arubanetworks.aoscx.aoscx_acl (4.3.2) — module

Module for configuration of Access Control Lists in AOSCX switches.

Added in version 2.8.0 of arubanetworks.aoscx

Authors: Aruba Networks (@ArubaNetworks)

Status: preview | Supported by: certified

Install collection

Install with ansible-galaxy collection install arubanetworks.aoscx:==4.3.2


Add to requirements.yml

  collections:
    - name: arubanetworks.aoscx
      version: 4.3.2

Description

This module provides the functionality for configuring Access Control Lists on AOSCX switches. For more detailed documentation see docs/aoscx_acl.md in this repository.

Usage examples

# Deny a host inside an allowed network
# The following example shows how to allow all incoming traffic from a certain
# IPv4 network, but deny a single host, and keep a count of how many packets
# are sent to the switch from that host. Two ACEs are added, the one with
# lowest sequence number is checked first for matches. One ACE is in charge of
# denying incoming traffic from the single host, while the other one allows
# incoming from the rest of the network.
- name: >
    Configure IPv4 ACL to allow traffic from a network except a single host.
  aoscx_acl:
    name: allow_network_deny_host
    type: ipv4
    acl_entries:
      1:
        comment: "Deny the host"
        action: deny
        count: true
        src_ip: 158.10.12.57/32
        protocol: tcp
      2:
        comment: "Allow the network"
        action: permit
        src_ip: 158.10.12.1/16
        protocol: tcp
# Deny a host and log urgent packets
# The following example shows how to deny all incoming and outgoing traffic
# from a single host, and log only the packets that have the TCP URG flag set.
# The ACE with the lower sequence number (9) is evaluated first, so urgent
# packets are logged and dropped there; everything else falls through to 10.
- name: Configure IPv6 ACL that denies all traffic and logs urgent packets
  aoscx_acl:
    name: deny_host_log_urgent
    type: ipv6
    acl_entries:
      9:
        comment: "match urgent packets for log"
        tcp_urg: true
        log: true
        src_ip: 2001:db8::12/128
        dst_ip: 2001:db8::12/128
        action: deny
      10:
        comment: "match the rest of the packets"
        log: false
        src_ip: 2001:db8::12/128
        dst_ip: 2001:db8::12/128
        action: deny
# Deny a network
# The following example shows how to deny all incoming and outgoing TCP traffic
# from a network, counting the packets that hit the rule.
- name: Configure IPv6 ACL that denies all traffic
  aoscx_acl:
    name: deny_network
    type: ipv6
    acl_entries:
      10:
        action: deny
        count: true
        protocol: tcp
        src_ip: 2001:db8::/32
# Simple L4 example
# The following example shows how to configure rules with L4 ports. It will
# allow traffic from ports 5000, 5001 and 5002 to port 3657. Note that when
# a match for only one port is intended, `src/dst_l4_port_max` and
# `src/dst_l4_port_min` must be set to the same value.
- name: Configure port range
  aoscx_acl:
    name: simple_ports
    type: ipv4
    acl_entries:
      1:
        comment: "Use a range of ports"
        src_ip: 100.10.25.2/24
        dst_ip: 100.10.25.2/24
        src_l4_port_max: 5002
        src_l4_port_min: 5000
        dst_l4_port_max: 3657
        dst_l4_port_min: 3567
        action: permit
# The same rule written with the `src_l4_port`/`dst_l4_port` range string
# ("min-max") instead of the separate min/max attributes. The two forms are
# alternatives: do not combine `dst_l4_port` with `dst_l4_port_min/max`.
- name: Configure port range
  aoscx_acl:
    name: simple_ports
    type: ipv4
    acl_entries:
      1:
        comment: "Use a range of ports"
        src_ip: 100.10.25.2/24
        dst_ip: 100.10.25.2/24
        src_l4_port: 5000-5002
        dst_l4_port: 3567-3657
        action: permit
# A single port: a bare port number in `src_l4_port`/`dst_l4_port`.
- name: Configure port
  aoscx_acl:
    name: simple_ports
    type: ipv4
    acl_entries:
      1:
        comment: "Use a port"
        src_ip: 100.10.25.2/24
        dst_ip: 100.10.25.2/24
        src_l4_port: 5000
        dst_l4_port: 3567
        action: permit
# Delete a single ACE: `state: delete` together with the entry's sequence
# number removes that entry from the ACL.
- name: Delete ACL entry
  aoscx_acl:
    name: simple_ports
    type: ipv4
    acl_entries:
      1:
        comment: "Use a range of ports"
        src_ip: 100.10.25.2/24
        dst_ip: 100.10.25.2/24
        src_l4_port_max: 5002
        src_l4_port_min: 5000
        dst_l4_port_max: 3657
        dst_l4_port_min: 3567
        action: permit
    state: delete
# Delete the whole ACL: `state: delete` without `acl_entries`.
- name: Delete ipv4 ACL from config
  aoscx_acl:
    name: ipv4_acl
    type: ipv4
    state: delete

Inputs

name:
    description: Name of the access control list.
    required: true
    type: str

type:
    choices:
    - ipv4
    - ipv6
    - mac
    description: Type of ACL
    required: true
    type: str

state:
    choices:
    - create
    - update
    - delete
    default: create
    description: The action taken with the current ACL
    required: false
    type: str

acl_entries:
    description: 'A dictionary, where the key is the sequence number of the Access Control
      Entry, and the value is a dictionary representing the Access Control Entry. A detailed
      description of these ACE dictionaries is provided in the notes section and in docs/aoscx_acl.md.
      The ACEs are configured using a dictionary representation. A description of all
      available fields is provided here. All fields are optional, but there are certain
      internal dependencies that are related to how ACLs work.

      '
    required: false
    suboptions:
      action:
        description: 'Define the action to take on an ACL match. There are two options:
          `permit`, and `deny`. `permit`: packets will be forwarded. `deny`: packets will
          be dropped. ACE will only be activated when an associated action is provided.

          '
        required: false
        type: str
      comment:
        description: Comment associated with the ACE
        required: false
        type: str
      count:
        description: 'When true, increment hit count for packets that match this ACL.

          '
        required: false
        type: bool
      dscp:
        description: Differentiated Services Code Point (DSCP) matching attribute.
        required: false
        type: int
      dst_ip:
        description: 'String with destination IP matching attribute. If no IP address is specified,
          the ACL Entry will not match on destination IP address. The following IPv4 and
          IPv6 address formats are accepted. IPv4 format with prefix length or subnet
          mask (A.B.C.D/W or A.B.C.D/W.X.Y.Z). IPv6 format (A:B::C:D/W). To match any
          address the field can be left empty or use the ''any'' keyword.

          '
        required: false
        type: str
      dst_ip_group:
        description: 'URL in string format of the ACL object group resource. This URL
          refers to the REST API interface and has the following format: `/system/acl_object_groups/{name},{object_type}`.
          This attribute is mutually exclusive with the destination IP address attribute.
          If `dst_ip_group` is configured, `dst_ip` will be ignored. The referenced object
          group must be of type `ipv4` or `ipv6`.

          '
        required: false
        type: str
      dst_l4_port:
        description: 'Range of L4 ports or L4 destination port to match on the packet.
          Use only if `dst_l4_port_min` and `dst_l4_port_max` are not specified.

          '
        required: false
        type: str
      dst_l4_port_group:
        description: 'URL in string format of the ACL object group resource. This URL
          refers to the REST API interface and has the following format: `/system/acl_object_groups/{name},{object_type}`.
          This attribute is mutually exclusive with the `dst_l4_port_min`, `dst_l4_port_max`,
          and `dst_l4_port_range_reverse` attributes. If this attribute is configured,
          the others will be ignored. The referenced object group must be of type `l4port`.

          '
        required: false
        type: str
      dst_l4_port_max:
        description: 'Maximum IP destination port matching attribute. Used in conjunction
          with `dst_l4_port_min` and `dst_l4_port_range_reverse`. Use only if `dst_l4_port`
          is not specified.

          '
        required: false
        type: int
      dst_l4_port_min:
        description: 'Minimum IP destination port matching attribute. Used in conjunction
          with `dst_l4_port_max` and `dst_l4_port_range_reverse`. Use only if `dst_l4_port`
          is not specified.

          '
        required: false
        type: int
      dst_mac:
        description: 'String with destination MAC matching attribute. Two formats are
          allowed (AAAA.BBBB.CCCC or AAAA.BBBB.CCCC/XXXX.YYYY.ZZZZ).

          '
        required: false
        type: str
      ecn:
        description: Explicit Congestion Notification matching attribute.
        required: false
        type: int
      ethertype:
        description: Ethernet type matching attribute.
        required: false
        type: int
      fragment:
        description: Fragment matching attribute.
        required: false
        type: bool
      icmp_code:
        description: ICMP code matching attribute.
        required: false
        type: int
      icmp_type:
        description: ICMP type matching attribute.
        required: false
        type: int
      ip_precedence:
        description: IP Precedence matching attribute.
        required: false
        type: int
      log:
        description: 'ACE attribute log action; when true, log information for packets
          that match ACL.

          '
        required: false
        type: bool
      pcp:
        description: Priority Code Point matching attribute.
        required: false
        type: int
      protocol:
        description: IPv4 protocol matching attribute.
        type: int
      src_ip:
        description: 'String with source IP matching attribute. If no IP address is specified,
          the ACL Entry will not match on source IP address. The following IPv4 and IPv6
          address formats are accepted. IPv4 format with prefix length or subnet mask (A.B.C.D/W
          or A.B.C.D/W.X.Y.Z). IPv6 format (A:B::C:D/W). To match any address the field
          can be left empty or use the ''any'' keyword.

          '
        required: false
        type: str
      src_ip_group:
        description: 'URL in string format of the ACL object group resource. This URL
          refers to the REST API interface and has the following format: `/system/acl_object_groups/{name},{object_type}`.
          This attribute is mutually exclusive with the source IP address attribute. If
          `src_ip_group` is configured, `src_ip` will be ignored. The referenced object
          group must be of type `ipv4` or `ipv6`.

          '
        required: false
        type: str
      src_l4_port:
        description: 'Range of L4 ports or L4 source port to match on the packet. Use
          only if `src_l4_port_min` and `src_l4_port_max` are not specified.

          '
        required: false
        type: str
      src_l4_port_group:
        description: 'URL in string format of the ACL object group resource. This URL
          refers to the REST API interface and has the following format: `/system/acl_object_groups/{name},{object_type}`.
          This attribute is mutually exclusive with the `src_l4_port_min`, `src_l4_port_max`,
          and `src_l4_port_range_reverse` attributes, and if this attribute is configured,
          the other ones will be ignored. The referenced object group must be of type
          `l4port`.

          '
        required: false
        type: str
      src_l4_port_max:
        description: 'Maximum L4 port to match on the packet. Use only if `src_l4_port`
          is not specified.

          '
        required: false
        type: int
      src_l4_port_min:
        description: 'Minimum L4 port to match on the packet. Use only if `src_l4_port`
          is not specified.

          '
        required: false
        type: int
      src_mac:
        description: 'String with source MAC matching attribute. Two formats are allowed
          (AAAA.BBBB.CCCC or AAAA.BBBB.CCCC/XXXX.YYYY.ZZZZ).

          '
        required: false
        type: str
      tcp_ack:
        description: TCP Acknowledge flag matching attribute
        required: false
        type: bool
      tcp_cwr:
        description: TCP CWR flag matching attribute
        required: false
        type: bool
      tcp_ece:
        description: TCP ECE flag matching attribute
        required: false
        type: bool
      tcp_established:
        description: TCP established state (ACK or RST flag is set)
        required: false
        type: bool
      tcp_fin:
        description: TCP FIN flag matching attribute
        required: false
        type: bool
      tcp_psh:
        description: TCP PSH flag matching attribute
        required: false
        type: bool
      tcp_rst:
        description: TCP RST flag matching attribute
        required: false
        type: bool
      tcp_urg:
        description: TCP URG flag matching attribute
        required: false
        type: bool
      tos:
        description: IP Type of service value matching attribute.
        type: int
      ttl:
        description: Time-to-live matching attribute.
        type: int
      vlan:
        description: VLAN ID matching attribute.
        type: int
    type: dict
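Added example, not code from the arubanetworks.aoscx collection: a Python pre-flight check of an `aoscx_acl` task's arguments that encodes the dependencies stated in the inputs above and in the L4 port note of the usage examples (`type` is required; an ACE needs an `action` to be active; `*_ip_group` and `*_l4_port_group` override the attributes they are exclusive with; `src/dst_l4_port` and the min/max pair are alternatives, a single port being min == max; the `A.B.C.D/W`, `A.B.C.D/W.X.Y.Z` and `A:B::C:D/W` address forms). The object-group URL pattern and the host-bits warning are this example's own assumptions, not module behaviour.

```python
# Added example, not part of arubanetworks.aoscx: pre-flight validation of aoscx_acl args.
import ipaddress
import re

SHADOWED = {  # object-group attribute -> attributes the docs say it overrides when both are set
    "src_ip_group": ("src_ip",), "dst_ip_group": ("dst_ip",),
    "src_l4_port_group": ("src_l4_port", "src_l4_port_min", "src_l4_port_max"),
    "dst_l4_port_group": ("dst_l4_port", "dst_l4_port_min", "dst_l4_port_max"),
}
# Assumed shape of /system/acl_object_groups/{name},{object_type}; not from the module.
GROUP_URL = re.compile(r"^/system/acl_object_groups/[^,/]+,(ipv4|ipv6|l4port)$")


def l4_range(ace, side):
    """Resolve one side's ("src"/"dst") L4 ports to (min, max) or None. Accepts the
    'src_l4_port' string form ('5000' or '5000-5002') or the min/max pair, never both."""
    rng, lo, hi = (ace.get(f"{side}_l4_port"), ace.get(f"{side}_l4_port_min"),
                   ace.get(f"{side}_l4_port_max"))
    if rng is not None and (lo is not None or hi is not None):
        raise ValueError(f"{side}: use {side}_l4_port or the min/max pair, not both")
    if rng is not None:  # a single port is the degenerate range min == max
        lo, hi = (int(p) for p in (str(rng).split("-") * 2)[:2])
    if (lo is None) != (hi is None):
        raise ValueError(f"{side}: l4 port min and max must be given together")
    if lo is not None and not 0 <= lo <= hi <= 65535:
        raise ValueError(f"{side}: invalid L4 port range {lo}-{hi}")
    return None if lo is None else (lo, hi)


def validate_acl(acl):
    """Raise ValueError on a hard error; return warnings for what the switch would ignore."""
    acl_type = acl.get("type")
    if acl_type not in ("ipv4", "ipv6", "mac"):
        raise ValueError("type is required and must be ipv4, ipv6 or mac")
    warnings = []
    for seq, ace in sorted(acl.get("acl_entries", {}).items(), key=lambda kv: int(kv[0])):
        if ace.get("action") not in ("permit", "deny"):
            raise ValueError(f"ACE {seq}: action must be permit or deny, else the ACE is inactive")
        for group, shadowed in SHADOWED.items():
            if group in ace and not GROUP_URL.match(ace[group]):
                raise ValueError(f"ACE {seq}: {group} is not an object-group URL")
            warnings += [f"ACE {seq}: {a} ignored, {group} is set" for a in shadowed if group in ace and a in ace]
        for key in ("src_ip", "dst_ip"):
            if ace.get(key) in (None, "any"):
                continue
            iface = ipaddress.ip_interface(ace[key])  # A.B.C.D/W, A.B.C.D/W.X.Y.Z or A:B::C:D/W
            if acl_type != "mac" and f"ipv{iface.version}" != acl_type:
                raise ValueError(f"ACE {seq}: {key} {ace[key]} does not fit ACL type {acl_type}")
            if iface.ip != iface.network.network_address:  # assumed check: host bits set
                warnings.append(f"ACE {seq}: {key} {ace[key]} has host bits set, matches {iface.network}")
        [l4_range(ace, side) for side in ("src", "dst")]
    return warnings
```

Run `validate_acl` on the task's `aoscx_acl` dict in a pre-task (or a unit test of the playbook) to catch a missing `type`, a shadowed `src_ip`, or a half-specified port range before the play reaches the switch.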