AOS-CX configure ACL using Ansible

  • 1.  AOS-CX configure ACL using Ansible

    EMPLOYEE
    Posted Feb 11, 2021 12:51 AM
    Hi,
    I'm trying to write a playbook for configuring ACL on AOS-CX, this is the PB:


    ---
    - hosts: all
      roles:
        - role: arubanetworks.aoscx_role
      tasks:
        - name: Configure IPv4 ACL
          aoscx_acl:
            name: ipv4_acl_example
            type: ipv4
            acl_entries: {
              '10': {action: deny,
                     count: true,
                     log: true,
                     dst_ip: 10.255.254.0/255.255.255.0,
                     protocol: icmp,
                     src_ip: any}
              }
        - name: Configure IPv4 ACL
          aoscx_acl:
            name: ipv4_acl_example
            type: ipv4
            acl_entries: {
              '20': {action: permit,
                     count: true,
                     log: true,
                     dst_ip: 10.255.254.0/255.255.255.0,
                     protocol: tcp,
                     port: 80,
                     src_ip: any}
              }
        - name: Configure IPv4 ACL
          aoscx_acl:
            name: ipv4_acl_example
            type: ipv4
            acl_entries: {
              '30': {action: permit,
                     count: true,
                     log: true,
                     dst_ip: 10.255.254.0/255.255.255.0,
                     protocol: tcp,
                     port: 443,
                     src_ip: any}
              }
        - name: Configure IPv4 ACL
          aoscx_acl:
            name: ipv4_acl_example
            type: ipv4
            acl_entries: {
              '40': {action: deny,
                     count: true,
                     log: true,
                     dst_ip: any,
                     protocol: ip,
                     src_ip: any}
              }

    Is there any way to configure several entries in one task instead of one task for each entry?
    I managed to add the 'log' statement, but I can't find how to add an L4 port.



    ------------------------------
    Tal Madari
    ------------------------------


  • 2.  RE: AOS-CX configure ACL using Ansible

    MVP GURU
    Posted Feb 11, 2021 02:25 AM
    Hi Tal,

    I think you can add multiple acl_entries in the same "block".

    What do you mean by L4 port?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 3.  RE: AOS-CX configure ACL using Ansible

    EMPLOYEE
    Posted Feb 11, 2021 02:30 AM
    Hi alagoutte,

    Thanks for replying.
    I've tried to add a few more entries, but it gives me an error message after the 1st entry.
    As for L4: I'm trying to configure a port for the protocol, for example TCP port 80 or TCP port 22.

    thx

    ------------------------------
    Tal Madari
    ------------------------------



  • 4.  RE: AOS-CX configure ACL using Ansible

    MVP GURU
    Posted Feb 11, 2021 08:11 AM
    What error do you have?

    For the protocol you have...
    protocol: tcp,
    port: 443,

    ------------------------------



  • 5.  RE: AOS-CX configure ACL using Ansible

    Posted Feb 11, 2021 12:59 PM
    Hi Tal!

    For the ACL entries you just need to supply a dictionary of entries with the key being the sequence number and you should be able to put as many entries as you'd like. I typically have a variable file with the entries defined and then just pass that variable into the task.

    For example, my variable file ipv4_acl_entries.yml:
    v4_acl_entries:
      '1': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: tcp,
        src_ip: 10.10.12.12/255.255.255.255}
      '10': {action: deny, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: sctp,
        src_ip: 10.10.12.12/255.255.255.255}
      '10000': {action: permit, count: true, dst_ip: 10.60.20.2/255.255.255.0, protocol: any,
        src_ip: 10.60.30.2/255.255.255.0}
      '11': {action: permit, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: tcp,
        src_ip: 10.10.12.12/255.255.255.255}
      '12': {action: permit, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: pim,
        src_ip: 10.10.12.12/255.255.255.255}
      '13': {action: permit, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: icmp,
        src_ip: 10.10.12.12/255.255.255.255}
      '14': {action: permit, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: pim,
        src_ip: 10.10.12.12/255.255.255.255}
      '15': {action: deny, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: icmp,
        src_ip: 10.10.12.12/255.255.255.255}
      '16': {action: permit, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: ospf,
        src_ip: 10.10.12.12/255.255.255.255}
      '17': {action: permit, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: icmp,
        src_ip: 10.10.12.12/255.255.255.255}
      '18': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: tcp,
        src_ip: 10.10.12.12/255.255.255.255}
      '19': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: sctp,
        src_ip: 10.10.12.12/255.255.255.255}
      '2': {action: permit, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: esp,
        src_ip: 10.10.12.12/255.255.255.255}
      '20': {action: deny, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: igmp,
        src_ip: 10.10.12.12/255.255.255.255}
      '21': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: ospf,
        src_ip: 10.10.12.12/255.255.255.255}
      '22': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: ah,
        src_ip: 10.10.12.12/255.255.255.255}
      '23': {action: deny, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: udp,
        src_ip: 10.10.12.12/255.255.255.255}
      '24': {action: deny, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: sctp,
        src_ip: 10.10.12.12/255.255.255.255}
      '25': {action: permit, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: igmp,
        src_ip: 10.10.12.12/255.255.255.255}
      '26': {action: permit, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: igmp,
        src_ip: 10.10.12.12/255.255.255.255}
      '27': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: tcp,
        src_ip: 10.10.12.12/255.255.255.255}
      '28': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: tcp,
        src_ip: 10.10.12.12/255.255.255.255}



    And then in your playbook you would only need to do the following:

    ---
    - hosts: all
      roles:
        - role: arubanetworks.aoscx_role
      vars_files:
        - vars_files/ipv4_acl_entries.yml
      tasks:
        - name: Configure IPv4 ACL
          aoscx_acl:
            name: ipv4_acl
            type: ipv4
            acl_entries: "{{ v4_acl_entries }}"



    Would you please output the error you're receiving with the multiple entries?



    ------------------------------
    Tiffany Chiapuzio-Wong
    ------------------------------
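As an added example (not code from this thread, from the aoscx_acl module, or from the arubanetworks.aoscx_role): a small Python linter to run over the acl_entries dictionary before the playbook pushes it to the switch. It takes the same sequence-number-to-entry dict shape shown in the reply above, here built inline as a constructed sample, and reports sequence keys that are not integers, action or protocol values outside the set used in the thread, malformed addr/mask pairs, addresses with host bits set (10.60.20.2/255.255.255.0 with that mask matches all of 10.60.20.0/24, which may or may not be what was meant), and entries that can never match because an earlier, broader entry already covers them, which is why a deny any any catch-all must carry the highest sequence number. Port keys and anything else the thread does not use are not checked; the VALID_PROTOCOLS set and the message texts are this example's own choices, not the module's.

```python
"""Lint an aoscx_acl acl_entries dict before Ansible pushes it (added example, not from the thread)."""
import ipaddress

VALID_ACTIONS = {"permit", "deny"}
# Protocol keywords that appear in the thread, plus the two catch-all spellings (example's own list).
VALID_PROTOCOLS = {"any", "ip", "tcp", "udp", "sctp", "icmp", "igmp", "pim", "ospf", "esp", "ah"}
CATCH_ALL = {"any", "ip"}

# Constructed sample in the thread's format. 10-30 are sound; 40 sits after the
# deny-any-any catch-all and has host bits set in both addresses; 50 uses an
# action and protocol outside the accepted set; 'fifty' is not a sequence number.
SAMPLE_ENTRIES = {
    "10": {"action": "deny", "count": True, "log": True,
           "dst_ip": "10.255.254.0/255.255.255.0", "protocol": "icmp", "src_ip": "any"},
    "20": {"action": "permit", "count": True,
           "dst_ip": "10.255.254.0/255.255.255.0", "protocol": "tcp", "src_ip": "any"},
    "30": {"action": "deny", "count": True, "log": True,
           "dst_ip": "any", "protocol": "ip", "src_ip": "any"},
    "40": {"action": "permit", "count": True, "dst_ip": "10.60.20.2/255.255.255.0",
           "protocol": "any", "src_ip": "10.60.30.2/255.255.255.0"},
    "50": {"action": "allow", "dst_ip": "10.0.0.0/255.0.0.0", "protocol": "gre", "src_ip": "any"},
    "fifty": {"action": "deny", "dst_ip": "any", "protocol": "ip", "src_ip": "any"},
}


def parse_address(value):
    """Map 'any' or 'addr/mask' (dotted mask, as written in the thread) to (network, host_bits_set)."""
    if value == "any":
        return ipaddress.ip_network("0.0.0.0/0"), False
    iface = ipaddress.ip_interface(value)  # raises ValueError on anything malformed
    return iface.network, iface.ip != iface.network.network_address


def covers(earlier, later):
    """True if every packet the later entry could match is already matched by the earlier one.

    Only protocol, src and dst are compared, since those are the match fields the
    thread's entries use; an entry keyed on L4 ports would need that field added here.
    """
    proto_ok = earlier["protocol"] in CATCH_ALL or earlier["protocol"] == later["protocol"]
    return (proto_ok
            and earlier["src"].supernet_of(later["src"])
            and earlier["dst"].supernet_of(later["dst"]))


def lint_entries(entries):
    """Return a list of (sequence, message) findings; an empty list means nothing was flagged."""
    findings = []
    usable = []  # fully parsed entries, the only ones worth shadow-checking
    for key, entry in entries.items():
        seq_key = str(key)
        try:
            seq = int(key)
        except (TypeError, ValueError):
            findings.append((seq_key, "sequence number is not an integer"))
            continue
        ok = True
        if entry.get("action") not in VALID_ACTIONS:
            findings.append((seq_key, f"unknown action {entry.get('action')!r}"))
            ok = False
        if entry.get("protocol") not in VALID_PROTOCOLS:
            findings.append((seq_key, f"unknown protocol {entry.get('protocol')!r}"))
            ok = False
        nets = {}
        for field in ("src_ip", "dst_ip"):
            try:
                nets[field], host_bits = parse_address(entry.get(field, ""))
            except ValueError:
                findings.append((seq_key, f"{field} {entry.get(field)!r} is neither 'any' nor addr/mask"))
                ok = False
                continue
            if host_bits:
                findings.append((seq_key, f"{field} {entry[field]} has host bits set; "
                                          f"with that mask it matches all of {nets[field]}"))
        if ok:
            usable.append({"key": seq_key, "seq": seq, "protocol": entry["protocol"],
                           "src": nets["src_ip"], "dst": nets["dst_ip"]})

    # Entries are evaluated in sequence order, so a broader entry earlier in the
    # list makes every narrower entry after it unreachable.
    usable.sort(key=lambda e: e["seq"])
    for i, later in enumerate(usable):
        for earlier in usable[:i]:
            if covers(earlier, later):
                findings.append((later["key"], f"never matches: entry {earlier['key']} already covers it"))
                break
    return findings


if __name__ == "__main__":
    for seq, message in lint_entries(SAMPLE_ENTRIES):
        print(f"entry {seq}: {message}")
```

Run stand-alone it prints the findings for the constructed sample; to lint a real vars file, load it with yaml.safe_load (PyYAML) and pass the v4_acl_entries value to lint_entries, for instance as a pre-flight step in CI before the playbook runs.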