aci_rest_managed with class l1PhysIf -> Code: 400 unknown attribute 'annotation' in element

[ma-double-t]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.7.4

APIC version and APIC Platform

5.2(8h)

Affected Resource(s)

aci_rest_managed

Terraform Configuration Files

resource "aci_rest_managed" "individual_port_description" {

  class_name = "l1PhysIf"
  dn         = "topology/pod-2/node-2005/sys/phys-[eth1/20]"
  content = {
    descr = "desc-vpc-member-01"
  }
}

Debug Output

│ Error: The post rest request failed │ │ with aci_rest_managed.individual_port_description["test01:1"], │ on main.tf line 107, in resource "aci_rest_managed" "individual_port_description": │ 107: resource "aci_rest_managed" "individual_port_description" { │ │ Code: 400 Response: [map[error:map[attributes:map[code:400 text:unknown attribute 'annotation' in element 'l1PhysIf']]]], err: %!s(). Please report this issue to the provider developers.

Expected Behavior

Expect that deploy runs sucessfully since the annotation attribute is optional.

Actual Behavior

Deploy doesn't run since the class 'l1PhysIf' doesn't have a the needed attribute and there is no way to suppress the creation of the default value.

Steps to Reproduce

Apply above mentioned terraform code

[akinross]

Hi @ma-double-t,

This class is marked as a non configurable class in the meta information that is part of the concrete model and thus we have not included it into list of unsupported annotation classes.

The logical and concrete domains are separated; the logical configurations are rendered into concrete configurations by applying the policies in relation to the available physical resources. No configuration is carried out against concrete entities. Concrete entities are configured implicitly as a side effect of the changes to the APIC policy model.

When I try send it via REST directly I get "Invalid access, MO: l1PhysIf" returned. Are you able to configure this description with REST directly?

Could you provide me a bit more information on what it is that you are trying to achieve with this?

[ma-double-t]

Hi @akinross,

my goal is to achieve individual port descriptions for host configurations with virtual port channels (vpc). Currently the port description specified in the resource "aci_access_port_block" is pushed down to the physical interface (class "l1PhysIf").

Example:

Hostname: Testhost-A
VPC configured as logical switch pair: switch 1001 Port and switch 1005
Configured Port in resource "aci_access_port_block" -> Port 1/10
Description in resource "aci_access_port_block" -> virtual-port-channel-100

Result:

Port Description on switch 1001 AND 1005 Port 1/10 is "virtual-port-channel-100"

Desired Result:

Port Description on switch 1001: "virtual-port-channel-100-individual-text-01" Port Description on switch 1005: "virtual-port-channel-100-individual-text-02"

I can do this via CLI on the APIC - is there any way to achieve this with terraform? I've already tried this with the resource "aci_rest" but ran into another error: Invalid access, MO: l1PhysIf

[akinross]

Hi @ma-double-t,

Could you share the terraform configuration? Also could you provide the CLI command which you are using on APIC?

[ma-double-t]

Hi @akinross,

CLI Configuration from a previous config task. I've anonymized names.

Baseline - identical descriptions on leaf switch lf-1001 Port 1/45 and lf-1005 Port 1/45

lf-1001# show interface status
------------------------------------------------------------------------------------------------
 Port           Name                Status     Vlan       Duplex   Speed    Type                
------------------------------------------------------------------------------------------------
 mgmt0          --                  connected  routed     full     1G       --                 
 Eth1/1         dnac                connected  trunk      full     1G       10g                
 ..
 ..                           
 Eth1/45        f5-99-2600-z24      linknotcon trunk      full     inherit  10g                

lf-1005# show interface status
------------------------------------------------------------------------------------------------
 Port           Name                Status     Vlan       Duplex   Speed    Type                
------------------------------------------------------------------------------------------------
 mgmt0          --                  connected  routed     full     1G       --                 
 Eth1/1         dnac                connected  trunk      full     1G       10g                
 ..
 ..                           
 Eth1/45        f5-99-2600-z24      linknotcon trunk      full     inherit  10g  

Editing the description via CLI on leaf switch lf-1001

apic# configure
apic(config)# leaf lf-1001
apic(config-leaf)# interface ethernet 1/45
apic(config-leaf-if)# description f5-99-2600-z24-lnk2
apic(config-leaf-if)# end
apic# 

Check

lf-1001# show interface status
------------------------------------------------------------------------------------------------
 Port           Name                Status     Vlan       Duplex   Speed    Type                
------------------------------------------------------------------------------------------------
 mgmt0          --                  connected  routed     full     1G       --                 
 Eth1/1         dnac                connected  trunk      full     1G       10g                
 ..
 ..                           
 Eth1/45        f5-99-2600-z24-lnk2 linknotcon trunk      full     inherit  10g     

