cisco.ios.ios_acls – ACLs resource module

Note

This plugin is part of the cisco.ios collection (version 2.5.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.ios.

To use it in a playbook, specify: cisco.ios.ios_acls.

New in version 1.0.0: of cisco.ios

Synopsis

  • This module configures and manages the named or numbered ACLs on IOS platforms.

Note

This module has a corresponding action plugin.

Parameters

Parameter Choices/Defaults Comments
config
list / elements=dictionary
A dictionary of ACL options.
acls
list / elements=dictionary
A list of Access Control Lists (ACL).
aces
list / elements=dictionary
The entries within the ACL.
destination
dictionary
Specify the packet destination.
address
string
Host address to match, or any single host address.
any
boolean
    Choices:
  • no
  • yes
Match any source address.
host
string
A single destination host
object_group
string
Destination network object group
port_protocol
dictionary
Specify the destination port along with protocol.
Note, Valid with TCP/UDP protocol_options
eq
string
Match only packets on a given port number.
gt
string
Match only packets with a greater port number.
lt
string
Match only packets with a lower port number.
neq
string
Match only packets not on a given port number.
range
dictionary
Port group.
end
integer
Specify the end of the port range.
start
integer
Specify the start of the port range.
wildcard_bits
string
Destination wildcard bits, valid with IPV4 address.
dscp
string
Match packets with given dscp value.
evaluate
string
Evaluate an access list
fragments
string
Check non-initial fragments.
grant
string
    Choices:
  • permit
  • deny
Specify the action.
log
dictionary
Log matches against this entry.
set
boolean
    Choices:
  • no
  • yes
Enable Log matches against this entry
user_cookie
string
User defined cookie (max of 64 char)
log_input
dictionary
Log matches against this entry, including input interface.
set
boolean
    Choices:
  • no
  • yes
Enable Log matches against this entry, including input interface.
user_cookie
string
User defined cookie (max of 64 char)
option
dictionary
Match packets with given IP Options value.
Valid only for named acls.
add_ext
boolean
    Choices:
  • no
  • yes
Match packets with Address Extension Option (147).
any_options
boolean
    Choices:
  • no
  • yes
Match packets with ANY Option.
com_security
boolean
    Choices:
  • no
  • yes
Match packets with Commercial Security Option (134).
dps
boolean
    Choices:
  • no
  • yes
Match packets with Dynamic Packet State Option (151).
encode
boolean
    Choices:
  • no
  • yes
Match packets with Encode Option (15).
eool
boolean
    Choices:
  • no
  • yes
Match packets with End of Options (0).
ext_ip
boolean
    Choices:
  • no
  • yes
Match packets with Extended IP Option (145).
ext_security
boolean
    Choices:
  • no
  • yes
Match packets with Extended Security Option (133).
finn
boolean
    Choices:
  • no
  • yes
Match packets with Experimental Flow Control Option (205).
imitd
boolean
    Choices:
  • no
  • yes
Match packets with IMI Traffic Desriptor Option (144).
lsr
boolean
    Choices:
  • no
  • yes
Match packets with Loose Source Route Option (131).
mtup
boolean
    Choices:
  • no
  • yes
Match packets with MTU Probe Option (11).
mtur
boolean
    Choices:
  • no
  • yes
Match packets with MTU Reply Option (12).
no_op
boolean
    Choices:
  • no
  • yes
Match packets with No Operation Option (1).
nsapa
boolean
    Choices:
  • no
  • yes
Match packets with NSAP Addresses Option (150).
record_route
boolean
    Choices:
  • no
  • yes
Match packets with Record Route Option (7).
router_alert
boolean
    Choices:
  • no
  • yes
Match packets with Router Alert Option (148).
sdb
boolean
    Choices:
  • no
  • yes
Match packets with Selective Directed Broadcast Option (149).
security
boolean
    Choices:
  • no
  • yes
Match packets with Basic Security Option (130).
ssr
boolean
    Choices:
  • no
  • yes
Match packets with Strict Source Routing Option (137).
stream_id
boolean
    Choices:
  • no
  • yes
Match packets with Stream ID Option (136).
timestamp
boolean
    Choices:
  • no
  • yes
Match packets with Time Stamp Option (68).
traceroute
boolean
    Choices:
  • no
  • yes
Match packets with Trace Route Option (82).
ump
boolean
    Choices:
  • no
  • yes
Match packets with Upstream Multicast Packet Option (152).
visa
boolean
    Choices:
  • no
  • yes
Match packets with Experimental Access Control Option (142).
zsu
boolean
    Choices:
  • no
  • yes
Match packets with Experimental Measurement Option (10).
precedence
integer
Match packets with given precedence value.
protocol
string
Specify the protocol to match.
Refer to vendor documentation for valid values.
protocol_options
dictionary
protocol type.
ahp
boolean
    Choices:
  • no
  • yes
