dellemc.enterprise_sonic.sonic_l2_acls (2.4.0) — module

Manage Layer 2 access control lists (ACL) configurations on SONiC

Added in version 2.1.0 of dellemc.enterprise_sonic

Authors: Arun Saravanan Balachandran (@ArunSaravananBalachandran)

Install collection

Install with ansible-galaxy collection install dellemc.enterprise_sonic:==2.4.0


Add to requirements.yml

  collections:
    - name: dellemc.enterprise_sonic
      version: 2.4.0

Description

This module provides configuration management of Layer 2 access control lists (ACL) in devices running SONiC.

Usage examples

# Using merged
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
#  seq 1 permit host 22:22:22:22:22:22 any vlan 20
# sonic#

  - name: Merge provided Layer 2 ACL configurations
    dellemc.enterprise_sonic.sonic_l2_acls:
      config:
        - name: 'test'
          rules:
            - sequence_num: 2
              action: 'permit'
              source:
                any: true
              destination:
                any: true
              ethertype:
                value: '0x88cc'
              remark: 'LLDP'
            - sequence_num: 3
              action: 'permit'
              source:
                any: true
              destination:
                address: '00:00:10:00:00:00'
                address_mask: '00:00:ff:ff:00:00'
              pcp:
                value: 4
                mask: 6
            - sequence_num: 4
              action: 'deny'
              source:
                any: true
              destination:
                any: true
              vlan_tag_format:
                multi_tagged: true
        - name: 'test1'
          remark: 'test_mac_acl'
          rules:
            - sequence_num: 1
              action: 'permit'
              source:
                host: '11:11:11:11:11:11'
              destination:
                any: true
            - sequence_num: 2
              action: 'permit'
              source:
                any: true
              destination:
                any: true
              ethertype:
                arp: true
              vlan_id: 100
            - sequence_num: 3
              action: 'deny'
              source:
                any: true
              destination:
                any: true
              dei: 0
      state: merged
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
#  seq 1 permit host 22:22:22:22:22:22 any vlan 20
#  seq 2 permit any any 0x88cc remark LLDP
#  seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
#  seq 4 deny any any vlan-tag-format multi-tagged
# !
# mac access-list test1
#  remark test_mac_acl
#  seq 1 permit host 11:11:11:11:11:11 any
#  seq 2 permit any any arp vlan 100
#  seq 3 deny any any dei 0
# sonic#


# Using replaced
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
#  seq 1 permit host 22:22:22:22:22:22 any vlan 20
#  seq 2 permit any any 0x88cc remark LLDP
#  seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
#  remark test_mac_acl
#  seq 1 permit host 11:11:11:11:11:11 any
#  seq 2 permit any any arp vlan 100
#  seq 3 deny any any dei 0
# sonic#

  - name: Replace device configuration of specified Layer 2 ACLs with provided configuration
    dellemc.enterprise_sonic.sonic_l2_acls:
      config:
        - name: 'test1'
          rules:
            - sequence_num: 1
              action: 'permit'
              source:
                any: true
              destination:
                any: true
              ethertype:
                arp: true
              vlan_id: 200
            - sequence_num: 2
              action: 'discard'
              source:
                any: true
              destination:
                any: true
        - name: 'test2'
          rules:
            - sequence_num: 1
              action: 'permit'
              source:
                host: '33:33:33:33:33:33'
              destination:
                host: '44:44:44:44:44:44'
      state: replaced
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
#  seq 1 permit host 22:22:22:22:22:22 any vlan 20
#  seq 2 permit any any 0x88cc remark LLDP
#  seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
#  seq 1 permit any any arp vlan 200
#  seq 2 discard any any
# !
# mac access-list test2
#  seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44
# sonic#


# Using overridden
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
#  seq 1 permit host 22:22:22:22:22:22 any vlan 20
#  seq 2 permit any any 0x88cc remark LLDP
#  seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
#  seq 1 permit any any arp vlan 200
#  seq 2 discard any any
# !
# mac access-list test2
#  seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44
# sonic#

  - name: Override device configuration of all Layer 2 ACLs with provided configuration
    dellemc.enterprise_sonic.sonic_l2_acls:
      config:
        - name: 'test1'
          remark: 'test_mac_acl'
          rules:
            - sequence_num: 1
              action: 'permit'
              source:
                host: '11:11:11:11:11:11'
              destination:
                any: true
              vlan_id: 100
            - sequence_num: 2
              action: 'permit'
              source:
                any: true
              destination:
                any: true
              pcp:
                traffic_type: 'ca'
            - sequence_num: 3
              action: 'deny'
              source:
                any: true
              destination:
                any: true
              ethertype:
                ipv4: true
      state: overridden
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test1
#  remark test_mac_acl
#  seq 1 permit host 11:11:11:11:11:11 any vlan 100
#  seq 2 permit any any pcp ca
#  seq 3 deny any any ip
# sonic#


# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
#  seq 1 permit host 22:22:22:22:22:22 any vlan 20
#  seq 2 permit any any 0x88cc remark LLDP
#  seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
#  remark test_mac_acl
#  seq 1 permit host 11:11:11:11:11:11 any vlan 100
#  seq 2 deny any any ip
# !
# mac access-list test2
#  seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44
# sonic#

  - name: Delete specified Layer 2 ACLs, ACL remark and ACL rule entries
    dellemc.enterprise_sonic.sonic_l2_acls:
      config:
        - name: 'test'
          rules:
            - sequence_num: 3
        - name: 'test1'
          remark: 'test_mac_acl'
        - name: 'test2'
      state: deleted
# After State:
# ------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
#  seq 1 permit host 22:22:22:22:22:22 any vlan 20
#  seq 2 permit any any 0x88cc remark LLDP
# !
# mac access-list test1
#  seq 1 permit host 11:11:11:11:11:11 any vlan 100
#  seq 2 deny any any ip
# sonic#


# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration mac access-list
# !
# mac access-list test
#  seq 1 permit host 22:22:22:22:22:22 any vlan 20
#  seq 2 permit any any 0x88cc remark LLDP
#  seq 3 permit any 00:00:10:00:00:00 00:00:ff:ff:00:00 pcp vi pcp-mask 6
# !
# mac access-list test1
#  remark test_mac_acl
#  seq 1 permit host 11:11:11:11:11:11 any vlan 100
#  seq 2 deny any any ip
# !
# mac access-list test2
#  seq 1 permit host 33:33:33:33:33:33 host 44:44:44:44:44:44
# sonic#

  - name: Delete all Layer 2 ACL configurations
    dellemc.enterprise_sonic.sonic_l2_acls:
      config:
      state: deleted

Inputs

    
state:
    choices:
    - merged
    - replaced
    - overridden
    - deleted
    default: merged
    description:
    - The state of the configuration after module completion.
    - C(merged) - Merges the provided L2 ACL configuration with the on-device configuration;
      ACLs and rules not named in the provided configuration are left untouched.
    - C(replaced) - Replaces the on-device configuration of each specified L2 ACL (its remark
      and all of its rules) with the provided configuration; ACLs not named are left untouched.
    - C(overridden) - Overrides all on-device L2 ACL configuration with the provided
      configuration; any on-device L2 ACL not present in it is removed.
    - C(deleted) - Deletes the specified on-device L2 ACL configuration (whole ACLs, an ACL
      remark, or individual rules by sequence number); with no config, deletes all L2 ACLs.
    type: str
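The four states combine the provided config with what is already on the device in different ways, and the before/after pairs in the usage examples show the effect of each. The Python below is an added example, not code from the collection: it models that behaviour from those documented examples (an assumption; the device remains authoritative) so that a play can preview which ACLs, remarks and rules a run would delete before anything is pushed. That matters most for overridden, and for deleted with an empty config, both of which remove everything not listed. The constructed BEFORE data reproduces the "Using deleted" before state, and the function names are mine.

```python
"""Preview of what each sonic_l2_acls state does to the device's L2 ACLs.
Added example, not part of the collection: the behaviour is modelled on the
before/after examples above (assumption), so compare the result with the
module's own `before`/`after` return values in check mode."""
import copy


def _rules_by_seq(acl):
    return {r["sequence_num"]: r for r in acl.get("rules") or []}


def apply_state(before, config, state="merged"):
    """Return (after, removed): the predicted ACL list and the ACLs, remarks
    and rules (as strings) that the run would delete."""
    current = {a["name"]: copy.deepcopy(a) for a in (before or [])}
    desired = copy.deepcopy(config or [])
    removed = []

    if state == "overridden":
        # Every on-device ACL not named in config is deleted wholesale.
        wanted = {a["name"] for a in desired}
        return desired, [f"acl {n}" for n in current if n not in wanted]

    if state == "deleted":
        if not desired:                              # empty config: wipe all L2 ACLs
            return [], [f"acl {n}" for n in current]
        for want in desired:
            acl = current.get(want["name"])
            if acl is None:
                continue
            if not want.get("remark") and not want.get("rules"):
                removed.append(f"acl {acl['name']}")  # name only: drop the whole ACL
                del current[acl["name"]]
                continue
            if want.get("remark") and acl.get("remark") == want["remark"]:
                removed.append(f"acl {acl['name']} remark")
                del acl["remark"]
            rules = _rules_by_seq(acl)
            for r in want.get("rules") or []:        # only sequence_num is considered
                if r["sequence_num"] in rules:
                    removed.append(f"acl {acl['name']} seq {r['sequence_num']}")
                    del rules[r["sequence_num"]]
            acl["rules"] = [rules[k] for k in sorted(rules)]
        return list(current.values()), removed

    if state not in ("merged", "replaced"):
        raise ValueError(f"unknown state {state!r}")

    for want in desired:
        acl = current.get(want["name"])
        if state == "replaced" and acl is not None:
            # The named ACL is replaced in full: its remark and existing rules go.
            if acl.get("remark"):
                removed.append(f"acl {acl['name']} remark")
            removed += [f"acl {acl['name']} seq {r['sequence_num']}"
                        for r in acl.get("rules") or []]
            acl = None
        if acl is None:
            current[want["name"]] = want
            continue
        if want.get("remark"):
            acl["remark"] = want["remark"]
        rules = _rules_by_seq(acl)
        for r in want.get("rules") or []:
            rules[r["sequence_num"]] = r             # assumption: same seq overwrites
        acl["rules"] = [rules[k] for k in sorted(rules)]
    return list(current.values()), removed


# Constructed test data: the "Using deleted" before state from the examples above.
ANY = {"any": True}
BEFORE = [
    {"name": "test", "rules": [
        {"sequence_num": 1, "action": "permit", "source": {"host": "22:22:22:22:22:22"},
         "destination": ANY, "vlan_id": 20},
        {"sequence_num": 2, "action": "permit", "source": ANY, "destination": ANY,
         "ethertype": {"value": "0x88cc"}, "remark": "LLDP"},
        {"sequence_num": 3, "action": "permit", "source": ANY,
         "destination": {"address": "00:00:10:00:00:00", "address_mask": "00:00:ff:ff:00:00"},
         "pcp": {"value": 4, "mask": 6}}]},
    {"name": "test1", "remark": "test_mac_acl", "rules": [
        {"sequence_num": 1, "action": "permit", "source": {"host": "11:11:11:11:11:11"},
         "destination": ANY, "vlan_id": 100},
        {"sequence_num": 2, "action": "deny", "source": ANY, "destination": ANY,
         "ethertype": {"ipv4": True}}]},
    {"name": "test2", "rules": [
        {"sequence_num": 1, "action": "permit", "source": {"host": "33:33:33:33:33:33"},
         "destination": {"host": "44:44:44:44:44:44"}}]},
]
# The "Using deleted" task above: one rule, one remark and one whole ACL.
DELETE_CONFIG = [{"name": "test", "rules": [{"sequence_num": 3}]},
                 {"name": "test1", "remark": "test_mac_acl"},
                 {"name": "test2"}]

if __name__ == "__main__":
    after, removed = apply_state(BEFORE, DELETE_CONFIG, "deleted")
    print("would remove:", removed)
    print("ACLs left:", [a["name"] for a in after])
```

In practice, feed the module's `before` return value from a check-mode run into `apply_state` together with the play's `config`, and fail the play if `removed` names an ACL you did not intend to lose.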

config:
    description:
    - Specifies Layer 2 ACL configurations.
    elements: dict
    suboptions:
      name:
        description:
        - Specifies the ACL name.
        required: true
        type: str
      remark:
        description:
        - Specifies remark for the ACL.
        type: str
      rules:
        description:
        - List of rules in the ACL.
        - I(sequence_num), I(action), I(source) & I(destination) are required for adding
          a new rule.
        - If I(state=deleted), options other than I(sequence_num) are not considered.
        - I(ethertype) and I(vlan_tag_format) are mutually exclusive.
        elements: dict
        suboptions:
          action:
            choices:
            - deny
            - discard
            - do-not-nat
            - permit
            - transit
            description:
            - Specifies the action taken on the matched Ethernet frame.
            type: str
          dei:
            choices:
            - 0
            - 1
            description:
            - Match Ethernet frame with the given Drop Eligible Indicator (DEI) value.
            type: int
          destination:
            description:
            - Specifies the destination of the Ethernet frame.
            - I(address) and I(address_mask) are required together.
            - I(any), I(host) and I(address) are mutually exclusive.
            suboptions:
              address:
                description:
                - Destination MAC address.
                type: str
              address_mask:
                description:
                - Destination MAC address mask.
                type: str
              any:
                description:
                - Match any destination MAC address.
                type: bool
              host:
                description:
                - MAC address of a single destination host.
                type: str
            type: dict
          ethertype:
            description:
            - Specifies the EtherType of the Ethernet frame.
            - Only one suboption can be specified for ethertype in a rule.
            suboptions:
              arp:
                description:
                - Match Ethernet frame with ARP EtherType (0x806).
                type: bool
              ipv4:
                description:
                - Match Ethernet frame with IPv4 EtherType (0x800).
                type: bool
              ipv6:
                description:
                - Match Ethernet frame with IPv6 EtherType (0x86DD).
                type: bool
              value:
                description:
                - Specifies the EtherType value to match as a hexadecimal string.
                - The range is from 0x600 to 0xffff.
                type: str
            type: dict
          pcp:
            description:
            - Match Ethernet frames using Priority Code Point (PCP) value.
            - I(mask) is valid only when I(value) is specified.
            - I(value) and I(traffic_type) are mutually exclusive.
            suboptions:
              mask:
                description:
                - Match Ethernet frame with given PCP value and mask.
                - The range is from 0 to 7.
                type: int
              traffic_type:
                choices:
                - be
                - bk
                - ee
                - ca
                - vi
                - vo
                - ic
                - nc
                description:
                - Match Ethernet frame with PCP value for the given traffic type.
                - C(be) - Match Ethernet frame with Best effort PCP (0).
                - C(bk) - Match Ethernet frame with Background PCP (1).
                - C(ee) - Match Ethernet frame with Excellent effort PCP (2).
                - C(ca) - Match Ethernet frame with Critical applications PCP (3).
                - C(vi) - Match Ethernet frame with Video, < 100 ms latency and jitter
                  PCP (4).
                - C(vo) - Match Ethernet frame with Voice, < 10 ms latency and jitter
                  PCP (5).
                - C(ic) - Match Ethernet frame with Internetwork control PCP (6).
                - C(nc) - Match Ethernet frame with Network control PCP (7).
                type: str
              value:
                description:
                - Match Ethernet frame with the given PCP value.
                - The range is from 0 to 7.
                type: int
            type: dict
          remark:
            description:
            - Specifies remark for the ACL rule.
            type: str
          sequence_num:
            description:
            - Specifies the sequence number of the rule.
            - The range is from 1 to 65535.
            required: true
            type: int
          source:
            description:
            - Specifies the source of the Ethernet frame.
            - I(address) and I(address_mask) are required together.
            - I(any), I(host) and I(address) are mutually exclusive.
            suboptions:
              address:
                description:
                - Source MAC address.
                type: str
              address_mask:
                description:
                - Source MAC address mask.
                type: str
              any:
                description:
                - Match any source MAC address.
                type: bool
              host:
                description:
                - MAC address of a single source host.
                type: str
            type: dict
          vlan_id:
            description:
            - Match Ethernet frame with the given VLAN ID.
            type: int
          vlan_tag_format:
            description:
            - Match Ethernet frame with the given VLAN tag format.
            suboptions:
              multi_tagged:
                description:
                - Match Ethernet frames carrying three or more VLAN tags.
                type: bool
            type: dict
        type: list
    type: list
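The constraints listed above for rules, source, destination, ethertype and pcp are enforced by the module at run time, but a rule that violates them is cheaper to catch before a play reaches the device. The Python below is an added example, not part of the collection: a pre-flight linter that applies those documented constraints to a candidate config list, for use in CI or a pre-task. The MAC address syntax check (colon-separated hex octets, as in the examples) is my assumption, as are the function names; GOOD_CONFIG is constructed from the merged example above.

```python
"""Pre-flight linter for a sonic_l2_acls `config` list, built from the option
constraints documented above. Added example, not part of the collection: run it
in CI or a pre-task so a malformed rule fails before the play touches the device."""
import re

ACTIONS = {"deny", "discard", "do-not-nat", "permit", "transit"}
TRAFFIC_TYPES = {"be", "bk", "ee", "ca", "vi", "vo", "ic", "nc"}
# Assumption: MAC addresses use the colon-separated octet form shown in the examples.
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def _check_endpoint(ep, label, where, errors):
    """source/destination: exactly one of any|host|address; address needs its mask."""
    if not isinstance(ep, dict):
        errors.append(f"{where}: {label} is required")
        return
    chosen = [k for k in ("any", "host", "address") if ep.get(k) not in (None, False)]
    if len(chosen) != 1:
        errors.append(f"{where}: {label} needs exactly one of any/host/address, got {chosen}")
    if ("address" in ep) != ("address_mask" in ep):
        errors.append(f"{where}: {label} address and address_mask are required together")
    for key in ("host", "address", "address_mask"):
        if key in ep and not MAC_RE.match(str(ep[key])):
            errors.append(f"{where}: {label}.{key} {ep[key]!r} is not a MAC address")


def _check_rule(rule, acl_name, state, errors):
    seq = rule.get("sequence_num")
    where = f"acl {acl_name} seq {seq}"
    if not isinstance(seq, int) or not 1 <= seq <= 65535:
        errors.append(f"acl {acl_name}: sequence_num {seq!r} must be an int in 1..65535")
    if state == "deleted":
        return                    # for deletion only sequence_num is considered
    if rule.get("action") not in ACTIONS:
        errors.append(f"{where}: action {rule.get('action')!r} not in {sorted(ACTIONS)}")
    _check_endpoint(rule.get("source"), "source", where, errors)
    _check_endpoint(rule.get("destination"), "destination", where, errors)
    if "dei" in rule and rule["dei"] not in (0, 1):
        errors.append(f"{where}: dei must be 0 or 1")
    if "ethertype" in rule and "vlan_tag_format" in rule:
        errors.append(f"{where}: ethertype and vlan_tag_format are mutually exclusive")
    et = rule.get("ethertype")
    if et is not None:
        keys = [k for k in ("arp", "ipv4", "ipv6", "value") if et.get(k) not in (None, False)]
        if len(keys) != 1:
            errors.append(f"{where}: ethertype takes exactly one suboption, got {keys}")
        if "value" in et:
            try:
                ok = 0x600 <= int(str(et["value"]), 16) <= 0xFFFF
            except ValueError:
                ok = False
            if not ok:
                errors.append(f"{where}: ethertype value {et['value']!r} must be hex in 0x600..0xffff")
    pcp = rule.get("pcp")
    if pcp is not None:
        if ("value" in pcp) == ("traffic_type" in pcp):
            errors.append(f"{where}: pcp needs exactly one of value/traffic_type")
        if "mask" in pcp and "value" not in pcp:
            errors.append(f"{where}: pcp mask is valid only together with value")
        for k in ("value", "mask"):
            if k in pcp and not (isinstance(pcp[k], int) and 0 <= pcp[k] <= 7):
                errors.append(f"{where}: pcp {k} must be an int in 0..7")
        if "traffic_type" in pcp and pcp["traffic_type"] not in TRAFFIC_TYPES:
            errors.append(f"{where}: pcp traffic_type {pcp['traffic_type']!r} is unknown")


def validate(config, state="merged"):
    """Return the list of problems found; an empty list means the config passes."""
    errors = []
    for acl in config or []:
        name = acl.get("name")
        if not name:
            errors.append("every ACL entry needs a name")
            continue
        for rule in acl.get("rules") or []:
            _check_rule(rule, name, state, errors)
    return errors


# Constructed input: the 'test' ACL rules from the merged example above.
GOOD_CONFIG = [{"name": "test", "rules": [
    {"sequence_num": 2, "action": "permit", "source": {"any": True},
     "destination": {"any": True}, "ethertype": {"value": "0x88cc"}, "remark": "LLDP"},
    {"sequence_num": 3, "action": "permit", "source": {"any": True},
     "destination": {"address": "00:00:10:00:00:00", "address_mask": "00:00:ff:ff:00:00"},
     "pcp": {"value": 4, "mask": 6}},
    {"sequence_num": 4, "action": "deny", "source": {"any": True},
     "destination": {"any": True}, "vlan_tag_format": {"multi_tagged": True}}]}]

if __name__ == "__main__":
    for problem in validate(GOOD_CONFIG) or ["config OK"]:
        print(problem)
```

Passing `state="deleted"` relaxes the checks to sequence_num only, matching the note above that other options are not considered for deletion; the linter does not know device-specific limits the page does not state (for example the accepted VLAN ID range), so a clean result means the input is well-formed, not that the device will accept it.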

Outputs

after:
  description: The resulting configuration after module invocation.
  returned: when changed
  sample: The configuration returned will always be in the same format as the parameters above.
  type: list
after(generated):
  description: The configuration that would result from module invocation.
  returned: when C(check_mode)
  sample: The configuration returned will always be in the same format as the parameters above.
  type: list
before:
  description: The configuration prior to the module invocation.
  returned: always
  sample: The configuration returned will always be in the same format as the parameters above.
  type: list
commands:
  description: The set of commands pushed to the remote device.
  returned: always
  sample:
  - command 1
  - command 2
  - command 3
  type: list