Hi Julien,

I confess I've not used this module for ACL management for many of the 
reasons you note.  Also, the idempotency works at the ACL level but the 
module at the ACE level and that always worried me.  I can see myself 
checking for one ACE and basically turning my ACL into a one line ACL.

I tend to use the template module and then the xxxx-config module (ios or 
nxos).

I'd stay away from the include_vars and go with a group_vars file or a 
host_vars file depending on what you need.

For example, I have a standard NTP ACL for all the NXOS devices which I 
represent with a group called [nxos] in my host file.

So in my group_vars directory I have an nxos.yml file with something like 
this:

ntp_acl:
  - src: any
    dest: 1.1.1.123/24
  - src: any
    dest: 1.1.1.23/24
and in my template file I have

# ntp_acl.j2
no ip access-list NTP_ACL
ip access-list NTP_ACL
 permit ip any 192.168.2.123/24
 permit ip any 192.168.1.23/24
# Additional Local NTP Servers (one ACE per entry in the ntp_acl list)
{% for ace in ntp_acl %}
 permit ip {{ ace.src }} {{ ace.dest }}
{% endfor %}
# End ntp_acl.j2


That builds the ACL I want using the template module and then I use the 
config module to apply it.

So I have a make_cfg.yml playbook with this task

    - name: Create hostname config file from template
      template:
        src: templates/ntp_acl.j2
        dest: src/{{ inventory_hostname }}.cfg


and then I have an apply_cfg.yml playbook with this task

    - name: Configure Using nxos_config Module
      nxos_config:
        provider: "{{ cli }}"
        backup: yes
        match: none
        timeout: 15
        src: src/{{ inventory_hostname }}.cfg
        intended_config: src/{{ inventory_hostname }}.cfg
        diff_against: intended


I do this when I'm first setting up a site but these can certainly be in 
one playbook.  

You can also use the config module to do diffs, so that's how I check 
compliance.

Not sure if that helps...but that may be another way to tackle the 
problem...
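As an added example (not code from the original post, from Ansible or from the nxos_config module), here is a small standard-library Python script that does offline what the group_vars + template + diff_against: intended workflow above does against the device: it builds the intended NTP_ACL entry list from the same ntp_acl data structure, pulls that ACL back out of a running-config excerpt, and reports ACEs that are missing, extra or in the wrong order. The variable names, the hostname and the running-config text are constructed for the example.

```python
"""Drift check for an NX-OS ACL (added example, not code from the original post).

Builds the intended ACE list from the same structure the group_vars file
uses, parses the same ACL out of running-config text, and reports drift.
Only the standard library is used; all inputs below are constructed samples.
"""
import re
from typing import Any, Dict, List

# Constructed sample with the same shape as ntp_acl in group_vars/nxos.yml
NTP_ACL_VARS: List[Dict[str, str]] = [
    {"src": "any", "dest": "1.1.1.123/24"},
    {"src": "any", "dest": "1.1.1.23/24"},
]

# The ACEs the ntp_acl.j2 template hard-codes ahead of the loop
STATIC_ACES: List[str] = [
    "permit ip any 192.168.2.123/24",
    "permit ip any 192.168.1.23/24",
]

# Constructed 'show running-config' excerpt from a hypothetical switch:
# one intended ACE is missing and an unexpected one has been added.
SAMPLE_RUNNING_CONFIG = """\
hostname nxos-lab-01
ip access-list NTP_ACL
  10 permit ip any 192.168.2.123/24
  20 permit ip any 192.168.1.23/24
  30 permit ip any 1.1.1.123/24
  40 permit ip any 10.0.0.0/8
ip access-list MGMT_ACL
  10 permit tcp 10.10.0.0/16 any eq 22
"""


def build_intended_acl(extra_aces: List[Dict[str, str]]) -> List[str]:
    """Return the ordered ACE list that ntp_acl.j2 would render."""
    return STATIC_ACES + [f"permit ip {a['src']} {a['dest']}" for a in extra_aces]


def parse_running_acl(running_config: str, name: str) -> List[str]:
    """Extract the ACEs of one named ACL from NX-OS running-config text.

    NX-OS shows ACEs indented under 'ip access-list <name>' with a leading
    sequence number; the number is dropped so entries compare by content.
    """
    aces: List[str] = []
    in_acl = False
    for line in running_config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Top-level line: the ACL header we want, or some other section
            in_acl = line.strip() == f"ip access-list {name}"
            continue
        if in_acl:
            aces.append(re.sub(r"^\s*(\d+\s+)?", "", line).rstrip())
    return aces


def acl_drift(intended: List[str], running: List[str]) -> Dict[str, Any]:
    """Compare two ACE lists and report missing, extra and re-ordered entries."""
    intended_set, running_set = set(intended), set(running)
    missing = [a for a in intended if a not in running_set]
    extra = [a for a in running if a not in intended_set]
    # Order matters in an ACL: the same entries in a different sequence
    # still change which ACE matches first, so that counts as drift too.
    out_of_order = ([a for a in running if a in intended_set]
                    != [a for a in intended if a in running_set])
    return {"missing": missing, "extra": extra, "out_of_order": out_of_order}


def is_compliant(running_config: str, name: str,
                 extra_aces: List[Dict[str, str]]) -> bool:
    """True only when the device ACL matches the intended ACL exactly, in order."""
    drift = acl_drift(build_intended_acl(extra_aces),
                      parse_running_acl(running_config, name))
    return not (drift["missing"] or drift["extra"] or drift["out_of_order"])


if __name__ == "__main__":
    report = acl_drift(build_intended_acl(NTP_ACL_VARS),
                       parse_running_acl(SAMPLE_RUNNING_CONFIG, "NTP_ACL"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Reporting the extra entries, not just the missing ones, is what catches the ACE-level problem mentioned above: checking for one ACE at a time says nothing about entries that should not be there, and the ordering check flags an ACL that contains the right entries but would match them in a different sequence.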
On Tuesday, January 16, 2018 at 7:16:19 AM UTC-8, Julien Guirlinger wrote:
>
>
> Hello,
>
> Does anybody use ansible to manage ACL on Cisco Nexus switches?
>
> I have started to use it, but I face some issues:
> - I didn't find a way to set the "per entry statistics on my ACL"
> - I have to call the module for each ACE in my ACL, which is not 
> satisfying for performance and for readability when it comes to large ACL
> - I'm still not sure of the way I should write my playbook, either 
> including all the ACL in it with a task for each ACE, or looping over a 
> dict containing my ACL (a file imported via an "include_vars" statement for 
> example)
>
> I will be happy to have feedback of how you achieve it.
>
> Thanks
>
> Julien
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/c988842a-e10a-4746-896b-315eb6ef5257%40googlegroups.com.