
Specifies the packet destination.
address
string
The destination IP address to match.
any
boolean
    Choices:
  • no
  • yes
Match any destination address.
host
string
The host IP address to match.
port_protocol
dictionary
Specify the source port or protocol.
eq
string
Match only packets on a given port number.
gt
string
Match only packets with a greater port number.
lt
string
Match only packets with a lower port number.
neq
string
Match only packets not on a given port number.
range
dictionary
Match only packets in the range of port numbers
end
string
Specify the end of the port range
start
string
Specify the start of the port range
prefix
string
Destination network prefix.
wildcard_bits
string
The Wildcard bits to apply to destination address.
destopts
boolean
    Choices:
  • no
  • yes
Match if destination opts header is present.
dscp
dictionary
Match packets with given DSCP value.
eq
string
Match only packets on a given dscp value
gt
string
Match only packets with a greater dscp value
lt
string
Match only packets with a lower dscp value
neq
string
Match only packets not on a given dscp value
range
dictionary
Match only packets in the range of dscp values
end
string
End of the dscp range
start
string
Start of the dscp range
fragments
boolean
    Choices:
  • no
  • yes
Check non-intial fragments.
grant
string
    Choices:
  • permit
  • deny
Forward or drop packets matching the Access Control Entry (ACE).
hop_by_hop
boolean
    Choices:
  • no
  • yes
Match if hop-by-hop opts header is present.
icmp_off
boolean
    Choices:
  • no
  • yes
Enable/disable the ICMP message for this entry.
line
string
An ACE excluding the sequence number.
This key is mutually exclusive with all the other attributes except 'sequence'.
When used with other attributes, the value of this key will get precedence and the other keys will be ignored.
This should only be used when an attribute doesn't exist in the argspec but is valid for the device.
For fact gathering, any ACE that is not fully parsed, will show up as a value of this attribute, excluding the sequence number, which will be populated as value of the sequence key.

