dellemc / dellemc.enterprise_sonic / 2.4.0 / module / sonic_l2_acls Manage Layer 2 access control lists (ACL) configurations on SONiC | "added in version" 2.1.0 of dellemc.enterprise_sonic" Authors: Arun Saravanan Balachandran (@ArunSaravananBalachandran)dellemc.enterprise_sonic.sonic_l2_acls (2.4.0) — module
Install with ansible-galaxy collection install dellemc.enterprise_sonic:==2.4.0
collections: - name: dellemc.enterprise_sonic version: 2.4.0
This module provides configuration management of Layer 2 access control lists (ACL) in devices running SONiC.
# Using merged # # Before State: # ------------- # # sonic# show running-configuration mac access-list # ! # mac access-list test # seq 1 permit host 22:22:22:22:22:22 any vlan 20 # sonic# - name: Merge provided Layer 2 ACL configurations dellemc.enterprise_sonic.sonic_l2_acls: config: - name: 'test' rules: - sequence_num: 2 action: 'permit' source: any: true destination: any: true ethertype: value: '0x88cc' remark: 'LLDP' - sequence_num: 3 action: 'permit' source: any: true destination: address: '00:00:10:00:00:00' address_mask: '00:00:ff:ff:00:00' pcp: value: 4 mask: 6 - sequence_num: 4 action: 'deny' source: any: true destination: any: true vlan_tag_format: multi_tagged: true - name: 'test1' remark: 'test_mac_acl' rules: - sequence_num: 1 action: 'permit' source: host: '11:11:11:11:11:11' destination: any: true - sequence_num: 2 action: 'permit' source: any: true destination: any: true ethertype: arp: true vlan_id: 100 - sequence_num: 3 action: 'deny' source: any: true destination: any: true dei: 0 state: merged
# After State: # ------------ # # sonic# show running-configuration mac access-list # ! # mac access-list test # seq 1 permit host 22:22:22:22:22:22 any vlan 20 # seq 2 permit any any 0x88cc remark LLDP # seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6 # seq 4 deny any any vlan-tag-format multi-tagged # ! # mac access-list test1 # remark test_mac_acl # seq 1 permit host 11:11:11:11:11:11 any # seq 2 permit any any arp vlan 100 # seq 3 deny any any dei 0 # sonic# # Using replaced # # Before State: # ------------- # # sonic# show running-configuration mac access-list # ! # mac access-list test # seq 1 permit host 22:22:22:22:22:22 any vlan 20 # seq 2 permit any any 0x88cc remark LLDP # seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6 # ! # mac access-list test1 # remark test_mac_acl # seq 1 permit host 11:11:11:11:11:11 any # seq 2 permit any any arp vlan 100 # seq 3 deny any any dei 0 # sonic# - name: Replace device configuration of specified Layer 2 ACLs with provided configuration dellemc.enterprise_sonic.sonic_l2_acls: config: - name: 'test1' rules: - sequence_num: 1 action: 'permit' source: any: true destination: any: true ethertype: arp: true vlan_id: 200 - sequence_num: 2 action: 'discard' source: any: true destination: any: true - name: 'test2' rules: - sequence_num: 1 action: 'permit' source: host: '33:33:33:33:33:33' destination: host: '44:44:44:44:44:44' state: replaced
# After State: # ------------ # # sonic# show running-configuration mac access-list # ! # mac access-list test # seq 1 permit host 22:22:22:22:22:22 any vlan 20 # seq 2 permit any any 0x88cc remark LLDP # seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6 # ! # mac access-list test1 # seq 1 permit any any arp vlan 200 # seq 2 discard any any # ! # mac access-list test2 # seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44 # sonic# # Using overridden # # Before State: # ------------- # # sonic# show running-configuration mac access-list # ! # mac access-list test # seq 1 permit host 22:22:22:22:22:22 any vlan 20 # seq 2 permit any any 0x88cc remark LLDP # seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6 # ! # mac access-list test1 # seq 1 permit any any arp vlan 200 # seq 2 discard any any # ! # mac access-list test2 # seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44 # sonic# - name: Override device configuration of all Layer 2 ACLs with provided configuration dellemc.enterprise_sonic.sonic_l2_acls: config: - name: 'test1' remark: 'test_mac_acl' rules: - sequence_num: 1 action: 'permit' source: host: '11:11:11:11:11:11' destination: any: true vlan_id: 100 - sequence_num: 2 action: 'permit' source: any: true destination: any: true pcp: traffic_type: 'ca' - sequence_num: 3 action: 'deny' source: any: true destination: any: true ethertype: ipv4: true state: overridden
# After State: # ------------ # # sonic# show running-configuration mac access-list # ! # mac access-list test1 # remark test_mac_acl # seq 1 permit host 11:11:11:11:11:11 any vlan 100 # seq 2 permit any any pcp ca # seq 3 deny any any ip # sonic# # Using deleted # # Before State: # ------------- # # sonic# show running-configuration mac access-list # ! # mac access-list test # seq 1 permit host 22:22:22:22:22:22 any vlan 20 # seq 2 permit any any 0x88cc remark LLDP # seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6 # ! # mac access-list test1 # remark test_mac_acl # seq 1 permit host 11:11:11:11:11:11 any vlan 100 # seq 2 deny any any ip # ! # mac access-list test2 # seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44 # sonic# - name: Delete specified Layer 2 ACLs, ACL remark and ACL rule entries dellemc.enterprise_sonic.sonic_l2_acls: config: - name: 'test' rules: - sequence_num: 3 - name: 'test1' remark: 'test_mac_acl' - name: 'test2' state: deleted
# After State: # ------------ # # sonic# show running-configuration mac access-list # ! # mac access-list test # seq 1 permit host 22:22:22:22:22:22 any vlan 20 # seq 2 permit any any 0x88cc remark LLDP # ! # mac access-list test1 # seq 1 permit host 11:11:11:11:11:11 any vlan 100 # seq 2 deny any any ip # sonic# # Using