cisco.iosxr.iosxr_acls 模块 – 配置 ACL 的资源模块。
注意
此模块是 cisco.iosxr 集合 (版本 10.2.2) 的一部分。
如果您使用的是 ansible 包,则可能已经安装了此集合。它不包含在 ansible-core 中。要检查它是否已安装,请运行 ansible-galaxy collection list。
要安装它,请使用: ansible-galaxy collection install cisco.iosxr。
要在 playbook 中使用它,请指定: cisco.iosxr.iosxr_acls。
cisco.iosxr 1.0.0 中的新增功能
摘要
此模块管理在运行 IOS-XR 的设备上的访问控制列表 (ACL)。
参数
参数 |
注释 |
|---|---|
一个字典列表,指定 ACL 配置。 |
|
访问控制列表 (ACL) 列表。 |
|
此访问控制列表 (ACL) 的访问控制条目 (ACE) 列表。 |
|
如果存在身份验证报头,则匹配。 选项
|
|
捕获匹配的数据包。 选项
|
|
指定数据包目标。 |
|
要匹配的目标 IP 地址。 |
|
匹配任何目标地址。 选项
|
|
要匹配的主机 IP 地址。 |
|
网络组名称。 |
|
端口组名称。 |
|
指定源端口或协议。 |
|
仅匹配给定端口号上的数据包。 |
|
仅匹配端口号较大的数据包。 |
|
仅匹配端口号较小的数据包。 |
|
仅匹配不在给定端口号上的数据包。 |
|
仅匹配端口号范围内的的数据包 |
|
指定端口范围的结束。 |
|
指定端口范围的开始。 |
|
目标网络前缀。 |
|
要应用于目标地址的通配符位。 |
|
如果存在目标选项报头,则匹配。 选项
|
|
匹配具有给定 DSCP 值的数据包。 |
|
仅匹配给定 dscp 值上的数据包 |
|
仅匹配 dscp 值较大的数据包 |
|
仅匹配 dscp 值较小的数据包 |
|
仅匹配不在给定 dscp 值上的数据包 |
|
仅匹配 dscp 值范围内的的数据包 |
|
dscp 范围的结束 |
|
dscp 范围的开始 |
|
检查非初始片段。 选项
|
|
转发或丢弃与访问控制条目 (ACE) 匹配的数据包。 选项
|
|
如果存在逐跳选项报头,则匹配。 选项
|
|
启用/禁用此条目的 ICMP 消息。 选项
|
|
不包含序列号的 ACE。 此键与除“sequence”之外的所有其他属性互斥。 与其他属性一起使用时,此键的值将优先,其他键将被忽略。 仅当 argspec 中不存在属性但对设备有效时才应使用此方法。 对于事实收集,任何未完全解析的 ACE 将显示为此属性的值,不包括序列号,序列号将填充为 sequence 键的值。 |
|
启用/禁用针对此条目的日志匹配。 选项
|
|
启用/禁用针对此条目的日志匹配,包括输入接口。 选项
|
|
匹配给定数据包长度的数据包。 |
|
仅匹配给定数据包长度上的数据包 |
|
仅匹配数据包长度较大的数据包 |
|
仅匹配数据包长度较小的数据包 |
|
仅匹配不在给定数据包长度上的数据包 |
|
仅匹配数据包长度范围内的的数据包 |
|
数据包长度范围的结束 |
|
数据包长度范围的开始 |
|
匹配具有给定优先级值的数据包 |
|
指定要匹配的协议。 有关有效值,请参阅供应商文档。 |
|
协议的其他子选项。 |
|
互联网控制消息协议设置。 |
|
管理上禁止 选项
|
|
备用地址 选项
|
|
数据报转换 选项
|
|
主机禁止 选项
|
|
网络禁止 选项
|
|
回显 (ping) 选项
|
|
回显回复 选项
|
|
参数问题 选项
|
|
主机隔离 选项
|
|
主机对于优先级不可达 选项
|
|
主机重定向 选项
|
|
TOS 主机重定向 选项
|
|
主机对于 TOS 不可达 选项
|
|
主机未知 选项
|
|
主机不可达 选项
|
|
信息回复 选项
|
|
信息请求 选项
|
|
掩码回复 选项
|
|
掩码请求 选项
|
|
移动主机重定向 选项
|
|
网络重定向 选项
|
|
TOS 网络重定向 选项
|
|
网络对于 TOS 不可达 选项
|
|
网络不可达 选项
|
|
网络未知 选项
|
|
需要参数但空间不足 选项
|
|
需要参数但不存在 选项
|
|
需要分片且DF标志已设置 选项
|
|
所有参数问题 选项
|
|
端口不可达 选项
|
|
优先级被截断 选项
|
|
协议不可达 选项
|
|
重组超时 选项
|
|
所有重定向 选项
|
|
路由器发现通告 选项
|
|
路由器发现请求 选项
|
|
源抑制 选项
|
|
源路由失败 选项
|
|
所有超时 选项
|
|
时间戳回复 选项
|
|
时间戳请求 选项
|
|
Traceroute 选项
|
|
TTL 超时 选项
|
|
所有不可达 选项
|
|
IPv6 的互联网控制消息协议设置。 |
|
地址不可达 选项
|
|
管理上禁止 选项
|
|
管理上禁止 选项
|
|
目标不可达 选项
|
|
回显 选项
|
|
回显回复 选项
|
|
错误的首部字段 选项
|
|
组成员查询 选项
|
|
组成员报告 选项
|
|
组成员终止 选项
|
|
主机不可达 选项
|
|
邻居发现 - 邻居通告 选项
|
|
邻居发现 - 邻居请求 选项
|
|
邻居重定向 选项
|
|
无到达目标的路由 选项
|
|
节点信息请求被拒绝 选项
|
|
节点信息成功回复 选项
|
|
数据包过大 选项
|
|
参数问题 选项
|
|
端口不可达 选项
|
|
查询主题是域名 选项
|
|
查询主题是IPv4地址 选项
|
|
查询主题是IPv6地址 选项
|
|
重组超时 选项
|
|
重定向 选项
|
|
路由器通告 选项
|
|
路由器重新编号 选项
|
|
路由器请求 选项
|
|
RR命令 选项
|
|
RR结果 选项
|
|
RR序列号重置 选项
|
|
超时 选项
|
|
TTL超时 选项
|
|
未知查询类型 选项
|
|
不可达 选项
|
|
无法识别的下一个首部 选项
|
|
无法识别的选项 选项
|
|
你是谁回复 选项
|
|
你是谁请求 选项
|
|
互联网组管理协议 (IGMP) 设置。 |
|
匹配距离矢量组播路由协议 选项
|
|
匹配主机查询 选项
|
|
匹配主机报告 选项
|
|
匹配mtrace 选项
|
|
匹配mtrace响应 选项
|
|
匹配协议无关组播 选项
|
|
组播跟踪 选项
|
|
匹配TCP数据包标志 |
|
匹配ACK位 选项
|
|
匹配已建立的连接 选项
|
|
匹配FIN位 选项
|
|
匹配PSH位 选项
|
|
匹配RST位 选项
|
