The L3out module offers support floating SVIs. The interfaces ip_shared attribute is available to set a secondary IP. The ip_shared attribute is not used when configuring a floating SVI.

Example of floating svi secondary IP DN:
uni/tn-isovalent/out-isovalent.vrf-01-bgp-AS-65152/lnodep-border-leafs/lifp-hx-dev-01-fi-a-vlan-16/vlifp-[topology/pod-1/node-101]-[vlan-16]/addr-[1.1.1.1/24]

Example of svi secondary IP DN:
uni/tn-isovalent/out-isovalent.vrf-01-bgp-AS-65152/lnodep-border-leafs/lifp-hx-dev-01-fi-a-vlan-16/rspathL3OutAtt-[topology/pod-1/paths-101/pathep-[hx-dev-01-fi-a]]/addr-[1.1.1.1/24]

The module should allow user to configure shared_ip on floating SVI.

Hello,
I could not find how to add annotation natively via Nexus-as-Code for an ACI tenant.
I used "aci_rest_managed" resource and it worked but it would be good to have in NaC module itself.

Thank you.

how can i add a filter present in the tenant common to subject of a contract in a client tenant ?

Within the policy external_connectivity_policy (apic.fabric_policies) there is no option to choose route-reflectors by default the configuration is full-mesh. It would be great to set this flag through Terraform.

Would like to be able to add vpc interfaces as static ports in the Endpoint Group module.

https://developer.cisco.com/docs/nexus-as-code/aaa-settings/#classes lists LDAP as supported attribute, but there is no support for LDAP in the AAA module.

variables.tf update needed:

variable "default_realm" {
  description = "Default realm. Choices: `local`, `tacacs`, `radius`, `ldap`."
  type        = string
  default     = "local"

  validation {
    condition     = contains(["local", "tacacs", "radius", "ldap"], var.default_realm)
    error_message = "Valid values are `local`, `tacacs` or `radius`."
  }
}
variable "console_realm" {
  description = "Console realm. Choices: `local`, `tacacs`, `radius`, `ldap`."
  type        = string
  default     = "local"

  validation {
    condition     = contains(["local", "tacacs", "radius", "ldap"], var.console_realm)
    error_message = "Valid values are `local`, `tacacs` or `radius`."
  }
}

and main.tf:

resource "aci_rest_managed" "aaaDefaultAuth" {
  dn         = "${aci_rest_managed.aaaAuthRealm.dn}/defaultauth"
  class_name = "aaaDefaultAuth"
  content = {
    fallbackCheck = var.default_fallback_check ? "true" : "false"
    realm         = var.default_realm
    providerGroup = var.default_realm == "tacacs" || var.default_realm == "radius" || var.default_realm == "ldap" ? var.default_login_domain : ""
  }
}

resource "aci_rest_managed" "aaaConsoleAuth" {
  dn         = "${aci_rest_managed.aaaAuthRealm.dn}/consoleauth"
  class_name = "aaaConsoleAuth"
  content = {
    realm         = var.console_realm
    providerGroup = var.console_realm == "tacacs" || var.console_realm == "radius" || var.default_realm == "ldap" ? var.console_login_domain : ""
  }
}

Unfortunately it is currently not supported to specify Netflow Interface Policies (NetFlow Exporters, NetFlow Exporters for VM Networking, NetFlow Monitors, NetFlow Records) and link them to an Interface Policy Group. Adding those policies would be highly appreciated.

I dont quite understand why the location of the policies is different, for example:

err_disabled_recovery resides under fabric_policies:

apic:
  fabric_policies:
    err_disabled_recovery:
      interval: 360
      mcp_loop: true
      ep_move: true
      bpdu_guard: true

and mcp resides under access_policies:

apic:
access_policies:
 mcp:
   action: false
   admin_state: true
   key: cisco
   frequency_sec: 5
   initial_delay: 300
   loop_detection: 5
   per_vlan: false

even though both have the same path in the gui:

Location in GUI: Fabric » Access Policies » Policies » Global » Error Disabled Recovery Policy

Location in GUI: Fabric » Access Policies » Policies » Global » MCP Instance Policy default

Not possible to add descriptions to aaep's per now, at least as far as i can see in the doc:
https://developer.cisco.com/docs/nexus-as-code/#!aaep/examples

Would be nice to add description.

Hello,

First of all, thanks for your work, that's great !

