arista.eos.eos_acls – ACLs resource module
Note
This plugin is part of the arista.eos collection (version 1.3.0).
To install it use: ansible-galaxy collection install arista.eos.
To use it in a playbook, specify: arista.eos.eos_acls.
New in version 1.0.0: of arista.eos
Synopsis
- This module manages the IP access-list attributes of Arista EOS interfaces.
Note
This module has a corresponding action plugin.
Parameters
| Parameter | Choices/Defaults | Comments | ||||||
|---|---|---|---|---|---|---|---|---|
| config list / elements=dictionary | A dictionary of IP access-list options | |||||||
| acls list / elements=dictionary | A list of Access Control Lists (ACL). | |||||||
| aces list / elements=dictionary | Filtering data | |||||||
| destination dictionary | The packet's destination address | |||||||
| address string | dotted decimal notation of IP address | |||||||
| any boolean |
| Rule matches all source addresses | ||||||
| host string | Host IP address | |||||||
| port_protocol dictionary | Specify dest port/protocol, along with operator . (comes with tcp/udp). | |||||||
| subnet_address string | A subnet address | |||||||
| wildcard_bits string | Source wildcard bits | |||||||
| fragment_rules boolean |
| Add fragment rules | ||||||
| fragments boolean |
| Match non-head fragment packets | ||||||
| grant string |
| Action to be applied on the rule | ||||||
| hop_limit dictionary | Hop limit value. | |||||||
| line string | For fact gathering, any ACE that is not fully parsed, while show up as a value of this attribute. aliases: ace | |||||||
| log boolean |
| Log matches against this rule | ||||||
| protocol string | Specify the protocol to match. Refer to vendor documentation for valid values. | |||||||
| protocol_options dictionary | All the possible sub options for the protocol chosen. | |||||||
| icmp dictionary | Internet Control Message Protocol settings. | |||||||
| administratively_prohibited boolean |
| Administratively prohibited | ||||||
| alternate_address boolean |
| Alternate address | ||||||
| conversion_error boolean |
| Datagram conversion | ||||||
| dod_host_prohibited boolean |
| Host prohibited | ||||||
| dod_net_prohibited boolean |
| Net prohibited | ||||||
| echo boolean |
| Echo (ping) | ||||||
| echo_reply boolean |
| Echo reply | ||||||
| general_parameter_problem boolean |
| Parameter problem | ||||||
| host_isolated boolean |
| Host isolated | ||||||
| host_precedence_unreachable boolean |
| Host unreachable for precedence | ||||||
| host_redirect boolean |
| Host redirect | ||||||
| host_tos_redirect boolean |
| Host redirect for TOS | ||||||
| host_tos_unreachable boolean |
| Host unreachable for TOS | ||||||
| host_unknown boolean |
| Host unknown | ||||||
| host_unreachable boolean |
| Host unreachable | ||||||
| information_reply boolean |
| Information replies | ||||||
| information_request boolean |
| Information requests | ||||||
| mask_reply boolean |
| Mask replies | ||||||
| mask_request boolean |
| Mask requests | ||||||
| message_code integer | ICMP message code | |||||||
| message_num integer | icmp msg type number. | |||||||
| message_type integer | ICMP message type | |||||||
| mobile_redirect boolean |
| Mobile host redirect | ||||||
| net_redirect boolean |
| Network redirect | ||||||
| net_tos_redirect boolean |
| Net redirect for TOS | ||||||
| net_tos_unreachable boolean |
| Network unreachable for TOS | ||||||
| net_unreachable boolean |
| Net unreachable | ||||||
| network_unknown boolean |
| Network unknown | ||||||
| no_room_for_option boolean |
| Parameter required but no room | ||||||
| option_missing boolean |
| Parameter required but not present | ||||||
| packet_too_big boolean |
| Fragmentation needed and DF set | ||||||
| parameter_problem boolean |
| All parameter problems | ||||||
| port_unreachable boolean |
| Port unreachable | ||||||
| precedence_unreachable boolean |
| Precedence cutoff | ||||||
| protocol_unreachable boolean |
| Protocol unreachable | ||||||
| reassembly_timeout boolean |
| Reassembly timeout | ||||||
| redirect boolean |
| All redirects | ||||||
| router_advertisement boolean |
| Router discovery advertisements | ||||||
| router_solicitation boolean |
| Router discovery solicitations | ||||||
| source_quench boolean |
| Source quenches | ||||||
| source_route_failed boolean |
| Source route failed | ||||||
| time_exceeded boolean |
| All time exceededs | ||||||
| timestamp_reply boolean |
| Timestamp replies | ||||||
| timestamp_request boolean |
| Timestamp requests | ||||||
| traceroute boolean |
| Traceroute | ||||||
| ttl_exceeded boolean |
| TTL exceeded | ||||||
| unreachable boolean |
| All unreachables | ||||||
| icmpv6 dictionary | Options for icmpv6. | |||||||
| address_unreachable boolean |
| address unreachable | ||||||