aliases: ace
log
boolean
    Choices:
  • no
  • yes
Enable/disable log matches against this entry.
log_input
boolean
    Choices:
  • no
  • yes
Enable/disable log matches against this entry, including input interface.
packet_length
dictionary
Match packets given packet length.
eq
integer
Match only packets on a given packet length
gt
integer
Match only packets with a greater packet length
lt
integer
Match only packets with a lower packet length
neq
integer
Match only packets not on a given packet length
range
dictionary
Match only packets in the range of packet lengths
end
integer
End of the packet length range
start
integer
Start of the packet length range
precedence
string
Match packets with given precedence value
protocol
string
Specify the protocol to match.
Refer to vendor documentation for valid values.
protocol_options
dictionary
Additional suboptions for the protocol.
icmp
dictionary
Internet Control Message Protocol settings.
administratively_prohibited
boolean
    Choices:
  • no
  • yes
Administratively prohibited
alternate_address
boolean
    Choices:
  • no
  • yes
Alternate address
conversion_error
boolean
    Choices:
  • no
  • yes
Datagram conversion
dod_host_prohibited
boolean
    Choices:
  • no
  • yes
Host prohibited
dod_net_prohibited
boolean
    Choices:
  • no
  • yes
Net prohibited
echo
boolean
    Choices:
  • no
  • yes
Echo (ping)
echo_reply
boolean
    Choices:
  • no
  • yes
Echo reply
general_parameter_problem
boolean
    Choices:
  • no
  • yes
Parameter problem
host_isolated
boolean
    Choices:
  • no
  • yes
Host isolated
host_precedence_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable for precedence
host_redirect
boolean
    Choices:
  • no
  • yes
Host redirect
host_tos_redirect
boolean
    Choices:
  • no
  • yes
Host redirect for TOS
host_tos_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable for TOS
host_unknown
boolean
    Choices:
  • no
  • yes
Host unknown
host_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable
information_reply
boolean
    Choices:
  • no
  • yes
Information replies
information_request
boolean
    Choices:
  • no
  • yes
Information requests
mask_reply
boolean
    Choices:
  • no
  • yes
Mask replies
mask_request
boolean
    Choices:
  • no
  • yes
Mask requests
mobile_redirect
boolean
    Choices:
  • no
  • yes
Mobile host redirect
net_redirect
boolean
    Choices:
  • no
  • yes
Network redirect
net_tos_redirect
boolean
    Choices:
  • no
  • yes
Net redirect for TOS
net_tos_unreachable
boolean
    Choices:
  • no
  • yes
Network unreachable for TOS
net_unreachable
boolean
    Choices:
  • no
  • yes
Net unreachable
network_unknown
boolean
    Choices:
  • no
  • yes
Network unknown
no_room_for_option
boolean
    Choices:
  • no
  • yes
Parameter required but no room
option_missing
boolean
    Choices:
  • no
  • yes
Parameter required but not present
packet_too_big
boolean
    Choices:
  • no
  • yes
Fragmentation needed and DF set
parameter_problem
boolean
    Choices:
  • no
  • yes
All parameter problems
port_unreachable
boolean
    Choices:
  • no
  • yes
Port unreachable
precedence_unreachable
boolean
    Choices:
  • no
  • yes
Precedence cutoff
protocol_unreachable
boolean
    Choices:
  • no
  • yes
Protocol unreachable
reassembly_timeout
boolean
    Choices:
  • no
  • yes
Reassembly timeout
redirect
boolean
    Choices:
  • no
  • yes
All redirects
router_advertisement
boolean
    Choices:
  • no
  • yes
Router discovery advertisements
router_solicitation
boolean
    Choices:
  • no
  • yes
Router discovery solicitations
source_quench
boolean
    Choices:
  • no
  • yes
Source quenches
source_route_failed
boolean
    Choices:
  • no
  • yes
Source route failed
time_exceeded
boolean
    Choices:
  • no
  • yes
All time exceededs
timestamp_reply
boolean
    Choices:
  • no
  • yes
Timestamp replies
timestamp_request
boolean
    Choices:
  • no
  • yes
Timestamp requests
traceroute
boolean
    Choices:
  • no
  • yes
Traceroute
ttl_exceeded
boolean
    Choices:
  • no
  • yes
TTL exceeded
unreachable
boolean
    Choices:
  • no
  • yes
All unreachables
icmpv6
dictionary
Internet Control Message Protocol settings for IPv6.
address_unreachable
boolean
    Choices:
  • no
  • yes
Address Unreachable
administratively_prohibited
boolean
    Choices:
  • no
  • yes
Administratively Prohibited
beyond_scope_of_source_address
boolean
    Choices:
  • no
  • yes
Administratively Prohibited
destination_unreachable
boolean
    Choices:
  • no
  • yes
Destination Unreachable
echo
boolean
    Choices:
  • no
  • yes
Echo
echo_reply
boolean
    Choices:
  • no
  • yes
Echo Reply
erroneous_header_field
boolean
    Choices:
  • no
  • yes
Erroneous Header Field
group_membership_query
boolean
    Choices:
  • no
  • yes
Group Membership Query
group_membership_report
boolean
    Choices:
  • no
  • yes
Group Membership Report
group_membership_termination
boolean
    Choices:
  • no
  • yes
Group Membership Termination
host_unreachable
boolean
    Choices:
  • no
  • yes
Host Unreachable
nd_na
boolean
