Add QoS and Interface modules, fix bugs and docs
A restructuring has been done to interface modules to
allow for configuration of interface admin state and
other interface specific configurations in the
aoscx_interface module. Inclusion of QoS specific configurations
is added to new modules and existing interface module.

This commit:
- fix documentation for various modules
- fix idempotency for ACL Entries and VLANs
- restructures interface modules
- includes QoS modules

New modules included are:
- aoscx_interface
- aoscx_qos
- aoscx_qos_cos
- aoscx_qos_dscp
- aoscx_queue
- aoscx_queue_profile
- aoscx_queue_profile_entry
- aoscx_system
tchiapuziowong committed Feb 8, 2022
1 parent abd8722 commit 2a3baed
Showing 25 changed files with 3,429 additions and 436 deletions.
20 changes: 11 additions & 9 deletions docs/aoscx_acl.md
Expand Up @@ -109,17 +109,17 @@ portal](https://developer.arubanetworks.com/aruba-aoscx/reference#acl_entry).
| `tcp_rst` | Boolean | TCP RST flag matching attribute |
| `tcp_urg` | Boolean | TCP URG flag matching attribute |
| `src_l4_port_group` | URL | URL in string format of the ACL object group resource. This URL refers to the REST API interface and has the following format: `"/system/acl_object_groups/{name},{object_type}"`. This attribute is mutually exclusive with the `src_l4_port_min`, `src_l4_port_max`, and `src_l4_port_range_reverse` attributes, and if this attribute is configured, the other ones will be ignored. The referenced object group must be of type `l4port` |
| `src_l4_port_max` | Int32 | Maximum L4 port to match on the packet |
| `src_l4_port_min` | Int32 | Minimum L4 port to match on the packet |
| `src_l4_port_max` | Int32 | Maximum L4 port to match on the packet. To match any port this field can be left empty. |
| `src_l4_port_min` | Int32 | Minimum L4 port to match on the packet. To match any port this field can be left empty. |
| `dst_l4_port_group` | URL | URL in string format of the ACL object group resource. This URL refers to the REST API interface and has the following format: `"/system/acl_object_groups/{name},{object_type}"`. This attribute is mutually exclusive with the `dst_l4_port_min`, `dst_l4_port_max`, and `dst_l4_port_range_reverse` attributes. If this attribute is configured, the others will be ignored. The referenced object group must be of type `l4port` |
| `dst_l4_port_max` | Int32 | Maximum IP destination port matching attribute. Used in conjunction with `dst_l4_port_min` and `dst_l4_port_range_reverse` |
| `dst_l4_port_min` | Int32 | Minimum IP destination port matching attribute. Used in conjunction with `dst_l4_port_max` and `dst_l4_port_range_reverse` |
| `src_ip_group` | URL | URL in string format of the ACL object group resource. This URL refers to the REST API interface and has the following format: `"/system/acl_object_groups/{name},{object_type}"`. This attribute is mutually exclusive with the source IP address attribute. If `src_ip_group` is configured, `src_ip` will be ignored. The referenced object group must be of type `ipv4` or `ipv6`. |
| `src_ip` | IP Network Address | String with source IP matching attribute. If no IP address is specified, the ACL Entry will not match on source IP address. The following IPv4 and IPV6 formats are accepted. IPv4 format (A.B.C.D/W.X.Y.Z) IPv6 format (A:B::C:D/W:X::Y:Z) |
| `src_ip` | IP Network Address | String with source IP matching attribute. If no IP address is specified, the ACL Entry will not match on source IP address. The following IPv4 and IPV6 formats are accepted. IPv4 format (A.B.C.D/W.X.Y.Z) IPv6 format (A:B::C:D/W:X::Y:Z). To match any address the field can be left empty or use the 'any' keyword |
| `dst_ip_group` | URL | URL in string format of the ACL object group resource. This URL refers to the REST API interface and has the following format: `"/system/acl_object_groups/{name},{object_type}"`. This attribute is mutually exclusive with the destination IP address attribute. If `dst_ip_group` is configured, `dst_ip` will be ignored. The referenced object group must be of type `ipv4` or `ipv6`. |
| `dst_ip` | IP Network Address | String with source IP matching attribute. If no IP address is specified, the ACL Entry will not match on destination IP address. The following IPv4 and IPv6 address formats are accepted. IPv4 format (A.B.C.D/W.X.Y.Z) IPv6 format (A:B::C:D/W:X::Y:Z) |
| `src_mac` | MAC address | String with source MAC matching attribute. Two formats are allowed (AAAA.BBBB.CCCC or AAAA.BBBB.CCCC/XXXX.YYYY.ZZZZ) |
| `dst_mac` | MAC address | String with destination MAC matching attribute. Two formats are allowed (AAAA.BBBB.CCCC or AAAA.BBBB.CCCC/XXXX.YYYY.ZZZZ) |
| `dst_ip` | IP Network Address | String with source IP matching attribute. If no IP address is specified, the ACL Entry will not match on destination IP address. The following IPv4 and IPv6 address formats are accepted. IPv4 format (A.B.C.D/W.X.Y.Z) IPv6 format (A:B::C:D/W:X::Y:Z). To match any address the field can be left empty or use the 'any' keyword |
| `src_mac` | MAC address | String with source MAC matching attribute. Two formats are allowed (AAAA.BBBB.CCCC or AAAA.BBBB.CCCC/XXXX.YYYY.ZZZZ). To match any address the field can be left empty or use the 'any' keyword |
| `dst_mac` | MAC address | String with destination MAC matching attribute. Two formats are allowed (AAAA.BBBB.CCCC or AAAA.BBBB.CCCC/XXXX.YYYY.ZZZZ). To match any address the field can be left empty or use the 'any' keyword |
| `action` | String | Define the action to take on an ACL match. There are two options: `permit`, and `deny`. `permit`: packets will be forwarded. `deny`: packets will be dropped. ACE will only be activated when an associated action is provided. |
| `count` | Boolean | When true, increment hit count for packets that match this ACL |
| `dscp` | Int32 | Different Services Code Point matching attribute |
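Review bot: the updated `dst_ip` row still begins "String with source IP matching attribute"; it should say destination, since the same row goes on to say the entry "will not match on destination IP address". The "To match any port this field can be left empty" wording was added to `src_l4_port_max` and `src_l4_port_min` but not to `dst_l4_port_max` and `dst_l4_port_min`; if the destination fields behave the same way, document it there too so nobody assumes an empty destination port is handled differently. Minor: "IPV6" in the `src_ip` row should be "IPv6", and the `dscp` context row should read "Differentiated Services Code Point".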
Expand All @@ -145,7 +145,9 @@ IPv4 network, but deny a single host, and keep a count of how many packets are
sent to the switch from that host. Two ACEs are added, the one with lowest
sequence number is checked first for matches. One ACE is in charge of denying
incoming traffic from the single host, while the other one allows incoming from
the rest of the network.
the rest of the network. Note that in both cases the entries match all
destination addresses, because `dst_ip` is empty. In that case, all destination
traffic is denied because the first entry takes precedence.

```YAML
- name: Configure IPv4 ACL that allows traffic from a network except a single host
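Review bot: the added sentence "In that case, all destination traffic is denied because the first entry takes precedence" can be read as saying the ACL drops everything, which contradicts the preceding text where the second ACE allows the rest of the network. The deny entry is scoped to the single source host, so state that explicitly, for example: "traffic from that host is denied to every destination, because `dst_ip` is empty and the first entry takes precedence". An ACL example that can be misread as deny-all or allow-all should be worded precisely.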
Expand All @@ -157,7 +159,7 @@ the rest of the network.
comment: "Deny the host"
action: deny
count: true
scr_ip: 158.10.12.57/255.255.255.255
src_ip: 158.10.12.57/255.255.255.255
protocol: tcp
2:
comment: "Allow the network"
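Review bot: the `scr_ip` to `src_ip` correction on the deny entry is right, but only this one example is fixed here. The parameter table says that when no source IP is specified the entry does not match on source address, so a misspelled key that is not rejected would leave this entry denying `tcp` from every source rather than from 158.10.12.57 alone. Please check the remaining examples in this file for the same misspelling, and consider having the module reject unknown keys inside an ACL entry so a typo fails loudly instead of widening the rule.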
Expand Down Expand Up @@ -211,7 +213,7 @@ a match for only one port is intended, `src/dst_l4_port_max` and
src_l4_port_max: 5002
src_l4_port_min: 5000
dst_l4_port_max: 3657
dst_l4_port_min: 3567
dst_l4_port_min: 3657
action: permit
```

Expand Down
149 changes: 149 additions & 0 deletions docs/aoscx_interface.md
@@ -0,0 +1,149 @@
# module: aoscx_interface

Interface module for Ansible.

Version added: 2.8

- [Synopsis](#Synpsis)
- [Parameters](#Parameters)
- [Examples](#Examples)

# Synopsis

This module manages the interface attributes of Aruba AOSCX network devices.

# Parameters

| Parameter | Type | Choices/Defaults | Required | Comments |
|------------------|:-------|:----------------------------------------|:--------:|:---------------------------------------------------------------------------------------------------------------------------|
| `name` | string | | [x] | Name of the interface. Should be in the format chassis/slot/port e.g. 1/2/3. |
| `enabled` | bool | | [ ] | Administrative state of the interface. Use true to administratively enable it. |
| `description` | string | | [ ] | Description of the interface. |
| `duplex` | string | [`full`, `half`] | [ ] | Configure the interface for full duplex or half duplex. If this value is specified, `speeds` must also be specified. |
| `speeds` | list | | [ ] | Configure the speeds of the interface in megabits per second. If this value is specified, `duplex` must also be specified. |
| `qos` | string | | [ ] | Name of existing QoS configuration to apply to the interface. |
| `no_qos` | bool | | [ ] | Flag to remove the existing Qos of the interface. Use True to remove it. |
| `queue_profile` | string | | [ ] | Name of queue profile to apply to interface. |
| `qos_trust_mode` | string | [`cos`, `dscp`, `name`, `global`] | [ ] | Specifies the interface QoS Trust Mode. 'global' configures the interface to use the global configuration instead. |
| `state` | String | [`create`, `delete`, `update`]/`create` | [ ] | The action to be taken with the current Interface. |
| `vsx_sync` | list | [`acl`, `irdp`, `qos`, `rate_limits`, `vlan`, `vsx_virtual`, `virtual_gw_l3_src_mac_enable`, `policy`, `threshold_profile`, `macsec_policy`, `mka_policy`, `portfilter`, `client_ip_track_configuration`, `mgmd_acl`, `mgmd_enable`, `mgmd_robustness`, `mgmd_querier_max_response_time`, `mgmd_mld_version`, `mgmd_querier_interval`, `mgmd_last_member_query_interval`, `mgmd_querier_enable`, `mgmd_mld_static_groups`, `mgmd_igmp_static_groups`, `mgmd_igmp_version`] | [ ] | Controls which attributes should be synchonized between VSX peers. |


# Examples

## Enable full duplex at 1000 Mbits/s

Ansible version:

```YAML
- name: Configure Interface 1/1/2 - enable full duplex at 1000 Mbit/s
aoscx_interface:
name: 1/1/2
duplex: full
speeds:
- '1000'
enabled: true
```
CLI version:
```
interface 1/1/2
speed 1000-full
```

## Administratively disable an interface

Ansible version:

```YAML
- name: Administratively disable interface 1/1/2
aoscx_interface:
name: 1/1/2
enabled: false
```
CLI version:
```
interface 1/1/2
shutdown
```

## Configure a QoS trust mode

It is possible to set an specific trust mode for a particular interface, or to
configure an interface to use the global default trust mode of the device.

```YAML
- name: Set a QoS trust mode for interface 1/1/2
aoscx_interface:
name: 1/1/2
qos_trust_mode: cos

- name: Set interface 1/1/3 to use global trust mode
aoscx_interface:
name: 1/1/3
qos_trust_mode: global
```
## Configure a Queue Profile trust mode
```YAML
- name: Set a Queue Profile for interface 1/1/2
aoscx_interface:
name: 1/1/2
queue_profile: STRICT-PROFILE

- name: Set interface 1/1/3 to use global Queue Profile
aoscx_interface:
name: 1/1/3
use_global_queue_profile: true
```
## Associate QoS Schedule Profiles to an interface
To assign a Schedule Profile to an interface, you have to specify the name, to
remove it simply use the `no_qos` option.

```YAML
- name: Configure Schedule Profile on an interface
aoscx_interface:
name: 1/1/2
qos: STRICT-PROFILE
- name: Remove a Schedule Profile from an interface
aoscx_interface:
name: 1/1/3
no_qos: true
```

## Set QoS rate for an interface

```YAML
- name: Set the QoS rate to the 1/1/17 Interface
aoscx_interface:
name: 1/1/17
qos_rate:
broadcast: 200pps
unknown-unicast: 100kbps
multicast: 200pps
```

## Enable vsx-sync for interface 1/1/2

```YAML
- name: Configure Interface 1/1/2 - enable vsx-sync features
aoscx_interface:
name: 1/1/2
duplex: full
speeds:
- '1000'
vsx_sync:
- acl
- irdp
- qos
- rate_limits
- vlan
- vsx_virtual
```
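Review bot: the examples in this new file use `use_global_queue_profile` and `qos_rate`, neither of which appears in the Parameters table, so a reader cannot tell their types, accepted values or defaults; add rows for both or drop the examples. The section heading "Configure a Queue Profile trust mode" looks copied from the trust-mode section above it and should just describe applying a queue profile. In the table, `qos_trust_mode` lists `name` as a choice; please confirm that is intended and not a typo for another mode. The first example sets `enabled: true`, but its "CLI version" shows only `speed 1000-full`, so the two are not equivalent as written. Small fixes: the table of contents link `[Synopsis](#Synpsis)` has a misspelled anchor, "synchonized" should be "synchronized", "an specific" should be "a specific", "Qos" should be "QoS", and the `state` row uses `String` where the other rows use `string`.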