Note
This plugin is part of the cisco.ios collection (version 2.5.0).
You might already have this collection installed if you are using the ansible
package. It is not included in ansible-core
. To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install cisco.ios
.
To use it in a playbook, specify: cisco.ios.ios_acls
.
New in version 1.0.0: of cisco.ios
Note
This module has a corresponding action plugin.
Parameter | Choices/Defaults | Comments | ||||||
---|---|---|---|---|---|---|---|---|
config list / elements=dictionary | A dictionary of ACL options. | |||||||
acls list / elements=dictionary | A list of Access Control Lists (ACL). | |||||||
aces list / elements=dictionary | The entries within the ACL. | |||||||
destination dictionary | Specify the packet destination. | |||||||
address string | Host address to match, or any single host address. | |||||||
any boolean |
| Match any source address. | ||||||
host string | A single destination host | |||||||
object_group string | Destination network object group | |||||||
port_protocol dictionary | Specify the destination port along with protocol. Note, Valid with TCP/UDP protocol_options | |||||||
eq string | Match only packets on a given port number. | |||||||
gt string | Match only packets with a greater port number. | |||||||
lt string | Match only packets with a lower port number. | |||||||
neq string | Match only packets not on a given port number. | |||||||
range dictionary | Port group. | |||||||
end integer | Specify the end of the port range. | |||||||
start integer | Specify the start of the port range. | |||||||
wildcard_bits string | Destination wildcard bits, valid with IPV4 address. | |||||||
dscp string | Match packets with given dscp value. | |||||||
evaluate string | Evaluate an access list | |||||||
fragments string | Check non-initial fragments. | |||||||
grant string |
| Specify the action. | ||||||
log dictionary | Log matches against this entry. | |||||||
set boolean |
| Enable Log matches against this entry | ||||||
user_cookie string | User defined cookie (max of 64 char) | |||||||
log_input dictionary | Log matches against this entry, including input interface. | |||||||
set boolean |
| Enable Log matches against this entry, including input interface. | ||||||
user_cookie string | User defined cookie (max of 64 char) | |||||||
option dictionary | Match packets with given IP Options value. Valid only for named acls. | |||||||
add_ext boolean |
| Match packets with Address Extension Option (147). | ||||||
any_options boolean |
| Match packets with ANY Option. | ||||||
com_security boolean |
| Match packets with Commercial Security Option (134). | ||||||
dps boolean |
| Match packets with Dynamic Packet State Option (151). | ||||||
encode boolean |
| Match packets with Encode Option (15). | ||||||
eool boolean |
| Match packets with End of Options (0). | ||||||
ext_ip boolean |
| Match packets with Extended IP Option (145). | ||||||
ext_security boolean |
| Match packets with Extended Security Option (133). | ||||||
finn boolean |
| Match packets with Experimental Flow Control Option (205). | ||||||
imitd boolean |
| Match packets with IMI Traffic Desriptor Option (144). | ||||||
lsr boolean |
| Match packets with Loose Source Route Option (131). | ||||||
mtup boolean |
| Match packets with MTU Probe Option (11). | ||||||
mtur boolean |
| Match packets with MTU Reply Option (12). | ||||||
no_op boolean |
| Match packets with No Operation Option (1). | ||||||
nsapa boolean |
| Match packets with NSAP Addresses Option (150). | ||||||
record_route boolean |
| Match packets with Record Route Option (7). | ||||||
router_alert boolean |
| Match packets with Router Alert Option (148). | ||||||
sdb boolean |
| Match packets with Selective Directed Broadcast Option (149). | ||||||
security boolean |
| Match packets with Basic Security Option (130). | ||||||
ssr boolean |
| Match packets with Strict Source Routing Option (137). | ||||||
stream_id boolean |
| Match packets with Stream ID Option (136). | ||||||
timestamp boolean |
| Match packets with Time Stamp Option (68). | ||||||
traceroute boolean |
| Match packets with Trace Route Option (82). | ||||||
ump boolean |
