cisco.nxos.nxos_acls_module.rst

cisco.nxos.nxos_acls

ACLs resource module

Version added: 1.0.0

  • Manage named IP ACLs on the Cisco NX-OS platform
Parameters (each entry lists the parameter name, its type, its choices or default where applicable, and a description):
config
list / elements=dictionary
A dictionary of ACL options.
acls
list / elements=dictionary
A list of the ACLs.
aces
list / elements=dictionary
The entries within the ACL.
destination
dictionary
Specify the packet destination.
address
string
Destination network address.
any
boolean
    Choices:
  • no
  • yes
Any destination address.
host
string
Host IP address.
port_protocol
dictionary
Specify the destination port or port range (only meaningful when protocol is tcp or udp).
eq
string
Match only packets on a given port number.
gt
string
Match only packets with a greater port number.
lt
string
Match only packets with a lower port number.
neq
string
Match only packets not on a given port number.
range
dictionary
Match only packets in the range of port numbers.
end
string
Specify the end of the port range.
start
string
Specify the start of the port range.
prefix
string
Destination network prefix in address/length form, for prefix lengths shorter than /32 (ipv4) or /128 (ipv6). A single host (/32 or /128) must be given in the 'host' key instead; the device reports such entries as hosts, not prefixes.
wildcard_bits
string
Destination wildcard bits.
dscp
string
Match packets with given DSCP value.
fragments
boolean
    Choices:
  • no
  • yes
Check non-initial fragments.
grant
string
    Choices:
  • permit
  • deny
Action to be applied on the rule.
log
boolean
    Choices:
  • no
  • yes
Log matches against this entry.
precedence
string
Match packets with given precedence value.
protocol
string
Specify the protocol.
protocol_options
dictionary
All possible suboptions for the protocol chosen.
icmp
dictionary
ICMP protocol options.
administratively_prohibited
boolean
    Choices:
  • no
  • yes
Administratively prohibited
alternate_address
boolean
    Choices:
  • no
  • yes
Alternate address
conversion_error
boolean
    Choices:
  • no
  • yes
Datagram conversion
dod_host_prohibited
boolean
    Choices:
  • no
  • yes
Host prohibited
dod_net_prohibited
boolean
    Choices:
  • no
  • yes
Net prohibited
echo
boolean
    Choices:
  • no
  • yes
Echo (ping)
echo_reply
boolean
    Choices:
  • no
  • yes
Echo reply
echo_request
boolean
    Choices:
  • no
  • yes
Echo request (ping)
general_parameter_problem
boolean
    Choices:
  • no
  • yes
Parameter problem
host_isolated
boolean
    Choices:
  • no
  • yes
Host isolated
host_precedence_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable for precedence
host_redirect
boolean
    Choices:
  • no
  • yes
Host redirect
host_tos_redirect
boolean
    Choices:
  • no
  • yes
Host redirect for TOS
host_tos_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable for TOS
host_unknown
boolean
    Choices:
  • no
  • yes
Host unknown
host_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable
information_reply
boolean
    Choices:
  • no
  • yes
Information replies
information_request
boolean
    Choices:
  • no
  • yes
Information requests
mask_reply
boolean
    Choices:
  • no
  • yes
Mask replies
mask_request
boolean
    Choices:
  • no
  • yes
Mask requests
message_code
integer
ICMP message code
message_type
integer
ICMP message type
mobile_redirect
boolean
    Choices:
  • no
  • yes
Mobile host redirect
net_redirect
boolean
    Choices:
  • no
  • yes
Network redirect
net_tos_redirect
boolean
    Choices:
  • no
  • yes
Net redirect for TOS
net_tos_unreachable
boolean
    Choices:
  • no
  • yes
Network unreachable for TOS
net_unreachable
boolean
    Choices:
  • no
  • yes
Net unreachable
network_unknown
boolean
    Choices:
  • no
  • yes
Network unknown
no_room_for_option
boolean
    Choices:
  • no
  • yes
Parameter required but no room
option_missing
boolean
    Choices:
  • no
  • yes
Parameter required but not present
packet_too_big
boolean
    Choices:
  • no
  • yes
Fragmentation needed and DF set
parameter_problem
boolean
    Choices:
  • no
  • yes
All parameter problems
port_unreachable
boolean
    Choices:
  • no
  • yes
Port unreachable
precedence_unreachable
boolean
    Choices:
  • no
  • yes
Precedence cutoff
protocol_unreachable
boolean
    Choices:
  • no
  • yes
Protocol unreachable
reassembly_timeout
boolean
    Choices:
  • no
  • yes
Reassembly timeout
redirect
boolean
    Choices:
  • no
  • yes
All redirects
router_advertisement
boolean
    Choices:
  • no
  • yes
Router discovery advertisements
router_solicitation
boolean
    Choices:
  • no
  • yes
Router discovery solicitations
source_quench
boolean
    Choices:
  • no
  • yes
Source quenches
source_route_failed
boolean
    Choices:
  • no
  • yes
Source route failed
time_exceeded
boolean
    Choices:
  • no
  • yes
All time exceeded.
timestamp_reply
boolean
    Choices:
  • no
  • yes
Timestamp replies
timestamp_request
boolean
    Choices:
  • no
  • yes
Timestamp requests
traceroute
boolean
    Choices:
  • no
  • yes
Traceroute
ttl_exceeded
boolean
    Choices:
  • no
  • yes
TTL exceeded
unreachable
boolean
    Choices:
  • no
  • yes
All unreachables
icmpv6
dictionary
ICMPv6 protocol options.
beyond_scope
boolean
    Choices:
  • no
  • yes
Destination beyond scope.
destination_unreachable
boolean
    Choices:
  • no
  • yes
Destination address is unreachable.
echo_reply
boolean
    Choices:
  • no
  • yes
Echo reply.
echo_request
boolean
    Choices:
  • no
  • yes
Echo request (ping).
fragments
boolean
    Choices:
  • no
  • yes
Check non-initial fragments.
header
boolean
    Choices:
  • no
  • yes
Parameter header problem.
hop_limit
boolean
    Choices:
  • no
  • yes
Hop limit exceeded in transit.
mld_query
boolean
    Choices:
  • no
  • yes
Multicast Listener Discovery Query.
mld_reduction
boolean
    Choices:
  • no
  • yes
Multicast Listener Discovery Reduction.
mld_report
boolean
    Choices:
  • no
  • yes
Multicast Listener Discovery Report.
mldv2
boolean
    Choices:
  • no
  • yes
Multicast Listener Discovery Protocol.
nd_na
boolean
    Choices:
  • no
  • yes
Neighbor discovery neighbor advertisements.
nd_ns
boolean
    Choices:
  • no
  • yes
Neighbor discovery neighbor solicitations.
next_header
boolean
    Choices:
  • no
  • yes
Parameter next header problems.
no_admin
boolean
    Choices:
  • no
  • yes
Administration prohibited destination.
no_route
boolean
    Choices:
  • no
  • yes
No route to destination.
packet_too_big
boolean
    Choices:
  • no
  • yes
Packet too big.
parameter_option
boolean
    Choices:
  • no
  • yes
Parameter option problems.
parameter_problem
boolean
    Choices:
  • no
  • yes
All parameter problems.
port_unreachable
boolean
    Choices:
  • no
  • yes
Port unreachable.
reassembly_timeout
boolean
    Choices:
  • no
  • yes
Reassembly timeout.
renum_command
boolean
    Choices:
  • no
  • yes
Router renumbering command.
renum_result
boolean
    Choices:
  • no
  • yes
Router renumbering result.
renum_seq_number
boolean
    Choices:
  • no
  • yes
Router renumbering sequence number reset.
router_advertisement
boolean
    Choices:
  • no
  • yes
Neighbor discovery router advertisements.
router_renumbering
boolean
    Choices:
  • no
  • yes
All router renumbering.
router_solicitation
boolean
    Choices:
  • no
  • yes
Neighbor discovery router solicitations.
telemetry_path
boolean
    Choices:
  • no
  • yes
IPT enabled.
telemetry_queue
boolean
    Choices:
  • no
  • yes
Flow of interest for BDC/HDC.
time_exceeded
boolean
    Choices:
  • no
  • yes
All time exceeded.
unreachable
boolean
    Choices:
  • no
  • yes
All unreachable.
igmp
dictionary
IGMP protocol options.
dvmrp
boolean
    Choices:
  • no
  • yes
Distance Vector Multicast Routing Protocol
host_query
boolean
    Choices:
  • no
  • yes
Host Query
host_report
boolean
    Choices:
  • no
  • yes
Host Report
tcp
dictionary
TCP flags.
ack
boolean
    Choices:
  • no
  • yes
Match on the ACK bit
established
boolean
    Choices:
  • no
  • yes
Match established connections
fin
boolean
    Choices:
  • no
  • yes
Match on the FIN bit
psh
boolean
    Choices:
  • no
  • yes
Match on the PSH bit
rst
boolean
    Choices:
  • no
  • yes
Match on the RST bit
syn
boolean
    Choices:
  • no
  • yes
Match on the SYN bit
urg
boolean
    Choices:
  • no
  • yes
Match on the URG bit
remark
string
Access list entry comment.
sequence
integer
Sequence number.
source
dictionary
Specify the packet source.
address
string
Source network address.
any
boolean
    Choices:
  • no
  • yes
Any source address.
host
string
Host IP address.
port_protocol
dictionary
Specify the source port or port range (only meaningful when protocol is tcp or udp).
eq
string
Match only packets on a given port number.
gt
string
Match only packets with a greater port number.
lt
string
Match only packets with a lower port number.
neq
string
Match only packets not on a given port number.
range
dictionary
Match only packets in the range of port numbers.
end
string
Specify the end of the port range.
start
string
Specify the start of the port range.
prefix
string
Source network prefix in address/length form, for prefix lengths shorter than /32 (ipv4) or /128 (ipv6). A single host (/32 or /128) must be given in the 'host' key instead; the device reports such entries as hosts, not prefixes.
wildcard_bits
string
Source wildcard bits.
name
string / required
Name of the ACL.
afi
string / required
    Choices:
  • ipv4
  • ipv6
The Address Family Indicator (AFI) for the ACL.
running_config
string
This option is used only with state parsed.
The value of this option should be the output received from the NX-OS device by executing the command show running-config | section '^ip(v6)* access-list'.
The state parsed reads the configuration from running_config option and transforms it into Ansible structured data as per the resource module's argspec and the value is then returned in the parsed key within the result.
state
string
    Choices:
  • deleted
  • gathered
  • merged (default)
  • overridden
  • rendered
  • replaced
  • parsed
The state the configuration should be left in. Note that overridden removes every ACL not listed in config, and deleted with no config removes every ACL on the device; see the examples below before using either against a production switch.

Note

  • Tested against NX-OS 7.3.(0)D1(1) on VIRL
  • Unsupported for Cisco MDS
  • NX-OS allows the same rule to be configured more than once under different sequence numbers, so provide a sequence number for every access control entry to keep tasks idempotent. An ACE given without a sequence number is added by the device as a new rule under a device-assigned sequence number, even if an identical rule already exists, so a repeated run grows the ACL instead of converging on it.
# Using merged

# Before state:
# -------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'

- name: Merge provided ACLs configuration with device configuration
  cisco.nxos.nxos_acls:
    state: merged
    config:
      - afi: ipv4
        acls:
          - name: ACL1v4
            aces:
              - grant: deny
                destination:
                  address: 192.0.2.64
                  wildcard_bits: 0.0.0.255
                source:
                  any: true
                  port_protocol:
                    lt: 55
                protocol: tcp
                protocol_options:
                  tcp:
                    ack: true
                    fin: true
                sequence: 50

      - afi: ipv6
        acls:
          - name: ACL1v6
            aces:
              - grant: permit
                sequence: 10
                source:
                  any: true
                destination:
                  prefix: 2001:db8:12::/32
                protocol: sctp

# Task Output
# -----------
# before: []
#
# commands:
# - ip access-list ACL1v4
# - 50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
# - ipv6 access-list ACL1v6
# - 10 permit sctp any 2001:db8:12::/32
#
# after:
#  - acls:
#    - aces:
#      - destination:
#          prefix: 2001:db8:12::/32
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      name: ACL1v6
#    afi: ipv6
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.2.64
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#            fin: true
#        sequence: 50
#        source:
#          any: true
#          port_protocol:
#            lt: '55'
#      name: ACL1v4
#    afi: ipv4


# After state:
# ------------
#
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#  50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
# ipv6 access-list ACL1v6
#  10 permit sctp any 2001:db8:12::/32

# Using replaced

# Before state:
# ----------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#   10 permit ip any any
#   20 deny udp any any
# ip access-list ACL2v4
#   10 permit ahp 192.0.2.0 0.0.0.255 any
# ipv6 access-list ACL1v6
#   10 permit sctp any any
#   20 remark IPv6 ACL
# ipv6 access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

- name: Replace existing ACL configuration with provided configuration
  cisco.nxos.nxos_acls:
    config:
      - afi: ipv4
      - afi: ipv6
        acls:
          - name: ACL1v6
            aces:
              - sequence: 20
                grant: permit
                source:
                  any: true
                destination:
                  any: true
                protocol: pim

              - remark: Replaced ACE
          - name: ACL2v6
    state: replaced

# Task Output
# -----------
# before:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      - remark: IPv6 ACL
#        sequence: 20
#      name: ACL1v6
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ip
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          any: true
#        grant: deny
#        protocol: udp
#        sequence: 20
#        source:
#          any: true
#      name: ACL1v4
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ahp
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#      name: ACL2v4
#    afi: ipv4
#
# commands:
#  - no ip access-list ACL1v4
#  - no ip access-list ACL2v4
#  - ipv6 access-list ACL1v6
#  - no 10 permit sctp any any
#  - no 20 remark IPv6 ACL
#  - remark Replaced ACE
#  - 20 permit pim any any
#  - ipv6 access-list ACL2v6
#  - no 10 deny ipv6 any 2001:db8:3000::/36
#  - no 20 permit tcp host 2001:db8:2000:2::2 host 2001:db8:2000:ab::2
#
# after:
#  - acls:
#    - aces:
#      - remark: Replaced ACE
#        sequence: 10
#      - destination:
#          any: true
#        grant: permit
#        protocol: pim
#        sequence: 20
#        source:
#          any: true
#      name: ACL1v6
#    - name: ACL2v6
#    afi: ipv6

# After state:
# ---------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ipv6 access-list ACL1v6
#   10 remark Replaced ACE
#   20 permit pim any any
# ipv6 access-list ACL2v6

# Using overridden

# Before state:
# ----------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#   10 permit ip any any
#   20 deny udp any any
# ip access-list ACL2v4
#   10 permit ahp 192.0.2.0 0.0.0.255 any
# ipv6 access-list ACL1v6
#   10 permit sctp any any
#   20 remark IPv6 ACL
# ipv6 access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

- name: Override existing configuration with provided configuration
  cisco.nxos.nxos_acls:
    config:
      - afi: ipv4
        acls:
          - name: NewACL
            aces:
              - grant: deny
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.255.255
                destination:
                  any: true
                protocol: eigrp
              - remark: Example for overridden state
    state: overridden

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      - remark: IPv6 ACL
#        sequence: 20
#      name: ACL1v6
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ip
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          any: true
#        grant: deny
#        protocol: udp
#        sequence: 20
#        source:
#          any: true
#      name: ACL1v4
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ahp
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#      name: ACL2v4
#    afi: ipv4
#
# commands:
#  - no ipv6 access-list ACL1v6
#  - no ipv6 access-list ACL2v6
#  - no ip access-list ACL1v4
#  - no ip access-list ACL2v4
#  - ip access-list NewACL
#  - deny eigrp 192.0.2.0 0.0.255.255 any
#  - remark Example for overridden state
#
# after:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: deny
#        protocol: eigrp
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.255.255
#      - remark: Example for overridden state
#        sequence: 20
#      name: NewACL
#    afi: ipv4

# After state:
# ------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list NewACL
#   10 deny eigrp 192.0.2.0 0.0.255.255 any
#   20 remark Example for overridden state

# Using deleted - delete all
#
# Before state:
# -------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#   10 permit ip any any
#   20 deny udp any any
# ip access-list ACL2v4
#   10 permit ahp 192.0.2.0 0.0.0.255 any
# ipv6 access-list ACL1v6
#   10 permit sctp any any
#   20 remark IPv6 ACL
# ipv6 access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

- name: Delete all ACLs
  cisco.nxos.nxos_acls:
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      - remark: IPv6 ACL
#        sequence: 20
#      name: ACL1v6
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ip
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          any: true
#        grant: deny
#        protocol: udp
#        sequence: 20
#        source:
#          any: true
#      name: ACL1v4
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ahp
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#      name: ACL2v4
#    afi: ipv4
#
# commands:
#  - no ip access-list ACL1v4
#  - no ip access-list ACL2v4
#  - no ipv6 access-list ACL1v6
#  - no ipv6 access-list ACL2v6
#
# after: []


# After state:
# -----------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
#

# Using deleted - delete AFI

# Before state:
# -------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#   10 permit ip any any
#   20 deny udp any any
# ip access-list ACL2v4
#   10 permit ahp 192.0.2.0 0.0.0.255 any
# ipv6 access-list ACL1v6
#   10 permit sctp any any
#   20 remark IPv6 ACL
# ipv6 access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

- name: Delete all ACLs in given AFI
  cisco.nxos.nxos_acls:
    config:
      - afi: ipv4
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      - remark: IPv6 ACL
#        sequence: 20
#      name: ACL1v6
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ip
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          any: true
#        grant: deny
#        protocol: udp
#        sequence: 20
#        source:
#          any: true
#      name: ACL1v4
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ahp
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#      name: ACL2v4
#    afi: ipv4
#
# commands:
#  - no ip access-list ACL1v4
#  - no ip access-list ACL2v4
#
# after:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      - remark: IPv6 ACL
#        sequence: 20
#      name: ACL1v6
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6

# After state:
# ------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ipv6 access-list ACL1v6
#   10 permit sctp any any
#   20 remark IPv6 ACL
# ipv6 access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

# Using deleted - delete ACLs

# Before state:
# -------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#   10 permit ip any any
#   20 deny udp any any
# ip access-list ACL2v4
#   10 permit ahp 192.0.2.0 0.0.0.255 any
# ipv6 access-list ACL1v6
#   10 permit sctp any any
#   20 remark IPv6 ACL
# ipv6 access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

- name: Delete specific ACLs
  cisco.nxos.nxos_acls:
    state: deleted
    config:
      - afi: ipv4
        acls:
          - name: ACL1v4
          - name: ACL2v4
      - afi: ipv6
        acls:
          - name: ACL1v6

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      - remark: IPv6 ACL
#        sequence: 20
#      name: ACL1v6
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ip
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          any: true
#        grant: deny
#        protocol: udp
#        sequence: 20
#        source:
#          any: true
#      name: ACL1v4
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ahp
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#      name: ACL2v4
#    afi: ipv4
#
# commands:
#  - no ip access-list ACL1v4
#  - no ip access-list ACL2v4
#  - no ipv6 access-list ACL1v6
#
# after:
#  - acls:
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6

# After state:
# ------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ipv6 access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128
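
# The three states above can remove ACLs wholesale: overridden deletes every
# ACL not named in config, replaced deletes every ACL of an AFI that is listed
# without acls, and deleted removes everything (no config), a whole AFI (afi
# only) or the named ACLs. The Python below is an added example, not code from
# the cisco.nxos collection. It takes the structured data a gathered run
# returns, computes which ACLs a given state and config would remove, rebuilds
# the "no ... access-list" commands shown in the task outputs above, and
# refuses when one of them is on a protect list. The gathered sample is
# constructed from the before state above; the protect list (ACL2v4 as an
# assumed management-plane ACL) is an assumption for illustration.

```python
AFI_KEYWORD = {"ipv4": "ip", "ipv6": "ipv6"}

# Constructed from the "before" state in the examples above (ACEs omitted,
# only names matter for the removal set).
SAMPLE_GATHERED = [
    {"afi": "ipv6", "acls": [{"name": "ACL1v6", "aces": []}, {"name": "ACL2v6", "aces": []}]},
    {"afi": "ipv4", "acls": [{"name": "ACL1v4", "aces": []}, {"name": "ACL2v4", "aces": []}]},
]
# Assumption for illustration: ACL2v4 is bound to the management interface.
PROTECTED = {("ipv4", "ACL2v4")}


def acl_names(structured):
    """Set of (afi, name) pairs present in a gathered or config structure."""
    return {(block["afi"], acl["name"])
            for block in structured or [] for acl in block.get("acls") or []}


def removal_set(gathered, state, config=None):
    """ACLs that running the module with state/config would delete outright."""
    present, config = acl_names(gathered), config or []
    if state == "overridden":                       # keep only what is named
        return present - acl_names(config)
    if state == "replaced":                         # an AFI with no acls is emptied
        bare_afis = {b["afi"] for b in config if not b.get("acls")}
        return {p for p in present if p[0] in bare_afis}
    if state == "deleted":
        if not config:                              # no config: everything goes
            return present
        removed = set()
        for block in config:
            names = {a["name"] for a in block.get("acls") or []}
            removed |= {p for p in present
                        if p[0] == block["afi"] and (not names or p[1] in names)}
        return removed
    if state in ("merged", "gathered", "parsed", "rendered"):
        return set()
    raise ValueError(f"unknown state {state!r}")


def removal_commands(removed):
    """The 'no ... access-list' lines the module pushes for that set."""
    return sorted(f"no {AFI_KEYWORD[afi]} access-list {name}" for afi, name in removed)


def preflight(gathered, state, config=None, protected=frozenset()):
    """Summarise the blast radius and refuse if a protected ACL is in it."""
    removed = removal_set(gathered, state, config)
    blocked = sorted(removed & set(protected))
    return {"ok": not blocked, "removed": sorted(removed), "blocked": blocked,
            "commands": removal_commands(removed)}


if __name__ == "__main__":
    override = [{"afi": "ipv4", "acls": [{"name": "NewACL", "aces": [
        {"grant": "deny", "protocol": "eigrp", "destination": {"any": True},
         "source": {"address": "192.0.2.0", "wildcard_bits": "0.0.255.255"}}]}]}]
    result = preflight(SAMPLE_GATHERED, "overridden", override, PROTECTED)
    print("\n".join(result["commands"]))
    if not result["ok"]:
        raise SystemExit(f"refusing: would remove protected ACLs {result['blocked']}")
```

# Feed it the `gathered` result of a preceding task (or the `parsed` result of
# a saved running-config) and the exact state and config of the destructive
# task; anything it lists under "removed" is gone from the device after the
# task, including any deny rules those ACLs carried.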

# Using parsed

- name: Parse given config to structured data
  cisco.nxos.nxos_acls:
    running_config: |
      ip access-list ACL1v4
        50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
      ipv6 access-list ACL1v6
        10 permit sctp any 2001:db8:12::/32
    state: parsed

# Task Output
# ------------
#
# parsed:
# - afi: ipv4
#   acls:
#     - name: ACL1v4
#       aces:
#         - grant: deny
#           destination:
#             address: 192.0.2.64
#             wildcard_bits: 0.0.0.255
#           source:
#             any: true
#             port_protocol:
#               lt: 55
#           protocol: tcp
#           protocol_options:
#             tcp:
#               ack: true
#               fin: true
#           sequence: 50
#
# - afi: ipv6
#   acls:
#     - name: ACL1v6
#       aces:
#         - grant: permit
#           sequence: 10
#           source:
#             any: true
#           destination:
#             prefix: 2001:db8:12::/32
#           protocol: sctp
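
# The parsed state above turns running-config text into the module's structure,
# and the note under the parameter table warns that an ACE pushed without a
# sequence number is added again under a device-assigned sequence. The Python
# below is an added example, not the collection's own parser: it parses the
# subset of the ACE grammar used on this page into that structure, lints a
# task's config for ACEs that carry no sequence number, and reports rules that
# already exist on the device under more than one sequence number, which is the
# leftover such a task produces on a re-run. The running-config sample is
# constructed.

```python
import json
import re

TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg", "established"}
PORT_OPS = {"eq", "gt", "lt", "neq"}
ACL_HEADER = re.compile(r"^(ip|ipv6) access-list (\S+)$")

# Constructed sample: sequence 60 duplicates sequence 50, which is what a task
# that pushed the rule without a sequence number leaves behind on a re-run.
SAMPLE_RUNNING_CONFIG = """\
ip access-list ACL1v4
  50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
  60 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
ipv6 access-list ACL2v6
  10 deny ipv6 any 2001:db8:3000::/36
  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128 log
  30 remark IPv6 ACL
"""


def _parse_endpoint(tokens):
    """Consume one address spec and an optional port operator from tokens."""
    ep, tok = {}, tokens.pop(0)
    if tok == "any":
        ep["any"] = True
    elif tok == "host":
        ep["host"] = tokens.pop(0)
    elif "/" in tok:
        addr, plen = tok.split("/")
        if int(plen) in (32, 128):   # a single host is reported under 'host'
            ep["host"] = addr
        else:
            ep["prefix"] = tok
    else:
        ep["address"], ep["wildcard_bits"] = tok, tokens.pop(0)
    if tokens and tokens[0] in PORT_OPS:
        op = tokens.pop(0)
        ep["port_protocol"] = {op: tokens.pop(0)}
    elif tokens and tokens[0] == "range":
        tokens.pop(0)
        start, end = tokens.pop(0), tokens.pop(0)
        ep["port_protocol"] = {"range": {"start": start, "end": end}}
    return ep


def parse_ace(line):
    """One ACE line -> the module's ace dictionary (remarks included)."""
    tokens, ace = line.split(), {}
    if tokens[0].isdigit():
        ace["sequence"] = int(tokens.pop(0))
    if tokens[0] == "remark":
        ace["remark"] = " ".join(tokens[1:])
        return ace
    ace["grant"], ace["protocol"] = tokens.pop(0), tokens.pop(0)
    ace["source"] = _parse_endpoint(tokens)
    ace["destination"] = _parse_endpoint(tokens)
    flags = {tok: True for tok in tokens if tok in TCP_FLAGS}
    if flags:
        ace["protocol_options"] = {"tcp": flags}
    if "log" in tokens:
        ace["log"] = True
    return ace


def parse_running_config(text):
    """'show running-config | section' text -> the parsed/gathered structure."""
    per_afi, current = {}, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        header = ACL_HEADER.match(line)
        if header:
            afi = "ipv4" if header.group(1) == "ip" else "ipv6"
            current = {"name": header.group(2), "aces": []}
            per_afi.setdefault(afi, []).append(current)
        elif current is None:
            raise ValueError(f"ACE outside an access-list block: {line!r}")
        else:
            current["aces"].append(parse_ace(line))
    return [{"afi": afi, "acls": acls} for afi, acls in per_afi.items()]


def _rule_key(ace):
    """Everything that identifies a rule except its sequence number."""
    return json.dumps({k: v for k, v in ace.items() if k != "sequence"}, sort_keys=True)


def find_duplicate_rules(parsed):
    """(afi, acl, [sequences]) for every rule present under more than one sequence."""
    findings = []
    for block in parsed:
        for acl in block["acls"]:
            seen = {}
            for ace in acl["aces"]:
                if "remark" not in ace:
                    seen.setdefault(_rule_key(ace), []).append(ace.get("sequence"))
            findings += [(block["afi"], acl["name"], s) for s in seen.values() if len(s) > 1]
    return findings


def aces_without_sequence(config):
    """Lint a task's config: (afi, acl, index) of ACEs with no sequence number."""
    return [(block["afi"], acl["name"], i)
            for block in config for acl in block.get("acls") or []
            for i, ace in enumerate(acl.get("aces") or []) if "sequence" not in ace]


if __name__ == "__main__":
    parsed = parse_running_config(SAMPLE_RUNNING_CONFIG)
    print(json.dumps(parsed, indent=2))
    for afi, name, seqs in find_duplicate_rules(parsed):
        print(f"{afi} {name}: same rule at sequences {seqs}")
```

# Run aces_without_sequence over the config of a merged or replaced task before
# pushing it, and find_duplicate_rules over the device output afterwards; a hit
# from the second means an earlier run already left a duplicate that the module
# will not remove for you.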


# Using gathered:

# Before state:
# ------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#  50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
# ipv6 access-list ACL1v6
#  10 permit sctp any 2001:db8:12::/32

- name: Gather existing configuration
  cisco.nxos.nxos_acls:
    state: gathered

# Task Output
# -----------
#
# gathered:
# - afi: ipv4
#   acls:
#     - name: ACL1v4
#       aces:
#         - grant: deny
#           destination:
#             address: 192.0.2.64
#             wildcard_bits: 0.0.0.255
#           source:
#             any: true
#             port_protocol:
#               lt: 55
#           protocol: tcp
#           protocol_options:
#             tcp:
#               ack: true
#               fin: true
#           sequence: 50

# - afi: ipv6
#   acls:
#     - name: ACL1v6
#       aces:
#         - grant: permit
#           sequence: 10
#           source:
#             any: true
#           destination:
#             prefix: 2001:db8:12::/32
#           protocol: sctp


# Using rendered

- name: Render required configuration to be pushed to the device
  cisco.nxos.nxos_acls:
    config:
      - afi: ipv4
        acls:
          - name: ACL1v4
            aces:
              - grant: deny
                destination:
                  address: 192.0.2.64
                  wildcard_bits: 0.0.0.255
                source:
                  any: true
                  port_protocol:
                    lt: 55
                protocol: tcp
                protocol_options:
                  tcp:
                    ack: true
                    fin: true
                sequence: 50
      - afi: ipv6
        acls:
          - name: ACL1v6
            aces:
              - grant: permit
                sequence: 10
                source:
                  any: true
                destination:
                  prefix: '2001:db8:12::/32'
                protocol: sctp
    state: rendered


# Task Output
# -----------
#
# rendered:
#  ip access-list ACL1v4
#   50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
#  ipv6 access-list ACL1v6
#   10 permit sctp any 2001:db8:12::/32

Common return values are documented in the Ansible return-values reference; the following are the fields unique to this module:

Key / Returned / Description
after
list (one dictionary per AFI, as in the examples above)
when changed
The resulting configuration after the module invocation, in the same format as the config parameter above.
before
list (one dictionary per AFI, as in the examples above)
always
The configuration prior to the module invocation, in the same format as the config parameter above.
commands
list
always
The set of commands pushed to the remote device.

Sample:
['ip access-list ACL1v4', '10 permit ip any any precedence critical log', '20 deny tcp any lt smtp host 192.0.2.64 ack fin']
gathered
list
when state is gathered
Facts about the network resource gathered from the remote device as structured data, in the same format as the module argspec.
parsed
list
when state is parsed
The device native config provided in the running_config option, parsed into structured data in the same format as the module argspec.
rendered
list
when state is rendered
The configuration provided in the task rendered in device-native format, without contacting the device.

Sample:
['ip access-list ACL1v4', '10 permit ip any any precedence critical log', '20 deny tcp any lt smtp host 192.0.2.64 ack fin']


Authors

  • Adharsh Srivats Rangarajan (@adharshsrivatsr)