.. _cisco.iosxr.iosxr_acls_module:
**********************
cisco.iosxr.iosxr_acls
**********************
**Resource module to configure ACLs.**
Version added: 1.0.0
.. contents::
   :local:
   :depth: 1
Synopsis
--------
- This module manages Access Control Lists (ACLs) on devices running IOS-XR.
Parameters
----------
- ``config`` (list / elements=dictionary): A list of dictionaries specifying ACL configurations.

  - ``acls`` (list / elements=dictionary): A list of Access Control Lists (ACLs).

    - ``aces`` (list / elements=dictionary): List of Access Control Entries (ACEs) for this Access Control List (ACL).

      - ``authen`` (boolean): Match if authentication header is present.
      - ``capture`` (boolean): Capture matched packet.
      - ``destination`` (dictionary): Specifies the packet destination.

        - ``address`` (string): The destination IP address to match.
        - ``any`` (boolean): Match any destination address.
        - ``host`` (string): The host IP address to match.
        - ``net_group`` (string): Name of net-group.
        - ``port_group`` (string): Name of port-group.
        - ``port_protocol`` (dictionary): Specify the source port or protocol.

          - ``eq`` (string): Match only packets on a given port number.
          - ``gt`` (string): Match only packets with a greater port number.
          - ``lt`` (string): Match only packets with a lower port number.
          - ``neq`` (string): Match only packets not on a given port number.
          - ``range`` (dictionary): Match only packets in the range of port numbers.

            - ``end`` (string): Specify the end of the port range.
            - ``start`` (string): Specify the start of the port range.

        - ``prefix`` (string): Destination network prefix.
        - ``wildcard_bits`` (string): The wildcard bits to apply to the destination address.

      - ``destopts`` (boolean): Match if destination opts header is present.
      - ``dscp`` (dictionary): Match packets with given DSCP value.

        - ``eq`` (string): Match only packets on a given DSCP value.
        - ``gt`` (string): Match only packets with a greater DSCP value.
        - ``lt`` (string): Match only packets with a lower DSCP value.
        - ``neq`` (string): Match only packets not on a given DSCP value.
        - ``range`` (dictionary): Match only packets in the range of DSCP values.

          - ``end`` (string): End of the DSCP range.
          - ``start`` (string): Start of the DSCP range.

      - ``fragments`` (boolean): Check non-initial fragments.
      - ``grant`` (string): Forward or drop packets matching the Access Control Entry (ACE).
      - ``hop_by_hop`` (boolean): Match if hop-by-hop opts header is present.
      - ``icmp_off`` (boolean): Enable/disable the ICMP message for this entry.
      - ``line`` (string, aliases: ``ace``): An ACE excluding the sequence number.
        This key is mutually exclusive with all the other attributes except ``sequence``.
        When used with other attributes, the value of this key takes precedence and the other keys are ignored.
        This should only be used when an attribute does not exist in the argspec but is valid for the device.
        For fact gathering, any ACE that is not fully parsed will show up as the value of this attribute, excluding the sequence number, which will be populated as the value of the ``sequence`` key.
      - ``log`` (boolean): Enable/disable log matches against this entry.
      - ``log_input`` (boolean): Enable/disable log matches against this entry, including input interface.
      - ``packet_length`` (dictionary): Match packets given packet length.

        - ``eq`` (integer): Match only packets on a given packet length.
        - ``gt`` (integer): Match only packets with a greater packet length.
        - ``lt`` (integer): Match only packets with a lower packet length.
        - ``neq`` (integer): Match only packets not on a given packet length.
        - ``range`` (dictionary): Match only packets in the range of packet lengths.

          - ``end`` (integer): End of the packet length range.
          - ``start`` (integer): Start of the packet length range.

      - ``precedence`` (string): Match packets with given precedence value.
      - ``protocol`` (string): Specify the protocol to match. Refer to vendor documentation for valid values.
      - ``protocol_options`` (dictionary): Additional suboptions for the protocol.

        - ``icmp`` (dictionary): Internet Control Message Protocol settings.

          - ``administratively_prohibited`` (boolean): Administratively prohibited.
          - ``alternate_address`` (boolean): Alternate address.
          - ``conversion_error`` (boolean): Datagram conversion.
          - ``dod_host_prohibited`` (boolean): Host prohibited.
          - ``dod_net_prohibited`` (boolean): Net prohibited.
          - ``echo`` (boolean): Echo (ping).
          - ``echo_reply`` (boolean): Echo reply.
          - ``general_parameter_problem`` (boolean): Parameter problem.
          - ``host_isolated`` (boolean): Host isolated.
          - ``host_precedence_unreachable`` (boolean): Host unreachable for precedence.
          - ``host_redirect`` (boolean): Host redirect.
          - ``host_tos_redirect`` (boolean): Host redirect for TOS.
          - ``host_tos_unreachable`` (boolean): Host unreachable for TOS.
          - ``host_unknown`` (boolean): Host unknown.
          - ``host_unreachable`` (boolean): Host unreachable.
          - ``information_reply`` (boolean): Information replies.
          - ``information_request`` (boolean): Information requests.
          - ``mask_reply`` (boolean): Mask replies.
          - ``mask_request`` (boolean): Mask requests.
          - ``mobile_redirect`` (boolean): Mobile host redirect.
          - ``net_redirect`` (boolean): Network redirect.
          - ``net_tos_redirect`` (boolean): Net redirect for TOS.
          - ``net_tos_unreachable`` (boolean): Network unreachable for TOS.
          - ``net_unreachable`` (boolean): Net unreachable.
          - ``network_unknown`` (boolean): Network unknown.
          - ``no_room_for_option`` (boolean): Parameter required but no room.
          - ``option_missing`` (boolean): Parameter required but not present.
          - ``packet_too_big`` (boolean): Fragmentation needed and DF set.
          - ``parameter_problem`` (boolean): All parameter problems.
          - ``port_unreachable`` (boolean): Port unreachable.
          - ``precedence_unreachable`` (boolean): Precedence cutoff.
          - ``protocol_unreachable`` (boolean): Protocol unreachable.
          - ``reassembly_timeout`` (boolean): Reassembly timeout.
          - ``redirect`` (boolean): All redirects.
          - ``router_advertisement`` (boolean): Router discovery advertisements.
          - ``router_solicitation`` (boolean): Router discovery solicitations.
          - ``source_quench`` (boolean): Source quenches.
          - ``source_route_failed`` (boolean): Source route failed.
          - ``time_exceeded`` (boolean): All time exceededs.
          - ``timestamp_reply`` (boolean): Timestamp replies.
          - ``timestamp_request`` (boolean): Timestamp requests.
          - ``traceroute`` (boolean): Traceroute.
          - ``ttl_exceeded`` (boolean): TTL exceeded.
          - ``unreachable`` (boolean): All unreachables.

        - ``icmpv6`` (dictionary): Internet Control Message Protocol settings for IPv6.

          - ``address_unreachable`` (boolean): Address Unreachable.
          - ``administratively_prohibited`` (boolean): Administratively Prohibited.
          - ``beyond_scope_of_source_address`` (boolean): Administratively Prohibited.
          - ``destination_unreachable`` (boolean): Destination Unreachable.
          - ``echo`` (boolean): Echo.
          - ``echo_reply`` (boolean): Echo Reply.
          - ``erroneous_header_field`` (boolean): Erroneous Header Field.
          - ``group_membership_query`` (boolean): Group Membership Query.
          - ``group_membership_report`` (boolean): Group Membership Report.
          - ``group_membership_termination`` (boolean): Group Membership Termination.
          - ``host_unreachable`` (boolean): Host Unreachable.
          - ``nd_na`` (boolean): Neighbor Discovery - Neighbor Advertisement.
          - ``nd_ns`` (boolean): Neighbor Discovery - Neighbor Solicitation.
          - ``neighbor_redirect`` (boolean): Neighbor Redirect.
          - ``no_route_to_destination`` (boolean): No Route To Destination.
          - ``node_information_request_is_refused`` (boolean): Node Information Request Is Refused.
          - ``node_information_successful_reply`` (boolean): Node Information Successful Reply.
          - ``packet_too_big`` (boolean): Packet Too Big.
          - ``parameter_problem`` (boolean): Parameter Problem.
          - ``port_unreachable`` (boolean): Port Unreachable.
          - ``query_subject_is_domainname`` (boolean): Query Subject Is Domain name.
          - ``query_subject_is_IPv4address`` (boolean): Query Subject Is IPv4 address.
          - ``query_subject_is_IPv6address`` (boolean): Query Subject Is IPv6 address.
          - ``reassembly_timeout`` (boolean): Reassembly Timeout.
          - ``redirect`` (boolean): Redirect.
          - ``router_advertisement`` (boolean): Router Advertisement.
          - ``router_renumbering`` (boolean): Router Renumbering.
          - ``router_solicitation`` (boolean): Router Solicitation.
          - ``rr_command`` (boolean): RR Command.
          - ``rr_result`` (boolean): RR Result.
          - ``rr_seqnum_reset`` (boolean): RR Seqnum Reset.
          - ``time_exceeded`` (boolean): Time Exceeded.
          - ``ttl_exceeded`` (boolean): TTL Exceeded.
          - ``unknown_query_type`` (boolean): Unknown Query Type.
          - ``unreachable`` (boolean): Unreachable.
          - ``unrecognized_next_header`` (boolean): Unrecognized Next Header.
          - ``unrecognized_option`` (boolean): Unrecognized Option.
          - ``whoareyou_reply`` (boolean): Whoareyou Reply.
          - ``whoareyou_request`` (boolean): Whoareyou Request.

        - ``igmp`` (dictionary): Internet Group Management Protocol (IGMP) settings.

          - ``dvmrp`` (boolean): Match Distance Vector Multicast Routing Protocol.
          - ``host_query`` (boolean): Match Host Query.
          - ``host_report`` (boolean): Match Host Report.
          - ``mtrace`` (boolean): Match mtrace.
          - ``mtrace_response`` (boolean): Match mtrace response.
          - ``pim`` (boolean): Match Protocol Independent Multicast.
          - ``trace`` (boolean): Multicast trace.

        - ``tcp`` (dictionary): Match TCP packet flags.

          - ``ack`` (boolean): Match on the ACK bit.
          - ``established`` (boolean): Match established connections.
          - ``fin`` (boolean): Match on the FIN bit.
          - ``psh`` (boolean): Match on the PSH bit.
          - ``rst`` (boolean): Match on the RST bit.
          - ``syn`` (boolean): Match on the SYN bit.
          - ``urg`` (boolean): Match on the URG bit.

      - ``remark`` (string): Comments or a description for the access list.
      - ``routing`` (boolean): Match if routing header is present.
      - ``sequence`` (integer): Sequence number for the Access Control Entry (ACE).
      - ``source`` (dictionary): Specifies the packet source.

        - ``address`` (string): The source IP address to match.
        - ``any`` (boolean): Match any source address.
        - ``host`` (string): The host IP address to match.
        - ``net_group`` (string): Name of net-group.
        - ``port_group`` (string): Name of port-group.
        - ``port_protocol`` (dictionary): Specify the source port or protocol.

          - ``eq`` (string): Match only packets on a given port number.
          - ``gt`` (string): Match only packets with a greater port number.
          - ``lt`` (string): Match only packets with a lower port number.
          - ``neq`` (string): Match only packets not on a given port number.
          - ``range`` (dictionary): Match only packets in the range of port numbers.

            - ``end`` (string): Specify the end of the port range.
            - ``start`` (string): Specify the start of the port range.

        - ``prefix`` (string): Source network prefix.
        - ``wildcard_bits`` (string): The wildcard bits to apply to the source address.

      - ``ttl`` (dictionary): Match against specified TTL value.

        - ``eq`` (integer): Match only packets with the exact TTL value.
        - ``gt`` (integer): Match only packets with a greater TTL value.
        - ``lt`` (integer): Match only packets with a lower TTL value.
        - ``neq`` (integer): Match only packets that do not have the given TTL value.
        - ``range`` (dictionary): Match only packets in the range of given TTL values.

          - ``end`` (integer): End of the TTL range.
          - ``start`` (integer): Start of the TTL range.

    - ``name`` (string): The name of the Access Control List (ACL).

  - ``afi`` (string / required): The Address Family Indicator (AFI) for the Access Control Lists (ACL).

- ``running_config`` (string): The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The ``running_config`` argument allows the implementer to pass in the configuration to use as the base config for comparison. The value of this option should be the output received from the device by executing the command ``show running-config router static``.
- ``state`` (string): The state the configuration should be left in.
  Choices: ``merged`` (default), ``replaced``, ``overridden``, ``deleted``, ``gathered``, ``rendered``, ``parsed``.
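The ``line`` parameter above silently wins over any sibling ACE attribute, so a ``grant: permit`` placed next to a ``line: deny ...`` is dropped without error, and an inverted ``range`` or a reused ``sequence`` is likewise easy to miss in a large playbook. The following pre-flight lint is an added example, not code from the ``cisco.iosxr`` collection; it walks a ``config`` structure shaped like the parameters documented here and reports those pitfalls before anything is pushed to a device. ``SAMPLE_CONFIG`` is constructed input, not a real device configuration.

```python
"""Pre-flight lint for a cisco.iosxr.iosxr_acls ``config`` (added example, not
collection code): flags ``line`` shadowing sibling ACE keys, duplicate
``sequence`` numbers in one ACL, and inverted ``range`` bounds."""

ALLOWED_WITH_LINE = {"line", "ace", "sequence"}  # keys not ignored beside 'line'


def _ranges(ace):
    # Yield (path, range_dict) for every range dictionary under an ACE.
    for key in ("dscp", "packet_length", "ttl"):
        if (ace.get(key) or {}).get("range"):
            yield key, ace[key]["range"]
    for side in ("source", "destination"):
        rng = ((ace.get(side) or {}).get("port_protocol") or {}).get("range")
        if rng:
            yield side + ".port_protocol", rng


def lint_config(config):
    """Return a list of finding strings; an empty list means clean."""
    findings = []
    for entry in config:
        for acl in entry.get("acls", []):
            seen = set()
            for ace in acl.get("aces", []):
                seq = ace.get("sequence")
                where = "%s/%s seq %s" % (entry.get("afi"), acl.get("name"), seq)
                if "line" in ace or "ace" in ace:  # 'line' wins, siblings ignored
                    ignored = sorted(set(ace) - ALLOWED_WITH_LINE)
                    if ignored:
                        findings.append("%s: 'line' overrides and ignores %s" % (where, ignored))
                if seq is not None:
                    if seq in seen:
                        findings.append("%s: duplicate sequence number" % where)
                    seen.add(seq)
                for path, rng in _ranges(ace):
                    lo, hi = rng.get("start"), rng.get("end")
                    if lo is None or hi is None:
                        findings.append("%s: %s.range needs both start and end" % (where, path))
                    elif str(lo).isdigit() and str(hi).isdigit() and int(lo) > int(hi):
                        findings.append("%s: %s.range start %s > end %s" % (where, path, lo, hi))
    return findings


# Constructed sample (not from a real device): a clean ACE, an ACE whose 'grant'
# is shadowed by 'line', and a duplicate sequence carrying an inverted TTL range.
SAMPLE_CONFIG = [{"afi": "ipv4", "acls": [{"name": "MGMT-IN", "aces": [
    {"sequence": 10, "grant": "permit", "protocol": "tcp", "source": {"prefix": "10.0.0.0/24"},
     "destination": {"any": True, "port_protocol": {"eq": "ssh"}}},
    {"sequence": 20, "line": "deny ipv4 any any log", "grant": "permit"},
    {"sequence": 20, "grant": "deny", "protocol": "ipv4", "source": {"any": True},
     "destination": {"any": True}, "ttl": {"range": {"start": 64, "end": 1}}},
]}]}]
```

Running ``lint_config(SAMPLE_CONFIG)`` yields three findings for the sample; port ranges given as names rather than numbers are left unchecked because the device, not this lint, resolves them.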