cisco.nxos.nxos_acls 模块 – ACL 资源模块

注意

此模块是 cisco.nxos 集合 (版本 9.2.1) 的一部分。

如果您使用的是 ansible 包，则可能已安装此集合。它不包含在 ansible-core 中。要检查它是否已安装，请运行 ansible-galaxy collection list。

要安装它，请使用： ansible-galaxy collection install cisco.nxos。

要在 playbook 中使用它，请指定： cisco.nxos.nxos_acls。

cisco.nxos 1.0.0 中的新增功能

概要 

管理 Cisco NX-OS 平台上的命名 IP ACL。

参数 

参数	注释
config 列表 / 元素=字典	ACL 选项的字典。
acls 列表 / 元素=字典	ACL 列表。
aces 列表 / 元素=字典	ACL 中的条目。
destination 字典	指定数据包目标。
address 字符串	目标网络地址。
any 布尔值	任何目标地址。选项 `false` `true`
host 字符串	主机 IP 地址。
port_protocol 字典	指定目标端口或协议（仅限于 TCP 和 UDP）。
eq 字符串	仅匹配给定端口号上的数据包。
gt 字符串	仅匹配端口号更大的数据包。
lt 字符串	仅匹配端口号更小的数据包。
neq 字符串	仅匹配不在给定端口号上的数据包。
range 字典	仅匹配端口号范围内的数据包。
end 字符串	指定端口范围的结束。
start 字符串	指定端口范围的开始。
prefix 字符串	目标网络前缀。仅适用于 ipv4 小于 31 和 ipv6 小于 127 的前缀。32 (ipv4) 和 128 (ipv6) 的前缀应在“host”键中给出。
wildcard_bits 字符串	目标通配符位。
dscp 字符串	匹配具有给定 DSCP 值的数据包。
fragments 布尔值	检查非初始片段。选项 `false` `true`
grant 字符串	要应用于规则的操作。选项 `"permit"` `"deny"`
log 布尔值	记录与此条目匹配的日志。选项 `false` `true`
precedence 字符串	匹配具有给定优先级值的数据包。
protocol 字符串	指定协议。
protocol_options 字典	所选协议的所有可能的子选项。
icmp 字典	ICMP 协议选项。
administratively_prohibited 布尔值	管理上禁止选项 `false` `true`
alternate_address 布尔值	备用地址选项 `false` `true`
conversion_error 布尔值	数据报转换错误选项 `false` `true`
dod_host_prohibited 布尔值	主机禁止选项 `false` `true`
dod_net_prohibited 布尔值	网络禁止选项 `false` `true`
echo 布尔值	回显（ping）选项 `false` `true`
echo_reply 布尔值	回显回复选项 `false` `true`
echo_request 布尔值	回显请求（ping）选项 `false` `true`
general_parameter_problem 布尔值	参数问题选项 `false` `true`
host_isolated 布尔值	主机隔离选项 `false` `true`
host_precedence_unreachable 布尔值	主机因优先级不可达选项 `false` `true`
host_redirect 布尔值	主机重定向选项 `false` `true`
host_tos_redirect 布尔值	针对 TOS 的主机重定向选项 `false` `true`
host_tos_unreachable 布尔值	主机因 TOS 不可达选项 `false` `true`
host_unknown 布尔值	主机未知选项 `false` `true`
host_unreachable 布尔值	主机不可达选项 `false` `true`
information_reply 布尔值	信息回复选项 `false` `true`
information_request 布尔值	信息请求选项 `false` `true`
mask_reply 布尔值	掩码回复选项 `false` `true`
mask_request 布尔值	掩码请求选项 `false` `true`
message_code 整数	ICMP 消息代码
message_type 整数	ICMP 消息类型
mobile_redirect 布尔值	移动主机重定向选项 `false` `true`
net_redirect 布尔值	网络重定向选项 `false` `true`
net_tos_redirect 布尔值	针对 TOS 的网络重定向选项 `false` `true`
net_tos_unreachable 布尔值	网络因 TOS 不可达选项 `false` `true`
net_unreachable 布尔值	网络不可达选项 `false` `true`
network_unknown 布尔值	网络未知选项 `false` `true`
no_room_for_option 布尔值	缺少参数空间选项 `false` `true`
option_missing 布尔值	缺少必需参数选项 `false` `true`
packet_too_big 布尔值	需要分片且 DF 设置选项 `false` `true`
parameter_problem 布尔值	所有参数问题选项 `false` `true`
port_unreachable 布尔值	端口不可达选项 `false` `true`
precedence_unreachable 布尔值	优先级截止选项 `false` `true`
protocol_unreachable 布尔值	协议不可达选项 `false` `true`
reassembly_timeout 布尔值	重组超时选项 `false` `true`
redirect 布尔值	所有重定向选项 `false` `true`
router_advertisement 布尔值	路由器发现广告选项 `false` `true`
router_solicitation 布尔值	路由器发现请求选项 `false` `true`
source_quench 布尔值	源抑制选项 `false` `true`
