cisco.ios.ios_acls module – Resource module to configure ACLs.

Note

This module is part of the cisco.ios collection (version 9.0.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.ios

To use it in a playbook, specify: cisco.ios.ios_acls

New in cisco.ios 1.0.0

Synopsis

  • This module configures and manages the named or numbered ACLs on IOS platforms.

Parameters

config (list / elements=dictionary)
  A list of ACL options.
  acls (list / elements=dictionary)
    A list of Access Control Lists (ACL) attributes.
    aces (list / elements=dictionary)
      The entries within the ACL.
      destination (dictionary)
        Specify the packet destination.
        address (string)
          Host address to match, or any single host address.
        any (boolean)
          Match any source address. Choices: false, true
        host (string)
          A single destination host.
        object_group (string)
          Destination network object group.
        port_protocol (dictionary)
          Specify the destination port along with the protocol.
          Note: valid with TCP/UDP protocol_options.
          eq (string)
            Match only packets on a given port number.
          gt (string)
            Match only packets with a greater port number.
          lt (string)
            Match only packets with a lower port number.
          neq (string)
            Match only packets not on a given port number.
          range (dictionary)
            Port group.
            end (integer)
              Specify the end of the port range.
            start (integer)
              Specify the start of the port range.
        wildcard_bits (string)
          Destination wildcard bits, valid with an IPV4 address.

      dscp (string)
        Match packets with the given dscp value.
      enable_fragments (boolean)
        Enable non-initial fragments. Choices: false, true
      evaluate (string)
        Evaluate an access list.
      grant (string)
        Specify the action. Choices: "permit", "deny"
      log (dictionary)
        Log matches against this entry.
        set (boolean)
          Enable logging of matches against this entry. Choices: false, true
        (string)
          User defined cookie (max of 64 characters).
      log_input (dictionary)
        Log matches against this entry, including the input interface.
        set (boolean)
          Enable logging of matches against this entry, including the input interface. Choices: false, true
        (string)
          User defined cookie (max of 64 characters).
      option (dictionary)
        Match packets with the given IP Options value.
        Valid only for named ACLs.

        add_ext (boolean)
          Match packets with the Address Extension Option (147). Choices: false, true
        any_options (boolean)
          Match packets with ANY Option. Choices: false, true
        com_security (boolean)
          Match packets with the Commercial Security Option (134). Choices: false, true
        dps (boolean)
          Match packets with the Dynamic Packet State Option (151). Choices: false, true
        encode (boolean)
          Match packets with the Encode Option (15). Choices: false, true
        eool (boolean)
          Match packets with End of Options (0). Choices: false, true
        ext_ip (boolean)
          Match packets with the Extended IP Option (145). Choices: false, true
        ext_security (boolean)
          Match packets with the Extended Security Option (133). Choices: false, true
        finn (boolean)
          Match packets with the Experimental Flow Control Option (205). Choices: false, true
        imitd (boolean)
          Match packets with the IMI Traffic Descriptor Option (144). Choices: false, true
        lsr (boolean)
          Match packets with the Loose Source Route Option (131). Choices: false, true
        mtup (boolean)
          Match packets with the MTU Probe Option (11). Choices: false, true
        mtur (boolean)
          Match packets with the MTU Reply Option (12). Choices: false, true
        no_op (boolean)
          Match packets with the No Operation Option (1). Choices: false, true
        nsapa (boolean)
          Match packets with the NSAP Addresses Option (150). Choices: false, true
        record_route (boolean)
          Match packets with the Record Route Option (7). Choices: false, true
        router_alert (boolean)
          Match packets with the Router Alert Option (148). Choices: false, true
        sdb (boolean)
          Match packets with the Selective Directed Broadcast Option (149). Choices: false, true
        security (boolean)
          Match packets with the Basic Security Option (130). Choices: false, true
        ssr (boolean)
          Match packets with the Strict Source Routing Option (137). Choices: false, true
        stream_id (boolean)
          Match packets with the Stream ID Option (136). Choices: false, true
        timestamp (boolean)
          Match packets with the Time Stamp Option (68). Choices: false, true
        traceroute (boolean)
          Match packets with the Trace Route Option (82). Choices: false, true
        ump (boolean)
          Match packets with the Upstream Multicast Packet Option (152). Choices: false, true
        visa (boolean)
          Match packets with the Experimental Access Control Option (142). Choices: false, true
        zsu (boolean)
          Match packets with the Experimental Measurement Option (10). Choices: false, true

      precedence (string)
        Match packets with the given precedence value.
      protocol (string)
        Specify the protocol to match.
        Refer to vendor documentation for valid values.
      protocol_options (dictionary)
        Protocol type.
        ahp (boolean)
          Authentication Header Protocol. Choices: false, true
        eigrp (boolean)
          Cisco's EIGRP routing protocol. Choices: false, true
        esp (boolean)
          Encapsulation Security Payload. Choices: false, true
        gre (boolean)
          Cisco's GRE tunneling. Choices: false, true
        hbh (boolean)
          Hop by Hop options header. Valid for IPV6. Choices: false, true
        icmp (dictionary)
          Internet Control Message Protocol.
          administratively_prohibited (boolean)
            Administratively prohibited. Choices: false, true
          alternate_address (boolean)
            Alternate address. Choices: false, true
          conversion_error (boolean)
            Datagram conversion. Choices: false, true
          dod_host_prohibited (boolean)
            Host prohibited. Choices: false, true
          dod_net_prohibited (boolean)
            Net prohibited. Choices: false, true
          echo (boolean)
            Echo (ping). Choices: false, true
          echo_reply (boolean)
            Echo reply. Choices: false, true
          general_parameter_problem (boolean)
            Parameter problem. Choices: false, true
          host_isolated (boolean)
            Host isolated. Choices: false, true
          host_precedence_unreachable (boolean)
            Host unreachable for precedence. Choices: false, true
          host_redirect (boolean)
            Host redirect. Choices: false, true
          host_tos_redirect (boolean)
            Host redirect for TOS. Choices: false, true
          host_tos_unreachable (boolean)
            Host unreachable for TOS. Choices: false, true
          host_unknown (boolean)
            Host unknown. Choices: false, true
          host_unreachable (boolean)
            Host unreachable. Choices: false, true
          information_reply (boolean)
            Information replies. Choices: false, true
          information_request (boolean)
            Information requests. Choices: false, true
          mask_reply (boolean)
            Mask replies. Choices: false, true
          mask_request (boolean)
            Mask request. Choices: false, true
          mobile_redirect (boolean)
            Mobile host redirect. Choices: false, true
          net_redirect (boolean)
            Network redirect. Choices: false, true
          net_tos_redirect (boolean)
            Net redirect for TOS. Choices: false, true
          net_tos_unreachable (boolean)
            Network unreachable for TOS. Choices: false, true
          net_unreachable (boolean)
            Net unreachable. Choices: false, true
          network_unknown (boolean)
            Network unknown. Choices: false, true
          no_room_for_option (boolean)
            Parameter required but no room. Choices: false, true
          option_missing (boolean)
            Parameter required but not present. Choices: false, true
          packet_too_big (boolean)
            Fragmentation needed and DF set. Choices: false, true
          parameter_problem (boolean)
            All parameter problems. Choices: false, true
          port_unreachable (boolean)
            Port unreachable. Choices: false, true
          precedence_unreachable (boolean)
            Precedence cutoff. Choices: false, true
          protocol_unreachable (boolean)
            Protocol unreachable. Choices: false, true
          reassembly_timeout (boolean)
            Reassembly timeout. Choices: false, true
          redirect (boolean)
            All redirects. Choices: false, true
          router_advertisement (boolean)
            Router discovery advertisements. Choices: false, true
          router_solicitation (boolean)
            Router discovery solicitations. Choices: false, true
          source_quench (boolean)
            Source quenches. Choices: false, true
          source_route_failed (boolean)
            Source route failed. Choices: false, true
          time_exceeded (boolean)
            All time exceeded messages. Choices: false, true
          timestamp_reply (boolean)
            Timestamp replies. Choices: false, true
          timestamp_request (boolean)
            Timestamp requests. Choices: false, true
          traceroute (boolean)
            Traceroute. Choices: false, true
          ttl_exceeded (boolean)
            TTL exceeded. Choices: false, true
          unreachable (boolean)
            All unreachables. Choices: false, true

        igmp (dictionary)
          Internet Gateway Message Protocol.
          dvmrp (boolean)
            Distance Vector Multicast Routing Protocol (2). Choices: false, true
          host_query (boolean)
            IGMP Membership Query (0). Choices: false, true
          mtrace_resp (boolean)
            Multicast Traceroute Response (7). Choices: false, true
          mtrace_route (boolean)
            Multicast Traceroute (8). Choices: false, true
          pim (boolean)
            Protocol Independent Multicast (3). Choices: false, true
          trace (boolean)
            Multicast trace (4). Choices: false, true
          v1host_report (boolean)
            IGMPv1 Membership Report (1). Choices: false, true
          v2host_report (boolean)
            IGMPv2 Membership Report (5). Choices: false, true
          v2leave_group (boolean)
            IGMPv2 Leave Group (6). Choices: false, true
          v3host_report (boolean)
            IGMPv3 Membership Report (9). Choices: false, true
        ip (boolean)
          Any Internet Protocol. Choices: false, true
        ipinip (boolean)
          IP in IP tunneling. Choices: false, true
        ipv6 (boolean)
          Any IPv6. Choices: false, true
        nos (boolean)
          KA9Q NOS compatible IP over IP tunneling. Choices: false, true
        ospf (boolean)
          OSPF routing protocol. Choices: false, true
        pcp (boolean)
          Payload Compression Protocol. Choices: false, true
        pim (boolean)
          Protocol Independent Multicast. Choices: false, true
        protocol_number (integer)
          An IP protocol number.
        sctp (boolean)
          Stream Control Transmission Protocol. Choices: false, true
        tcp (dictionary)
          Match TCP packet flags.
          ack (boolean)
            Match on the ACK bit. Choices: false, true
          established (boolean)
            Match established connections. Choices: false, true
          fin (boolean)
            Match on the FIN bit. Choices: false, true
          psh (boolean)
            Match on the PSH bit. Choices: false, true
          rst (boolean)
            Match on the RST bit. Choices: false, true
          syn (boolean)
            Match on the SYN bit. Choices: false, true
          urg (boolean)
            Match on the URG bit. Choices: false, true
        udp (boolean)
          User Datagram Protocol. Choices: false, true

      remarks (list / elements=string)
        The ACL remarks/description.
        A remarks attribute used within an ACE, with or without a sequence number, produces remarks that are pushed before the ACE entry.
        A remarks entry used as the only key in a list item produces non-ACE-specific remarks; these are pushed at the end of all the ACEs of the ACL.
        Remarks are treated as a block: whenever the remarks of any single ACE are updated, all remarks are negated and added back, so that the order of the remarks as listed is maintained.
        Because the device deletes all remarks once an ACE is updated, the set of remarks is re-applied; this is expected behaviour.
      sequence (integer)
        Sequence number for the Access Control Entry (ACE).
        Refer to vendor documentation for valid values.
      source (dictionary)
        Specify the packet source.
        address (string)
          Source network address.
        any (boolean)
          Match any source address. Choices: false, true
        host (string)
          A single source host.
        object_group (string)
          Source network object group.
        port_protocol (dictionary)
          Specify the source port along with the protocol.
          Note: valid with TCP/UDP protocol_options.
          eq (string)
            Match only packets on a given port number.
          gt (string)
            Match only packets with a greater port number.
          lt (string)
            Match only packets with a lower port number.
          neq (string)
            Match only packets not on a given port number.
          range (dictionary)
            Port group.
            end (integer)
              Specify the end of the port range.
            start (integer)
              Specify the start of the port range.
        wildcard_bits (string)
          Source wildcard bits, valid with an IPV4 address.
      time_range (string)
        Specify a time-range.
      tos (dictionary)
        Match packets with the given TOS value.
        Note: DSCP and TOS are mutually exclusive.
        max_reliability (boolean)
          Match packets with max reliable TOS (2). Choices: false, true
        max_throughput (boolean)
          Match packets with max throughput TOS (4). Choices: false, true
        min_delay (boolean)
          Match packets with min delay TOS (8). Choices: false, true
        min_monetary_cost (boolean)
          Match packets with min monetary cost TOS (1). Choices: false, true
        normal (boolean)
          Match packets with normal TOS (0). Choices: false, true
        service_value (integer)
          Type of service value.
      ttl (dictionary)
        Match packets with the given TTL value.
        eq (integer)
          Match only packets on a given TTL number.
        gt (integer)
          Match only packets with a greater TTL number.
        lt (integer)
          Match only packets with a lower TTL number.
        neq (integer)
          Match only packets not on a given TTL number.
        range (dictionary)
          Match only packets in the range of TTLs.
          end (integer)
            Specify the end of the port range.
          start (integer)
            Specify the start of the port range.

    acl_type (string)
      ACL type.
      Note: this is mandatory for named ACLs, but not for numbered ACLs.
      Choices: "extended", "standard"
    name (string / required)
      The name or the number of the ACL.
  afi (string / required)
    The Address Family Indicator (AFI) for the Access Control Lists (ACL).
    Choices: "ipv4", "ipv6"

running_config (string)
  This option is used only with state parsed.
  The value of this option should be the output received from the IOS device by executing the command sh access-list.
  The state parsed reads the configuration from the running_config option and transforms it into Ansible structured data as per the resource module's argspec; the value is then returned in the parsed key within the result.

state (string)
  The state the configuration should be left in.
  The state merged is the default state, which merges the want and have configuration. However, because the IOS platform does not allow updating an ACE on a pre-existing ACE sequence within an ACL, the ACLs resource module likewise errors out in that scenario, and with state merged only the addition of new ACEs on new sequences is allowed.
  The states rendered, gathered and parsed do not perform any change on the device.
  The state rendered transforms the configuration in the config option into platform-specific CLI commands, which are returned in the rendered key within the result. For state rendered, an active connection to the remote host is not required.
  The state gathered fetches the running configuration from the device and transforms it into structured data in the format of the resource module argspec; the value is returned in the gathered key within the result.
  The state parsed reads the configuration from the running_config option and transforms it into JSON format as per the resource module parameters; the value is returned in the parsed key within the result. The value of the running_config option should be in the same format as the output of the command sh running-config | section access-list, which gathers all ACL-related information, combined with sh access-lists | include access list, which gathers the specific configuration of empty ACLs; both commands are executed on the device. The configuration data from the two commands should be put together one after the other so that the parser pulls the commands correctly. For state parsed, an active connection to the remote host is not required.
  The state overridden modifies/adds the ACLs defined and deletes all other ACLs.
  The state replaced modifies/adds only the ACEs of the ACLs defined. It does not perform any other change on the device.
  The state deleted deletes only the specified ACLs, or all ACLs if none are specified.
  Choices: "merged" ← (default), "replaced", "overridden", "deleted", "gathered", "rendered", "parsed"
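As an added example (not code from the cisco.ios collection), the following Python mirrors two behaviours described for running_config and state above: it parses sh access-lists output into the argspec shape that the gathered and parsed keys return, and it pre-checks a merged run for the "Cannot update existing sequence" refusal so the failure can be caught before the play runs. The sample output is constructed from this page's before-states, and the function names (parse_access_lists, merged_conflicts) are my own.

```python
import re

# Constructed sample of 'sh access-lists' output, modelled on the before-states shown on this page.
SAMPLE_OUTPUT = """\
ip access-list standard std_acl
   10 deny   192.168.1.200
   20 deny   192.168.2.0 0.0.0.255
ip access-list extended 110
   10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
   20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
ipv6 access-list R1_TRAFFIC
   sequence 10 deny tcp any eq www any eq telnet ack dscp af11
"""
PORT_OPS = ("eq", "gt", "lt", "neq", "range")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ACL_HEADER = re.compile(r"^(ip|ipv6) access-list(?: (standard|extended))? (\S+)$")


def _take_address(tokens, i):
    """Consume one address spec at tokens[i]; return (argspec dict, next index)."""
    tok = tokens[i]
    if tok == "any":
        return {"any": True}, i + 1
    if tok == "host":
        return {"host": tokens[i + 1]}, i + 2
    if IPV4.match(tok) and i + 1 < len(tokens) and IPV4.match(tokens[i + 1]):
        return {"address": tok, "wildcard_bits": tokens[i + 1]}, i + 2
    return {"address": tok}, i + 1  # bare IPv4 host (standard ACL) or IPv6 prefix


def _take_port(tokens, i):
    """Consume an optional 'eq|gt|lt|neq X' or 'range A B' port clause, if present."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return None, i
    if tokens[i] == "range":
        return {"range": {"start": int(tokens[i + 1]), "end": int(tokens[i + 2])}}, i + 3
    return {tokens[i]: tokens[i + 1]}, i + 2


def _parse_ace(line, acl_type):
    """Turn one ACE line into the per-ACE dict of the module's argspec."""
    tokens = line.split()
    if tokens[0] == "sequence":  # IPv6 ACLs print the keyword explicitly
        tokens = tokens[1:]
    ace = {"sequence": int(tokens[0]), "grant": tokens[1]}
    if acl_type == "standard":  # standard ACLs carry a source only
        src, _ = _take_address(tokens, 2)
        if "address" in src and "wildcard_bits" not in src:
            src = {"host": src["address"]}  # 'deny 192.168.1.200' is a single host
        ace["source"] = src
        return ace
    ace["protocol"], i = tokens[2], 3
    for side in ("source", "destination"):
        ace[side], i = _take_address(tokens, i)
        port, i = _take_port(tokens, i)
        if port:
            ace[side]["port_protocol"] = port
    rest, opts, j = tokens[i:], {}, 0
    while j < len(rest):  # trailing qualifiers
        if rest[j] == "dscp":
            ace["dscp"], j = rest[j + 1], j + 2
        elif rest[j] == "tos":
            ace["tos"], j = {"service_value": int(rest[j + 1])}, j + 2
        elif rest[j] == "ttl":
            ace["ttl"], j = {rest[j + 1]: int(rest[j + 2])}, j + 3
        else:  # TCP flags, ICMP types, 'log', ... land under protocol_options
            opts[rest[j]], j = True, j + 1
    if opts:
        ace["protocol_options"] = {ace["protocol"]: opts}
    return ace


def parse_access_lists(output):
    """Return [{afi, acls: [{name, acl_type, aces}]}], the shape of the gathered/parsed keys."""
    by_afi, current = {}, None
    for line in (ln.strip() for ln in output.splitlines() if ln.strip()):
        m = ACL_HEADER.match(line)
        if m:
            current = {"name": m.group(3), "aces": []}
            if m.group(2):
                current["acl_type"] = m.group(2)
            by_afi.setdefault("ipv4" if m.group(1) == "ip" else "ipv6", []).append(current)
        elif current is not None:
            current["aces"].append(_parse_ace(line, current.get("acl_type", "extended")))
    return [{"afi": afi, "acls": acls} for afi, acls in sorted(by_afi.items())]


def merged_conflicts(have, want):
    """Pre-flight the merged refusal: a wanted ACE whose sequence already exists in the device
    ACL with different content is rejected; no sequence means append, identical means no-op."""
    index = {(fam["afi"], str(acl["name"]), ace["sequence"]): ace
             for fam in have for acl in fam["acls"] for ace in acl["aces"]}
    problems = []
    for fam in want:
        for acl in fam["acls"]:
            for ace in acl.get("aces", []):
                seq = ace.get("sequence")
                existing = index.get((fam["afi"], str(acl["name"]), seq))
                if seq is not None and existing is not None and {**existing, **ace} != existing:
                    problems.append("Cannot update existing sequence %s of ACLs %s with state merged."
                                    % (seq, acl["name"]))
    return problems
```

Run merged_conflicts against the gathered structure before a merged task to get the same message the module would fail with, without touching the device.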

Notes

Note

Examples

# Using merged

# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list extended 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10

- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: std_acl
            acl_type: standard
            aces:
              - grant: deny
                source:
                  address: 192.168.1.200
              - grant: deny
                source:
                  address: 192.168.2.0
                  wildcard_bits: 0.0.0.255
          - name: 110
            aces:
              - sequence: 10
                protocol_options:
                  icmp:
                    traceroute: true
                source:
                  address: 192.168.3.0
                  wildcard_bits: 255.255.255.0
                destination:
                  any: true
                grant: permit
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  host: 198.51.100.0
                destination:
                  host: 198.51.110.0
                  port_protocol:
                    eq: telnet
          - name: extended_acl_1
            acl_type: extended
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    fin: true
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                option:
                  traceroute: true
                ttl:
                  eq: 10
          - name: 123
            aces:
              - remarks:
                  - "remarks for extended ACL 1"
                  - "check ACL"
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 198.51.101.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                tos:
                  service_value: 12
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.4.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                dscp: ef
                ttl:
                  lt: 20
      - afi: ipv6
        acls:
          - name: R1_TRAFFIC
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  any: true
                  port_protocol:
                    eq: www
                destination:
                  any: true
                  port_protocol:
                    eq: telnet
                dscp: af11
    state: merged

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            echo: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: '100'
#    afi: ipv4
# commands:
#  - ip access-list extended 110
#  - deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
#  - 30 permit icmp 192.168.3.0 255.255.255.0 any traceroute
#  - ip access-list extended extended_acl_1
#  - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
#  - ip access-list standard std_acl
#  - deny 192.168.1.20
#  - deny 192.168.2.0 0.0.0.255
#  - ip access-list extended 123
#  - deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#  - deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
#  - remark remarks for extended ACL 1
#  - remark check ACL
#  - ipv6 access-list R1_TRAFFIC
#  - deny tcp any eq www any eq telnet ack dscp af11
# after:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            echo: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      - destination:
#          any: true
#        grant: permit
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 30
#        source:
#          address: 0.0.0.0
#          wildcard_bits: 255.255.255.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      - remarks:
#        - remarks for extended ACL 1
#        - check ACL
#      acl_type: extended
#      name: '123'
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: extended_acl_1
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.20
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    afi: ipv4
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6

# After state:
# ------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 100
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
# ip access-list extended 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack dscp af11

# vios#show running-config | include ip(v6)* access-list|remark
# ip access-list standard std_acl
# ip access-list extended extended_acl_1
# ip access-list extended 110
# ip access-list extended 123
#  remark remarks for extended ACL 1
#  remark check ACL
# ipv6 access-list R1_TRAFFIC

# Using merged (update existing ACE - will fail)

# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list extended 100
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10

- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: 100
            aces:
              - sequence: 10
                protocol_options:
                  icmp:
                    traceroute: true
    state: merged

# After state:
# ------------
#
# Play Execution fails, with error:
# Cannot update existing sequence 10 of ACLs 100 with state merged.
# Please use state replaced or overridden.

# Using replaced

# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
#     10 deny   192.168.1.200
#     20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#     10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#     20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#     10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#     20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended R1_TRAFFIC
#     10 deny tcp any eq www any eq telnet ack dscp af11
# ip access-list extended test
#     10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10

- name: Replaces device configuration of listed acls with provided configuration
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                dscp: ef
                ttl:
                  eq: 10
          - name: 150
            aces:
              - grant: deny
                sequence: 20
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                dscp: ef
                ttl:
                  eq: 10
    state: replaced

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      acl_type: extended
#      name: R1_TRAFFIC
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: test
#    afi: ipv4
# commands:
#  - ip access-list extended 110
#  - no 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#  - no 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
#  - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
#  - ip access-list extended 150
#  - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# after:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            syn: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - destination:
#          address: 198.51.110.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            syn: true
#        sequence: 20
#        source:
#          address: 198.51.100.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: '150'
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      acl_type: extended
#      name: R1_TRAFFIC
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: test
#    afi: ipv4

# After state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# ip access-list extended 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended 150
#    20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# ip access-list extended test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack dscp af11

# Using replaced - example remarks specific

# Before state:
# -------------
#
# vios#show running-config | section access-list
# ip access-list extended TEST
#  10 remark FIRST REMARK BEFORE LINE 10
#  10 remark ============
#  10 remark ALLOW HOST FROM TEST 10
#  10 permit ip host 1.1.1.1 any
#  20 remark FIRST REMARK BEFORE LINE 20
#  20 remark ============
#  20 remark ALLOW HOST remarks AFTER LINE  20
#  20 permit ip host 2.2.2.2 any
#  30 remark FIRST REMARK BEFORE LINE 30
#  30 remark ============
#  30 remark ALLOW HOST remarks AFTER LINE  30
#  30 permit ip host 3.3.3.3 any

- name: Replace remarks of ace with sequence 10
  # check_mode: true
  cisco.ios.ios_acls:
    state: replaced
    config:
      - acls:
          - aces:
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - The new first remarks before 10
                  - ============new
                  - The new second remarks before 10
                sequence: 10
                source:
                  host: 1.1.1.1
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - FIRST REMARK BEFORE LINE 20
                  - ============
                  - ALLOW HOST remarks AFTER LINE  20
                sequence: 20
                source:
                  host: 2.2.2.2
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - FIRST REMARK BEFORE LINE 30
                  - ============
                  - ALLOW HOST remarks AFTER LINE  30
                sequence: 30
                source:
                  host: 3.3.3.3
            acl_type: extended
            name: TEST
        afi: ipv4

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 10
#       - ===========1=
#       - ALLOW HOST FROM TEST 10
#       sequence: 10
#       source:
#         host: 1.1.1.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 20
#       - ============
#       - ALLOW HOST remarks AFTER LINE  20
#       sequence: 20
#       source:
#         host: 2.2.2.2
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 30
#       - ============
#       - ALLOW HOST remarks AFTER LINE  30
#       sequence: 30
#       source:
#         host: 3.3.3.3
#     acl_type: extended
#     name: TEST
#   afi: ipv4
# commands:
# - ip access-list extended TEST
# - no 10 remark
# - 10 remark The new first remarks before 10
# - 10 remark ============new
# - 10 remark The new second remarks before 10
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - The new first remarks before 10
#       - ============new
#       - The new second remarks before 10
#       sequence: 10
#       source:
#         host: 1.1.1.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 20
#       - ============
#       - ALLOW HOST remarks AFTER LINE  20
#       sequence: 20
#       source:
#         host: 2.2.2.2
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 30
#       - ============
#       - ALLOW HOST remarks AFTER LINE  30
#       sequence: 30
#       source:
#         host: 3.3.3.3
#     acl_type: extended
#     name: TEST
#   afi: ipv4

# After state:
# -------------
#
# foo#show running-config | section access-list
# ip access-list extended TEST
#  10 remark The new first remarks before 10
#  10 remark ============new
#  10 remark The new second remarks before 10
#  10 permit ip host 1.1.1.1 any
#  20 remark FIRST REMARK BEFORE LINE 20
#  20 remark ============
#  20 remark ALLOW HOST remarks AFTER LINE  20
#  20 permit ip host 2.2.2.2 any
#  30 remark FIRST REMARK BEFORE LINE 30
#  30 remark ============
#  30 remark ALLOW HOST remarks AFTER LINE  30
#  30 permit ip host 3.3.3.3 any

# Using replaced - replacing the remarks of one targeted sequence

# Before state:
# -------------
#
# vios#show running-config | section access-list
# ip access-list extended TEST
#  10 permit ip host 1.1.1.1 any
#  20 remark FIRST REMARK BEFORE LINE 20
#  20 remark ============
#  20 remark ALLOW HOST remarks AFTER LINE  20
#  20 permit ip host 2.2.2.2 any
#  30 remark FIRST REMARK BEFORE LINE 30
#  30 remark ============
#  30 remark ALLOW HOST remarks AFTER LINE  30
#  30 permit ip host 3.3.3.3 any

- name: Replace remarks of ace with sequence 10
  # check_mode: true
  cisco.ios.ios_acls:
    state: replaced
    config:
      - acls:
          - aces:
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - The new first remarks before 10
                  - ============new
                  - The new second remarks before 10
                sequence: 10
                source:
                  host: 1.1.1.1
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - FIRST REMARK BEFORE LINE 20
                  - ============
                  - ALLOW HOST remarks AFTER LINE  20
                sequence: 20
                source:
                  host: 2.2.2.2
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - FIRST REMARK BEFORE LINE 30
                  - ============
                  - ALLOW HOST remarks AFTER LINE  30
                sequence: 30
                source:
                  host: 3.3.3.3
            acl_type: extended
            name: TEST
        afi: ipv4

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       sequence: 10
#       source:
#         host: 1.1.1.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 20
#       - ============
#       - ALLOW HOST remarks AFTER LINE  20
#       sequence: 20
#       source:
#         host: 2.2.2.2
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 30
#       - ============
#       - ALLOW HOST remarks AFTER LINE  30
#       sequence: 30
#       source:
#         host: 3.3.3.3
#     acl_type: extended
#     name: TEST
#   afi: ipv4
# commands:
# - ip access-list extended TEST
# - 10 remark The new first remarks before 10
# - 10 remark ============new
# - 10 remark The new second remarks before 10
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - The new first remarks before 10
#       - ============new
#       - The new second remarks before 10
#       sequence: 10
#       source:
#         host: 1.1.1.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 20
#       - ============
#       - ALLOW HOST remarks AFTER LINE  20
#       sequence: 20
#       source:
#         host: 2.2.2.2
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE LINE 30
#       - ============
#       - ALLOW HOST remarks AFTER LINE  30
#       sequence: 30
#       source:
#         host: 3.3.3.3
#     acl_type: extended
#     name: TEST
#   afi: ipv4

# After state:
# -------------
#
# foo#show running-config | section access-list
# ip access-list extended TEST
#  10 remark The new first remarks before 10
#  10 remark ============new
#  10 remark The new second remarks before 10
#  10 permit ip host 1.1.1.1 any
#  20 remark FIRST REMARK BEFORE LINE 20
#  20 remark ============
#  20 remark ALLOW HOST remarks AFTER LINE  20
#  20 permit ip host 2.2.2.2 any
#  30 remark FIRST REMARK BEFORE LINE 30
#  30 remark ============
#  30 remark ALLOW HOST remarks AFTER LINE  30
#  30 permit ip host 3.3.3.3 any

# Using overridden

# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
#     10 deny   192.168.1.200
#     20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#     10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#     20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#     10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#     20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended R1_TRAFFIC
#     10 deny tcp any eq www any eq telnet ack dscp af11
# ip access-list extended test
#     10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10

- name: Override device configuration of all acls with provided configuration
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                sequence: 20
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                dscp: ef
                ttl:
                  eq: 10
          - name: 150
            aces:
              - grant: deny
                sequence: 10
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                dscp: ef
                ttl:
                  eq: 10
    state: overridden

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      acl_type: extended
#      name: R1_TRAFFIC
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: test
#    afi: ipv4
# commands:
#  - ip access-list extended 110
#  - no 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
#  - no 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#  - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
#  - ip access-list extended 150
#  - 10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
#  - no ip access-list extended 123
#  - no ip access-list extended R1_TRAFFIC
#  - no ip access-list standard std_acl
#  - no ip access-list extended test
# after:
#  - acls:
#    - aces:
#      - destination:
#          address: 198.51.110.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 198.51.100.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.110.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            syn: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: '150'
#    afi: ipv4

# After state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list extended 110
#     20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
# ip access-list extended 150
#     10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10

# Using overridden - overriding remarks on multiple sequences

# Before state:
# -------------
#
# vios#show running-config | section access-list
# ip access-list extended TEST
#  10 remark FIRST REMARK BEFORE SEQUENCE 10
#  10 remark ============
#  10 remark REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
#  20 remark FIRST REMARK BEFORE SEQUENCE 20
#  20 remark ============
#  20 remark ALLOW HOST FROM SEQUENCE 20
#  20 permit ip host 1.1.1.1 any
#  30 remark FIRST REMARK BEFORE SEQUENCE 30
#  30 remark ============
#  30 remark ALLOW HOST FROM SEQUENCE 30
#  30 permit ip host 2.2.2.2 any
#  40 remark FIRST REMARK BEFORE SEQUENCE 40
#  40 remark ============
#  40 remark ALLOW NEW HOST FROM SEQUENCE 40
#  40 permit ip host 3.3.3.3 any
#  remark Remark not specific to sequence
#  remark ============
#  remark End Remarks
# ip access-list extended test_acl
#  10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ip access-list extended 110
#  10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
# ip access-list extended 123
#  10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#  20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ipv6 access-list R1_TRAFFIC
#  sequence 10 deny tcp any eq www any eq telnet ack dscp af11

- name: Override remarks and ace configurations
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: TEST
            acl_type: extended
            aces:
              - sequence: 10
                remarks:
                  - "FIRST REMARK BEFORE SEQUENCE 10"
                  - "============"
                  - "REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE"
                grant: permit
                protocol: ip
                source:
                  host: 1.1.1.1
                destination:
                  any: true
              - sequence: 20
                remarks:
                  - "FIRST REMARK BEFORE SEQUENCE 20"
                  - "============"
                  - "ALLOW HOST FROM SEQUENCE 20"
                grant: permit
                protocol: ip
                source:
                  host: 192.168.0.1
                destination:
                  any: true
              - sequence: 30
                remarks:
                  - "FIRST REMARK BEFORE SEQUENCE 30"
                  - "============"
                  - "ALLOW HOST FROM SEQUENCE 30 updated"
                grant: permit
                protocol: ip
                source:
                  host: 2.2.2.2
                destination:
                  any: true
              - sequence: 40
                remarks:
                  - "FIRST REMARK BEFORE SEQUENCE 40"
                  - "============"
                  - "ALLOW NEW HOST FROM SEQUENCE 40"
                grant: permit
                protocol: ip
                source:
                  host: 3.3.3.3
                destination:
                  any: true
              - remarks:
                  - "Remark not specific to sequence"
                  - "============"
                  - "End Remarks 1"
    state: overridden

# Task Output
# -----------
#
# before:
# - acls:
#   - aces:
#     - destination:
#         address: 192.0.3.0
#         wildcard_bits: 0.0.0.255
#       dscp: ef
#       grant: deny
#       protocol: icmp
#       protocol_options:
#         icmp:
#           echo: true
#       sequence: 10
#       source:
#         address: 192.0.2.0
#         wildcard_bits: 0.0.0.255
#       ttl:
#         eq: 10
#     acl_type: extended
#     name: '110'
#   - aces:
#     - destination:
#         address: 198.51.101.0
#         port_protocol:
#           eq: telnet
#         wildcard_bits: 0.0.0.255
#       grant: deny
#       protocol: tcp
#       protocol_options:
#         tcp:
#           ack: true
#       sequence: 10
#       source:
#         address: 198.51.100.0
#         wildcard_bits: 0.0.0.255
#       tos:
#         service_value: 12
#     - destination:
#         address: 192.0.4.0
#         port_protocol:
#           eq: www
#         wildcard_bits: 0.0.0.255
#       dscp: ef
#       grant: deny
#       protocol: tcp
#       protocol_options:
#         tcp:
#           ack: true
#       sequence: 20
#       source:
#         address: 192.0.3.0
#         wildcard_bits: 0.0.0.255
#       ttl:
#         lt: 20
#     acl_type: extended
#     name: '123'
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 20
#       - ============
#       - ALLOW HOST FROM SEQUENCE 20
#       sequence: 20
#       source:
#         host: 1.1.1.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 30
#       - ============
#       - ALLOW HOST FROM SEQUENCE 30
#       sequence: 30
#       source:
#         host: 2.2.2.2
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 40
#       - ============
#       - ALLOW NEW HOST FROM SEQUENCE 40
#       sequence: 40
#       source:
#         host: 3.3.3.3
#     - remarks:
#       - FIRST REMARK BEFORE SEQUENCE 10
#       - ============
#       - REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
#       sequence: 10
#     - remarks:
#       - Remark not specific to sequence
#       - ============
#       - End Remarks
#     acl_type: extended
#     name: TEST
#   - aces:
#     - destination:
#         address: 192.0.3.0
#         port_protocol:
#           eq: www
#         wildcard_bits: 0.0.0.255
#       grant: deny
#       option:
#         traceroute: true
#       protocol: tcp
#       protocol_options:
#         tcp:
#           fin: true
#       sequence: 10
#       source:
#         address: 192.0.2.0
#         wildcard_bits: 0.0.0.255
#       ttl:
#         eq: 10
#     acl_type: extended
#     name: test_acl
#   afi: ipv4
# - acls:
#   - aces:
#     - destination:
#         any: true
#         port_protocol:
#           eq: telnet
#       dscp: af11
#       grant: deny
#       protocol: tcp
#       protocol_options:
#         tcp:
#           ack: true
#       sequence: 10
#       source:
#         any: true
#         port_protocol:
#           eq: www
#     name: R1_TRAFFIC
#   afi: ipv6
# commands:
# - no ipv6 access-list R1_TRAFFIC
# - ip access-list extended TEST
# - no 10  # removes the remarks and any ACE at sequence 10
# - no 20 permit ip host 1.1.1.1 any  # removing the ACE also removes its remarks
# - no 30 remark  # removes only the remarks for sequence 30, the ACE stays
# - no remark  # removes the trailing remarks that carry no sequence
# - 10 remark FIRST REMARK BEFORE SEQUENCE 10
# - 10 remark ============
# - 10 remark REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
# - 10 permit ip host 1.1.1.1 any
# - 20 remark FIRST REMARK BEFORE SEQUENCE 20
# - 20 remark ============
# - 20 remark ALLOW HOST FROM SEQUENCE 20
# - 20 permit ip host 192.168.0.1 any
# - 30 remark FIRST REMARK BEFORE SEQUENCE 30
# - 30 remark ============
# - 30 remark ALLOW HOST FROM SEQUENCE 30 updated
# - remark Remark not specific to sequence
# - remark ============
# - remark End Remarks 1
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list extended test_acl
# after:
# - acls:
#   - aces:
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 10
#       - ============
#       - REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
#       sequence: 10
#       source:
#         host: 1.1.1.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 20
#       - ============
#       - ALLOW HOST FROM SEQUENCE 20
#       sequence: 20
#       source:
#         host: 192.168.0.1
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 30
#       - ============
#       - ALLOW HOST FROM SEQUENCE 30 updated
#       sequence: 30
#       source:
#         host: 2.2.2.2
#     - destination:
#         any: true
#       grant: permit
#       protocol: ip
#       remarks:
#       - FIRST REMARK BEFORE SEQUENCE 40
#       - ============
#       - ALLOW NEW HOST FROM SEQUENCE 40
#       sequence: 40
#       source:
#         host: 3.3.3.3
#     - remarks:
#       - Remark not specific to sequence
#       - ============
#       - End Remarks 1
#     acl_type: extended
#     name: TEST
#   afi: ipv4

# After state:
# -------------
#
# foo#show running-config | section access-list
# ip access-list extended TEST
#  10 remark FIRST REMARK BEFORE SEQUENCE 10
#  10 remark ============
#  10 remark REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
#  10 permit ip host 1.1.1.1 any
#  20 remark FIRST REMARK BEFORE SEQUENCE 20
#  20 remark ============
#  20 remark ALLOW HOST FROM SEQUENCE 20
#  20 permit ip host 192.168.0.1 any
#  30 remark FIRST REMARK BEFORE SEQUENCE 30
#  30 remark ============
#  30 remark ALLOW HOST FROM SEQUENCE 30 updated
#  30 permit ip host 2.2.2.2 any
#  40 remark FIRST REMARK BEFORE SEQUENCE 40
#  40 remark ============
#  40 remark ALLOW NEW HOST FROM SEQUENCE 40
#  40 permit ip host 3.3.3.3 any
#  remark Remark not specific to sequence
#  remark ============
#  remark End Remarks 1
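
The `before` and `after` structures returned by the module (shown throughout these examples) are easier to review than the raw command list when an overridden or replaced run touches many sequences: a diff of the two tells you which ACEs were removed, added or modified, and whether any entry became more permissive. The following is an added example and not part of the cisco.ios collection. It flattens both structures into `(afi, acl_name, sequence)` keys, reports the per-ACE differences, and flags every ACE that ends up as a permit from any source to any destination. The sample states are constructed from the TEST and 110 ACLs of the example above, reduced to a few entries, plus one hypothetical sequence 50 `permit ip any any` that is not on the page and exists only to trip the widening check; the function names are this example's own.

```python
"""Review the `before`/`after` structures returned by cisco.ios.ios_acls
(e.g. registered from a run of the module) and report per-ACE changes,
flagging entries that widen to permit-any-to-any."""


def _seq_key(k):
    # Trailing remarks carry no sequence; sort them after the numbered entries.
    return (k[0], k[1], k[2] is None, k[2] or 0)


def index_aces(state):
    """Flatten [{afi, acls: [{name, aces: [...]}]}] into
    {(afi, acl_name, sequence): ace}. Names are stringified because numbered
    ACLs may come back as int or str."""
    out = {}
    for family in state or []:
        for acl in family.get("acls", []):
            for ace in acl.get("aces", []):
                out[(family["afi"], str(acl["name"]), ace.get("sequence"))] = ace
    return out


def is_broad_permit(ace):
    """True for a permit ACE that matches any source and any destination.
    Standard ACLs have no destination, so only the source is checked there."""
    if ace.get("grant") != "permit":
        return False
    src_any = bool(ace.get("source", {}).get("any"))
    dest = ace.get("destination")
    dest_any = dest is None or bool(dest.get("any"))
    return src_any and dest_any


def diff_states(before, after):
    """Return {'removed', 'added', 'changed', 'widened'} lists of
    (afi, acl_name, sequence) keys. 'widened' holds entries that are a broad
    permit in `after` but were absent, or not a broad permit, in `before`."""
    b, a = index_aces(before), index_aces(after)
    removed = sorted((k for k in b if k not in a), key=_seq_key)
    added = sorted((k for k in a if k not in b), key=_seq_key)
    changed = sorted((k for k in a if k in b and a[k] != b[k]), key=_seq_key)
    widened = sorted(
        (k for k in a if is_broad_permit(a[k]) and not (k in b and is_broad_permit(b[k]))),
        key=_seq_key,
    )
    return {"removed": removed, "added": added, "changed": changed, "widened": widened}


# Constructed sample, reduced from the overridden remarks example: ACL 110
# disappears, TEST sequence 10 gains an ACE, sequence 20 changes host, the
# trailing remark changes, and a hypothetical sequence 50 "permit ip any any"
# (not on the page) is added to show the widening check.
def _ace(seq, grant, src, remarks=None):
    ace = {"sequence": seq, "grant": grant, "protocol": "ip",
           "source": src, "destination": {"any": True}}
    if remarks:
        ace["remarks"] = remarks
    return ace


BEFORE = [{"afi": "ipv4", "acls": [
    {"name": "110", "acl_type": "extended", "aces": [
        {"sequence": 10, "grant": "deny", "protocol": "icmp",
         "source": {"address": "192.0.2.0", "wildcard_bits": "0.0.0.255"},
         "destination": {"address": "192.0.3.0", "wildcard_bits": "0.0.0.255"}}]},
    {"name": "TEST", "acl_type": "extended", "aces": [
        _ace(20, "permit", {"host": "1.1.1.1"}, ["ALLOW HOST FROM SEQUENCE 20"]),
        _ace(30, "permit", {"host": "2.2.2.2"}),
        {"sequence": 10, "remarks": ["REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE"]},
        {"remarks": ["End Remarks"]}]}]}]

AFTER = [{"afi": "ipv4", "acls": [
    {"name": "TEST", "acl_type": "extended", "aces": [
        _ace(10, "permit", {"host": "1.1.1.1"}, ["REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE"]),
        _ace(20, "permit", {"host": "192.168.0.1"}, ["ALLOW HOST FROM SEQUENCE 20"]),
        _ace(30, "permit", {"host": "2.2.2.2"}),
        _ace(50, "permit", {"any": True}),  # hypothetical widening, not on the page
        {"remarks": ["End Remarks 1"]}]}]}]

if __name__ == "__main__":
    for bucket, keys in diff_states(BEFORE, AFTER).items():
        print(bucket, keys)
```

Remark-only entries are kept under their sequence, so a remark edit shows up as `changed` for that sequence, which matches how the module reports it; an entry that was remarks-only and gained an ACE (sequence 10 above) also lands in `changed` rather than `added`, because the key already existed.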

# Using deleted - delete ACL(s)

# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
#     10 deny   192.168.1.200
#     20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#     10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#     20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#     10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#     20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended extended_acl_1
#     10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10

- name: "Delete ACLs (Note: this deletes only the listed ACLs, not all configured ACLs)"
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: extended_acl_1
            acl_type: extended
          - name: 110
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: extended_acl_1
#    afi: ipv4
# commands:
#  - no ip access-list extended 110
#  - no ip access-list extended extended_acl_1
# after:
#  - acls:
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    afi: ipv4

# After state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20

# Using deleted - delete ACLs based on AFI

# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
#     10 deny   192.168.1.200
#     20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#     10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#     20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#     10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#     20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
#     10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
#     sequence 10 deny tcp any eq www any eq telnet ack dscp af11

- name: "Delete ACLs based on AFI (Note: this deletes every ACL of the given AFI, not all configured ACLs)"
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: test
#    afi: ipv4
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6
# commands:
#  - no ip access-list extended 110
#  - no ip access-list extended 123
#  - no ip access-list standard std_acl
#  - no ip access-list extended test
# after:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6

# After state:
# -------------
#
# vios#sh running-config | section access-list
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack dscp af11
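
Both `state: overridden` (the two overridden examples above) and `state: deleted` with no `config`, or with only an `afi`, remove every ACL that the supplied configuration does not mention. On IOS an interface whose `ip access-group` still references an ACL that no longer exists passes all traffic, so a mistyped ACL name in an overridden play silently drops filtering instead of failing. The `commands` list the module returns is the exact set of lines it pushes, and a `check_mode: true` run returns the same list without applying it, which makes it the natural place for a pre-flight gate. The following is an added example and not part of the cisco.ios collection: it classifies that list and reports any ACL from a caller-supplied protected set that would be deleted outright or have entries removed. The sample command list is copied from the first "Using overridden" output above; the `FilterModule` class is the standard Ansible filter-plugin hook, while the filter names `acl_classify` and `acl_violations` and the function names are this example's own.

```python
"""Pre-flight classifier for the `commands` list returned by
cisco.ios.ios_acls (for example from a check_mode run with
state=overridden or state=deleted), so a playbook can refuse to push a
change that would remove an ACL it must keep."""
import re

# "no ip access-list extended 123" / "no ipv6 access-list R1_TRAFFIC"
_ACL_DELETE = re.compile(r"^no\s+(ip|ipv6)\s+access-list\s+(?:(?:standard|extended)\s+)?(\S+)$")
# "ip access-list extended TEST" / "ipv6 access-list R1_TRAFFIC" (enter ACL sub-mode)
_ACL_ENTER = re.compile(r"^(ip|ipv6)\s+access-list\s+(?:(?:standard|extended)\s+)?(\S+)$")
_AFI = {"ip": "ipv4", "ipv6": "ipv6"}


def classify_commands(commands):
    """Walk the command list in order, tracking which ACL sub-mode each
    line belongs to, and bucket every line as a whole-ACL deletion, an
    ACE/remark removal inside an ACL, or an addition."""
    result = {"acl_deleted": [], "ace_removed": [], "added": []}
    current = None  # (afi, name) of the ACL sub-mode we are in, if any
    for raw in commands:
        line = raw.strip()
        m = _ACL_DELETE.match(line)
        if m:
            result["acl_deleted"].append((_AFI[m.group(1)], m.group(2)))
            current = None  # "no ip access-list" is issued at global config level
            continue
        m = _ACL_ENTER.match(line)
        if m:
            current = (_AFI[m.group(1)], m.group(2))
            continue
        acl_name = current[1] if current else None
        if line.startswith("no "):
            # "no 10", "no 20 permit ...", "no 30 remark", "no remark": removal
            # of an ACE and/or its remarks inside the current ACL
            result["ace_removed"].append((acl_name, line))
        else:
            result["added"].append((acl_name, line))
    return result


def violations(commands, protected_acls):
    """Return human-readable findings for every protected ACL that the
    command list would delete outright or strip entries from. An empty
    list means the change is safe with respect to that set of ACLs."""
    buckets = classify_commands(commands)
    protected = set(protected_acls)
    findings = []
    for afi, name in buckets["acl_deleted"]:
        if name in protected:
            findings.append("%s ACL %s would be deleted" % (afi, name))
    for name, line in buckets["ace_removed"]:
        if name in protected:
            findings.append("entry removed from ACL %s: %s" % (name, line))
    return findings


class FilterModule(object):
    """Expose the checks as Jinja2 filters (place this file in the
    playbook's filter_plugins/ directory) so a task can evaluate
    `preflight.commands | acl_violations(['std_acl'])` and assert on it."""

    def filters(self):
        return {"acl_classify": classify_commands, "acl_violations": violations}


# Constructed sample: the `commands` reported by the first "Using overridden"
# example on this page, copied here so the check runs offline.
SAMPLE_COMMANDS = [
    "ip access-list extended 110",
    "no 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack",
    "no 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10",
    "20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10",
    "ip access-list extended 150",
    "10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10",
    "no ip access-list extended 123",
    "no ip access-list extended R1_TRAFFIC",
    "no ip access-list standard std_acl",
    "no ip access-list extended test",
]

if __name__ == "__main__":
    for finding in violations(SAMPLE_COMMANDS, ["std_acl", "110"]):
        print(finding)
```

In a playbook the pattern is: run `cisco.ios.ios_acls` once with `check_mode: true` and `register: preflight`, `ansible.builtin.assert` that `preflight.commands | acl_violations(protected_acls) | length == 0`, and only then run the same task without check mode. The protected set should name every ACL referenced by an `ip access-group`, a `vty access-class` or a `snmp-server community` on the device, since those are the ones whose disappearance opens access rather than closing it.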


# Using deleted - delete all ACLs

# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
#     10 deny   192.168.1.200
#     20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#     10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#     20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#     10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#     20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
#     10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
#     sequence 10 deny tcp any eq www any eq telnet ack dscp af11

# With no config section, deleted removes every ACL on the device (the after
# state below is empty). Run the task with --check --diff first and confirm no
# interface or vty line still references one of the ACLs being removed.
- name: Delete ALL configured ACLs
  cisco.ios.ios_acls:
    state: deleted

# Task Output
# -----------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: test
#    afi: ipv4
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6
# commands:
#  - no ip access-list standard std_acl
#  - no ip access-list extended 110
#  - no ip access-list extended 123
#  - no ip access-list extended test
#  - no ipv6 access-list R1_TRAFFIC
# after: []

# After state:
# -------------
#
# vios#sh running-config | section access-list


# Using gathered

# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0 0.0.0.255
# ip access-list extended 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
#    sequence 10 deny tcp any eq www any eq telnet ack dscp af11

- name: Gather ACLs configuration from target device
  cisco.ios.ios_acls:
    state: gathered

# Module Execution Result:
# ------------------------
#
# before:
#  - acls:
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: icmp
#        protocol_options:
#          icmp:
#            traceroute: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      - destination:
#          host: 198.51.110.0
#          port_protocol:
#            eq: telnet
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          host: 198.51.100.0
#      acl_type: extended
#      name: '110'
#    - aces:
#      - destination:
#          address: 198.51.101.0
#          port_protocol:
#            eq: telnet
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          address: 198.51.100.0
#          wildcard_bits: 0.0.0.255
#        tos:
#          service_value: 12
#      - destination:
#          address: 192.0.4.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        dscp: ef
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 20
#        source:
#          address: 192.0.3.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          lt: 20
#      acl_type: extended
#      name: '123'
#    - aces:
#      - grant: deny
#        sequence: 10
#        source:
#          host: 192.168.1.200
#      - grant: deny
#        sequence: 20
#        source:
#          address: 192.168.2.0
#          wildcard_bits: 0.0.0.255
#      acl_type: standard
#      name: std_acl
#    - aces:
#      - destination:
#          address: 192.0.3.0
#          port_protocol:
#            eq: www
#          wildcard_bits: 0.0.0.255
#        grant: deny
#        option:
#          traceroute: true
#        protocol: tcp
#        protocol_options:
#          tcp:
#            fin: true
#        sequence: 10
#        source:
#          address: 192.0.2.0
#          wildcard_bits: 0.0.0.255
#        ttl:
#          eq: 10
#      acl_type: extended
#      name: test
#    afi: ipv4
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6

# Using rendered

- name: Render the provided configuration into platform specific configuration lines
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: 110
            aces:
              - grant: deny
                sequence: 10
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                dscp: ef
                ttl:
                  eq: 10
          - name: 150
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                dscp: ef
                ttl:
                  eq: 10
    state: rendered

# Module Execution Result:
# ------------------------
#
# rendered:
#  - ip access-list extended 110
#  - 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
#  - ip access-list extended 150
#  - deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10

# Using Parsed

# File: parsed.cfg
# ----------------
#
# ipv6 access-list R1_TRAFFIC
#     sequence 10 deny tcp any eq www any eq telnet ack dscp af11

- name: Parse the commands for provided configuration
  cisco.ios.ios_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed

# Module Execution Result:
# ------------------------
#
# parsed:
#  - acls:
#    - aces:
#      - destination:
#          any: true
#          port_protocol:
#            eq: telnet
#        dscp: af11
#        grant: deny
#        protocol: tcp
#        protocol_options:
#          tcp:
#            ack: true
#        sequence: 10
#        source:
#          any: true
#          port_protocol:
#            eq: www
#      name: R1_TRAFFIC
#    afi: ipv6
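Both gathered (read from the device) and parsed (read from a saved config) return the same argspec-shaped list, which makes it a natural input for an offline policy check before or after a change. The following is an added example, not code from the cisco.ios collection: it walks that structure and flags permit any-to-any entries, permits of cleartext management ports, entries without a sequence number, duplicate sequence numbers, and ACLs that do not end in an explicit deny. The port-name set, the check names and the ACL EDGE_IN in the sample are assumptions constructed for the example; std_acl and R1_TRAFFIC are copied from the gathered output above.

```python
"""Audit the structured ACL data that cisco.ios.ios_acls returns.

Added example, not code from the cisco.ios collection. It consumes the list
the module returns as ``gathered`` (state: gathered) or ``parsed``
(state: parsed); both follow the module argspec shown above, a list of
{afi, acls: [{name, acl_type, aces: [...]}]} entries.
"""
from __future__ import annotations

from collections import Counter
from typing import Any

# Assumption: port names exactly as the module reports them in port_protocol.
# Cleartext management protocols that a permit entry should not expose.
CLEARTEXT_MGMT_PORTS = {"telnet", "23", "ftp", "21", "tftp", "69"}


def _is_any(endpoint: dict[str, Any] | None) -> bool:
    """True when a source/destination block is the 'any' keyword."""
    return bool(endpoint) and endpoint.get("any") is True


def _ports(endpoint: dict[str, Any] | None) -> set[str]:
    """Collect the eq/gt/lt/neq/range operands of an endpoint as strings."""
    pp = (endpoint or {}).get("port_protocol") or {}
    ports = {str(pp[k]) for k in ("eq", "gt", "lt", "neq") if pp.get(k) is not None}
    if pp.get("range"):
        ports.add(f"{pp['range'].get('start')}-{pp['range'].get('end')}")
    return ports


def audit_acls(acl_data: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One finding per suspicious ACE (or ACL), in device order.

    permit-any-any: permit with 'any' on both sides and no port operand.
    permit-cleartext-mgmt: destination port is a cleartext management service.
    no-sequence / duplicate-sequence: merge order becomes implicit or collides.
    no-explicit-final-deny: the last ACE is not a deny, so traffic that falls
    through to the implicit deny can never be logged.
    """
    findings: list[dict[str, Any]] = []
    for afi_block in acl_data:
        afi = afi_block.get("afi")
        for acl in afi_block.get("acls") or []:
            name, aces = str(acl.get("name")), acl.get("aces") or []
            seen: set[int] = set()
            for ace in aces:
                seq = ace.get("sequence")
                where = {"afi": afi, "acl": name, "sequence": seq}
                if seq is None:
                    findings.append({**where, "check": "no-sequence"})
                elif seq in seen:
                    findings.append({**where, "check": "duplicate-sequence"})
                else:
                    seen.add(seq)
                if ace.get("grant") != "permit":
                    continue
                src, dst = ace.get("source"), ace.get("destination")
                if _is_any(src) and _is_any(dst) and not (_ports(src) | _ports(dst)):
                    findings.append({**where, "check": "permit-any-any",
                                     "protocol": ace.get("protocol")})
                exposed = _ports(dst) & CLEARTEXT_MGMT_PORTS
                if exposed:
                    findings.append({**where, "check": "permit-cleartext-mgmt",
                                     "ports": sorted(exposed)})
            if aces and aces[-1].get("grant") != "deny":
                findings.append({"afi": afi, "acl": name,
                                 "sequence": aces[-1].get("sequence"),
                                 "check": "no-explicit-final-deny"})
    return findings


def summarize(findings: list[dict[str, Any]]) -> dict[str, int]:
    """Count findings per check name."""
    return dict(Counter(f["check"] for f in findings))


# Sample input: std_acl and R1_TRAFFIC are copied from the gathered output
# above; EDGE_IN is constructed for this example so the checks have hits.
SAMPLE_GATHERED: list[dict[str, Any]] = [
    {"afi": "ipv4", "acls": [
        {"name": "std_acl", "acl_type": "standard", "aces": [
            {"grant": "deny", "sequence": 10, "source": {"host": "192.168.1.200"}},
            {"grant": "deny", "sequence": 20,
             "source": {"address": "192.168.2.0", "wildcard_bits": "0.0.0.255"}}]},
        {"name": "EDGE_IN", "acl_type": "extended", "aces": [  # constructed
            {"sequence": 10, "grant": "permit", "protocol": "tcp", "source": {"any": True},
             "destination": {"any": True, "port_protocol": {"eq": "telnet"}}},
            {"sequence": 20, "grant": "permit", "protocol": "ip",
             "source": {"any": True}, "destination": {"any": True}},
            {"grant": "permit", "protocol": "tcp", "source": {"host": "192.0.2.10"},
             "destination": {"any": True, "port_protocol": {"eq": "www"}}}]}]},
    {"afi": "ipv6", "acls": [
        {"name": "R1_TRAFFIC", "aces": [
            {"sequence": 10, "grant": "deny", "protocol": "tcp", "dscp": "af11",
             "protocol_options": {"tcp": {"ack": True}},
             "source": {"any": True, "port_protocol": {"eq": "www"}},
             "destination": {"any": True, "port_protocol": {"eq": "telnet"}}}]}]},
]

if __name__ == "__main__":
    for finding in audit_acls(SAMPLE_GATHERED):
        print(finding)
    print(summarize(audit_acls(SAMPLE_GATHERED)))
```

In a playbook the same data arrives as a registered variable (for example `acl_facts.gathered`), so the function can be called from a small filter plugin or dumped to JSON and fed to this script as a pre-change gate. None of the documentation's own ACLs trigger a finding; every hit in the sample comes from the constructed EDGE_IN list.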

Return Values

Common return values are documented here; the following are the fields unique to this module:

Description

after

dictionary

The resulting configuration after module execution.

Returned: when changed

Sample: "This output will always be in the same format as the module argspec.\n"

before

dictionary

The configuration prior to the module execution.

Returned: when state is merged, replaced, overridden, deleted or purged

Sample: "This output will always be in the same format as the module argspec.\n"

commands

list / elements=string

The set of commands pushed to the remote device.

Returned: when state is merged, replaced, overridden, deleted or purged

Sample: ["ip access-list extended 110", "deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10", "permit ip host 2.2.2.2 host 3.3.3.3"]

gathered

list / elements=string

Facts about the network resource gathered from the remote device as structured data.

Returned: when state is gathered

Sample: ["This output will always be in the same format as the module argspec.\n"]

parsed

list / elements=string

The device native config provided in the running_config option, parsed into structured data as per the module argspec.

Returned: when state is parsed

Sample: ["This output will always be in the same format as the module argspec.\n"]

rendered

list / elements=string

The provided configuration in the task rendered in device-native format (offline).

Returned: when state is rendered

Sample: ["ip access-list extended test", "permit ip host 2.2.2.2 host 3.3.3.3", "permit tcp host 1.1.1.1 host 5.5.5.5 eq www"]

Authors

  • Sumit Jaiswal (@justjais)

  • Sagar Paul (@KB-perByte)