Resource module to configure ACLs.
Version added: 1.0.0
- This module configures and manages the named or numbered ACLs on IOS platforms.
Note
- Tested against Cisco IOSXE Version 17.3 on CML.
- Module behavior is not idempotent when the sequence for ACEs is not specified
- This module works with connection network_cli. See https://docs.ansible.com/ansible/latest/network/user_guide/platform_ios.html
# Using merged
# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
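- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: std_acl
            acl_type: standard
            # No sequence given for these ACEs: per the module notes the task
            # is then not idempotent, so rerunning it may generate commands again.
            aces:
              - grant: deny
                source:
                  address: 192.168.1.200
              - grant: deny
                source:
                  address: 192.168.2.0
                  wildcard_bits: 0.0.0.255
          # Numbered ACL names are quoted so YAML keeps them as strings;
          # the module itself reports them as '110' in before/after.
          - name: "110"
            aces:
              - sequence: 10
                protocol_options:
                  icmp:
                    traceroute: true
                source:
                  address: 192.168.3.0
                  wildcard_bits: 255.255.255.0
                destination:
                  any: true
                grant: permit
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  host: 198.51.100.0
                destination:
                  host: 198.51.110.0
                  port_protocol:
                    eq: telnet
          - name: extended_acl_1
            acl_type: extended
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    fin: true
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                option:
                  traceroute: true
                ttl:
                  eq: 10
          - name: "123"
            aces:
              # An entry with only remarks and no grant adds remark lines
              # to the ACL (see the 'remark ...' commands in the task output).
              - remarks:
                  - "remarks for extended ACL 1"
                  - "check ACL"
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 198.51.101.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                tos:
                  service_value: 12
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.4.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                dscp: ef
                ttl:
                  lt: 20
      - afi: ipv6
        acls:
          - name: R1_TRAFFIC
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    ack: true
                source:
                  any: true
                  port_protocol:
                    eq: www
                destination:
                  any: true
                  port_protocol:
                    eq: telnet
                dscp: af11
    # merged only adds; existing ACLs/ACEs not listed here are left untouched.
    state: merged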
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# echo: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: '100'
# afi: ipv4
# commands:
# - ip access-list extended 110
# - deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - 30 permit icmp 192.168.3.0 255.255.255.0 any traceroute
# - ip access-list extended extended_acl_1
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# - ip access-list standard std_acl
# - deny 192.168.1.20
# - deny 192.168.2.0 0.0.0.255
# - ip access-list extended 123
# - deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# - deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# - remark remarks for extended ACL 1
# - remark check ACL
# - ipv6 access-list R1_TRAFFIC
# - deny tcp any eq www any eq telnet ack dscp af11
# after:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# echo: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# - destination:
# any: true
# grant: permit
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 30
# source:
# address: 0.0.0.0
# wildcard_bits: 255.255.255.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# - remarks:
# - remarks for extended ACL 1
# - check ACL
# acl_type: extended
# name: '123'
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: extended_acl_1
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.20
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# afi: ipv4
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
# After state:
# ------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 100
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
# vios#show running-config | include ip(v6)* access-list|remark
# ip access-list standard std_acl
# ip access-list extended extended_acl_1
# ip access-list extended 110
# ip access-list extended 123
# remark remarks for extended ACL 1
# remark check ACL
# ipv6 access-list R1_TRAFFIC
# Using merged (update existing ACE - will fail)
# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list extended 100
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
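- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          # Quoted so the numbered ACL name stays a string rather than an int.
          - name: "100"
            aces:
              # Sequence 10 already exists on the device (see Before state).
              # With state merged the module refuses to modify an existing
              # sequence and the play fails; use replaced or overridden instead.
              - sequence: 10
                protocol_options:
                  icmp:
                    traceroute: true
    state: merged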
# After state:
# ------------
#
# Play execution fails with the error:
# Cannot update existing sequence 10 of ACLs 100 with state merged.
# Please use state replaced or overridden.
# Using replaced
# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack dscp af11
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
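- name: Replaces device configuration of listed acls with provided configuration
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          # Quoted so the numbered ACL names stay strings rather than ints.
          # replaced rewrites only the ACLs listed here: every existing ACE of
          # ACL 110 is removed ('no 10 ...', 'no 20 ...' in the task output)
          # and the ACEs below are added. Other ACLs are left untouched.
          - name: "110"
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                dscp: ef
                ttl:
                  eq: 10
          # ACL 150 does not exist yet, so it is simply created.
          - name: "150"
            aces:
              - grant: deny
                sequence: 20
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                dscp: ef
                ttl:
                  eq: 10
    state: replaced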
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# acl_type: extended
# name: R1_TRAFFIC
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test
# afi: ipv4
# commands:
# - ip access-list extended 110
# - no 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# - no 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# - ip access-list extended 150
# - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# after:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - destination:
# address: 198.51.110.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# sequence: 20
# source:
# address: 198.51.100.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: '150'
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# acl_type: extended
# name: R1_TRAFFIC
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test
# afi: ipv4
# After state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended 150
# 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
# Using replaced - example remarks specific
# Before state:
# -------------
#
# vios#show running-config | section access-list
# ip access-list extended TEST
# 10 remark FIRST REMARK BEFORE LINE 10
# 10 remark ============
# 10 remark ALLOW HOST FROM TEST 10
# 10 permit ip host 1.1.1.1 any
# 20 remark FIRST REMARK BEFORE LINE 20
# 20 remark ============
# 20 remark ALLOW HOST remarks AFTER LINE 20
# 20 permit ip host 2.2.2.2 any
# 30 remark FIRST REMARK BEFORE LINE 30
# 30 remark ============
# 30 remark ALLOW HOST remarks AFTER LINE 30
# 30 permit ip host 3.3.3.3 any
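- name: Replace remarks of ace with sequence 10
  # check_mode: true
  cisco.ios.ios_acls:
    state: replaced
    config:
      - acls:
          - aces:
              # Only the remarks of sequence 10 change. Sequences 20 and 30 are
              # restated exactly as on the device so that replaced keeps them;
              # an ACE omitted here would be removed from ACL TEST.
              - destination:
                  any: true
                grant: permit
                protocol: ip
                # Remarks are quoted for consistency with the other examples.
                remarks:
                  - "The new first remarks before 10"
                  - "============new"
                  - "The new second remarks before 10"
                sequence: 10
                source:
                  host: 1.1.1.1
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - "FIRST REMARK BEFORE LINE 20"
                  - "============"
                  - "ALLOW HOST remarks AFTER LINE 20"
                sequence: 20
                source:
                  host: 2.2.2.2
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - "FIRST REMARK BEFORE LINE 30"
                  - "============"
                  - "ALLOW HOST remarks AFTER LINE 30"
                sequence: 30
                source:
                  host: 3.3.3.3
            acl_type: extended
            name: TEST
        afi: ipv4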
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 10
# - ============
# - ALLOW HOST FROM TEST 10
# sequence: 10
# source:
# host: 1.1.1.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 20
# - ============
# - ALLOW HOST remarks AFTER LINE 20
# sequence: 20
# source:
# host: 2.2.2.2
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 30
# - ============
# - ALLOW HOST remarks AFTER LINE 30
# sequence: 30
# source:
# host: 3.3.3.3
# acl_type: extended
# name: TEST
# afi: ipv4
# commands:
# - ip access-list extended TEST
# - no 10 remark
# - 10 remark The new first remarks before 10
# - 10 remark ============new
# - 10 remark The new second remarks before 10
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - The new first remarks before 10
# - ============new
# - The new second remarks before 10
# sequence: 10
# source:
# host: 1.1.1.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 20
# - ============
# - ALLOW HOST remarks AFTER LINE 20
# sequence: 20
# source:
# host: 2.2.2.2
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 30
# - ============
# - ALLOW HOST remarks AFTER LINE 30
# sequence: 30
# source:
# host: 3.3.3.3
# acl_type: extended
# name: TEST
# afi: ipv4
# After state:
# -------------
#
# foo#show running-config | section access-list
# ip access-list extended TEST
# 10 remark The new first remarks before 10
# 10 remark ============new
# 10 remark The new second remarks before 10
# 10 permit ip host 1.1.1.1 any
# 20 remark FIRST REMARK BEFORE LINE 20
# 20 remark ============
# 20 remark ALLOW HOST remarks AFTER LINE 20
# 20 permit ip host 2.2.2.2 any
# 30 remark FIRST REMARK BEFORE LINE 30
# 30 remark ============
# 30 remark ALLOW HOST remarks AFTER LINE 30
# 30 permit ip host 3.3.3.3 any
# Using replaced - example remarks specific on targeted sequence
# Before state:
# -------------
#
# vios#show running-config | section access-list
# ip access-list extended TEST
# 10 permit ip host 1.1.1.1 any
# 20 remark FIRST REMARK BEFORE LINE 20
# 20 remark ============
# 20 remark ALLOW HOST remarks AFTER LINE 20
# 20 permit ip host 2.2.2.2 any
# 30 remark FIRST REMARK BEFORE LINE 30
# 30 remark ============
# 30 remark ALLOW HOST remarks AFTER LINE 30
# 30 permit ip host 3.3.3.3 any
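- name: Replace remarks of ace with sequence 10
  # check_mode: true
  cisco.ios.ios_acls:
    state: replaced
    config:
      - acls:
          - aces:
              # Sequence 10 currently has no remarks (see Before state), so
              # only the three '10 remark ...' commands are generated; no
              # 'no 10 remark' is needed. Sequences 20 and 30 are restated
              # unchanged so that replaced does not remove them.
              - destination:
                  any: true
                grant: permit
                protocol: ip
                # Remarks are quoted for consistency with the other examples.
                remarks:
                  - "The new first remarks before 10"
                  - "============new"
                  - "The new second remarks before 10"
                sequence: 10
                source:
                  host: 1.1.1.1
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - "FIRST REMARK BEFORE LINE 20"
                  - "============"
                  - "ALLOW HOST remarks AFTER LINE 20"
                sequence: 20
                source:
                  host: 2.2.2.2
              - destination:
                  any: true
                grant: permit
                protocol: ip
                remarks:
                  - "FIRST REMARK BEFORE LINE 30"
                  - "============"
                  - "ALLOW HOST remarks AFTER LINE 30"
                sequence: 30
                source:
                  host: 3.3.3.3
            acl_type: extended
            name: TEST
        afi: ipv4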
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: ip
# sequence: 10
# source:
# host: 1.1.1.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 20
# - ============
# - ALLOW HOST remarks AFTER LINE 20
# sequence: 20
# source:
# host: 2.2.2.2
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 30
# - ============
# - ALLOW HOST remarks AFTER LINE 30
# sequence: 30
# source:
# host: 3.3.3.3
# acl_type: extended
# name: TEST
# afi: ipv4
# commands:
# - ip access-list extended TEST
# - 10 remark The new first remarks before 10
# - 10 remark ============new
# - 10 remark The new second remarks before 10
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - The new first remarks before 10
# - ============new
# - The new second remarks before 10
# sequence: 10
# source:
# host: 1.1.1.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 20
# - ============
# - ALLOW HOST remarks AFTER LINE 20
# sequence: 20
# source:
# host: 2.2.2.2
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE LINE 30
# - ============
# - ALLOW HOST remarks AFTER LINE 30
# sequence: 30
# source:
# host: 3.3.3.3
# acl_type: extended
# name: TEST
# afi: ipv4
# After state:
# -------------
#
# foo#show running-config | section access-list
# ip access-list extended TEST
# 10 remark The new first remarks before 10
# 10 remark ============new
# 10 remark The new second remarks before 10
# 10 permit ip host 1.1.1.1 any
# 20 remark FIRST REMARK BEFORE LINE 20
# 20 remark ============
# 20 remark ALLOW HOST remarks AFTER LINE 20
# 20 permit ip host 2.2.2.2 any
# 30 remark FIRST REMARK BEFORE LINE 30
# 30 remark ============
# 30 remark ALLOW HOST remarks AFTER LINE 30
# 30 permit ip host 3.3.3.3 any
# Using overridden
# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended R1_TRAFFIC
# 10 deny tcp any eq www any eq telnet ack dscp af11
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
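- name: Override device configuration of all acls with provided configuration
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          # Quoted so the numbered ACL names stay strings rather than ints.
          - name: "110"
            aces:
              - grant: deny
                sequence: 20
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                dscp: ef
                ttl:
                  eq: 10
          - name: "150"
            aces:
              - grant: deny
                sequence: 10
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                dscp: ef
                ttl:
                  eq: 10
    # overridden makes the device match this config exactly: every ACL not
    # listed above is deleted ('no ip access-list ...' in the task output),
    # and listed ACLs lose any ACE not restated. Review the generated commands
    # (e.g. with check_mode) before applying this to a production device.
    state: overridden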
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# acl_type: extended
# name: R1_TRAFFIC
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test
# afi: ipv4
# commands:
# - ip access-list extended 110
# - no 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - no 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# - 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
# - ip access-list extended 150
# - 10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# - no ip access-list extended 123
# - no ip access-list extended R1_TRAFFIC
# - no ip access-list standard std_acl
# - no ip access-list extended test
# after:
# - acls:
# - aces:
# - destination:
# address: 198.51.110.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 198.51.100.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.110.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# syn: true
# sequence: 10
# source:
# address: 198.51.100.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: '150'
# afi: ipv4
# After state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list extended 110
# 20 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq www ack dscp ef ttl eq 10
# ip access-list extended 150
# 10 deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# Using overridden - example remarks specific on multiple sequence
# Before state:
# -------------
#
# vios#show running-config | section access-list
# ip access-list extended TEST
# 10 remark FIRST REMARK BEFORE SEQUENCE 10
# 10 remark ============
# 10 remark REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
# 20 remark FIRST REMARK BEFORE SEQUENCE 20
# 20 remark ============
# 20 remark ALLOW HOST FROM SEQUENCE 20
# 20 permit ip host 1.1.1.1 any
# 30 remark FIRST REMARK BEFORE SEQUENCE 30
# 30 remark ============
# 30 remark ALLOW HOST FROM SEQUENCE 30
# 30 permit ip host 2.2.2.2 any
# 40 remark FIRST REMARK BEFORE SEQUENCE 40
# 40 remark ============
# 40 remark ALLOW NEW HOST FROM SEQUENCE 40
# 40 permit ip host 3.3.3.3 any
# remark Remark not specific to sequence
# remark ============
# remark End Remarks
# ip access-list extended test_acl
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
- name: Override remarks and ace configurations
  cisco.ios.ios_acls:
    state: overridden
    config:
      - afi: ipv4
        acls:
          - acl_type: extended
            name: TEST
            aces:
              # On the device sequence 10 holds only remarks and no ACE (see
              # Before state); this entry keeps the remarks and adds the ACE.
              - sequence: 10
                grant: permit
                protocol: ip
                source:
                  host: 1.1.1.1
                destination:
                  any: true
                remarks:
                  - 'FIRST REMARK BEFORE SEQUENCE 10'
                  - '============'
                  - 'REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE'
              # Source host differs from the device, so the ACE is replaced.
              - sequence: 20
                grant: permit
                protocol: ip
                source:
                  host: 192.168.0.1
                destination:
                  any: true
                remarks:
                  - 'FIRST REMARK BEFORE SEQUENCE 20'
                  - '============'
                  - 'ALLOW HOST FROM SEQUENCE 20'
              # Only the last remark text changes here.
              - sequence: 30
                grant: permit
                protocol: ip
                source:
                  host: 2.2.2.2
                destination:
                  any: true
                remarks:
                  - 'FIRST REMARK BEFORE SEQUENCE 30'
                  - '============'
                  - 'ALLOW HOST FROM SEQUENCE 30 updated'
              # Identical to the device; no commands are generated for it.
              - sequence: 40
                grant: permit
                protocol: ip
                source:
                  host: 3.3.3.3
                destination:
                  any: true
                remarks:
                  - 'FIRST REMARK BEFORE SEQUENCE 40'
                  - '============'
                  - 'ALLOW NEW HOST FROM SEQUENCE 40'
              # Remarks without a sequence apply to the end of the ACL; the
              # existing ones are removed ('no remark') and these are written.
              - remarks:
                  - 'Remark not specific to sequence'
                  - '============'
                  - 'End Remarks 1'
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# echo: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 20
# - ============
# - ALLOW HOST FROM SEQUENCE 20
# sequence: 20
# source:
# host: 1.1.1.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 30
# - ============
# - ALLOW HOST FROM SEQUENCE 30
# sequence: 30
# source:
# host: 2.2.2.2
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 40
# - ============
# - ALLOW NEW HOST FROM SEQUENCE 40
# sequence: 40
# source:
# host: 3.3.3.3
# - remarks:
# - FIRST REMARK BEFORE SEQUENCE 10
# - ============
# - REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
# sequence: 10
# - remarks:
# - Remark not specific to sequence
# - ============
# - End Remarks
# acl_type: extended
# name: TEST
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test_acl
# afi: ipv4
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
# commands:
# - no ipv6 access-list R1_TRAFFIC
# - ip access-list extended TEST
# - no 10 # removes all remarks and ace entry for sequence 10
# - no 20 permit ip host 1.1.1.1 any # removing the ace automatically removes the remarks
# - no 30 remark # just remove remarks for sequence 30
# - no remark # remove all remarks at end of acl, that has no sequence
# - 10 remark FIRST REMARK BEFORE SEQUENCE 10
# - 10 remark ============
# - 10 remark REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
# - 10 permit ip host 1.1.1.1 any
# - 20 remark FIRST REMARK BEFORE SEQUENCE 20
# - 20 remark ============
# - 20 remark ALLOW HOST FROM SEQUENCE 20
# - 20 permit ip host 192.168.0.1 any
# - 30 remark FIRST REMARK BEFORE SEQUENCE 30
# - 30 remark ============
# - 30 remark ALLOW HOST FROM SEQUENCE 30 updated
# - remark Remark not specific to sequence
# - remark ============
# - remark End Remarks 1
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list extended test_acl
# after:
# - acls:
# - aces:
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 10
# - ============
# - REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
# sequence: 10
# source:
# host: 1.1.1.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 20
# - ============
# - ALLOW HOST FROM SEQUENCE 20
# sequence: 20
# source:
# host: 192.168.0.1
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 30
# - ============
# - ALLOW HOST FROM SEQUENCE 30 updated
# sequence: 30
# source:
# host: 2.2.2.2
# - destination:
# any: true
# grant: permit
# protocol: ip
# remarks:
# - FIRST REMARK BEFORE SEQUENCE 40
# - ============
# - ALLOW NEW HOST FROM SEQUENCE 40
# sequence: 40
# source:
# host: 3.3.3.3
# - remarks:
# - Remark not specific to sequence
# - ============
# - End Remarks 1
# acl_type: extended
# name: TEST
# afi: ipv4
# After state:
# -------------
#
# foo#show running-config | section access-list
# ip access-list extended TEST
# 10 remark FIRST REMARK BEFORE SEQUENCE 10
# 10 remark ============
# 10 remark REMARKS FOR SEQUENCE 10 NO FOLLOWING ACE
# 10 permit ip host 1.1.1.1 any
# 20 remark FIRST REMARK BEFORE SEQUENCE 20
# 20 remark ============
# 20 remark ALLOW HOST FROM SEQUENCE 20
# 20 permit ip host 192.168.0.1 any
# 30 remark FIRST REMARK BEFORE SEQUENCE 30
# 30 remark ============
# 30 remark ALLOW HOST FROM SEQUENCE 30 updated
# 30 permit ip host 2.2.2.2 any
# 40 remark FIRST REMARK BEFORE SEQUENCE 40
# 40 remark ============
# 40 remark ALLOW NEW HOST FROM SEQUENCE 40
# 40 permit ip host 3.3.3.3 any
# remark Remark not specific to sequence
# remark ============
# remark End Remarks 1
# Using deleted - delete ACL(s)
# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended extended_acl_1
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
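- name: "Delete ACLs (Note: This won't delete all the configured ACLs)"
  # Only the ACLs named under `config` are removed (extended_acl_1 and 110
  # here); std_acl and 123 are left untouched, as the after state shows.
  # Any interface or vty line that still references a removed ACL is left
  # without that filter -- NOTE(review): on IOS an `ip access-group` whose
  # ACL no longer exists generally permits all traffic; confirm on your
  # platform and review the generated `commands` in check mode first.
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          - name: extended_acl_1
            acl_type: extended
          # Quoted so YAML keeps the numbered ACL name a string; the module
          # itself reports it as `name: '110'` in the task output below.
          - name: "110"
    state: deleted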
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: extended_acl_1
# afi: ipv4
# commands:
# - no ip access-list extended 110
# - no ip access-list extended extended_acl_1
# after:
# - acls:
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# afi: ipv4
# After state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# Using deleted - delete ACLs based on AFI
# Before state:
# -------------
#
# vios#sh running-config | section access-list
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
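- name: "Delete ACLs based on AFI (Note: This won't delete all the configured ACLs)"
  # With only `afi` given, every ACL in that address family is removed --
  # all four IPv4 ACLs here, standard and extended alike -- while the IPv6
  # ACL R1_TRAFFIC survives (see the `commands` and after state below).
  # Interfaces or lines still bound to a removed ACL lose that filter;
  # review the `before`/`commands` output in check mode before applying.
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
    state: deleted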
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test
# afi: ipv4
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
# commands:
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list standard std_acl
# - no ip access-list extended test
# after:
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
# After state:
# -------------
#
# vios#sh running-config | section access-list
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
# Using deleted - delete all ACLs
# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
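- name: Delete ALL configured ACLs
  # With no `config` at all, every ACL on the device is removed, IPv4 and
  # IPv6 alike (the task output below ends with `after: []`). This strips
  # all packet filtering those ACLs provided; interfaces or lines that still
  # reference a removed ACL are left without that filter
  # -- NOTE(review): IOS typically permits all traffic through an
  # `ip access-group` whose ACL no longer exists; confirm on your platform
  # and run in check mode first to review the generated `commands`.
  cisco.ios.ios_acls:
    state: deleted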
# Task Output
# -----------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test
# afi: ipv4
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
# commands:
# - no ip access-list extended test
# - no ip access-list extended 110
# - no ip access-list extended 123
# - no ip access-list standard std_acl
# - no ipv6 access-list R1_TRAFFIC
# after: []
# After state:
# -------------
#
# vios#sh running-config | section access-list
# Using gathered
# Before state:
# -------------
#
# vios#sh access-lists
# ip access-list standard std_acl
# 10 deny 192.168.1.200
# 20 deny 192.168.2.0 0.0.0.255
# ip access-list extended 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# 20 deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# ip access-list extended 123
# 10 deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# 20 deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# ip access-list extended test
# 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# ipv6 access-list R1_TRAFFIC
# sequence 10 deny tcp any eq www any eq telnet ack dscp af11
- name: Gather ACLs configuration from target device
  # Read-only: returns the device's ACL configuration as structured facts.
  # No `commands` are produced (see the execution result below), so this is
  # safe to run as an audit step before any merged/replaced/deleted task.
  cisco.ios.ios_acls:
    state: gathered
# Module Execution Result:
# ------------------------
#
# before:
# - acls:
# - aces:
# - destination:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: icmp
# protocol_options:
# icmp:
# traceroute: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# - destination:
# host: 198.51.110.0
# port_protocol:
# eq: telnet
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# host: 198.51.100.0
# acl_type: extended
# name: '110'
# - aces:
# - destination:
# address: 198.51.101.0
# port_protocol:
# eq: telnet
# wildcard_bits: 0.0.0.255
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# address: 198.51.100.0
# wildcard_bits: 0.0.0.255
# tos:
# service_value: 12
# - destination:
# address: 192.0.4.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# dscp: ef
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 20
# source:
# address: 192.0.3.0
# wildcard_bits: 0.0.0.255
# ttl:
# lt: 20
# acl_type: extended
# name: '123'
# - aces:
# - grant: deny
# sequence: 10
# source:
# host: 192.168.1.200
# - grant: deny
# sequence: 20
# source:
# address: 192.168.2.0
# wildcard_bits: 0.0.0.255
# acl_type: standard
# name: std_acl
# - aces:
# - destination:
# address: 192.0.3.0
# port_protocol:
# eq: www
# wildcard_bits: 0.0.0.255
# grant: deny
# option:
# traceroute: true
# protocol: tcp
# protocol_options:
# tcp:
# fin: true
# sequence: 10
# source:
# address: 192.0.2.0
# wildcard_bits: 0.0.0.255
# ttl:
# eq: 10
# acl_type: extended
# name: test
# afi: ipv4
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
# Using rendered
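- name: Render the provided configuration into platform specific configuration lines
  # Offline: turns the structured config into IOS CLI lines without pushing
  # anything to the device. ACL 150's ACE carries no `sequence`, so it is
  # rendered without one (see output below); ACEs given without a sequence
  # are also where the module is not idempotent, so prefer explicit
  # sequence numbers in real playbooks.
  cisco.ios.ios_acls:
    config:
      - afi: ipv4
        acls:
          # Numbered ACL names are quoted so YAML keeps them strings, matching
          # how the module reports them (`name: '110'`).
          - name: "110"
            aces:
              - grant: deny
                sequence: 10
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 192.0.2.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 192.0.3.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
                dscp: ef
                ttl:
                  eq: 10
          - name: "150"
            aces:
              - grant: deny
                protocol_options:
                  tcp:
                    syn: true
                source:
                  address: 198.51.100.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                destination:
                  address: 198.51.110.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: telnet
                dscp: ef
                ttl:
                  eq: 10
    state: rendered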
# Module Execution Result:
# ------------------------
#
# rendered:
# - ip access-list extended 110
# - 10 deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www syn dscp ef ttl eq 10
# - ip access-list extended 150
# - deny tcp 198.51.100.0 0.0.0.255 eq telnet 198.51.110.0 0.0.0.255 eq telnet syn dscp ef ttl eq 10
# Using Parsed
# File: parsed.cfg
# ----------------
#
# IPv6 access-list R1_TRAFFIC
# deny tcp any eq www any eq telnet ack dscp af11
- name: Parse the commands for provided configuration
  # Offline: reads its input from `running_config` (here the contents of
  # parsed.cfg) rather than from the device and returns the same structured
  # form that `gathered` would produce for that text.
  cisco.ios.ios_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed
# Module Execution Result:
# ------------------------
#
# parsed:
# - acls:
# - aces:
# - destination:
# any: true
# port_protocol:
# eq: telnet
# dscp: af11
# grant: deny
# protocol: tcp
# protocol_options:
# tcp:
# ack: true
# sequence: 10
# source:
# any: true
# port_protocol:
# eq: www
# name: R1_TRAFFIC
# afi: ipv6
Common return values are documented in the Ansible return values reference; the following are the fields unique to this module:
- Sumit Jaiswal (@justjais)
- Sagar Paul (@KB-perByte)