-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnet_sec.yml
113 lines (109 loc) · 3.03 KB
/
net_sec.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# _____ .__ ________ .__ __
# / _ \ | | ____ ___ ___ \______ \ |__| | __ ___________
# / /_\ \| | _/ __ \\ \/ / | | \| | |/ // __ \_ __ \
#/ | \ |_\ ___/ > < | ` \ | <\ ___/| | \/
#\____|__ /____/\___ >__/\_ \ /_______ /__|__|_ \\___ >__|
# \/ \/ \/ \/ \/ \/
#
# Use this template as you please, to configure router and switch access using AWX or Ansible.
# Automation.
#
---
- name: Configure Access List
hosts: "ios-devices"
gather_facts: false
connection: local
vars:
cli:
host: "{{ ansible_host }}"
password: "{{ ansible_password }}"
transport: cli
- ios_acl:
name: alex_inbound
seq: 20
action: deny
proto: tcp
src: 127.0.0.1/12
dest: any
log: enable
state: present
provider: "{{ cli }}"
- nxos_acl:
name: border_inbound
seq: 20
action: deny
protocol tcp
src: 127.0.0.1
- nxos_acl:
name: border_inbound
seq: 40
action: permit
proto: tcp
src: any
dest: 127.0.0.1
dest_port_op: eq
dest_port1: 22
state: present
log: enable
provider: "{{ cli }}"
- nxos_acl:
name: border_inbound
seq: 50
proto: tcp
action: permit
src: any
dest: 127.0.0.0.1/32
dest_port_op: eq
dest_port1: 80
state: present
log: enable
provider: "{{cli}}"
- nxos_acl:
name: border_inbound
seq: 60
action: permit
proto: tcp
src: any
dest: any
log: enable
established: enable
provider: "{{ cli }}"
- nxos_acl:
name: border_inbound
seq: 1000
action: permit
proto: ip
src: any
dest: any
state: present
log: enable
provider: "{{ cli }}"
- name: Apply ingress ACL to Ethernet 2/2
nxos_acl_interface:
name: border_inbound
interface: Ethernet2/2d
direction: ingress
state: present
provider: "{{ cli }}"
- name: Apply filter on bridge group 1
ios_config:
lines:
- bridge-group 1
- bridge-group 1 input-address-list 700
parents:
- interface GigbitEthernet0/1
tasks:
- name: Deny Hosts with Vendor ID (This can be specified by store ID)
ios_config:
lines:
-access-list 700 deny
-access-list 500 permit
provider: "{{ cli }}"
- name: Apply filter on bridge group 1
ios_config:
lines:
- bridge-group 1
- bridge-group 1 input-address-list 700
parents:
- interface GigabitEthernet0/1
provider: "{{ cli }}"