arista.eos.eos_acls_module.rst

File metadata and controls

3278 lines (3196 loc) · 136 KB

arista.eos.eos_acls

ACLs resource module

Version added: 1.0.0

  • This module manages the IP access-list attributes of Arista EOS interfaces.
Parameter Choices/Defaults Comments
config
list / elements=dictionary
A dictionary of IP access-list options
acls
list / elements=dictionary
A list of Access Control Lists (ACL).
aces
list / elements=dictionary
The access control entries (ACEs) that make up the list.
destination
dictionary
The packet's destination address
address
string
dotted decimal notation of IP address
any
boolean
    Choices:
  • no
  • yes
Rule matches all destination addresses
host
string
Host IP address
port_protocol
dictionary
Specify the destination port/protocol together with an operator such as eq; applies to tcp/udp.
subnet_address
string
A subnet address
wildcard_bits
string
Destination wildcard bits
fragment_rules
boolean
    Choices:
  • no
  • yes
Add fragment rules
fragments
boolean
    Choices:
  • no
  • yes
Match non-head fragment packets
grant
string
    Choices:
  • permit
  • deny
Action to be applied on the rule
hop_limit
dictionary
Hop limit value.
line
string
For fact gathering, any ACE that is not fully parsed will show up as the value of this attribute.

aliases: ace
log
boolean
    Choices:
  • no
  • yes
Log matches against this rule
protocol
string
Specify the protocol to match.
Refer to vendor documentation for valid values.
protocol_options
dictionary
All the possible sub options for the protocol chosen.
icmp
dictionary
Internet Control Message Protocol settings.
administratively_prohibited
boolean
    Choices:
  • no
  • yes
Administratively prohibited
alternate_address
boolean
    Choices:
  • no
  • yes
Alternate address
conversion_error
boolean
    Choices:
  • no
  • yes
Datagram conversion
dod_host_prohibited
boolean
    Choices:
  • no
  • yes
Host prohibited
dod_net_prohibited
boolean
    Choices:
  • no
  • yes
Net prohibited
echo
boolean
    Choices:
  • no
  • yes
Echo (ping)
echo_reply
boolean
    Choices:
  • no
  • yes
Echo reply
general_parameter_problem
boolean
    Choices:
  • no
  • yes
Parameter problem
host_isolated
boolean
    Choices:
  • no
  • yes
Host isolated
host_precedence_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable for precedence
host_redirect
boolean
    Choices:
  • no
  • yes
Host redirect
host_tos_redirect
boolean
    Choices:
  • no
  • yes
Host redirect for TOS
host_tos_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable for TOS
host_unknown
boolean
    Choices:
  • no
  • yes
Host unknown
host_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable
information_reply
boolean
    Choices:
  • no
  • yes
Information replies
information_request
boolean
    Choices:
  • no
  • yes
Information requests
mask_reply
boolean
    Choices:
  • no
  • yes
Mask replies
mask_request
boolean
    Choices:
  • no
  • yes
Mask requests
message_code
integer
ICMP message code
message_num
integer
icmp msg type number.
message_type
integer
ICMP message type
mobile_redirect
boolean
    Choices:
  • no
  • yes
Mobile host redirect
net_redirect
boolean
    Choices:
  • no
  • yes
Network redirect
net_tos_redirect
boolean
    Choices:
  • no
  • yes
Net redirect for TOS
net_tos_unreachable
boolean
    Choices:
  • no
  • yes
Network unreachable for TOS
net_unreachable
boolean
    Choices:
  • no
  • yes
Net unreachable
network_unknown
boolean
    Choices:
  • no
  • yes
Network unknown
no_room_for_option
boolean
    Choices:
  • no
  • yes
Parameter required but no room
option_missing
boolean
    Choices:
  • no
  • yes
Parameter required but not present
packet_too_big
boolean
    Choices:
  • no
  • yes
Fragmentation needed and DF set
parameter_problem
boolean
    Choices:
  • no
  • yes
All parameter problems
port_unreachable
boolean
    Choices:
  • no
  • yes
Port unreachable
precedence_unreachable
boolean
    Choices:
  • no
  • yes
Precedence cutoff
protocol_unreachable
boolean
    Choices:
  • no
  • yes
Protocol unreachable
reassembly_timeout
boolean
    Choices:
  • no
  • yes
Reassembly timeout
redirect
boolean
    Choices:
  • no
  • yes
All redirects
router_advertisement
boolean
    Choices:
  • no
  • yes
Router discovery advertisements
router_solicitation
boolean
    Choices:
  • no
  • yes
Router discovery solicitations
source_quench
boolean
    Choices:
  • no
  • yes
Source quenches
source_route_failed
boolean
    Choices:
  • no
  • yes
Source route failed
time_exceeded
boolean
    Choices:
  • no
  • yes
All time exceededs
timestamp_reply
boolean
    Choices:
  • no
  • yes
Timestamp replies
timestamp_request
boolean
    Choices:
  • no
  • yes
Timestamp requests
traceroute
boolean
    Choices:
  • no
  • yes
Traceroute
ttl_exceeded
boolean
    Choices:
  • no
  • yes
TTL exceeded
unreachable
boolean
    Choices:
  • no
  • yes
All unreachables
icmpv6
dictionary
Options for icmpv6.
address_unreachable
boolean
    Choices:
  • no
  • yes
address unreachable
beyond_scope
boolean
    Choices:
  • no
  • yes
beyond_scope
echo_reply
boolean
    Choices:
  • no
  • yes
echo_reply
echo_request
boolean
    Choices:
  • no
  • yes
echo request
erroneous_header
boolean
    Choices:
  • no
  • yes
erroneous header
fragment_reassembly_exceeded
boolean
    Choices:
  • no
  • yes
fragment_reassembly_exceeded
hop_limit_exceeded
boolean
    Choices:
  • no
  • yes
hop limit exceeded
neighbor_advertisement
boolean
    Choices:
  • no
  • yes
neighbor advertisement
neighbor_solicitation
boolean
    Choices:
  • no
  • yes
neighbor_solicitation
no_admin
boolean
    Choices:
  • no
  • yes
no admin
no_route
boolean
    Choices:
  • no
  • yes
no route
packet_too_big
boolean
    Choices:
  • no
  • yes
packet too big
parameter_problem
boolean
    Choices:
  • no
  • yes
parameter problem
port_unreachable
boolean
    Choices:
  • no
  • yes
port unreachable
redirect_message
boolean
    Choices:
  • no
  • yes
redirect message
reject_route
boolean
    Choices:
  • no
  • yes
reject route
router_advertisement
boolean
    Choices:
  • no
  • yes
router_advertisement
router_solicitation
boolean
    Choices:
  • no
  • yes
router_solicitation
source_address_failed
boolean
    Choices:
  • no
  • yes
source_address_failed
source_routing_error
boolean
    Choices:
  • no
  • yes
source_routing_error
time_exceeded
boolean
    Choices:
  • no
  • yes
time_exceeded
unreachable
boolean
    Choices:
  • no
  • yes
unreachable
unrecognized_ipv6_option
boolean
    Choices:
  • no
  • yes
unrecognized_ipv6_option
unrecognized_next_header
boolean
    Choices:
  • no
  • yes
unrecognized_next_header
ip
dictionary
Internet Protocol.
nexthop_group
string
Nexthop-group name.
ipv6
dictionary
Internet V6 Protocol.
nexthop_group
string
Nexthop-group name.
tcp
dictionary
Options for tcp protocol.
flags
dictionary
Match TCP packet flags
ack
boolean
    Choices:
  • no
  • yes
Match on the ACK bit
established
boolean
    Choices:
  • no
  • yes
Match established connections
fin
boolean
    Choices:
  • no
  • yes
Match on the FIN bit
psh
boolean
    Choices:
  • no
  • yes
Match on the PSH bit
rst
boolean
    Choices:
  • no
  • yes
Match on the RST bit
syn
boolean
    Choices:
  • no
  • yes
Match on the SYN bit
urg
boolean
    Choices:
  • no
  • yes
Match on the URG bit
remark
string
Specify a comment
sequence
integer
sequence number for the ordered list of rules
source
dictionary
The packet's source address
address
string
dotted decimal notation of IP address
any
boolean
    Choices:
  • no
  • yes
Rule matches all source addresses
host
string
Host IP address
port_protocol
dictionary
Specify the source port/protocol together with an operator such as eq; applies to tcp/udp.
subnet_address
string
A subnet address
wildcard_bits
string
Source wildcard bits
tracked
boolean
    Choices:
  • no
  • yes
Match packets in existing ICMP/UDP/TCP connections
ttl
dictionary
Compares the TTL (time-to-live) value in the packet to a specified value
eq
integer
Match a single TTL value
gt
integer
Match TTL greater than this number
lt
integer
Match TTL lesser than this number
neq
integer
Match TTL not equal to this value
vlan
string
VLAN match options (VLAN id and mask, for example "55 0xE2")
name
string / required
Name of the access-list
standard
boolean
    Choices:
  • no
  • yes
Whether this is a standard access-list (matching on source addresses only)
afi
string / required
    Choices:
  • ipv4
  • ipv6
The Address Family Indicator (AFI) for the Access Control Lists (ACL).
running_config
string
This option is used only with state parsed.
The value of this option should be the output received from the EOS device by executing the command show running-config | section access-list.
The state parsed reads the configuration from the running_config option and transforms it into Ansible structured data as per the resource module's argspec; the result is returned in the parsed key of the module result.
state
string
    Choices:
  • deleted
  • merged (default)
  • overridden
  • replaced
  • gathered
  • rendered
  • parsed
The state the configuration should be left in.

Note

  • Tested against Arista EOS 4.24.6F
# Using merged

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge provided configuration with device configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: deny
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: merged

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

# Using merged

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Merge to update the given configuration with an existing ace
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                log: true
                ttl:
                  eq: 33
    state: merged

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    35 deny ospf 20.0.0.0/8 any ttl eq 33 log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

# Using replaced

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Replace device configuration with provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: permit
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: replaced

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

# Using overridden

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# !
# ip access-list test3
#    10 permit ip 35.33.0.0/16 any log
# !
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20


- name: Override device configuration with the provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: permit
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
    state: overridden

# After state:
# ------------
#
# show running-config | section access-list
# ip access-list test1
#    35 permit ospf 20.0.0.0/8 any
# !

# Using deleted:

# Before state:
# -------------
# show running-config | section access-list
# ip access-list test1
#    10 permit ip 10.10.10.0/24 any ttl eq 200
#    20 permit ip 10.30.10.0/24 host 10.20.10.1
#    30 deny tcp host 10.10.20.1 eq finger www any syn log
#    40 permit ip any any
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20

- name: Delete provided configuration
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
    state: deleted

# After state:
# ------------
#
# show running-config | section access-list
# ipv6 access-list test2
#     10 deny icmpv6 any any reject-route hop-limit eq 20


# using gathered

# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ipv6 access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log

- name: Gather the existing configuration
  arista.eos.eos_acls:
    state: gathered

# returns:

#  arista.eos.eos_acls:
#    config:
#      - afi: "ipv4"
#        acls:
#          - name: test1
#            aces:
#            - sequence: 35
#              grant: "deny"
#              protocol: "ospf"
#              source:
#                subnet_address: 20.0.0.0/8
#              destination:
#                any: true
#      - afi: "ipv6"
#        acls:
#          - name: test2
#            aces:
#              - sequence: 40
#                grant: "permit"
#                vlan: "55 0xE2"
#                protocol: "icmpv6"
#                log: true
#                source:
#                  any: true
#                destination:
#                  any: true

# using rendered

- name: Render the provided configuration into device commands
  arista.eos.eos_acls:
    config:
      - afi: ipv4
        acls:
          - name: test1
            aces:
              - sequence: 35
                grant: deny
                protocol: ospf
                source:
                  subnet_address: 20.0.0.0/8
                destination:
                  any: true
      - afi: ipv6
        acls:
          - name: test2
            aces:
              - sequence: 40
                grant: permit
                vlan: 55 0xE2
                protocol: icmpv6
                log: true
                source:
                  any: true
                destination:
                  any: true
    state: rendered

# returns:

# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
# ipv6 access-list test2
#    40 permit vlan 55 0xE2 icmpv6 any any log

# Using Parsed

# parsed_acls.cfg

# ipv6 access-list standard test2
#    10 permit any log
# !
# ip access-list test1
#    35 deny ospf 20.0.0.0/8 any
#    45 remark Run by ansible
#    55 permit tcp any any
# !

- name: parse configs
  arista.eos.eos_acls:
    running_config: "{{ lookup('file', './parsed_acls.cfg') }}"
    state: parsed

# returns
# "parsed": [
#         {
#             "acls": [
#                 {
#                     "aces": [
#                         {
#                             "destination": {
#                                 "any": true
#                             },
#                             "grant": "deny",
#                             "protocol": "ospf",
#                             "sequence": 35,
#                             "source": {
#                                 "subnet_address": "20.0.0.0/8"
#                             }
#                         },
#                         {
#                             "remark": "Run by ansible",
#                             "sequence": 45
#                         },
#                         {
#                             "destination": {
#                                 "any": true
#                             },
#                             "grant": "permit",
#                             "protocol": "tcp",
#                             "sequence": 55,
#                             "source": {
#                                 "any": true
#                             }
#                         }
#                     ],
#                     "name": "test1"
#                 }
#             ],
#             "afi": "ipv4"
#         },
#         {
#             "acls": [
#                 {
#                     "aces": [
#                         {
#                             "grant": "permit",
#                             "log": true,
#                             "sequence": 10,
#                             "source": {
#                                 "any": true
#                             }
#                         }
#                     ],
#                     "name": "test2",
#                     "standard": true
#                 }
#             ],
#             "afi": "ipv6"
#         }
#     ]
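The running_config/parsed description above and the replaced, overridden and deleted examples earlier on this page both come down to one thing: the module turns `show running-config | section access-list` text into the argspec structure, then decides what to remove from the device by comparing that structure with the config you supply. The Python below is an added example, not code from the arista.eos collection: a small parser for the ACL constructs shown on this page (anything it cannot fully decode is kept verbatim under `line`, emulating the `line` attribute described in the parameter table), a `planned_removals` pre-flight check that lists which ACEs or whole ACLs a given state would drop (so you see, before running `state: replaced`, that sequences 10-40 of test1, including `permit ip any any`, will vanish), and a `catch_all_permits` audit. The function names are this example's own; the deleted-with-no-config behaviour in `planned_removals` is an assumption, and the sample configuration is constructed from the before state shown under "Using replaced".

```python
# Added example (not arista.eos code): parse EOS ACL config into the eos_acls
# argspec shape, preview what a state would remove, and flag catch-all permits.
import re

ACL_HEADER = re.compile(r"^(ip|ipv6) access-list (standard )?(\S+)$")
ACE_LINE = re.compile(r"^(\d+) (.+)$")
IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")
PORT_OPS = ("eq", "neq", "lt", "gt", "range")
TCP_FLAGS = ("ack", "established", "fin", "psh", "rst", "syn", "urg")
STOP = set(TCP_FLAGS) | {"log", "tracked", "ttl", "fragments", "hop-limit"}

def _addr(tok, i):
    """Consume one address spec at tok[i]; return (argspec dict, next index)."""
    if tok[i] == "any":
        return {"any": True}, i + 1
    if tok[i] == "host":
        return {"host": tok[i + 1]}, i + 2
    if "/" in tok[i]:
        return {"subnet_address": tok[i]}, i + 1
    raise ValueError(tok[i])

def _ports(tok, i):
    """Consume an optional port clause such as 'eq finger www' (ports may span tokens)."""
    if i >= len(tok) or tok[i] not in PORT_OPS:
        return None, i
    j = i + 1
    while j < len(tok) and tok[j] not in STOP and not (
            tok[j] in ("any", "host") or "/" in tok[j] or IPV4.match(tok[j])):
        j += 1
    return {tok[i]: " ".join(tok[i + 1:j])}, j

def _ace(seq, body, standard):
    tok = body.split()
    if tok[0] == "remark":
        return {"sequence": seq, "remark": " ".join(tok[1:])}
    ace, i = {"sequence": seq, "grant": tok[0]}, 1
    try:
        if standard:  # standard lists match on source only
            ace["source"], i = _addr(tok, i)
        else:
            if tok[i] == "vlan":  # e.g. '40 permit vlan 55 0xE2 icmpv6 any any log'
                ace["vlan"], i = tok[i + 1] + " " + tok[i + 2], i + 3
            ace["protocol"], i = tok[i], i + 1
            for side in ("source", "destination"):
                ace[side], i = _addr(tok, i)
                ports, i = _ports(tok, i)
                if ports:
                    ace[side]["port_protocol"] = ports
        while i < len(tok):
            t = tok[i]
            if t in ("log", "tracked"):
                ace[t], i = True, i + 1
            elif t == "ttl" and tok[i + 1] in ("eq", "gt", "lt", "neq"):
                ace["ttl"], i = {tok[i + 1]: int(tok[i + 2])}, i + 3
            elif t in TCP_FLAGS and ace.get("protocol") == "tcp":
                opts = ace.setdefault("protocol_options", {"tcp": {"flags": {}}})
                opts["tcp"]["flags"][t], i = True, i + 1
            else:
                raise ValueError(t)
    except (ValueError, IndexError):
        # Not fully parsed: keep the raw text, as the module's ``line`` attribute does.
        return {"sequence": seq, "line": body}
    return ace

def parse_acls(text):
    """Group ACLs by AFI, IPv4 first, the way the module reports them."""
    by_afi, cur = {"ipv4": [], "ipv6": []}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ACL_HEADER.match(line):
            cur = {"name": m.group(3), "aces": []}
            if m.group(2):
                cur["standard"] = True
            by_afi["ipv4" if m.group(1) == "ip" else "ipv6"].append(cur)
        elif (m := ACE_LINE.match(line)) and cur is not None:
            cur["aces"].append(_ace(int(m.group(1)), m.group(2), "standard" in cur))
    return [{"afi": afi, "acls": acls} for afi, acls in by_afi.items() if acls]

def planned_removals(before, desired, state):
    """(afi, acl, sequence) that ``state`` would remove; sequence None means the whole ACL.
    Mirrors this page's examples; 'deleted' with no config removing every ACL is assumed."""
    have = {(e["afi"], a["name"]): a for e in before for a in e["acls"]}
    want = {(e["afi"], a["name"]): a for e in desired for a in e["acls"]}
    gone = []
    for key, acl in have.items():
        if state == "deleted" and (key in want or not want):
            gone.append(key + (None,))
        elif state in ("replaced", "overridden") and key in want:
            keep = {x["sequence"] for x in want[key].get("aces", [])}
            gone += [key + (x["sequence"],) for x in acl["aces"] if x["sequence"] not in keep]
        elif state == "overridden":
            gone.append(key + (None,))
    return gone

def catch_all_permits(parsed):
    """Entries that permit everything: 'permit ip/ipv6 any any', or a standard 'permit any'."""
    return [(e["afi"], a["name"], x["sequence"]) for e in parsed for a in e["acls"] for x in a["aces"]
            if x.get("grant") == "permit" and x.get("source", {}).get("any")
            and (a.get("standard") or x.get("protocol") in ("ip", "ipv6") and x.get("destination", {}).get("any"))]

# Constructed sample: the 'replaced' before state from this page, and the desired config from that task.
BEFORE_CFG = """ip access-list test1
   10 permit ip 10.10.10.0/24 any ttl eq 200
   20 permit ip 10.30.10.0/24 host 10.20.10.1
   30 deny tcp host 10.10.20.1 eq finger www any syn log
   40 permit ip any any
!
ipv6 access-list test2
    10 deny icmpv6 any any reject-route hop-limit eq 20
"""
DESIRED = [{"afi": "ipv4", "acls": [{"name": "test1", "aces": [{"sequence": 35, "grant": "permit",
            "protocol": "ospf", "source": {"subnet_address": "20.0.0.0/8"}, "destination": {"any": True}}]}]}]
```

Feed `parse_acls(BEFORE_CFG)` and `DESIRED` to `planned_removals` with `"replaced"` and it reports sequences 10, 20, 30 and 40 of test1; with `"overridden"` it additionally reports the whole ipv6 list test2, which is exactly the difference between the two "After state" blocks above. Note that the icmpv6 entry with `reject-route hop-limit eq 20` is not decoded by this parser and comes back as `{"sequence": 10, "line": ...}`, the same shape the module documents for ACEs it does not fully parse; the structured fields of such an entry are unavailable for the audit, so treat a `line` value as a prompt to inspect that rule by hand.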

Common return values are documented here; the following fields are unique to this module:

Key Returned Description
after
list
when changed
The resulting configuration after the module ran.

Sample:
The configuration returned is always in the same format as the config parameter above.
before
list
always
The configuration prior to the module run.

Sample:
The configuration returned is always in the same format as the config parameter above.
commands
list
always
The set of commands pushed to the remote device.

Sample:
['ipv6 access-list standard test2', '10 permit any log', 'ip access-list test1', '35 deny ospf 20.0.0.0/8 any', '45 remark Run by ansible', '55 permit tcp any any']


Authors

  • Gomathiselvi S (@GomathiselviS)