wobscale/dellemc.os9
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
dellemc.os9/roles/os9_acl/README.md
Komal Uttamrao Patil 90b090b021
OS9 Ansible Collections (#2) 
* adding OS9 ansible collections

* adding OS9 collections

Co-authored-by: Patil <Komal_uttamrao_Patil@Dell.com>
2020-07-09 19:29:51 -07:00

139 lines
8.7 KiB
Markdown
Raw Blame History

ACL role
========
This role facilitates the configuration of an access-control list (ACL). It supports the configuration of different types of ACLs (standard and extended) for both IPv4 and IPv6, and assigns the access-class to the line terminals.
The ACL role requires an SSH connection for connectivity to a Dell EMC Networking device. You can use any of the built-in OS connection variables.
Role variables
--------------
- Role is abstracted using the *ansible_network_os* variable that can take dellemc.os9.os9 as a value
- If *os9_cfg_generate* is set to true, the variable generates the role configuration commands in a file
- Any role variable with a corresponding state variable set to absent negates the configuration of that variable
- Setting an empty value for any variable negates the corresponding configuration
- Variables and values are case-sensitive
**os9_acl keys**
| Key | Type | Description | Support |
|------------|---------------------------|---------------------------------------------------------|-----------------------|
| ``type`` | string (required): ipv4, ipv6, mac | Configures the L3 (IPv4/IPv6) or L2 (MAC) access-control list | os9 |
| ``name`` | string (required) | Configures the name of the access-control list | os9 |
| ``description`` | string | Configures the description about the access-control list | os9 |
| ``remark`` | list | Configures the ACL remark (see ``remark.*``) | os9 |
| ``remark.number`` | integer (required) | Configures the remark sequence number | os9 |
| ``remark.description`` | string | Configures the remark description | os9 |
| ``remark.state`` | string: absent,present\* | Deletes the configured remark for an ACL entry if set to absent | os9 |
| ``extended`` | boolean: true,false | Configures an extended ACL type if set to true; configures a standard ACL if set to false | os9 |
| ``entries`` | list | Configures ACL rules (see ``seqlist.*``) | os9 |
| ``entries.number`` | integer (required) | Specifies the sequence number of the ACL rule | os9 |
| ``entries.permit`` | boolean (required): true,false | Specifies the rule to permit packets if set to true; specifies to reject packets if set to false | os9 |
| ``entries.protocol`` | string (required) | Specifies the type of protocol or the protocol number to filter | os9 |
| ``entries.source`` | string (required) | Specifies the source address to match in the packets | os9 |
| ``entries.src_condition`` | string | Specifies the condition to filter packets from the source address; ignored if MAC | os9 |
| ``entries.destination`` | string (required) | Specifies the destination address to match in the packets | os9 |
| ``entries.dest_condition`` | string | Specifies the condition to filter packets to the destination address | os9 |
| ``entries.other_options`` | string | Specifies the other options applied on packets (count, log, order, monitor, and so on) | os9 |
| ``entries.state`` | string: absent,present\* | Deletes the rule from the ACL if set to absent | os9 |
| ``stage_ingress`` | list | Configures ingress ACL to the interface (see ``stage_ingress.*``) | os9 |
| ``stage_ingress.name`` | string (required) | Configures the ingress ACL filter to the interface with this interface name | os9 |
| ``stage_ingress.state`` | string: absent,present\* | Deletes the configured ACL from the interface if set to absent | os9 |
| ``stage_ingress.seq_number`` | integer | Configure the sequence number (greater than 0) to rank precedence for this interface and direction |
| ``stage_egress`` | list | Configures egress ACL to the interface (see ``stage_egress.*``) | os9 |
| ``stage_egress.name`` | string (required) | Configures the egress ACL filter to the interface with this interface name | os9 |
| ``stage_egress.state`` | string: absent,present\* | Deletes the configured egress ACL from the interface if set to absent | os9 |