|
匹配SYN位 选项
|
|
匹配URG位 选项
|
|
访问列表的注释或描述。 |
|
如果存在路由报头则匹配。 选项
|
|
访问控制条目 (ACE) 的序列号。 |
|
指定数据包源。 |
|
要匹配的源IP地址。 |
|
匹配任何源地址。 选项
|
|
要匹配的主机 IP 地址。 |
|
网络组名称。 |
|
端口组名称。 |
|
指定源端口或协议。 |
|
仅匹配给定端口号上的数据包。 |
|
仅匹配端口号较大的数据包。 |
|
仅匹配端口号较小的数据包。 |
|
仅匹配不在给定端口号上的数据包。 |
|
仅匹配端口号范围内的的数据包 |
|
指定端口范围的结束。 |
|
指定端口范围的开始。 |
|
源网络前缀。 |
|
要应用于源地址的通配符位。 |
|
根据指定的TTL值进行匹配。 |
|
仅匹配具有精确TTL值的数据包。 |
|
仅匹配具有更大TTL值的数据包。 |
|
仅匹配具有较小TTL值的数据包。 |
|
仅匹配不具有给定TTL值的数据包。 |
|
仅匹配给定TTL值范围内的的数据包。 |
|
TTL范围的结束。 |
|
TTL范围的开始。 |
|
访问控制列表 (ACL) 的名称。 |
|
访问控制列表 (ACL) 的地址族指示符 (AFI)。 选项
|
|
默认情况下,模块将连接到远程设备并检索当前运行配置,将其用作与源内容进行比较的基础。有时,不希望任务为 playbook 中的每个任务获取当前运行配置。running_config 参数允许实现者传入用作比较基础配置的配置。此选项的值应是从设备执行命令 **show running-config router static** 后收到的输出。 |
|
配置应保留的状态。 选项
|
示例
# Using merged to add new ACLs
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-al
# Fri Sep 22 03:57:04.758 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
- name: Merge the provided configuration with the existing running configuration
cisco.iosxr.iosxr_acls:
config:
- afi: ipv6
acls:
- name: acl6_1
aces:
- sequence: 10
grant: deny
protocol: tcp
source:
prefix: '2001:db8:1234::/48'
port_protocol:
range:
start: ftp
end: telnet
destination:
any: true
protocol_options:
tcp:
syn: true
ttl:
range:
start: 180
end: 250
routing: true
authen: true
log: true
- sequence: 20
grant: permit
protocol: icmpv6
source:
any: true
destination:
any: true
protocol_options:
icmpv6:
router_advertisement: true
precedence: network
destopts: true
- afi: ipv4
acls:
- name: acl_1
aces:
- sequence: 16
remark: TEST_ACL_1_REMARK
- sequence: 21
grant: permit
protocol: tcp
source:
host: 192.0.2.10
port_protocol:
range:
start: pop3
end: 121
destination:
address: 198.51.100.0
wildcard_bits: 0.0.0.15
protocol_options:
tcp:
rst: true
- sequence: 23
grant: deny
protocol: icmp
source:
any: true
destination:
prefix: 198.51.100.0/28
protocol_options:
icmp:
reassembly_timeout: true
dscp:
lt: af12
- name: acl_2
aces:
- sequence: 10
remark: TEST_ACL_2_REMARK
state: merged
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: udp
# sequence: 10
# source:
# address: 192.168.1.0
# wildcard_bits: 0.0.0.255
# name: acl_1
# afi: ipv4
#
# commands:
# - ipv6 access-list acl6_1
# - 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 authen routing log
# - 20 permit icmpv6 any any router-advertisement precedence network destopts
# - ipv4 access-list acl_1
# - 16 remark TEST_ACL_1_REMARK
# - 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# - 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# - ipv4 access-list acl_2
# - 10 remark TEST_ACL_2_REMARK
#
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: udp
# sequence: 10
# source:
# address: 192.168.1.0
# wildcard_bits: 0.0.0.255
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 04:35:19.977 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using merged to update existing ACLs
