amnesh.soodar.soodar_acls module – Manages ACLs on Soodar devices.
Note
This module is part of the amnesh.soodar collection (version 1.0.0).
To install it, use: ansible-galaxy collection install https://soodar.ir/ansible/amnesh.soodar.tar.gz
To use it in a playbook, specify: amnesh.soodar.soodar_acls
New in amnesh.soodar 1.0
Synopsis
This module configures and manages ACLs on Soodar platforms.
Note
This module has a corresponding action plugin.
Parameters
Options are listed nested as they appear in a playbook; a row without a leading name gives the description only.

- config: A dictionary of ACL options, one entry per address family.
  - acls: A list of Access Control Lists (ACL).
    - aces: The entries within the ACL.
      - destination: Specify the packet destination.
        - address: Host prefix to match.
        - any: Match any destination address (the examples set it to true).
        - port_protocol: Specify the destination port along with the protocol. Valid only with the TCP/UDP protocol_options.
          - eq: Match only packets on a given port number.
          - Match only packets with a greater port number.
          - Match only packets with a lower port number.
          - Port group.
          - Specify the end of the port range.
          - Specify the start of the port range.
      - grant: Specify the action (the examples use deny).
      - Specify the protocol to match. Refer to vendor documentation for valid values.
      - protocol_options: Protocol type. Each entry below is a flag; the examples set the ones they use to true.
        - Authentication Header Protocol.
        - Cisco's EIGRP routing protocol.
        - Encapsulating Security Payload.
        - Cisco's GRE tunneling.
        - Hop-by-Hop options header. Valid for IPv6.
        - icmp: Internet Control Message Protocol. Sub-options select the ICMP message type:
          - Administratively prohibited
          - Alternate address
          - Datagram conversion
          - Host prohibited
          - Net prohibited
          - echo: Echo (ping)
          - Echo reply
          - Parameter problem
          - Host isolated
          - Host unreachable for precedence
          - Host redirect
          - Host redirect for TOS
          - Host unreachable for TOS
          - Host unknown
          - Host unreachable
          - Information replies
          - Information requests
          - Mask replies
          - mask_request: Mask requests
          - Mobile host redirect
          - Network redirect
          - Net redirect for TOS
          - Network unreachable for TOS
          - Net unreachable
          - Network unknown
          - Parameter required but no room
          - Parameter required but not present
          - Fragmentation needed and DF set
          - All parameter problems
          - Port unreachable
          - Precedence cutoff
          - Protocol unreachable
          - Reassembly timeout
          - All redirects
          - Router discovery advertisements
          - Router discovery solicitations
          - Source quenches
          - Source route failed
          - All time-exceeded messages
          - Timestamp replies
          - Timestamp requests
          - traceroute: Traceroute
          - TTL exceeded
          - All unreachables
        - Internet Group Management Protocol (IGMP).
        - Any Internet Protocol.
        - IP in IP tunneling.
        - Any IPv6.
        - KA9Q NOS compatible IP over IP tunneling.
        - OSPF routing protocol.
        - Payload Compression Protocol.
        - Protocol Independent Multicast.
        - An IP protocol number.
        - Stream Control Transmission Protocol.
        - tcp: Match TCP packet flags.
          - ack: Match on the ACK bit
          - Match established connections
          - fin: Match on the FIN bit
          - Match on the PSH bit
          - Match on the RST bit
          - syn: Match on the SYN bit
          - Match on the URG bit
        - User Datagram Protocol.
      - sequence: Sequence number for the Access Control Entry (ACE). Refer to vendor documentation for valid values.
      - source: Specify the packet source.
        - address: Source network prefix.
        - any: Match any source address (the examples set it to true).
        - port_protocol: Specify the source port along with the protocol. Valid only with the TCP/UDP protocol_options.
          - eq: Match only packets on a given port number.
          - Match only packets with a greater port number.
          - Match only packets with a lower port number.
          - Port group.
          - Specify the end of the port range.
          - Specify the start of the port range.
    - name: The name or the number of the ACL.
  - afi: The Address Family Indicator (AFI) for the Access Control Lists (ACL). Choices: ipv4, ipv6.
- running_config: Used only with state parsed. The value should be the output received from the Soodar device by executing the command sh access-list. The state parsed reads the configuration from this option and returns the structured result under the parsed key.
- state: The state the configuration should be left in. Choices: merged (default), replaced, overridden, deleted, gathered, rendered, parsed.
  merged merges the want and have configuration. Because the Soodar platform does not allow an ACE to be updated in place over a pre-existing ACE sequence in an ACL, the module errors out in that case; with merged, only new ACEs at sequence numbers the ACL does not already use can be added.
  rendered, gathered and parsed do not change the device. rendered transforms the configuration given in config into device commands and returns them under the rendered key. gathered fetches the running configuration from the device, transforms it into structured data in the format of the module argspec and returns it under the gathered key. parsed reads the configuration from the running_config option, transforms it into the same structured format and returns it under the parsed key.
Notes
Note
Tested against Soodar Version 21.04
Examples
# Using deleted
# Before state:
# -------------
#
# soodar# sh ip access-lists
# IP access list 110
# 10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# IP access list 123
# 10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
# 20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# IP access list test
# 10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# IPv6 access list R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack
- name: "Delete ACLs (Note: this won't delete all configured ACLs)"
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
        acls:
          - name: test
            acl_type: extended
          - name: 110
      - afi: ipv6
        acls:
          - name: R1_TRAFFIC
    state: deleted
# Commands fired:
# ---------------
#
# - no ip access-list test
# - no ip access-list 110
# - no ipv6 access-list R1_TRAFFIC
# After state:
# -------------
#
# soodar# sh ip access-lists
# IP access list 123
# 10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
# 20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# Before state:
# -------------
#
# soodar# sh ip access-lists
# IP access list 110
# 10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# IP access list 123
# 10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
# 20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# IP access list test
# 10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# IPv6 access list R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack
- name: "Delete ACLs based on AFI (Note: this won't delete all configured ACLs)"
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
    state: deleted
# Commands fired:
# ---------------
#
# - no ip access-list test
# - no ip access-list 110
# - no ip access-list 123
# After state:
# -------------
#
# soodar# sh ip access-lists
# IPv6 access list R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack
# Using deleted without any config passed (NOTE: this deletes ALL configured ACLs)
# Before state:
# -------------
#
# soodar# sh ip access-lists
# IP access list 110
# 10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# IP access list 123
# 10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
# 20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# IP access list test
# 10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# IPv6 access list R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack
- name: "Delete ALL configured ACLs (Note: this WILL delete all configured ACLs)"
  amnesh.soodar.soodar_acls:
    state: deleted
# Commands fired:
# ---------------
#
# - no ip access-list test
# - no ip access-list 110
# - no ip access-list 123
# - no ipv6 access-list R1_TRAFFIC
# After state:
# -------------
#
# soodar# sh ip access-lists
# Using merged
# Before state:
# -------------
#
# soodar# sh ip access-lists
# IP access list 100
# 10 deny icmp 192.0.2.0/24 192.0.3.0/24 echo
- name: Merge provided configuration with device configuration
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
        acls:
          - name: 100
            aces:
              - sequence: 10
                protocol_options:
                  icmp:
                    traceroute: true
    state: merged
# After state:
# ------------
#
# Play execution fails with the error:
# Cannot update existing sequence 10 of ACLs 100 with state merged.
# Please use state replaced or overridden.
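The rule that makes the run above fail (an ACE cannot be changed at a sequence number the ACL already uses when state is merged) can be checked before the task is run. The following Python example is added here and is not part of the amnesh.soodar collection: it takes the want list from config and the have list in the shape gathered returns, and sorts each wanted ACE into new, unchanged or collision. The sample data is constructed from the failing example above; the function names, and the assumption that an ACE whose specified fields already match the device is a no-op rather than an error, are this example's own.

```python
"""Pre-flight for state=merged: find wanted ACEs that collide with existing sequence numbers.

Added example, not part of the amnesh.soodar collection. The data layout is the
module's own (afi -> acls -> aces); the function names and the 'unchanged' rule
(an ACE whose specified fields already match the device is a no-op) are assumptions.
"""
from typing import Dict, List, Optional, Tuple

AclData = List[dict]                 # the list found under config:, gathered: or parsed:
AclKey = Tuple[str, str]             # (afi, acl name)
Entry = Tuple[str, str, Optional[int]]

# Constructed sample: the "Before state" of the failing merged example above.
HAVE: AclData = [
    {"afi": "ipv4", "acls": [
        {"name": "100", "aces": [
            {"sequence": 10, "grant": "deny",
             "protocol_options": {"icmp": {"echo": True}},
             "source": {"address": "192.0.2.0/24"},
             "destination": {"address": "192.0.3.0/24"}},
        ]},
    ]},
]

# Constructed sample: the config from that task (changes the ICMP type at sequence 10)
# plus one ACE without a sequence number, which merged can append.
WANT: AclData = [
    {"afi": "ipv4", "acls": [
        {"name": "100", "aces": [
            {"sequence": 10, "protocol_options": {"icmp": {"traceroute": True}}},
            {"grant": "deny", "protocol_options": {"tcp": {"ack": True}},
             "source": {"address": "198.51.100.0/24"},
             "destination": {"address": "198.51.110.0/24",
                             "port_protocol": {"eq": "telnet"}}},
        ]},
    ]},
]


def index_aces(data: AclData) -> Dict[AclKey, Dict[int, dict]]:
    """Map (afi, acl name) -> {sequence: ace} for every ACE that carries a sequence number."""
    index: Dict[AclKey, Dict[int, dict]] = {}
    for family in data:
        for acl in family.get("acls") or []:
            by_seq = index.setdefault((family["afi"], str(acl["name"])), {})
            for ace in acl.get("aces") or []:
                if ace.get("sequence") is not None:
                    by_seq[int(ace["sequence"])] = ace
    return index


def _already_present(want_ace: dict, have_ace: dict) -> bool:
    """Assumption: every field the play specifies already matches -> nothing to change."""
    return all(have_ace.get(key) == value for key, value in want_ace.items())


def merge_preflight(want: AclData, have: AclData) -> Dict[str, List[Entry]]:
    """Sort each wanted ACE into one bucket:
       new        no sequence, or a sequence the ACL does not use yet (merged adds it)
       unchanged  same sequence and the wanted fields already match (assumed no-op)
       collision  same sequence, different content (the documented merged failure)
    """
    have_index = index_aces(have)
    buckets: Dict[str, List[Entry]] = {"new": [], "unchanged": [], "collision": []}
    for family in want:
        for acl in family.get("acls") or []:
            key = (family["afi"], str(acl["name"]))
            existing = have_index.get(key, {})
            for ace in acl.get("aces") or []:
                seq = ace.get("sequence")
                entry: Entry = (key[0], key[1], None if seq is None else int(seq))
                if seq is None or int(seq) not in existing:
                    buckets["new"].append(entry)
                elif _already_present(ace, existing[int(seq)]):
                    buckets["unchanged"].append(entry)
                else:
                    buckets["collision"].append(entry)
    return buckets


def collision_messages(want: AclData, have: AclData) -> List[str]:
    """One line per collision, phrased like the module's own error."""
    return [
        f"Cannot update existing sequence {seq} of ACL {name} with state merged; "
        f"use state replaced or overridden."
        for _afi, name, seq in merge_preflight(want, have)["collision"]
    ]


if __name__ == "__main__":
    for line in collision_messages(WANT, HAVE) or ["merged is safe: no sequence collisions"]:
        print(line)
```

In a play, the have side is the gathered result of a preceding soodar_acls task with state gathered; feeding that and the intended config through merge_preflight lets you switch the task to replaced or overridden deliberately instead of discovering the collision when the play fails.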
# Before state:
# -------------
#
# soodar# sh ip access-lists
# IP access list 100
# 10 deny icmp 192.0.2.0/24 192.0.3.0/24 echo
- name: Merge provided configuration with device configuration
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                sequence: 10
                protocol_options:
                  icmp:
                    traceroute: true
                source:
                  address: 192.0.2.0/24
                destination:
                  address: 192.0.3.0/24
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 198.51.100.0/24
                destination:
                  address: 198.51.110.0/24
                  port_protocol:
                    eq: telnet
          - name: test
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    fin: true
                source:
                  address: 192.0.2.0/24
                destination:
                  address: 192.0.3.0/24
                  port_protocol:
                    eq: www
          - name: 123
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 198.51.100.0/24
                destination:
                  address: 198.51.101.0/24
                  port_protocol:
                    eq: telnet
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 192.0.3.0/24
                destination:
                  address: 192.0.4.0/24
                  port_protocol:
                    eq: www
      - afi: ipv6
        acls:
          - name: R1_TRAFFIC
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  any: true
                  port_protocol:
                    eq: www
                destination:
                  any: true
                  port_protocol:
                    eq: telnet
    state: merged
# Commands fired:
# ---------------
#
# - ip access-list 110
# - 10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
# - deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - ip access-list test
# - deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# - ip access-list 123
# - deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
# - deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# - ipv6 access-list R1_TRAFFIC
# - deny tcp any eq www any eq telnet ack
# After state:
# ------------
#
# soodar# sh ip access-lists
# IP access list 100
# 10 deny icmp 192.0.2.0/24 192.0.3.0/24 echo
# IP access list 110
# 10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# IP access list 123
# 10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
# 20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# IP access list test
# 10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# IPv6 access list R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack
# Using overridden
# Before state:
# -------------
#
# soodar# sh ip access-lists
# IP access list 110
# 10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# IP access list 123
# 10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
# 20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# IP access list test
# 10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# IPv6 access list R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack
- name: Override device configuration of all ACLs with provided configuration
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                sequence: 20
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 198.51.100.0/24
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0/24
                  port_protocol:
                    eq: www
          - name: 150
            aces:
              - grant: deny
                sequence: 10
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0/24
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0/24
                  port_protocol:
                    eq: telnet
    state: overridden
# Commands fired:
# ---------------
#
# - no ip access-list 110
# - no ip access-list 123
# - no ip access-list 150
# - no ip access-list test
# - no ipv6 access-list R1_TRAFFIC
# - ip access-list 150
# - 10 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq telnet syn
# - ip access-list 110
# - 20 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq www ack
# After state:
# -------------
#
# soodar# sh ip access-lists
# IP access list 110
# 20 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq www ack
# IP access list 150
# 10 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq telnet syn
# Using replaced
# Before state:
# -------------
#
# soodar# sh ip access-lists
# IP access list 110
# 10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# IP access list 123
# 10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
# 20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# IP access list test
# 10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# IPv6 access list R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack
- name: Replace device configuration of the listed ACLs with provided configuration
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 192.0.2.0/24
                destination:
                  address: 192.0.3.0/24
                  port_protocol:
                    eq: www
          - name: 150
            aces:
              - grant: deny
                sequence: 20
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0/24
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0/24
                  port_protocol:
                    eq: telnet
    state: replaced
# Commands fired:
# ---------------
#
# - no ip access-list 110
# - ip access-list 110
# - deny tcp 192.0.2.0/24 192.0.3.0/24 eq www syn
# - ip access-list 150
# - 20 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq telnet syn
# After state:
# -------------
#
# soodar# sh ip access-lists
# IP access list 110
# 10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www syn
# IP access list 123
# 10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
# 20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# IP access list 150
# 20 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq telnet syn
# IP access list test
# 10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# IPv6 access list R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack
# Using gathered
# Before state:
# -------------
#
# soodar# sh ip access-lists
# IP access list 110
# 10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# IP access list 123
# 10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
# 20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# IP access list test
# 10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# IPv6 access list R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack
- name: Gather the ACLs configured on the device
  amnesh.soodar.soodar_acls:
    config:
    state: gathered
# Module Execution Result:
# ------------------------
#
# "gathered": [
#     {
#         "acls": [
#             {
#                 "aces": [
#                     {
#                         "destination": {
#                             "address": "192.0.3.0/24"
#                         },
#                         "grant": "deny",
#                         "protocol_options": {
#                             "icmp": {
#                                 "traceroute": true
#                             }
#                         },
#                         "sequence": 10,
#                         "source": {
#                             "address": "192.0.2.0/24"
#                         }
#                     },
#                     {
#                         "destination": {
#                             "address": "198.51.110.0/24",
#                             "port_protocol": {
#                                 "eq": "telnet"
#                             }
#                         },
#                         "grant": "deny",
#                         "protocol_options": {
#                             "tcp": {
#                                 "ack": true
#                             }
#                         },
#                         "sequence": 20,
#                         "source": {
#                             "address": "198.51.100.0/24"
#                         }
#                     }
#                 ],
#                 "acl_type": "extended",
#                 "name": "110"
#             },
#             {
#                 "aces": [
#                     {
#                         "destination": {
#                             "address": "198.51.101.0/24",
#                             "port_protocol": {
#                                 "eq": "telnet"
#                             }
#                         },
#                         "grant": "deny",
#                         "protocol_options": {
#                             "tcp": {
#                                 "ack": true
#                             }
#                         },
#                         "sequence": 10,
#                         "source": {
#                             "address": "198.51.100.0/24"
#                         }
#                     },
#                     {
#                         "destination": {
#                             "address": "192.0.4.0/24",
#                             "port_protocol": {
#                                 "eq": "www"
#                             }
#                         },
#                         "grant": "deny",
#                         "protocol_options": {
#                             "tcp": {
#                                 "ack": true
#                             }
#                         },
#                         "sequence": 20,
#                         "source": {
#                             "address": "192.0.3.0/24"
#                         }
#                     }
#                 ],
#                 "acl_type": "extended",
#                 "name": "123"
#             },
#             {
#                 "aces": [
#                     {
#                         "destination": {
#                             "address": "192.0.3.0/24",
#                             "port_protocol": {
#                                 "eq": "www"
#                             }
#                         },
#                         "grant": "deny",
#                         "protocol_options": {
#                             "tcp": {
#                                 "fin": true
#                             }
#                         },
#                         "sequence": 10,
#                         "source": {
#                             "address": "192.0.2.0/24"
#                         }
#                     }
#                 ],
#                 "acl_type": "extended",
#                 "name": "test"
#             }
#         ],
#         "afi": "ipv4"
#     },
#     {
#         "acls": [
#             {
#                 "aces": [
#                     {
#                         "destination": {
#                             "any": true,
#                             "port_protocol": {
#                                 "eq": "telnet"
#                             }
#                         },
#                         "grant": "deny",
#                         "protocol_options": {
#                             "tcp": {
#                                 "ack": true
#                             }
#                         },
#                         "sequence": 10,
#                         "source": {
#                             "any": true,
#                             "port_protocol": {
#                                 "eq": "www"
#                             }
#                         }
#                     }
#                 ],
#                 "name": "R1_TRAFFIC"
#             }
#         ],
#         "afi": "ipv6"
#     }
# ]
# Using rendered
- name: Render the provided configuration into device commands
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                sequence: 10
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 192.0.2.0/24
                destination:
                  address: 192.0.3.0/24
                  port_protocol:
                    eq: www
          - name: 150
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0/24
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0/24
                  port_protocol:
                    eq: telnet
    state: rendered
# Module Execution Result:
# ------------------------
#
# "rendered": [
#     "ip access-list 110",
#     "10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www syn",
#     "ip access-list 150",
#     "deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq telnet syn"
# ]
# Using parsed
# File: parsed.cfg
# ----------------
#
# IPv6 access-list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack
- name: Parse the commands for provided configuration
  amnesh.soodar.soodar_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed
# Module Execution Result:
# ------------------------
#
# "parsed": [
#     {
#         "acls": [
#             {
#                 "aces": [
#                     {
#                         "destination": {
#                             "any": true,
#                             "port_protocol": {
#                                 "eq": "telnet"
#                             }
#                         },
#                         "grant": "deny",
#                         "protocol_options": {
#                             "tcp": {
#                                 "ack": true
#                             }
#                         },
#                         "source": {
#                             "any": true,
#                             "port_protocol": {
#                                 "eq": "www"
#                             }
#                         }
#                     }
#                 ],
#                 "name": "R1_TRAFFIC"
#             }
#         ],
#         "afi": "ipv6"
#     }
# ]
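The parsed and gathered states above both turn device text into the afi/acls/aces structure. The following Python example, added here and not the amnesh.soodar collection's own parser, shows how that conversion works on the sh ip access-lists format used throughout this page and then runs one audit over the result, flagging permit entries that match any source and any destination with no port restriction. The sample output is constructed from the before-state blocks on this page. It assumes the prefix-form addresses shown here (not wildcard masks), maps host X to X/32 (X/128 for IPv6) as an assumption since the module's own handling of host entries is not documented, and reads gt and lt as port keywords alongside the documented eq; the function names are this example's own.

```python
"""Parse 'sh ip access-lists' text into the soodar_acls afi/acls/aces structure.

Added example, not the amnesh.soodar collection's own parser. Assumes the
prefix-form output shown on this page; 'host X' is mapped to X/32 (X/128 for
IPv6) as an assumption, since the module's own host mapping is not documented.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the "Before state" blocks on this page.
SAMPLE_OUTPUT = """\
IP access list 110
10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
20 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq www ack
30 permit ip any any
IP access list test
10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
IPv6 access list R1_TRAFFIC
10 deny tcp any eq www any eq telnet ack
20 permit tcp host 2001:db8::10 any eq www
"""

ACL_HEADER = re.compile(r"^IP(?P<v6>v6)? access list (?P<name>\S+)$")
TCP_FLAGS = {"ack", "established", "fin", "psh", "rst", "syn", "urg"}
PORT_OPS = {"eq", "gt", "lt"}  # eq is documented above; gt/lt keywords are assumed


def _parse_endpoint(tokens: List[str], pos: int, afi: str) -> Tuple[dict, int]:
    """Consume one address spec plus an optional port match starting at tokens[pos]."""
    endpoint: dict = {}
    tok = tokens[pos]
    if tok == "any":
        endpoint["any"] = True
        pos += 1
    elif tok == "host":                      # assumption: host -> single-address prefix
        endpoint["address"] = tokens[pos + 1] + ("/128" if afi == "ipv6" else "/32")
        pos += 2
    else:                                    # prefix form, e.g. 192.0.2.0/24
        endpoint["address"] = tok
        pos += 1
    if pos < len(tokens) and tokens[pos] in PORT_OPS:
        endpoint["port_protocol"] = {tokens[pos]: tokens[pos + 1]}
        pos += 2
    return endpoint, pos


def parse_ace(line: str, afi: str) -> dict:
    """One ACE line: [seq] grant proto source [port] destination [port] [options...]."""
    tokens = line.split()
    ace: dict = {}
    if tokens[0].isdigit():
        ace["sequence"] = int(tokens.pop(0))
    ace["grant"] = tokens.pop(0)             # permit or deny
    proto = tokens.pop(0)
    ace["source"], pos = _parse_endpoint(tokens, 0, afi)
    ace["destination"], pos = _parse_endpoint(tokens, pos, afi)
    trailing = tokens[pos:]
    if proto == "tcp":
        opts: object = {flag: True for flag in trailing if flag in TCP_FLAGS}
    elif proto == "icmp":
        opts = {name: True for name in trailing}   # e.g. traceroute, echo
    else:
        opts = True                          # ip, udp, ... carry no sub-options here
    ace["protocol_options"] = {proto: opts}
    return ace


def parse_access_lists(text: str) -> List[dict]:
    """Group ACE lines under their ACL headers; returns the list parsed/gathered use."""
    families: Dict[str, dict] = {}
    current: Optional[dict] = None
    afi = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = ACL_HEADER.match(line)
        if header:
            afi = "ipv6" if header.group("v6") else "ipv4"
            family = families.setdefault(afi, {"afi": afi, "acls": []})
            current = {"name": header.group("name"), "aces": []}
            family["acls"].append(current)
            continue
        if current is None:
            raise ValueError(f"ACE line before any ACL header: {line!r}")
        current["aces"].append(parse_ace(line, afi))
    return list(families.values())


def overly_broad(data: List[dict]) -> List[Tuple[str, str, Optional[int]]]:
    """Audit: permit entries matching any source and any destination with no port match."""
    hits = []
    for family in data:
        for acl in family["acls"]:
            for ace in acl["aces"]:
                src, dst = ace["source"], ace["destination"]
                if (ace["grant"] == "permit" and src.get("any") and dst.get("any")
                        and "port_protocol" not in src and "port_protocol" not in dst):
                    hits.append((family["afi"], acl["name"], ace.get("sequence")))
    return hits


if __name__ == "__main__":
    parsed = parse_access_lists(SAMPLE_OUTPUT)
    for afi, name, seq in overly_broad(parsed):
        print(f"{afi} ACL {name} seq {seq}: permit any -> any with no port restriction")
```

The same audit runs unchanged on the gathered result of a real task, since the structure is the one this page documents; only the parser half is specific to the text format.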
Return Values
Common return values are documented separately; the following fields are unique to this module:
- The configuration as structured data after module completion. Returned: when changed.
- The configuration as structured data prior to module invocation. Returned: always.
- The set of commands pushed to the remote device. Returned: always.