aoscx-ansible-role
aoscx_acl_vlan module renames the VLAN
I have found an issue where the aoscx_acl_vlan module renames the VLAN. For example, show running config before running a playbook:
vlan 164
name Dev-A
vsx-sync
Run the playbook:
tasks:
  - name: Add acl_ipv4_Test ACL to VLAN 164.
    aoscx_acl_vlan:
      acl_name: acl_ipv4_Test
      acl_type: ipv4
      acl_vlan_list:
        - 164
Show running config after playbook has finished:
vlan 164
name VLAN164
vsx-sync
As a workaround, I'm having to update the names of the VLANs at the end of the playbook with aoscx_vlan module:
  - name: Fix VLAN 164 name (Workaround)
    aoscx_vlan:
      vlan_id: 164
      name: Dev-A
hi @jimdavis66, have you had a look at the collection (and not the role)?
It is recommended to use the collection.
hi @jimdavis66 - can you do what @alagoutte recommended and see if this issue is present in the collection as well?
Hi @alagoutte and @tchiapuziowong, sorry for the confusion. I am using the collection, and here is a full example of my playbook. Am I doing something wrong here? Thanks!
---
# AOS-CX
- name: Remove applied ACLs from VLANs on VSX Primary
  hosts: sw-corepr
  collections:
    - arubanetworks.aoscx
  gather_facts: false
  tasks:
    - name: Remove acl_ipv4_Test ACL from VLAN 164.
      aoscx_acl_vlan:
        acl_name: acl_ipv4_Test
        acl_type: ipv4
        acl_vlan_list:
          - 164
        state: delete

- name: Create ACL Configuration on each Core Switch
  hosts: layer3
  collections:
    - arubanetworks.aoscx
  gather_facts: false
  tasks:
    - name: Remove acl_ipv4_Test from config.
      aoscx_acl:
        name: acl_ipv4_Test
        type: ipv4
        state: delete

    - name: Recreate acl_ipv4_Test to Test network restrictions.
      aoscx_acl:
        name: acl_ipv4_Test
        type: ipv4
        acl_entries:
          # Allow specific access for basic networking
          10:
            comment: Permit internal DNS requests
            src_ip: any
            dst_ip: 192.168.20.50/255.255.255.255
            dst_l4_port_max: 53
            dst_l4_port_min: 53
            protocol: udp
            count: true
            action: permit
          11:
            comment: Permit internal DNS requests
            src_ip: any
            dst_ip: 192.168.20.60/255.255.255.255
            dst_l4_port_max: 53
            dst_l4_port_min: 53
            protocol: udp
            count: true
            action: permit
          12:
            comment: Permit internal DNS requests
            src_ip: any
            dst_ip: 192.168.201.1/255.255.255.255
            dst_l4_port_max: 53
            dst_l4_port_min: 53
            protocol: udp
            count: true
            action: permit
          15:
            comment: Permit DHCP
            src_ip: any
            dst_ip: any
            dst_l4_port_max: 68
            dst_l4_port_min: 67
            protocol: udp
            count: true
            action: permit
          17:
            comment: Permit 6082 to PaloAlto Captive Portal
            dst_ip: 192.168.201.1/255.255.255.255
            dst_l4_port_max: 6082
            dst_l4_port_min: 6082
            protocol: tcp
            count: true
            action: permit
          # Allow specific web access to on-prem servers.
          20:
            comment: Permit HTTPS to ServerA
            dst_ip: 192.168.20.75/255.255.255.255
            dst_l4_port_max: 443
            dst_l4_port_min: 443
            protocol: tcp
            count: true
            action: permit
          21:
            comment: Permit HTTPS to ServerB
            dst_ip: 192.168.20.63/255.255.255.255
            dst_l4_port_max: 443
            dst_l4_port_min: 443
            protocol: tcp
            count: true
            action: permit
          # Deny all access to the rest of the LAN
          40:
            comment: Deny access to 192.168.0.0 LAN
            src_ip: any
            dst_ip: 192.168.0.0/255.255.0.0
            protocol: any
            count: true
            action: deny
          50:
            comment: Deny access to 10.0.0.0 LAN
            src_ip: any
            dst_ip: 10.0.0.0/255.0.0.0
            protocol: any
            count: true
            action: deny
          # Permit all other access to WAN and let the PaloAlto do the filtering
          60:
            comment: Permit access to WAN
            dst_ip: any
            protocol: any
            count: true
            action: permit

- name: Apply ACLs to VLANs on VSX Primary
  hosts: sw-corepr
  collections:
    - arubanetworks.aoscx
  gather_facts: false
  tasks:
    - name: Apply acl_ipv4_Test to VLAN 164.
      aoscx_acl_vlan:
        acl_name: acl_ipv4_Test
        acl_type: ipv4
        acl_vlan_list:
          - 164

    - name: Fix VLAN 164 name (Workaround)
      aoscx_vlan:
        vlan_id: 164
        name: Dev-A
@jimdavis66 can you provide what the before/after config from the switch looks like? (without the workaround)
Config before (with redactions):
!
access-list ip ACL-VLAN20
10 permit any 192.168.254.37 192.168.20.0/255.255.255.0
20 deny tcp any 192.168.20.35 eq http
30 deny tcp any 192.168.20.35 eq https
40 permit any any 192.168.20.0/255.255.255.0
access-list ip acl_ipv4_Test
10 comment Permit internal DNS requests
10 permit udp any 192.168.20.50 eq dns count
11 comment Permit internal DNS requests
11 permit udp any 192.168.20.60 eq dns count
12 comment Permit internal DNS requests
12 permit udp any 192.168.201.1 eq dns count
15 comment Permit DHCP
15 permit udp any any range 67 68 count
17 comment Permit 6082 to PaloAlto Captive Portal
17 permit tcp any 192.168.201.1 eq 6082 count
20 comment Permit HTTPS to ServerA
20 permit tcp any 192.168.20.75 eq https count
21 comment Permit HTTPS to ServerB
21 permit tcp any 192.168.20.63 eq https count
40 comment Deny access to 192.168.0.0 LAN
40 deny any any 192.168.0.0/255.255.0.0 count
50 comment Deny access to 10.0.0.0 LAN
50 deny any any 10.0.0.0/255.0.0.0 count
60 comment Permit access to WAN
60 permit any any any count
!
vlan 1
vsx-sync
vlan 2
vsx-sync
vlan 164
name Dev-A
vsx-sync
apply access-list ip acl_ipv4_Test in
vlan 165
name Dev-B
vsx-sync
!
!
interface vlan 164
vsx-sync active-gateways
description Dev-A
ip address 192.168.164.2/24
active-gateway ip mac 12:01:00:00:01:00
active-gateway ip 192.168.164.1
ip helper-address 192.168.20.50
interface vlan 165
vsx-sync active-gateways
description Dev-B
ip address 192.168.165.2/24
active-gateway ip mac 12:01:00:00:01:00
active-gateway ip 192.168.165.1
ip helper-address 192.168.20.50
!
!
Config after (with redactions):
!
access-list ip ACL-VLAN20
10 permit any 192.168.254.37 192.168.20.0/255.255.255.0
20 deny tcp any 192.168.20.35 eq http
30 deny tcp any 192.168.20.35 eq https
40 permit any any 192.168.20.0/255.255.255.0
access-list ip acl_ipv4_Test
10 comment Permit internal DNS requests
10 permit udp any 192.168.20.50 eq dns count
11 comment Permit internal DNS requests
11 permit udp any 192.168.20.60 eq dns count
12 comment Permit internal DNS requests
12 permit udp any 192.168.201.1 eq dns count
15 comment Permit DHCP
15 permit udp any any range 67 68 count
17 comment Permit 6082 to PaloAlto Captive Portal
17 permit tcp any 192.168.201.1 eq 6082 count
20 comment Permit HTTPS to ServerA
20 permit tcp any 192.168.20.75 eq https count
21 comment Permit HTTPS to ServerB
21 permit tcp any 192.168.20.63 eq https count
40 comment Deny access to 192.168.0.0 LAN
40 deny any any 192.168.0.0/255.255.0.0 count
50 comment Deny access to 10.0.0.0 LAN
50 deny any any 10.0.0.0/255.0.0.0 count
60 comment Permit access to WAN
60 permit any any any count
!
vlan 1
vsx-sync
vlan 2
vsx-sync
vlan 164
name VLAN 164
vsx-sync
apply access-list ip acl_ipv4_Test in
vlan 165
name Dev-B
vsx-sync
!
!
interface vlan 164
vsx-sync active-gateways
description Dev-A
ip address 192.168.164.2/24
active-gateway ip mac 12:01:00:00:01:00
active-gateway ip 192.168.164.1
ip helper-address 192.168.20.50
interface vlan 165
vsx-sync active-gateways
description Dev-B
ip address 192.168.165.2/24
active-gateway ip mac 12:01:00:00:01:00
active-gateway ip 192.168.165.1
ip helper-address 192.168.20.50
!
!
Thanks!
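As an added example (not part of this thread or of the aoscx collection's code), a small Python check that parses the vlan blocks of two AOS-CX running-config captures and reports every VLAN whose name changed, which is how the renaming described above would be caught in a pre/post-playbook comparison. The two config excerpts are constructed from the snippets in the thread, with the device's indentation restored.

```python
import re
# Constructed excerpts of the before/after "show running-config" output from
# the thread above (vlan section only, device indentation restored).
BEFORE = """\
vlan 164
    name Dev-A
    vsx-sync
vlan 165
    name Dev-B
    vsx-sync
"""
AFTER = """\
vlan 164
    name VLAN164
    vsx-sync
    apply access-list ip acl_ipv4_Test in
vlan 165
    name Dev-B
    vsx-sync
"""
def parse_vlans(config):
    """Map vlan id -> {"name": str or None, "acls": [applied ACL lines]}."""
    vlans, current = {}, None
    for raw in config.splitlines():
        match = re.fullmatch(r"vlan (\d+)", raw.strip())
        if match and not raw.startswith((" ", "\t")):
            current = int(match.group(1))
            vlans[current] = {"name": None, "acls": []}
        elif current is not None and raw.startswith((" ", "\t")):
            line = raw.strip()
            if line.startswith("name "):
                vlans[current]["name"] = line[len("name "):]
            elif line.startswith("apply access-list "):
                vlans[current]["acls"].append(line)
        else:
            current = None  # any other top-level line (e.g. "interface vlan 164") ends the block
    return vlans

def vlan_name_drift(before, after):
    """List (vlan_id, old_name, new_name) for every VLAN whose name changed."""
    old, new = parse_vlans(before), parse_vlans(after)
    name = lambda d, vid: d.get(vid, {}).get("name")
    return [(vid, name(old, vid), name(new, vid))
            for vid in sorted(set(old) | set(new))
            if name(old, vid) != name(new, vid)]

if __name__ == "__main__":
    for vid, was, now in vlan_name_drift(BEFORE, AFTER):
        print(f"vlan {vid}: name changed from {was!r} to {now!r}")
```

Feed it the real before/after captures of a switch and a non-empty result means a task touched a VLAN name it was not meant to change.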
Do you have the latest pyaoscx module on the Ansible machine? (pip3 install pyaoscx)