cisco.nxos.nxos_acl_interfaces – ACL interfaces resource module
Note
This plugin is part of the cisco.nxos collection (version 1.3.1).
To install it use: ansible-galaxy collection install cisco.nxos.
To use it in a playbook, specify: cisco.nxos.nxos_acl_interfaces.
New in version 1.0.0 of cisco.nxos
Synopsis
- Add and remove Access Control Lists on interfaces on the NX-OS platform.
Note
This module has a corresponding action plugin.
Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| `config` list / elements=dictionary | | A list of interfaces to be configured with ACLs |
| `config.access_groups` list / elements=dictionary | | List of address family indicators with ACLs to be configured on the interface |
| `config.access_groups.acls` list / elements=dictionary | | List of Access Control Lists for the interface |
| `config.access_groups.acls.direction` string / required | | Direction to be applied for the ACL |
| `config.access_groups.acls.name` string / required | | Name of the ACL to be added/removed |
| `config.access_groups.acls.port` boolean | | Use ACL as port policy. |
| `config.access_groups.afi` string / required | | Address Family Indicator of the ACLs to be configured |
| `config.name` string / required | | Name of the interface |
| `running_config` string | | This option is used only with state `parsed`. The value of this option should be the output received from the NX-OS device by executing the command `show running-config \| section '^interface'`. The state `parsed` reads the configuration from the `running_config` option and transforms it into Ansible structured data as per the resource module's argspec, and the value is then returned in the `parsed` key within the result. |
| `state` string | | The state the configuration should be left in |
Notes
- Tested against NX-OS 7.3.(0)D1(1) on VIRL
 
Examples
# Using merged
# Before state:
# ------------
#
- name: Merge ACL interfaces configuration
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Ethernet1/2
      access_groups:
      - afi: ipv6
        acls:
        - name: ACL1v6
          direction: in
    - name: Eth1/5
      access_groups:
      - afi: ipv4
        acls:
        - name: PortACL
          direction: in
          port: true
        - name: ACL1v4
          direction: out
      - afi: ipv6
        acls:
        - name: ACL1v6
          direction: in
    state: merged
# After state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in
# Using replaced
# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in
- name: Replace interface configuration with given configuration
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Eth1/5
      access_groups:
      - afi: ipv4
        acls:
        - name: NewACLv4
          direction: out
    - name: Ethernet1/3
      access_groups:
      - afi: ipv6
        acls:
        - name: NewACLv6
          direction: in
          port: true
    state: replaced
# After state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/3
#   ipv6 port traffic-filter NewACLv6 in
# interface Ethernet1/5
#   ip access-group NewACLv4 out
# Using overridden
# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in
- name: Override interface configuration with given configuration
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Ethernet1/3
      access_groups:
      - afi: ipv4
        acls:
        - name: ACL1v4
          direction: out
        - name: PortACL
          port: true
          direction: in
      - afi: ipv6
        acls:
        - name: NewACLv6
          direction: in
          port: true
    state: overridden
# After state:
# ------------
# interface Ethernet1/3
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in
#   ipv6 port traffic-filter NewACLv6 in
# Using deleted to remove ACL config from specified interfaces
# Before state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in
- name: Delete ACL configuration on interfaces
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Ethernet1/5
    - name: Ethernet1/2
    state: deleted
# After state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
# interface Ethernet1/5
# Using deleted to remove ACL config from all interfaces
# Before state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in
- name: Delete ACL configuration from all interfaces
  cisco.nxos.nxos_acl_interfaces:
    state: deleted
# After state:
# -------------
# interface Ethernet1/1
# interface Ethernet1/2
# interface Ethernet1/5
# Using parsed
- name: Parse given configuration into structured format
  cisco.nxos.nxos_acl_interfaces:
    running_config: |
      interface Ethernet1/2
      ipv6 traffic-filter ACL1v6 in
      interface Ethernet1/5
      ipv6 traffic-filter ACL1v6 in
      ip access-group ACL1v4 out
      ip port access-group PortACL in
    state: parsed
# returns
# parsed:
#   - name: Ethernet1/2
#     access_groups:
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in
#   - name: Ethernet1/5
#     access_groups:
#       - afi: ipv4
#         acls:
#           - name: PortACL
#             direction: in
#             port: True
#           - name: ACL1v4
#             direction: out
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in
# Using gathered:
# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ipv6 traffic-filter ACL1v6 in
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in
- name: Gather existing configuration from device
  cisco.nxos.nxos_acl_interfaces:
    config:
    state: gathered
# returns
# gathered:
#   - name: Ethernet1/2
#     access_groups:
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in
#   - name: Ethernet1/5
#     access_groups:
#       - afi: ipv4
#         acls:
#           - name: PortACL
#             direction: in
#             port: True
#           - name: ACL1v4
#             direction: out
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in
# Using rendered
- name: Render required configuration to be pushed to the device
  cisco.nxos.nxos_acl_interfaces:
    config:
    - name: Ethernet1/2
      access_groups:
      - afi: ipv6
        acls:
        - name: ACL1v6
          direction: in
    - name: Ethernet1/5
      access_groups:
      - afi: ipv4
        acls:
        - name: PortACL
          direction: in
          port: true
        - name: ACL1v4
          direction: out
      - afi: ipv6
        acls:
        - name: ACL1v6
          direction: in
    state: rendered
# returns
# rendered:
#   interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
#   interface Ethernet1/5
#   ipv6 traffic-filter ACL1v6 in
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in
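The before/after states above show that `replaced` rewrites only the interfaces it lists, while `overridden` and `deleted` can strip ACLs from interfaces the task never names. The Python below is an added example, not code from the cisco.nxos collection: it takes the structured model this module returns and lists the ACL bindings a change would remove, so the result can be reviewed before the task runs. The helper names `bindings` and `removed_bindings` are hypothetical, the state semantics are inferred from this page's examples, and `deleted` is modeled only for the two forms shown here (interface names only, or no `config`).

```python
# Added example: model which ACL bindings each state would remove.
# Semantics are inferred from the before/after examples on this page.
def bindings(model):
    """Flatten the module's config model into a set of binding tuples."""
    out = set()
    for intf in model or []:
        for group in intf.get("access_groups") or []:
            for acl in group.get("acls") or []:
                out.add((intf["name"], group["afi"], acl["name"],
                         acl["direction"], bool(acl.get("port", False))))
    return out


def removed_bindings(before, config, state):
    """Return the bindings present in `before` that `state` would strip."""
    have, want = bindings(before), bindings(config)
    listed = {intf["name"] for intf in config or []}
    if state in ("merged", "gathered", "parsed", "rendered"):
        return set()                      # these states add or read only
    if state == "replaced":               # only listed interfaces are rewritten
        return {b for b in have if b[0] in listed} - want
    if state == "overridden":             # unlisted interfaces are cleared too
        return have - want
    if state == "deleted":                # no config means every interface
        return {b for b in have if not listed or b[0] in listed}
    raise ValueError("unknown state: %s" % state)


# Constructed sample: the "Before state" used in the examples above.
BEFORE = [
    {"name": "Ethernet1/2", "access_groups": [
        {"afi": "ipv6", "acls": [{"name": "ACL1v6", "direction": "in"}]}]},
    {"name": "Ethernet1/5", "access_groups": [
        {"afi": "ipv4", "acls": [
            {"name": "PortACL", "direction": "in", "port": True},
            {"name": "ACL1v4", "direction": "out"}]},
        {"afi": "ipv6", "acls": [{"name": "ACL1v6", "direction": "in"}]}]},
]
# Desired config taken from the "Using overridden" example.
DESIRED = [{"name": "Ethernet1/3", "access_groups": [
    {"afi": "ipv4", "acls": [{"name": "ACL1v4", "direction": "out"},
                             {"name": "PortACL", "direction": "in", "port": True}]},
    {"afi": "ipv6", "acls": [{"name": "NewACLv6", "direction": "in", "port": True}]}]}]

if __name__ == "__main__":
    for state in ("merged", "replaced", "overridden"):
        lost = removed_bindings(BEFORE, DESIRED, state)
        print(state, "removes", len(lost), "binding(s):", sorted(lost))
```

Feed `before` from a `state: gathered` run and fail the pipeline when the returned set contains an interface that is expected to stay filtered.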
Return Values
Common return values are documented in the Ansible documentation; the following are the fields unique to this module:
| Key | Returned | Description | 
|---|---|---|
|   after    dictionary    |  when changed |   The resulting configuration model invocation.  Sample:  The configuration returned will always be in the same format of the parameters above.   |  
|   before    dictionary    |  always |   The configuration prior to the model invocation.  Sample:  The configuration returned will always be in the same format of the parameters above.   |  
|   commands    list / elements=string    |  always |   The set of commands pushed to the remote device.  Sample:  ['interface Ethernet1/2', 'ipv6 traffic-filter ACL1v6 out', 'ip port access-group PortACL in']   |  
Authors
- Adharsh Srivats Rangarajan (@adharshsrivatsr)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/cisco/nxos/nxos_acl_interfaces_module.html