I'm using 4 SR-MPLS_L3OUT in the infra tenant : SR-MPLS_RT1, SR-MPLS_RT2, SR-MPLS_RT3 and SR-MPLS_RT4.
In a tenant configuration on nac yaml files, i would like to add all 4 sr_mpls_infra_l3out entries in 1 sr_mpls_l3outs like this (with 2) :

      sr_mpls_l3outs:
        - name: SR-MPLS_DEV
          external_endpoint_groups:
              - name: ExtEPG_SR-MPLS_DEV
                subnets:
                  - prefix: 0.0.0.0/0
                contracts:
                  consumers:
                  - Contract_Permit-All_DEV
          vrf: VRF_DEV
          sr_mpls_infra_l3out: SR-MPLS_L3Out_RT1
          outbound_route_map: RM4RC_export_RT1
          inbound_route_map: RM4RC_import_RT1
          sr_mpls_infra_l3out: SR-MPLS_L3Out_RT2
          outbound_route_map: RM4RC_export_RT2
          inbound_route_map: RM4RC_import_RT2

I understand with the online documentation that sr_mpls_infra_l3out, outbound_route_map and inbound_route_map are strings and then cannot be duplicate.

Confirmed by terraform's error :

terraform apply
module.aci.data.utils_yaml_merge.model: Reading...
╷
│ Error: Error reading YAML string
│
│   with module.aci.data.utils_yaml_merge.model,
│   on .terraform\modules\aci\merge.tf line 20, in data "utils_yaml_merge" "model":
│   20: data "utils_yaml_merge" "model" {
│
│ Error reading YAML string: yaml: unmarshal errors:
│   line 137: mapping key "sr_mpls_infra_l3out" already defined at line 133
│   line 138: mapping key "outbound_route_map" already defined at line 134
│   line 139: mapping key "inbound_route_map" already defined at line 135

I was able to create 4 sr_mpls_l3outs with 1 sr_mpls_infra_l3out on each but that is not the way it should work because it adds 3 more L3Out per tenant.
It would be nice to be capable of associate different outbound_route_map and inbound_route_map (and even external_endpoint_groups) to each sr_mpls_infra_l3out !
Is there a way to do this configuration ? Or should I wait for an upcoming release with this feature ? A maybe a "feature request" ?

Thank you.

Question: How to protect sensitive content ex. passwords in different yaml files?

Link: https://developer.cisco.com/docs/nexus-as-code/#!oob-node-address/oob-node-address

Is there any option to add OOB Management EPG when assigning oob-node-address, as there is in the GUI:

Br

apic:
access_policies:
mcp:
action: false
admin_state: true
frequency_sec: 5
initial_delay: 300
loop_detection: 5
per_vlan: true
key: $ECRETKEY1

Error: The post rest request failed 29s
10149│ 29s
10150│ with module.nac-aci.module.aci_mcp[0].aci_rest_managed.mcpInstPol, 29s
10151│ on .terraform/modules/nac-aci/modules/terraform-aci-mcp/main.tf line 1, in resource "aci_rest_managed" "mcpInstPol": 29s
10152│ 1: resource "aci_rest_managed" "mcpInstPol" { 29s
10153│ 29s
10154│ Code: 400 Response: [map[error:map[attributes:map[code:182 text:Password is 29s
10155│ required for MCP Instance Policy.]]]], err: %!s(). Please report this 29s
10156│ issue to the provider developers.

Not taking into account when pushing this configuration or when changing the key it is not changing anything when hitting terraform apply.

Not sure if this is expected behavior ?

NaC version = 0.8.1
Terraform module = v2.13.2

Setting the following feature causes the feature to break on ACI (tested with version 6.04(d)), and it causes the interfaces to go into FabricTrack Oper State. (see screenshots output after using NaC abstraction)

Setting port-tracking

port_tracking:
  admin_state: true
  delay: 120
  min_links: 2

Using the native terraform module works as expected if configured in the main.tf (as part of test)

Optional include the support for [include_apic_ports] in the abstraction layer (https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/port_tracking#include_apic_ports)

NaC version = 0.8.1
Terraform ACI module = v2.13.2

For example, in the aci_fabric_policies.tf module "aci_fabric_leaf_switch_profile_auto" (starting code line 368), the replace statement does not account for when a suffix is added in the default values for autogenerating fabric/access leaf/spine profiles, etc.

Working "LEAF\g" -> output is LEAF1001, LEAF1002 etc..
Not working "LEAF\g_SwPro" -> output is LEAF

Expected behaviour is to account for suffixes added to the naming

Maintenance groups does not seem to work, when applying them they show up as failed because no version is specified.

