Working with the ios_config module in Ansible and using the match parameter

The match parameter specifies how the commands are compared with the current configuration (that is, what is considered a change):

  • line – commands are checked line by line. This mode is used by default
  • strict – not only the commands themselves must match, but also their position relative to each other
  • exact – commands must match the configuration exactly, and there must be no extra lines
  • none – the module will not compare commands with the current configuration

How to use the match: line parameter of the ios_config module in Ansible?

The match: line mode is used by default.

In this mode, the module checks only whether the lines listed in the lines list are present in the corresponding configuration mode. It does not check the order of the lines.

The following ACL is configured on router 192.168.0.22:

R1#sh run | s access
ip access-list extended IN_to_OUT
 permit tcp 192.168.2.0 0.0.0.255 any eq 22

An example playbook, ios_config_match_line.yml, that uses line mode:

---

- name: Run cfg commands on router
  hosts: 192.168.0.22

  tasks:

    - name: Config ACL
      ios_config:
        parents:
          - ip access-list extended IN_to_OUT
        lines:
          - permit tcp 192.168.2.0 0.0.0.255 any eq www
          - permit tcp 192.168.2.0 0.0.0.255 any eq 22
          - permit icmp any any

Playbook execution result:

Note that the updates list contains only two of the three ACL lines. Because the module compares each command independently in line mode, it found that only two of the three commands were missing.

As a result, the configuration on the router looks like this:

R1#sh run | s access
ip access-list extended IN_to_OUT
 permit tcp 192.168.2.0 0.0.0.255 any eq 22
 permit tcp 192.168.2.0 0.0.0.255 any eq www
 permit icmp any any

That is, the order of the commands has changed. In this case it is not important, but in other cases it can lead to results other than the expected ones.

If you run the playbook again with this configuration, it will not make any changes, since all lines have been found.

How to use the match: exact parameter of the ios_config module in Ansible?

An example where the order of commands is important.

ACL on the router:

R1#sh run | s access
ip access-list extended IN_to_OUT
 permit tcp 192.168.2.0 0.0.0.255 any eq 22
 permit tcp 192.168.2.0 0.0.0.255 any eq www
 deny icmp any any

Playbook ios_config_match_exact.yml:

---

- name: Run cfg commands on router
  hosts: 192.168.0.22

  tasks:

    - name: Config ACL
      ios_config:
        parents:
          - ip access-list extended IN_to_OUT
        lines:
          - permit tcp 192.168.2.0 0.0.0.255 any eq www
          - permit tcp 192.168.2.0 0.0.0.255 any eq 22
          - permit icmp any any
          - deny   ip any any

If you run the playbook without match: exact, the result will be:

ansible-playbook ios_config_match_exact.yml -v

R1#sh run | s access
ip access-list extended IN_to_OUT
 permit tcp 192.168.2.0 0.0.0.255 any eq 22
 permit tcp 192.168.2.0 0.0.0.255 any eq www
 deny   ip any any
 permit icmp any any

In this case the last rule, permit icmp any any, will never match, because it comes after deny ip any any.

Let's add match: exact and see what happens.

---

- name: Run cfg commands on router
  hosts: 192.168.0.22

  tasks:

    - name: Config ACL
      ios_config:
        before:
          - no ip access-list extended IN_to_OUT
        parents:
          - ip access-list extended IN_to_OUT
        lines:
          - permit tcp 192.168.2.0 0.0.0.255 any eq 22
          - permit tcp 192.168.2.0 0.0.0.255 any eq www
          - permit icmp any any
          - deny   ip any any
        match: exact

ansible-playbook ios_config_match_exact.yml -v

R1#sh run | s access
ip access-list extended IN_to_OUT
 permit tcp 192.168.2.0 0.0.0.255 any eq 22
 permit tcp 192.168.2.0 0.0.0.255 any eq www
 permit icmp any any
 deny   ip any any

How to use the match: strict parameter of the ios_config module in Ansible?

The match: strict option does not require the configuration block to be exactly as specified in the task, but the commands listed in the lines list must be in the same order.

If the parents list is specified, the commands in the lines list must immediately follow the parents commands.

The router has this ACL:

ip access-list extended IN_to_OUT
 permit tcp 192.168.2.0 0.0.0.255 any eq www
 permit tcp 192.168.2.0 0.0.0.255 any eq 22
 permit icmp any any
 deny   ip any any

Playbook ios_config_match_strict.yml:

---

- name: Run cfg commands on router
  hosts: 192.168.0.22

  tasks:

    - name: Config ACL
      ios_config:
        before:
          - no ip access-list extended IN_to_OUT
        parents:
          - ip access-list extended IN_to_OUT
        lines:
          - permit tcp 192.168.2.0 0.0.0.255 any eq www
          - permit tcp 192.168.2.0 0.0.0.255 any eq 22
          - permit icmp any any
        match: strict

Playbook execution:

ansible-playbook ios_config_match_strict.yml -v

Since there were no changes, the ACL remained the same.

In the same situation, using match: exact would detect a change, and the ACL would only consist of the lines in the lines list.

How to use the match: none parameter of the ios_config module in Ansible?

Using match: none disables the idempotency of the task: each time the playbook is executed, the commands specified in the task will be sent.

Example playbook ios_config_match_none.yml:

---

- name: Run cfg commands on router
  hosts: 192.168.100.1

  tasks:

    - name: Config ACL
      ios_config:
        before:
          - no ip access-list extended IN_to_OUT
        parents:
          - ip access-list extended IN_to_OUT
        lines:
          - permit tcp 192.168.2.0 0.0.0.255 any eq www
          - permit tcp 192.168.2.0 0.0.0.255 any eq 22
          - permit icmp any any
        match: none

Using match: none is appropriate when, regardless of the current configuration, all commands need to be sent.
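
The four modes side by side, as an added example that is not part of the original article and is not Ansible's own code: a simplified Python model of the comparison each mode performs, run on the ACL entries used above. The function names and the check for entries hidden behind a catch-all deny are assumptions made for illustration.

```python
# Simplified model of the four match modes (assumption: a sketch of the
# comparison semantics described above, not Ansible's source code).
# "device" and "wanted" are the entries under one parent, in order.

def commands_to_send(match, device, wanted):
    """Return the lines the task would push to the router."""
    if match == "none":       # no comparison: always send everything
        return list(wanted)
    if match == "line":       # presence only, order is ignored
        return [w for w in wanted if w not in device]
    if match == "strict":     # each line must sit at the same position
        return [w for i, w in enumerate(wanted)
                if i >= len(device) or device[i] != w]
    if match == "exact":      # whole block must be identical
        return [] if device == wanted else list(wanted)
    raise ValueError("unknown match mode: " + match)


def acl_after_push(device, commands, recreate=False):
    """Model the router: entries without sequence numbers are appended.
    recreate=True models `before: no ip access-list extended ...`."""
    acl = [] if recreate else list(device)
    return acl + [c for c in commands if c not in acl]


def shadowed(acl):
    """Entries that follow a catch-all `deny ip any any` and never match."""
    norm = [" ".join(e.split()) for e in acl]
    if "deny ip any any" not in norm:
        return []
    return acl[norm.index("deny ip any any") + 1:]


SSH = "permit tcp 192.168.2.0 0.0.0.255 any eq 22"
WWW = "permit tcp 192.168.2.0 0.0.0.255 any eq www"
ICMP = "permit icmp any any"
DENY = "deny   ip any any"

if __name__ == "__main__":
    intended = [SSH, WWW, ICMP, DENY]
    misordered = [SSH, WWW, DENY, ICMP]   # ACL order left behind by line mode
    for mode in ("line", "strict", "exact", "none"):
        print(mode, commands_to_send(mode, misordered, intended))
    print("shadowed:", shadowed(misordered))
```

On the mis-ordered ACL, line mode returns nothing to send, so a playbook run reports no change while permit icmp any any stays hidden behind the deny; strict and exact both flag the difference.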
