dellemc.enterprise_sonic.sonic_acl_interfaces (2.4.0) — module
Manage access control list (ACL) to interface binding on SONiC
Added in version 2.1.0 of dellemc.enterprise_sonic
Authors: Arun Saravanan Balachandran (@ArunSaravananBalachandran)
Install with ansible-galaxy collection install dellemc.enterprise_sonic:==2.4.0
collections:
  - name: dellemc.enterprise_sonic
    version: 2.4.0
This module provides configuration management of applying access control lists (ACL) to interfaces in devices running SONiC.
The ACL must already exist on the device before it can be applied to an interface.
# Using merged
#
# Before State:
# -------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# sonic#

- name: Merge provided interface access-group configurations
  dellemc.enterprise_sonic.sonic_acl_interfaces:
    config:
      - name: 'Eth1/1'
        access_groups:
          - type: 'mac'
            acls:
              - name: 'mac-acl-1'
                direction: 'in'
              - name: 'mac-acl-2'
                direction: 'out'
          - type: 'ipv6'
            acls:
              - name: 'ipv6-acl-2'
                direction: 'out'
      - name: 'Eth1/2'
        access_groups:
          - type: 'ipv4'
            acls:
              - name: 'ip-acl-1'
                direction: 'in'
    state: merged
# After State:
# ------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Ingress IP access-list ip-acl-1 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# sonic#

# Using replaced
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Ingress IP access-list ip-acl-1 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# sonic#

- name: Replace device access-group configuration of specified interfaces with provided configuration
  dellemc.enterprise_sonic.sonic_acl_interfaces:
    config:
      - name: 'Eth1/2'
        access_groups:
          - type: 'ipv6'
            acls:
              - name: 'ipv6-acl-2'
                direction: 'out'
      - name: 'Eth1/3'
        access_groups:
          - type: 'ipv4'
            acls:
              - name: 'ip-acl-2'
                direction: 'out'
    state: replaced
# After State:
# ------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#

# Using overridden
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#

- name: Override all interfaces access-group device configuration with provided configuration
  dellemc.enterprise_sonic.sonic_acl_interfaces:
    config:
      - name: 'Eth1/1'
        access_groups:
          - type: 'ipv4'
            acls:
              - name: 'ip-acl-2'
                direction: 'out'
      - name: 'Eth1/2'
        access_groups:
          - type: 'ipv4'
            acls:
              - name: 'ip-acl-2'
                direction: 'out'
    state: overridden
# After State:
# ------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/1
# Egress IP access-list ip-acl-2 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# sonic#

# Using deleted
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#

- name: Delete specified interfaces access-group configurations
  dellemc.enterprise_sonic.sonic_acl_interfaces:
    config:
      - name: 'Eth1/1'
        access_groups:
          - type: 'mac'
            acls:
              - name: 'mac-acl-1'
                direction: 'in'
          - type: 'ipv6'
      - name: 'Eth1/2'
    state: deleted
# After State:
# ------------
#
# sonic# show mac access-group
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# sonic#

# Using deleted
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#

- name: Delete all interface access-group configurations
  dellemc.enterprise_sonic.sonic_acl_interfaces:
    config:
    state: deleted
state:
  choices:
  - merged
  - replaced
  - overridden
  - deleted
  default: merged
  description:
  - The state of the configuration after module completion.
  - I(merged) - Merges provided interface access-group configuration with on-device configuration.
  - I(replaced) - Replaces on-device access-group configuration of the specified interfaces with provided configuration.
  - I(overridden) - Overrides all on-device interface access-group configurations with the provided configuration.
  - I(deleted) - Deletes on-device interface access-group configuration.
  type: str
config:
  description:
  - Specifies interface access-group configurations.
  elements: dict
  suboptions:
    access_groups:
      description:
      - Access-group configurations to be set for the interface.
      elements: dict
      suboptions:
        acls:
          description:
          - List of ACLs for the given type.
          elements: dict
          suboptions:
            direction:
              choices:
              - in
              - out
              description:
              - Specifies the direction of the packets that the ACL will be applied on.
              required: true
              type: str
            name:
              description:
              - Name of the ACL to be applied on the interface.
              required: true
              type: str
          type: list
        type:
          choices:
          - mac
          - ipv4
          - ipv6
          description:
          - Type of the ACLs to be applied on the interface.
          required: true
          type: str
      type: list
    name:
      description:
      - Full name of the interface, i.e. Eth1/1.
      required: true
      type: str
  type: list
after:
  description: The resulting configuration model invocation.
  returned: when changed
  sample: "The configuration returned will always be in the same format\n of the parameters above.\n"
  type: list
after(generated):
  description: The generated configuration model invocation.
  returned: when C(check_mode)
  sample: "The configuration returned will always be in the same format\n of the parameters above.\n"
  type: list
before:
  description: The configuration prior to the model invocation.
  returned: always
  sample: "The configuration returned will always be in the same format\n of the parameters above.\n"
  type: list
commands:
  description: The set of commands pushed to the remote device.
  returned: always
  sample:
  - command 1
  - command 2
  - command 3
  type: list
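The four `state` values differ mainly in what they remove: `replaced`, `overridden` and `deleted` can all unbind ACLs that the task never names. As an added example (not code from the dellemc.enterprise_sonic collection), this Python model, inferred only from the before/after listings above, computes which bindings a task would remove and which interfaces would be left with no ACL bound. The names `bindings`, `selected_for_delete`, `plan` and `BEFORE` are hypothetical.

```python
# Added illustration: a model of the four `state` values inferred from the
# before/after listings on this page. It is not the module's implementation.

def bindings(config):
    """Flatten module-style config into {(interface, type, acl, direction)}."""
    return {(i["name"], g["type"], a["name"], a["direction"])
            for i in config or []
            for g in i.get("access_groups") or []
            for a in g.get("acls") or []}

def selected_for_delete(before, config):
    """Bindings matched by state=deleted; each omitted level widens the match."""
    if not config:                       # no config: every binding on the device
        return set(before)
    hit = set()
    for intf in config:
        on_intf = {b for b in before if b[0] == intf["name"]}
        groups = intf.get("access_groups")
        if not groups:                   # interface name only: all of its bindings
            hit |= on_intf
        for g in groups or []:
            of_type = {b for b in on_intf if b[1] == g["type"]}
            named = {(a["name"], a["direction"]) for a in g.get("acls") or []}
            # type only: every ACL of that type; otherwise exact name + direction
            hit |= {b for b in of_type if not named or b[2:] in named}
    return hit

def plan(before, config, state="merged"):
    """Return (after, removed, interfaces left with no ACL bound)."""
    want = bindings(config)
    if state == "merged":
        after = before | want
    elif state == "replaced":            # only the interfaces named in config
        named = {i["name"] for i in config or []}
        after = {b for b in before if b[0] not in named} | want
    elif state == "overridden":          # every interface on the device
        after = want
    elif state == "deleted":
        after = before - selected_for_delete(before, config)
    else:
        raise ValueError(f"unknown state: {state}")
    removed = before - after
    return after, removed, sorted({b[0] for b in removed} - {b[0] for b in after})

# Before state of the page's "overridden" and "deleted" examples, as tuples.
BEFORE = {("Eth1/1", "mac", "mac-acl-1", "in"), ("Eth1/1", "mac", "mac-acl-2", "out"),
          ("Eth1/1", "ipv6", "ipv6-acl-1", "in"), ("Eth1/1", "ipv6", "ipv6-acl-2", "out"),
          ("Eth1/2", "ipv6", "ipv6-acl-2", "out"), ("Eth1/3", "ipv4", "ip-acl-2", "out")}
```

Fed the page's `overridden` task, `plan` reports `Eth1/3` as losing its only ACL even though the task never mentions that interface; the `before` value the module returns can be flattened with `bindings` to supply the first argument.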