Also using them fails:

Here is my config:

---
apic:
  node_policies:
    update_groups:
      - name: odd
      - name: even

---
apic:
  node_policies:
    nodes:
      - id: 2101
        pod: 1
        role: leaf
        update_group: odd
      - id: 2102
        pod: 1
        role: leaf
        name: LabDrLeaf2102
        update_group: even
      - id: 2901
        pod: 1
        role: spine
        update_group: odd

How can I create a routed domain without associating it with a vlan pool which is a mandatory field

apic:
access_policies:
routed_domains:
- name: L3Out
vlan_pool: ??? <- mandatory

Leave the VLAN pool field blank because you do not need it for routed interface L3
For example, you need the pool for L3 connections with SVIs and subinterfaces.

The current contract implementation does not allow for uni directional contracts under the subject.

Currently revFltPorts is hardcoded to "yes"

Uni directional contracts are required for situations where DSR is required with a SG to return flows to a L4-7 devices, and also when configuring leaking between VRFs where consumer and provider contracts are required in both directions.

resource "aci_rest_managed" "vzSubj" {
  for_each   = { for subj in var.subjects : subj.name => subj }
  dn         = "${aci_rest_managed.vzBrCP.dn}/subj-${each.value.name}"
  class_name = "vzSubj"
  content = {
    name        = each.value.name
    nameAlias   = each.value.alias
    descr       = each.value.description
    revFltPorts = "yes"
    prio        = each.value.qos_class
    targetDscp  = each.value.target_dscp
  }
}

Unidirectional contract payload:

{
    "vzSubj": {
        "attributes": {
            "dn": "uni/tn-demo-05/brc-test/subj-test1",
            "name": "test1",
            "revFltPorts": "false",
            "rn": "subj-test1",
            "status": "created"
        },
        "children": [
            {
                "vzInTerm": {
                    "attributes": {
                        "dn": "uni/tn-demo-05/brc-test/subj-test1/intmnl",
                        "status": "created",
                        "targetDscp": "64"
                    },
                    "children": []
                }
            },
            {
                "vzOutTerm": {
                    "attributes": {
                        "dn": "uni/tn-demo-05/brc-test/subj-test1/outtmnl",
                        "status": "created",
                        "targetDscp": "64"
                    },
                    "children": []
                }
            }
        ]
    }
}

Hello,

When testing netascode/nac-aci/aci v0.8.0 with below yaml file as input on APIC v4.2, simulator, default Fabric L2 MTU Policy / Port MTU size(bytes) will be updated between 9000 and 9216 every time after running terraform apply with the same input yaml file. That's because below yaml input will be applied by two modules -- terraform-aci-fabric-l2-mtu and terraform-aci-l2-mtu-policy and the two modules are all applied on default Fabric L2 MTU Policy / Port MTU size(bytes), but with different values.

apic:
  fabric_policies:
    l2_port_mtu: 9000
    l2_mtu_policies:
      - name: default
        port_mtu_size: 9216

If module aci_l2_mtu_policy is designed for customized L2 MTU Policy, how about excluding default as showed below?

Line 150 https://github.com/netascode/terraform-aci-nac-aci/blob/eda11599284526188037bfaecb6db17beeec7eca/aci_fabric_policies.tf
from
for_each = { for policy in try(local.fabric_policies.l2_mtu_policies, []) : policy.name => policy if local.modules.aci_l2_mtu_policy && var.manage_fabric_policies }
to
for_each = { for policy in try(local.fabric_policies.l2_mtu_policies, []) : policy.name => policy if local.modules.aci_l2_mtu_policy && var.manage_fabric_policies && policy.name != "default" }

Good day,

After you have created a service graph template in ACI you have to right click it to and click apply. This apply option does not seem to be available from the module.

Is it anything that I dont know, or is this not implemented per now?

Best regards

Hello, I'm writing a module for Data Plane Policing policies which can be defined as an access_policy.interface_policy (like cdp) to be attached to an interface policy group; or it can be defined as a Tenant policy to be attached to an EPG or L3out logical interface profile.

My question is for the data_plane_policer_policies definition in defaults.yaml - where would be the best place to place a single defaults definition for something that needs to be under defaults.apic.access_policies.interface_policies and defaults.apic.tenants.policies.

Should there be a single definition, or should it just be copied to those two locations?