source_route_failed 布尔值	源路由失败选项 `false` `true`
time_exceeded 布尔值	所有超时选项 `false` `true`
timestamp_reply 布尔值	时间戳回复选项 `false` `true`
timestamp_request 布尔值	时间戳请求选项 `false` `true`
traceroute 布尔值	Traceroute 选项 `false` `true`
ttl_exceeded 布尔值	TTL 超时选项 `false` `true`
unreachable 布尔值	所有不可达选项 `false` `true`
icmpv6 字典	ICMPv6 协议选项。
beyond_scope 布尔值	目标超出范围。选项 `false` `true`
destination_unreachable 布尔值	目标地址不可达。选项 `false` `true`
echo_reply 布尔值	回显回复。选项 `false` `true`
echo_request 布尔值	回显请求（ping）。选项 `false` `true`
fragments 布尔值	检查非初始片段。选项 `false` `true`
header 布尔值	参数报头问题。选项 `false` `true`
hop_limit 布尔值	跃点限制在传输过程中超过。选项 `false` `true`
mld_query 布尔值	组播侦听器发现查询。选项 `false` `true`
mld_reduction 布尔值	组播侦听器发现减少。选项 `false` `true`
mld_report 布尔值	组播侦听器发现报告。选项 `false` `true`
mldv2 布尔值	组播侦听器发现协议。选项 `false` `true`
nd_na 布尔值	邻居发现邻居广告。选项 `false` `true`
nd_ns 布尔值	邻居发现邻居请求。选项 `false` `true`
next_header 布尔值	参数下一个报头问题。选项 `false` `true`
no_admin 布尔值	管理禁止目标。选项 `false` `true`
no_route 布尔值	没有到目的地的路由。选项 `false` `true`
packet_too_big 布尔值	数据包过大。选项 `false` `true`
parameter_option 布尔值	参数选项问题。选项 `false` `true`
parameter_problem 布尔值	所有参数问题。选项 `false` `true`
port_unreachable 布尔值	端口不可达。选项 `false` `true`
reassembly_timeout 布尔值	重组超时。选项 `false` `true`
renum_command 布尔值	路由器重编号命令。选项 `false` `true`
renum_result 布尔值	路由器重编号结果。选项 `false` `true`
renum_seq_number 布尔值	路由器重编号序列号重置。选项 `false` `true`
router_advertisement 布尔值	邻居发现路由器广告。选项 `false` `true`
router_renumbering 布尔值	所有路由器重编号。选项 `false` `true`
router_solicitation 布尔值	邻居发现路由器请求。选项 `false` `true`
telemetry_path 布尔值	已启用IPT。选项 `false` `true`
telemetry_queue 布尔值	BDC/HDC 感兴趣的流。选项 `false` `true`
time_exceeded 布尔值	所有超时选项 `false` `true`
unreachable 布尔值	全部不可达。选项 `false` `true`
igmp 字典	IGMP协议选项。
dvmrp 布尔值	距离矢量组播路由协议选项 `false` `true`
host_query 布尔值	主机查询选项 `false` `true`
host_report 布尔值	主机报告选项 `false` `true`
tcp 字典	TCP标志。
ack 布尔值	匹配ACK位选项 `false` `true`
established 布尔值	匹配已建立连接选项 `false` `true`
fin 布尔值	匹配FIN位选项 `false` `true`
psh 布尔值	匹配PSH位选项 `false` `true`
rst 布尔值	匹配RST位选项 `false` `true`
syn 布尔值	匹配SYN位选项 `false` `true`
urg 布尔值	匹配URG位选项 `false` `true`
remark 字符串	访问列表条目注释。
sequence 整数	序列号。
source 字典	指定数据包源。
address 字符串	源网络地址。
any 布尔值	任何源地址。选项 `false` `true`
host 字符串	主机 IP 地址。
port_protocol 字典	指定目标端口或协议（仅限于 TCP 和 UDP）。
eq 字符串	仅匹配给定端口号上的数据包。
gt 字符串	仅匹配端口号更大的数据包。
lt 字符串	仅匹配端口号更小的数据包。
neq 字符串	仅匹配不在给定端口号上的数据包。
range 字典	仅匹配端口号范围内的数据包。
end 字符串	指定端口范围的结束。
start 字符串	指定端口范围的开始。
prefix 字符串	源网络前缀。仅适用于IPv4掩码值小于31和IPv6掩码值小于127的前缀。掩码为32（IPv4）和128（IPv6）的前缀应在“host”键中给出。
wildcard_bits 字符串	源通配符位。
name 字符串 / 必需	ACL 的名称。
afi 字符串 / 必需	ACL 的地址族指示器 (AFI)。选项 `"ipv4"` `"ipv6"`
running_config 字符串	此选项仅与状态 parsed 一起使用。此选项的值应是从 NX-OS 设备通过执行命令 show running-config \| section ‘ip(v6* access-list) 收到的输出。状态 parsed 从 `running_config` 选项读取配置，并根据资源模块的 argspec 将其转换为 Ansible 结构化数据，然后在结果中的 parsed 键中返回该值。
state 字符串	配置应保留的状态选项 `"deleted"` `"gathered"` `"merged"` ← (默认) `"overridden"` `"rendered"` `"replaced"` `"parsed"`