| Match packets with Upstream Multicast Packet Option (152). | ||||||
visa boolean |
| Match packets with Experimental Access Control Option (142). | ||||||
zsu boolean |
| Match packets with Experimental Measurement Option (10). | ||||||
precedence integer | Match packets with given precedence value. | |||||||
protocol string | Specify the protocol to match. Refer to vendor documentation for valid values. | |||||||
protocol_options dictionary | protocol type. | |||||||
ahp boolean |
| Authentication Header Protocol. | ||||||
eigrp boolean |
| Cisco's EIGRP routing protocol. | ||||||
esp boolean |
| Encapsulation Security Payload. | ||||||
gre boolean |
| Cisco's GRE tunneling. | ||||||
hbh boolean |
| Hop by Hop options header. Valid for IPV6 | ||||||
icmp dictionary | Internet Control Message Protocol. | |||||||
administratively_prohibited boolean |
| Administratively prohibited | ||||||
alternate_address boolean |
| Alternate address | ||||||
conversion_error boolean |
| Datagram conversion | ||||||
dod_host_prohibited boolean |
| Host prohibited | ||||||
dod_net_prohibited boolean |
| Net prohibited | ||||||
echo boolean |
| Echo (ping) | ||||||
echo_reply boolean |
| Echo reply | ||||||
general_parameter_problem boolean |
| Parameter problem | ||||||
host_isolated boolean |
| Host isolated | ||||||
host_precedence_unreachable boolean |
| Host unreachable for precedence | ||||||
host_redirect boolean |
| Host redirect | ||||||
host_tos_redirect boolean |
| Host redirect for TOS | ||||||
host_tos_unreachable boolean |
| Host unreachable for TOS | ||||||
host_unknown boolean |
| Host unknown | ||||||
host_unreachable boolean |
| Host unreachable | ||||||
information_reply boolean |
| Information replies | ||||||
information_request boolean |
| Information requests | ||||||
mask_reply boolean |
| Mask replies | ||||||
mask_request boolean |
| mask_request | ||||||
mobile_redirect boolean |
| Mobile host redirect | ||||||
net_redirect boolean |
| Network redirect | ||||||
net_tos_redirect boolean |
| Net redirect for TOS | ||||||
net_tos_unreachable boolean |
| Network unreachable for TOS | ||||||
net_unreachable boolean |
| Net unreachable | ||||||
network_unknown boolean |
| Network unknown | ||||||
no_room_for_option boolean |
| Parameter required but no room | ||||||
option_missing boolean |
| Parameter required but not present | ||||||
packet_too_big boolean |
| Fragmentation needed and DF set | ||||||
parameter_problem boolean |
| All parameter problems | ||||||
port_unreachable boolean |
| Port unreachable | ||||||
precedence_unreachable boolean |
| Precedence cutoff | ||||||
protocol_unreachable boolean |
| Protocol unreachable | ||||||
reassembly_timeout boolean |
| Reassembly timeout | ||||||
redirect boolean |
| All redirects | ||||||
router_advertisement boolean |
| Router discovery advertisements | ||||||
router_solicitation boolean |
| Router discovery solicitations | ||||||
source_quench boolean |
| Source quenches | ||||||
source_route_failed boolean |
| Source route failed | ||||||
time_exceeded boolean |
| All time exceededs | ||||||
timestamp_reply boolean |
| Timestamp replies | ||||||
timestamp_request boolean |
| Timestamp requests | ||||||
traceroute boolean |
| Traceroute | ||||||
ttl_exceeded boolean |
| TTL exceeded | ||||||
unreachable boolean |
| All unreachables | ||||||
igmp dictionary | Internet Gateway Message Protocol. | |||||||
dvmrp boolean |
| Distance Vector Multicast Routing Protocol(2) | ||||||
host_query boolean |
| IGMP Membership Query(0) | ||||||
mtrace_resp boolean |
| Multicast Traceroute Response(7) | ||||||
mtrace_route boolean |
| Multicast Traceroute(8) | ||||||
pim boolean |
| Protocol Independent Multicast(3) | ||||||
trace boolean |
| Multicast trace(4) | ||||||
v1host_report boolean |
| IGMPv1 Membership Report(1) | ||||||
v2host_report boolean |
| IGMPv2 Membership Report(5) | ||||||
v2leave_group boolean |
| IGMPv2 Leave Group(6) | ||||||
v3host_report boolean |
| IGMPv3 Membership Report(9) | ||||||
ip boolean |
| Any Internet Protocol. | ||||||
ipinip boolean |
| IP in IP tunneling. | ||||||
ipv6 boolean |
| Any IPv6. | ||||||
nos boolean |
| KA9Q NOS compatible IP over IP tunneling. | ||||||
ospf boolean |
| OSPF routing protocol. | ||||||