| beyond_scope boolean |
| beyond_scope | ||||||
| echo_reply boolean |
| echo_reply | ||||||
| echo_request boolean |
| echo reques | ||||||
| erroneous_header boolean |
| erroneous header | ||||||
| fragment_reassembly_exceeded boolean |
| fragment_reassembly_exceeded | ||||||
| hop_limit_exceeded boolean |
| hop limit exceeded | ||||||
| neighbor_advertisement boolean |
| neighbor advertisement | ||||||
| neighbor_solicitation boolean |
| neighbor_solicitation | ||||||
| no_admin boolean |
| no admin | ||||||
| no_route boolean |
| no route | ||||||
| packet_too_big boolean |
| packet too big | ||||||
| parameter_problem boolean |
| parameter problem | ||||||
| port_unreachable boolean |
| port unreachable | ||||||
| redirect_message boolean |
| redirect message | ||||||
| reject_route boolean |
| reject route | ||||||
| router_advertisement boolean |
| router_advertisement | ||||||
| router_solicitation boolean |
| router_solicitation | ||||||
| source_address_failed boolean |
| source_address_failed | ||||||
| source_routing_error boolean |
| source_routing_error | ||||||
| time_exceeded boolean |
| time_exceeded | ||||||
| unreachable boolean |
| unreachable | ||||||
| unrecognized_ipv6_option boolean |
| unrecognized_ipv6_option | ||||||
| unrecognized_next_header boolean |
| unrecognized_next_header | ||||||
| ip dictionary | Internet Protocol. | |||||||
| nexthop_group string | Nexthop-group name. | |||||||
| ipv6 dictionary | Internet V6 Protocol. | |||||||
| nexthop_group string | Nexthop-group name. | |||||||
| tcp dictionary | Options for tcp protocol. | |||||||
| flags dictionary | Match TCP packet flags | |||||||
| ack boolean |
| Match on the ACK bit | ||||||
| established boolean |
| Match established connections | ||||||
| fin boolean |
| Match on the FIN bit | ||||||
| psh boolean |
| Match on the PSH bit | ||||||
| rst boolean |
| Match on the RST bit | ||||||
| syn boolean |
| Match on the SYN bit | ||||||
| urg boolean |
| Match on the URG bit | ||||||
| remark string | Specify a comment | |||||||
| sequence integer | sequence number for the ordered list of rules | |||||||
| source dictionary | The packet's source address | |||||||
| address string | dotted decimal notation of IP address | |||||||
| any boolean |
| Rule matches all source addresses | ||||||
| host string | Host IP address | |||||||
| port_protocol dictionary | Specify source port/protocoli, along with operator. (comes with tcp/udp). | |||||||
| subnet_address string | A subnet address | |||||||
| wildcard_bits string | Source wildcard bits | |||||||
| tracked boolean |
| Match packets in existing ICMP/UDP/TCP connections | ||||||
| ttl dictionary | Compares the TTL (time-to-live) value in the packet to a specified value | |||||||
| eq integer | Match a single TTL value | |||||||
| gt integer | Match TTL greater than this number | |||||||
| lt integer | Match TTL lesser than this number | |||||||
| neq integer | Match TTL not equal to this value | |||||||
| vlan string | Vlan options | |||||||
| name string / required | Name of the acl-list | |||||||
| standard boolean |
| standard access-list or not | ||||||
| afi string / required |
| The Address Family Indicator (AFI) for the Access Control Lists (ACL). | ||||||
| running_config string | This option is used only with state parsed. The value of this option should be the output received from the EOS device by executing the command show running-config | section access-list. The state parsed reads the configuration from running_config option and transforms it into Ansible structured data as per the resource module's argspec and the value is then returned in the parsed key within the result. | |||||||
| state string |
| The state the configuration should be left in. | ||||||
Notes
Note
- Tested against Arista vEOS v4.20.10M
Examples
# Using merged
# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 40 permit ip any any
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
- name: Merge provided configuration with device configuration
arista.eos.eos_acls:
config:
- afi: ipv4
acls:
- name: test1
aces:
- sequence: 35
grant: deny
protocol: ospf
source:
subnet_address: 20.0.0.0/8
destnation:
any: true
state: merged
# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 35 deny ospf 20.0.0.0/8 any
# 40 permit ip any any
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
# Using merged
# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 40 permit ip any any
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
- name: Merge to update the given configuration with an existing ace
arista.eos.eos_acls:
config:
- afi: ipv4
acls:
- name: test1
aces:
- sequence: 35
log: true
ttl:
eq: 33
state: merged
# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 35 deny ospf 20.0.0.0/8 any ttl eq 33 log