注释 

注意

在 VIRL 上针对 NX-OS 7.3.(0)D1(1) 进行了测试
不支持 Cisco MDS
由于 NX-OS 允许使用不同的序列号再次配置规则，因此用户应为访问控制条目提供序列号以保持幂等性。如果没有给出序列号，则该规则将被设备添加为新规则。

示例 

# Using merged

# Before state:
# -------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'

- name: Merge provided ACLs configuration with device configuration
  cisco.nxos.nxos_acls:
    state: merged
    config:
      - afi: ipv4
        acls:
          - name: ACL1v4
            aces:
              - grant: deny
                destination:
                  address: 192.0.2.64
                  wildcard_bits: 0.0.0.255
                source:
                  any: true
                  port_protocol:
                    lt: 55
                protocol: tcp
                protocol_options:
                  tcp:
                    ack: true
                    fin: true
                sequence: 50

      - afi: ipv6
        acls:
          - name: ACL1v6
            aces:
              - grant: permit
                sequence: 10
                source:
                  any: true
                destination:
                  prefix: 2001:db8:12::/32
                protocol: sctp

# Task Output
# -----------
# before: []
#
# commands:
# - ip access-list ACL1v4
# - 50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
# - ipv6 access-list ACL1v6
# - 10 permit sctp any 2001:db8:12::/32
#
# after:
#  - acls:
#    - aces:
#      - destination:
#          prefix: 2001:db8:12::/32
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      name: ACL1v6
#    afi: ipv6
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.2.64
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#            fin: true
#        sequence: 50
#        source:
#          any: true
#          port_protocol:
#            lt: '55'
#      name: ACL1v4
#    afi: ipv4


# After state:
# ------------
#
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#  50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
# ipv6 access-list ACL1v6
#  10 permit sctp any any

