arista.eos.eos_acls – ACLs resource module
Note
This plugin is part of the arista.eos collection (version 2.2.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install arista.eos.
To use it in a playbook, specify: arista.eos.eos_acls.
New in version 1.0.0 of arista.eos
Synopsis
- This module manages the IP access-list attributes of Arista EOS interfaces.
Note
This module has a corresponding action plugin.
Parameters
Parameter | Choices/Defaults | Comments
---|---|---
config list / elements=dictionary | | A dictionary of IP access-list options
acls list / elements=dictionary | | A list of Access Control Lists (ACL).
aces list / elements=dictionary | | Filtering data
destination dictionary | | The packet's destination address
address string | | Dotted decimal notation of IP address
any boolean | | Rule matches all destination addresses
host string | | Host IP address
port_protocol dictionary | | Specify destination port/protocol, along with operator (tcp/udp only).
subnet_address string | | A subnet address
wildcard_bits string | | Destination wildcard bits
fragment_rules boolean | | Add fragment rules
fragments boolean | | Match non-head fragment packets
grant string | | Action to be applied on the rule
hop_limit dictionary | | Hop limit value.
line string | | For fact gathering, any ACE that is not fully parsed will show up as the value of this attribute. aliases: ace
log boolean | | Log matches against this rule
protocol string | | Specify the protocol to match. Refer to vendor documentation for valid values.
protocol_options dictionary | | All the possible sub options for the protocol chosen.
icmp dictionary | | Internet Control Message Protocol settings.
administratively_prohibited boolean | | Administratively prohibited
alternate_address boolean | | Alternate address
conversion_error boolean | | Datagram conversion
dod_host_prohibited boolean | | Host prohibited
dod_net_prohibited boolean | | Net prohibited
echo boolean | | Echo (ping)
echo_reply boolean | | Echo reply
general_parameter_problem boolean | | Parameter problem
host_isolated boolean | | Host isolated
host_precedence_unreachable boolean | | Host unreachable for precedence
host_redirect boolean | | Host redirect
host_tos_redirect boolean | | Host redirect for TOS
host_tos_unreachable boolean | | Host unreachable for TOS
host_unknown boolean | | Host unknown
host_unreachable boolean | | Host unreachable
information_reply boolean | | Information replies
information_request boolean | | Information requests
mask_reply boolean | | Mask replies
mask_request boolean | | Mask requests
message_code integer | | ICMP message code
message_num integer | | ICMP message type number.
message_type integer | | ICMP message type
mobile_redirect boolean | | Mobile host redirect
net_redirect boolean | | Network redirect
net_tos_redirect boolean | | Net redirect for TOS
net_tos_unreachable boolean | | Network unreachable for TOS
net_unreachable boolean | | Net unreachable
network_unknown boolean | | Network unknown
no_room_for_option boolean | | Parameter required but no room
option_missing boolean | | Parameter required but not present
packet_too_big boolean | | Fragmentation needed and DF set
parameter_problem boolean | | All parameter problems
port_unreachable boolean | | Port unreachable
precedence_unreachable boolean | | Precedence cutoff
protocol_unreachable boolean | | Protocol unreachable
reassembly_timeout boolean | | Reassembly timeout
redirect boolean | | All redirects
router_advertisement boolean | | Router discovery advertisements
router_solicitation boolean | | Router discovery solicitations
source_quench boolean | | Source quenches
source_route_failed boolean | | Source route failed
time_exceeded boolean | | All time exceededs
timestamp_reply boolean | | Timestamp replies
timestamp_request boolean | | Timestamp requests
traceroute boolean | | Traceroute
ttl_exceeded boolean | | TTL exceeded
unreachable boolean | | All unreachables
icmpv6 dictionary | | Options for icmpv6.
address_unreachable boolean | | Address unreachable
beyond_scope boolean | | Beyond scope
echo_reply boolean | | Echo reply
echo_request boolean | | Echo request
erroneous_header boolean | | Erroneous header
fragment_reassembly_exceeded boolean | | Fragment reassembly exceeded
hop_limit_exceeded boolean | | Hop limit exceeded
neighbor_advertisement boolean | | Neighbor advertisement
neighbor_solicitation boolean | | Neighbor solicitation
no_admin boolean | | No admin
no_route boolean | | No route
packet_too_big boolean | | Packet too big
parameter_problem boolean | | Parameter problem
port_unreachable boolean | | Port unreachable
redirect_message boolean | | Redirect message
reject_route boolean | | Reject route
router_advertisement boolean | | Router advertisement
router_solicitation boolean | | Router solicitation
source_address_failed boolean | | Source address failed
source_routing_error boolean | | Source routing error
time_exceeded boolean | | Time exceeded
unreachable boolean | | Unreachable
unrecognized_ipv6_option boolean | | Unrecognized IPv6 option
unrecognized_next_header boolean | | Unrecognized next header
ip dictionary | | Internet Protocol.
nexthop_group string | | Nexthop-group name.
ipv6 dictionary | | Internet Protocol version 6.
nexthop_group string | | Nexthop-group name.
tcp dictionary | | Options for tcp protocol.
flags dictionary | | Match TCP packet flags
ack boolean | | Match on the ACK bit
established boolean | | Match established connections
fin boolean | | Match on the FIN bit
psh boolean | | Match on the PSH bit
rst boolean | | Match on the RST bit
syn boolean | | Match on the SYN bit
urg boolean | | Match on the URG bit
remark string | | Specify a comment
sequence integer | | Sequence number for the ordered list of rules
source dictionary | | The packet's source address
address string | | Dotted decimal notation of IP address
any boolean | | Rule matches all source addresses
host string | | Host IP address
port_protocol dictionary | | Specify source port/protocol, along with operator (tcp/udp only).
subnet_address string | | A subnet address
wildcard_bits string | | Source wildcard bits
tracked boolean | | Match packets in existing ICMP/UDP/TCP connections
ttl dictionary | | Compares the TTL (time-to-live) value in the packet to a specified value
eq integer | | Match a single TTL value
gt integer | | Match TTL greater than this number
lt integer | | Match TTL less than this number
neq integer | | Match TTL not equal to this value
vlan string | | VLAN options
name string / required | | Name of the access-list
standard boolean | | Whether this is a standard access-list
afi string / required | | The Address Family Indicator (AFI) for the Access Control Lists (ACL).
running_config string | | This option is used only with state parsed. The value of this option should be the output received from the EOS device by executing the command show running-config \| section access-list. The state parsed reads the configuration from the running_config option and transforms it into Ansible structured data as per the resource module's argspec; the value is then returned in the parsed key within the result.
state string | | The state the configuration should be left in.
Notes
- Tested against Arista vEOS v4.20.10M
Examples
```yaml
# Using merged

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge provided configuration with device configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: deny
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: merged

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Using merged

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge to update the given configuration with an existing ace
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                log: true
                ttl:
                  eq: 33
    state: merged

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any ttl eq 33 log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Using replaced

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Replace device configuration with provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: permit
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: replaced

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Using overridden

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Override device configuration with provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: permit
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: overridden

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !

# Using deleted

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
# !

- name: Delete provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
    state: deleted

# After state:
# ------------
#
# show running-config | section access-list
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20
# !

- name: Delete provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
    state: deleted

# After state:
# ------------
#
# show running-config | section access-list
# ipv6 access-list test2
#    10 deny icmpv6 any any reject-route hop-limit eq 20

# Using gathered

# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ip access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log

- name: Gather the existing configuration
  arista.eos.eos_acls:
    state: gathered

# returns:
# arista.eos.eos_acls:
#   config:
#     - afi: "ipv4"
#       acls:
#         - name: test1
#           aces:
#             - sequence: 35
#               grant: "deny"
#               protocol: "ospf"
#               source:
#                 subnet_address: 20.0.0.0/8
#               destination:
#                 any: true
#     - afi: "ipv6"
#       acls:
#         - name: test2
#           aces:
#             - sequence: 40
#               grant: "permit"
#               vlan: "55 0xE2"
#               protocol: "icmpv6"
#               log: true
#               source:
#                 any: true
#               destination:
#                 any: true

# Using rendered

- name: Render the provided configuration as device commands
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: deny
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
      - afi: ipv6
        acls:
          - name: test2
            aces:
              - sequence: 40
                grant: permit
                vlan: 55 0xE2
                protocol: icmpv6
                log: true
                source:
                  any: true
                destination:
                  any: true
    state: rendered

# returns:
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ip access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log

# Using parsed

# parsed_acls.cfg
# ipv6 access-list standard test2
#    10 permit any log
# !
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
#    45 remark Run by ansible
#    55 permit tcp any any
# !

- name: Parse configs
  arista.eos.eos_acls:
    running_config: "{{ lookup('file', './parsed_acls.cfg') }}"
    state: parsed

# returns
# "parsed": [
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "destination": {
#               "any": true
#             },
#             "grant": "deny",
#             "protocol": "ospf",
#             "sequence": 35,
#             "source": {
#               "subnet_address": "20.0.0.0/8"
#             }
#           },
#           {
#             "remark": "Run by ansible",
#             "sequence": 45
#           },
#           {
#             "destination": {
#               "any": true
#             },
#             "grant": "permit",
#             "protocol": "tcp",
#             "sequence": 55,
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "name": "test1"
#       }
#     ],
#     "afi": "ipv4"
#   },
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "grant": "permit",
#             "log": true,
#             "sequence": 10,
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "name": "test2",
#         "standard": true
#       }
#     ],
#     "afi": "ipv6"
#   }
# ]
```
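The parsed state above turns `show running-config | section access-list` text into the module's argspec structure. As an added example that is not part of the collection or this page, the Python below performs the same transform on a constructed config in the layout of parsed_acls.cfg and then audits the result for permit ACEs that match any source and any destination; the function names, the always-present `standard` key and the audit check are this example's own choices, not the module's behaviour.

```python
# Constructed sample in the layout of the page's parsed_acls.cfg; not output from a real device.
SAMPLE_CONFIG = """\
ipv6 access-list standard test2
   10 permit any log
!
ip access-list test1
   35 deny ospf 20.0.0.0/8 any
   45 remark Run by ansible
   55 permit tcp any any
"""


def _take_address(words: list[str]) -> dict:
    # Consume one address in the module's argspec form: any | host A.B.C.D | A.B.C.D/N
    tok = words.pop(0)
    if tok == "host":
        return {"host": words.pop(0)}
    return {"any": True} if tok == "any" else {"subnet_address": tok}


def parse_acls(text: str) -> list[dict]:
    # Builds the shape of the module's `parsed` key (afi -> acls -> aces); only
    # grant/protocol/source/destination/log/remark are modelled, `standard` is always emitted.
    by_afi: dict[str, list[dict]] = {}
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if len(words) > 1 and words[1] == "access-list":   # "ip|ipv6 access-list [standard] NAME"
            acl = {"name": words[-1], "aces": [], "standard": "standard" in words}
            by_afi.setdefault("ipv4" if words[0] == "ip" else "ipv6", []).append(acl)
            continue
        seq, kind, *words = words
        if kind == "remark":
            acl["aces"].append({"sequence": int(seq), "remark": " ".join(words)})
            continue
        ace = {"sequence": int(seq), "grant": kind}
        if not acl["standard"]:                   # extended ACE: protocol source destination
            ace["protocol"] = words.pop(0)
        ace["source"] = _take_address(words)
        if not acl["standard"]:
            ace["destination"] = _take_address(words)
        if "log" in words:                        # other trailing options (ttl, flags) are skipped
            ace["log"] = True
        acl["aces"].append(ace)
    return [{"afi": afi, "acls": acls} for afi, acls in by_afi.items()]


def permissive_aces(parsed: list[dict]) -> list[str]:
    # Audit check: permit ACEs matching any source and any destination, e.g. "permit ip any any".
    return [f"{acl['name']} seq {ace['sequence']}"
            for entry in parsed for acl in entry["acls"] for ace in acl["aces"]
            if ace.get("grant") == "permit" and ace.get("source", {}).get("any")
            and ace.get("destination", {}).get("any")]
```

Running `permissive_aces(parse_acls(SAMPLE_CONFIG))` on the constructed sample reports only `test1 seq 55`; the standard IPv6 ACE has no destination and is not flagged.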
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description
---|---|---
after list / elements=string | when changed | The resulting configuration model invocation. Sample: The configuration returned will always be in the same format as the parameters above.
before list / elements=string | always | The configuration prior to the model invocation. Sample: The configuration returned will always be in the same format as the parameters above.
commands list / elements=string | always | The set of commands pushed to the remote device. Sample: ['ipv6 access-list standard test2', '10 permit any log', 'ip access-list test1', '35 deny ospf 20.0.0.0/8 any', '45 remark Run by ansible', '55 permit tcp any any']
Authors
- Gomathiselvi S (@GomathiselviS)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/arista/eos/eos_acls_module.html