930 Views | 0 Helpful | 3 Replies

Ansible Nexus ACL push abort config session on Failure

TheHubGuy (Level 1)

Hey team,

We are trying to push ACL via nxos_config and our playbook has steps for something like this:

config session
no ip access-list test_ingress
ip access-list test_ingress
permit blah blah
commit

The issue we are seeing with this playbook is that whenever there is a failure for any of the ACL lines, the session gets committed instead of aborted.

 

test_ingress ; permit tcp 1.1.1.1/32 2.2.2.2/32 eq 443 (FAILURE) (from the accounting logs)

... and the session is committed.

 

Is there a way to abort the session if we see any FAILURE? The failure can be due to tacacs accounting.

3 Replies

Hello,

the line would be:

any_errors_fatal: true

Can you post your entire playbook so we can test? What exactly do you mean by:

--> whenever there is a failure for any of the ACL lines, the session gets committed instead of aborted.

What does a 'failure' mean in this context?

Hi Georg,

When we push the ACL like this:

------------------------
config session
no ip access-list test_ingress
ip access-list test_ingress
permit #ACL1
permit #ACL2
.....
permit #ACL10005
.....
permit #ACL 20000
commit
----------------

if any of those ACL lines fails to get pushed to the box, the session is committed right away. Let's say #ACL10005 fails to push: the session is committed without pushing anything after #ACL10005. We would like to abort the config session in this case rather than commit it.

--- Playbook -----

main.yaml

---
- name: precheck commands
  cisco.nxos.nxos_command:
    commands:
      - "{{ item }}"
  loop: "{{ precheck }}"
  ignore_errors: yes
  register: precheck_command_outputs

- name: NXOS FACTS | GATHER FACTS
  cisco.nxos.nxos_facts:
    gather_subset:
      - config
      - "!default"

- name: ACL push - add
  cisco.nxos.nxos_config:
    save_when: modified
    lines: "{{ lookup('template', 'nxos_acl_add.j2') }}"
    replace: block
    match: none
  retries: 3
  register: aclpush
  until: aclpush.failed|bool == false
  when: " acl_change.acl_parent_line not in ansible_net_config"

- name: postcheck commands
  cisco.nxos.nxos_command:
    commands:
      - "{{ item }}"
  loop: "{{ postcheck }}"
  ignore_errors: yes

nxos_acl_add.j2

config session ansible-acl-push
{{ acl_change.acl_parent_line }}
{% for line in acl_change.acl_content %}
  {{ line }}
{% endfor %}
commit
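The template above sends `commit` in the same push as the ACL lines, so by the time a failed line shows up in the accounting log the session is already committed. One way to get an abort-on-failure gate is to stop the template before `commit`, read `show accounting log` with nxos_command, and let a small Ansible filter plugin decide whether a follow-up task should send `commit` or `abort`. The plugin below is an added example, not code from the thread or from the cisco.nxos collection. Assumptions: the accounting-log layout in the constructed sample (`timestamp:type=...:id=...:user=...:cmd=... (SUCCESS|FAILURE)`) is an approximation of the NX-OS format; the session name `ansible-acl-push` comes from the template; the plugin file name `filter_plugins/nxos_session.py` and the filter names are hypothetical. The failing permit line reuses the addresses from the thread's own log excerpt.

```python
import re
from typing import Dict, List, Optional

# One `show accounting log` entry. The field layout
# (timestamp:type=...:id=...:user=...:cmd=... (RESULT)) is a constructed
# approximation of the NX-OS format, not a verified reference.
ENTRY_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]+):user=(?P<user>[^:]+):"
    r"cmd=(?P<cmd>.*?) \((?P<result>SUCCESS|FAILURE|REDIRECT)\)\s*$"
)

# Constructed sample: an earlier, clean run of the same session name, then the
# current run in which one permit line failed (as in the thread) and the
# session is still open. An unrelated operator entry is mixed in.
SAMPLE_ACCOUNTING_LOG = """\
Mon Mar  4 09:00:00 2024:type=update:id=192.0.2.10@pts/0:user=ansible:cmd=configure session ansible-acl-push (SUCCESS)
Mon Mar  4 09:00:01 2024:type=update:id=192.0.2.10@pts/0:user=ansible:cmd=ip access-list test_egress ; permit tcp any any eq 22 (SUCCESS)
Mon Mar  4 09:00:02 2024:type=update:id=192.0.2.10@pts/0:user=ansible:cmd=commit (SUCCESS)
Mon Mar  4 10:12:01 2024:type=update:id=192.0.2.10@pts/0:user=ansible:cmd=configure session ansible-acl-push (SUCCESS)
Mon Mar  4 10:12:01 2024:type=update:id=192.0.2.10@pts/0:user=ansible:cmd=no ip access-list test_ingress (SUCCESS)
Mon Mar  4 10:12:02 2024:type=update:id=192.0.2.10@pts/0:user=ansible:cmd=ip access-list test_ingress (SUCCESS)
Mon Mar  4 10:12:02 2024:type=update:id=192.0.2.10@pts/0:user=ansible:cmd=test_ingress ; permit tcp 10.0.0.1/32 10.0.0.2/32 eq 443 (SUCCESS)
Mon Mar  4 10:12:03 2024:type=update:id=192.0.2.10@pts/0:user=ansible:cmd=test_ingress ; permit tcp 1.1.1.1/32 2.2.2.2/32 eq 443 (FAILURE)
Mon Mar  4 10:12:03 2024:type=update:id=203.0.113.5@pts/1:user=oper:cmd=show ip access-lists (SUCCESS)
"""


def parse_accounting_log(text: str) -> List[Dict[str, str]]:
    """Split raw accounting output into entries; lines that do not match the
    expected layout (banners, blank lines) are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def session_entries(text: str, session_name: str) -> List[Dict[str, str]]:
    """Entries accounted against the most recent run of `session_name`: from the
    `configure session NAME` entry, through every command the same source (id=)
    issued, until that source commits or aborts. Re-opening the same session
    name (the template reuses one name on every run) discards the older window."""
    opener = re.compile(r"(?:^|; )config(?:ure)? session " + re.escape(session_name) + r"$")
    window: List[Dict[str, str]] = []
    active_id: Optional[str] = None
    for e in parse_accounting_log(text):
        if opener.search(e["cmd"]):
            window = [e]
            active_id = e["id"]
            continue
        if active_id is not None and e["id"] == active_id:
            window.append(e)
            if e["cmd"].split(" ; ")[-1].strip() in ("commit", "abort"):
                active_id = None
    return window


def session_failures(text: str, session_name: str) -> List[str]:
    """Commands inside the session window that the device recorded as FAILURE."""
    return [e["cmd"] for e in session_entries(text, session_name) if e["result"] == "FAILURE"]


def session_decision(text: str, session_name: str) -> str:
    """'commit' only when the session was seen and every line succeeded;
    otherwise 'abort' (a session that never appears in the log is treated as unsafe)."""
    entries = session_entries(text, session_name)
    if not entries or any(e["result"] == "FAILURE" for e in entries):
        return "abort"
    return "commit"


class FilterModule:
    """Ansible filter-plugin entry point (hypothetical file
    filter_plugins/nxos_session.py); exposes the functions above as Jinja filters."""

    def filters(self):
        return {
            "nxos_session_failures": session_failures,
            "nxos_session_decision": session_decision,
        }


if __name__ == "__main__":
    for cmd in session_failures(SAMPLE_ACCOUNTING_LOG, "ansible-acl-push"):
        print("FAILED:", cmd)
    print("decision:", session_decision(SAMPLE_ACCOUNTING_LOG, "ansible-acl-push"))
```

In the playbook this sits between the push task (template without `commit`) and a final nxos_config task whose `lines` are `config session ansible-acl-push` followed by `{{ acct.stdout[0] | nxos_session_decision('ansible-acl-push') }}`, where `acct` is the registered result of `nxos_command` running `show accounting log`. Scoping the window to the issuing source and to the latest re-open of the session name is what keeps a failure from a previous run, or a parallel operator session, from deciding the current commit.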

 

Hello,

what if you add the line marked in bold (as previously suggested)?

---
- name: precheck commands
  --> any_errors_fatal: true
  cisco.nxos.nxos_command:
    commands:
      - "{{ item }}"
  loop: "{{ precheck }}"
  ignore_errors: yes
  register: precheck_command_outputs

- name: NXOS FACTS | GATHER FACTS
  cisco.nxos.nxos_facts:
    gather_subset:
      - config
      - "!default"

- name: ACL push - add
  cisco.nxos.nxos_config:
    save_when: modified
    lines: "{{ lookup('template', 'nxos_acl_add.j2') }}"
    replace: block
    match: none
  retries: 3
  register: aclpush
  until: aclpush.failed|bool == false
  when: " acl_change.acl_parent_line not in ansible_net_config"

- name: postcheck commands
  cisco.nxos.nxos_command:
    commands:
      - "{{ item }}"
  loop: "{{ postcheck }}"
  ignore_errors: yes