Authentication Header Protocol.
eigrp
boolean
    Choices:
  • no
  • yes
Cisco's EIGRP routing protocol.
esp
boolean
    Choices:
  • no
  • yes
Encapsulation Security Payload.
gre
boolean
    Choices:
  • no
  • yes
Cisco's GRE tunneling.
hbh
boolean
    Choices:
  • no
  • yes
Hop by Hop options header. Valid for IPV6
icmp
dictionary
Internet Control Message Protocol.
administratively_prohibited
boolean
    Choices:
  • no
  • yes
Administratively prohibited
alternate_address
boolean
    Choices:
  • no
  • yes
Alternate address
conversion_error
boolean
    Choices:
  • no
  • yes
Datagram conversion
dod_host_prohibited
boolean
    Choices:
  • no
  • yes
Host prohibited
dod_net_prohibited
boolean
    Choices:
  • no
  • yes
Net prohibited
echo
boolean
    Choices:
  • no
  • yes
Echo (ping)
echo_reply
boolean
    Choices:
  • no
  • yes
Echo reply
general_parameter_problem
boolean
    Choices:
  • no
  • yes
Parameter problem
host_isolated
boolean
    Choices:
  • no
  • yes
Host isolated
host_precedence_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable for precedence
host_redirect
boolean
    Choices:
  • no
  • yes
Host redirect
host_tos_redirect
boolean
    Choices:
  • no
  • yes
Host redirect for TOS
host_tos_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable for TOS
host_unknown
boolean
    Choices:
  • no
  • yes
Host unknown
host_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable
information_reply
boolean
    Choices:
  • no
  • yes
Information replies
information_request
boolean
    Choices:
  • no
  • yes
Information requests
mask_reply
boolean
    Choices:
  • no
  • yes
Mask replies
mask_request
boolean
    Choices:
  • no
  • yes
mask_request
mobile_redirect
boolean
    Choices:
  • no
  • yes
Mobile host redirect
net_redirect
boolean
    Choices:
  • no
  • yes
Network redirect
net_tos_redirect
boolean
    Choices:
  • no
  • yes
Net redirect for TOS
net_tos_unreachable
boolean
    Choices:
  • no
  • yes
Network unreachable for TOS
net_unreachable
boolean
    Choices:
  • no
  • yes
Net unreachable
network_unknown
boolean
    Choices:
  • no
  • yes
Network unknown
no_room_for_option
boolean
    Choices:
  • no
  • yes
Parameter required but no room
option_missing
boolean
    Choices:
  • no
  • yes
Parameter required but not present
packet_too_big
boolean
    Choices:
  • no
  • yes
Fragmentation needed and DF set
parameter_problem
boolean
    Choices:
  • no
  • yes
All parameter problems
port_unreachable
boolean
    Choices:
  • no
  • yes
Port unreachable
precedence_unreachable
boolean
    Choices:
  • no
  • yes
Precedence cutoff
protocol_unreachable
boolean
    Choices:
  • no
  • yes
Protocol unreachable
reassembly_timeout
boolean
    Choices:
  • no
  • yes
Reassembly timeout
redirect
boolean
    Choices:
  • no
  • yes
All redirects
router_advertisement
boolean
    Choices:
  • no
  • yes
Router discovery advertisements
router_solicitation
boolean
    Choices:
  • no
  • yes
Router discovery solicitations
source_quench
boolean
    Choices:
  • no
  • yes
Source quenches
source_route_failed
boolean
    Choices:
  • no
  • yes
Source route failed
time_exceeded
boolean
    Choices:
  • no
  • yes
All time exceededs
timestamp_reply
boolean
    Choices:
  • no
  • yes
Timestamp replies
timestamp_request
boolean
    Choices:
  • no
  • yes
Timestamp requests
traceroute
boolean
    Choices:
  • no
  • yes
Traceroute
ttl_exceeded
boolean
    Choices:
  • no
  • yes
TTL exceeded
unreachable
boolean
    Choices:
  • no
  • yes
All unreachables
igmp
dictionary
Internet Gateway Message Protocol.
dvmrp
boolean
    Choices:
  • no
  • yes
Distance Vector Multicast Routing Protocol(2)
host_query
boolean
    Choices:
  • no
  • yes
IGMP Membership Query(0)
mtrace_resp
boolean
    Choices:
  • no
  • yes
Multicast Traceroute Response(7)
mtrace_route
boolean
    Choices:
  • no
  • yes
Multicast Traceroute(8)
pim
boolean
    Choices:
  • no
  • yes
Protocol Independent Multicast(3)
trace
boolean
    Choices:
  • no
  • yes
Multicast trace(4)
v1host_report
boolean
    Choices:
  • no
  • yes
IGMPv1 Membership Report(1)
v2host_report
boolean
    Choices:
  • no
  • yes
IGMPv2 Membership Report(5)
v2leave_group
boolean
    Choices:
  • no
  • yes
IGMPv2 Leave Group(6)
v3host_report
boolean
    Choices:
  • no
  • yes
IGMPv3 Membership Report(9)
ip
boolean
    Choices:
  • no
  • yes
Any Internet Protocol.
ipinip
boolean
    Choices:
  • no
  • yes
IP in IP tunneling.
ipv6
boolean
    Choices:
  • no
  • yes
Any IPv6.
nos
boolean
    Choices:
  • no
  • yes
KA9Q NOS compatible IP over IP tunneling.
ospf
boolean
    Choices:
  • no
  • yes
OSPF routing protocol.
pcp
boolean
    Choices:
  • no
  • yes
Payload Compression Protocol.
pim
boolean
    Choices:
  • no
  • yes
Protocol Independent Multicast.
