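dellemc.enterprise_sonic.sonic_acl_interfaces module – Manage access control list (ACL) to interface binding on SONiC

Note

This module is part of the dellemc.enterprise_sonic collection (version 2.5.1).

If you are using the ansible package, you may already have this collection installed. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list

To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic

To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_acl_interfaces

New in dellemc.enterprise_sonic 2.1.0

Synopsis

  • This module provides configuration management for applying access control lists (ACLs) to interfaces on devices running SONiC.

  • The ACLs must already have been created on the device.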

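Parameters

Parameter

Comments

config

list / elements=dictionary

Specifies interface access-group configurations.

access_groups

list / elements=dictionary

Access-group configurations to be set for the interface.

acls

list / elements=dictionary

List of ACLs for the given type.

direction

string / required

Specifies the direction of the packets to which the ACL is applied.

Choices

  • "in"

  • "out"

name

string / required

Name of the ACL to be applied to the interface.

type

string / required

Type of the ACL to be applied to the interface.

Choices

  • "mac"

  • "ipv4"

  • "ipv6"

name

string / required

Full name of the interface, for example Eth1/1.

state

string

The state of the configuration after the module completes.

merged - Merges the provided interface access-group configuration with the configuration on the device.

replaced - Replaces the on-device access-group configuration of the specified interfaces with the provided configuration.

overridden - Overrides all on-device interface access-group configuration with the provided configuration.

deleted - Deletes the on-device interface access-group configuration.

Choices

  • "merged" ← (default)

  • "replaced"

  • "overridden"

  • "deleted"

Notes

Note

  • Supports check_mode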

Examples

# Using merged
#
# Before State:
# -------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# sonic#

  - name: Merge provided interface access-group configurations
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      config:
        - name: 'Eth1/1'
          access_groups:
            - type: 'mac'
              acls:
                - name: 'mac-acl-1'
                  direction: 'in'
                - name: 'mac-acl-2'
                  direction: 'out'
            - type: 'ipv6'
              acls:
                - name: 'ipv6-acl-2'
                  direction: 'out'
        - name: 'Eth1/2'
          access_groups:
            - type: 'ipv4'
              acls:
                - name: 'ip-acl-1'
                  direction: 'in'
      state: merged

# After State:
# ------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Ingress IP access-list ip-acl-1 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# sonic#


# Using replaced
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Ingress IP access-list ip-acl-1 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# sonic#

  - name: Replace device access-group configuration of specified interfaces with provided configuration
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      config:
        - name: 'Eth1/2'
          access_groups:
            - type: 'ipv6'
              acls:
                - name: 'ipv6-acl-2'
                  direction: 'out'
        - name: 'Eth1/3'
          access_groups:
            - type: 'ipv4'
              acls:
                - name: 'ip-acl-2'
                  direction: 'out'
      state: replaced

# After State:
# ------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#


# Using overridden
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#

  - name: Override all interfaces access-group device configuration with provided configuration
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      config:
        - name: 'Eth1/1'
          access_groups:
            - type: 'ipv4'
              acls:
                - name: 'ip-acl-2'
                  direction: 'out'
        - name: 'Eth1/2'
          access_groups:
            - type: 'ipv4'
              acls:
                - name: 'ip-acl-2'
                  direction: 'out'
      state: overridden

# After State:
# ------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/1
# Egress IP access-list ip-acl-2 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# sonic#


# Using deleted
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#

  - name: Delete specified interfaces access-group configurations
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      config:
        - name: 'Eth1/1'
          access_groups:
            - type: 'mac'
              acls:
                - name: 'mac-acl-1'
                  direction: 'in'
            - type: 'ipv6'
        - name: 'Eth1/2'
      state: deleted

# After State:
# ------------
#
# sonic# show mac access-group
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# sonic#


# Using deleted
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#

  - name: Delete all interface access-group configurations
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      config:
      state: deleted

# After State:
# ------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# sonic#
# sonic# show ipv6 access-group
# sonic#
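
The four states differ mainly in what they remove, which matters when the bindings are security ACLs: `overridden` also strips interfaces the task never mentions. The sketch below is an added example, not part of the dellemc.enterprise_sonic collection; it models the states as set operations, following the Before/After listings above, and reports which bindings a task would remove. The function names and tuple layout are assumptions of this example, and it does not model two ACLs competing for the same interface, type and direction.

```python
# Added example: a set-based model of the documented states, not the module's code.
BEFORE = [  # Before State of the page's "Using overridden" example, module format
    {"name": "Eth1/1", "access_groups": [
        {"type": "mac", "acls": [{"name": "mac-acl-1", "direction": "in"},
                                 {"name": "mac-acl-2", "direction": "out"}]},
        {"type": "ipv6", "acls": [{"name": "ipv6-acl-1", "direction": "in"},
                                  {"name": "ipv6-acl-2", "direction": "out"}]}]},
    {"name": "Eth1/2", "access_groups": [
        {"type": "ipv6", "acls": [{"name": "ipv6-acl-2", "direction": "out"}]}]},
    {"name": "Eth1/3", "access_groups": [
        {"type": "ipv4", "acls": [{"name": "ip-acl-2", "direction": "out"}]}]}]

def flatten(config):
    """Module-format config -> set of (interface, type, acl, direction)."""
    return {(i["name"], g["type"], a["name"], a["direction"])
            for i in config or []
            for g in i.get("access_groups") or []
            for a in g.get("acls") or []}

def selected_for_delete(binding, config):
    """state=deleted: does config select this binding for removal?"""
    intf, acl_type, acl, direction = binding
    if not config:
        return True                      # empty config: delete everything
    for i in (c for c in config if c["name"] == intf):
        groups = i.get("access_groups")
        if not groups:
            return True                  # bare interface: all of its bindings
        for g in (x for x in groups if x["type"] == acl_type):
            acls = g.get("acls")
            if not acls or any(a["name"] == acl and a["direction"] == direction for a in acls):
                return True              # bare type, or this exact ACL
    return False

def preview(before, config, state="merged"):
    """Return (after, removed) binding sets for a task with this config/state."""
    have, want = flatten(before), flatten(config)
    if state == "merged":
        after = have | want
    elif state == "replaced":            # only interfaces named in config change
        named = {i["name"] for i in config or []}
        after = {b for b in have if b[0] not in named} | want
    elif state == "overridden":          # unlisted interfaces lose everything
        after = want
    elif state == "deleted":
        after = {b for b in have if not selected_for_delete(b, config)}
    else:
        raise ValueError(f"unknown state: {state}")
    return after, have - after
```

Feed `preview` the `before` list from a check_mode run (the module returns it in the parameter format) and review `removed` before applying an `overridden` or `deleted` task.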

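Return Values

Common return values are documented here; the following are the fields unique to this module:

Description

after

list / elements=string

The resulting configuration after the module invocation.

Returned: when changed

Sample: ["The configuration returned will always be in the same format as the parameters above.\n"]

after(generated)

list / elements=string

The generated configuration from the module invocation.

Returned: check_mode

Sample: ["The configuration returned will always be in the same format as the parameters above.\n"]

before

list / elements=string

The configuration prior to the module invocation.

Returned: always

Sample: ["The configuration returned will always be in the same format as the parameters above.\n"]

commands

list / elements=string

The set of commands pushed to the remote device.

Returned: always

Sample: ["command 1", "command 2", "command 3"]

Authors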

  • Arun Saravanan Balachandran (@ArunSaravananBalachandran)