ansible-collections / cisco.ios

Ansible Network Collection for Cisco IOS
GNU General Public License v3.0

cisco.ios.ios_acls - idempotency #873

Closed jorgenspange closed 8 months ago

jorgenspange commented 11 months ago

When using state replaced it is not idempotent even though I am using sequencing in the acl.

Here's the output of the commands when I ran it with -vvv:

  commands:
  - ip access-list extended SNMP
  - no 10 permit host 10.10.10.173 any
  - no 20 permit host 10.10.10.182 any
  - no 30 permit host 10.10.10.200 any
  - no 40 deny any any log
  - 10 permit ip host 10.10.10.173 any
  - 20 permit ip host 10.10.10.182 any
  - 30 permit ip host 10.10.10.200 any
  - 40 deny ip any any log

Even though no changes are made, it reapplies the ACL.

KB-perByte commented 11 months ago

@jorgenspange can you please share the show access-list command output and some more details about the playbook and collection version you are using? Regards

jorgenspange commented 11 months ago

RandomSwitch#show access-lists
Standard IP access list RM-MCAST-RP
    10 permit 239.0.0.0 0.255.255.255
    20 permit any
    30 deny   232.0.0.0 0.255.255.255
Extended IP access list 101
    10 permit tcp 10.100.50.0 0.0.0.255 any eq 22
Extended IP access list BYOD_CORP_Devices_acl
    10 permit ip object-group Guest-ISE-DHCP object-group Obj-Guest-Network
    20 permit icmp object-group Guest-ISE-DHCP object-group Obj-Guest-Network
    50 deny ip object-group Private-IPrange object-group Obj-Guest-Network
    60 deny ip object-group Obj-Guest-Network object-group Obj-Guest-Network
    150 permit ip any any
Extended IP access list BYOD_CORP_Devices_acl_in
    10 permit ip object-group Obj-Guest-Network object-group Guest-ISE-DHCP
    20 permit icmp object-group Obj-Guest-Network object-group Guest-ISE-DHCP
    50 deny ip object-group Obj-Guest-Network object-group Private-IPrange
    60 deny ip object-group Obj-Guest-Network object-group Obj-Guest-Network
    150 permit ip any any
Extended IP access list SNMP
    10 permit ip host 10.10.10.173 any
    20 permit ip host 10.10.10.182 any
    30 permit ip host 10.10.10.200 any
    40 deny ip any any log
Extended IP access list IP-Adm-V4-Int-ACL-global
Extended IP access list MCAST-IN
    10 permit ip any 10.14.96.0 0.0.1.255 log
    20 permit pim any any log
    30 deny ip any any log
Extended IP access list NET-MGMT-VTY
    10 permit tcp host 10.0.0.1 any
    20 permit tcp host 10.0.0.2 any
    30 permit tcp host 10.0.0.3 any
    40 permit tcp host 10.0.0.4 any
    50 permit tcp host 10.0.0.5 any
    60 permit tcp host 10.0.0.6 any
    70 permit tcp host 10.0.0.7 any
    80 permit tcp host 10.0.0.8 any
    90 permit tcp host 10.0.0.9 any
    100 permit tcp host 10.0.0.10 any
    110 permit tcp host 10.0.0.11 any
    120 permit tcp host 10.0.0.12 any
    130 permit tcp host 10.0.0.13 any
    140 permit tcp host 10.0.0.14 any
    150 deny ip any any log
Extended IP access list TELNET-DENY
    5 permit tcp 10.0.0.15 0.0.0.255 any eq 22
    6 permit tcp 10.0.0.16 0.0.0.255 any eq 22
    7 permit tcp 10.0.0.17 0.0.0.255 any eq 22
    8 permit tcp 10.0.0.18 0.0.0.255 any eq 22
    9 permit tcp host 10.0.0.19 any eq 22
    11 permit tcp host 10.0.0.20 any eq 22
    12 permit tcp host 10.0.0.21 any eq 22
    13 permit tcp host 10.0.0.22 any eq 22
    14 permit tcp host 10.0.0.23 any eq 22
    15 permit tcp host 10.0.0.24 any eq 22
    16 permit tcp host 10.0.0.25 any eq 22
    17 permit tcp host 10.0.0.26 any eq 22
    18 permit tcp host 10.0.0.27 any eq 22
    1000 deny ip any any log
Extended IP access list VTY-ALLOW
    10 permit ip 146.213.0.0 0.0.0.255 any
    20 permit ip 146.192.79.128 0.0.0.127 any
    30 permit ip 10.219.0.0 0.0.255.255 any
    40 permit ip 10.20.29.0 0.0.0.255 any
    50 permit ip 10.180.0.0 0.3.255.255 any
    60 permit ip any 146.214.0.0 0.0.0.255
    70 permit ip any 10.219.0.0 0.0.255.255
    80 permit ip any 10.20.29.0 0.0.0.255
Extended IP access list mcast_in
    10 permit pim any any
    20 permit igmp any any
    1000 deny ip any any
Extended IP access list mcast_out
    10 permit udp any any
    20 permit pim any any
    30 permit igmp any any
    1000 deny ip any any
Extended IP access list implicit_deny
    10 deny ip any any
Extended IP access list implicit_permit
    10 permit ip any any
Extended IP access list preauth_v4
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
IPv6 access list implicit_deny_v6
    deny ipv6 any any sequence 10
IPv6 access list implicit_permit_v6
    permit ipv6 any any sequence 10
IPv6 access list preauth_v6
    permit udp any any eq domain sequence 10
    permit tcp any any eq domain sequence 20
    permit icmp any any nd-ns sequence 30
    permit icmp any any nd-na sequence 40
    permit icmp any any router-solicitation sequence 50
    permit icmp any any router-advertisement sequence 60
    permit icmp any any redirect sequence 70
    permit udp any eq 547 any eq 546 sequence 80
    permit udp any eq 546 any eq 547 sequence 90
    deny ipv6 any any sequence 100

Here's the output of show run part access-lists (I know it can be cleaned up, and it will be, but that's what we have to work with as of now).

Running

cisco.ios 4.6.1
ansible [core 2.15.1]

Regards

jorgenspange commented 11 months ago

As agreed with Sagar, another issue with the module has occurred:

On certain switches I get a module failure, even though everything looks like it does on other switches. Here's the debug when I run towards 2x 9k switches, where one is working and the other one is failing. The ones failing are failing consistently:

< TASK [connectivity.network.acls : debug] >
 ---------------------------------------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

ok: [Switch1] =>
  msg:
  - acls:
    - aces:
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 10
        source:
          host: 172.16.4.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 20
        source:
          host: 172.16.4.2
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 30
        source:
          host: 172.16.5.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 40
        source:
          host: 172.16.5.2
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 50
        source:
          host: 172.16.6.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 60
        source:
          host: 172.16.6.2
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 70
        source:
          host: 172.16.7.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 80
        source:
          host: 172.16.7.2
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol_options:
          ip: true
        sequence: 90
        source:
          any: true
      acl_type: extended
      name: acl1
    - aces:
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol_options:
          ip: true
        sequence: 10
        source:
          any: true
      acl_type: extended
      name: acl2
    - aces:
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 10
        source:
          host: 172.16.10.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 20
        source:
          host: 172.16.10.2
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 30
        source:
          host: 172.16.11.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 40
        source:
          host: 172.16.11.2
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 50
        source:
          host: 172.16.12.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 60
        source:
          host: 172.16.12.2
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 70
        source:
          host: 172.16.13.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 80
        source:
          host: 172.16.13.2
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol_options:
          ip: true
        sequence: 90
        source:
          any: true
      acl_type: extended
      name: acl3
    afi: ipv4
ok: [Switch2] =>
  msg:
  - acls:
    - aces:
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 10
        source:
          host: 172.16.4.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 20
        source:
          host: 172.16.4.2
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 30
        source:
          host: 172.16.5.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 40
        source:
          host: 172.16.5.2
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 50
        source:
          host: 172.16.6.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 60
        source:
          host: 172.16.6.2
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 70
        source:
          host: 172.16.7.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 80
        source:
          host: 172.16.7.2
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol_options:
          ip: true
        sequence: 90
        source:
          any: true
      acl_type: extended
      name: acl1
    - aces:
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol_options:
          ip: true
        sequence: 10
        source:
          any: true
      acl_type: extended
      name: acl2
    - aces:
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 10
        source:
          host: 172.16.10.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 20
        source:
          host: 172.16.10.2
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 30
        source:
          host: 172.16.11.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 40
        source:
          host: 172.16.11.2
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 50
        source:
          host: 172.16.12.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 60
        source:
          host: 172.16.12.2
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 70
        source:
          host: 172.16.13.1
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 80
        source:
          host: 172.16.13.2
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol_options:
          ip: true
        sequence: 90
        source:
          any: true
      acl_type: extended
      name: acl3
    afi: ipv4
Tuesday 04 July 2023  23:06:39 +0200 (0:00:01.437)       0:00:01.615 **********
 ________________________________________
/ TASK [connectivity.network.acls :   \
\ configure_cisco.ios.ios | Apply acls.] /
 ----------------------------------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

task path: /Users/jorgenspange/.ansible/collections/ansible_collections/dnbconnectivity/network/roles/acls/tasks/configure_cisco.ios.ios.yml:7
fatal: [Switch1]: FAILED! => changed=false
  module_stderr: 'unhashable type: ''dict'''
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
changed: [Switch2]

Best regards

jorgenspange commented 10 months ago

@KB-perByte do you need any additional info?

KB-perByte commented 10 months ago

@jorgenspange nope, we are good with the info. I am yet to work on the fix.

KB-perByte commented 10 months ago

@jorgenspange which appliance version are you using?

jorgenspange commented 10 months ago

@KB-perByte ansible core 2.15.1:

[jorgenspange@Jorgens-MBP git/ansible-network-automation (main) ]$ ansible --version
ansible [core 2.15.1]
  config file = /Users/jorgenspange/Documents/git/ansible-network-automation/ansible.cfg
  configured module search path = ['/Users/jorgenspange/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/8.1.0/libexec/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/jorgenspange/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.11.4 (main, Jun 20 2023, 17:23:00) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/opt/homebrew/Cellar/ansible/8.1.0/libexec/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True

KB-perByte commented 10 months ago

@jorgenspange My bad, my question was malformed. Which Cisco IOS version are you checking against? Regards

jorgenspange commented 10 months ago

@KB-perByte no worries, IOS-XE 17.06.05. But the module error thing is not persistent to all switches, only a handful. For the idempotency, that is the same towards all IOS.

regards

KB-perByte commented 10 months ago

so @jorgenspange, I am on

test_app_1>sh version 
Cisco IOS XE Software, Version 17.06.01a

What I observe is that the standard access-list is rendered entirely differently from the way you shared, which breaks the processing of the standard access-list. And the original issue, where the extended access-list SNMP was not idempotent, is not reproducible at my end.

Router#sh access-lists 
Standard IP access list test-rm
    10 permit 239.0.0.0, wildcard bits 0.255.255.255
    20 permit any
    30 deny   232.0.0.0, wildcard bits 0.255.255.255
Extended IP access list SNMP
    10 permit ip host 10.10.10.173 any
    20 permit ip host 10.10.10.182 any
    30 permit ip host 10.10.10.200 any
    40 deny ip any any log

Trying to figure out if it's a version-specific change or a configuration specific one.
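Added example (not part of the thread and not the collection's parser): a small Python check that parses both `show access-lists` renderings quoted above into one normalized form, then flags commands in a module run that remove and re-add an entry the device already has. The function names are hypothetical, the sample inputs are copied from the outputs in this thread, and stripping a trailing `(N matches)` counter is an assumption about device output that the thread does not show.

```python
import re

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)|^(IPv6) access list (\S+)")
V4_ACE = re.compile(r"^\s+(\d+)\s+(.*)$")                 # "    10 permit ..."
V6_ACE = re.compile(r"^\s+(.*?)\s+sequence\s+(\d+)\s*$")  # "    permit ... sequence 10"
MATCHES = re.compile(r"\s*\(\d+ match(?:es)?\)\s*$")      # assumed hit-counter suffix
ACL_CMD = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
SEQ_CMD = re.compile(r"^(\d+)\s+(.*)$")

# Sample inputs copied from the thread (compact rendering, verbose rendering, -vvv commands).
SHOW_COMPACT = """\
Standard IP access list RM-MCAST-RP
    10 permit 239.0.0.0 0.255.255.255
    20 permit any
    30 deny   232.0.0.0 0.255.255.255
Extended IP access list SNMP
    10 permit ip host 10.10.10.173 any
    20 permit ip host 10.10.10.182 any
    30 permit ip host 10.10.10.200 any
    40 deny ip any any log
IPv6 access list implicit_deny_v6
    deny ipv6 any any sequence 10
"""
SHOW_VERBOSE = """\
Standard IP access list test-rm
    10 permit 239.0.0.0, wildcard bits 0.255.255.255
    20 permit any
    30 deny   232.0.0.0, wildcard bits 0.255.255.255
"""
COMMANDS = [
    "ip access-list extended SNMP",
    "no 10 permit host 10.10.10.173 any",
    "no 20 permit host 10.10.10.182 any",
    "no 30 permit host 10.10.10.200 any",
    "no 40 deny any any log",
    "10 permit ip host 10.10.10.173 any",
    "20 permit ip host 10.10.10.182 any",
    "30 permit ip host 10.10.10.200 any",
    "40 deny ip any any log",
]


def normalize(ace):
    """Reduce an ACE to one spelling regardless of which rendering produced it."""
    ace = MATCHES.sub("", ace)
    ace = ace.replace(", wildcard bits", "")
    return " ".join(ace.split())


def parse_show(text):
    """Return {acl_name: {sequence: normalized_ace}} from `show access-lists` text."""
    acls, current, is_v6 = {}, None, False
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            is_v6 = m.group(3) is not None
            current = acls.setdefault(m.group(2) or m.group(4), {})
            continue
        if current is None:
            continue
        m = (V6_ACE if is_v6 else V4_ACE).match(line)
        if m:
            seq, ace = (m.group(2), m.group(1)) if is_v6 else (m.group(1), m.group(2))
            current[int(seq)] = normalize(ace)
    return acls


def find_churn(commands, have):
    """List (acl, sequence) pairs that are negated and then re-added unchanged."""
    acl, removed, churn = None, set(), []
    for cmd in commands:
        cmd = cmd.strip()
        m = ACL_CMD.match(cmd)
        if m:
            acl = m.group(1)
            continue
        if acl is None:
            continue
        negate = cmd.startswith("no ")
        m = SEQ_CMD.match(cmd[3:] if negate else cmd)
        if not m:
            continue
        seq = int(m.group(1))
        if negate:
            removed.add((acl, seq))
        elif (acl, seq) in removed and have.get(acl, {}).get(seq) == normalize(m.group(2)):
            churn.append((acl, seq))
    return churn


if __name__ == "__main__":
    have = parse_show(SHOW_COMPACT)
    for name, seq in find_churn(COMMANDS, have):
        print(f"{name} seq {seq}: removed and re-added with no change")
```

Run against a saved `show access-lists` capture and the `commands` list from a `-vvv` run, an empty result means the run only touched entries that actually differ.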

jorgenspange commented 10 months ago

@KB-perByte

Here's the task:

  - acls:
    - aces:
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 10
        source:
          host: 192.168.14.21
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 20
        source:
          host: 192.168.14.22
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 30
        source:
          host: 192.168.14.23
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 40
        source:
          host: 192.168.14.24
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 50
        source:
          host: 192.168.15.21
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 60
        source:
          host: 192.168.15.22
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 70
        source:
          host: 10.16.8.21
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 80
        source:
          host: 10.16.8.22
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol_options:
          ip: true
        sequence: 90
        source:
          any: true
      acl_type: extended
      name: ntp-peer
    - aces:
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol_options:
          ip: true
        sequence: 10
        source:
          any: true
      acl_type: extended
      name: ntp-serve
    - aces:
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 10
        source:
          host: 192.168.115.173
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 20
        source:
          host: 192.168.115.182
      - destination:
          any: true
        grant: permit
        protocol_options:
          ip: true
        sequence: 30
        source:
          host: 192.168.240.200
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol_options:
          ip: true
        sequence: 40
        source:
          any: true
      acl_type: extended
      name: SNMP
    - aces:
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 10
        source:
          address: 192.168.77.248
          wildcard_bits: 0.0.0.7
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 20
        source:
          host: 192.168.115.173
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 30
        source:
          host: 192.168.115.182
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 40
        source:
          host: 192.168.240.200
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 50
        source:
          host: 192.168.30.9
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 60
        source:
          host: 192.168.32.170
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 70
        source:
          host: 192.168.32.171
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 80
        source:
          host: 192.168.241.10
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 90
        source:
          host: 192.168.8.22
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 100
        source:
          host: 192.168.6.10
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 110
        source:
          host: 192.168.6.11
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 120
        source:
          host: 192.168.137.105
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 130
        source:
          host: 192.168.70.13
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 140
        source:
          host: 192.168.70.14
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 150
        source:
          host: 192.168.70.19
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol_options:
          ip: true
        sequence: 160
        source:
          any: true
      acl_type: extended
      name: NET-MGMT-VTY
    afi: ipv4

Here's the output when the task is run with -vvvv:


changed: [c9600] => changed=true 
  after:
  - acls:
    - aces:
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 10
        source:
          address: 192.168.30.0
          wildcard_bits: 0.0.0.255
      acl_type: extended
      name: '101'
    - aces:
      - destination:
          object_group: Obj-Guest-Network
        grant: permit
        protocol: ip
        sequence: 10
        source:
          object_group: Guest-ISE-DHCP
      - destination:
          object_group: Obj-Guest-Network
        grant: permit
        protocol: icmp
        sequence: 20
        source:
          object_group: Guest-ISE-DHCP
      - destination:
          object_group: Obj-Guest-Network
        grant: deny
        protocol: ip
        sequence: 50
        source:
          object_group: Private-IPrange
      - destination:
          object_group: Obj-Guest-Network
        grant: deny
        protocol: ip
        sequence: 60
        source:
          object_group: Obj-Guest-Network
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 150
        source:
          any: true
      acl_type: extended
      name: BYOD_CORP_Devices_acl
    - aces:
      - destination:
          object_group: Guest-ISE-DHCP
        grant: permit
        protocol: ip
        sequence: 10
        source:
          object_group: Obj-Guest-Network
      - destination:
          object_group: Guest-ISE-DHCP
        grant: permit
        protocol: icmp
        sequence: 20
        source:
          object_group: Obj-Guest-Network
      - destination:
          object_group: Private-IPrange
        grant: deny
        protocol: ip
        sequence: 50
        source:
          object_group: Obj-Guest-Network
      - destination:
          object_group: Obj-Guest-Network
        grant: deny
        protocol: ip
        sequence: 60
        source:
          object_group: Obj-Guest-Network
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 150
        source:
          any: true
      acl_type: extended
      name: BYOD_CORP_Devices_acl_in
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 10
        source:
          host: 192.168.115.173
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 20
        source:
          host: 192.168.115.182
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 30
        source:
          host: 192.168.240.200
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol: ip
        sequence: 40
        source:
          any: true
      acl_type: extended
      name: -SNMP
    - acl_type: extended
      name: IP-Adm-V4-Int-ACL-global
    - aces:
      - destination:
          address: 192.168.96.0
          wildcard_bits: 0.0.1.255
        grant: permit
        log:
          set: true
        protocol: ip
        sequence: 10
        source:
          any: true
      - destination:
          any: true
        grant: permit
        log:
          set: true
        protocol: pim
        sequence: 20
        source:
          any: true
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol: ip
        sequence: 30
        source:
          any: true
      acl_type: extended
      name: MCAST-IN
    - aces:
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 10
        source:
          address: 192.168.77.248
          wildcard_bits: 0.0.0.7
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 20
        source:
          host: 192.168.115.173
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 30
        source:
          host: 192.168.115.182
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 40
        source:
          host: 192.168.240.200
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 50
        source:
          host: 192.168.30.9
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 60
        source:
          host: 192.168.32.170
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 70
        source:
          host: 192.168.32.171
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 80
        source:
          host: 192.168.241.10
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 90
        source:
          host: 192.168.8.22
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 100
        source:
          host: 192.168.6.10
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 110
        source:
          host: 192.168.6.11
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 120
        source:
          host: 10.110.137.105
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 130
        source:
          host: 192.168.70.13
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 140
        source:
          host: 192.168.70.14
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 150
        source:
          host: 192.168.70.19
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol: ip
        sequence: 160
        source:
          any: true
      acl_type: extended
      name: NET-MGMT-VTY
    - aces:
      - grant: permit
        sequence: 10
        source:
          address: 239.0.0.0
          wildcard_bits: 0.255.255.255
      - grant: permit
        sequence: 20
        source:
          host: any
      - grant: deny
        sequence: 30
        source:
          address: 232.0.0.0
          wildcard_bits: 0.255.255.255
      acl_type: standard
      name: RM-MCAST-RP
    - aces:
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 5
        source:
          address: 192.168.10.0
          wildcard_bits: 0.0.0.255
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 6
        source:
          address: 192.168.20.0
          wildcard_bits: 0.0.0.255
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 7
        source:
          address: 192.168.30.0
          wildcard_bits: 0.0.0.255
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 8
        source:
          address: 192.168.43.0
          wildcard_bits: 0.0.0.255
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 9
        source:
          host: 192.168.73.30
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 11
        source:
          host: 192.168.73.31
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 12
        source:
          host: 192.168.73.32
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 13
        source:
          host: 192.168.95.16
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 14
        source:
          host: 192.168.95.17
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 15
        source:
          host: 192.168.95.21
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 16
        source:
          host: 192.168.95.22
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 17
        source:
          host: 192.168.95.23
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 18
        source:
          host: 192.168.95.25
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol: ip
        sequence: 1000
        source:
          any: true
      acl_type: extended
      name: TELNET-DENY
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 10
        source:
          address: 146.213.0.0
          wildcard_bits: 0.0.0.255
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 20
        source:
          address: 146.192.79.128
          wildcard_bits: 0.0.0.127
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 30
        source:
          address: 10.219.0.0
          wildcard_bits: 0.0.255.255
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 40
        source:
          address: 10.20.29.0
          wildcard_bits: 0.0.0.255
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 50
        source:
          address: 10.180.0.0
          wildcard_bits: 0.3.255.255
      - destination:
          address: 146.214.0.0
          wildcard_bits: 0.0.0.255
        grant: permit
        protocol: ip
        sequence: 60
        source:
          any: true
      - destination:
          address: 10.219.0.0
          wildcard_bits: 0.0.255.255
        grant: permit
        protocol: ip
        sequence: 70
        source:
          any: true
      - destination:
          address: 10.20.29.0
          wildcard_bits: 0.0.0.255
        grant: permit
        protocol: ip
        sequence: 80
        source:
          any: true
      acl_type: extended
      name: VTY-ALLOW
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: pim
        sequence: 10
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: igmp
        sequence: 20
        source:
          any: true
      - destination:
          any: true
        grant: deny
        protocol: ip
        sequence: 1000
        source:
          any: true
      acl_type: extended
      name: _mcast_in
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: udp
        sequence: 10
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: pim
        sequence: 20
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: igmp
        sequence: 30
        source:
          any: true
      - destination:
          any: true
        grant: deny
        protocol: ip
        sequence: 1000
        source:
          any: true
      acl_type: extended
      name: _mcast_out
    - aces:
      - destination:
          any: true
        grant: deny
        protocol: ip
        sequence: 10
        source:
          any: true
      acl_type: extended
      name: implicit_deny
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 10
        source:
          any: true
      acl_type: extended
      name: implicit_permit
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 10
        source:
          host: 192.168.14.21
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 20
        source:
          host: 192.168.14.22
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 30
        source:
          host: 192.168.14.23
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 40
        source:
          host: 192.168.14.24
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 50
        source:
          host: 192.168.15.21
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 60
        source:
          host: 192.168.15.22
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 70
        source:
          host: 192.168.8.21
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 80
        source:
          host: 192.168.8.22
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol: ip
        sequence: 90
        source:
          any: true
      acl_type: extended
      name: ntp-peer
    - aces:
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol: ip
        sequence: 10
        source:
          any: true
      acl_type: extended
      name: ntp-serve
    - aces:
      - destination:
          any: true
          port_protocol:
            eq: domain
        grant: permit
        protocol: udp
        sequence: 10
        source:
          any: true
      - destination:
          any: true
          port_protocol:
            eq: domain
        grant: permit
        protocol: tcp
        sequence: 20
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: udp
        sequence: 30
        source:
          any: true
          port_protocol:
            eq: bootps
      - destination:
          any: true
          port_protocol:
            eq: bootpc
        grant: permit
        protocol: udp
        sequence: 40
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: udp
        sequence: 50
        source:
          any: true
          port_protocol:
            eq: bootpc
      - destination:
          any: true
        grant: deny
        protocol: ip
        sequence: 60
        source:
          any: true
      acl_type: extended
      name: preauth_v4
    afi: ipv4
  - acls:
    - aces:
      - destination:
          any: true
        grant: deny
        protocol: ipv6
        sequence: 10
        source:
          any: true
      name: implicit_deny_v6
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: ipv6
        sequence: 10
        source:
          any: true
      name: implicit_permit_v6
    - aces:
      - destination:
          any: true
          port_protocol:
            eq: domain
        grant: permit
        protocol: udp
        sequence: 10
        source:
          any: true
      - destination:
          any: true
          port_protocol:
            eq: domain
        grant: permit
        protocol: tcp
        sequence: 20
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: icmp
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: icmp
        protocol_options:
          icmp:
            router_solicitation: true
        sequence: 50
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: icmp
        protocol_options:
          icmp:
            router_advertisement: true
        sequence: 60
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: icmp
        protocol_options:
          icmp:
            redirect: true
        sequence: 70
        source:
          any: true
      - destination:
          any: true
          port_protocol:
            eq: '546'
        grant: permit
        protocol: udp
        sequence: 80
        source:
          any: true
          port_protocol:
            eq: '547'
      - destination:
          any: true
          port_protocol:
            eq: '547'
        grant: permit
        protocol: udp
        sequence: 90
        source:
          any: true
          port_protocol:
            eq: '546'
      - destination:
          any: true
        grant: deny
        protocol: ipv6
        sequence: 100
        source:
          any: true
      name: preauth_v6
    afi: ipv6
  before:
  - acls:
    - aces:
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 10
        source:
          address: 192.168.30.0
          wildcard_bits: 0.0.0.255
      acl_type: extended
      name: '101'
    - aces:
      - destination:
          object_group: Obj-Guest-Network
        grant: permit
        protocol: ip
        sequence: 10
        source:
          object_group: Guest-ISE-DHCP
      - destination:
          object_group: Obj-Guest-Network
        grant: permit
        protocol: icmp
        sequence: 20
        source:
          object_group: Guest-ISE-DHCP
      - destination:
          object_group: Obj-Guest-Network
        grant: deny
        protocol: ip
        sequence: 50
        source:
          object_group: Private-IPrange
      - destination:
          object_group: Obj-Guest-Network
        grant: deny
        protocol: ip
        sequence: 60
        source:
          object_group: Obj-Guest-Network
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 150
        source:
          any: true
      acl_type: extended
      name: BYOD_CORP_Devices_acl
    - aces:
      - destination:
          object_group: Guest-ISE-DHCP
        grant: permit
        protocol: ip
        sequence: 10
        source:
          object_group: Obj-Guest-Network
      - destination:
          object_group: Guest-ISE-DHCP
        grant: permit
        protocol: icmp
        sequence: 20
        source:
          object_group: Obj-Guest-Network
      - destination:
          object_group: Private-IPrange
        grant: deny
        protocol: ip
        sequence: 50
        source:
          object_group: Obj-Guest-Network
      - destination:
          object_group: Obj-Guest-Network
        grant: deny
        protocol: ip
        sequence: 60
        source:
          object_group: Obj-Guest-Network
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 150
        source:
          any: true
      acl_type: extended
      name: BYOD_CORP_Devices_acl_in
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 10
        source:
          host: 192.168.115.173
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 20
        source:
          host: 192.168.115.182
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 30
        source:
          host: 192.168.240.200
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol: ip
        sequence: 40
        source:
          any: true
      acl_type: extended
      name: -SNMP
    - acl_type: extended
      name: IP-Adm-V4-Int-ACL-global
    - aces:
      - destination:
          address: 192.168.96.0
          wildcard_bits: 0.0.1.255
        grant: permit
        log:
          set: true
        protocol: ip
        sequence: 10
        source:
          any: true
      - destination:
          any: true
        grant: permit
        log:
          set: true
        protocol: pim
        sequence: 20
        source:
          any: true
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol: ip
        sequence: 30
        source:
          any: true
      acl_type: extended
      name: MCAST-IN
    - aces:
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 10
        source:
          address: 192.168.77.248
          wildcard_bits: 0.0.0.7
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 20
        source:
          host: 192.168.115.173
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 30
        source:
          host: 192.168.115.182
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 40
        source:
          host: 192.168.240.200
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 50
        source:
          host: 192.168.30.9
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 60
        source:
          host: 192.168.32.170
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 70
        source:
          host: 192.168.32.171
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 80
        source:
          host: 192.168.241.10
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 90
        source:
          host: 192.168.8.22
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 100
        source:
          host: 192.168.6.10
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 110
        source:
          host: 192.168.6.11
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 120
        source:
          host: 10.110.137.105
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 130
        source:
          host: 192.168.70.13
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 140
        source:
          host: 192.168.70.14
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 150
        source:
          host: 192.168.70.19
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol: ip
        sequence: 160
        source:
          any: true
      acl_type: extended
      name: NET-MGMT-VTY
    - aces:
      - grant: permit
        sequence: 10
        source:
          address: 239.0.0.0
          wildcard_bits: 0.255.255.255
      - grant: permit
        sequence: 20
        source:
          host: any
      - grant: deny
        sequence: 30
        source:
          address: 232.0.0.0
          wildcard_bits: 0.255.255.255
      acl_type: standard
      name: RM-MCAST-RP
    - aces:
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 5
        source:
          address: 192.168.10.0
          wildcard_bits: 0.0.0.255
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 6
        source:
          address: 192.168.20.0
          wildcard_bits: 0.0.0.255
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 7
        source:
          address: 192.168.30.0
          wildcard_bits: 0.0.0.255
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 8
        source:
          address: 192.168.43.0
          wildcard_bits: 0.0.0.255
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 9
        source:
          host: 192.168.73.30
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 11
        source:
          host: 192.168.73.31
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 12
        source:
          host: 192.168.73.32
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 13
        source:
          host: 192.168.95.16
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 14
        source:
          host: 192.168.95.17
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 15
        source:
          host: 192.168.95.21
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 16
        source:
          host: 192.168.95.22
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 17
        source:
          host: 192.168.95.23
      - destination:
          any: true
          port_protocol:
            eq: '22'
        grant: permit
        protocol: tcp
        sequence: 18
        source:
          host: 192.168.95.25
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol: ip
        sequence: 1000
        source:
          any: true
      acl_type: extended
      name: VTY-ALLOW
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: pim
        sequence: 10
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: igmp
        sequence: 20
        source:
          any: true
      - destination:
          any: true
        grant: deny
        protocol: ip
        sequence: 1000
        source:
          any: true
      acl_type: extended
      name: _mcast_in
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: udp
        sequence: 10
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: pim
        sequence: 20
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: igmp
        sequence: 30
        source:
          any: true
      - destination:
          any: true
        grant: deny
        protocol: ip
        sequence: 1000
        source:
          any: true
      acl_type: extended
      name: _mcast_out
    - aces:
      - destination:
          any: true
        grant: deny
        protocol: ip
        sequence: 10
        source:
          any: true
      acl_type: extended
      name: implicit_deny
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 10
        source:
          any: true
      acl_type: extended
      name: implicit_permit
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 10
        source:
          host: 192.168.14.21
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 20
        source:
          host: 192.168.14.22
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 30
        source:
          host: 192.168.14.23
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 40
        source:
          host: 192.168.14.24
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 50
        source:
          host: 192.168.15.21
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 60
        source:
          host: 192.168.15.22
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 70
        source:
          host: 192.168.8.21
      - destination:
          any: true
        grant: permit
        protocol: ip
        sequence: 80
        source:
          host: 192.168.8.22
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol: ip
        sequence: 90
        source:
          any: true
      acl_type: extended
      name: ntp-peer
    - aces:
      - destination:
          any: true
        grant: deny
        log:
          set: true
        protocol: ip
        sequence: 10
        source:
          any: true
      acl_type: extended
      name: ntp-serve
    - aces:
      - destination:
          any: true
          port_protocol:
            eq: domain
        grant: permit
        protocol: udp
        sequence: 10
        source:
          any: true
      - destination:
          any: true
          port_protocol:
            eq: domain
        grant: permit
        protocol: tcp
        sequence: 20
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: udp
        sequence: 30
        source:
          any: true
          port_protocol:
            eq: bootps
      - destination:
          any: true
          port_protocol:
            eq: bootpc
        grant: permit
        protocol: udp
        sequence: 40
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: udp
        sequence: 50
        source:
          any: true
          port_protocol:
            eq: bootpc
      - destination:
          any: true
        grant: deny
        protocol: ip
        sequence: 60
        source:
          any: true
      acl_type: extended
      name: preauth_v4
    afi: ipv4
  - acls:
    - aces:
      - destination:
          any: true
        grant: deny
        protocol: ipv6
        sequence: 10
        source:
          any: true
      name: implicit_deny_v6
    - aces:
      - destination:
          any: true
        grant: permit
        protocol: ipv6
        sequence: 10
        source:
          any: true
      name: implicit_permit_v6
    - aces:
      - destination:
          any: true
          port_protocol:
            eq: domain
        grant: permit
        protocol: udp
        sequence: 10
        source:
          any: true
      - destination:
          any: true
          port_protocol:
            eq: domain
        grant: permit
        protocol: tcp
        sequence: 20
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: icmp
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: icmp
        protocol_options:
          icmp:
            router_solicitation: true
        sequence: 50
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: icmp
        protocol_options:
          icmp:
            router_advertisement: true
        sequence: 60
        source:
          any: true
      - destination:
          any: true
        grant: permit
        protocol: icmp
        protocol_options:
          icmp:
            redirect: true
        sequence: 70
        source:
          any: true
      - destination:
          any: true
          port_protocol:
            eq: '546'
        grant: permit
        protocol: udp
        sequence: 80
        source:
          any: true
          port_protocol:
            eq: '547'
      - destination:
          any: true
          port_protocol:
            eq: '547'
        grant: permit
        protocol: udp
        sequence: 90
        source:
          any: true
          port_protocol:
            eq: '546'
      - destination:
          any: true
        grant: deny
        protocol: ipv6
        sequence: 100
        source:
          any: true
      name: preauth_v6
    afi: ipv6
  commands:
  - ip access-list extended ntp-peer
  - no 10 permit host 192.168.14.21 any
  - no 20 permit host 192.168.14.22 any
  - no 30 permit host 192.168.14.23 any
  - no 40 permit host 192.168.14.24 any
  - no 50 permit host 192.168.15.21 any
  - no 60 permit host 192.168.15.22 any
  - no 70 permit host 192.168.8.21 any
  - no 80 permit host 192.168.8.22 any
  - no 90 deny any any log
  - 10 permit ip host 192.168.14.21 any
  - 20 permit ip host 192.168.14.22 any
  - 30 permit ip host 192.168.14.23 any
  - 40 permit ip host 192.168.14.24 any
  - 50 permit ip host 192.168.15.21 any
  - 60 permit ip host 192.168.15.22 any
  - 70 permit ip host 192.168.8.21 any
  - 80 permit ip host 192.168.8.22 any
  - 90 deny ip any any log
  - ip access-list extended ntp-serve
  - no 10 deny any any log
  - 10 deny ip any any log
  - ip access-list extended -SNMP
  - no 10 permit host 192.168.115.173 any
  - no 20 permit host 192.168.115.182 any
  - no 30 permit host 192.168.240.200 any
  - no 40 deny any any log
  - 10 permit ip host 192.168.115.173 any
  - 20 permit ip host 192.168.115.182 any
  - 30 permit ip host 192.168.240.200 any
  - 40 deny ip any any log
  - ip access-list extended NET-MGMT-VTY
  - no 160 deny any any log
  - 160 deny ip any any log
  invocation:
    module_args:
      config:
      - acls:
        - aces:
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 10
            source:
              address: null
              any: null
              host: 192.168.14.21
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 20
            source:
              address: null
              any: null
              host: 192.168.14.22
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 30
            source:
              address: null
              any: null
              host: 192.168.14.23
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 40
            source:
              address: null
              any: null
              host: 192.168.14.24
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 50
            source:
              address: null
              any: null
              host: 192.168.15.21
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 60
            source:
              address: null
              any: null
              host: 192.168.15.22
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 70
            source:
              address: null
              any: null
              host: 192.168.8.21
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 80
            source:
              address: null
              any: null
              host: 192.168.8.22
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: deny
            log:
              set: true
              user_cookie: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 90
            source:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          acl_type: extended
          name: ntp-peer
        - aces:
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: deny
            log:
              set: true
              user_cookie: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 10
            source:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          acl_type: extended
          name: ntp-serve
        - aces:
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 10
            source:
              address: null
              any: null
              host: 192.168.115.173
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 20
            source:
              address: null
              any: null
              host: 192.168.115.182
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 30
            source:
              address: null
              any: null
              host: 192.168.240.200
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: deny
            log:
              set: true
              user_cookie: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 40
            source:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          acl_type: extended
          name: -SNMP
        - aces:
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 10
            source:
              address: 192.168.77.248
              any: null
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: 0.0.0.7
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 20
            source:
              address: null
              any: null
              host: 192.168.115.173
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 30
            source:
              address: null
              any: null
              host: 192.168.115.182
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 40
            source:
              address: null
              any: null
              host: 192.168.240.200
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 50
            source:
              address: null
              any: null
              host: 192.168.30.9
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 60
            source:
              address: null
              any: null
              host: 192.168.32.170
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 70
            source:
              address: null
              any: null
              host: 192.168.32.171
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 80
            source:
              address: null
              any: null
              host: 192.168.241.10
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 90
            source:
              address: null
              any: null
              host: 192.168.8.22
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 100
            source:
              address: null
              any: null
              host: 192.168.6.10
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 110
            source:
              address: null
              any: null
              host: 192.168.6.11
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 120
            source:
              address: null
              any: null
              host: 10.110.137.105
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 130
            source:
              address: null
              any: null
              host: 192.168.70.13
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 140
            source:
              address: null
              any: null
              host: 192.168.70.14
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol:
                eq: '22'
                gt: null
                lt: null
                neq: null
                range: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: permit
            log: null
            log_input: null
            option: null
            precedence: null
            protocol: tcp
            protocol_options: null
            remarks: null
            sequence: 150
            source:
              address: null
              any: null
              host: 192.168.70.19
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          - destination:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            dscp: null
            enable_fragments: null
            evaluate: null
            fragments: null
            grant: deny
            log:
              set: true
              user_cookie: null
            log_input: null
            option: null
            precedence: null
            protocol: null
            protocol_options:
              ahp: null
              eigrp: null
              esp: null
              gre: null
              hbh: null
              icmp: null
              igmp: null
              ip: true
              ipinip: null
              ipv6: null
              nos: null
              ospf: null
              pcp: null
              pim: null
              protocol_number: null
              sctp: null
              tcp: null
              udp: null
            remarks: null
            sequence: 160
            source:
              address: null
              any: true
              host: null
              object_group: null
              port_protocol: null
              wildcard_bits: null
            time_range: null
            tos: null
            ttl: null
          acl_type: extended
          name: NET-MGMT-VTY
        afi: ipv4
      running_config: null
      state: replaced
NOTIFIED HANDLER connectivity.network.password_encryption : Save ios. for c9600
redirecting (type: action) cisco.ios.ios_config to cisco.ios.ios
Thursday 20 July 2023  11:10:34 +0200 (0:00:22.625)       0:00:24.351 ********* 
redirecting (type: action) cisco.ios.ios_config to cisco.ios.ios
redirecting (type: action) cisco.ios.ios_config to cisco.ios.ios
redirecting (type: action) cisco.ios.ios_config to cisco.ios.ios
redirecting (type: action) cisco.ios.ios_config to cisco.ios.ios
redirecting (type: action) cisco.ios.ios_config to cisco.ios.ios
´´´´

Hope this helps.
For the module error I could only recreate this for 4500X switches, but it is not consistent across the platform. Only certain switches fail.

Regards

bl1nkbl1nk commented 9 months ago

The problem seems to also exist when using log at the end.

"ip access-list standard Network-Management",
"no 170 deny 0.0.0.0 127.255.255.255 log",
"no 180 deny 128.0.0.0 127.255.255.255 log",
"170 deny 0.0.0.0 127.255.255.255 log",
"180 deny 128.0.0.0 127.255.255.255 log",
"remark ACL configured by Ansible"

On the box itself there is a triple space. Maybe it has something to do with that? I can see no other diff in between the lines.

ip access-list standard Network-Management
...
 170 deny   0.0.0.0 127.255.255.255 log
 180 deny   128.0.0.0 127.255.255.255 log
 remark ACL configured by Ansible

jorgenspange commented 9 months ago

Hi,

Here's a problem with the module error towards a Cisco 9300X-24Y running IOS-XE 17.06.05:

fatal: [SW01]: FAILED! => changed=false
  module_stderr: |-
    no 10 permit host 192.168.136.2
    no 10 permit host 192.168.136.2
       ^
    % Invalid input detected at '^' marker.

    SW01(config)#
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error

Edit:

Seems like this occurs because there is an existing standard acl with the same name, so it fails when I try to replace it with an extended acl.

Edit2:

After manually deleting the standard acl, the module error did not occur anymore.

Edit3:

Also getting this module error, which is towards C9500 running ios-xe 17.03:

fatal: [C9500]: FAILED! => changed=false
  module_stderr: 'unhashable type: ''dict'''
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error

dmeister0428 commented 9 months ago

I see similar issues with standard ACLs, they aren't idempotent. Here is what gets applied each time for an ACL that isn't changed:

"changed": true,
"commands": [
    "ip access-list standard test",
    "no 10 permit host 10.65.107.10",
    "no 60 permit host 10.70.48.10",
    "no 70 permit host 10.70.56.10",
    "10 permit 10.65.107.10",
    "60 permit 10.70.48.10",
    "70 permit 10.70.56.10"
],

The ACL has several other lines that aren't updated for whatever reason. The only difference is those lines are subnets instead of individual hosts.

Here is the full ACL in question:

ip access-list standard test
 10 permit 10.65.107.10
 60 permit 10.70.48.10
 70 permit 10.70.56.10
 100 permit 10.61.152.0 0.0.0.255
 110 permit 69.67.17.0 0.0.0.255
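
The mismatch reported in the comments above (one side spelling an entry `permit host X` and the other `permit X`, or the device padding it as `deny   ...`) goes away when both sides are parsed into one canonical form before they are compared. The following is an added sketch, not the cisco.ios collection's code; the function names are hypothetical and the sample lists are constructed from values quoted in this thread.

```python
import re

# Hit counters that "show access-lists" appends, e.g. "(520 matches)".
MATCH_COUNTER = re.compile(r"\(\d+ match(?:es)?\)")


def parse_std_ace(line):
    """Parse one standard-ACL entry into (sequence, grant, source, log).

    Returns None for lines that are not permit/deny entries
    (the ACL header, remarks, blank lines).
    """
    # split() also collapses the padded "deny   any" spacing in device output
    tokens = MATCH_COUNTER.sub("", line).split()
    seq = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else None
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    grant = tokens.pop(0)
    log = bool(tokens) and tokens[-1] == "log"
    if log:
        tokens.pop()
    if len(tokens) == 2 and tokens[0] == "host":
        source = tokens[1]            # "host A" and bare "A" are the same entry
    elif len(tokens) == 2 and tokens[1] == "0.0.0.0":
        source = tokens[0]            # a 0.0.0.0 wildcard matches exactly one host
    elif len(tokens) in (1, 2):
        source = " ".join(tokens)     # "any", "A", or "A WILDCARD"
    else:
        raise ValueError("unsupported standard ACL entry: %r" % line)
    return (seq, grant, source, log)


def render_ace(ace, negate=False):
    """Render a canonical entry as one CLI line; never emits 'host any'."""
    seq, grant, source, log = ace
    parts = ["no"] if negate else []
    if seq is not None:
        parts.append(str(seq))
    parts += [grant, source]
    if log:
        parts.append("log")
    return " ".join(parts)


def index_by_sequence(lines):
    """Map sequence number -> canonical entry, skipping non-entry lines."""
    aces = {}
    for line in lines:
        ace = parse_std_ace(line)
        if ace is None:
            continue
        if ace[0] is None:
            raise ValueError("entry has no sequence number: %r" % line)
        aces[ace[0]] = ace
    return aces


def replace_commands(name, want_lines, have_lines):
    """Commands needed to turn 'have' into 'want'; [] when already equal."""
    want = index_by_sequence(want_lines)
    have = index_by_sequence(have_lines)
    removals = [render_ace(a, negate=True)
                for seq, a in sorted(have.items()) if want.get(seq) != a]
    additions = [render_ace(a)
                 for seq, a in sorted(want.items()) if have.get(seq) != a]
    if not removals and not additions:
        return []
    return ["ip access-list standard " + name] + removals + additions


# Constructed sample: desired entries in "host" spelling ...
WANT = [
    "10 permit host 10.65.107.10",
    "60 permit host 10.70.48.10",
    "70 permit host 10.70.56.10",
    "100 permit 10.61.152.0 0.0.0.255",
    "170 deny 0.0.0.0 127.255.255.255 log",
]
# ... and the same ACL as a device prints it (bare hosts, padded "deny").
HAVE = [
    "ip access-list standard test",
    " 10 permit 10.65.107.10",
    " 60 permit 10.70.48.10",
    " 70 permit 10.70.56.10",
    " 100 permit 10.61.152.0 0.0.0.255",
    " 170 deny   0.0.0.0 127.255.255.255 log",
    " remark ACL configured by Ansible",
]

if __name__ == "__main__":
    print(replace_commands("test", WANT, HAVE))  # no commands: nothing changed
```
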

jorgenspange commented 8 months ago

Also something which is kind of stupid, from Cisco's side, is that it seems that on catalyst 9k switches, acls get numerated even though you create them without sequence numbers, so when you replace and ansible tries to delete the old one because it's numerated, the command fails:

Standard IP access list SNMP
    20 permit 192.168.115.182
    10 permit 192.168.115.173
    30 permit 192.168.240.200 (31832 matches)
    50 deny   any log (520 matches)

Here I am trying to delete the deny entry when logged on the switch:
SW01(config-std-nacl)#no 50 deny host any log
                                              ^
% Invalid input detected at '^' marker.

and here with ansible:

fatal: [SW01]: FAILED! => changed=false
  module_stderr: |-
    no 50 deny host any log
    no 50 deny host any log
                    ^
    % Invalid input detected at '^' marker.

    SW01(config-std-nacl)#
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error

EDIT:

As a matter of fact it works when logging into ios:

sw01(config-std-nacl)#no 50 deny any log
sw01(config-std-nacl)#
sw01(config-std-nacl)#

For some reason ansible tries to delete it by writing no 50 deny HOST any log, instead of no 50 deny any log.

As far as I can see from the log, it does not include the "HOST" thing in the deny command when applying the ACL:

"ip access-list standard SNMP", "permit host 192.168.0.173", "permit host 192.168.0.182", "permit host 192.168.0.200", "permit 172.16.10.233 0.0.0.7", "deny any log"