
ios_acls replaced wrong order in ACE modification.

Open tin-ot opened this issue 2 years ago • 7 comments

SUMMARY

ios_acls is trying to insert lines before they are removed. Thus only the "no" lines are executed.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
ANSIBLE VERSION
ansible [core 2.12.5]
  config file = 
  configured module search path = 
  ansible python module location = 
  ansible collection location = 
  executable location =
  python version = 3.8.8 (default, Aug 11 2021, 06:52:42) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
Collection Version
---------- -------
cisco.ios  *   

from git hub, last commit : 
commit bbcfad521426e17f6d8d8d355c5bcab8e058b3b9 (HEAD -> main, origin/main, origin/HEAD)
Merge: f63b413 dfc9b21
Author: Sagar Paul <[email protected]>
Date:   Tue Jun 14 16:46:34 2022 +0530
CONFIGURATION

OS / ENVIRONMENT

Switch Ports Model       SW Version SW Image    Mode
------ ----- ----------- ---------- ----------- -------
1      64    C9300-48UXM 16.9.5     CAT9K_IOSXE INSTALL
2      64    C9300-48UXM 16.9.5     CAT9K_IOSXE INSTALL
STEPS TO REPRODUCE
config before:
Standard IP access list 99
    20 permit 127.0.0.2
    10 permit 127.0.0.1
    30 deny   any

    - name: snmp
      cisco.ios.ios_acls:
        config:
          - afi: ipv4
            acls:
              - name: 99
                acl_type: standard
                aces:
                  - sequence: 10
                    grant: permit
                    source:
                      host: 127.0.0.1
                  # - sequence: 20
                  #   grant: permit
                  #   source:
                  #     host: 127.0.0.2
                  - sequence: 20
                    grant: deny
                    source:
                      any: true
        state: replaced
      register: ios_snmp_acl_out
EXPECTED RESULTS

config after:

Standard IP access list 99
    10 permit 127.0.0.1
    20 deny   any

     "commands": [
        "ip access-list standard 99",
        "no 20 permit host 127.0.0.2",
        "no 30 deny host any",
        "20 deny any"
    ],

ACTUAL RESULTS

config after:

Standard IP access list 99
    10 permit 127.0.0.1
     "commands": [
        "ip access-list standard 99",
        "no 20 permit host 127.0.0.2",
        "20 deny any",
        "no 30 deny host any"
    ],

It would fail the same with any ACE reordering.

tin-ot avatar Jun 13 '22 16:06 tin-ot

I tried to replicate your issues using the same module and same layout.

Here is what mine did. Please use the pastebin link to see the attached code.

https://pastebin.com/tfnU6ECk

MrSteve81 avatar Jun 14 '22 15:06 MrSteve81

before:

SWITCH:#sh access-lists 99
Standard IP access list 99
    20 permit 127.0.0.3
    30 permit 127.0.0.2
    10 permit 127.0.0.1
    40 deny   any

Config


    - name: snmp 0.1 Create access-list for SNMP user
      cisco.ios.ios_acls:
        config:
          - afi: ipv4
            acls:
              - name: 99
                acl_type: standard
                aces:
                  - sequence: 10
                    grant: permit
                    source:
                      host: 127.0.0.1
                  - sequence: 20
                    grant: permit
                    source:
                      host: 127.0.0.2
                  - sequence: 30
                    grant: deny
                    source:
                      any: true
        state: replaced
      register: ios_snmp_acl_out

-vvv


    "commands": [
        "ip access-list standard 99",
        "no 20 permit host 127.0.0.3",
        "20 permit host 127.0.0.2",
        "no 30 permit host 127.0.0.2",
        "30 deny any",
        "no 40 deny host any"
    ]

after:

SWITCH:#sh access-lists 99
Standard IP access list 99
    10 permit 127.0.0.1

Anyhow, even the code you pasted is wrong.

You can't handle the ACEs sequence by sequence. If the IP is already configured in a later line, it will be rejected by the switch.

All the "no" commands have to go first; only then can it add the updated lines.

tin-ot avatar Jun 15 '22 10:06 tin-ot

**** GREAT FIND ****

I am not sure what version of the Cisco.ios collection you are using for Ansible. Your post shows *

I am attempting the same on a build that has Cisco.ios collection 2.5. I know it is a bit outdated, but it is working here for sequence. I once again used the same information you posted in the second post and attempted a run, tried it again this morning, and it worked. It could be an issue with your install of the Cisco.ios collection.

The commands look to be firing in the correct order on my end to remove and replace the ace lines.

https://pastebin.com/uvbXdM9Y

************ UPDATE AFTER I TRIED A FRESH RUN WITH AN ACL I CREATED *********** I understand what you are saying about the IP issue, but your examples don't cause a break in my world using your examples. Weird....... But I did get it to fail on my system doing this, so I agree it can be replicated on my system here. I moved an IP address from seq 35 to seq 5 to see if it would cause the issue and it did. I re-ran the Ansible play and it fixed it after a second run.

https://pastebin.com/Sb363Qww

MrSteve81 avatar Jun 15 '22 14:06 MrSteve81

It's not about the collection version. It's about the commands being wrong on the switch.

As I told you, the commands are not taken into account by the switch. If you try to apply an ACE with an IP that already exists in the ACL, then you get this message:

SWITCH(config-std-nacl)#do show access-list 99
Standard IP access list 99
    30 permit 127.0.0.3
    20 permit 127.0.0.2
    10 permit 127.0.0.1
    50 deny   any
SWITCH(config-std-nacl)#40 permit 127.0.0.3
% % Duplicate permit statement ignored.

(same if you try to insert with a lower sequence number)

If you try to deny any with another sequence number, there is no error message, but the command is simply ignored and nothing is applied.

SWITCH(config-std-nacl)#40 deny any
SWITCH(config-std-nacl)#do show access-list 99
Standard IP access list 99
    30 permit 127.0.0.3
    20 permit 127.0.0.2
    10 permit 127.0.0.1
    50 deny   any

Maybe the switch version is relevant. I am updating the original post.

tin-ot avatar Jun 16 '22 15:06 tin-ot
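The two comments above describe the same mechanism from both sides: the module emits each "no" immediately followed by its replacement, and IOS silently drops an ACE whose grant and source already exist under another sequence number. The following Python is an added example, not code from the cisco.ios collection; it models exactly that switch behaviour (a duplicate entry is ignored, "no <seq> ..." removes that sequence, and the entry is otherwise stored) and generates the commands in both orders so the difference is visible. The simulator, the two command generators and the sample ACL state are all constructed here from the issue's first example.

```python
"""Why interleaving 'no' and add commands loses ACEs on IOS.

Added example, not code from the cisco.ios collection. It models the switch
behaviour reported in this thread: an ACE whose grant+source already exists
under another sequence number is silently ignored (IOS prints the
'Duplicate permit statement ignored.' message for permits and nothing at all
for 'deny any'), and a 'no <seq> ...' command removes that sequence number.
"""

# An ACL is modelled as {sequence: (grant, source)}; 'source' uses the config
# form ('host 127.0.0.1', 'any'), not the 'show access-lists' form.


class StandardAcl:
    """Minimal simulator of an IOS standard ACL (constructed for this example)."""

    def __init__(self, aces):
        self.aces = dict(aces)
        self.ignored = []  # commands the simulated switch dropped

    def apply(self, command):
        parts = command.split()
        if parts[0] == "no":
            # 'no 20 permit host 127.0.0.2': remove by sequence number;
            # removing a sequence that is not present is a no-op.
            self.aces.pop(int(parts[1]), None)
            return
        seq, grant, source = int(parts[0]), parts[1], " ".join(parts[2:])
        if (grant, source) in self.aces.values():
            # Duplicate rule: the entry already exists under another sequence.
            self.ignored.append(command)
            return
        self.aces[seq] = (grant, source)

    def lines(self):
        return [f"{seq} {g} {s}" for seq, (g, s) in sorted(self.aces.items())]


def _changes(before, desired):
    """Yield (seq, old, new) for every sequence number whose ACE differs."""
    for seq in sorted(set(before) | set(desired)):
        old, new = before.get(seq), desired.get(seq)
        if old != new:
            yield seq, old, new


def interleaved_commands(before, desired):
    """The order from the bug report: for each sequence, its 'no' immediately
    followed by its replacement, ascending by sequence number."""
    cmds = []
    for seq, old, new in _changes(before, desired):
        if old is not None:
            cmds.append(f"no {seq} {old[0]} {old[1]}")
        if new is not None:
            cmds.append(f"{seq} {new[0]} {new[1]}")
    return cmds


def no_first_commands(before, desired):
    """The order the thread asks for: every removal first, then every addition."""
    removals, additions = [], []
    for seq, old, new in _changes(before, desired):
        if old is not None:
            removals.append(f"no {seq} {old[0]} {old[1]}")
        if new is not None:
            additions.append(f"{seq} {new[0]} {new[1]}")
    return removals + additions


def simulate(before, desired, ordering):
    """Push the generated commands through the simulator; return (resulting
    ACL lines, commands the switch ignored)."""
    acl = StandardAcl(before)
    for cmd in ordering(before, desired):
        acl.apply(cmd)
    return acl.lines(), acl.ignored


# Constructed from the issue's first example: ACL 99 before the run and the
# playbook's intended state.
ISSUE_BEFORE = {20: ("permit", "host 127.0.0.2"),
                10: ("permit", "host 127.0.0.1"),
                30: ("deny", "any")}
ISSUE_DESIRED = {10: ("permit", "host 127.0.0.1"),
                 20: ("deny", "any")}

if __name__ == "__main__":
    for ordering in (interleaved_commands, no_first_commands):
        lines, ignored = simulate(ISSUE_BEFORE, ISSUE_DESIRED, ordering)
        print(ordering.__name__, "->", lines, "ignored:", ignored)
```

With the interleaved order the simulator ends with only `10 permit host 127.0.0.1` and reports `20 deny any` as ignored, which is the ACTUAL RESULTS state in the issue; with all removals first the ACL ends as intended and nothing is ignored. The same two functions reproduce the second example in the thread (127.0.0.3 / 127.0.0.2 / deny any), where both replacement lines are dropped and only sequence 10 survives.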

(btw, if you apply it a second time it works. But you can lose access to your switch in the meantime, e.g. with tty ACLs... it already happened to me)

(the first pastebin is in a valid order)

tin-ot avatar Jun 16 '22 15:06 tin-ot

Understood

Actually, to be honest, I had a similar issue with the prefix list module not failing if you put an improper subnet mask.
It goes back to the module not recognizing the errors IOS kicks out.
It would show changed, but it would not apply to the switch.
The link below [KB-perByte] explains the issue behind it. https://github.com/ansible-collections/cisco.ios/issues/560#issuecomment-1099865515

MrSteve81 avatar Jun 16 '22 15:06 MrSteve81

So I have run into another example of the commands being fired in a weird order.
Example:

Say I have an existing ACL that is parsed and configured to the router using the ios_acl module.
This ACL fails to have deny ip any any log-input in the last line configured.
I then run a task that checks it and registers that there is nothing in the ACL matching that line.
The next task adds the missing line at sequence number 300 so the ACL is configured to spec. I then prompt the user that they need to update their ACL file that they are sending to the unit using the parsed feature.
The user then goes to that file and adds 100 deny ip any any log-input to the file.
When I run the replaced ios_acl module it fires the commands in this order.

ok: [192.168.68.112] => {
    "cisc_rt_000130_ext_acl_ran.commands": [
        "ip access-list extended EXTERNAL_ACL",
        "100 deny ip any any log-input",
        "no 300 deny ip any any log-input"
    ]
}

Basically it is trying to add sequence 100 first and then remove 300, but that deletes the line completely.

MrSteve81 avatar Jul 28 '22 16:07 MrSteve81
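Two remarks in this thread point at the same operational gap: the module reports "changed" even when IOS silently ignored a command, and the workaround described above is a separate task that reads the ACL back and checks it against spec. The following Python is an added example, not code from the cisco.ios collection; it parses `show access-lists` output for a standard ACL into the same `{sequence: (grant, source)}` form the playbooks above use and reports which intended ACEs are missing and which entries on the switch are not in the intent, so a play can fail on drift instead of trusting the module's result. The regular expressions, the normalization of show output (hit counters, bare address versus `host`) and the sample output are all constructed here; the sample output is the ACTUAL RESULTS state from the issue.

```python
"""Verify an IOS standard ACL against intent after an ios_acls run.

Added example, not code from the cisco.ios collection. The thread notes that
the module reports 'changed' even when IOS silently ignored a command, so a
playbook should read the ACL back and compare it with the intended ACEs rather
than trust the module's result. Intent uses the same {sequence: (grant, source)}
form as the module's config.
"""
import re

# One 'show access-lists' entry: sequence, permit/deny, the rest of the line.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)\s*$")


def normalize_source(source):
    """Bring a 'show access-lists' source into config form: drop hit counters
    such as '(12 matches)', collapse whitespace and write a bare address as
    'host <addr>' (standard ACL show output omits the 'host' keyword)."""
    source = re.sub(r"\s*\(\d+ match(es)?\)\s*$", "", source)
    source = re.sub(r"\s+", " ", source).strip()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", source):
        return f"host {source}"
    return source


def parse_show_access_list(output):
    """Parse 'show access-lists <name>' for a standard ACL into {seq: (grant, source)}."""
    aces = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces[int(m.group(1))] = (m.group(2), normalize_source(m.group(3)))
    return aces


def verify_acl(show_output, intended):
    """Return (missing, unexpected): intended ACEs the switch does not carry at
    that sequence, and ACEs on the switch that the intent does not contain.
    Both empty means the ACL matches; a playbook can fail on anything else."""
    actual = parse_show_access_list(show_output)
    missing = [f"{s} {g} {src}" for s, (g, src) in sorted(intended.items())
               if actual.get(s) != (g, src)]
    unexpected = [f"{s} {g} {src}" for s, (g, src) in sorted(actual.items())
                  if intended.get(s) != (g, src)]
    return missing, unexpected


# Constructed sample: the 'ACTUAL RESULTS' state from the issue, with a hit
# counter added to show that it is tolerated by the parser.
SHOW_AFTER_BUGGY_RUN = """\
Standard IP access list 99
    10 permit 127.0.0.1 (12 matches)
"""
INTENDED = {10: ("permit", "host 127.0.0.1"), 20: ("deny", "any")}

if __name__ == "__main__":
    missing, unexpected = verify_acl(SHOW_AFTER_BUGGY_RUN, INTENDED)
    print("missing:", missing, "unexpected:", unexpected)
```

Run against the state the buggy command order leaves behind, `verify_acl` reports `20 deny any` as missing and nothing unexpected; against the untouched "before" ACL it reports both the stale entries and the missing deny. The comparison is keyed by sequence number on purpose: an ACE that exists with the right content under a different sequence still changes evaluation order and is reported.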