protocol_number
integer
An IP protocol number
sctp
boolean
    Choices:
  • no
  • yes
Stream Control Transmission Protocol.
tcp
dictionary
Match TCP packet flags
ack
boolean
    Choices:
  • no
  • yes
Match on the ACK bit
established
boolean
    Choices:
  • no
  • yes
Match established connections
fin
boolean
    Choices:
  • no
  • yes
Match on the FIN bit
psh
boolean
    Choices:
  • no
  • yes
Match on the PSH bit
rst
boolean
    Choices:
  • no
  • yes
Match on the RST bit
syn
boolean
    Choices:
  • no
  • yes
Match on the SYN bit
urg
boolean
    Choices:
  • no
  • yes
Match on the URG bit
udp
boolean
    Choices:
  • no
  • yes
User Datagram Protocol.
sequence
integer
Sequence Number for the Access Control Entry(ACE).
Refer to vendor documentation for valid values.
source
dictionary
Specify the packet source.
address
string
Source network address.
any
boolean
    Choices:
  • no
  • yes
Match any source address.
host
string
A single source host
object_group
string
Source network object group
port_protocol
dictionary
Specify the source port along with protocol.
Note, Valid with TCP/UDP protocol_options
eq
string
Match only packets on a given port number.
gt
string
Match only packets with a greater port number.
lt
string
Match only packets with a lower port number.
neq
string
Match only packets not on a given port number.
range
dictionary
Port group.
end
integer
Specify the end of the port range.
start
integer
Specify the start of the port range.
wildcard_bits
string
Source wildcard bits, valid with IPV4 address.
time_range
string
Specify a time-range.
tos
dictionary
Match packets with given TOS value.
Note, DSCP and TOS are mutually exclusive
max_reliability
boolean
    Choices:
  • no
  • yes
Match packets with max reliable TOS (2).
max_throughput
boolean
    Choices:
  • no
  • yes
Match packets with max throughput TOS (4).
min_delay
boolean
    Choices:
  • no
  • yes
Match packets with min delay TOS (8).
min_monetary_cost
boolean
    Choices:
  • no
  • yes
Match packets with min monetary cost TOS (1).
normal
boolean
    Choices:
  • no
  • yes
Match packets with normal TOS (0).
service_value
integer
Type of service value
ttl
dictionary
Match packets with given TTL value.
eq
integer
Match only packets on a given TTL number.
gt
integer
Match only packets with a greater TTL number.
lt
integer
Match only packets with a lower TTL number.
neq
integer
Match only packets not on a given TTL number.
range
dictionary
Match only packets in the range of TTLs.
end
integer
Specify the end of the port range.
start
integer
Specify the start of the port range.
acl_type
string
    Choices:
  • extended
  • standard
ACL type
Note, it's mandatory and required for Named ACL, but for Numbered ACL it's not mandatory.
name
string / required
The name or the number of the ACL.
afi
string / required
    Choices:
  • ipv4
  • ipv6
The Address Family Indicator (AFI) for the Access Control Lists (ACL).
running_config
string
This option is used only with state parsed.
The value of this option should be the output received from the IOS device by executing the command sh access-list.
The state parsed reads the configuration from running_config option and transforms it into Ansible structured data as per the resource module's argspec and the value is then returned in the parsed key within the result.
state
string
    Choices:
  • merged
  • replaced
  • overridden
  • deleted
  • gathered
  • rendered
  • parsed
The state the configuration should be left in
The states merged is the default state which merges the want and have config, but for ACL module as the IOS platform doesn't allow update of ACE over an pre-existing ACE sequence in ACL, same way ACLs resource module will error out for respective scenario and only addition of new ACE over new sequence will be allowed with merge state.
The states rendered, gathered and parsed does not perform any change on the device.
The state rendered will transform the configuration in config option to platform specific CLI commands which will be returned in the rendered key within the result. For state rendered active connection to remote host is not required.
The state gathered will fetch the running configuration from device and transform it into structured data in the format as per the resource module argspec and the value is returned in the gathered key within the result.
The state parsed reads the configuration from running_config option and transforms it into JSON format as per the resource module parameters and the value is returned in the parsed key within the result. The value of running_config option should be the same format as the output of command show running-config | include ip route|ipv6 route executed on device. For state parsed active connection to remote host is not required.