    Choices:
  • no
  • yes
Neighbor Discovery - Neighbor Advertisement
nd_ns
boolean
    Choices:
  • no
  • yes
Neighbor Discovery - Neighbor Solicitation
neighbor_redirect
boolean
    Choices:
  • no
  • yes
Neighbor Redirect
no_route_to_destination
boolean
    Choices:
  • no
  • yes
No Route To Destination
node_information_request_is_refused
boolean
    Choices:
  • no
  • yes
Node Information Request Is Refused
node_information_successful_reply
boolean
    Choices:
  • no
  • yes
Node Information Successful Reply
packet_too_big
boolean
    Choices:
  • no
  • yes
Packet Too Big
parameter_problem
boolean
    Choices:
  • no
  • yes
Parameter Problem
port_unreachable
boolean
    Choices:
  • no
  • yes
Port Unreachable
query_subject_is_domainname
boolean
    Choices:
  • no
  • yes
Query Subject Is Domain name
query_subject_is_IPv4address
boolean
    Choices:
  • no
  • yes
Query Subject Is IPv4 address
query_subject_is_IPv6address
boolean
    Choices:
  • no
  • yes
Query Subject Is IPv6 address
reassembly_timeout
boolean
    Choices:
  • no
  • yes
Reassembly Timeout
redirect
boolean
    Choices:
  • no
  • yes
Redirect
router_advertisement
boolean
    Choices:
  • no
  • yes
Router Advertisement
router_renumbering
boolean
    Choices:
  • no
  • yes
Router Renumbering
router_solicitation
boolean
    Choices:
  • no
  • yes
Router Solicitation
rr_command
boolean
    Choices:
  • no
  • yes
RR Command
rr_result
boolean
    Choices:
  • no
  • yes
RR Result
rr_seqnum_reset
boolean
    Choices:
  • no
  • yes
RR Seqnum Reset
time_exceeded
boolean
    Choices:
  • no
  • yes
Time Exceeded
ttl_exceeded
boolean
    Choices:
  • no
  • yes
TTL Exceeded
unknown_query_type
boolean
    Choices:
  • no
  • yes
Unknown Query Type
unreachable
boolean
    Choices:
  • no
  • yes
Unreachable
unrecognized_next_header
boolean
    Choices:
  • no
  • yes
Unrecognized Next Header
unrecognized_option
boolean
    Choices:
  • no
  • yes
Unrecognized Option
whoareyou_reply
boolean
    Choices:
  • no
  • yes
Whoareyou Reply
whoareyou_request
boolean
    Choices:
  • no
  • yes
Whoareyou Request
igmp
dictionary
Internet Group Management Protocol (IGMP) settings.
dvmrp
boolean
    Choices:
  • no
  • yes
Match Distance Vector Multicast Routing Protocol
host_query
boolean
    Choices:
  • no
  • yes
Match Host Query
host_report
boolean
    Choices:
  • no
  • yes
Match Host Report
mtrace
boolean
    Choices:
  • no
  • yes
Match mtrace
mtrace_response
boolean
    Choices:
  • no
  • yes
Match mtrace response
pim
boolean
    Choices:
  • no
  • yes
Match Protocol Independent Multicast
trace
boolean
    Choices:
  • no
  • yes
Multicast trace
tcp
dictionary
Match TCP packet flags
ack
boolean
    Choices:
  • no
  • yes
Match on the ACK bit
established
boolean
    Choices:
  • no
  • yes
Match established connections
fin
boolean
    Choices:
  • no
  • yes
Match on the FIN bit
psh
boolean
    Choices:
  • no
  • yes
Match on the PSH bit
rst
boolean
    Choices:
  • no
  • yes
Match on the RST bit
syn
boolean
    Choices:
  • no
  • yes
Match on the SYN bit
urg
boolean
    Choices:
  • no
  • yes
Match on the URG bit
remark
string
Comments or a description for the access list.
routing
boolean
    Choices:
  • no
  • yes
Match if routing header is present.
sequence
integer
Sequence number for the Access Control Entry (ACE).
source
dictionary
Specifies the packet source.
address
string
The source IP address to match.
any
boolean
    Choices:
  • no
  • yes
Match any source address.
host
string
The host IP address to match.
port_protocol
dictionary
Specify the source port or protocol.
eq
string
Match only packets on a given port number.
gt
string
Match only packets with a greater port number.
lt
string
Match only packets with a lower port number.
neq
string
Match only packets not on a given port number.
range
dictionary
Match only packets in the range of port numbers
end
string
Specify the end of the port range
start
string
Specify the start of the port range
prefix
string
Source network prefix.
wildcard_bits
string
The Wildcard bits to apply to source address.
ttl
dictionary
Match against specified TTL value.
eq
integer
Match only packets with exact TTL value.
gt
integer
Match only packets with a greater TTL value.
lt
integer
Match only packets with a lower TTL value.
neq
integer
Match only packets that won't have the given TTL value.
range
dictionary
Match only packets in the range of given TTL values.
end
integer
End of the TTL range.
start
integer
Start of the TTL range.
name
string
The name of the Access Control List (ACL).
afi
string / required
    Choices:
  • ipv4
  • ipv6
The Address Family Indicator (AFI) for the Access Control Lists (ACL).
running_config
string
The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison. This value of this option should be the output received from device by executing command show running-config router static.
state
string
    Choices:
  • merged ←
  • replaced
  • overridden
  • deleted
  • gathered
  • rendered
  • parsed
The state the configuration should be left in.