| ``lineterminal`` | list | Configures the terminal to apply the ACL (see ``lineterminal.*``) | os9 |
| ``lineterminal.line`` | string (required) | Configures access-class on the line terminal | os9 |
| ``lineterminal.state`` | string: absent,present\* | Deletes the access-class from line terminal if set to absent | os9 |
| ``state`` | string: absent,present\* | Deletes the ACL if set to absent | os9 |
> **NOTE**: Asterisk (\*) denotes the default value if none is specified.
Connection variables
--------------------
Ansible Dell EMC Networking roles require connection information to establish communication with the nodes in inventory. This information can exist in the Ansible *group_vars* or *host_vars* directories or inventory, or in the playbook itself.
| Key | Required | Choices | Description |
|-------------|----------|------------|-------------------------------------------------------|
| ``ansible_host`` | yes | | Specifies the hostname or address for connecting to the remote device over the specified transport |
| ``ansible_port`` | no | | Specifies the port used to build the connection to the remote device; if value is unspecified, the ANSIBLE_REMOTE_PORT option is used; it defaults to 22 |
| ``ansible_ssh_user`` | no | | Specifies the username that authenticates the CLI login for the connection to the remote device; if value is unspecified, the ANSIBLE_REMOTE_USER environment variable value is used |
| ``ansible_ssh_pass`` | no | | Specifies the password that authenticates the connection to the remote device. |
| ``ansible_become`` | no | yes, no\* | Instructs the module to enter privileged mode on the remote device before sending any commands; if value is unspecified, the ANSIBLE_BECOME environment variable value is used, and the device attempts to execute all commands in non-privileged mode |
| ``ansible_become_method`` | no | enable, sudo\* | Instructs the module to allow the become method to be specified for handling privilege escalation; if value is unspecified, the ANSIBLE_BECOME_METHOD environment variable value is used. |
| ``ansible_become_pass`` | no | | Specifies the password to use if required to enter privileged mode on the remote device; if ``ansible_become`` is set to no this key is not applicable. |
| ``ansible_network_os`` | yes /os9, null\* | This value is used to load the correct terminal and cliconf plugins to communicate with the remote device. |
> **NOTE**: Asterisk (_*_) denotes the default value if none is specified.
Dependencies
------------
The *os9_acl* role is built on modules included in the core Ansible code. These modules were added in Ansible version 2.2.0.
Example playbook
----------------
This example uses the *os9_acl* role to configure different types of ACLs (standard and extended) for both IPv4 and IPv6 and assigns the access-class to the line terminals. The example creates a *hosts* file with the switch details and corresponding variables. The hosts file should define the *ansible_network_os* variable with the corresponding Dell EMC networking OS name.
When *os9_cfg_generate* is set to true, it generates the configuration commands as a .part file in the *build_dir* path. By default it is set to false. It writes a simple playbook that only references the *os9_acl* role.
**Sample hosts file**
leaf1 ansible_host= <ip_address>
**Sample host_vars/leaf1**
hostname: leaf1
ansible_become: yes
ansible_become_method: xxxxx
ansible_become_pass: xxxxx
ansible_ssh_user: xxxxx
ansible_ssh_pass: xxxxx
ansible_network_os: dellemc.os9.os9
build_dir: ../temp/os9
os9_acl:
- type: ipv4
name: ssh-only
description: ipv4acl
extended: true
remark:
- number: 5
description: "ipv4remark"
entries:
- number: 5
permit: true
protocol: tcp
source: any
src_condition: ack
destination: any
dest_condition: eq 22
other_options: count
state: present
stage_ingress:
- name: fortyGigE 1/28
state: present
stage_egress:
- name: fortyGigE 1/28
state: present
lineterminal:
- line: vty 1
state: present
- line: vty 2
state: absent
state: present
**Simple playbook to setup system - leaf.yaml**
- hosts: leaf1
roles:
- dellemc.os9.os9_acl
**Run**
ansible-playbook -i hosts leaf.yaml
(c) 2017-2020 Dell Inc. or its subsidiaries. All Rights Reserved.
Reference in a new issue View git blame Copy permalink