# Using replaced

# Before state:
# ----------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#   10 permit ip any any
#   20 deny udp any any
# ip access-list ACL2v4
#   10 permit ahp 192.0.2.0 0.0.0.255 any
# ipv6 access-list ACL1v6
#   10 permit sctp any any
#   20 remark IPv6 ACL
# ipv6 access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

- name: Replace existing ACL configuration with provided configuration
  cisco.nxos.nxos_acls:
    config:
      - afi: ipv4
      - afi: ipv6
        acls:
          - name: ACL1v6
            aces:
              - sequence: 20
                grant: permit
                source:
                  any: true
                destination:
                  any: true
                protocol: pim

              - remark: Replaced ACE
          - name: ACL2v6
    state: replaced

# Task Output
# -----------
# before:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      - remark: IPv6 ACL
#        sequence: 20
#      name: ACL1v6
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ip
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          any: true
#        grant: deny
#        protocol: udp
#        sequence: 20
#        source:
#          any: true
#      name: ACL1v4
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ahp
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#      name: ACL2v4
#    afi: ipv4
#
# commands:
#  - no ip access-list ACL1v4
#  - no ip access-list ACL2v4
#  - ipv6 access-list ACL1v6
#  - no 10 permit sctp any any
#  - no 20 remark IPv6 ACL
#  - remark Replaced ACE
#  - 20 permit pim any any
#  - ipv6 access-list ACL2v6
#  - no 10 deny ipv6 any 2001:db8:3000::/36
#  - no 20 permit tcp host 2001:db8:2000:2::2 host 2001:db8:2000:ab::2
#
# after:
#  - acls:
#    - aces:
#      - remark: Replaced ACE
#        sequence: 10
#      - destination:
#          any: true
#        grant: permit
#        protocol: pim
#        sequence: 20
#        source:
#          any: true
#      name: ACL1v6
#    - name: ACL2v6
#    afi: ipv6

# After state:
# ---------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ipv6 access-list ACL1v6
#   10 remark Replaced ACE
#   20 permit pim any any
# ipv6 access-list ACL2v6

# Using overridden

# Before state:
# ----------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#   10 permit ip any any
#   20 deny udp any any
# ip access-list ACL2v4
#   10 permit ahp 192.0.2.0 0.0.0.255 any
# ipv6 access-list ACL1v6
#   10 permit sctp any any
#   20 remark IPv6 ACL
# ipv6 access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

- name: Override existing configuration with provided configuration
  cisco.nxos.nxos_acls:
    config:
      - afi: ipv4
        acls:
          - name: NewACL
            aces:
              - grant: deny
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.255.255
                destination:
                  any: true
                protocol: eigrp
              - remark: Example for overridden state
    state: overridden

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      - remark: IPv6 ACL
#        sequence: 20
#      name: ACL1v6
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#     - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ip
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          any: true
#        grant: deny
#        protocol: udp
#        sequence: 20
#        source:
#          any: true
#      name: ACL1v4
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ahp
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#      name: ACL2v4
#    afi: ipv4
#
# commands:
#  - no ipv6 access-list ACL1v6
#  - no ipv6 access-list ACL2v6
#  - no ip access-list ACL1v4
#  - no ip access-list ACL2v4
#  - ip access-list NewACL
#  - deny eigrp 192.0.2.0 0.0.255.255 any
#  - remark Example for overridden state
#
# after:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: deny
#        protocol: eigrp
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.255.255
#      - remark: Example for overridden state
#        sequence: 20
#      name: NewACL
#    afi: ipv4

# After state:
# ------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list NewACL
#   10 deny eigrp 192.0.2.0 0.0.255.255 any
#   20 remark Example for overridden state

# Using deleted - delete all
#
# Before state:
# -------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#   10 permit ip any any
#   20 deny udp any any
# ip access-list ACL2v4
#   10 permit ahp 192.0.2.0 0.0.0.255 any
# ip access-list ACL1v6
#   10 permit sctp any any
#   20 remark IPv6 ACL
# ip access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

