When using the cisco.nxos.nxos_acls module, the module doesn't send the terminal message back when the ios device detects a duplicate entry when no sequence number is in the config
digitalfiend64 opened this issue · 1 comment
SUMMARY
When using the cisco.nxos.nxos_acls module, the module doesn't send the terminal message back when the ios device detects a duplicate entry when no sequence number is in the config
Example before configuration:
ipv4 access-list QOS_WEBEX_VIDEO
30 permit udp any any eq 9000
Example after configuration:
ipv4 access-list QOS_WEBEX_VIDEO
30 permit udp any any eq 9000
ISSUE TYPE
- Bug Report
COMPONENT NAME
cisco.nxos.nxos_acls module
ANSIBLE VERSION
ansible [core 2.12.6]
config file = /home/REDACTED/.ansible.cfg
configured module search path = ['/home/REDACTED/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.8/site-packages/ansible
ansible collection location = /home/REDACTED/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.8.12 (default, Sep 16 2021, 10:46:05) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
jinja version = 3.0.2
libyaml = True
COLLECTION VERSION
```
Collection Version
---------- -------
cisco.nxos 4.0.0
```
CONFIGURATION
DEFAULT_LOAD_CALLBACK_PLUGINS(/home/REDACTED/.ansible.cfg) = True
DEFAULT_STDOUT_CALLBACK(/home/REDACTED/.ansible.cfg) = yaml
DEFAULT_TIMEOUT(/home/REDACTED/.ansible.cfg) = 120
DEPRECATION_WARNINGS(/home/REDACTED/.ansible.cfg) = False
GALAXY_IGNORE_CERTS(/home/REDACTED/.ansible.cfg) = True
GALAXY_SERVER_LIST(/home/REDACTED/.ansible.cfg) = ['inbound_yeti_repo', 'published_repo', 'rh-certified_repo']
HOST_KEY_CHECKING(/home/REDACTED/.ansible.cfg) = False
PARAMIKO_HOST_KEY_AUTO_ADD(/home/REDACTED/.ansible.cfg) = True
PERSISTENT_COMMAND_TIMEOUT(/home/REDACTED/.ansible.cfg) = 300
PERSISTENT_CONNECT_TIMEOUT(/home/REDACTED/.ansible.cfg) = 120
RETRY_FILES_ENABLED(/home/REDACTED/.ansible.cfg) = False
OS / ENVIRONMENT
NXOS: version 7.0(3)I7(6)
STEPS TO REPRODUCE
Attempted to use the cisco.nxos.nxos_acls module to configure an access list and add a duplicate entry
Example before configuration:
ip access-list QOS_WEBEX_VIDEO
permit udp any any eq 9000
Example after configuration:
ipv4 access-list QOS_WEBEX_VIDEO
30 permit udp any any eq 9000
```yaml
- name: Configure ACL
  cisco.nxos.nxos_acls:
    config:
      - afi: "ipv4"
        acls:
          - name: "QOS_WEBEX_VIDEO"
            aces:
              - grant: permit
                protocol: udp
                source:
                  any: true
                destination:
                  any: true
                  port_protocol:
                    eq: 9000
    state: merged
```
EXPECTED RESULTS
Expected the terminal message to be sent to the ansible debug output:
(config)#ip access-list QOS_WEBEX_VIDEO
(config-acl)# permit udp any any eq 9000
Multiple rule exists, please specify sequence number
ACTUAL RESULTS
```yaml
commands:
- ip access-list QOS_WEBEX_VIDEO
- permit udp any any eq 9000
invocation:
  module_args:
    config:
    - acls:
      - aces:
        - authen: null
          capture: null
          destination:
            address: null
            any: true
            host: null
            net_group: null
            port_group: null
            port_protocol:
              eq: '9000'
              gt: null
              lt: null
              neq: null
              range: null
            prefix: null
            wildcard_bits: null
          destopts: null
          dscp: null
          fragments: null
          grant: permit
          hop_by_hop: null
          icmp_off: null
          line: null
          log: null
          log_input: null
          packet_length: null
          precedence: null
          protocol: udp
          protocol_options: null
          remark: null
          routing: null
          sequence: null
          source:
            address: null
            any: true
            host: null
            net_group: null
            port_group: null
            port_protocol: null
            prefix: null
            wildcard_bits: null
          ttl: null
        name: QOS_WEBEX_VIDEO
      afi: ipv4
    running_config: null
    state: merged
```
Hey @digitalfiend64, the play itself needs to be specific about the sequence number in the configuration for it to be idempotent or throw the duplicate entry message. Without a sequence number, it would not be comparing it to an existing entry considering other attribute values are the same.
Regards
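The comparison described in the reply, as an added example that is not code from the issue or from the cisco.nxos collection: a small Python script parses a constructed `show ip access-lists` sample, shows that comparing the desired ACE with `sequence: null` included never equals the existing entry 30 (so the line is pushed and the CLI warning never reaches the play), and then runs a pre-flight check that ignores the sequence number, finds the duplicate at 30 and refuses to push it. The parser, the `render`/`plan` helpers, the field names and `DuplicateAceError` are hypothetical helpers written for this example; the ACL text is constructed sample data.

```python
"""Added example, not code from the issue or from the cisco.nxos collection.

Reproduces the behaviour the reply describes: a desired ACE whose sequence
is None is never equal to an existing ACE (which always carries one), so a
naive attribute-by-attribute comparison treats it as new and pushes the
line; a pre-flight check that ignores `sequence` finds the existing entry.

The parser, field names and DuplicateAceError are hypothetical helpers
written for this example; RUNNING_ACL is constructed sample data.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of `show ip access-lists QOS_WEBEX_VIDEO` on NX-OS.
RUNNING_ACL = """\
IP access list QOS_WEBEX_VIDEO
        30 permit udp any any eq 9000
        40 permit tcp any host 10.0.0.5 eq 443
"""

# Desired ACE exactly as the issue's task expressed it: no sequence number.
WANT_NO_SEQ = {
    "sequence": None, "grant": "permit", "protocol": "udp",
    "source": "any", "destination": "any", "eq": "9000",
}

# Covers only the ACE shapes used in this example (any / host X / prefix).
ACE_RE = re.compile(
    r"^\s*(?P<sequence>\d+)\s+(?P<grant>permit|deny)\s+(?P<protocol>\S+)\s+"
    r"(?P<source>any|host \S+|\S+/\d+)\s+(?P<destination>any|host \S+|\S+/\d+)"
    r"(?:\s+eq\s+(?P<eq>\d+))?\s*$"
)


class DuplicateAceError(Exception):
    """Raised instead of pushing a line NX-OS would reject as a duplicate."""


def parse_acl(text: str) -> List[Dict]:
    """Turn the ACE lines of the show output into dicts; header lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            ace = m.groupdict()
            ace["sequence"] = int(ace["sequence"])
            aces.append(ace)
    return aces


def naive_is_present(want: Dict, have: List[Dict]) -> bool:
    """Compare every attribute, sequence included. With sequence None this
    can never match an entry that has one, so the line would be pushed."""
    return any(all(h.get(k) == v for k, v in want.items()) for h in have)


def find_duplicate(want: Dict, have: List[Dict]) -> Optional[int]:
    """Pre-flight check: match on everything except sequence and return the
    sequence number of the existing ACE, or None if it is genuinely new."""
    key = {k: v for k, v in want.items() if k != "sequence"}
    for h in have:
        if all(h.get(k) == v for k, v in key.items()):
            return h["sequence"]
    return None


def render(ace: Dict) -> str:
    """Render an ACE dict as the CLI line that would be sent to the device."""
    parts = [] if ace["sequence"] is None else [str(ace["sequence"])]
    parts += [ace["grant"], ace["protocol"], ace["source"], ace["destination"]]
    if ace.get("eq"):
        parts += ["eq", ace["eq"]]
    return " ".join(parts)


def plan(want: Dict, have: List[Dict]) -> List[str]:
    """Commands to push for one ACE: [] when it already exists with the same
    sequence, the rendered line when it is new, and an exception instead of
    a line NX-OS would answer with 'Multiple rule exists, please specify
    sequence number'."""
    existing = find_duplicate(want, have)
    if existing is None:
        return [render(want)]
    if want["sequence"] == existing:
        return []  # idempotent: nothing to do
    raise DuplicateAceError(
        f"ACE '{render(dict(want, sequence=None))}' already exists as sequence "
        f"{existing}; set sequence: {existing} in the task"
    )


if __name__ == "__main__":
    have = parse_acl(RUNNING_ACL)
    print("naive compare says present:", naive_is_present(WANT_NO_SEQ, have))
    print("duplicate of existing sequence:", find_duplicate(WANT_NO_SEQ, have))
    print("with sequence 30:", plan(dict(WANT_NO_SEQ, sequence=30), have))
    try:
        plan(WANT_NO_SEQ, have)
    except DuplicateAceError as err:
        print("refused:", err)
```

Run stand-alone it prints that the naive comparison reports the ACE as absent, that the pre-flight check finds it at sequence 30, that the same ACE submitted with `sequence: 30` produces no commands, and that the unsequenced ACE is refused. On the Ansible side this corresponds to adding `sequence: 30` to the ACE in the task, which is what the reply asks for.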