dellemc.enterprise_sonic.sonic_acl_interfaces (2.4.0) — module

Manage access control list (ACL) to interface binding on SONiC

Added in version 2.1.0 of dellemc.enterprise_sonic

Authors: Arun Saravanan Balachandran (@ArunSaravananBalachandran)

Install collection

Install with ansible-galaxy collection install dellemc.enterprise_sonic:==2.4.0


Add to requirements.yml

  # Exact version pin: every install resolves to the same collection release.
  collections:
    - name: 'dellemc.enterprise_sonic'
      version: '2.4.0'

Description

This module provides configuration management of applying access control lists (ACL) to interfaces in devices running SONiC.

The ACL must already exist on the device before it can be bound to an interface.

Usage examples

# Using merged
#
# Before State:
# -------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# sonic#

  # merged adds the listed bindings to what is already on the device. In the
  # Before/After State shown here, the existing ingress ipv6-acl-1 binding on
  # Eth1/1 is still present afterwards.
  - name: Merge provided interface access-group configurations
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      state: merged
      config:
        # Eth1/1: MAC ACLs in both directions plus an egress IPv6 ACL.
        - name: 'Eth1/1'
          access_groups:
            - type: 'mac'
              acls:
                - direction: 'in'
                  name: 'mac-acl-1'
                - direction: 'out'
                  name: 'mac-acl-2'
            - type: 'ipv6'
              acls:
                - direction: 'out'
                  name: 'ipv6-acl-2'
        # Eth1/2: a single ingress IPv4 ACL.
        - name: 'Eth1/2'
          access_groups:
            - type: 'ipv4'
              acls:
                - direction: 'in'
                  name: 'ip-acl-1'
# After State:
# ------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Ingress IP access-list ip-acl-1 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# sonic#


# Using replaced
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Ingress IP access-list ip-acl-1 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# sonic#

  # replaced rewrites only the interfaces named in config. In the Before/After
  # State shown here, Eth1/2 loses its ingress ip-acl-1 binding because it is
  # not repeated below, while Eth1/1 (not listed) keeps all of its bindings.
  # Review the Before State of each listed interface so that a filter is not
  # dropped unintentionally.
  - name: Replace device access-group configuration of specified interfaces with provided configuration
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      state: replaced
      config:
        - name: 'Eth1/2'
          access_groups:
            - type: 'ipv6'
              acls:
                - direction: 'out'
                  name: 'ipv6-acl-2'
        - name: 'Eth1/3'
          access_groups:
            - type: 'ipv4'
              acls:
                - direction: 'out'
                  name: 'ip-acl-2'
# After State:
# ------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#


# Using overridden
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#

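  # overridden applies to every interface on the device, not only the ones
  # listed: any binding absent from config is removed. In the Before/After
  # State shown here, Eth1/1 loses its MAC and IPv6 ACLs and Eth1/3 loses
  # ip-acl-2. Run in check mode first and review the returned commands, since
  # an interface left without a binding is no longer filtered by an ACL.
  - name: Override all interfaces access-group device configuration with provided configuration
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      state: overridden
      config:
        - name: 'Eth1/1'
          access_groups:
            # The option's choices are mac, ipv4 and ipv6; IPv4 bindings are
            # what the device lists under "show ip access-group".
            - type: 'ipv4'
              acls:
                - name: 'ip-acl-2'
                  direction: 'out'
        - name: 'Eth1/2'
          access_groups:
            - type: 'ipv4'
              acls:
                - name: 'ip-acl-2'
                  direction: 'out'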
# After State:
# ------------
#
# sonic# show mac access-group
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/1
# Egress IP access-list ip-acl-2 on Eth1/2
# sonic#
# sonic# show ipv6 access-group
# sonic#


# Using deleted
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#

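  # deleted removes bindings at the granularity given in config. The
  # Before/After State shown here illustrates the three levels:
  #   - a named ACL with direction: only that binding (ingress mac-acl-1)
  #   - a type with no acls: every binding of that type on the interface
  #   - an interface name alone: every binding on that interface
  - name: Delete specified interfaces access-group configurations
    # This page documents sonic_acl_interfaces, and the config below uses its
    # option schema, so the task calls that module.
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      state: deleted
      config:
        - name: 'Eth1/1'
          access_groups:
            - type: 'mac'
              acls:
                - name: 'mac-acl-1'
                  direction: 'in'
            # No acls listed: all IPv6 bindings on Eth1/1 are removed.
            - type: 'ipv6'
        # No access_groups listed: all bindings on Eth1/2 are removed.
        - name: 'Eth1/2'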
# After State:
# ------------
#
# sonic# show mac access-group
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# sonic#


# Using deleted
#
# Before State:
# -------------
#
# sonic# show mac access-group
# Ingress MAC access-list mac-acl-1 on Eth1/1
# Egress MAC access-list mac-acl-2 on Eth1/1
# sonic#
# sonic# show ip access-group
# Egress IP access-list ip-acl-2 on Eth1/3
# sonic#
# sonic# show ipv6 access-group
# Ingress IPV6 access-list ipv6-acl-1 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/1
# Egress IPV6 access-list ipv6-acl-2 on Eth1/2
# sonic#

  # With no config, state deleted is not scoped to any interface. Per the task
  # name it removes every interface access-group binding on the device; the
  # page shows no After State for this example, so confirm the effect in check
  # mode and review the returned commands before running it for real.
  - name: Delete all interface access-group configurations
    dellemc.enterprise_sonic.sonic_acl_interfaces:
      state: deleted
      # Explicit null, equivalent to leaving the value empty.
      config: null

Inputs

    
# Selects how the supplied config is reconciled with the device.
# In the examples on this page merged leaves existing bindings in place, while
# replaced, overridden and deleted each remove bindings. An interface whose
# binding is removed is no longer filtered by that ACL, so review those runs
# in check mode first.
state:
    choices:
    - merged
    - replaced
    - overridden
    - deleted
    # Used when the task does not set state.
    default: merged
    description:
    - The state of the configuration after module completion.
    - I(merged) - Merges provided interface access-group configuration with on-device
      configuration.
    - I(replaced) - Replaces on-device access-group configuration of the specified interfaces
      with provided configuration.
    - I(overridden) - Overrides all on-device interface access-group configurations with
      the provided configuration.
    - I(deleted) - Deletes on-device interface access-group configuration.
    type: str

# List of per-interface ACL bindings: interface name -> access_groups (one per
# ACL type) -> acls (ACL name plus direction).
# The delete-all example on this page leaves config empty with state deleted.
config:
    description:
    - Specifies interface access-group configurations.
    elements: dict
    suboptions:
      # Not marked required: the delete example lists an interface by name
      # alone to remove all of its bindings.
      access_groups:
        description:
        - Access-group configurations to be set for the interface.
        elements: dict
        suboptions:
          # Not marked required: the delete example gives a type with no acls
          # to remove every binding of that type on the interface.
          acls:
            description:
            - List of ACLs for the given type.
            elements: dict
            suboptions:
              # 'in' is shown by the device as Ingress, 'out' as Egress.
              direction:
                choices:
                - in
                - out
                description:
                - Specifies the direction of the packets that the ACL will be applied
                  on.
                required: true
                type: str
              # The Description section states the ACL must already exist on
              # the device.
              name:
                description:
                - Name of the ACL to be applied on the interface.
                required: true
                type: str
            type: list
          # Only these three values are listed; the IPv4 value is 'ipv4',
          # not 'ip'.
          type:
            choices:
            - mac
            - ipv4
            - ipv6
            description:
            - Type of the ACLs to be applied on the interface.
            required: true
            type: str
        type: list
      name:
        description:
        - Full name of the interface, i.e. Eth1/1.
        required: true
        type: str
    type: list

Outputs

# Values returned by the module. before and commands are returned on every
# run, so they can be logged to record what an ACL-binding change did.
after:
  description: The resulting configuration model invocation.
  # Only present when the run changed something.
  returned: when changed
  sample: "The configuration returned will always be in the same format\n of the parameters\
    \ above.\n"
  type: list
# Returned in check mode; presumably the configuration a real run would
# produce (confirm against the module source).
after(generated):
  description: The generated configuration model invocation.
  returned: when C(check_mode)
  sample: "The configuration returned will always be in the same format\n of the parameters\
    \ above.\n"
  type: list
before:
  description: The configuration prior to the model invocation.
  returned: always
  sample: "The configuration returned will always be in the same format\n of the parameters\
    \ above.\n"
  type: list
# The commands pushed to the device; review these for unexpected removals.
commands:
  description: The set of commands pushed to the remote device.
  returned: always
  sample:
  - command 1
  - command 2
  - command 3
  type: list