| Parameter |
Choices/Defaults |
Comments |
|
config
list
/ elements=dictionary
|
|
A list of ACL configuration options.
|
|
acls
list
/ elements=dictionary
|
|
A list of Access Control Lists (ACL) attributes.
|
|
|
aces
list
/ elements=dictionary
|
|
The entries within the ACL.
|
|
|
|
destination
dictionary
|
|
Specify the packet destination.
|
|
|
|
|
address
string
|
|
Host address to match, or any single host address.
|
|
|
|
|
any
boolean
|
|
Match any source address.
|
|
|
|
|
host
string
|
|
A single destination host
|
|
|
|
|
object_group
string
|
|
Destination network object group
|
|
|
|
|
port_protocol
dictionary
|
|
Specify the destination port along with protocol.
Note, Valid with TCP/UDP protocol_options
|
|
|
|
|
|
eq
string
|
|
Match only packets on a given port number.
|
|
|
|
|
|
gt
string
|
|
Match only packets with a greater port number.
|
|
|
|
|
|
lt
string
|
|
Match only packets with a lower port number.
|
|
|
|
|
|
neq
string
|
|
Match only packets not on a given port number.
|
|
|
|
|
|
range
dictionary
|
|
Port group.
|
|
|
|
|
|
|
end
integer
|
|
Specify the end of the port range.
|
|
|
|
|
|
|
start
integer
|
|
Specify the start of the port range.
|
|
|
|
|
wildcard_bits
string
|
|
Destination wildcard bits, valid with IPV4 address.
|
|
|
|
dscp
string
|
|
Match packets with given dscp value.
|
|
|
|
enable_fragments
boolean
|
|
Enable non-initial fragments.
|
|
|
|
evaluate
string
|
|
Evaluate an access list
|
|
|
|
fragments
string
|
|
Check non-initial fragments.
This option is DEPRECATED and is replaced with enable_fragments which accepts bool as input this attribute will be removed after 2024-01-01.
|
|
|
|
grant
string
|
|
Specify the action.
|
|
|
|
log
dictionary
|
|
Log matches against this entry.
|
|
|
|
|
set
boolean
|
|
Enable Log matches against this entry
|
|
|
|
|
user_cookie
string
|
|
User defined cookie (max of 64 char)
|
|
|
|
log_input
dictionary
|
|
Log matches against this entry, including input interface.
|
|
|
|
|
set
boolean
|
|
Enable Log matches against this entry, including input interface.
|
|
|
|
|
user_cookie
string
|
|
User defined cookie (max of 64 char)
|
|
|
|
option
dictionary
|
|
Match packets with given IP Options value.
Valid only for named acls.
|
|
|
|
|
add_ext
boolean
|
|
Match packets with Address Extension Option (147).
|
|
|
|
|
any_options
boolean
|
|
Match packets with ANY Option.
|
|
|
|
|
com_security
boolean
|
|
Match packets with Commercial Security Option (134).
|
|
|
|
|
dps
boolean
|
|
Match packets with Dynamic Packet State Option (151).
|
|
|
|
|
encode
boolean
|
|
Match packets with Encode Option (15).
|
|
|
|
|
eool
boolean
|
|
Match packets with End of Options (0).
|
|
|
|
|
ext_ip
boolean
|
|
Match packets with Extended IP Option (145).
|
|
|
|
|
ext_security
boolean
|
|
Match packets with Extended Security Option (133).
|
|
|
|
|
finn
boolean
|
|
Match packets with Experimental Flow Control Option (205).
|
|
|
|
|
imitd
boolean
|
|
Match packets with IMI Traffic Desriptor Option (144).
|
|
|
|
|
lsr
boolean
|
|
Match packets with Loose Source Route Option (131).
|
|
|
|
|
mtup
boolean
|
|
Match packets with MTU Probe Option (11).
|
|
|
|
|
mtur
boolean
|
|
Match packets with MTU Reply Option (12).
|
|
|
|
|
no_op
boolean
|
|
Match packets with No Operation Option (1).
|
|
|
|
|
nsapa
boolean
|
|
Match packets with NSAP Addresses Option (150).
|
|
|
|
|
record_route
boolean
|
|
Match packets with Record Route Option (7).
|
|
|
|
|
router_alert
boolean
|
|
Match packets with Router Alert Option (148).
|
|
|
|
|
sdb
boolean
|
|
Match packets with Selective Directed Broadcast Option (149).
|
|
|
|
|
security
boolean
|
|
Match packets with Basic Security Option (130).
