arubanetworks.aos_switch.arubaoss_acl_policy (1.7.0) module: implements the REST API for global ACL configuration
Added in version 2.6.0 of arubanetworks.aos_switch. Authors: Ashish Pant (@hpe). Status: preview, supported by the community.
Install with ansible-galaxy collection install arubanetworks.aos_switch:==1.7.0
Or add it to requirements.yml:

collections:
  - name: arubanetworks.aos_switch
    version: 1.7.0
This module implements the REST APIs that configure standard and extended ACL policies on the device.

Examples:
- name: Create ip access-list extended permit_all with rule permit ip any any
  arubaoss_acl_policy:
    acl_name: permit_all
    source_ip_address: 0.0.0.0
    source_ip_mask: 255.255.255.255
    destination_ip_address: 0.0.0.0
    destination_ip_mask: 255.255.255.255
    acl_action: AA_PERMIT
    protocol_type: PT_IP
    acl_type: AT_EXTENDED_IPV4

- name: Create ip access-list extended permit_port_80 with rule permit tcp any eq 80
  arubaoss_acl_policy:
    acl_name: permit_port_80
    source_ip_address: 0.0.0.0
    source_ip_mask: 255.255.255.255
    protocol_type: PT_TCP
    source_port:
      port_not_equal: 0     # Set to 0
      port_range_start: 80  # Set to the equal port
      port_range_end: 80    # Set to the equal port
    destination_ip_address: 0.0.0.0
    destination_ip_mask: 255.255.255.255
    destination_port: {"port_not_equal": 0, "port_range_start": 80, "port_range_end": 80}
    acl_action: AA_PERMIT
    acl_type: AT_EXTENDED_IPV4

- name: Create ip access-list extended deny_all_ports_not_80 with rule deny tcp any neq 80
  arubaoss_acl_policy:
    acl_name: deny_all_ports_not_80
    source_ip_address: 0.0.0.0
    source_ip_mask: 255.255.255.255
    protocol_type: PT_TCP
    source_port:
      port_not_equal: 80  # Set to the neq port
      port_range_start: 0
      port_range_end: 0
    destination_ip_address: 0.0.0.0
    destination_ip_mask: 255.255.255.255
    destination_port: {"port_not_equal": 80, "port_range_start": 0, "port_range_end": 0}
    acl_action: AA_DENY  # deny, as stated in the rule
    acl_type: AT_EXTENDED_IPV4

- name: Create ip access-list extended deny_all_ports_less_than_80 with rule deny tcp any lt 80
  arubaoss_acl_policy:
    acl_name: deny_all_ports_less_than_80
    source_ip_address: 0.0.0.0
    source_ip_mask: 255.255.255.255
    protocol_type: PT_TCP
    source_port:
      port_not_equal: 0     # Set to 0
      port_range_start: 1   # Start is 1
      port_range_end: 79    # End is port - 1
    destination_ip_address: 0.0.0.0
    destination_ip_mask: 255.255.255.255
    destination_port:
      port_not_equal: 0     # Set to 0
      port_range_start: 1   # Start is 1
      port_range_end: 79    # End is port - 1
    acl_action: AA_DENY  # deny, as stated in the rule
    acl_type: AT_EXTENDED_IPV4

- name: Create ip access-list extended deny_all_ports_gt_than_80 with rule deny tcp any gt 80
  arubaoss_acl_policy:
    acl_name: deny_all_ports_gt_than_80
    source_ip_address: 0.0.0.0
    source_ip_mask: 255.255.255.255
    protocol_type: PT_TCP
    source_port:
      port_not_equal: 0        # Set to 0
      port_range_start: 81     # Start is port + 1
      port_range_end: 65535    # Highest port value is 65535
    destination_ip_address: 0.0.0.0
    destination_ip_mask: 255.255.255.255
    destination_port:
      port_not_equal: 0        # Set to 0
      port_range_start: 81     # Start is port + 1
      port_range_end: 65535    # Highest port value is 65535
    acl_action: AA_DENY  # deny, as stated in the rule
    acl_type: AT_EXTENDED_IPV4

- name: Add standard acl
  arubaoss_acl_policy:
    acl_name: "{{ item.acl }}"
    source_ip_address: "{{ item.ip }}"
    acl_action: "{{ item.action }}"
    is_log: "{{ item.log }}"
    remark: testing
  with_items:
    - {"acl": "test2", "action": "AA_PERMIT", "ip": "any", "log": false}
    - {"acl": "test3", "action": "AA_PERMIT", "ip": "any", "log": true}

- name: Delete acl policy
  arubaoss_acl_policy:
    acl_name: "{{ item }}"
    state: delete
  with_items:
    - test2
    - test3
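The port-dictionary encoding used in the examples above (eq as a one-port range, neq through port_not_equal, lt and gt as open-ended ranges) is easy to get wrong by hand. The helper below is an added example, not code from the collection: it derives the source_port/destination_port dictionaries from a CLI-style operator, refuses matches that cover no port, and assembles the parameters of an any/any extended rule, rejecting port matches on protocols the module does not accept them for. The 65535 upper bound and the 0.0.0.0/255.255.255.255 "any" addressing follow the module's own examples.

```python
MAX_PORT = 65535  # highest port value used in the module's own examples
PORT_PROTOCOLS = {"PT_TCP", "PT_UDP", "PT_SCTP"}  # only these accept port matches


def port_match(op, port, end=None):
    """Dict for `op port`: op is eq, neq, lt, gt or range (range also needs end).
    Raises ValueError for a bad port or a match that would cover no port."""
    if not 1 <= port <= MAX_PORT:
        raise ValueError(f"port {port} out of range 1-{MAX_PORT}")
    if op == "eq":  # eq p -> range p..p, port_not_equal unused (0)
        start, stop, neq = port, port, 0
    elif op == "neq":  # neq p -> port_not_equal p, range unused (0..0)
        start, stop, neq = 0, 0, port
    elif op == "lt":  # lt p -> 1..p-1
        if port == 1:
            raise ValueError("lt 1 matches no port")
        start, stop, neq = 1, port - 1, 0
    elif op == "gt":  # gt p -> p+1..65535
        if port == MAX_PORT:
            raise ValueError(f"gt {MAX_PORT} matches no port")
        start, stop, neq = port + 1, MAX_PORT, 0
    elif op == "range":  # explicit start..end
        if end is None or not port <= end <= MAX_PORT:
            raise ValueError("range needs port <= end <= MAX_PORT")
        start, stop, neq = port, end, 0
    else:
        raise ValueError(f"unknown operator {op!r}")
    return {"port_not_equal": neq, "port_range_start": start, "port_range_end": stop}


def extended_rule(acl_name, action, protocol, src_port=None, dst_port=None):
    """arubaoss_acl_policy parameters for an any/any extended rule. src_port and
    dst_port are (op, port[, end]) tuples; port dicts need TCP, UDP or SCTP."""
    if (src_port or dst_port) and protocol not in PORT_PROTOCOLS:
        raise ValueError(f"{protocol} does not support port matching")
    task = {
        "acl_name": acl_name, "acl_type": "AT_EXTENDED_IPV4",
        "acl_action": action, "protocol_type": protocol,
        "source_ip_address": "0.0.0.0", "source_ip_mask": "255.255.255.255",
        "destination_ip_address": "0.0.0.0",
        "destination_ip_mask": "255.255.255.255",
    }
    if src_port:
        task["source_port"] = port_match(*src_port)
    if dst_port:
        task["destination_port"] = port_match(*dst_port)
    return task
```

Feed the returned mapping to the task's `arubaoss_acl_policy:` key (for instance through `module_defaults` or a `vars` lookup) rather than typing the three port keys per rule.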
Parameters:

options:
  acl_name:
    description: Name for the acl policy being configured.
    required: true
    type: str
  acl_type:
    description: Type of acl policy to be configured.
    choices:
      - AT_STANDARD_IPV4
      - AT_EXTENDED_IPV4
      - AT_CONNECTOIN_RATE_FILTER
    default: AT_STANDARD_IPV4
    required: false
  state:
    description: Creates or deletes the acl policy.
    choices:
      - create
      - delete
    default: create
    required: false
  acl_action:
    description: Action the acl rule will take. Required when defining an ACL rule.
    choices:
      - AA_DENY
      - AA_PERMIT
    required: false
    type: str
  sequence_no:
    description: Sequence number for the ACL rule to be configured.
    required: false
    type: int
  remark:
    description: Description for the acl policy.
    required: false
    type: str
  is_log:
    description: Enable/disable acl logging.
    required: false
    type: bool
  acl_source_address:
    description: Source ip address for an acl policy of type standard, i.e. 192.168.0.1. Used with acl_type=AT_STANDARD_IPV4.
    required: false
    type: str
  acl_source_mask:
    description: Net mask for acl_source_address in octet form, i.e. 255.255.255.0. Used with acl_type=AT_STANDARD_IPV4.
    required: false
    type: str
  source_ip_address:
    description: Applies to the source IP address matching this extended acl filter, i.e. 192.168.0.1. Used with acl_type=AT_EXTENDED_IPV4.
    required: false
  source_ip_mask:
    description: Net mask for source_ip_address in octet form, i.e. 255.255.255.0. Used with acl_type=AT_EXTENDED_IPV4.
    required: false
  destination_ip_address:
    description: Applies to the destination IP address/subnet matching this extended acl filter, i.e. 192.168.0.1. Used with acl_type=AT_EXTENDED_IPV4.
    required: false
  protocol_type:
    description: Protocol type for the acl filter. Applicable to extended acls.
    choices:
      - PT_GRE
      - PT_ESP
      - PT_AH
      - PT_OSPF
      - PT_PIM
      - PT_VRRP
      - PT_ICMP
      - PT_IGMP
      - PT_IP
      - PT_SCTP
      - PT_TCP
      - PT_UDP
    required: false
  source_port:
    description: Dictionary of ports to match on. Applies to the source port matching this filter. Only the PT_SCTP, PT_TCP and PT_UDP protocol types support source_port. Maximum value for port_range_end is 65525. Dictionary containing the keys 'port_not_equal', 'port_range_start' and 'port_range_end'. See the examples above. Used with acl_type=AT_EXTENDED_IPV4.
    required: false
    type: dict
  destination_port:
    description: Dictionary of integer ports to match on. Applies to the destination port matching this filter. Only the PT_SCTP, PT_TCP and PT_UDP protocol types support destination_port. Maximum value for port_range_end is 65525. Dictionary containing the keys 'port_not_equal', 'port_range_start' and 'port_range_end'. See the examples above. Used with acl_type=AT_EXTENDED_IPV4.
    required: false
    type: dict
  icmp_code:
    description: Applies to the icmp code matching this field. Only the PT_ICMP protocol_type supports icmp_code.
    default: -1
    required: false
    type: int
  icmp_type:
    description: Applies to the icmp type matching this field. Only the PT_ICMP protocol_type supports icmp_type.
    default: -1
    required: false
    type: int
  igmp_type:
    description: Applies to the igmp type matching this field. Only the PT_IGMP protocol_type supports igmp_type.
    choices:
      - IT_HOST_QUERY
      - IT_HOST_REPORT
      - IT_DVMRP
      - IT_PIM
      - IT_TRACE
      - IT_V2_HOST_REPORT
      - IT_V2_HOST_LEAVE
      - IT_MTRACE_REPLY
      - IT_MTRACE_REQUEST
      - IT_V3_HOST_REPORT
      - IT_MROUTER_ADVERTISEMENT
      - IT_MROUTER_SOLICITATION
      - IT_MROUTER_TERMINATION
    required: false
  match_bit:
    description:
      - The set of TCP match bits. Only the PT_TCP protocol_type supports match_bit.
      - MB_ACK matches TCP packets with the ACK bit set.
      - MB_FIN matches TCP packets with the FIN bit set.
      - MB_RST matches TCP packets with the RST bit set.
      - MB_SYN matches TCP packets with the SYN bit set.
    choices:
      - MB_ACK
      - MB_FIN
      - MB_RST
      - MB_SYN
    required: false
  is_connection_established:
    description: Match TCP packets of an established connection on the ACL rule. Only the PT_TCP protocol_type supports is_connection_established.
    required: false
    type: bool
  precedence:
    description: Match a specific IP precedence flag.
    choices:
      - 0
      - 1
      - 2
      - 3
      - 4
      - 5
      - 6
      - 7
    required: false
    type: int
  tos:
    description: Match a specific IP type of service flag (ToS value).
    choices:
      - 0
      - 2
      - 4
      - 8
    required: false
    type: int
  host:
    description: Specifies the DNS host name or address for connecting to the remote device over the specified transport. The value of host is used as the destination address for the transport.
    type: str
  port:
    description: Specifies the port to use when building the connection to the remote device.
    type: int
  username:
    description: Configures the username used to authenticate the connection to the remote device. This value is used to authenticate the SSH session. If the value is not specified in the task, the value of the environment variable ANSIBLE_NET_USERNAME is used instead.
    type: str
  password:
    description: Specifies the password used to authenticate the connection to the remote device. This value is used to authenticate the SSH session. If the value is not specified in the task, the value of the environment variable ANSIBLE_NET_PASSWORD is used instead.
    type: str
  ssh_keyfile:
    description: Specifies the SSH key used to authenticate the connection to the remote device. This value is the path to the key used to authenticate the SSH session. If the value is not specified in the task, the value of the environment variable ANSIBLE_NET_SSH_KEYFILE is used instead.
    type: path
  timeout:
    description: Specifies the timeout in seconds for communicating with the network device, for either connecting or sending commands. If the timeout is exceeded before the operation completes, the module errors.
    type: int
  use_ssl:
    description: Configures use of SSL (HTTPS) for access to the remote device.
    type: bool
  validate_certs:
    description: Configures certificate validation for access to the remote device.
    default: false
    type: bool
  api_version:
    description: Configures (forces) the API version (vX.Y) used for access to the remote device.
    default: None
    type: str
  provider:
    description: A dict object containing connection details.
    type: dict
    suboptions:
      api_version:
        description: Configures (forces) the API version (vX.Y) used for access to the remote device.
        default: None
        type: str
      host:
        description: Specifies the DNS host name or address for connecting to the remote device over the specified transport. The value of host is used as the destination address for the transport.
        type: str
      port:
        description: Specifies the port to use when building the connection to the remote device.
        type: int
      username:
        description: Configures the username used to authenticate the connection to the remote device. This value is used to authenticate the SSH session. If the value is not specified in the task, the value of the environment variable ANSIBLE_NET_USERNAME is used instead.
        type: str
      password:
        description: Specifies the password used to authenticate the connection to the remote device. This value is used to authenticate the SSH session. If the value is not specified in the task, the value of the environment variable ANSIBLE_NET_PASSWORD is used instead.
        type: str
      ssh_keyfile:
        description: Specifies the SSH key used to authenticate the connection to the remote device. This value is the path to the key used to authenticate the SSH session. If the value is not specified in the task, the value of the environment variable ANSIBLE_NET_SSH_KEYFILE is used instead.
        type: path
      timeout:
        description: Specifies the timeout in seconds for communicating with the network device, for either connecting or sending commands. If the timeout is exceeded before the operation completes, the module errors.
        type: int
      transport:
        description: Configures the transport (aossapi or network_cli) mode.
        default: aossapi
        type: str
      use_proxy:
        description: Configures use of a (local) proxy for access to the remote device.
        default: false
        type: bool
      use_ssl:
        description: Configures use of SSL (HTTPS) for access to the remote device.
        type: bool
      validate_certs:
        description: Configures certificate validation for access to the remote device.
        default: false
        type: bool
Return values:

  message:
    description: The output message that the sample module generates.
  original_message:
    description: The original name param that was passed in.
    type: str