Notes

Note

  • Tested against Cisco IOSv Version 15.2 on VIRL

Examples

# Using merged

# Before state:
# -------------
#
# vios#sh access-lists
# Extended IP access list 100
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10

- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: 100
        aces:
        - sequence: 10
          protocol_options:
            icmp:
              traceroute: true
    state: merged

# After state:
# ------------
#
# Play Execution fails, with error:
# Cannot update existing sequence 10 of ACLs 100 with state merged.
# Please use state replaced or overridden.

# Before state:
# -------------
#
# vios#sh access-lists
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10

- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: std_acl
        acl_type: standard
        aces:
        - grant: deny
          source:
            address: 192.168.1.200
        - grant: deny
          source:
            address: 192.168.2.0
            wildcard_bits: 0.0.0.255
      - name: 110
        aces:
        - sequence: 10
          protocol_options:
            icmp:
              traceroute: true
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            host: 198.51.100.0
          destination:
            host: 198.51.110.0
            port_protocol:
              eq: telnet
      - name: test
        acl_type: extended
        aces:
        - grant: deny
          protocol_options:
            tcp:
              fin: true
          source:
            address: 192.0.2.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          option:
            traceroute: true
          ttl:
            eq: 10
      - name: 123
        aces:
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 198.51.101.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          tos:
            service_value: 12
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.4.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          dscp: ef
          ttl:
            lt: 20
    - afi: ipv6
      acls:
      - name: R1_TRAFFIC
        aces:
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            any: true
            port_protocol:
              eq: www
          destination:
            any: true
            port_protocol:
              eq: telnet
          dscp: af11
    state: merged

# Commands fired:
# ---------------
#
# - ip access-list standard std_acl
# - deny 192.168.1.200
# - deny 192.168.2.0 0.0.0.255
# - ip access-list extended 110
# - 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# - deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - ip access-list extended test
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# - ip access-list extended 123
# - deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# - deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# - ipv6 access-list R1_TRAFFIC
# - deny tcp any eq www any eq telnet ack dscp af11

