dellemc.enterprise_sonic.sonic_acl_interfaces module – Manage access control list (ACL) to interface binding on SONiC
Note
This module is part of the dellemc.enterprise_sonic collection (version 3.0.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic.
To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_acl_interfaces.
New in dellemc.enterprise_sonic 2.1.0
Synopsis
- This module provides configuration management of applying access control lists (ACL) to interfaces in devices running SONiC. 
- ACL needs to be created earlier in the device. 
Parameters
| Parameter | Comments | 
|---|---|
| Specifies interface access-group configurations. | |
| Access-group configurations to be set for the interface. | |
| List of ACLs for the given type. | |
| Specifies the direction of the packets that the ACL will be applied on. Choices: 
 | |
| Name of the ACL to be applied on the interface. | |
| Type of the ACLs to be applied on the interface. Choices: 
 | |
| Full name of the interface, i.e. Eth1/1. | |
| The state of the configuration after module completion. merged - Merges provided interface access-group configuration with on-device configuration. replaced - Replaces on-device access-group configuration of the specified interfaces with provided configuration. overridden - Overrides all on-device interface access-group configurations with the provided configuration. deleted - Deletes on-device interface access-group configuration. Choices: 
 | 
Notes
Note
- Supports - check_mode.
Examples
# Using merged
#
# Before State:
# -------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# sonic#
  - name: Merge provided interface access-group configurations
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      config:
        - name: 'Eth1/1'
          access_groups:
            - type: 'mac'
              acls:
                - name: 'mac-acl-1'
                  direction: 'in'
                - name: 'mac-acl-2'
                  direction: 'out'
            - type: 'ipv6'
              acls:
                - name: 'ipv6-acl-2'
                  direction: 'out'
        - name: 'Eth1/2'
          access_groups:
            - type: 'ipv4'
              acls:
                - name: 'ip-acl-1'
                  direction: 'in'
      state: merged
# After State:
# ------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Ingress IP access-list ip-acl-1 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# sonic#
# Using replaced
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Ingress IP access-list ip-acl-1 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# sonic#
  - name: Replace device access-group configuration of specified interfaces with provided configuration
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      config:
        - name: 'Eth1/2'
          access_groups:
            - type: 'ipv6'
              acls:
                - name: 'ipv6-acl-2'
                  direction: 'out'
        - name: 'Eth1/3'
          access_groups:
            - type: 'ipv4'
              acls:
                - name: 'ip-acl-2'
                  direction: 'out'
      state: replaced
# After State:
# ------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#
# Using overridden
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#
  - name: Override all interfaces access-group device configuration with provided configuration
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      config:
        - name: 'Eth1/1'
          access_groups:
            - type: 'ip'
              acls:
                - name: 'ip-acl-2'
                  direction: 'out'
        - name: 'Eth1/2'
          access_groups:
            - type: 'ip'
              acls:
                - name: 'ip-acl-2'
                  direction: 'out'
      state: overridden
# After State:
# ------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/1
# Egress IP access-list ip-acl-2 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# sonic#
# Using deleted
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#
  - name: Delete specified interfaces access-group configurations
    dellemc.enterprise_sonic.sonic_l2_acls:
      config:
        - name: 'Eth1/1'
          access_groups:
            - type: 'mac'
              acls:
                - name: 'mac-acl-1'
                  direction: 'in'
            - type: 'ipv6'
        - name: 'Eth1/2'
      state: deleted
# After State:
# ------------
#
# sonic# show mac access-group
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# sonic#
# Using deleted
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#
  - name: Delete all interface access-group configurations
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      config:
      state: deleted
# After State:
# ------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# sonic#
# sonic# show ipv6 access-group
# sonic#
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Description | 
|---|---|
| The resulting configuration module invocation. Returned: when changed Sample:  | |
| The generated configuration module invocation. Returned: when  Sample:  | |
| The configuration prior to the module invocation. Returned: always Sample:  | |
| The set of commands pushed to the remote device. Returned: always Sample:  | 
