cisco.iosxr.iosxr_acls module – Resource module to configure ACLs.
Note
This module is part of the cisco.iosxr collection (version 10.2.2).
If you are using the ansible package, you might already have this collection installed. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cisco.iosxr.
To use it in a playbook, specify: cisco.iosxr.iosxr_acls.
New in cisco.iosxr 1.0.0
Synopsis
This module manages access control lists (ACLs) on devices running IOS-XR.
Parameters
Parameter names are given as paths from the top level of the module arguments; `aces[]` abbreviates `config[].acls[].aces[]`. The `source` and `destination` dictionaries have the same keys, and `dscp`, `packet_length` and `ttl` all take the same comparison keys.

Parameter | Comments
---|---
`config` | A list of dictionaries specifying the ACL configuration.
`config[].acls` | A list of access control lists (ACLs).
`config[].acls[].aces` | A list of access control entries (ACEs) for this access control list (ACL).
`aces[].authen` | Match if an authentication header is present. Choices: `false`, `true`
`aces[].capture` | Capture matched packets. Choices: `false`, `true`
`aces[].destination` | Specifies the packet destination.
`aces[].destination.address` | The destination IP address to match.
`aces[].destination.any` | Match any destination address. Choices: `false`, `true`
`aces[].destination.host` | The host IP address to match.
`aces[].destination.net_group` | The name of a network group.
`aces[].destination.port_group` | The name of a port group.
`aces[].destination.port_protocol` | Specifies the source port or protocol.
`aces[].destination.port_protocol.eq` | Match only packets on the given port number.
`aces[].destination.port_protocol.gt` | Match only packets with a greater port number.
`aces[].destination.port_protocol.lt` | Match only packets with a lower port number.
`aces[].destination.port_protocol.neq` | Match only packets not on the given port number.
`aces[].destination.port_protocol.range` | Match only packets in the range of port numbers.
`aces[].destination.port_protocol.range.end` | Specifies the end of the port range.
`aces[].destination.port_protocol.range.start` | Specifies the start of the port range.
`aces[].destination.prefix` | The destination network prefix.
`aces[].destination.wildcard_bits` | The wildcard bits to apply to the destination address.
`aces[].destopts` | Match if a destination options header is present. Choices: `false`, `true`
`aces[].dscp` | Match packets with the given DSCP value.
`aces[].dscp.eq` | Match only packets with the given DSCP value.
`aces[].dscp.gt` | Match only packets with a greater DSCP value.
`aces[].dscp.lt` | Match only packets with a lower DSCP value.
`aces[].dscp.neq` | Match only packets not on the given DSCP value.
`aces[].dscp.range` | Match only packets in the range of DSCP values.
`aces[].dscp.range.end` | End of the DSCP range.
`aces[].dscp.range.start` | Start of the DSCP range.
`aces[].fragments` | Check non-initial fragments. Choices: `false`, `true`
`aces[].grant` | Forward or drop packets matching the access control entry (ACE). Choices: `deny`, `permit`
`aces[].hop_by_hop` | Match if a hop-by-hop options header is present. Choices: `false`, `true`
`aces[].icmp_off` | Enable/disable ICMP messages for this entry. Choices: `false`, `true`
`aces[].line` | The ACE without its sequence number. This key is mutually exclusive with all other attributes except `sequence`. When used together with other attributes, the value of this key takes precedence and the other keys are ignored. It should only be used when an attribute is not present in the argspec but is valid on the device. For fact gathering, any ACE that is not fully parsed is shown as the value of this attribute, without its sequence number, which is populated as the value of the `sequence` key.
`aces[].log` | Enable/disable log matches for this entry. Choices: `false`, `true`
`aces[].log_input` | Enable/disable log matches for this entry, including the input interface. Choices: `false`, `true`
`aces[].packet_length` | Match packets with the given packet length.
`aces[].packet_length.eq` | Match only packets with the given packet length.
`aces[].packet_length.gt` | Match only packets with a greater packet length.
`aces[].packet_length.lt` | Match only packets with a lower packet length.
`aces[].packet_length.neq` | Match only packets not on the given packet length.
`aces[].packet_length.range` | Match only packets in the range of packet lengths.
`aces[].packet_length.range.end` | End of the packet length range.
`aces[].packet_length.range.start` | Start of the packet length range.
`aces[].precedence` | Match packets with the given precedence value.
`aces[].protocol` | Specifies the protocol to match. Refer to vendor documentation for valid values.
`aces[].protocol_options` | Additional sub-options for the protocol.
`aces[].protocol_options.icmp` | Internet Control Message Protocol settings.
`aces[].protocol_options.icmp.administratively_prohibited` | Administratively prohibited. Choices: `false`, `true`
`aces[].protocol_options.icmp.alternate_address` | Alternate address. Choices: `false`, `true`
`aces[].protocol_options.icmp.conversion_error` | Datagram conversion. Choices: `false`, `true`
`aces[].protocol_options.icmp.dod_host_prohibited` | Host prohibited. Choices: `false`, `true`
`aces[].protocol_options.icmp.dod_net_prohibited` | Net prohibited. Choices: `false`, `true`
`aces[].protocol_options.icmp.echo` | Echo (ping). Choices: `false`, `true`
`aces[].protocol_options.icmp.echo_reply` | Echo reply. Choices: `false`, `true`
`aces[].protocol_options.icmp.general_parameter_problem` | Parameter problem. Choices: `false`, `true`
`aces[].protocol_options.icmp.host_isolated` | Host isolated. Choices: `false`, `true`
`aces[].protocol_options.icmp.host_precedence_unreachable` | Host unreachable for precedence. Choices: `false`, `true`
`aces[].protocol_options.icmp.host_redirect` | Host redirect. Choices: `false`, `true`
`aces[].protocol_options.icmp.host_tos_redirect` | Host redirect for TOS. Choices: `false`, `true`
`aces[].protocol_options.icmp.host_tos_unreachable` | Host unreachable for TOS. Choices: `false`, `true`
`aces[].protocol_options.icmp.host_unknown` | Host unknown. Choices: `false`, `true`
`aces[].protocol_options.icmp.host_unreachable` | Host unreachable. Choices: `false`, `true`
`aces[].protocol_options.icmp.information_reply` | Information replies. Choices: `false`, `true`
`aces[].protocol_options.icmp.information_request` | Information requests. Choices: `false`, `true`
`aces[].protocol_options.icmp.mask_reply` | Mask replies. Choices: `false`, `true`
`aces[].protocol_options.icmp.mask_request` | Mask requests. Choices: `false`, `true`
`aces[].protocol_options.icmp.mobile_redirect` | Mobile host redirect. Choices: `false`, `true`
`aces[].protocol_options.icmp.net_redirect` | Network redirect. Choices: `false`, `true`
`aces[].protocol_options.icmp.net_tos_redirect` | Net redirect for TOS. Choices: `false`, `true`
`aces[].protocol_options.icmp.net_tos_unreachable` | Network unreachable for TOS. Choices: `false`, `true`
`aces[].protocol_options.icmp.net_unreachable` | Net unreachable. Choices: `false`, `true`
`aces[].protocol_options.icmp.network_unknown` | Network unknown. Choices: `false`, `true`
`aces[].protocol_options.icmp.no_room_for_option` | Parameter required but no room. Choices: `false`, `true`
`aces[].protocol_options.icmp.option_missing` | Parameter required but not present. Choices: `false`, `true`
`aces[].protocol_options.icmp.packet_too_big` | Fragmentation needed and DF set. Choices: `false`, `true`
`aces[].protocol_options.icmp.parameter_problem` | All parameter problems. Choices: `false`, `true`
`aces[].protocol_options.icmp.port_unreachable` | Port unreachable. Choices: `false`, `true`
`aces[].protocol_options.icmp.precedence_unreachable` | Precedence cutoff. Choices: `false`, `true`
`aces[].protocol_options.icmp.protocol_unreachable` | Protocol unreachable. Choices: `false`, `true`
`aces[].protocol_options.icmp.reassembly_timeout` | Reassembly timeout. Choices: `false`, `true`
`aces[].protocol_options.icmp.redirect` | All redirects. Choices: `false`, `true`
`aces[].protocol_options.icmp.router_advertisement` | Router discovery advertisements. Choices: `false`, `true`
`aces[].protocol_options.icmp.router_solicitation` | Router discovery solicitations. Choices: `false`, `true`
`aces[].protocol_options.icmp.source_quench` | Source quenches. Choices: `false`, `true`
`aces[].protocol_options.icmp.source_route_failed` | Source route failed. Choices: `false`, `true`
`aces[].protocol_options.icmp.time_exceeded` | All time exceededs. Choices: `false`, `true`
`aces[].protocol_options.icmp.timestamp_reply` | Timestamp replies. Choices: `false`, `true`
`aces[].protocol_options.icmp.timestamp_request` | Timestamp requests. Choices: `false`, `true`
`aces[].protocol_options.icmp.traceroute` | Traceroute. Choices: `false`, `true`
`aces[].protocol_options.icmp.ttl_exceeded` | TTL exceeded. Choices: `false`, `true`
`aces[].protocol_options.icmp.unreachable` | All unreachables. Choices: `false`, `true`
`aces[].protocol_options.icmpv6` | Internet Control Message Protocol settings for IPv6.
`aces[].protocol_options.icmpv6.address_unreachable` | Address unreachable. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.administratively_prohibited` | Administratively prohibited. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.beyond_scope_of_source_address` | Administratively prohibited. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.destination_unreachable` | Destination unreachable. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.echo` | Echo. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.echo_reply` | Echo reply. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.erroneous_header_field` | Erroneous header field. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.group_membership_query` | Group membership query. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.group_membership_report` | Group membership report. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.group_membership_termination` | Group membership termination. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.host_unreachable` | Host unreachable. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.nd_na` | Neighbor discovery - neighbor advertisements. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.nd_ns` | Neighbor discovery - neighbor solicitations. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.neighbor_redirect` | Neighbor redirect. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.no_route_to_destination` | No route to destination. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.node_information_request_is_refused` | Node information request is refused. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.node_information_successful_reply` | Node information successful reply. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.packet_too_big` | Packet too big. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.parameter_problem` | Parameter problem. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.port_unreachable` | Port unreachable. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.query_subject_is_domainname` | Query subject is a domain name. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.query_subject_is_IPv4address` | Query subject is an IPv4 address. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.query_subject_is_IPv6address` | Query subject is an IPv6 address. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.reassembly_timeout` | Reassembly timeout. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.redirect` | Redirect. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.router_advertisement` | Router advertisement. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.router_renumbering` | Router renumbering. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.router_solicitation` | Router solicitation. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.rr_command` | RR command. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.rr_result` | RR result. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.rr_seqnum_reset` | RR sequence number reset. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.time_exceeded` | Time exceeded. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.ttl_exceeded` | TTL exceeded. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.unknown_query_type` | Unknown query type. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.unreachable` | Unreachable. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.unrecognized_next_header` | Unrecognized next header. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.unrecognized_option` | Unrecognized option. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.whoareyou_reply` | Who-are-you reply. Choices: `false`, `true`
`aces[].protocol_options.icmpv6.whoareyou_request` | Who-are-you request. Choices: `false`, `true`
`aces[].protocol_options.igmp` | Internet Group Management Protocol (IGMP) settings.
`aces[].protocol_options.igmp.dvmrp` | Match Distance Vector Multicast Routing Protocol. Choices: `false`, `true`
`aces[].protocol_options.igmp.host_query` | Match host query. Choices: `false`, `true`
`aces[].protocol_options.igmp.host_report` | Match host report. Choices: `false`, `true`
`aces[].protocol_options.igmp.mtrace` | Match mtrace. Choices: `false`, `true`
`aces[].protocol_options.igmp.mtrace_response` | Match mtrace response. Choices: `false`, `true`
`aces[].protocol_options.igmp.pim` | Match Protocol Independent Multicast. Choices: `false`, `true`
`aces[].protocol_options.igmp.trace` | Multicast trace. Choices: `false`, `true`
`aces[].protocol_options.tcp` | Match TCP packet flags.
`aces[].protocol_options.tcp.ack` | Match on the ACK bit. Choices: `false`, `true`
`aces[].protocol_options.tcp.established` | Match established connections. Choices: `false`, `true`
`aces[].protocol_options.tcp.fin` | Match on the FIN bit. Choices: `false`, `true`
`aces[].protocol_options.tcp.psh` | Match on the PSH bit. Choices: `false`, `true`
`aces[].protocol_options.tcp.rst` | Match on the RST bit. Choices: `false`, `true`
`aces[].protocol_options.tcp.syn` | Match on the SYN bit. Choices: `false`, `true`
`aces[].protocol_options.tcp.urg` | Match on the URG bit. Choices: `false`, `true`
`aces[].remark` | Comments or a description for the access list.
`aces[].routing` | Match if a routing header is present. Choices: `false`, `true`
`aces[].sequence` | Sequence number of the access control entry (ACE).
`aces[].source` | Specifies the packet source.
`aces[].source.address` | The source IP address to match.
`aces[].source.any` | Match any source address. Choices: `false`, `true`
`aces[].source.host` | The host IP address to match.
`aces[].source.net_group` | The name of a network group.
`aces[].source.port_group` | The name of a port group.
`aces[].source.port_protocol` | Specifies the source port or protocol.
`aces[].source.port_protocol.eq` | Match only packets on the given port number.
`aces[].source.port_protocol.gt` | Match only packets with a greater port number.
`aces[].source.port_protocol.lt` | Match only packets with a lower port number.
`aces[].source.port_protocol.neq` | Match only packets not on the given port number.
`aces[].source.port_protocol.range` | Match only packets in the range of port numbers.
`aces[].source.port_protocol.range.end` | Specifies the end of the port range.
`aces[].source.port_protocol.range.start` | Specifies the start of the port range.
`aces[].source.prefix` | The source network prefix.
`aces[].source.wildcard_bits` | The wildcard bits to apply to the source address.
`aces[].ttl` | Match the specified TTL value.
`aces[].ttl.eq` | Match only packets with the exact TTL value.
`aces[].ttl.gt` | Match only packets with a greater TTL value.
`aces[].ttl.lt` | Match only packets with a lower TTL value.
`aces[].ttl.neq` | Match only packets not having the given TTL value.
`aces[].ttl.range` | Match only packets in the given range of TTL values.
`aces[].ttl.range.end` | End of the TTL range.
`aces[].ttl.range.start` | Start of the TTL range.
`config[].acls[].name` | The name of the access control list (ACL).
`config[].afi` | The address family indicator (AFI) of the access control list (ACL). Choices: `ipv4`, `ipv6`
`running_config` | By default, the module connects to the remote device and retrieves the current running configuration to use as the base for comparison against the source contents. There are times when it is not desirable to have the task get the current running configuration for every task in a playbook. The *running_config* argument allows the implementer to pass in the configuration to use as the base config for comparison. The value of this option should be the output received from the device by executing the command **show running-config router static**.
`state` | The state the configuration should be left in. Choices: `deleted`, `gathered`, `merged`, `overridden`, `parsed`, `rendered`, `replaced`
Examples
```yaml
# Using merged to add new ACLs

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-al
# Fri Sep 22 03:57:04.758 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any

- name: Merge the provided configuration with the existing running configuration
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv6
        acls:
          - name: acl6_1
            aces:
              - sequence: 10
                grant: deny
                protocol: tcp
                source:
                  prefix: '2001:db8:1234::/48'
                  port_protocol:
                    range:
                      start: ftp
                      end: telnet
                destination:
                  any: true
                protocol_options:
                  tcp:
                    syn: true
                ttl:
                  range:
                    start: 180
                    end: 250
                routing: true
                authen: true
                log: true
              - sequence: 20
                grant: permit
                protocol: icmpv6
                source:
                  any: true
                destination:
                  any: true
                protocol_options:
                  icmpv6:
                    router_advertisement: true
                precedence: network
                destopts: true
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              - sequence: 16
                remark: TEST_ACL_1_REMARK
              - sequence: 21
                grant: permit
                protocol: tcp
                source:
                  host: 192.0.2.10
                  port_protocol:
                    range:
                      start: pop3
                      end: 121
                destination:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.15
                protocol_options:
                  tcp:
                    rst: true
              - sequence: 23
                grant: deny
                protocol: icmp
                source:
                  any: true
                destination:
                  prefix: 198.51.100.0/28
                protocol_options:
                  icmp:
                    reassembly_timeout: true
                dscp:
                  lt: af12
          - name: acl_2
            aces:
              - sequence: 10
                remark: TEST_ACL_2_REMARK
    state: merged

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: udp
#       sequence: 10
#       source:
#         address: 192.168.1.0
#         wildcard_bits: 0.0.0.255
#     name: acl_1
#   afi: ipv4
#
# commands:
# - ipv6 access-list acl6_1
# - 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log
# - 20 permit icmpv6 any any router-advertisement precedence network destopts
# - ipv4 access-list acl_1
# - 16 remark TEST_ACL_1_REMARK
# - 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# - 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# - ipv4 access-list acl_2
# - 10 remark TEST_ACL_2_REMARK
#
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: udp
#       sequence: 10
#       source:
#         address: 192.168.1.0
#         wildcard_bits: 0.0.0.255
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6

# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 04:35:19.977 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

# Using merged to update existing ACLs

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 04:37:33.542 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Update existing ACEs
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              - sequence: 21
                source:
                  prefix: 198.51.100.32/28
                  port_protocol:
                    range:
                      start: pop3
                      end: 121
                protocol_options:
                  tcp:
                    syn: true
              - sequence: 23
                protocol_options:
                  icmp:
                    router_advertisement: true
                dscp:
                  eq: af23

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: udp
#       sequence: 10
#       source:
#         address: 192.168.1.0
#         wildcard_bits: 0.0.0.255
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
#
# commands:
# - ipv4 access-list acl_1
# - 21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
# - 23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
#
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: udp
#       sequence: 10
#       source:
#         address: 192.168.1.0
#         wildcard_bits: 0.0.0.255
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       sequence: 21
#       source:
#         address: 198.51.100.32
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#         wildcard_bits: 0.0.0.15
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         eq: af23
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           router_advertisement: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6

# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:58:38.345 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
#  23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

# Using replaced to replace a whole ACL

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 05:38:36.205 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Replace device configurations of listed ACL with provided configurations
  cisco.iosxr.iosxr_acls:
    state: replaced
    config:
      - afi: ipv4
        acls:
          - name: acl_2
            aces:
              - sequence: 11
                grant: permit
                protocol: igmp
                source:
                  host: 198.51.100.130
                destination:
                  any: true
                ttl:
                  eq: 100
              - sequence: 12
                grant: deny
                source:
                  any: true
                destination:
                  any: true
                protocol: icmp

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: udp
#       sequence: 10
#       source:
#         address: 192.168.1.0
#         wildcard_bits: 0.0.0.255
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
#
# commands:
# - ipv4 access-list acl_2
# - no 10
# - 11 permit igmp host 198.51.100.130 any ttl eq 100
# - 12 deny icmp any any
#
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: udp
#       sequence: 10
#       source:
#         address: 192.168.1.0
#         wildcard_bits: 0.0.0.255
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: igmp
#       sequence: 11
#       source:
#         host: 198.51.100.130
#       ttl:
#         eq: 100
#     - destination:
#         any: true
#       grant: deny
#       protocol: icmp
#       sequence: 12
#       source:
#         any: true
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6

# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 05:56:21.103 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  11 permit igmp host 198.51.100.130 any ttl eq 100
#  12 deny icmp any any
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

# Using overridden to override all ACLs in the device

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  10 permit udp 192.168.1.0 0.0.0.255 any
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Override all ACLs configuration with provided configuration
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
        acls:
          - name: acl_1
            aces:
              - sequence: 10
                grant: permit
                source:
                  any: true
                destination:
                  any: true
                protocol: tcp
          - name: acl_2
            aces:
              - sequence: 20
                grant: permit
                source:
                  any: true
                destination:
                  any: true
                protocol: igmp
    state: overridden

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
#
# commands:
# - no ipv6 access-list acl6_1
# - ipv4 access-list acl_1
# - no 16
# - no 21
# - no 23
# - 10 permit tcp any any
# - ipv4 access-list acl_2
# - no 10
# - 20 permit igmp any any
#
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: tcp
#       sequence: 10
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: igmp
#       sequence: 20
#       source:
#         any: true
#     name: acl_2
#   afi: ipv4

# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:31:22.178 UTC
# ipv4 access-list acl_1
#  10 permit tcp any any
# ipv4 access-list acl_2
#  20 permit igmp any any

# Using deleted to delete an entire ACL

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete a single ACL
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv6
        acls:
          - name: acl6_1
    state: deleted

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
#
# commands:
# - no ipv6 access-list acl6_1
#
# after:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4

# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK

# Using deleted to delete all ACLs under one AFI

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete all ACLs under one AFI
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
    state: deleted

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
#
# commands:
# - no ipv4 access-list acl_1
# - no ipv4 access-list acl_2
#
# after:
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6

# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

# Using deleted to delete all ACLs from the device

# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Delete all ACLs from the device
  cisco.iosxr.iosxr_acls:
    state: deleted

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
#
# commands:
# - no ipv4 access-list acl_1
# - no ipv4 access-list acl_2
# - no ipv6 access-list acl6_1
#
# after: []

# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#

# Using gathered to gather ACL facts from the device

# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Gather ACL interfaces facts using gathered state
  cisco.iosxr.iosxr_acls:
    state: gathered

# Task Output (redacted)
# -----------------------
#
# gathered:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6

# Using rendered

- name: Render platform specific commands (without connecting to the device)
  cisco.iosxr.iosxr_acls:
    config:
      - afi: ipv4
        acls:
          - name: acl_2
            aces:
              - sequence: 11
                grant: permit
                protocol: igmp
                source:
                  host: 198.51.100.130
                destination:
                  any: true
                ttl:
                  eq: 100
              - sequence: 12
                grant: deny
                source:
                  any: true
                destination:
                  any: true
                protocol: icmp
    state: rendered

# Task Output (redacted)
# -----------------------
# rendered:
# - ipv4 access-list acl_2
# - 11 permit igmp host 198.51.100.130 any ttl eq 100
# - 12 deny icmp any any

# Using parsed

# parsed.cfg
# ------------
# ipv4 access-list acl_1
#  16 remark TEST_ACL_1_REMARK
#  21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
#  23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
#  10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
#  10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
#  20 permit icmpv6 any any router-advertisement precedence network destopts

- name: Parse externally provided ACL config to agnostic model
  cisco.iosxr.iosxr_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed

# Task Output (redacted)
# -----------------------
# parsed:
# - acls:
#   - aces:
#     - remark: TEST_ACL_1_REMARK
#       sequence: 16
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       grant: permit
#       protocol: tcp
#       protocol_options:
#         tcp:
#           rst: true
#       sequence: 21
#       source:
#         host: 192.0.2.10
#         port_protocol:
#           range:
#             end: '121'
#             start: pop3
#     - destination:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.15
#       dscp:
#         lt: af12
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           reassembly_timeout: true
#       sequence: 23
#       source:
#         any: true
#     name: acl_1
#   - aces:
#     - remark: TEST_ACL_2_REMARK
#       sequence: 10
#     name: acl_2
#   afi: ipv4
# - acls:
#   - aces:
#     - authen: true
#       destination:
#         any: true
#       grant: deny
#       log: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           syn: true
#       routing: true
#       sequence: 10
#       source:
#         port_protocol:
#           range:
#             end: telnet
#             start: ftp
#         prefix: 2001:db8:1234::/48
#       ttl:
#         range:
#           end: 250
#           start: 180
#     - destination:
#         any: true
#       destopts: true
#       grant: permit
#       precedence: network
#       protocol: icmpv6
#       protocol_options:
#         icmpv6:
#           router_advertisement: true
#       sequence: 20
#       source:
#         any: true
#     name: acl6_1
#   afi: ipv6
```
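The examples above show the module's four change states producing different `commands` from the same `before` state: `merged` re-issues only the ACEs that differ, `replaced` also removes ACEs of the listed ACLs that are absent from the task, `overridden` additionally removes every ACL the task does not list, and `deleted` removes the selected ACLs (one ACL, one AFI, or everything). The added example below is not the collection's code; it is a small offline model of those rules, written so that the `show access-lists` text from the page's `parsed.cfg` (constructed here as `RUNNING_CONFIG`, the same input the `running_config` option takes) is parsed into a sequence-keyed structure and the command lists for each state are reproduced. It deliberately keeps each ACE as opaque text, which is also how the module's `line` key carries entries its argspec cannot express, and it adds the check a reviewer wants before running an `overridden` or `replaced` task: which resulting ACEs permit any source to any destination.

```python
import re

# Constructed sample input: the ACL configuration from the page's examples,
# in the form `show access-lists afi-all` prints it (ACEs indented one space).
RUNNING_CONFIG = """\
ipv4 access-list acl_1
 10 permit udp 192.168.1.0 0.0.0.255 any
 16 remark TEST_ACL_1_REMARK
 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
ipv4 access-list acl_2
 10 remark TEST_ACL_2_REMARK
ipv6 access-list acl6_1
 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
 20 permit icmpv6 any any router-advertisement precedence network destopts
"""

ACL_HEADER = re.compile(r"^(ipv4|ipv6) access-list (\S+)$")
ACE_LINE = re.compile(r"^(\d+) (.+)$")
# A permit whose source and destination are both `any`, for any protocol.
BROAD_PERMIT = re.compile(r"^permit \S+ any any(?:\s|$)")


def parse_access_lists(text):
    """Parse `show access-lists` output (the module's running_config input)
    into {(afi, name): {sequence: ace_text}}. The text after the sequence
    number is kept verbatim, the way the module's `line` key keeps entries
    its argspec cannot fully represent."""
    acls = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = (header.group(1), header.group(2))
            acls.setdefault(current, {})
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            acls[current][int(ace.group(1))] = ace.group(2)
    return acls


def render_commands(have, want, state):
    """Commands that move `have` (parsed device state) to `want`, following
    the rules visible in the page's examples. Keys are (afi, name); for
    `deleted`, a name of None selects every ACL of that AFI and an empty
    `want` selects every ACL on the device."""
    if state not in ("merged", "replaced", "overridden", "deleted"):
        raise ValueError(f"unsupported state: {state}")
    if state == "deleted":
        if not want:
            targets = list(have)
        else:
            targets = [key for key in have
                       if any(key[0] == afi and name in (None, key[1])
                              for afi, name in want)]
        return [f"no {afi} access-list {name}" for afi, name in targets]
    cmds = []
    if state == "overridden":
        cmds += [f"no {afi} access-list {name}"
                 for afi, name in have if (afi, name) not in want]
    for (afi, name), aces in want.items():
        existing = have.get((afi, name), {})
        block = []
        if state != "merged":
            block += [f"no {seq}" for seq in sorted(existing) if seq not in aces]
        # Re-issuing a sequence number replaces that ACE in place on IOS-XR,
        # so changed entries need no explicit removal (see the merged example).
        block += [f"{seq} {text}" for seq, text in sorted(aces.items())
                  if existing.get(seq) != text]
        if block:
            cmds.append(f"{afi} access-list {name}")
            cmds.extend(block)
    return cmds


def broad_permits(acls):
    """(afi, name, sequence) of every ACE that permits any source to any
    destination: the entries to review before pushing a replaced or
    overridden configuration, since they widen exposure silently."""
    return [(afi, name, seq) for (afi, name), aces in acls.items()
            for seq, text in sorted(aces.items()) if BROAD_PERMIT.match(text)]


if __name__ == "__main__":
    have = parse_access_lists(RUNNING_CONFIG)
    want = {("ipv4", "acl_1"): {10: "permit tcp any any"},
            ("ipv4", "acl_2"): {20: "permit igmp any any"}}
    for cmd in render_commands(have, want, "overridden"):
        print(cmd)
    print("broad permits in desired state:", broad_permits(want))
```

Run as a script, it prints the nine commands of the page's `overridden` example and then flags both resulting ACEs as any-to-any permits; the same `render_commands` call with `state="deleted"` and `{("ipv4", None): {}}` yields the two `no ipv4 access-list` lines of the per-AFI deletion example.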
Return Values
Common return values are documented here; the following are the fields unique to this module.

Key | Description
---|---
`after` | The resulting configuration model invocation. Returned: when changed
`before` | The configuration prior to the model invocation. Returned: always
`commands` | The set of commands pushed to the remote device. Returned: always
`gathered` | Facts about the network resource gathered from the remote device as structured data. Returned: when `state` is `gathered`
`parsed` | The device native config provided in the `running_config` option, parsed into structured data per the module argspec. Returned: when `state` is `parsed`
`rendered` | The provided configuration in the task rendered in device-native format (offline). Returned: when `state` is `rendered`