
aoscx_acl_vlan module renames the VLAN #22

Open
jimdavis66 opened this issue Jan 4, 2023 · 6 comments

Comments

@jimdavis66

I have found an issue where the aoscx_acl_vlan module renames the VLAN. For example, show running config before running a playbook:

vlan 164
    name Dev-A
    vsx-sync

Run the playbook:

tasks:
    - name: Add acl_ipv4_Test ACL to VLAN 164.
      aoscx_acl_vlan:
        acl_name: acl_ipv4_Test
        acl_type: ipv4
        acl_vlan_list: 
          - 164

Show running config after playbook has finished:

vlan 164
    name VLAN164
    vsx-sync

As a workaround, I'm having to update the names of the VLANs at the end of the playbook with aoscx_vlan module:

    - name: Fix VLAN 164 name (Workaround)
      aoscx_vlan:
        vlan_id: 164
        name: Dev-A

@alagoutte

Hi @jimdavis66, have you looked at the collection (and not the role)?

It is recommended to use the collection.

@tchiapuziowong
Member

Hi @jimdavis66, can you do what @alagoutte recommended and see if this issue is present in the collection as well?

@jimdavis66
Author

Hi @alagoutte and @tchiapuziowong
Sorry for the confusion. I am using the collection, and here is a full example of my playbook. Am I doing something wrong here?
Thanks!

---
# AOS-CX

- name: Remove applied ACLs from VLANs on VSX Primary 
  hosts: sw-corepr
  collections:
    - arubanetworks.aoscx
  gather_facts: false
  tasks:
    - name: Remove acl_ipv4_Test ACL from VLAN 164.
      aoscx_acl_vlan:
        acl_name: acl_ipv4_Test
        acl_type: ipv4
        acl_vlan_list: 
          - 164
        state: delete

- name: Create ACL Configuration on each Core Switch
  hosts: layer3
  collections:
    - arubanetworks.aoscx
  gather_facts: false
  tasks:

    - name: Remove acl_ipv4_Test from config.
      aoscx_acl:
        name: acl_ipv4_Test
        type: ipv4
        state: delete

    - name: Recreate acl_ipv4_Test to Test network restrictions.
      aoscx_acl:
        name: acl_ipv4_Test
        type: ipv4
        acl_entries:
          # Allow specific access for basic networking
          10:
            comment: Permit internal DNS requests
            src_ip: any
            dst_ip: 192.168.20.50/255.255.255.255
            dst_l4_port_max: 53
            dst_l4_port_min: 53
            protocol: udp
            count: true
            action: permit
          11:
            comment: Permit internal DNS requests
            src_ip: any
            dst_ip: 192.168.20.60/255.255.255.255
            dst_l4_port_max: 53
            dst_l4_port_min: 53
            protocol: udp
            count: true
            action: permit
          12:
            comment: Permit internal DNS requests
            src_ip: any
            dst_ip: 192.168.201.1/255.255.255.255
            dst_l4_port_max: 53
            dst_l4_port_min: 53
            protocol: udp
            count: true
            action: permit
          15:
            comment: Permit DHCP
            src_ip: any
            dst_ip: any
            dst_l4_port_max: 68
            dst_l4_port_min: 67
            protocol: udp
            count: true
            action: permit
          17:
            comment: Permit 6082 to PaloAlto Captive Portal
            dst_ip: 192.168.201.1/255.255.255.255
            dst_l4_port_max: 6082
            dst_l4_port_min: 6082
            protocol: tcp
            count: true
            action: permit
          # Allow specific web access to on-prem servers.
          20:
            comment: Permit HTTPS to ServerA
            dst_ip: 192.168.20.75/255.255.255.255
            dst_l4_port_max: 443
            dst_l4_port_min: 443
            protocol: tcp
            count: true
            action: permit
          21:
            comment: Permit HTTPS to ServerB
            dst_ip: 192.168.20.63/255.255.255.255
            dst_l4_port_max: 443
            dst_l4_port_min: 443
            protocol: tcp
            count: true
            action: permit
          # Deny all access to the rest of the LAN
          40:
            comment: Deny access to 192.168.0.0 LAN
            src_ip: any
            dst_ip: 192.168.0.0/255.255.0.0
            protocol: any
            count: true
            action: deny
          50:
            comment: Deny access to 10.0.0.0 LAN
            src_ip: any
            dst_ip: 10.0.0.0/255.0.0.0
            protocol: any
            count: true
            action: deny 
          # Permit all other access to WAN and let the PaloAlto do the filtering
          60:
            comment: Permit access to WAN
            dst_ip: any
            protocol: any
            count: true
            action: permit


- name: Apply ACLs to VLANs on VSX Primary
  hosts: sw-corepr
  collections:
    - arubanetworks.aoscx
  gather_facts: false
  tasks:
    - name: Apply acl_ipv4_Test to VLAN 164.
      aoscx_acl_vlan:
        acl_name: acl_ipv4_Test
        acl_type: ipv4
        acl_vlan_list: 
          - 164
        
    - name: Fix VLAN 164 name (Workaround)
      aoscx_vlan:
        vlan_id: 164
        name: Dev-A

@tchiapuziowong
Member

@jimdavis66 can you provide what the before/after config from the switch looks like? (without the workaround)

@jimdavis66
Author

Config before (with redactions):

!
access-list ip ACL-VLAN20
    10 permit any 192.168.254.37 192.168.20.0/255.255.255.0
    20 deny tcp any 192.168.20.35 eq http
    30 deny tcp any 192.168.20.35 eq https
    40 permit any any 192.168.20.0/255.255.255.0
access-list ip acl_ipv4_Test
    10 comment Permit internal DNS requests
    10 permit udp any 192.168.20.50 eq dns count
    11 comment Permit internal DNS requests
    11 permit udp any 192.168.20.60 eq dns count
    12 comment Permit internal DNS requests
    12 permit udp any 192.168.201.1 eq dns count
    15 comment Permit DHCP
    15 permit udp any any range 67 68 count
    17 comment Permit 6082 to PaloAlto Captive Portal
    17 permit tcp any 192.168.201.1 eq 6082 count
    20 comment Permit HTTPS to ServerA
    20 permit tcp any 192.168.20.75 eq https count
    21 comment Permit HTTPS to ServerB
    21 permit tcp any 192.168.20.63 eq https count
    40 comment Deny access to 192.168.0.0 LAN
    40 deny any any 192.168.0.0/255.255.0.0 count
    50 comment Deny access to 10.0.0.0 LAN
    50 deny any any 10.0.0.0/255.0.0.0 count
    60 comment Permit access to WAN
    60 permit any any any count
!
vlan 1
    vsx-sync
vlan 2
    vsx-sync
vlan 164
    name Dev-A
    vsx-sync
    apply access-list ip acl_ipv4_Test in
vlan 165
    name Dev-B
    vsx-sync
!
!
interface vlan 164
    vsx-sync active-gateways
    description Dev-A
    ip address 192.168.164.2/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 192.168.164.1
    ip helper-address 192.168.20.50
interface vlan 165
    vsx-sync active-gateways
    description Dev-B
    ip address 192.168.165.2/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 192.168.165.1
    ip helper-address 192.168.20.50
!
!

Config after (with redactions):

!
access-list ip ACL-VLAN20
    10 permit any 192.168.254.37 192.168.20.0/255.255.255.0
    20 deny tcp any 192.168.20.35 eq http
    30 deny tcp any 192.168.20.35 eq https
    40 permit any any 192.168.20.0/255.255.255.0
access-list ip acl_ipv4_Test
    10 comment Permit internal DNS requests
    10 permit udp any 192.168.20.50 eq dns count
    11 comment Permit internal DNS requests
    11 permit udp any 192.168.20.60 eq dns count
    12 comment Permit internal DNS requests
    12 permit udp any 192.168.201.1 eq dns count
    15 comment Permit DHCP
    15 permit udp any any range 67 68 count
    17 comment Permit 6082 to PaloAlto Captive Portal
    17 permit tcp any 192.168.201.1 eq 6082 count
    20 comment Permit HTTPS to ServerA
    20 permit tcp any 192.168.20.75 eq https count
    21 comment Permit HTTPS to ServerB
    21 permit tcp any 192.168.20.63 eq https count
    40 comment Deny access to 192.168.0.0 LAN
    40 deny any any 192.168.0.0/255.255.0.0 count
    50 comment Deny access to 10.0.0.0 LAN
    50 deny any any 10.0.0.0/255.0.0.0 count
    60 comment Permit access to WAN
    60 permit any any any count
!
vlan 1
    vsx-sync
vlan 2
    vsx-sync
vlan 164
    name VLAN 164
    vsx-sync
    apply access-list ip acl_ipv4_Test in
vlan 165
    name Dev-B
    vsx-sync
!
!
interface vlan 164
    vsx-sync active-gateways
    description Dev-A
    ip address 192.168.164.2/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 192.168.164.1
    ip helper-address 192.168.20.50
interface vlan 165
    vsx-sync active-gateways
    description Dev-B
    ip address 192.168.165.2/24
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 192.168.165.1
    ip helper-address 192.168.20.50
!
!

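The before/after comparison above is the check worth automating: a small diff of the `vlan N` blocks catches a side effect such as a renamed VLAN even when the ACL application itself was intended. The script below is an added example, not code from the issue or from the arubanetworks.aoscx collection; the sample configs are constructed from the output posted above.

```python
# Added example (not code from the issue or the arubanetworks.aoscx collection):
# parse the 'vlan N' blocks of two AOS-CX running-configs and report every
# sub-line that changed, so a renamed VLAN is caught alongside the intended change.
import re

# Constructed sample, trimmed from the before/after configs in the issue.
BEFORE = """\
vlan 164
    name Dev-A
    vsx-sync
vlan 165
    name Dev-B
    vsx-sync
"""
AFTER = """\
vlan 164
    name VLAN 164
    vsx-sync
    apply access-list ip acl_ipv4_Test in
vlan 165
    name Dev-B
    vsx-sync
"""
VLAN_HEADER = re.compile(r"^vlan (\d+)$")  # top-level block only, not 'interface vlan'

def parse_vlans(config):
    """Return {vlan_id: set(sub-lines)} for each top-level 'vlan N' block."""
    vlans, current = {}, None
    for line in config.splitlines():
        m = VLAN_HEADER.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = set()
        elif current is not None and line.startswith("    "):
            vlans[current].add(line.strip())
        else:
            current = None  # '!' or another section ends the block
    return vlans

def vlan_drift(before, after, expected=()):
    """Lines added/removed per VLAN, minus the additions listed in `expected`."""
    b, a = parse_vlans(before), parse_vlans(after)
    drift = {}
    for vid in sorted(set(b) | set(a)):
        added = a.get(vid, set()) - b.get(vid, set()) - set(expected)
        removed = b.get(vid, set()) - a.get(vid, set())
        if added or removed:
            drift[vid] = {"added": sorted(added), "removed": sorted(removed)}
    return drift
```

Run it with the captured `show running-config` text from before and after the play, passing the ACL line you intended to add as `expected`; anything left in the result is drift the module should not have produced.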
@alagoutte

Thanks!

Do you have the latest pyaoscx module on the Ansible machine? (pip3 install pyaoscx)