pcp boolean |
| Payload Compression Protocol. | ||||||
pim boolean |
| Protocol Independent Multicast. | ||||||
protocol_number integer | An IP protocol number | |||||||
sctp boolean |
| Stream Control Transmission Protocol. | ||||||
tcp dictionary | Match TCP packet flags | |||||||
ack boolean |
| Match on the ACK bit | ||||||
established boolean |
| Match established connections | ||||||
fin boolean |
| Match on the FIN bit | ||||||
psh boolean |
| Match on the PSH bit | ||||||
rst boolean |
| Match on the RST bit | ||||||
syn boolean |
| Match on the SYN bit | ||||||
urg boolean |
| Match on the URG bit | ||||||
udp boolean |
| User Datagram Protocol. | ||||||
sequence integer | Sequence Number for the Access Control Entry(ACE). Refer to vendor documentation for valid values. | |||||||
source dictionary | Specify the packet source. | |||||||
address string | Source network address. | |||||||
any boolean |
| Match any source address. | ||||||
host string | A single source host | |||||||
object_group string | Source network object group | |||||||
port_protocol dictionary | Specify the source port along with protocol. Note, Valid with TCP/UDP protocol_options | |||||||
eq string | Match only packets on a given port number. | |||||||
gt string | Match only packets with a greater port number. | |||||||
lt string | Match only packets with a lower port number. | |||||||
neq string | Match only packets not on a given port number. | |||||||
range dictionary | Port group. | |||||||
end integer | Specify the end of the port range. | |||||||
start integer | Specify the start of the port range. | |||||||
wildcard_bits string | Source wildcard bits, valid with IPV4 address. | |||||||
time_range string | Specify a time-range. | |||||||
tos dictionary | Match packets with given TOS value. Note, DSCP and TOS are mutually exclusive | |||||||
max_reliability boolean |
| Match packets with max reliable TOS (2). | ||||||
max_throughput boolean |
| Match packets with max throughput TOS (4). | ||||||
min_delay boolean |
| Match packets with min delay TOS (8). | ||||||
min_monetary_cost boolean |
| Match packets with min monetary cost TOS (1). | ||||||
normal boolean |
| Match packets with normal TOS (0). | ||||||
service_value integer | Type of service value | |||||||
ttl dictionary | Match packets with given TTL value. | |||||||
eq integer | Match only packets on a given TTL number. | |||||||
gt integer | Match only packets with a greater TTL number. | |||||||
lt integer | Match only packets with a lower TTL number. | |||||||
neq integer | Match only packets not on a given TTL number. | |||||||
range dictionary | Match only packets in the range of TTLs. | |||||||
end integer | Specify the end of the port range. | |||||||
start integer | Specify the start of the port range. | |||||||
acl_type string |
| ACL type Note, it's mandatory and required for Named ACL, but for Numbered ACL it's not mandatory. | ||||||
name string / required | The name or the number of the ACL. | |||||||
afi string / required |
| The Address Family Indicator (AFI) for the Access Control Lists (ACL). | ||||||
running_config string | This option is used only with state parsed. The value of this option should be the output received from the IOS device by executing the command sh access-list. The state parsed reads the configuration from running_config option and transforms it into Ansible structured data as per the resource module's argspec and the value is then returned in the parsed key within the result. | |||||||
state string |
| The state the configuration should be left in The states merged is the default state which merges the want and have config, but for ACL module as the IOS platform doesn't allow update of ACE over an pre-existing ACE sequence in ACL, same way ACLs resource module will error out for respective scenario and only addition of new ACE over new sequence will be allowed with merge state. The states rendered, gathered and parsed does not perform any change on the device. The state rendered will transform the configuration in config option to platform specific CLI commands which will be returned in the rendered key within the result. For state rendered active connection to