arubanetworks.aoscx.aoscx_acl (4.3.2) module: Module for configuration of Access Control Lists in AOSCX switches.
Added in version 2.8.0 of arubanetworks.aoscx. Authors: Aruba Networks (@ArubaNetworks). Status: preview. Supported by: certified.

Install with: ansible-galaxy collection install arubanetworks.aoscx:==4.3.2

Or as a requirements.yml entry:

```yaml
collections:
  - name: arubanetworks.aoscx
    version: 4.3.2
```
This module provides the functionality for configuring Access Control Lists on AOSCX switches. For more detailed documentation see docs/aoscx_acl.md in this repository.
```yaml
# Deny a host inside an allowed network
# The following example shows how to allow all incoming traffic from a certain
# IPv4 network, but deny a single host, and keep a count of how many packets
# are sent to the switch from that host. Two ACEs are added; the one with the
# lowest sequence number is checked first for matches. One ACE is in charge of
# denying incoming traffic from the single host, while the other one allows
# incoming traffic from the rest of the network.
- name: >
    Configure IPv4 ACL to allow traffic from a network except a single host.
  aoscx_acl:
    name: allow_network_deny_host
    type: ipv4
    acl_entries:
      1:
        comment: "Deny the host"
        action: deny
        count: true
        src_ip: 158.10.12.57/32
        protocol: tcp
      2:
        comment: "Allow the network"
        action: permit
        src_ip: 158.10.12.1/16
        protocol: tcp
```
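To make the first-match rule concrete, here is an added Python illustration (not code from the collection) that walks a constructed copy of the entries above by ascending sequence number and shows what happens if the two sequence numbers are exchanged. It assumes a packet matching no ACE is dropped (implicit deny), which this page does not state.

```python
"""Added illustration of first-match ACE evaluation; not collection code.
Only src_ip, dst_ip, protocol and action are modelled. Assumption: a packet
that matches no ACE is dropped (implicit deny), which this page does not state."""
import ipaddress

# Constructed copy of the "deny a host inside an allowed network" entries above.
ALLOW_NETWORK_DENY_HOST = {
    1: {"action": "deny", "count": True, "src_ip": "158.10.12.57/32", "protocol": "tcp"},
    2: {"action": "permit", "src_ip": "158.10.12.1/16", "protocol": "tcp"},
}


def _matches(ace, packet):
    """True when every matching attribute present in the ACE fits the packet."""
    for key in ("src_ip", "dst_ip"):
        want = ace.get(key)
        if want and want != "any":
            # strict=False accepts host-style notation such as 158.10.12.1/16
            net = ipaddress.ip_network(want, strict=False)
            if ipaddress.ip_address(packet[key]) not in net:
                return False
    if "protocol" in ace and ace["protocol"] != packet["protocol"]:
        return False
    return True


def evaluate(acl_entries, packet):
    """Walk ACEs by ascending sequence number; the first match decides.
    Returns (action, sequence) or ("deny", None) for the assumed implicit deny."""
    for seq in sorted(acl_entries):
        ace = acl_entries[seq]
        if "action" not in ace:  # an ACE without an action is not activated
            continue
        if _matches(ace, packet):
            return ace["action"], seq
    return "deny", None


def swap_sequence(acl_entries, a, b):
    """Return the same ACEs with sequence numbers a and b exchanged."""
    swapped = dict(acl_entries)
    swapped[a], swapped[b] = acl_entries[b], acl_entries[a]
    return swapped


if __name__ == "__main__":
    host = {"src_ip": "158.10.12.57", "dst_ip": "10.0.0.1", "protocol": "tcp"}
    print(evaluate(ALLOW_NETWORK_DENY_HOST, host))  # ('deny', 1)
    # With the order reversed the permit ACE matches first and the host gets through.
    print(evaluate(swap_sequence(ALLOW_NETWORK_DENY_HOST, 1, 2), host))  # ('permit', 1)
```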
```yaml
# Deny a host and log urgent packets
# The following example shows how to deny all incoming and outgoing traffic
# from a single host, and log only when the packet is urgent.
- name: Configure IPv6 ACL that denies all traffic and logs urgent packets
  aoscx_acl:
    name: deny_host_log_urgent
    type: ipv6
    acl_entries:
      9:
        comment: "match urgent packets for log"
        tcp_urg: true
        log: true
        src_ip: 2001:db8::12/32
        dst_ip: 2001:db8::12/32
        action: deny
      10:
        comment: "match the rest of the packets"
        log: false
        src_ip: 2001:db8::12/32
        dst_ip: 2001:db8::12/32
        action: deny
```
```yaml
# Deny a network
# The following example shows how to deny all incoming and outgoing traffic
# from a network.
- name: Configure IPv6 ACL that denies all traffic
  aoscx_acl:
    name: deny_network
    type: ipv6
    acl_entries:
      10:
        action: deny
        count: true
        protocol: tcp
        src_ip: 2001:db8::/32
```
```yaml
# Simple L4 example
# The following example shows how to configure rules with L4 ports. It will
# allow traffic from ports 5000, 5001 and 5002 to port 3657. Note that when
# a match for only one port is intended, `src/dst_l4_port_max` and
# `src/dst_l4_port_min` must be equal.
- name: Configure port range
  aoscx_acl:
    name: simple_ports
    type: ipv4
    acl_entries:
      1:
        comment: "Use a range of ports"
        src_ip: 100.10.25.2/24
        dst_ip: 100.10.25.2/24
        src_l4_port_max: 5002
        src_l4_port_min: 5000
        dst_l4_port_max: 3657
        dst_l4_port_min: 3567
        action: permit
```
```yaml
- name: Configure port range
  aoscx_acl:
    name: simple_ports
    type: ipv4
    acl_entries:
      1:
        comment: "Use a range of ports"
        src_ip: 100.10.25.2/24
        dst_ip: 100.10.25.2/24
        src_l4_port: 5000-5002
        dst_l4_port: 3567-3657
        action: permit
```
```yaml
- name: Configure port
  aoscx_acl:
    name: simple_ports
    type: ipv4
    acl_entries:
      1:
        comment: "Use a port"
        src_ip: 100.10.25.2/24
        dst_ip: 100.10.25.2/24
        src_l4_port: 5000
        dst_l4_port: 3567
        action: permit
```
```yaml
- name: Delete ACL entry
  aoscx_acl:
    name: simple_ports
    type: ipv4
    acl_entries:
      1:
        comment: "Use a range of ports"
        src_ip: 100.10.25.2/24
        dst_ip: 100.10.25.2/24
        src_l4_port_max: 5002
        src_l4_port_min: 5000
        dst_l4_port_max: 3657
        dst_l4_port_min: 3567
        action: permit
    state: delete
```
```yaml
- name: Delete ipv4 ACL from config
  aoscx_acl:
    name: ipv4_acl
    type: ipv4
    state: delete
```
Parameters (module argument specification):

```yaml
name:
  description: Name of the access control list.
  required: true
  type: str
type:
  choices:
    - ipv4
    - ipv6
    - mac
  description: Type of ACL.
  required: true
  type: str
state:
  choices:
    - create
    - update
    - delete
  default: create
  description: The action taken with the current ACL.
  required: false
  type: str
acl_entries:
  description: >
    A dictionary, where the key is the sequence number of the Access Control
    Entry, and the value is a dictionary representing the Access Control Entry.
    A detailed description of these ACE dictionaries is provided in the notes
    section, and in docs/aoscx_acl.md. The ACEs are configured using a
    dictionary representation. A description of all available fields is
    provided here. All fields are optional, but there are certain internal
    dependencies that are related to how ACLs work.
  required: false
  type: dict
  suboptions:
    action:
      description: >
        Define the action to take on an ACL match. There are two options:
        `permit` and `deny`. `permit`: packets will be forwarded. `deny`:
        packets will be dropped. An ACE will only be activated when an
        associated action is provided.
      required: false
      type: str
    comment:
      description: Comment associated with the ACE.
      required: false
      type: str
    count:
      description: When true, increment the hit count for packets that match this ACL.
      required: false
      type: bool
    dscp:
      description: Differentiated Services Code Point matching attribute.
      required: false
      type: int
    dst_ip:
      description: >
        String with destination IP matching attribute. If no IP address is
        specified, the ACL Entry will not match on destination IP address.
        The following IPv4 and IPv6 address formats are accepted: IPv4 format
        with prefix length or subnet mask (A.B.C.D/W or A.B.C.D/W.X.Y.Z), and
        IPv6 format (A:B::C:D/W). To match any address the field can be left
        empty or use the 'any' keyword.
      required: false
      type: str
    dst_ip_group:
      description: >
        URL in string format of the ACL object group resource. This URL refers
        to the REST API interface and has the following format:
        `/system/acl_object_groups/{name},{object_type}`. This attribute is
        mutually exclusive with the destination IP address attribute. If
        `dst_ip_group` is configured, `dst_ip` will be ignored. The referenced
        object group must be of type `ipv4` or `ipv6`.
      required: false
      type: str
    dst_l4_port:
      description: >
        Range of L4 ports or L4 destination port to match on the packet. Use
        only if `dst_l4_port_min` and `dst_l4_port_max` are not specified.
      required: false
      type: str
    dst_l4_port_group:
      description: >
        URL in string format of the ACL object group resource. This URL refers
        to the REST API interface and has the following format:
        `/system/acl_object_groups/{name},{object_type}`. This attribute is
        mutually exclusive with the `dst_l4_port_min`, `dst_l4_port_max`, and
        `dst_l4_port_range_reverse` attributes. If this attribute is
        configured, the others will be ignored. The referenced object group
        must be of type `l4port`.
      required: false
      type: str
    dst_l4_port_max:
      description: >
        Maximum IP destination port matching attribute. Used in conjunction
        with `dst_l4_port_min` and `dst_l4_port_range_reverse`. Use only if
        `dst_l4_port` is not specified.
      required: false
      type: int
    dst_l4_port_min:
      description: >
        Minimum IP destination port matching attribute. Used in conjunction
        with `dst_l4_port_max` and `dst_l4_port_range_reverse`. Use only if
        `dst_l4_port` is not specified.
      required: false
      type: int
    dst_mac:
      description: >
        String with destination MAC matching attribute. Two formats are
        allowed (AAAA.BBBB.CCCC or AAAA.BBBB.CCCC/XXXX.YYYY.ZZZZ).
      required: false
      type: str
    ecn:
      description: Explicit Congestion Notification matching attribute.
      required: false
      type: int
    ethertype:
      description: Ethernet type matching attribute.
      required: false
      type: int
    fragment:
      description: Fragment matching attribute.
      required: false
      type: bool
    icmp_code:
      description: ICMP code matching attribute.
      required: false
      type: int
    icmp_type:
      description: ICMP type matching attribute.
      required: false
      type: int
    ip_precedence:
      description: IP Precedence matching attribute.
      required: false
      type: int
    log:
      description: >
        ACE attribute log action; when true, log information for packets that
        match the ACL.
      required: false
      type: bool
    pcp:
      description: Priority Code Point matching attribute.
      required: false
      type: int
    protocol:
      description: IPv4 protocol matching attribute.
      type: int
    src_ip:
      description: >
        String with source IP matching attribute. If no IP address is
        specified, the ACL Entry will not match on source IP address. The
        following IPv4 and IPv6 formats are accepted: IPv4 format with prefix
        length or subnet mask (A.B.C.D/W or A.B.C.D/W.X.Y.Z), and IPv6 format
        (A:B::C:D/W). To match any address the field can be left empty or use
        the 'any' keyword.
      required: false
      type: str
    src_ip_group:
      description: >
        URL in string format of the ACL object group resource. This URL refers
        to the REST API interface and has the following format:
        `/system/acl_object_groups/{name},{object_type}`. This attribute is
        mutually exclusive with the source IP address attribute. If
        `src_ip_group` is configured, `src_ip` will be ignored. The referenced
        object group must be of type `ipv4` or `ipv6`.
      required: false
      type: str
    src_l4_port:
      description: >
        Range of L4 ports or L4 source port to match on the packet. Use only
        if `src_l4_port_min` and `src_l4_port_max` are not specified.
      required: false
      type: str
    src_l4_port_group:
      description: >
        URL in string format of the ACL object group resource. This URL refers
        to the REST API interface and has the following format:
        `/system/acl_object_groups/{name},{object_type}`. This attribute is
        mutually exclusive with the `src_l4_port_min`, `src_l4_port_max`, and
        `src_l4_port_range_reverse` attributes; if this attribute is
        configured, the other ones will be ignored. The referenced object
        group must be of type `l4port`.
      required: false
      type: str
    src_l4_port_max:
      description: >
        Maximum L4 port to match on the packet. Use only if `src_l4_port` is
        not specified.
      required: false
      type: int
    src_l4_port_min:
      description: >
        Minimum L4 port to match on the packet. Use only if `src_l4_port` is
        not specified.
      required: false
      type: int
    src_mac:
      description: >
        String with source MAC matching attribute. Two formats are allowed
        (AAAA.BBBB.CCCC or AAAA.BBBB.CCCC/XXXX.YYYY.ZZZZ).
      required: false
      type: str
    tcp_ack:
      description: TCP Acknowledge flag matching attribute.
      required: false
      type: bool
    tcp_cwr:
      description: TCP CWR flag matching attribute.
      required: false
      type: bool
    tcp_ece:
      description: TCP ECE flag matching attribute.
      required: false
      type: bool
    tcp_established:
      description: TCP established state (ACK or RST flag is set).
      required: false
      type: bool
    tcp_fin:
      description: TCP FIN flag matching attribute.
      required: false
      type: bool
    tcp_psh:
      description: TCP PSH flag matching attribute.
      required: false
      type: bool
    tcp_rst:
      description: TCP RST flag matching attribute.
      required: false
      type: bool
    tcp_urg:
      description: TCP URG flag matching attribute.
      required: false
      type: bool
    tos:
      description: IP Type of Service value matching attribute.
      type: int
    ttl:
      description: Time-to-live matching attribute.
      type: int
    vlan:
      description: VLAN ID matching attribute.
      type: int
```
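The option descriptions above spell out several dependencies between ACE fields (an ACE is inactive without an action, `*_ip_group` overrides `*_ip`, `*_l4_port` and `*_l4_port_min`/`*_l4_port_max` are alternatives, `*_l4_port_group` overrides the min/max pair). The following added Python linter (not part of the collection) checks a task dictionary against those rules before it reaches a switch; the `min <= max` check is an assumption, since the page only says equal values select a single port.

```python
"""Added consistency checks for an aoscx_acl task, derived from the option
descriptions above; not part of the collection. The min <= max check is an
assumption: the page only says equal values select a single port."""
import re

PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?$")  # "5000" or "5000-5002"


def lint_ace(seq, ace):
    """Return the problems found in one ACE dictionary (empty list if clean)."""
    problems = []
    if "action" not in ace:
        problems.append(f"{seq}: no action, ACE will not be activated")
    elif ace["action"] not in ("permit", "deny"):
        problems.append(f"{seq}: action must be permit or deny")
    for side in ("src", "dst"):
        ip, grp = f"{side}_ip", f"{side}_ip_group"
        if ip in ace and grp in ace:
            problems.append(f"{seq}: {grp} set, {ip} will be ignored")
        port, lo, hi, pgrp = (f"{side}_l4_port", f"{side}_l4_port_min",
                              f"{side}_l4_port_max", f"{side}_l4_port_group")
        if port in ace and (lo in ace or hi in ace):
            problems.append(f"{seq}: use {port} or {lo}/{hi}, not both")
        if port in ace and not PORT_RE.match(str(ace[port])):
            problems.append(f"{seq}: {port} must look like N or N-M")
        if pgrp in ace and (lo in ace or hi in ace):
            problems.append(f"{seq}: {pgrp} set, {lo}/{hi} will be ignored")
        if lo in ace and hi in ace and ace[lo] > ace[hi]:
            problems.append(f"{seq}: {lo} is greater than {hi}")
    return problems


def lint_acl(task):
    """Lint the dictionary given under the aoscx_acl key of a task."""
    problems = []
    if task.get("type") not in ("ipv4", "ipv6", "mac"):
        problems.append("type must be ipv4, ipv6 or mac")
    if task.get("state", "create") not in ("create", "update", "delete"):
        problems.append("state must be create, update or delete")
    for seq, ace in sorted(task.get("acl_entries", {}).items()):
        problems.extend(lint_ace(seq, ace))
    return problems


# Constructed task mixing the range and single-port forms on the same side.
CONFLICTING_PORTS = {"name": "simple_ports", "type": "ipv4", "acl_entries": {
    1: {"action": "permit", "dst_l4_port": "3567",
        "dst_l4_port_min": 3567, "dst_l4_port_max": 3567}}}
```

Running `lint_acl` over the task dictionaries of a playbook (for example from a pre-commit hook) surfaces an ACE that would silently be ignored or never activated before the change is pushed to the switch.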