- name: Delete all ACLs
  cisco.nxos.nxos_acls:
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      - remark: IPv6 ACL
#        sequence: 20
#      name: ACL1v6
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#     - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ip
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          any: true
#        grant: deny
#        protocol: udp
#        sequence: 20
#        source:
#          any: true
#      name: ACL1v4
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ahp
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#      name: ACL2v4
#    afi: ipv4
#
# commands:
#  - no ip access-list ACL1v4
#  - no ip access-list ACL2v4
#  - no ipv6 access-list ACL1v6
#  - no ipv6 access-list ACL2v6
#
# after: []


# After state:
# -----------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
#

# Using deleted - delete AFI

# Before state:
# -------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#   10 permit ip any any
#   20 deny udp any any
# ip access-list ACL2v4
#   10 permit ahp 192.0.2.0 0.0.0.255 any
# ip access-list ACL1v6
#   10 permit sctp any any
#   20 remark IPv6 ACL
# ip access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

- name: Delete all ACLs in given AFI
  cisco.nxos.nxos_acls:
    config:
      - afi: ipv4
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      - remark: IPv6 ACL
#        sequence: 20
#      name: ACL1v6
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#     - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ip
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          any: true
#        grant: deny
#        protocol: udp
#        sequence: 20
#        source:
#          any: true
#      name: ACL1v4
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ahp
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#      name: ACL2v4
#    afi: ipv4
#
# commands:
#  - no ip access-list ACL1v4
#  - no ip access-list ACL2v4
#
# after:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      - remark: IPv6 ACL
#        sequence: 20
#      name: ACL1v6
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#     - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6

# After state:
# ------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v6
#   10 permit sctp any any
#   20 remark IPv6 ACL
# ip access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

# Using deleted - delete ACLs

# Before state:
# -------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#   10 permit ip any any
#   20 deny udp any any
# ip access-list ACL2v4
#   10 permit ahp 192.0.2.0 0.0.0.255 any
# ipv6 access-list ACL1v6
#   10 permit sctp any any
#   20 remark IPv6 ACL
# ipv6 access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

- name: Delete specific ACLs
  cisco.nxos.nxos_acls:
    state: deleted
    config:
      - afi: ipv4
        acls:
          - name: ACL1v4
          - name: ACL2v4
      - afi: ipv6
        acls:
          - name: ACL1v6

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: sctp
#        sequence: 10
#        source:
#          any: true
#      - remark: IPv6 ACL
#        sequence: 20
#      name: ACL1v6
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#     - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6
#  - acls:
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ip
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          any: true
#        grant: deny
#        protocol: udp
#        sequence: 20
#        source:
#          any: true
#      name: ACL1v4
#    - aces:
#      - destination:
#          any: true
#        grant: permit
#        protocol: ahp
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#      name: ACL2v4
#    afi: ipv4
#
# commands:
#  - no ip access-list ACL1v4
#  - no ip access-list ACL2v4
#  - no ipv6 access-list ACL1v6
#
# after:
#  - acls:
#    - aces:
#      - destination:
#          prefix: 2001:db8:3000::/36
#        grant: deny
#        protocol: ipv6
#        sequence: 10
#        source:
#          any: true
#      - destination:
#          host: 2001:db8:2000:ab::2
#        grant: permit
#        protocol: tcp
#        sequence: 20
#        source:
#          host: 2001:db8:2000:2::2
#      name: ACL2v6
#    afi: ipv6

# After state:
# ------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ipv6 access-list ACL2v6
#  10 deny ipv6 any 2001:db8:3000::/36
#  20 permit tcp 2001:db8:2000:2::2/128 2001:db8:2000:ab::2/128

# Using parsed

- name: Parse given config to structured data
  cisco.nxos.nxos_acls:
    running_config: |
      ip access-list ACL1v4
        50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
      ipv6 access-list ACL1v6
        10 permit sctp any any
    state: parsed