Examples

# Using merged to add new ACLs

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#

- name: Merge the provided configuration with the existing running configuration
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv6
      acls:
      - name: acl6_1
        aces:
        - sequence: 10
          grant: deny
          protocol: tcp
          source:
            prefix: 2001:db8:1234::/48
            port_protocol:
              range:
                start: ftp
                end: telnet
          destination:
            any: true
          protocol_options:
            tcp:
              syn: true
          ttl:
            range:
              start: 180
              end: 250
          routing: true
          authen: true
          log: true

        - sequence: 20
          grant: permit
          protocol: icmpv6
          source:
            any: true
          destination:
            any: true
          protocol_options:
            icmpv6:
              router_advertisement: true
          precedence: network
          destopts: true

    - afi: ipv4
      acls:
      - name: acl_1
        aces:
        - sequence: 16
          remark: TEST_ACL_1_REMARK

        - sequence: 21
          grant: permit
          protocol: tcp
          source:
            host: 192.0.2.10
            port_protocol:
              range:
                start: pop3
                end: 121
          destination:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.15
          protocol_options:
            tcp:
              rst: true

        - sequence: 23
          grant: deny
          protocol: icmp
          source:
            any: true
          destination:
            prefix: 198.51.100.0/28
          protocol_options:
            icmp:
              reassembly_timeout: true
          dscp:
            lt: af12

      - name: acl_2
        aces:
        - sequence: 10
          remark: TEST_ACL_2_REMARK
    state: merged

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

# Using merged to update existing ACLs

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Update existing ACEs
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv4
      acls:
      - name: acl_1
        aces:
        - sequence: 21
          source:
            prefix: 198.51.100.32/28
            port_protocol:
              range:
                start: pop3
                end: 121
          protocol_options:
            tcp:
              syn: true

        - sequence: 23
          protocol_options:
            icmp:
              router_advertisement: true
          dscp:
            eq: af23

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:47:18.711 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
#  23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

# Using replaced to replace a whole ACL

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Replace device configurations of listed ACL with provided configurations
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv4
      acls:
      - name: acl_2
        aces:
        - sequence: 11
          grant: permit
          protocol: igmp
          source:
            host: 198.51.100.130
          destination:
            any: true
          ttl:
            eq: 100

        - sequence: 12
          grant: deny
          source:
            any: true
          destination:
            any: true
          protocol: icmp
    state: replaced

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:19:51.496 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
#  23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
#  11 permit igmp host 198.51.100.130 any ttl eq 100
#  12 deny icmp any any
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

# Using overridden to override all ACLs in the device

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Overridde all ACLs configuration with provided configuration
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv4
      acls:
      - name: acl_1
        aces:
        - sequence: 10
          grant: permit
          source:
            any: true
          destination:
            any: true
          protocol: tcp

      - name: acl_2
        aces:
        - sequence: 20
          grant: permit
          source:
            any: true
          destination:
            any: true
          protocol: igmp
    state: overridden

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:31:22.178 UTC
# ipv4 access-list acl_1
#  10 permit tcp any any
# ipv4 access-list acl_2
#  20 permit igmp any any

# Using deleted to delete an entire ACL

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete a single ACL
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv6
      acls:
      - name: acl6_1
    state: deleted

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK

# Using deleted to delete all ACLs under one AFI

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete all ACLs under one AFI
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv4
    state: deleted