|
|
|
|
|
ssr
boolean
|
|
Match packets with Strict Source Routing Option (137).
|
|
|
|
|
stream_id
boolean
|
|
Match packets with Stream ID Option (136).
|
|
|
|
|
timestamp
boolean
|
|
Match packets with Time Stamp Option (68).
|
|
|
|
|
traceroute
boolean
|
|
Match packets with Trace Route Option (82).
|
|
|
|
|
ump
boolean
|
|
Match packets with Upstream Multicast Packet Option (152).
|
|
|
|
|
visa
boolean
|
|
Match packets with Experimental Access Control Option (142).
|
|
|
|
|
zsu
boolean
|
|
Match packets with Experimental Measurement Option (10).
|
|
|
|
precedence
string
|
|
Match packets with given precedence value.
|
|
|
|
protocol
string
|
|
Specify the protocol to match.
Refer to vendor documentation for valid values.
|
|
|
|
protocol_options
dictionary
|
|
protocol type.
|
|
|
|
|
ahp
boolean
|
|
Authentication Header Protocol.
|
|
|
|
|
eigrp
boolean
|
|
Cisco's EIGRP routing protocol.
|
|
|
|
|
esp
boolean
|
|
Encapsulation Security Payload.
|
|
|
|
|
gre
boolean
|
|
Cisco's GRE tunneling.
|
|
|
|
|
hbh
boolean
|
|
Hop by Hop options header. Valid for IPV6
|
|
|
|
|
icmp
dictionary
|
|
Internet Control Message Protocol.
|
|
|
|
|
|
administratively_prohibited
boolean
|
|
Administratively prohibited
|
|
|
|
|
|
alternate_address
boolean
|
|
Alternate address
|
|
|
|
|
|
conversion_error
boolean
|
|
Datagram conversion
|
|
|
|
|
|
dod_host_prohibited
boolean
|
|
Host prohibited
|
|
|
|
|
|
dod_net_prohibited
boolean
|
|
Net prohibited
|
|
|
|
|
|
echo
boolean
|
|
Echo (ping)
|
|
|
|
|
|
echo_reply
boolean
|
|
Echo reply
|
|
|
|
|
|
general_parameter_problem
boolean
|
|
Parameter problem
|
|
|
|
|
|
host_isolated
boolean
|
|
Host isolated
|
|
|
|
|
|
host_precedence_unreachable
boolean
|
|
Host unreachable for precedence
|
|
|
|
|
|
host_redirect
boolean
|
|
Host redirect
|
|
|
|
|
|
host_tos_redirect
boolean
|
|
Host redirect for TOS
|
|
|
|
|
|
host_tos_unreachable
boolean
|
|
Host unreachable for TOS
|
|
|
|
|
|
host_unknown
boolean
|
|
Host unknown
|
|
|
|
|
|
host_unreachable
boolean
|
|
Host unreachable
|
|
|
|
|
|
information_reply
boolean
|
|
Information replies
|
|
|
|
|
|
information_request
boolean
|
|
Information requests
|
|
|
|
|
|
mask_reply
boolean
|
|
Mask replies
|
|
|
|
|
|
mask_request
boolean
|
|
mask_request
|
|
|
|
|
|
mobile_redirect
boolean
|
|
Mobile host redirect
|
|
|
|
|
|
net_redirect
boolean
|
|
Network redirect
|
|
|
|
|
|
net_tos_redirect
boolean
|
|
Net redirect for TOS
|
|
|
|
|
|
net_tos_unreachable
boolean
|
|
Network unreachable for TOS
|
|
|
|
|
|
net_unreachable
boolean
|
|
Net unreachable
|
|
|
|
|
|
network_unknown
boolean
|
|
Network unknown
|
|
|
|
|
|
no_room_for_option
boolean
|
|
Parameter required but no room
|
|
|
|
|
|
option_missing
boolean
|
|
Parameter required but not present
|
|
|
|
|
|
packet_too_big
boolean
|
|
Fragmentation needed and DF set
|
|
|
|
|
|
parameter_problem
boolean
|
|
All parameter problems
|
|
|
|
|
|
port_unreachable
boolean
|
|
Port unreachable
|
|
|
|
|
|
precedence_unreachable
boolean
|
|
Precedence cutoff
|
|
|
|
|
|
protocol_unreachable
boolean
|
|
Protocol unreachable
|
|
|
|
|
|
reassembly_timeout
boolean
|
|
Reassembly timeout
|
|
|
|
|
|
redirect
boolean
|
|
All redirects
|
|
|
|
|
|
router_advertisement
boolean
|
|
Router discovery advertisements
|
|
|
|
|
|
router_solicitation
boolean
|
|
Router discovery solicitations
|
|
|
|
|
|
source_quench
boolean
|
|
Source quenches
|
|
|
|
|
|
source_route_failed
boolean
|
|
Source route failed
|
|
|
|
|
|
time_exceeded
boolean
|
|
All time exceededs
|
|
|
|
|
|
timestamp_reply
boolean
|
|
Timestamp replies
|
|
|
|
|
|
timestamp_request
boolean
|
|
Timestamp requests
|
|
|
|
|
|
traceroute
boolean
|
|
Traceroute
|
|
|
|
|
|
ttl_exceeded
boolean
|
|
TTL exceeded
|
|
|
|
|
|
unreachable
boolean
|
|
All unreachables
|
|
|
|
|
igmp
dictionary
|
|
Internet Gateway Message Protocol.
