community.general.ce_acl_advance (0.1.1) — module

Manages advanced ACL configuration on HUAWEI CloudEngine switches.

Authors: wangdezhuang (@QijunPan)

preview | supported by community

Install collection

Install with ansible-galaxy collection install community.general:==0.1.1


Add to requirements.yml

  collections:
    - name: community.general
      version: 0.1.1

Description

Manages advanced ACL configurations on HUAWEI CloudEngine switches.

Usage examples


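# Example play for community.general.ce_acl_advance: create and remove an
# advanced ACL, then create and remove a single rule inside a named ACL.
- name: CloudEngine advance acl test
  hosts: cloudengine
  connection: local
  # Facts are not needed for these tasks; use a real boolean rather than the
  # YAML-1.1 truthy form "no".
  gather_facts: false
  vars:
    # Connection parameters passed to every task through "provider".
    # username/password are templated, so the credentials are expected to come
    # from inventory or extra variables (ideally vault-encrypted) rather than
    # being written into the playbook.
    cli:
      host: "{{ inventory_hostname }}"
      port: "{{ ansible_ssh_port }}"
      username: "{{ username }}"
      password: "{{ password }}"
      transport: cli

  tasks:

  # acl_name accepts an ACL number (3000-3999) or a name and is documented as a
  # string; quoting keeps 3200 from being parsed as an integer.
  - name: "Config ACL"
    ce_acl_advance:
      state: present
      acl_name: "3200"
      provider: "{{ cli }}"

  # state=delete_acl removes the whole ACL (state=absent only removes a rule).
  - name: "Undo ACL"
    ce_acl_advance:
      state: delete_acl
      acl_name: "3200"
      provider: "{{ cli }}"

  # Permit TCP from 10.10.10.10/24 fragments, as rule 111 of the named ACL.
  - name: "Config ACL advance rule"
    ce_acl_advance:
      state: present
      acl_name: test
      rule_name: test_rule
      rule_id: 111
      rule_action: permit
      protocol: tcp
      source_ip: "10.10.10.10"
      src_mask: 24
      frag_type: fragment
      provider: "{{ cli }}"

  # state=absent removes only the matching rule; the ACL itself remains.
  - name: "Undo ACL advance rule"
    ce_acl_advance:
      state: absent
      acl_name: test
      rule_name: test_rule
      rule_id: 111
      rule_action: permit
      protocol: tcp
      source_ip: "10.10.10.10"
      src_mask: 24
      frag_type: fragment
      provider: "{{ cli }}"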

Inputs

tos:
    description:
    - ToS value on which data packet filtering is based. The value is an integer ranging
      from 0 to 15.

dscp:
    description:
    - Differentiated Services Code Point. The value is an integer ranging from 0 to 63.

state:
    choices:
    - present
    - absent
    - delete_acl
    default: present
    description:
    - Specify the desired state of the resource.
    required: false

acl_num:
    description:
    - ACL number. The value is an integer ranging from 3000 to 3999.

dest_ip:
    description:
    - Destination IP address. The value is a string of 0 to 255 characters. The default
      value is 0.0.0.0. The value is in dotted decimal notation.

rule_id:
    description:
    - ID of a basic ACL rule in configuration mode. The value is an integer ranging from
      0 to 4294967294.

acl_name:
    description:
    - ACL number or name. For a numbered rule group, a value ranging from 3000 to 3999
      indicates an advanced ACL. For a named rule group, the value is a string of 1 to 32
      case-sensitive characters starting with a letter; spaces are not supported.
    required: true

acl_step:
    description:
    - ACL step. The value is an integer ranging from 1 to 20. The default value is 5.

log_flag:
    default: false
    description:
    - Flag of logging matched data packets.
    type: bool

protocol:
    choices:
    - ip
    - icmp
    - igmp
    - ipinip
    - tcp
    - udp
    - gre
    - ospf
    description:
    - Protocol type.

src_mask:
    description:
    - Source IP address mask. The value is an integer ranging from 1 to 32.

syn_flag:
    description:
    - TCP flag value. The value is an integer ranging from 0 to 63.

vrf_name:
    description:
    - VPN instance name. The value is a string of 1 to 31 characters. The default value
      is _public_.

dest_mask:
    description:
    - Destination IP address mask. The value is an integer ranging from 1 to 32.

frag_type:
    choices:
    - fragment
    - clear_fragment
    description:
    - Type of packet fragmentation.

icmp_code:
    description:
    - ICMP message code. Data packets can be filtered based on the ICMP message code.
      The value is an integer ranging from 0 to 255.

icmp_name:
    choices:
    - unconfiged
    - echo
    - echo-reply
    - fragmentneed-DFset
    - host-redirect
    - host-tos-redirect
    - host-unreachable
    - information-reply
    - information-request
    - net-redirect
    - net-tos-redirect
    - net-unreachable
    - parameter-problem
    - port-unreachable
    - protocol-unreachable
    - reassembly-timeout
    - source-quench
    - source-route-failed
    - timestamp-reply
    - timestamp-request
    - ttl-exceeded
    - address-mask-reply
    - address-mask-request
    - custom
    description:
    - ICMP name.

icmp_type:
    description:
    - ICMP type. This parameter is available only when the packet protocol is ICMP. The
      value is an integer ranging from 0 to 255.

igmp_type:
    choices:
    - host-query
    - mrouter-adver
    - mrouter-solic
    - mrouter-termi
    - mtrace-resp
    - mtrace-route
    - v1host-report
    - v2host-report
    - v2leave-group
    - v3host-report
    description:
    - IGMP (Internet Group Management Protocol) message type.

rule_name:
    description:
    - Name of a basic ACL rule. The value is a string of 1 to 32 characters.

source_ip:
    description:
    - Source IP address. The value is a string of 0 to 255 characters. The default value
      is 0.0.0.0. The value is in dotted decimal notation.

precedence:
    description:
    - Data packets can be filtered based on the priority field. The value is an integer
      ranging from 0 to 7.

time_range:
    description:
    - Name of a time range in which an ACL rule takes effect.

established:
    default: false
    description:
    - Match established connections.
    type: bool

rule_action:
    choices:
    - permit
    - deny
    description:
    - Matching mode of basic ACL rules.

src_port_op:
    choices:
    - lt
    - eq
    - gt
    - range
    description:
    - Range type of the source port.

ttl_expired:
    default: false
    description:
    - Whether packets whose TTL has expired (TTL value of 1) are matched.
    type: bool

dest_port_op:
    choices:
    - lt
    - eq
    - gt
    - range
    description:
    - Range type of the destination port.

src_port_end:
    description:
    - End port number of the source port. The value is an integer ranging from 0 to 65535.

dest_port_end:
    description:
    - End port number of the destination port. The value is an integer ranging from 0
      to 65535.

src_pool_name:
    description:
    - Name of a source pool. The value is a string of 1 to 32 characters.

tcp_flag_mask:
    description:
    - TCP flag mask value. The value is an integer ranging from 0 to 63.

dest_pool_name:
    description:
    - Name of a destination pool. The value is a string of 1 to 32 characters.

src_port_begin:
    description:
    - Start port number of the source port. The value is an integer ranging from 0 to
      65535.

acl_description:
    description:
    - ACL description. The value is a string of 1 to 127 characters.

dest_port_begin:
    description:
    - Start port number of the destination port. The value is an integer ranging from
      0 to 65535.

rule_description:
    description:
    - Description about an ACL rule.

src_port_pool_name:
    description:
    - Name of a source port pool. The value is a string of 1 to 32 characters.

dest_port_pool_name:
    description:
    - Name of a destination port pool. The value is a string of 1 to 32 characters.

Outputs

changed:
  description: whether a change was made on the device
  returned: always
  sample: true
  type: bool
end_state:
  description: k/v pairs of ACL params after module execution
  returned: always
  sample: {}
  type: dict
existing:
  description: k/v pairs of the existing ACL
  returned: always
  sample:
    aclNumOrName: test
    aclType: Advance
  type: dict
proposed:
  description: k/v pairs of parameters passed into the module
  returned: always
  sample:
    acl_name: test
    state: delete_acl
  type: dict
updates:
  description: commands sent to the device
  returned: always
  sample:
  - undo acl name test
  type: list