Closed digitalfiend64 closed 1 year ago
Hey @digitalfiend64, based on how the RMs are designed, merged should never be able to delete any configuration entries. So while adding, merged should work, but to remove and modify it's recommended to use the overridden/replaced state. Regards.
Hey @digitalfiend64, I am adding an example scenario on the basis of the ask here. Suppose the running configuration is -
```text
testAppliance#show access-list
Standard IP access list std_acl
    10 deny 192.168.1.200
    20 deny 192.168.2.0, wildcard bits 0.0.0.255
Extended IP access list test_extd_acl
    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
    20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
```
which was done using a merged play like -
```yaml
- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
      - acls:
          - aces:
              - destination:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                dscp: ef
                grant: deny
                protocol: icmp
                protocol_options:
                  icmp:
                    traceroute: true
                sequence: 10
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.0.255
                ttl:
                  eq: 10
              - destination:
                  host: 198.51.110.0
                  port_protocol:
                    eq: telnet
                grant: deny
                protocol: tcp
                protocol_options:
                  tcp:
                    ack: true
                sequence: 20
                source:
                  host: 198.51.100.0
            acl_type: extended
            name: 'test_extd_acl'
          - aces:
              - grant: deny
                sequence: 10
                source:
                  host: 192.168.1.200
              - grant: deny
                sequence: 20
                source:
                  address: 192.168.2.0
                  wildcard_bits: 0.0.0.255
            acl_type: standard
            name: std_acl
        afi: ipv4
    state: merged
```
If we encounter a situation where we want a fresh entry to be added while also negating all other entries under an ACE, we simply use the replaced state -
```yaml
- name: Replaces provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
      - acls:
          - aces:
              - grant: deny
                protocol_options:
                  tcp:
                    fin: true
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                option:
                  traceroute: true
                ttl:
                  eq: 10
            acl_type: extended
            name: 'test_extd_acl'
          - aces:
              - grant: deny
                sequence: 10
                source:
                  host: 192.168.1.200
              - grant: deny
                sequence: 20
                source:
                  address: 192.168.2.0
                  wildcard_bits: 0.0.0.255
            acl_type: standard
            name: std_acl
        afi: ipv4
    state: replaced
```
The commands generated now would be

```json
"commands": [
    "ip access-list extended test_extd_acl",
    "no 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10",
    "no 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack",
    "deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10"
],
```
making the final configuration -

```text
Standard IP access list std_acl
    10 deny 192.168.1.200
    20 deny 192.168.2.0, wildcard bits 0.0.0.255
Extended IP access list test_extd_acl
    10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
```
I suppose that is the ask in the feature request, and as the replaced and overridden states are capable of dealing with surplus ACE entries, we need not add negate capabilities to the merged state. Regards.
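As an added illustration of the state semantics explained in the comment above (my own sketch, not code from cisco.ios.ios_acls or ansible.netcommon), the following models the three states over ACEs kept as CLI strings. It assumes ACEs match when they are identical apart from their sequence number, and the `RUNNING`/`WANT` dicts are constructed from the show output and the replaced play quoted above.

```python
import re
from typing import Dict, List

# acl name -> {"acl_type": "standard"|"extended", "aces": [ACE in CLI form, ...]}
Acls = Dict[str, dict]

# Constructed "have" state, transcribed from the show access-list output above.
RUNNING: Acls = {
    "std_acl": {"acl_type": "standard", "aces": [
        "10 deny 192.168.1.200",
        "20 deny 192.168.2.0 0.0.0.255"]},
    "test_extd_acl": {"acl_type": "extended", "aces": [
        "10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10",
        "20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack"]},
}

# Constructed "want" state: the ACEs of the replaced play above, rendered to CLI form.
WANT: Acls = {
    "test_extd_acl": {"acl_type": "extended", "aces": [
        "deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10"]},
    "std_acl": {"acl_type": "standard", "aces": [
        "10 deny 192.168.1.200",
        "20 deny 192.168.2.0 0.0.0.255"]},
}


def _body(ace: str) -> str:
    """ACE without its sequence number (assumption: IOS assigns one when omitted)."""
    return re.sub(r"^\d+\s+", "", ace)


def render(have: Acls, want: Acls, state: str) -> List[str]:
    """Commands each state pushes: merged only adds; replaced also negates surplus
    ACEs inside the named ACLs; overridden additionally removes ACLs not named."""
    cmds: List[str] = []
    for name, acl in want.items():
        have_aces = have.get(name, {}).get("aces", [])
        have_bodies = {_body(a) for a in have_aces}
        want_bodies = {_body(a) for a in acl["aces"]}
        section: List[str] = []
        if state in ("replaced", "overridden"):
            section += [f"no {a}" for a in have_aces if _body(a) not in want_bodies]
        section += [a for a in acl["aces"] if _body(a) not in have_bodies]
        if section:  # enter ACL config mode only when something changes
            cmds += [f"ip access-list {acl['acl_type']} {name}"] + section
    if state == "overridden":
        cmds += [f"no ip access-list {acl['acl_type']} {name}"
                 for name, acl in have.items() if name not in want]
    return cmds
```

`render(RUNNING, WANT, "replaced")` reproduces the four commands listed above, while the same call with `"merged"` never emits a `no` line, which is why deletion has to go through replaced or overridden.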
Closing this out, as the filter plugin is released with https://github.com/ansible-collections/ansible.netcommon/pull/529
SUMMARY
Utilize the cisco.ios.ios_acls, cisco.nxos.nxos_acls and cisco.iosxr.iosxr_acls modules to delete specific entries in access lists
ISSUE TYPE
COMPONENT NAME
cisco.ios.ios_acls, cisco.nxos.nxos_acls and cisco.iosxr.iosxr_acls
ADDITIONAL INFORMATION
This would solve using a template and the config module to remove ACLs and do it all in the module