Interesting way of doing it. 

What do you mean by:

> *Also, the idempotency works at the ACL level but the module at the ACE 
> level and that always worried me*
>

Thank you for the feedback

Julien

On Monday, January 22, 2018 at 4:12:18 PM UTC+1, Claudia de Luna wrote:
>
> Hi Julien,
>
> I confess I've not used this module for ACL management for many of the 
> reasons you note.  Also, the idempotency works at the ACL level but the 
> module at the ACE level and that always worried me.  I can see myself 
> checking for one ACE and basically turning my ACL into a one line ACL.
>
> I tend to use the template module and then the xxxx-config module (ios or 
> nxos).
>
> I'd stay away from the include_vars and go with a group_vars file or a 
> host_vars file depending on what you need.
>
> For example, I have a standard NTP ACL for all the NXOS devices which I 
> represent with a group called [nxos] in my host file.
>
> So in my group_vars directory I have an nxos.yml file with something like 
> this:
>
> ntp_acl:
>   - src: any
>     dest: 1.1.1.123/24
>   - src: any
>     dest: 1.1.1.23/24
>
>
> and in my template file I have
>
> # ntp_acl.j2
> no ip access-list NTP_ACL
> ip access-list NTP_ACL
>  permit ip any 192.168.2.123/24
>  permit ip any 192.168.1.23/24
>
> {% for ace in ntp_acl %}
> # Additional Local NTP Servers
>  permit ip {{ ace.src }} {{ ace.dest }}
> {% endfor %}
>
> # End ntp_acl.j2
>
>
> That builds the ACL I want using the template module and then I use the 
> config module to apply it.
>
> So I have a make_cfg.yml playbook with this task
>
>     - name: Create hostname config file from template
>       template:
>         src: templates/ntp_acl.j2
>         dest: src/{{ inventory_hostname }}.cfg
>
>
> and then I have an apply_cfg.yml playbook with this task
>
>     - name: Configure Using nxos_config Module
>       nxos_config:
>         provider: "{{ cli }}"
>         backup: yes
>         match: none
>         timeout: 15
>         src: src/{{ inventory_hostname }}.cfg
>         intended_config: src/{{ inventory_hostname }}.cfg
>         diff_against: intended
>
>
> I do this when I'm first setting up a site but these can certainly be in 
> one playbook.  
>
> You can also use the config module to do diffs, so that's how I check 
> compliance.
>
> Not sure if that helps...but that may be another way to tackle the 
> problem...
>
> On Tuesday, January 16, 2018 at 7:16:19 AM UTC-8, Julien Guirlinger wrote:
>>
>> Hello,
>>
>> Does anybody use Ansible to manage ACLs on Cisco Nexus switches?
>>
>> I have started to use it, but I face some issues:
>> - I didn't find a way to set the "per entry statistics on my ACL"
>> - I have to call the module for each ACE in my ACL, which is not 
>> satisfying for performance and for readability when it comes to large ACL
>> - I'm still not sure of the way I should write my playbook, either 
>> including all the ACL in it with a task for each ACE, or looping over a 
>> dict containing my ACL (a file imported via an "include_vars" statement for 
>> example)
>>
>> I will be happy to have feedback on how you achieve it.
>>
>> Thanks
>>
>> Julien
>>

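A stand-alone check for the collapsed-ACL failure mode Claudia describes, as an added example that is not part of this thread: it parses an intended NX-OS ACL (as the ntp_acl.j2 approach renders it) and the ACL section of a device's running-config into ordered ACE lists and reports which entries are missing or extra, the same kind of compliance comparison she does with the config module's diff. Both configs are constructed samples; `statistics per-entry` is the NX-OS command behind Julien's per-entry counters question, and the sequence-number stripping assumes the NX-OS `10 permit ...` running-config form.

```python
import re

# Constructed sample: the intended ACL as the ntp_acl.j2 template approach
# renders it ("statistics per-entry" is the NX-OS per-ACE counter command).
INTENDED_CFG = """\
no ip access-list NTP_ACL
ip access-list NTP_ACL
  statistics per-entry
  permit ip any 192.168.2.123/24
  permit ip any 192.168.1.23/24
  permit ip any 1.1.1.123/24
  permit ip any 1.1.1.23/24
"""

# Constructed sample: running-config after an ACE-level run collapsed the
# ACL to a single entry (the failure mode the reply worries about).
RUNNING_CFG = """\
ip access-list NTP_ACL
  10 permit ip any 1.1.1.123/24
"""

ACL_HEADER = re.compile(r"^ip access-list (\S+)$")
SEQ_PREFIX = re.compile(r"^\d+\s+")  # NX-OS shows ACEs with sequence numbers

def parse_acls(cfg):
    """Return {acl_name: [ACE lines]} with sequence numbers stripped and
    'no ...' / comment lines ignored, so rendered and running forms compare."""
    acls, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "#", "no ")):
            continue
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
        elif current is not None:
            acls[current].append(SEQ_PREFIX.sub("", line))
    return acls

def acl_diff(intended, running, name):
    """Return (missing, extra) ACEs for ACL `name`; order is preserved."""
    want = parse_acls(intended).get(name, [])
    have = parse_acls(running).get(name, [])
    return [a for a in want if a not in have], [a for a in have if a not in want]

def is_compliant(intended, running, name):
    """ACL order matters, so compliance means the exact same ACE sequence."""
    return parse_acls(intended).get(name, []) == parse_acls(running).get(name, [])
```

Running `acl_diff(INTENDED_CFG, RUNNING_CFG, "NTP_ACL")` on the samples reports the per-entry statistics line and three permits as missing, which is exactly the one-line ACL outcome the reply warns about.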
-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/de8ebe98-b9da-4bfe-a1d5-a1a316d42e26%40googlegroups.com.