Ansible - Remove IPs from Network Objects - Cisco Devices

liviu.munteanu@oracle.com · ‎09-29-2021

Hi Everybody,

I am trying to fugure out the best way (optimized) to create network objects groups on cisco devices.
I was able to get the result that I needed using the following playbook:

1. Initial Object Config:

object-group network CUSTOMER1
description Last Modified By CR22222222
host 1.0.0.1
host 1.0.0.2
host 1.0.0.3
host 1.0.0.4
object-group network CUSTOMER2
description Last Modified By CR111111
host 2.0.0.2
host 2.0.0.1

2. group_vars - gvCustomersRemoved.yml

removedFromCustomerObjects:
  - name: CUSTOMER1
    RemovedIPs:
      - 1.0.0.3
      - 1.0.0.4
    CR: CR666666
  - name: CUSTOMER2
    RemovedIPs:
      - 2.0.0.1
    CR: CR666666

3. Playbook:

---
- name: Allow Customer IPs
  hosts: gvRouters
  gather_facts: false
  connection: network_cli
  vars_files:
    - .../gvCustomersRemoved.ymll

  tasks:
  # Search for the IPs to be removed in the customer object configuration
  - name: Search IP
    ios_command:
      commands: "show object-group {{item.0.name}} | include {{ item.1 }}"
    with_subelements:
      - "{{ removedFromCustomerObjects | default([])}}"
      - RemovedIPs
    register: commandResult

  # Create New List With The Lines Could Be Found In The Running Config
  - set_fact:
      toBeRemoved: []
  - set_fact:
      toBeRemoved: "{{ toBeRemoved + item.1 }}"
    with_subelements:
      - "{{commandResult.results}}"
      - stdout_lines
  - set_fact:
      toBeRemoved: "{{ toBeRemoved | regex_replace('host ', '') }}"
    with_items: "{{commandResult.results}}"
  - set_fact:
      toBeRemoved: "{{ toBeRemoved | reject('match', '^$')| list }}"

  - name: Remove IP
    ios_config:
      parents: "{{ 'object-group network ' + item.0.name }}"
      lines:
        - "description Last Modfied By {{ item.0.CR }}"
        - "{{ 'no host ' + item.1 }}"
match: 'line'
      replace: 'line'
    with_subelements:
      - "{{ removedFromCustomerObjects | default([])}}"
      - RemovedIPs
    when: item.1 in toBeRemoved

After running the playbook, the following commands where sent to the device:
show archive log config all

My question is: would somebody know a better way to get this done? As it can be seen, the "object-group network" command is being used multiple times, in case of objects with mutiple host / networks.

Seb Rupik · ‎09-29-2021

Hi there,

Have you considered using the ansible cisco.ios.ios_acls module specifying a state of 'replaced' in the playbook?

https://docs.ansible.com/ansible/latest/collections/cisco/ios/ios_acls_module.html

cheers,

Seb.

liviu.munteanu@oracle.com · ‎09-29-2021

Hi Seb,

Thanks for replying. Unfortunately, I can't see the how the module would be related to my question.

My ACLs are using object-groups. My intension is to create or modify network object groups and use them as members of the object grous referred in my ACLs. The ios_acls module has the option to refer:

object_group

string

Destination network object group

This is not creating or modifying object-groups.