# After state:
# ------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 100
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10


# Using replaced

# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10


- name: Replaces device configuration of listed acls with provided configuration
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: 110
        aces:
        - grant: deny
          protocol_options:
            tcp:
              syn: true
          source:
            address: 192.0.2.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          dscp: ef
          ttl:
            eq: 10
      - name: 150
        aces:
        - grant: deny
          sequence: 20
          protocol_options:
            tcp:
              syn: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          destination:
            address: 198.51.110.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          dscp: ef
          ttl:
            eq: 10
    state: replaced

# Commands fired:
# ---------------
#
# - no ip access-list extended 110
# - ip access-list extended 110
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# - ip access-list extended 150
# - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10

# After state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list 150
#    20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10

# Using overridden

# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10

- name: Override device configuration of all acls with provided configuration
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: 110
        aces:
        - grant: deny
          sequence: 20
          protocol_options:
            tcp:
              ack: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          destination:
            address: 198.51.110.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          dscp: ef
          ttl:
            eq: 10
      - name: 150
        aces:
        - grant: deny
          sequence: 10
          protocol_options:
            tcp:
              syn: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          destination:
            address: 198.51.110.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          dscp: ef
          ttl:
            eq: 10
    state: overridden

# Commands fired:
# ---------------
#
# - no ip access-list standard std_acl
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list extended 150
# - no ip access-list extended test
# - no ipv6 access-list R1_TRAFFIC
# - ip access-list extended 150
# - 10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# - ip access-list extended 110
# - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10

# After state:
# -------------
#
# vios#sh access-lists
# Extended IP access list 110
#    20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
# Extended IP access list 150
#    10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10

# Using Deleted

# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10

- name: "Delete ACLs (Note: This won't delete the all configured ACLs)"
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: test
        acl_type: extended
      - name: 110
    - afi: ipv6
      acls:
      - name: R1_TRAFFIC
    state: deleted

# Commands fired:
# ---------------
#
# - no ip access-list extended test
# - no ip access-list extended 110
# - no ipv6 access-list R1_TRAFFIC

# After state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20

# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10

- name: "Delete ACLs based on AFI (Note: This won't delete the all configured ACLs)"
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
    state: deleted

# Commands fired:
# ---------------
#
# - no ip access-list standard std_acl
# - no ip access-list extended test
# - no ip access-list extended 110
# - no ip access-list extended 123

# After state:
# -------------
#
# vios#sh access-lists
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10

# Using Deleted without any config passed
#"(NOTE: This will delete all of configured ACLs)"

# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10

- name: 'Delete ALL of configured ACLs (Note: This WILL delete the all configured
    ACLs)'
  cisco.ios.ios_acls:
    state: deleted

# Commands fired:
# ---------------
#
# - no ip access-list extended test
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list extended test
# - no ipv6 access-list R1_TRAFFIC

# After state:
# -------------
#
# vios#sh access-lists

# Using Gathered

# Before state:
# -------------
#
# vios#sh access-lists
# Standard IP access list std_acl
#    10 deny   192.168.1.200
#    20 deny   192.168.2.0, wildcard bits 0.0.0.255
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
#    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# Extended IP access list 123
#    10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
#    20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Extended IP access list test
#    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# IPv6 access list R1_TRAFFIC
#    deny tcp any eq www any eq telnet ack dscp af11 sequence 10

- name: Gather listed acls with provided configurations
  cisco.ios.ios_acls:
    config:
    state: gathered