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 04:37:33.542 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Update existing ACEs
cisco.iosxr.iosxr_acls:
config:
- afi: ipv4
acls:
- name: acl_1
aces:
- sequence: 21
source:
prefix: 198.51.100.32/28
port_protocol:
range:
start: pop3
end: 121
protocol_options:
tcp:
syn: true
- sequence: 23
protocol_options:
icmp:
router_advertisement: true
dscp:
eq: af23
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: udp
# sequence: 10
# source:
# address: 192.168.1.0
# wildcard_bits: 0.0.0.255
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
#
# commands:
# - ipv4 access-list acl_1
# - 21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
# - 23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: udp
# sequence: 10
# source:
# address: 192.168.1.0
# wildcard_bits: 0.0.0.255
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# sequence: 21
# source:
# address: 198.51.100.32
# port_protocol:
# range:
# end: '121'
# start: pop3
# wildcard_bits: 0.0.0.15
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# eq: af23
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# router_advertisement: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:58:38.345 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp 198.51.100.32 0.0.0.15 range pop3 121 198.51.100.0 0.0.0.15 syn
# 23 deny icmp any 198.51.100.0 0.0.0.15 router-advertisement dscp eq af23
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using replaced to replace a whole ACL
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 05:38:36.205 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Replace device configurations of listed ACL with provided configurations
cisco.iosxr.iosxr_acls:
state: replaced
config:
- afi: ipv4
acls:
- name: acl_2
aces:
- sequence: 11
grant: permit
protocol: igmp
source:
host: 198.51.100.130
destination:
any: true
ttl:
eq: 100
- sequence: 12
grant: deny
source:
any: true
destination:
any: true
protocol: icmp
# Task Output
# -----------
# before:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: udp
# sequence: 10
# source:
# address: 192.168.1.0
# wildcard_bits: 0.0.0.255
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
#
# commands:
# - ipv4 access-list acl_2
# - no 10
# - 11 permit igmp host 198.51.100.130 any ttl eq 100
# - 12 deny icmp any any
#
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: udp
# sequence: 10
# source:
# address: 192.168.1.0
# wildcard_bits: 0.0.0.255
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: igmp
# sequence: 11
# source:
# host: 198.51.100.130
# ttl:
# eq: 100
# - destination:
# any: true
# grant: deny
# protocol: icmp
# sequence: 12
# source:
# any: true
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Fri Sep 22 05:56:21.103 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 11 permit igmp host 198.51.100.130 any ttl eq 100
