ce_acl_advance – Manages advanced ACL configuration on HUAWEI CloudEngine switches¶

New in version 2.4.

Synopsis
Parameters
Notes
Examples
Return Values
Status

Synopsis ¶

Manages advanced ACL configurations on HUAWEI CloudEngine switches.

Parameters ¶

Parameter	Choices/Defaults	Comments
acl_description -		ACL description. The value is a string of 1 to 127 characters.
acl_name - / required		ACL number or name. For a numbered rule group, the value ranging from 3000 to 3999 indicates a advance ACL. For a named rule group, the value is a string of 1 to 32 case-sensitive characters starting with a letter, spaces not supported.
acl_num -		ACL number. The value is an integer ranging from 3000 to 3999.
acl_step -		ACL step. The value is an integer ranging from 1 to 20. The default value is 5.
dest_ip -		Destination IP address. The value is a string of 0 to 255 characters.The default value is 0.0.0.0. The value is in dotted decimal notation.
dest_mask -		Destination IP address mask. The value is an integer ranging from 1 to 32.
dest_pool_name -		Name of a destination pool. The value is a string of 1 to 32 characters.
dest_port_begin -		Start port number of the destination port. The value is an integer ranging from 0 to 65535.
dest_port_end -		End port number of the destination port. The value is an integer ranging from 0 to 65535.
dest_port_op -	Choices: lt eq gt range	Range type of the destination port.
dest_port_pool_name -		Name of a destination port pool. The value is a string of 1 to 32 characters.
dscp -		Differentiated Services Code Point. The value is an integer ranging from 0 to 63.
established boolean	Choices: no ← yes	Match established connections.
frag_type -	Choices: fragment clear_fragment	Type of packet fragmentation.
icmp_code -		ICMP message code. Data packets can be filtered based on the ICMP message code. The value is an integer ranging from 0 to 255.
icmp_name -	Choices: unconfiged echo echo-reply fragmentneed-DFset host-redirect host-tos-redirect host-unreachable information-reply information-request net-redirect net-tos-redirect net-unreachable parameter-problem port-unreachable protocol-unreachable reassembly-timeout source-quench source-route-failed timestamp-reply timestamp-request ttl-exceeded address-mask-reply address-mask-request custom	ICMP name.
icmp_type -		ICMP type. This parameter is available only when the packet protocol is ICMP. The value is an integer ranging from 0 to 255.
igmp_type -	Choices: host-query mrouter-adver mrouter-solic mrouter-termi mtrace-resp mtrace-route v1host-report v2host-report v2leave-group v3host-report	Internet Group Management Protocol.
log_flag boolean	Choices: no ← yes	Flag of logging matched data packets.
precedence -		Data packets can be filtered based on the priority field. The value is an integer ranging from 0 to 7.
protocol -	Choices: ip icmp igmp ipinip tcp udp gre ospf	Protocol type.
rule_action -	Choices: permit deny	Matching mode of basic ACL rules.
rule_description -		Description about an ACL rule.
rule_id -		ID of a basic ACL rule in configuration mode. The value is an integer ranging from 0 to 4294967294.
rule_name -		Name of a basic ACL rule. The value is a string of 1 to 32 characters.
source_ip -		Source IP address. The value is a string of 0 to 255 characters.The default value is 0.0.0.0. The value is in dotted decimal notation.
src_mask -		Source IP address mask. The value is an integer ranging from 1 to 32.
src_pool_name -		Name of a source pool. The value is a string of 1 to 32 characters.
src_port_begin -		Start port number of the source port. The value is an integer ranging from 0 to 65535.
src_port_end -		End port number of the source port. The value is an integer ranging from 0 to 65535.
src_port_op -	Choices: lt eq gt range	Range type of the source port.
src_port_pool_name -		Name of a source port pool. The value is a string of 1 to 32 characters.
state -	Choices: present ← absent delete_acl	Specify desired state of the resource.
syn_flag -		TCP flag value. The value is an integer ranging from 0 to 63.
tcp_flag_mask -		TCP flag mask value. The value is an integer ranging from 0 to 63.
time_range -		Name of a time range in which an ACL rule takes effect.
tos -		ToS value on which data packet filtering is based. The value is an integer ranging from 0 to 15.
ttl_expired boolean	Choices: no ← yes	Whether TTL Expired is matched, with the TTL value of 1.
vrf_name -		VPN instance name. The value is a string of 1 to 31 characters.The default value is _public_.

Notes ¶

Note

This module requires the netconf system service be enabled on the remote device being managed.
Recommended connection is netconf.
This module also works with local connections for legacy playbooks.

Examples ¶

- name: CloudEngine advance acl test
  hosts: cloudengine
  connection: local
  gather_facts: no
  vars:
    cli:
      host: "{{ inventory_hostname }}"
      port: "{{ ansible_ssh_port }}"
      username: "{{ username }}"
      password: "{{ password }}"
      transport: cli

  tasks:

  - name: "Config ACL"
    ce_acl_advance:
      state: present
      acl_name: 3200
      provider: "{{ cli }}"

  - name: "Undo ACL"
    ce_acl_advance:
      state: delete_acl
      acl_name: 3200
      provider: "{{ cli }}"

  - name: "Config ACL advance rule"
    ce_acl_advance:
      state: present
      acl_name: test
      rule_name: test_rule
      rule_id: 111
      rule_action: permit
      protocol: tcp
      source_ip: 10.10.10.10
      src_mask: 24
      frag_type: fragment
      provider: "{{ cli }}"

  - name: "Undo ACL advance rule"
    ce_acl_advance:
      state: absent
      acl_name: test
      rule_name: test_rule
      rule_id: 111
      rule_action: permit
      protocol: tcp
      source_ip: 10.10.10.10
      src_mask: 24
      frag_type: fragment
      provider: "{{ cli }}"

Return Values ¶

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
changed boolean	always	check to see if a change was made on the device Sample: True
end_state dictionary	always	k/v pairs of aaa params after module execution
existing dictionary	always	k/v pairs of existing aaa server Sample: {'aclNumOrName': 'test', 'aclType': 'Advance'}
proposed dictionary	always	k/v pairs of parameters passed into module Sample: {'acl_name': 'test', 'state': 'delete_acl'}
updates list	always	command sent to the device Sample: ['undo acl name test']

Status ¶

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]

Authors¶

wangdezhuang (@QijunPan)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

ce_acl_advance – Manages advanced ACL configuration on HUAWEI CloudEngine switches¶

Synopsis¶

Parameters¶

Notes¶

Examples¶

Return Values¶

Status¶