How can I create a useg epg

This error was reported:

╷
│ Error: The post rest request failed
│ 
│   with module.aci.module.aci_pod_setup["2"].aci_rest_managed.fabricExtRoutablePodSubnet["172.31.3.0/24"],
│   on .terraform/modules/aci/modules/terraform-aci-pod-setup/main.tf line 11, in resource "aci_rest_managed" "fabricExtRoutablePodSubnet":
│   11: resource "aci_rest_managed" "fabricExtRoutablePodSubnet" {
│ 
│ Code: 400 Response: [map[error:map[attributes:map[code:102 text:configured object ((Dn0)) not found Dn0=uni/controller/setuppol/setupp-2/extrtpodsubnet-[172.31.3.0/24],
│ ]]]], err: %!s(<nil>). Please report this issue to the provider developers.
╵ 

The configuration applied successfully in a subsequent apply operation.

I believe the terraform-aci-pod-setup module needs a dependency on the aci_rest_managed.fabricSetupP resource to be added to the aci_rest_managed.fabricExtRoutablePodSubnet resource.

Proposed solution:

resource "aci_rest_managed" "fabricExtRoutablePodSubnet" {
  for_each   = { for extpool in var.external_tep_pools : extpool.prefix => extpool }
  dn         = "uni/controller/setuppol/setupp-${var.pod_id}/extrtpodsubnet-[${each.value.prefix}]"
  class_name = "fabricExtRoutablePodSubnet"
  content = {
    pool                = each.value.prefix
    reserveAddressCount = each.value.reserved_address_count
    state               = "active"
  }

  depends_on = [
    aci_rest_managed.fabricSetupP
  ]
}

Some resources prompts for changes when values are not defined, this is affecting;

Bridge Domain, where vmac is changed from "not applicable" to "" when not defined:

  # module.aci.module.aci_bridge_domain["mgmt/192.168.0.0"].aci_rest_managed.fvBD will be updated in-place
  ~ resource "aci_rest_managed" "fvBD" {
      ~ content    = {
          ~ "vmac"                  = "not-applicable" -> ""
            # (17 unchanged elements hidden)
        }
        id         = "uni/tn-mgmt/BD-192.168.0.0"
        # (3 unchanged attributes hidden)
    }

Inband and outband node adress where ipv6 addr and gateway is not defined is also changed from "::" to "":

  # module.aci.module.aci_inband_node_address["1901"].aci_rest_managed.mgmtRsInBStNode will be updated in-place
  ~ resource "aci_rest_managed" "mgmtRsInBStNode" {
      ~ content    = {
          ~ "v6Addr" = "::" -> ""
          ~ "v6Gw"   = "::" -> ""
            # (3 unchanged elements hidden)
        }
        id         = "uni/tn-mgmt/mgmtp-default/inb-inband/rsinBStNode-[topology/pod-1/node-1901]"
        # (3 unchanged attributes hidden)
    }

  # module.aci.module.aci_oob_node_address["1901"].aci_rest_managed.mgmtRsOoBStNode will be updated in-place
  ~ resource "aci_rest_managed" "mgmtRsOoBStNode" {
      ~ content    = {
          ~ "v6Addr" = "::" -> ""
          ~ "v6Gw"   = "::" -> ""
            # (3 unchanged elements hidden)
        }
        id         = "uni/tn-mgmt/mgmtp-default/oob-ooband/rsooBStNode-[topology/pod-1/node-1901]"
        # (3 unchanged attributes hidden)
    }

See original issue: netascode/terraform-aci-l3out-interface-profile#17
The IPv6 Link-Local address cannot be changed.
The value is hardcoded to "llAddr = "::""

While trying to apply pod policies it fails like this:

╷
│ Error: The post rest request failed
│
│   with module.aci.module.aci_fabric_pod_profile_auto["1"].aci_rest_managed.fabricRsPodPGrp["pod-1"],
│   on .terraform/modules/aci/modules/terraform-aci-fabric-pod-profile/main.tf line 35, in resource "aci_rest_managed" "fabricRsPodPGrp":
│   35: resource "aci_rest_managed" "fabricRsPodPGrp" {
│
│ Code: 400 Response: [map[error:map[attributes:map[code:182 text:Validation failed: Validation failed: there is POD selector of type ALL and one of type range. Last considered for validation:
│ Dn0=uni/fabric/podprof-default/pods-default-typ-ALL, ]]]], err: %!s(<nil>). Please report this issue to the provider developers.