# 12 deny icmp any any
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using overridden to override all ACLs in the device
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 10 permit udp 192.168.1.0 0.0.0.255 any
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Overridde all ACLs configuration with provided configuration
cisco.iosxr.iosxr_acls:
config:
- afi: ipv4
acls:
- name: acl_1
aces:
- sequence: 10
grant: permit
source:
any: true
destination:
any: true
protocol: tcp
- name: acl_2
aces:
- sequence: 20
grant: permit
source:
any: true
destination:
any: true
protocol: igmp
state: overridden
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
#
# commands:
# - no ipv6 access-list acl6_1
# - ipv4 access-list acl_1
# - no 16
# - no 21
# - no 23
# - 10 permit tcp any any
# - ipv4 access-list acl_2
# - no 10
# - 20 permit igmp any any
#
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: tcp
# sequence: 10
# source:
# any: true
# name: acl_1
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: igmp
# sequence: 20
# source:
# any: true
# name: acl_2
# afi: ipv4
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 06:31:22.178 UTC
# ipv4 access-list acl_1
# 10 permit tcp any any
# ipv4 access-list acl_2
# 20 permit igmp any any
# Using deleted to delete an entire ACL
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Delete a single ACL
cisco.iosxr.iosxr_acls:
config:
- afi: ipv6
acls:
- name: acl6_1
state: deleted
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
#
# commands:
# - no ipv6 access-list acl6_1
#
# after:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# After state:
# -------------
# RP/0/RP0/CPU0:ios#sh access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# Using deleted to delete all ACLs under one AFI
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Delete all ACLs under one AFI
cisco.iosxr.iosxr_acls:
config:
- afi: ipv4
state: deleted
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
#
# commands:
# - no ipv4 access-list acl_1
# - no ipv4 access-list acl_2
#
# after:
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Thu Feb 20 05:22:57.021 UTC
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
# Using deleted to delete all ACLs from the device
# Before state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Delete all ACLs from the device
cisco.iosxr.iosxr_acls:
state: deleted
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
#
# commands:
# - no ipv4 access-list acl_1
# - no ipv4 access-list acl_2
# - no ipv6 access-list acl6_1
#
# after: []
# After state:
# -------------
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Thu Feb 20 05:07:45.767 UTC
# RP/0/RP0/CPU0:ios#
# Using gathered to gather ACL facts from the device
# RP/0/RP0/CPU0:ios#show access-lists afi-all
# Wed Sep 27 09:34:04.831 UTC
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Gather ACL interfaces facts using gathered state