# 40 permit ip any any
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
# Using replaced
# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 40 permit ip any any
# !
# ip access-list test3
# 10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
- name: Replace device configuration with provided configuration
arista.eos.eos_acls:
config:
- afi: ipv4
acls:
- name: test1
aces:
- sequence: 35
grant: permit
protocol: ospf
source:
subnet_address: 20.0.0.0/8
destination:
any: true
state: replaced
# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
# 35 permit ospf 20.0.0.0/8 any
# !
# ip access-list test3
# 10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
# Using overridden
# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 40 permit ip any any
# !
# ip access-list test3
# 10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
- name: override device configuration with provided configuration
arista.eos.eos_acls:
config:
- afi: ipv4
acls:
- name: test1
aces:
- sequence: 35
action: permit
protocol: ospf
source:
subnet_address: 20.0.0.0/8
destination:
any: true
state: overridden
# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
# 35 permit ospf 20.0.0.0/8 any
# !
# Using deleted:
# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 40 permit ip any any
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
# !
- name: Delete provided configuration
arista.eos.eos_acls:
config:
- afi: ipv4
state: deleted
# After state:
# ------------
#
# show running-config | section access-list
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
# 10 permit ip 10.10.10.0/24 any ttl eq 200
# 20 permit ip 10.30.10.0/24 host 10.20.10.1
# 30 deny tcp host 10.10.20.1 eq finger www any syn log
# 40 permit ip any any
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
# !
- name: Delete provided configuration
arista.eos.eos_acls:
config:
- afi: ipv4
acls:
- name: test1
state: deleted
# After state:
# ------------
#
# show running-config | section access-list
# ipv6 access-list test2
# 10 deny icmpv6 any any reject-route hop-limit eq 20
# using gathered
# ip access-list test1
# 35 deny ospf 20.0.0.0/8 any
# ip access-list test2
# 40 permit vlan 55 0xE2 icmpv6 any any log
- name: Gather the exisitng condiguration
arista.eos.eos_acls:
state: gathered
# returns:
# arista.eos.eos_acls:
# config:
# - afi: "ipv4"
# acls:
# - name: test1
# aces:
# - sequence: 35
# grant: "deny"
# protocol: "ospf"
# source:
# subnet_address: 20.0.0.0/8
# destination:
# any: true
# - afi: "ipv6"
# acls:
# - name: test2
# aces:
# - sequence: 40
# grant: "permit"
# vlan: "55 0xE2"
# protocol: "icmpv6"
# log: true
# source:
# any: true
# destination:
# any: true
# using rendered
- name: Delete provided configuration
arista.eos.eos_acls:
config:
- afi: ipv4
acls:
- name: test1
aces:
- sequence: 35
grant: deny
protocol: ospf
source:
subnet_address: 20.0.0.0/8
destination:
any: true
- afi: ipv6
acls:
- name: test2
aces:
- sequence: 40
grant: permit
vlan: 55 0xE2
protocol: icmpv6
log: true
source:
any: true
destination:
any: true
state: rendered
# returns:
# ip access-list test1
# 35 deny ospf 20.0.0.0/8 any
# ip access-list test2
# 40 permit vlan 55 0xE2 icmpv6 any any log
# Using Parsed
# parsed_acls.cfg
# ipv6 access-list standard test2
# 10 permit any log
# !
# ip access-list test1
# 35 deny ospf 20.0.0.0/8 any
# 45 remark Run by ansible
# 55 permit tcp any any
# !
- name: parse configs
arista.eos.eos_acls:
running_config: "{{ lookup('file', './parsed_acls.cfg') }}"
state: parsed
# returns
# "parsed": [
# {
# "acls": [
# {
# "aces": [
# {
# "destination": {
# "any": true
# },
# "grant": "deny",
# "protocol": "ospf",
# "sequence": 35,
# "source": {
# "subnet_address": "20.0.0.0/8"
# }
# },
# {
# "remark": "Run by ansible",
# "sequence": 45
# },
# {
# "destination": {
# "any": true
# },
# "grant": "permit",
# "protocol": "tcp",
# "sequence": 55,
# "source": {
# "any": true
# }
# }
# ],
# "name": "test1"
# }
# ],
# "afi": "ipv4"
# },
# {
# "acls": [
# {
# "aces": [
# {
# "grant": "permit",
# "log": true,
# "sequence": 10,
# "source": {
# "any": true
# }
# }
# ],
# "name": "test2",
# "standard": true
# }
# ],
# "afi": "ipv6"
# }
# ]
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| after list / elements=string | when changed | The resulting configuration model invocation. Sample: The configuration returned will always be in the same format of the parameters above. |
| before list / elements=string | always | The configuration prior to the model invocation. Sample: The configuration returned will always be in the same format of the parameters above. |
| commands list / elements=string | always | The set of commands pushed to the remote device. Sample: ['ipv6 access-list standard test2', '10 permit any log', 'ip access-list test1', '35 deny ospf 20.0.0.0/8 any', '45 remark Run by ansible', '55 permit tcp any any'] |
Authors
- Gomathiselvi S (@GomathiselviS)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/arista/eos/eos_acls_module.html