|
|
|
|
|
|
dvmrp
boolean
|
|
Distance Vector Multicast Routing Protocol(2)
|
|
|
|
|
|
host_query
boolean
|
|
IGMP Membership Query(0)
|
|
|
|
|
|
mtrace_resp
boolean
|
|
Multicast Traceroute Response(7)
|
|
|
|
|
|
mtrace_route
boolean
|
|
Multicast Traceroute(8)
|
|
|
|
|
|
pim
boolean
|
|
Protocol Independent Multicast(3)
|
|
|
|
|
|
trace
boolean
|
|
Multicast trace(4)
|
|
|
|
|
|
v1host_report
boolean
|
|
IGMPv1 Membership Report(1)
|
|
|
|
|
|
v2host_report
boolean
|
|
IGMPv2 Membership Report(5)
|
|
|
|
|
|
v2leave_group
boolean
|
|
IGMPv2 Leave Group(6)
|
|
|
|
|
|
v3host_report
boolean
|
|
IGMPv3 Membership Report(9)
|
|
|
|
|
ip
boolean
|
|
Any Internet Protocol.
|
|
|
|
|
ipinip
boolean
|
|
IP in IP tunneling.
|
|
|
|
|
ipv6
boolean
|
|
Any IPv6.
|
|
|
|
|
nos
boolean
|
|
KA9Q NOS compatible IP over IP tunneling.
|
|
|
|
|
ospf
boolean
|
|
OSPF routing protocol.
|
|
|
|
|
pcp
boolean
|
|
Payload Compression Protocol.
|
|
|
|
|
pim
boolean
|
|
Protocol Independent Multicast.
|
|
|
|
|
protocol_number
integer
|
|
An IP protocol number
|
|
|
|
|
sctp
boolean
|
|
Stream Control Transmission Protocol.
|
|
|
|
|
tcp
dictionary
|
|
Match TCP packet flags
|
|
|
|
|
|
ack
boolean
|
|
Match on the ACK bit
|
|
|
|
|
|
established
boolean
|
|
Match established connections
|
|
|
|
|
|
fin
boolean
|
|
Match on the FIN bit
|
|
|
|
|
|
psh
boolean
|
|
Match on the PSH bit
|
|
|
|
|
|
rst
boolean
|
|
Match on the RST bit
|
|
|
|
|
|
syn
boolean
|
|
Match on the SYN bit
|
|
|
|
|
|
urg
boolean
|
|
Match on the URG bit
|
|
|
|
|
udp
boolean
|
|
User Datagram Protocol.
|
|
|
|
remarks
list
/ elements=string
|
|
The remarks/description of the ACL.
The remarks attribute used within an ace with or without a sequence number will produce remarks that are pushed before the ace entry.
Remarks entry used as the only key in as the list option will produce non ace specific remarks, these remarks would be pushed at the end of all the aces for an acl.
Remarks is treated a block, for every single remarks updated for an ace all the remarks are negated and added back to maintain the order of remarks mentioned.
As the appliance deletes all the remarks once the ace is updated, the set of remarks would be re-applied that is an expected behavior.
|
|
|
|
sequence
integer
|
|
Sequence Number for the Access Control Entry(ACE).
Refer to vendor documentation for valid values.
|
|
|
|
source
dictionary
|
|
Specify the packet source.
|
|
|
|
|
address
string
|
|
Source network address.
|
|
|
|
|
any
boolean
|
|
Match any source address.
|
|
|
|
|
host
string
|
|
A single source host
|
|
|
|
|
object_group
string
|
|
Source network object group
|
|
|
|
|
port_protocol
dictionary
|
|
Specify the source port along with protocol.
