dellemc.enterprise_sonic.sonic_l2_acls module – Manage Layer 2 access control lists (ACL) configurations on SONiC
Note
This module is part of the dellemc.enterprise_sonic collection (version 2.5.1).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic.
To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_l2_acls.
New in dellemc.enterprise_sonic 2.1.0
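Synopsis
This module provides configuration management of Layer 2 access control lists (ACL) in devices running SONiC.
Parameters
Parameter |
Comments |
---|---|
Specifies Layer 2 ACL configurations. |
|
Specifies the ACL name. |
|
Specifies the remark for the ACL. |
|
List of rules in the ACL. sequence_num, action, source and destination are required for adding a new rule. If state=deleted, options other than sequence_num are not considered. ethertype and vlan_tag_format are mutually exclusive. |
|
Specifies the action taken on the matched Ethernet frame. Choices:
|
|
Match Ethernet frames with the given Drop Eligible Indicator (DEI) value. Choices:
|
|
Specifies the destination of the Ethernet frame. address and address_mask are required together. any, host and address are mutually exclusive. |
|
Destination MAC address. |
|
Destination MAC address mask. |
|
Match any destination MAC address. Choices:
|
|
MAC address of a single destination host. |
|
Specifies the EtherType of the Ethernet frame. Only one ethertype suboption can be specified in a rule. |
|
Match Ethernet frames with the ARP EtherType (0x806). Choices:
|
|
Match Ethernet frames with the IPv4 EtherType (0x800). Choices:
|
|
Match Ethernet frames with the IPv6 EtherType (0x86DD). Choices:
|
|
Specifies the EtherType value to match, as a hexadecimal string. The range is from 0x600 to 0xffff. |
|
Match Ethernet frames using the Priority Code Point (PCP) value. mask is valid only when value is specified. value and traffic_type are mutually exclusive. |
|
Match Ethernet frames with the given PCP value and mask. The range is from 0 to 7. |
|
Match Ethernet frames with the PCP value for the given traffic type.
Choices:
|
|
Match Ethernet frames with the given PCP value. The range is from 0 to 7. |
|
Specifies the remark for the ACL rule. |
|
Specifies the sequence number of the rule. The range is from 1 to 65535. |
|
Specifies the source of the Ethernet frame. address and address_mask are required together. any, host and address are mutually exclusive. |
|
Source MAC address. |
|
Source MAC address mask. |
|
Match any source MAC address. Choices:
|
|
MAC address of a single source host. |
|
Match Ethernet frames with the given VLAN ID. |
|
Match Ethernet frames with the given VLAN tag format. |
|
Match Ethernet frames with three or more VLAN tags. Choices:
|
|
The state of the configuration after module completion.
Choices:
|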
Notes
Note
Supports check_mode.
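The constraints stated in the parameter table (required keys, mutual exclusions, value ranges) can be checked on the rule data before a playbook is run against a switch. The following Python linter is an added example, not code from the collection; `lint_rule` and `check_endpoint` are hypothetical names, and each rule is assumed to be a plain dict shaped like an entry under `rules`.

```python
# Added example; check_endpoint and lint_rule are hypothetical helpers.
def check_endpoint(side, ep, errs):
    # any, host and address are mutually exclusive; address needs address_mask.
    kinds = [k for k in ("any", "host", "address") if ep.get(k)]
    if len(kinds) != 1:
        errs.append(f"{side}: need exactly one of any/host/address, got {kinds}")
    if ("address" in ep) != ("address_mask" in ep):
        errs.append(f"{side}: address and address_mask must be given together")

def lint_rule(rule, state="merged"):
    """Return the documented-constraint violations for one rule ([] means OK)."""
    errs = []
    seq = rule.get("sequence_num")
    if not isinstance(seq, int) or not 1 <= seq <= 65535:
        errs.append("sequence_num must be an integer in 1..65535")
    if state == "deleted":
        return errs  # only sequence_num is considered when deleting
    for key in ("action", "source", "destination"):
        if key not in rule:
            errs.append(f"{key} is required to add a new rule")
        elif key != "action":
            check_endpoint(key, rule[key] or {}, errs)
    if "ethertype" in rule and "vlan_tag_format" in rule:
        errs.append("ethertype and vlan_tag_format are mutually exclusive")
    et = rule.get("ethertype") or {}
    if len(et) > 1:
        errs.append("only one ethertype suboption may be specified")
    if "value" in et:
        try:
            in_range = 0x600 <= int(str(et["value"]), 16) <= 0xFFFF
        except ValueError:
            in_range = False
        if not in_range:
            errs.append("ethertype.value must be a hex string in 0x600..0xffff")
    pcp = rule.get("pcp") or {}
    if "mask" in pcp and "value" not in pcp:
        errs.append("pcp.mask is valid only when pcp.value is specified")
    if "value" in pcp and "traffic_type" in pcp:
        errs.append("pcp.value and pcp.traffic_type are mutually exclusive")
    return errs

# Rule 3 of ACL 'test' from the merged example on this page.
GOOD_RULE = {"sequence_num": 3, "action": "permit", "source": {"any": True},
             "pcp": {"value": 4, "mask": 6}, "destination": {
                 "address": "00:00:10:00:00:00", "address_mask": "00:00:ff:ff:00:00"}}
# Constructed rule that breaks several constraints at once.
BAD_RULE = {"sequence_num": 70000, "action": "deny", "pcp": {"mask": 6},
            "source": {"any": True, "host": "11:11:11:11:11:11"},
            "destination": {"address": "00:00:10:00:00:00"},
            "ethertype": {"value": "0x05ff"}, "vlan_tag_format": {"multi_tagged": True}}
```

`lint_rule(BAD_RULE)` returns one message per violated constraint, while `lint_rule({"sequence_num": 3}, state="deleted")` passes because only the sequence number is considered for deletion.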
Examples
# Using merged
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# sonic#
- name: Merge provided Layer 2 ACL configurations
  dellemc.enterprise_sonic.sonic_l2_acls:
    config:
      - name: 'test'
        rules:
          - sequence_num: 2
            action: 'permit'
            source:
              any: true
            destination:
              any: true
            ethertype:
              value: '0x88cc'
            remark: 'LLDP'
          - sequence_num: 3
            action: 'permit'
            source:
              any: true
            destination:
              address: '00:00:10:00:00:00'
              address_mask: '00:00:ff:ff:00:00'
            pcp:
              value: 4
              mask: 6
          - sequence_num: 4
            action: 'deny'
            source:
              any: true
            destination:
              any: true
            vlan_tag_format:
              multi_tagged: true
      - name: 'test1'
        remark: 'test_mac_acl'
        rules:
          - sequence_num: 1
            action: 'permit'
            source:
              host: '11:11:11:11:11:11'
            destination:
              any: true
          - sequence_num: 2
            action: 'permit'
            source:
              any: true
            destination:
              any: true
            ethertype:
              arp: true
            vlan_id: 100
          - sequence_num: 3
            action: 'deny'
            source:
              any: true
            destination:
              any: true
            dei: 0
    state: merged
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# seq 4 deny any any vlan-tag-format multi-tagged
# !
# mac access-list test1
# remark test_mac_acl
# seq 1 permit host 11:11:11:11:11:11 any
# seq 2 permit any any arp vlan 100
# seq 3 deny any any dei 0
# sonic#
# Using replaced
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
# remark test_mac_acl
# seq 1 permit host 11:11:11:11:11:11 any
# seq 2 permit any any arp vlan 100
# seq 3 deny any any dei 0
# sonic#
- name: Replace device configuration of specified Layer 2 ACLs with provided configuration
  dellemc.enterprise_sonic.sonic_l2_acls:
    config:
      - name: 'test1'
        rules:
          - sequence_num: 1
            action: 'permit'
            source:
              any: true
            destination:
              any: true
            ethertype:
              arp: true
            vlan_id: 200
          - sequence_num: 2
            action: 'discard'
            source:
              any: true
            destination:
              any: true
      - name: 'test2'
        rules:
          - sequence_num: 1
            action: 'permit'
            source:
              host: '33:33:33:33:33:33'
            destination:
              host: '44:44:44:44:44:44'
    state: replaced
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
# seq 1 permit any any arp vlan 200
# seq 2 discard any any
# !
# mac access-list test2
# seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44
# sonic#
# Using overridden
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
# seq 1 permit any any arp vlan 200
# seq 2 discard any any
# !
# mac access-list test2
# seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44
# sonic#
- name: Override device configuration of all Layer 2 ACLs with provided configuration
  dellemc.enterprise_sonic.sonic_l2_acls:
    config:
      - name: 'test1'
        remark: 'test_mac_acl'
        rules:
          - sequence_num: 1
            action: 'permit'
            source:
              host: '11:11:11:11:11:11'
            destination:
              any: true
            vlan_id: 100
          - sequence_num: 2
            action: 'permit'
            source:
              any: true
            destination:
              any: true
            pcp:
              traffic_type: 'ca'
          - sequence_num: 3
            action: 'deny'
            source:
              any: true
            destination:
              any: true
            ethertype:
              ipv4: true
    state: overridden
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test1
# remark test_mac_acl
# seq 1 permit host 11:11:11:11:11:11 any vlan 100
# seq 2 permit any any pcp ca
# seq 3 deny any any ip
# sonic#
# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
# remark test_mac_acl
# seq 1 permit host 11:11:11:11:11:11 any vlan 100
# seq 2 deny any any ip
# !
# mac access-list test2
# seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44
# sonic#
- name: Delete specified Layer 2 ACLs, ACL remark and ACL rule entries
  dellemc.enterprise_sonic.sonic_l2_acls:
    config:
      - name: 'test'
        rules:
          - sequence_num: 3
      - name: 'test1'
        remark: 'test_mac_acl'
      - name: 'test2'
    state: deleted
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# !
# mac access-list test1
# seq 1 permit host 11:11:11:11:11:11 any vlan 100
# seq 2 deny any any ip
# sonic#
# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
# seq 1 permit host 22:22:22:22:22:22 any vlan 20
# seq 2 permit any any 0x88cc remark LLDP
# seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
# remark test_mac_acl
# seq 1 permit host 11:11:11:11:11:11 any vlan 100
# seq 2 deny any any ip
# !
# mac access-list test2
# seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44
# sonic#
- name: Delete all Layer 2 ACL configurations
  dellemc.enterprise_sonic.sonic_l2_acls:
    config:
    state: deleted
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# sonic#
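Return Values
Common return values are documented here; the following are the fields unique to this module:
Key |
Description |
---|---|
The resulting configuration after module invocation. Returned: when changed Sample: |
|
The generated configuration from module invocation. Returned: when Sample: |
|
The configuration prior to the module invocation. Returned: always Sample: |
|
The set of commands pushed to the remote device. Returned: always Sample: |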