cisco.nxos.nxos_acl_interfaces (7.0.0) — module

ACL interfaces resource module

Added in version 1.0.0 of cisco.nxos

Authors: Adharsh Srivats Rangarajan (@adharshsrivatsr)

Install collection

Install with ansible-galaxy collection install cisco.nxos:==7.0.0


Add to requirements.yml

  # Exact version pin: the install resolves to this release only, so an
  # upgrade is a deliberate edit to this file.
  collections:
    - name: cisco.nxos
      version: '7.0.0'

Description

Add and remove Access Control Lists on interfaces in NX-OS platform

Usage examples

# Using merged

# Before state:
# ------------
#

# merged adds the ACL bindings listed under config to each named interface.
- name: Merge ACL interfaces configuration
  cisco.nxos.nxos_acl_interfaces:
    state: merged
    config:
      - name: Ethernet1/2
        access_groups:
          - afi: ipv6
            acls:
              - name: ACL1v6
                direction: in
      - name: Eth1/5
        access_groups:
          - afi: ipv4
            acls:
              # port: true applies the ACL as a port policy; the after-state
              # shows it as "ip port access-group PortACL in".
              - name: PortACL
                direction: in
                port: true
              - name: ACL1v4
                direction: out
          - afi: ipv6
            acls:
              - name: ACL1v6
                direction: in
# After state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

# Using replaced

# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

# replaced acts per listed interface: in the before/after listings around this
# task, Ethernet1/5 loses PortACL, ACL1v4 and ACL1v6 and keeps only NewACLv4,
# while Ethernet1/2 (not listed) keeps its binding. Any ACL that must stay on
# a listed interface has to be restated here.
- name: Replace interface configuration with given configuration
  cisco.nxos.nxos_acl_interfaces:
    state: replaced
    config:
      - name: Eth1/5
        access_groups:
          - afi: ipv4
            acls:
              - name: NewACLv4
                direction: out
      - name: Ethernet1/3
        access_groups:
          - afi: ipv6
            acls:
              # Port policy; shown afterwards as
              # "ipv6 port traffic-filter NewACLv6 in".
              - name: NewACLv6
                direction: in
                port: true
# After state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/3
#   ipv6 port traffic-filter NewACLv6 in
# interface Ethernet1/5
#   ip access-group NewACLv4 out

# Using overridden

# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

# overridden is not limited to the interfaces listed: in the before/after
# listings around this task, the ACL bindings on Ethernet1/2 and Ethernet1/5
# are gone and only Ethernet1/3 carries ACLs afterwards. Treat config as the
# complete desired set of interface ACL bindings for the device.
- name: Override interface configuration with given configuration
  cisco.nxos.nxos_acl_interfaces:
    state: overridden
    config:
      - name: Ethernet1/3
        access_groups:
          - afi: ipv4
            acls:
              - name: ACL1v4
                direction: out
              - name: PortACL
                direction: in
                port: true
          - afi: ipv6
            acls:
              - name: NewACLv6
                direction: in
                port: true
# After state:
# ------------
# interface Ethernet1/3
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in
#   ipv6 port traffic-filter NewACLv6 in

# Using deleted to remove ACL config from specified interfaces

# Before state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

# An entry that carries only a name removes every ACL binding from that
# interface: the after-state shows Ethernet1/2 and Ethernet1/5 with no ACL
# applied, while Ethernet1/1 (not listed) keeps ACL2v4.
- name: Delete ACL configuration on interfaces
  cisco.nxos.nxos_acl_interfaces:
    state: deleted
    config:
      - name: Ethernet1/5
      - name: Ethernet1/2
# After state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
# interface Ethernet1/5

# Using deleted to remove ACL config from all interfaces

# Before state:
# -------------
# interface Ethernet1/1
#   ip access-group ACL2v4 in
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ip port access-group PortACL in
#   ip access-group ACL1v4 out
#   ipv6 traffic-filter ACL1v6 in

# No config is given, so the deletion is not limited to named interfaces:
# the after-state on this page shows Ethernet1/1, Ethernet1/2 and Ethernet1/5
# all left without an ACL binding. Consider running the play with --check
# first and reviewing the returned "commands" before applying.
- name: Delete ACL configuration from all interfaces
  cisco.nxos.nxos_acl_interfaces:
    state: deleted
# After state:
# -------------
# interface Ethernet1/1
# interface Ethernet1/2
# interface Ethernet1/5

# Using parsed

# parsed converts the text supplied in running_config into structured data,
# returned under the "parsed" key of the result.
- name: Parse given configuration into structured format
  cisco.nxos.nxos_acl_interfaces:
    state: parsed
    # Expected input: the output of
    # show running-config | section '^interface'
    running_config: |
      interface Ethernet1/2
      ipv6 traffic-filter ACL1v6 in
      interface Ethernet1/5
      ipv6 traffic-filter ACL1v6 in
      ip access-group ACL1v4 out
      ip port access-group PortACL in
# returns
# parsed:
#   - name: Ethernet1/2
#     access_groups:
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in
#   - name: Ethernet1/5
#     access_groups:
#       - afi: ipv4
#         acls:
#           - name: PortACL
#             direction: in
#             port: True
#           - name: ACL1v4
#             direction: out
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in


# Using gathered:

# Before state:
# ------------
# interface Ethernet1/2
#   ipv6 traffic-filter ACL1v6 in
# interface Ethernet1/5
#   ipv6 traffic-filter ACL1v6 in
#   ip access-group ACL1v4 out
#   ip port access-group PortACL in

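# gathered reads the interface ACL bindings from the device and returns them
# under the "gathered" key. No config is supplied, so the key is omitted
# rather than left as a bare "config:" (which parses as null).
- name: Gather existing configuration from device
  cisco.nxos.nxos_acl_interfaces:
    state: gathered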
# returns
# gathered:
#   - name: Ethernet1/2
#     access_groups:
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in
#   - name: Ethernet1/5
#     access_groups:
#       - afi: ipv4
#         acls:
#           - name: PortACL
#             direction: in
#             port: True
#           - name: ACL1v4
#             direction: out
#       - afi: ipv6
#         acls:
#           - name: ACL1v6
#             direction: in


# Using rendered

# rendered builds the device commands for the config below (the task name
# describes them as the configuration to be pushed to the device). This is
# useful for reviewing an ACL change before applying it with another state.
- name: Render required configuration to be pushed to the device
  cisco.nxos.nxos_acl_interfaces:
    state: rendered
    config:
      - name: Ethernet1/2
        access_groups:
          - afi: ipv6
            acls:
              - name: ACL1v6
                direction: in
      - name: Ethernet1/5
        access_groups:
          - afi: ipv4
            acls:
              # port: true marks the ACL as a port policy.
              - name: PortACL
                direction: in
                port: true
              - name: ACL1v4
                direction: out
          - afi: ipv6
            acls:
              - name: ACL1v6
                direction: in

Inputs

    
state:
    choices:
    - deleted
    - gathered
    - merged
    - overridden
    - rendered
    - replaced
    - parsed
    default: merged
    description: The state the configuration should be left in
    type: str

config:
    description: A list of interfaces to be configured with ACLs
    elements: dict
    suboptions:
      access_groups:
        description: List of address family indicators with ACLs to be configured on the
          interface
        elements: dict
        suboptions:
          acls:
            description: List of Access Control Lists for the interface
            elements: dict
            suboptions:
              direction:
                choices:
                - in
                - out
                description: Direction to be applied for the ACL
                required: true
                type: str
              name:
                description: Name of the ACL to be added/removed
                required: true
                type: str
              port:
                description: Use ACL as port policy.
                type: bool
            type: list
          afi:
            choices:
            - ipv4
            - ipv6
            description: Address Family Indicator of the ACLs to be configured
            required: true
            type: str
        type: list
      name:
        description: Name of the interface
        required: true
        type: str
    type: list

running_config:
    description:
    - This option is used only with state I(parsed).
    - The value of this option should be the output received from the NX-OS device by
      executing the command B(show running-config | section '^interface').
    - The state I(parsed) reads the configuration from C(running_config) option and transforms
      it into Ansible structured data as per the resource module's argspec and the value
      is then returned in the I(parsed) key within the result.
    type: str

Outputs

after:
  description: The resulting configuration after the model invocation.
  returned: when changed
  sample: "The configuration returned will always be in the same format\n of the parameters\
    \ above.\n"
  type: dict
before:
  description: The configuration prior to the model invocation.
  returned: always
  sample: "The configuration returned will always be in the same format\n of the parameters\
    \ above.\n"
  type: dict
commands:
  description: The set of commands pushed to the remote device.
  returned: always
  sample:
  - interface Ethernet1/2
  - ipv6 traffic-filter ACL1v6 out
  - ip port access-group PortACL in
  type: list