CiscoDevNet / ansible-dcnm

Apache License 2.0

dcnm_vrf: Deployment of multiple sub-if on multiple interfaces leads to partially success #205

Closed smukkavi closed 1 year ago

smukkavi commented 1 year ago

Community Note

Ansible Version and collection version

3.0.0

DCNM version

Affected module(s)

Ansible Playbook

# Copy-paste your ansible playbook here

- name: Merge vrfs
  cisco.dcnm.dcnm_vrf:
    fabric: "{{ FABRIC }}"
    state: merged
    config:
    - vrf_name: "{{ vrf.vrf_name }}"
      vrf_id: "{{ vrf.vrf_id }}"
      import_vpn_rt:         "{{ vrf.import_vpn_rt }}"
      export_vpn_rt:         "{{ vrf.export_vpn_rt }}"
      adv_default_routes:    "{{ vrf.adv_default_routes }}"
      static_default_route:  "{{ vrf.static_default_route }}"
      adv_host_routes:       "{{ vrf.adv_host_routes }}"
      vrf_template: Default_VRF_Universal
      vrf_extension_template: Default_VRF_Extension_Universal
      vlan_id: "{{ vrf.vlan_id }}"
      service_vrf_template: null
      deploy: true
      attach: "{{ vrf_lite_config }}"

-   deploy: true
    ip_address: 10.30.5.17
    vrf_lite:
    -   dot1q: 20
        interface: Ethernet1/31
        ipv4_addr: 10.5.5.0/31
        ipv6_addr: 2010::10:34:0:0/127
        neighbor_ipv4: 10.5.5.1
        neighbor_ipv6: 2010::10:34:0:1
        peer_vrf: NEP6DECSP21_to_NEP6DSRJ21_RISE_DMZ
-   deploy: true
    ip_address: 10.30.5.17
    vrf_lite:
    -   dot1q: 20
        interface: Ethernet1/32
        ipv4_addr: 10.5.5.2/31
        ipv6_addr: 2010::10:34:0:2/127
        neighbor_ipv4: 10.5.5.3
        neighbor_ipv6: 2010::10:34:0:3
        peer_vrf: NEP6DECSP21_to_NEP6DSRJ22_RISE_DMZ
-   deploy: true
    ip_address: 10.30.5.18
    vrf_lite:
    -   dot1q: 20
        interface: Ethernet1/31
        ipv4_addr: 10.5.5.4/31
        ipv6_addr: 2010::10:34:0:4/127
        neighbor_ipv4: 10.5.5.5
        neighbor_ipv6: 2010::10:34:0:5
        peer_vrf: NEP6DECSP22_to_NEP6DSRJ21_RISE_DMZ
-   deploy: true
    ip_address: 10.30.5.18
    vrf_lite:
    -   dot1q: 20
        interface: Ethernet1/32
        ipv4_addr: 10.5.5.6/31
        ipv6_addr: 2010::10:34:0:6/127
        neighbor_ipv4: 10.5.5.7
        neighbor_ipv6: 2010::10:34:0:7
        peer_vrf: NEP6DECSP22_to_NEP6DSRJ22_RISE_DMZ

Debug Output

Expected Behavior

Actual Behavior

NEP6DECSP21# sh ip int brief vrf rise_dmz
IP Interface Status for VRF "rise_dmz"(28)
Interface            IP Address      Interface Status
Vlan20               forward-enabled protocol-up/link-up/admin-up
Eth1/31.20           10.5.5.0        protocol-down/link-down/admin-up

NEP6DECSP21# sh ip int brief vrf rise_mgmt
IP Interface Status for VRF "rise_mgmt"(29)
Interface            IP Address      Interface Status
Vlan300              forward-enabled protocol-up/link-up/admin-up
Eth1/31.300          10.6.6.0        protocol-down/link-down/admin-up


Steps to Reproduce

  1. Configure external fabric without any external devices
  2. Configure Link between local fabric and the external fabric using NDFC GUI, provided all the parameters for VRF Lite with the local switch - Border Gateway Spine name, interface, temp IP/mask, external device name, ext device IP, Ext device interface - these IPs are temporary as they will be modified while supplying VRF config and then VRF-Lite script followed by VRF Lite script.
  3. Run the VRF script as provided above along with VRF-Lite parameters. Here 2 physical interfaces are chosen on each spine (2x BGW spines)
  4. Check the spines: the 2nd interface has NO config deployed from the Ansible playbook; it retains the originally provided temp IP and other information in NDFC GUI in VRF detached state. Only the interface Eth1/31 is deployed correctly on both spines, but not the next interface Eth1/32. Here is the CLI on the spine.

NEP6DECSP21# sh ip int brief vrf rise_dmz
IP Interface Status for VRF "rise_dmz"(28)
Interface            IP Address      Interface Status
Vlan20               forward-enabled protocol-up/link-up/admin-up
Eth1/31.20           10.5.5.0        protocol-down/link-down/admin-up

NEP6DECSP21# sh ip int brief vrf rise_mgmt
IP Interface Status for VRF "rise_mgmt"(29)
Interface            IP Address      Interface Status
Vlan300              forward-enabled protocol-up/link-up/admin-up
Eth1/31.300          10.6.6.0        protocol-down/link-down/admin-up

But the interface eth1/32 does not show any sub-interfaces deployed.

References
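
A post-run check for the partial deployment reported above, as an added example that is not part of the original issue or of the cisco.dcnm collection: it compares the vrf_lite entries requested for one switch with the `sh ip int brief vrf` output and lists the sub-interfaces that never reached the device. The function names are hypothetical, and the `Ethernet` to `Eth` abbreviation is an assumption taken from the output quoted in the issue.

```python
import ipaddress
import re

# Desired vrf_lite entries for switch 10.30.5.17, copied from the playbook data above.
ATTACH = [
    {"ip_address": "10.30.5.17", "vrf_lite": [
        {"interface": "Ethernet1/31", "dot1q": 20, "ipv4_addr": "10.5.5.0/31"}]},
    {"ip_address": "10.30.5.17", "vrf_lite": [
        {"interface": "Ethernet1/32", "dot1q": 20, "ipv4_addr": "10.5.5.2/31"}]},
]

# Switch output as posted in the issue (VRF rise_dmz on NEP6DECSP21).
CLI = """\
IP Interface Status for VRF "rise_dmz"(28)
Interface            IP Address      Interface Status
Vlan20               forward-enabled protocol-up/link-up/admin-up
Eth1/31.20           10.5.5.0        protocol-down/link-down/admin-up
"""

def expected_subifs(attach, switch_ip):
    """Map 'Eth<port>.<dot1q>' -> IPv4 address for every vrf_lite entry of one switch."""
    want = {}
    for entry in attach:
        if entry["ip_address"] != switch_ip:
            continue
        for lite in entry.get("vrf_lite") or []:
            # Assumption: the CLI abbreviates 'Ethernet' to 'Eth', as in the output above.
            name = lite["interface"].replace("Ethernet", "Eth") + "." + str(lite["dot1q"])
            want[name] = str(ipaddress.ip_interface(lite["ipv4_addr"]).ip)
    return want

def parse_ip_int_brief(text):
    """Return {interface: address column} for the data rows of 'sh ip int brief vrf'."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\d\S*)\s+(\S+)\s+protocol-", line)
        if m:
            rows[m.group(1)] = m.group(2)
    return rows

def undeployed(attach, switch_ip, cli_text):
    """List sub-interfaces that are absent from the switch or carry a different address."""
    have = parse_ip_int_brief(cli_text)
    want = expected_subifs(attach, switch_ip)
    return sorted(name for name, ip in want.items() if have.get(name) != ip)

if __name__ == "__main__":
    print(undeployed(ATTACH, "10.30.5.17", CLI))
```

Running such a check after the play catches the case where Ansible reports success while part of the requested configuration is missing on the device.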

dsx1123 commented 1 year ago

Experiencing a similar issue with VRF Lite. Another observation: if the VRF has been attached to the border before and only vrf_lite configuration is being added, the playbook will not change the VRF_LITE configuration at all. For example, here is the playbook:

---
- name: VRF Lite issue
  hosts: ndfc2
  gather_facts: false
  tasks:
    - name: attach vrf first
      cisco.dcnm.dcnm_vrf:
        fabric: fabric_n9kv
        config:
          - vrf_name: vrf_red
            attach:
              - ip_address: 192.168.123.13

    - name: config vrf_lite
      cisco.dcnm.dcnm_vrf:
        fabric: fabric_n9kv
        config:
          - vrf_name: vrf_red
            attach:
              - ip_address: 192.168.123.13
                vrf_lite:
                - peer_vrf: vrf_red
                  interface: Ethernet1/1
                  ipv4_addr: 10.33.0.1/30
                  neighbor_ipv4: 10.33.0.2
                  dot1q: 2

verbose output:

ansible-playbook [core 2.12.10]
  config file = /root/.ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /root/virtualenv/ansible/lib/python3.9/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /root/virtualenv/ansible/bin/ansible-playbook
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
  jinja version = 3.1.2
  libyaml = True
Using /root/.ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading collection cisco.dcnm from /root/.ansible/collections/ansible_collections/cisco/dcnm
Loading callback plugin default of type stdout, v2.0 from /root/virtualenv/ansible/lib/python3.9/site-packages/ansible/plugins/callback/default.py
Loading collection ansible.posix from /root/.ansible/collections/ansible_collections/ansible/posix
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
Loading callback plugin ansible.posix.profile_tasks of type aggregate, v2.0 from /root/.ansible/collections/ansible_collections/ansible/posix/plugins/callback/profile_tasks.py

PLAYBOOK: vrf_lite_issue.yml ******************************************************************************************************************************************************
Positional arguments: vrf_lite_issue.yml
verbosity: 4
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
inventory: ('/etc/ansible/hosts',)
forks: 5
1 plays in vrf_lite_issue.yml

PLAY [VRF Lite issue] *************************************************************************************************************************************************************
Trying secret FileVaultSecret(filename='/root/.vault_pass') for vault_id=default
META: ran handlers
Loading collection ansible.netcommon from /root/.ansible/collections/ansible_collections/ansible/netcommon

TASK [attach vrf first] ***********************************************************************************************************************************************************
task path: /root/workspace/ansible/dcnm/misc/vrf_lite_issue.yml:6
Friday 10 March 2023  12:24:12 -0800 (0:00:00.082)       0:00:00.082 **********
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
Loading collection ansible.utils from /root/.ansible/collections/ansible_collections/ansible/utils
<shdu-ndfc-2.cisco.com> attempting to start connection
<shdu-ndfc-2.cisco.com> using connection plugin ansible.netcommon.httpapi
Found ansible-connection at path /root/virtualenv/ansible/bin/ansible-connection
<shdu-ndfc-2.cisco.com> local domain socket does not exist, starting it
<shdu-ndfc-2.cisco.com> control socket path is /root/.ansible/pc/7d9005a669
<shdu-ndfc-2.cisco.com> redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
<shdu-ndfc-2.cisco.com> Loading collection ansible.netcommon from /root/.ansible/collections/ansible_collections/ansible/netcommon
<shdu-ndfc-2.cisco.com> Loading collection ansible.utils from /root/.ansible/collections/ansible_collections/ansible/utils
<shdu-ndfc-2.cisco.com> Loading collection cisco.dcnm from /root/.ansible/collections/ansible_collections/cisco/dcnm
<shdu-ndfc-2.cisco.com> local domain socket listeners started successfully
<shdu-ndfc-2.cisco.com> loaded API plugin ansible_collections.cisco.dcnm.plugins.httpapi.dcnm from path /root/.ansible/collections/ansible_collections/cisco/dcnm/plugins/httpapi/dcnm.py for platform type cisco.dcnm.dcnm
<shdu-ndfc-2.cisco.com>
<shdu-ndfc-2.cisco.com> local domain socket path is /root/.ansible/pc/7d9005a669
<shdu-ndfc-2.cisco.com> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
<shdu-ndfc-2.cisco.com> ANSIBLE_NETWORK_IMPORT_MODULES: found cisco.dcnm.dcnm_vrf  at /root/.ansible/collections/ansible_collections/cisco/dcnm/plugins/modules/dcnm_vrf.py
<shdu-ndfc-2.cisco.com> ANSIBLE_NETWORK_IMPORT_MODULES: running cisco.dcnm.dcnm_vrf
<shdu-ndfc-2.cisco.com> ANSIBLE_NETWORK_IMPORT_MODULES: complete
ok: [shdu-ndfc-2.cisco.com] => {
    "changed": false,
    "diff": [],
    "invocation": {
        "module_args": {
            "config": [
                {
                    "attach": [
                        {
                            "ip_address": "192.168.123.13"
                        }
                    ],
                    "vrf_name": "vrf_red"
                }
            ],
            "fabric": "fabric_n9kv",
            "state": "merged"
        }
    },
    "response": []
}

TASK [config vrf_lite] ************************************************************************************************************************************************************
task path: /root/workspace/ansible/dcnm/misc/vrf_lite_issue.yml:14
Friday 10 March 2023  12:24:13 -0800 (0:00:01.413)       0:00:01.496 **********
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
Loading collection ansible.utils from /root/.ansible/collections/ansible_collections/ansible/utils
<shdu-ndfc-2.cisco.com> attempting to start connection
<shdu-ndfc-2.cisco.com> using connection plugin ansible.netcommon.httpapi
Found ansible-connection at path /root/virtualenv/ansible/bin/ansible-connection
<shdu-ndfc-2.cisco.com> found existing local domain socket, using it!
<shdu-ndfc-2.cisco.com> ESTABLISH HTTP(S) CONNECTFOR USER: admin TO https://shdu-ndfc-2.cisco.com:443
<shdu-ndfc-2.cisco.com> updating play_context for connection
<shdu-ndfc-2.cisco.com>
<shdu-ndfc-2.cisco.com> local domain socket path is /root/.ansible/pc/7d9005a669
<shdu-ndfc-2.cisco.com> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
<shdu-ndfc-2.cisco.com> ANSIBLE_NETWORK_IMPORT_MODULES: found cisco.dcnm.dcnm_vrf  at /root/.ansible/collections/ansible_collections/cisco/dcnm/plugins/modules/dcnm_vrf.py
<shdu-ndfc-2.cisco.com> ANSIBLE_NETWORK_IMPORT_MODULES: running cisco.dcnm.dcnm_vrf
<shdu-ndfc-2.cisco.com> ANSIBLE_NETWORK_IMPORT_MODULES: complete
ok: [shdu-ndfc-2.cisco.com] => {
    "changed": false,
    "diff": [],
    "invocation": {
        "module_args": {
            "config": [
                {
                    "attach": [
                        {
                            "ip_address": "192.168.123.13",
                            "vrf_lite": [
                                {
                                    "dot1q": 2,
                                    "interface": "Ethernet1/1",
                                    "ipv4_addr": "10.33.0.1/30",
                                    "neighbor_ipv4": "10.33.0.2",
                                    "peer_vrf": "vrf_red"
                                }
                            ]
                        }
                    ],
                    "vrf_name": "vrf_red"
                }
            ],
            "fabric": "fabric_n9kv",
            "state": "merged"
        }
    },
    "response": []
}
META: ran handlers
META: ran handlers

PLAY RECAP ************************************************************************************************************************************************************************
shdu-ndfc-2.cisco.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Friday 10 March 2023  12:24:14 -0800 (0:00:01.143)       0:00:02.640 **********
===============================================================================
attach vrf first ----------------------------------------------------------------------------------------------------------------------------------------------------------- 1.41s
/root/workspace/ansible/dcnm/misc/vrf_lite_issue.yml:6 ---------------------------------------------------------------------------------------------------------------------------
config vrf_lite ------------------------------------------------------------------------------------------------------------------------------------------------------------ 1.14s
/root/workspace/ansible/dcnm/misc/vrf_lite_issue.yml:14 --------------------------------------------------------------------------------------------------------------------------

praveenramoorthy commented 1 year ago

Fixed as part of #219