nxos_acl module

Hello,

Does anybody use Ansible to manage ACLs on Cisco Nexus switches?

I have started to use it, but I face some issues:

  • I didn’t find a way to set the “per-entry statistics” on my ACL
  • I have to call the module for each ACE in my ACL, which is not satisfying for performance or readability when it comes to large ACLs
  • I’m still not sure how I should write my playbook: either including the whole ACL in it with a task for each ACE, or looping over a dict containing my ACL (a file imported via an “include_vars” statement, for example)

I would be happy to have feedback on how you achieve it.

Thanks

Julien

Hi Julien,

I confess I’ve not used this module for ACL management, for many of the reasons you note. Also, the idempotency works at the ACL level but the module works at the ACE level, and that always worried me. I can see myself checking for one ACE and basically turning my ACL into a one-line ACL.

I tend to use the template module and then the xxxx-config module (ios or nxos).

I’d stay away from the include_vars and go with a group_vars file or a host_vars file depending on what you need.

For example, I have a standard NTP ACL for all the NXOS devices which I represent with a group called [nxos] in my host file.

So in my group_vars directory I have an nxos.yml file with something like this:

```yaml
ntp_acl:
  - src: any
    dest: 1.1.1.123/24
  - src: any
    dest: 1.1.1.23/24
```

and in my template file I have

```jinja
{# ntp_acl.j2 #}
no ip access-list NTP_ACL
ip access-list NTP_ACL
permit ip any 192.168.2.123/24
permit ip any 192.168.1.23/24
{% for ace in ntp_acl %}
{# Additional Local NTP Servers #}
permit ip {{ ace.src }} {{ ace.dest }}
{% endfor %}
```

That builds the ACL I want using the template module and then I use the config module to apply it.

So I have a make_cfg.yml playbook with this task:

```yaml
- name: Create hostname config file from template
  template:
    src: templates/ntp_acl.j2
    dest: src/{{ inventory_hostname }}.cfg
```

and then I have an apply_cfg.yml playbook with this task:

```yaml
- name: Configure Using nxos_config Module
  nxos_config:
    provider: "{{ cli }}"
    backup: yes
    match: none
    timeout: 15
    src: src/{{ inventory_hostname }}.cfg
    # intended_config expects the configuration text itself, not a file path
    intended_config: "{{ lookup('file', 'src/' + inventory_hostname + '.cfg') }}"
    diff_against: intended
```

I do this when I’m first setting up a site but these can certainly be in one playbook.

You can also use the config module to do diffs, so that’s how I check compliance.

Not sure if that helps…but that may be another way to tackle the problem…
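The template approach above tears the ACL down and rebuilds it on every run, so the push is never a no-op. The following is an added example, not code from the thread or from Ansible, that diffs at the ACE level instead: it emits only the ACEs that actually differ and falls back to a full rewrite only when the relative order would change (unnumbered ACEs are appended on NX-OS, so order cannot be fixed by add/remove alone). The running-config text, the `RUNNING` constant and all function names are constructed for this example.

```python
"""ACE-level diff for an NX-OS ACL (added example, not code from the thread).
The template above does 'no ip access-list' and re-adds everything on every run;
this emits only the ACEs that actually differ, and rewrites the whole ACL only
when order would change (unnumbered ACEs are appended on NX-OS)."""
import re
from typing import Dict, List

ACE_RE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(.+?)\s*$")

# Constructed sample running-config, not output from a real switch.
RUNNING = """\
ip access-list NTP_ACL
  10 permit ip any 192.168.2.123/24
  20 permit ip any 192.168.1.23/24
  30 permit ip any 10.0.0.5/32
ip access-list OTHER
  10 deny ip any any
"""

def parse_acl(running: str, name: str) -> List[str]:
    """ACEs of 'ip access-list <name>', sequence numbers stripped (remarks ignored)."""
    aces, in_acl = [], False
    for line in running.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):             # any top-level line ends the block
            in_acl = line.split() == ["ip", "access-list", name]
            continue
        m = ACE_RE.match(line) if in_acl else None
        if m:
            aces.append(f"{m.group(1)} {' '.join(m.group(2).split())}")
    return aces

def render_aces(ntp_acl: List[Dict[str, str]]) -> List[str]:
    """The ACEs ntp_acl.j2 renders: two fixed entries plus the group_vars list."""
    fixed = ["permit ip any 192.168.2.123/24", "permit ip any 192.168.1.23/24"]
    return fixed + [f"permit ip {a['src']} {a['dest']}" for a in ntp_acl]

def acl_commands(name: str, intended: List[str], running: str) -> List[str]:
    """Lines for nxos_config 'lines:'; empty when the switch already matches."""
    current = parse_acl(running, name)
    kept = [a for a in current if a in intended]
    if intended[:len(kept)] != kept:   # relative order differs: rebuild the ACL
        return [f"no ip access-list {name}", f"ip access-list {name}"] + intended
    cmds = [f"no {a}" for a in current if a not in intended]
    cmds += [a for a in intended if a not in current]
    return [f"ip access-list {name}"] + cmds if cmds else []
```

Non-ACE lines such as `statistics per-entry`, the per-entry statistics Julien could not set through nxos_acl, can be checked for in the same block and appended to the command list when missing.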

Interesting way of doing it.

What do you mean by:

Also, the idempotency works at the ACL level but the module at the ACE level and that always worried me

Thank you for the feedback

Julien

Hi Julien,

All I meant by that comment is that in the module notes the statement below is made. It actually is at the ACE level but I’m not 100% clear on the implications. I need to try it out.

  • Although this module is idempotent in that if the ace as presented in the task is identical to the one on the switch, no changes will be made. If there is any difference, what is in Ansible will be pushed (configured options will be overridden). This is to improve security, but at the same time remember an ACE is removed, then re-added, so if there is a change, the new ACE will be exactly what parameters you are sending to the module.

Let me know if you find a better way, or if you can work through the nxos_acl module.

Take care,

Claudia