Here is my pod policy config:

---
apic:
 pod_policies:
   pods:
     - id: 1
       tep_pool: 10.4.96.0/19
       policy: default

If I try to add this to the fabric policies:

---
apic:
 fabric_policies:
   pod_profiles:
     - name: default
       selectors:
         - name: default 
           type: all
 pod_policies:
   pods:
     - id: 1
       tep_pool: 10.4.96.0/19
       policy: default

It fails like this:

│ Error: The post rest request failed
│
│   with module.aci.module.aci_fabric_pod_profile_manual["pod-1"].aci_rest_managed.fabricPodS["pod-1"],
│   on .terraform/modules/aci/modules/terraform-aci-fabric-pod-profile/main.tf line 25, in resource "aci_rest_managed" "fabricPodS":
│   25: resource "aci_rest_managed" "fabricPodS" {
│
│ Code: 400 Response: [map[error:map[attributes:map[code:182 text:Validation failed: POD Ids overlap. Dn0=uni/fabric/podprof-pod-1, ]]]], err: %!s(<nil>). Please report this issue to the provider developers.
╵

I'm having this enabled:

apic:
  auto_generate_switch_pod_profiles: true
  auto_generate_pod_profiles: true
  fabric_policies:
    pod_profile_name: "pod-\\g<id>"
    pod_profile_pod_selector_name: "pod-\\g<id>"

Not quite sure about how the auto generation things work either so if someone could explain that aswell it would be awesome.

Hi,

This is a small request for improvement :

I noticed that the description field of the interface_profiles was not available (work as designed/as documented) :

It would be great to add it like this

l3outs:
             [...]
         node_profiles:
             [...]
              interface_profiles:
                - name: vl10
                  description: "SVI Vlan 10" # Support this
                  interfaces:
                   [...]

Thanks in advance

Currently only the following values are accepted for i.e. "port-disable" and "bd-learn-disable", missing the option to deselect either option, just to generate a log entry. Disabling the interface or disable learning within a BD can be aggressive and have widespread affect. (ex. trunk interface towards legacy network)

ep_loop_protection:
  admin_state: true
  detection_interval: 180
  detection_multiplier: 10
  **action: port-disable**

thanks

Alexander

MCP action boolean when set to false, the expectation is that the flag is cleared on the APIC controller.
Setting the boolean to true is setting correctly the flag on the APIC controller.

mcp:
action: false
admin_state: true
key: password
frequency_sec: 5
initial_delay: 300
loop_detection: 5
per_vlan: true

Within the mgmt tenant, there is a default node mgmt epg (Out-of-Band EPG - default) , however, this value is not accepted as entry for validation for different fabric policies such as dns, tacacs etc.

However this is the default epg used by the APIC controllers and we cannot change this, resulting in mismatching node mgmt epg for leafs/spines vs apic and thus this reflects the contract that needs to be applied.

It would make sense to use the default oob epg that is available under the mgmt tenant to have all leafs/spines/apic use the default oob epg.

ERROR:

Error: Invalid value for variable
│
│ on .terraform/modules/nac-aci/aci_fabric_policies.tf line 160, in module "aci_dns_policy":
│ 160: mgmt_epg_type = try(each.value.mgmt_epg, local.defaults.apic.fabric_policies.dns_policies.mgmt_epg)
│ ├────────────────
│ │ var.mgmt_epg_type is "default"
│
│ Allowed values are inb or oob.
│
│ This was checked by the validation rule at .terraform/modules/nac-aci/modules/terraform-aci-dns-policy/variables.tf:16,3-13.

Current example and usage only allows for a single match rule per context in import_route_map and export_route_map

          import_route_map:
            description: desc
            type: global
            contexts:
              - name: CONTEXT1
                description: desc1
                action: deny
                order: 2
                match_rule: MATCH1
                set_rule: SET1

Would like to be able to define multiple match rules per context similar to apic.tenants.polices

New usage and example would be:

          import_route_map:
            description: desc
            type: global
            contexts:
              - name: CONTEXT1
                description: desc1
                action: deny
                order: 2
                match_rule: 
                  - MATCH1
                  - MATCH2
                  - MATCHn
                set_rule: SET1

I would like to know in which folder I have to put the custom modules.yaml file since it only uses the one inside the .terraform folder which enables all the modules creating resources not required with the default setting. also I would like to know how the external bridge domains can be created since it seems to be an absent feature