Skip to content

Latest commit

 

History

History
610 lines (538 loc) · 20.1 KB

cisco.nxos.nxos_acl_interfaces_module.rst

File metadata and controls

610 lines (538 loc) · 20.1 KB
Raw

cisco.nxos.nxos_acl_interfaces

ACL interfaces resource module

Version added: 1.0.0

Synopsis

  • Add and remove Access Control Lists on interfaces in NX-OS platform

Parameters

Parameter Choices/Defaults Comments
config
list / elements=dictionary
A list of interfaces to be configured with ACLs
access_groups
list / elements=dictionary
List of address family indicators with ACLs to be configured on the interface
acls
list / elements=dictionary
List of Access Control Lists for the interface
direction
string / required
    Choices:
  • in
  • out
Direction to be applied for the ACL
name
string / required
Name of the ACL to be added/removed
port
boolean
    Choices:
  • no
  • yes
Use ACL as port policy.
afi
string / required
    Choices:
  • ipv4
  • ipv6
Address Family Indicator of the ACLs to be configured
name
string / required
Name of the interface
running_config
string
This option is used only with state parsed.
The value of this option should be the output received from the NX-OS device by executing the command show running-config | section '^interface'.
The state parsed reads the configuration from running_config option and transforms it into Ansible structured data as per the resource module's argspec and the value is then returned in the parsed key within the result.
state
string
    Choices:
  • deleted
  • gathered
  • merged ←
  • overridden
  • rendered
  • replaced
  • parsed
The state the configuration should be left in

Notes

Note

  • Tested against NX-OS 7.3.(0)D1(1) on VIRL
  • Unsupported for Cisco MDS

Examples

# Using merged

# Before state:
# ------------
#

- name: Merge ACL interfaces configuration
  cisco.nxos.nxos_acl_interfaces:
    config:
      - name: Ethernet1/2
        access_groups:
          - afi: ipv6
            acls:
              - name: ACL1v6
                direction: in

      - name: Eth1/5
        access_groups:
          - afi: ipv4
            acls:
              - name: PortACL
                direction: in
                port: true

              - name: ACL1v4
                direction: out

          - afi: ipv6
            acls:
              - name: ACL1v6
                direction: in
    state: merged

# After state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

# Using replaced

# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

- name: Replace interface configuration with given configuration
  cisco.nxos.nxos_acl_interfaces:
    config:
      - name: Eth1/5
        access_groups:
          - afi: ipv4
            acls:
              - name: NewACLv4
                direction: out

      - name: Ethernet1/3
        access_groups:
          - afi: ipv6
            acls:
              - name: NewACLv6
                direction: in
                port: true
    state: replaced

# After state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/3
#   ipv6 port traffic-filter NewACLv6 in
# interface Ethernet1/5
#   ip access-group NewACLv4 out

# Using overridden

# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

- name: Override interface configuration with given configuration
  cisco.nxos.nxos_acl_interfaces:
    config:
      - name: Ethernet1/3
        access_groups:
          - afi: ipv4
            acls:
              - name: ACL1v4
                direction: out

              - name: PortACL
                port: true
                direction: in
          - afi: ipv6
            acls:
              - name: NewACLv6
                direction: in
                port: true
    state: overridden

# After state:
# ------------
# interface Ethernet1/3
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in
#   ipv6 port traffic-filter NewACLv6 in

# Using deleted to remove ACL config from specified interfaces

# Before state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

- name: Delete ACL configuration on interfaces
  cisco.nxos.nxos_acl_interfaces:
    config:
      - name: Ethernet1/5
      - name: Ethernet1/2
    state: deleted

# After state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
# interface Ethernet1/5

# Using deleted to remove ACL config from all interfaces

# Before state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

- name: Delete ACL configuration from all interfaces
  cisco.nxos.nxos_acl_interfaces:
    state: deleted

# After state:
# -------------
# interface Ethernet1/1
# interface Ethernet1/2
# interface Ethernet1/5

# Using parsed

- name: Parse given configuration into structured format
  cisco.nxos.nxos_acl_interfaces:
    running_config: |
      interface Ethernet1/2
      ipv6 traffic-filter ACL1v6 in
      interface Ethernet1/5
      ipv6 traffic-filter ACL1v6 in
      ip access-group ACL1v4 out
      ip port access-group PortACL in
    state: parsed

# returns
# parsed:
#   - name: Ethernet1/2
#     access_groups:
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in
#  - name: Ethernet1/5
#    access_groups:
#      - afi: ipv4
#        acls:
#          - name: PortACL
#            direction: in
#            port: True
#          - name: ACL1v4
#            direction: out
#      - afi: ipv6
#        acls:
#          - name: ACL1v6
#             direction: in


# Using gathered:

# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ipv6 traffic-filter ACL1v6 in
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in

- name: Gather existing configuration from device
  cisco.nxos.nxos_acl_interfaces:
    config:
    state: gathered

# returns
# gathered:
#   - name: Ethernet1/2
#     access_groups:
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in
#  - name: Ethernet1/5
#    access_groups:
#      - afi: ipv4
#        acls:
#          - name: PortACL
#            direction: in
#            port: True
#          - name: ACL1v4
#            direction: out
#      - afi: ipv6
#        acls:
#          - name: ACL1v6
#             direction: in


# Using rendered

- name: Render required configuration to be pushed to the device
  cisco.nxos.nxos_acl_interfaces:
    config:
      - name: Ethernet1/2
        access_groups:
          - afi: ipv6
            acls:
              - name: ACL1v6
                direction: in
      - name: Ethernet1/5
        access_groups:
          - afi: ipv4
            acls:
              - name: PortACL
                direction: in
                port: true
              - name: ACL1v4
                direction: out
          - afi: ipv6
            acls:
              - name: ACL1v6
                direction: in
    state: rendered


# returns
# rendered:
#   interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
#   interface Ethernet1/5
#   ipv6 traffic-filter ACL1v6 in
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
after
dictionary
when changed
The resulting configuration model invocation.

Sample:
The configuration returned will always be in the same format of the parameters above.
before
dictionary
always
The configuration prior to the model invocation.

Sample:
The configuration returned will always be in the same format of the parameters above.
commands
list
always
The set of commands pushed to the remote device.

Sample:
['interface Ethernet1/2', 'ipv6 traffic-filter ACL1v6 out', 'ip port access-group PortACL in']


Status

Authors

  • Adharsh Srivats Rangarajan (@adharshsrivatsr)