# Module Execution Result:
# ------------------------
#
# "gathered": [
#         {
#             "acls": [
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "address": "192.0.3.0",
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "dscp": "ef",
#                             "grant": "deny",
#                             "protocol_options": {
#                                 "icmp": {
#                                     "echo": true
#                                 }
#                             },
#                             "sequence": 10,
#                             "source": {
#                                 "address": "192.0.2.0",
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "ttl": {
#                                 "eq": 10
#                             }
#                         }
#                     ],
#                     "acl_type": "extended",
#                     "name": "110"
#                 },
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "address": "198.51.101.0",
#                                 "port_protocol": {
#                                     "eq": "telnet"
#                                 },
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "grant": "deny",
#                             "protocol_options": {
#                                 "tcp": {
#                                     "ack": true
#                                 }
#                             },
#                             "sequence": 10,
#                             "source": {
#                                 "address": "198.51.100.0",
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "tos": {
#                                 "service_value": 12
#                             }
#                         },
#                         {
#                             "destination": {
#                                 "address": "192.0.4.0",
#                                 "port_protocol": {
#                                     "eq": "www"
#                                 },
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "dscp": "ef",
#                             "grant": "deny",
#                             "protocol_options": {
#                                 "tcp": {
#                                     "ack": true
#                                 }
#                             },
#                             "sequence": 20,
#                             "source": {
#                                 "address": "192.0.3.0",
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "ttl": {
#                                 "lt": 20
#                             }
#                         }
#                     ],
#                     "acl_type": "extended",
#                     "name": "123"
#                 },
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "address": "192.0.3.0",
#                                 "port_protocol": {
#                                     "eq": "www"
#                                 },
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "grant": "deny",
#                             "option": {
#                                 "traceroute": true
#                             },
#                             "protocol_options": {
#                                 "tcp": {
#                                     "fin": true
#                                 }
#                             },
#                             "sequence": 10,
#                             "source": {
#                                 "address": "192.0.2.0",
#                                 "wildcard_bits": "0.0.0.255"
#                             },
#                             "ttl": {
#                                 "eq": 10
#                             }
#                         }
#                     ],
#                     "acl_type": "extended",
#                     "name": "test_acl"
#                 }
#             ],
#             "afi": "ipv4"
#         },
#         {
#             "acls": [
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "any": true,
#                                 "port_protocol": {
#                                     "eq": "telnet"
#                                 }
#                             },
#                             "dscp": "af11",
#                             "grant": "deny",
#                             "protocol_options": {
#                                 "tcp": {
#                                     "ack": true
#                                 }
#                             },
#                             "sequence": 10,
#                             "source": {
#                                 "any": true,
#                                 "port_protocol": {
#                                     "eq": "www"
#                                 }
#                             }
#                         }
#                     ],
#                     "name": "R1_TRAFFIC"
#                 }
#             ],
#             "afi": "ipv6"
#         }
#     ]

# Using Rendered

- name: Rendered the provided configuration with the existing running configuration
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: 110
        aces:
        - grant: deny
          sequence: 10
          protocol_options:
            tcp:
              syn: true
          source:
            address: 192.0.2.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          dscp: ef
          ttl:
            eq: 10
      - name: 150
        aces:
        - grant: deny
          protocol_options:
            tcp:
              syn: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          destination:
            address: 198.51.110.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          dscp: ef
          ttl:
            eq: 10
    state: rendered

# Module Execution Result:
# ------------------------
#
# "rendered": [
#         "ip access-list extended 110",
#         "10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10",
#         "ip access-list extended 150",
#         "deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10"
#     ]

# Using Parsed

# File: parsed.cfg
# ----------------
#
# IPv6 access-list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11

- name: Parse the commands for provided configuration
  cisco.ios.ios_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed

# Module Execution Result:
# ------------------------
#
# "parsed": [
#         {
#             "acls": [
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "any": true,
#                                 "port_protocol": {
#                                     "eq": "telnet"
#                                 }
#                             },
#                             "dscp": "af11",
#                             "grant": "deny",
#                             "protocol_options": {
#                                 "tcp": {
#                                     "ack": true
#                                 }
#                             },
#                             "source": {
#                                 "any": true,
#                                 "port_protocol": {
#                                     "eq": "www"
#                                 }
#                             }
#                         }
#                     ],
#                     "name": "R1_TRAFFIC"
#                 }
#             ],
#             "afi": "ipv6"
#         }
#     ]

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
after
list / elements=string
when changed
The configuration as structured data after module completion.

Sample:
The configuration returned will always be in the same format of the parameters above.
before
list / elements=string
always
The configuration as structured data prior to module invocation.

Sample:
The configuration returned will always be in the same format of the parameters above.
commands
list / elements=string
always
The set of commands pushed to the remote device

Sample:
['ip access-list extended 110', 'deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10']


Authors

  • Sumit Jaiswal (@justjais)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/cisco/ios/ios_acls_module.html