I just recently learned about this module, which is both powerful and lets me simplify my code for updating ACLs. There are numerous states/actions available depending on your requirements; refer to the Ansible documentation:
https://docs.ansible.com/ansible/latest/collections/cisco/ios/ios_acls_module.html
One of my use cases is to write a proposed configuration to a file, parse it, and push the result to the device.
I. Create a proposed configuration (a plain .txt file works as well).
lab@lab-virtual-machine:~/Desktop/W_ACL$ cat proposed.cfg
Standard IP access list 12
110 permit 10.33.33.33
120 permit 10.44.44.44
II. Ansible Code
- name: ACL UPDATE
  hosts: Switches
  gather_facts: False
  connection: network_cli
  tasks:
    - name: Parse the commands for provided configuration
      cisco.ios.ios_acls:
        running_config: "{{ lookup('file', '/home/lab/Desktop/W_ACL/proposed.cfg') }}"
        state: parsed
      register: proposed_cfg

    - name: Merge provided configuration with device configuration
      cisco.ios.ios_acls:
        config: "{{ proposed_cfg.parsed }}"
        state: merged

    - debug:
        msg: "proposed config : {{ proposed_cfg }}"
III. State: parsed
The first task parses the file into the module's structured data (afi, acls, aces) and registers the result as proposed_cfg.
TASK [Parse the commands for provided configuration] *
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
ok: [192.168.68.4]
TASK [debug] *
ok: [192.168.68.4] => {
"msg": "proposed config : {'parsed': [{'afi': 'ipv4', 'acls': [{'name': '12', 'acl_type': 'standard', 'aces': [{'sequence': 110, 'grant': 'permit', 'source': {'host': '10.33.33.33'}}, {'sequence': 120, 'grant': 'permit', 'source': {'host': '10.44.44.44'}}]}]}], 'changed': False, 'failed': False}"
}
IV. Execute the change with state: merged
The merged task takes the parsed data (the afi and acls arguments) from the proposed_cfg variable and applies it on top of the ACL configuration already on the device.
lab@lab-virtual-machine:~/Desktop/W_ACL$ ansible-playbook 2acl.yml -i inventory
PLAY [ACL UPDATE]
TASK [Parse the commands for provided configuration] *
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
ok: [192.168.68.4]
TASK [Merge provided configuration with device configuration]
changed: [192.168.68.4]
V. Result
Pre-checks:
test-switch-01#sh ip access-lists 12
Standard IP access list 12
10 permit 172.23.164.13
20 permit 172.23.164.12
30 permit 172.23.164.11
40 permit 172.23.164.10
50 permit 172.31.207.20
60 permit 172.31.207.243
70 permit 172.23.12.77
80 permit 172.28.14.0, wildcard bits 0.0.0.255
90 permit 10.0.0.250, wildcard bits 0.255.255.0
100 permit 10.36.56.0, wildcard bits 0.0.0.255
130 deny any log
Post-checks (both new entries are present; IOS displays standard ACL entries in its own internal order, which is why 120 and 110 appear between 40 and 50 rather than at the end):
test-switch-01#sh ip access-lists 12
Standard IP access list 12
10 permit 172.23.164.13
20 permit 172.23.164.12
30 permit 172.23.164.11
40 permit 172.23.164.10
120 permit 10.44.44.44
110 permit 10.33.33.33
50 permit 172.31.207.20
60 permit 172.31.207.243
70 permit 172.23.12.77
80 permit 172.28.14.0, wildcard bits 0.0.0.255
90 permit 10.0.0.250, wildcard bits 0.255.255.0
100 permit 10.36.56.0, wildcard bits 0.0.0.255
130 deny any log
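As an added example (not code from the original post), here is a Python script that mirrors two steps above: it parses a "show ip access-lists"-style file into the same shape the parsed state returned in section III, and it compares the pre-check and post-check listings from section V to confirm that merged added exactly the proposed entries and changed nothing else. The host form of the source matches the page output; the address/wildcard_bits/any/log keys are assumptions modelled on the module's documented argument names, and the sample listings are constructed, shortened versions of the ones shown above. Comparison is keyed by sequence number, so the display order IOS uses does not matter.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs modelled on proposed.cfg and the test-switch-01 listings above.
PROPOSED_CFG = """\
Standard IP access list 12
110 permit 10.33.33.33
120 permit 10.44.44.44
"""

PRE_CHECK = """\
Standard IP access list 12
10 permit 172.23.164.13
20 permit 172.23.164.12
80 permit 172.28.14.0, wildcard bits 0.0.0.255
130 deny any log
"""

POST_CHECK = """\
Standard IP access list 12
10 permit 172.23.164.13
20 permit 172.23.164.12
120 permit 10.44.44.44
110 permit 10.33.33.33
80 permit 172.28.14.0, wildcard bits 0.0.0.255
130 deny any log
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
ACE_RE = re.compile(
    r"^(?P<seq>\d+) (?P<grant>permit|deny) "
    r"(?P<src>any|\d+\.\d+\.\d+\.\d+)"
    r"(?:, wildcard bits (?P<wc>\d+\.\d+\.\d+\.\d+))?"
    r"(?P<log> log)?$"
)


def parse_standard_acls(text: str) -> dict:
    """Parse standard ACL listing text into a structure shaped like ios_acls state=parsed.

    The host form is taken from the page output; the address/wildcard_bits/any/log
    keys are an assumption based on the module's argument names.
    """
    acls: List[dict] = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(2), "acl_type": m.group(1).lower(), "aces": []}
            acls.append(current)
            continue
        m = ACE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unrecognised line: {line!r}")
        ace: dict = {"sequence": int(m.group("seq")), "grant": m.group("grant")}
        if m.group("src") == "any":
            ace["source"] = {"any": True}
        elif m.group("wc"):
            ace["source"] = {"address": m.group("src"), "wildcard_bits": m.group("wc")}
        else:
            ace["source"] = {"host": m.group("src")}
        if m.group("log"):
            ace["log"] = True
        current["aces"].append(ace)
    return {"afi": "ipv4", "acls": acls}


def ace_key(ace: dict) -> Tuple:
    """Identity of an ACE by what it matches, independent of where IOS displays it."""
    return (ace["grant"], tuple(sorted(ace["source"].items())), ace.get("log", False))


def aces_by_sequence(text: str, acl_name: str) -> Dict[int, dict]:
    """Return {sequence: ace} for one named ACL, or {} if the ACL is absent."""
    for acl in parse_standard_acls(text)["acls"]:
        if acl["name"] == acl_name:
            return {a["sequence"]: a for a in acl["aces"]}
    return {}


def verify_merge(pre: str, proposed: str, post: str, acl_name: str) -> dict:
    """Check that post == pre + proposed: every expected entry present, nothing extra.

    'collisions' lists proposed sequence numbers that already exist in pre with
    different content; those deserve a manual look before the merge is run.
    """
    pre_aces = aces_by_sequence(pre, acl_name)
    new_aces = aces_by_sequence(proposed, acl_name)
    post_aces = aces_by_sequence(post, acl_name)
    expected = {**pre_aces, **new_aces}
    missing = sorted(s for s in expected
                     if s not in post_aces or ace_key(post_aces[s]) != ace_key(expected[s]))
    unexpected = sorted(s for s in post_aces if s not in expected)
    collisions = sorted(s for s in new_aces
                        if s in pre_aces and ace_key(pre_aces[s]) != ace_key(new_aces[s]))
    return {"ok": not missing and not unexpected, "missing": missing,
            "unexpected": unexpected, "collisions": collisions}


if __name__ == "__main__":
    print(parse_standard_acls(PROPOSED_CFG))
    print(verify_merge(PRE_CHECK, PROPOSED_CFG, POST_CHECK, "12"))
```

Running verify_merge with the pre-check listing as the "post" text (i.e. the merge never happened) reports sequences 110 and 120 as missing, which is the kind of check worth wiring into the playbook as a follow-up task after the merge.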