Note, Valid with TCP/UDP protocol_options
|
|
|
|
|
|
eq
string
|
|
Match only packets on a given port number.
|
|
|
|
|
|
gt
string
|
|
Match only packets with a greater port number.
|
|
|
|
|
|
lt
string
|
|
Match only packets with a lower port number.
|
|
|
|
|
|
neq
string
|
|
Match only packets not on a given port number.
|
|
|
|
|
|
range
dictionary
|
|
Port group.
|
|
|
|
|
|
|
end
integer
|
|
Specify the end of the port range.
|
|
|
|
|
|
|
start
integer
|
|
Specify the start of the port range.
|
|
|
|
|
wildcard_bits
string
|
|
Source wildcard bits, valid with IPV4 address.
|
|
|
|
time_range
string
|
|
Specify a time-range.
|
|
|
|
tos
dictionary
|
|
Match packets with given TOS value.
Note, DSCP and TOS are mutually exclusive
|
|
|
|
|
max_reliability
boolean
|
|
Match packets with max reliable TOS (2).
|
|
|
|
|
max_throughput
boolean
|
|
Match packets with max throughput TOS (4).
|
|
|
|
|
min_delay
boolean
|
|
Match packets with min delay TOS (8).
|
|
|
|
|
min_monetary_cost
boolean
|
|
Match packets with min monetary cost TOS (1).
|
|
|
|
|
normal
boolean
|
|
Match packets with normal TOS (0).
|
|
|
|
|
service_value
integer
|
|
Type of service value
|
|
|
|
ttl
dictionary
|
|
Match packets with given TTL value.
|
|
|
|
|
eq
integer
|
|
Match only packets on a given TTL number.
|
|
|
|
|
gt
integer
|
|
Match only packets with a greater TTL number.
|
|
|
|
|
lt
integer
|
|
Match only packets with a lower TTL number.
|
|
|
|
|
neq
integer
|
|
Match only packets not on a given TTL number.
|
|
|
|
|
range
dictionary
|
|
Match only packets in the range of TTLs.
|
|
|
|
|
|
end
integer
|
|
Specify the end of the port range.
|
|
|
|
|
|
start
integer
|
|
Specify the start of the port range.
|
|
|
acl_type
string
|
Choices:
- extended
- standard
|
ACL type
Note, it's mandatory and required for Named ACL, but for Numbered ACL it's not mandatory.
|
|
|
name
string
/ required
|
|
The name or the number of the ACL.
|
|
afi
string
/ required
|
|
The Address Family Indicator (AFI) for the Access Control Lists (ACL).
|
|
running_config
string
|
|
This option is used only with state parsed.
The value of this option should be the output received from the IOS device by executing the command sh access-list.
The state parsed reads the configuration from running_config option and transforms it into Ansible structured data as per the resource module's argspec and the value is then returned in the parsed key within the result.
|
|
state
string
|
Choices:
merged ← - replaced
- overridden
- deleted
- gathered
- rendered
- parsed
|
The state the configuration should be left in
The state merged is the default state which merges the want and have config, but for ACL module as the IOS platform doesn't allow update of ACE over an pre-existing ACE sequence in ACL, same way ACLs resource module will error out for respective scenario and only addition of new ACE over new sequence will be allowed with merge state.
The states rendered, gathered and parsed does not perform any change on the device.
The state rendered will transform the configuration in config option to platform specific CLI commands which will be returned in the rendered key within the result. For state rendered active connection to remote host is not required.
The state gathered will fetch the running configuration from device and transform it into structured data in the format as per the resource module argspec and the value is returned in the gathered key within the result.
The state parsed reads the configuration from running_config option and transforms it into JSON format as per the resource module parameters and the value is returned in the parsed key within the result. The value of running_config option should be the same format as the output of commands sh running-config | section access-list for all acls related information and sh access-lists | include access list to obtain configuration specific of an empty acls, the following commands are executed on device. Config data from both the commands should be kept together one after another for the parsers to pick the commands correctly. For state parsed active connection to remote host is not required.
The state overridden, modify/add the ACLs defined, deleted all other ACLs.
The state replaced, modify/add only the ACEs of the ACLs defined only. It does not perform any other change on the device.
The state deleted, deletes only the specified ACLs, or all if not specified.
|