remote host is not required.The state gathered will fetch the running configuration from device and transform it into structured data in the format as per the resource module argspec and the value is returned in the gathered key within the result. The state parsed reads the configuration from running_config option and transforms it into JSON format as per the resource module parameters and the value is returned in the parsed key within the result. The value of running_config option should be the same format as the output of command show running-config | include ip route|ipv6 route executed on device. For state parsed active connection to remote host is not required. |
Note
# Using merged # Before state: # ------------- # # vios#sh access-lists # Extended IP access list 100 # 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10 - name: Merge provided configuration with device configuration cisco.ios.ios_acls: config: - afi: ipv4 acls: - name: 100 aces: - sequence: 10 protocol_options: icmp: traceroute: true state: merged # After state: # ------------ # # Play Execution fails, with error: # Cannot update existing sequence 10 of ACLs 100 with state merged. # Please use state replaced or overridden. # Before state: # ------------- # # vios#sh access-lists # Extended IP access list 110 # 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10 - name: Merge provided configuration with device configuration cisco.ios.ios_acls: config: - afi: ipv4 acls: - name: std_acl acl_type: standard aces: - grant: deny source: address: 192.168.1.200 - grant: deny source: address: 192.168.2.0 wildcard_bits: 0.0.0.255 - name: 110 aces: - sequence: 10 protocol_options: icmp: traceroute: true - grant: deny protocol_options: tcp: ack: true source: host: 198.51.100.0 destination: host: 198.51.110.0 port_protocol: eq: telnet - name: test acl_type: extended aces: - grant: deny protocol_options: tcp: fin: true source: address: 192.0.2.0 wildcard_bits: 0.0.0.255 destination: address: 192.0.3.0 wildcard_bits: 0.0.0.255 port_protocol: eq: www option: traceroute: true ttl: eq: 10 - name: 123 aces: - grant: deny protocol_options: tcp: ack: true source: address: 198.51.100.0 wildcard_bits: 0.0.0.255 destination: address: 198.51.101.0 wildcard_bits: 0.0.0.255 port_protocol: eq: telnet tos: service_value: 12 - grant: deny protocol_options: tcp: ack: true source: address: 192.0.3.0 wildcard_bits: 0.0.0.255 destination: address: 192.0.4.0 wildcard_bits: 0.0.0.255 port_protocol: eq: www dscp: ef ttl: lt: 20 - afi: ipv6 acls: - name: R1_TRAFFIC aces: - grant: deny protocol_options: tcp: ack: true source: any: true port_protocol: eq: www destination: any: true port_protocol: eq: telnet dscp: af11 state: merged # Commands fired: # --------------- # # - ip access-list standard std_acl # - deny 192.168.1.200 # - deny 192.168.2.0 0.0.0.255 # - ip access-list extended 110 # - 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10 # - deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack # - ip access-list extended test # - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10 # - ip access-list extended 123 # - deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12 # - deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20 # - ipv6 access-list R1_TRAFFIC # - deny tcp any eq www any eq telnet ack dscp af11 # After state: # ------------ # # vios#sh access-lists # Standard IP access list std_acl # 10 deny 192.168.1.200 # 20 deny 192.168.2.0, wildcard bits 0.0.0.255 # Extended IP access list 100 # 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10 # Extended IP access list 110 # 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10 # 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack # Extended IP access list 123 # 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12 # 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20 # Extended IP access list test # 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10 # IPv6 access list R1_TRAFFIC # deny tcp any eq www any eq telnet ack dscp af11 sequence 10 # Using replaced # Before state: # ------------- # # vios#sh access-lists # Standard IP access list std_acl # 10 deny 192.168.1.200 # 20 deny 192.168.2.0, wildcard bits 0.0.0.255 # Extended IP access list 110 # 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10 # 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack # Extended IP access list 123 # 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12 # 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20 # Extended IP access list test # 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10 # IPv6 access list R1_TRAFFIC # deny tcp any eq www any eq telnet ack dscp af11 sequence 10 - name: Replaces device configuration of listed acls with provided configuration cisco.ios.ios_acls: config: - afi: ipv4 acls: - name: 110 aces: - grant: deny protocol_options: tcp: syn: true source: address: 192.0.2.0 wildcard_bits: 0.0.0.255 destination: address: 192.0.3.0 wildcard_bits: 0.0.0.255 port_protocol: eq: www dscp: ef ttl: eq: 10 - name: 150 aces: - grant: deny sequence: 20 protocol_options: tcp: syn: true source: address: 198.51.100.0 wildcard_bits: 0.0.0.255 port_protocol: eq: telnet destination: address: 198.51.110.0 wildcard_bits: 0.0.0.255 port_protocol: eq: telnet dscp: ef ttl: eq: 10 state: replaced # Commands fired: # --------------- # # - no ip access-list extended 110 # - ip access-list extended 110 # - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10 # - ip access-list extended 150 # - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10 # After state: # ------------- # # vios#sh access-lists # Standard IP access list std_acl # 10 deny 192.168.1.200 # 20 deny 192.168.2.0, wildcard bits 0.0.0.255 # Extended IP access list 110 # 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10 # Extended IP access list 123 # 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12 # 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20 # Extended IP access list 150 # 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10 # Extended IP access list test # 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10 # IPv6 access list R1_TRAFFIC # deny tcp any eq www any eq telnet ack dscp af11 sequence 10 # Using overridden # Before state: # ------------- # # vios#sh access-lists # Standard IP access list std_acl # 10 deny 192.168.1.200 # 20 deny 192.168.2.0, wildcard bits 0.0.0.255 # Extended IP access list 110 # 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10 # 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack # Extended IP access list 123 # 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12 # 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20 # Extended IP access list test # 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10 # IPv6 access list R1_TRAFFIC # deny tcp any eq www any eq telnet ack dscp af11 sequence 10 - name: Override device configuration of all acls with provided configuration cisco.ios.ios_acls: config: - afi: ipv4 acls: - name: 110 aces: - grant: deny sequence: 20 protocol_options: tcp: ack: true source: address: 198.51.100.0 wildcard_bits: 0.0.0.255 port_protocol: eq: telnet destination: address: 198.51.110.0 wildcard_bits: 0.0.0.255 port_protocol: eq: www dscp: ef ttl: eq: 10 - name: 150 aces: - grant: deny sequence: 10 protocol_options: tcp: syn: true source: address: 198.51.100.0 wildcard_bits: 0.0.0.255 port_protocol: eq: telnet destination: address: 198.51.110.0 wildcard_bits: 0.0.0.255 port_protocol: eq: telnet dscp: ef ttl: eq: 10 state: overridden # Commands fired: # --------------- # # - no ip access-list standard std_acl # - no ip access-list extended 110 # - no ip access-list extended 123 # - no ip access-list extended 150 # - no ip access-list extended test # - no ipv6 access-list R1_TRAFFIC # - ip access-list extended 150 # - 10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10 # - ip access-list extended 110 # - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10 # After state: # ------------- # # vios#sh access-lists # Extended IP access list 110 # 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10 # Extended IP access list 150 # 10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10 # Using Deleted # Before state: # ------------- # # vios#sh access-lists # Standard IP access list std_acl # 10 deny 192.168.1.200 # 20 deny 192.168.2.0, wildcard bits 0.0.0.255 # Extended IP access list 110 # 