ansible-collections / cisco.iosxr

Ansible Network Collection for Cisco IOSXR
GNU General Public License v3.0

Utilize the cisco.iosxr.iosxr_acls modules to delete specific entries in access lists #319

Closed digitalfiend64 closed 1 year ago

digitalfiend64 commented 1 year ago

SUMMARY
Utilize the cisco.ios.ios_acls, cisco.nxos.nxos_acls and cisco.iosxr.iosxr_acls modules to delete specific entries in access lists.

ISSUE TYPE
Feature Idea

Currently there is only a merge to add new ACEs to existing ACLs, but there is no way to delete ACEs without replacing the entire list.

COMPONENT NAME
cisco.ios.ios_acls, cisco.nxos.nxos_acls and cisco.iosxr.iosxr_acls

ADDITIONAL INFORMATION
This would solve using a template and the config module to remove ACLs and do it all in the module.

ashwini-mhatre commented 1 year ago

@digitalfiend64 you can use the replaced or overridden state to delete specific entries in an access-list. Here is an example of how we can achieve this.

No access-list on the device:

RP/0/RP0/CPU0:iosxr1#show access-lists 
Fri Jan 13 09:25:07.837 UTC
RP/0/RP0/CPU0:iosxr1#

Using merged state to push access-lists:

- name: IOS XR test ACL
  hosts: iosxr
  gather_facts: no
  connection: network_cli

  tasks:
    - name: Configure ACL
      cisco.iosxr.iosxr_acls:
        config:
          - afi: "ipv4"
            acls:
              - name: "QOS_WEBEX_VIDEO"
                aces:
                  - grant: permit
                    protocol: udp
                    source:
                      any: true
                    destination:
                      any: true
                      port_protocol:
                        eq: 5000
                    sequence: 50
                  - grant: permit
                    protocol: udp
                    source:
                      any: true
                    destination:
                      any: true
                      port_protocol:
                        eq: 9000
                    sequence: 30

        state: merged

After playbook execution:

RP/0/RP0/CPU0:iosxr1#show access-lists 
Fri Jan 13 09:28:38.781 UTC
ipv4 access-list QOS_WEBEX_VIDEO
 30 permit udp any any eq 9000
 50 permit udp any any eq 5000
RP/0/RP0/CPU0:iosxr1#

Let's delete 50 permit udp any any eq 5000 using replaced state:

- name: IOS XR test ACL
  hosts: iosxr
  gather_facts: no
  connection: network_cli

  tasks:
    - name: Replaced acl - delete ace 50 permit udp any any eq 5000
      cisco.iosxr.iosxr_acls:
        config:
          - afi: "ipv4"
            acls:
              - name: "QOS_WEBEX_VIDEO"
                aces:
                  - grant: permit
                    protocol: udp
                    source:
                      any: true
                    destination:
                      any: true
                      port_protocol:
                        eq: 9000
                    sequence: 30

        state: replaced

The following commands will be triggered during playbook execution:

"commands": [ "ipv4 access-list QOS_WEBEX_VIDEO", "no 50" ],

Let's see the access-list config on the device:

RP/0/RP0/CPU0:iosxr1#show access-lists 
Fri Jan 13 09:33:28.314 UTC
ipv4 access-list QOS_WEBEX_VIDEO
 30 permit udp any any eq 9000
RP/0/RP0/CPU0:iosxr1#
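
The behaviour shown above (merged only adds, replaced also emits "no 50" for any sequence left out of the config) can be checked offline before a playbook touches a device. The following is an added example, not code from cisco.iosxr or ansible.netcommon and not the collection's own diff logic: it parses the `show access-lists` output quoted above, takes the same `config` list the replaced-state playbook uses, and computes the commands each state would need. The sample show output and the `plan_commands`/`ace_to_cli` helpers are constructed for this example and only cover the ACE fields used in the thread (grant, protocol, any source/destination, one port operator).

```python
"""Added example (not cisco.iosxr or ansible.netcommon code): compute the CLI
commands a merged or replaced update of an IOS XR ACL would need, from the
`show access-lists` output and the module's `config` list."""
import re
from typing import Dict, List

# Constructed sample input: device state after the merged playbook above.
SHOW_ACCESS_LISTS = """\
Fri Jan 13 09:28:38.781 UTC
ipv4 access-list QOS_WEBEX_VIDEO
 30 permit udp any any eq 9000
 50 permit udp any any eq 5000
"""

# Constructed sample: the `config` list from the replaced-state playbook above.
WANT_REPLACED = [
    {
        "afi": "ipv4",
        "acls": [
            {
                "name": "QOS_WEBEX_VIDEO",
                "aces": [
                    {
                        "grant": "permit",
                        "protocol": "udp",
                        "source": {"any": True},
                        "destination": {"any": True, "port_protocol": {"eq": 9000}},
                        "sequence": 30,
                    }
                ],
            }
        ],
    }
]

ACL_HEADER = re.compile(r"^(ipv4|ipv6) access-list (\S+)\s*$")
ACE_LINE = re.compile(r"^\s+(\d+)\s+(.+?)\s*$")


def parse_show_access_lists(text: str) -> Dict[str, Dict[int, str]]:
    """Map '<afi> <name>' -> {sequence: 'ace text'} from `show access-lists`."""
    have: Dict[str, Dict[int, str]] = {}
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            have[current] = {}
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            have[current][int(ace.group(1))] = ace.group(2)
    return have


def ace_to_cli(ace: dict) -> str:
    """Render the subset of the ACE schema used in the thread as IOS XR CLI text."""
    def endpoint(ep: dict) -> str:
        text = "any" if ep.get("any") else ep["address"]
        port = ep.get("port_protocol")
        if port:
            op, value = next(iter(port.items()))  # e.g. eq 5000
            text += f" {op} {value}"
        return text
    return f"{ace['grant']} {ace['protocol']} {endpoint(ace['source'])} {endpoint(ace['destination'])}"


def plan_commands(have: Dict[str, Dict[int, str]], want: list, state: str) -> List[str]:
    """Commands that move `have` toward `want` for the given module state.

    merged:   add or rewrite only the sequences listed in `want`.
    replaced: as merged, plus `no <seq>` for every sequence the ACL has on the
              device but `want` omits, which is how a single ACE is deleted.
    """
    if state not in ("merged", "replaced"):
        raise ValueError(f"unsupported state: {state}")
    commands: List[str] = []
    for entry in want:
        for acl in entry["acls"]:
            key = f"{entry['afi']} {acl['name']}"
            have_aces = have.get(key, {})
            want_aces = {a["sequence"]: ace_to_cli(a) for a in acl["aces"]}
            acl_cmds: List[str] = []
            if state == "replaced":
                for seq in sorted(set(have_aces) - set(want_aces)):
                    acl_cmds.append(f"no {seq}")
            for seq in sorted(want_aces):
                if have_aces.get(seq) != want_aces[seq]:
                    acl_cmds.append(f"{seq} {want_aces[seq]}")
            if acl_cmds:  # only enter the ACL context when there is something to change
                commands.append(f"{entry['afi']} access-list {acl['name']}")
                commands.extend(acl_cmds)
    return commands


if __name__ == "__main__":
    have = parse_show_access_lists(SHOW_ACCESS_LISTS)
    print(plan_commands(have, WANT_REPLACED, "replaced"))
    # -> ['ipv4 access-list QOS_WEBEX_VIDEO', 'no 50']
```

Running the same `config` through both states makes the difference concrete: merged produces no commands at all (sequence 30 already matches), while replaced produces exactly the `no 50` seen in the playbook output. Comparing the planned commands against a parsed `show access-lists` dump before and after a run is a cheap way to confirm that a replaced-state task removed only the intended ACE and did not drop entries that were simply missing from the playbook.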

ashwini-mhatre commented 1 year ago

Please use ace_popper to delete specific entries in access lists. The code is available in netcommon: https://github.com/ansible-collections/ansible.netcommon/pull/529