arubanetworks.aos_switch.arubaoss_acl_policy (1.7.0) — module

Implements the REST API for global ACL configuration

Added in version 2.6.0 of arubanetworks.aos_switch

Authors: Ashish Pant (@hpe)

preview | supported by community

Install collection

Install with ansible-galaxy collection install arubanetworks.aos_switch:==1.7.0


Add to requirements.yml

  collections:
    - name: arubanetworks.aos_switch
      version: 1.7.0

Description

This implements the REST APIs that configure standard and extended ACL policies on the device.

Usage examples

- name: Create ip access-list extended permit_all with rule permit ip any any
  arubaoss_acl_policy:
    # Extended IPv4 ACL "permit_all" holding one permit rule for protocol IP.
    acl_type: AT_EXTENDED_IPV4
    acl_name: permit_all
    acl_action: AA_PERMIT
    protocol_type: PT_IP
    # 0.0.0.0 with mask 255.255.255.255 is how these examples express "any"
    # for both endpoints; the exact mask semantics are the module's (see the
    # source_ip_mask option).
    source_ip_address: 0.0.0.0
    source_ip_mask: 255.255.255.255
    destination_ip_address: 0.0.0.0
    destination_ip_mask: 255.255.255.255
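- name: Create ip access-list extended permit_port_80 with rule permit tcp any eq 80
  arubaoss_acl_policy:
    acl_name: permit_port_80
    acl_type: AT_EXTENDED_IPV4
    acl_action: AA_PERMIT
    protocol_type: PT_TCP
    source_ip_address: 0.0.0.0
    source_ip_mask: 255.255.255.255
    # "eq 80": port_not_equal left at 0 and a one-port range 80..80
    source_port:
      port_not_equal: 0       # Set to 0
      port_range_start: 80    # Set to equal port
      port_range_end: 80      # Set to equal port
    destination_ip_address: 0.0.0.0
    destination_ip_mask: 255.255.255.255
    # Same shape as source_port, written in block style instead of an inline
    # flow mapping so both port dictionaries read and diff the same way
    destination_port:
      port_not_equal: 0       # Set to 0
      port_range_start: 80    # Set to equal port
      port_range_end: 80      # Set to equal port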
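- name: Create ip access-list extended deny_all_ports_not_80 with rule deny tcp any neq 80
  arubaoss_acl_policy:
    acl_name: deny_all_ports_not_80
    acl_type: AT_EXTENDED_IPV4
    # The task and the ACL are both named "deny"; the original example set
    # AA_PERMIT here, which would have permitted every non-80 TCP flow instead
    # of denying it. Verify the resulting rule on the device before relying on it.
    acl_action: AA_DENY
    protocol_type: PT_TCP
    source_ip_address: 0.0.0.0
    source_ip_mask: 255.255.255.255
    # "neq 80": port_not_equal carries the port and the range stays at 0..0
    source_port:
      port_not_equal: 80       # Set to neq port
      port_range_start: 0
      port_range_end: 0
    destination_ip_address: 0.0.0.0
    destination_ip_mask: 255.255.255.255
    # Block style to match source_port (was an inline flow mapping)
    destination_port:
      port_not_equal: 80       # Set to neq port
      port_range_start: 0
      port_range_end: 0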
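- name: Create ip access-list extended deny_all_ports_less_than_80 with rule deny tcp any lt 80
  arubaoss_acl_policy:
    acl_name: deny_all_ports_less_than_80
    acl_type: AT_EXTENDED_IPV4
    # The task and the ACL are both named "deny"; the original example set
    # AA_PERMIT here, which would have permitted ports below 80 instead of
    # denying them. Verify the resulting rule on the device before relying on it.
    acl_action: AA_DENY
    protocol_type: PT_TCP
    source_ip_address: 0.0.0.0
    source_ip_mask: 255.255.255.255
    # "lt 80" is expressed as the range 1..79 with port_not_equal left at 0
    source_port:
      port_not_equal: 0       # Set to 0
      port_range_start: 1     # Start is 1
      port_range_end: 79      # End is port - 1
    destination_ip_address: 0.0.0.0
    destination_ip_mask: 255.255.255.255
    destination_port:
      port_not_equal: 0       # Set to 0
      port_range_start: 1     # Start is 1
      port_range_end: 79      # End is port - 1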
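- name: Create ip access-list extended deny_all_ports_gt_than_80 with rule deny tcp any gt 80
  arubaoss_acl_policy:
    acl_name: deny_all_ports_gt_than_80
    acl_type: AT_EXTENDED_IPV4
    # The task and the ACL are both named "deny"; the original example set
    # AA_PERMIT here, which would have permitted ports above 80 instead of
    # denying them. Verify the resulting rule on the device before relying on it.
    acl_action: AA_DENY
    protocol_type: PT_TCP
    source_ip_address: 0.0.0.0
    source_ip_mask: 255.255.255.255
    # "gt 80" is expressed as the range 81..65535 with port_not_equal left at 0
    source_port:
      port_not_equal: 0       # Set to 0
      port_range_start: 81    # Start is 1 + port
      port_range_end: 65535   # Highest port value is 65535
    destination_ip_address: 0.0.0.0
    destination_ip_mask: 255.255.255.255
    destination_port:
      port_not_equal: 0       # Set to 0
      port_range_start: 81    # Start is 1 + port
      port_range_end: 65535   # Highest port value is 65535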

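- name: add standard acl
  arubaoss_acl_policy:
    acl_name: "{{item.acl}}"
    # NOTE(review): the option docs list acl_source_address for standard ACLs,
    # while this example passes source_ip_address with acl_type left at its
    # default (AT_STANDARD_IPV4) -- confirm which key the module honours here.
    source_ip_address: "{{item.ip}}"
    acl_action: "{{item.action}}"
    is_log: "{{item.log}}"
    remark: testing
  with_items:
    # Booleans are written as lowercase true/false: a YAML 1.2 parser reads
    # capitalised True/False as plain strings, only YAML 1.1 loaders turn them
    # into booleans. Block style replaces the inline flow mappings.
    - acl: test2
      action: AA_PERMIT
      ip: any
      log: false
    - acl: test3
      action: AA_PERMIT
      ip: any
      log: true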
- name: delte acl policy
  arubaoss_acl_policy:
    # state=delete removes the policy selected by acl_name; no other option is
    # passed in this example.
    state: delete
    acl_name: "{{item}}"
  with_items:
    - test2
    - test3

Inputs

    
# Match on the IP type-of-service field; only the four listed values are accepted.
tos:
    choices:
    - 0
    - 2
    - 4
    - 8
    description: Match a specific IP type of service flag - Tos value
    required: false
    type: int

# Top-level connection options; the same keys are repeated as suboptions of
# provider further down.
host:
    description: 'Specifies the DNS host name or address for connecting to the remote
      device over the specified transport. The value of host is used as the destination
      address for the transport.

      '
    type: str

port:
    description: 'Specifies the port to use when building the connection to the remote
      device.

      '
    type: int

state:
    choices:
    - create
    - delete
    default: create
    # The delete example above passes only acl_name with state, so delete
    # appears to act on the whole policy selected by name.
    description: Create or deletes acl policy.
    required: false

is_log:
    # No default is listed; set it explicitly when match logging is wanted.
    description: Enable/disable acl logging.
    required: false
    type: bool

remark:
    description: Description for acl policy
    required: false
    type: str

timeout:
    description: 'Specifies the timeout in seconds for communicating with the network
      device for either connecting or sending commands. If the timeout is exceeded before
      the operation is completed, the module will error.

      '
    type: int

use_ssl:
    description: 'Configures use SSL (HTTPS) for access to the remote device.

      '
    # No default is listed here; set it explicitly so the choice between HTTP
    # and HTTPS is not left to the module.
    type: bool

acl_name:
    description:
    - Name for acl policy being configured.
    required: true
    type: str

acl_type:
    choices:
    - AT_STANDARD_IPV4
    - AT_EXTENDED_IPV4
    # AT_CONNECTOIN_RATE_FILTER is the literal spelling listed on this page;
    # a choices list is matched exactly, so check the module source before
    # "correcting" it in a playbook.
    - AT_CONNECTOIN_RATE_FILTER
    default: AT_STANDARD_IPV4
    description:
    - Type of acl policy to be configured.
    required: false

# Prefer supplying this via ANSIBLE_NET_PASSWORD or an Ansible Vault value
# rather than a plain-text variable in version control. NOTE(review): the text
# mentions an SSH session, while the provider.transport default below is
# aossapi -- the wording is presumably shared with other modules.
password:
    description: 'Specifies the password to use to authenticate the connection to the
      remote device. This value is used to authenticate the SSH session. If the value
      is not specified in the task, the value of environment variable ANSIBLE_NET_PASSWORD
      will be used instead.

      '
    type: str

# Connection details as one dict; each suboption mirrors a top-level option
# of the same name.
provider:
    description: A dict object containing connection details.
    suboptions:
      api_version:
        # NOTE(review): an unquoted None is the string "None" to a YAML parser,
        # not null; presumably the rendered form of a Python default.
        default: None
        description: 'Configures (force) API version (vX.Y) for acces to the remote device.

          '
        type: str
      host:
        description: 'Specifies the DNS host name or address for connecting to the remote
          device over the specified transport. The value of host is used as the destination
          address for the transport.

          '
        type: str
      password:
        description: 'Specifies the password to use to authenticate the connection to
          the remote device. This value is used to authenticate the SSH session. If the
          value is not specified in the task, the value of environment variable ANSIBLE_NET_PASSWORD
          will be used instead.

          '
        type: str
      port:
        description: 'Specifies the port to use when building the connection to the remote
          device.

          '
        type: int
      ssh_keyfile:
        description: 'Specifies the SSH key to use to authenticate the connection to the
          remote device. This value is the path to the key used to authenticate the SSH
          session. If the value is not specified in the task, the value of environment
          variable ANSIBLE_NET_SSH_KEYFILE will be used instead.

          '
        type: path
      timeout:
        description: 'Specifies the timeout in seconds for communicating with the network
          device for either connecting or sending commands. If the timeout is exceeded
          before the operation is completed, the module will error.

          '
        type: int
      transport:
        default: aossapi
        description: 'Configures the transport (aossapi or network_cli) mode.

          '
        type: str
      use_proxy:
        default: false
        description: 'Configures use (Local) Proxy for access to the remote device.

          '
        type: bool
      use_ssl:
        description: 'Configures use SSL (HTTPS) for access to the remote device.

          '
        type: bool
      username:
        description: 'Configures the username to use to authenticate the connection to
          the remote device. This value is used to authenticate the SSH session. If the
          value is not specified in the task, the value of environment variable ANSIBLE_NET_USERNAME
          will be used instead.

          '
        type: str
      validate_certs:
        # Certificate validation is OFF by default: with use_ssl the switch's
        # identity is then not checked, so a host on the path could present its
        # own certificate. Set true and trust the device certificate where possible.
        default: false
        description: 'Configures validation of certification for access to the remote
          device.

          '
        type: bool
    type: dict

username:
    description: 'Configures the username to use to authenticate the connection to the
      remote device. This value is used to authenticate the SSH session. If the value
      is not specified in the task, the value of environment variable ANSIBLE_NET_USERNAME
      will be used instead.

      '
    type: str

# icmp_code/icmp_type default to -1, which the page does not explain;
# presumably "not set". Both apply only with protocol_type PT_ICMP.
icmp_code:
    default: -1
    description: Applies to icmp code matching this field. Only PT_ICMP protocol_type
      support icmp_code
    required: false
    type: int

icmp_type:
    default: -1
    # NOTE(review): the description says "support icmp_code"; presumably a
    # copy-paste of the icmp_code text and icmp_type is meant.
    description: Applies to icmp type matching this field. Only PT_ICMP protocol_type
      support icmp_code
    required: false
    type: int

igmp_type:
    choices:
    - IT_HOST_QUERY
    - IT_HOST_REPORT
    - IT_DVMRP
    - IT_PIM
    - IT_TRACE
    - IT_V2_HOST_REPORT
    - IT_V2_HOST_LEAVE
    - IT_MTRACE_REPLY
    - IT_MTRACE_REQUEST
    - IT_V3_HOST_REPORT
    - IT_MROUTER_ADVERTISEMENT
    - IT_MROUTER_SOLICITATION
    - IT_MROUTER_TERMINATION
    # NOTE(review): this text refers to PT_IGMP, but the protocol_type choices
    # below list PTIGMP (no underscore) -- confirm the accepted spelling.
    description: Applies to igmp type matching this field. Only PT_IGMP protocol_type
      support igmp_type
    required: false

# A single TCP flag to match; the option takes one value from the list, not a set,
# despite the description wording.
match_bit:
    choices:
    - MB_ACK
    - MB_FIN
    - MB_RST
    - MB_SYN
    description: The set of TCP match bits. Only PT_TCP protocol_type support match_bit.
      - MB_ACK Match TCP packets with the ACK bit set. - MB_FIN Match TCP packets with
      the FIN bit set - MB_RST Match TCP packets with the RST bit set - MB_SYN Match TCP
      packets with the SYN bit set
    required: false

# Listed as required: false, but the description states it is required
# whenever a rule is defined; the examples above always set it.
acl_action:
    choices:
    - AA_DENY
    - AA_PERMIT
    description:
    - Type of action acl rule will take, required when defining ACL rule.
    required: false
    type: str

precedence:
    choices:
    - 0
    - 1
    - 2
    - 3
    - 4
    - 5
    - 6
    - 7
    description: Match a specific IP precedence flag.
    required: false
    type: int

api_version:
    # NOTE(review): an unquoted None is the string "None" to a YAML parser, not
    # null; presumably the rendered form of a Python default.
    default: None
    description: 'Configures (force) API version (vX.Y) for acces to the remote device.

      '
    type: str

sequence_no:
    description: Sequence number for the ACL rule to be configured
    required: false
    type: int

# Keys expected in the dict: port_not_equal, port_range_start, port_range_end
# (see the examples above). NOTE(review): the examples use port_range_end 65535
# and call it the highest port value; the 65525 stated here may be a typo --
# confirm against the module.
source_port:
    description: Dictionary of ports to match on. Applies to source port matching this
      filter. Only PT_SCTP, PT_TCP and PT_UDP Protocol types support source_port. Maximum
      value for port_range_end is 65525. Dictionary containing the keys 'port_not_equal','port_range_start',
      'port_range_end'. See below for examples. Used with acl_type=AT_EXTENDED_IPV4
    required: false
    type: dict

ssh_keyfile:
    description: 'Specifies the SSH key to use to authenticate the connection to the remote
      device. This value is the path to the key used to authenticate the SSH session.
      If the value is not specified in the task, the value of environment variable ANSIBLE_NET_SSH_KEYFILE
      will be used instead.

      '
    type: path

protocol_type:
    choices:
    - PT_GRE
    - PT_ESP
    - PT_AH
    - PT_OSPF
    - PT_PIM
    - PT_VRRP
    - PT_ICMP
    # NOTE(review): PTIGMP is the only choice without the PT_ prefix underscore;
    # the igmp_type description says PT_IGMP. Check the module source for the
    # string it actually accepts before using IGMP rules.
    - PTIGMP
    - PT_IP
    - PT_SCTP
    - PT_TCP
    - PT_UDP
    description: Protocol type for acl filter. Applicable for extended acl.
    required: false

# The examples above pair source_ip_address 0.0.0.0 with mask 255.255.255.255
# to mean "any"; whether the mask is a wildcard or a subnet mask is not stated
# on this page -- verify on the device before relying on a narrower mask.
source_ip_mask:
    description: Net mask source_ip_address in octet form i.e 255.255.255.0. Used with
      acl_type=AT_EXTENDED_IPV4
    required: false

# Certificate validation is OFF by default: with use_ssl the switch's identity
# is then not checked, so a host on the path could present its own certificate.
# Set true and trust the device certificate where possible.
validate_certs:
    default: false
    description: 'Configures validation of certification for access to the remote device.

      '
    type: bool

acl_source_mask:
    description: net mask for source acl_source_address in octet form i.e 255.255.255.0,
      used with acl_type=AT_STANDARD_IPV4
    required: false
    type: str

# Same dict shape as source_port. NOTE(review): the description reads
# "Protocol types destination source_port"; presumably "support destination_port".
destination_port:
    description: Dictionary of integer ports to match on. Applies to destination port
      matching this filter. Only PT_SCTP, PT_TCP and PT_UDP Protocol types destination
      source_port. Maximum value for port_range_end is 65525. Dictionary containing the
      keys 'port_not_equal','port_range_start', 'port_range_end' See below for examples.
      Used with acl_type=AT_EXTENDED_IPV4
    required: false
    type: dict

# Extended-ACL endpoint options (no type is listed for the two *_ip_address keys).
source_ip_address:
    description: Applies to source IP Address matching this extended acl filter, i.e 192.168.0.1.
      Used with acl_type=AT_EXTENDED_IPV4
    required: false

# Standard-ACL counterpart of source_ip_address; the "add standard acl" example
# above passes source_ip_address instead -- confirm which the module honours.
acl_source_address:
    description: source ip address for acl policy type standard i.e 192.168.0.1, used
      with acl_type=AT_STANDARD_IPV4
    required: false
    type: str

destination_ip_address:
    description: Applies to destination IP Address/Subnet matching this extended acl filter,
      i.e 192.168.0.1. Used with acl_type=AT_EXTENDED_IPV4
    required: false

# TCP "established" match; only meaningful with protocol_type PT_TCP.
is_connection_established:
    description: Match TCP packets of an established connection on ACL rule. Only PT_TCP
      protocol_type support is_connection_established
    required: false
    type: bool

Outputs

# NOTE(review): these return-value descriptions read like template text
# ("sample module", "original name param"); treat the documented output keys
# as unverified until checked against the module source.
message:
  description: The output message that the sample module generates
original_message:
  description: The original name param that was passed in
  type: str