mikewiebe.ndfc.dcnm_service_policy (2.1.3) — module
DCNM ansible module for managing service policies.
Added in version 1.2.0 of mikewiebe.ndfc
Authors: Mallik Mudigonda (@mmudigon)
Install with ansible-galaxy collection install mikewiebe.ndfc:==2.1.3
collections:
  - name: mikewiebe.ndfc
    version: 2.1.3
DCNM ansible module for creating, deleting, querying and modifying service policies
# L4-L7 Service Insertion:
#
# Cisco DCNM has the ability to insert Layer 4-Layer 7 (L4-L7) service devices in a data center fabric, and also enables selectively
# redirecting traffic to these service devices. You can add a service node, create route peering between the service node and the
# service leaf switch, and then selectively redirect traffic to these service nodes. This Ansible collection provides three modules,
# viz. Service Node, Service Route Peering and Service Policy, to enable this.
#
# Service Node:
#
# You have to create an external fabric and specify that a service node resides in that external fabric during service node creation.
# Service policies are created on the service node to determine the actions to be applied to the traffic.
#
# Route Peerings:
#
# Multiple Service Route Peerings can be created under a service node. Each Route Peering creates the service networks that are used to
# carry traffic towards the service node.
#
# Service Policy:
#
# Each route peering can have multiple service policies. Service policies can only be created for networks created through route peerings.
# The service policies define the actions to be taken for matching traffic.
#
# Dependency Tree:
#
# Service Node
#   |
#   |---- Route Peering 1
#   |       |
#   .       |---- Service Policy 1
#   .       |
#   .       .
#   .       .
#   .       .
#   .       |---- Service Policy N
#   .
#   |---- Route Peering N
#           |
#           |---- Service Policy 1
#           |
#           .
#           .
#           .
#           |---- Service Policy N
#
#
# This module supports the following states:
#
# Merged:
#   Service Policies defined in the playbook will be merged into the target fabric.
#     - If a Service Policy does not exist it will be added.
#     - If a Service Policy exists but properties managed by the playbook are different,
#       they will be updated if possible.
#     - Service Policies that are not specified in the playbook will be untouched.
#
# Replaced:
#   Service Policies defined in the playbook will be replaced in the target fabric.
#     - If a Service Policy does not exist it will be added.
#     - If a Service Policy exists but properties managed by the playbook are different,
#       they will be updated if possible.
#     - Properties that can be managed by the module but are not specified
#       in the playbook will be deleted or defaulted if possible.
#     - Service Policies that are not specified in the playbook will be untouched.
#
# Overridden:
#   Service Policies defined in the playbook will be overridden in the target fabric.
#     - If a Service Policy does not exist it will be added.
#     - If a Service Policy exists but properties managed by the playbook are different,
#       they will be updated if possible.
#     - Properties that can be managed by the module but are not specified
#       in the playbook will be deleted or defaulted if possible.
#     - Service Policies that are not specified in the playbook will be deleted.
#
# Deleted:
#   Service Policies defined in the playbook will be deleted.
#
# Query:
#   Returns the current DCNM state for the Service Policies listed in the playbook.

# CREATING SERVICE POLICIES
# =========================

- name: Create service policy including all optional objects
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    attach: true
    deploy: true
    state: merged
    config:
      - name: service_policy_1
        node_name: it-sn-1
        rp_name: it-fw-rp1
        src_vrf: vrf_11
        dest_vrf: vrf_11
        src_network: net_11
        dest_network: net_12
        next_hop: 192.161.1.100
        reverse_next_hop: 192.161.2.100
        reverse: true
        policy:
          proto: tcp
          src_port: any
          dest_port: 22
          action: permit
          next_hop_option: none
          acl_name: fwd_acl_10
          rev_acl_name: rev_acl_10
          route_map_num: 101
          rev_route_map_num: 102
# DELETE SERVICE POLICIES
# =======================

# 1. With Policy Name and Node name
#
# Deletes the specified service policies from the given nodes

- name: Delete service policies with policy name and node name
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    state: deleted
    config:
      - name: service_policy_1
        node_name: it-sn-1
      - name: service_policy_2
        node_name: it-sn-2
      - name: service_policy_3
        node_name: it-sn-2
      - name: service_policy_4
        node_name: it-sn-2
      - name: service_policy_5
        node_name: it-sn-2

# 2. With Node name alone
#
# Deletes all service policies from the specified nodes

- name: Delete service policies with Node names
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    state: deleted
    config:
      - node_name: it-sn-1
      - node_name: it-sn-2

# 3. With Node name and RP name
#
# Deletes all service policies under the specified route peering and node

- name: Delete service policies with Node name and RP name
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    state: deleted
    config:
      - node_name: it-sn-1
        rp_name: it-fw-rp1
      - node_name: it-sn-2
        rp_name: it-fw-rp2

# 4. Without config
#
# Deletes all service policies on the given fabric and attached fabric

- name: Delete service policies without config
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    state: deleted
# OVERRIDE SERVICE POLICIES
# =========================

# When this playbook is executed, service policy service_policy_1 will be created or replaced and all
# other service policies in test_fabric and external will be deleted

- name: Override all existing service policies with a new one
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    attach: true
    deploy: true
    state: overridden
    config:
      - name: service_policy_1
        node_name: it-sn-1
        rp_name: it-fw-rp1
        src_vrf: vrf_11
        dest_vrf: vrf_11
        src_network: net_11
        dest_network: net_12
        next_hop: 192.161.1.100
        reverse_next_hop: 192.161.2.100
        policy:
          proto: icmp
          src_port: 555
          dest_port: 22
          action: permit
          next_hop_option: none
          acl_name: fwd_acl_555
          rev_acl_name: rev_acl_555
          route_map_num: 555
          rev_route_map_num: 556

# REPLACE SERVICE POLICIES
# ========================

- name: Replace service policy_1 with the one specified below
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    attach: true
    deploy: true
    state: replaced
    config:
      - name: service_policy_1
        node_name: it-sn-1
        rp_name: it-fw-rp1
        src_vrf: vrf_11
        dest_vrf: vrf_11
        src_network: net_11
        dest_network: net_12
        next_hop: 192.161.1.100
        reverse_next_hop: 192.161.2.100
        policy:
          proto: udp
          src_port: 501
          dest_port: 502
          action: deny
          next_hop_option: drop_on_fail

# QUERY SERVICE POLICIES
# ======================

- name: Query service policies based on service node and policy name
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    state: query
    config:
      - name: service_policy_1
        node_name: it-sn-1

- name: Query service policies based on service node
  cisco.dcnm.dcnm_service_policy:
    fabric: test_fabric
    service_fabric: external
    state: query
    config:
      - node_name: it-sn-1
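The state semantics described in the notes above (merged, replaced, overridden, deleted) and the four deletion forms in the delete examples, modelled as an added example in Python; this is not code from the mikewiebe.ndfc collection. It assumes policies are identified by (node_name, name) as in the examples, EXISTING is a constructed sample of what DCNM already holds, and nested dictionaries such as policy are compared as a whole, a simplification of the module's property-by-property handling.

```python
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]  # (node_name, name): the identity used in the examples

# Constructed sample of what DCNM already holds; not real fabric data.
EXISTING: Dict[Key, dict] = {
    ("it-sn-1", "service_policy_1"): {"rp_name": "it-fw-rp1", "src_vrf": "vrf_11",
                                       "policy": {"proto": "tcp", "dest_port": "22"}},
    ("it-sn-2", "service_policy_2"): {"rp_name": "it-fw-rp2", "src_vrf": "vrf_12",
                                       "policy": {"proto": "udp", "dest_port": "53"}},
}


def delete_targets(existing: Dict[Key, dict], config: List[dict]) -> Set[Key]:
    """state: deleted. No config removes everything; otherwise each entry selects
    by node_name, narrowed by name and/or rp_name when those are present."""
    if not config:
        return set(existing)
    hit: Set[Key] = set()
    for sel in config:
        for (node, name), body in existing.items():
            if node != sel["node_name"]:
                continue
            if "name" in sel and name != sel["name"]:
                continue
            if "rp_name" in sel and body.get("rp_name") != sel["rp_name"]:
                continue
            hit.add((node, name))
    return hit


def reconcile(existing: Dict[Key, dict], config: List[dict], state: str):
    """Return (add, update, delete) key sets for the requested state."""
    if state == "deleted":
        return set(), set(), delete_targets(existing, config)
    wanted = {(p["node_name"], p["name"]): {k: v for k, v in p.items()
              if k not in ("node_name", "name")} for p in config}
    add = {k for k in wanted if k not in existing}
    if state == "merged":
        # merged compares only the properties the playbook actually sets
        update = {k for k in wanted if k in existing
                  and any(existing[k].get(f) != v for f, v in wanted[k].items())}
    else:
        # replaced/overridden: unspecified properties are defaulted, so the
        # whole stored body must equal the desired one
        update = {k for k in wanted if k in existing and existing[k] != wanted[k]}
    # only overridden touches policies the playbook does not mention
    delete = set(existing) - set(wanted) if state == "overridden" else set()
    return add, update, delete
```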
Parameters

state:
  choices:
    - merged
    - replaced
    - overridden
    - deleted
    - query
  default: merged
  description:
    - the required state of the configuration after module completion.
  required: false
  type: str
attach:
  default: true
  description:
    - a flag specifying if the given service policy is to be attached to the specified service node
  required: false
  type: bool
config:
  description:
    - a list of dictionaries containing service policy and switch information
  elements: dict
  suboptions:
    dest_network:
      description:
        - name of the destination network for this service policy
      required: true
      type: str
    dest_vrf:
      description:
        - name of the destination vrf for this service policy
      required: true
      type: str
    name:
      description:
        - a unique name which identifies the service policy
      required: true
      type: str
    next_hop:
      default: ''
      description:
        - next hop ip address to be used in source to network direction
        - This must exactly match the next hop IP configured for the route peering associated with this policy
      required: false
      type: str
    policy:
      description:
        - details of the policy (ACL) to be applied
      suboptions:
        acl_name:
          default: will be auto-generated by DCNM
          description:
            - Name of the ACL in the forward direction
          required: false
          type: str
        action:
          choices:
            - permit
            - deny
          default: permit
          description:
            - action to apply for traffic matching the service profile
          required: false
          type: str
        dest_port:
          choices:
            - any
            - Min 1
            - Max 65535
          description:
            - destination port number to be matched to apply this ACL
          required: true
          type: str
        next_hop_option:
          choices:
            - none
            - drop-on-fail
            - drop
          default: none
          description:
            - option to specify how to redirect traffic
          required: false
          type: str
        proto:
          choices:
            - ip
            - icmp
            - tcp
            - udp
          description:
            - protocol to be matched to apply this ACL
          required: true
          type: str
        rev_acl_name:
          default: will be auto-generated by DCNM
          description:
            - Name of the ACL in the reverse direction
          required: false
          type: str
        rev_route_map_num:
          choices:
            - Min 1
            - Max 65535
          default: will be auto-generated by DCNM
          description:
            - route map match number for reverse direction
          required: false
          type: int
        route_map_num:
          choices:
            - Min 1
            - Max 65535
          default: will be auto-generated by DCNM
          description:
            - route map match number
          required: false
          type: int
        src_port:
          choices:
            - any
            - Min 1
            - Max 65535
          description:
            - source port number to be matched to apply this ACL
          required: true
          type: str
      type: dict
    reverse_next_hop:
      default: ''
      description:
        - reverse next hop ip address to be used in network to source direction
        - This must exactly match the reverse next hop IP configured for the route peering associated with this policy
      required: false
      type: str
    src_network:
      description:
        - name of the source network for this service policy
      required: true
      type: str
    src_vrf:
      description:
        - name of the source vrf for this service policy
      required: true
      type: str
  type: list
deploy:
  default: true
  description:
    - a flag specifying if a service policy is to be deployed on the switches
  required: false
  type: bool
fabric:
  description:
    - name of the target fabric for service policy operations
  required: true
  type: str
service_fabric:
  description:
    - name of the external fabric attached to the service node for service policy operations
  required: true
  type: str