deleted # # Before State: # ------------- # # sonic# show running-configuration mac access-list # ! # mac access-list test # seq 1 permit host 22:22:22:22:22:22 any vlan 20 # seq 2 permit any any 0x88cc remark LLDP # seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6 # ! # mac access-list test1 # remark test_mac_acl # seq 1 permit host 11:11:11:11:11:11 any vlan 100 # seq 2 deny any any ip # ! # mac access-list test2 # seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44 # sonic# - name: Delete all Layer 2 ACL configurations dellemc.enterprise_sonic.sonic_l2_acls: config: state: deleted
state: choices: - merged - replaced - overridden - deleted default: merged description: - The state of the configuration after module completion. - C(merged) - Merges provided L2 ACL configuration with on-device configuration. - C(replaced) - Replaces on-device configuration of the specified L2 ACLs with provided configuration. - C(overridden) - Overrides all on-device L2 ACL configurations with the provided configuration. - C(deleted) - Deletes on-device L2 ACL configuration. type: str config: description: - Specifies Layer 2 ACL configurations. elements: dict suboptions: name: description: - Specifies the ACL name. required: true type: str remark: description: - Specifies remark for the ACL. type: str rules: description: - List of rules with the ACL. - I(sequence_num), I(action), I(source) & I(destination) are required for adding a new rule. - If I(state=deleted), options other than I(sequence_num) are not considered. - I(ethertype) and I(vlan_tag_format) are mutually exclusive. elements: dict suboptions: action: choices: - deny - discard - do-not-nat - permit - transit description: - Specifies the action taken on the matched Ethernet frame. type: str dei: choices: - 0 - 1 description: - Match Ethernet frame with the given Drop Eligible Indicator (DEI) value. type: int destination: description: - Specifies the destination of the Ethernet frame. - I(address) and I(address_mask) are required together. - I(any), I(host) and I(address) are mutually exclusive. suboptions: address: description: - Destination MAC address. type: str address_mask: description: - Destination MAC address mask. type: str any: description: - Match any destination MAC address. type: bool host: description: - MAC address of a single destination host. type: str type: dict ethertype: description: - Specifies the EtherType of the Ethernet frame. - Only one suboption can be specified for ethertype in a rule. suboptions: arp: description: - Match Ethernet frame with ARP EtherType (0x806). type: bool ipv4: description: - Match Ethernet frame with IPv4 EtherType (0x800). type: bool ipv6: description: - Match Ethernet frame with IPv6 EtherType (0x86DD). type: bool value: description: - Specifies the EtherType value to match as a hexadecimal string. - The range is from 0x600 to 0xffff. type: str type: dict pcp: description: - Match Ethernet frames using Priority Code Point (PCP) value. - I(mask) is valid only when I(value) is specified. - I(value) and I(traffic_type) are mutually exclusive. suboptions: mask: description: - Match Ethernet frame with given PCP value and mask. - The range is from 0 to 7. type: int traffic_type: choices: - be - bk - ee - ca - vi - vo - ic - nc description: - Match Ethernet frame with PCP value for the given traffic type. - C(be) - Match Ethernet frame with Best effort PCP (0). - C(bk) - Match Ethernet frame with Background PCP (1). - C(ee) - Match Ethernet frame with Excellent effort PCP (2). - C(ca) - Match Ethernet frame with Critical applications PCP (3). - C(vi) - Match Ethernet frame with Video, < 100 ms latency and jitter PCP (4). - C(vo) - Match Ethernet frame with Voice, < 10 ms latency and jitter PCP (5). - C(ic) - Match Ethernet frame with Internetwork control PCP (6). - C(nc) - Match Ethernet frame with Network control PCP (7). type: str value: description: - Match Ethernet frame with the given PCP value. - The range is from 0 to 7 type: int type: dict remark: description: - Specifies remark for the ACL rule. type: str sequence_num: description: - Specifies the sequence number of the rule. - The range is from 1 to 65535. required: true type: int source: description: - Specifies the source of the Ethernet frame. - I(address) and I(address_mask) are required together. - I(any), I(host) and I(address) are mutually exclusive. suboptions: address: description: - Source MAC address. type: str address_mask: description: - Source MAC address mask. type: str any: description: - Match any source MAC address. type: bool host: description: - MAC address of a single source host. type: str type: dict vlan_id: description: - Match Ethernet frame with the given VLAN ID. type: int vlan_tag_format: description: - Match Ethernet frame with the given VLAN tag format. suboptions: multi_tagged: description: - Match three of more VLAN tagged Ethernet frame. type: bool type: dict type: list type: list
after: description: The resulting configuration model invocation. returned: when changed sample: "The configuration returned will always be in the same format\n of the parameters\ \ above.\n" type: list after(generated): description: The generated configuration model invocation. returned: when C(check_mode) sample: "The configuration returned will always be in the same format\n of the parameters\ \ above.\n" type: list before: description: The configuration prior to the model invocation. returned: always sample: "The configuration returned will always be in the same format\n of the parameters\ \ above.\n" type: list commands: description: The set of commands pushed to the remote device. returned: always sample: - command 1 - command 2 - command 3 type: list