dellemc.enterprise_sonic.sonic_l3_acls (2.4.0) — module

Manage Layer 3 access control lists (ACL) configurations on SONiC

Added in version 2.1.0 of dellemc.enterprise_sonic.

Authors: Arun Saravanan Balachandran (@ArunSaravananBalachandran)

Install collection

Install with ansible-galaxy collection install dellemc.enterprise_sonic:==2.4.0


Add to requirements.yml

  # Exact version pin: installs resolve to this release of the collection only.
  collections:
    - name: dellemc.enterprise_sonic
      version: '2.4.0'

Description

This module provides configuration management of Layer 3 access control lists (ACL) in devices running SONiC.

Usage examples

# Using merged
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
#  seq 1 permit ip host 192.168.1.2 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
#  seq 1 permit ipv6 host 192:168:1::2 any
# sonic#

  # state=merged: the ACLs and rules below are added to what the device already
  # has. Entries that are not listed are left untouched (seq 1 of 'test' and
  # seq 1 of 'testv6' from the Before State still appear in the After State).
  - name: Merge provided Layer 3 ACL configurations
    dellemc.enterprise_sonic.sonic_l3_acls:
      state: merged
      config:
        - address_family: ipv4
          acls:
            # ACL 'test' already exists; three rules are added next to seq 1.
            - name: test
              rules:
                # ICMP type 8 is an echo request, permitted towards one host.
                - sequence_num: 2
                  action: permit
                  protocol:
                    name: icmp
                  source:
                    any: true
                  destination:
                    host: '192.168.1.2'
                  protocol_options:
                    icmp:
                      type: 8
                # Protocol chosen by number rather than name; the device shows
                # it as "deny 2 any any" (IANA protocol number 2 is IGMP).
                - sequence_num: 3
                  action: deny
                  protocol:
                    number: 2
                  source:
                    any: true
                  destination:
                    any: true
                # IPv4 deny for any source/destination, scoped to VLAN 10, with
                # a per-rule remark.
                - sequence_num: 4
                  action: deny
                  protocol:
                    name: ip
                  source:
                    any: true
                  destination:
                    any: true
                  vlan_id: 10
                  remark: Vlan10
            # ACL 'test1' is not on the device beforehand; it is created with an
            # ACL-level remark.
            - name: test1
              remark: test_ip_acl
              rules:
                - sequence_num: 1
                  action: permit
                  protocol:
                    name: tcp
                  source:
                    prefix: '10.0.0.0/8'
                  destination:
                    any: true
                # UDP towards 20.1.0.0/16 on destination ports above 1024.
                - sequence_num: 2
                  action: deny
                  protocol:
                    name: udp
                  source:
                    any: true
                  destination:
                    prefix: '20.1.0.0/16'
                    port_number:
                      gt: 1024
                # DSCP given as a raw value (0-63) instead of a named class.
                - sequence_num: 3
                  action: deny
                  protocol:
                    name: ip
                  source:
                    any: true
                  destination:
                    any: true
                  dscp:
                    value: 63
        - address_family: ipv6
          acls:
            - name: testv6
              rules:
                # NOTE(review): a blanket ICMPv6 deny also matches Neighbor
                # Discovery and Packet Too Big messages, which IPv6 relies on
                # (see RFC 4890); narrow it by type before reusing this rule.
                - sequence_num: 2
                  action: deny
                  protocol:
                    name: icmpv6
                  source:
                    any: true
                  destination:
                    any: true
            - name: testv6-1
              remark: test_ipv6_acl
              rules:
                # DSCP given as a named class (AF22).
                - sequence_num: 1
                  action: permit
                  protocol:
                    name: ipv6
                  source:
                    prefix: '1000::/16'
                  destination:
                    any: true
                  dscp:
                    af22: true
                # Destination port range; begin and end are given together.
                - sequence_num: 2
                  action: deny
                  protocol:
                    name: tcp
                  source:
                    any: true
                  destination:
                    prefix: '2000::1000:0/112'
                    port_number:
                      range:
                        begin: 100
                        end: 1000
                # Matches segments that belong to an established TCP session.
                - sequence_num: 3
                  action: permit
                  protocol:
                    name: tcp
                  source:
                    any: true
                  destination:
                    any: true
                  protocol_options:
                    tcp:
                      established: true
                # Port match on the source side (UDP source port 3000).
                - sequence_num: 4
                  action: deny
                  protocol:
                    name: udp
                  source:
                    any: true
                    port_number:
                      eq: 3000
                  destination:
                    any: true
# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
#  seq 1 permit ip host 192.168.1.2 any
#  seq 2 permit icmp any host 192.168.1.2 type 8
#  seq 3 deny 2 any any
#  seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
#  remark test_ip_acl
#  seq 1 permit tcp 10.0.0.0/8 any
#  seq 2 deny udp any 20.1.0.0/16 gt 1024
#  seq 3 deny ip any any dscp 63
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
#  seq 1 permit ipv6 host 192:168:1::2 any
#  seq 2 deny icmpv6 any any
# !
# ipv6 access-list testv6-1
#  remark test_ipv6_acl
#  seq 1 permit ipv6 1000::/16 any dscp af22
#  seq 2 deny tcp any 2000::1000:0/112 range 100 1000
#  seq 3 permit tcp any any established
#  seq 4 deny udp any eq 3000 any
# sonic#


# Using replaced
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
#  seq 1 permit ip host 192.168.1.2 any
#  seq 2 permit icmp any host 192.168.1.2 type 8
#  seq 3 deny 2 any any
#  seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
#  remark test_ip_acl
#  seq 1 permit tcp 10.0.0.0/8 any
#  seq 2 deny udp any 20.1.0.0/16 gt 1024
#  seq 3 deny ip any any dscp 63
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
#  seq 1 permit tcp host 3000::1 any established
#  seq 2 permit udp any any
#  seq 3 deny icmpv6 any any
# !
# ipv6 access-list testv6-1
#  remark test_ipv6_acl
#  seq 1 permit ipv6 1000::/16 any dscp af22
#  seq 2 deny tcp any 2000::1000:0/112 range 100 1000
#  seq 3 permit tcp any any established
#  seq 4 deny udp any eq 3000 any
# sonic#

  # state=replaced: only the ACLs named below are affected. 'test2' is not on
  # the device beforehand and is created; the three on-device rules of 'testv6'
  # are replaced by the two rules given here. ACLs that are not named keep
  # their rules.
  # NOTE(review): the Before State lists 'test' seq 2 with host 192.168.1.2 and
  # the After State with 192.168.1.3. This task never names ACL 'test', so the
  # difference is an inconsistency in the listings, not an effect of the task.
  - name: Replace device configuration of specified Layer 3 ACLs with provided configuration
    dellemc.enterprise_sonic.sonic_l3_acls:
      state: replaced
      config:
        - address_family: ipv4
          acls:
            - name: test2
              rules:
                - sequence_num: 1
                  action: permit
                  protocol:
                    name: tcp
                  source:
                    prefix: '192.168.1.0/24'
                  destination:
                    any: true
        - address_family: ipv6
          acls:
            - name: testv6
              rules:
                # Rendered on the device as "... any fin syn ack".
                # NOTE(review): SYN and FIN set in the same segment does not
                # occur in normal TCP exchanges, so read this permit rule as a
                # syntax illustration and confirm the intended flag match
                # before reusing it.
                - sequence_num: 1
                  action: permit
                  protocol:
                    name: tcp
                  source:
                    host: '3000::1'
                  destination:
                    any: true
                  protocol_options:
                    tcp:
                      ack: true
                      syn: true
                      fin: true
                - sequence_num: 2
                  action: deny
                  protocol:
                    name: ipv6
                  source:
                    any: true
                  destination:
                    any: true
# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
#  seq 1 permit ip host 192.168.1.2 any
#  seq 2 permit icmp any host 192.168.1.3 type 8
#  seq 3 deny 2 any any
#  seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
#  remark test_ip_acl
#  seq 1 permit tcp 10.0.0.0/8 any
#  seq 2 deny udp any 20.1.0.0/16 gt 1024
#  seq 3 deny ip any any dscp 63
# !
# ip access-list test2
#  seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
#  seq 1 permit tcp host 3000::1 any fin syn ack
#  seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
#  remark test_ipv6_acl
#  seq 1 permit ipv6 1000::/16 any dscp af22
#  seq 2 deny tcp any 2000::1000:0/112 range 100 1000
#  seq 3 permit tcp any any established
#  seq 4 deny udp any eq 3000 any
# sonic#


# Using overridden
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
#  seq 1 permit ip host 192.168.1.2 any
#  seq 2 permit icmp any host 192.168.1.3 type 8
#  seq 3 deny 2 any any
#  seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
#  remark test_ip_acl
#  seq 1 permit tcp 10.0.0.0/8 any
#  seq 2 deny udp any 20.1.0.0/16 gt 1024
#  seq 3 deny ip any any dscp 63
# !
# ip access-list test2
#  seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
#  seq 1 permit tcp 3000::/16 any
#  seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
#  remark test_ipv6_acl
#  seq 1 permit ipv6 1000::/16 any dscp af22
#  seq 2 deny tcp any 2000::1000:0/112 range 100 1000
#  seq 3 permit tcp any any established
#  seq 4 deny udp any eq 3000 any
# sonic#

  # state=overridden: the device ends up with exactly the ACLs listed here.
  # Every other Layer 3 ACL is removed, and that includes all IPv6 ACLs because
  # no 'ipv6' address family is listed (the After State shows an empty IPv6
  # list). Running the play with --check first and reading the returned
  # 'commands' and 'after(generated)' shows what would be removed.
  - name: Override device configuration of all Layer 3 ACLs with provided configuration
    dellemc.enterprise_sonic.sonic_l3_acls:
      state: overridden
      config:
        - address_family: ipv4
          acls:
            - name: test_acl
              rules:
                # Prefix-to-prefix match: both source and destination are
                # given as networks.
                - sequence_num: 1
                  action: permit
                  protocol:
                    name: ip
                  source:
                    prefix: '100.1.1.0/24'
                  destination:
                    prefix: '100.1.2.0/24'
                - sequence_num: 2
                  action: deny
                  protocol:
                    name: udp
                  source:
                    any: true
                  destination:
                    any: true
# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test_acl
#  seq 1 permit ip 100.1.1.0/24 100.1.2.0/24
#  seq 2 deny udp any any
# sonic#
# sonic# show running-configuration ipv6 access-list
# sonic#


# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
#  seq 1 permit ip host 192.168.1.2 any
#  seq 2 permit icmp any host 192.168.1.3 type 8
#  seq 3 deny 2 any any
#  seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
#  remark test_ip_acl
#  seq 1 permit tcp 10.0.0.0/8 any
#  seq 2 deny udp any 20.1.0.0/16 gt 1024
#  seq 3 deny ip any any dscp 63
# !
# ip access-list test2
#  seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
#  seq 1 permit tcp 3000::/16 any
#  seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
#  remark test_ipv6_acl
#  seq 1 permit ipv6 1000::/16 any dscp af22
#  seq 2 deny tcp any 2000::1000:0/112 range 100 1000
#  seq 3 permit tcp any any established
#  seq 4 deny udp any eq 3000 any
# sonic#

  # state=deleted with explicit entries removes only what is named:
  #   - an ACL listed with rules      -> those rules are removed, the ACL stays
  #   - an ACL listed by name only    -> the whole ACL is removed
  #   - an ACL listed with a remark   -> the ACL-level remark is removed
  # For rules, only sequence_num is considered in this state.
  - name: Delete specified Layer 3 ACLs, ACL remark and ACL rule entries
    dellemc.enterprise_sonic.sonic_l3_acls:
      state: deleted
      config:
        - address_family: ipv4
          acls:
            # Removes seq 2 from 'test'; seq 1, 3 and 4 remain.
            - name: test
              rules:
                - sequence_num: 2
            # Name only: ACL 'test2' is absent from the After State.
            - name: test2
        - address_family: ipv6
          acls:
            # Removes the remark and seq 3; the ACL and its other rules remain.
            - name: testv6-1
              remark: test_ipv6_acl
              rules:
                - sequence_num: 3
# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
#  seq 1 permit ip host 192.168.1.2 any
#  seq 3 deny 2 any any
#  seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
#  remark test_ip_acl
#  seq 1 permit tcp 10.0.0.0/8 any
#  seq 2 deny udp any 20.1.0.0/16 gt 1024
#  seq 3 deny ip any any dscp 63
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
#  seq 1 permit tcp 3000::/16 any
#  seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
#  seq 1 permit ipv6 1000::/16 any dscp af22
#  seq 2 deny tcp any 2000::1000:0/112 range 100 1000
#  seq 4 deny udp any eq 3000 any
# sonic#


# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
#  seq 1 permit ip host 192.168.1.2 any
#  seq 2 permit icmp any host 192.168.1.3 type 8
#  seq 3 deny 2 any any
#  seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
#  remark test_ip_acl
#  seq 1 permit tcp 10.0.0.0/8 any
#  seq 2 deny udp any 20.1.0.0/16 gt 1024
#  seq 3 deny ip any any dscp 63
# !
# ip access-list test2
#  seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
#  seq 1 permit tcp 3000::/16 any
#  seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
#  remark test_ipv6_acl
#  seq 1 permit ipv6 1000::/16 any dscp af22
#  seq 2 deny tcp any 2000::1000:0/112 range 100 1000
#  seq 3 permit tcp any any established
#  seq 4 deny udp any eq 3000 any
# sonic#

  # An address family listed without 'acls' removes every ACL of that family:
  # the After State shows no IPv4 ACLs while the IPv6 ACLs are unchanged.
  - name: Delete all Layer 3 ACLs for an address-family
    dellemc.enterprise_sonic.sonic_l3_acls:
      state: deleted
      config:
        - address_family: ipv4
# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
#  seq 1 permit tcp 3000::/16 any
#  seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
#  remark test_ipv6_acl
#  seq 1 permit ipv6 1000::/16 any dscp af22
#  seq 2 deny tcp any 2000::1000:0/112 range 100 1000
#  seq 3 permit tcp any any established
#  seq 4 deny udp any eq 3000 any
# sonic#


# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
#  seq 1 permit ip host 192.168.1.2 any
#  seq 2 permit icmp any host 192.168.1.3 type 8
#  seq 3 deny 2 any any
#  seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
#  remark test_ip_acl
#  seq 1 permit tcp 10.0.0.0/8 any
#  seq 2 deny udp any 20.1.0.0/16 gt 1024
#  seq 3 deny ip any any dscp 63
# !
# ip access-list test2
#  seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
#  seq 1 permit tcp 3000::/16 any
#  seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
#  remark test_ipv6_acl
#  seq 1 permit ipv6 1000::/16 any dscp af22
#  seq 2 deny tcp any 2000::1000:0/112 range 100 1000
#  seq 3 permit tcp any any established
#  seq 4 deny udp any eq 3000 any
# sonic#

  # 'config' is deliberately empty (null) here; combined with state=deleted the
  # task name describes the result as removal of all Layer 3 ACL configuration,
  # IPv4 and IPv6 alike. A --check run returns the 'commands' that would be
  # pushed, which is a cheap way to confirm the scope before applying.
  - name: Delete all Layer 3 ACL configurations
    dellemc.enterprise_sonic.sonic_l3_acls:
      state: deleted
      config: null

Inputs

    
state:
    choices:
    - merged
    - replaced
    - overridden
    - deleted
    default: merged
    description:
    - The state of the configuration after module completion.
    - C(merged) - Merges provided L3 ACL configuration with on-device configuration.
    - C(replaced) - Replaces on-device configuration of the specified L3 ACLs with provided
      configuration.
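    - C(overridden) - Overrides all on-device L3 ACL configurations with the provided
      configuration. On-device L3 ACLs that are absent from the provided configuration
      are removed, including ACLs of an address family that is not listed.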
    - C(deleted) - Deletes on-device L3 ACL configuration.
    type: str

config:
    description:
    - Specifies Layer 3 ACL configurations.
    elements: dict
    suboptions:
      acls:
        description:
        - List of ACL configuration for the given address family.
        elements: dict
        suboptions:
          name:
            description:
            - Specifies the ACL name.
            required: true
            type: str
          remark:
            description:
            - Specifies remark for the ACL.
            type: str
          rules:
            description:
            - List of rules in the ACL.
            - I(sequence_num), I(action), I(protocol), I(source) & I(destination) are
              required for adding a new rule.
            - If I(state=deleted), options other than I(sequence_num) are not considered.
            elements: dict
            suboptions:
              action:
                choices:
                - deny
                - discard
                - do-not-nat
                - permit
                - transit
                description:
                - Specifies the action taken on the matched packet.
                type: str
              destination:
                description:
                - Specifies the destination of the packet.
                - I(any), I(host) and I(prefix) are mutually exclusive.
                suboptions:
                  any:
                    description:
                    - Match any destination network address.
                    type: bool
                  host:
                    description:
                    - Network address of a single destination host.
                    type: str
                  port_number:
                    description:
                    - Specifies the destination port (valid only for TCP or UDP).
                    - Only one suboption can be specified for port_number in a rule.
                    suboptions:
                      eq:
                        description:
                        - Match packets with destination port equal to the given port
                          number.
                        - The range is from 0 to 65535.
                        type: int
                      gt:
                        description:
                        - Match packets with destination port greater than the given port
                          number.
                        - The range is from 0 to 65534.
                        type: int
                      lt:
                        description:
                        - Match packets with destination port less than the given port
                          number.
                        - The range is from 1 to 65535.
                        type: int
                      range:
                        description:
                        - Match packets with destination port in the given range.
                        - I(begin) and I(end) are required together.
                        suboptions:
                          begin:
                            description:
                            - Specifies the beginning of the port range.
                            - The range is from 0 to 65534.
                            type: int
                          end:
                            description:
                            - Specifies the end of the port range.
                            - The range is from 1 to 65535.
                            type: int
                        type: dict
                    type: dict
                  prefix:
                    description:
                    - Destination network prefix in the format A.B.C.D/mask (ipv4) or
                      A::B/mask (ipv6).
                    type: str
                type: dict
              dscp:
                description:
                - Match packets using DSCP value.
                - Only one suboption can be specified for dscp in a rule.
                suboptions:
                  af11:
                    description:
                    - Match packets with AF11 DSCP (001010 - Decimal value 10).
                    type: bool
                  af12:
                    description:
                    - Match packets with AF12 DSCP (001100 - Decimal value 12).
                    type: bool
                  af13:
                    description:
                    - Match packets with AF13 DSCP (001110 - Decimal value 14).
                    type: bool
                  af21:
                    description:
                    - Match packets with AF21 DSCP (010010 - Decimal value 18).
                    type: bool
                  af22:
                    description:
                    - Match packets with AF22 DSCP (010100 - Decimal value 20).
                    type: bool
                  af23:
                    description:
                    - Match packets with AF23 DSCP (010110 - Decimal value 22).
                    type: bool
                  af31:
                    description:
                    - Match packets with AF31 DSCP (011010 - Decimal value 26).
                    type: bool
                  af32:
                    description:
                    - Match packets with AF32 DSCP (011100 - Decimal value 28).
                    type: bool
                  af33:
                    description:
                    - Match packets with AF33 DSCP (011110 - Decimal value 30).
                    type: bool
                  af41:
                    description:
                    - Match packets with AF41 DSCP (100010 - Decimal value 34).
                    type: bool
                  af42:
                    description:
                    - Match packets with AF42 DSCP (100100 - Decimal value 36).
                    type: bool
                  af43:
                    description:
                    - Match packets with AF43 DSCP (100110 - Decimal value 38).
                    type: bool
                  cs1:
                    description:
                    - Match packets with CS1 DSCP (001000 - Decimal value 8).
                    type: bool
                  cs2:
                    description:
                    - Match packets with CS2 DSCP (010000 - Decimal value 16).
                    type: bool
                  cs3:
                    description:
                    - Match packets with CS3 DSCP (011000 - Decimal value 24).
                    type: bool
                  cs4:
                    description:
                    - Match packets with CS4 DSCP (100000 - Decimal value 32).
                    type: bool
                  cs5:
                    description:
                    - Match packets with CS5 DSCP (101000 - Decimal value 40).
                    type: bool
                  cs6:
                    description:
                    - Match packets with CS6 DSCP (110000 - Decimal value 48).
                    type: bool
                  cs7:
                    description:
                    - Match packets with CS7 DSCP (111000 - Decimal value 56).
                    type: bool
                  default:
                    description:
                    - Match packets with CS0 DSCP (000000 - Decimal value 0).
                    type: bool
                  ef:
                    description:
                    - Match packets with EF DSCP (101110 - Decimal value 46).
                    type: bool
                  value:
                    description:
                    - Match packets with given DSCP value.
                    - The range is from 0 to 63.
                    type: int
                  voice_admit:
                    description:
                    - Match packets with VOICE-ADMIT DSCP (101100 - Decimal value 44).
                    type: bool
                type: dict
              protocol:
                description:
                - Specifies the protocol to match.
                - Only one suboption can be specified for protocol in a rule.
                suboptions:
                  name:
                    choices:
                    - ip
                    - ipv6
                    - icmp
                    - icmpv6
                    - tcp
                    - udp
                    description:
                    - Match packets with the given protocol.
                    - C(ip) - Match any IPv4 packets.
                    - C(ipv6) - Match any IPv6 packets.
                    - C(icmp) - Match ICMP packets.
                    - C(icmpv6) - Match ICMPv6 packets.
                    - C(tcp) - Match TCP packets.
                    - C(udp) - Match UDP packets.
                    - C(ip) and C(icmp) are valid only for IPv4 ACLs.
                    - C(ipv6) and C(icmpv6) are valid only for IPv6 ACLs.
                    type: str
                  number:
                    description:
                    - Match packets with given protocol number.
                    - The range is from 0 to 255.
                    type: int
                type: dict
              protocol_options:
                description:
                - Specifies the additional packet match options for the chosen protocol.
                - I(icmp), I(icmpv6) and I(tcp) are mutually exclusive.
                suboptions:
                  icmp:
                    description:
                    - Packet match options for ICMP.
                    suboptions:
                      code:
                        description:
                        - Match packets with given ICMP code.
                        - The range is from 0 to 255.
                        type: int
                      type:
                        description:
                        - Match packets with given ICMP type.
                        - The range is from 0 to 255.
                        type: int
                    type: dict
                  icmpv6:
                    description:
                    - Packet match options for ICMPv6.
                    suboptions:
                      code:
                        description:
                        - Match packets with given ICMPv6 code.
                        - The range is from 0 to 255.
                        type: int
                      type:
                        description:
                        - Match packets with given ICMPv6 type.
                        - The range is from 0 to 255.
                        type: int
                    type: dict
                  tcp:
                    description:
                    - Packet match options for TCP.
                    - I(established) and other TCP flag options are mutually exclusive.
                    suboptions:
                      ack:
                        description:
                        - Match packets with ACK flag set.
                        type: bool
                      established:
                        description:
                        - Match packets which are part of established TCP session.
                        type: bool
                      fin:
                        description:
                        - Match packets with FIN flag set.
                        type: bool
                      not_ack:
                        description:
                        - Match packets with ACK flag cleared.
                        type: bool
                      not_fin:
                        description:
                        - Match packets with FIN flag cleared.
                        type: bool
                      not_psh:
                        description:
                        - Match packets with PSH flag cleared.
                        type: bool
                      not_rst:
                        description:
                        - Match packets with RST flag cleared.
                        type: bool
                      not_syn:
                        description:
                        - Match packets with SYN flag cleared.
                        type: bool
                      not_urg:
                        description:
                        - Match packets with URG flag cleared.
                        type: bool
                      psh:
                        description:
                        - Match packets with PSH flag set.
                        type: bool
                      rst:
                        description:
                        - Match packets with RST flag set.
                        type: bool
                      syn:
                        description:
                        - Match packets with SYN flag set.
                        type: bool
                      urg:
                        description:
                        - Match packets with URG flag set.
                        type: bool
                    type: dict
                type: dict
              remark:
                description:
                - Specifies remark for the ACL rule.
                type: str
              sequence_num:
                description:
                - Specifies the sequence number of the rule.
                - The range is from 1 to 65535.
                required: true
                type: int
              source:
                description:
                - Specifies the source of the packet.
                - I(any), I(host) and I(prefix) are mutually exclusive.
                suboptions:
                  any:
                    description:
                    - Match any source network address.
                    type: bool
                  host:
                    description:
                    - Network address of a single source host.
                    type: str
                  port_number:
                    description:
                    - Specifies the source port (valid only for TCP or UDP).
                    - Only one suboption can be specified for port_number in a rule.
                    suboptions:
                      eq:
                        description:
                        - Match packets with source port equal to the given port number.
                        - The range is from 0 to 65535.
                        type: int
                      gt:
                        description:
                        - Match packets with source port greater than the given port number.
                        - The range is from 0 to 65534.
                        type: int
                      lt:
                        description:
                        - Match packets with source port less than the given port number.
                        - The range is from 1 to 65535.
                        type: int
                      range:
                        description:
                        - Match packets with source port in the given range.
                        - I(begin) and I(end) are required together.
                        suboptions:
                          begin:
                            description:
                            - Specifies the beginning of the port range.
                            - The range is from 0 to 65534.
                            type: int
                          end:
                            description:
                            - Specifies the end of the port range.
                            - The range is from 1 to 65535.
                            type: int
                        type: dict
                    type: dict
                  prefix:
                    description:
                    - Source network prefix in the format A.B.C.D/mask (ipv4) or A::B/mask
                      (ipv6).
                    type: str
                type: dict
              vlan_id:
                description:
                - Match packets with the given VLAN ID value.
                type: int
            type: list
        type: list
      address_family:
        choices:
        - ipv4
        - ipv6
        description:
        - Specifies the address family of the ACLs.
        required: true
        type: str
    type: list

Outputs

after:
  description: The resulting configuration after module invocation.
  returned: when changed
  sample: "The configuration returned will always be in the same format\n of the parameters\
    \ above.\n"
  type: list
after(generated):
  description: The configuration generated by module invocation.
  returned: when C(check_mode)
  sample: "The configuration returned will always be in the same format\n of the parameters\
    \ above.\n"
  type: list
before:
  description: The configuration prior to the module invocation.
  returned: always
  sample: "The configuration returned will always be in the same format\n of the parameters\
    \ above.\n"
  type: list
commands:
  description: The set of commands pushed to the remote device.
  returned: always
  sample:
  - command 1
  - command 2
  - command 3
  type: list