Terraform configuration - values get deployed dynamically via csv file

// Creates Leaf Access Port Selector for all nodes and binds leaf access port policy group 

resource "aci_access_port_selector" "hosts_interfacePortSelectors" {

  for_each = local.hosts_profiles

  leaf_interface_profile_dn      = each.value[0].lag == "vpc" ? "uni/infra/accportprof-${each.value[0].vpc_domain}" : "uni/infra/accportprof-${each.value[0].switch}"
  name                           = each.value[0].accprtsel_name
  access_port_selector_type      = "range"
  relation_infra_rs_acc_base_grp = each.value[0].lag == "none" ? "uni/infra/funcprof/accportgrp-${each.value[0].acc_grp_policy}" : aci_leaf_access_bundle_policy_group.hosts_vpcPolicyGroup[each.value[0].host_name].id

  // APIC Path: Fabric/Access Policies/Interfaces/Leaf Interfaces/Profiles/lf-switch

  // Logic:
  // if lag value is "vpc" leaf_interface_profile_dn must refer to a vpc domain else to a single switch for standard ports and regular port-channel.
  // if lag value is "none" relation_infra_rs_acc_base_grp must refer to the profile specified in the csv file else to the newly created bundle policy group.
}

// Creates Leaf Access Port Block and binds it to the leaf access port selector.

resource "aci_access_port_block" "interface_port_block" {

  for_each = local.hosts_profiles

  access_port_selector_dn = aci_access_port_selector.hosts_interfacePortSelectors[each.value[0].host_name].id
  description             = each.value[0].description
  from_card               = each.value[0].modul_start
  from_port               = each.value[0].port_start
  to_card                 = each.value[0].modul_end
  to_port                 = each.value[0].port_end
}

[akinross]

From configuration point, which option do you use from the VPC design guide: https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/aci-guide-vpc.pdf.

Or could you provide a static example since the looping constructs with vars make it hard to follow what is actually provided.

[ma-double-t]

Hi @akinross,

I use Option 1:

VPC with SAME Leaf interfaces across two leafs with Combined Profiles In the example below, the following are defined: • A Combined Switch Profile called Leaf201_202_SwProf (Node 201 and Node 202) • A Combined Interface Profile called Leaf201_202_IntProf (Node 201 and Node 202) • An Access Port Selector called Eth1_1 (under the Leaf201_202 Interface Profile) is pointing towards a vPC Interface policy group. • The vPC Interface Policy group is pointing towards an AAEP called Customer_AEP. • The AEP (Customer_AEP) has an association with the Customer_PhysDom. • The Customer_PhysDom has an association with a Vlan Pool called Customer_Static_VLPool. So what does this do? On ports Eth1/1 on both switches Leaf201 and Leaf202, you will configure those ports to be apart of a vPC. This vPC interface will have access to Vlans 1201-1299. Depending on the Interface Policy Group, you could enable LACP Active and other interface specific policy configurations.

[akinross]

Hi @ma-double-t,

I think in order for you to achieve your desired configuration you would need to switch to option 2.

I have not verified this so this is purely based on the documentation. Be aware that there are recommendations mentioned in the document, I will see if I can get some additional information and get back to you if I do.

[ma-double-t]

Hi @akinross,

would be great if at least changing the description would be possible in the future. Since we have already deployed more than 50 devices with option 1 in our datacenter changing the vpc configuration is not an option. Especially since the recommendation on option 3 is: do not do this configuration approach in production.

[akinross]

Hi @akinross,

would be great if at least changing the description would be possible in the future. Since we have already deployed more than 50 devices with option 1 in our datacenter changing the vpc configuration is not an option. Especially since the recommendation on option 3 is: do not do this configuration approach in production.

Edited the previous comment where I think that option 2 would be sufficient already, you would still have the issue of already deployed configuration. I do not know if this is possible to change ( would assume this is a design limitation and thus the design guide is also providing the different options), would need to check internally to validate this. I will get back to you on that.

[akinross]

Hi @ma-double-t,

You should be able to set a leaf interface override ( UI = Fabric -> Access Policies -> Interfaces -> Leaf Interfaces -> Overrides ) for each interface. Could you please try the below config snippet with your own variables?

resource "aci_rest_managed" "host_path_selector" {
  class_name = "infraHPathS"
  dn         = "uni/infra/hpaths-101_eth1_1"
  content = {
    name = "101_eth1_1"
    descr = "desc-vpc-member-01"
  }
}

resource "aci_rest_managed" "host_path_selector_interface" {
  class_name = "infraRsHPathAtt"
  dn         = "${aci_rest_managed.host_path_selector.id}/rsHPathAtt-[topology/pod-1/paths-101/pathep-[eth1/1]]"
  content = {
    tDn = "topology/pod-1/paths-101/pathep-[eth1/1]"
  }
}

Please let me know if this helped solve it for you.

[ma-double-t]

Hi @akinross,

Excellent! I've tried your snippets with my code and it work flawless. Many thx for your support!