cisco.iosxr.iosxr_acls:
state: gathered
# Task Output (redacted)
# -----------------------
#
# gathered:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
# Using rendered
- name: Render platform specific commands (without connecting to the device)
cisco.iosxr.iosxr_acls:
config:
- afi: ipv4
acls:
- name: acl_2
aces:
- sequence: 11
grant: permit
protocol: igmp
source:
host: 198.51.100.130
destination:
any: true
ttl:
eq: 100
- sequence: 12
grant: deny
source:
any: true
destination:
any: true
protocol: icmp
state: rendered
# Task Output (redacted)
# -----------------------
# rendered:
# - ipv4 access-list acl_2
# - 11 permit igmp host 198.51.100.130 any ttl eq 100
# - 12 deny icmp any any
# Using parsed
# parsed.cfg
# ------------
# ipv4 access-list acl_1
# 16 remark TEST_ACL_1_REMARK
# 21 permit tcp host 192.0.2.10 range pop3 121 198.51.100.0 0.0.0.15 rst
# 23 deny icmp any 198.51.100.0 0.0.0.15 reassembly-timeout dscp lt af12
# ipv4 access-list acl_2
# 10 remark TEST_ACL_2_REMARK
# ipv6 access-list acl6_1
# 10 deny tcp 2001:db8:1234::/48 range ftp telnet any syn ttl range 180 250 routing authen log
# 20 permit icmpv6 any any router-advertisement precedence network destopts
- name: Parse externally provided ACL config to agnostic model
cisco.iosxr.iosxr_acls:
running_config: "{{ lookup('file', 'parsed.cfg') }}"
state: parsed
# Task Output (redacted)
# -----------------------
# parsed:
# - acls:
# - aces:
# - remark: TEST_ACL_1_REMARK
# sequence: 16
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# grant: permit
# protocol: tcp
# protocol_options:
# tcp:
# rst: true
# sequence: 21
# source:
# host: 192.0.2.10
# port_protocol:
# range:
# end: '121'
# start: pop3
# - destination:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.15
# dscp:
# lt: af12
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# reassembly_timeout: true
# sequence: 23
# source:
# any: true
# name: acl_1
# - aces:
# - remark: TEST_ACL_2_REMARK
# sequence: 10
# name: acl_2
# afi: ipv4
# - acls:
# - aces:
# - authen: true
# destination:
# any: true
# grant: deny
# log: true
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# routing: true
# sequence: 10
# source:
# port_protocol:
# range:
# end: telnet
# start: ftp
# prefix: 2001:db8:1234::/48
# ttl:
# range:
# end: 250
# start: 180
# - destination:
# any: true
# destopts: true
# grant: permit
# precedence: network
# protocol: icmpv6
# protocol_options:
# icmpv6:
# router_advertisement: true
# sequence: 20
# source:
# any: true
# name: acl6_1
# afi: ipv6
返回值
常见的返回值已在此处记录,以下是此模块特有的字段
键 |
描述 |
|---|---|
生成的配置模型调用。 已返回:已更改时 示例: |
|
模型调用之前的配置。 已返回:始终 示例: |
|
推送到远程设备的命令集。 已返回:始终 示例: |
|
从远程设备收集的有关网络资源的事实,作为结构化数据。 已返回:当 state 为 示例: |
|
根据模块argspec,将running_config选项中提供的设备原生配置解析为结构化数据。 已返回:当 state 为 示例: |
|
以设备原生格式(离线)呈现的任务中提供的配置。 已返回:当 state 为 示例: |