mikewiebe.ndfc.dcnm_service_policy (2.1.3) — module

DCNM ansible module for managing service policies.

Added in version 1.2.0 of mikewiebe.ndfc

Authors: Mallik Mudigonda (@mmudigon)

Install collection

Install with ansible-galaxy collection install mikewiebe.ndfc:==2.1.3


Add to requirements.yml

  collections:
    - name: mikewiebe.ndfc
      version: 2.1.3

Description

DCNM ansible module for creating, deleting, querying and modifying service policies

Usage examples

# L4-L7 Service Insertion:
#
# Cisco DCNM has the ability to insert Layer 4-Layer 7 (L4-L7) service devices in a data center fabric, and also enables selectively
# redirecting traffic to these service devices. You can add a service node, create route peering between the service node and the
# service leaf switch, and then selectively redirect traffic to these service nodes. The collection provides three modules,
# namely Service Node, Service Route Peering and Service Policy, to enable this.
#
# Service Node:
#
# You have to create an external fabric and specify that a service node resides in that external fabric during service node creation.
# Service policies are created on the service node to determine the actions to be applied to the traffic.
#
# Route Peerings:
#
# Multiple Service Route Peerings can be created under a service node. Each Route Peering creates the service networks that are used to
# carry traffic towards the service node.
#
# Service Policy:
#
# Each route peering can have multiple service policies. Service policies can only be created for networks created through route peerings.
# The service policies define the actions to be taken for matching traffic.
#
# Dependency Tree:
#
# Service Node
# |
# |---- Route Peering 1
# |     |
# .     |---- Service Policy 1
# .     |
# .     .
# .     .
# .     .
# .     |---- Service Policy N
# .
# |---- Route Peering N
#       |
#       |---- Service Policy 1
#       |
#       .
#       .
#       .
#       |---- Service Policy N
#
#
# This module supports the following states:

# Merged:
#   Service Policies defined in the playbook will be merged into the target fabric.
#     - If a Service Policy does not exist, it will be added.
#     - If a Service Policy exists but properties managed by the playbook differ,
#       it will be updated if possible.
#     - Service Policies that are not specified in the playbook will be untouched.
#
# Replaced:
#   Service Policies defined in the playbook will be replaced in the target fabric.
#     - If a Service Policy does not exist, it will be added.
#     - If a Service Policy exists but properties managed by the playbook differ,
#       it will be updated if possible.
#     - Properties that can be managed by the module but are not specified
#       in the playbook will be deleted or defaulted if possible.
#     - Service Policies that are not specified in the playbook will be untouched.
#
# Overridden:
#   Service Policies defined in the playbook will be overridden in the target fabric.
#     - If a Service Policy does not exist, it will be added.
#     - If a Service Policy exists but properties managed by the playbook differ,
#       it will be updated if possible.
#     - Properties that can be managed by the module but are not specified
#       in the playbook will be deleted or defaulted if possible.
#     - Service Policies that are not specified in the playbook will be deleted.
#
# Deleted:
#   Service Policies defined in the playbook will be deleted.
#
# Query:
#   Returns the current DCNM state for the Service Policies listed in the playbook.
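Because `overridden` deletes every policy the playbook does not name, and `deleted` with no `config` removes every policy in the fabric, it is worth computing what a task would do before it runs. The dry-run planner below is an added example, not the module's own code: it models the documented semantics of the five states (including the deletion selectors used by the delete examples on this page, by policy name, by node alone, by node and route peering, or with no config) over a constructed snapshot of fabric state. Keying policies by `(node_name, name)` and the `plan` function itself are assumptions of this example; the module's real matching and diff logic may differ.

```python
"""Dry-run planner for the dcnm_service_policy states described above.

Added example, not the module's own code: it models the documented
semantics of merged / replaced / overridden / deleted / query so a reviewer
can see what a playbook would change before it touches the fabric.
Policies are keyed by (node_name, name) as an assumption of this example.
"""
from typing import Dict, List, Tuple

Key = Tuple[str, str]          # (node_name, policy name)
Policy = Dict[str, object]


def _key(p: Policy) -> Key:
    return (str(p["node_name"]), str(p["name"]))


def _index(policies: List[Policy]) -> Dict[Key, Policy]:
    return {_key(p): p for p in policies}


def plan(state: str, existing: List[Policy], want: List[Policy]) -> Dict[str, List[Key]]:
    """Return the policies that would be added, updated, or deleted."""
    have = _index(existing)
    added: List[Key] = []
    updated: List[Key] = []
    deleted: List[Key] = []

    if state == "query":
        return {"added": added, "updated": updated, "deleted": deleted}

    if state == "deleted":
        # Selectors: (node, name), node alone, (node, rp_name), or no config
        # at all, which removes every policy in the fabric.
        if not want:
            deleted = list(have)
        else:
            for sel in want:
                for k, p in have.items():
                    if p.get("node_name") != sel.get("node_name"):
                        continue
                    if "name" in sel and sel["name"] != p.get("name"):
                        continue
                    if "rp_name" in sel and sel["rp_name"] != p.get("rp_name"):
                        continue
                    if k not in deleted:
                        deleted.append(k)
        return {"added": added, "updated": updated, "deleted": deleted}

    if state not in ("merged", "replaced", "overridden"):
        raise ValueError(f"unsupported state {state!r}")

    desired = _index(want)
    for k, p in desired.items():
        if k not in have:
            added.append(k)
        elif state == "merged":
            # merged compares only the keys the playbook actually sets
            if any(have[k].get(f) != v for f, v in p.items()):
                updated.append(k)
        else:
            # replaced/overridden reset unspecified properties, so any
            # difference in either direction counts as an update
            if have[k] != p:
                updated.append(k)

    if state == "overridden":
        # everything not named in the playbook is removed
        deleted = [k for k in have if k not in desired]

    return {"added": added, "updated": updated, "deleted": deleted}


# Constructed sample data (not captured from a real fabric).
EXISTING: List[Policy] = [
    {"node_name": "it-sn-1", "name": "service_policy_1", "rp_name": "it-fw-rp1",
     "policy": {"proto": "tcp", "src_port": "any", "dest_port": "22", "action": "permit"}},
    {"node_name": "it-sn-2", "name": "service_policy_2", "rp_name": "it-fw-rp2",
     "policy": {"proto": "udp", "src_port": "any", "dest_port": "53", "action": "permit"}},
]
WANT: List[Policy] = [
    {"node_name": "it-sn-1", "name": "service_policy_1", "rp_name": "it-fw-rp1",
     "policy": {"proto": "tcp", "src_port": "any", "dest_port": "22", "action": "deny"}},
    {"node_name": "it-sn-1", "name": "service_policy_3", "rp_name": "it-fw-rp1",
     "policy": {"proto": "icmp", "src_port": "any", "dest_port": "any", "action": "permit"}},
]

if __name__ == "__main__":
    for st in ("merged", "replaced", "overridden"):
        print(st, plan(st, EXISTING, WANT))
    print("deleted (node it-sn-2)", plan("deleted", EXISTING, [{"node_name": "it-sn-2"}]))
    print("deleted (no config)", plan("deleted", EXISTING, []))
```

Running it shows the difference that matters operationally: `merged` and `replaced` leave `service_policy_2` on `it-sn-2` alone, while `overridden` removes it because the playbook never mentions it, and `state: deleted` without `config` empties the fabric.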

# CREATING SERVICE POLICIES
# =========================

- name: Create service policy including all optional objects
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    attach: true
    deploy: true
    state: merged
    config:
      - name: service_policy_1
        node_name: it-sn-1
        rp_name: it-fw-rp1
        src_vrf: vrf_11
        dest_vrf: vrf_11
        src_network: net_11
        dest_network: net_12
        next_hop: 192.161.1.100
        reverse_next_hop: 192.161.2.100
        reverse: true
        policy:
          proto: tcp
          src_port: any
          dest_port: 22
          action: permit
          next_hop_option: none
          acl_name: fwd_acl_10
          rev_acl_name: rev_acl_10
          route_map_num: 101
          rev_route_map_num: 102
# DELETE SERVICE POLICIES
# =======================

# 1. With Policy Name and Node name
#
# Deletes the specific service policy specified from the given node

- name: Delete service policies with policy name and node name
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    state: deleted
    config:
      - name: service_policy_1
        node_name: it-sn-1

      - name: service_policy_2
        node_name: it-sn-2

      - name: service_policy_3
        node_name: it-sn-2

      - name: service_policy_4
        node_name: it-sn-2

      - name: service_policy_5
        node_name: it-sn-2
# 2. With Node name alone
#
# Deletes all service policies from the specified nodes

- name: Delete service policies with Node names
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    state: deleted
    config:
      - node_name: it-sn-1
      - node_name: it-sn-2
# 3. With Node name and RP name
#
# Deletes all service policies under the specified route peering and node

- name: Delete service policies with Node name and RP name
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    state: deleted
    config:
      - node_name: it-sn-1
        rp_name: it-fw-rp1

      - node_name: it-sn-2
        rp_name: it-fw-rp2
# 4. Without config
#
# Deletes all service policies on the given fabric and attached fabric

- name: Delete service policies without config
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    state: deleted
# OVERRIDE SERVICE POLICIES
# =========================

# When this playbook is executed, service policy service_policy_1 will be created or replaced and all
# other service policies in test_fabric and external will be deleted

- name: Override all existing service policies with a new one
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    attach: true
    deploy: true
    state: overridden
    config:
      - name: service_policy_1
        node_name: it-sn-1
        rp_name: it-fw-rp1
        src_vrf: vrf_11
        dest_vrf: vrf_11
        src_network: net_11
        dest_network: net_12
        next_hop: 192.161.1.100
        reverse_next_hop: 192.161.2.100
        policy:
          proto: icmp
          src_port: 555
          dest_port: 22
          action: permit
          next_hop_option: none
          acl_name: fwd_acl_555
          rev_acl_name: rev_acl_555
          route_map_num: 555
          rev_route_map_num: 556
# REPLACE SERVICE POLICIES
# ========================

- name: Replace service policy_1 with the one specified below
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    attach: true
    deploy: true
    state: replaced
    config:
      - name: service_policy_1
        node_name: it-sn-1
        rp_name: it-fw-rp1
        src_vrf: vrf_11
        dest_vrf: vrf_11
        src_network: net_11
        dest_network: net_12
        next_hop: 192.161.1.100
        reverse_next_hop: 192.161.2.100
        policy:
          proto: udp
          src_port: 501
          dest_port: 502
          action: deny
          next_hop_option: drop-on-fail   # must be one of the documented choices: none, drop-on-fail, drop
# QUERY SERVICE POLICIES
# ======================

- name: Query service policies based on service node and policy name
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    state: query
    config:
      - name: service_policy_1
        node_name: it-sn-1
- name: Query service policies based on service node
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    state: query
    config:
      - node_name: it-sn-1

Inputs

state:
    choices:
    - merged
    - replaced
    - overridden
    - deleted
    - query
    default: merged
    description:
    - the required state of the configuration after module completion.
    required: false
    type: str

attach:
    default: true
    description:
    - a flag specifying if the given service policy is to be attached to the specified
      service node
    required: false
    type: bool

config:
    description:
    - a list of dictionaries containing service policy and switch information
    elements: dict
    suboptions:
      dest_network:
        description:
        - name of the destination network for this service policy
        required: true
        type: str
      dest_vrf:
        description:
        - name of the destination vrf for this service policy
        required: true
        type: str
      name:
        description:
        - a unique name which identifies the service policy
        required: true
        type: str
      next_hop:
        default: ''
        description:
        - next hop ip address to be used in source to network direction
        - This must exactly match the next hop IP configured for the route peering associated
          with this policy
        required: false
        type: str
      policy:
        description:
        - details of the policy (ACL) to be applied
        suboptions:
          acl_name:
            default: will be auto-generated by DCNM
            description:
            - Name of the ACL in the forward direction
            required: false
            type: str
          action:
            choices:
            - permit
            - deny
            default: permit
            description:
            - action to apply for traffic matching the service profile
            required: false
            type: str
          dest_port:
            choices:
            - any
            - Min 1
            - Max 65535
            description:
            - destination port number to be matched to apply this ACL
            required: true
            type: str
          next_hop_option:
            choices:
            - none
            - drop-on-fail
            - drop
            default: none
            description:
            - option to specify how to redirect traffic
            required: false
            type: str
          proto:
            choices:
            - ip
            - icmp
            - tcp
            - udp
            description:
            - protocol to be matched to apply this ACL
            required: true
            type: str
          rev_acl_name:
            default: will be auto-generated by DCNM
            description:
            - Name of the ACL in the reverse direction
            required: false
            type: str
          rev_route_map_num:
            choices:
            - Min 1
            - Max 65535
            default: will be auto-generated by DCNM
            description:
            - route map match number for reverse direction
            required: false
            type: int
          route_map_num:
            choices:
            - Min 1
            - Max 65535
            default: will be auto-generated by DCNM
            description:
            - route map match number
            required: false
            type: int
          src_port:
            choices:
            - any
            - Min 1
            - Max 65535
            description:
            - source port number to be matched to apply this ACL
            required: true
            type: str
        type: dict
      reverse_next_hop:
        default: ''
        description:
        - reverse next hop ip address to be used in network to source direction
        - This must exactly match the reverse next hop IP configured for the route peering
          associated with this policy
        required: false
        type: str
      src_network:
        description:
        - name of the source network for this service policy
        required: true
        type: str
      src_vrf:
        description:
        - name of the source vrf for this service policy
        required: true
        type: str
    type: list

deploy:
    default: true
    description:
    - a flag specifying if a service policy is to be deployed on the switches
    required: false
    type: bool

fabric:
    description:
    - name of the target fabric for service policy operations
    required: true
    type: str

service_fabric:
    description:
    - name of the external fabric attached to the service node for service policy operations
    required: true
    type: str
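The Inputs above are a schema, and a wrong value (a port outside 1..65535, a misspelled `next_hop_option`, a next hop that is not an IP address) is best caught before the task reaches DCNM. The validator below is an added example, not the module's own `argument_spec`: it encodes the constraints documented in this section and lints a list of `config` entries offline. It assumes `node_name` is required alongside the documented required keys (the examples on this page key every policy on it) and validates `policy` only when present; the function names and the constructed sample entries are this example's own.

```python
"""Pre-flight validator for dcnm_service_policy ``config`` entries.

Added example, not the module's own argument_spec. It encodes the
constraints documented in the Inputs section: required keys, the proto /
action / next_hop_option choices, port and route-map ranges, and the
syntax of next_hop / reverse_next_hop.  Treating node_name as required is
an assumption of this example.
"""
import ipaddress
from typing import Any, Dict, List

PROTOS = {"ip", "icmp", "tcp", "udp"}
ACTIONS = {"permit", "deny"}
NEXT_HOP_OPTIONS = {"none", "drop-on-fail", "drop"}
REQUIRED_TOP = ("name", "node_name", "src_vrf", "dest_vrf", "src_network", "dest_network")


def _port_ok(v: Any) -> bool:
    # ports are documented as str: 'any' or a number in 1..65535
    s = str(v)
    return s == "any" or (s.isdigit() and 1 <= int(s) <= 65535)


def _route_map_ok(v: Any) -> bool:
    # route map numbers are documented as int in 1..65535 (bool is an int in Python, exclude it)
    return isinstance(v, int) and not isinstance(v, bool) and 1 <= v <= 65535


def _ip_ok(v: Any) -> bool:
    if v in ("", None):
        return True          # documented default is the empty string
    try:
        ipaddress.ip_address(str(v))
        return True
    except ValueError:
        return False


def validate_entry(entry: Dict[str, Any]) -> List[str]:
    """Return a list of problems for one config entry (empty list means valid)."""
    errs: List[str] = []
    for k in REQUIRED_TOP:
        if not entry.get(k):
            errs.append(f"missing required key {k!r}")
    for k in ("next_hop", "reverse_next_hop"):
        if k in entry and not _ip_ok(entry[k]):
            errs.append(f"{k}: {entry[k]!r} is not an IP address")

    pol = entry.get("policy")
    if pol is None:
        return errs
    if not isinstance(pol, dict):
        return errs + ["policy: must be a dict"]
    for k in ("proto", "src_port", "dest_port"):
        if k not in pol:
            errs.append(f"policy.{k}: required")
    if "proto" in pol and pol["proto"] not in PROTOS:
        errs.append(f"policy.proto: {pol['proto']!r} not one of {sorted(PROTOS)}")
    if pol.get("action", "permit") not in ACTIONS:
        errs.append(f"policy.action: {pol['action']!r} not one of {sorted(ACTIONS)}")
    if pol.get("next_hop_option", "none") not in NEXT_HOP_OPTIONS:
        errs.append(f"policy.next_hop_option: {pol['next_hop_option']!r} not one of {sorted(NEXT_HOP_OPTIONS)}")
    for k in ("src_port", "dest_port"):
        if k in pol and not _port_ok(pol[k]):
            errs.append(f"policy.{k}: {pol[k]!r} must be 'any' or 1..65535")
    for k in ("route_map_num", "rev_route_map_num"):
        if k in pol and not _route_map_ok(pol[k]):
            errs.append(f"policy.{k}: {pol[k]!r} must be an int in 1..65535")
    return errs


def validate_config(config: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Validate a whole config list; also flags duplicate (node_name, name) pairs."""
    report: Dict[str, List[str]] = {}
    seen = set()
    for i, entry in enumerate(config):
        label = str(entry.get("name") or f"entry[{i}]")
        errs = validate_entry(entry)
        key = (entry.get("node_name"), entry.get("name"))
        if key in seen:
            errs.append(f"duplicate policy {key!r} in config")
        seen.add(key)
        if errs:
            report[label] = errs
    return report


# Constructed sample entries: GOOD mirrors the create example above, BAD has five defects.
GOOD: Dict[str, Any] = {
    "name": "service_policy_1", "node_name": "it-sn-1", "rp_name": "it-fw-rp1",
    "src_vrf": "vrf_11", "dest_vrf": "vrf_11", "src_network": "net_11", "dest_network": "net_12",
    "next_hop": "192.161.1.100", "reverse_next_hop": "192.161.2.100",
    "policy": {"proto": "tcp", "src_port": "any", "dest_port": 22, "action": "permit",
               "next_hop_option": "none", "acl_name": "fwd_acl_10", "rev_acl_name": "rev_acl_10",
               "route_map_num": 101, "rev_route_map_num": 102},
}
BAD: Dict[str, Any] = {
    "name": "service_policy_9", "node_name": "it-sn-2", "rp_name": "it-fw-rp2",
    "src_vrf": "vrf_11", "dest_vrf": "vrf_11", "src_network": "net_11",      # dest_network missing
    "next_hop": "192.161.1.300",                                            # not a valid address
    "policy": {"proto": "tcp", "src_port": "any", "dest_port": 70000,       # port out of range
               "next_hop_option": "drop_on_fail",                            # not a documented choice
               "route_map_num": 0},                                          # out of range
}

if __name__ == "__main__":
    for name, problems in validate_config([GOOD, BAD]).items():
        print(name)
        for p in problems:
            print("  -", p)
```

The check is deliberately stricter than a YAML lint: `drop_on_fail` looks like a valid value and parses fine, but only `none`, `drop-on-fail` and `drop` are documented, so a typo there would otherwise surface only as a failed task against the fabric.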