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10 # 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack # Extended IP access list 123 # 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12 # 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20 # Extended IP access list test # 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10 # IPv6 access list R1_TRAFFIC # deny tcp any eq www any eq telnet ack dscp af11 sequence 10 - name: "Delete ACLs (Note: This won't delete the all configured ACLs)" cisco.ios.ios_acls: config: - afi: ipv4 acls: - name: test acl_type: extended - name: 110 - afi: ipv6 acls: - name: R1_TRAFFIC state: deleted # Commands fired: # --------------- # # - no ip access-list extended test # - no ip access-list extended 110 # - no ipv6 access-list R1_TRAFFIC # After state: # ------------- # # vios#sh access-lists # Standard IP access list std_acl # 10 deny 192.168.1.200 # 20 deny 192.168.2.0, wildcard bits 0.0.0.255 # Extended IP access list 123 # 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12 # 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20 # Before state: # ------------- # # vios#sh access-lists # Standard IP access list std_acl # 10 deny 192.168.1.200 # 20 deny 192.168.2.0, wildcard bits 0.0.0.255 # Extended IP access list 110 # 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10 # 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack # Extended IP access list 123 # 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12 # 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20 # Extended IP access list test # 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10 # IPv6 access list R1_TRAFFIC # deny tcp any eq www any eq telnet ack dscp af11 sequence 10 - name: "Delete ACLs based on AFI (Note: This won't delete the all configured ACLs)" cisco.ios.ios_acls: config: - afi: ipv4 state: deleted # Commands fired: # --------------- # # - no ip access-list standard std_acl # - no ip access-list extended test # - no ip access-list extended 110 # - no ip access-list extended 123 # After state: # ------------- # # vios#sh access-lists # IPv6 access list R1_TRAFFIC # deny tcp any eq www any eq telnet ack dscp af11 sequence 10 # Using Deleted without any config passed #"(NOTE: This will delete all of configured ACLs)" # Before state: # ------------- # # vios#sh access-lists # Standard IP access list std_acl # 10 deny 192.168.1.200 # 20 deny 192.168.2.0, wildcard bits 0.0.0.255 # Extended IP access list 110 # 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10 # 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack # Extended IP access list 123 # 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12 # 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20 # Extended IP access list test # 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10 # IPv6 access list R1_TRAFFIC # deny tcp any eq www any eq telnet ack dscp af11 sequence 10 - name: 'Delete ALL of configured ACLs (Note: This WILL delete the all configured ACLs)' cisco.ios.ios_acls: state: deleted # Commands fired: # --------------- # # - no ip access-list extended test # - no ip access-list extended 110 # - no ip access-list extended 123 # - no ip access-list extended test # - no ipv6 access-list R1_TRAFFIC # After state: # ------------- # # vios#sh access-lists # Using Gathered # Before state: # ------------- # # vios#sh access-lists # Standard IP access list std_acl # 10 deny 192.168.1.200 # 20 deny 192.168.2.0, wildcard bits 0.0.0.255 # Extended IP access list 110 # 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10 # 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack # Extended IP access list 123 # 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12 # 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20 # Extended IP access list test # 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10 # IPv6 access list R1_TRAFFIC # deny tcp any eq www any eq telnet ack dscp af11 sequence 10 - name: Gather listed acls with provided configurations cisco.ios.ios_acls: config: state: gathered # Module Execution Result: # ------------------------ # # "gathered": [ # { # "acls": [ # { # "aces": [ # { # "destination": { # "address": "192.0.3.0", # "wildcard_bits": "0.0.0.255" # }, # "dscp": "ef", # "grant": "deny", # "protocol_options": { # "icmp": { # "echo": true # } # }, # "sequence": 10, # "source": { # "address": "192.0.2.0", # "wildcard_bits": "0.0.0.255" # }, # "ttl": { # "eq": 10 # } # } # ], # "acl_type": "extended", # "name": "110" # }, # { # "aces": [ # { # "destination": { # "address": "198.51.101.0", # "port_protocol": { # "eq": "telnet" # }, # "wildcard_bits": "0.0.0.255" # }, # "grant": "deny", # "protocol_options": { # "tcp": { # "ack": true # } # }, # "sequence": 10, # "source": { # "address": "198.51.100.0", # "wildcard_bits": "0.0.0.255" # }, # "tos": { # "service_value": 12 # } # }, # { # "destination": { # "address": "192.0.4.0", # "port_protocol": { # "eq": "www" # }, # "wildcard_bits": "0.0.0.255" # }, # "dscp": "ef", # "grant": "deny", # "protocol_options": { # "tcp": { # "ack": true # } # }, # "sequence": 20, # "source": { # "address": "192.0.3.0", # "wildcard_bits": "0.0.0.255" # }, # "ttl": { # "lt": 20 # } # } # ], # "acl_type": "extended", # "name": "123" # }, # { # "aces": [ # { # "destination": { # "address": "192.0.3.0", # "port_protocol": { # "eq": "www" # }, # "wildcard_bits": "0.0.0.255" # }, # "grant": "deny", # "option": { # "traceroute": true # }, # "protocol_options": { # "tcp": { # "fin": true # } # }, # "sequence": 10, # "source": { # "address": "192.0.2.0", # "wildcard_bits": "0.0.0.255" # }, # "ttl": { # "eq": 10 # } # } # ], # "acl_type": "extended", # "name": "test_acl" # } # ], # "afi": "ipv4" # }, # { # "acls": [ # { # "aces": [ # { # "destination": { # "any": true, # "port_protocol": { # "eq": "telnet" # } # }, # "dscp": "af11", # "grant": "deny", # "protocol_options": { # "tcp": { # "ack": true # } # }, # "sequence": 10, # "source": { # "any": true, # "port_protocol": { # "eq": "www" # } # } # } # ], # "name": "R1_TRAFFIC" # } # ], # "afi": "ipv6" # } # ] # Using Rendered - name: Rendered the provided configuration with the existing running configuration cisco.ios.ios_acls: config: - afi: ipv4 acls: - name: 110 aces: - grant: deny sequence: 10 protocol_options: tcp: syn: true source: address: 192.0.2.0 wildcard_bits: 0.0.0.255 destination: address: 192.0.3.0 wildcard_bits: 0.0.0.255 port_protocol: eq: www dscp: ef ttl: eq: 10 - name: 150 aces: - grant: deny protocol_options: tcp: syn: true source: address: 198.51.100.0 wildcard_bits: 0.0.0.255 port_protocol: eq: telnet destination: address: 198.51.110.0 wildcard_bits: 0.0.0.255 port_protocol: eq: telnet dscp: ef ttl: eq: 10 state: rendered # Module Execution Result: # ------------------------ # # "rendered": [ # "ip access-list extended 110", # "10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10", # "ip access-list extended 150", # "deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10" # ] # Using Parsed # File: parsed.cfg # ---------------- # # IPv6 access-list R1_TRAFFIC # deny tcp any eq www any eq telnet ack dscp af11 - name: Parse the commands for provided configuration cisco.ios.ios_acls: running_config: "{{ lookup('file', 'parsed.cfg') }}" state: parsed # Module Execution Result: # ------------------------ # # "parsed": [ # { # "acls": [ # { # "aces": [ # { # "destination": { # "any": true, # "port_protocol": { # "eq": "telnet" # } # }, # "dscp": "af11", # "grant": "deny", # "protocol_options": { # "tcp": { # "ack": true # } # }, # "source": { # "any": true, # "port_protocol": { # "eq": "www" # } # } # } # ], # "name": "R1_TRAFFIC" # } # ], # "afi": "ipv6" # } # ]
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
after list / elements=string | when changed | The configuration as structured data after module completion. Sample: The configuration returned will always be in the same format of the parameters above. |
before list / elements=string | always | The configuration as structured data prior to module invocation. Sample: The configuration returned will always be in the same format of the parameters above. |
commands list / elements=string | always | The set of commands pushed to the remote device Sample: ['ip access-list extended 110', 'deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10'] |
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/cisco/ios/ios_acls_module.html