dellemc.enterprise_sonic.sonic_l3_acls module – Manage Layer 3 access control lists (ACL) configurations on SONiC
Note
This module is part of the dellemc.enterprise_sonic collection (version 2.5.1).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic.
To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_l3_acls.
New in dellemc.enterprise_sonic 2.1.0
Synopsis
- This module provides configuration management of Layer 3 access control lists (ACL) in devices running SONiC.
Parameters
In the rows below, rules[] abbreviates config[].acls[].rules[]. Choice lists that did not survive extraction are noted as such.
Parameter | Comments |
---|---|
config list / elements=dictionary | Specifies Layer 3 ACL configurations. |
config[].acls list / elements=dictionary | List of ACL configurations for the given address family. |
config[].acls[].name string / required | Specifies the ACL name. |
config[].acls[].remark string | Specifies a remark for the ACL. |
config[].acls[].rules list / elements=dictionary | List of rules in the ACL. sequence_num, action, protocol, source and destination are required when adding a new rule. If state=deleted, options other than sequence_num are not considered. |
rules[].action string | Specifies the action taken on a matched packet. Choices: permit, deny. |
rules[].destination dictionary | Specifies the destination of the packet. any, host and prefix are mutually exclusive. |
rules[].destination.any boolean | Match any destination network address. Choices: false, true. |
rules[].destination.host string | Network address of a single destination host. |
rules[].destination.port_number dictionary | Specifies the destination port (valid only for TCP or UDP). Only one suboption can be specified for port_number in a rule. |
rules[].destination.port_number.eq integer | Match packets with destination port equal to the given port number. The range is from 0 to 65535. |
rules[].destination.port_number.gt integer | Match packets with destination port greater than the given port number. The range is from 0 to 65534. |
rules[].destination.port_number.lt integer | Match packets with destination port less than the given port number. The range is from 1 to 65535. |
rules[].destination.port_number.range dictionary | Match packets with destination port in the given range. begin and end are required together. |
rules[].destination.port_number.range.begin integer | Specifies the beginning of the port range. The range is from 0 to 65534. |
rules[].destination.port_number.range.end integer | Specifies the end of the port range. The range is from 1 to 65535. |
rules[].destination.prefix string | Destination network prefix in the format A.B.C.D/mask (IPv4) or A::B/mask (IPv6). |
rules[].dscp dictionary | Match packets using the DSCP value. Only one suboption can be specified for dscp in a rule. |
rules[].dscp.af11 boolean | Match packets with AF11 DSCP (001010, decimal 10). Choices: false, true. |
rules[].dscp.af12 boolean | Match packets with AF12 DSCP (001100, decimal 12). Choices: false, true. |
rules[].dscp.af13 boolean | Match packets with AF13 DSCP (001110, decimal 14). Choices: false, true. |
rules[].dscp.af21 boolean | Match packets with AF21 DSCP (010010, decimal 18). Choices: false, true. |
rules[].dscp.af22 boolean | Match packets with AF22 DSCP (010100, decimal 20). Choices: false, true. |
rules[].dscp.af23 boolean | Match packets with AF23 DSCP (010110, decimal 22). Choices: false, true. |
rules[].dscp.af31 boolean | Match packets with AF31 DSCP (011010, decimal 26). Choices: false, true. |
rules[].dscp.af32 boolean | Match packets with AF32 DSCP (011100, decimal 28). Choices: false, true. |
rules[].dscp.af33 boolean | Match packets with AF33 DSCP (011110, decimal 30). Choices: false, true. |
rules[].dscp.af41 boolean | Match packets with AF41 DSCP (100010, decimal 34). Choices: false, true. |
rules[].dscp.af42 boolean | Match packets with AF42 DSCP (100100, decimal 36). Choices: false, true. |
rules[].dscp.af43 boolean | Match packets with AF43 DSCP (100110, decimal 38). Choices: false, true. |
rules[].dscp.cs1 boolean | Match packets with CS1 DSCP (001000, decimal 8). Choices: false, true. |
rules[].dscp.cs2 boolean | Match packets with CS2 DSCP (010000, decimal 16). Choices: false, true. |
rules[].dscp.cs3 boolean | Match packets with CS3 DSCP (011000, decimal 24). Choices: false, true. |
rules[].dscp.cs4 boolean | Match packets with CS4 DSCP (100000, decimal 32). Choices: false, true. |
rules[].dscp.cs5 boolean | Match packets with CS5 DSCP (101000, decimal 40). Choices: false, true. |
rules[].dscp.cs6 boolean | Match packets with CS6 DSCP (110000, decimal 48). Choices: false, true. |
rules[].dscp.cs7 boolean | Match packets with CS7 DSCP (111000, decimal 56). Choices: false, true. |
rules[].dscp.default boolean | Match packets with CS0 DSCP (000000, decimal 0). Choices: false, true. |
rules[].dscp.ef boolean | Match packets with EF DSCP (101110, decimal 46). Choices: false, true. |
rules[].dscp.value integer | Match packets with the given DSCP value. The range is from 0 to 63. |
rules[].dscp.voice_admit boolean | Match packets with VOICE-ADMIT DSCP (101100, decimal 44). Choices: false, true. |
rules[].protocol dictionary | Specifies the protocol to match. Only one suboption can be specified for protocol in a rule. |
rules[].protocol.name string | Match packets with the given protocol. Choices: not preserved in this copy; the examples use icmp, icmpv6, ip, ipv6, tcp and udp. |
rules[].protocol.number integer | Match packets with the given protocol number. The range is from 0 to 255. |
rules[].protocol_options dictionary | Specifies additional packet match options for the chosen protocol. icmp, icmpv6 and tcp are mutually exclusive. |
rules[].protocol_options.icmp dictionary | Packet match options for ICMP. |
rules[].protocol_options.icmp.code integer | Match packets with the given ICMP code. The range is from 0 to 255. |
rules[].protocol_options.icmp.type integer | Match packets with the given ICMP type. The range is from 0 to 255. |
rules[].protocol_options.icmpv6 dictionary | Packet match options for ICMPv6. |
rules[].protocol_options.icmpv6.code integer | Match packets with the given ICMPv6 code. The range is from 0 to 255. |
rules[].protocol_options.icmpv6.type integer | Match packets with the given ICMPv6 type. The range is from 0 to 255. |
rules[].protocol_options.tcp dictionary | Packet match options for TCP. established and the other TCP flag options are mutually exclusive. |
rules[].protocol_options.tcp.ack boolean | Match packets with the ACK flag set. Choices: false, true. |
rules[].protocol_options.tcp.established boolean | Match packets that are part of an established TCP session. Choices: false, true. |
rules[].protocol_options.tcp.fin boolean | Match packets with the FIN flag set. Choices: false, true. |
rules[].protocol_options.tcp.not_ack boolean | Match packets with the ACK flag cleared. Choices: false, true. |
rules[].protocol_options.tcp.not_fin boolean | Match packets with the FIN flag cleared. Choices: false, true. |
rules[].protocol_options.tcp.not_psh boolean | Match packets with the PSH flag cleared. Choices: false, true. |
rules[].protocol_options.tcp.not_rst boolean | Match packets with the RST flag cleared. Choices: false, true. |
rules[].protocol_options.tcp.not_syn boolean | Match packets with the SYN flag cleared. Choices: false, true. |
rules[].protocol_options.tcp.not_urg boolean | Match packets with the URG flag cleared. Choices: false, true. |
rules[].protocol_options.tcp.psh boolean | Match packets with the PSH flag set. Choices: false, true. |
rules[].protocol_options.tcp.rst boolean | Match packets with the RST flag set. Choices: false, true. |
rules[].protocol_options.tcp.syn boolean | Match packets with the SYN flag set. Choices: false, true. |
rules[].protocol_options.tcp.urg boolean | Match packets with the URG flag set. Choices: false, true. |
rules[].remark string | Specifies a remark for the ACL rule. |
rules[].sequence_num integer / required | Specifies the sequence number of the rule. The range is from 1 to 65535. |
rules[].source dictionary | Specifies the source of the packet. any, host and prefix are mutually exclusive. |
rules[].source.any boolean | Match any source network address. Choices: false, true. |
rules[].source.host string | Network address of a single source host. |
rules[].source.port_number dictionary | Specifies the source port (valid only for TCP or UDP). Only one suboption can be specified for port_number in a rule. |
rules[].source.port_number.eq integer | Match packets with source port equal to the given port number. The range is from 0 to 65535. |
rules[].source.port_number.gt integer | Match packets with source port greater than the given port number. The range is from 0 to 65534. |
rules[].source.port_number.lt integer | Match packets with source port less than the given port number. The range is from 1 to 65535. |
rules[].source.port_number.range dictionary | Match packets with source port in the given range. begin and end are required together. |
rules[].source.port_number.range.begin integer | Specifies the beginning of the port range. The range is from 0 to 65534. |
rules[].source.port_number.range.end integer | Specifies the end of the port range. The range is from 1 to 65535. |
rules[].source.prefix string | Source network prefix in the format A.B.C.D/mask (IPv4) or A::B/mask (IPv6). |
rules[].vlan_id integer | Match packets with the given VLAN ID value. |
config[].address_family string / required | Specifies the address family of the ACLs. Choices: ipv4, ipv6. |
state string | The state of the configuration after module completion. Choices: merged, replaced, overridden, deleted. |
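The parameter table above carries a number of constraints that the module only enforces once a task runs: the any/host/prefix options are mutually exclusive, port_number takes exactly one suboption and is valid only for TCP or UDP, range needs begin and end together, and every numeric field has a fixed span. The following is an added example (not code from the dellemc.enterprise_sonic collection) that encodes those constraints as a pre-flight check over a playbook's `config` data, so a malformed rule is caught before anything is pushed to a switch. validate_rule() and validate_config() are hypothetical helper names; the sample config is constructed for this example. It goes slightly beyond the table in checking that a host or prefix parses and belongs to the ACL's address family.

```python
"""Pre-flight checks for dellemc.enterprise_sonic.sonic_l3_acls input.

Added example, not code from the collection. It encodes the constraints in
the parameter table (mutually exclusive suboptions, numeric ranges, port
matches only for TCP/UDP) so ACL data can be linted before a task runs.
"""
import ipaddress

PORT_OPS = {"eq": (0, 65535), "gt": (0, 65534), "lt": (1, 65535)}
ADDR_KEYS = ("any", "host", "prefix")
TCP_FLAGS = ("ack", "fin", "psh", "rst", "syn", "urg",
             "not_ack", "not_fin", "not_psh", "not_rst", "not_syn", "not_urg")


def _set_keys(d):
    """Suboptions the caller actually set; Ansible fills unset ones with None/False.
    0 is a legitimate value (port 0, DSCP 0, protocol 0), so test identity, not truthiness."""
    return [k for k, v in (d or {}).items() if v is not None and v is not False]


def _check_port(where, port, proto, errors):
    # protocol numbers 6 and 17 are TCP and UDP; nothing else can carry a port match
    if proto not in ("tcp", "udp", 6, 17):
        errors.append(f"{where}.port_number is valid only for tcp/udp, protocol is {proto!r}")
    keys = _set_keys(port)
    if len(keys) != 1:
        errors.append(f"{where}.port_number: exactly one of eq/gt/lt/range, got {keys}")
        return
    op = keys[0]
    if op == "range":
        rng = port["range"] or {}
        begin, end = rng.get("begin"), rng.get("end")
        if begin is None or end is None:
            errors.append(f"{where}.port_number.range: begin and end are required together")
        elif not (0 <= begin <= 65534 and 1 <= end <= 65535 and begin < end):
            # begin < end is an assumption; the table only gives the per-field ranges
            errors.append(f"{where}.port_number.range: bad bounds {begin}-{end}")
    elif op in PORT_OPS:
        lo, hi = PORT_OPS[op]
        if not lo <= port[op] <= hi:
            errors.append(f"{where}.port_number.{op}: {port[op]} outside {lo}-{hi}")


def _check_addr(where, addr, version, proto, errors):
    chosen = [k for k in _set_keys(addr) if k in ADDR_KEYS]
    if len(chosen) != 1:
        errors.append(f"{where}: exactly one of any/host/prefix is required, got {chosen}")
    try:  # host/prefix must parse and belong to the ACL's address family
        if chosen == ["host"] and ipaddress.ip_address(addr["host"]).version != version:
            errors.append(f"{where}.host: {addr['host']} is not IPv{version}")
        if chosen == ["prefix"] and ipaddress.ip_network(addr["prefix"], strict=False).version != version:
            errors.append(f"{where}.prefix: {addr['prefix']} is not IPv{version}")
    except ValueError as exc:
        errors.append(f"{where}: {exc}")
    if addr.get("port_number") is not None:
        _check_port(where, addr["port_number"], proto, errors)


def validate_rule(rule, address_family):
    """Return the list of constraint violations for one rule (empty list means OK)."""
    errors = []
    version = 4 if address_family == "ipv4" else 6
    seq = rule.get("sequence_num")
    if not isinstance(seq, int) or not 1 <= seq <= 65535:
        errors.append(f"sequence_num {seq!r} must be an integer in 1-65535")
    if rule.get("action") not in ("permit", "deny"):
        errors.append(f"action {rule.get('action')!r} must be permit or deny")
    proto = rule.get("protocol") or {}
    pkeys = _set_keys(proto)
    if len(pkeys) != 1:
        errors.append(f"protocol: exactly one of name/number, got {pkeys}")
    if "number" in pkeys and not 0 <= proto["number"] <= 255:
        errors.append(f"protocol.number {proto['number']} outside 0-255")
    pval = proto.get("name") if "name" in pkeys else proto.get("number")
    for side in ("source", "destination"):
        _check_addr(side, rule.get(side) or {}, version, pval, errors)
    opts = rule.get("protocol_options") or {}
    okeys = _set_keys(opts)
    if len(okeys) > 1:
        errors.append(f"protocol_options: icmp/icmpv6/tcp are mutually exclusive, got {okeys}")
    for key in ("icmp", "icmpv6"):
        for field in ("type", "code"):
            val = (opts.get(key) or {}).get(field)
            if val is not None and not 0 <= val <= 255:
                errors.append(f"protocol_options.{key}.{field} {val} outside 0-255")
    tcp = _set_keys(opts.get("tcp"))
    if "established" in tcp and any(f in tcp for f in TCP_FLAGS):
        errors.append("protocol_options.tcp: established cannot be combined with other flags")
    dscp = _set_keys(rule.get("dscp"))
    if len(dscp) > 1:
        errors.append(f"dscp: only one suboption allowed, got {dscp}")
    if "value" in dscp and not 0 <= rule["dscp"]["value"] <= 63:
        errors.append(f"dscp.value {rule['dscp']['value']} outside 0-63")
    return errors


def validate_config(config):
    """Walk the module's config list; map (family, acl, seq) to the errors of every bad rule."""
    problems = {}
    for entry in config or []:
        fam = entry.get("address_family")
        for acl in entry.get("acls") or []:
            for rule in acl.get("rules") or []:
                errs = validate_rule(rule, fam)
                if errs:
                    problems[(fam, acl["name"], rule.get("sequence_num"))] = errs
    return problems


# Constructed sample: a clean rule followed by one with four mistakes.
SAMPLE_CONFIG = [{"address_family": "ipv4", "acls": [{"name": "edge-in", "rules": [
    {"sequence_num": 10, "action": "permit", "protocol": {"name": "tcp"},
     "source": {"prefix": "10.0.0.0/8"},
     "destination": {"any": True, "port_number": {"eq": 443}}},
    {"sequence_num": 20, "action": "deny", "protocol": {"name": "icmp"},
     "source": {"any": True, "host": "10.1.1.1"},                              # any and host together
     "destination": {"prefix": "2001:db8::/32", "port_number": {"gt": 1024}},  # IPv6 prefix, port on ICMP
     "protocol_options": {"tcp": {"established": True, "syn": True}}},         # established plus a flag
]}]}]
```

Run validate_config() over the `config` value of a task (for instance from a pre_tasks step that loads the ACL data from a vars file) and fail the play when the returned mapping is non-empty; the keys identify the address family, ACL name and sequence number of each offending rule.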
Notes
Note
- Supports check_mode.
Examples
```yaml
# Using merged
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit ipv6 host 192:168:1::2 any
# sonic#

- name: Merge provided Layer 3 ACL configurations
  dellemc.enterprise_sonic.sonic_l3_acls:
    config:
      - address_family: 'ipv4'
        acls:
          - name: 'test'
            rules:
              - sequence_num: 2
                action: 'permit'
                protocol:
                  name: 'icmp'
                source:
                  any: true
                destination:
                  host: '192.168.1.2'
                protocol_options:
                  icmp:
                    type: 8
              - sequence_num: 3
                action: 'deny'
                protocol:
                  number: 2
                source:
                  any: true
                destination:
                  any: true
              - sequence_num: 4
                action: 'deny'
                protocol:
                  name: 'ip'
                source:
                  any: true
                destination:
                  any: true
                vlan_id: 10
                remark: 'Vlan10'
          - name: 'test1'
            remark: 'test_ip_acl'
            rules:
              - sequence_num: 1
                action: 'permit'
                protocol:
                  name: 'tcp'
                source:
                  prefix: '10.0.0.0/8'
                destination:
                  any: true
              - sequence_num: 2
                action: 'deny'
                protocol:
                  name: 'udp'
                source:
                  any: true
                destination:
                  prefix: '20.1.0.0/16'
                  port_number:
                    gt: 1024
              - sequence_num: 3
                action: 'deny'
                protocol:
                  name: 'ip'
                source:
                  any: true
                destination:
                  any: true
                dscp:
                  value: 63
      - address_family: 'ipv6'
        acls:
          - name: 'testv6'
            rules:
              - sequence_num: 2
                action: 'deny'
                protocol:
                  name: 'icmpv6'
                source:
                  any: true
                destination:
                  any: true
          - name: 'testv6-1'
            remark: 'test_ipv6_acl'
            rules:
              - sequence_num: 1
                action: 'permit'
                protocol:
                  name: 'ipv6'
                source:
                  prefix: '1000::/16'
                destination:
                  any: true
                dscp:
                  af22: true
              - sequence_num: 2
                action: 'deny'
                protocol:
                  name: 'tcp'
                source:
                  any: true
                destination:
                  prefix: '2000::1000:0/112'
                  port_number:
                    range:
                      begin: 100
                      end: 1000
              - sequence_num: 3
                action: 'permit'
                protocol:
                  name: 'tcp'
                source:
                  any: true
                destination:
                  any: true
                protocol_options:
                  tcp:
                    established: true
              - sequence_num: 4
                action: 'deny'
                protocol:
                  name: 'udp'
                source:
                  any: true
                  port_number:
                    eq: 3000
                destination:
                  any: true
    state: merged

# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.2 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit ipv6 host 192:168:1::2 any
# seq 2 deny icmpv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#


# Using replaced
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.2 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp host 3000::1 any established
# seq 2 permit udp any any
# seq 3 deny icmpv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#

- name: Replace device configuration of specified Layer 3 ACLs with provided configuration
  dellemc.enterprise_sonic.sonic_l3_acls:
    config:
      - address_family: 'ipv4'
        acls:
          - name: 'test2'
            rules:
              - sequence_num: 1
                action: 'permit'
                protocol:
                  name: 'tcp'
                source:
                  prefix: '192.168.1.0/24'
                destination:
                  any: true
      - address_family: 'ipv6'
        acls:
          - name: 'testv6'
            rules:
              - sequence_num: 1
                action: 'permit'
                protocol:
                  name: 'tcp'
                source:
                  host: '3000::1'
                destination:
                  any: true
                protocol_options:
                  tcp:
                    ack: true
                    syn: true
                    fin: true
              - sequence_num: 2
                action: 'deny'
                protocol:
                  name: 'ipv6'
                source:
                  any: true
                destination:
                  any: true
    state: replaced

# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.3 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# !
# ip access-list test2
# seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp host 3000::1 any fin syn ack
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#


# Using overridden
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.3 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# !
# ip access-list test2
# seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp 3000::/16 any
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#

- name: Override device configuration of all Layer 3 ACLs with provided configuration
  dellemc.enterprise_sonic.sonic_l3_acls:
    config:
      - address_family: 'ipv4'
        acls:
          - name: 'test_acl'
            rules:
              - sequence_num: 1
                action: 'permit'
                protocol:
                  name: 'ip'
                source:
                  prefix: '100.1.1.0/24'
                destination:
                  prefix: '100.1.2.0/24'
              - sequence_num: 2
                action: 'deny'
                protocol:
                  name: 'udp'
                source:
                  any: true
                destination:
                  any: true
    state: overridden

# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test_acl
# seq 1 permit ip 100.1.1.0/24 100.1.2.0/24
# seq 2 deny udp any any
# sonic#
# sonic# show running-configuration ipv6 access-list
# sonic#


# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.3 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# !
# ip access-list test2
# seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp 3000::/16 any
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#

- name: Delete specified Layer 3 ACLs, ACL remark and ACL rule entries
  dellemc.enterprise_sonic.sonic_l3_acls:
    config:
      - address_family: 'ipv4'
        acls:
          - name: 'test'
            rules:
              - sequence_num: 2
          - name: 'test2'
      - address_family: 'ipv6'
        acls:
          - name: 'testv6-1'
            remark: 'test_ipv6_acl'
            rules:
              - sequence_num: 3
    state: deleted

# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp 3000::/16 any
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 4 deny udp any eq 3000 any
# sonic#


# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.3 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# !
# ip access-list test2
# seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp 3000::/16 any
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#

- name: Delete all Layer 3 ACLs for an address-family
  dellemc.enterprise_sonic.sonic_l3_acls:
    config:
      - address_family: 'ipv4'
    state: deleted

# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp 3000::/16 any
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#


# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.3 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# !
# ip access-list test2
# seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp 3000::/16 any
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#

- name: Delete all Layer 3 ACL configurations
  dellemc.enterprise_sonic.sonic_l3_acls:
    config:
    state: deleted

# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# sonic#
# sonic# show running-configuration ipv6 access-list
# sonic#
```
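The before/after pairs above show that the four `state` values differ in how much of the device's ACL set they touch, and the overridden and empty-config deleted cases are the ones that bite in practice: `overridden` removes every ACL in address families the play does not mention (the IPv6 lists disappear although only an IPv4 ACL was supplied), and `state: deleted` with an empty `config` removes everything. The following is an added example, not the module's implementation, that models those semantics as they appear in the examples so the effect of a play can be previewed offline before it is run against a switch. apply_state() and summary() are hypothetical helper names; BEFORE is the "Using replaced" before state copied from the page, and the play dicts abbreviate the page's rules to sequence_num and action.

```python
"""Model of how the sonic_l3_acls state values transform a device's ACL set.

Added example, not the module's implementation: it reproduces the
before/after behaviour of the documentation examples so the difference
between merged, replaced, overridden and deleted can be checked offline.
"""
import copy

FAMILIES = ("ipv4", "ipv6")


def _acl(remark, *lines):
    """Device-side ACL built from show running-configuration lines (copied from the page)."""
    return {"remark": remark, "rules": {int(l.split()[1]): l for l in lines}}


def _from_play(acl):
    """Play-level ACL dict in the same device-side shape, keyed by sequence_num."""
    return {"remark": acl.get("remark"),
            "rules": {r["sequence_num"]: r for r in acl.get("rules") or []}}


def apply_state(device, config, state):
    """Return a new ACL set after applying the play's config with the given state."""
    dev = copy.deepcopy(device)
    config = config or []
    if state == "overridden" or (state == "deleted" and not config):
        # overridden keeps only what the play lists, in every address family,
        # including families the play never mentions; deleted with no config wipes all
        dev = {fam: {} for fam in FAMILIES}
    for entry in config:
        fam, acls = entry["address_family"], entry.get("acls")
        if state == "deleted":
            if not acls:                       # address family alone: drop all its ACLs
                dev[fam] = {}
                continue
            for acl in acls:
                cur = dev[fam].get(acl["name"])
                if cur is None:
                    continue
                if not acl.get("rules") and not acl.get("remark"):
                    del dev[fam][acl["name"]]  # name alone: drop the whole ACL
                    continue
                if acl.get("remark"):
                    cur["remark"] = None
                for r in acl.get("rules") or []:  # only sequence_num is considered
                    cur["rules"].pop(r["sequence_num"], None)
            continue
        for acl in acls or []:
            new = _from_play(acl)
            if state == "merged" and acl["name"] in dev[fam]:
                cur = dev[fam][acl["name"]]    # merged: add/update rules by sequence_num
                if new["remark"] is not None:
                    cur["remark"] = new["remark"]
                cur["rules"].update(new["rules"])
            else:                              # new ACL, replaced or overridden: whole ACL
                dev[fam][acl["name"]] = new
    return dev


def summary(device):
    """{family: {acl: (remark, sorted sequence numbers)}} for easy comparison."""
    return {fam: {name: (acl["remark"], sorted(acl["rules"]))
                  for name, acl in acls.items()} for fam, acls in device.items()}


# Before state of the 'Using replaced' example above.
BEFORE = {
    "ipv4": {
        "test": _acl(None, "seq 1 permit ip host 192.168.1.2 any",
                     "seq 2 permit icmp any host 192.168.1.2 type 8",
                     "seq 3 deny 2 any any", "seq 4 deny ip any any vlan 10 remark Vlan10"),
        "test1": _acl("test_ip_acl", "seq 1 permit tcp 10.0.0.0/8 any",
                      "seq 2 deny udp any 20.1.0.0/16 gt 1024", "seq 3 deny ip any any dscp 63"),
    },
    "ipv6": {
        "testv6": _acl(None, "seq 1 permit tcp host 3000::1 any established",
                       "seq 2 permit udp any any", "seq 3 deny icmpv6 any any"),
        "testv6-1": _acl("test_ipv6_acl", "seq 1 permit ipv6 1000::/16 any dscp af22",
                         "seq 2 deny tcp any 2000::1000:0/112 range 100 1000",
                         "seq 3 permit tcp any any established", "seq 4 deny udp any eq 3000 any"),
    },
}
# The plays from the examples, with rule bodies abbreviated to sequence_num and action.
REPLACE_PLAY = [
    {"address_family": "ipv4", "acls": [{"name": "test2", "rules": [{"sequence_num": 1, "action": "permit"}]}]},
    {"address_family": "ipv6", "acls": [{"name": "testv6", "rules": [{"sequence_num": 1, "action": "permit"},
                                                                      {"sequence_num": 2, "action": "deny"}]}]},
]
OVERRIDE_PLAY = [{"address_family": "ipv4", "acls": [{"name": "test_acl", "rules": [
    {"sequence_num": 1, "action": "permit"}, {"sequence_num": 2, "action": "deny"}]}]}]
DELETE_PLAY = [
    {"address_family": "ipv4", "acls": [{"name": "test", "rules": [{"sequence_num": 2}]}, {"name": "test2"}]},
    {"address_family": "ipv6", "acls": [{"name": "testv6-1", "remark": "test_ipv6_acl", "rules": [{"sequence_num": 3}]}]},
]
```

Comparing summary(apply_state(current, play, state)) with summary(current) before running a play makes the blast radius of overridden and deleted visible; in particular, a play that hands `overridden` only IPv4 ACLs will show the whole IPv6 side as empty afterwards.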
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Description |
---|---|
after list / elements=string | The resulting configuration after the module invocation. Returned: when changed |
after(generated) list / elements=string | The configuration that the module invocation would generate. Returned: when |
before list / elements=string | The configuration prior to the module invocation. Returned: always |
commands list / elements=string | The set of commands pushed to the remote device. Returned: always |
© 2012–2018 Michael DeHaan
© 2018–2024 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/dellemc/enterprise_sonic/sonic_l3_acls_module.html