amnesh.soodar.soodar_acls module – Manages ACLs on Soodar devices.

Note

This module is part of the amnesh.soodar collection (version 2.0.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install https://soodar.ir/ansible/amnesh.soodar.tar.gz.

To use it in a playbook, specify: amnesh.soodar.soodar_acls.

Synopsis

  • This module configures and manages ACLs on Soodar platforms.

Note

This module has a corresponding action plugin.

Parameters

Parameter

Comments

config

list / elements=dictionary

A list of ACL configuration options.

acls

list / elements=dictionary

A list of Access Control Lists (ACL) attributes.

aces

list / elements=dictionary

The entries within the ACL.

destination

dictionary

Specify the packet destination.

address

string

Host address prefix to match.

any

boolean

Match any destination address.

Choices:

  • false

  • true

port_protocol

dictionary

Specify the destination port along with protocol.

Note: valid only with the TCP/UDP protocol_options.

eq

string

Match only packets on a given port number.

gt

string

Match only packets with a greater port number.

lt

string

Match only packets with a lower port number.

range

dictionary

Port group.

end

string

Specify the end of the port range.

start

string

Specify the start of the port range.

grant

string

Specify the action.

Choices:

  • "permit"

  • "deny"

protocol

string

Specify the protocol to match.

Refer to vendor documentation for valid values.

protocol_options

dictionary

Protocol type.

ah

boolean

Authentication Header Protocol.

Choices:

  • false

  • true

eigrp

boolean

Cisco’s EIGRP routing protocol.

Choices:

  • false

  • true

esp

boolean

Encapsulation Security Payload.

Choices:

  • false

  • true

gre

boolean

GRE tunneling.

Choices:

  • false

  • true

hopopt

boolean

Hop-by-hop options header. Valid for IPv6.

Choices:

  • false

  • true

icmp

dictionary

Internet Control Message Protocol.

administratively_prohibited

boolean

Administratively prohibited

Choices:

  • false

  • true

alternate_address

boolean

Alternate address

Choices:

  • false

  • true

conversion_error

boolean

Datagram conversion

Choices:

  • false

  • true

dod_host_prohibited

boolean

Host prohibited

Choices:

  • false

  • true

dod_net_prohibited

boolean

Net prohibited

Choices:

  • false

  • true

echo

boolean

Echo (ping)

Choices:

  • false

  • true

echo_reply

boolean

Echo reply

Choices:

  • false

  • true

general_parameter_problem

boolean

Parameter problem

Choices:

  • false

  • true

host_isolated

boolean

Host isolated

Choices:

  • false

  • true

host_precedence_unreachable

boolean

Host unreachable for precedence

Choices:

  • false

  • true

host_redirect

boolean

Host redirect

Choices:

  • false

  • true

host_tos_redirect

boolean

Host redirect for TOS

Choices:

  • false

  • true

host_tos_unreachable

boolean

Host unreachable for TOS

Choices:

  • false

  • true

host_unknown

boolean

Host unknown

Choices:

  • false

  • true

host_unreachable

boolean

Host unreachable

Choices:

  • false

  • true

information_reply

boolean

Information replies

Choices:

  • false

  • true

information_request

boolean

Information requests

Choices:

  • false

  • true

mask_reply

boolean

Mask replies

Choices:

  • false

  • true

mask_request

boolean

Mask requests

Choices:

  • false

  • true

mobile_redirect

boolean

Mobile host redirect

Choices:

  • false

  • true

net_redirect

boolean

Network redirect

Choices:

  • false

  • true

net_tos_redirect

boolean

Net redirect for TOS

Choices:

  • false

  • true

net_tos_unreachable

boolean

Network unreachable for TOS

Choices:

  • false

  • true

net_unreachable

boolean

Net unreachable

Choices:

  • false

  • true

network_unknown

boolean

Network unknown

Choices:

  • false

  • true

no_room_for_option

boolean

Parameter required but no room

Choices:

  • false

  • true

option_missing

boolean

Parameter required but not present

Choices:

  • false

  • true

packet_too_big

boolean

Fragmentation needed and DF set

Choices:

  • false

  • true

parameter_problem

boolean

All parameter problems

Choices:

  • false

  • true

port_unreachable

boolean

Port unreachable

Choices:

  • false

  • true

precedence_unreachable

boolean

Precedence cutoff

Choices:

  • false

  • true

protocol_unreachable

boolean

Protocol unreachable

Choices:

  • false

  • true

reassembly_timeout

boolean

Reassembly timeout

Choices:

  • false

  • true

redirect

boolean

All redirects

Choices:

  • false

  • true

router_advertisement

boolean

Router discovery advertisements

Choices:

  • false

  • true

router_solicitation

boolean

Router discovery solicitations

Choices:

  • false

  • true

source_quench

boolean

Source quenches

Choices:

  • false

  • true

source_route_failed

boolean

Source route failed

Choices:

  • false

  • true

time_exceeded

boolean

All time-exceeded messages

Choices:

  • false

  • true

timestamp_reply

boolean

Timestamp replies

Choices:

  • false

  • true

timestamp_request

boolean

Timestamp requests

Choices:

  • false

  • true

traceroute

boolean

Traceroute

Choices:

  • false

  • true

ttl_exceeded

boolean

TTL exceeded

Choices:

  • false

  • true

unreachable

boolean

All unreachables

Choices:

  • false

  • true

igmp

boolean

Internet Group Management Protocol.

Choices:

  • false

  • true

ip

boolean

Any Internet Protocol.

Choices:

  • false

  • true

ipcomp

boolean

Payload Compression Protocol.

Choices:

  • false

  • true

ipinip

boolean

IP in IP tunneling.

Choices:

  • false

  • true

ipv6

boolean

Any IPv6.

Choices:

  • false

  • true

ospf

boolean

OSPF routing protocol.

Choices:

  • false

  • true

pim

boolean

Protocol Independent Multicast.

Choices:

  • false

  • true

protocol_number

integer

An IP protocol number

sctp

boolean

Stream Control Transmission Protocol.

Choices:

  • false

  • true

tcp

dictionary

Match TCP packet flags

ack

boolean

Match on the ACK bit

Choices:

  • false

  • true

fin

boolean

Match on the FIN bit

Choices:

  • false

  • true

psh

boolean

Match on the PSH bit

Choices:

  • false

  • true

rst

boolean

Match on the RST bit

Choices:

  • false

  • true

syn

boolean

Match on the SYN bit

Choices:

  • false

  • true

urg

boolean

Match on the URG bit

Choices:

  • false

  • true

udp

boolean

User Datagram Protocol.

Choices:

  • false

  • true

reflect

boolean

Enable reflect option for this entry.

Choices:

  • false

  • true

remarks

list / elements=string

The remarks/description of the ACL.

The remarks attribute, used within an ACE with or without a sequence number, produces remarks that are pushed before that ACE.

A remarks entry used as the only key of a list item produces remarks that are not tied to any ACE; these are pushed after all the ACEs of the ACL.

Remarks are treated as a block: whenever the remarks of an ACE are updated, all of its remarks are negated and added back, so that the order in which the remarks were given is preserved.

Because the appliance deletes all remarks once the ACE is updated, the set of remarks is re-applied; this is expected behaviour.

sequence

integer

Sequence Number for the Access Control Entry(ACE).

Refer to vendor documentation for valid values.

source

dictionary

Specify the packet source.

address

string

Source network address.

any

boolean

Match any source address.

Choices:

  • false

  • true

port_protocol

dictionary

Specify the source port along with protocol.

Note: valid only with the TCP/UDP protocol_options.

eq

string

Match only packets on a given port number.

gt

string

Match only packets with a greater port number.

lt

string

Match only packets with a lower port number.

range

dictionary

Port group.

end

string

Specify the end of the port range.

start

string

Specify the start of the port range.

name

string / required

The name or the number of the ACL.

afi

string / required

The Address Family Indicator (AFI) for the Access Control Lists (ACL).

Choices:

  • "ipv4"

  • "ipv6"

running_config

string

This option is used only with state parsed.

The value of this option should be the output received from the Soodar device by executing the command sh access-list.

The state parsed reads the configuration from the running_config option and transforms it into Ansible structured data as per the resource module’s argspec; the value is then returned in the parsed key within the result.

state

string

The state the configuration should be left in.

The state merged is the default; it merges the want and have configuration. Because the Soodar platform does not allow updating an ACE at a pre-existing sequence within an ACL, the ACLs resource module errors out in that scenario: with state merged, only the addition of new ACEs at new sequence numbers is allowed.

The states rendered, gathered and parsed do not perform any change on the device.

The state rendered transforms the configuration in the config option into platform-specific CLI commands, which are returned in the rendered key within the result. For state rendered an active connection to the remote host is not required.

The state gathered fetches the running configuration from the device and transforms it into structured data in the format of the resource module argspec; the value is returned in the gathered key within the result.

The state parsed reads the configuration from the running_config option and transforms it into JSON format as per the resource module parameters; the value is returned in the parsed key within the result. The value of the running_config option should be in the same format as the output of the commands sh running-config | section access-list (for all ACL-related information) and sh access-lists | include access list (to obtain the configuration of empty ACLs), both executed on the device. The output of both commands should be kept together, one after the other, for the parsers to pick up the commands correctly. For state parsed an active connection to the remote host is not required.

The state overridden modifies/adds the ACLs defined and deletes all other ACLs.

The state replaced modifies/adds only the ACEs of the ACLs defined. It does not perform any other change on the device.

The state deleted deletes only the specified ACLs, or all ACLs if none are specified.

Choices:

  • "merged" ← (default)

  • "replaced"

  • "overridden"

  • "deleted"

  • "gathered"

  • "rendered"

  • "parsed"

Notes

Note

  • Tested against Soodar Version 23.11

  • This module works with connection amnesh.soodar.network_cli.
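To show the structure the gathered and parsed states return, and the ACE-sequence collision that state merged refuses, here is an added example (not code from the amnesh.soodar collection) that parses the sh running-config | section access-list format shown in this page's examples into the module's argspec shape and pre-checks a want config against it. The sample device output and the want config are constructed from this page's examples; deciding between a standard and an extended ACE by the shape of the token after the grant is my own assumption about the CLI.

```python
"""Parse Soodar ACL running-config into the argspec shape and pre-check for
sequence collisions. Added example, not part of the amnesh.soodar collection."""
import re

# Constructed sample, in the format of this page's "sh running-config | section access-list".
SAMPLE_RUNNING_CONFIG = """\
ip access-list std_acl
   10 deny 192.168.1.200/32
   20 deny 192.168.2.0/24
ip access-list 110
   10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
   20 deny tcp 198.51.100.0/24 198.51.110.0/24 eq telnet ack
ipv6 access-list R1_TRAFFIC
   sequence 10 deny tcp any eq www any eq telnet ack
"""

# Constructed want config: sequence 10 of ACL 110 already exists above, so merged would fail.
WANT = [{"afi": "ipv4", "acls": [{"name": 110, "aces": [
    {"sequence": 10, "grant": "permit", "protocol_options": {"icmp": {"traceroute": True}}},
    {"sequence": 30, "grant": "permit", "protocol_options": {"icmp": {"echo": True}}},
]}]}]

ACL_HEADER = re.compile(r"^(ip|ipv6)\s+access-list\s+(\S+)$")
PORT_OPS = ("eq", "gt", "lt")


def _is_address(tok):
    """'any' or prefix/dotted/colon notation, as opposed to a protocol keyword (assumption)."""
    return tok == "any" or any(c in tok for c in "/.:")


def _parse_endpoint(tokens):
    """Consume one source/destination: address or 'any', then an optional port qualifier."""
    tok = tokens.pop(0)
    ep = {"any": True} if tok == "any" else {"address": tok}
    if tokens and tokens[0] in PORT_OPS:
        op = tokens.pop(0)
        ep["port_protocol"] = {op: tokens.pop(0)}
    elif tokens and tokens[0] == "range":
        tokens.pop(0)
        ep["port_protocol"] = {"range": {"start": tokens.pop(0), "end": tokens.pop(0)}}
    return ep


def parse_ace(line):
    """Turn one ACE line into the ace dictionary shape used by this module's argspec."""
    tokens = line.split()
    ace = {}
    if tokens[0] == "sequence":          # ipv6 ACLs print 'sequence N', ipv4 ones just 'N'
        tokens.pop(0)
    if tokens[0].isdigit():
        ace["sequence"] = int(tokens.pop(0))
    ace["grant"] = tokens.pop(0)
    if not _is_address(tokens[0]):       # extended ACE: protocol, source, destination, options
        ace["protocol"] = tokens.pop(0)
        ace["source"] = _parse_endpoint(tokens)
        ace["destination"] = _parse_endpoint(tokens)
    else:                                # standard ACE: source only
        ace["source"] = _parse_endpoint(tokens)
    if "reflect" in tokens:
        tokens.remove("reflect")
        ace["reflect"] = True
    if tokens and "protocol" in ace:     # leftovers are TCP flags / ICMP message types
        ace["protocol_options"] = {ace["protocol"]: {t: True for t in tokens}}
    return ace


def parse_running_config(text):
    """Group ACEs under their ACL and AFI, like the gathered/parsed result of this module."""
    by_afi = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACL_HEADER.match(line)
        if m:
            afi = "ipv6" if m.group(1) == "ipv6" else "ipv4"
            current = {"name": m.group(2), "aces": []}
            by_afi.setdefault(afi, []).append(current)
        elif current is not None:
            current["aces"].append(parse_ace(line))
    return [{"afi": afi, "acls": acls} for afi, acls in by_afi.items()]


def find_sequence_collisions(have, want):
    """(afi, acl, sequence) triples in 'want' that already exist on the device.

    State merged errors out on these; state replaced or overridden is needed instead."""
    existing = set()
    for fam in have:
        for acl in fam["acls"]:
            for ace in acl["aces"]:
                if "sequence" in ace:
                    existing.add((fam["afi"], str(acl["name"]), ace["sequence"]))
    return [
        (fam["afi"], str(acl["name"]), ace["sequence"])
        for fam in want
        for acl in fam["acls"]
        for ace in acl.get("aces", [])
        if (fam["afi"], str(acl["name"]), ace.get("sequence")) in existing
    ]


if __name__ == "__main__":
    have = parse_running_config(SAMPLE_RUNNING_CONFIG)
    for afi, name, seq in find_sequence_collisions(have, WANT):
        print(f"sequence {seq} of {afi} ACL {name} exists: merged would fail, use replaced")
```

Run it before a merged task to get the same refusal the module reports, without touching the device.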

Examples

# Using merged

# Before state:
# -------------
#
# Router# sh running-config | section access-list
# ip access-list 110
#    10 deny icmp 192.0.2.0/24 192.0.3.0/24 echo

- name: Merge provided configuration with device configuration
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
        acls:
          - name: std_acl
            aces:
              - grant: deny
                source:
                  address: 192.168.1.200/32
              - grant: deny
                source:
                  address: 192.168.2.0/24
          - name: 110
            aces:
              - sequence: 10
                protocol_options:
                  icmp:
                    traceroute: true
                source:
                  address: 192.168.3.0/24
                destination:
                  any: true
                grant: permit
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 198.51.100.0/24
                destination:
                  address: 198.51.110.0/24
                  port_protocol:
                    eq: telnet
          - name: extended_acl_1
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    fin: true
                source:
                  address: 192.0.2.0/24
                destination:
                  address: 192.0.3.0/24
                  port_protocol:
                    eq: www
          - name: 123
            aces:
              - remarks:
                  - "remarks for extended ACL 1"
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 198.51.100.0/24
                destination:
                  address: 198.51.101.0/24
                  port_protocol:
                    eq: telnet
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 192.0.3.0/24
                destination:
                  address: 192.0.4.0/24
                  port_protocol:
                    eq: www
      - afi: ipv6
        acls:
          - name: R1_TRAFFIC
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  any: true
                  port_protocol:
                    eq: www
                destination:
                  any: true
                  port_protocol:
                    eq: telnet
    state: merged

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            echo: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      name: '100'
#    afi: ipv4
# commands:
#  - ip access-list 110
#  - deny tcp 198.51.100.0/24 198.51.110.0/24 eq telnet ack
#  - 30 permit icmp 192.168.3.0/24 any traceroute
#  - ip access-list extended_acl_1
#  - deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
#  - ip access-list std_acl
#  - deny 192.168.1.200/32
#  - deny 192.168.2.0/24
#  - ip access-list 123
#  - deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
#  - deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
#  - remark remarks for extended ACL 1
#  - ipv6 access-list R1_TRAFFIC
#  - deny tcp any eq www any eq telnet ack
# after:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            echo: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      - destination:
#          address: 198.51.110.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 198.51.100.0/24
#      - destination:
#          any: true
#        grant: permit
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 30
#        source:
#          address: 192.168.3.0/24
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0/24
#      - destination:
#          address: 192.0.4.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0/24
#      - remarks:
#        - remarks for extended ACL 1
#      name: '123'
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      name: extended_acl_1
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          address: 192.168.1.200/32
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0/24
#      name: std_acl
#    afi: ipv4
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6

# After state:
# ------------
#
# Router# sh running-config | section access-list
# ip access-list std_acl
#    10 deny 192.168.1.200/32
#    20 deny 192.168.2.0/24
# ip access-list 100
#    10 deny icmp 192.0.2.0/24 192.0.3.0/24 echo
# ip access-list 110
#    10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
#    20 deny tcp 198.51.100.0/24 198.51.110.0/24 eq telnet ack
# ip access-list 123
#    10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
#    20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# ip access-list test
#    10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack

# Router# show running-config | include ip(v6)* access-list|remark
# ip access-list std_acl
# ip access-list extended_acl_1
# ip access-list 110
# ip access-list 123
#  remark remarks for extended ACL 1
# ipv6 access-list R1_TRAFFIC

# Using merged (update existing ACE - will fail)

# Before state:
# -------------
#
# Router# sh running-config | section access-list
# ip access-list 100
#    10 deny icmp 192.0.2.0/24 192.0.3.0/24 echo

- name: Merge provided configuration with device configuration
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
        acls:
          - name: 100
            aces:
              - sequence: 10
                protocol_options:
                  icmp:
                    traceroute: true
    state: merged

# After state:
# ------------
#
# Play Execution fails, with error:
# Cannot update existing sequence 10 of ACLs 100 with state merged.
# Please use state replaced or overridden.

# Using replaced

# Before state:
# -------------
#
# Router# sh running-config | section access-list
# ip access-list std_acl
#    10 deny 192.168.1.200
#    20 deny 192.168.2.0 0.0.0.255
# ip access-list 110
#    10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
#    20 deny tcp 198.51.100.0/24 198.51.110.0/24 eq telnet ack
# ip access-list 123
#    10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
#    20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack
# ip access-list test
#    10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin

- name: Replaces device configuration of listed acls with provided configuration
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 192.0.2.0/24
                destination:
                  address: 192.0.3.0/24
                  port_protocol:
                    eq: www
          - name: 150
            aces:
              - grant: deny
                sequence: 20
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0/24
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0/24
                  port_protocol:
                    eq: telnet
    state: replaced

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      - destination:
#          address: 198.51.110.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 198.51.100.0/24
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0/24
#      - destination:
#          address: 192.0.4.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0/24
#      name: '123'
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          address: 192.168.1.200/32
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0/24
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      name: test
#    afi: ipv4
# commands:
#  - ip access-list 110
#  - no 10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
#  - no 20 deny tcp 198.51.100.0/24 198.51.110.0/24 eq telnet ack
#  - deny tcp 192.0.2.0/24 192.0.3.0/24 eq www syn
#  - ip access-list 150
#  - 20 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq telnet syn
# after:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            syn: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0/24
#      - destination:
#          address: 192.0.4.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0/24
#      name: '123'
#    - aces:
#      - destination:
#          address: 198.51.110.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            syn: true
#        sequence: 20
#        source:
#          address: 198.51.100.0/24
#          port_protocol:
#            eq: telnet
#      name: '150'
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          address: 192.168.1.200/32
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0/24
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      name: test
#    afi: ipv4

# After state:
# -------------
#
# Router# sh access-lists
# ip access-list std_acl
#    10 deny 192.168.1.200/32
#    20 deny 192.168.2.0/24
# ip access-list 110
#    10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www syn
# ip access-list 123
#    10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
#    20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# ip access-list 150
#    20 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq telnet syn
# ip access-list test
#    10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack

# Using overridden

# Before state:
# -------------
#
# Router# sh access-lists
# ip access-list std_acl
#     10 deny 192.168.1.200/32
#     20 deny 192.168.2.0/24
# ip access-list 110
#     10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
#     20 deny tcp 198.51.100.0/24 198.51.110.0/24 eq telnet ack
# ip access-list 123
#     10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
#     20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# ip access-list R1_TRAFFIC
#     10 deny tcp any eq www any eq telnet ack
# ip access-list test
#     10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin

- name: Override device configuration of all acls with provided configuration
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                sequence: 20
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 198.51.100.0/24
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0/24
                  port_protocol:
                    eq: www
          - name: 150
            aces:
              - grant: deny
                sequence: 10
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0/24
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0/24
                  port_protocol:
                    eq: telnet
          - name: implicit_deny
            aces:
              - grant: deny
                sequence: 10
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0/24
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0/24
                  port_protocol:
                    eq: telnet
    state: overridden

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      - destination:
#          host: 198.51.110.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0/24
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0/24
#      - destination:
#          address: 192.0.4.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0/24
#      name: '123'
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          address: 192.168.1.200/32
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0/24
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      name: test
#    afi: ipv4
# commands:
#  - ip access-list 110
#  - no 20 deny tcp 198.51.100.0/24 198.51.110.0/24 eq telnet ack
#  - no 10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
#  - 20 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq www ack
#  - ip access-list 150
#  - 10 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq telnet syn
#  - no ip access-list 123
#  - no ip access-list R1_TRAFFIC
#  - no ip access-list std_acl
#  - no ip access-list test
# after:
#  - acls:
#    - aces:
#      - destination:
#          address: 198.51.110.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 198.51.100.0/24
#          port_protocol:
#            eq: telnet
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.110.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            syn: true
#        sequence: 10
#        source:
#          address: 198.51.100.0/24
#          port_protocol:
#            eq: telnet
#      name: '150'
#    afi: ipv4

# After state:
# -------------
#
# Router# sh running-config | section access-list
# ip access-list 110
#     20 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq www ack
# ip access-list 150
#     10 deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq telnet syn

# Using deleted - delete ACL(s)

# Before state:
# -------------
#
# Router# sh access-lists
# ip access-list std_acl
#     10 deny 192.168.1.200/32
#     20 deny 192.168.2.0/24
# ip access-list 110
#     10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
#     20 deny tcp 198.51.100.0/24 198.51.110.0/24 eq telnet ack
# ip access-list 123
#     10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
#     20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# ip access-list extended_acl_1
#     10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin

- name: "Delete ACLs (Note: this won't delete all the configured ACLs)"
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
        acls:
          - name: extended_acl_1
          - name: 110
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      - destination:
#          address: 198.51.110.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 198.51.100.0/24
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0/24
#      - destination:
#          address: 192.0.4.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0/24
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          address: 192.168.1.200/32
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0/24
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      name: extended_acl_1
#    afi: ipv4
# commands:
#  - no ip access-list 110
#  - no ip access-list extended_acl_1
# after:
#  - acls:
#    - aces:
#      - destination:
#          address: 198.51.101.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0/24
#      - destination:
#          address: 192.0.4.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0/24
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          address: 192.168.1.200/32
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0/24
#      name: std_acl
#    afi: ipv4

# After state:
# -------------
#
# Router# sh running-config | section access-list
# ip access-list std_acl
#    10 deny 192.168.1.200/32
#    20 deny 192.168.2.0/24
# ip access-list 123
#    10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
#    20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack

# Using deleted - delete ACLs based on AFI

# Before state:
# -------------
#
# Router# sh running-config | section access-list
# ip access-list std_acl
#     10 deny 192.168.1.200/32
#     20 deny 192.168.2.0/24
# ip access-list 110
#     10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
#     20 deny tcp 198.51.100.0/24 198.51.110.0/24 eq telnet ack
# ip access-list 123
#     10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
#     20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# ip access-list test
#     10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# ipv6 access-list R1_TRAFFIC
#     sequence 10 deny tcp any eq www any eq telnet ack

- name: "Delete ACLs based on AFI (Note: This won't delete all the configured ACLs)"
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      - destination:
#          address: 198.51.110.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 198.51.100.0/24
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0/24
#      - destination:
#          address: 192.0.4.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0/24
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          address: 192.168.1.200/32
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0/24
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      name: test
#    afi: ipv4
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6
# commands:
#  - no ip access-list 110
#  - no ip access-list 123
#  - no ip access-list std_acl
#  - no ip access-list test
# after:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6

# After state:
# -------------
#
# Router# sh running-config | section access-list
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack


# Using deleted - delete all ACLs

# Before state:
# -------------
#
# Router# sh access-lists
# ip access-list std_acl
#     10 deny 192.168.1.200/32
#     20 deny 192.168.2.0/24
# ip access-list 110
#     10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
#     20 deny tcp 198.51.100.0/24 198.51.110.0/24 eq telnet ack
# ip access-list 123
#     10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
#     20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# ip access-list test
#     10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# ipv6 access-list R1_TRAFFIC
#     sequence 10 deny tcp any eq www any eq telnet ack

- name: Delete ALL configured ACLs
  amnesh.soodar.soodar_acls:
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      - destination:
#          address: 198.51.110.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 198.51.100.0/24
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0/24
#      - destination:
#          address: 192.0.4.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0/24
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          address: 192.168.1.200/32
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0/24
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      name: test
#    afi: ipv4
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6
# commands:
#  - no ip access-list 110
#  - no ip access-list 123
#  - no ip access-list std_acl
#  - no ip access-list test
#  - no ipv6 access-list R1_TRAFFIC
# after: []

# After state:
# -------------
#
# Router# sh running-config | section access-list

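The three deleted forms above differ only in how they select ACLs: named ACLs within an AFI, every ACL of one AFI, or, with no config at all, every ACL on the device, the IPv6 list included. The Python below is an added example, not code from the amnesh.soodar collection or its action plugin: it models that selection and derives the commands and after state from a before state in the module's own structured layout, so the effect of a deleted task can be checked from the before output before it reaches a device. The constructed before state mirrors the delete-all example; the per-AFI sort order of the commands and the silent skipping of names that do not exist on the device are assumptions about the module, not behaviour the page documents.

```python
# Added example (not part of the amnesh.soodar collection): models how the
# three 'state: deleted' forms select ACLs and what commands/after-state result.
from typing import Dict, List, Optional, Tuple

# Device-native keyword per address family, as seen in the 'commands' output.
AFI_KEYWORD = {"ipv4": "ip", "ipv6": "ipv6"}

# Constructed before-state matching the "delete all ACLs" example; ACE detail is
# trimmed to one entry each because deletion only looks at ACL names.
BEFORE = [
    {"afi": "ipv4", "acls": [
        {"name": "std_acl", "aces": [{"grant": "deny", "sequence": 10,
                                      "source": {"address": "192.168.1.200/32"}}]},
        {"name": "110", "aces": [{"grant": "deny", "sequence": 10, "protocol": "icmp"}]},
        {"name": "123", "aces": [{"grant": "deny", "sequence": 10, "protocol": "tcp"}]},
        {"name": "test", "aces": [{"grant": "deny", "sequence": 10, "protocol": "tcp"}]},
    ]},
    {"afi": "ipv6", "acls": [
        {"name": "R1_TRAFFIC", "aces": [{"grant": "deny", "sequence": 10, "protocol": "tcp"}]},
    ]},
]


def select_for_deletion(before: List[Dict], config: Optional[List[Dict]]) -> Dict[str, List[str]]:
    """Map afi -> sorted ACL names that 'state: deleted' would remove.

    * config empty/None          -> every ACL in every AFI (delete all)
    * entry with afi only        -> every ACL in that AFI
    * entry listing acls by name -> only those names (compared as strings, so a
      YAML integer name like 110 matches the device's '110')
    Names absent from the device are skipped (assumption, not documented).
    """
    have = {entry["afi"]: {str(acl["name"]) for acl in entry.get("acls", [])}
            for entry in before}
    if not config:
        return {afi: sorted(names) for afi, names in have.items()}
    selected: Dict[str, set] = {}
    for want in config:
        afi = want["afi"]
        wanted = {str(acl["name"]) for acl in (want.get("acls") or [])}
        present = have.get(afi, set())
        selected.setdefault(afi, set()).update(present if not wanted else wanted & present)
    return {afi: sorted(names) for afi, names in selected.items() if names}


def apply_deleted(before: List[Dict], config: Optional[List[Dict]] = None) -> Tuple[List[str], List[Dict]]:
    """Return (commands, after) the way the module's task output reports them."""
    targets = select_for_deletion(before, config)
    commands = [f"no {AFI_KEYWORD[afi]} access-list {name}"
                for afi in (e["afi"] for e in before)      # keep device AFI order
                for name in targets.get(afi, [])]
    after = []
    for entry in before:
        kept = [acl for acl in entry.get("acls", [])
                if str(acl["name"]) not in targets.get(entry["afi"], [])]
        if kept:                                           # AFI entry vanishes when empty
            after.append({"afi": entry["afi"], "acls": kept})
    return commands, after


if __name__ == "__main__":
    for label, cfg in [("by name", [{"afi": "ipv4", "acls": [{"name": "test"}, {"name": 110}]}]),
                       ("by AFI", [{"afi": "ipv4"}]),
                       ("all", None)]:
        cmds, after = apply_deleted(BEFORE, cfg)
        print(label, cmds, [e["afi"] for e in after])
```

Running the script prints the command list for each form; the "all" form is the one to inspect most carefully, since an empty config removes the IPv6 ACL as well, leaving the after state empty.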

# Using gathered

# Before state:
# -------------
#
# Router# sh access-lists
# ip access-list std_acl
#    10 deny 192.168.1.200/32
#    20 deny 192.168.2.0/24
# ip access-list 110
#    10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
#    20 deny tcp 198.51.100.0/24 198.51.110.0/24 eq telnet ack
# ip access-list 123
#    10 deny tcp 198.51.100.0/24 198.51.101.0/24 eq telnet ack
#    20 deny tcp 192.0.3.0/24 192.0.4.0/24 eq www ack
# ip access-list test
#    10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www fin
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack

- name: Gather ACLs configuration from target device
  amnesh.soodar.soodar_acls:
    state: gathered

# Module Execution Result:
# ------------------------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      - destination:
#          address: 198.51.110.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 198.51.100.0/24
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0/24
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0/24
#      - destination:
#          address: 192.0.4.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0/24
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          address: 192.168.1.200/32
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0/24
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0/24
#          port_protocol:
#            eq: www
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0/24
#      name: test
#    afi: ipv4
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6

# Using rendered

- name: Render the provided configuration into platform specific configuration lines
  amnesh.soodar.soodar_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                sequence: 10
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 192.0.2.0/24
                destination:
                  address: 192.0.3.0/24
                  port_protocol:
                    eq: www
          - name: 150
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0/24
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0/24
                  port_protocol:
                    eq: telnet
    state: rendered

# Module Execution Result:
# ------------------------
#
# rendered:
#  - ip access-list 110
#  - 10 deny tcp 192.0.2.0/24 192.0.3.0/24 eq www syn
#  - ip access-list 150
#  - deny tcp 198.51.100.0/24 eq telnet 198.51.110.0/24 eq telnet syn

# Using parsed

# File: parsed.cfg
# ----------------
#
# IPv6 access-list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack

- name: Parse the commands for provided configuration
  amnesh.soodar.soodar_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed

# Module Execution Result:
# ------------------------
#
# parsed:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6
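
The rendered and parsed states above are offline translations between the module's structured layout and device-native lines, which makes them the natural place to check that a captured running-config and a playbook describe the same filtering. The Python below is an added example, not code from the amnesh.soodar collection or its action plugin: it implements both directions for the ACE grammar that appears on this page (optional sequence keyword and number, grant, optional protocol, source with optional port clause, destination with optional port clause, trailing flags) and the ip/ipv6 access-list headers. SAMPLE_CONFIG is constructed from the running-config in the delete-all example. Inferring the protocol from protocol_options when protocol is omitted (as the rendered example's second ACL does) and the handling of the range port form are my assumptions about the module.

```python
# Added example, not code from the amnesh.soodar collection: a parser and renderer
# for the device-native ACL lines shown on this page, using the same structured
# layout as the module's 'parsed' and 'rendered' states.
import re
from typing import Dict, List, Tuple

PORT_OPS = ("eq", "gt", "lt", "range")
AFI_KEYWORD = {"ipv4": "ip", "ipv6": "ipv6"}


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[Dict, int]:
    """Consume 'any' or an address/prefix, then an optional port clause."""
    ep: Dict = {"any": True} if tokens[i] == "any" else {"address": tokens[i]}
    i += 1
    if i < len(tokens) and tokens[i] in PORT_OPS:
        op = tokens[i]
        if op == "range":                               # assumed form, not on the page
            ep["port_protocol"] = {"range": {"start": tokens[i + 1], "end": tokens[i + 2]}}
            i += 3
        else:
            ep["port_protocol"] = {op: tokens[i + 1]}
            i += 2
    return ep, i


def parse_ace(line: str) -> Dict:
    """Parse '[sequence] [N] grant [protocol] src [port] dst [port] [flags...]'."""
    t = line.split()
    ace: Dict = {}
    i = 1 if t[0] == "sequence" else 0                  # IPv6 lines carry the keyword
    if t[i].isdigit():
        ace["sequence"] = int(t[i])
        i += 1
    ace["grant"] = t[i]
    i += 1
    # Standard (source-only) ACE: an address, not a protocol, follows the grant.
    if t[i] == "any" or "/" in t[i] or re.fullmatch(r"[\d.]+", t[i]):
        ace["source"], _ = _parse_endpoint(t, i)
        return ace
    ace["protocol"] = t[i]
    ace["source"], i = _parse_endpoint(t, i + 1)
    ace["destination"], i = _parse_endpoint(t, i)
    if i < len(t):                                      # trailing flags: ack, syn, fin, traceroute, ...
        ace["protocol_options"] = {ace["protocol"]: {flag: True for flag in t[i:]}}
    return ace


def parse_config(text: str) -> List[Dict]:
    """Group 'ip/ipv6 access-list NAME' sections by AFI, as the 'parsed' output does."""
    by_afi: Dict[str, List[Dict]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.fullmatch(r"(ip|ipv6)\s+access-list\s+(\S+)", line, re.IGNORECASE)
        if m:
            afi = "ipv6" if m.group(1).lower() == "ipv6" else "ipv4"
            current = {"name": m.group(2), "aces": []}
            by_afi.setdefault(afi, []).append(current)
        elif current is not None:
            current["aces"].append(parse_ace(line))
    return [{"afi": afi, "acls": acls} for afi, acls in by_afi.items()]


def _render_endpoint(ep: Dict) -> str:
    out = "any" if ep.get("any") else ep["address"]
    pp = ep.get("port_protocol") or {}
    if "range" in pp:
        return f"{out} range {pp['range']['start']} {pp['range']['end']}"
    for op in ("eq", "gt", "lt"):
        if op in pp:
            return f"{out} {op} {pp[op]}"
    return out


def render_ace(ace: Dict, afi: str = "ipv4") -> str:
    """Inverse of parse_ace; 'sequence' is only a keyword on IPv6 lines."""
    parts: List[str] = []
    if "sequence" in ace:
        parts += (["sequence"] if afi == "ipv6" else []) + [str(ace["sequence"])]
    # Assumption: with 'protocol' omitted, the protocol_options key names it.
    proto = ace.get("protocol") or next(iter(ace.get("protocol_options") or {}), None)
    parts += [ace["grant"]] + ([proto] if proto else [])
    parts.append(_render_endpoint(ace["source"]))
    if "destination" in ace:
        parts.append(_render_endpoint(ace["destination"]))
    flags = (ace.get("protocol_options") or {}).get(proto, {})
    parts += [flag for flag, on in flags.items() if on]
    return " ".join(parts)


def render_config(config: List[Dict]) -> List[str]:
    """Flat command list in the shape the 'rendered' state returns."""
    lines: List[str] = []
    for entry in config:
        for acl in entry["acls"]:
            lines.append(f"{AFI_KEYWORD[entry['afi']]} access-list {acl['name']}")
            lines += [render_ace(ace, entry["afi"]) for ace in acl["aces"]]
    return lines


# Constructed sample: the running-config from the "delete all ACLs" example above.
SAMPLE_CONFIG = """
ip access-list std_acl
    10 deny 192.168.1.200/32
    20 deny 192.168.2.0/24
ip access-list 110
    10 deny icmp 192.0.2.0/24 192.0.3.0/24 traceroute
    20 deny tcp 198.51.100.0/24 198.51.110.0/24 eq telnet ack
ipv6 access-list R1_TRAFFIC
    sequence 10 deny tcp any eq www any eq telnet ack
"""
```

render_config(parse_config(SAMPLE_CONFIG)) gives back the input lines with indentation normalised, which is the round-trip property worth checking whenever a parser like this is pointed at a config captured from a real device: any line that does not survive the round trip is one whose structured form (and therefore the module's diff) cannot be trusted.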

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

after

dictionary

The resulting configuration after module execution.

Returned: when changed

Sample: "This output will always be in the same format as the module argspec.\n"

before

dictionary

The configuration prior to the module execution.

Returned: when state is merged, replaced, overridden, deleted or purged

Sample: "This output will always be in the same format as the module argspec.\n"

commands

list / elements=string

The set of commands pushed to the remote device.

Returned: when state is merged, replaced, overridden, deleted or purged

Sample: ["sample command 1", "sample command 2", "sample command 3"]

gathered

list / elements=string

Facts about the network resource gathered from the remote device as structured data.

Returned: when state is gathered

Sample: ["This output will always be in the same format as the module argspec.\n"]

parsed

list / elements=string

The device-native configuration provided in the running_config option, parsed into structured data as per the module argspec.

Returned: when state is parsed

Sample: ["This output will always be in the same format as the module argspec.\n"]

rendered

list / elements=string

The provided configuration in the task rendered in device-native format (offline).

Returned: when state is rendered

Sample: ["sample command 1", "sample command 2", "sample command 3"]

Authors

  • Sumit Jaiswal (@justjais)

  • Sagar Paul (@KB-perByte)

  • Mahdi Varasteh (@m-varasteh)