cisco.ios.ios_acls module – Resource module to configure ACLs.

Note

This module is part of the cisco.ios collection (version 9.0.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list

To install it, use: ansible-galaxy collection install cisco.ios

To use it in a playbook, specify: cisco.ios.ios_acls

New in cisco.ios 1.0.0

Synopsis

  • This module configures and manages named or numbered ACLs on IOS platforms.

Parameters

Each entry is written as name (type): comments. Nested entries are indented under the parameter that contains them; boolean and enumerated parameters list their accepted values after "Choices".

  • config (list / elements=dictionary): A list of ACL options.
    • acls (list / elements=dictionary): A list of Access Control List (ACL) attributes.
      • aces (list / elements=dictionary): The entries within the ACL.
        • destination (dictionary): Specify the packet destination.
          • address (string): Host address to match, or any single host address.
          • any (boolean): Match any source address. Choices: false, true
          • host (string): A single destination host
          • object_group (string): Destination network object group
          • port_protocol (dictionary): Specify the destination port along with the protocol. Note: valid with TCP/UDP protocol_options
            • eq (string): Match only packets on a given port number.
            • gt (string): Match only packets with a greater port number.
            • lt (string): Match only packets with a lower port number.
            • neq (string): Match only packets not on a given port number.
            • range (dictionary): Port group.
              • end (integer): Specify the end of the port range.
              • start (integer): Specify the start of the port range.
          • wildcard_bits (string): Destination wildcard bits, valid with an IPv4 address.
        • dscp (string): Match packets with the given DSCP value.
        • enable_fragments (boolean): Enable non-initial fragments. Choices: false, true
        • evaluate (string): Evaluate an access list
        • grant (string): Specify the action. Choices: "permit", "deny"
        • log (dictionary): Log matches against this entry.
          • set (boolean): Enable logging of matches against this entry. Choices: false, true
          • string: User-defined cookie (max of 64 characters)
        • log_input (dictionary): Log matches against this entry, including the input interface.
          • set (boolean): Enable logging of matches against this entry, including the input interface. Choices: false, true
          • string: User-defined cookie (max of 64 characters)
        • option (dictionary): Match packets with the given IP Options value. Valid only for named ACLs.
          • add_ext (boolean): Match packets with the Address Extension Option (147). Choices: false, true
          • any_options (boolean): Match packets with any option. Choices: false, true
          • com_security (boolean): Match packets with the Commercial Security Option (134). Choices: false, true
          • dps (boolean): Match packets with the Dynamic Packet State Option (151). Choices: false, true
          • encode (boolean): Match packets with the Encode Option (15). Choices: false, true
          • eool (boolean): Match packets with End of Options (0). Choices: false, true
          • ext_ip (boolean): Match packets with the Extended IP Option (145). Choices: false, true
          • ext_security (boolean): Match packets with the Extended Security Option (133). Choices: false, true
          • finn (boolean): Match packets with the Experimental Flow Control Option (205). Choices: false, true
          • imitd (boolean): Match packets with the IMI Traffic Descriptor Option (144). Choices: false, true
          • lsr (boolean): Match packets with the Loose Source Route Option (131). Choices: false, true
          • mtup (boolean): Match packets with the MTU Probe Option (11). Choices: false, true
          • mtur (boolean): Match packets with the MTU Reply Option (12). Choices: false, true
          • no_op (boolean): Match packets with the No Operation Option (1). Choices: false, true
          • nsapa (boolean): Match packets with the NSAP Addresses Option (150). Choices: false, true
          • record_route (boolean): Match packets with the Record Route Option (7). Choices: false, true
          • router_alert (boolean): Match packets with the Router Alert Option (148). Choices: false, true
          • sdb (boolean): Match packets with the Selective Directed Broadcast Option (149). Choices: false, true
          • security (boolean): Match packets with the Basic Security Option (130). Choices: false, true
          • ssr (boolean): Match packets with the Strict Source Routing Option (137). Choices: false, true
          • stream_id (boolean): Match packets with the Stream ID Option (136). Choices: false, true
          • timestamp (boolean): Match packets with the Time Stamp Option (68). Choices: false, true
          • traceroute (boolean): Match packets with the Trace Route Option (82). Choices: false, true
          • ump (boolean): Match packets with the Upstream Multicast Packet Option (152). Choices: false, true
          • visa (boolean): Match packets with the Experimental Access Control Option (142). Choices: false, true
          • zsu (boolean): Match packets with the Experimental Measurement Option (10). Choices: false, true
        • precedence (string): Match packets with the given precedence value.
        • protocol (string): Specify the protocol to match. Refer to vendor documentation for valid values.
        • protocol_options (dictionary): Protocol type.

          • ahp (boolean): Authentication Header Protocol. Choices: false, true
          • eigrp (boolean): Cisco's EIGRP routing protocol. Choices: false, true
          • esp (boolean): Encapsulating Security Payload. Choices: false, true
          • gre (boolean): Cisco's GRE tunneling. Choices: false, true
          • hbh (boolean): Hop-by-Hop options header. Valid for IPv6. Choices: false, true
          • icmp (dictionary): Internet Control Message Protocol.
            • administratively_prohibited (boolean): Administratively prohibited. Choices: false, true
            • alternate_address (boolean): Alternate address. Choices: false, true
            • conversion_error (boolean): Datagram conversion. Choices: false, true
            • dod_host_prohibited (boolean): Host prohibited. Choices: false, true
            • dod_net_prohibited (boolean): Net prohibited. Choices: false, true
            • echo (boolean): Echo (ping). Choices: false, true
            • echo_reply (boolean): Echo reply. Choices: false, true
            • general_parameter_problem (boolean): Parameter problem. Choices: false, true
            • host_isolated (boolean): Host isolated. Choices: false, true
            • host_precedence_unreachable (boolean): Host unreachable for precedence. Choices: false, true
            • host_redirect (boolean): Host redirect. Choices: false, true
            • host_tos_redirect (boolean): Host redirect for TOS. Choices: false, true
            • host_tos_unreachable (boolean): Host unreachable for TOS. Choices: false, true
            • host_unknown (boolean): Host unknown. Choices: false, true
            • host_unreachable (boolean): Host unreachable. Choices: false, true
            • information_reply (boolean): Information reply. Choices: false, true
            • information_request (boolean): Information request. Choices: false, true
            • mask_reply (boolean): Mask reply. Choices: false, true
            • mask_request (boolean): Mask request. Choices: false, true
            • mobile_redirect (boolean): Mobile host redirect. Choices: false, true
            • net_redirect (boolean): Network redirect. Choices: false, true
            • net_tos_redirect (boolean): Net redirect for TOS. Choices: false, true
            • net_tos_unreachable (boolean): Network unreachable for TOS. Choices: false, true
            • net_unreachable (boolean): Net unreachable. Choices: false, true
            • network_unknown (boolean): Network unknown. Choices: false, true
            • no_room_for_option (boolean): Parameter required but no room. Choices: false, true
            • option_missing (boolean): Parameter required but not present. Choices: false, true
            • packet_too_big (boolean): Fragmentation needed and DF set. Choices: false, true
            • parameter_problem (boolean): All parameter problems. Choices: false, true
            • port_unreachable (boolean): Port unreachable. Choices: false, true
            • precedence_unreachable (boolean): Precedence cutoff. Choices: false, true
            • protocol_unreachable (boolean): Protocol unreachable. Choices: false, true
            • reassembly_timeout (boolean): Reassembly timeout. Choices: false, true
            • redirect (boolean): All redirects. Choices: false, true
            • router_advertisement (boolean): Router discovery advertisements. Choices: false, true
            • router_solicitation (boolean): Router discovery solicitations. Choices: false, true
            • source_quench (boolean): Source quench. Choices: false, true
            • source_route_failed (boolean): Source route failed. Choices: false, true
            • time_exceeded (boolean): All time exceeded. Choices: false, true
            • timestamp_reply (boolean): Timestamp reply. Choices: false, true
            • timestamp_request (boolean): Timestamp request. Choices: false, true
            • traceroute (boolean): Traceroute. Choices: false, true
            • ttl_exceeded (boolean): TTL exceeded. Choices: false, true
            • unreachable (boolean): All unreachables. Choices: false, true

          • igmp (dictionary): Internet Gateway Message Protocol.
            • dvmrp (boolean): Distance Vector Multicast Routing Protocol (2). Choices: false, true
            • host_query (boolean): IGMP Membership Query (0). Choices: false, true
            • mtrace_resp (boolean): Multicast Traceroute Response (7). Choices: false, true
            • mtrace_route (boolean): Multicast Traceroute (8). Choices: false, true
            • pim (boolean): Protocol Independent Multicast (3). Choices: false, true
            • trace (boolean): Multicast trace (4). Choices: false, true
            • v1host_report (boolean): IGMPv1 Membership Report (1). Choices: false, true
            • v2host_report (boolean): IGMPv2 Membership Report (5). Choices: false, true
            • v2leave_group (boolean): IGMPv2 Leave Group (6). Choices: false, true
            • v3host_report (boolean): IGMPv3 Membership Report (9). Choices: false, true
          • ip (boolean): Any Internet Protocol. Choices: false, true
          • ipinip (boolean): IP in IP tunneling. Choices: false, true
          • ipv6 (boolean): Any IPv6. Choices: false, true
          • nos (boolean): KA9Q NOS compatible IP over IP tunneling. Choices: false, true
          • ospf (boolean): OSPF routing protocol. Choices: false, true
          • pcp (boolean): Payload Compression Protocol. Choices: false, true
          • pim (boolean): Protocol Independent Multicast. Choices: false, true
          • protocol_number (integer): An IP protocol number
          • sctp (boolean): Stream Control Transmission Protocol. Choices: false, true
          • tcp (dictionary): Match TCP packet flags
            • ack (boolean): Match on the ACK bit. Choices: false, true
            • established (boolean): Match established connections. Choices: false, true
            • fin (boolean): Match on the FIN bit. Choices: false, true
            • psh (boolean): Match on the PSH bit. Choices: false, true
            • rst (boolean): Match on the RST bit. Choices: false, true
            • syn (boolean): Match on the SYN bit. Choices: false, true
            • urg (boolean): Match on the URG bit. Choices: false, true
          • udp (boolean): User Datagram Protocol. Choices: false, true

        • remarks (list / elements=string): The remarks/description of the ACL.
          The remarks attribute used within an ACE, with or without a sequence number, produces remarks that are pushed before the ACE entry.
          A remarks entry used as the only key of a list item produces non-ACE-specific remarks, which are pushed after all the ACEs of the ACL.
          Remarks are treated as a block: for every single remark updated for an ACE, all the remarks are negated and added back, so that the order of the remarks is maintained.
          As the device deletes all the remarks once the ACE is updated, the set of remarks is re-applied; this is expected behaviour.
        • sequence (integer): Sequence number for the Access Control Entry (ACE). Refer to vendor documentation for valid values.
        • source (dictionary): Specify the packet source.
          • address (string): Source network address.
          • any (boolean): Match any source address. Choices: false, true
          • host (string): A single source host
          • object_group (string): Source network object group
          • port_protocol (dictionary): Specify the source port along with the protocol. Note: valid with TCP/UDP protocol_options
            • eq (string): Match only packets on a given port number.
            • gt (string): Match only packets with a greater port number.
            • lt (string): Match only packets with a lower port number.
            • neq (string): Match only packets not on a given port number.
            • range (dictionary): Port group.
              • end (integer): Specify the end of the port range.
              • start (integer): Specify the start of the port range.
          • wildcard_bits (string): Source wildcard bits, valid with an IPv4 address.
        • time_range (string): Specify a time range.
        • tos (dictionary): Match packets with the given TOS value. Note: DSCP and TOS are mutually exclusive.
          • max_reliability (boolean): Match packets with max reliability TOS (2). Choices: false, true
          • max_throughput (boolean): Match packets with max throughput TOS (4). Choices: false, true
          • min_delay (boolean): Match packets with min delay TOS (8). Choices: false, true
          • min_monetary_cost (boolean): Match packets with min monetary cost TOS (1). Choices: false, true
          • normal (boolean): Match packets with normal TOS (0). Choices: false, true
          • service_value (integer): Type of service value
        • ttl (dictionary): Match packets with the given TTL value.
          • eq (integer): Match only packets on a given TTL number.
          • gt (integer): Match only packets with a greater TTL number.
          • lt (integer): Match only packets with a lower TTL number.
          • neq (integer): Match only packets not on a given TTL number.
          • range (dictionary): Match only packets within the given range of TTLs.
            • end (integer): Specify the end of the port range.
            • start (integer): Specify the start of the port range.
      • acl_type (string): ACL type. Note: it is mandatory for named ACLs, but not for numbered ACLs. Choices: "extended", "standard"
      • name (string / required): The name or the number of the ACL.
    • afi (string / required): The Address Family Indicator (AFI) for the Access Control List (ACL). Choices: "ipv4", "ipv6"
  • running_config (string): This option is used only with state *parsed*.
    The value of this option should be the output received from the IOS device by executing the command **sh access-list**.
    The state *parsed* reads the configuration from the running_config option and transforms it into Ansible structured data as per the resource module's argspec; the value is then returned in the *parsed* key within the result.
  • state (string): The state the configuration should be left in.
    The state *merged* is the default; it merges the wanted and the existing configuration. For the ACL module, however, the IOS platform does not allow an ACE to be updated on a pre-existing ACE sequence within an ACL, so the ACLs resource module likewise errors out in that scenario, and only the addition of a new ACE on a new sequence is allowed with the merged state.
    The states *rendered*, *gathered* and *parsed* do not perform any change on the device.
    The state *rendered* transforms the configuration in the config option into platform-specific CLI commands, which are returned in the *rendered* key within the result. For state *rendered*, an active connection to the remote host is not required.
    The state *gathered* fetches the running configuration from the device and transforms it into structured data in the format of the resource module argspec; the value is returned in the *gathered* key within the result.
    The state *parsed* reads the configuration from the running_config option and transforms it into JSON format as per the resource module parameters; the value is returned in the *parsed* key within the result. The value of the running_config option should be in the same format as the output of the command *sh running-config | section access-list*, which gives all the ACL-related information, together with *sh access-lists | include access list*, which gives the configuration of empty ACLs; both commands are executed on the device. The configuration data from the two commands should be placed one after the other so that the parser picks up the commands correctly. For state *parsed*, an active connection to the remote host is not required.
    The state *overridden* modifies/adds the ACLs defined and deletes all other ACLs.
    The state *replaced* modifies/adds only the ACEs of the ACLs defined. It does not perform any other change on the device.
    The state *deleted* deletes only the specified ACLs, or all ACLs if none are specified.
    Choices: "merged" ← (default), "replaced", "overridden", "deleted", "gathered", "rendered", "parsed"

Notes

Note

Examples

# Using merged

# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list extended 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10

- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: std_acl
            acl_type: standard
            aces:
              - grant: deny
                source:
                  address: 192.168.1.200
              - grant: deny
                source:
                  address: 192.168.2.0
                  wildcard_bits: 0.0.0.255
          - name: 110
            aces:
              - sequence: 10
                protocol_options:
                  icmp:
                    traceroute: true
                source:
                  address: 192.168.3.0
                  wildcard_bits: 255.255.255.0
                destination:
                  any: true
                grant: permit
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  host: 198.51.100.0
                destination:
                  host: 198.51.110.0
                  port_protocol:
                    eq: telnet
          - name: extended_acl_1
            acl_type: extended
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    fin: true
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                option:
                  traceroute: true
                ttl:
                  eq: 10
          - name: 123
            aces:
              - remarks:
                  - "remarks for extended ACL 1"
                  - "check ACL"
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 198.51.101.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                tos:
                  service_value: 12
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.4.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                dscp: ef
                ttl:
                  lt: 20
      - afi: ipv6
        acls:
          - name: R1_TRAFFIC
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  any: true
                  port_protocol:
                    eq: www
                destination:
                  any: true
                  port_protocol:
                    eq: telnet
                dscp: af11
    state: merged

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            echo: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: '100'
#    afi: ipv4
# commands:
#  - ip access-list extended 110
#  - deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
#  - 30 permit icmp 192.168.3.0 255.255.255.0 any traceroute
#  - ip access-list extended extended_acl_1
#  - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
#  - ip access-list standard std_acl
#  - deny 192.168.1.20
#  - deny 192.168.2.0 0.0.0.255
#  - ip access-list extended 123
#  - deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#  - deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
#  - remark remarks for extended ACL 1
#  - remark check ACL
#  - ipv6 access-list R1_TRAFFIC
#  - deny tcp any eq www any eq telnet ack dscp af11
# after:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            echo: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      - destination:
#          any: true
#        grant: permit
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 30
#        source:
#          address: 0.0.0.0
#          wildcard_bits: 255.255.255.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      - remarks:
#        - remarks for extended ACL 1
#        - check ACL
#      acl_type: extended
#      name: '123'
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: extended_acl_1
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.20
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    afi: ipv4
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6

# After state:
# ------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 100
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
# ip access-list extended 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack dscp af11

# vios#show running-config | include ip(v6)* access-list|remark
# ip access-list standard std_acl
# ip access-list extended extended_acl_1
# ip access-list extended 110
# ip access-list extended 123
#  remark remarks for extended ACL 1
#  remark check ACL
# ipv6 access-list R1_TRAFFIC

# Using merged (update existing ACE - will fail)

# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list extended 100
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10

- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: 100
            aces:
              - sequence: 10
                protocol_options:
                  icmp:
                    traceroute: true
    state: merged

# After state:
# ------------
#
# Play Execution fails, with error:
# Cannot update existing sequence 10 of ACLs 100 with state merged.
# Please use state replaced or overridden.
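The state description above and the failing task just shown both make the same point: with state merged the module refuses to rewrite an ACE whose sequence already exists on the device, and the play stops with "Cannot update existing sequence". The following helper is an added example, not part of the cisco.ios collection: it compares a task's config list (the wanted ACEs) against the structure the module returns under before/gathered (what the device has) and reports the sequences that would collide, so a play can branch to state replaced before the failure happens. The HAVE, WANT_CONFLICT and WANT_NEW data are constructed to mirror the before state and task above; the function names and the key-by-key comparison are this example's own.

```python
"""Pre-flight check for ios_acls with state merged.

Added example, not code from the cisco.ios collection. The module refuses to
update an ACE on a sequence that already exists when state is merged; this
helper reports such collisions from the gathered structure before any task
runs, so the play can choose state replaced instead of failing mid-run.
"""

# Constructed sample data shaped like the page's before output for ACL 100.
HAVE = [
    {
        "afi": "ipv4",
        "acls": [
            {
                "name": "100",
                "acl_type": "extended",
                "aces": [
                    {
                        "sequence": 10,
                        "grant": "deny",
                        "protocol": "icmp",
                        "protocol_options": {"icmp": {"echo": True}},
                        "source": {"address": "192.0.2.0", "wildcard_bits": "0.0.0.255"},
                        "destination": {"address": "192.0.3.0", "wildcard_bits": "0.0.0.255"},
                        "dscp": "ef",
                        "ttl": {"eq": 10},
                    }
                ],
            }
        ],
    }
]

# The failing task from the page: same sequence 10, different ICMP option.
WANT_CONFLICT = [
    {"afi": "ipv4", "acls": [{"name": 100, "aces": [
        {"sequence": 10, "protocol_options": {"icmp": {"traceroute": True}}},
    ]}]}
]

# A new sequence on the same ACL: the only kind of change merged accepts.
WANT_NEW = [
    {"afi": "ipv4", "acls": [{"name": "100", "aces": [
        {"sequence": 30, "grant": "permit", "protocol": "icmp",
         "source": {"any": True}, "destination": {"any": True}},
    ]}]}
]


def _index_have(have):
    """Map (afi, acl name) -> {sequence: ace}. Names are normalised to str
    because gathered output quotes numbered ACL names ('100') while tasks
    often write them as integers (100)."""
    index = {}
    for family in have:
        for acl in family.get("acls", []):
            key = (family["afi"], str(acl["name"]))
            index[key] = {
                ace["sequence"]: ace
                for ace in acl.get("aces", [])
                if "sequence" in ace
            }
    return index


def merged_conflicts(want, have):
    """Return [(afi, acl_name, sequence), ...] for ACEs in want that reuse an
    existing sequence with different content. Re-sending an identical ACE is
    idempotent and not reported; ACEs without a sequence (new entries or
    remark-only items) are always accepted by merged."""
    index = _index_have(have)
    conflicts = []
    for family in want:
        for acl in family.get("acls", []):
            existing = index.get((family["afi"], str(acl["name"])), {})
            for ace in acl.get("aces", []):
                seq = ace.get("sequence")
                if seq is None or seq not in existing:
                    continue
                # Any key in the wanted ACE that differs from the device's ACE
                # means merged would have to rewrite sequence `seq`.
                if any(existing[seq].get(k) != v for k, v in ace.items()):
                    conflicts.append((family["afi"], str(acl["name"]), seq))
    return conflicts


def choose_state(want, have):
    """merged when only new sequences are added, otherwise replaced, which the
    docs name (together with overridden) as the way to update an existing ACE."""
    return "replaced" if merged_conflicts(want, have) else "merged"


if __name__ == "__main__":
    for label, want in (("conflicting task", WANT_CONFLICT), ("new sequence", WANT_NEW)):
        print(label, "->", merged_conflicts(want, HAVE), "| use state:", choose_state(want, HAVE))
```

In a play, the `have` side is the `gathered` key returned by a preceding `cisco.ios.ios_acls` task with `state: gathered`; the check is cheap enough to run in check mode on every host before the merge task, and a non-empty result is the signal to use `replaced` for that ACL.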

# Using replaced

# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
#     10 deny   192.168.1.200
#     20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#     10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#     20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#     10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#     20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended R1_TRAFFIC
#     10 deny tcp any eq www any eq telnet ack dscp af11
# ip access-list extended test
#     10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10

- name: Replaces device configuration of listed acls with provided configuration
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                dscp: ef
                ttl:
                  eq: 10
          - name: 150
            aces:
              - grant: deny
                sequence: 20
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                dscp: ef
                ttl:
                  eq: 10
    state: replaced

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      acl_type: extended
#      name: R1_TRAFFIC
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: test
#    afi: ipv4
# commands:
#  - ip access-list extended 110
#  - no 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#  - no 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
#  - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
#  - ip access-list extended 150
#  - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# after:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            syn: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - destination:
#          address: 198.51.110.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            syn: true
#        sequence: 20
#        source:
#          address: 198.51.100.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: '150'
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      acl_type: extended
#      name: R1_TRAFFIC
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: test
#    afi: ipv4

# After state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# ip access-list extended 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended 150
#    20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# ip access-list extended test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack dscp af11

# Using replaced - example remarks specific

# Before state:
# -------------
#
# vios#show running-config | section access-list
# ip access-list extended TEST
#  10 remark FIRST REMARK BEFORE LINE 10
#  10 remark ============
#  10 remark ALLOW HOST FROM TEST 10
#  10 permit ip host 1.1.1.1 any
#  20 remark FIRST REMARK BEFORE LINE 20
#  20 remark ============
#  20 remark ALLOW HOST remarks AFTER LINE  20
#  20 permit ip host 2.2.2.2 any
#  30 remark FIRST REMARK BEFORE LINE 30
#  30 remark ============
#  30 remark ALLOW HOST remarks AFTER LINE  30
#  30 permit ip host 3.3.3.3 any

- name: Replace remarks of ace with sequence 10
  # check_mode: true
  cisco.ios.ios_acls:
    state: replaced
    config:
      - acls:
          - aces:
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - The new first remarks before 10
                  - ============new
                  - The new second remarks before 10
                sequence: 10
                source:
                  host: 1.1.1.1
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - FIRST REMARK BEFORE LINE 20
                  - ============
                  - ALLOW HOST remarks AFTER LINE  20
                sequence: 20
                source:
                  host: 2.2.2.2
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - FIRST REMARK BEFORE LINE 30
                  - ============
                  - ALLOW HOST remarks AFTER LINE  30
                sequence: 30
                source:
                  host: 3.3.3.3
            acl_type: extended
            name: TEST
        afi: ipv4

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 10
#       - ===========1=
#       - ALLOW HOST FROM TEST 10
#       sequence: 10
#       source:
#         host: 1.1.1.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 20
#       - ============
#       - ALLOW HOST remarks AFTER LINE  20
#       sequence: 20
#       source:
#         host: 2.2.2.2
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 30
#       - ============
#       - ALLOW HOST remarks AFTER LINE  30
#       sequence: 30
#       source:
#         host: 3.3.3.3
#     acl_type: extended
#     name: TEST
#   afi: ipv4
# commands:
# - ip access-list extended TEST
# - no 10 remark
# - 10 remark The new first remarks before 10
# - 10 remark ============new
# - 10 remark The new second remarks before 10
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - The new first remarks before 10
#       - ============new
#       - The new second remarks before 10
#       sequence: 10
#       source:
#         host: 1.1.1.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 20
#       - ============
#       - ALLOW HOST remarks AFTER LINE  20
#       sequence: 20
#       source:
#         host: 2.2.2.2
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 30
#       - ============
#       - ALLOW HOST remarks AFTER LINE  30
#       sequence: 30
#       source:
#         host: 3.3.3.3
#     acl_type: extended
#     name: TEST
#   afi: ipv4

# After state:
# -------------
#
# foo#show running-config | section access-list
# ip access-list extended TEST
#  10 remark The new first remarks before 10
#  10 remark ============new
#  10 remark The new second remarks before 10
#  10 permit ip host 1.1.1.1 any
#  20 remark FIRST REMARK BEFORE LINE 20
#  20 remark ============
#  20 remark ALLOW HOST remarks AFTER LINE  20
#  20 permit ip host 2.2.2.2 any
#  30 remark FIRST REMARK BEFORE LINE 30
#  30 remark ============
#  30 remark ALLOW HOST remarks AFTER LINE  30
#  30 permit ip host 3.3.3.3 any

# Using replaced - example remarks specific to a targeted sequence

# Before state:
# -------------
#
# vios#show running-config | section access-list
# ip access-list extended TEST
#  10 permit ip host 1.1.1.1 any
#  20 remark FIRST REMARK BEFORE LINE 20
#  20 remark ============
#  20 remark ALLOW HOST remarks AFTER LINE  20
#  20 permit ip host 2.2.2.2 any
#  30 remark FIRST REMARK BEFORE LINE 30
#  30 remark ============
#  30 remark ALLOW HOST remarks AFTER LINE  30
#  30 permit ip host 3.3.3.3 any

- name: Replace remarks of ace with sequence 10
  # check_mode: true
  cisco.ios.ios_acls:
    state: replaced
    config:
      - acls:
          - aces:
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - The new first remarks before 10
                  - ============new
                  - The new second remarks before 10
                sequence: 10
                source:
                  host: 1.1.1.1
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - FIRST REMARK BEFORE LINE 20
                  - ============
                  - ALLOW HOST remarks AFTER LINE  20
                sequence: 20
                source:
                  host: 2.2.2.2
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - FIRST REMARK BEFORE LINE 30
                  - ============
                  - ALLOW HOST remarks AFTER LINE  30
                sequence: 30
                source:
                  host: 3.3.3.3
            acl_type: extended
            name: TEST
        afi: ipv4

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       sequence: 10
#       source:
#         host: 1.1.1.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 20
#       - ============
#       - ALLOW HOST remarks AFTER LINE  20
#       sequence: 20
#       source:
#         host: 2.2.2.2
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 30
#       - ============
#       - ALLOW HOST remarks AFTER LINE  30
#       sequence: 30
#       source:
#         host: 3.3.3.3
#     acl_type: extended
#     name: TEST
#   afi: ipv4
# commands:
# - ip access-list extended TEST
# - 10 remark The new first remarks before 10
# - 10 remark ============new
# - 10 remark The new second remarks before 10
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - The new first remarks before 10
#       - ============new
#       - The new second remarks before 10
#       sequence: 10
#       source:
#         host: 1.1.1.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 20
#       - ============
#       - ALLOW HOST remarks AFTER LINE  20
#       sequence: 20
#       source:
#         host: 2.2.2.2
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 30
#       - ============
#       - ALLOW HOST remarks AFTER LINE  30
#       sequence: 30
#       source:
#         host: 3.3.3.3
#     acl_type: extended
#     name: TEST
#   afi: ipv4

# After state:
# -------------
#
# foo#show running-config | section access-list
# ip access-list extended TEST
#  10 remark The new first remarks before 10
#  10 remark ============new
#  10 remark The new second remarks before 10
#  10 permit ip host 1.1.1.1 any
#  20 remark FIRST REMARK BEFORE LINE 20
#  20 remark ============
#  20 remark ALLOW HOST remarks AFTER LINE  20
#  20 permit ip host 2.2.2.2 any
#  30 remark FIRST REMARK BEFORE LINE 30
#  30 remark ============
#  30 remark ALLOW HOST remarks AFTER LINE  30
#  30 permit ip host 3.3.3.3 any

# Using overridden

# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
#     10 deny   192.168.1.200
#     20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#     10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#     20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#     10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#     20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended R1_TRAFFIC
#     10 deny tcp any eq www any eq telnet ack dscp af11
# ip access-list extended test
#     10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10

- name: Override device configuration of all acls with provided configuration
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                sequence: 20
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                dscp: ef
                ttl:
                  eq: 10
          - name: 150
            aces:
              - grant: deny
                sequence: 10
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                dscp: ef
                ttl:
                  eq: 10
    state: overridden

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      acl_type: extended
#      name: R1_TRAFFIC
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: test
#    afi: ipv4
# commands:
#  - ip access-list extended 110
#  - no 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
#  - no 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#  - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
#  - ip access-list extended 150
#  - 10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
#  - no ip access-list extended 123
#  - no ip access-list extended R1_TRAFFIC
#  - no ip access-list standard std_acl
#  - no ip access-list extended test
# after:
#  - acls:
#    - aces:
#      - destination:
#          address: 198.51.110.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 198.51.100.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.110.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            syn: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: '150'
#    afi: ipv4

# After state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list extended 110
#     20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
# ip access-list extended 150
#     10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10

# Using overridden - example remarks specific to multiple sequences

# Before state:
# -------------
#
# vios#show running-config | section access-list
# ip access-list extended TEST
#  10 remark FIRST REMARK BEFORE SEQUENCE 10
#  10 remark ============
#  10 remark REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
#  20 remark FIRST REMARK BEFORE SEQUENCE 20
#  20 remark ============
#  20 remark ALLOW HOST FROM SEQUENCE 20
#  20 permit ip host 1.1.1.1 any
#  30 remark FIRST REMARK BEFORE SEQUENCE 30
#  30 remark ============
#  30 remark ALLOW HOST FROM SEQUENCE 30
#  30 permit ip host 2.2.2.2 any
#  40 remark FIRST REMARK BEFORE SEQUENCE 40
#  40 remark ============
#  40 remark ALLOW NEW HOST FROM SEQUENCE 40
#  40 permit ip host 3.3.3.3 any
#  remark Remark not specific to sequence
#  remark ============
#  remark End Remarks
# ip access-list extended test_acl
#  10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ip access-list extended 110
#  10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
# ip access-list extended 123
#  10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#  20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ipv6 access-list R1_TRAFFIC
#  sequence 10 deny tcp any eq www any eq telnet ack dscp af11

- name: Override remarks and ace configurations
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: TEST
            acl_type: extended
            aces:
              - sequence: 10
                remarks:
                  - "FIRST REMARK BEFORE SEQUENCE 10"
                  - "============"
                  - "REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE"
                grant: permit
                protocol: ip
                source:
                  host: 1.1.1.1
                destination:
                  any: true
              - sequence: 20
                remarks:
                  - "FIRST REMARK BEFORE SEQUENCE 20"
                  - "============"
                  - "ALLOW HOST FROM SEQUENCE 20"
                grant: permit
                protocol: ip
                source:
                  host: 192.168.0.1
                destination:
                  any: true
              - sequence: 30
                remarks:
                  - "FIRST REMARK BEFORE SEQUENCE 30"
                  - "============"
                  - "ALLOW HOST FROM SEQUENCE 30 updated"
                grant: permit
                protocol: ip
                source:
                  host: 2.2.2.2
                destination:
                  any: true
              - sequence: 40
                remarks:
                  - "FIRST REMARK BEFORE SEQUENCE 40"
                  - "============"
                  - "ALLOW NEW HOST FROM SEQUENCE 40"
                grant: permit
                protocol: ip
                source:
                  host: 3.3.3.3
                destination:
                  any: true
              - remarks:
                  - "Remark not specific to sequence"
                  - "============"
                  - "End Remarks 1"
    state: overridden

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - destination:
#         address: 192.0.3.0
#         wildcard_bits: 0.0.0.255
#       dscp: ef
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           echo: true
#       sequence: 10
#       source:
#         address: 192.0.2.0
#         wildcard_bits: 0.0.0.255
#       ttl:
#         eq: 10
#     acl_type: extended
#     name: '110'
#   - aces:
#     - destination:
#         address: 198.51.101.0
#         port_protocol:
#           eq: telnet
#         wildcard_bits: 0.0.0.255
#       grant: deny
#       protocol: tcp
#       protocol_options:
#         tcp:
#           ack: true
#       sequence: 10
#       source:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.255
#       tos:
#         service_value: 12
#     - destination:
#         address: 192.0.4.0
#         port_protocol:
#           eq: www
#         wildcard_bits: 0.0.0.255
#       dscp: ef
#       grant: deny
#       protocol: tcp
#       protocol_options:
#         tcp:
#           ack: true
#       sequence: 20
#       source:
#         address: 192.0.3.0
#         wildcard_bits: 0.0.0.255
#       ttl:
#         lt: 20
#     acl_type: extended
#     name: '123'
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 20
#       - ============
#       - ALLOW HOST FROM SEQUENCE 20
#       sequence: 20
#       source:
#         host: 1.1.1.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 30
#       - ============
#       - ALLOW HOST FROM SEQUENCE 30
#       sequence: 30
#       source:
#         host: 2.2.2.2
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 40
#       - ============
#       - ALLOW NEW HOST FROM SEQUENCE 40
#       sequence: 40
#       source:
#         host: 3.3.3.3
#     - remarks:
#       - FIRST REMARK BEFORE SEQUENCE 10
#       - ============
#       - REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
#       sequence: 10
#     - remarks:
#       - Remark not specific to sequence
#       - ============
#       - End Remarks
#     acl_type: extended
#     name: TEST
#   - aces:
#     - destination:
#         address: 192.0.3.0
#         port_protocol:
#           eq: www
#         wildcard_bits: 0.0.0.255
#       grant: deny
#       option:
#         traceroute: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           fin: true
#       sequence: 10
#       source:
#         address: 192.0.2.0
#         wildcard_bits: 0.0.0.255
#       ttl:
#         eq: 10
#     acl_type: extended
#     name: test_acl
#   afi: ipv4
# - acls:
#   - aces:
#     - destination:
#         any: true
#         port_protocol:
#           eq: telnet
#       dscp: af11
#       grant: deny
#       protocol: tcp
#       protocol_options:
#         tcp:
#           ack: true
#       sequence: 10
#       source:
#         any: true
#         port_protocol:
#           eq: www
#     name: R1_TRAFFIC
#   afi: ipv6
# commands:
# - no ipv6 access-list R1_TRAFFIC
# - ip access-list extended TEST
# - no 10  # removes all remarks and ace entry for sequence 10
# - no 20 permit ip host 1.1.1.1 any  # removing the ace automatically removes the remarks
# - no 30 remark  # just remove remarks for sequence 30
# - no remark  # remove all remarks at end of acl, that has no sequence
# - 10 remark FIRST REMARK BEFORE SEQUENCE 10
# - 10 remark ============
# - 10 remark REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
# - 10 permit ip host 1.1.1.1 any
# - 20 remark FIRST REMARK BEFORE SEQUENCE 20
# - 20 remark ============
# - 20 remark ALLOW HOST FROM SEQUENCE 20
# - 20 permit ip host 192.168.0.1 any
# - 30 remark FIRST REMARK BEFORE SEQUENCE 30
# - 30 remark ============
# - 30 remark ALLOW HOST FROM SEQUENCE 30 updated
# - remark Remark not specific to sequence
# - remark ============
# - remark End Remarks 1
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list extended test_acl
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 10
#       - ============
#       - REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
#       sequence: 10
#       source:
#         host: 1.1.1.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 20
#       - ============
#       - ALLOW HOST FROM SEQUENCE 20
#       sequence: 20
#       source:
#         host: 192.168.0.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 30
#       - ============
#       - ALLOW HOST FROM SEQUENCE 30 updated
#       sequence: 30
#       source:
#         host: 2.2.2.2
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 40
#       - ============
#       - ALLOW NEW HOST FROM SEQUENCE 40
#       sequence: 40
#       source:
#         host: 3.3.3.3
#     - remarks:
#       - Remark not specific to sequence
#       - ============
#       - End Remarks 1
#     acl_type: extended
#     name: TEST
#   afi: ipv4

# After state:
# -------------
#
# foo#show running-config | section access-list
# ip access-list extended TEST
#  10 remark FIRST REMARK BEFORE SEQUENCE 10
#  10 remark ============
#  10 remark REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
#  10 permit ip host 1.1.1.1 any
#  20 remark FIRST REMARK BEFORE SEQUENCE 20
#  20 remark ============
#  20 remark ALLOW HOST FROM SEQUENCE 20
#  20 permit ip host 192.168.0.1 any
#  30 remark FIRST REMARK BEFORE SEQUENCE 30
#  30 remark ============
#  30 remark ALLOW HOST FROM SEQUENCE 30 updated
#  30 permit ip host 2.2.2.2 any
#  40 remark FIRST REMARK BEFORE SEQUENCE 40
#  40 remark ============
#  40 remark ALLOW NEW HOST FROM SEQUENCE 40
#  40 permit ip host 3.3.3.3 any
#  remark Remark not specific to sequence
#  remark ============
#  remark End Remarks 1

# Using deleted - delete ACL(s)

# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
#     10 deny   192.168.1.200
#     20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#     10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#     20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#     10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#     20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended extended_acl_1
#     10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10

- name: "Delete ACLs (Note: This won't delete all the configured ACLs)"
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: extended_acl_1
            acl_type: extended
          - name: 110
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: extended_acl_1
#    afi: ipv4
# commands:
#  - no ip access-list extended 110
#  - no ip access-list extended extended_acl_1
# after:
#  - acls:
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    afi: ipv4

# After state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20

# Using deleted - delete ACLs based on AFI

# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
#     10 deny   192.168.1.200
#     20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#     10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#     20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#     10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#     20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
#     10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
#     sequence 10 deny tcp any eq www any eq telnet ack dscp af11

- name: "Delete ACLs based on AFI (Note: This won't delete all the configured ACLs)"
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: test
#    afi: ipv4
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6
# commands:
#  - no ip access-list extended 110
#  - no ip access-list extended 123
#  - no ip access-list standard std_acl
#  - no ip access-list extended test
# after:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6

# After state:
# -------------
#
# vios#sh running-config | section access-list
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack dscp af11


# Using deleted - delete all ACLs

# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
#     10 deny   192.168.1.200
#     20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#     10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#     20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#     10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#     20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
#     10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
#     sequence 10 deny tcp any eq www any eq telnet ack dscp af11

- name: Delete ALL of configured ACLs
  cisco.ios.ios_acls:
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: test
#    afi: ipv4
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6
# commands:
#  - no ip access-list extended test
#  - no ip access-list extended 110
#  - no ip access-list extended 123
#  - no ip access-list extended test
#  - no ipv6 access-list R1_TRAFFIC
# after: []

# After state:
# -------------
#
# vios#sh running-config | section access-list


# Using gathered

# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack dscp af11

- name: Gather ACLs configuration from target device
  cisco.ios.ios_acls:
    state: gathered

# Module Execution Result:
# ------------------------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: test
#    afi: ipv4
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6

# Using rendered

- name: Render the provided configuration into platform specific configuration lines
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                sequence: 10
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                dscp: ef
                ttl:
                  eq: 10
          - name: 150
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                dscp: ef
                ttl:
                  eq: 10
    state: rendered

# Module Execution Result:
# ------------------------
#
# rendered:
#  - ip access-list extended 110
#  - 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
#  - ip access-list extended 150
#  - deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
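The mapping from the argspec structure to an IOS ACL line that the rendered state performs above, as an added example that is not the cisco.ios collection's own code: a minimal renderer for extended IPv4 ACEs that covers only the keys used in the examples on this page (sequence, grant, protocol or protocol_options, source/destination, dscp, ttl). The function names and the keyword order are assumptions; the sample dict is ACL 110 from the rendered task above.

```python
# Added example, not the cisco.ios collection's own code: a minimal renderer that turns an
# ACE dict in the ios_acls argspec shape into one IOS extended ACL line. It covers only the
# keys used in the rendered example above; keyword order follows IOS extended ACL syntax.

def _endpoint(ep):
    """Render a source/destination dict: any, host, or address + wildcard, then eq port."""
    if ep.get("any"):
        parts = ["any"]
    elif "host" in ep:
        parts = ["host", ep["host"]]
    else:
        parts = [ep["address"], ep["wildcard_bits"]]
    port = ep.get("port_protocol", {})
    if "eq" in port:
        parts += ["eq", str(port["eq"])]
    return parts

def render_ace(ace):
    """Render one ACE dict to a single IOS ACL line."""
    parts = [str(ace["sequence"])] if "sequence" in ace else []
    parts.append(ace["grant"])
    opts = ace.get("protocol_options", {})
    # protocol may be explicit or implied by the protocol_options key (tcp, icmp, ...)
    proto = ace.get("protocol") or next(iter(opts), None)
    if proto is None:
        raise ValueError("ACE needs 'protocol' or 'protocol_options'")
    parts.append(proto)
    parts += _endpoint(ace["source"])
    parts += _endpoint(ace["destination"])
    # protocol-specific keywords such as tcp syn/ack/fin or icmp traceroute
    parts += [flag for flag, on in opts.get(proto, {}).items() if on]
    if "dscp" in ace:
        parts += ["dscp", ace["dscp"]]
    for op in ("eq", "gt", "lt", "neq"):  # a ttl dict carries one operator
        if op in ace.get("ttl", {}):
            parts += ["ttl", op, str(ace["ttl"][op])]
    return " ".join(parts)

def render_acl(acl):
    """Render an extended IPv4 ACL dict (name + aces) to IOS command lines."""
    return ["ip access-list extended %s" % acl["name"]] + [render_ace(a) for a in acl["aces"]]

# The ACL 110 from the rendered task above, as the argspec dict the module receives.
ACL_110 = {"name": 110, "aces": [{"grant": "deny", "sequence": 10,
           "protocol_options": {"tcp": {"syn": True}},
           "source": {"address": "192.0.2.0", "wildcard_bits": "0.0.0.255"},
           "destination": {"address": "192.0.3.0", "wildcard_bits": "0.0.0.255",
                           "port_protocol": {"eq": "www"}},
           "dscp": "ef", "ttl": {"eq": 10}}]}
```

Running `render_acl(ACL_110)` reproduces the two `rendered` lines for ACL 110 shown above; the same renderer also yields the icmp traceroute line from the earlier before-state listings.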

# Using Parsed

# File: parsed.cfg
# ----------------
#
# IPv6 access-list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11

- name: Parse the commands for provided configuration
  cisco.ios.ios_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed

# Module Execution Result:
# ------------------------
#
# parsed:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

after
dictionary
The resulting configuration after module execution.
Returned: when changed
Sample: "This output will always be in the same format as the module argspec.\n"

before
dictionary
The configuration prior to the module execution.
Returned: when state is merged, replaced, overridden, deleted or purged
Sample: "This output will always be in the same format as the module argspec.\n"

commands
list / elements=string
The set of commands pushed to the remote device.
Returned: when state is merged, replaced, overridden, deleted or purged
Sample: ["ip access-list extended 110", "deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10", "permit ip host 2.2.2.2 host 3.3.3.3"]

gathered
list / elements=string
Facts about the network resource gathered from the remote device as structured data.
Returned: when state is gathered
Sample: ["This output will always be in the same format as the module argspec.\n"]

parsed
list / elements=string
The device native config provided in running_config option parsed into structured data as per module argspec.
Returned: when state is parsed
Sample: ["This output will always be in the same format as the module argspec.\n"]

rendered
list / elements=string
The provided configuration in the task rendered in device-native format (offline).
Returned: when state is rendered
Sample: ["ip access-list extended test", "permit ip host 2.2.2.2 host 3.3.3.3", "permit tcp host 1.1.1.1 host 5.5.5.5 eq www"]

Authors

  • Sumit Jaiswal (@justjais)

  • Sagar Paul (@KB-perByte)