Resource module to configure ACLs.
Version added: 1.0.0
- This module manages Access Control Lists (ACLs) on devices running IOS-XR.
# Using merged to add new ACLs
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 03:57:04.758 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
- name: Merge the provided configuration with the existing running configuration
  cisco.iosxr.iosxr_acls:
    # merged: only the ACLs/ACEs listed here are added or updated; entries
    # already on the device and not named (e.g. acl_1 sequence 10 in the
    # "before"/"after" output that follows) are left in place.
    state: merged
    config:
      - afi: ipv6
        acls:
          - name: acl6_1
            aces:
              # Rendered as:
              # 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log
              - sequence: 10
                grant: deny
                protocol: tcp
                log: true
                authen: true
                routing: true
                ttl:
                  range:
                    start: 180
                    end: 250
                protocol_options:
                  tcp:
                    syn: true
                source:
                  # quoted so the colon-heavy prefix is unambiguously a string
                  prefix: '2001:db8:1234::/48'
                  port_protocol:
                    range:
                      start: ftp
                      end: telnet
                destination:
                  any: true
              # Rendered as:
              # 20 permit icmpv6 any any router-advertisement precedence network destopts
              - sequence: 20
                grant: permit
                protocol: icmpv6
                precedence: network
                destopts: true
                protocol_options:
                  icmpv6:
                    router_advertisement: true
                source:
                  any: true
                destination:
                  any: true
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              # A remark entry carries only sequence and remark text.
              - sequence: 16
                remark: TEST_ACL_1_REMARK
              # Rendered as:
              # 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
              - sequence: 21
                grant: permit
                protocol: tcp
                protocol_options:
                  tcp:
                    rst: true
                source:
                  host: 192.0.2.10
                  port_protocol:
                    range:
                      start: pop3
                      end: 121
                destination:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.15
              # Rendered as:
              # 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
              # (the /28 prefix is emitted by the device as address + wildcard).
              - sequence: 23
                grant: deny
                protocol: icmp
                dscp:
                  lt: af12
                protocol_options:
                  icmp:
                    reassembly_timeout: true
                source:
                  any: true
                destination:
                  prefix: 198.51.100.0/28
          - name: acl_2
            aces:
              - sequence: 10
                remark: TEST_ACL_2_REMARK
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: udp
# sequence: 10
# source:
# address: 192.168.1.0
# wildcard_bits: 0.0.0.255
# name: acl_1
# afi: ipv4
#
# commands:
# - ipv6 access-list acl6_1
# - 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log
# - 20 permit icmpv6 any any router-advertisement precedence network destopts
# - ipv4 access-list acl_1
# - 16 remark TEST_ACL_1_REMARK
# - 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# - 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# - ipv4 access-list acl_2
# - 10 remark TEST_ACL_2_REMARK
#
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: udp
# sequence: 10
# source:
# address: 192.168.1.0
# wildcard_bits: 0.0.0.255
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 04:35:19.977 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using merged to update existing ACLs
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 04:37:33.542 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
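- name: Update existing ACEs
  cisco.iosxr.iosxr_acls:
    # merged is the module's default state; it is written out so the example
    # matches its heading ("Using merged to update existing ACLs") instead of
    # relying on the implicit default.
    state: merged
    config:
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              # Existing ACE 21 is re-rendered as:
              # 21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
              # grant, protocol and destination are kept from the existing entry;
              # the TCP flag set is replaced as a whole (rst -> syn), not merged.
              - sequence: 21
                source:
                  prefix: 198.51.100.32/28
                  port_protocol:
                    range:
                      start: pop3
                      end: 121
                protocol_options:
                  tcp:
                    syn: true
              # Existing ACE 23 is re-rendered as:
              # 23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
              # (icmp option and dscp match replaced, the rest kept).
              - sequence: 23
                protocol_options:
                  icmp:
                    router_advertisement: true
                dscp:
                  eq: af23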
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: udp
# sequence: 10
# source:
# address: 192.168.1.0
# wildcard_bits: 0.0.0.255
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
#
# commands:
# - ipv4 access-list acl_1
# - 21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
# - 23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: udp
# sequence: 10
# source:
# address: 192.168.1.0
# wildcard_bits: 0.0.0.255
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# sequence: 21
# source:
# address: 198.51.100.32
# port_protocol:
# range:
# end: '121'
# start: pop3
# wildcard_bits: 0.0.0.15
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# eq: af23
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# router_advertisement: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:58:38.345 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
# 23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using replaced to replace a whole ACL
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 05:38:36.205 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Replace device configurations of listed ACL with provided configurations
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
        acls:
          # Only acl_2 is named, so only acl_2 is rewritten; acl_1 and the
          # IPv6 ACL are untouched (see the "commands" output below).
          - name: acl_2
            aces:
              # 11 permit igmp host 198.51.100.130 any ttl eq 100
              - sequence: 11
                grant: permit
                protocol: igmp
                ttl:
                  eq: 100
                source:
                  host: 198.51.100.130
                destination:
                  any: true
              # 12 deny icmp any any
              - sequence: 12
                grant: deny
                protocol: icmp
                source:
                  any: true
                destination:
                  any: true
    # replaced: the existing ACEs of each listed ACL are removed first
    # ("no 10" in the rendered commands) and the listed ones added.
    state: replaced
# Task Output
# -----------
# before:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: udp
# sequence: 10
# source:
# address: 192.168.1.0
# wildcard_bits: 0.0.0.255
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
#
# commands:
# - ipv4 access-list acl_2
# - no 10
# - 11 permit igmp host 198.51.100.130 any ttl eq 100
# - 12 deny icmp any any
#
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: udp
# sequence: 10
# source:
# address: 192.168.1.0
# wildcard_bits: 0.0.0.255
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: igmp
# sequence: 11
# source:
# host: 198.51.100.130
# ttl:
# eq: 100
# - destination:
# any: true
# grant: deny
# protocol: icmp
# sequence: 12
# source:
# any: true
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 05:56:21.103 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 11 permit igmp host 198.51.100.130 any ttl eq 100
# 12 deny icmp any any
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using overridden to override all ACLs in the device
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
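- name: Override all ACLs configuration with provided configuration
  cisco.iosxr.iosxr_acls:
    # overridden: the device is made to match this list exactly. Every ACL
    # not named here is removed (acl6_1 in the run below: "no ipv6 access-list
    # acl6_1"), and every ACE not listed inside a named ACL is removed
    # ("no 16", "no 21", "no 23" under acl_1, "no 10" under acl_2).
    state: overridden
    config:
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              # 10 permit tcp any any
              - sequence: 10
                grant: permit
                protocol: tcp
                source:
                  any: true
                destination:
                  any: true
          - name: acl_2
            aces:
              # 20 permit igmp any any
              - sequence: 20
                grant: permit
                protocol: igmp
                source:
                  any: true
                destination:
                  any: true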
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
#
# commands:
# - no ipv6 access-list acl6_1
# - ipv4 access-list acl_1
# - no 16
# - no 21
# - no 23
# - 10 permit tcp any any
# - ipv4 access-list acl_2
# - no 10
# - 20 permit igmp any any
#
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: tcp
# sequence: 10
# source:
# any: true
# name: acl_1
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: igmp
# sequence: 20
# source:
# any: true
# name: acl_2
# afi: ipv4
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:31:22.178 UTC
# ipv4 access-list acl_1
# 10 permit tcp any any
# ipv4 access-list acl_2
# 20 permit igmp any any
# Using deleted to delete an entire ACL
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Delete a single ACL
  cisco.iosxr.iosxr_acls:
    state: deleted
    config:
      # With state: deleted the ACL is identified by afi and name only; no
      # aces are needed. Generates "no ipv6 access-list acl6_1"; the IPv4
      # ACLs are left as they were.
      - afi: ipv6
        acls:
          - name: acl6_1
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
#
# commands:
# - no ipv6 access-list acl6_1
#
# after:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# Using deleted to delete all ACLs under one AFI
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Delete all ACLs under one AFI
  cisco.iosxr.iosxr_acls:
    state: deleted
    config:
      # An afi entry with no acls list removes every ACL of that family
      # ("no ipv4 access-list acl_1", "no ipv4 access-list acl_2");
      # the IPv6 ACL survives.
      - afi: ipv4
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
#
# commands:
# - no ipv4 access-list acl_1
# - no ipv4 access-list acl_2
#
# after:
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using deleted to delete all ACLs from the device
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Delete all ACLs from the device
  cisco.iosxr.iosxr_acls:
    # state: deleted with no config at all removes every ACL of every
    # address family; "after" is returned as an empty list.
    state: deleted
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
#
# commands:
# - no ipv4 access-list acl_1
# - no ipv4 access-list acl_2
# - no ipv6 access-list acl6_1
#
# after: []
# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#
# Using gathered to gather ACL facts from the device
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
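# Task name corrected: this module gathers ACL facts, not ACL-interface facts.
- name: Gather ACL facts using gathered state
  cisco.iosxr.iosxr_acls:
    # gathered: read-only; the running ACL configuration is returned under
    # the "gathered" key (see the output that follows).
    state: gathered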
# Task Output (redacted)
# -----------------------
#
# gathered:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
# Using rendered
- name: Render platform specific commands (without connecting to the device)
  cisco.iosxr.iosxr_acls:
    # rendered: offline translation of config into IOS-XR CLI lines,
    # returned under the "rendered" key.
    state: rendered
    config:
      - afi: ipv4
        acls:
          - name: acl_2
            aces:
              # 11 permit igmp host 198.51.100.130 any ttl eq 100
              - sequence: 11
                grant: permit
                protocol: igmp
                ttl:
                  eq: 100
                source:
                  host: 198.51.100.130
                destination:
                  any: true
              # 12 deny icmp any any
              - sequence: 12
                grant: deny
                protocol: icmp
                source:
                  any: true
                destination:
                  any: true
# Task Output (redacted)
# -----------------------
# rendered:
# - ipv4 access-list acl_2
# - 11 permit igmp host 198.51.100.130 any ttl eq 100
# - 12 deny icmp any any
# Using parsed
# parsed.cfg
# ------------
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Parse externally provided ACL config to agnostic model
  cisco.iosxr.iosxr_acls:
    # parsed: offline; the CLI text in running_config is converted to the
    # module's structured model and returned under the "parsed" key.
    state: parsed
    # The Jinja expression is quoted so YAML does not read the leading
    # "{{" as a flow mapping.
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
# Task Output (redacted)
# -----------------------
# parsed:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
Common return values are documented here; the following are the fields unique to this module:
- Nilashish Chakraborty (@NilashishC)