ansible-collections/cisco.ios

ios_acls: operations fail on cat9000 configured with arp ACL

Opened this issue · 0 comments

SUMMARY

Catalyst 9000 switches support ARP ACLs for dynamic ARP inspection. The ios_acls module doesn't recognize these and tries to include the ACEs in the previous ACL, which causes operations to fail.

ISSUE TYPE
  • Bug Report

COMPONENT NAME

ios_acls

ANSIBLE VERSION
ansible [core 2.17.2]
  config file = /home/eric/src/cisco-integrations/cisco-ansible/ansible.cfg
  configured module search path = ['/home/eric/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/eric/src/cisco-integrations/cisco-ansible/.venv/lib64/python3.10/site-packages/ansible
  ansible collection location = /home/eric/src/ansible
  executable location = /home/eric/src/cisco-integrations/cisco-ansible/.venv/bin/ansible
  python version = 3.10.14 (main, Apr 17 2024, 00:00:00) [GCC 14.0.1 20240411 (Red Hat 14.0.1-0)] (/home/eric/src/cisco-integrations/cisco-ansible/.venv/bin/python3)
  jinja version = 3.1.4
  libyaml = True

COLLECTION VERSION
>  ansible-galaxy collection list cisco.ios

# /home/eric/src/ansible/ansible_collections
Collection Version
---------- -------
cisco.ios  9.0.1

# /home/eric/src/cisco-integrations/cisco-ansible/.venv/lib/python3.10/site-packages/ansible_collections
Collection Version
---------- -------
cisco.ios  8.0.0

# /home/eric/src/cisco-integrations/cisco-ansible/.venv/lib64/python3.10/site-packages/ansible_collections
Collection Version
---------- -------
cisco.ios  8.0.0

CONFIGURATION
COLLECTIONS_PATHS(/home/eric/src/cisco-integrations/cisco-ansible/ansible.cfg) = ['/home/eric/src/ansible']
CONFIG_FILE() = /home/eric/src/cisco-integrations/cisco-ansible/ansible.cfg
DEPRECATION_WARNINGS(/home/eric/src/cisco-integrations/cisco-ansible/ansible.cfg) = False
EDITOR(env: EDITOR) = /usr/bin/nano
HOST_KEY_CHECKING(/home/eric/src/cisco-integrations/cisco-ansible/ansible.cfg) = False
PAGER(env: PAGER) = less

OS / ENVIRONMENT

Target device is a Catalyst 9000v.

Initial ACL configuration:

ip access-list standard 10
 10 permit 192.168.1.0 0.0.0.255
arp access-list arp-test
 permit ip any mac any

STEPS TO REPRODUCE
  tasks:
    - name: ACL merge operation
      cisco.ios.ios_acls:
        config:
          - afi: ipv4
            acls:
              - name: ext_acl
                acl_type: extended
                aces:
                  - grant: permit
                    protocol_options:
                      ip: yes
                    source:
                      address: 192.0.2.0
                      wildcard_bits: 0.0.0.255
                    destination:
                      address: 192.0.3.0
                      wildcard_bits: 0.0.0.255

EXPECTED RESULTS

ACL ext_acl is created

ACTUAL RESULTS

Operation fails with error "Unsupported attribute for standard ACL - protocol."

TASK [ACL merge operation] ***************************************************************************************************************************
fatal: [10.100.201.128]: FAILED! => {"changed": false, "msg": "Unsupported attribute for standard ACL - protocol."}
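
The failure mode described in this report, as an added example that is not part of the original issue and is not the cisco.ios collection's parser: a simplified line-based model (the grouping logic and the names `header_re`, `parse_acls` and `misfiled_aces` are assumptions made for illustration) showing how an unrecognised `arp access-list` header leaves its ACE attached to standard ACL 10, and how recognising the header keeps it separate.

```python
import re

# Constructed sample: the initial ACL configuration quoted in the report.
SAMPLE_CONFIG = """\
ip access-list standard 10
 10 permit 192.168.1.0 0.0.0.255
arp access-list arp-test
 permit ip any mac any
"""
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}  # illustrative subset


def header_re(afis):
    """Build an ACL header matcher for the given address families."""
    return re.compile(
        rf"^(?P<afi>{'|'.join(afis)}) access-list "
        r"(?:(?P<type>standard|extended) )?(?P<name>\S+)\s*$"
    )


def parse_acls(config, header, strict=False):
    """Group indented ACE lines under the most recent recognised header.

    strict=True closes the open ACL at any unrecognised top-level line.
    """
    acls, current = [], None
    for line in config.splitlines():
        match = header.match(line)
        if match:
            current = dict(match.groupdict(), aces=[])
            acls.append(current)
        elif line.startswith(" "):
            if current is not None and line.strip():
                current["aces"].append(line.split())
        elif strict:
            current = None
    return acls


def misfiled_aces(acls):
    """Return (ACL name, ACE) pairs where a standard ACL holds a protocol ACE."""
    found = []
    for acl in acls:
        if acl["type"] != "standard":
            continue
        for ace in acl["aces"]:
            tokens = ace[1:] if ace[0].isdigit() else ace  # drop sequence number
            if len(tokens) > 1 and tokens[1] in PROTOCOLS:
                found.append((acl["name"], " ".join(ace)))
    return found
```

With `header_re(("ip", "ipv6"))` the sample yields a single ACL holding both ACEs, and `misfiled_aces` reports the ARP entry under ACL 10; adding `"arp"` to the families (with `strict=True` as a second guard) yields two separate ACLs and no misfiled entries.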