NxosAcls() generates Ansible task instances conforming to cisco.nxos.nxos_acls. These task instances can then be passed to Playbook().add_task().
- See TODO
- 20210627: Add handling for port_protocol range start/end
- 20210627: Improve handling for port_protocol
- 20200104: Add verification for address properties
- 20200104: Add verification for wildcard_bits properties
Method | Description |
---|---|
add_ace() | Add an access control entry (ACE), built from the currently-set ACE properties, to the task's list() of ipv4 or ipv6 ACEs. - Type: function() - Example: See add_acl() |
add_acl() | Add all currently-set access control entries (ACEs) to an access control list (ACL). - Type: function() - Example: See the add_acl() example below |
commit() | Perform final verification and commit the current task. - Type: function() - Alias: update() - Example: See add_acl() |

add_acl() example (a remark-only ACE at sequence 5, followed by a permit ACE at sequence 10, added to ACL IPv4_ACL and committed as a merged-state task):

```python
pb = Playbook(log)
pb.profile_nxos()
pb.ansible_password = 'mypassword'
pb.file = '/tmp/nxos_acls.yaml'
pb.name = 'nxos_acls play'
pb.add_host('dc-101')

task = NxosAcls(log)
# ACE 5: remark only
task.remark = 'example ipv4 acl'
task.sequence = 5
task.add_ace()
# ACE 10: permit ip, matched on dscp and source/destination address + wildcard bits
task.afi = 'ipv4'
task.grant = 'permit'
task.protocol = 'ip'
task.sequence = 10
task.dscp = 'af31'
task.destination_address = '1.2.2.2'
task.destination_wildcard_bits = '0.0.255.255'
task.source_address = '1.1.1.1'
task.source_wildcard_bits = '0.0.0.255'
task.add_ace()
# Collect the ACEs into the ACL and commit the task
task.name = 'IPv4_ACL'
task.add_acl()
task.state = 'merged'
task.commit()

pb.add_task(task)
pb.append_playbook()
pb.write_playbook()
```
Property (aces) | Description |
---|---|
destination_address | Destination network address: - Type: str() - Valid values: ipv4 or ipv6 network - Examples: task.destination_address = '1.1.1.0/24' task.destination_address = '2011:a::0/120' |
destination_any | Any destination address: - Type: bool() - Valid values: - False - True - Example: task.destination_any = False |
destination_host | Destination host IP address: - Type: str() - Valid values: - ipv4 address - ipv6 address - Examples: task.destination_host = '1.1.1.2' task.destination_host = '2011:a::2' |
destination_port_eq | Match on a specific destination port number: - Type: int() - Valid values: - range: 0-65535 - Examples: task.destination_port_eq = 80 task.destination_port_eq = 8088 |
destination_port_gt | Match destination port numbers greater than provided value: - Type: int() - Valid values: - range: 0-65535 - Examples: task.destination_port_gt = 80 task.destination_port_gt = 8088 |
destination_port_lt | Match destination port numbers less than provided value: - Type: int() - Valid values: - range: 0-65535 - Examples: task.destination_port_lt = 80 task.destination_port_lt = 8088 |
destination_port_neq | Match destination port numbers not equal to provided value: - Type: int() - Valid values: - range: 0-65535 - Examples: task.destination_port_neq = 80 task.destination_port_neq = 8088 |
destination_port_range_end | Match destination port numbers within a range, where value is the end of the range: - Type: int() - Valid values: - range: 0-65535 - Example: task.destination_port_range_end = 8088 |
destination_port_range_start | Match destination port numbers within a range, where value is the start of the range: - Type: int() - Valid values: - range: 0-65535 - Example: task.destination_port_range_start = 8000 |
destination_prefix | Destination network prefix. Destination prefixes of 32 (ipv4) and 128 (ipv6) should be specified using the property: destination_host: - Type: int() - Valid values: - range ipv4: 0-31 - range ipv6: 0-127 - See also: destination_host - Examples: task.destination_prefix = 24 task.destination_prefix = 120 |
destination_wildcard_bits | Destination wildcard bits: - Type: str() - Valid values: - A wildcard mask - Examples: task.destination_wildcard_bits = '255.255.0.0' task.destination_wildcard_bits = '255:255::255:0' |
dscp | Match packets with given DSCP value: - Type: str() or int() - Valid values: - int() range: 0-63 (DSCP is a 6-bit field) - af11 (001010) - af12 (001100) - af13 (001110) - af21 (010010) - af22 (010100) - af23 (010110) - af31 (011010) - af32 (011100) - af33 (011110) - af41 (100010) - af42 (100100) - af43 (100110) - cs1 (001000) (precedence 1) - cs2 (010000) (precedence 2) - cs3 (011000) (precedence 3) - cs4 (100000) (precedence 4) - cs5 (101000) (precedence 5) - cs6 (110000) (precedence 6) - cs7 (111000) (precedence 7) - default - ef - Examples: task.dscp = 61 task.dscp = 'cs5' task.dscp = 'af11' task.dscp = 'default' task.dscp = 'ef' |
fragments | Check non-initial fragments: - Type: bool() - Valid values: - False - True - Example: task.fragments = False - Required |
grant | Action to be applied on the rule: - Type: str() - Valid values: - deny - permit - Example: task.grant = 'deny' |
log | Log matches against this entry: - Type: bool() - Valid values: - False - True - Example: task.log = False - Required |
precedence | Precedence to match: - Type: str() - Valid values: - critical - flash - flash-override - immediate - internet - network - priority - routine - Example: task.precedence = 'priority' |
protocol | Protocol to match: - Type: str() or int() - Valid values: - int() range: 0-255 (IP protocol number) - ahp - eigrp - esp - gre - icmp - igmp - ip - nos - ospf - pcp - pim - tcp - udf - udp - Examples: task.protocol = 80 task.protocol = 'icmp' |
remark | ACL comment: - Type: str() - Example: task.remark = 'deny transit' |
sequence | ACE sequence number: - Type: int() - Valid values: - range: 1-4294967295 - Example: task.sequence = 10 |
source_address | Source network address: - Type: str() - Valid values: - ipv4 network - ipv6 network - Examples: task.source_address = '1.1.1.0/24' task.source_address = '2011:a::0/120' |
source_any | Any source address: - Type: bool() - Valid values: - False - True - Example: task.source_any = True |
source_host | Source host IP address: - Type: str() - Valid values: - ipv4 address - ipv6 address - Examples: task.source_host = '1.1.1.2' task.source_host = '2011:a::2' |
source_port_eq | Match on a specific source port number: - Type: int() - Valid values: - range: 0-65535 - Examples: task.source_port_eq = 80 task.source_port_eq = 8088 |
source_port_gt | Match source port numbers greater than provided value: - Type: int() - Valid values: - range: 0-65535 - Examples: task.source_port_gt = 80 task.source_port_gt = 8088 |
source_port_lt | Match source port numbers less than provided value: - Type: int() - Valid values: - range: 0-65535 - Examples: task.source_port_lt = 80 task.source_port_lt = 8088 |
source_port_neq | Match source port numbers not equal to provided value: - Type: int() - Valid values: - range: 0-65535 - Examples: task.source_port_neq = 80 task.source_port_neq = 8088 |
source_port_range_end | Match source port numbers within a range, where value is the end of the range: - Type: int() - Valid values: - range: 0-65535 - Examples: task.source_port_range_end = 8088 |
source_port_range_start | Match source port numbers within a range, where value is the start of the range: - Type: int() - Valid values: - range: 0-65535 - Examples: task.source_port_range_start = 8000 |
source_prefix | Source network prefix. Source prefixes of 32 (ipv4) and 128 (ipv6) should be specified using the property: source_host: - Type: int() - Valid values: - range ipv4: 0-31 - range ipv6: 0-127 - See also: source_host - Examples: task.source_prefix = 24 task.source_prefix = 120 |
source_wildcard_bits | Source wildcard bits: - Type: str() - Valid values: - A wildcard mask - Examples: task.source_wildcard_bits = '255.255.0.0' task.source_wildcard_bits = '255:255::255:0' |
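The following is an added example written for this page, not ScriptKit's own code: it takes the ACE and ACL properties documented in the tables above, applies the value ranges and mutually exclusive address forms those tables describe, and emits the dict structure that the cisco.nxos.nxos_acls module consumes (config -> afi -> acls -> aces, with source/destination.port_protocol and protocol_options sub-dicts). The function names (build_ace, build_task) are hypothetical, the input is a plain dict keyed by the documented property names, and the mapping of address + int prefix onto the module's `prefix: address/len` form, and of tcp_*/icmp_*/igmp_* properties onto protocol_options, is this example's own assumption.

```python
"""Added example, not ScriptKit's own code: map the documented ACE/ACL
properties onto the structure cisco.nxos.nxos_acls consumes, enforcing the
value ranges the tables list. Function names are hypothetical."""
import json

PROTOCOL_NAMES = {"ahp", "eigrp", "esp", "gre", "icmp", "igmp", "ip", "nos",
                  "ospf", "pcp", "pim", "tcp", "udf", "udp"}


def _port(name, value):
    # Every *_port_* property is an int in 0-65535.
    if not isinstance(value, int) or not 0 <= value <= 65535:
        raise ValueError(f"{name}: expected int in 0-65535, got {value!r}")
    return value


def _port_protocol(ace, side):
    # The module's port_protocol sub-dict takes exactly one of eq/gt/lt/neq/range.
    pp = {op: _port(f"{side}_port_{op}", ace[f"{side}_port_{op}"])
          for op in ("eq", "gt", "lt", "neq") if f"{side}_port_{op}" in ace}
    start, end = ace.get(f"{side}_port_range_start"), ace.get(f"{side}_port_range_end")
    if (start is None) != (end is None):
        raise ValueError(f"{side}_port_range_start and _end must be set together")
    if start is not None:
        if _port("range_start", start) > _port("range_end", end):
            raise ValueError(f"{side} port range start {start} > end {end}")
        pp["range"] = {"start": start, "end": end}
    if len(pp) > 1:
        raise ValueError(f"{side}: only one port operator allowed, got {sorted(pp)}")
    return pp


def _endpoint(afi, ace, side):
    # Exactly one address form per side: any, host, or address plus wildcard_bits
    # or prefix. Assumption: address + int prefix becomes the module's 'prefix: a/len'.
    forms = [f for f in ("any", "host", "address") if ace.get(f"{side}_{f}")]
    if len(forms) != 1:
        raise ValueError(f"{side}: set exactly one of any/host/address, got {forms}")
    if forms[0] == "any":
        ep = {"any": True}
    elif forms[0] == "host":
        ep = {"host": ace[f"{side}_host"]}
    elif f"{side}_wildcard_bits" in ace:
        ep = {"address": ace[f"{side}_address"], "wildcard_bits": ace[f"{side}_wildcard_bits"]}
    elif f"{side}_prefix" in ace:
        plen, limit = ace[f"{side}_prefix"], 31 if afi == "ipv4" else 127
        if not 0 <= plen <= limit:  # /32 and /128 are expressed with *_host instead
            raise ValueError(f"{side}_prefix {plen} outside 0-{limit} for {afi}")
        ep = {"prefix": f"{ace[f'{side}_address']}/{plen}"}
    else:
        raise ValueError(f"{side}_address needs {side}_wildcard_bits or {side}_prefix")
    pp = _port_protocol(ace, side)
    if pp:
        ep["port_protocol"] = pp
    return ep


def build_ace(afi, ace):
    seq = ace["sequence"]
    if not 1 <= seq <= 4294967295:
        raise ValueError(f"sequence {seq} outside 1-4294967295")
    if "remark" in ace:  # remark-only entry, as in the add_acl() example
        return {"sequence": seq, "remark": ace["remark"]}
    if ace["grant"] not in ("permit", "deny"):
        raise ValueError(f"grant must be permit or deny, got {ace['grant']!r}")
    proto = ace["protocol"]
    if not (proto in PROTOCOL_NAMES or (isinstance(proto, int) and 0 <= proto <= 255)):
        raise ValueError(f"unknown protocol {proto!r}")
    out = {"sequence": seq, "grant": ace["grant"], "protocol": proto}
    for side in ("source", "destination"):
        out[side] = _endpoint(afi, ace, side)
    for opt in ("dscp", "precedence", "fragments", "log"):
        if opt in ace:
            out[opt] = ace[opt]
    # tcp_*/icmp_*/igmp_* properties become protocol_options.<family>.<flag>,
    # which only make sense when protocol is that family.
    opts = {}
    for key, val in ace.items():
        fam, _, flag = key.partition("_")
        if fam in ("tcp", "icmp", "igmp") and flag:
            opts.setdefault(fam, {})[flag] = val
    if opts:
        if set(opts) != {proto}:
            raise ValueError(f"protocol_options {sorted(opts)} do not match protocol {proto!r}")
        out["protocol_options"] = opts
    return out


def build_task(name, afi, aces, state="merged"):
    # One nxos_acls task for one ACL: the shape add_acl() + commit() produce.
    return {"name": f"nxos_acls {name} ({afi}, {state})",
            "cisco.nxos.nxos_acls": {
                "config": [{"afi": afi, "acls": [{"name": name,
                            "aces": [build_ace(afi, a) for a in aces]}]}],
                "state": state}}


if __name__ == "__main__":
    # Constructed input: the page's two ACEs plus a TCP entry that exercises
    # a destination port range and the tcp_established flag.
    aces = [
        {"sequence": 5, "remark": "example ipv4 acl"},
        {"sequence": 10, "grant": "permit", "protocol": "ip", "dscp": "af31",
         "source_address": "1.1.1.1", "source_wildcard_bits": "0.0.0.255",
         "destination_address": "1.2.2.2", "destination_wildcard_bits": "0.0.255.255"},
        {"sequence": 20, "grant": "permit", "protocol": "tcp", "tcp_established": True,
         "source_any": True, "destination_host": "10.0.0.5",
         "destination_port_range_start": 8000, "destination_port_range_end": 8088},
    ]
    print(json.dumps(build_task("IPv4_ACL", "ipv4", aces), indent=2))
```

The returned dict is what the generated playbook task carries under `cisco.nxos.nxos_acls`; dump it with yaml.safe_dump to compare against the file ScriptKit writes. The checks worth keeping even when the library does its own verification are the ones the tables imply but a device will only reject at push time: an out-of-range port, a range whose start exceeds its end, two address forms on one side, and protocol flags (tcp_syn, icmp_echo) attached to a non-matching protocol.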
Property (acl) | Description |
---|---|
name | Name of the ACL: - Type: str() - Example: task.name = 'deny ipv6' - Required |
Property (icmp) | Description |
---|---|
icmp_administratively_prohibited | |
icmp_alternate_address | |
icmp_conversion_error | |
icmp_dod_net_prohibited | |
icmp_echo_request | |
icmp_echo | |
icmp_echo_reply | |
icmp_general_parameter_problem | |
icmp_host_isolated | |
icmp_host_precedence_unreachable | |
icmp_host_redirect | |
icmp_host_tos_redirect | |
icmp_host_tos_unreachable | |
icmp_host_unknown | |
icmp_host_unreachable | |
icmp_information_reply | |
icmp_information_request | |
icmp_mask_reply | |
icmp_mask_request | |
icmp_message_code | |
icmp_message_type | |
icmp_mobile_redirect | |
icmp_net_redirect | |
icmp_net_tos_redirect | |
icmp_net_tos_unreachable | |
icmp_net_unreachable | |
icmp_network_unknown | |
icmp_no_room_for_option | |
icmp_option_missing | |
icmp_packet_too_big | |
icmp_parameter_problem | |
icmp_port_unreachable | |
icmp_precedence_unreachable | |
icmp_protocol_unreachable | |
icmp_reassembly_timeout | |
icmp_redirect | |
icmp_router_advertisement | |
icmp_router_solicitation | |
icmp_source_quench | |
icmp_source_route_failed | |
icmp_time_exceeded | |
icmp_timestamp_reply | |
icmp_timestamp_request | |
icmp_traceroute | |
icmp_ttl_exceeded | |
icmp_unreachable | |

Property (igmp) | Description |
---|---|
igmp_dvmrp | |
igmp_host_query | |
igmp_host_report | |

Property (tcp) | Description |
---|---|
tcp_ack | |
tcp_established | |
tcp_fin | |
tcp_psh | |
tcp_rst | |
tcp_syn | |
tcp_urg | |
- Allen Robel (@PacketCalc)