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

# Using deleted to delete all ACLs from the device

# Before state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete all ACLs from the device
  cisco.iosxr.iosxr_acls:
    state: deleted

# After state:
# -------------

# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#

# Using gathered to gather ACL facts from the device

- name: Gather ACL interfaces facts using gathered state
  cisco.iosxr.iosxr_acls:
    state: gathered

# Task Output (redacted)
# -----------------------
#

# "gathered": [
#    {
#        "acls": [
#            {
#                "aces": [
#                    {
#                        "remark": "TEST_ACL_1_REMARK",
#                        "sequence": 16
#                    },
#                    {
#                        "destination": {
#                            "address": "198.51.100.0",
#                            "wildcard_bits": "0.0.0.15"
#                        },
#                        "grant": "permit",
#                        "protocol": "tcp",
#                        "protocol_options": {
#                            "tcp": {
#                                "rst": true
#                            }
#                        },
#                        "sequence": 21,
#                        "source": {
#                            "host": "192.0.2.10",
#                            "port_protocol": {
#                                "range": {
#                                    "end": "121",
#                                    "start": "pop3"
#                                }
#                            }
#                        }
#                    },
#                    {
#                        "destination": {
#                            "address": "198.51.100.0",
#                            "wildcard_bits": "0.0.0.15"
#                        },
#                        "dscp": {
#                            "lt": "af12"
#                        },
#                        "grant": "deny",
#                        "protocol": "icmp",
#                        "protocol_options": {
#                            "icmp": {
#                                "reassembly_timeout": true
#                            }
#                        },
#                        "sequence": 23,
#                        "source": {
#                            "any": true
#                        }
#                    }
#                ],
#                "name": "acl_1"
#            },
#            {
#                "aces": [
#                    {
#                        "remark": "TEST_ACL_2_REMARK",
#                        "sequence": 10
#                    }
#                ],
#                "name": "acl_2"
#            }
#        ],
#        "afi": "ipv4"
#    },
#    {
#        "acls": [
#            {
#                "aces": [
#                    {
#                        "authen": true,
#                        "destination": {
#                            "any": true
#                        },
#                        "grant": "deny",
#                        "log": true,
#                        "protocol": "tcp",
#                        "protocol_options": {
#                            "tcp": {
#                                "syn": true
#                            }
#                        },
#                        "routing": true,
#                        "sequence": 10,
#                        "source": {
#                            "port_protocol": {
#                                "range": {
#                                   "end": "telnet",
#                                   "start": "ftp"
#                                }
#                            },
#                            "prefix": "2001:db8:1234::/48"
#                        },
#                        "ttl": {
#                            "range": {
#                                "end": 250,
#                                "start": 180
#                            }
#                        }
#                    },
#                    {
#                        "destination": {
#                            "any": true
#                        },
#                        "destopts": true,
#                        "grant": "permit",
#                        "precedence": "network",
#                        "protocol": "icmpv6",
#                        "protocol_options": {
#                            "icmpv6": {
#                                "router_advertisement": true
#                            }
#                        },
#                        "sequence": 20,
#                        "source": {
#                            "any": true
#                        }
#                    }
#                ],
#                "name": "acl6_1"
#            }
#        ],
#        "afi": "ipv6"
#    }
#  ]

# Using rendered

- name: Render platform specific commands (without connecting to the device)
  cisco.iosxr.iosxr_acls:
    config:
    - afi: ipv4
      acls:
      - name: acl_2
        aces:
        - sequence: 11
          grant: permit
          protocol: igmp
          source:
            host: 198.51.100.130
          destination:
            any: true
          ttl:
            eq: 100

        - sequence: 12
          grant: deny
          source:
            any: true
          destination:
            any: true
          protocol: icmp
    state: rendered

# Task Output (redacted)
# -----------------------

# "rendered": [
#    "ipv4 access-list acl_2",
#    "11 permit igmp host 198.51.100.130 any ttl eq 100",
#    "12 deny icmp any any"

