Closed digitalfiend64 closed 1 year ago
@digitalfiend64 you can use replaced or overridden state to delete specific entries in access-list. Here is the example How we can achieve this.
No access-list on device.
RP/0/RP0/CPU0:iosxr1#show access-lists
Fri Jan 13 09:25:07.837 UTC
RP/0/RP0/CPU0:iosxr1#
Using merged state to push access-lists:
```yaml
- name: IOS XR test ACL
  hosts: iosxr
  gather_facts: no
  connection: network_cli
  tasks:
    - name: Configure ACL
      cisco.iosxr.iosxr_acls:
        config:
          - afi: "ipv4"
            acls:
              - name: "QOS_WEBEX_VIDEO"
                aces:
                  - grant: permit
                    protocol: udp
                    source:
                      any: true
                    destination:
                      any: true
                      port_protocol:
                        eq: 5000
                    sequence: 50
                  - grant: permit
                    protocol: udp
                    source:
                      any: true
                    destination:
                      any: true
                      port_protocol:
                        eq: 9000
                    sequence: 30
        state: merged
```
After playbook execution:
RP/0/RP0/CPU0:iosxr1#show access-lists
Fri Jan 13 09:28:38.781 UTC
ipv4 access-list QOS_WEBEX_VIDEO
30 permit udp any any eq 9000
50 permit udp any any eq 5000
RP/0/RP0/CPU0:iosxr1#
Let's delete `50 permit udp any any eq 5000` using the replaced state:
```yaml
- name: IOS XR test ACL
  hosts: iosxr
  gather_facts: no
  connection: network_cli
  tasks:
    - name: Replaced acl - delete ace 50 permit udp any any eq 5000
      cisco.iosxr.iosxr_acls:
        config:
          - afi: "ipv4"
            acls:
              - name: "QOS_WEBEX_VIDEO"
                aces:
                  - grant: permit
                    protocol: udp
                    source:
                      any: true
                    destination:
                      any: true
                      port_protocol:
                        eq: 9000
                    sequence: 30
        state: replaced
```
The following commands will be triggered during playbook execution:

```json
"commands": [ "ipv4 access-list QOS_WEBEX_VIDEO", "no 50" ],
```

Let's see the access-list config on the device:
RP/0/RP0/CPU0:iosxr1#show access-lists
Fri Jan 13 09:33:28.314 UTC
ipv4 access-list QOS_WEBEX_VIDEO
30 permit udp any any eq 9000
RP/0/RP0/CPU0:iosxr1#
Please use ace_popper to delete specific entries in access lists. The code is available in netcommon: https://github.com/ansible-collections/ansible.netcommon/pull/529
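As an added example (not code from the issue, the cisco.iosxr collection or any of the commenters), the Python below mirrors the have/want comparison that produces the `no 50` shown above: it parses the `show access-lists` output quoted in the thread, flattens the playbook `config:` list into the same shape, and computes the commands a `merged` or `replaced` run would send, so the effect of a state choice can be checked offline before it reaches a device. The ACE renderer only covers the options used in these playbooks (grant, protocol, `any`, `eq`) and is an assumption, not the module's own rendering logic; the sample output is the constructed copy of what the thread shows.

```python
"""Offline planner for ACE changes: parse IOS XR `show access-lists` output
and compute the commands a merged/replaced run would emit (added example)."""
import re

# Constructed sample: the `show access-lists` output quoted in the thread
SHOW_ACCESS_LISTS = """\
ipv4 access-list QOS_WEBEX_VIDEO
 30 permit udp any any eq 9000
 50 permit udp any any eq 5000
"""

# Constructed sample: the `config:` block of the replaced playbook above
REPLACED_CONFIG = [
    {"afi": "ipv4", "acls": [{"name": "QOS_WEBEX_VIDEO", "aces": [
        {"grant": "permit", "protocol": "udp",
         "source": {"any": True},
         "destination": {"any": True, "port_protocol": {"eq": 9000}},
         "sequence": 30}]}]}
]

ACL_HEADER = re.compile(r"^(ipv4|ipv6) access-list (\S+)\s*$")
ACE_LINE = re.compile(r"^\s*(\d+) (.+?)\s*$")


def parse_access_lists(text):
    """Return {(afi, name): {sequence: ace_text}} from show output."""
    acls = {}
    current = None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            acls[current] = {}
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            acls[current][int(m.group(1))] = m.group(2)
    return acls


def ace_to_text(ace):
    """Render a module-style ACE dict to CLI text (assumed subset: any/eq)."""
    parts = [ace["grant"], ace["protocol"]]
    for side in ("source", "destination"):
        endpoint = ace[side]
        parts.append("any" if endpoint.get("any") else endpoint["address"])
        port_protocol = endpoint.get("port_protocol")
        if port_protocol:
            (operator, value), = port_protocol.items()
            parts.extend([operator, str(value)])
    return " ".join(parts)


def want_from_config(config):
    """Flatten a playbook `config:` list into {(afi, name): {seq: text}}."""
    want = {}
    for afi_block in config:
        for acl in afi_block["acls"]:
            key = (afi_block["afi"], acl["name"])
            want[key] = {a["sequence"]: ace_to_text(a) for a in acl["aces"]}
    return want


def plan_commands(have, want, state):
    """Commands for `merged` (add/overwrite only) or `replaced` (also delete
    ACEs present on the device but absent from the playbook)."""
    commands = []
    for key, want_aces in want.items():
        have_aces = have.get(key, {})
        acl_cmds = []
        if state == "replaced":
            for seq in sorted(set(have_aces) - set(want_aces)):
                acl_cmds.append(f"no {seq}")
        for seq in sorted(want_aces):
            if have_aces.get(seq) != want_aces[seq]:
                acl_cmds.append(f"{seq} {want_aces[seq]}")
        if acl_cmds:
            commands.append(f"{key[0]} access-list {key[1]}")
            commands.extend(acl_cmds)
    return commands


if __name__ == "__main__":
    have = parse_access_lists(SHOW_ACCESS_LISTS)
    want = want_from_config(REPLACED_CONFIG)
    print("merged:  ", plan_commands(have, want, "merged"))
    print("replaced:", plan_commands(have, want, "replaced"))
```

Running it shows why `merged` cannot remove an ACE: the playbook ACE 30 already matches the device, so `merged` yields no commands at all, while `replaced` yields exactly the `ipv4 access-list QOS_WEBEX_VIDEO` / `no 50` pair the thread reports. Because `replaced` deletes every ACE not listed in the playbook, the full intended list must be declared, not only the entry being kept.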
SUMMARY
Utilize the cisco.ios.ios_acls, cisco.nxos.nxos_acls and cisco.iosxr.iosxr_acls modules to delete specific entries in access lists.

ISSUE TYPE
Feature Idea

Currently there is only a merge to add new ACEs to existing acls but there is no way to delete ACEs without replacing the entire list.

COMPONENT NAME
cisco.ios.ios_acls, cisco.nxos.nxos_acls and cisco.iosxr.iosxr_acls

ADDITIONAL INFORMATION
This would solve using a template and the config module to remove ACLs and do it all in the module.