# Task Output
# ------------
#
# parsed:
# - afi: ipv4
#   acls:
#     - name: ACL1v4
#       aces:
#         - grant: deny
#           destination:
#             address: 192.0.2.64
#             wildcard_bits: 0.0.0.255
#           source:
#             any: true
#             port_protocol:
#               lt: 55
#           protocol: tcp
#           protocol_options:
#             tcp:
#               ack: true
#               fin: true
#           sequence: 50
#
# - afi: ipv6
#   acls:
#     - name: ACL1v6
#       aces:
#         - grant: permit
#           sequence: 10
#           source:
#             any: true
#           destination:
#             prefix: 2001:db8:12::/32
#           protocol: sctp


# Using gathered:

# Before state:
# ------------
# nxos-9k# show running-config | section '^ip(v6)* access-list'
# ip access-list ACL1v4
#  50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
# ipv6 access-list ACL1v6
#  10 permit sctp any any

- name: Gather existing configuration
  cisco.nxos.nxos_acls:
    state: gathered

# Task Output
# -----------
#
# gathered:
# - afi: ipv4
#   acls:
#     - name: ACL1v4
#       aces:
#         - grant: deny
#           destination:
#             address: 192.0.2.64
#             wildcard_bits: 0.0.0.255
#           source:
#             any: true
#             port_protocol:
#               lt: 55
#           protocol: tcp
#           protocol_options:
#             tcp:
#               ack: true
#               fin: true
#           sequence: 50

# - afi: ipv6
#   acls:
#     - name: ACL1v6
#       aces:
#         - grant: permit
#           sequence: 10
#           source:
#             any: true
#           destination:
#             prefix: 2001:db8:12::/32
#           protocol: sctp


# Using rendered

- name: Render required configuration to be pushed to the device
  cisco.nxos.nxos_acls:
    config:
      - afi: ipv4
        acls:
          - name: ACL1v4
            aces:
              - grant: deny
                destination:
                  address: 192.0.2.64
                  wildcard_bits: 0.0.0.255
                source:
                  any: true
                  port_protocol:
                    lt: 55
                protocol: tcp
                protocol_options:
                  tcp:
                    ack: true
                    fin: true
                sequence: 50
      - afi: ipv6
        acls:
          - name: ACL1v6
            aces:
              - grant: permit
                sequence: 10
                source:
                  any: true
                destination:
                  prefix: '2001:db8:12::/32'
                protocol: sctp
    state: rendered


# Task Output
# -----------
#
# rendered:
#  ip access-list ACL1v4
#   50 deny tcp any lt 55 192.0.2.64 0.0.0.255 ack fin
#  ipv6 access-list ACL1v6
#   10 permit sctp any any

返回值 

常见的返回值已在此处记录，以下是此模块独有的字段

键	描述
after 字典	生成的配置模型调用。返回：发生更改时示例： `"The configuration returned will always be in the same format\n of the parameters above.\n"`
before 字典	模型调用之前的配置。返回：始终返回示例： `"The configuration returned will always be in the same format\n of the parameters above.\n"`
commands 列表 / 元素=字符串	推送到远程设备的命令集。返回：始终返回示例： `["ip access-list ACL1v4", "10 permit ip any any precedence critical log", "20 deny tcp any lt smtp host 192.0.2.64 ack fin"]`
gathered 列表 / 元素=字符串	从远程设备收集的关于网络资源的事实，以结构化数据表示。返回：当 state 为 `gathered` 时示例： `["This output will always be in the same format as the module argspec.\n"]`
parsed 列表 / 元素=字符串	根据模块 argspec 将 running_config 选项中提供的设备原生配置解析为结构化数据。返回：当 state 为 `parsed` 时示例： `["This output will always be in the same format as the module argspec.\n"]`
rendered 列表 / 元素=字符串	以设备原生格式（脱机）呈现的任务中提供的配置。返回：当 state 为 `rendered` 时示例： `["ip access-list ACL1v4", "10 permit ip any any precedence critical log", "20 deny tcp any lt smtp host 192.0.2.64 ack fin"]`

作者

Adharsh Srivats Rangarajan (@adharshsrivatsr)