# Using parsed

# parsed.cfg
# ------------
#
# ipv4 access-list acl_1
#  10 remark TEST_ACL_2_REMARK
# ipv4 access-list acl_2
#  11 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log
#  21 permit icmpv6 any any router-advertisement precedence network packet-length eq 576 destopts
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network packet-length eq 576 destopts

- name: Parse externally provided ACL config to agnostic model
  cisco.iosxr.iosxr_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed

# Task Output (redacted)
# -----------------------
#  "parsed": [
#        {
#            "acls": [
#                {
#                    "aces": [
#                      {
#                            "remark": "TEST_ACL_2_REMARK",
#                            "sequence": 10
#                        }
#                    ],
#                   "name": "acl_1"
#                },
#                {
#                    "aces": [
#                        {
#                            "authen": true,
#                            "destination": {
#                                "any": true
#                            },
#                            "grant": "deny",
#                            "log": true,
#                            "protocol": "tcp",
#                            "protocol_options": {
#                                "tcp": {
#                                    "syn": true
#                                }
#                            },
#                            "routing": true,
#                            "sequence": 11,
#                            "source": {
#                                "port_protocol": {
#                                    "range": {
#                                        "end": "telnet",
#                                        "start": "ftp"
#                                    }
#                                },
#                                "prefix": "2001:db8:1234::/48"
#                            },
#                            "ttl": {
#                                "range": {
#                                    "end": 250,
#                                    "start": 180
#                                }
#                            }
#                        },
#                        {
#                            "destination": {
#                                "any": true
#                            },
#                            "destopts": true,
#                            "grant": "permit",
#                            "packet_length": {
#                                "eq": 576
#                            },
#                            "precedence": "network",
#                            "protocol": "icmpv6",
#                            "protocol_options": {
#                                "icmpv6": {
#                                    "router_advertisement": true
#                                }
#                            },
#                            "sequence": 21,
#                            "source": {
#                                "any": true
#                            }
#                        }
#                    ],
#                    "name": "acl_2"
#                }
#            ],
#            "afi": "ipv4"
#        },
#        {
#            "acls": [
#                {
#                    "aces": [
#                        {
#                            "authen": true,
#                            "destination": {
#                                "any": true
#                            },
#                            "grant": "deny",
#                            "log": true,
#                            "protocol": "tcp",
#                            "protocol_options": {
#                                "tcp": {
#                                    "syn": true
#                                }
#                            },
#                            "routing": true,
#                            "sequence": 10,
#                            "source": {
#                                "port_protocol": {
#                                    "range": {
#                                        "end": "telnet",
#                                        "start": "ftp"
#                                    }
#                                },
#                                "prefix": "2001:db8:1234::/48"
#                            },
#                            "ttl": {
#                                "range": {
#                                    "end": 250,
#                                    "start": 180
#                                }
#                            }
#                        },
#                        {
#                            "destination": {
#                                "any": true
#                            },
#                            "destopts": true,
#                            "grant": "permit",
#                            "packet_length": {
#                                "eq": 576
#                            },
#                            "precedence": "network",
#                            "protocol": "icmpv6",
#                            "protocol_options": {
#                                "icmpv6": {
#                                    "router_advertisement": true
#                                }
#                            },
#                            "sequence": 20,
#                            "source": {
#                                "any": true
#                            }
#                        }
#                    ],
#                    "name": "acl6_1"
#                }
#            ],
#            "afi": "ipv6"
#        }
#    ]

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
after
list / elements=string
when changed
The resulting configuration model invocation.

Sample:
The configuration returned will always be in the same format of the parameters above.
before
list / elements=string
always
The configuration prior to the model invocation.

Sample:
The configuration returned will always be in the same format of the parameters above.
commands
list / elements=string
always
The set of commands pushed to the remote device.

Sample:
['ipv6 access-list acl6_1', '10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log', '20 permit icmpv6 any any router-advertisement precedence network destopts', 'ipv4 access-list acl_1', '16 remark TEST_ACL_1_REMARK', '21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst', '23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12']


Authors

  • Nilashish Chakraborty (@NilashishC)