Closed michalstaporek closed 3 years ago
@michalstaporek Thanks for logging the issue, but with the above information I'm unable to reproduce the issue, the only difference in the config is the 1st ipv6 config name for DHCP Server which I've changed to `DHCP-Server` instead, for ref:
Switch Config:
IPv6 access list DHCP-Server
permit udp any eq 546 any eq 547 sequence 10
permit udp any eq 547 any eq 546 sequence 20
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100
IPv6 access list system-cpp-dhcpv6-cs
permit udp any eq 546 any eq 547 sequence 10
IPv6 access list system-cpp-dhcpv6-sc
permit udp any eq 547 any eq 546 sequence 10
IPv6 access list system-cpp-icmpv6-na
permit icmp any any nd-na sequence 10
IPv6 access list system-cpp-icmpv6-ns
permit icmp any any nd-ns sequence 10
IPv6 access list system-cpp-icmpv6-ra
permit icmp any any router-advertisement sequence 10
IPv6 access list system-cpp-icmpv6-rr
permit icmp any any redirect sequence 10
IPv6 access list system-cpp-icmpv6-rs
permit icmp any any router-solicitation sequence 10
Gathered Play run:
"gathered": [
{
"acls": [
{
"aces": [
{
"destination": {
"any": true,
"port_protocol": {
"eq": "547"
}
},
"grant": "permit",
"protocol": "udp",
"sequence": 10,
"source": {
"any": true,
"port_protocol": {
"eq": "546"
}
}
},
{
"destination": {
"any": true,
"port_protocol": {
"eq": "546"
}
},
"grant": "permit",
"protocol": "udp",
"sequence": 20,
"source": {
"any": true,
"port_protocol": {
"eq": "547"
}
}
},
{},
{
"destination": {
"any": true,
"port_protocol": {
"eq": "domain"
}
},
"grant": "permit",
"protocol": "udp",
"sequence": 10,
"source": {
"any": true
}
},
{
"destination": {
"any": true,
"port_protocol": {
"eq": "domain"
}
},
"grant": "permit",
"protocol": "tcp",
"sequence": 20,
"source": {
"any": true
}
},
{
"destination": {
"any": true
},
"grant": "permit",
"protocol": "icmp",
"source": {
"any": true
}
},
{
"destination": {
"any": true
},
"grant": "permit",
"protocol": "icmp",
"protocol_options": {
"icmp": {
"router_solicitation": true
}
},
"sequence": 50,
"source": {
"any": true
}
},
{
"destination": {
"any": true
},
"grant": "permit",
"protocol": "icmp",
"protocol_options": {
"icmp": {
"router_advertisement": true
}
},
"sequence": 60,
"source": {
"any": true
}
},
{
"destination": {
"any": true
},
"grant": "permit",
"protocol": "icmp",
"protocol_options": {
"icmp": {
"redirect": true
}
},
"sequence": 70,
"source": {
"any": true
}
},
{
"destination": {
"any": true,
"port_protocol": {
"eq": "546"
}
},
"grant": "permit",
"protocol": "udp",
"sequence": 80,
"source": {
"any": true,
"port_protocol": {
"eq": "547"
}
}
},
{
"destination": {
"any": true,
"port_protocol": {
"eq": "547"
}
},
"grant": "permit",
"protocol": "udp",
"sequence": 90,
"source": {
"any": true,
"port_protocol": {
"eq": "546"
}
}
},
{
"grant": "deny",
"protocol": "ip"
}
],
"name": "DHCP-Server"
},
{
"aces": [
{
"destination": {
"any": true,
"port_protocol": {
"eq": "547"
}
},
"grant": "permit",
"protocol": "udp",
"sequence": 10,
"source": {
"any": true,
"port_protocol": {
"eq": "546"
}
}
}
],
"name": "system-cpp-dhcpv6-cs"
},
{
"aces": [
{
"destination": {
"any": true,
"port_protocol": {
"eq": "546"
}
},
"grant": "permit",
"protocol": "udp",
"sequence": 10,
"source": {
"any": true,
"port_protocol": {
"eq": "547"
}
}
}
],
"name": "system-cpp-dhcpv6-sc"
},
{
"aces": [
{
"destination": {
"any": true
},
"grant": "permit",
"protocol": "icmp",
"source": {
"any": true
}
}
],
"name": "system-cpp-icmpv6-na"
},
{
"aces": [
{
"destination": {
"any": true
},
"grant": "permit",
"protocol": "icmp",
"source": {
"any": true
}
}
],
"name": "system-cpp-icmpv6-ns"
},
{
"aces": [
{
"destination": {
"any": true
},
"grant": "permit",
"protocol": "icmp",
"protocol_options": {
"icmp": {
"router_advertisement": true
}
},
"sequence": 10,
"source": {
"any": true
}
}
],
"name": "system-cpp-icmpv6-ra"
},
{
"aces": [
{
"destination": {
"any": true
},
"grant": "permit",
"protocol": "icmp",
"protocol_options": {
"icmp": {
"redirect": true
}
},
"sequence": 10,
"source": {
"any": true
}
}
],
"name": "system-cpp-icmpv6-rr"
},
{
"aces": [
{
"destination": {
"any": true
},
"grant": "permit",
"protocol": "icmp",
"protocol_options": {
"icmp": {
"router_solicitation": true
}
},
"sequence": 10,
"source": {
"any": true
}
}
],
"name": "system-cpp-icmpv6-rs"
}
],
"afi": "ipv6"
}
]
@michalstaporek can you plz check if you're using the older version of the IOS collection, if yes plz update the IOS collection to the latest version i.e. 2.1.0 and you shouldn’t face the reported issue.
I am going ahead and closing the issue, if you still face the issue with the updated collection plz feel free to reopen the bug.
I'm also seeing this bug with a Cisco 4500, even on the latest collection version 2.2.0
So apparently, the problem is that `Extended MAC access list system-cpp-bpdu-range` passes as a valid ACE, because the RE here doesn't match until the line end: https://github.com/ansible-collections/cisco.ios/blob/b8b18334067e865c51b783c397c467bcf6f1bc0d/plugins/module_utils/network/ios/rm_templates/acls.py#L184-L205 So then the next line `permit any 0180.c200.0000 0000.0000.000c` is considered a standard ACE in an extended ACL (whichever came before the first MAC ACL, in my case `system-cpp-ripv2`, in @michalstaporek's case `system-cpp-icmpv6-rs`).
Adding a `$` at the end of above-mentioned regular expressions works for me, but I have no idea whether it breaks other setups/versions/models/...
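A simplified model of the anchoring problem described in the comment above, added here as an example; it is not code from the cisco.ios collection. The patterns and the `parse` and `acls_with_std_source` helpers are hypothetical, and the sample output is constructed from lines quoted in this issue.

```python
import re

# Constructed sample: each line is quoted from this issue, but their order on a
# real device is an assumption.
SAMPLE = """\
IPv6 access list system-cpp-icmpv6-rs
    permit icmp any any router-solicitation sequence 10
Extended MAC access list system-cpp-bpdu-range
    permit any 0180.c200.0000 0000.0000.000c
"""

# Hypothetical, simplified patterns (not the collection's real templates).
HEADER = re.compile(r"^(?:(?:Standard|Extended)\s+)?(?:IP|IPv6) access list (?P<name>\S+)")
EXT_ACE = re.compile(r"^\s*(?P<grant>permit|deny)\s+(?P<protocol>icmp|udp|tcp|ipv6)\s+(?P<rest>.+)$")
IPV4 = r"\d+\.\d+\.\d+\.\d+"
STD_BODY = rf"^\s*(?P<grant>permit|deny)\s+(?P<std_source>any|host\s+\S+|{IPV4})"
# Unanchored: accepts any line that merely starts like a standard ACE.
STD_ACE_LOOSE = re.compile(STD_BODY)
# Anchored with $: the pattern must consume the whole line.
STD_ACE_STRICT = re.compile(STD_BODY + rf"(?:\s+{IPV4})?\s*$")


def parse(text, std_ace):
    """Return (acls, skipped): ACEs grouped by ACL name, plus unparsed lines."""
    acls, skipped, current = {}, [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = acls.setdefault(m["name"], [])
        elif current is not None and (m := EXT_ACE.match(line) or std_ace.match(line)):
            current.append(m.groupdict())
        elif line.strip():
            # Surface what was not understood instead of dropping it silently.
            skipped.append(line.strip())
    return acls, skipped


def acls_with_std_source(acls):
    """Names of ACLs that ended up holding an ACE with a std_source key."""
    return sorted(n for n, aces in acls.items() if any("std_source" in a for a in aces))


if __name__ == "__main__":
    for label, pattern in (("loose", STD_ACE_LOOSE), ("strict", STD_ACE_STRICT)):
        acls, skipped = parse(SAMPLE, pattern)
        print(label, acls_with_std_source(acls), skipped)
```

With the unanchored pattern the MAC ACE is attached to the preceding IPv6 ACL as a `std_source` entry; with the anchored one it lands in `skipped`, where an unsupported ACL type is visible rather than misparsed.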
I edited the last comment to add the analysis of the root cause, just adding another comment to make sure that it's noticed. (This comment can be deleted once the issue is re-opened.)
SUMMARY
When Ansible tries to collect ipv6 ACL details from a 4500 switch running IOS ver 03.11.02.E or 03.11.04.E it throws out the following error: "msg": "Unsupported parameters for (basic.py) module: std_source found in config -> acls -> aces.
ISSUE TYPE
COMPONENT NAME
cisco.ios.ios_acls
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
Trying to collect ACL details from a 4500 series switch running IOS ver 03.11.02.E or 03.11.04.E.
EXPECTED RESULTS
ACL details from the switch
ACTUAL RESULTS